Protection At A Particular Protocol Layer Patents (Class 713/151)
-
Patent number: 9038162
Abstract: Implementations of the present invention efficiently establish secure connections between a client and server, at least in part by authenticating the client and server early on in the connection setup phases. A client initiating a connection with a server identifies the secure communication protocols enabled at the client, and identifies these protocols in a connection request it sends to the server. The server processes the message and responds with a communication protocol it deems appropriate for the connection. The client and server then exchange appropriate authentication information, and then establish a connection session that implements the chosen communication protocol, and encrypts messages using the negotiated communication protocol. Additional implementations relate to reestablishing dropped connections behind virtual Internet Protocol addresses, without necessarily having to recommit much connection resource overhead.
Type: Grant
Filed: June 25, 2012
Date of Patent: May 19, 2015
Assignee: Microsoft Technology Licensing, LLC
Inventors: Costin Hagiu, Elton Saul, Rajneesh Mahajan, Sergey A. Kuzin, Joy Chik, John E. Parsons, Ashwin Palekar, Ara Bernardi
-
Patent number: 9038160
Abstract: A method of ensuring secure and cost effective communication of aeronautical data to and from an aircraft is provided. The method includes uplinking air-ground aircraft data communications via an aeronautical safety data link and downlinking air-ground aircraft data communications via a consumer data link separated from the aeronautical safety data link by a one-way firewall.
Type: Grant
Filed: June 23, 2014
Date of Patent: May 19, 2015
Assignee: Honeywell International Inc.
Inventors: Donald C. Kauffman, Thomas D. Judd, Michael L. Olive
-
Patent number: 9037656
Abstract: A method and system for facilitating interaction between an electronic device and a plurality of content provider websites are disclosed. In one embodiment, the method includes receiving at a server a plurality of information portions provided from the websites, where each of the information portions is associated with a respective copy of information that is available at each of the websites. The method also includes aggregating at the server the information portions so that they are combined into an overall grouping, with the respective information portions being maintained respectively as distinct subportions within the grouping. Further, the method includes sending from the server a message for receipt by a part of the electronic device, the primary message including the grouping. The grouping is sent together with an additional copy of the information or with an indication of that information to which the overall grouping relates.
Type: Grant
Filed: December 20, 2010
Date of Patent: May 19, 2015
Assignee: Google Technology Holdings LLC
Inventors: David Brenner, Roger Bye, Kevin Foy, Lucia Robles Noriega
-
Patent number: 9037855
Abstract: A content data reproducing method includes: decrypting encrypted data to generate plain-text data; dividing the plain-text data into decrypted content data and reproduction management information; sending the reproduction management information to a user space; storing the decrypted content data in a secret buffer; obtaining the decrypted content data as reproduction target data from the secret buffer and transmitting the reproduction target data to a decoder; and decoding the reproduction target data by the decoder.
Type: Grant
Filed: November 6, 2013
Date of Patent: May 19, 2015
Assignee: SOCIONEXT Inc.
Inventors: Atsushi Oida, Wataru Tachibana, Hiroyuki Wada
-
Patent number: 9032534
Abstract: A system administrator of a wireless LAN 100 manipulates a personal computer PC1 to change a WEP key. The personal computer PC1 authenticates a memory card MC as genuine under management of the system administrator. In the case of the authenticated memory card MC, changed setting information, as well as a previous WEP key before the change of the setting information, is written into the memory card MC. The system administrator then inserts this memory card MC into a memory card slot of a printer PRT1. The printer PRT1 authenticates the memory card MC as genuine under management of the system administrator. In the case of the authenticated memory card MC, the setting information is updated. This arrangement effectively relieves the user's workload in setting wireless communication devices, while ensuring the sufficiently high security.
Type: Grant
Filed: December 21, 2004
Date of Patent: May 12, 2015
Assignee: Seiko Epson Corporation
Inventor: Katsuyuki Koga
-
Patent number: 9030680
Abstract: An information processing apparatus includes a control unit that, in a case where it is determined that proxy response processing should be performed, performs control such that an inputted job is processed without causing the information processing apparatus to transition from a second power mode to a first power mode, and, in a case where it is determined that proxy response processing should not be performed, performs control such that inputted job is processed after causing the information processing apparatus to transition from the second power mode to the first power mode.
Type: Grant
Filed: March 12, 2012
Date of Patent: May 12, 2015
Assignee: Canon Kabushiki Kaisha
Inventor: Yoshinobu Umeda
-
Patent number: 9026784
Abstract: An example method includes identifying a transport layer security (TLS) session between a client and a server, parsing one or more TLS messages to identify a session ticket associated with the session, transforming the session ticket into a fixed size session token, and managing the session using the session token to identify the session. The transforming may include computing a hash value of the session ticket using a hashing algorithm. If any of the TLS messages is spread across more than one TLS protocol record, the method can include computing a hash value of a portion of the session ticket encountered in a TLS protocol record using a hashing algorithm, incrementally computing another hash value of another portion of the session ticket encountered in a subsequent TLS protocol record from the previously computed hash value, and repeating the incremental computing until portions of the session ticket have been processed.
