Including Hand-off Based Cryptographic Alteration Patents (Class 380/272)
  • Patent number: 11936757
    Abstract: A method is provided to control deployment of an application over a network in response to a client request sent over the network to access the application comprising: capturing at one or more first computing machines coupled to the network, an identifier of the requested application from the client request; sending information over the network from the one or more first computing machines coupled to the network to one or more second machines coupled to the network, wherein the information identifies the requested application and identifies a network address of an edge node at which to deploy the requested application; receiving the information at the one or more second machines coupled to the network; and causing by the one or more second machines coupled to the network, deployment of the application over the network to the edge node at the identified network address, based at least in part upon the received information.
    Type: Grant
    Filed: May 9, 2022
    Date of Patent: March 19, 2024
    Assignee: Rafay Systems, Inc.
    Inventors: Stephan Benny, Bheema Sarat Chandra Kaki, Haseeb Siddique Budhani, Chaitanya Srikrishna Angadala, Shashank Krishna Pachava
  • Patent number: 11870803
    Abstract: The disclosure relates to methods for establishing a secure communication link between a mobile station and a secondary base station in a mobile communication system. The disclosure also provides a mobile communication system for performing these methods, and computer readable media the instructions of which cause the mobile communication system to perform the methods described herein. Specifically, the disclosure suggests that in response to the detected or signaled potential security breach, the master base station increments a freshness counter for re-initializing the communication between the mobile station and the secondary base station; and the mobile station and the secondary base station re-initialize the communication therebetween. The re-initialization is performed under the control of the master base station and further includes deriving a same security key based on said incremented freshness counter, and establishing the secure communication link utilizing the same, derived security key.
    Type: Grant
    Filed: August 30, 2022
    Date of Patent: January 9, 2024
    Assignee: Sun Patent Trust
    Inventors: Prateek Basu Mallick, Joachim Loehr
  • Patent number: 11576092
    Abstract: A handover handling method and apparatus applied to a scenario in which user equipment (UE) is handed over from a first access and management function (AMF) to a second AMF, and where the method includes receiving, by the UE, a handover command message from a first access network device, wherein the handover command message carries a Non-Access Stratum container (NASC), performing, by the UE, integrity verification on the NASC, and continuing, by the UE, to use a first NAS security context when the integrity verification performed on the NASC fails, wherein the first NAS security context is a security context used between the UE and the first AMF.
    Type: Grant
    Filed: July 27, 2020
    Date of Patent: February 7, 2023
    Assignee: HUAWEI TECHNOLOGIES CO., LTD.
    Inventors: Fei Li, Linping Yang
  • Patent number: 11363662
    Abstract: The present invention relates to a method for receiving packets by a user equipment (UE) in a wireless communication system. In particular, the method includes receiving a handover command including security information; establishing a connection with a second network; based on detecting a connection failure with the second network, deriving a security key for a first network based on the security information; performing a PDCP re-establishment for one or more radio bearers of the first network based on the security key for the first network; and reporting, to the first network, the connection failure with the second network.
    Type: Grant
    Filed: September 18, 2020
    Date of Patent: June 14, 2022
    Assignee: LG Electronics Inc.
    Inventors: Geumsan Jo, Sunghoon Jung, Sangwon Kim
  • Patent number: 11272410
    Abstract: A gateway is described which facilitates a change of communication cell for a mobile device in a communication system, which includes a core network. The gateway receives messages from a base station operating a cell and forwards the messages received from the base station to the core network. The gateway intercepts a message relating to a change of communication cell, from a source cell in which the mobile communication device is located to a target cell, to determine if the core network needs to be notified of the change of cell. When it is determined that the core network needs to be notified, the gateway generates a message for providing information relating to the change of cell to the core network and transmits the message to the core network.
    Type: Grant
    Filed: September 1, 2017
    Date of Patent: March 8, 2022
    Assignee: NEC CORPORATION
    Inventors: Vivek Sharma, Meng Wang, Yassin Aden Awad
  • Patent number: 11190514
    Abstract: A service computing system receives an API call in which an authorization token, that contains an identifier in the content of the authorization token, is included in a header of the API call. The identifier is also included as a parameter passed in with the API call. The service computing system parses the API call to obtain the authorization token, and the identifier included in the authorization token. It also obtains the identifier passed in as a parameter of the API call. The service computing system compares the identifier obtained from the authorization token to the identifier passed in as a parameter of the API call to determine whether they match. If they do not match, the API call is processed as an unauthorized API call. A security system in the service computing system authorizes the API call based on the comparison.
