Central Trusted Authority Provides Computer Authentication Patents (Class 713/155)
  • Patent number: 11068600
    Abstract: A system, method, and apparatus for secure router operation and initialization. A router may require at least two sets of credentials at different phases of initialization, thereby adhering to a multi-layered security approach. In a first phase of a router initializing for operation, a boot loader of the router may require a first authentication in order to unlock the full-disk encryption and commence booting into firmware. In a second phase, the firmware of the router may require second authentication to continue the initialization and to unlock the file-based encryption and access the settings of the router, after which the router may be fully operational.
    Type: Grant
    Filed: May 21, 2019
    Date of Patent: July 20, 2021
    Assignee: KCT HOLDINGS, LLC
    Inventors: Keiron Christopher Tomasso, Derek Yerger
  • Patent number: 11062025
    Abstract: Systems and methods of automatically controlling a user's data footprint are provided. Data associated with a user may be analyzed to determine an action the user is preparing to take. Based on the analysis, a potential risk associated with the action the user is preparing to take may be identified. The potential risk associated with the action the user is preparing to take may be, for example, a data security risk, a data privacy risk, a physical risk, a risk of damage to property, and/or a financial risk. A notification indicating the potential risk associated with the action the user is preparing to take may be provided to the user. The notification may include one or more suggestions for mitigating the potential risk associated with the action the user is preparing to take.
    Type: Grant
    Filed: November 30, 2018
    Date of Patent: July 13, 2021
    Assignee: BlueOwl, LLC
    Inventors: Theobolt N. Leung, Micah Wind Russo
  • Patent number: 11063917
    Abstract: An apparatus that includes a memory configured to store encryption keys and encrypted data entries. The apparatus further includes an encryption service engine configured to periodically re-encrypt the encrypted data element, which includes determining that an encryption wait time period has lapsed, obtaining a first encryption key using a first key index, and decrypting the encrypted data element using the first encryption key to recover the original data. The encryption service engine is further configured to obtain a second encryption key, encrypt the original data using the second encryption key, and modify the metadata linked with the encrypted data element with a second key index referencing the second encryption key. The encryption service engine is further configured to receive a data request for the encrypted data element, to send the encrypted data element, and to limit the bandwidth of a data channel used to send the encrypted data element.
    Type: Grant
    Filed: October 28, 2019
    Date of Patent: July 13, 2021
    Assignee: Bank of America Corporation
    Inventors: Yair Frankel, Abdul Rafman Azeez
  • Patent number: 11057776
    Abstract: A device identifying method for identifying whether a candidate member device belongs to a device set or not by an identifying device. The device set comprising at least one member device. The method comprises: (a) establishing a connection between the identifying device and a first member device among the member device, to acquire a set ID and at least one identifying key from the first member device; (b) discovering the candidate member device according to the set ID; (c) generating identifying data according to the identifying key and transmitting the identifying data to the candidate member device; and (d) determining whether the candidate member device belongs to the device set or not according to a comparing result for the identifying data.
    Type: Grant
    Filed: January 9, 2019
    Date of Patent: July 6, 2021
    Assignee: MEDIATEK INC.
    Inventor: Li-Chun Ko
  • Patent number: 11057364
    Abstract: Disclosed are various examples for providing a single sign-on experience for managed mobile devices. A management application executed in a computing device receives a single sign-on request from a managed client application executed by the same computing device. The management application determines that the client application is permitted to access a management credential for single sign-on use. The management application provides the management credential to the client application in response to the single sign-on request.
    Type: Grant
    Filed: January 19, 2018
    Date of Patent: July 6, 2021
    Assignee: AirWatch LLC
    Inventors: Adam Rykowski, Ashish Jain, Dale Robert Olds, Emily Hong Xu, Kabir Barday, Kyle Austin, Sridhara Babu Kommireddy, Jonathan Blake Brannon, Camilo Lotero
  • Patent number: 11049341
    Abstract: Digital certificates are signed by a server's private key and installed at lock controllers that restrict access to physical resources. The server's public key is distributed to lock controllers and to mobile electronic devices operated by users who are given access to the physical resources. Lock-access data is digitally signed by the server's private key and provided to mobile electronic devices to facilitate access. The lock controller validates lock-access data and grants access conditionally based on time, version, and/or identity data provided within lock-access data. The use of certificates reduces the need to rely on a security scheme specific to the network. Lock controllers can also broadcast status notifications, so that updates and log data can be securely communicated with the server using mobile electronic devices as a proxy. The system is highly scalable, as each lock controller need not track the full scope of access permissions.
    Type: Grant
    Filed: July 24, 2019
    Date of Patent: June 29, 2021
    Assignee: SERA4 LTD.
    Inventors: Jerod Klink, Herb Little
  • Patent number: 11050730
    Abstract: Techniques are described that enable maintaining of session stickiness across authentication and authorization channels in an access management system, through the use of an identifier for an access manager from a plurality of access managers. The access manager authenticates a user of a client device based on an authentication request. In response to successful authentication of the user, the access manager creates a session. The access manager also generates the identifier and causes the identifier to be stored for the session. The access manager can then receive a second request, which is sent to the access manager based on identifying the access manager using the stored identifier.
