Abstract: The invention relates to a telecommunication method having the following steps: establishing a first connection (101) between a first ID token (106) and a first computer system (136) via a second computer system (100) for reading at least one first attribute from the first ID token, generating a first soft token, wherein the first soft token comprises the at least one first attribute and a time specification, and wherein the first soft token is signed by the first computer system, sending the first soft token from the first computer system to a third computer system (150), wherein the first connection is a connection with end-to-end encryption.

Abstract: Enhanced cryptographically generated addresses (ECGA) for MIPv6 incorporate a built-in backward key chain. The backward key chain prevents time-memory attacks to discover a network address and helps prevent spoofing a network address of a mobile node. The backward key chain also provides a means to authenticate network addresses of a mobile node.

Abstract: Methods and apparatus that reduce user identification overhead for communications. In one aspect of the invention, a reciprocal transmission channel characteristic (e.g., the channel impulse response) is used to derive shared and anonymous user identification between two wireless devices. In one embodiment, subscription-less data transmissions are broadcast from a base station to multiple user equipment, each user equipment receiving its correspondingly identified subscription-less data. The use of quantization levels and/or levels of tolerance for compensating for non-ideal differences in recipient and transmitter channel characteristics are also disclosed.

Abstract: The invention includes methods for cryptographically authenticating access between devices when the devices are within a geospatial boundary comprising the first step of keeping track of the physical position of the devices using both low and, or high fidelity geospatial positioning techniques. Next, a first device determines whether any nearby mobile devices have entered the geospatial boundary. Next, the first device determines if any of the mobile devices are peers eligible for cryptographic authentication. After the first device authenticates that the other device within the geospatial boundary is a trusted peer, the devices may perform various data and, or dynamic policy operations.

Abstract: A method includes: establishing a first connection between a first ID token and a first computer system via a second computer system for reading at least one first attribute from the first ID token, establishing a second connection between a second ID token and the first computer system via the second computer system for reading at least one second attribute from the second ID token, sending the first and second attributes from the first computer system to a third computer system, receiving the data from the third computer system by the first computer system, writing the data into the second ID token via the second connection by the first computer system thereby storing the data in the second ID token, where the first connection still exists, wherein the first and the second connection are respectively connection with end-to-end encryption and a connection oriented protocol.

Abstract: Secure access to a wireless network access can be provided in a system where wireless devices access a wireless network through a wireless access point (WAP). For example, a plurality of pre-shared keys (PSKs) may be generated and distributed to the WAP and the wireless device. The wireless device may automatically rotate an active one of the plurality of PSKs, while the WAP receives one or more rotation signals identifying the active one of the plurality of PSKs. The wireless device and the WAP may encrypt information relating to the active one of the PSKs within communications between them, thus securing the communications.

Abstract: Systems and/or methods of selectively terminating security in mobile networks are presented. User equipment (UE) can specify cipher termination location capabilities for encrypting/decrypting data packets to a base station in a mobile network. The mobile network can subsequently determine at which node in the network to terminate the cipher in part according to the capabilities provided and deliver the determined location to the UE. The determined cipher termination location can be provided in response to a request to initiate communications, the initial request can specify the capabilities. The UE can utilize the location to support disparate types of networks and to intelligently deal with hand-offs and other functions of the mobile network.

Abstract: A transport connection system is set forth. The system includes a first device adapted to send and receive messages. A second device, adapted to send and receive message, is also provided. A message i generated by the first device includes a secret Ri-1 to a Hash (Ri-1) sent from the first device to the second device in a prior message i-1. The message i is signed by a random key Ai-1, the random key being derived from an update of a key Ai-2 from the prior message, wherein message i-1 is signed by the key Ai-2.

Abstract: An authentication apparatus includes: a database section that stores a password; an entry section through which a password is entered; a storage section that stores an entered password which is entered through the entry section; an authentication section that authenticates whether the password and the entered password match with each other; and a determining section that determines whether or not a re-entered password is to be subjected to an authentication processing performed by the authentication section when the re-entered password is entered through the entry section after the authentication section determines that the password and the entered password do not match with each other.

