Abstract: Secure computation of enterprise data in a cloud is provided, by a third party, such that values and data manipulation processes are encrypted through use cryptographic processes that are secure. A method can comprise performing operations including receiving security data representing an attribute included in a log file, generating encoded attribute data as a function of the attribute, a hash function, or salt data representing an alphanumeric string, and sending the encoded attribute data to a second device.

Abstract: A data storage unit (202) stores encrypted data while remaining in an encrypted state, and stores decryption conditions to define a user attribute of a decryption-permission user who is permitted to decrypt the encrypted data. In a case wherein revocation information to indicate a user attribute of a revoked user who is no longer the decryption-permission user has been added to the decryption condition when update timing arrives, a revocation information removing unit (206) removes the revocation information from the decryption condition while the encrypted data remains in the encrypted state.

Abstract: A method of transferring information between subscribers associated with a communication service is disclosed. The method includes receiving a first handle address associated with a first subscriber device, in which the first subscriber device transfers information to a group of subscriber devices, each of the group of subscriber devices is linked to different handle addresses, and each of the different handle addresses is included in a group of handle addresses. The method also includes determining whether the first handle address is included in the group of handle addresses, transferring information from the first subscriber device to the group of subscriber devices in response to the first handle address being included in the group of handle addresses, and verifying that the transferred information was received by the group of subscriber devices. A corresponding system and computer-readable device are also disclosed.

Abstract: Embodiments are directed towards establishing a network between mobile devices, an automobile head unit, and a plurality of automobile accessories. A user utilizes a user interface on a mobile device to send an accessory access request to the head unit. The head unit receives the request and determines if the mobile device is authentic. If authentic, the head unit determines if the mobile device has the proper permissions to perform the requested access of the accessory. If permitted, the head unit generates and sends control commands to the accessory or obtains the requested accessory data and provides it to the mobile device.

Abstract: The invention relates to a method for authenticating and/or identifying a device, a service, a person and/or money in a communication network, consisting of a first communication device and an additional communication device, for example a central database, between which an authentication query is carried out. Initially, a first key is provided in the communication device, which comprises at least one character sequence consisting of individual or several locally modifiable characters which can be dynamically modified in accordance with a measurable variable or an algorithm which is dependent on the measurable variable, rules and/or instructions in the communication device, between two authentication time points. A second key is also provided in the central database or an additional communication subscriber which comprises a character sequence consisting of centrally modifiable characters and optionally non-modifiable characters.

Abstract: Apparatus and methods for providing content to IP-enabled devices in a content distribution network. In one embodiment, a network architecture is disclosed which enables delivery of content to such IP-enabled devices without the use of a high-speed data connection This capability allow the managed network operator to provide content services to an IP-enabled device associated with a non-data subscriber. In one implementation, requests for content from user IP-enabled devices are received, authenticated, and content processed into a series of encrypted segments. Once the requesting user/device is authenticated, the segments are provided with a playlist. The rendering device is also provided access to a decryption key (e.g., via a URL to a managed key server). Variants providing (i) user access to the MSO distribution network via an indigenous modem or gateway; and (ii) user access to the MSO core via a gateway and a third party unmanaged network are described.

Abstract: The present invention relates to a multiple encrypting method, for encrypting a file and/or a protocol and generating encryption keys. Comprising the steps of: uploading at least one of a file and a protocol by a file uploading unit; generating random numbers by a random number generation unit; arranging the random numbers to form at least one key and at least one initialization vector respectively by a key generation unit and an initialization vector generation unit; encrypting the file and/or the protocol from the file uploading unit via using AES encryption by an encryption unit, so as to generate an encrypted file and/or an encrypted protocol; saving the key and the initialization vector respectively in a first storage unit and a second storage unit; Repeating the above steps at least one time.

Abstract: Disclosed are various embodiments for facilitating collaboration among users for network-shared documents. A computing environment can identify that a particular identifier was used in a communication regarding a file being accessible on various client devices. A suitable task to perform in association with at least one of the plurality of client devices can be identified based on the identifier and a determination can be made whether performance of the task would comply with at least one compliance rule. In response to the performance of the task complying with the at least one compliance rule, the task can be performed.

