Patent classifications
H04L2463/061
Key derivation for secure communications
A security system is disclosed in which a device-specific key value is provided to a security processing device, and then used to derive additional derived keys for use in secured communications. In response to identifying a compromise of the derived keys, the system can be instructed to derive new or replacement derived keys for use in the secured communications. In some embodiments, the security system can be used in a video reception device, to decrypt encrypted video content.
METHOD AND APPARATUS FOR NEW KEY DERIVATION UPON HANDOFF IN WIRELESS NETWORKS
A novel key management approach is provided for securing communication handoffs between a UE and two base stations. A UE establishes a secure communication session with a first base station based on a first master session key derived from a master transient key. The UE obtains a second base station identifier associated with a second base station and sends a message associated with a handoff to either the first base station or the second base station. The UE generates a second master session key based on at least the master transient key and the second base station identifier. The second master session key is used for secure communications with the second base station in connection with an intra-authenticator handoff from the first base station to the second base station. The UE then moves the secure communication session to the second base station.
METHOD, APPARATUS, AND SYSTEM FOR ESTABLISHING SECURITY CONTEXT
Embodiments disclose a method, an apparatus, and a system for establishing a security context, and relate to the communications field, so as to comprehensively protect UE data. The method includes: acquiring an encryption algorithm of an access node; acquiring a root key and deriving, according to the root key and the encryption algorithm, an encryption key of the access node; sending the encryption key and the encryption algorithm to the access node, so that the access node starts downlink encryption and uplink decryption; sending the encryption algorithm of the access node to the UE so as to negotiate the encryption algorithm with the UE; and instructing the access node to start downlink encryption and uplink decryption and instructing, during algorithm negotiation, the UE to start downlink decryption and uplink encryption.
Fast-accessing method and apparatus
A fast-accessing method may comprise: establishing a first security connection between a first network node and a user equipment; obtaining first information from a second network node, wherein the first information comprises at least one of system information of the second network node and an identifier of a security algorithm selected by the second network node for the user equipment; providing second information to the second network node, in response to an indication of the second network node from the user equipment, wherein the second information comprises security information related to the user equipment; and sending the first information to the user equipment for establishing a second security connection between the user equipment and the second network node.
Encrypted Audio Streaming
The disclosed technology relates to broadcasting encrypted data to multiple receiver devices, where some receiver devices have long-term access to the encrypted data and some receiver devices have temporary access to the encrypted data. Receivers having long-term access are part of a member group because these member group devices have a master key, and the master key enables the member group devices to derive the information necessary to decrypt the encrypted broadcast. In contrast, devices with temporary access possess only a guest key and not a master key; without a master key, these devices need to receive the guest key from another device to decrypt the broadcast. Access to the encrypted stream can also be based on broadcasting multiple or single diversifiers, where a diversifier can include group identification information to assist in restricting access to the encrypted stream.
SYSTEMS AND METHODS FOR GENERATING SYMMETRIC CRYPTOGRAPHIC KEYS
A system for generating symmetric cryptographic keys for communications between hosts. Hosts use associated devices to generate secret keys. Each key is generated based on a static seed and a dynamic seed. The dynamic seed is created from sensor data or auxiliary data. The secret key allows host machines to encrypt or decrypt plaintext messages sent to or received from other host machines.
SYSTEMS AND METHODS OF PER-DOCUMENT ENCRYPTION OF ENTERPRISE INFORMATION STORED ON A CLOUD COMPUTING SERVICE (CCS)
The technology disclosed relates to securely encrypting a document. In particular, it relates to accessing a key-manager with a triplet of organization identifier, application identifier and region identifier and in response receiving a triplet-key and a triplet-key identifier that uniquely identifies the triplet-key. Also, for a document that has a document identifier (ID), the technology disclosed relates to deriving a per-document key from a combination of the triplet-key, the document ID and a salt. Further, the per-document key is used to encrypt the document.
METHOD OF RECEIVING DATA WITHIN AN ELECTRONIC ENTITY AND ASSOCIATED ELECTRONIC ENTITY
A method for receiving data (DATASEND) within an electronic entity (2) includes the following steps: establishment, between the electronic entity (2) and an external electronic apparatus, of a first secure channel by encipherment by means of a first cryptographic key (SK-ENC); reception, via the first secure channel, of a first command; reception of at least one second cryptographic key (BK-ENC) via the first secure channel; setting up, owing to the execution of the command, of a second secure channel by encipherment by means of the second cryptographic key (BK-ENC); and reception of the data (DATASEND) in the second secure channel. A corresponding electronic entity is also described.
User-initiated migration of encryption keys
Embodiments utilizing secret keys for authentication and/or encrypted communication are described. In certain embodiments, authentication data is provided from a source network communication device to a target network communication device that allows a computing server to verify that the key migration is authorized by the source network communication device. The authentication data also enables the data provider and the target network communication device to independently determine a temporary key for establishing a secure communication channel between the service provider and the target network communication device and/or determine a new key for the target network communication device. In some implementations, the authentication data may be exchanged between the source and target network communication devices offline, without involvement of the computing server. When the target network communication device later connects to the computing server, the authentication data may be used to verify that the key migration is authorized and/or to generate key(s).
Method and Apparatus for Handling Security Keys for Individual Bearers
A method and apparatus for handling security keys for individual bearers of the user equipment include dividing a plurality of individual bearers among a plurality of different sub-groups, each sub-group having a different base value from which the security keys for the associated bearers are derived. When the security keys associated with the individual bearers of one particular sub-group are refreshed, the security keys of the individual bearers that are not part of that sub-group do not need to be refreshed.