    Type: Grant
    Filed: May 23, 2018
    Date of Patent: June 29, 2021
    Assignee: Oracle International Corporation
    Inventors: Stephen Mathew, Vipin Anaparakkal Koottayi, Madhu Martin
  • Patent number: 11044251
    Abstract: A method for remote authentication aided by an audio signal includes: storing, in a memory of a computing device, at least first authentication data; receiving, by a first input device of the computing device, an audio signal electronically transmitted by a separate computing system; decoding, by a decoding module of the computing device, the received audio signal to identify a server identification value; receiving, by a second input device of the computing device, second authentication data submitted by a user of the computing device; authenticating, by an authentication module of the computing device, the received second authentication data based on the stored first authentication data; and electronically transmitting, by a transmitting device of the computing device, a result of the authentication and a profile identifier to an external processing server based on the server identification value.
    Type: Grant
    Filed: June 5, 2018
    Date of Patent: June 22, 2021
    Assignee: MASTERCARD INTERNATIONAL INCORPORATED
    Inventors: Shiying Lian, Donghao Huang, Naman Aggarwal
  • Patent number: 11044239
    Abstract: A method for distributing encrypted cryptographic data includes receiving, by a key service, from a first client device, a request for a first public key. The method includes transmitting, by the key service, to the first client device, the first public key. The method includes receiving, by the key service, from an access control management system, an encryption key encrypted with the first public key and a request from a second client device for access to the encryption key. The method includes decrypting, by the key service, the encrypted encryption key, with a private key corresponding to the first public key. The method includes encrypting, by the key service, the decrypted encryption key, with a second public key received from the second computing device. The method includes transmitting, by the key service, to the second client device, the encryption key encrypted with the second public key.
    Type: Grant
    Filed: November 20, 2019
    Date of Patent: June 22, 2021
    Assignee: Virtru Corporation
    Inventor: William R. Ackerly
  • Patent number: 11042639
    Abstract: Some embodiments provide a method for an end machine, that implements a distributed application, to redirect new network connection requests to other end machines that also implement the distributed application. The method receives a set of measurement data from a set of resources of the end machine and determines whether a measurement data received from a particular resource has exceeded a threshold. When the measurement data has exceeded the threshold, the method notifies a load balancer that balances new requests for connection to the distributed application between the end machines. The notification causes the load balancer not to send any new connection request to the end machine and redirect them to other end machines.
    Type: Grant
    Filed: November 14, 2019
    Date of Patent: June 22, 2021
    Assignee: NICIRA, INC.
    Inventors: Amit Vasant Patil, Vasantha Kumar
  • Patent number: 11038693
    Abstract: The invention relates to a method for validating message strings through a decentralized network. Said method also makes it possible to manage the validations of messages relating to a message chain in a unitary and asynchronous manner thus rendering the process unlimited in terms of performance. The method also allows enhanced security and confidentiality, in particular by integrating the number and geolocation constraints of message validations. The method thus makes it possible, through a decentralized network of trusted third parties with limited confidence, to restore real trust to the users.
    Type: Grant
    Filed: September 18, 2018
    Date of Patent: June 15, 2021
    Inventor: Sebastien Dupont
  • Patent number: 11038672
    Abstract: A device, system, and method for decentralized management of a distributed proxy re-encryption key ledger by multiple devices in a distributed peer-to-peer network. A network device may receive shared data defining access to a proxy re-encryption key. The network device may locally generate a hash code based on the shared data. The network device may receive a plurality of hash codes generated based on versions of the shared data at a respective plurality of the other devices in the network. If the locally generated hash code matches the received plurality of hash codes, the network device may validate that the shared data is the same across the network devices and may add the received proxy re-encryption key access data and locally generated hash code to a local copy of the distributed proxy re-encryption key ledger.
    Type: Grant
    Filed: June 3, 2019
    Date of Patent: June 15, 2021
    Assignee: DUALITY TECHNOLOGIES, INC.
    Inventors: Arina Shainski, Kurt Rohloff
  • Patent number: 11037163
    Abstract: A method for denying or nullifying a specific online transaction carried out by a specific user using a computing device associated with at least one input interface, while the specific user was coached by a fraudster. The method includes collecting a specific set of behavioral data relating to the behavior of the specific user during a specific online transaction, and using a multi-dimensional classification module to determine a probability that the specific user was coached during collection of the set of behavioral data. In response to the probability being greater than a predefined threshold, the specific transaction is denied or nullified.