Type: Grant
Filed: January 26, 2012
Date of Patent: May 5, 2015
Assignee: McAfee, Inc.
Inventors: Shivakumar Buruganahalli, Venu Vissamsetty
-
Patent number: 9027088
Abstract: Systems and methods are provided for authenticating Internet Protocol (IP) Multimedia Subsystem (IMS) applications in a User Equipment (UE). A method includes: receiving a first Session Initiation Protocol (SIP) REGISTER message from an IMS application operating on the UE; transmitting a response message to the IMS application based on the received first SIP REGISTER message; receiving a second SIP REGISTER message from the IMS application operating on the UE; determining authentication for the IMS application based on the received second SIP REGISTER message from the IMS application operating on the UE; and based on the step of determining authentication for the IMS application, if the IMS application is authorized, then transmitting information associated with the first and second SIP REGISTER messages toward a SIP node or if the IMS application is unauthorized, then discarding data associated with the first and second SIP REGISTER messages.
Type: Grant
Filed: April 19, 2013
Date of Patent: May 5, 2015
Assignee: Ericsson Modems SA
Inventors: Stefan Runeson, Per Stahl
-
Patent number: 9021577
Abstract: A network element (NE) comprising a memory device configured to store instructions, and a processor configured to execute the instructions by dividing a first plurality of data packets of a data flow into a first plurality of sub-flows, and causing the first plurality of sub-flows to be transmitted to a second NE via a network, wherein the first plurality of sub-flows are transmitted using a first Internet Protocol Security (IPsec) security association (SA) cluster comprising a plurality of parallel sub-SAs. The disclosure also includes a NE comprising a processor configured to create an IPsec SA cluster comprising a first plurality of sub-SAs between the NE and a second NE using an internet key exchange (IKE) or an IKEv2, wherein the first sub-SAs are unidirectional, and wherein the first sub-SAs are configured to transport a first plurality of data packets in a common direction.
Type: Grant
Filed: March 28, 2013
Date of Patent: April 28, 2015
Assignee: Futurewei Technologies, Inc.
Inventors: Jifei Song, Xiaoyong Yi, Xiangyang Zhang
-
Patent number: 9021249
Abstract: The need for upload security arises during content sharing between users in communication link with each other and a server. In one embodiment, providing the upload security involves the server identifying a mobile device that sends an upload message destined to a user. Providing the upload security further involves the server accessing opt-in parameters predetermined by the user, determining if the identity of the sending mobile device is included in the opt-in parameters, and, if so, allowing the upload to the user's account, otherwise blocking the upload. The opt-in parameters include the identity of mobile devices that are authorized by the user to upload data to the user's account. In one embodiment, the communication link includes a wireless carrier network with capability for security screening of the upload message before it reaches the server based on the identity of the wireless carrier network.
Type: Grant
Filed: September 9, 2010
Date of Patent: April 28, 2015
Assignee: Yahoo! Inc.
Inventors: Zhaowei Charlie Jiang, Christopher Wu, Joy Sato, Yingqing Lawrence Cui
-
Patent number: 9021547
Abstract: This disclosure is directed toward an integrated switching and routing security device that provides zone-based security directly between layer two (L2) interfaces of L2 bridge domains and/or layer three (L3) interfaces of L3 routing instances within the security device. The integrated switching and routing security device supports both switching and routing functionalities for packets on L2 and L3 interfaces, and supports security within and between L2 bridge domains and L3 routing instances. The integrated switching and routing security device configures L2 security zones for one or more L2 interfaces and configures L3 security zones for one or more L3 interfaces. The integrated switching and routing security device then applies security policies to incoming packets according to the L2 security zones and/or the L3 security zones associated with the incoming interface and an outgoing interface for the packets to provide end-to-end security within the security device.
Type: Grant
Filed: December 21, 2011
Date of Patent: April 28, 2015
Assignee: Juniper Networks, Inc.
Inventors: Tsai-Zong Lin, Chih-Wei Chao, Jin Shang, Dongyi Jiang, Anchung Chung
-
Patent number: 9021272
Abstract: The present invention relates to key management in a secure microcontroller, and more particularly, to systems, devices and methods of automatically and transparently employing logic or physical address based keys that may also be transferred using dedicated buses. A cryptographic engine translates a logic address to at least one physical address, and processes a corresponding data word based on at least one target key. The target key is selected from a plurality of keys based on the logic or physical address. A universal memory controller stores each processed data word in the corresponding physical address within a memory. Each key is associated with a memory region within the memory, and therefore, the logic or physical address associated with a memory region may be used to automatically identify the corresponding target key. A dedicated secure link may be used to transport key request commands and the plurality of keys.
