Visiting Center Patents (Class 380/248)
  • Patent number: 8355672
    Abstract: A Bluetooth host solves the aforementioned problems by evaluating a Bluetooth service provider server ID and by determining which of a plurality of access IDs map to the server ID and, correspondingly, providing a Bluetooth access ID that corresponds thereto. Accordingly, one Bluetooth host may readily gain access to any one of a plurality of different devices and different types of devices. Additionally, the Bluetooth host includes capacity to store and provide additional supporting information according to the type of device that is the Bluetooth service provider. Generally, the Bluetooth host stores a plurality of access or link IDs in relation to a plurality of master device IDs and, upon detecting a beacon, determines what access or link ID to provide and whether to provide additional stored information.
    Type: Grant
    Filed: June 8, 2009
    Date of Patent: January 15, 2013
    Assignee: Broadcom Corporation
    Inventor: James R. Hinsey
  • Patent number: 8356334
    Abstract: An apparatus and methods for securely forwarding data packets at a data switching node in a data transport network is provided. The data switching node maintains a switching database of switching entries. Each switching entry has a modification protection feature preventing its modification when activated. Dynamic topology discovery of data network nodes can be disabled via topology discovery control flags associated with individual physical communications ports of the data switching node. Unknown destination flood data traffic is not replicated to physical communications ports having topology discovery disabled or specifying the suppression of replication of such unknown destination data traffic thereto. The advantages are derived from a data switching node being enabled to operate concurrently in friendly and hostile environments while detecting, preventing and reporting incidences of hostile MAC ADDR attacks.
    Type: Grant
    Filed: May 25, 2001
    Date of Patent: January 15, 2013
    Assignee: Conexant Systems, Inc.
    Inventors: James Ching-Shau Yik, Eric Lin
  • Patent number: 8320880
    Abstract: Apparatus, methods, computer readable media and processors may provide a secure architecture within which a client application on a wireless device may, in some aspects, exchange information securely with resident device resources, and in other aspects, with a remote server over a wireless network.
    Type: Grant
    Filed: May 19, 2006
    Date of Patent: November 27, 2012
    Assignee: QUALCOMM Incorporated
    Inventors: Kenny Fok, Eric Chi Chung Yip
  • Patent number: 8291222
    Abstract: The use of suitable measures in a method for agreeing on a security key between at least one first and one second communication station to secure a communication link is improved so that the security level for the communication is increased and the improved method can be combined with already available methods. A first parameter is determined from an authentication and key derivation protocol. In addition, an additional parameter is sent securely from the second to the first communications station. A security key is then determined from the first parameter and the additional parameter.
    Type: Grant
    Filed: April 10, 2006
    Date of Patent: October 16, 2012
    Assignee: Siemens Aktiengesellschaft
    Inventors: Marc Blommaert, Günther Horn
  • Patent number: 8281124
    Abstract: A network apparatus which is connected to a network is disclosed. The network apparatus includes a managing unit which manages an address range in which addresses to be allocated to a destination network apparatus are registered and encryption parameters for encrypting data to be transmitted to the destination network apparatus so that the address range and the encryption parameters are related to each other, an address generating unit which generates an address for the destination network apparatus by selecting an address in the address range, and an encryption unit which encrypts the data to be transmitted to the address generated by the address generating unit based on the encryption parameters.
    Type: Grant
    Filed: March 12, 2007
    Date of Patent: October 2, 2012
    Assignee: Ricoh Company, Ltd.
    Inventor: Hiroshi Tamura
  • Patent number: 8280053
    Abstract: A method which improves the security of the authentication between two entities in a telecommunication network, and particularly between a mobile terminal and the fixed network, notably visitor location and nominal recorders and an authentication center, in a cellular radiotelephony network. Prior to a first authentication of the terminal, and more precisely of the SIM card therein, by the fixed network, a second authentication is based on an algorithm in which there are entered a random number produced and transmitted by the fixed network and a key different from the key for the first authentication. A transmitted signature and a signature result are produced by the fixed network and the terminal, and compared in the terminal in order to enable the first authentication in the event of equality.
    Type: Grant
    Filed: February 22, 2000
    Date of Patent: October 2, 2012
    Assignee: Gemalto SA
    Inventors: Jean-Luc Giraud, Nathalie Boulet
  • Patent number: 8275355
    Abstract: The present invention provides a method for a roaming user to establish security association with the application server in the visited network. When receiving the service request from the roaming user, the application server in the visited network establishes security association with the roaming user by making use of the authentication results of the generic authentication architecture in the home network via the BSF in the local network, or the generic authentication architecture proxy in the local network, or the AAA server in the local network and the AAA server in the roaming user's home network, so as to achieve the object that the roaming user is able to use the services of the visited network after authentication of the generic authentication architecture in his home network.