    Type: Grant
    Filed: December 8, 2020
    Date of Patent: June 15, 2021
    Assignee: BEHAVIOSEC INC
    Inventors: Julian Breitling, Ingo Deutschmann, Per Burstrom
  • Patent number: 11038674
    Abstract: The present disclosure relates to a trustworthy data exchange. Embodiments include receiving, from a device, a query, wherein the query comprises a question. Embodiments include identifying particular information related to the query. Embodiments include receiving credentials from a user for retrieving the particular information related to the query. Embodiments include retrieving, using the credentials, the particular information related to the query from one or more data repositories that are part of a distributed database comprising an immutable data store that maintains a verifiable history of changes to information stored in the distributed database. Embodiments include determining, based on the particular information related to the query, an answer to the query. Embodiments include providing the answer to the device.
    Type: Grant
    Filed: July 30, 2019
    Date of Patent: June 15, 2021
    Assignee: INTUIT, INC.
    Inventors: Glenn Scott, Michael R. Gabriel, Parikshit Lingampally, Roger Meike, Ian Maya Panchevre
  • Patent number: 11030617
    Abstract: An attempted transaction is identified involving a customer device and the first customer device is redirected to a security broker. A security report for the first customer device is received from the security broker. The security report is based on security data transmitted from the customer device to the security broker. An action can be performed in association with the attempted transaction based at least in part on the received security report. In some aspects, the security broker receives security data describing security conditions on the customer device in connection with the transaction between the customer device and a transaction partner. A risk tolerance policy is identified that corresponds to the transaction partner, such as an ecommerce provider. A security report is generated based on a comparison of the risk tolerance policy and the security data and the security report.
    Type: Grant
    Filed: August 21, 2017
    Date of Patent: June 8, 2021
    Assignee: McAfee, LLC
    Inventors: Michael Condry, Sven Schrecker
  • Patent number: 11025596
    Abstract: Data items such as files or database records associated with particular applications (such as messaging applications and other applications) can be stored in one or more remote locations, such as a cloud storage system, and synchronized with other devices. The remote storage can be configured such that each application executing on a client device can only view data items stored at the remote location to which the application has permission to access. An access manager on each client device enforces application specific access policies. Storage at the remote location can be secured for each application associated with a user or user account, for example, using isolated containers. The cloud storage of data can be anonymized and anonymous group data can be stored in the cloud storage.
    Type: Grant
    Filed: February 28, 2018
    Date of Patent: June 1, 2021
    Assignee: Apple Inc.
    Inventors: Benoit Chevallier-Mames, Thomas Icart, Mathieu Ciet, Oliver J. Hunt, Yannick Sierra, Gokul Thirumalai, Roberto Garcia
  • Patent number: 11026084
    Abstract: This application discloses a mobile network authentication method, a terminal device, a server, and a network authentication entity. The method includes: receiving, by a first terminal device, a DH public key and a first ID that are sent by at least one second terminal device; sending a first message to a server, where the first message includes a DH public key of each second terminal device of the at least one second terminal device and a first ID of the second terminal device; receiving a second message sent by the server, where the second message includes a DH public key of the server and a second ID of the second terminal device that is generated by the server; and sending, by the first terminal device, the second ID of the second terminal device and the DH public key of the server to the second terminal device.
    Type: Grant
    Filed: March 8, 2019
    Date of Patent: June 1, 2021
    Assignee: Huawei Technologies Co., Ltd.
    Inventors: Xin Kang, Haiguang Wang, Yanjiang Yang, Zhongding Lei
  • Patent number: 11018874
    Abstract: A client obtains, in response to a request to a server, a response that includes data for fulfillment of the request, a digital signature that can be verified using a digital certificate, and location information that specifies a location where the digital certificate can be obtained. The client uses the location information to access the location and obtains the digital certificate. Using the digital certificate, the client evaluates the digital signature provided in the response to determine whether the digital signature is valid. If the digital signature is valid, the client accepts the data included in the response for fulfillment of the request.
    Type: Grant
    Filed: July 29, 2019
    Date of Patent: May 25, 2021
    Assignee: Amazon Technologies, Inc.
    Inventors: Arjun Dasarakothapalli, Morgan Akers, David Alan Blunt, Darin Keith McAdams
  • Patent number: 11012898
    Abstract: A system and method of allowing a new device to join an existing network are disclosed. A configuration tool is used to communicate relevant information from the new network device to the gateway in the existing network using a secondary network protocol different from that used by the primary network. For example, in one embodiment, messages are exchanged between the configuration tool and the new device and between the configuration tool and the gateway using BLUETOOTH®. Once all of the pertinent information has been exchanged, the new device is able to securely join the primary network, which may be based on the IEEE802.15.4 standard.
    Type: Grant
    Filed: October 27, 2016
    Date of Patent: May 18, 2021
    Assignee: Silicon Laboratories, Inc.