Abstract: A system and method is disclosed for performing unified broadcast encryption and traitor tracing for digital content. In one embodiment a media key tree is divided into S subtrees, the media key tree including media keys and initial values, which may be random values. The digital content is divided into a plurality of segments and at least some of the segments are converted into a plurality of variations. The random values are transformed into media key variations and a separate media key variant is assigned to each of the subdivided subtrees. A unified media key block including the media key tree is stored on the media.

Abstract: A system including a centralized organizational information system in communication with a centralized organizational information database and an entitlement generator in communication with the centralized organizational information system, wherein the entitlement generator is configured to automatically generate at least one executable entitlement rule based on an input rule. The system also includes a federated set of entitlements engines in communication with the entitlement generator and a plurality of entitlement databases, wherein each of the entitlements engines is for determining whether a user is entitled to access secured resources requested by the user based on the executable entitlement rule.

Abstract: A method for storing a first data object includes: decomposing the first data object into a first fragment associated with a first original record locator and a second fragment associated with a second original record locator; obfuscating the first original record locator to generate a first obfuscated record locator and the second original record locator to generate a second obfuscated record locator; encrypting the first fragment using a first encryption key and the second fragment using a second encryption key; and storing, to at least a first of a plurality of storage locations, the first encrypted fragment with the corresponding first obfuscated record locator and the second encrypted fragment with the second obfuscated record locator.

Abstract: Video content is streamed to portable devices based on an entitlement determination that includes determining the location of the portable device. Channel listings available for the portable device may be filtered based on the determined entitlements. A device may determine an indication of a location of the portable device and determine entitlements defining which of the plurality of video content items are permitted to be viewed by the portable device, where the entitlements are determined based at least on the indication of the location of the portable device. The device may further transmit, to the portable device, a listing of the plurality of video content items, filtered based on those of the plurality of video content items that are permitted to be viewed by the portable device, as determined by the entitlements.

Abstract: A communication system 10 includes a head end 12 that generates a device list with channel or content authorizations. The head end communicates the list to a system gateway 26. The gateway 26 receives the list. A plurality of user devices 28 is coupled to the gateway 26. A first device of the plurality of user devices generates a channel or content request at the system gateway. The gateway 26 compares the channel or content authorizations from the list to the channel request from the first user device and communicates to the first user device a channel or content corresponding to the channel request in response to comparing. Thus, authorized users are able to receive the channel or content in response to the list. The list may be generated at a subscriber information module 52 and communicated with the content or channel through a satellite 18 or through a communication network 50.

Abstract: A communication system and method of operating the same includes a conditional access module and a customer service module customer service request signal. A handler receives the customer service request signal. The handler determines a communication path to the conditional access module through a connection pool and assigns the communication path for the customer service request signal. The handler communicates the request through the communication path and returns the path to the connection pool when communicating is complete.

Abstract: The present disclosure provides systems and methods for electronically providing each of a plurality of content distributors with access to a library of content items, facilitating the selection of a combination of the content items, creating a unique set of links for each recipient-distributor combination, and distributing the selected content and unique links via one or more distribution channels to a plurality of recipients. As each link is associated with both a recipient and a distributor, conversion actions stemming from the selection of a link by a recipient are attributed to the proper distributor. Distributors can create content distribution approaches that can be shared with other distributors.

Abstract: In one embodiment, a localization beacon is inserted into a digital communication signal by a localization device. The resulting modified signal is transmitted to customer premises equipment (CPE). One or more CPE devices monitor incoming signals to detect the presence of a localization beacon. If a localization beacon having certain characteristics is not received, the one or more CPE devices are configured to disable one or more CPE features.

Abstract: A method begins by a first device generating a self-validating message by creating a master key, using the master key to create a message encryption key, encrypting a message using the message encryption key to produce an encrypted message, encrypting the master key using a public key of a second device to produce an encrypted master key, and including a message authentication code of the first device in the self-validating message. The method continues by the second device receiving and decoding the self-validating message by verifying the message authentication code of the first device, and when the message authentication code of the first device is verified, decrypting the encrypted master key using a private key of the second device to recover the master key, using the master key to create the message encryption key, and decrypting the encrypted message using the message encryption key to recover the message.

