Patent application number | Description | Published |
20090190758 | Method and Apparatus for Authentication Service Application Processes During Service Reallocation in High Availability Clusters - A method and communication node for providing secure communications and services in a High Availability (HA) cluster. The communication node comprises an Operating System (OS) that detects an unavailability of a first service application process and switches a second service application process from the first state to the second state, the second service application being selected for taking over service currently provided from the first service application process, the first state and the second state each being associated to a set of rights in the cluster. The OS generates a private key for the second service application process based on its second state. The set of rights associated to the second state allows the OS to replace the first service application process with the second service application process for providing secure communications between the second service application and other service application processes in the HA cluster. | 07-30-2009 |
20090199001 | Access to services in a telecommunications network - A method and arrangement is disclosed for providing a user, not previously having an individual subscription with a network operator, with credentials for secure access to network services. The arrangement includes a gateway, associated with a subscription for network services, having means for generating and exporting to a user entity personalized user security data derived from security data related to the subscription. In particular, the derivation of credentials is based on a function that is shared between network and gateway and further conveniently makes use of bootstrapping on keying material from the subscription authentication. Pre-registered user identities are assigned trusted users who, thereafter, can download credentials and authenticate for service access. The invention may be implemented at a public place for providing temporary visitors network access whereby trust may exemplary be established by presenting a credit card. | 08-06-2009 |
20090253411 | Authentication In A Communication Network - A mobile wireless terminal, the terminal comprising a generator configured to generate and store a first numerical chain comprising a series of n values using a one-way coding function such that a given value within the chain is easily obtainable from a subsequent value, but the subsequent value is not easily obtainable from that given value, and an authentication requester configured to disclose a value from the numerical chain to an access node, in order to allow the access node to authenticate the mobile wireless terminal, wherein the disclosed value succeeds any values in the chain already disclosed by the mobile wireless terminal. | 10-08-2009 |
20090307748 | METHOD AND ARRANGEMENT FOR USER FRIENDLY DEVICE AUTHENTICATION - The present invention relates to fraud prevention and authentication of a device to a user. The method of authenticating a personal device according to the invention comprises a set up sequence, wherein at least a first preferred output format is selected by the user, and a device configuration verification sequence. In the device configuration verification sequence a checksum is calculated and converted to a user friendly output format based on the user selected preferred output format. In addition the checksum may be calculated based on variable, and user selectable, keying material. The personal device, after being authenticated according to the above, may be used to authenticate a second device. | 12-10-2009 |
20090313466 | Managing User Access in a Communications Network - A method of operating a node for performing handover between access networks wherein a user has authenticated for network access in a first access network. The method comprises receiving from a home network a first session key and a temporary identifier allocated to the user for the duration of a communication session. The identifier is mapped to the first session key, and the mapped identifier and key are stored at the node. A second session key is derived from the first session key and the second session key is sent to an access network, and the identifier sent to a user terminal. When the user subsequently moves to a second access network, the node receives the identifier from the user terminal. The node then retrieves the first session key mapped to the received identifier, derives a third session key and sends the third session key to the second access network. | 12-17-2009 |
20100031044 | PREFIX REACHABILITY DETECTION IN A COMMUNICATION - There is disclosed a method, and a communication system, and a communication node for implementing the claimed method, for attempting to enhance legitimacy assessment and thwart a man-in-the middle or similar false-location attack by evaluating the topology of a communication-session requesting node relative to the proposed communication path through a network between the requesting node and the requested node. Upon receiving the request, a PRD (Prefix Reachability Detection) protocol is initiated, either after or during a secure key exchange, if any, which if performed preferably includes an ART (address reachability text). The PRD is executed by sending a message to the communication node challenging the location-authenticity of the requesting device. The communication node, which may be for example an access router through which the requesting node accesses the network, determines if the requesting node is positioned behind the communication node topologically, and reports the result to the requested node. The requested node may then make a decision on whether to permit the communication. If so, the PRD may be repeated one or more times while the communication session is in progress. | 02-04-2010 |
