Rekeying System Patents (Class 380/273)
  • Patent number: 8103883
    Abstract: A method, system, and computer-readable storage medium containing instructions for controlling access to data stored on a plurality of storage devices associated with a first platform. The method includes authenticating a user to access the first platform, wherein the first platform includes first and second storage devices, chipset encryption hardware, and a memory. Data stored on the storage devices are encrypted, with first data on the first storage device being encrypted by the chipset encryption hardware and second data stored on the second storage device being encrypted by another encryption mechanism. The data are decrypted and the user is allowed to access the first data and the second data.
    Type: Grant
    Filed: December 31, 2008
    Date of Patent: January 24, 2012
    Assignee: Intel Corporation
    Inventor: Ned Smith
  • Patent number: 8081759
    Abstract: An apparatus, system, computer-readable medium, and method to facilitate quick transition of communications of a mobile station between network stations of a radio communication system, such as a WLAN operable to a variant of an IEEE 802 operating specification, is provided. Implementations of embodiments described herein reduce the transition duration by a pre-keying mechanism that performs authentication procedures prior to commencement of reassociation procedures. In other embodiments, a mobile station is allowed to select whether to perform pre-keying processes over an air interface with a target transition access point or whether to perform the pre-keying processes over a distribution system.
    Type: Grant
    Filed: September 15, 2005
    Date of Patent: December 20, 2011
    Assignee: Nokia Corporation
    Inventors: Stefano Faccin, Jonathan P. Edney
  • Publication number: 20110299685
    Abstract: Security in a mobile ad hoc network is maintained by using various forms of encryption, various encryption schemes, and various multi-phase keying techniques. In one configuration, an over the air, three-phase, re-keying technique is utilized to ensure that no authorized nodes are lost during re-keying and that nodes that are intended to be excluded from re-keying are excluded. In another configuration, an over the air, two-phase keying technique is utilized to maintain backwards secrecy.
    Type: Application
    Filed: June 3, 2010
    Publication date: December 8, 2011
    Applicant: AT&T INTELLECTUAL PROPERTY I L.P.
    Inventor: Robert Hall
  • Patent number: 8068784
    Abstract: A communication apparatus includes a short-range communication unit and a long-range communication unit that communicates via electromagnetic waves in a range wider than a communication area of the short-range communication unit. The communication apparatus further includes a session key generating unit that generates a random number and uses the random number to generate a session key. In addition, the communication apparatus includes an encrypting unit that encrypts the session key. The communication apparatus uses an encryption key transmitted from an external communication apparatus to encrypt the session key into an encrypted session key, transmits the encrypted session key to the external communication apparatus, and receives from the external communication apparatus a communication switching request signal to request a switching from a short-range communication by the short-range communication unit to a long-range communication, with the session key, the long-range communication unit.
    Type: Grant
    Filed: June 27, 2005
    Date of Patent: November 29, 2011
    Assignee: Sony Corporation
    Inventors: Yoshihisa Takayama, Tadashi Morita
  • Patent number: 8059817
    Abstract: Disclosed is a method for encrypted communications. A first IPsec endpoint selects a security association (SA) from a security association database (SAD) by using a selector and then extracts an indexing parameter from SA. The indexing parameter is used to determine an active key location from a key storage database (KSD). Data packets are then encrypted using a key from the active key location. The first IPsec endpoint also forms a security parameter index (SPI) in a header of the data packet by using a keyID from the active key location and transmits the encrypted data packet with the header indicating the SPI to a second IPsec endpoint.
    Type: Grant
    Filed: June 19, 2007
    Date of Patent: November 15, 2011
    Assignee: Motorola Solutions, Inc.
    Inventors: Chris A. Kruegel, Michael W. Bright, Dipendra M. Chowdhary, Thomas J. Senese, Timothy G. Woodward, Larry Murrill
  • Publication number: 20110274277
    Abstract: The invention relates to a method for securely transmitting packets on a wireless link. This method advantageously uses a type II HARQ protocol. In a first step (110), a first version of a packet is transmitted, so that the receiver cannot decode it (120). The receiver generates a couple of public and private keys, and sends back to the transmitter a negative acknowledgment as well as said public key. The transmitter then transmits (130) a second version of the packet, encrypted using said public key. The receiver tries (140) to decode a combination of the first and the second versions of the packet. In case of success, a positive acknowledgment is transmitted to the transmitter and, in case of failure, the retransmission process is iterated.