    Inventors: Wing Ming Cheung, DeWitt Clinton Seward, IV, Gregory Allan Hodgson, Rasmus Christian Larsen, Bernt Georg Breivik
  • Patent number: 11010200
    Abstract: Disclosed herein are embodiments for providing finite state machine driven workflows. In an embodiment, a workflow template is defined for a type of task. The workflow template may represent a finite state machine. The workflow template may be linked to an external party and an asset type, which may be stored in a workflow database. An asset may be received from the external party including an external party attribute identifying the external party, an asset type attribute, and an owner attribute. The owner attribute may be associated with an application end user. A determination may be made whether the external party attribute and the asset type attribute of the asset match the external party and the asset type linked to the workflow template. If a match is determined, instances of the task and the one or more actions of the workflow template may be created.
    Type: Grant
    Filed: November 6, 2019
    Date of Patent: May 18, 2021
    Assignee: Capital One Services, LLC
    Inventors: Rocky Gray, Justin Bachorik, Randall Randall
  • Patent number: 11005883
    Abstract: Disclosed is a system for recommending content of a predefined category to an account holder, detecting spam applications, or account holders based on the account holder application graphs. The system receives information corresponding to applications executing on the client device of the account holders and generates an application graph for each account holder that includes a list of predefined application categories that are preferred by the account holder. For each predefined category, a list of account holders preferring content relevant to that category is predicted based on the set of generated application graphs. Some application graphs may be detected as spam application graphs by comparing the generated application graphs with a set of predefined spam application graphs. Alternatively, if the generated application graph does not match the predefined spam application graphs, they are compared to a set of application graphs from a database to find similar application graphs.
    Type: Grant
    Filed: October 19, 2017
    Date of Patent: May 11, 2021
    Assignee: Twitter, Inc.
    Inventors: Deepak Rao, Argyrios Zymnis, Kelton Lynn, Michael Ducker, Sean Cook
  • Patent number: 11005989
    Abstract: Verifying caller identification information is described. A query to verify a first communications connection associated with an observed caller ID is received. Using a second communications channel, a message to a device associated with the observed caller ID is transmitted. A response to the message is received. The message is evaluated to perform a security determination. The security determination is provided as output.
    Type: Grant
    Filed: February 7, 2020
    Date of Patent: May 11, 2021
    Assignee: RightQuestion, LLC
    Inventor: Bjorn Markus Jakobsson
  • Patent number: 11005656
    Abstract: A method and system are provided for updating an elliptic curve (EC) base point G, with the EC basepoint used in encryption and coding of video data. A candidate base point G is generated that includes additional data used for validation purposes and checked as a valid base point before transmission and use.
    Type: Grant
    Filed: December 7, 2018
    Date of Patent: May 11, 2021
    Assignee: ARRIS Enterprises LLC
    Inventors: Tat Keung Chan, Alexander Medvinsky, Eric J. Sprunk
  • Patent number: 11005809
    Abstract: Methods, devices, and systems for generating a plurality of network addresses for a plurality of communication devices communicating over a network. One method includes receiving, with an electronic processor included in a server, geographical coordinates of the network, generating, with the electronic processor, a first set of bits based on the geographical coordinates, generating, with the electronic processor, a second set of bits based on a random number, and generating, with the electronic processor, a baseline address including the first set of bits and the second set of bits. The method also includes generating the plurality of network addresses, wherein each of the plurality of network addresses includes the baseline address and a unique offset. In addition, the method includes assigning one of the plurality of network addresses to one of the plurality of communication devices.
    Type: Grant
    Filed: March 29, 2016
    Date of Patent: May 11, 2021
    Assignee: MOTOROLA SOLUTIONS, INC.
    Inventors: Kiril Danilchenko, Baruh Hason, Guy Holtzman
  • Patent number: 11004072
    Abstract: An authentication technique is disclosed that uses a distributed secure listing of transactions that includes encrypted data that can be used to authenticate a principal to a verifier.
    Type: Grant
    Filed: November 10, 2017
    Date of Patent: May 11, 2021
    Assignee: PRIV8PAY, INC.
    Inventors: Ioannis Georgiadis, Gopalakrishnan Hariharan, John K. Thomas
  • Patent number: 10992593
    Abstract: Embodiments of the present invention provide a persistent integration platform for conducting a multichannel resource transfer. In particular, the system may utilize a multi-step and multilayered authentication process across multiple disparate computing systems to complete the resource transfer process. In some embodiments, the system may utilize a persistent element which may be accessed by the user across multiple devices which aids in the resource transfer. For instance, the resource transfer process may be started on a first computing system, which may be a stationary networked terminal. At this point, a record of the resource transfer may be created within the persistent element. The user may thereafter access the persistent element through a second computing system, such as a user device, to resume the resource transfer and complete the remaining steps as necessary.
