Abstract: Communication between a private network (1) and a roaming mobile terminal (4), the private network (1) including a home agent (5) for the mobile terminal and a gateway (2, 3) through which, the communication passes and which-provides security protection for the private network (1). The protocols of the communication Including security association bundles each include a security association between the mobile terminal (4) and the gateway (2, 3) for inbound communication and another security association for outbound communication. In response to a handover of communication causing an IP address. (MN Co @) of the mobile terminal (4), to change to a new IP address (MN: New Co @), the mobile terminal updates its inbound security association from the, gateway (2, 3) so that it can receive packets sent to it with the new IP address (MN New Co @) as destination.

Abstract: A method and system for wireless access provider management of digital rights. A wireless carrier receives a content request transmitted from a given wireless client station. The carrier determines by reference to digital rights management data that the requested content is premium content and then determines if the requesting party has the right to obtain the content. If the party does not have the right to obtain the content, the wireless carrier may engage in a payment collection process, to collect the party's payment for the content. Upon determination that the requesting party has the right to obtain the content, the wireless carrier inserts an access-token into the content request and sends the content request, with the access-token, to the content provider. The content provider can then rely on the access-token as proof that the requesting party has the right to obtain the requested content.

Abstract: Security context transfer and ROHC context transfer to enable secure and efficient mobile device handoff is facilitated by the introduction of new information elements to the UL Allocation message or separate downlink (DL) physical channel, the use of reverse tunneling during hand off (HO) to provide the User Equipment (UE) with new security parameters, the generation of multiple key sets and automated or context based triggering of the Security Mode Command.

Abstract: The invention allows changing a Radio Access Network security algorithm during handover in a manner that is efficient and secure. A security message is received at a mobile station previously using a first security algorithm in communication with a first access point, which message instructs to use a second security algorithm required by a second access point. In response, the mobile station is changed to use the second security algorithm.

Abstract: During connection setup with a first radio access network, a multimode mobile station sends an unprotected initial signaling message that includes information about those encryption algorithms that the multimode mobile station supports when it communicates in a second radio access network. The first radio access network saves some or all the information. Then it composes and sends an integrity-protected message that includes information about the encryption algorithms supported by the multimode mobile station in the second radio access network.

Abstract: A method for handing off a connection of a mobile device from a primary VPN to which the mobile device is connected to an angel VPN to which the mobile device may be connected in an Internet Protocol-based multimedia mobile network includes the steps of searching for alternative available routes to a peer, creating the angel VPN for storage in the mobile device and replacing the primary VPN with the angel VPN in a case where the primary VPN is disrupted.

Abstract: The present invention supports a secure transmissions protocol for information packet transmission between a Mobile Node and a Foreign Agent. The information packets are encrypted and decrypted using an integrated software client that combines mobile IP communication support and encrypting and decrypting protocols.

Abstract: Disclosed are a forward multiple scrambling code generating method and apparatus in a communication system. Each base station uses primary scrambling codes and an associated one of secondary scrambling code sets, each consisting of a plurality of secondary scrambling codes. When an n-th one of the primary scrambling codes is to be generated, an initial value of the scrambling code generator is set with a binary value of “n,” so that a desired primary scrambling code is generated using the initial value. When an n-th one of the secondary scrambling codes in an m-th one of the secondary scrambling code sets is to be generated, an initial value of the scrambling code generator is set with a value obtained by shifting the n-th primary scrambling code by m times, thereby generating a desired secondary scrambling code.

Abstract: The present invention provides secure communication from one encryption domain to another using a trusted module. In one embodiment, the invention includes generating a cipher stream based on a first key for encrypted streamed content, and generating a second cipher stream based on a second key to re-encrypt the streamed content. The invention further includes receiving the encrypted streamed content, simultaneously decrypting and re-encrypting the encrypted content using a combination of the first and the second cipher streams and conveying the re-encrypted content to a sink.