    Type: Application
    Filed: May 3, 2011
    Publication date: November 10, 2011
    Applicant: COMMISSARIAT A L'ENERGIE ATOMIQUE ET AUX ENE. ALT.
    Inventor: Christine Hennebert
  • Patent number: 8036385
    Abstract: Apparatus and a method for ciphering messages in mobile telecommunications system user equipment and network are disclosed. The apparatus is arranged to store a plurality of current ciphering configurations and/or a plurality of old (previously applied) ciphering configurations and/or a plurality of new (future) ciphering configurations. Thus different ciphering configurations may be applied at different times and for different radio bearers.
    Type: Grant
    Filed: June 9, 2004
    Date of Patent: October 11, 2011
    Assignee: Research In Motion Limited
    Inventor: Nicola Funnell
  • Patent number: 8019083
    Abstract: A method, an apparatus and a system for key derivation are disclosed. The method includes the following steps: a target base station receives multiple keys derived by a source base station, where the keys correspond to cells under control of the target base station; the target base station selects a key corresponding to the target cell after knowing a target cell that a user equipment (UE) wants to access. An apparatus for key derivation and a communications system are also provided.
    Type: Grant
    Filed: March 28, 2011
    Date of Patent: September 13, 2011
    Assignee: Huawei Technologies Co., Ltd.
    Inventors: Min Huang, Jing Chen, Aiqin Zhang, Xiaohan Liu
  • Patent number: 8014527
    Abstract: An apparatus and method that reuse a pair of public and private keys. The method includes determining whether a pair of public and private keys that have already been used in a first encryption process are still usable; and reusing the pair of public and private keys in a second encryption process if the pair of public and private keys are determined as being reusable. Accordingly, it is possible to considerably reduce the amount of computation and time that is generally required to calculate a pair of public and private keys, by allowing the pair of public and private keys to be reused.
    Type: Grant
    Filed: September 1, 2004
    Date of Patent: September 6, 2011
    Assignee: Samsung Electronics Co., Ltd.
    Inventor: Seong-min Kang
  • Patent number: 8015599
    Abstract: A method for provisioning a device such as a token. The device issues a certificate request to a Certification Authority. The request includes a public cryptographic key uniquely associated with the device. The Certification Authority generates a symmetric cryptographic key for the device, encrypts it using the public key, and creates a digital certificate that contains the encrypted symmetric key as an attribute. The Certification Authority sends the digital certificate to the device, which decrypts the symmetric key using the device's private key, and stores the decrypted symmetric key.
    Type: Grant
    Filed: May 19, 2009
    Date of Patent: September 6, 2011
    Assignee: Symantec Corporation
    Inventor: Nicolas Popp
  • Patent number: 8010810
    Abstract: An electronic encryption endpoint device includes a management interface, a storage device interface and a controller. The management interface is capable of operating as a control interface (e.g., connecting to an array controller). The storage device interface is arranged to communicate with a set of storage devices. The controller is arranged to (i) receive a key encryption key through the management interface, (ii) decrypt a portion of a key table entry of a key table using the key encryption key to extract a data encryption key from the portion of the key table entry, the data encryption key being initially encrypted within the portion of the key table entry prior to decrypting the portion of the key table entry, and (iii) encrypt data using the data encryption key and store the encrypted data in the set of storage devices through the storage device interface.
    Type: Grant
    Filed: December 27, 2007
    Date of Patent: August 30, 2011
    Assignee: EMC Corporation
    Inventors: John T. Fitzgerald, Jack S. Harwood, Thomas E. Linnell
  • Patent number: 8005219
    Abstract: A data decryption apparatus that decrypts encrypted data, includes a first data-receiving unit that receives a first data set, in which information on an encryption specification is embedded, through a first communication path; a time-information obtaining unit that obtains time information on a reception of the first data set by the first data receiving unit; a time-information storage unit that stores the time information with the information on the encryption specification associated therewith; a second data-receiving unit that receives a second data set through a second communication path, the second data set being encrypted based on the encryption-specification and appended by time information on performing data encryption; and an encryption-specification selecting unit that selects an encryption specification for use in decryption of the second data set based on the time information stored in the time-information storage unit and the time information appended to the second data set.