Abstract: One embodiment of the present invention provides a system that associates a digital certificate with an enterprise profile. During operation, an identity store receives a digital certificate from a client. Next, the identity store searches for a mapping rule which determines if an enterprise profile is associated with the digital certificate, wherein the enterprise profile facilitates in identifying user capabilities. If a mapping rule is found, the identity store executes the mapping rule to determine if an enterprise profile is associated with the digital certificate. If so, the enterprise profile, which is associated with the digital certificate, is returned to the client.

Abstract: A method for obtaining authentication credentials for attaching a wireless device to a foreign wireless domain in a 3rd Generation Partnership Project (3GPP) communication system, which includes: receiving an attach request message from the wireless device; and responsive to the attach request message, authenticating the wireless device and retrieving a set of authentication vectors, wherein the authentication vectors are for authenticating the wireless device to the foreign wireless domain. The method further includes encrypting the set of authentication vectors using a first security key of a home wireless domain of the wireless device. In addition, the method includes encrypting the first security key using a second security key of the foreign wireless domain and sending the encrypted set of authentication vectors and the encrypted first security key to the wireless device.

Abstract: When transmitting position/time information calculated by means of a GPS function to a server apparatus, authentication is carried out with the server apparatus. The position/time information may be certified as legitimate measured by a portable apparatus with a GPS reception function employed by a user. When transmitting information related to the position and the time acquired from a portable phone terminal having the GPS function and a network function by means of the GPS function to the server apparatus, authentication is carried out between the portable phone terminal and the server apparatus. The position/time information is transmitted to the server apparatus, only if the server apparatus is authenticated as a legitimate counterpart for connection.

Abstract: A security token includes a wireless interface to communicate with a secured device. A cryptographic module generates cryptographic information, encrypts messages to the secured device, decrypts messages from the secured device and coordinates the encryption and decryption of data on the secured device.

Abstract: Methods for rule-based group security data management and corresponding systems and computer-readable mediums. A method includes receiving a complex rule set corresponding to at least one electronic document, the complex rule set including a combination of granting rules, denying rules, and rule precedence. The method includes generating derived user groups according to the complex rule set. The method includes deriving grant rules for each electronic document according to the complex rule set to produce a derived grant rule set. The method includes storing the derived grant rules as associated with the electronic document.

Abstract: Messages exchanged between a mobile node and a home agent according to a mobile Internet protocol are authenticated using cryptographic methods applied to the messages and which have been agreed on between the mobile node and the home agent.

Abstract: An image forming apparatus includes: an authentication unit that can execute a login process and a logout process; an operation unit that receives an instruction for the logout process from the user; a user attribute storage unit that stores the identification information of a non-logged-out user; a determination unit that determines whether a logged-in user, who is a user for whom the login process is executed by the authentication unit, is the non-logged-out user, based on the identification information stored in the user attribute storage unit; and a forced logout processing unit that, in a case in which the logged-in user is determined to be the non-logged-out user by the determination unit, instructs the authentication unit to execute the logout process when a predefined particular process among the plurality of processes is executed and completed by the processing unit.

Abstract: Techniques for identity-based Peer-to-Peer (P2P) Virtual Private Networks (VPN's) are provided. First and second principals authenticate to a trusted third party. The first principal subsequently requests a P2P VPN with the second principal. The second principal is contacted on behalf of the first principal and permission is acquired. The first and second principals are then sent commands to directly establish a P2P VPN communication session with one another.

Abstract: A mobile communication system according to the present invention is a mobile communication system so configured that a mobile station UE performs communication with a radio base station eNB by simultaneously using a plurality of frequency carriers, in which the mobile station UE is configured to perform a communication security process by applying the same key KeNB to all of the plurality of frequency carriers.