    Type: Grant
    Filed: March 24, 2005
    Date of Patent: September 25, 2012
    Assignee: Huawei Technologies Co., Ltd.
    Inventors: Yingxin Huang, Wenlin Zhang
  • Patent number: 8249557
    Abstract: A mobile phone includes a fingerprint input unit, a storage unit, a switch unit, and a control unit. The fingerprint input unit is used to read and record fingerprint information of a user, and output the fingerprint information. The storage unit stores a fingerprint mode. The switch unit is connected to a power on/off terminal of the mobile phone. The control unit is used to receive the fingerprint information and compare the received fingerprint information with the stored fingerprint mode. If the received fingerprint information is not consistent with the stored fingerprint mode and the mobile phone is at a power-off state, the control unit outputs a first control signal to control switch unit to keep the mobile phone being at the power-off state.
    Type: Grant
    Filed: August 31, 2010
    Date of Patent: August 21, 2012
    Assignees: Hong Fu Jin Precision Industry (ShenZhen) Co., Ltd., Hon Hai Precision Industry Co., Ltd.
    Inventors: Yun-Shan Xiao, Hai-Qing Zhou, Song-Lin Tong
  • Patent number: 8230485
    Abstract: A system and method for controlling access to a computer provides for loose security within a local network while retaining strong security against external access to the network. In one embodiment, a user has access to trusted nodes in a secured group within an unmanaged network, without being required to choose, enter and remember a login password. To establish such a secure blank password or one-click logon account for the user on a computer, a strong random password is generated and stored, and the account is designated as a blank password account. If the device is part of a secured network group, the strong random password is replicated to the other trusted nodes. When a user with a blank password account wishes to log in to a computer, the stored strong random password is retrieved and the user is authenticated.
    Type: Grant
    Filed: September 15, 2004
    Date of Patent: July 24, 2012
    Assignee: Microsoft Corporation
    Inventors: Sterling M. Reasor, Ramesh Chinta, Paul J. Leach, John E. Brezak, Eric R. Flo
  • Patent number: 8213903
    Abstract: A mobile telecommunications network and method of operation that includes establishing a first user plane connection between a telecommunications device registered with the network and a network gateway device of the network via a first access point; providing the telecommunications device with a token using the first user plane connection; establishing a second user plane connection between the telecommunications device and the network gateway device via a second access point by using the token information to validate the telecommunications device; and, subsequent to establishment of and corresponding to the second user plane connection, establishing a control plane connection between the telecommunications device and the network gateway device via the second access point.
    Type: Grant
    Filed: April 26, 2006
    Date of Patent: July 3, 2012
    Assignee: Vodafone Group PLC
    Inventors: Christopher David Pudney, David Andrew Fox, Peter Howard
  • Patent number: 8205250
    Abstract: A method of validating a digital certificate comprises retrieving from a first data store a digital certificate, retrieving from a second data store a plurality of certificate revocation lists (CRLs), and selecting one of the plurality of CRLs to validate the digital certificate as of a date which is before the current date.
    Type: Grant
    Filed: July 13, 2007
    Date of Patent: June 19, 2012
    Assignee: NCR Corporation
    Inventors: Andrew R. Blaikie, Gene R. Franklin, Peter J. Hendsbee, Jane A. S. Hunter, Jeewhoon Park
  • Patent number: 8201261
    Abstract: A system and method for the secure storage of data in a network. Data stored on a primary server connected to the network is initially encrypted. The IP address of the primary server is sent to a second server, via the network, and a communication is received from the second server indicating pending instructions. If the instructions indicate that theft of the primary server has occurred, then the data stored on the primary server is re-encrypted and the IP address of the primary server is sent to the second server. If attempted unauthorized access of the primary server is determined, and a predetermined number of consecutive unauthorized attempts to access the primary server are made, then the data stored on the primary server is erased.
    Type: Grant
    Filed: April 27, 2009
    Date of Patent: June 12, 2012
    Inventors: Chase Barfield, Jason Cornell, Jeff Arbour
  • Patent number: 8195233
    Abstract: Methods and devices for allowing a wireless communication device (1301) initially unauthorized for communication with a network to obtain persistent soft network subscription credential information (1303) from a wireless communication device (1401) initially authorized for communication with the network are disclosed. In performing the persistent transfer of the soft network subscription credential information (1303), one of a token management module (1312), a session initiation protocol communication module (1408), or an electronic rights manager (1406) may be used to ensure that only one communication device is capable of communicating with a network at any one time.