Type: Grant
Filed: August 28, 2012
Date of Patent: April 28, 2015
Assignee: Maxim Integrated Products, Inc.
Inventors: Vincent Debout, Frank Lhermet, Yann Yves René Loisel, Grégory Rome, Christophe Tremlet
-
Patent number: 9021593
Abstract: The present invention discloses a XSS detection method for detecting the XSS vulnerabilities in a web page, comprising for each parameter-value pair in a set of parameter-value pairs that can be accepted by the web page: constructing a parameter-value pair in which a dedicated script is inserted; assembling a URL corresponding to the web page based on the parameter-value pair in which a dedicated script is inserted; acquiring the dynamic web page content corresponding to the assembled URL; and simulating the execution of the acquired dynamic web page content, if the dedicated script is executed, it is determined that the processing of the parameter in the web page contains XSS vulnerabilities. The present invention further discloses a corresponding XSS detection device and a web site security scanning system and a web scanning system using such a device.
Type: Grant
Filed: July 23, 2010
Date of Patent: April 28, 2015
Assignee: NSFOCUS Information Technology Co., Ltd.
Inventors: Guangxu Liu, Yujie Wen, Da Zhou, Xiaoming Wang, Xiaoxia Liu
-
Publication number: 20150113264
Abstract: Systems and methods for inline security protocol inspection are provided. According to one embodiment, a security device receives an encrypted raw packet from a first network appliance and buffers the encrypted raw packet in a buffer. An inspection module accesses the encrypted raw packet from the buffer, decrypts the encrypted raw packet to produce a plain text and scans the plain text by the inspection module.
Type: Application
Filed: October 17, 2013
Publication date: April 23, 2015
Applicant: FORTINET, INC.
Inventors: Wei David Wang, Junfeng Jia, Hongbin Lu
-
Patent number: 9015691
Abstract: A method includes loading a software class containing class information for a lock state. The method includes allocating an instance of a software object derived from the software class, wherein the allocating includes allocating of a lock word as part of the instance of the software object. The lock word defines whether the object is locked by a thread of multiple threads. The method includes observing activity relative to the instance of the software object. The method includes responsive to observing the activity relative to the instance of the software object that indicates that the lock state of the instance of the software object is non-locking, removing the lock word from the instance of the software object.
Type: Grant
Filed: December 27, 2013
Date of Patent: April 21, 2015
Assignee: International Business Machines Corporation
Inventor: Peter W. Burka
-
Patent number: 9015469
Abstract: A proxy server in a cloud-based proxy service receives a secure session request from a client device for a secure session. The secure session request is received at the proxy server as a result of a Domain Name System (DNS) request for a domain resolving to the proxy server. The proxy server participates in a secure session negotiation with the client device including transmitting a digital certificate to the client device that is bound to domain and multiple other domains. The proxy server receives an encrypted request from the client device for an action to be performed on a resource that is hosted at an origin server corresponding to the domain. The proxy server decrypts the request and participates in a secure session negotiation with the origin server including receiving a digital certificate from the origin server. The proxy server encrypts the decrypted request using the digital certificate from the origin server and transmits the encrypted request to the origin server.
Type: Grant
Filed: July 28, 2011
Date of Patent: April 21, 2015
Assignee: CloudFlare, Inc.
Inventors: Matthew Browning Prince, Lee Hahn Holloway, Srikanth N. Rao, Ian Gerald Pye
-
Patent number: 9009837
Abstract: Systems and methods which provide a new application security assessment framework that allows auditing and testing systems to automatically perform security and compliance audits, detect technical security vulnerabilities, and illustrate the associated security risks affecting business-critical applications.
Type: Grant
Filed: July 1, 2011
Date of Patent: April 14, 2015
Assignee: Onapsis S.R.L.
Inventor: Mariano Nunez Di Croce
-
Patent number: 9003179
Abstract: A communication method for a host and a wireless Internet access module, and a data card, are provided so that the host implements wireless Internet access with the wireless Internet access module of a secure digital interface. The method includes simulating each port on a wireless Internet access processing function unit in a wireless Internet access module into a secure digital card partition and reporting the secure digital card partition to a host side; receiving downlink interaction information from the host side encapsulated in a secure digital card interface format, decapsulating the downlink interaction information, and delivering the decapsulated downlink interaction information to a corresponding port; and receiving uplink interaction information reported to the host side from each port, encapsulating the received uplink interaction information in the secure digital card interface format.
Type: Grant
Filed: October 24, 2012
Date of Patent: April 7, 2015
Assignee: Huawei Device Co., Ltd.