20100064135 | Secure Negotiation of Authentication Capabilities - A network ( | 03-11-2010 |
20100146274 | SECURITY FOR SOFTWARE DEFINED RADIO TERMINALS | 06-10-2010 |
20100150006 | DETECTION OF PARTICULAR TRAFFIC IN COMMUNICATION NETWORKS - A method for detecting a particular data traffic in a communication network having a plurality of nodes comprises: maintaining a list of detecting scans to be applied to an incoming data traffic; receiving the incoming data traffic; and applying a subset of the detecting scans in the list to the incoming data traffic. A network node for detecting a particular traffic in a communication network having a plurality of nodes comprises: a list of detecting scans to be applied to an incoming data traffic; an input for receiving the incoming data traffic; and an inspection chain, which applies a subset of detecting scans in the list to the incoming data traffic. | 06-17-2010 |
20100195829 | METHOD FOR ESTABLISHING A RANDOM NUMBER FOR SECURITY AND ENCRYPTION, AND A COMMUNICATIONS APPARATUS - A communications apparatus includes a mobile device. The apparatus includes a receiver for receiving at the mobile device a plurality of signals carrying information including received signals which provides randomly varying data related to location of the mobile device. The apparatus includes a random number generator which generates a random number as a function of the data. The apparatus includes acryptographickey generator which generates a cryptographic key using the random number. A method to establish at a mobile device a random number for cryptographic operations includes the steps of receiving at the mobile device a plurality of signals carrying information including received signals which provides randomly varying data related to location of the mobile device. There is the step of estimating signal entropy for at least one of the received signals in dependence of location where the signals are received by the mobile device. There is the step of selecting the at least one entropy estimated signal having estimated entropy—satisfying a predetermined property. There is the step of generating from the at least one entropy estimated signal the random number. | 08-05-2010 |
20100238874 | System and Method of Providing Denial Service protection in a Telecommunication System - A system, method, and node for protecting a telecommunication system against a mobile and multi-homed attacker, MMA ( | 09-23-2010 |
20100250930 | METHOD AND APPARATUS FOR PROTECTING THE ROUTING OF DATA PACKETS - A method and apparatus for protecting the routing of data packets in a packet data network. When a first end-host sends an address query to a DNS server system regarding a second end-host, the DNS server system responds by providing a destination parameter containing an encrypted destination address associated with the second end-host. Thereby, the first end-host is able to get across data packets to the second end-host by attaching the destination parameter to each transmitted data packet. A router in the packet data network admits a received packet if a destination parameter is attached to the pocket including a valid destination address encrypted by a key dependent on a distributed master encryption key. Otherwise, the router discards the packet if no such valid destination address can be derived from the packet by applying decryption to the destination parameter. | 09-30-2010 |
20100260338 | METHOD AND APPARATUS FOR ESTABLISHING A CRYPTOGRAPHIC RELATIONSHIP IN A MOBILE COMMUNICATIONS NETWORK - A method and apparatus for establishing a cryptographic relationship between a first node and a second node in a communications network. The first node receives at least part of a cryptographic attribute of the second node, uses the received at least part of the cryptographic attribute to generate an identifier for the first node. The cryptographic attribute may a public key belonging to the second node, and the identifier may be a Cryptographically Generated IP address. The cryptographic relationship allows the second node to establish with a third node that it is entitled to act on behalf of the first node. | 10-14-2010 |
20100268937 | KEY MANAGEMENT FOR SECURE COMMUNICATION - A method and arrangement is disclosed for managing session keys for secure communication between a first and at least a second user device in a communications network. The method is characterized being independent of what type of credential each user device implements for security operations. A first user receives from a first key management server keying information and a voucher and generates a first session key. The voucher is forwarded to at least a responding user device that, with support from a second key management server communicating with the first key management server, resolves the voucher and determines a second session keys. First and second session keys are, thereafter, used for secure communication. In one embodiment the communication traverses an intermediary whereby first and second session keys protect communication with respective leg to intermediary. | 10-21-2010 |