    Type: Grant
    Filed: July 30, 2007
    Date of Patent: June 5, 2012
    Assignee: Motorola Mobility, Inc.
    Inventors: James J. Morikuni, Bashar Jano
  • Patent number: 8196180
    Abstract: A system and method for providing roaming access on a network are disclosed. The network includes a plurality of wireless and/or wired access points. A user may access the network by using client software on a client computer (e.g., a portable computing device) to initiate an access procedure. In response, a network management device operated by a network provider may return an activation response message to the client. The client may send the user's username and password to the network provider. The network provider may rely on a roaming partner, another network provider with whom the user subscribes for internet access, for authentication of the user. Industry-standard methods such as RADIUS, CHAP, or EAP may be used for authentication. The providers may exchange pricing and service information and account information for the authentication session. A customer may select a pricing and service option from a list of available options.
    Type: Grant
    Filed: November 3, 2006
    Date of Patent: June 5, 2012
    Inventors: James D. Keeler, Matthew M. Krenzer
  • Patent number: 8190126
    Abstract: A communication device having a secret mode enters the secret mode in response to receiving a secret mode access key. In the secret mode, the communication device receives a first instruction to handle a covert communication source in the secret mode. The communication device receives a second instruction to exit the secret mode. After exiting the secret mode, and in response to the first instruction, the communication device provides a covert communication alert for an incoming communication from the covert communication source. The communication device provides overt communication alerts for incoming communications from overt communication sources.
    Type: Grant
    Filed: April 1, 2008
    Date of Patent: May 29, 2012
    Assignee: Sprint Communications Company L.P.
    Inventors: Jason Kent Whitney, Michael T. Lundy
  • Patent number: 8190146
    Abstract: A method is provided for connecting a wireless local network (WLAN) to a UMTS terminal station (ME) having USIM/USAT functionality, including the following method steps: monitoring the activity of the local network via the terminal station; transmitting the type and/or identity number of the local network to the terminal station once the activity of the local network has been successfully detected; initiating a logical link between the local network and the terminal station, and; querying the specific subscriber data of the local network. In an embodiment of the present invention, the temporary status of the local network and/or specific subscriber data of the local network are/is queried at periodic intervals.
    Type: Grant
    Filed: June 11, 2003
    Date of Patent: May 29, 2012
    Assignee: Siemens Aktiengesellschaft
    Inventors: Mark Beckmann, Hyung-Nam Choi, Sabine Van Niekerk
  • Patent number: 8190128
    Abstract: A method and system are described for operating a source communication device. The source communication device receives a first request from a user through a user interface requesting a first communication session with a target communication device. The source communication device transfers a first signal to a network requesting the first communication session with the target communication device, wherein the target communication device provides an overt communication alert for the first communication session. The source communication device receives a second request from the user requesting a second communication session requesting that the target communication device provide a covert communication alert for the second communication session.
    Type: Grant
    Filed: February 10, 2009
    Date of Patent: May 29, 2012
    Assignee: Sprint Communications Company L. P.
    Inventors: Michael T. Lundy, Jason Kent Whitney, Jason R. Delker, John Michael Everson
  • Patent number: 8180323
    Abstract: A module dual mode device architecture and method of use is disclosed. The system architecture provides a distributed design of an IEEE 802.11i compliant supplicant module that provides security to data/voice packets sent over the wireless local area network (“WLAN”) radio interface from a dual mode device to an access point. The dual mode device establishes a connection with the access point and if the access point is security enabled, one or more session keys are generated. The session keys are used to provide security for communications over the radio interface between the dual mode device and the access point.
    Type: Grant
    Filed: April 9, 2007
    Date of Patent: May 15, 2012
    Assignee: KYOCERA Corporation
    Inventors: Subramanya Ravikanth Uppala, Rama Moorthy Kuvethanda, Brajabasi Padhy
  • Patent number: 8166523
    Abstract: An authentication device that the user wears reads biometrics information and executes individual authentication by verification. Only when the individual authentication has been successfully performed, authentication with an external unit (such as a server) can be started. Then, only when both the individual authentication based on the biometrics information and the mutual authentication between the external unit (such as a server) and the authentication device have been successfully performed, subsequent data processing, such as payment processing, can be executed. Therefore, even if a fraudulent third party uses a stolen authentication device, because the party cannot satisfy the start condition of authentication with the external server or a PC, fraudulent transactions and other illegitimate behaviors are effectively prevented.
