A mobile device receives a shared access key corresponding to a work machine. An access code is generated from the shared access key, and from a changing value (such as a time-sensitive value). The access code is transmitted to the work machine which, itself, calculates an access code based on the shared access key and based on the changing value. If the access code provided to the work machine and the access code generated by the work machine match one another, then the work machine unlocks corresponding functionality so that the operator can use the work machine.

One embodiment provides a storage management system. During operation, the system identifies a data file of a user. The system obtains an encrypted client registry from a primary cloud provider in a plurality of cloud providers that provide cloud storage to the user and retrieves a key associated with a device of the user by decrypting the encrypted client registry using a hash of a password associated with the user. The system obtains credentials of the plurality of cloud providers by decrypting a locally stored cloud configuration using the key and generates a plurality of coded fragments from the data file based on a generator matrix of erasure encoding. The number of coded fragments is determined based on a number of the cloud providers associated with the user. The system selects a respective coded fragment for uploading to a corresponding cloud provider in the plurality of cloud providers.

SEPP 1 forms a first TLS protected N32-c connection between with SEPP 2 so that SEPP 1 and SEPP 2 are respectively a TLS client and server. A TLS protected second N32-c connection between with SEPP 2 so that SEPP 1 and SEPP 2 are respectively a TLS server and client. On forming the first and second TLS protected N32-c connections, respective first and second shared secrets are formed. First and second master keys are obtained from the first and second shared secrets, respectively. N32-f context IDs are created by each SEPP on setup of the first and second N32-c connections. Based on the first master key and the first N32-f context ID, a first session key is produced for encryption of a first N32-f request to the second security edge proxy and correspondingly a second session key is produced for decryption of a second N32-f request from SEPP 2.

The present disclosure relates to a 5G or pre-5G communication system for supporting a higher data transfer rate beyond a 4G communication system such as LTD. A method of a terminal connected to another base station (BS) for a second communication system in a wireless environment, the method comprising receiving, via the another BS from a BS for the first communication system, a radio resource control (RRC) connection reconfiguration message comprising information regarding a first key, generating a secure key for a security of the first communication system based on the first key, an identifier (ID) for indicating an algorithm for applying to the first key, a distinguisher for indicating a function of the algorithm indicated by the ID, and transmitting, to the BS, a signal based on the generated secure key.

A base key that is stored at a device may be received. A network identification may further be received. A device identification key may be generated based on a combination of the network identification and the base key. Furthermore, the device identification key may be used to authenticate the device with a network that corresponds to the network identification.

The present disclosure relates to methods and apparatus for flexible, security context management during AMF changes. One aspect of the disclosure is a mechanism for achieving backward security during AMF changes. Instead of passing the current NAS key to the target AMF, the source AMF derives a new NAS key, provides the new NAS key to the target AMF, and sends a key change indication to the UE, either directly or through some other network node. The UE can then derive the new NAS key from the old NAS key. In some embodiments, the AMF may provide a key generation parameter to the UE to use in deriving the new NAS key. In other embodiments, the target AMF may change one or more security algorithms.

According to one embodiment, techniques are provided to enable secure communication among devices in a mesh network using a group temporal key. An authenticator device associated with a mesh network stores a pairwise master key for each of a plurality of devices in a mesh network upon authentication of the respective devices. Using the pairwise master key, the authenticator device initiates a handshake procedure with a particular device in the mesh network to mutually derive a pairwise temporal key from the pairwise master key. The authenticator device encrypts and signs a group temporal key using the pairwise temporal key for the particular device and sends the group temporal key encrypted and signed with the pairwise temporal key to the particular device.

In the communications system, a user equipment UE accesses a core network via a first network-side device by using a first air interface and connects to the first network-side device via a second network-side device by using a second air interface to access the core network. The method includes: acquiring, by the network-side device, an input parameter; calculating, by the network-side device, an access stratum root key KeNB* according to the input parameter and an access stratum root key KeNB on the first air interface, or using, by the network-side device, the KeNB as the KeNB*; and generating, by the second network-side device, an access stratum key on the second air interface according to the KeNB*, or sending, by the first network-side device, the KeNB* to the second network-side device.

Methods (100, 200, 300) and apparatus (400, 500, 600, 700, 800, 900) are disclosed for establishing a key for direct communication between a User Equipment device, UE, and a device. The methods and apparatus cooperate to form a system for securing direct communication between a UE and a device over an interface. The system comprises a UE (20), a device (30) and a Direct Communication Element (40). The UE (20) is configured to establish a UE shared key with a Bootstrapping Server Function, BSF (50), using a Generic Bootstrapping Architecture, GBA, procedure, to discover the device (30) through a discovery procedure after establishing the UE shared key, and to derive a direct communication key from at least the UE shared key. The device (30) is configured to receive a transaction identifier associated with the UE shared key from the UE (20), to send the transaction identifier to the Direct Communication Element (40), and to receive the direct communication key from the Direct Communication Element (40). The Direct Communication Element (40) is configured to receive the transaction identifier from the device (30), to obtain a shared session key from the BSF (50); to derive the direct communication key, and to send the direct communication key to the device (30). Also disclosed are a computer product operable to carry out methods according to the present invention and a computer program product comprising a computer readable medium having such a computer product stored thereon.

Embodiments of systems and methods disclosed herein provide a simple and effective method for authentication and key exchange that is secure from man-in-the-middle attacks and is characterized by perfect forward secrecy. More specifically, in certain embodiments, the systems and methods are disclosed that enable secure communications between a local device and a remote device(s) via a protocol that uses a Central Licensing Authority that shares derived secrets with the endpoints, without sharing the secrets themselves. The derived secrets may be comprised of public information, taking the form of nonces, in order to protect the system against replay-style attacks. Each endpoint can generate its own nonce with sufficient entropy such that neither endpoint is dependent on the trustworthiness of the other.