Abstract: A method for protecting traffic in a radio access network connected to at least two core networks. The method includes maintaining a core-network-specific authentication protocol and a radio-bearer-specific ciphering process, and generating, for each ciphering process, a count parameter including a cyclical sequence number and a hyperframe number (HFN) which is incremented each time the cyclical sequence number completes one cycle. For each core network or authentication protocol, a first radio bearer of a session is initialized with a HFN exceeding the highest HFN used during the previous session. When a new radio bearer is established, the mobile station selects the highest HFN used during the session for the core network in question, increments it and uses it for initializing the count parameter for the new radio bearer. At the end of a session, the mobile station stores at least part of the highest HFN used during the session.

Abstract: A method and system for pre-authenticating a pre-establishing key management on a roaming device prior to reassociation to facilitate fast hand-off in a wireless network is described. For enhanced mobility, both authentication and key establishment is performed prior to reassociation of the roaming device between access points. When the roaming device enters in contact with one of the access points, a local authentication is performed between the access point and the roaming device prior to reassociation with the access point to allow for fast hand-offs of the device between access points within the network.

Abstract: Security key distribution techniques using key rollover strategies for wireless networks are described. A number of keys are generated, usually by an access point. The present invention allows a standard mode and a mixed mode. In standard mode, each device on the network supports automatic key updates. In mixed mode, one or more devices on the wireless network require fixed keys. In both modes, a predetermined number of keys are determined and communicated to client devices that are accessing the wireless network. The predetermined number is determined so that a client device can miss a certain number of authentication periods without losing communication with the wireless network. Preferably, transmit keys used by an access point are different than the transmit keys used by the client devices that support automatic key updates.

Abstract: A security system for a digital trunked radio system having a digital control channel and a plurality of working channels, wherein said working channels are assigned for temporary use of individual radio units by digital control signals transmitted over said control channel, said control channel carrying digital control signals between a base site and said radio units, comprising a digital key, said key used to limit access to the system equipment and system control channel transmissions.

Abstract: A method of managing a wireless device (2), the method comprising installing a management agent program in a memory of the wireless device (2), the installed management agent monitoring the status of application programs installed on the device. Management instructions are sent to the mobile device (2) from a Management Centre (5) using a wireless telecommunications network (1) and, following a receipt of the management instructions at the device, the management agent processes the instructions and manages the applications accordingly. The management agent reports the results of the processing operation to the Management Centre (5) via the wireless telecommunications network (1).

Abstract: A method and apparatus for re-synchronizing a stream cipher during soft handoff. Transmitted quasi-secret keying information is used with a secret key to reinitialize a stream cipher generator located in a base station and a stream cipher generator located in a travelling mobile station. Since the quasi-secret keying information is uniquely determined according to each base station in the wireless telephone system, a base station's quasi-secret keying information and a shared secret key can also be used to create a new key. Thus, as the mobile station travels from one base station to another base station, a unique new key is generated for each base station.

Abstract: A memory card (110) decodes data delivered to a data bus (BS3) and extracts a session key (Ks1) sent from a server from the data. Based on the session key (Ks1), an encrypting section (1406) encrypts a public encryption key (KPm (1)) of the memory card (110) and delivers it to a server through the data bus (BS3). The memory card (110) receives data including a license key (Kc) and a license (ID) encrypted with the public encryption key (KPm (1)) different with memory card to memory card, decrypts the data, encrypted it again with uniquely given secret key (K(1)), and stores it in a memory (1415).

Abstract: An object of the present invention is to provide a technology to improve security against spoofing in a method of authentication using a challenge and response system. In the method of authentication of the present invention, the piece of challenge data is transmitted from the sever 10 to the terminal 20 (S104), and then the piece of response data, which is the decrypted challenge data (S105), is transmitted from the terminal to the server (S107). Further, whether the piece of response data is the piece of challenge data decrypted or not is judged based on encryption performed in the server 10 (S109). When the result of judgment is affirmative, the parameter used both for encryption and decryption is renewed to a parameter to be used in the next authentication (S111, S112).

Abstract: An external client securely accesses a private corporate network using a communications device, but without the communications device being required to communicate through the private corporate network when communicating with resources external to the private corporate network. The external client establishes a connection with the private corporate network over the public network such as the Internet using, for example, Transmission Control Protocol (TCP). The external client then provides security to the connection by running, for example, the Secure Socket Layer (SSL) protocol over the TCP protocol. During the ensuing session with the private corporate network, the communications device establishes a subsequent connection(s) with the external resource.