Abstract: A method and system for performing multi-level searches includes a user device and a display associated with the user device. A guide system receives a content provider category for a first content and receives a global guide category different than the content provider category for the first content. A communication network communicates the global guide category and the provider category to the user device. The user device performs a global search and displays on the display the first content in response to the global guide category and displays on the display a provider homepage with the first content displayed under the content provider category.

Abstract: A content sharing device may receive, from a content providing device, information that identifies content to be shared with a dongle device via a content sharing service. The content sharing device may receive, from the content providing device, information that identifies a contact with which the content is to be shared. The content sharing device may determine, based on the information that identifies the contact, a dongle device identifier. The dongle device identifier may include a network address associated with the dongle device. The content sharing device may provide, to the dongle device and based on determining the dongle device identifier, information that identifies the content. The information that identifies the content may cause the content to be accessible by a content receiving device connected to the dongle device.

Abstract: A method, system, and computer program product comprising intercepting communication between a virtual machine and encrypted replication data stored on a storage medium and redirecting the communication to a remote replication appliance; and using a key stored on the remote replication appliance to enable the virtual machine to facilitate communication with the encrypted replication data stored on the storage medium; wherein facilitating communication enables the virtual machine to interact with the encrypted replication data as unencrypted data.

Abstract: A variety of techniques for performing identity verification are disclosed. As one example, a verification request is received from a remote user. The verification request pertains to a cryptographic key. In response to receiving a confirmation from a local user of the local device, a verification process is initiated. A result of the verification process is transmitted to the remote user. As a second example, a verification request can be received at the local device, from a local user of the device. A verification process with respect to the local user is initiated, and a result of the verification process is transmitted to a remote user that is different from the local user.

Abstract: A method is to detect a message compatible with the OTA (Over The Air) standard and affected by a wrong ciphering. The method may include receiving the ciphered OTA message; deciphering the OTA message; and reading a counter field of padding bytes in the deciphered OTA message and reading corresponding padding bytes in the OTA message deciphered. The method may also include detecting at least one bit in at least one of the padding bytes of the OTA message deciphered, with the at least one bit being indicative of the wrong ciphering.

Abstract: A method for controlling access to a plurality of channels by a unit comprising a security module, each channel being encrypted by a specific control word and having a channel identifier, this method comprising the steps of: tuning to a first channel having first channel identifier and receiving first messages containing a first control word; decrypting the first messages and using the first control word; storing the first control word and the first channel identifier; tuning to a second channel having second channel identifier; calculating the second control word by: calculating a root control word with an inverse cryptographic function F?1 using the first control word and the first channel identifier; calculating the second control word with the cryptographic function F using the root control word and the second channel identifier; and using the second control word to access the second channel.

Abstract: A self-healing video surveillance system is described. The self-healing video surveillance system includes one or more surveillance cameras that are configured to store configuration data of a network video recorder in operable communication with the surveillance cameras. The network video recorder includes configuration data, and a module configured to store the configuration data on the surveillance cameras and/or retrieve configuration data stored on the surveillance cameras. A new network video recorder introduced into the network retrieves the stored configuration data to self-configure with minimal or no human interaction. In embodiments, configuration data is distributed among a plurality of surveillance cameras, and may be stored in encrypted format.

Abstract: Provided are methods, apparatus and systems for the sale of digital content over a network. The disclosure herein discusses the recording of a broadcast of a digital data stream by a broadcast receiving device. A listener may select a particular digital data stream to purchase by selecting a content identifier associated with the digital data stream of interest at the recording device. Upon obtaining the selection, a purchase request message is transmitted to an intermediary communication device. The purchase request message includes at least the content identifier. After the transaction is completed at a transaction server, a purchase confirmation message including at least a digital rights management key associated with the digital data stream is returned to and received by the broadcast receiving device. Upon receipt, of the digital rights management key, the recorded digital data stream is released for reproduction.