Inventors: Xiaozhi Fang, Guiying Xue, Lei Lin, Wenchun Jiang, Meiwen Yang, Keqiang Gao
-
Patent number: 9003478
Abstract: Framework for conditionally attaching web service policies to a policy subject (e.g., a web service client or service endpoint) at subject runtime. In one set of embodiments, a constraint expression can be defined that specifies one or more runtime conditions under which a policy should be attached to a policy subject. The constraint expression can be associated with the policy and the policy subject via policy attachment metadata. The constraint expression can then be evaluated at runtime of the policy subject to determine whether attachment of the policy to the policy subject should occur. If the evaluation indicates that the policy should be attached, the attached policy can be processed at the policy subject (e.g., enforced or advertised) as appropriate. Using these techniques, the policy subject can be configured to dynamically exhibit different behaviors based on its runtime context.
Type: Grant
Filed: August 28, 2012
Date of Patent: April 7, 2015
Assignee: Oracle International Corporation
Inventors: Nickolas Kavantzas, Jeffrey Jason Bryan, Cecilia Zhao
-
Patent number: 9003481
Abstract: A computer-implemented method, network management system, and network clients are provided for out-of-band network security management. The network management system includes routers, firewalls, and out-of-band interfaces. The out-of-band interface of the network management system transmits access control lists to network clients connected to a trusted network. The trusted network connects the routers, firewalls, and network clients. The firewalls receive access control lists from the network management system to police communications that traverse the trusted network and an untrusted network. The routers receive access control lists from the network management system to police communications that traverse the router within the trusted network. The access control lists for the routers and firewalls are transmitted over a network interface to the trusted network and are transmitted separately from the access control lists for the network clients.
Type: Grant
Filed: July 8, 2013
Date of Patent: April 7, 2015
Assignee: Sprint Communications Company L.P.
Inventors: David Wayne Haney, Usman Muhammad Naim, Andrew Lee Davey
-
Patent number: 8997178
Abstract: A method and system for securing hosting web pages from malicious third party modules. The method includes uploading a third party module to a hosting web page; validating a proxy API call received from the third party module, wherein the proxy API call includes at least a payload parameter provided by the third party module; generating an engine API call including at least the payload parameter; validating the engine API call; and executing the payload parameter if the engine API call is validated.
Type: Grant
Filed: December 12, 2012
Date of Patent: March 31, 2015
Assignee: Sizmek Technologies Ltd.
Inventor: Efraeim Cohen
-
Patent number: 8996855
Abstract: A client application, when executed by a processor, is operative to create a HyperText Transfer Protocol (HTTP) request containing a target header that includes a confidential value. The HTTP request is to be sent over a Secure Sockets Layer (SSL) 3.0 connection or a Transport Layer Security (TLS) 1.0 connection to a web server. The client application implements at its HTTP layer a countermeasure to a blockwise chosen-boundary attack. The client application generates an additional header having a header name that is not recognizable by the web server and inserts the additional header into the HTTP request ahead of the target header, thus creating a modified HTTP request. The modified HTTP request is to be sent, instead of the unmodified HTTP request, over the SSL 3.0 connection or the TLS 1.0 connection to the web server.
Type: Grant
Filed: November 14, 2012
Date of Patent: March 31, 2015
Assignees: BlackBerry Limited, Certicom Corp.
Inventors: Alexander Sherkin, Gregory Marc Zaverucha, Alexander Truskovsky, Michael Matovsky, Osman Zohaib Arfeen
-
Patent number: 8996854
Abstract: The method is for downloading applications takes place in a network that has a server, a mobile terminal, a trusted operator and preferably, a personal computer. In the method a user selects an application to be downloaded at his computer or mobile terminal. The user then sends a request to the server for downloading the selected application to the mobile terminal. The server sends a message to the mobile terminal with instructions for downloading of the application. This message is sent via a trusted operator in order to ensure a secure downloading. Thereafter, the application is downloaded to the mobile terminal.
Type: Grant
Filed: February 16, 2004
Date of Patent: March 31, 2015
Assignee: Giesecke & Devrient GmbH
Inventor: Antti Hamalainen
-
Patent number: 8996856
Abstract: A method, product and system for selective encryption in a mobile device. The method comprising: selectively encrypting requests issued by the mobile device, wherein said selectively encrypting comprises: obtaining a request issued by an application executed by the mobile device, the request having one or more characteristics, the request has a destination; determining, based on the one or more characteristics, whether to encrypt the request; and in response to a determination to encrypt the request, re-routing the request to be transmitted to the destination through a secure channel; whereby the request is encrypted regardless of the destination being a priori associated with the secure channel.