Abstract: A method includes receiving an authentication request from a mobile station (401) and determining whether to forward the request to an authentication agent. When it is determined to forward the request, the request is forwarded to the authentication agent (107). A random number and a random seed are received from the authentication agent (107). The random number and the random seed are forwarded to the mobile station (401). A response to the random number and the random seed from the mobile station (401) is received and forwarded to the authentication agent (107). The authentication agent (107) compares the response with an expected response. When the authentication agent (107) authenticates the mobile station (401), a derived cipher key is received from the authentication agent (107).

Abstract: Disclosed is a method and apparatus for synchronizing data. In one embodiment, the apparatus includes a first communication link for transmitting first data and a second communication link for transmitting second data. A circuit coupled to the first and second communication links. The circuit is configured to receive the first and second data. The circuit is configured to synchronously output the first and second data when the first and second data are received by the circuit out of synchronization.

Abstract: A system and method for automatically selecting an encryption, or ciphering, algorithm in a cellular communication network is disclosed. A cellular communication network includes a Base Transceiver Station (BTS) connected to a Base Station Controller (BSC), which is connected to a Mobile services Switching Center (MSC). The BTS is adapted to implement one of at least two different encryption algorithms. The BSC includes a tabular database containing Mobile Country Codes (MCCs) and associated codes corresponding to the allowable encryption algorithm for the MCC. When the BTS is initialized, the BSC's processor retrieves from the tabular database the encryption algorithm code that corresponds to the country in which the BTS resides. This code is transmitted to the BTS, which selects an encryption algorithm based on the value of this code.

Abstract: Techniques for providing secure processing and data storage for a wireless communication device. In one specific design, a remote terminal includes a data processing unit, a main processor, and a secure unit. The data processing unit processes data for a communication over a wireless link. The main processor provides control for the remote terminal. The secure unit includes a secure processor that performs the secure processing for the remote terminal (e.g., using public-key cryptography) and a memory that provides secure storage of data (e.g., electronics funds, personal data, certificates, and so on). The secure processor may include an embedded ROM that stores program instructions and parameters used for the secure processing. For enhanced security, the secure processor and memory may be implemented within a single integrated circuit. Messaging and data may be exchanged with the secure unit via a single entry point provided by a bus.

Abstract: Methods, systems and computer program products are provided which provide profile information associated with a client to a server by generating, at the client, a profile document containing profile information associated with the client and incorporating in the profile document a designator which indicates that profile information identified by the designator is not provided by the client and is provided by a network intermediary in a path between the client and the server. The designator in the profile document is encrypted utilizing a key associated with the client and the profile document with the encrypted designator transmitted from the client to the server utilizing the path. Method, systems and computer program products corresponding to the network intermediaries are also provided.

Abstract: An apparatus and method for location based wireless client authentication is described. The method includes the receipt of an authentication/access request from a wireless client desiring access to a wireless network. Once the request is received, a spatial location of the client is identified. Once the physical location of the client is identified, compliance with the authentication/access request is performed according to the identified spatial location of the device. For example, in one embodiment, when the spatial location of the client falls within predefined wireless network boundaries, the client is generally granted network access. The granted access may include a possible key exchange for unidentified clients, or challenge and response authentication for identified clients. In other words, wireless clients that have gained access to a certain physical location are assumed to have passed through some other form of physical authentication and, hence, are deemed trustable.

Abstract: Method and system for providing security mobility between two cellular systems. One or more ciphering keys are generated for a second cellular system by an interoperability authentication center at a first cellular system and by a mobile device separately. Traffic between the mobile device and the first cellular system is encrypted using one or more first ciphering keys for the first cellular system. A handover of the traffic of the mobile device from the first cellular system to the second cellular system is requested by the mobile device. After approval of handoff and before handoff, the one or more second ciphering keys are sent from the first cellular system to the second cellular system. The traffic is handed off by the mobile device from the first cellular system to the second cellular system. The traffic between the mobile device and the second cellular system is encrypted using the one or more second ciphering keys. The ciphering of the traffic is maintained during handoff.