    Type: Grant
    Filed: October 5, 2018
    Date of Patent: April 27, 2021
    Assignee: BANK OF AMERICA CORPORATION
    Inventors: Brent David Reston, Margaret Winston, Kevin Clark May, Jeremiah Fairbairn Williams, Ryan Michael Furey, Michelle Nanette Downie
  • Patent number: 10984088
    Abstract: Systems and methods for authenticating a user to access a public terminal are described. Disclosed embodiments may include reading, using the physical credential reader, a user identifier from the physical credential device. Disclosed embodiments may also include transmitting the public terminal identifier and the user identifier to a secure server. Further, disclosed embodiments may include receiving, after completing the transmission, a unique code from the secure server. Disclosed embodiments may additionally include displaying the unique code on the display device. Disclosed embodiments may include receiving, after displaying the unique code, an authentication message from the secure server. Disclosed embodiments may further include, responsive to receiving the authentication message, authorizing the user to use a terminal command at the public terminal.
    Type: Grant
    Filed: July 10, 2018
    Date of Patent: April 20, 2021
    Assignee: Capital One Services, LLC
    Inventors: Jeremy Goodsitt, Fardin Abdi Taghi Abad, Austin Walters
  • Patent number: 10979903
    Abstract: A key generation and distribution method is disclosed. The method includes receiving a first request from a first requestor, the first requestor comprising an identity of the first requestor; generating a new identity (ID) based on the identity of the first requestor; generating a secret key for the new ID with a predetermined pair of global keys, namely a Global Secret Key (GSK) and a Global Public Key (GPK); transmitting the new ID, secret key and the GPK to the first requestor; receiving a request from a second requestor, the request comprising a plurality of identities; generating a new ID for each of the plurality of identities; generating a secret key based on the IBC key generation algorithm for each of the plurality of new IDs; and transmitting the plurality of new IDs, secret keys corresponding to each of the plurality of IDs and the GPK to the second requestor.
    Type: Grant
    Filed: January 25, 2019
    Date of Patent: April 13, 2021
    Assignee: Huawei International Pte. Ltd.
    Inventors: Haiguang Wang, Jie Shi, Xin Kang
  • Patent number: 10977362
    Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media for program execution and data proof scheme to prove that sub-logic code that was expected to be executed within a TEE was indeed executed, and that the resulting data is trustworthy. In some implementations, each sub-logic code of a plurality of sub-logic code is registered, and stored within the TEE, and a key pair (private key, public key) corresponding to the sub-logic code is generated. The client receives and stores the public key, sends requests to the TEE with an identifier of the sub-logic that is to be executed. The sub-logic code corresponding to the identifier is executed within the TEE, which signs the result using a digital signature that is generated using the private key of the sub-logic code. The client verifies the result based on the digital signature and the public key of the sub-logic code.
    Type: Grant
    Filed: July 20, 2020
    Date of Patent: April 13, 2021
    Assignee: Advanced New Technologies Co., Ltd.
    Inventors: Yirong Yu, Honglin Qiu
  • Patent number: 10979407
    Abstract: A communications system comprises a client device and a server device; the server device comprising server communication circuitry configured to establish a server-authenticated first encrypted data path between the client device and the server device; and the client device comprising client communication circuitry configured to provide client-specific information to the server device using the first encrypted data path; the server communication circuitry being configured to use the client-specific information provided by the client device to establish a second encrypted data path between the server device and the client device, the second encrypted data path being authenticated by at least the client device.
    Type: Grant
    Filed: June 20, 2017
    Date of Patent: April 13, 2021
    Assignee: Sony Corporation
    Inventors: Nigel Stuart Moore, Huw Hopkins
  • Patent number: 10979482
    Abstract: Methods and systems anchor hypertext transfer protocol (HTTP) level communication in an information-centric networking (ICN) network. Both content requests and responses to servers within the ICN network and to servers located outside the ICN network, in an IP network for example, are disclosed. Communication may be between two IP capable only devices at the HTTP level, one connected to an ICN network while the other one is connected either to an ICN or IP network. The disclosed namespace 200 enables IP based HTTP communication within the ICN network. An information-centric networking (ICN) network attachment point (NAP) or border gateway (BGW) may receive an HTTP request packet and encapsulate the received HTTP request packet. The ICN NAP/BGW may then forward the HTTP request packet towards the local ICN network servers. The HTTP request packet may be published to a named content identifier (CID) that may be determined through a hash function of a fully qualified domain name (FQDN).
    Type: Grant
    Filed: January 29, 2016
    Date of Patent: April 13, 2021
    Assignee: IDAC HOLDINGS, INC.
    Inventor: Dirk Trossen
  • Patent number: 10972462
    Abstract: A method for managing account data and handling account recovery requests is disclosed. The method comprises a multi-level identity verification process, including a first level where a specific computing device requesting recovery of an electronic account is requested to identify a trusted contact for the electronic account and a second level where the specific computing device is requested to provide a dynamically generated security code that has been communicated to a trusted contact identified by the specific computing device.
