Including Hand-off Based Cryptographic Alteration Patents (Class 380/272)
  • Patent number: 8005224
    Abstract: A method for establishing a new security association between a mobile node and a network source, the method comprising creating a first token comprising a security association between a network source and a mobile node, the first token being encrypted using a first key known to the mobile node and a first trust authority within a home network associated with the mobile node, and creating a second token comprising the same security association between the network source and the mobile node, the second token being encrypted using a second key known to the first trust authority and a second trust authority associated with the network source, wherein the first token and the second token are sent to the second trust authority using a chain of trust infrastructure.
    Type: Grant
    Filed: March 14, 2007
    Date of Patent: August 23, 2011
    Assignee: FutureWei Technologies, Inc.
    Inventors: Madjid F. Nakhjiri, Changsheng Wan
  • Patent number: 7991161
    Abstract: A system for automatic security authentication in a wireless network includes a server and a terminal. The terminal includes a processor, a first communications unit, and a second communications unit. The server includes a database, a control unit, and a third communications unit. The processor receives an identification code of an access point through the first communications unit, and sends a message to the control unit through the second communications unit. The message includes the identification code of the access point, a user account and a user password. The control unit sends an authentication code corresponding to the identification code according to data stored in the database to the processor through the third communications unit. After receipt of the authentication code, the processor automatically logs in to the access point through the first communications unit to activate a wireless network access function.
    Type: Grant
    Filed: March 17, 2006
    Date of Patent: August 2, 2011
    Assignee: Panasonic Corporation
    Inventor: Po-Fei Chen
  • Patent number: 7961668
    Abstract: A method of synchronizing a smart antenna apparatus with a base station transceiver includes receiving at the smart antenna apparatus control signals being communicated from a base station transceiver to one or more mobile stations via an antenna unit. The control signals are operable to be used to synchronize the mobile stations with the base station transceiver. The method further includes executing one or more algorithms using the control signals received by the smart antenna apparatus as input to synchronize the smart antenna apparatus with the base station transceiver.
    Type: Grant
    Filed: September 21, 2006
    Date of Patent: June 14, 2011
    Assignee: Faulker Interstices LLC
    Inventors: Omri Hovers, Eran Shenhar, Daniel Korkos, Nanu Peri, Shahar Kagan
  • Publication number: 20110135095
    Abstract: A method for generating a key identity identifier when a user equipment (UE) transfers is disclosed. The method includes the following steps: a mobility management entity (MME) of an evolved UMTS terrestrial radio access network (EUTRAN) sends an identity identifier of an access security management entity key (KSIASME) to a serving general packet radio service support node (SGSN) of a target system when the UE transfers from the EUTRAN to the target system, and both the SGSN and the UE map the KSIASME into a key identity identifier of the target system.
    Type: Application
    Filed: December 29, 2008
    Publication date: June 9, 2011
    Applicant: ZTE CORPORATION
    Inventors: Xuwu Zhang, Lu Gan, Qing Huang
  • Publication number: 20110123029
    Abstract: A method for generating an identifier of a key, comprises that: when a user equipment (UE) transfers from an evolved UMTS terrestrial radio access network (EUTRAN) to a universal terrestrial radio access network (UTRAN) or a global system for mobile communications (GSM), or an enhanced data rate for GSM evolved radio access network (GERAN), an identifier of a system key after transfer is generated by mapping an identifier KSIASME for an access security management entity, and a mobile management entity generates an identifier of a ciphering key (CK) and an integrity key (IK) by mapping the KSIASME, and then sends the generated identifier to a serving GPRS support node (SGSN), when the UE transfers from the EUTRAN to the UTRAN, the SGSN stores the ciphering key, the integrity key and the identifier thereof, and when the UE transfers from the EUTRAN to the GERAN, the SGSN assigns the value of the identifier of the ciphering key and the integrity key to an identifier of a ciphering key of the GERAN.
    Type: Application
    Filed: June 15, 2009
    Publication date: May 26, 2011
    Applicant: ZTE CORPORATION
    Inventors: Xuwu Zhang, Qing Huang
  • Patent number: 7936880
    Abstract: A method, an apparatus and a system for key derivation are disclosed. The method includes the following steps: a target base station receives multiple keys derived by a source base station, where the keys correspond to cells under control of the target base station; the target base station selects a key corresponding to the target cell after knowing a target cell that a user equipment (UE) wants to access. An apparatus for key derivation and a communications system are also provided.
    Type: Grant
    Filed: November 9, 2010
    Date of Patent: May 3, 2011
    Assignee: Huawei Technologies Co., Ltd.