Abstract: The present invention permits a user to conduct remote transactions without a network while using an untrusted computing device, such as a hand-held personal digital assistant or a laptop computer. The computing device is augmented with a smartcard reader, and the user obtains a smartcard and connects it to the device. This design can be used by an untrusted user to perform financial transactions, such as placing bets on the outcome of a probabilistic computation. Protocols are presented for adding (purchasing) or removing (selling) value on the smartcard, again without requiring a network connection. Using the instant protocols, neither the user nor the entity issuing the smartcards can benefit from cheating.

Abstract: A first station communicates with a second over first and second channels. The first station includes first and second ciphering configurations, and a ciphering engine. The ciphering engine uses the first or second ciphering configuration when ciphering data. Activation times are determined for the channels. A ciphering reconfiguration message is composed containing the activation times. The first station transmits the ciphering reconfiguration message to the second station along the second channel. A reset operation is performed on one of the channels, which does not affect the corresponding activation time. The ciphering engine uses the first ciphering configuration prior to the activation times, and uses the second ciphering configuration on or after the activation times.

Abstract: A HANDOVER FROM UTRAN procedure is performed to handover a wireless device from the UTRAN to a second network. While attached to the second network, the wireless device sends an INTER RAT HANDOVER INFO message to the UTRAN. The INTER RAT HANDOVER INFO message includes the security START value maintained by the wireless device for ciphering purposes. In response to determining that the security START value equals or exceeds a THRESHOLD value, the UTRAN disables ciphering with the wireless device when performing a HANDOVER TO UTRAN procedure. Similarly, the wireless device disables ciphering when performing the HANDOVER TO UTRAN procedure if the START value equals or exceeds the THRESHOLD value. Alternatively, a new ciphering key set is generated while the wireless device is attached to the second network, and ciphering is performed during the HANDOVER TO UTRAN procedure, utilizing the new key set.

Abstract: A method and apparatus for re-synchronizing a stream cipher during soft handoff. Transmitted quasi-secret keying information is used with a secret key to reinitialize a stream cipher generator located in a base station and a stream cipher generator located in a travelling mobile station. Since the quasi-secret keying information is uniquely determined according to each base station in the wireless telephone system, a base station's quasi-secret keying information and a shared secret key can also be used to create a new key. Thus, as the mobile station travels from one base station to another base station, a unique new key is generated for each base station.

Abstract: A method of effecting handoff of a mobile station from a first base station in a first cellular communications system controlled by a first mobile switching control station to a second base station in a second, different cellular system controlled by a second mobile switching control station is described. The method comprises generating for the mobile station a cipher key for use by the mobile station during communication in the second cellular communications system. The cipher key is generated by the mobile station from a private key assigned to the mobile station for the second cellular communications system and from a random number generated by the second cellular communications system. The cipher key is then communicated to the first mobile system and a private long code is generated for use by the mobile station during communication in the first cellular communications system.

Abstract: An existing security association is re-established when a communication handover event occurs in a radio communications system such as IEEE 082.11 or a HIPERLAN wherein the existing security association between a mobile terminal and a wireless communication network is maintained when the communication handover occurs within the network. Authentication during a handover event is achieved by a challenge/response procedure. In accordance with the challenge/response procedure each member of a communication pair that is made up of a new access point and the mobile terminal that is experiencing a handover to the new access point sends a challenge to the other member of the communication pair. Each member of the communication pair then calculates a response to its received challenge, and these responses are sent back to the other member of the communication pair. Each member of the communication pair then compares its received response to a correct response.

Abstract: A trainable transmitter comprises a transmitter, code-generation circuitry and a removable, plug-in data module. The data module includes information necessary for generating a code for a specific security system, such as a garage door opener. Preferably, the data includes a cryptographic algorithm and the frequency at which the wireless signal is to be generated. The code-generation circuitry accesses the data in the data module to generate a code, which is then transmitted by the transmitter. A variety of data modules are provided. A user installs a data module which corresponds to the security system to be accessed.