Abstract: A method of supporting location privacy of a mobile station includes receiving, from a base station, a message including a temporary station identifier (TSTID) during an initial ranging procedure, wherein the TSTID is temporarily used to protect the location privacy of the mobile station; performing, with the base station, a basic capabilities negotiation procedure after the initial ranging procedure; performing, with the base station, an authentication procedure after the basic capabilities negotiation procedure; performing, with the base station, a registration procedure after the authentication procedure; and releasing the TSTID after receiving a station identifier (STID) which is assigned during the registration procedure, wherein the STID uniquely identifies the mobile station in the base station.

Abstract: This method makes secure a link, for example a radio link, between a data terminal (PDA2) and a data processing local area network (WLAN2) that is coupled to a mobile telephone network (PLMN2) that includes an authentication center (AU2).

Abstract: A method and system is provided to analyse receiver indicia of location for a set of at least one receivers to determine whether a receiver has an erroneous indicator of location. The embodiment may take further steps to confirm whether or not inappropriate usage has occurred. The method and system includes identifying a first indicia of location for a set of one or more receivers, identifying a second indicia of location for one or more receivers from the set, and determining if the first and second indicia of location are mutually inconsistent. Indicia of location include indicators of receiver location, inventory state, communication path and definition on systems. The method and system may optionally include action to report or correct the location error.

Abstract: Various embodiments are described herein for a mobile communication device that utilizes a smart battery. The mobile device includes a main processor for controlling the operation of the mobile communication device. The smart battery is coupled to the main processor and provides supply power. The smart battery includes a battery processor for controlling the operation of the smart battery and communicating with the main processor, and a battery module having one or more batteries for providing the supply power. A battery interface is provided for coupling between the main processor and the battery processor for providing communication therebetween. The battery interface comprises a data communication line and protection circuitry for protecting the main processor from electrostatic discharge. A communication protocol is also provided for communication between the main processor and the battery processor.

Abstract: Systems, methods, and devices that integrate a subscriber's communication services, including home wireline communication services, and a service-entity communication services are presented. User equipment (UE) is associated with a subscription for communication services, comprising wireline and wireless communication services, of a subscriber. The UE communicates with an enhanced service management component (ESMC) associated with a service entity to facilitate integration of at least a portion of the subscriber's communication services with the service entity's communication services while the UE is registered with the ESMC.

Abstract: The present invention provides a safe handover method and system which are applied in a handover process of a terminal in the next generation network, wherein the next generation network comprises a handover management module, an authentication server and a terminal. The safe handover method comprises: presetting initial safety parameters in the authentication server and the terminal, and generating safety parameters from the initial safety parameters; the handover management module obtaining the safety parameters; and the handover management module and the terminal interacting with each other by using the generated safety parameters to ensure a communication safety between the two communication parties. The present invention can ensure the communication safety between the terminal and the handover management module.

Abstract: A method of supporting location privacy of a mobile station includes receiving, from a base station, a temporary station identifier (TSTID) during an initial ranging procedure; transmitting a registration request (REG-REQ) message requesting a registration to the base station, the REG-REQ message including a real medium access control (MAC) address of the mobile station; and receiving, from the base station, a registration response (REG-RSP) message including a station identifier (STID) assigned to the mobile station. The TSTID is temporarily used to protect a mapping between the real MAC address of the mobile station and the STID, and the TSTID is used until the STID is assigned to the mobile station.

Abstract: Systems and methods for enhancing the convenience, reliability and security of transactions are provided. In authenticating a user attempting to engage in a transaction, a machine-readable indicia may be optically acquired and a challenge derived therefrom sent to a one-time password (OTP) application running on a mobile or other device. The device may then generate a response OTP using, at least in part, the derived challenge. The response may be read by a user and used in-band or may alternatively be sent by the mobile device out-of-band to an authentication server, which may respond with an authentication response operable to authenticate the user.