    Inventors: Min Huang, Jing Chen, Aiqin Zhang, Xiaohan Liu
  • Publication number: 20110093711
    Abstract: A method and system for encrypting data in a wireless communication system are provided. The system includes a first node for generating a first encryption key using a plurality of encryption key parameters when performing authentication with a second node, for changing a second parameter among the plurality of encryption key parameters to generate a second encryption key being identical to the first encryption key, if a first parameter among the plurality of encryption key parameters is changed during re-authentication between the first node and the second node, for generating the second encryption key using the changed first parameter and the changed second parameter, and for encrypting data to be transmitted to the second node using the second encryption key.
    Type: Application
    Filed: October 15, 2010
    Publication date: April 21, 2011
    Applicant: SAMSUNG ELECTRONICS CO. LTD.
    Inventors: Kyeong-Tae Do, Jung-Hun Park, Tae-Jin Kim, Jeong-Eun Park
  • Publication number: 20110087879
    Abstract: A communication network includes a local area network (LAN) and a wireless access point coupled to the LAN. In one embodiment, each access point includes a medium access control (MAC) stage, and a radio frequency (RF) transmitter/receiver for communicating unsecure message data via RF links with users of associated wireless devices. An optical transmitter/receiver in the access point enables the users to communicate secure message data over the LAN via free space optical (FSO) links with the users. The MAC stage operates (i) to direct unsecure data from the LAN to the wireless device users and to direct unsecure data from the users to the LAN, via the RF transmitter/receiver; and (ii) to direct secure data from the LAN to the wireless device users and to direct secure data from the users to the LAN, via the optical transmitter/receiver. An integrated VoIP/FSO portable handset is also disclosed.
    Type: Application
    Filed: October 13, 2009
    Publication date: April 14, 2011
    Inventors: Naresh Chand, Bruce M. Eteson
  • Patent number: 7900039
    Abstract: When a SET receives a positioning service from a V-SLP by performing a roaming from a H-SLP to the V-SLP in a SUPL-based positioning system, only a new TLS connection is generated using an abbreviated handshake protocol without generating a new TLS session after the roaming. That is, when opening a TLS session for ensuring security in a SUPL-based positioning method, in particular, when opening a new TLS session between the V-SLP (V-SPC) and the SET after opening the TLS session between the H-SLP and the SET, the key information having used in the previous TLS session is provided to the V-SLP to set a new TLS connection, thereby reducing a load of an entire system.
    Type: Grant
    Filed: January 9, 2006
    Date of Patent: March 1, 2011
    Assignee: LG Electronics, Inc.
    Inventors: Dong-Hee Shim, Youn-Sung Chu
  • Publication number: 20110047382
    Abstract: A method for preparing for handover of an apparatus from a first wireless network to a second, different wireless network, a master session key (MSK) having been generated during establishment of a connectivity of the apparatus to the first wireless network includes detecting signals of the second wireless network. In response thereto, establishing a connectivity of the apparatus to the second wireless network, using a pairwise master key (PMK) derived from the MSK generated during establishment of the connectivity to the first wireless network, one or more encryption keys being derivable from the PMK to support secure communication over the second wireless network.
    Type: Application
    Filed: July 19, 2010
    Publication date: February 24, 2011
    Applicant: Industrial Technology Research Institute
    Inventors: Jui-Tang WANG, Chi-Chung Chen, Kuei-Li Huang, Chien-Chao Tseng, Cheng-Yuan Ho
  • Publication number: 20110033053
    Abstract: A security key generating method, device and system are provided, wherein, the method is used for generating a security key in the process of the handover to an EUTRAN network from other network, the method includes: an MME generates a security key based on a root key KASME of the EUTRAN network, a specific value and/or other parameters and transmits a handover request message carrying the security key to a target evolved Node B, i.e. eNB; a UE generates the security key which used by the target eNB based on the root key KASME of the EUTRAN network, the specific value and/or other parameters. The application of the present invention adopts a specific value, KASME and/or other parameters to output a security key, which can solve the problem existed in the related technology, the problem is that the middle security key used by access layer while handover between different access system can not be generated, and then it can not realize the security protection of the access layer.
    Type: Application
    Filed: December 30, 2008
    Publication date: February 10, 2011
    Applicant: ZTE CORPORATION
    Inventors: Lu Gan, Zhongda Du, Xiang Cheng, Yazhu Ke
  • Patent number: 7881475
    Abstract: Systems and methods provide a mechanism for wireless stations and access points to negotiate security parameters for protecting management frames. The access point and station determine which management frames they are capable of and desire to protect. Data indicating protected frames are then exchanged between the station and access point to select which management frames are to be protected and a protection mechanism to be used for protecting the management frames.