    Type: Grant
    Filed: July 23, 2007
    Date of Patent: August 23, 2011
    Assignee: Fujitsu Limited
    Inventors: Taro Togawa, Kaori Endo, Takeshi Otani, Masakiyo Tanaka, Yasuji Ota
  • Patent number: 7995760
    Abstract: The invention relates to a method for ensuring data transmission security between a first and a second communication device in short-range wireless communication. To set up a secure data transmission connection, the communication devices conduct a key exchange stage to generate at least one shared key between the communication devices. After said key exchange stage at least a first and a second check string is formed, said strings being based at least on a unique short random string and on the keys generated in each communication device at said key exchange stage. Thus, the security of the connection that is set up is ensured by comparing the correspondence of said check strings. The invention also relates to a communication system and a communication device, in which the method will be applied.
    Type: Grant
    Filed: June 5, 2002
    Date of Patent: August 9, 2011
    Assignee: Nokia Corporation
    Inventors: Kaisa Nyberg, Valtteri Niemi
  • Publication number: 20110188656
    Abstract: A primary key may be used for a first attempt by a remote node to decrypt incoming messages from a master. In the event the decrypt attempt fails at the remote node, a secondary key may then be used to attempt to decrypt the message. Initially, the primary and secondary keys may be the same. A field tool, such as a hand-held programming unit operated by a technician at a remote node location, may change the secondary key, but may not cause any change to the primary key. The secondary key may remain so changed until a new primary key is verified and/or authenticated and the secondary key is overwritten with the new primary key. The primary key may only be changed/set by the master via an encrypted request. A technician may not use a field tool to change a primary key.
    Type: Application
    Filed: January 29, 2010
    Publication date: August 4, 2011
    Applicant: ELSTER SOLUTIONS, LLC
    Inventor: Jeff D. McCullough
  • Patent number: 7983656
    Abstract: A system that incorporates teachings of the present disclosure may include, for example, a server having a controller to implement an Elliptic Curve Diffie-Hellman (ECDH) cryptosystem and manage a key exchange, authentication, and certificate exchange with a communication device also implementing the ECDH cryptosystem, wherein the server communicates over a network that provides an encrypted communication link for the communication device. Other embodiments are disclosed.
    Type: Grant
    Filed: September 12, 2007
    Date of Patent: July 19, 2011
    Assignee: AT&T Intellectual Property I, L.P.
    Inventors: Nam Nguyen, Donggen Zhang, Paul Tomalenas
  • Patent number: 7978855
    Abstract: The present invention relates to a method for allocating an authorization key identifier in a wireless portable Internet system. In a privacy key management version 2 (PKMv2) of the wireless portable Internet system, a base station generates PAK identifier, PMK identifier, and authorization key identifier for distinguishing a primary authorization key (PAK) shared by the base station and the subscriber station in an RSA-based authorization, a pairwise master key (PMK) shared by the base station and the subscriber station in an EAP-based authorization, and authorization keys generated by the PAK and the PMK. The base station transmits PAK identifier, PMK identifier, and authorization key identifier to the subscriber station and shares them with the subscriber station. Therefore, the base station and the subscriber station may easily distinguish more than 2 authorization-related keys.
    Type: Grant
    Filed: October 27, 2005
    Date of Patent: July 12, 2011
    Assignees: Samsung Electronics Co., Ltd., Electronics and Telecommunications Research Institute, KT Corporation, SK Telecom Co., Ltd., Hanaro Telecom, Inc.
    Inventors: Seok-Heon Cho, Sung-Cheol Chang, Chul-Sik Yoon
  • Patent number: 7974415
    Abstract: A provider system is disclosed for providing a sequence of public keys to a receiver system, wherein each public key of the sequence is related to a private key and is applicable for a public key cryptography procedure. The provider system can include a computing unit and a sending unit. The computing unit can be configured to generate the sequence of public keys and related keys and compute a plurality of data sets, where a data set of the plurality of data sets includes a public key and a proof value. The proof values can result from applying a hash function to a following data set that includes a further public key following in the sequence. The sending unit can be configured to provide the plurality of data to a receiver system.