    Type: Grant
    Filed: June 17, 2019
    Date of Patent: November 30, 2021
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Anshul Dube, Xiaoqin Zhu, Andrew Burke Ryan, Shankaranand Arunachalam, Gokay Hurmali, Dmitri Gavrilov, Ganesh Pandey, Parul Manek
  • Patent number: 10956844
    Abstract: A method includes: obtaining a signal strength sequence of signals detected by a user terminal during a travel route. The detected signals are originated from signal sources disposed at different locations in the travel route, and the different locations include one or more vehicles or one or more stops. The method further includes: extracting, from the signal strength sequence, a first sequence fragment corresponding to a signal transmitted by a signal source disposed at a vehicle; determining a travel time duration of the user riding on the vehicle according to a signal strength value and time stamp information of the first sequence fragment.
    Type: Grant
    Filed: May 18, 2020
    Date of Patent: March 23, 2021
    Assignee: ADVANCED NEW TECHNOLOGIES CO., LTD.
    Inventors: Zhe Han, Shiqi Jiang, Lei Yang, Feng Lin
  • Patent number: 10624005
    Abstract: A method for proxy algorithm identity selection may comprise: selecting, at a first network node, a security algorithm identity for a user equipment which is determined to handover to a second network node, based at least in part on security information of the user equipment and a list of security algorithm identities for the second network node; generating security keys for a communication between the user equipment and the second network node, based at least in part on the selected security algorithm identity; providing the security keys and the selected security algorithm identity to the second network node from the first network node; and sending the selected security algorithm identity to the user equipment from the first network node, in response to a handover acknowledgement from the second network node.
    Type: Grant
    Filed: August 8, 2013
    Date of Patent: April 14, 2020
    Assignee: Nokia Technologies Oy
    Inventors: Yang Liu, Dajiang Zhang
  • Patent number: 10588019
    Abstract: Techniques are described for wireless communication. A wireless device may generate a secured query message based at least in part on a security credential of the wireless device. The secured query message may be generated prior to performing an authentication and key agreement (AKA) with a network. The wireless device may transmit the secured query message to the network, and receive a response to the secured query message. The wireless device may then determine whether or not to perform the AKA with the network based on the received response (e.g., the wireless device may determine whether or not the response is associated with the security credential of the wireless communication device and a network security credential of the network). The wireless device may establish a secure connection with the network or refrain from considering the response based on the determination.
    Type: Grant
    Filed: November 7, 2016
    Date of Patent: March 10, 2020
    Assignee: QUALCOMM Incorporated
    Inventors: Soo Bum Lee, Lenaig Genevieve Chaponniere, Anand Palanigounder, Adrian Edward Escott, Gavin Bernard Horn
  • Patent number: 10568031
    Abstract: A method for communications station sleep mode recovery includes a communications station receiving a first wakeup identifier (WUID) from a first access point (AP), and obtaining a second WUID. The method further includes the communications station entering a sleep mode in which a radio communications module (RCM) of the communications station is in a reduced power state, and in which a wakeup receiver of the communications station is in an active state. The method further includes the wakeup receiver of the communications station detecting one of a first wakeup packet (WUP) including the first WUID or a second WUP including the second WUID, while the RCM is in the reduced power state. The method further includes, in response to the detecting, transitioning the RCM from the reduced power state to the active state.
    Type: Grant
    Filed: September 25, 2017
    Date of Patent: February 18, 2020
    Assignee: FUTUREWEI TECHNOLOGIES, INC.
    Inventors: Yunsong Yang, Zhigang Rong
  • Patent number: 10477441
    Abstract: In some examples, a source wireless access network node generates, for a user equipment (UE), a plurality of security configurations, wherein each security configuration of the plurality of security configurations is associated with a different respective candidate target wireless network node in a set of candidate target wireless access network nodes. The source wireless access network node sends each security configuration of the plurality of security configurations to the respective candidate target wireless network node, and sends security information of the plurality of security configurations to the UE.
    Type: Grant
    Filed: June 11, 2018
    Date of Patent: November 12, 2019
    Assignee: BlackBerry Limited
    Inventors: Yufei Wu Blankenship, Shiwei Gao
  • Patent number: 10349321
    Abstract: A mobile device may transition between Extended Service Set (“ESS”) networks seamlessly, such that a consumer never loses the network connection despite the transition. The communication for enabling a transition may be prior to association with that network. The seamless transition may be enabled through the creation and utilization of a central key holder authority that advertises its identity to mobile devices in a pre-associated state. The mobile device can use the key discovery communication along with a key generation method to authenticate and/or associate with a network and transition from one ESS to another. There may be a common root key across ESSs. At each new access point (“AP”) that the mobile device encounters, ESS and key holder identities may be discovered through discovery communications.