    Type: Grant
    Filed: May 17, 2005
    Date of Patent: February 1, 2011
    Assignee: Intel Corporation
    Inventors: Kapil Sood, Jesse R. Walker, Emily H. Qi
  • Patent number: 7881470
    Abstract: A node that couples to the Internet establishes a secure connection with another node that couples to the Internet. The secure connection to be established via an IPsec security association. The node registers with an authority that couples to the Internet and provides public key infrastructure (PKI) services. Registration is to include obtaining both a private and a public key. The PKI services to include providing the private key to only the registered node and providing the public key to another registered node that requests PKI services from the authority. The node requests the PKI services from the authority based on a change in a point of attachment for the node to the Internet. The node then authenticates the other node via the PKI services and exchanges a secret key with the other node based on the authentication of the other node. The node is to implement an encryption scheme that uses the exchanged secret key for symmetric encryption of data exchanged between the node and the other node.
    Type: Grant
    Filed: March 9, 2006
    Date of Patent: February 1, 2011
    Assignee: Intel Corporation
    Inventors: Tat Kin Tan, Lee Booi Lim, Sy Jong Choi
  • Patent number: 7873165
    Abstract: A multi-band radio having seamless satellite communication capability is provided. The radio includes: a user interface for controlling operations of the radio; an encryption module; a LOS wireless transceiver for transmitting encrypted data at a frequency in the radio frequency spectrum; a BLOS wireless transceiver for transmitting encrypted data at a frequency in the microwave frequency spectrum; and a router for routing the encrypted data to at least one of the LOS transceiver and the BLOS transceiver.
    Type: Grant
    Filed: December 15, 2006
    Date of Patent: January 18, 2011
    Assignee: Harris Corporation
    Inventors: Charles Richards, IV, Tim Klembczyk, Tom Kenney, George Helm
  • Publication number: 20110002466
    Abstract: A client apparatus includes a wireless network access unit configured to access wireless networks, a packet analysis unit configured to analyze uplink and downlink data packets, a security tunnel processor configured to establish a mobile security tunnel and to maintain the established mobile security tunnel when handover is performed in heterogeneous networks, a wireless network controller configured to control a wireless network accessing process and a connection releasing process of the wireless network access unit, a mobile security tunnel controller configured to perform a MOBIKE protocol and to control a process of establishing and maintaining a mobile security tunnel of the security tunnel processor, and a wireless network connection manager configured to request the mobile security tunnel controller to perform a MOBIKE protocol by managing MOBIKE information and to control handover by setting up and managing a wireless network access policy.
    Type: Application
    Filed: June 22, 2010
    Publication date: January 6, 2011
    Inventors: Dong-Jin Kwak, Woo-Jin Choi, Seong-Choon Lee, Hyung-Keun Ryu
  • Publication number: 20110002465
    Abstract: Integrated handover authentication technology for a next generation network (NGN) environment to which wireless access technology and mobile IP based mobility control technology are applied is provided. In a method of operating a mobile terminal MN in order to perform the integrated handover authentication in the NGN environment including an access router PAR, a target router NAR, and an authentication (AAA) server. First, a handover authentication key HKNAR which is shared by the mobile terminal and the target router and protects a fast binding update (FBU) message between the mobile terminal and the target router is generated. Then, an authentication request message AAuthReq generated using the handover authentication key HKNAR is transmitted. Thereafter, an authentication success message AAuthResp is received in response to the authentication request message AAuthReq.
    Type: Application
    Filed: December 9, 2008
    Publication date: January 6, 2011
    Applicant: ELECTRONICS AND TELECOMMUNICATIONS RESEARCH INSTITUTE
    Inventors: Jae-Young Ahn, Souhwan Jung, Jaeduck Choi, Dae-Joon Hwang
  • Publication number: 20100313024
    Abstract: A first aspect of the invention relates to a method for verifying an attachment of a mobile node to a network element in a network. A second aspect of the invention relates to a method to be implemented in a mobility anchor node, which detects whether a race condition between registration messages occurs and resolves the most recent location of a mobile node. A third aspect of the invention relates to a method for detecting whether a binding cache entry for a mobile at a correspondent node has been spoofed and to a method for registering a care-of address of a mobile node at a correspondent node. A fourth aspect of the invention relates to a method for providing from a mobile node to a local mobility anchor information on an attachment of a mobile node to a network element.
    Type: Application
    Filed: April 11, 2008
    Publication date: December 9, 2010
    Applicant: PANASONIC CORPORATION
    Inventors: Kilian Weniger, Jun Hirano, Jens Luis Bachmann, Genadi Velev, Jon Schuringa
  • Publication number: 20100303238
    Abstract: A single instance of a session key generation protocol is executed in a manner that generates a plurality of security associations between user equipment and a first network element of a communication system. In one aspect, a first one of the security associations is utilized to secure data sent between the user equipment and the first network element in an ongoing communication. In conjunction with a handoff of the ongoing communication from the first network element to a second network element of the communication system, another one of the security associations is selected, and the other selected security association is utilized to secure data sent between the user equipment and the second network element in the ongoing communication. The security associations may comprise respective sets of session keys derived from a single pairwise master key.