    Type: Grant
    Filed: August 4, 2006
    Date of Patent: July 5, 2011
    Assignee: SAP AG
    Inventor: Zoltan Nochta
  • Patent number: 7970140
    Abstract: A transmitting node produces synchronization data to be inserted into plain text and encrypts the thus generated data into multi-valued data so as to transmit the data. The synchronization data indicates the position of a running key used for encryption. A receiving node decrypts a signal including the synchronization data using the running key and detects the synchronization data from the signal to confirm synchronization of the running key between transmitting and receiving nodes. Then, the receiving node transmits a synchronization confirmation signal to the transmitting node. If the transmitting node does not receive the synchronization confirmation signal, it determines that synchronization of the running key is shifted, and re-synchronization is performed. To perform re-synchronization, a running key ahead of the position of the running key associated with synchronization data that has been stored is generated.
    Type: Grant
    Filed: April 26, 2007
    Date of Patent: June 28, 2011
    Assignee: Hitachi Information & Communication Engineering, Ltd.
    Inventors: Takeshi Hosoi, Katsuyoshi Harasawa, Makoto Honda, Shigeto Akutsu
  • Publication number: 20110150223
    Abstract: Embodiments of a wireless device and methods for rekeying with reduced packet loss in a wireless network are generally described herein. In some embodiments, during rekeying operations a new key for reception may be installed early (i.e., prior to receipt of a rekeying confirmation message). The use of the new key for transmission may be delayed until after receipt of the rekeying confirmation message. The early installation of the new key for reception may allow both the new key and old key to be active at the same time for use decrypting received packets to reduce packet loss during rekeying operations. The rekeying confirmation message may be the fourth message of a four-way handshake for rekeying. In some embodiments, two key identifiers may be alternated between four-way handshakes to prevent deletion of the old key.
    Type: Application
    Filed: December 21, 2009
    Publication date: June 23, 2011
    Inventors: Emily H. Qi, Jesse R. Walker, Robert J. Stacey, Herbert Liondas, Marc Jalfon
  • Patent number: 7958355
    Abstract: Systems and methods that facilitate introducing devices having digital characteristics to one another, to mitigate a man-in-the-middle attack. A keytote component supplies initial session keys for communication between devices, and includes a plurality of interfaces that can facilitate such communication. The keytote component can receive a key from a first device via one of a plurality of communication interfaces associated with the keytote component. The user can then physically carry the keytote component to the vicinity of a second device for transferring the key thereto. As such, a man-in-the-middle attack can be mitigated, as an encrypted channel can be established in an insecure environment.
    Type: Grant
    Filed: March 1, 2006
    Date of Patent: June 7, 2011
    Assignee: Microsoft Corporation
    Inventors: William Thomas Blank, Robert G. Atkinson
  • Patent number: 7953226
    Abstract: The details of an apparatus and method for determining uplink ciphering activation time in universal mobile telecommunications system user equipment are disclosed herein. The ciphering activation time is determined for radio bearers other than RB2 by measuring the data rate on each target radio bearer during the time that it takes for a polling or RRC message sent from the user equipment UE to be acknowledged by the network UTRAN. For RB2, the uplink ciphering activation time is determined by taking into account the size of the RRC response message and the data already queued on RB2 for transmission.
    Type: Grant
    Filed: April 3, 2008
    Date of Patent: May 31, 2011
    Assignee: M-Stack Limited
    Inventors: Nicola M. Funnell, Andrew Farnsworth, Robert J. Harrison
  • Patent number: 7936880
    Abstract: A method, an apparatus and a system for key derivation are disclosed. The method includes the following steps: a target base station receives multiple keys derived by a source base station, where the keys correspond to cells under control of the target base station; the target base station selects a key corresponding to the target cell after knowing a target cell that a user equipment (UE) wants to access. An apparatus for key derivation and a communications system are also provided.
    Type: Grant
    Filed: November 9, 2010
    Date of Patent: May 3, 2011
    Assignee: Huawei Technologies Co., Ltd.