    Type: Grant
    Filed: August 13, 2002
    Date of Patent: April 24, 2012
    Assignee: Sony Corporation
    Inventors: Tadashi Ezaki, Akira Iga
  • Patent number: 8161278
    Abstract: A technique for improving authentication speed when a client roams from a first authentication domain to a second authentication domain involves coupling authenticators associated with the first and second authentication domains to an authentication server. A system according to the technique may include, for example, a first authenticator using an encryption key to ensure secure network communication, a second authenticator using the same encryption key to ensure secure network communication, and a server coupled to the first authenticator and the second authenticator wherein the server distributes, to the first authenticator and the second authenticator, information to extract the encryption key from messages that a client sends to the first authenticator and the second authenticator.
    Type: Grant
    Filed: March 10, 2009
    Date of Patent: April 17, 2012
    Assignee: Trapeze Networks, Inc.
    Inventor: Dan Harkins
  • Patent number: 8099368
    Abstract: A transaction processing service operates as an intermediary between acquirers of financial transaction requests and issuing institutions that process the financial transaction requests. The intermediary service utilizes a customer's mobile device as an out-of-band communication channel to notify a customer of a received financial transaction request. To send the notification, the intermediary service retrieves stored customer information, including an address of the customer's mobile device and a list of payment instruments that can be used to pay for the transaction. Before continuing to process the received financial transaction request, the service may first require the customer to confirm the transaction via the mobile device. The intermediary service retrieves financial account information associated with the customer from issuing institutions, and, if the transaction is confirmed, provides the account information to acquirers in order to allow transactions to be processed.
    Type: Grant
    Filed: September 10, 2009
    Date of Patent: January 17, 2012
    Assignee: FonWallet Transaction Solutions, Inc.
    Inventors: Todd R. Coulter, Mordechai E. Kaplinsky, Christopher E. Lewis
  • Patent number: 8099772
    Abstract: When transmitting position/time information calculated by means of a GPS function to a server apparatus, authentication is carried out with the server apparatus. The position/time information may be certified as legitimate measured by a portable apparatus with a GPS reception function employed by a user. When transmitting information related to the position and the time acquired from a portable phone terminal having the GPS function and a network function by means of the GPS function to the server apparatus, authentication is carried out between the portable phone terminal and the server apparatus. The position/time information is transmitted to the server apparatus, only if the server apparatus is authenticated as a legitimate counterpart for connection. A secret key holding section is provided for holding different secret keys for different apparatuses.
    Type: Grant
    Filed: May 28, 2008
    Date of Patent: January 17, 2012
    Assignee: Sony Corporation
    Inventors: Masayuki Takada, Takayasu Muto
  • Patent number: 8095962
    Abstract: Method and system of auditing databases for security compliance. The method and system relating to querying databases for security parameters and auditing the queried parameters against authorized security parameters to determine security compliance of the databases.
    Type: Grant
    Filed: February 17, 2005
    Date of Patent: January 10, 2012
    Assignee: AT&T Intellectual Property I, L.P.
    Inventor: Kirk Condon
  • Patent number: 8095132
    Abstract: A data processing device including a microcontroller and configured to communicate with at least one remote system distributed on a network. The data processing device and the remote system are adapted to store a plurality of parameters identifying a user account belonging to a subscriber. The data processing device comprises a one-time parameter comprising the active account attached to the device designed for a one-time use, and a permanent parameter identifying an account attached to the data processing device, the permanent parameter being deactivated. The one-time and permanent parameter are stored in the at least one remote system, and the microcontroller is programmed to: use the one-time parameter to logon to the network when the data processing device is switched on; and exchanges the one-time parameter with the permanent parameter, upon successful logon to the network, the permanent parameter becoming the permanent active account.
    Type: Grant
    Filed: May 18, 2004
    Date of Patent: January 10, 2012
    Assignee: Axalto S.A.
    Inventors: Diana Cheng, Michael Wai
  • Patent number: 8081759
    Abstract: An apparatus, system, computer-readable medium, and method to facilitate quick transition of communications of a mobile station between network stations of a radio communication system, such as a WLAN operable to a variant of an IEEE 802 operating specification, is provided. Implementations of embodiments described herein reduce the transition duration by a pre-keying mechanism that performs authentication procedures prior to commencement of reassociation procedures. In other embodiments, a mobile station is allowed to select whether to perform pre-keying processes over an air interface with a target transition access point or whether to perform the pre-keying processes over a distribution system.