    Type: Grant
    Filed: November 13, 2017
    Date of Patent: July 9, 2019
    Assignee: BlackBerry Limited
    Inventors: Stephen McCann, Michael Peter Montemurro
  • Patent number: 10349271
    Abstract: A UE, a device and a Direct Communication Element. The UE is configured to establish a UE shared key with a Bootstrapping Server Function (BSF) using a Generic Bootstrapping Architecture (GBA) procedure, to discover the device through a discovery procedure after establishing the UE shared key, and to derive a direct communication key from at least the UE shared key. The device is configured to receive a transaction identifier associated with the UE shared key from the UE, to send the transaction identifier to the Direct Communication Element, and to receive the direct communication key from the Direct Communication Element. The Direct Communication Element is configured to receive the transaction identifier from the device, to obtain a shared session key from the BSF; to derive the direct communication key, and to send the direct communication key to the device.
    Type: Grant
    Filed: July 11, 2017
    Date of Patent: July 9, 2019
    Assignee: Telefonaktiebolaget LM Ericsson (Publ)
    Inventors: Monica Wifvesson, Vesa Lehtovirta
  • Patent number: 10270741
    Abstract: A user of a system defines a limited use access token for an external user for that external user to access defined resources of the system based on the user's account with the system. An access control system validates the access token when the external user attempts to access the defined resources and grants the external principal access to the defined resources.
    Type: Grant
    Filed: January 25, 2016
    Date of Patent: April 23, 2019
    Assignee: NetIQ Corporation
    Inventors: Lloyd Leon Burch, Robert Skousen Stilmar, Duane Fredrick Buss, Baha Masoud
  • Patent number: 10165496
    Abstract: A terminal device for wireless communication comprises a wireless interface configured for communication with a radio access network of a cellular communication network. The terminal device is configured to transmit, via the wireless interface, a message to at least one other terminal. The message includes configuration information related to a relay function of the terminal device. The terminal device is configured to activate the relay function to start relaying communication between a requesting terminal of the at least one other terminal and the radio access network after transmission of the message.
    Type: Grant
    Filed: September 2, 2013
    Date of Patent: December 25, 2018
    Assignees: SONY CORPORATION, SONY MOBILE COMMUNICATIONS INC.
    Inventors: Rickard Ljung, Saif Alnashi
  • Patent number: 10142299
    Abstract: The present disclosure relates to a pre-5th-Generation (5G) or 5G communication system to be provided for supporting higher data rates beyond a 4th-Generation (4G) communication system such as Long Term Evolution (LTE). A method for communicating by a user equipment with a macro cell base station and a small cell base station in a communication system is provided. The method comprises applying a first base station security key to a first communication link with the macro cell base station; generating a second base station security key to be used for a second communication link with the small cell base station based on the first base station security key; applying the second base station security key to the second communication link with the small cell base station; and communicating through at least one of the first communication link and the second communication link.
    Type: Grant
    Filed: February 13, 2018
    Date of Patent: November 27, 2018
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Sun-Heui Ryoo, Soeng-Hun Kim, Jung-Soo Jung, Jung-Min Moon, Anshuman Nigam, Sung-Jin Lee
  • Patent number: 9998964
    Abstract: In some examples, a source wireless access network node generates, for a user equipment (UE), a plurality of security configurations, wherein each security configuration of the plurality of security configurations is associated with a different respective candidate target wireless network node in a set of candidate target wireless access network nodes. The source wireless access network node sends each security configuration of the plurality of security configurations to the respective candidate target wireless network node, and sends security information of the plurality of security configurations to the UE.
    Type: Grant
    Filed: November 14, 2016
    Date of Patent: June 12, 2018
    Assignee: BlackBerry Limited
    Inventors: Yufei Wu Blankenship, Shiwei Gao
  • Patent number: 9985995
    Abstract: Methods are discussed of managing security reconfiguration and cell update procedures in a user equipment and in a node in a cellular communication system and a user equipment and a node in the cellular communication system. Methods in the user equipment may include detecting a cell update trigger event, and aborting any ongoing security reconfiguration procedure in the user equipment in response to the detected cell update trigger event. Subsequently, a security status indication in response to the aborted security reconfiguration may be provided, and a cell update message and the provided security status indication may be jointly transmitted to a node.
    Type: Grant
    Filed: January 19, 2016
    Date of Patent: May 29, 2018
    Assignee: Telefonaktiebolaget L M Ericsson (publ)
    Inventor: Tom McGann
  • Patent number: 9936426
    Abstract: The present invention provides a processing method for a radio link failure, a small cell and a mobile communication system. The method includes: determining, by a small cell, whether or not a signaling radio bearer transmission connection between a user equipment and a macro base station is interrupted; receiving, if the signaling radio bearer transmission connection is interrupted, signaling radio bearer configuration parameters sent by the macro base station, wherein the signaling radio bearer configuration parameters comprise an SRB identification, a radio link control layer configuration and a logic channel configuration; establishing a signaling radio bearer for the user equipment according to the signaling radio bearer configuration parameters; and notifying the user equipment to hand over the signaling radio bearer transmission connection to the signaling radio bearer established by the small cell.
