Patents Represented by Attorney Won Tae Kim
  • Patent number: 8321680
    Abstract: Embodiments describe a system and/or method for multiple party digital signatures. According to a first aspect a method comprises establishing a first validity range for a first key, establishing a first validity range for at least a second key, and determining if the validity range of the first key overlaps the first validity range of the at least a second key. A certificate is signed with the first validity range of the first key and the first validity range of the at least a second key if the validity ranges overlap. According to another embodiment, signage of the certificate is refused if the first validity range of the first key does not overlap with the first validity range of the at least a second key.
    Type: Grant
    Filed: December 9, 2010
    Date of Patent: November 27, 2012
    Assignee: QUALCOMM Incorporated
    Inventors: Alexander Gantman, Aram Perez, Gregory G. Rose, Laurence G. Lundblade, Matthew W. Hohfeld, Michael W. Paddon, Oliver Michaelis, Ricardo Jorge Lopez
  • Patent number: 8290162
    Abstract: Another feature provides an efficient encryption method that safeguards the security of encrypted symbols. Each plaintext symbol is encrypted by using a separate pseudorandomly selected translation table. Rather than pre-storing every possible permutation of symbols as translation tables, the translation tables may be efficiently generated on-the-fly based on a pseudorandom number and a symbol shuffling algorithm. A receiving device may similarly generate reverse translation tables on-the-fly to decrypt received encrypted symbols.
    Type: Grant
    Filed: December 15, 2006
    Date of Patent: October 16, 2012
    Assignee: QUALCOMM Incorporated
    Inventors: Alexander Gantman, Gregory G. Rose, Jae-Hee Choi, John W. Noerenberg, II
  • Patent number: 8291226
    Abstract: Techniques to securely boot up an electronics device (e.g., a cellular phone) from an external storage device are described. Secure data (e.g., a hash digest, a signature, a cryptographic key, and so on) is initially retrieved from a non-writable area of an external memory device (e.g., a one-time programmable (OTP) area of a NAND Flash device). A first program (e.g., a boot program) is retrieved from a writable or main area of the external memory device and authenticated based on the secure data. The first program is enabled for execution if authenticated. A second program may be retrieved from the main area of the external memory device and authenticated based on the secure data. The second program is enabled for execution if authenticated. Additional programs may be retrieved and authenticated. Each program may be authenticated using a secure hash function, a digital signature, and/or some other cryptographic technique.
    Type: Grant
    Filed: February 10, 2006
    Date of Patent: October 16, 2012
    Assignee: QUALCOMM Incorporated
    Inventors: Dexter Tamio Chun, Ajit B. Patil, Cuneyt Fitoz, Dwight Gordon, Yu-Hsiang Huang, Oliver Michaelis
  • Patent number: 8281023
    Abstract: Storage authorization and access control of data stored on a peer-to-peer overlay network is provided. A publishing node stores data on a storage node in the overlay network. The publishing node is adapted to facilitate data storage authorization by generating a resource identifier as a function of a usage string associated with a data type to be stored. A storage request is generated that includes the resource identifier and data to be stored. The storage request may be sent to the storage node. The storage device receives the storage request sent by a publishing node, including a resource identifier and data to be stored. Independent storage authorization is performed by the storage node at an overlay level by verifying the resource identifier. The data in the storage request is stored at the storage node if the resource identifier is successfully verified.
    Type: Grant
    Filed: March 31, 2009
    Date of Patent: October 2, 2012
    Assignee: QUALCOMM Incorporated
    Inventors: Lakshminath R. Dondeti, Ranjith S. Jayaram, Vidya Narayanan
  • Patent number: 8225093
    Abstract: Providing for secure and efficient communication for mobile applications executed in a mobile operating environment is described herein. As an example, a primary mobile application can initiate a handshake that includes a unique identifier of the primary application and a random number for signing and/or certifying responsive requests. A recipient application can reference the unique identifier with a list of certified primary applications to verify the primary application. If verified, the recipient responds with the random number and a second random number that can sign and/or certify data requests sent by the primary application. According to some embodiments, random numbers can be hashed and/or truncated to provide low power encryption for such numbers. Further, round-trip policies can be enforced to provide reliable transmission of data. Accordingly, reliable, secure and low power synchronous communication can be conducted in a mobile environment.
