Existing standards for mobile networks provide for protection of communication between a serving network and a terminal based on a security context created as a result of successful Authentication and Key Agreement (AKA). For example, AKA is the mechanism used to perform authentication and session key distribution in Universal Mobile Telecommunications System (UMTS) and Long Term Evolution (LTE) networks.
AKA requires that a pre-shared key K is stored in the terminal (e.g. on the USIM card) and in an authentication server, AS (for example a Home Subscriber Server, HSS, in the home network of the terminal). Based on a subscriber/terminal identity (e.g. the International Mobile Subscriber Identity, IMSI), the serving network requests the following data from the AS: a random challenge (RAND), an authentication token (AUTN), an expected response (XRES) and a set of keys. In UMTS these keys are Ck and Ik (see below). The random challenge and the authentication token are forwarded to the terminal via the serving network; AUTN carries a sequence number and a message authentication code computed under K, which provides replay protection and enables the terminal to authenticate the network. The USIM in the terminal verifies AUTN and computes two values from RAND: the set of keys (Ck, Ik) and a response, RES. RES is sent back to the serving network, which verifies that it matches XRES; if so, the serving network concludes that the response came from the holder of K, the terminal is considered authenticated, and subsequent data exchange is protected using the set of keys. Note that the AS hands the serving network XRES and the derived keys but never K itself, so the serving network authenticates the terminal without ever learning the long-term secret.
AKA thus creates fresh session keys (Ck, Ik) used for securing (encrypting and integrity-protecting) communication between the terminal and the serving network.
This freshness is essential for security: compromise of one run's session keys exposes only the traffic protected by those keys, not K and not other sessions. The session keys together with any additional state necessary to secure the communication between the terminal and the network are referred to below as the security context.
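The AKA run described above, carried through end to end as an added example (this is illustrative code, not 3GPP or any vendor's implementation). The message flow, the AUTN layout (SQN xor AK || AMF || MAC-A) and the checks each side performs follow TS 33.102; the functions f1 to f5 are stood in by truncated HMAC-SHA256 outputs rather than MILENAGE, and the USIM's sequence-number check is a strict monotonic comparison rather than the windowed check a real USIM uses. The key EXAMPLE_K, the class names and the helper demo() are all constructed for this example.

```python
import hmac
import hashlib
import secrets

# Constructed example key. A real K lives only in the USIM and the AuC/HSS.
EXAMPLE_K = bytes.fromhex("465b5ce8b199b49faa5f0a2ee238a6bc")


def _prf(k, tag, data, n):
    """Stand-in for the MILENAGE functions: domain-separated HMAC, truncated."""
    return hmac.new(k, tag + data, hashlib.sha256).digest()[:n]


def f1(k, rand, sqn, amf): return _prf(k, b"f1", rand + sqn + amf, 8)   # MAC-A, 64 bit
def f2(k, rand): return _prf(k, b"f2", rand, 8)                          # RES / XRES
def f3(k, rand): return _prf(k, b"f3", rand, 16)                         # Ck, 128 bit
def f4(k, rand): return _prf(k, b"f4", rand, 16)                         # Ik, 128 bit
def f5(k, rand): return _prf(k, b"f5", rand, 6)                          # AK, hides SQN


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class AuthServer:
    """HSS/AuC side: holds K and the per-subscriber sequence counter SQN."""
    def __init__(self, k):
        self.k = k
        self.sqn = 0

    def authentication_vector(self, amf=b"\x80\x00"):
        self.sqn += 1                                   # fresh SQN per vector
        sqn = self.sqn.to_bytes(6, "big")
        rand = secrets.token_bytes(16)                  # fresh challenge per vector
        autn = _xor(sqn, f5(self.k, rand)) + amf + f1(self.k, rand, sqn, amf)
        # (RAND, AUTN, XRES, Ck, Ik): handed to the serving network; K is not.
        return rand, autn, f2(self.k, rand), f3(self.k, rand), f4(self.k, rand)


class USIM:
    """Terminal side: holds K and the highest SQN accepted so far."""
    def __init__(self, k):
        self.k = k
        self.sqn_ms = 0

    def respond(self, rand, autn):
        sqn = _xor(autn[:6], f5(self.k, rand))          # unmask SQN with AK
        amf, mac = autn[6:8], autn[8:16]
        if not hmac.compare_digest(mac, f1(self.k, rand, sqn, amf)):
            raise ValueError("MAC failure: network could not be authenticated")
        sqn_int = int.from_bytes(sqn, "big")
        if sqn_int <= self.sqn_ms:                      # replayed or stale AUTN
            raise ValueError("synchronisation failure: SQN not fresh")
        self.sqn_ms = sqn_int
        return f2(self.k, rand), f3(self.k, rand), f4(self.k, rand)


def run_aka(hss, usim):
    """Serving network's view of one AKA run; returns the new security context."""
    rand, autn, xres, ck, ik = hss.authentication_vector()   # from the AS
    res, ck_t, ik_t = usim.respond(rand, autn)               # RAND, AUTN -> terminal
    if not hmac.compare_digest(res, xres):                   # RES must equal XRES
        raise ValueError("RES mismatch: terminal not authenticated")
    return {"rand": rand, "autn": autn, "ck": ck, "ik": ik,
            "terminal_keys": (ck_t, ik_t)}


def demo():
    hss, usim = AuthServer(EXAMPLE_K), USIM(EXAMPLE_K)
    ctx1, ctx2 = run_aka(hss, usim), run_aka(hss, usim)
    results = {
        "terminal_matches_network": ctx1["terminal_keys"] == (ctx1["ck"], ctx1["ik"]),
        "fresh_keys": (ctx1["ck"], ctx1["ik"]) != (ctx2["ck"], ctx2["ik"]),
    }
    try:                                    # replaying an old RAND/AUTN pair
        usim.respond(ctx1["rand"], ctx1["autn"])
        results["replay_rejected"] = False
    except ValueError:
        results["replay_rejected"] = True
    rand, autn, *_ = AuthServer(bytes(16)).authentication_vector()   # wrong K
    try:                                    # a network that does not hold K
        usim.respond(rand, autn)
        results["rogue_network_rejected"] = False
    except ValueError:
        results["rogue_network_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The two successful runs in demo() yield different (Ck, Ik) pairs even though K is unchanged, which is the freshness property the text relies on; the third and fourth attempts show the two AUTN checks doing their work, rejecting a replayed token and a token produced by a party without K.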
Cellular technology such as LTE, including its basic security features, is for many reasons attractive to re-use for machine-to-machine communication (M2M). In many cases M2M devices (MDs) will communicate with the network (and with each other) relatively infrequently, yet security must be provided.
There are problems with the current 3GPP security solutions as they stand, because one of the following options must be used to establish a security context for protection of the traffic between the MD and the network, and each has significant drawbacks:
- A security context can be kept in the serving network for each device, but this may require storing very large numbers of security contexts, most of which will very seldom be used.
- If, on the other hand, MDs run AKA each time they wish to communicate, this drains MD battery power, adds delay and risks signalling overload in the network.
- Re-using the fixed pre-shared key K directly (without running AKA at all) means that, if K is broken, all past and future sessions are insecure. If instead a key derived from AKA is broken, only the session protected by that particular key is compromised.
- Public key technology is ruled out for two reasons: computational and communication overhead, and the need for the MD to keep a reasonably accurate clock for replay protection. (Without a time-based mechanism, at least three exchanges between MD and network would be needed to obtain replay protection, which is not signalling-compatible with the 2-pass AKA protocol.) In addition, there are practical problems with operating a Public Key Infrastructure (PKI), e.g. deployment and the question of who acts as certifying authority, which arise when multiple parties are involved (MD manufacturers, network equipment manufacturers and operators).
In the situation where an MD and the network have already once shared a security context, it may be possible to efficiently re-establish a new security context based on the previously shared one. It should be noted that the IETF adaptations of SIM and USIM based authentication (EAP-SIM, RFC 4186, and EAP-AKA, RFC 4187, respectively) have provisions for a so-called fast re-authentication procedure. However, these protocols have several shortcomings:
- The re-authentication procedure is always triggered from the network side and, following this trigger, at least four messages are exchanged between the device and the network before the final EAP-Success, totalling 2.5 round trips.
- There is no guarantee that the protocol succeeds in 2.5 round trips, because the so-called "fast re-authentication identities" may be modified by intermediate Authentication, Authorisation and Accounting (AAA) proxies. In this case an additional (full) round trip with an explicit Identity Request is needed.
- There is no guarantee that fast re-authentication is even possible, since it depends on the MD having such an (unused) fast re-authentication identity available, which may not always be the case.
- The procedure is not (optimally) resistant to denial of service, since the first message from the device is not authenticated and so an attacker can cause the network to perform work without holding any key.
It would therefore be desirable to provide a system which enables secure communication to be re-established quickly, but without the requirement for large numbers of security contexts to be stored unnecessarily.