    Type: Grant
    Filed: September 15, 2005
    Date of Patent: December 20, 2011
    Assignee: Nokia Corporation
    Inventors: Stefano Faccin, Jonathan P. Edney
  • Patent number: 8051464
    Abstract: A method for provisioning client devices securely and automatically by means of a network provisioning system is disclosed. Provisioning occurs before the client is granted access to the network. The provisioning is determined dynamically at the time a client connects to the network and may depend on a multitude of factors specified by data dictionaries of the provisioning system.
    Type: Grant
    Filed: December 19, 2007
    Date of Patent: November 1, 2011
    Assignee: Avenda Systems, Inc.
    Inventors: Santhosh Cheeniyil, Krishna Prabhakar
  • Patent number: 8032748
    Abstract: A chip card needs to be allocated in a secured manner to a network operator via a personalization center in order to determine a final authentication key which is attributed to a subscriber of the operator without its being transmitted via a network. The following is loaded into a card by a module: an algorithm and an allocation key; an algorithm for determination of the authentication key and at least one intermediate authentication key. A module transmits an allocation message which includes a final identity number, a random number and an allocation signature from the center to the card. The card authenticates the message by means of the allocation algorithm as a function of the allocation key and the allocation signature, and determines the final authentication key as a function of the intermediate key and the random number.
    Type: Grant
    Filed: December 6, 2005
    Date of Patent: October 4, 2011
    Assignee: Gemalto SA
    Inventors: Lionel Merrien, Gary Chew, Max De Groot
  • Patent number: 7983418
    Abstract: A basic idea is to use the AAA infrastructure to assign (S3) an appropriate DHCP server to DHCP client for the DHCP service, and transferring DHCP-related information over the AAA infrastructure for authenticating (S1) and authorizing (S4) the DHCP client for DHCP service with the assigned DHCP server. Instead of the more complex DHCP server discovery process known from the prior art, the AAA infrastructure, and more particularly a suitable AAA server or equivalent AAA component, is used for assigning an appropriate DHCP server to the DHCP client. Consequently, there is no longer any mandatory dependency on the DHCP discovery-related messages. The invention preferably provides AAA protocol support for facilitating assignment of appropriate DHCP servers and providing an out-of-band key agreement protocol for DHCP clients and servers by carrying DHCP related information facilitating the bootstrapping of DHCP authentication extension (RFC3118).
    Type: Grant
    Filed: December 10, 2004
    Date of Patent: July 19, 2011
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Johnson Oyama, Ryoji Kato
  • Patent number: 7983227
    Abstract: In the conventional network using the PPP stipulated by RFC1661, the LCP phase to establish an LCP link, the authentication phase, and the NCP phase such as address assignment processing of the NCP are sequentially conducted each time the line connection is performed, and hence the connection takes a certain period of time. In particular, in the case of the mobile communication, there is often performed operation in which connection and disconnection are frequently conducted in a short period of time, and hence when the operation up to the connection takes a long period of time, the usability is deteriorated. Therefore, a need exists for a configuration of an apparatus and a communication method to reduce the connection time.
    Type: Grant
    Filed: February 22, 2005
    Date of Patent: July 19, 2011
    Assignee: Hitachi, Ltd.
    Inventors: Naruhito Nakahara, Hitomi Teraoka
  • Patent number: 7983656
    Abstract: A system that incorporates teachings of the present disclosure may include, for example, a server having a controller to implement an Elliptic Curve Diffie-Hellman (ECDH) cryptosystem and manage a key exchange, authentication, and certificate exchange with a communication device also implementing the ECDH cryptosystem, wherein the server communicates over a network that provides an encrypted communication link for the communication device. Other embodiments are disclosed.
    Type: Grant
    Filed: September 12, 2007
    Date of Patent: July 19, 2011
    Assignee: AT&T Intellectual Property I, L.P.
    Inventors: Nam Nguyen, Donggen Zhang, Paul Tomalenas
  • Patent number: 7970380
    Abstract: A method in a communication network wherein users are authenticated based on network originated user identities is disclosed. The authentication method comprising the steps of receiving a network originated identity from a user and associating the network originated identity with at least one non-network originated identity stored in a data storage. When a non-network originated identity is received from the user, the non-network originated identity from the user is compared with the at least one non-network originated identity from the data storage. The user is authenticated if the comparison is valid.
    Type: Grant
    Filed: June 7, 2005
    Date of Patent: June 28, 2011
    Assignee: Nokia Corporation
    Inventor: Lauri Laitinen
  • Patent number: 7962122
    Abstract: A method of securely initializing subscriber and security data in a mobile routing system when the subscribers are also subscribers of a radio communication network. The method comprises, within the mobile routing system, authenticating subscribers to the mobile routing system using an authentication procedure defined for the radio communication network, collecting subscriber information from relevant nodes of the radio network, and agreeing upon keys by which further communications between the subscribers and the mobile routing system can take place, and using the subscriber information and keys in the provision of mobility services to subscriber mobile nodes and correspondent nodes.