    Type: Grant
    Filed: November 29, 2007
    Date of Patent: July 17, 2012
    Assignee: QUALCOMM Incorporated
    Inventors: Kenny Fok, Jihyun Hwang, Eric Chi Chung Yip, Mikhail A. Lushin (Misha)
  • Patent number: 8218768
    Abstract: A cryptosync design comprising (1) a channel identifier indicative of a particular channel via which a data packet is sent, (2) an extended time stamp indicative of a time value associated with the data packet, and (3) a counter indicative of a packet count associated with the data packet. The lengths of the extended time stamp and counter fields and the time unit for the extended time stamp are parameters that may be configured for each channel. At the sender, the extended time stamp for the cryptosync may be obtained from the System Time maintained by the sender. The counter value for the cryptosync may be provided by a counter that is maintained for the channel by the sender. The sender may include a time stamp and/or the counter value, if they are needed to derive the cryptosync at the receiver, in a header of the data packet.
    Type: Grant
    Filed: March 25, 2002
    Date of Patent: July 10, 2012
    Assignee: QUALCOMM Incorporated
    Inventors: Ramin Rezaiifar, Paul E. Bender, Roy Franklin Quick, Jr.
  • Patent number: 8213607
    Abstract: A stream stretcher is provided for securely expanding a key stream to match the length of a data block to be encrypted and/or decrypted. A key stream is obtained having a length of LZ bits. A length LD corresponding to a data block to be encrypted/decrypted is obtained, where LD>LZ. LD-LZ new bits are recursively generated by combining at least two bits of the key stream. The LD-LZ new bits are appended to the key stream to generate a stretched key stream. The data block may then be encrypted/decrypted with the stretched key stream. The at least two bits are selected to have offsets that form a full positive difference set.
    Type: Grant
    Filed: October 18, 2006
    Date of Patent: July 3, 2012
    Assignee: QUALCOMM Incorporated
    Inventors: Gregory G. Rose, Philip M. Hawkes
  • Patent number: 8195940
    Abstract: This disclosure describes a key update scheme for use in a mobile IP network. The update scheme may be implemented to facilitate key updates between a mobile device and a server computer that authenticates the mobile device. The techniques described herein can facilitate key updates in a manner that accounts for potential message loss during the update routine, mobile device failure during the update routine, or other problems typically encountered in mobile network settings. In this manner, the techniques can provide a robust scheme for key updates and may improve network security.
    Type: Grant
    Filed: April 2, 2003
    Date of Patent: June 5, 2012
    Assignee: QUALCOMM Incorporated
    Inventors: Marcello Lioy, Jeff Dyck, Roy Franklin Quick, Jr., Jayanth Mandayam
  • Patent number: 8155319
    Abstract: A method for protecting traffic in a radio access network connected to at least two core networks. The method comprises maintaining a core-network-specific authentication protocol and a radio-bearer-specific ciphering process, and generating, for each ciphering process, a count parameter comprising a cyclical sequence number and a hyperframe number (HFN) which is incremented each time the cyclical sequence number completes one cycle. For each core network or authentication protocol, a first radio bearer of a session is initialized with a HFN exceeding the highest HFN used during the previous session. When a new radio bearer is established, the mobile station selects the highest HFN used during the session for the core network in question, increments it and uses it for initializing the count parameter for the new radio bearer. At the end of a session, the mobile station stores at least part of the highest HFN used during the session.
    Type: Grant
    Filed: July 9, 2009
    Date of Patent: April 10, 2012
    Assignee: QUALCOMM Incorporated
    Inventors: Jukka Vialén, Valtteri Niemi
  • Patent number: 8145905
    Abstract: Disclosed is a method for multiple EAP-based authentications in a wireless communication system. In the method, a first master session key (MSK) is generated in a first EAP-based authentication for a first-type access. A first temporal session key (TSK) is generated from the first master session key (MSK). A second EAP-based authentication is performed, using the first temporal session key (TSK), for a second-type access. First-type access and second-type access are provided after the first and second EAP-based authentications are successfully completed.