    Type: Grant
    Filed: September 28, 2018
    Date of Patent: April 6, 2021
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Juanjuan Hu, Kirsten Rauffer, Derek Koh, Yi Qun Zhou
  • Patent number: 10970375
    Abstract: Methods, systems, and devices are provided for generating biometric signatures. The system can detect, at an electronic device, one or more biometric acoustic signals. The system can generate a biometric signal input of the one or more biometric acoustic signals. The system can apply a machine learning model to conduct feature extraction of the biometric signal input having one or more biometric acoustic signals. The system can generate a biometric user signature of the user from the machine learning model. The system can perform one or more privacy preserving hashing functions to the biometric user signature to generate a hashed biometric user signature. The system can determine whether the hashed biometric user signature satisfies a predetermined threshold with an enrollment hashed signature of the user. And the system can authenticate an identity of the user upon detecting that the hashed biometric user signature satisfies the predetermined threshold.
    Type: Grant
    Filed: September 26, 2019
    Date of Patent: April 6, 2021
    Assignee: Unknot.id Inc.
    Inventors: Devu Manikantan Shila, Adriaan Joris H. Larmuseau
  • Patent number: 10972907
    Abstract: The invention provides a method and system for Bluetooth-based multi-end-to-multi-end communication, including: obtaining, through a short-term connection-oriented communication, a UUID of a device that needs to receive private data, corresponding the UUID to a private label according to a private label allocation table and storing the UUID in a mapping table within a broadcast host; and looking-up the mapping table, if data to be sent contains private information targeted for a specific receiving object group, then determining whether encryption is required; if encryption is required, then performing dynamical encryption based on the private label and proceeding to a step of Bluetooth broadcast payload sending; and performing corresponding non-private data hosting encapsulation or private data hosting encapsulation for the data to be sent and broadcasting the data.
    Type: Grant
    Filed: July 27, 2020
    Date of Patent: April 6, 2021
    Inventor: Fengping Zhao
  • Patent number: 10970384
    Abstract: In authenticating a first circuit by a second circuit, the second circuit selects one of a set of public values and sends to the first circuit a request for a secret value corresponding to the selected one of the set of public values. The first circuit derives the secret value from the selected one of the set of public values using a seed from a set of seeds that is stored in a destructive fashion such that each use of a seed destroys that seed. The set of seeds is smaller in number than the set of public values. The second circuit determines whether the secret value matches the selected one of the set of public values using a one-way function. A positive authentication is generated based upon the determination of a match.
    Type: Grant
    Filed: May 1, 2019
    Date of Patent: April 6, 2021
    Assignee: Proton World International N.V.
    Inventors: Jean-Louis Modave, Michael Peeters
  • Patent number: 10963550
    Abstract: A method and apparatus for person identification by a smart device, wherein the method comprises: establishing a registration information base that corresponds to the new user, and completing registration information base that corresponds to each valid user, and the registration information base comprises a name, a characteristic and person relation structure data, and the person relation structure data record each person relation appellation and respective person name; receiving an interaction command inputted by a current user, and collecting characteristic information of the current user; searching the registration information base of each valid user, judging whether a valid user that matches the characteristic information exists, and if yes, determining the user name of the current user; searching the registration information base that corresponds to the determined user name, and identifying a corresponding target person.
    Type: Grant
    Filed: July 20, 2017
    Date of Patent: March 30, 2021
    Assignee: GOERTEK INC.
    Inventors: Chuan Chen, Cui Liu, Honglong Ma
  • Patent number: 10965673
    Abstract: Methods and systems for establishing a chain of relationships are disclosed. An identity verification platform receives a first request for registration comprising an identification of a first user, identification of an entity, and a relationship between the first user and the entity; verifies the identity of the first user and the relationship between the first user and the entity; and verifies that the entity is legitimate. Once a relationship between a first individual, invited by the first user, and the entity is confirmed, the platform creates a custom badge representing the relationship between the first individual and the entity for display on the entity's website. The platform receives an identification of a selection by an end user of the custom badge and, responsive to receiving the identification of the selection, renders, on a domain controlled by the identity verification platform, a verification that the relationship between the first individual and the entity is valid.
    Type: Grant
    Filed: August 30, 2018
    Date of Patent: March 30, 2021
    Assignee: CIVIC TECHNOLOGIES, INC.
    Inventors: Jonathan Smith, Vinodan Lingham, Zachary Bush, Juan Pablo Bedoya
  • Patent number: 10951633
    Abstract: Systems and methods involve an input layer function of a function-as-a-service (FaaS) pipeline that receives trigger data from a trigger layer function of one or more processors of enterprise processing systems, calls one or more processors of an enrich layer function of the FaaS pipeline that adds enriching context to the trigger data, and creates an event based at least in part on the enriched trigger data. A route layer function of the FaaS pipeline invoked by the input layer function creates an action based on the event created by the input layer function. An action layer function of the FaaS pipeline invoked by the route layer function creates a command based on the action created by the route layer function, and the action layer function sends a remediation action to a command layer function of the enterprise processor based on the action created by the route layer function.
    Type: Grant
    Filed: March 30, 2018
    Date of Patent: March 16, 2021
    Assignee: CITIGROUP TECHNOLOGY, INC.