Abstract: A system for securing information. The system includes a first tracking device associated with an object or an individual. In one embodiment, the first tracking device generates independently a synchronous secret key and a server generates independently the synchronous secret key. Over an insecure communication channel, the server communicates an asynchronous vector pair encrypted with the synchronous secret key with the tracking device. To securely communicate information, messages are encrypted and decrypted using the asynchronous vector pair between the tracking device and the server. To further secure message information, a set of random numbers may be further utilized with the asynchronous vector pair to further encrypt and decrypt the messages communicated between the tracking device and the server.

Abstract: The present invention relates to a subscriber station security-related parameter negotiation method in a wireless portable Internet system. The subscriber station security-related parameter negotiation method includes security-related parameters in transmitting/receiving basic capability negotiation request messages and basic capability negotiation response messages such that the subscriber station and the base station negotiate the subscriber station security-related parameters. The security-related parameters include an authorization policy support subfield used to negotiate an authorization policy between the subscriber station and the base station, and message authentication code mode subfields used to negotiate a message authentication code mode.

Abstract: A user equipment (UE) device that is able to engage in multiple security contexts contains a key generator to generate one or more authentication keys for authentication of the UE device in a particular security context and a component configured to facilitate storing of the authentication keys in a subscriber identity module (SIM) if an elementary file (EF) structure for the particular security context is available in the SIM and to facilitate storing of the authentication keys in a nonvolatile memory (NVM) of the UE device if the EF structure is not found in the SIM.

Abstract: The contemplated embodiments of the invention provide a method for implementing a mandatory integrity control (MIC) system that provides access control for each and every object and subject that need access control, but in a way that allows legacy operating systems to continue with little modification. The invention provides a novel method that selects an integrity level designator for a subject, when the subject logs onto the computer system. The selected integrity level designator is then added to an existing data structure in the computer system. The existing data structure may be a part of a security descriptor stored in a system access control list of an object. The existing data structure may be a part of a list of security permissions that constitute an access token for a process executing as a subject.

Abstract: The present invention is directed to a game apparatus, system and method for improving in-game communications, more specifically a game apparatus, system and method for allowing players to dynamically transmit and receive communications in real-time from their coaches and/or other players on or off the field concerning game play instructions to be effected on the field or court. The system and method of the invention includes a headgear being provided to at least one player, where the headgear includes a game apparatus equipped with a circuit board, electrical wiring, battery, antennae, microprocessor, communications means and displaying means all enclosed within a housing that is affixed to the headgear. The communication means receives in real-time an encrypted signal containing a game play instruction intended for execution on the field during a game.

Abstract: A method for confirming identity of a physical unit (M) in an open, wireless telecommunications network, having the following steps: storing a secret identity (SIMEI) and an open identity (IMEI) in memory in the physical unit (M); receiving an identity request (IR) with a first parameter (CHv) from the testing device (P) at the physical unit (M); generating an electronic signature (SIGt) by means of a first cryptographic function (F3) from the secret identity (SIMEI) and at least the first parameter (CHv) in the physical unit (M), and sending the generated electronic signature (SIGt) and the open identity (IMEI) to a testing device (P); wherein the identity of the physical unit (M) is confirmed if the electronic signature (SIGt) matches a corresponding electronic signature (SIGv) generated by the testing device by application of a first cryptographic function to the secret identity (SIMEI).

Abstract: A method and apparatus for securing location information and access control using the location information are disclosed. A wireless transmit/receive unit (WTRU) includes a location sensing entity and a subscriber identity module (SIM). The location sensing entity generates location information of the WTRU and the location information is embedded in a message in an SIM. A trusted processing module in the WTRU verifies integrity of the location information. The trusted processing module may be on the SIM. The location information may be physical location information or contextual location-related information. The trusted processing module is configured to cryptographically secure and bind the location information to the WTRU, and verify trust metrics of an external entity prior to granting an access to the location information or accepting information from the external entity. The trusted processing module may be a trusted computing group (TCG) trusted platform module (TPM) or mobile trusted module (MTM).