    Type: Grant
    Filed: March 25, 2015
    Date of Patent: April 3, 2018
    Assignee: HUAWEI Technologies Co., Ltd.
    Inventors: Lixue Zhang, Weiwei Song, Xin Xiong
  • Patent number: 9930016
    Abstract: The present disclosure relates to a pre-5th-Generation (5G) or 5G communication system to be provided for supporting higher data rates beyond a 4th-Generation (4G) communication system such as Long Term Evolution (LTE). A method for communicating by a user equipment with a macro cell base station and a small cell base station in a communication system is provided. The method comprises applying a first base station security key to a first communication link with the macro cell base station; generating a second base station security key to be used for a second communication link with the small cell base station based on the first base station security key; applying the second base station security key to the second communication link with the small cell base station; and communicating through at least one of the first communication link and the second communication link.
    Type: Grant
    Filed: August 7, 2014
    Date of Patent: March 27, 2018
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Sun-Heui Ryoo, Soeng-Hun Kim, Jung-Soo Jung, Jung-Min Moon, Anshuman Nigam, Sung-Jin Lee
  • Patent number: 9924353
    Abstract: The present application discloses a method for configuring and transmitting a key, which includes that: a) a serving cell (PCell) of UE determines a key (KeNB) used by a SCell and transmits the KeNB to the SCell; and b) the PCell transmits configuration information for configuring the SCell to the UE after receiving a response message from the SCell, and receives a response message from the UE. Or, the method includes that: a SCell of UE transmits a cell key request to a MME and receives key information from the MME; and the SCell transmits the key information received from the MME to the UE, and receives a response message from the UE. By the present application, data of the SCell is transmitted after being encrypted, so as to avoid a case that the data is decoded by other users, and further guarantee the security of the data.
    Type: Grant
    Filed: December 30, 2013
    Date of Patent: March 20, 2018
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Hong Wang, Huarui Liang, Lixiang Xu
  • Patent number: 9848323
    Abstract: This application discloses a method of using NH and NCC pairs to resolve security issues. It includes: an MME sends a sequence including multiple NH and NCC pairs to S1GW that is calculated to correspond to a UE. After the S1GW receives a UE handover message or a UE bearer switch message from a base station, the S1GW may choose a next unused NH and NCC pair from the sequence sent by the MME and send it to a target base station. In using this application, part of the bearer switch of the UE or the switch of the UE can be terminated at the S1GW or HeNB GW, which reduces impact on the core network and cuts down on the use of system resources.
    Type: Grant
    Filed: July 25, 2014
    Date of Patent: December 19, 2017
    Assignee: SAMSUNG ELECTRONICS CO., LTD.
    Inventors: Lixiang Xu, Xiaowan Ke, Hong Wang
  • Patent number: 9775181
    Abstract: A method and apparatus for re-associating a station (STA) to an access point (AP). The STA sends a re-association request to the AP to initiate a re-association process with the AP. The re-association request indicates that a handshake operation is to be bypassed during the re-association process. The STA receives a re-association response from the AP in response to the re-association request and, upon receiving the re-association response, enables data communications with the AP using a set of preexisting cryptographic keys. For example, the set of preexisting cryptographic keys may be negotiated with the AP during at least one of a prior association process or a prior re-association process.
    Type: Grant
    Filed: June 25, 2015
    Date of Patent: September 26, 2017
    Assignee: QUALCOMM Incorporated
    Inventors: Sachin Ahuja, Ganesh Kondabattini, Ganesh Babu Kumaravel, Mukul Sharma, Vidyullatha Kanchanapally, Santhosh Kumar Padma
  • Patent number: 9736686
    Abstract: Methods (100, 200, 300) and apparatus (400, 500, 600, 700, 800, 900) are disclosed for establishing a key for direct communication between a User Equipment device, UE, and a device. The methods and apparatus cooperate to form a system for securing direct communication between a UE and a device over an interface. The system comprises a UE (20), a device (30) and a Direct Communication Element (40). The UE (20) is configured to establish a UE shared key with a Bootstrapping Server Function, BSF (50), using a Generic Bootstrapping Architecture, GBA, procedure, to discover the device (30) through a discovery procedure after establishing the UE shared key, and to derive a direct communication key from at least the UE shared key. The device (30) is configured to receive a transaction identifier associated with the UE shared key from the UE (20), to send the transaction identifier to the Direct Communication Element (40), and to receive the direct communication key from the Direct Communication Element (40).