    Type: Grant
    Filed: May 21, 2004
    Date of Patent: June 14, 2011
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Pekka Nikander, Jari Arkko
  • Patent number: 7941121
    Abstract: The invention discloses a method for verifying the validity of a user, making full use of a TID as the bridge for establishing confidence between a NAF and a user equipment, and the BSF assigning a term of validity for the TID, thereby extending the function of the TID, enabling the NAF to verify the term of validity for using the TID, and accordingly, achieving a further verification of the validity to the user. By using the method of the invention, it is possible to avoid the situation in which one TID is permanently valid for one or more NAFs, enhance the system security, decrease the risks caused by the theft of users' TID and corresponding secret keys, and at the same time, implement TID management by the NAF. In addition, a combination of the method with billing system makes it easy to implement the function of charging a user.
    Type: Grant
    Filed: April 28, 2006
    Date of Patent: May 10, 2011
    Assignee: Huawei Technologies Co., Ltd.
    Inventor: Yingxin Huang
  • Patent number: 7929959
    Abstract: Systems and methods for activating a mobile device for use with a service provider are described. In one exemplary method, a mobile device having a currently inserted SIM card may be prepared for activation using a signing process in which an activation server generates a signed activation ticket that uniquely corresponds to the combination of the device and SIM card, and that is securely stored on the mobile device. In another exemplary method the mobile device may be activated in an activation process in which the device verifies an activation ticket against information specific to the device and SIM card, and initiates activation when the verification of the activation ticket is successful.
    Type: Grant
    Filed: September 1, 2007
    Date of Patent: April 19, 2011
    Assignee: Apple Inc.
    Inventors: Dallas De Atley, Jeffrey Bush, Jerry Hauck, Ronald Keryuan Huang, Brainerd Sathianathan
  • Patent number: 7917941
    Abstract: A system and method for providing security for an Internet server. The system comprises: a logical security system for processing login and password data received from a client device during a server session in order to authenticate a user; and a physical security system for processing Internet protocol (IP) address information of the client device in order to authenticate the client device for the duration of the server session.
    Type: Grant
    Filed: September 22, 2003
    Date of Patent: March 29, 2011
    Assignee: International Business Machines Corporation
    Inventor: Bruce Wallman
  • Patent number: 7913308
    Abstract: A solution for a remote service provider outside a customer's controlled network to reference an object of service (OOS) that is part of the customer's controlled network using a globally unique identifier (GUID) which is derived independently of network information associated with the OOS. A GUID generator module within the customer's controlled network generates a GUID for each device in the customer's controlled network and stores each GUID with a reference to its network information (e.g., IP address, host name) in a lookup datastore accessible by an object of service management system (OOS) within the customer's controlled network. For service instances (e.g., data harvesting, software upgrades), the OOS management module sends the GUID in lieu of network information for the OOS. Thus the remote service provider can uniquely identify a device and reference it in a customer's network without the security implications of transferring customer network information outside the customer's network.
    Type: Grant
    Filed: October 31, 2005
    Date of Patent: March 22, 2011
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventor: Michael J. Hardcastle
  • Patent number: 7882346
    Abstract: This invention proposes an integrated process for AAA (Authentication, Authorisation, and Accounting) with the order reversed whereby L2 follows L3. The L3 process treats the wireless link as any normal IP access link, and the L3 authorisation provides L3 processing, but also includes the L2 terminal authentication identifiers so that the L2 security parameters can also be returned. This means that the wireless link and the IP layer are not secured until after the L3 authorisation has completed and therefore the first IP messages that trigger authorisation are sent insecurely. This invention also provides methods to avoid these insecure messages presenting any opportunities to an attacker. Finally, the inventions include methods to enable L3 before L2 authorisation when a user is roaming in a foreign network.
    Type: Grant
    Filed: May 9, 2003
    Date of Patent: February 1, 2011
    Assignee: QUALCOMM Incorporated
    Inventors: Alan O'Neill, Michaela Vanderveen, George Tsirtsis, Vincent Park
  • Patent number: 7869793
    Abstract: A method and apparatus for preventing unauthorized use of a mobile terminal are provided, in which an execution code processor decrypts a Mobile Phone Certificate (MPC) using an MPC decryption code stored in it, when the mobile terminal is booted, an MPC processor compares a pre-stored MPC decryption execution code with the MPC decryption execution code, compares a pre-stored MPC encryption key with an MPC encryption key stored in the execution code processor. When the MPC decryption execution codes are identical, sets data required for an initial operation of the mobile terminal using an MPC management execution code included in a pre-stored MPC. When the MPC encryption keys are identical, decrypts Secured Code (SCode) blocks for execution of an application program, after executing the MPC management execution code. The execution code processor performs an operation program of the mobile terminal using the MPC management execution code and the decrypted SCode blocks.