20100293595 | Security Policy Distribution to Communication Terminals - A method and arrangement for distributing a security policy to a communication terminal having an association with a home communication network, but being present in a visited communication network. The home communication network ( | 11-18-2010 |
20100325412 | APPARATUS FOR RECONFIGURATION OF A TECHNICAL SYSTEM BASED ON SECURITY ANALYSIS AND A CORRESPONDING TECHNICAL DECISION SUPPORT SYSTEM AND COMPUTER PROGRAM PRODUCT - The invention relates to an apparatus for analyzing and reconfiguring a technical system ( | 12-23-2010 |
20110004754 | Method And Apparatuses For Authentication And Reauthentication Of A User With First And Second Authentication Procedures - A method of authenticating a user to a network, the user being in possession of first and second authentication credentials associated respectively with first and second authentication procedures. The method comprises sending a challenge from the network to the user according to said second authentication procedure, receiving the challenge at the user and computing a response using said first credential or keying material obtained during an earlier running of said first authentication procedure, and said second credential, sending the response from the user to the network, and receiving the response within the network and using the response to authenticate the user according to said second authentication procedure. | 01-06-2011 |
20110004758 | Application Specific Master Key Selection in Evolved Networks - An authentication method comprises providing a set of N plural number of master keys both to a user terminal ( | 01-06-2011 |
20110010768 | Method and Apparatuses for End-to-Edge Media Protection in ANIMS System - An IMS system includes an IMS initiator user entity. The system includes an IMS responder user entity that is called by the initiator user entity. The system includes a calling side S-CSCF in communication with the caller entity which receives an INVITE having a first protection offer and parameters for key establishment from the caller entity, removes the first protection offer from the INVITE and forwards the INVITE without the first protection offer. The system includes a receiving end S-CSCF in communication with the responder user entity and the calling side S-CSCF which receives the INVITE without the first protection offer and checks that the responder user entity supports the protection, inserts a second protection offer into the INVITE and forwards the INVITE to the responder user entity, wherein the responder user entity accepts the INVITE including the second protection offer and answers with an acknowledgment having a first protection accept. A method for supporting a call by a telecommunications node. | 01-13-2011 |
20110014891 | Earthquake and Tsunami Cellular Warning System | 01-20-2011 |
20110022843 | SECURITY IN A MOBILE COMMUNICATION SYSTEM - When a mobile terminal ( | 01-27-2011 |
20110035787 | Access Through Non-3GPP Access Networks - When setting up communication from a user equipment UE ( | 02-10-2011 |
20110064085 | Method and Apparatus for Controlling the Routing of Data Packets - Method and apparatus for controlling the routing of data packets in an IP network ( | 03-17-2011 |
20110091036 | Cryptographic Key Generation - A technique for generating a cryptographic key ( | 04-21-2011 |
20110093609 | Sending Secure Media Streams - A method and apparatus for sending a first secured media stream having a payload via an intermediate node. The intermediate node receives from a sender the first secured media stream. An end-to-end context identifier and a hop-by-hop context identifier are determined for the first secured media stream, where the hop-by-hop context identifier relates to the intermediate node and the end-to-end identifier relates to the sender. A second secured media stream is generated, which includes at least the payload of the first secured media stream and the context identifiers to identify the first secured media stream. The second secured media stream is sent to a receiving node, and the context identifiers are also sent to the receiving node. The context identifiers are usable by the receiving node to recover the first secured media stream. | 04-21-2011 |
20110093698 | SENDING MEDIA DATA VIA AN INTERMEDIATE NODE - A method and apparatus for sending protected media data from a data source node to a client node via an intermediate node. The data source node establishes a first hop-by-hop key to be shared with the intermediate node and an end-to-end key to be shared with the client node. A single security protocol instance is configured and used to trans-protocol form data from a media stream into transformed data using the keys. The transformed data is then sent to the intermediate node. The intermediate node uses the first hop-by-hop key to apply a security processing to the transformed data, and establishes a second hop-by-hop key with the client node. A second transformation is performed on the transformed data using the second hop-by-hop key to produce further transformed media data, which is then sent to the client node. At the client node a single security protocol instance is configured with the second hop-by-hop key and the end-to-end key, which are used to apply further security processing to the transformed media data. | 04-21-2011 |
20110093919 | Method and Apparatus for Determining an Authentication Procedure - A server for managing the authentication of clients that are subscribers of a home domain within which the server is located, the server comprising means for determining whether a client that is attached to a visited domain is to be authenticated by the home domain or by said visited domain, and for signalling the result to said visited domain. | 04-21-2011 |