    Type: Application
    Filed: May 29, 2009
    Publication date: December 2, 2010
    Inventors: Violeta Cakulev, Semyon B. Mizikovsky, Ganapathy S. Sundaram
  • Patent number: 7840008
    Abstract: A decryption apparatus (109) comprises a key stream generator (111) generating a local decryption key stream. It furthermore comprises a synchronization value receiver (201) receiving key stream synchronization values. A synchronization processor (203) implements a state machine which may operate in a synchronized state (303) wherein the communication is decrypted using the local key stream, a non-synchronized state (301) wherein the local key stream is not synchronized, or in an uncertain synchronization state (305) wherein the communication is decrypted using the local key stream and wherein the local key stream is synchronized to each new received synchronization value. The synchronization processor (203) furthermore comprises a transition controller (213) operable to transition from the synchronized state to the non-synchronized state in response to a first criterion and to the uncertain synchronization state in response to a second criterion.
    Type: Grant
    Filed: October 6, 2006
    Date of Patent: November 23, 2010
    Assignee: Motorola, Inc.
    Inventor: Kristian Gronkjaer Pedersen
  • Publication number: 20100268951
    Abstract: A method for quickly performing a handover in a wireless access system is disclosed. The method for quickly performing a handover includes transmitting a handover request message to a serving base station (SBS), receiving a handover response message from the serving base station (SBS), and transmitting an uplink sequence generated by authentication-associated information of the serving base station (SBS) to a target base station (TBS). Therefore, a mobile station (MS) can complete the handover without exchanging a ranging message with the target base station (TBS), such that a communication interruption time can be minimized.
    Type: Application
    Filed: November 27, 2007
    Publication date: October 21, 2010
    Inventor: Ki Seon Ryu
  • Patent number: 7813511
    Abstract: Providing a mobility key for a communication session for a mobile station includes facilitating initiation of the communication session. A master key for the communication session is established, where the master key is generated at an authentication server in response to authenticating the mobile station. A mobility key is derived from the authentication key at an access node, where the mobility key is operable to authenticate mobility signaling for the communication session.
    Type: Grant
    Filed: July 1, 2005
    Date of Patent: October 12, 2010
    Assignee: Cisco Technology, Inc.
    Inventors: Kent K. Leung, Jayaraman R. Iyer, Viren K. Malaviya
  • Publication number: 20100257364
    Abstract: A base station includes an apparatus for protecting information of a mobile station during a process of authenticating a ranging message of the mobile station that performs a handover in a wireless communication system. In a method for encrypting a ranging response message in a base station, when a ranging request message is received from a mobile station that performs a handover, an authentication station is requested to transmit Authorization Key (AK) context of the mobile station. Validity of the ranging request message is determined using CMAC based on the AK context of the mobile station provided by the authentication station. When the ranging request message is valid, a response message to the ranging request message is encrypted. The encrypted response message is transmitted to the mobile station.
    Type: Application
    Filed: April 2, 2010
    Publication date: October 7, 2010
    Applicant: Samsung Electronics Co., Ltd.
    Inventors: Young-Kyo Baek, Hyun-Jeong Kang, Jae-Hyuk Jang, Jung-Je Son
  • Patent number: 7801517
    Abstract: Methods, systems, and computer program products for implementing a roaming controlled wireless network and services is provided. The method includes assigning an identifier and key to a multi-mode network-enabled communications device, the identifier and key inaccessible to an end user of the communications device. The method further includes assigning an identifier and key to a gateway device. The method further includes configuring an auto-provisioning element on each of the devices and remotely provisioning activation of roaming controlled communications services for the end user of the communications device. The remote provisioning includes transmitting a signal to one of the devices configured with the auto-provisioning element, which causes the devices to exchange identifiers and keys via a wireless local network. In response to exchanging the identifiers and keys between the devices, the communications device is permitted to communicate over the wireline network via the gateway device.
    Type: Grant
    Filed: December 30, 2005
    Date of Patent: September 21, 2010
    Assignee: AT&T Intellectual Property I, L.P.
    Inventor: Richard J. Silvestri
  • Publication number: 20100220862
    Abstract: A method, apparatus and computer program product are provided to facilitate security in response to a handover from an initial network to a subsequent network, such as a handover between a packet-switched network and a circuit-switched network. The method, apparatus and computer program product may provide at least one security key for use in the subsequent network following handover from the initial network such that communications conducted via the subsequent network, including initial communications, may be secure. In order to provide at least one security key for use in the subsequent network, at least one security key of the initial network may be identified along with a nonce in response to a determination that a handover is to be made. The at least one security key of the subsequent network may then be determined based upon the at least one security key of the initial network and the nonce.