Abstract: A method, system and computer program product for administering a secure data repository. Rather than using a specific database, an application may use an existing hierarchical file structure, such as provided by conventional operating systems, to store structured data in a number of files. To detect unauthorized, malicious or inadvertent changes to these files, either within one or more files, or by deletion, replacement or movement of files in their entirety, each file incorporates a last change timestamp and the contents of the file are digitally signed. Furthermore, every file in the secure repository is logged in an index file together with its respective change date stamp, and the index file as a whole is also digitally signed. Unauthorized changes can be identified by comparison of the file date stamps with the content of the index as well as verifying the validity of each digital signature.

Abstract: The invention provides an enciphering apparatus and method, a deciphering apparatus and method and an information processing apparatus and method by which illegal copying can be prevented with certainty. Data enciphered by a 1394 interface of a DVD player is transmitted to a personal computer and a magneto-optical disk apparatus through a 1394 bus. In the magneto-optical disk apparatus with which a change to a function is open to a user, the received data is deciphered by a 1394 interface. In contrast, in the personal computer with which a change to a function is open to a user, the enciphered data is deciphered using a time variable key by a 1394 interface, and a result of the decipherment is further deciphered using a session key by an application section.

Abstract: The invention provides a system and a method for securely providing a secret data from a sender to one or more receivers. The receiver uses a sequence of functions originating from a hierarchy of functions to migrate the secret data from an input transform space to an output transform space using a mathematical transformation under control of one or more seeds. The seeds are provided to the receiver by the sender. The sender conditionally allows the receiver to obtain the secret data by controlling the seeds.

Abstract: There is disclosed a method in which information relating to a sequence of instructions of a thread is examined to determine a security condition of the thread. It is further determined by using the security condition which processor core of a multicore processor has an appropriate security mode to fulfil the security condition. If the determining indicates that one or more processor cores of the multicore processor has the appropriate security mode are available, one of the one or more processor cores is selected as a potential processor core to execute the sequence of instructions of the thread. There is also disclosed an apparatus and a computer program product to implement the method.

Abstract: Methods and apparatus for determining and selecting digital coding and/or decoding technology, delivery bitrates, and resolution parameters for programming and data delivery over, e.g., a content-based network. In one embodiment, the network comprises an HFC cable or satellite network that includes a server process interfacing with a plurality of customer premises equipment (CPE), and/or associated client devices, each having different display resolution, bitrate, and/or decoding capabilities profiles. The server determines the one or more capabilities possessed by the CPE or client device, and evaluates one or more program or content choices for possible delivery to that CPE or device based on its profile. The selection process may also take into consideration network and/or CPE operational considerations, such as conservation of downstream bandwidth, CPE uprating capability, client device power consumption, and the like.

Abstract: In one embodiment, a localization beacon is inserted into a digital communication signal by a localization device. The resulting modified signal is transmitted to customer premises equipment (CPE). One or more CPE devices monitor incoming signals to detect the presence of a localization beacon. If a localization beacon having certain characteristics is not received, the one or more CPE devices are configured to disable one or more CPE features.

Abstract: A data object is encoded in a redundant code. The redundant code defines a decoding scheme for reconstructing the data object from a sub-set of the encoded data parts. At least the sub-set of the encoded data parts is encrypted using a homomorphic encryption scheme, which allows equivalents of the arithmetic operations of a reconstruction process to be performed on encrypted encoded data parts. The data parts are stored distributed over a plurality of source terminals of a communication network, for use by a target terminal of the communication network. Upon a retrieval command from the target terminal, an upload management module determines which source terminals are available and the upload management module determines causes a selected set of terminals to transmit the encrypted encoded data parts each via its own connection to the network to a decoder server.

Abstract: A method to enforce watermarking instructions by a security module in a receiving device, comprising the steps of receiving a security message by—a security module, comprising at least a content key, watermark instructions and security message signature, said watermark instruction activates or deactivates a watermarking module, decrypting—a security message with a transmission key, verifying—a security message signature, and in case of successful verification, reading a watermarking data from the watermarking module, verifying the authenticity of the watermarking data, and in case of successful verification, transmitting the watermark instructions to the watermark module and the content key to a descrambling module.