    Type: Grant
    Filed: January 19, 2015
    Date of Patent: August 15, 2017
    Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
    Inventors: Monica Wifvesson, Vesa Lehtovirta
  • Patent number: 9673974
    Abstract: Embodiments of the present invention disclose a method, an apparatus, and a system for establishing a security context and relate to the communications field, so as to comprehensively protect UE data. The method includes: acquiring an encryption algorithm of an access node; acquiring a root key and deriving, according to the root key and the encryption algorithm, an encryption key of the access node; sending the encryption key and the encryption algorithm to the access node, so that the access node starts downlink encryption and uplink decryption; sending the encryption algorithm of the access node to the UE so as to negotiate the encryption algorithm with the UE; and instructing the access node to start downlink encryption and uplink decryption and instructing, during algorithm negotiation, the UE to start downlink decryption and uplink encryption. The present invention mainly applies to SCC security protection.
    Type: Grant
    Filed: August 15, 2014
    Date of Patent: June 6, 2017
    Assignee: HUAWEI TECHNOLOGIES CO., LTD.
    Inventors: Dongmei Zhang, Jing Chen
  • Patent number: 9510387
    Abstract: A method is disclosed, comprising sending a local connection re-establishment request to a local access apparatus in response to a failure of a radio link by which a user equipment was connected to a local network and operated in a single radio mode to use bearer services provided by a macro network; and recovering local signalling radio bearer in response to successfully verifying, by the local access apparatus, local context of the user equipment.
    Type: Grant
    Filed: May 4, 2012
    Date of Patent: November 29, 2016
    Assignee: Nokia Technologies Oy
    Inventors: Seppo Ilmari Vesterinen, Haitao Li, Yang Liu
  • Patent number: 9374225
    Abstract: Security of a plurality of registered digital documents in a system is monitored and the monitoring includes determining whether signatures associated with the registered digital documents are included in data propagating in network traffic of the system. A particular signature of a particular document in the plurality of registered digital documents is detected from the data propagating in the network. It is determined, based at least in part on the detecting, that detection of the particular signature exceeds a threshold detection rate for registered digital documents in the system. The particular signature is removed from a signature database including the signatures of the plurality of registered digital documents.
    Type: Grant
    Filed: September 30, 2013
    Date of Patent: June 21, 2016
    Assignee: McAfee, Inc.
    Inventors: Ratinder Paul Singh Ahuja, Matthew Howard, Rick Lowe, Erik de la Iglesia, William Deninger
  • Patent number: 9294916
    Abstract: A Terminal Identity Token is created for identifying a User Equipment (UE) connected to a radio base station in a radio system. The UE communicates with the radio base station via a secure communication associated with an existing cryptographic key. The Terminal Identity Token is created based on a physical cell identity of a target cell known to both the UE and the radio base station, the terminal identity, and the existing key. By using the Terminal Identity Token, a secure communication can be established and enhanced without having to provide for additional security network components or additional signaling.
    Type: Grant
    Filed: November 6, 2014
    Date of Patent: March 22, 2016
    Assignee: Telefonaktiebolaget L M Ericsson (publ)
    Inventors: Rolf Blom, Magnus Stattin, Karl Norrman
  • Patent number: 9258294
    Abstract: Systems and methods for remote authentication using Single Sign-On (SSO) credentials are disclosed. An implementation includes transmitting a request for an identification code from an application to a wireless service provider, the request provided through an encrypted transport protocol, receiving the identification code as a messaging service message from the wireless service provider, securely routing the received identification code to the requesting application, upon receipt of the identification code at the application, retrieving an authentication token for the application through the encrypted transport protocol and providing the authentication token to an application content server to allow content transfer between the application content server and the application.
    Type: Grant
    Filed: December 31, 2013
    Date of Patent: February 9, 2016
    Assignee: Cellco Partnership
    Inventors: Mohammad Raheel Khalid, Sm Masudur Rahman, Samir Vaidya
  • Patent number: 9232390
    Abstract: In a method and a system for providing secure communication in a cellular radio system, a radio base station key is generated by determining a set of data bits known to both the UE and the radio base station, and creating the radio base station key in response to the determined set of data.
    Type: Grant
    Filed: July 1, 2008
    Date of Patent: January 5, 2016
    Assignee: Telefonaktiebolaget L M Ericsson (publ)
    Inventors: Rolf Blom, Magnus Lindstrom, Karl Norrman
  • Patent number: 9025771
    Abstract: A mechanism by which handoff delay can be minimized while not compromising the IMS/MMD security and also protecting the media if required by certain applications is presented. Methods for mitigating delay during SA re-association and mitigating the IPSec tunnel overhead for signaling and media at the Mobile Node are given. In one embodiment, SA keys can be transferred from the old P-CSCF to new P-CSCF, enabling the establishment of SAs before Mobile Node physically moves to the new subnet in a network. Proactive handover is used. In another embodiment, SA keys are transferred from S-CSCF to new P-CSCF. In this case, the SA keys are transferred to the new P-CSCF by S-CSCF through a context transfer mechanism well in advance so that SAs may be established before Mobile Node physically moves to new subnet. In another embodiment, methods for mitigating IPSec tunnel overhead are presented.