    Type: Grant
    Filed: May 1, 2008
    Date of Patent: March 27, 2012
    Assignee: QUALCOMM Incorporated
    Inventors: Ravindra Patwardhan, Fatih Ulupinar, Jun Wang, Lakshminath Reddy Dondeti, Parag Arun Agashe, Peerapol Tinnakornsrisuphap, Raymond Tah-Sheng Hsu, Vidya Narayanan
  • Patent number: 8126139
    Abstract: Methods and apparatus are presented for encrypting and authenticating data, wherein some data is encrypted and some data is not encrypted, but all of the data is authenticated. Masking modules (410) are used in a partial-block encryption mode to indicate which bits of a data block are to be encrypted.
    Type: Grant
    Filed: July 16, 2008
    Date of Patent: February 28, 2012
    Assignee: QUALCOMM Incorporated
    Inventors: Gregory Gordon Rose, Philip Michael Hawkes
  • Patent number: 8098607
    Abstract: Methods and apparatus are presented for efficient broadcasting in wireless packet data systems. A single MAC_ID is used for broadcasting to a group of subscribers. By using the channel quality information of the group of subscribers, a base station determines the identity of the subscriber with the worst channel conditions. The timing and the transmission format of the multi-cast are then tailored so that the subscriber with the worst channel conditions is capable of recovering the transmission. If the timing and the transmission format are chosen in relation to the subscriber with the worst channel conditions, it is probable that other subscribers will be able to recover the transmission as well. Hence, only a single MAC_ID needs to be used to make a single broadcast, rather than sending multiple transmissions to multiple subscribers.
    Type: Grant
    Filed: October 18, 2004
    Date of Patent: January 17, 2012
    Assignee: QUALCOMM Incorporated
    Inventor: Stein A. Lundby
  • Patent number: 8098816
    Abstract: Disclosed is a method for evaluating resistance to cryptanalysis of a cipher structure having a diffusion element including a linear transformation placed between differently-sized confusion elements at an input and an output of the diffusion element. A generalized minimum number of non-zero symbols at the diffusion element's input and output is determined. The diffusion element's input is divided into subset inputs, each having a size corresponding to the size of each confusion element at the diffusion element input. For each subset input, a subset number of non-zero symbols at the subset input and the diffusion element output is determined. Each subset number is summed to generate a summed subset number. The summed subset number is subtracted from the generalized minimum number to generate a worst-case number. An upper bound of a maximum differential characteristic probability is calculated and used to evaluate the cipher structure.
    Type: Grant
    Filed: October 17, 2008
    Date of Patent: January 17, 2012
    Assignee: QUALCOMM Incorporated
    Inventors: Lu Xiao, Philip Michael Hawkes, Gregory Gordon Rose
  • Patent number: 8087014
    Abstract: A method and apparatus for configuration management for a computing device. The apparatus comprises an interface for providing available software to the computing device to be loaded onto the computing device. A processor executes a set of computer instructions to determine whether or not software resident in the computing device is authenticated or not. If the resident software is not authenticated, the processor loads the available software onto the computing device. If the resident software is authenticated, the processor loads the available software only if the available software is also authenticated.
    Type: Grant
    Filed: October 26, 2000
    Date of Patent: December 27, 2011
    Assignee: QUALCOMM Incorporated
    Inventors: Dan Vassilovski, Henry Tong
  • Patent number: 8050361
    Abstract: First and second transmission links are established with a remote station. An information signal is encoded to provide an encoded information signal having more bits than the information signal. First and second transmission signals are provided wherein each transmission signal has bits selected from the encoded information signal. Each of the first and second transmission signals is transmitted to the remote station by way of a respective one of the first and second transmission links. The remote station receives and combines the first and second transmission signals transmitted by the remote station to provide a combined encoded signal. The combined encoded signal is decoded by the remote station to provide the information signal. The first and second transmission links can be formed between the remote station and a single base station or between the remote station and two separate base stations.
