This invention discloses a method for security communication of carrier aggregation between base stations, which method comprises receiving, by a user equipment, a first message to add a cell controlled by a secondary base station as a service cell sent by a primary base station; and creating, by the user equipment, a security key for communication with cells controlled by the secondary base station according to security context of the primary base station and the first message. This invention further discloses the corresponding user equipment and base stations. Implementation of the method and apparatus according to the present invention makes it possible to effectively protect security of data transmission of the air interface and to avoid attacks on air interface security.

Disclosed is a method for secure transmission of small data of a machine type communication (MTC) device group, comprising a process wherein an MTC device and an MTC-Interworking Function (MTC-IWF) generate a shared key KIWF on the basis of a GBA procedure, the MTC device and a bootstrapping server (BSF) performing AKA authentication: a home subscriber server (HSS) determines whether the MTC device belongs to the MTC device group and whether said device has small data transmission and reception capabilities; if said device belongs to said group and has said capabilities, an AKA authentication vector generated on the basis of the MTC device group key is sent to said BSF; the BSF carries out AKA authentication with the MTC device on the basis of the received AKA authentication vector. Also disclosed is a system for secure transmission of small data of an MTC device group.

A method in a User Equipment (UE) of an Evolved Packet System (EPS) establishes a security key (K_eNB) for protecting Radio Resource Control/User Plane (RRC/UP) traffic exchanged with a serving eNodeB. The method comprises sending a

Non-Access Stratum (NAS) Service Request to a Mobility Management Entity (MME), the request indicating a NAS uplink sequence number (NAS_U_SEQ). The method further comprises receiving an indication of the NAS_U_SEQ of the NAS Service Request sent to the MME, back from the MME via the eNodeB. The method further comprises deriving the K_eNB from at least the received indication of the NAS_U_SEQ and from a stored Access Security Management Entity-key (K_ASME) shared with said MME.

A system and method are described for provisioning an IoT device using an association ID code. For example, one embodiment of a method comprises: generating an association between a new Internet of Things (IoT) device identification (ID) code and an association ID code; storing the association in an IoT device database of an IoT service; retrieving the association ID code from the new IoT device; transmitting the association ID code to the IoT service, the IoT service performing a lookup in the IoT device database using the association ID code to determine the device ID code; and provisioning the IoT device to communicate with the IoT service using the device ID code.

Techniques for handling ciphering keys in a mobile station comprising a mobile equipment (ME) and a Universal Subscriber Identity Module (USIM) are disclosed. An example method includes obtaining a UMTS cipher key (CK), integrity key (IK), and ciphering key sequence number (CKSN) from the USIM, deriving a 128-bit ciphering key (Kc-128) from the CK and the IK, and storing the Kc-128 and the CKSN on the mobile equipment, separate from the USIM. The stored CKSN is associated with the stored Kc-128, so that the Kc-128's correspondence to the most current UMTS security context can be tracked. This example method applies to the generation and storage of a 128-bit ciphering key for either the packet-switched or circuit-switched domains. A corresponding user equipment apparatus is also disclosed.

Aspects may relate to a device that comprises: a non-volatile storage medium (NVM) to store a signature and a device key, the device key based on a symmetric master key and an identifier; an interface; and a processor coupled to the interface and the NVM. The processor may be configured to: apply a key derivation function (KDF) to the device key to generate a derivative key; apply a key generation function to the derivative key to generate at least one public key; and command transmission of the signature and the at least one public key through the interface to a service provider.

Embodiments of the present invention discloses a method, an apparatus, and a system for establishing a security context and relates to the communications field, so as to comprehensively protect UE data. The method includes: acquiring an encryption algorithm of an access node; acquiring a root key and deriving, according to the root key and the encryption algorithm, an encryption key of the access node; sending the encryption key and the encryption algorithm to the access node, so that the access node starts downlink encryption and uplink decryption; sending the encryption algorithm of the access node to the UE so as to negotiate the encryption algorithm with the UE; and instructing the access node to start downlink encryption and uplink decryption and instructing, during algorithm negotiation, the UE to start downlink decryption and uplink encryption. The present invention mainly applies to SCC security protection.

A method begins by a dispersed storage (DS) processing module segmenting a data partition into a plurality of data segments. For a data segment of the plurality of data segments, the method continues with the DS processing module dividing the data segment into a set of data sub-segments and generating a set of sub keys for the set of data sub-segments based on a master key. The method continues with the DS processing module encrypting the set of data sub-segments using the set of sub keys to produce a set of encrypted data sub-segments and aggregating the set of encrypted data sub-segments into encrypted data. The method continues with the DS processing module generating a masked key based on the encrypted data and the master key and combining the encrypted data and the masked key to produce an encrypted data segment.

A computing device has a processor and a first memory, e.g., a fuse-based memory, storing a first cryptographic key. The processor is configured to receive information related to a second cryptographic key from a cryptographic key provisioning system. The processor derives the second cryptographic key from the information related to a second cryptographic key. The first cryptographic key has fewer bits than the second cryptographic key. The processor is also configured to encrypt the second cryptographic key using the first cryptographic key, and store the encrypted second cryptographic key in a second memory, e.g., a flash memory.

A system and method that generates a password and places that password in a password input field of a running computer software application. The password input field is accessed by a computer that has a user interface. In a first embodiment of the invention, an electronic device is connected to the computer. The electronic device can generate a password as a random long string of characters. A communications link is established between the electronic device and the computer. The electronic device causes the user interface of the computer to lock or otherwise become disabled. The electronic device then generates a password. The password is entered into said password input prompt via said communications link while said user interface is disabled. The password is later identified with an identification code so that the same password can be recalled in the future.