20110142044 | METHOD AND APPARATUS FOR AVOIDING UNWANTED DATA PACKETS - Method and apparatus for controlling transmission of data packets in a packet-switched network. When a first end-host (A) sends an address query to a DNS system ( | 06-16-2011 |
20110179277 | Key Distribution to a Set of Routers - Before actually communicating information/data between two endpoints (C, S) connected to a network a secure and confidential distribution of a special key (K h) is performed to nodes (R j) along a path in the network. This is allowed by performing a path handshaking procedure in which first a hint token is forwarded along the path in a first direction and then a disclosure token is forwarded in the opposite direction. In forwarding the disclosure token it is verified in the nodes against the already received hint token. This assures that only nodes on the particular path will receive the special key or possibly some other information related thereto. | 07-21-2011 |
20110191859 | Digital Rights Management in User-Controlled Environment - A method of controlling access to content comprises receiving, at a domain gateway ( | 08-04-2011 |
20110206206 | Key Management in a Communication Network - A method and apparatus for key management in a communication network. A Key Management Terminal KMS Terminal Server (KMS) receives from a first device a request for a token associated with a user identity, the user identity being associated with a second device. The KMS then sends the requested token and a user key associated with the user to the first device. The KMS subsequently receives the token from the second device. A second device key is generated using the user key and a modifying parameter associated with the second device. The modifying parameter is available to the first device for generating the second device key. The second device key is then sent from the KMS to the second device. The second device key can be used by the second device to authenticate itself to the first device, or for the first device to secure communications to the second device. | 08-25-2011 |
20110256850 | METHOD AND ARRANGEMENT FOR CREATION OF ASSOCIATION BETWEEN USER EQUIPMENT AND AN ACCESS POINT - Methods, apparatus, and computer program products for creating an association between a first user equipment and at least one access point assisted by a registration server in a telecommunication network are disclosed. The registration server responds to a first contact request carried out using a first association number for the access point, provided by the first user equipment, receives a first association request for the association with the access point, provided by the first user equipment, authorizes the first association request based on a first authorization information provided by the first user equipment; registers the association between the first user equipment and the access point responsive to authorization of the first association request. The first user equipment is associated with the access point and the association is administered by the registration server. | 10-20-2011 |
20110264906 | METHOD AND NODES FOR PROVIDING SECURE ACCESS TO CLOUD COMPUTING FOR MOBILE USERS - A mobile node, a gateway node and methods are provided for securely storing a content into a remote node. The mobile node, or a gateway node of a network providing access to the mobile node, applies a content key to the content prior to sending the content for storage in the remote node. The content key is generated at the mobile node, based on a random value obtained from an authentication server, or directly at the authentication server if applied by the gateway node. The content key is not preserved in the mobile node or in the gateway node, for security purposes. When the mobile node or the gateway node fetches again the content from the remote node, the same content key is generated again for decrypting the content. The remote node does not have access to the content key and can therefore no read or modify the content. | 10-27-2011 |
20110274112 | Method and Apparatus for Forwarding Data Packets using Aggregating Router Keys - Method and apparatus for supporting the forwarding of received data packets in a router ( | 11-10-2011 |
20120059897 | CHALLENGING A FIRST TERMINAL INTENDING TO COMMUNICATE WITH A SECOND TERMINAL - The invention relates to a method, party challenging device ( | 03-08-2012 |
20120322413 | Trust Discovery in a Communications Network - A method and apparatus to establish trust between two nodes in a communications network. A first node receives from a network node authentication data unique to the first node, which can be used to derive a compact representation of verification data for the first node. The first node also receives a certified compact representation of verification data of all nodes in the network. The first node derives trust information from the authentication data for the node, and sends to a second node a message that includes the trust information and part of the authentication data. The second node has its own copy of the certified compact representation of verification data of all nodes in the network, and verifies the authenticity of the message from the first node using the compact representation of verification data of all nodes in the network and the received trust information and authentication data. | 12-20-2012 |