Type: Grant
Filed: June 13, 2013
Date of Patent: March 31, 2015
Assignee: Skycure Ltd
Inventors: Yair Amit, Adi Sharabani
-
Patent number: 8990552
Abstract: A transmit portion of a network device including a medium access control (MAC) module configured to receive a frame of data to be transmitted from the network device in accordance with a MAC security (MACsec) protocol. In response to the frame of data being a precise time protocol (PTP) frame, the MAC module is configured to encrypt the PTP frame in accordance with the MACsec protocol, and associate an identifier with the encrypted PTP frame. A physical layer module includes a transmit module configured to transmit the encrypted PTP frame from the network device at a particular time. A PTP module configured to, based on the identifier associated with the encrypted PTP frame, generate a time stamp indicating the particular time that the transmit module transmits the encrypted PTP frame from the network device. The time stamp is transmitted from the network device along with the encrypted PTP frame.
Type: Grant
Filed: April 8, 2013
Date of Patent: March 24, 2015
Assignee: Marvell World Trade Ltd.
Inventors: Raghu Kondapalli, Guy T. Hutchison
-
Patent number: 8990886
Abstract: In an information management system, policies are deployed to targets and targets can evaluate the policies whether they are connected or disconnected to the system. The policies may be transferred to the target, which may be a device or user. Relevant policies may be transferred while not relevant policies are not. The policies may have policy abstractions.
Type: Grant
Filed: September 24, 2013
Date of Patent: March 24, 2015
Assignee: NextLabs, Inc.
Inventor: Keng Lim
-
Publication number: 20150082021
Abstract: An example method and system for a mobile proxy for WebRTC interoperability is discussed. The method may include receiving a DTLS security handshake from a WebRTC API of a browser endpoint, negotiating an encryption mechanism through a signaling protocol with a non-WebRTC enabled endpoint, completing, using one or more hardware processors, the DTLS security handshake with the WebRTC API of the browser endpoint based on the encryption mechanism, and exchanging, through a mobile proxy, first media traffic from the browser endpoint with the non-WebRTC enabled endpoint and second media traffic from the non-WebRTC enabled endpoint with the browser endpoint. In various embodiments, if the non-WebRTC endpoint uses SDES for negotiation of the encryption mechanism, the encryption mechanism may include SDES-conveyed key information.
Type: Application
Filed: June 30, 2014
Publication date: March 19, 2015
Inventors: Giridhar Dhati Mandyam, Arungundram Chandrasekaran Mahendran, Nikolai Konrad Leung, Thomas Towle
-
Patent number: 8984285
Abstract: Embodiments are directed towards decrypting encrypted content. A key for decrypting the encrypted content may be provided to a web application executing within a browser. The application may employ a generic cryptography application program interface (GCAPI) to perform actions on the key, including, storing the key, decrypting an encrypted key, generating another key, converting the key to a different encryption type, or the like. The GCAPI may or may not be enabled to explicitly share the key with the browser's media engine. In response to receiving encrypted content, the GCAPI may provide the key to the application, explicitly or inexplicitly to the browser's media engine, or the like. The key may be utilized by the application, the browser, the media element, browser's media engine, and/or the GCAPI to decrypt the encrypted content. The decrypted content may be displayed within the browser to a user of a client device.
Type: Grant
Filed: December 12, 2012
Date of Patent: March 17, 2015
Assignee: Google Inc.
Inventors: David Kimbal Dorwin, Ryan David Sleevi, Andrew Martin Scherkus
-
Patent number: 8984619
Abstract: According to one aspect, the subject matter described herein includes a method for communicating an encrypted data packet. The method includes steps occurring at a first gateway node. The method also includes receiving a data packet from a first host. The method further includes determining that a first security association (SA) instance associated with the data packet is in an inactive state. The method further includes identifying a second SA instance that is both associated with the data packet and in an active state. The method further includes forwarding the data packet to the second SA instance.
Type: Grant
Filed: July 12, 2013
Date of Patent: March 17, 2015
Assignee: Gendband US LLC
Inventors: Allain Legacy, Matthew Lorne Peters
-
Patent number: 8984268
Abstract: The invention provides a method and apparatus for transmitting data securely using an unreliable communication protocol, such as User Datagram Protocol. In one variation, the invention retains compatibility with conventional Secure Sockets Layer (SSL) and SOCKS protocols, such that secure UDP datagrams can be transmitted between a proxy server and a client computer in a manner analogous to conventional SOCKS processing. In contrast to conventional SSL processing, which relies on a guaranteed delivery service such as TCP and encrypts successive data records with reference to a previously-transmitted data record, encryption is performed using a nonce that is embedded in each transmitted data record. This nonce acts both as an initialization vector for encryption/decryption of the record, and as a unique identifier to authenticate the record.
Type: Grant
Filed: October 29, 2007
Date of Patent: March 17, 2015
Assignee: Aventail LLC
Inventor: Marc D. VanHeyningen
-
Patent number: 8976964
Abstract: In a key pair management method for use in an image forming device, one or more key pairs which are usable for secure communication between the image forming device and an external device are stored into a first area of a memory. A key pair required for the secure communication with the external device is received from the first area of the memory. After the key pair is received from the first area of the memory, the key pair required for the secure communication with the external device is generated in an asynchronous mode and stored into the first area of the memory again. The secure communication between the image forming device and the external device is performed using the key pair received from the first area of the memory.