    Type: Grant
    Filed: September 11, 2007
    Date of Patent: May 5, 2015
    Assignee: Telcordia Technologies, Inc.
    Inventors: Ashutosh Dutta, Abhrajit Ghosh, Subir Das, Fuchun Joesph Lin, Kyriakos Manousakis, Dana Chee, Tsunehiko Chiba, Hidetoshi Yokota, Akira Idoue
  • Patent number: 9014376
    Abstract: An embodiment of the present invention provides a method, comprising using optimized neighbor graphs for low-power access point assisted fast wireless roaming by a wireless station (STA) operating in a wireless network.
    Type: Grant
    Filed: March 19, 2009
    Date of Patent: April 21, 2015
    Assignee: Intel Corporation
    Inventors: Zongming Yao, Kapil Sood
  • Publication number: 20150104020
    Abstract: A method, network element, and mobile station (MS) are disclosed. The method includes: obtaining information that a plug-in card of the MS does not support a first encryption algorithm; deleting the first encryption algorithm from an encryption algorithm list permitted by a core network element according to the information that the plug-in card of the MS does not support the first encryption algorithm; sending the encryption algorithm list excluding the first encryption algorithm to an access network element, so that the access network element selects an encryption algorithm according to the encryption algorithm list excluding the first encryption algorithm and the MS capability information sent from the MS and sends the selected encryption algorithm to the MS. By using the method, network element, and MS, errors due to the fact that the plug-in card of the MS does not support an encryption algorithm may be avoided during the encryption process.
    Type: Application
    Filed: November 21, 2014
    Publication date: April 16, 2015
    Inventors: Jing Chen, Yongfeng Deng, Aiqin Zhang, Jun Qin
  • Patent number: 8983074
    Abstract: An input content data managing system includes a first electronic storing apparatus that stores encoded content data generated by encoding content data with a cryptographic key; an electronic second storing apparatus that stores the cryptographic key with corresponding digest-value data of the encoded content data capable of identifying sameness of the encoded content data; and a matching unit that determines a matched cryptographic key stored in the second storing apparatus for the encoded content data stored in the first storing apparatus, the matching using, as a matching key, at a predetermined time, digest-value data of the encoded content data obtained from the encoded content data stored in the first storing apparatus to match with the digest-value data of the encoded content data stored in the second storing apparatus, in order to obtain the content data by decoding the encoded content data using the matched cryptographic key.
    Type: Grant
    Filed: June 26, 2012
    Date of Patent: March 17, 2015
    Assignee: Quad, Inc.
    Inventor: Kozo Tagawa
  • Patent number: 8959598
    Abstract: A method and system for roaming between heterogeneous networks. The method involves authenticating a mobile communication device on a first network, and providing the device with a single-use token that can be used to sign on to a second network without requiring conventional re-authentication over the second network.
    Type: Grant
    Filed: September 28, 2012
    Date of Patent: February 17, 2015
    Assignee: BCE Inc.
    Inventor: Brian Norman Smith
  • Patent number: 8908865
    Abstract: A single instance of a session key generation protocol is executed in a manner that generates a plurality of security associations between user equipment and a first network element of a communication system. In one aspect, a first one of the security associations is utilized to secure data sent between the user equipment and the first network element in an ongoing communication. In conjunction with a handoff of the ongoing communication from the first network element to a second network element of the communication system, another one of the security associations is selected, and the other selected security association is utilized to secure data sent between the user equipment and the second network element in the ongoing communication. The security associations may comprise respective sets of session keys derived from a single pairwise master key.
    Type: Grant
    Filed: May 23, 2014
    Date of Patent: December 9, 2014
    Assignee: Alcatel Lucent
    Inventors: Violeta Cakulev, Semyon B. Mizikovsky, Ganapathy S. Sundaram
  • Patent number: 8879736
    Abstract: A method for encrypting radio resource control (RRC) messages exchanged between a wireless communication device and a node in a wireless communication system includes separating sequence number rollover events from mobility events while encrypting radio resource control (RRC) messages for exchange within a wireless communication system. According to the method, the sequence number rollover events and mobility events are separated by utilizing a state transition counter, a handover counter, and an overflow counter such that, when the state counter is incremented due to occurrences of a first group of events, the handover counter and the overflow counter are re-set to zero and, when the handover counter is incremented due to occurrences of a second group of events the overflow counter is re-set to zero.
    Type: Grant
    Filed: May 13, 2013
    Date of Patent: November 4, 2014
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventor: Gunnar Mildh
  • Patent number: 8873752
    Abstract: An embodiment of the invention is directed to associating a wireless device with a basestation. A connection request is received from the wireless device. The wireless device is authenticated to the basestation. A token-transfer-request message is received. The wireless device is associated with the basestation by transferring a token associated with the wireless device to the basestation.