    Type: Application
    Filed: November 2, 2009
    Publication date: September 2, 2010
    Applicant: Nokia Corporation
    Inventors: Stuart Geary, Luis Miguel Santos Barreto, Simone Provvedi, Steven Franklin, Keiichi Kubota
  • Publication number: 20100205437
    Abstract: A protection method for a mobile IPv6 fast handover is provided, which includes the following steps: generating a fast-handover signaling protection key by using a key which is shared with a network side device; generating an authentication code according to the protection key; adding the authentication code to the fast-handover signaling and transmitting the fast-handover signaling to a router. A protection device for a mobile IPv6 fast handover is also provided. By using the method, the shared key between the mobile node and the network side device is used to derive the fast-handover signaling protection key to protect the fast-handover signaling, which solves the security problem of the fast-handover message during a mobile IPv6 fast handover, decreases overhead during storing and calculating regarding the mobile node, and can be used to protect the downward fast-handover signaling of the SeND protocol that cannot be supported by the mobile node.
    Type: Application
    Filed: April 26, 2010
    Publication date: August 12, 2010
    Applicant: Huawei Technologies Co., Ltd.
    Inventor: Chunqiang Li
  • Publication number: 20100205442
    Abstract: Various methods and apparatuses for managing count values (e.g. key counts) to manage a TEK in various communication environments are disclosed. Also, various methods and apparatuses for generating and maintaining a traffic key encryption key by using key count values are disclosed.
    Type: Application
    Filed: February 12, 2010
    Publication date: August 12, 2010
    Inventors: Gene Beck Han, Ki Seon Ryu
  • Patent number: 7765402
    Abstract: Systems and methods for a wireless communication system used for transmitting and receiving information, the information not containing identification of the information's intended recipient. A method for transmitting payload information, the method comprising providing verification information, scrambling a portion of the verification information, and transmitting the payload information with the scrambled verification information portion. Also provided is a method for processing transmitted payload information incorporated into an encoded information message with scrambled verification information, the method comprising receiving the encoded information message, descrambling at least a portion of the scrambled verification information and comparing said descrambled verification information with predetermined verification information, processing said payload information based on said comparison.
    Type: Grant
    Filed: December 16, 2005
    Date of Patent: July 27, 2010
    Assignee: Research In Motion Limited
    Inventors: David Clark, David Bajar, Simon Wise, Ian M. Patterson, David Yach, Allan David Lewis, Gary P. Mousseau
  • Publication number: 20100172500
    Abstract: A method of handling inter-system handover security for a communication device in a wireless communication system includes creating a first security key set for security with a serving network, creating a second security key set with a deactivating state, receiving an inter-system handover command for an inter-system handover from the serving network to a target network, selecting either the first security key set or the second security key set during the inter-system handover, and using the selected security key set for security with the target network, wherein the selected security key set is identical with a third security key set that is used by the target network for security with the communication device.
    Type: Application
    Filed: December 8, 2009
    Publication date: July 8, 2010
    Inventor: Chih-Hsiang Wu
  • Patent number: 7735126
    Abstract: A method of Authentication Authorization and Accounting (AAA) in an interworking between first and second networks that do not belong in the same administrative domain, using certificate based transactions. In the method according to the invention, the second network sends a public key to the first network, and a certificate to a mobile device. The certificate includes information regarding the subscription level of the mobile device and is signed with a private key of the second network. Upon detection of the first network the mobile device transmits the certificate and the first network authenticates the certificate using the public and private keys of the second network, and authorizes access to the network in response. The first network then sends a session key encrypted with a public key of the mobile device. The mobile device decrypts the session key with a private key and access the first network using the session key.
    Type: Grant
    Filed: March 13, 2003
    Date of Patent: June 8, 2010
    Assignee: Thomson Licensing
    Inventors: Junbiao Zhang, Charles Chuanming Wang, Jun Li
  • Patent number: 7734049
    Abstract: The invention relates to a method for transmitting data between a GPRS/EDGE radio access network and user equipment of a mobile system, and to user equipment using the method, and to GERAN. In the method, the data to be transmitted is encrypted using an encryption algorithm at the transmitting end, the encrypted data is transmitted from the transmitting end to the receiving end, and the transmitted data is decrypted using an encryption algorithm at the receiving end. The used encryption algorithm is an encryption algorithm of the radio access network UTRAN employing the wideband code division multiple access method of the universal mobile telecommunications system, in which case the input parameters of agreed format required by the encryption algorithm are created on the basis of the operating parameters of the GPRS/EDGE radio access network GERAN.
    Type: Grant
    Filed: August 1, 2001
    Date of Patent: June 8, 2010
    Assignee: Nokia Corporation
    Inventors: Valtteri Niemi, Kari Niemela, Guillaume Sebire, Shkumbin Hamiti
  • Patent number: 7664265
    Abstract: The present invention relates to relocation of the control of communication between a first station and a second station from a first communication system controller to a second communication system controller. The communication is ciphered by means of a first ciphering key. In the method, after the initiation of the relocation of control of the communication from the first controller to the second controller a request for relocation is transmitted to the second controller. The request contains the first ciphering key and at least one other ciphering key.