    Type: Grant
    Filed: November 29, 2006
    Date of Patent: November 1, 2011
    Assignee: QUALCOMM Incorporated
    Inventors: Stein Lundby, Keith Saints
  • Patent number: 8019802
    Abstract: A cryptographically secure pseudo-random number generator is configured to obtain one or more unpredictable sources of entropy that provide a seed. A current internal state of the number generator is modified as a function of the current internal state and the seed to accumulate entropy. The modified internal state may be obtained by using non-linear feedback shift register operations on the internal state and the seed. A pseudo-random number is then generated based on the modified internal state of the number generator. The one or more unpredictable sources of entropy may be combined into the seed. The internal state of the number generator may be continually modified with additional seeds obtained from the one or more unpredictable sources and the current internal state. Additionally, the internal state of the number generator may be modified on demand with a new seed received from a calling application.
    Type: Grant
    Filed: August 23, 2006
    Date of Patent: September 13, 2011
    Assignee: QUALCOMM Incorporated
    Inventors: Gregory Gordon Rose, Alexander Gantman, Lu Xiao
  • Patent number: 8010781
    Abstract: A device and method for accelerating functioning of a software application having multi-layer, high overhead protocols, wherein the device has a first processor operating a software application having a multi-layer protocol; a second processor configured to operate at least one layer of the multi-layer protocol; and a memory accessible to each of the processor and the second processor.
    Type: Grant
    Filed: November 8, 2007
    Date of Patent: August 30, 2011
    Assignee: QUALCOMM Incorporated
    Inventors: Anthony P. Mauro, James J. Willkie
  • Patent number: 7995751
    Abstract: In a communications system, a method of transforming a set of message signals representing a message comprising the steps of first encoding one of the set of message signals in accordance with a first keyed transformation, a second encoding of the one of the set of message signals in accordance with at least one additional keyed transformation, a third encoding of the one of the set of message signals in accordance with a self inverting transformation in which at least one of the set of message signals is altered, a fourth encoding of the one of the set of message signals in accordance with at least one additional inverse keyed transformation wherein each of the at least one additional inverse keyed transformation is a corresponding inverse of at least one additional keyed transformation, and fifth encoding the one of the set of message signals in accordance with first inverse keyed transformation wherein the first inverse keyed transformation is the inverse of the first keyed transformation.
    Type: Grant
    Filed: March 30, 2004
    Date of Patent: August 9, 2011
    Assignee: QUALCOMM Incorporated
    Inventor: Gregory G. Rose
  • Patent number: 7986672
    Abstract: Method and apparatus for providing link quality feedback to a transmitter. In one embodiment, a periodic link quality message is transmitted on a gated channel, while continuous differential indicators are transmitted. Between quality messages, the differential indicators track the quality of the link. In one embodiment, a parity check is provided with the quality message. In another embodiment, the frequency of transmission for the quality messages is determined by the channel quality. When the receiver anticipates reception of a transmission, the quality messages are generated; else the quality messages are halted.
    Type: Grant
    Filed: February 25, 2002
    Date of Patent: July 26, 2011
    Assignee: QUALCOMM Incorporated
    Inventors: Edward G. Tiedemann, Jr., Stein A. Lundby
  • Patent number: 7966000
    Abstract: A mutual authentication method is provided for securely agreeing application-security keys with mobile terminals supporting legacy Subscriber Identity Modules (e.g., GSM SIM and CDMA2000 R-UIM, which do not support 3G AKA mechanisms). A challenge-response key exchange is implemented between a bootstrapping server function (BSF) and mobile terminal (MT). The BSF generates an authentication challenge and sends it to the MT under a server-authenticated public key mechanism. The MT receives the challenge and determines whether it originates from the BSF based on a bootstrapping server certificate. The MT formulates a response to the authentication challenge based on keys derived from the authentication challenge and a pre-shared secret key. The BSF receives the authentication response and verifies whether it originates from the MT.
    Type: Grant
    Filed: March 22, 2010
    Date of Patent: June 21, 2011
    Assignee: QUALCOMM Incorporated
    Inventors: James F. Semple, Gregory Gordon Rose, John W. Nasielski