    Inventors: Alexandra Shulman-Peleg, Daniel Tylman
  • Patent number: 10944738
    Abstract: Disclosed are various examples for single-sign on by way of managed mobile devices using Kerberos. For example, a certificate is received from a client device. In response, a Kerberos ticket-granting ticket is generated and sent to the client device. A request for a service ticket is later received from the client device. The request for the service ticket can include the ticket-granting ticket. The service ticket is then generated and sent to the client device. Subsequently, the service ticket is received from the client device and a security assertion markup language (SAML) response is sent to the client device in reply. The SAML response can provide authentication credentials for a service provider associated with the service ticket.
    Type: Grant
    Filed: February 9, 2017
    Date of Patent: March 9, 2021
    Assignee: AIRWATCH, LLC.
    Inventors: Adam Rykowski, Kabir Barday, Jonathan Blake Brannon
  • Patent number: 10938555
    Abstract: The invention relates to a method for establishing a secure communication between a first network device (initiator) and a second network device (responder) in a communication network and to an arrangement of network devices suitable for this purpose, which are distinguished by using a symmetric cryptosystem in which both network devices each use the same secrets as keys for encrypting and decrypting data sets for performing a respective separate authentication with respect to the first and second network devices before generating a secret to be used as a shared key for the secure communication.
    Type: Grant
    Filed: March 22, 2017
    Date of Patent: March 2, 2021
    Assignee: Phoenix Contact GmbH & Co. KG
    Inventor: Torsten Foerder
  • Patent number: 10931663
    Abstract: Two-factor authentication is processed on a transaction terminal before access is provided to a secure resource of the transaction terminal. A first factor authentication is performed to authenticate an identifier and a credential of a user. A unique challenge is sent, in response to a successful first factor authentication, to a secure device interfaced to the transaction terminal. A one-time unique signed response is received from the secure device in response to the unique challenge and a user action that depresses a button on the secure device. The one-time unique signed response is compared against what is expected from the secure device. When the comparison is successful, a user identity for the user is set, a security role is set for the user identity, and the user is granted access to the secure resource with the set security role.
    Type: Grant
    Filed: February 26, 2018
    Date of Patent: February 23, 2021
    Assignee: NCR Corporation
    Inventors: Anthony Edward Roper, Colin George Herkes
  • Patent number: 10929522
    Abstract: A method for authentication related to a software client application within a client computing device includes: in a first step, an authentication-related command and/or module is invoked by the software client application, and a first group of application protocol data units is exchanged between the client computing device and a subscriber identity module entity; in a second step, a subscriber identity module applet is triggered—via the first group of application protocol data units—to contact a subscriber identity module toolkit and/or to trigger an event, so as to invoke a command of the subscriber identity module toolkit; and in a third step, a second group of application protocol data units are exchanged between the client computing device and the subscriber identity module entity, wherein the subscriber identity module toolkit thereby triggers the client computing device to request a user action from the user of the client computing device.
    Type: Grant
    Filed: July 26, 2017
    Date of Patent: February 23, 2021
    Assignee: DEUTSCHE TELEKOM AG
    Inventors: Ruediger Jaensch, Michael Dupre
  • Patent number: 10931452
    Abstract: A method of enabling single sign-on (SSO) access to an application executing in an enterprise, wherein authorized, secure access to specific enterprise applications are facilitated via an enterprise-based connector. In response to successful authentication of an end user via a first authentication method, a credential associated with the successful authentication is encrypted to generate an encrypted user token. The encrypted user token is then forwarded for storage in a database accessible by the enterprise-based connector. Following a redirect (e.g., from a login server instance) that returns the end user to the enterprise-based connector, the encrypted user token is fetched and decrypted to recover the credential. The credential so recovered is then used to attempt to authenticate the user to an application via a second authentication method distinct from the first authentication method.
    Type: Grant
    Filed: August 22, 2017
    Date of Patent: February 23, 2021
    Assignee: Akamai Technologies, Inc.
    Inventors: Seetharama Ayyadevara, Seemant Choudhary, Stephan Benny, Punit Kandoi, Pravin Tatti
  • Patent number: 10915354
    Abstract: Transaction scheduling is described for a user data cache by assessing update criteria. In one example an event records memory stores a list of events each corresponding to performance of a transaction at a remote resource for a user. The memory has criteria for each event and a criterion value for each criterion and event combination. An event manager assesses criteria for each event by performing an operation on the stored criterion value for each criterion and event combination, assigning a score for each criterion and event combination, and compiling the assigned scores to generate a composite score for each event. The events are ordered based on the respective composite scores and executed in the ordered sequence by performing a corresponding transaction at remote resource. Updated criterion values are stored for executed events.
    Type: Grant
    Filed: July 20, 2018
    Date of Patent: February 9, 2021
    Assignee: BILLGO, INC.