20130003967 | Enhanced Key Management For SRNS Relocation - A method comprises maintaining, in a first node serving a mobile terminal over a connection protected by at least one first key, said first key and information about the key management capabilities of the mobile terminal. Upon relocation of the mobile terminal to a second node the method includes: if, and only if, said key management capabilities indicate an enhanced key management capability supported by the mobile terminal, modifying, by said first node, the first key, thereby creating a second key, sending, from the first node to the second node, the second key, and transmitting to the second node the information about the key management capabilities of the mobile terminal. | 01-03-2013 |
20130084854 | Methods and Arrangements for Direct Mode Communication - A method in a first user equipment (UE | 04-04-2013 |
20130097296 | SECURE CLOUD-BASED VIRTUAL MACHINE MIGRATION - A virtual machine (VM) system is provided. The system includes a target physical server (PS) that has a resource configuration. The system includes a source PS that runs a virtual machine (VM). The source PS is in communication with the target PS. The source PS includes a memory that stores a migration policy file. The migration policy file includes at least one trust criteria in which the at least one trust criteria indicates a minimum resource configuration. The source PS includes a receiver that receives target PS resource configuration and a processor in communication with the memory and receiver. The processor determines whether the target PS resource configuration meets the at least one trust criteria. The processor initiates VM migration to the target PS based at least in part on whether the target PS resource configuration meets the at least one trust criteria. | 04-18-2013 |
20130117824 | PRIVACY PRESERVING AUTHORISATION IN PERVASIVE ENVIRONMENTS - A method for preserving privacy during authorisation in pervasive environments is described. The method includes an authorisation phase in which the user is provided with a reusable credential associated with verifiable constraints, and an operation phase where the service provider verifies the reusable credential before authorising the user. Third parties cannot link plural uses of the credential to each other, and the service provider cannot link plural uses of said credential to each other. | 05-09-2013 |
20130124757 | Methods and Apparatus for Secure Routing of Data Packets - Methods and arrangements for supporting a forwarding process in routers when routing data packets through a packet-switched network, by employing hierarchical parameters in which the hops of a predetermined transmission path between a sender and a receiver are encoded. A name server generates and distributes router-associated keys to routers in the network which keys are used for computing the hierarchical parameters. | 05-16-2013 |
20130156182 | Cryptographic Key Generation - A technique for generating a cryptographic key is provided. The technique is particularly useful for protecting the communication between two entities cooperatively running a distributed security operation. The technique comprises providing at least two parameters, the first parameter comprising or deriving from some cryptographic keys which have been computed by the first entity by running the security operation; and the second parameter comprising or deriving from a token, where the token comprises an exclusive OR of a sequence number (SQN) and an Anonymity Key (AK). A key derivation function is applied to the provided parameters to generate the desired cryptographic key. | 06-20-2013 |
20130203454 | METHOD AND ARRANGEMENT FOR RESOURCE ALLOCATION IN RADIO COMMUNICATION - A method and arrangement in a first mobile terminal ( | 08-08-2013 |
20130268681 | Method and Apparatuses for End-to-Edge Media Protection in ANIMS System - An IMS system includes an IMS initiator user entity. The system includes an IMS responder user entity that is called by the initiator user entity. The system includes a calling side S-CSCF in communication with the caller entity which receives an INVITE having a first protection offer and parameters for key establishment from the caller entity, removes the first protection offer from the INVITE and forwards the INVITE without the first protection offer. The system includes a receiving end S-CSCF in communication with the responder user entity and the calling side S-CSCF which receives the INVITE without the first protection offer and checks that the responder user entity supports the protection, inserts a second protection offer into the INVITE and forwards the INVITE to the responder user entity, wherein the responder user entity accepts the INVITE including the second protection offer and answers with an acknowledgment having a first protection accept. A method for supporting a call by a telecommunications node. | 10-10-2013 |
20130291071 | Method and Apparatus for Authenticating a Communication Device - According to an aspect of the present invention there is provided a method of operating a communication device, the communication device being part of a group comprising two or more communication devices that share a subscription to a communication network. The method comprises receiving a group authentication challenge from the network, at least part of the group authentication challenge having been generated using group authentication information that is associated with the shared subscription. The device then generates a device specific response to the group authentication challenge using the group authentication information and device specific authentication information and sends the device specific response to the network. The device is for example a member of a machine-type communication device group. | 10-31-2013 |