    Type: Grant
    Filed: July 31, 2001
    Date of Patent: February 16, 2010
    Assignee: Nokia Siemens Networks Oy
    Inventors: Jari Isokangas, Sinikka Sarkkinen
  • Patent number: 7653200
    Abstract: A multiple entity gateway for supporting cellular authentication from a non-cellular network, the gateway comprising a plurality of entities each located at a different one of a plurality of secure zones and having at least one gap between said entities across said secure zones, said gateway being configured to predefine communication signals allowed across said gap between said entities, thereby to filter out non-allowed signals, and provide secure cellular authentication for a communication originating from said non-cellular network. The gateway allows cellular users to connect to a cellular network via a wireless local area network such as a hotspot, use the services of the cellular network, the Internet and the hotspot at will, and be securely authenticated and charged through the cellular infrastructure.
    Type: Grant
    Filed: March 13, 2003
    Date of Patent: January 26, 2010
    Assignee: Flash Networks Ltd
    Inventors: Yair Karmi, Sara Bitan-Erlich, Stuart Jeffery, Eyal Katz, Yaron Peleg
  • Publication number: 20100002883
    Abstract: A method and apparatus for implementing a security procedure during handover of a wireless transmit/receive unit (WTRU) in wireless communications that controls the behavior of a handover target if it cannot support the required security algorithms. The handover source can detect that the target does not support the required security algorithms and the WTRU can detect that security algorithms may change during handover. Security procedures for the WTRU include contingencies for Radio Link Failure and if the public land mobile network (PLMN) changes.
    Type: Application
    Filed: July 29, 2008
    Publication date: January 7, 2010
    Applicant: INTERDIGITAL PATENT HOLDINGS INC.
    Inventors: Mohammed Sammour, Rajat P. Mukherjee, Shankar Somasundarm
  • Patent number: 7639817
    Abstract: A physical channel transmission method and a transmission chain therefor in a communication system are disclosed. In transmitting packet data or packet control data through a physical channel having a transmission format of variable lengths, the data transmission chain includes a scrambler for scrambling the packet data or packet control data using the transmission format information.
    Type: Grant
    Filed: January 14, 2003
    Date of Patent: December 29, 2009
    Assignee: LG Electronics Inc.
    Inventors: Cheol Woo You, Ki Jun Kim, Young Woo Yun, Soon Yil Kwon
  • Publication number: 20090307496
    Abstract: A method for efficiently deriving a traffic encryption key for data encryption is disclosed. A method of generating a traffic encryption key (TEK) comprises the steps of receiving, by a mobile station from a base station, a first nonce and first security materials for deriving the traffic encryption key (TEK) and deriving the traffic encryption key (TEK) using one or more of the first nonce, the authentication key (AK), and the first security materials.
    Type: Application
    Filed: June 3, 2009
    Publication date: December 10, 2009
    Inventors: Gene Beck HAHN, Ki Seon Ryu
  • Publication number: 20090282246
    Abstract: In service access networks having different key hierarchies that provide broadcast service to a mobile terminal, when switching from a first service access network, from which the mobile terminal receives the data of the broadcast service in an encrypted manner by a first data content encryption key, to a second service access network, from which the mobile terminal receives the data of the same broadcast service in an encrypted manner by a second data content encryption key, the mobile terminal receives a key of the hierarchy of the second service access network which is encrypted by a user-specific key of the first service access network.
    Type: Application
    Filed: September 7, 2007
    Publication date: November 12, 2009
    Inventor: Christian Günther
  • Publication number: 20090274302
    Abstract: A mobile station is provided. The mobile station includes one or more radio transceiver modules and a processor. The processor performs a handover negotiation procedure with a serving base station so as to handover communication services to a target base station by transmitting and receiving a plurality of handover negotiation messages via the radio transceiver module, and generates an Authorization Key (AK) context and derives at least one Traffic Encryption Key (TEK) for the target base station. The AK context includes a plurality of keys shared with the target base station for encrypting messages to be transmitted to the target base station, and the TEK is a secret key shared with the target base station for encrypting traffic data.
    Type: Application
    Filed: April 30, 2009
    Publication date: November 5, 2009
    Applicant: MEDIATEK INC.
    Inventors: Lin-Yi Wu, Chi-Chen Lee, I-Kang Fu
  • Publication number: 20090271626
    Abstract: A method of providing secure communications between a base station, a relay station, and a mobile station in a communication network includes authenticating the mobile station over the communication network; generating, by the base station, security material, wherein the security material comprises at least one of a traffic encryption key (TEK) and a message authentication code key (MACK); transmitting, by the base station, the security material to the mobile station; and transmitting, by the base station, the security material to the relay station.