Abstract: Tenants in a multi-tenant shared deployment are provided their own distinct key spaces over which they control a key management system. In this manner, virtual key management domains are created on a per-tenant (per-customer) basis so that, whenever a particular customer's data is co-tenanted, stored, transmitted or virtualized in the IT infrastructure of the provider's datacenter(s), it is secured using key management materials specific to that customer. This assures that the entirety of a tenant's data remains secure by cryptographically isolating it from other tenants' applications. The virtual key management domains are established using a broadcast encryption (BE) protocol and, in particular, a multiple management key variant scheme of that protocol.

Abstract: A system for delivering satellite signals to a plurality of display platforms. A system in accordance with one or more embodiments of the present invention comprises a first transmission system for delivering the satellite signals to a first display platform via at least one satellite, and a second transmission system, coupled to the first transmission system, for delivering at least a portion of the satellite signals to at least one second display platform, the first transmission system and the second transmission system transmitting in a substantially simultaneous manner, wherein the second transmission system transmits a data stream formatted for compatibility with the at least one second display platform.

Abstract: The invention relates to a local digital network comprising: at least one source device intended to broadcast data over the network; and at least one receiver device intended to receive said data. The source device uses a network active encryption key to encrypt data liable to be broadcast in the network and the receiver device contains: a network active decryption key for decrypting data encrypted using said active encryption key and at least one decryption key of the network for decrypting data encrypted with the aid of an encryption key used previously in the network. The invention also relates to the installing of new devices in such a network as well as the sending of data from a source device to a receiver device.

Abstract: A process may be utilized by the DVR. The process receives a plurality of segments of a set of content and a plurality of corresponding content rule sets. Further, the process provides one or more instructions to record and encrypt the plurality of segments of the set of content on a storage medium. In addition, the process provides the plurality of content rule sets to the DRM component to be inserted into a locally generated and secured content license associated with the encryption of the set of content. The secured content license includes a master key and a list of the plurality of corresponding content rule sets that have been received in order of reception. The process receives a plurality of marker tokens from the DRM component in order to facilitate trick mode playback.

Abstract: Various embodiments utilize hardware-enforced boundaries to provide various aspects of digital rights management or DRM in an open computing environment. Against the backdrop of these hardware-enforced boundaries, DRM provisioning techniques are employed to provision such things as keys and DRM software code in a secure and robust way. Further, at least some embodiments utilize secure time provisioning techniques to provision time to the computing environment, as well as techniques that provide for tamper-resistant storage.

Abstract: A method is for processing transmission errors during contactless communication of information between a device and a reader. The information may be transmitted in the form of frames sent to a send/receive module of the reader in contactless coupling with the device and controlled by a control module coupled to the send/receive module. The information may be extracted from the frames within the send/receive module so as to be delivered to the control module. The method may include a detection of transmission errors that are to be ignored.

Abstract: A device for preventing logging of client input data in a computer system, characterized in that it includes a first transmission interface used to connect the smart electronic device, a second transmission interface used to connect the computer system, and a data encryption chip for encryption of the input data. The data encryption chip is set between the first and second transmission interfaces and is used to encrypt data input from the first transmission interface, and then transmit the encrypted data to the computer system via the second transmission interface. The device allows for the use of a smart electronic device as a real keyboard, and the computer system permits the data encryption chip to encrypt the data input by the smart electronic device, which are then sent to the computer system, helping to prevent logging of keying data with higher efficacy and applicability.

Abstract: Provided are methods, apparatus and systems for the sale of digital content over a network. The disclosure herein discusses the recording of a broadcast of a digital data stream by a broadcast receiving device. A listener may select a particular digital data stream to purchase by selecting a content identifier associated with the digital data stream of interest at the recording device. Upon obtaining the selection, a purchase request message is transmitted to an intermediary communication device. The purchase request message includes at least the content identifier. After the transaction is completed at a transaction server, a purchase confirmation message including at least a digital rights management key associated with the digital data stream is returned to and received by the broadcast receiving device. Upon receipt, of the digital rights management key, the recorded digital data stream is released for reproduction.