    Type: Grant
    Filed: October 31, 2007
    Date of Patent: January 11, 2011
    Assignee: Samsung Electronics Co., Ltd
    Inventors: Seong-Woo Ahn, Sang-Min Bae, Jin-Taek Noh
  • Patent number: 7856655
    Abstract: A system is provided for establishing a secure link among multiple users on a single machine with a remote machine. The system includes a subsystem to filter traffic so that traffic from each user is separate. The subsystem generates and associates a Security Association (SA) with at least one filter corresponding to the user and the traffic, and employs the SA to establish the secure link. An Internet Key Exchange module and a policy module may be included to generate and associate the security association, wherein the policy module is configured via Internet Protocol Security (IPSEC).
    Type: Grant
    Filed: June 30, 2004
    Date of Patent: December 21, 2010
    Assignee: Microsoft Corporation
    Inventors: Brian D. Swander, Bernard D. Aboba
  • Patent number: 7840008
    Abstract: A decryption apparatus (109) comprises a key stream generator (111) generating a local decryption key stream. It furthermore comprises a synchronization value receiver (201) receiving key stream synchronization values. A synchronization processor (203) implements a state machine which may operate in a synchronized state (303) wherein the communication is decrypted using the local key stream, a non-synchronized state (301) wherein the local key stream is not synchronized, or in an uncertain synchronization state (305) wherein the communication is decrypted using the local key stream and wherein the local key stream is synchronized to each new received synchronization value. The synchronization processor (203) furthermore comprises a transition controller (213) operable to transition from the synchronized state to the non-synchronized state in response to a first criterion and to the uncertain synchronization state in response to a second criterion.
    Type: Grant
    Filed: October 6, 2006
    Date of Patent: November 23, 2010
    Assignee: Motorola, Inc.
    Inventor: Kristian Gronkjaer Pedersen
  • Patent number: 7796974
    Abstract: An apparatus for activating a cellular telephone within a cellular telecommunications network. A PCMCIA card interacts with a controller to display required programming information and questions. A user of the cellular telephone inputs responses to questions on a display. The user responses are transmitted to a system administrator at a customer activation center via a mobile telephone switching office in the cellular telecommunications network. The system administrator provides any necessary information for activating the cellular telephone. In an alternative embodiment of the invention, a personal computer is connected to the cellular telephone and the PCMCIA card is connected to the personal computer. Information for the user may be shown on either the display of the cellular telephone or on a display of the personal computer. The user may input information and responses to questions via a user input device provided as part of the display or as part of the personal computer.
    Type: Grant
    Filed: December 2, 2008
    Date of Patent: September 14, 2010
    Assignee: AT&T Intellectual Property I, L.P.
    Inventors: Gregory Clyde Griffith, Richard Allen Guidotti, David A. Saitta, Daniel P. Norman
  • Patent number: 7751567
    Abstract: Methods and apparatus are presented for providing local authentication of subscribers traveling outside their home systems. A subscriber identification token 230 provides authentication support by generating a signature 370 based upon a key that is held secret from a mobile unit 220. A mobile unit 220 that is programmed to wrongfully retain keys from a subscriber identification token 230 after a subscriber has removed his or her token is prevented from subsequently accessing the subscriber's account.
    Type: Grant
    Filed: June 1, 2005
    Date of Patent: July 6, 2010
    Assignee: QUALCOMM Incorporated
    Inventors: Roy F. Quick, Jr., Gregory G. Rose
  • Publication number: 20100158248
    Abstract: Data forwarded from forward units (133 and 134) of eNodeBs (113 and 114) is decrypted by encryptor (115) which encrypts data to be transmitted to UE (121) via eNodeBs (113 and 114) of Evolved CN (111) and which is to be transmitted as forwarding data from Evolved CN (111) to CN (101).
    Type: Application
    Filed: November 30, 2006
    Publication date: June 24, 2010
    Applicant: NEC CORPORATION
    Inventor: Jun Nagata
  • Patent number: 7721087
    Abstract: Mobile device user interface techniques are disclosed that can run across multiple platforms. These techniques allow for unobtrusive and intuitive communication with the user of the mobile device. For instance, one particular embodiment of the present invention allows a security product executing on a mobile device to use SMS-like messages to alert the user of the security status of the device, and more generally that security products (e.g., anti-virus, anti-spyware, email scanning, and/or intrusion detection) are actively protecting his/her device. A non-platform-user-interface dependent means of providing such alerts is also provided.