    Type: Application
    Filed: September 3, 2008
    Publication date: October 29, 2009
    Inventor: Jui-Tang WANG
  • Patent number: 7602917
    Abstract: The invention relates to a method of ciphering data transmission in a radio system, and to a user equipment using the method, and to a radio network subsystem using the method. The method includes the steps of: (602) generating a ciphering key; (604A) producing a ciphering mask in a ciphering algorithm using the ciphering key as an input parameter; (604B) using a logical channel specific parameter or a transport channel specific parameter as an additional input parameter to the ciphering algorithm; and (606) producing ciphered data by applying the ciphering mask to plain data.
    Type: Grant
    Filed: December 15, 2004
    Date of Patent: October 13, 2009
    Assignee: Nokia Corporation
    Inventors: Jukka Vialen, Fabio Longoni
  • Publication number: 20090220087
    Abstract: Example embodiments provide a method for performing handovers and key management while performing handovers. The method includes communicating a random handover seed key protected by a secure protocol from a core component of a network to a user equipment. The secure protocol prevents the random handover seed key from being learned by base stations supported by the core component of the network. The secure protocol may be non-access stratum signaling of an evolved packet system environment for wireless communications.
    Type: Application
    Filed: February 18, 2009
    Publication date: September 3, 2009
    Inventors: Alec Brusilovsky, Tania Godard, Sarvar Patel
  • Publication number: 20090208013
    Abstract: The present invention provides a method and system for handoff in a wireless communication network. In one embodiment, a common handoff encryption key is generated by an authentication server and transmitted to a first access point and a second access point. The first access point transmits the handoff encryption key to a wireless terminal. The wireless terminal encrypts output data with the handoff encryption key. When the wireless terminal is associated with the second access point, the second access point decrypts data from the wireless terminal with the handoff encryption key. In a second embodiment, a handoff WEP key generation secret parameter is provided to a first and a second access point. Both access points generate a handoff WEP key as a function of the handoff WEP key generation secret parameter and an address of a wireless terminal. The first access point transmits the handoff WEP key to the wireless terminal.
    Type: Application
    Filed: March 11, 2009
    Publication date: August 20, 2009
    Inventors: Fujio Watanabe, Craig B. Gentry, Gang Wu, Toshiro Kawahara
  • Publication number: 20090180622
    Abstract: A method for generating and distributing keys based on the Diameter server in the mobile communication field is disclosed herein. The MN sends the NAR identifier to the PAR; after receiving the identifier, the PAR sends the NAR identifier and the MN identifier to the Diameter server; after receiving the identifiers, the Diameter server generates a random number first, then generates a shared key according to the random key, and then sends the shared key to the NAR and sends the random number to the MN; after receiving the random number, the MN generates a shared key. An apparatus and system for generating and distributing keys based on the Diameter server are also disclosed herein. The technical solution under the present invention avoids the domino effect and enhances security of the shared key.
    Type: Application
    Filed: March 26, 2009
    Publication date: July 16, 2009
    Applicant: Huawei Technologies Co., Ltd.
    Inventor: Changsheng Wan
  • Patent number: 7562224
    Abstract: A system and method that allows a device to complete a single complete authentication sequence to an AAA server resulting in as many secure sessions required for the different applications or subsystems determined by the client's identity and the AAA server's policy. As the device is authenticated, it is determined where there are other sessions for the device. The sessions are established by generating unique new keying material that is passed to each session. This can be accomplished by (a) the authenticator or AAA server issuing the keys and distributing them to both the supplicant and applications (via their authenticators); or (b) authenticator or the AAA server mutually generating the session unique keys with the supplicant that are then distributed to the applications (via their authenticators).
    Type: Grant
    Filed: April 4, 2005
    Date of Patent: July 14, 2009
    Assignee: Cisco Technology, Inc.
    Inventors: Mark Krischer, Nancy Cam Winget
  • Publication number: 20090175449
    Abstract: The present invention provides a method and system for handoff in a wireless communication network. In one embodiment, a common handoff encryption key is generated by an authentication server and transmitted to a first access point and a second access point. The first access point transmits the handoff encryption key to a wireless terminal. The wireless terminal encrypts output data with the handoff encryption key. When the wireless terminal is associated with the second access point, the second access point decrypts data from the wireless terminal with the handoff encryption key. In a second embodiment, a handoff WEP key generation secret parameter is provided to a first and a second access point. Both access points generate a handoff WEP key as a function of the handoff WEP key generation secret parameter and an address of a wireless terminal. The first access point transmits the handoff WEP key to the wireless terminal.