    Inventors: Min Huang, Jing Chen, Aiqin Zhang, Xiaohan Liu
  • Publication number: 20110096929
    Abstract: An encryption key distribution method for service and content protection in a mobile broadcasting system, and a system for the same which includes generating, by a network, a first encryption key when the broadcast service is first provided; transmitting a generalized rights object message, which includes identification information for identifying the generated first encryption key, to the terminal; generating a second encryption key before the lifetime of the first encryption key expires; and transmitting the generalized rights object message, which includes identification information for identifying the generated second encryption key, to the terminal.
    Type: Application
    Filed: June 10, 2009
    Publication date: April 28, 2011
    Inventors: Sergey Nikolayevich Seleznev, Byung-Rae Lee, Sung-Oh Hwang
  • Publication number: 20110093711
    Abstract: A method and system for encrypting data in a wireless communication system are provided. The system includes a first node for generating a first encryption key using a plurality of encryption key parameters when performing authentication with a second node, for changing a second parameter among the plurality of encryption key parameters to generate a second encryption key being identical to the first encryption key, if a first parameter among the plurality of encryption key parameters is changed during re-authentication between the first node and the second node, for generating the second encryption key using the changed first parameter and the changed second parameter, and for encrypting data to be transmitted to the second node using the second encryption key.
    Type: Application
    Filed: October 15, 2010
    Publication date: April 21, 2011
    Applicant: SAMSUNG ELECTRONICS CO. LTD.
    Inventors: Kyeong-Tae Do, Jung-Hun Park, Tae-Jin Kim, Jeong-Eun Park
  • Patent number: 7920706
    Abstract: A key management of cryptographic keys has a data package including one or more cryptographic keys that are transferred to a personal device 100 from a secure processing point 150 of a device assembly line in order to store device specific cryptographic keys in the personal device 100. In response to the transferred data package, a backup data package is received by the secure processing point 150 from the personal device 100, which backup data package is the data package encrypted with a unique secret chip key stored in a tamper-resistant secret storage 125 of a chip 110 included in the personal device 100. The secure processing point 150 is arranged to store the backup data package, together with an associated unique chip identifier read from the personal device 100, in a permanent, public database 170.
    Type: Grant
    Filed: October 28, 2003
    Date of Patent: April 5, 2011
    Assignee: Nokia Corporation
    Inventors: Nadarajah Asokan, Niemi Valtteri
  • Patent number: 7913096
    Abstract: An arrangement for the cipher controlled exploitation of data resources (e.g., securely storing and retrieving sensitive data or securely registering and logging on a computer system) includes the steps of providing a subscriber identity module carrying a security algorithm; generating at least one, e.g., two, random values; subjecting the random value to the at least one security algorithm to generate at least one, e.g., two, session keys; processing the session keys via a mixer function such as a hash function to produce a cipher key; and using the cipher key thus produced for exploiting the data resources.
    Type: Grant
    Filed: December 30, 2003
    Date of Patent: March 22, 2011
    Assignee: Telecom Italia S.p.A.
    Inventors: Manuel Leone, Ettore Elio Caprella
  • Patent number: 7907730
    Abstract: When a network pages the temporary user mobile identifier of a mobile station, the mobile station sends a response to the network. Next, the network checks the authenticity of the user using a ciphering key, corresponding to the temporary user mobile identifier and a random number. If the temporary user mobile identifier is authenticated, a normal incoming call acceptance procedure is executed. If the mobile station is authenticated although the temporary user mobile identifier is wrong, the network reassigns a new temporary user mobile identifier to the mobile station and stops the current communication. In communication, the network and the mobile station mutually notify encipherment-onset time and negotiate about encipherment manner with each other. In addition, diversity handover is commenced upon a call attempt. Furthermore, if a branch replacement is necessary, the current branch is replaced by new branches capable of executing the diversity handover.
    Type: Grant
    Filed: February 6, 2009
    Date of Patent: March 15, 2011
    Assignee: NTT DoCoMo, Inc.