Type: Grant
Filed: August 30, 2012
Date of Patent: March 10, 2015
Assignee: Ricoh Company, Ltd.
Inventor: Katsuya Shimamura
-
Patent number: 8978102
Abstract: Methods, devices, and systems are disclosed for simulating a large, realistic computer network. Virtual actors statistically emulate the behaviors of humans using networked devices or responses and automatic functions of networked equipment, and their stochastic actions are queued in buffer pools by a behavioral engine. An abstract machine engine creates the minimal interfaces needed for each actor, and the interfaces then communicate persistently over a network with each other and real and virtual network resources to form realistic network traffic. The network can respond to outside stimuli, such as a network mapping application, by responding with false views of the network in order to spoof hackers, and the actors can respond by altering a software defined network upon which they operate.
Type: Grant
Filed: March 15, 2013
Date of Patent: March 10, 2015
Assignee: Shadow Networks, Inc.
Inventors: Chad O. Hughes, Steven M. Silva
-
Patent number: 8976813
Abstract: Methods and apparatus are provided for communicating a flow of packets with a requested quality of service. An exemplary method involves receiving a first packet of a flow, determining a first reference value for the packet flow identification field of the first packet using a key value, and facilitating the requested quality of service for the first packet when the received value of the packet flow identification field of the first packet matches the first reference value. The method continues by receiving a second packet of the flow, determining a second reference value for the packet flow identification field using the key value, and facilitating the requested quality of service for the second packet when the received value of the packet flow identification field of the second packet matches the second reference value.
Type: Grant
Filed: September 8, 2011
Date of Patent: March 10, 2015
Assignee: Motorola Solutions, Inc.
Inventors: Tyrone D. Bekiares, Robert A. Fredericks, Adam C. Lewis
-
Patent number: 8972716
Abstract: A communication method for a host and a wireless Internet access module, and a data card, are provided so that the host implements wireless Internet access with the wireless Internet access module of a secure digital interface. The method includes simulating each port on a wireless Internet access processing function unit in a wireless Internet access module into a secure digital card partition and reporting the secure digital card partition to a host side; receiving downlink interaction information from the host side encapsulated in a secure digital card interface format, decapsulating the downlink interaction information, and delivering the decapsulated downlink interaction information to a corresponding port; and receiving uplink interaction information reported to the host side from each port, encapsulating the received uplink interaction information in the secure digital card interface format.
Type: Grant
Filed: October 24, 2012
Date of Patent: March 3, 2015
Assignee: Huawei Device Co., Ltd.
Inventors: Xiaozhi Fang, Guiying Xue, Lei Lin, Wenchun Jiang, Meiwen Yang, Keqiang Gao
-
Patent number: 8966240
Abstract: Techniques are provided to append packet handling information “in the clear” ahead of security related information in a packet to be routed over a network to optimize wide area network deployments of security-configured equipment. In one form, at a network device that performs connectionless secure communication and network routing of packets, data is received from a source device to be sent through a network to a destination device. Packet handling information is inserted in a packet that is to be used to transport the data. The packet handling information is configured to enable controlled handling of the packet in the network and is inserted in an unprotected portion of the packet. Encrypted payload data is generated from the data received from the source device. The encrypted payload data and security information are inserted in a protected portion of the packet and the packet is sent to the network.
Type: Grant
Filed: October 5, 2011
Date of Patent: February 24, 2015
Assignee: Cisco Technology, Inc.
Inventor: Rakesh Chopra
-
Patent number: 8966243
Abstract: This invention provides a method and system for data encryption and decryption in data transmission through the web. The method includes: a browser sends a cryptographic information acquisition request to a cryptographic information providing equipment; the cryptographic information providing equipment sends cryptographic information back to the browser via an HTTPS channel; the cryptographic information includes a cryptographic algorithm and a cryptographic index; the browser uses the cryptographic algorithm to encrypt the data to be transmitted, and sends the encrypted data and the cryptographic index to the web server via an HTTP channel; the web server obtains the cryptographic algorithm corresponding to the cryptographic index from the cryptographic information providing equipment, then decrypts the encrypted data. Embodiments of the present invention can alleviate the load in the HTTPS channel, and improve the overall performance.
Type: Grant
Filed: September 14, 2011
Date of Patent: February 24, 2015
Assignee: Tencent Technology (Shenzhen) Company Limited
Inventors: Qian Yang, Heng Xiao, Tao Yu
-
Publication number: 20150052347
Abstract: A data communication security system is disclosed that includes a network interface including a first security module implementing a first security architecture, and a second security module implementing a second security architecture different from the first security architecture. The network interface further includes a file-based application programming interface defining a plurality of attributes of the network interface and including at least one attribute associated with data security managed by one of the first and second security modules. The file-based application programming interface includes at least one attribute from among the plurality of attributes that is associated with selecting between the first or second security modules.