20130344823 | Method and Arrangement in A Wireless Communication Device - In some embodiments of the invention, a method is provided in a wireless communication device ( | 12-26-2013 |
20140023194 | Managing User Access in a Communications Network - A method of operating a node for performing handover between access networks wherein a user has authenticated for network access in a first access network. The method comprises receiving from a home network a first session key and a temporary identifier allocated to the user for the duration of a communication session. The identifier is mapped to the first session key, and the mapped identifier and key are stored at the node. A second session key is derived from the first session key and the second session key is sent to an access network, and the identifier sent to a user terminal. When the user subsequently moves to a second access network, the node receives the identifier from the user terminal. The node then retrieves the first session key mapped to the received identifier, derives a third session key and sends the third session key to the second access network. | 01-23-2014 |
20140053241 | Authenticating a Device in a Network - There is disclosed a system for authentication of a device in a network by establishing a second security context between the device and a serving network node when a first security context has previously been established, assisted by an authentication server, based on a random value and a secret shared between an identity module associated with the device and the authentication server. First re-use information from the establishment of the first security context is stored at the authentication server and at the device, the first re-use information enabling secure generation of the second security context from the random value and the secret. Second re-use information may be generated or stored at the device. A context regeneration request is generated at the device, the context regeneration request authenticated at least partly based on the secret. The context regeneration request is sent to the serving network node. The context regeneration request is sent from the serving network node to the authentication server. The context regeneration request is verified at the authentication server. The second security context is generated at the authentication server based on at least the secret, the random value, and the first and second re-use information. The second security context is communicated from the authentication server to the serving network node. | 02-20-2014 |
20140096193 | ACCESS THROUGH NON-3GPP ACCESS NETWORKS - When setting up communication from a user equipment UE ( | 04-03-2014 |
20140196127 | Service Access Authentication Method and System - An access authentication system for authenticating a subscriber of a service, the access authentication system comprising an operator access authentication system and one or more private access authentication systems, each private access authentication system being communicatively connectable with the operator access authentication system, the operator access authentication system being adapted to provide one or more authentication functions for facilitating authentication of subscribers of the service based on respective subscriber authentication data items associated with credentials of the subscriber; wherein each private access authentication system is adapted to communicate one or more subscriber authentication data items to said operator access authentication system; and wherein each private access authentication system is further adapted to communicate one or more verification data items indicative of the private access authentication system operating in at least one predetermined state. | 07-10-2014 |
20140215217 | Secure Communication - A method comprising the use of a bootstrapping protocol to define a security relationship between a first server and a second server, the first and second servers co-operating to provide a service to a user terminal. A bootstrapping protocol is used to generate a shared key for securing communication between the first server and the second server. The shared key is based on a context of the bootstrapping protocol, and the context is associated with a Subscriber Identity Module (SIM) associated with the user terminal and provides a base for the shared key. A method of the invention may, for example, be employed within a computing/service network such as a “cloud”, and in particular for communications between two servers in the cloud that are co-operating to provide a service to a user. | 07-31-2014 |
20140289870 | APPARATUS AND METHODS FOR OBTAINING A PASSWORD HINT - A method and apparatus for obtaining a password hint is disclosed. In some embodiments, the method includes: receiving a spatial pattern from a user; obtaining a password comprising a plurality of characters; obtaining a password hint comprising an arrangement of characters, wherein the arrangement of characters includes the plurality of characters of the password and additional characters, and the plurality of characters of the password are located within the arrangement of characters according to the received spatial pattern. The method may also include storing the password hint or providing the password hint to the user. | 09-25-2014 |