Abstract: A method for generating a network address in a communication network includes at least one user equipment and a network equipment. The method includes: a) providing a same shared secret key both at the at least one user equipment and at the network equipment; and b) generating at least a portion of the network address at the at least one user equipment and at the network equipment based upon at least the shared secret key.

Abstract: Techniques for use in processing user data associated with a user account of a mobile device having an application is described. The mobile device includes a memory and an interface configured to receive a removable memory card. A encryption/decryption key is stored in the memory, but is not stored in the removable memory card. The mobile device regularly receives and stores updates to the user data in the memory for use in the application. For updates to the user data, the mobile device updates a copy of the user data stored in the removable memory card in an encrypted format in accordance with the encryption/decryption key.

Abstract: Inter-Working Function (IWF) for interfacing between a Wireless Local Area Network (WLAN) and a communication system. The IWF may contain sufficient information to authenticate a user access to the WLAN, or the IWF may need to request authentication from the communication system. In one embodiment, the IWF sends an access challenge to the WLAN for a user. The IWF may then pass a response to the challenge on to the communication system for authentication. The IWF allows the WLAN to use the authentication capability of the communication system for local authentication.

Abstract: A method for a server to initiate resynchronization with an access terminal, when synchronization has been lost, that cannot be exploited by attackers is provided. The server may provide the access terminal with a secret key that is only known to the access terminal and the server. The access terminal may store the secret key in a secure storage device to prevent the secret key from being hacked. If the server determines that synchronization has been lost, the server may send a resynchronization message to the access terminal with the secret key attached. The access terminal retrieves the stored secret key from the secure memory device and compares it to the secret key attached to the resynchronization message. If there is a match, the access terminal may initiate a secure communication link with the server to reestablish synchronization.

Abstract: The invention relates to a method for reading at least one attribute stored in an ID token, wherein, where the ID token is associated with a user, having the following steps: the user is authenticated to the ID token, a first computer system is authenticated to the ID token, following successful authentication of the user and the first computer system to the ID token, the first computer system effects read access to the at least one attribute stored in the ID token in order to transmit the at least one attribute, when it has been signed, to a second computer system, where the authentication of the first computer system to the ID token is performed because of an attribute specification, which is received by the first computer system from a third computer system.

Abstract: A system includes a remote authentication dial in user service (RADIUS) server in communication with a network access server. The network access server provides an authentication request to the RADIUS server. The authentication request includes at least a user identifier and a device identifier. The RADIUS server determines an authentication format utilized by the network access server based on the received authentication request. The system may also determine an authorization level to provide with an authentication response.

Abstract: A method for authenticating messages in a communication network includes forming a super message having a plurality of individual messages such that at least two of the individual messages are intended for separate receiving entities. The method further includes creating a message authentication code (MAC) using a private key, such that the MAC is configured to permit authentication of the super message using a public key.

Abstract: There are disclosed systems and methods for authenticating a mobile device by a network and/or for generating one or more keys that can be used for securely transmitting data between the mobile device and the network. In one embodiment, the following operations are performed by a mobile device: (i) the mobile device participates in at least a portion of a key agreement protocol with a network to compute a secret value; (ii) the mobile device obtains a response value derived from the secret value; and (iii) the mobile device sends the response value to a verification entity for use in authenticating the mobile device. There are also disclosed systems and methods for authenticating a network by a mobile device.

Abstract: According to various aspects of this disclosure, a circuit arrangement is provided. The circuit arrangement may include: a memory configured to store a first encryption key for generating a first authentication vector for authentication between a mobile station and a home network of the mobile station; and a key-generator configured to derive a second encryption key from the first encryption key, the second encryption key for generating a second authentication vector for authentication between the mobile station and a visited network.