Type: Application
Filed: November 11, 2011
Publication date: February 19, 2015
Inventor: Michael T. Kain
-
Publication number: 20150052348
Abstract: A first application at a first device selects one of multiple encapsulation format types based on a cost or bandwidth associated with a network, or associated with a link of the network, connected between the first application at the first device and a second application at a second device. The first application receives, at the first application from Open Systems Interconnection (OSI) layers above an OSI session layer, payload data associated with a session, and generates one or more session layer encapsulated blocks of the payload data using the selected one of the multiple encapsulated format types. The first application encrypts the payload data, and other data of the one or more session layer encapsulated blocks, and passes the encrypted session layer encapsulated block to OSI layers below the session layer for sending to the second application at the second device.
Type: Application
Filed: April 30, 2014
Publication date: February 19, 2015
Applicant: Verizon Patent and Licensing Inc.
Inventor: Robert Moskowitz
-
Patent number: 8959610
Abstract: A network media gateway is used to bridge trust between a Service Provider network and subscriber devices. The gateway is authenticated by the Service Provider by using knowledge of network topology. Subscriber devices are authenticated in response to subscriber input to the gateway via an interface. Trusted subscriber devices can be tightly coupled with the Service Provider network, thereby facilitating delivery of QoE. Mobile and remote subscriber devices may also be authenticated. The gateway may also facilitate establishment of VPNs for peer-to-peer communications, and dynamically adjustable traffic, policy and queue weightings based on usage patterns.
Type: Grant
Filed: December 26, 2012
Date of Patent: February 17, 2015
Assignee: Constellation Technologies LLC.
Inventors: Hassler Hayes, Nannra Anoop, John Watkins
-
Patent number: 8959343
Abstract: An authentication system, method and device are provided in the present application. The authentication system includes an Application Server (AS) for providing non Internet protocol Multimedia Subsystem (IMS) service, an authentication gateway and an IMS terminal. The AS forwards a connection request message sent by the IMS terminal to said authentication gateway, the authentication gateway sends an obtained first random number to said IMS terminal through the AS, the IMS terminal generates a first Response (RES) value according to the first random number and sends the generated first RES value to the authentication gateway through the AS, and if the received first response value and an obtained Expected Response (XRES) value are found coincident after being compared by the authentication gateway, the authentication gateway determines that the authentication to the IMS terminal is passed, and indicates the AS to provide non IMS service for the IMS terminal.
Type: Grant
Filed: November 26, 2010
Date of Patent: February 17, 2015
Assignee: China Mobile Communications Corporation
Inventors: Lijun Liu, Bo Yang, Xiaoming Lu, Huaxi Peng, Jing Wang
-
Patent number: 8959304
Abstract: A data processing apparatus comprises a primary processor, a secondary processor configured to perform secure data processing operations and non-secure data processing operations and a memory configured to store secure data used by the secondary processor when performing the secure data processing operations and configured to store non-secure data used by the secondary processor when performing the non-secure data processing operations, wherein the secure data cannot be accessed by the non-secure data processing operations, wherein the secondary processor comprises a memory management unit configured to administer accesses to the memory from the secondary processor, the memory management unit configured to perform translations between virtual memory addresses used by the secondary processor and physical memory addresses used by the memory, wherein the translations are configured in dependence on a page table base address, the page table base address identifying a storage location in the memory of a set of des
Type: Grant
Filed: February 26, 2013
Date of Patent: February 17, 2015
Assignee: ARM Limited
Inventors: Dominic Hugo Symes, Ola Hugosson, Donald Felton, Sean Tristram Ellis
-
Patent number: 8959333
Abstract: Method for providing a mesh key which can be used to encrypt messages between a first node and a second node of a mesh network, wherein a session key is generated when authenticating the first node in an authentication server, the first node and the authentication server or an authentication proxy server using a predefined key derivation function to derive the mesh key from said session key, which mesh key is transmitted to the second node.
Type: Grant
Filed: May 29, 2007
Date of Patent: February 17, 2015
Assignee: Nokia Siemens Networks GmbH & Co. KG
Inventors: Rainer Falk, Florian Kohlmayer
-
Patent number: 8953781
Abstract: An apparatus and method for ciphering uplink data in a mobile communication system are provided. The apparatus includes a Radio Network Controller (RNC) for, when receiving a Radio Bearer Setup Complete after a ciphering activation time, determining a Hyper Frame Number (HFN) value of a User Equipment (UE) and changing an HFN value of the RNC to the same HFN value determined of the UE.
Type: Grant
Filed: February 9, 2010
Date of Patent: February 10, 2015
Assignee: Samsung Electronics Co., Ltd.