    Type: Application
    Filed: March 11, 2009
    Publication date: July 9, 2009
    Inventors: Fujio Watanabe, Craig B. Gentry, Gang Wu, Toshiro Kawahara
  • Publication number: 20090175448
    Abstract: The present invention provides a method and system for handoff in a wireless communication network. In one embodiment, a common handoff encryption key is generated by an authentication server and transmitted to a first access point and a second access point. The first access point transmits the handoff encryption key to a wireless terminal. The wireless terminal encrypts output data with the handoff encryption key. When the wireless terminal is associated with the second access point, the second access point decrypts data from the wireless terminal with the handoff encryption key. In a second embodiment, a handoff WEP key generation secret parameter is provided to a first and a second access point. Both access points generate a handoff WEP key as a function of the handoff WEP key generation secret parameter and an address of a wireless terminal. The first access point transmits the handoff WEP key to the wireless terminal.
    Type: Application
    Filed: March 11, 2009
    Publication date: July 9, 2009
    Inventors: Fujio Watanabe, Craig B. Gentry, Gang Wu, Toshiro Kawahara
  • Publication number: 20090172391
    Abstract: There is disclosed a technique whereby, in a case wherein a mobile node (MN) performs a handover between access points (APs) present on the links of different access routers (ARs), security is quickly established between the MN and the AP so as to reduce the possibility of a communication delay or disconnection due to the handover. According to this technique, before performing a handover, the MN 10 transmits, to an access router (nAR) 30 that is to be newly connected after the handover, a notification indicating a MAC address for the MN and a communication encryption/decryption key used with the AP 21 before the handover, and the nAR transmits a notification for this information to the AP 31, to which the MN is to be connected after the handover. Therefore, the MN can employ the communication encryption/decryption key used before the handover and communicate with the AP after the handover.
    Type: Application
    Filed: June 27, 2005
    Publication date: July 2, 2009
    Applicant: MATSUSHITA ELECTRIC INDUSTRIAL CO., LTD.
    Inventor: Makis Kasapidis
  • Patent number: 7542569
    Abstract: The invention concerns the security of the data connections of a telephone user. The basic idea of the invention is to forward the authentication of a telephone system to the leg between two private data networks connected via an arbitrating network. When establishing the connection, the private network connected to the telephone system forwards the authenticated subscriber identity to the other private network. To provide the identity forwarded with authenticity, the message containing the identity is signed. To provide encryption of the subscriber identity, the message is encrypted using a public key method. In response the second private network generates a session key to be used in the connection. This key is signed and encrypted using a public key method and sent to the first private network. During the connection, a symmetrical encryption method with the session key is used.
    Type: Grant
    Filed: May 17, 2000
    Date of Patent: June 2, 2009
    Assignee: Nokia Siemens Networks OY
    Inventor: Jussipekka Leiwo
  • Publication number: 20090136036
    Abstract: A receiving unit receives a handover request from a terminal apparatus. As the handover request is received, a requesting unit requests a control apparatus connected via a network that an encryption key used for wireless communication performed between the terminal apparatus and a handover source base station apparatus be outputted. As the encryption key is received from the control apparatus as a response to the request, a tentative execution unit performs wireless communication with the terminal using the encryption key. While wireless communication is being performed between the tentative execution unit and the terminal, a setting unit determines a new encryption key between the setting unit and the terminal and continues to perform wireless communication after updating the encryption key with the new encryption key.
    Type: Application
    Filed: November 21, 2008
    Publication date: May 28, 2009
    Inventor: Makoto OKADA
  • Publication number: 20090116647
    Abstract: Disclosed is a method for providing fast secure handoff in a wireless mesh network. The method comprises configuring multiple first level key holders (R0KHs) within a radio access network to which supplicants within the multi-hop wireless mesh network are capable of establishing a security association, configuring a common mobility domain identifier within the first level key holders of a mobility domain, and propagating identity of a first level key holder and the mobility domain identifier through the wireless mesh network to enable the supplicants within the mobility domain to perform fast secure handoff.
    Type: Application
    Filed: November 6, 2007
    Publication date: May 7, 2009
    Applicant: MOTOROLA, INC.
    Inventors: Michael F. Korus, Ohad Shatil
  • Patent number: 7522727
    Abstract: A method includes receiving an authentication request from a mobile station (401) and determining whether to forward the request to an authentication agent. When it is determined to forward the request, the request is forwarded to the authentication agent (107). A random number and a random seed are received from the authentication agent (107). The random number and the random seed are forwarded to the mobile station (401). A response to the random number and the random seed from the mobile station (401) is received and forwarded to the authentication agent (107). The authentication agent (107) compares the response with an expected response. When the authentication agent (107) authenticates the mobile station (401), a derived cipher key is received from the authentication agent (107).
    Type: Grant
    Filed: August 31, 2006
    Date of Patent: April 21, 2009
    Assignee: Motorola, Inc.
    Inventors: Hans Christopher Sowa, Daniel J. McDonald, David J. Chater-Lea, Scott J. Pappas, Jason Johur, Dennis Newkirk, Randy Kremske, Walter F. Anderson