Abstract: A system protects documents at rest and in motion using declarative policies and encryption. A document at rest includes documents on a device such as the hard drive of a computer. A document in motion is a document that is passing through a policy enforcement point. The policy enforcement point can be a server (e.g., mail server, instant messenger server, file server, or network connection server).

Abstract: A method of alerting a user of a scheduled event on a network includes transmitting a promotion to a first consumer premises equipment (“CPE”), the promotion being associated with event scheduling metadata, and causing the event scheduling metadata to be transmitted from the first CPE to a second CPE based on a selection of the promotion at the first CPE. The method further includes causing a reminder message to be transmitted from the second CPE to the first CPE based on the event scheduling metadata.

Abstract: A broadcast reception system, apparatus, and method for a Conditional Access System (CAS) function without a cablecard are provided. A security processor for performing a CAS function without using a cablecard includes a security processor for receiving Entitlement Control Message (ECM) information and Entitlement Management Message (EMM) information from a set-top box, extracting a Control Word (CW) using the ECM information and the EMM information, encrypting the CW, and transmitting the encrypted CW to the set-top box.

Abstract: A data source may be configured to provide usage data including subscriber identifiers and associated information indicative of subscriber device locations and usage. A data warehouse server may be configured to perform operations including: decrypting subscriber identifiers included in usage data received from the data source using a two-way rolling key groups algorithm; re-encrypting the subscriber identifiers decrypted from the usage data to create secure encrypted identifiers using a one-way secured encryption algorithm; and correlating the subscriber identifiers in the decrypted usage data with the corresponding re-encrypted identifiers.

Abstract: The present invention provides a broadcast receiving apparatus that receives a broadcast wave containing multiple channels. The apparatus comprises, among other things, a selecting unit that selects a channel from the broadcast wave; a determination unit that determines, for all channels that can be selected by the selecting unit, whether or not the obtaining unit can obtain an encrypted second-type encryption key that can be decrypted by the decrypting unit using the updated first-type encryption key; and an updating unit that updates the computer program stored in the memory to the updated program in the case where the determination unit has determined that the obtainment is possible for all the channels.

Abstract: In a downloadable conditional access system (DCAS), preferably all DCAS-specific code is implemented in a configurable secure (CS) processor that is in communication with the host processor. Preferably, no DCAS-specific code is executed in the host processor. The host processor delivers commands to the CS processor, which the CS processor performs to configure itself in accordance with the particular DCAS encryption scheme used by the DCAS. Once configured, the CS processor executes a DCAS software module that has been downloaded to the CS processor, which looks for the corresponding EMMs and ECMs, processes them to obtain the CW, and then uses the CW to decrypt the content stream.

Abstract: Embodiments of the invention provide an improved method and an improved receiver for obtaining a control word. Two or more subkeys are obtained in a receiver. Each subkey was encrypted under control of a key received in an entitlement message or transformed under control of a seed received in an entitlement message. After decryption or transformation, the subkeys are combined to obtain the control word. Typically at least one of the entitlement messages is a positive entitlement message and at least one of the entitlement messages is a negative entitlement message. Embodiments of the invention can be used in a conditional access system such as a Pay-TV system.

Abstract: A method and apparatus for brokering the enablement of the communication of encrypted media programs from a plurality of independent broadcasters to a plurality of receivers is disclosed. The system makes use of a pairing key for each provided service, which is differently encrypted by a pairing server and by the broadcaster providing the service. The encrypted versions of the pairing key are decrypted in a first receiver module using information known to the pairing service but not the broadcaster and in a second receiver module using information known to the broadcaster. The pairing key is used to cryptographically bind the first and second receiver modules.

Abstract: A video processing device for decrypting a compressed video signal includes a key storage device for storing at least one decryption key. A decryption processing device retrieves the at least one decryption key from the key storage device, and decrypts an encrypted elementary bit stream into at least one elementary bit stream, wherein first portions of the encrypted elementary bit stream are encrypted and second portions of the encrypted elementary bit stream are unencrypted.