H04L2463/061

COMMUNICATING WITH A DEVICE
20190306123 · 2019-10-03

The present disclosure provides a method and apparatuses configured for identifying a server instance in communications between an entity and a bootstrapping server. In particular, the method is directed to sending a data communication between the entity and the bootstrapping server, wherein the data include a pointer to the server instance. In addition, the bootstrapping server is configured to set, in at least part of data to be communicated to an entity, a pointer to a security server instance.

NETWORK SECURITY ARCHITECTURE
20190306140 · 2019-10-03

In an aspect, a network supporting client devices includes one or more network nodes implementing network functions. Such network functions enable a client device to apply a security context to communications with the network when the client device is not in a connected mode. The client device obtains a user plane key shared with a user plane network function implemented at a first network node and/or a control plane key shared with a control plane network function implemented at a second network node. The client device protects a data packet with the user plane key or a control packet with the control plane key. The data packet includes first destination information indicating the first network node and the control packet includes second destination information indicating the second network node. The client device transmits the data packet or control packet.

NETWORK SECURITY ARCHITECTURE
20190306141 · 2019-10-03

In an aspect, a network supporting client devices includes one or more network nodes implementing network functions. Such network functions enable a client device to apply a security context to communications with the network when the client device is not in a connected mode. The client device obtains a user plane key shared with a user plane network function implemented at a first network node and/or a control plane key shared with a control plane network function implemented at a second network node. The client device protects a data packet with the user plane key or a control packet with the control plane key. The data packet includes first destination information indicating the first network node and the control packet includes second destination information indicating the second network node. The client device transmits the data packet or control packet.

END-TO-END COMMUNICATION SECURITY

In one implementation, a method for providing end-to-end communication security for a controller area network (CANbus) in an automotive vehicle across which a plurality of electronic control units (ECU) communicate is described. Such an automotive vehicle can include, for example, a car or truck with multiple different ECUs that are each configured to control various aspects of the vehicle's operation, such as an infotainment system, a navigation system, various engine control systems, and/or others.

COMMUNICATION OVER QUANTUM CHANNELS WITH ENHANCED PERFORMANCE AND SECURITY
20190305942 · 2019-10-03

This invention disclosure describes how the security of existing quantum key distribution protocols can be enhanced with the use of a ternary/binary arithmetic conversion along with shared keys between communicating parties. With these schemes, Bob can detect eavesdropping attacks without exchanging the content of the transmitted data stream with Alice. Addressable physical unclonable function (PUF) technology can be exploited to design protocols that securely exchange the shared keys.

Call handover between cellular communication system nodes that support different security contexts

In the context of facilitating a circuit switched to packet switched handover of a call in a cellular communication system, a first node (e.g., packet switched target node) generates a security context for a client whose call is being handed over. This involves the first node receiving at least one cryptographic key from a second node (e.g., a circuit switched node supporting the existing connection) and receiving identities of security algorithms supported by the client from a third node (e.g., a packet switched node supporting the existing connection). The first node uses the at least one cryptographic key and the identities to generate the security context for the client.

Method and apparatus for applying security information in wireless communication system

A method and apparatus for applying security information in a wireless communication system is provided. A user equipment (UE) obtains first security information and second security information, applies the first security information to a first set of radio bearers (RBs) which is served by a master eNodeB (MeNB), and applies the second security information to a second set of RBs which is served by a secondary eNodeB (SeNB).

Secure radio access with inter-eNB carrier aggregation
10433162 · 2019-10-01

A system for securing radio access with inter-eNB carrier aggregation includes a primary eNB configured to secure transmission with a user equipment (UE). The primary eNB generates a base key and derives a set of derived keys used to secure transmission on a set of radio bearers that correspond to the set of derived keys. The system also includes a secondary eNB (SeNB) configured to secure transmission with the UE using at least one of the set of derived keys received, which corresponds to a radio bearer from the set of radio bearers used by the SeNB.

Techniques for deriving security keys for a cellular network based on performance of an extensible authentication protocol (EAP) procedure

Techniques are described for wireless communication. A method for wireless communication at a user equipment (UE) includes performing an extensible authentication protocol (EAP) procedure with an authentication server via an authenticator. The EAP procedure is based at least in part on a set of authentication credentials exchanged between the UE and the authentication server. The method also includes deriving, as part of performing the EAP procedure, a master session key (MSK) and an extended master session key (EMSK) that are based at least in part on the authentication credentials and a first set of parameters; determining a network type associated with the authenticator; and performing, based at least in part on the determined network type, at least one authentication procedure with the authenticator. The at least one authentication procedure is based on an association of the MSK or the EMSK with the determined network type.

Layer 2 relay to support coverage and resource-constrained devices in wireless networks
10433286 · 2019-10-01

Embodiments provide a mobile communications device that includes a processor configured to communicate with a transceiver and a memory. The transceiver is configured to exchange control signals with a network node. The memory contains instructions that when executed by the processor configure the processor to operate the transceiver to exchange the control signals. The instructions further configure the processor to pass a first proper subset of the control signals to a remote device without operating according to the control signals, and to operate according to control signals in a second proper subset of the control signals. The processor is thereby configured to operate on behalf of a remote communication device to support communication between the remote communication device and the network node.