    Type: Grant
    Filed: January 16, 2009
    Date of Patent: October 28, 2014
    Assignee: Sprint Communications Company L.P.
    Inventors: Sridhar Machiraju, Jean Bolot, Hao Chen
  • Patent number: 8839357
    Abstract: A method, system, and computer-readable storage medium for authenticating a computing device are provided. According to embodiments of the invention, a first computing device generates a message using first secret data and second secret data, the first secret data for authenticating to a second computing device, the second secret data for authenticating to a third computing device. The first computing device sends the message to the second computing device. In some embodiments, challenge-response authentication is implemented. For example, the first computing device receives a challenge from the second computing device and generates the message based at least in part on the challenge. The second computing device compares local information with information received from the first computing device. The first computing device can thereby be authenticated to the second computing device. Furthermore, the first computing device can be authenticated to the third computing device by a similar process.
    Type: Grant
    Filed: December 22, 2010
    Date of Patent: September 16, 2014
    Assignee: Canon U.S.A., Inc.
    Inventor: Jiuyuan Ge
  • Publication number: 20140233737
    Abstract: A method for generating an identifier of a key includes that: when a user equipment (UE) transfers from an evolved UMTS terrestrial radio access network (EUTRAN) to a universal terrestrial radio access network (UTRAN) or a global system for mobile communications (GSM), or an enhanced data rate for GSM evolved radio access network (GERAN), an identifier of a system key after transfer is generated by mapping an identifier KSIASME for an access security management entity, and a mobile management entity generates an identifier of a ciphering key (CK) and an integrity key (IK) by mapping the KSIASME, and then sends the generated identifier to a serving GPRS support node (SGSN), when the UE transfers from the EUTRAN to the UTRAN, the SGSN stores the ciphering key, the integrity key and the identifier thereof, and when the UE transfers from the EUTRAN to the GERAN, the SGSN assigns the value of the identifier of the ciphering key and the integrity key to an identifier of a ciphering key of the GERAN.
    Type: Application
    Filed: April 24, 2014
    Publication date: August 21, 2014
    Inventors: Xuwu Zhang, Qing Huang
  • Patent number: 8812848
    Abstract: A method, user equipment (UE) and system are provided for negotiating a security capability during idle state mobility of the UE from a non-long term evolution (non-LTE) network to a long term evolution (LTE) network. The UE sends UE security capabilities supported by the UE to the LTE network for a non-access stratum (NAS) security algorithm selection use. The UE then receives from the LTE network selected NAS security algorithm. The UE further generates a root key from an authentication vector-related key stored at the UE and then derives, from the generated root key, a NAS protection key for security communication with the LTE network.
    Type: Grant
    Filed: January 3, 2014
    Date of Patent: August 19, 2014
    Assignee: Huawei Technologies Co., Ltd.
    Inventor: Chengdong He
  • Patent number: 8804962
    Abstract: The disclosure provides a method and a system for establishing an enhanced air interface key. During a serving Radio Network Controller (RNC) relocation process, a target RNC with an enhanced security capability enables a received legacy key to perform security protection on communication in the serving RNC relocation process when the target RNC cannot learn from a relocation request sent by a source RNC whether or not a user equipment supports the enhanced security capability (500); and when the target RNC receives a message from the user equipment and learns that the user equipment supports the enhanced security capability, the target RNC notifies a core network to establish and enable the enhanced air interface keys on the network side and in the user equipment respectively (501).
    Type: Grant
    Filed: March 10, 2011
    Date of Patent: August 12, 2014
    Assignee: ZTE Corporation
    Inventors: Chengyan Feng, Lu Gan
  • Patent number: 8781126
    Abstract: A method, apparatus and computer program product are provided to facilitate security in response to a handover from an initial network to a subsequent network, such as a handover between a packet-switched network and a circuit-switched network. The method, apparatus and computer program product may provide at least one security key for use in the subsequent network following handover from the initial network such that communications conducted via the subsequent network, including initial communications, may be secure. In order to provide at least one security key for use in the subsequent network, at least one security key of the initial network may be identified along with a nonce in response to a determination that a handover is to be made. The at least one security key of the subsequent network may then be determined based upon the at least one security key of the initial network and the nonce.
    Type: Grant
    Filed: November 2, 2009
    Date of Patent: July 15, 2014
    Assignee: Nokia Corporation
    Inventors: Stuart Geary, Luis Miguel Santos Barreto, Simone Provvedi, Steven Franklin, Keiichi Kubota
  • Patent number: 8774411
    Abstract: A single instance of a session key generation protocol is executed in a manner that generates a plurality of security associations between user equipment and a first network element of a communication system. In one aspect, a first one of the security associations is utilized to secure data sent between the user equipment and the first network element in an ongoing communication. In conjunction with a handoff of the ongoing communication from the first network element to a second network element of the communication system, another one of the security associations is selected, and the other selected security association is utilized to secure data sent between the user equipment and the second network element in the ongoing communication. The security associations may comprise respective sets of session keys derived from a single pairwise master key.