Abstract: Various embodiments are directed to providing a multi-tiered anti-abuse approach to registration of a mobile device user. A registration service may determine whether communications with the mobile device is through a trusted carrier gateway, and if so, then a mobile device identifier may be used to automatically register the mobile device. Otherwise, a determination may be made whether the mobile device is configured to support a challenge-response image. In one embodiment, such determination may be based, in part, on information received from the mobile device through a user agent, or the like. If the mobile device is capable of supporting a challenge-response image, one may be sent to the mobile device to enable registration. If, however, the mobile device does not support the challenge-response image and the carrier gateway is not trusted, the mobile device may be directed to employ an SMS mechanism to complete registration.

Abstract: Data storage and management systems can be interconnected as clustered systems to distribute data and operational loading. Further, independent clustered storage systems can be associated to form peered clusters. As provided herein, methods and systems for creating and managing intercluster relationships between independent clustered storage systems, allowing the respective independent clustered storage systems to exchange data and distribute management operations between each other while mitigating administrator involvement. Cluster introduction information is provided on a network interface of one or more nodes in a cluster, and intercluster relationships are created between peer clusters. A relationship can be created by initiating contact with a peer using a logical interface, and respective peers retrieving the introduction information provided on the network interface.

Abstract: Methods, interface, and a communication network in a 3GPP network are presented. A user is authenticated and application service rules are binded to the user in GGSN filters ensuring that the correct charging, QoS level or similar function rules apply to the user for specific application services available from both external application service providers and network operator supplied specific services.

Abstract: An authentication system includes a plurality of electronic tags (120, 122, 124) that are each associated with a respective unique identity ID. The tags include a memory (220) with a first memory location (222) for storing a pre-computed challenge and a second memory location (224) for storing a pre-computed response that is associated with the challenge. The first memory location (222) is non-readable from outside the tag. An access circuit (210) only provides the response after having received a challenge that matches the challenge stored in the first memory location. A reader station (110) obtains the identity associated with a tag. It then determines a corresponding challenge and sends the challenge to the tag. It receives a response from the tag and verifies the authenticity of the tag by comparing the received response to a response that corresponds to the challenge.

Abstract: A first terminal subscribes to at least one service using a service guide in which information necessary for reception of each service is stored, and sends the service guide and an identifier (ID) of the subscribed service to a smartcard. The smartcard stores the service guide and the ID of the subscribed service, and sends the service guide and the ID of the subscribed service to a second terminal through a response message to a request message used for acquiring TBK information, received from the second terminal. The second terminal receives the response message by sending the request message to the smartcard, acquires TBK information corresponding to a service that the second terminal intends to play back, from the service guide depending on the subscribed service's ID included in the response message, and acquires the TBK by performing an authentication process using the TBK information.

Abstract: A method and apparatus for providing a secure authentication process is described. In one embodiment, a method for a method for providing a secure authentication process includes monitoring login activity of at least one authentication process associated with a computer resource and analyzing the login activity to identify suspicious login activity associated with user credentials.

Abstract: A communication network provides access to a network service by providing an additional level of authentication beyond device level authentication. Operations include receiving a message at a Bootstrapping Server Function (BSF) from User Equipment (UE) that additional authentication beyond UE authentication is required for UE access to a network service, and performing an authentication protocol between the BSF and a Home Subscriber System (HSS) to authenticate an identity associated with the UE responsive to receiving the message.

Abstract: The present invention relates to a far-end control method with a security mechanism including a host transmitting an identification code through the PSTN (Public switched telephone network) to the I/O control device of the far-end. The I/O control device has a CPU to receive the identification code and judge whether the identification code matches with the predetermined value stored therein; if the identification code matches with the predetermined value, the mobile internet connection between the host and the I/O control device is activated to enable the host to mutually transmit information or signals with a far-end control device from the I/O control device through the mobile internet, and the connection will be disabled after the information or signal transmission is completed.