Inventor: Hyo-Joon Kim
-
Patent number: 8954725
Abstract: Methods, systems, and computer-readable media are disclosed for packet sanitization. A particular method intercepts a packet of a packet stream, where the packet stream is transmitted in accordance with a particular protocol. The packet is analyzed based on a specification associated with the particular protocol. Based on the analysis, a data value of a field of the packet is replaced with a sanitized data value to create a sanitized packet. The sanitized packet may be injected into the packet stream or may optionally be forwarded to a signature module that checks the sanitized packet for malicious content. When malicious content is found, the sanitized packet may be dropped, the sanitized packet may be logged, the sanitized packet may be redirected, or a notification regarding the sanitized packet may be sent to an administrator.
Type: Grant
Filed: May 8, 2009
Date of Patent: February 10, 2015
Assignee: Microsoft Technology Licensing, LLC
Inventors: Abhishek Singh, Tanmay A. Ganacharya, Scott Lambert, Nikola J. Livic, Swapnil Bhalode
-
Patent number: 8954726
Abstract: A digital security bubble encapsulation is disclosed. A first key and a device identifier of at least one recipient is requested from a first server. A message containing one or more components is encrypted using a second key. The second key is encrypted using the first key. The encrypted message, the encrypted second key, and the device identifier are encapsulated in a digital security bubble encapsulation. The digital security bubble encapsulation is transmitted to a second server.
Type: Grant
Filed: November 25, 2013
Date of Patent: February 10, 2015
Assignee: Wickr Inc.
Inventors: Robert Statica, Kara Lynn Coppa, Christopher A. Howell
-
Patent number: 8954740
Abstract: A server receives identifying information of a user of a client device and data encrypted with a public key of a group, where the encrypted data includes an encrypted session key for secure content. The server determines whether the user is a member of the group using the identifying information of the user. If the user is a member of the group, the server decrypts the encrypted session key using a private key of the group, and causes the client device to obtain a session key to access the secure content.
Type: Grant
Filed: October 4, 2010
Date of Patent: February 10, 2015
Assignee: Symantec Corporation
Inventors: Vincent E. Moscaritolo, Damon Cokenias, David Finkelstein
-
Publication number: 20150039881
Abstract: A process of triggering an Internet packet protocol against malware includes providing protocol trigger mechanisms configured to affect network access and data object access against malware, denial of service attacks, and distributed denial of service attacks. A multi-level security system is established with a cryptographically secure network channel, or another equivalent encrypted channel, and a second object of an encrypted document or data message that uses the secure network channel. The equivalent encrypted channel can be a Virtual Private Network tunnel (VPN) including MPPE/PPTP/CIPE/Open VPN, Secure Socket Layer (SSL), or IPSec tunnel.
Type: Application
Filed: August 5, 2014
Publication date: February 5, 2015
Applicant: TecSec Inc.
Inventors: Edward M. Scheidt, C. Jay Wack, Ronald C. Parsons, Wai Tsang
-
Patent number: 8949974
Abstract: A mobile device includes a user interface that has a plurality of non-password-protected desktop screens and at least one password protected desktop screen. The mobile device includes a touch sensitive display device that accepts gestures used to navigate between the desktop screens. Applications may be installed to password protected desktop screens.
Type: Grant
Filed: May 11, 2012
Date of Patent: February 3, 2015
Assignee: Tyfone, Inc.
Inventors: Siva G. Narendra, Prabhakar Tadepalli
-
Patent number: 8949592
Abstract: In the present disclosure, a DRM (in this case IPRM) system may be used to deliver media content keys to a player device in a live streaming environment and take advantage of all DRM related functionalities that come with it, such as proximity control, copy protection enforcement and rights verification. A playlist may be used to deliver a key identifier for encrypted live streaming content.
Type: Grant
Filed: March 23, 2012
Date of Patent: February 3, 2015
Assignee: Google Technology Holdings
Inventors: Paul Moroney, Rafie Shamsaasef
-
Patent number: 8948393
Abstract: Techniques for sending information without interruption during a change in ciphering configuration are described. A user equipment (UE) communicates with a wireless communication network for a call. The UE sends first information to the wireless network using a first ciphering configuration. For a change in ciphering configuration, the UE selects an activation time for a second ciphering configuration and sends a security message with the activation time. This activation time is the time at which the UE applies the second ciphering configuration to transmission sent to the wireless network. The UE thereafter sends second information (e.g., a measurement report message) using the first ciphering configuration after sending the security message and before the activation time. The UE sends third information using the second ciphering configuration after the activation time.
Type: Grant
Filed: March 29, 2007
Date of Patent: February 3, 2015
Assignee: QUALCOMM Incorporated
Inventors: Shailesh Maheshwari, Kiran Chikkappa, Vivek Ramachandran