    Inventors: Stephen Ryan Gordon, Terry Lentz, Jr., Kalyanaraman Ganesan, Richard Yiu-Sai Chung
  • Patent number: 10909270
    Abstract: According to an embodiment, an information processing device switching between a secure mode and a non-secure mode to operate, includes one or more processors configured to perform: implementing a secure OS which operates in the secure mode; implementing a non-secure OS which operates in the non-secure mode; acquiring initialization process information autonomously in the secure mode, the initialization process information relating to an initialization process which the non-secure OS executes for a shared resource shared by the secure OS and the non-secure OS; and enabling, based on the initialization process information, the shared resource to be shared and used by the secure OS and the non-secure OS.
    Type: Grant
    Filed: February 26, 2019
    Date of Patent: February 2, 2021
    Assignee: KABUSHIKI KAISHA TOSHIBA
    Inventors: Ryuta Nara, Takeshi Kawabata
  • Patent number: 10904751
    Abstract: Described are methods that allow credentials of a first client station to authenticate a second client station. An exemplary method includes associating a first client station with a second client station, the first client station including credential information, the associating authorizing the second client station to use the credential information, transmitting, by the second client station, an association request to a network, the network utilizing the credential information to authorize a connection, the second client station configured to perform a proxy functionality for requests received from the network to be forwarded to the first client station and responses received from the first client station to be forwarded to the network, determining, by the network, whether the credential information received from the second client station is authenticated and establishing a connection between the second client station and the network using the credential information of the first client station.
    Type: Grant
    Filed: July 27, 2016
    Date of Patent: January 26, 2021
    Assignee: Apple Inc.
    Inventors: Najeeb M. Abdulrahiman, Thomas F. Pauly, Vikram B. Yerrabommanahalli
  • Patent number: 10904759
    Abstract: A method for the initial operation and personalization of a subscriber identity module in a mobile radio network, prior to its first initial operation in the mobile radio network, the subscriber identity module does not yet include an individual secret key and is being equipped with an individual, unique parameter data set only after its first initial operation in the mobile radio network. A mobile radio server takes on, from the subscriber identity module, an authentication message formed with a preliminary parameter data set comprising an individual, unique subscriber identification and a non-individual, non-unique preliminary secret key, and sends, after a verification, in response thereto an individual, unique final secret key to the subscriber identity module for programming into the subscriber identity module. The preliminary parameter data set is introduced into the subscriber identity module selectively during production or by an initializing step based on an initial parameter data set.
    Type: Grant
    Filed: August 16, 2018
    Date of Patent: January 26, 2021
    Assignee: GIESECKE+DEVRIENT MOBILE SECURITY GMBH
    Inventor: Lars Hoffmann
  • Patent number: 10904333
    Abstract: System and method for associating general data with an end-user based on the domain name system (DNS) resolver that the end-user uses to map the canonical domain names of internet services to their associated network addresses. The present invention elegantly addresses concerns of scale regarding the key-space, for example the global number of distinct DNS resolvers, and the data-space, for example the number of distinct geographical areas to associate.
    Type: Grant
    Filed: September 29, 2017
    Date of Patent: January 26, 2021
    Assignee: Pavlov Media, Inc.
    Inventors: Bartow Wyatt, Robert Saska
  • Patent number: 10897360
    Abstract: Methods, systems, and devices are described herein for delivering protected data to a trusted execution environment (TrEE) associated with an untrusted requestor. In one aspect, a targeting protocol head, or other intermediary between a requestor and a key management system or other store of protected data may register a public encryption key of a TrEE that corresponds to a private encryption key held by the TrEE or a symmetric key of the TrEE. The targeting protocol head may receive a request for protected data from a requestor associated with the TrEE, and retrieve the protected data for example, from a key management system or store of protected data. The targeting protocol head may generate targeted protected data by encrypting the protected data with the public encryption key or symmetric key of the TrEE. The targeting protocol head may then send the targeted protected data to the requestor.
    Type: Grant
    Filed: January 26, 2017
    Date of Patent: January 19, 2021
    Assignee: Microsoft Technology Licensing, LLC
    Inventor: Mark F. Novak
  • Patent number: 10897707
    Abstract: Methods And Apparatus For Direct Communication Key Establishment. Methods, apparatuses and system are disclosed for establishing a key for secure direct communication between a User Equipment device, UE, and a device. The system comprises a UE (20), a device (30) and a Direct Communication Element (40). The UE establishes a UE shared key with a Bootstrapping Server Function, BSF (50), using a Generic Bootstrapping Architecture, GBA, procedure. The device receives a transaction identifier associated with the UE shared key from the UE, and sends the transaction identifier to the Direct Communication Element. The Direct Communication Element receives the transaction identifier from the device, obtains a shared session key from the BSF, derives the UE delivery key, generates the direct communication key, encrypts the direct communication key with the UE delivery key, and sends the direct communication key and the encrypted direct communication key to the device.
    Type: Grant
    Filed: November 18, 2015
    Date of Patent: January 19, 2021
    Assignee: Telefonaktiebolaget LM Ericsson (Publ)
    Inventors: Monica Wifvesson, Vesa Lehtovirta, Katharina Pfeffer