    Inventors: Motoshi Tamura, Mutsumaru Miki, Akiko Okamoto, Kenya Kusunose, Akihiro Uchikoshi, Daisuke Igarashi, Katsuhiko Yamagata, Takaaki Sato, Junichiro Hagiwara, Yasuyuki Watanabe, Takuya Hamajima, Masafumi Hata, Nobutaka Ishikawa, Yoshiyuki Yasuda, Kazufumi Yunoki, Nobuhide Uchiyama
  • Patent number: 7907850
    Abstract: An optical communication apparatus that can perform stable intensity and phase modulation on an optical pulse at high speed is provided, as well as a quantum key distribution system using the apparatus. Using multilevel signals for the electric signals (RF1, RF2) to be applied to two arms of a two-electrode Mach-Zehnder modulator, phase modulation is performed on an optical pulse in accordance with the average of the levels of the signals (RF1, RF2), and intensity modulation is performed on the optical pulse in accordance with the voltage difference between the signals (RF1, RF2), whereby stable high-speed multilevel modulation can be realized. The cryptographic key generation rate in a decoy quantum key distribution system is enhanced.
    Type: Grant
    Filed: April 20, 2007
    Date of Patent: March 15, 2011
    Assignee: NEC Corporation
    Inventors: Akihiro Tanaka, Akio Tajima, Seigo Takahashi, Wakako Maeda
  • Patent number: 7907733
    Abstract: Disclosed is a traffic encryption key (TEK) management method for automatically generating a TEK for a multicast or broadcast service by a base station to periodically update a TEK used by a subscriber station. The base station transmits the first Key Update Command message for updating a group key encryption key (GKEK) for encrypting the TEK and the second Key Update Command message for updating the TEK to the subscriber station to update the TEK. The base station establishes an M & B TEK Grace Time which is different from a TEK Grace Time established by the subscriber station, transmits the first message including a new GKEK to the subscriber station through a primary management connection before the M & B TEK Grace Time, and transmits the second message including a new TEK encrypted with the new GKEK thereto through a broadcast connection after the M & B TEK Grace Time.
    Type: Grant
    Filed: March 4, 2005
    Date of Patent: March 15, 2011
    Assignees: Electronics and Telecommunications Research Institute, Samsung Electronics Co., Ltd., KT Corporation, SK Telecom Co., Ltd., KTFreetel Co., Ltd., Hanaro Telecom, Inc.
    Inventors: Seok-Heon Cho, Sung-Cheol Chang, Chul-Sik Yoon
  • Publication number: 20110044454
    Abstract: A method and an apparatus reduce overhead for data integrity checks in a wireless communication system. When receiving a message, a first Integrity Check Value (ICV) is compared with a second ICV to detect an integrity error in the message. When the integrity error exists in the message, a frequency of the integrity error is counted. When the frequency of the integrity error is more than a threshold, a key update procedure is performed. Therefore, the overhead of the information for integrity check may be reduced in the wireless communication system.
    Type: Application
    Filed: August 20, 2010
    Publication date: February 24, 2011
    Applicant: Samsung Electronics Co., Ltd.
    Inventors: Young-Kyo Baek, Ji-Cheol Lee, Jung-Je Son
  • Patent number: 7894606
    Abstract: An embedded program on an embedded device determines whether a security key has been assigned to the embedded device. If the security key has not been assigned, the embedded program uses a random number that is provided by a manufacturer of the embedded device and that is stored in memory of the embedded device to obtain the security key for the embedded device. The security key is stored in the memory of the embedded device. The security key is used to establish secure connections with other devices.
    Type: Grant
    Filed: November 28, 2005
    Date of Patent: February 22, 2011
    Assignee: Panasonic Electric Works Co., Ltd.
    Inventor: Bryant Eastham
  • Patent number: 7886364
    Abstract: A file that has been encrypted using a symmetric key and that has a corresponding access control entry with the symmetric key encrypted using the public key of a public/private key pair can be accessed. An encrypted key cache is also accessed to determine whether an access control entry to symmetric key mapping exists in the cache for the access control entry corresponding to the file. If such a mapping exists in the cache, then the mapped-to symmetric key is obtained from the cache, otherwise the encrypted symmetric key is decrypted using the private key of the public/private key pair. The encrypted key cache itself can also be encrypted and stored as an encrypted file.