    Type: Grant
    Filed: May 29, 2009
    Date of Patent: July 8, 2014
    Assignee: Alcatel Lucent
    Inventors: Violeta Cakulev, Semyon B. Mizikovsky, Ganapathy S. Sundaram
  • Patent number: 8750515
    Abstract: A method for generating an identifier of a key, comprises that: when a user equipment (UE) transfers from an evolved UMTS terrestrial radio access network (EUTRAN) to a universal terrestrial radio access network (UTRAN) or a global system for mobile communications (GSM), or an enhanced data rate for GSM evolved radio access network (GERAN), an identifier of a system key after transfer is generated by mapping an identifier KSIASME for an access security management entity, and a mobile management entity generates an identifier of a ciphering key (CK) and an integrity key (IK) by mapping the KSIASME, and then sends the generated identifier to a serving GPRS support node (SGSN), when the UE transfers from the EUTRAN to the UTRAN, the SGSN stores the ciphering key, the integrity key and the identifier thereof, and when the UE transfers from the EUTRAN to the GERAN, the SGSN assigns the value of the identifier of the ciphering key and the integrity key to an identifier of a ciphering key of the GERAN.
    Type: Grant
    Filed: June 15, 2009
    Date of Patent: June 10, 2014
    Assignee: ZTE Corporation
    Inventors: Xuwu Zhang, Qing Huang
  • Patent number: 8738913
    Abstract: A method for efficiently deriving a traffic encryption key for data encryption is disclosed. A method of generating a traffic encryption key (TEK) comprises the steps of receiving, by a mobile station from base station, a first nonce and first security materials for deriving the traffic encryption key (TEK) and deriving the traffic encryption key (TEK) using one or more of the first nonce, the authentication key (AK), and the first security materials.
    Type: Grant
    Filed: June 3, 2009
    Date of Patent: May 27, 2014
    Assignee: LG Electronics Inc.
    Inventors: Gene Beck Hahn, Ki Seon Ryu
  • Patent number: 8726019
    Abstract: In a communication system in which two communication entities seek to have a private or confidential communication session, a trust relationship needs first be established. The trust relationship is based on the determination of a shared secret which in turn is generated from contextual information. The contextual information can be derived from the circumstances surrounding the communication session. For example, the contextual information can include topological information, time-based information, and transactional information. The shared secret may be self-generated or received from a third party. In either event, the shared secret may be used as key material for any cryptographic protocol used between the communication entities.
    Type: Grant
    Filed: February 10, 2006
    Date of Patent: May 13, 2014
    Assignee: QUALCOMM Incorporated
    Inventors: Michael Paddon, Gregory Gordon Rose, James Semple, Philip Michael Hawkes
  • Patent number: 8707045
    Abstract: Various methods and apparatuses for managing count values (e.g. key counts) to manage a TEK in various communication environments are disclosed. Also, various methods and apparatuses for generating and maintaining a traffic key encryption key by using key count values are disclosed.
    Type: Grant
    Filed: February 12, 2010
    Date of Patent: April 22, 2014
    Assignee: LG Electronics Inc.
    Inventors: Gene Beck Han, Ki Seon Ryu
  • Patent number: 8701164
    Abstract: The present application relates to, among other things, Key Caching, QoS and Multicast extensions and improvements to the Media-independent Pre-Authentication (MPA) framework, a new handover optimization mechanism that has a potential to address issues on existing mobility management protocols and mobility optimization mechanisms. MPA is a mobile assisted, secure handover optimization scheme that works over any link-layer and with any mobility management protocol.
    Type: Grant
    Filed: August 10, 2011
    Date of Patent: April 15, 2014
    Assignees: Toshiba America Research, Inc., Telcordia Technologies, Inc.
    Inventors: Ashutosh Dutta, Victor Fajardo, Yoshihiro Oba, Kenichi Tanuichi
  • Patent number: 8666077
    Abstract: In one embodiment, a traffic encryption key is generated based on a count value associated with a mobile. The count value is indicative of network accesses by a mobile, and the traffic encryption key is for encrypting communication traffic between the mobile and a base station. Generation of the traffic encryption key at a base station may be triggered by receipt of a message indicating that the mobile may handoff to the base station. In this embodiment, the message includes the count value. In another embodiment, the traffic encryption key is generated based on the count value and a key count. The mobile may trigger updating the traffic encryption key by changing the key count, and sending the new key count to the base station in a traffic encryption key update request message.
    Type: Grant
    Filed: May 7, 2008
    Date of Patent: March 4, 2014
    Assignee: Alcatel Lucent
    Inventors: Sarvar Patel, Semyon Mizikovsky