20140351595 | Key Management in a Communication Network - A method and apparatus for key management in a communication network. A Key Management Server (KMS) receives from a first device a request for a token associated with a user identity, the user identity being associated with a second device. The KMS then sends the requested token and a user key associated with the user to the first device. The KMS subsequently receives the token from the second device. A second device key is generated using the user key and a modifying parameter associated with the second device. The modifying parameter is available to the first device for generating the second device key. The second device key is then sent from the KMS to the second device. The second device key can be used by the second device to authenticate itself to the first device, or for the first device to secure communications to the second device. | 11-27-2014 |
20150023499 | Cryptographic Key Generation - A technique for generating a cryptographic key is provided. The technique is particularly useful for protecting the communication between two entities cooperatively running a distributed security operation. The technique comprises providing at least two parameters, the first parameter comprising or deriving from some cryptographic keys which have been computed by the first entity by running the security operation; and the second parameter comprising or deriving from a token, where the token comprises an exclusive OR of a sequence number (SQN) and an Anonymity Key (AK). A key derivation function is applied to the provided parameters to generate the desired cryptographic key. | 01-22-2015 |
20150026458 | Managing User Access in a Communications Network - A method of operating a node for performing handover between access networks wherein a user has authenticated for network access in a first access network. The method comprises receiving from a home network a first session key and a temporary identifier allocated to the user for the duration of a communication session. The identifier is mapped to the first session key, and the mapped identifier and key are stored at the node. A second session key is derived from the first session key and the second session key is sent to an access network, and the identifier sent to a user terminal. When the user subsequently moves to a second access network, the node receives the identifier from the user terminal. The node then retrieves the first session key mapped to the received identifier, derives a third session key and sends the third session key to the second access network. | 01-22-2015 |
20150046981 | TRUST DISCOVERY IN A COMMUNICATIONS NETWORK - A method and apparatus to establish trust between two nodes in a communications network. A first node receives from a network node authentication data unique to the first node, which can be used to derive a compact representation of verification data for the first node. The first node also receives a certified compact representation of verification data of all nodes in the network. The first node derives trust information from the authentication data for the node, and sends to a second node a message that includes the trust information and part of the authentication data. The second node has its own copy of the certified compact representation of verification data of all nodes in the network, and verifies the authenticity of the message from the first node using the compact representation of verification data of all nodes in the network and the received trust information and authentication data. | 02-12-2015 |
20150047041 | METHOD FOR PREFIX REACHABILITY IN A COMMUNICATION SYSTEM - A method, arrangement, and first access router in a packet-switched communication network for determining that a first endpoint originating a communication session with a second endpoint is not initiating a malicious man-in-the-middle attack. The first access router provides access for the first endpoint to the network and a second access router provides access for the second endpoint. The first and second access routers facilitate conducting a secure key exchange between the first and second endpoints, wherein a shared secret key is generated. The first access router utilizes a Prefix Reachability Detection (PRD) protocol to determine the first endpoint is topologically legitimate due to being topologically located behind the first access router, and then sends a Prefix Request Test Initialization (PRTI) message to the second access router indicating the first endpoint is topologically legitimate. | 02-12-2015 |
20150074396 | Lawful Interception of Encrypted Communications - A method and apparatus for providing access to an encrypted communication between a sending node and a receiving node to a Law Enforcement Agency (LEA). A Key Management Server (KMS) function stores cryptographic information used to encrypt the communication at a database. The cryptographic information is associated with an identifier used to identify the encrypted communication between the sending node and the receiving node. The KMS receives a request for Lawful Interception, the request including an identity of a Lawful Interception target. The KMS uses the target identity to determine the identifier, and retrieves the cryptographic information associated with the identifier from the database. The cryptographic information can be used to decrypt the encrypted communication. The KMS then sends either information derived from the cryptographic information or a decrypted communication towards the LEA. This allows the LEA to obtain a decrypted version of the communication. | 03-12-2015 |