    Type: Grant
    Filed: March 24, 2006
    Date of Patent: May 18, 2010
    Assignee: Symantec Corporation
    Inventor: Daniel DiPasquo
  • Patent number: 7698735
    Abstract: A method and system for using an Internet client's local authentication mechanism in systems having updated browser code, so as to enable third party authentication according to an authentication scheme specified by a participating server on clients with updated browser code, while not breaking clients with legacy browser code. A redirect response from a server has authentication data added thereto such that updated browser code can detect the data's presence and enable the use of local security mechanisms for authentication purposes with the server-specified authentication scheme, including local credential entry for verification at a third party login server. At the same time, if such a redirect response is received by prior browser code, the added data is ignored while conventional redirection occurs, such that third party authentication may be performed via redirection to a third party's Internet page that provides a form for credential entry.
    Type: Grant
    Filed: April 24, 2006
    Date of Patent: April 13, 2010
    Assignee: Microsoft Corporation
    Inventors: Rajeev Dujari, Biao Wang, John M. Hawkins, Yordan Rouskov, Samim Erdogan
  • Patent number: 7698739
    Abstract: In one embodiment, the present invention includes a method to initiate updating of a second portion of a system if a value indicates that the system is in a trusted state. In such an embodiment, a first portion of the system may validate updated code before the second portion of the system is updated. In one such embodiment, the first portion may be an applications portion and the second portion may be a communications portion of a wireless device.
    Type: Grant
    Filed: March 30, 2004
    Date of Patent: April 13, 2010
    Assignee: Marvell International Ltd.
    Inventor: Robert Hasbun
  • Patent number: 7685071
    Abstract: A mobile communication terminal moves and backs up a content, which was downloaded from a content server, to a personal computer. When the mobile communication terminal receives an encryption key generation request from the personal computer via a cable, the mobile communication terminal extracts information to be used for generating the encryption key and generates the encryption key by using the extracted information and its own telephone number. The generated encryption key is then transmitted to the personal computer via the cable. Accordingly, the backed up and moved content can be reproduced with the personal computer.
    Type: Grant
    Filed: April 18, 2006
    Date of Patent: March 23, 2010
    Assignee: Kabushiki Kaisha Toshiba
    Inventors: Toru Terauchi, Jun Sato, Keiko Watanabe
  • Patent number: 7673328
    Abstract: A network system includes a plurality of individual Internet service providers each having access points, and a parallel Internet service provider connected to the plurality of individual Internet service providers, the individual Internet service providers and the parallel Internet service provider each include an authentication server. When the access point of a provider receives a connection request from a user who contracts with the parallel service provider, the provider transfers a connection ID and a password to an authentication server of the parallel Internet service provider to perform user authentication. When a result of the authentication is good, the user terminal is connected to the user terminal through the access point.
    Type: Grant
    Filed: September 28, 1999
    Date of Patent: March 2, 2010
    Assignee: Kojima Co., Ltd.
    Inventor: Akitoshi Kojima
  • Publication number: 20100040230
    Abstract: Techniques are described for enabling authentication and/or key agreement between communications network stations and service networks. The techniques described include the negotiation and use of a cryptographic primitive shared between a service network and a home environment of a station. The techniques described also feature a key usage indicator, such as a sequence number, maintained by the service network and a station. Comparison of the key usage indicators can, for example, permit efficient authentication of the service network.
    Type: Application
    Filed: October 20, 2009
    Publication date: February 18, 2010
    Applicant: VERIZON LABORATORIES INC.
    Inventor: Christopher Paul CARROLL
  • Patent number: 7644433
    Abstract: An interactive client-server authentication system and method are based on Random Partial Pattern Recognition algorithm (RPPR). In RPPR, an ordered set of data fields is stored for a client to be authenticated in secure memory. An authentication server presents a clue to the client via a communication medium, such as positions in the ordered set of a random subset of data fields from the ordered set. The client enters input data in multiple fields according to the clue, and the server accepts the input data from the client via a data communication medium. The input data corresponds to the field contents for the data fields at the identified positions of the random subset of data fields. The server then determines whether the input data matches the field contents of corresponding data fields in a random subset.
    Type: Grant
    Filed: December 23, 2002
    Date of Patent: January 5, 2010
    Assignee: Authernative, Inc.
    Inventor: Len L. Mizrah