Abstract: A first station communicates with a second over first and second channels. The first station includes first and second ciphering configurations, and a ciphering engine. The ciphering engine uses the first or second ciphering configuration when ciphering data. Activation times are determined for the channels. A ciphering reconfiguration message is composed containing the activation times. The first station transmits the ciphering reconfiguration message to the second station along the second channel. A reset operation is performed on one of the channels, which does not affect the corresponding activation time. The ciphering engine uses the first ciphering configuration prior to the activation times, and uses the second ciphering configuration on or after the activation times.

Abstract: A wireless communications system includes a first station in wireless communications with a second station along at least one channel. The first station initiates a local suspend function for the channel, with a suspend point determined by a first sequence number (SN). Prior to a resume command to terminate the local suspend function, a reset procedure for the channel is performed. In response to the reset procedure, the first SN of the suspend point is set equal to a default value. This halts communications along the channel while the channel is locally suspended. The resume command for the channel then terminates the local suspend function. Alternatively, the suspend point is determined by a first hyper-frame number/sequence number (HFN/SN) pair.

Abstract: A wireless broadband IP network with a data transfer rate in excess of one megabyte per second for providing up to the minute subscription services to mobile client devices. The network has a network operation center (NOC) and base stations communicating with respective data centers and with mobile client devices. As a mobile client device moves from the area of one base station to another, the provision of subscription services to the device is handed off from one base station to the next without interruption.

Abstract: A cryptosystem having a Certificate (Key) Server for storing and maintaining certificate or key information in a certificate database is described. The Certificate Server allows clients to submit and retrieve keys from a database based on a set of policy constraints which are set for one's particular site (e.g., company). Access to the Certificate Server is maintained by a Certificate Policy Agent, which makes sure that the policy is enforced for a given site based on the information supplied during the configuration. During operation, the Certificate Server responds to client requests to add, search for, and retrieve certificates. The server accepts or rejects certificates based on configurable parameters enforced by a Certificate Policy Agent. When a certificate is submitted to the server, the Certificate Policy Agent checks to see if it meets the criteria for a given site based on the settings specified during the configuration.

Abstract: A communication system (100) includes an infrastructure (150) and at least one vehicle (101), the vehicle including at least one vehicle system (103), and at least one user system (113). The infrastructure includes an application (155) which, in turn, is arranged to reprogram the vehicle system, the user system, or both.

Abstract: The invention relates to a method for transmitting an encryption number in a communication system (1) comprising mobile terminals (MT1-MT4) and at least a first access point (AP1) and a second access point (AP2). The method comprises the steps of defining a set of encryption keys, selecting at each said access point (AP1, AP2) from said set of encryption keys one to be used at a time for encrypting information to be transmitted between said access point (AP1, AP2) and mobile terminal (MT1-MT4), transmitting from the access point (AP1, AP2), at intervals, data about the encryption key selected at the time, setting up a data transmission connection between a mobile terminal (MT1-MT4) and the first access point (AP1) for the transmission of information, and performing a handover, whereby a data transmission connection is set up between the second access point (AP2) and the mobile terminal (MT1-MT4).

Abstract: The invention provides technology that improves the security of the A-Keys in a wireless communications system. The technology effectively prevents any human access to the A-Keys and eliminates cloning. The invention improves the security and integrity of the wireless communications system. A secure processor exchanges random numbers with a wireless communications device to generate the A-Key. The secure processor then encrypts the A-Key and transfers the encrypted A-Key to an authentication system. When the authentication system generates or updates the SSD, the authentication system transfers the encrypted A-Key and other information to the secure processor. The secure processor decrypts the A-Key and calculates the SSD. The secure processor transfers the SSD to the authentication system for use in authenticating the wireless communications device.

Abstract: The mobile station comprises Traffic Identification Encryption means (TIE) and a memory (54) for storing at least one authentication number (A-key). According to the invention, the protection system comprises a program (61) for encrypting during operation the A-key by the TIE means, and for storing (A1) the encrypted A key, and a program (62) for decrypting, according to the TIE means, the A-key when its non-coded use is needed in the mobile station.