A method performed by an authentication server in a home network of a UE for obtaining a subscription permanent identifier, SUPI. The method comprises: receiving a SUCI which comprises an encrypted part in which at least a part of the SUPI is encrypted, and a clear-text part which comprises a home network identifier and an encryption scheme identifier that identifies an encryption scheme used by the UE to encrypt the SUPI in the SUCI; determining a de-concealing server to use to decrypt the encrypted part of the SUCI; sending the SUCI to the de-concealing server; and receiving the SUPI in response. Methods performed by a UE and a de-concealing server are also disclosed. Furthermore, UEs, de-concealing servers, authentication servers, computer program and a memory circuitry are also disclosed.

Performing cryptographic operations such as encryption and decryption may be computationally expensive. In some contexts, initialization vectors and keystreams operable to perform encryption operations are generated and stored in a repository, and later retrieved for use in performing encryption operations. Multiple devices in a distributed system can each generate and store a subset of a larger set of keystreams.

Systems and methods are described for securely and efficiently processing electronic content. In one embodiment, a first application running on a first computing system establishes a secure channel with a second computing system, the secure channel being secured by one or more cryptographic session keys. The first application obtains a license from the second computing system via the secure channel, the license being encrypted using at least one of the one or more cryptographic session keys, the license comprising a content decryption key, the content decryption key being further encrypted using at least one of the one or more cryptographic session keys or one or more keys derived therefrom. The first application invokes a second application to decrypt the license using at least one of the one or more cryptographic session keys, and further invokes the second application to decrypt the content decryption key using at least one of the one or more cryptographic session keys or one or more keys derived therefrom, and to decrypt a piece of content using the content decryption key. The first application then provides access to the decrypted piece of content in accordance with the license.

In one embodiment, a system for generating an access stratum key comprises: a first network-side device that has access to a core network (CN) and is communicably coupled to a user equipment device (UE) through a first air interface, and a second network-side device that has access to the CN through the first network-side device and is communicably coupled to the UE through a second air interface. The first network-side device is configured to calculate an access stratum root key of the second network-side device according to an access stratum root key of the first network-side device and an input parameter; and send the access stratum root key of the second network-side device to the second network-side device. The second network-side device is configured to receive the access stratum root key of the second network-side device from the first network-side device; and generate an access stratum key according to the access stratum root key of the second network-side device.

A root key (K_iwf) is derived at a network and sent to MTC UE (10). The K_iwf is used for deriving subkeys for protecting communication between MTC UE (10) and MTC-IWF (20). In a case where HSS (30) derives the K_iwf, HSS (30) send to MTC-IWF (20) the K_iwf in a new message (Update Subscriber Information). In a case where MME (40) derives the K_iwf, MME (40) sends the K_iwf through HSS (30) or directly to MTC-IWF (20). MTC-IWF (20) can derive the K_iwf itself. The K_iwf is sent through MME (40) to MTC UE (10) by use of a NAS SMC or Attach Accept message, or sent from MTC-IWF (20) directly to MTC UE (10). In a case where the K_iwf is sent from MME (40), MME (40) receives the K_iwf from HSS (30) in an Authentication Data Response message, or from MTC-IWF (20) directly.

Embodiments of the invention disclose a method for security communication of carrier aggregation between base stations, which method comprises receiving, by a user equipment, a first message to add a cell controlled by a secondary base station as a service cell sent by a primary base station; and creating, by the user equipment, a security key for communication with cells controlled by the secondary base station according to security context of the primary base station and the first message. Embodiments of the invention further disclose the corresponding user equipment and base stations. Implementation of the method and apparatus according to the present invention makes it possible to effectively protect security of data transmission of the air interface and to avoid attacks on air interface security.

System and method for managing devices comprising a memory store having memory locations, wherein each memory location stores one or more attributes associated with one or more devices. Device manager arranged to execute commands to take an action on the one or more attributes stored in the memory locations, and to receive from the one or more devices values of the corresponding one or more attributes. Synchronizer configured to maintain synchronization between the attributes stored in the memory store and the attributes associated with the devices.

A novel key management approach is provided for securing communication handoffs between a UE and two base stations. A UE establishes a secure communication session with a first base station based on a first master session key based on a master transient key. The UE obtains a second base station identifier associated with a second base station and sends a message associated with a handoff to either the first base station or the second base station. The UE generates a second master session key based on at least the master transient key and the second base station identifier. The second master session key is used for secure communications with the second base station in connection with an intra-authenticator handoff from the first base station to the second base station. The UE then moves the secure communication session to the second base station.

A method and device for providing a key for IoT communication are disclosed. The method includes an embodiment whereby an IoT device transmits a security code to a personal electronic device, derives a first security key and a second security key from the security code, protects outgoing communication with a control device based on the first security key, and protects outgoing communication with the personal electronic device based on the second security key.

Systems, devices, and methods are disclosed for instantaneously decrypting data in an end-to-end encrypted secure messaging session while maintaining forward secrecy and post-compromise security using a double ratchet communication protocol. Unique message keys can be generated in a predictable progression independently on each device, ratcheting keys for each message on an as-needed basis, and a seed key and state for the predictable progression can be updated based on an asymmetric key exchange between the devices, thereby serving as a second ratchet. Message keys can feed a pseudo-random number generator (PRG) to generate the next message key in a progression. A Continuous Key Agreement (CKA) engine can use an asymmetric key pair to generate a shared secret key to feed a Pseudo-Random Function (PRF-PRNG) to reset the state of the PRG and provide a refresh key to the PRG.