Patent classifications
H04L2463/061
Security Context Handling in 5G During Connected Mode
The present disclosure relates to methods and apparatus for flexible security context management during AMF changes. One aspect of the disclosure is a mechanism for achieving backward security during AMF changes. Instead of passing the current NAS key to the target AMF, the source AMF derives a new NAS key, provides the new NAS key to the target AMF, and sends a key change indication to the UE, either directly or through some other network node. The UE can then derive the new NAS key from the old NAS key. In some embodiments, the AMF may provide a key generation parameter to the UE to use in deriving the new NAS key. In other embodiments, the target AMF may change one or more security algorithms.
Determining a Session Key Using Session Data
The various examples are directed to establishing a secure session between a device and a server. The device and the server may establish a session key. The session key may be used for encrypting data. After authenticating the session key, the server may transmit secure session data to the device, and the device may store the secure session data. The server may transmit information for deriving, based on secure session data, the session key to a different server. The device may transmit the secure session data to the server, or to the different server, to re-establish the secure session. The different server may derive, using the information and based on the secure session data, the session key. The different server may re-establish, using the session key, the secure session.
Stateless session synchronization between secure communication interceptors
Embodiments provide a system and method for stateless session synchronization between inspectors for high availability deployments. Man-in-the-Middle inspectors of a communication session between a client and server exchange a shared key that is used as a common seed value in a mapping function algorithm. Each inspector generates identical key pairs using the common mapping function algorithm, and the inspectors generate the session keys from the key pairs. Inspectors use the session keys to decrypt and either actively or passively inspect data transferred in a session between a client and server.
User and client device registration with server
Disclosed are systems and methods for registering a user and/or a client device with a server computer. In one embodiment, a registration method does not use any stored passwords or tokens. In certain embodiments, a method can include (a) generating a plurality of mathematical formulas, at least some of the plurality of mathematical formulas comprising variables; (b) generating a user ID file name comprising a decryption key, the decryption key associated with the plurality of mathematical formulas; (c) generating a plurality of icons; (d) assigning uniquely each mathematical formula from the plurality of mathematical formulas to each of the icons of the plurality of icons; and (e) receiving an ordered selection of icons, the ordered selection of icons selected by the user from said plurality of icons.
KEY PROCESSING METHOD IN DUAL CONNECTIVITY MODE AND DEVICE
Embodiments of the present invention disclose a key processing method in dual connectivity mode and a device, which ensure communication security of UE in dual connectivity mode. The method according to the embodiments of the present invention includes: where a first base station and a second base station each have a communication connection to a terminal, receiving, by the second base station, first request information sent by the first base station, where the first request information is used to request the second base station to generate a key used for communication with the terminal; and generating, by the second base station based on a security key carried in the first request information, the key used for communication with the terminal.
EFFICIENT METHODS FOR AUTHENTICATED COMMUNICATION
Embodiments of the invention relate to efficient methods for authenticated communication. In one embodiment, a first computing device can generate a key pair comprising a public key and a private key. The first computing device can generate a first shared secret using the private key and a static second device public key. The first computing device can encrypt request data using the first shared secret to obtain encrypted request data. The first computing device can send a request message including the encrypted request data and the public key to a server computer. Upon receiving a response message from the server computer, the first computing device can determine a second shared secret using the private key and the blinded static second device public key. The first computing device can then decrypt the encrypted response data from the response message to obtain response data.
APPARATUS, SYSTEM AND METHOD FOR SCE
In order to support separate ciphering at an MeNB (20) and an SeNB (30), the MeNB (20) derives separate first and second keys (KUPenc-M, KUPenc-S) from a third key (KeNB). The first key (KUPenc-M) is used for confidentiality protection of first traffic transmitted over the U-Plane between the MeNB (20) and a UE (10). The first key (KUPenc-M) may be the same as the current KUPenc or a new key. The second key (KUPenc-S) is used for confidentiality protection of second traffic transmitted over the U-Plane between the UE (10) and the SeNB (30). The MeNB (20) sends the second key (KUPenc-S) to the SeNB (30). The UE (10) negotiates with the MeNB (20), and derives the second key (KUPenc-S) based on a result of the negotiation.
Bionumerical Authentication Systems
A system is disclosed that adds a layer of security for a user who wishes to access an account. The system requires the user to enter both a private PIN and biometric data (e.g. a fingerprint, an eye scan) into a device, which will then combine the data to create a new, secure PIN. The new PIN is then used to access the account. The new PIN could also be generated using ancillary data, such as the time of the request, a request PIN sent to the device from a server, or a GPS location of the device. In other embodiments, the device itself could transmit the new PIN instead of requiring the new PIN to be entered by the user.
HOME NETWORK TRAFFIC ISOLATION
Implementations provide for extending an authentication protocol to dynamically create per-user end-to-end encryption over a multi-hop path for data traffic, which provides automatic triggering of authentication on each hop of a path when a client joins the network. A device includes a processor that is configured to, in response to receipt of a request for authentication from an end device, perform an authentication protocol to authenticate with an authentication server via an authenticator device. When the authentication protocol is successfully performed, the processor is configured to receive a message indicating that the device was successfully authenticated by the authentication server. The processor is configured to create a pairwise master key (PMK) from the parameters, and derive a pairwise temporary key (PTK) from a key derivation function seeded by the PMK. The processor is configured to encrypt, using the PTK, a message from the end device.
Fast-accessing method and apparatus
A fast-accessing method may comprise: establishing a first security connection between a first network node and a user equipment; obtaining first information from a second network node, wherein the first information comprises at least one of system information of the second network node and an identifier of a security algorithm selected by the second network node for the user equipment; providing second information to the second network node, in response to an indication of the second network node from the user equipment, wherein the second information comprises security information related to the user equipment; and sending the first information to the user equipment for establishing a second security connection between the user equipment and the second network node.