    Type: Grant
    Filed: August 18, 2005
    Date of Patent: February 8, 2011
    Assignee: Microsoft Corporation
    Inventors: John R. Douceur, Atul Adya, William J. Bolosky, Marvin M. Theimer
  • Patent number: 7877596
    Abstract: A recursive verification protocol to reduce the time variance due to delays in the network by putting the subject node at most one hop from the verifier node provides for an efficient manner to test wireless sensor nodes. Since the software signatures are time based, recursive testing will give a much cleaner signal for positive verification of the software running on any one node in the sensor network. In this protocol, the main verifier checks its neighbor, who in turn checks its neighbor, and continuing this process until all nodes have been verified. This ensures minimum time delays for the software verification. Should a node fail the test, the software verification downstream is halted until an alternative path (one not including the failed node) is found. Utilizing techniques well known in the art, having a node tested twice, or not at all, can be avoided.
    Type: Grant
    Filed: May 19, 2006
    Date of Patent: January 25, 2011
    Assignee: Honeywell International Inc.
    Inventors: Denis Foo Kune, Karthikeyan Mahadevan
  • Patent number: 7873163
    Abstract: In a communication system (100), a method and apparatus provides for message integrity regardless of the operating version of an authentication center (198) or an interface (197) between the authentication center (198) and a mobile switching center (199). The method and apparatus include generating a cellular message encryption algorithm (CMEA) key, and generating a CMEA-key-derived integrity key (CIK) based on the CMEA key for message integrity between a mobile station and a base station. The mobile station transmits a registration message to the base station, and determines an operating version of the authentication center (198) in communication with the base station based on whether the mobile station receives a registration accepted order or some elements of an authentication vector from the base station. The CIK is generated based on the CMEA key, if the mobile station receives a valid registration accepted order from the base station.
    Type: Grant
    Filed: November 5, 2001
    Date of Patent: January 18, 2011
    Assignee: QUALCOMM Incorporated
    Inventors: Roy Franklin Quick, Jr., Sai Yiu Duncan Ho
  • Patent number: 7844834
    Abstract: A method for securely storing at least one user's private information item, such as a private key for cipher processing, includes the steps of providing a communication network wherein the user is allotted a respective subscriber identity module and the subscriber identity module stores at least one security algorithm; producing a cipher key via the at least one security algorithm; and providing a remote storing location accessible by the user via the communication network wherein the user's private information items are stored as files encrypted via the cipher key.
    Type: Grant
    Filed: December 30, 2003
    Date of Patent: November 30, 2010
    Assignee: Telecom Italia S.p.A.
    Inventors: Manuel Leone, Ettore Elio Caprella
  • Patent number: 7840810
    Abstract: A method for rejoining a second group of nodes with a first group of nodes is described. A first state of a first group key associated with a first group of nodes is received. The first state of the first group key is multicast to a second group of nodes. The first group key is rekeyed to a second group key associated with the second group of nodes. A second state of the second group key is multicast to the second group of nodes. A third state of a third group key associated with the first group of nodes is received. A rekey command is multicast to the second group of nodes if the third state is different from the second state. The second group key is rekeyed to the third group key.
    Type: Grant
    Filed: January 18, 2007
    Date of Patent: November 23, 2010
    Assignee: Panasonic Electric Works Co., Ltd.
    Inventor: W. Bryant Eastham
  • Patent number: 7840008
    Abstract: A decryption apparatus (109) comprises a key stream generator (111) generating a local decryption key stream. It furthermore comprises a synchronization value receiver (201) receiving key stream synchronization values. A synchronization processor (203) implements a state machine which may operate in a synchronized state (303) wherein the communication is decrypted using the local key stream, a non-synchronized state (301) wherein the local key stream is not synchronized, or in an uncertain synchronization state (305) wherein the communication is decrypted using the local key stream and wherein the local key stream is synchronized to each new received synchronization value. The synchronization processor (203) furthermore comprises a transition controller (213) operable to transition from the synchronized state to the non-synchronized state in response to a first criterion and to the uncertain synchronization state in response to a second criterion.
    Type: Grant
    Filed: October 6, 2006
    Date of Patent: November 23, 2010
    Assignee: Motorola, Inc.
    Inventor: Kristian Gronkjaer Pedersen
  • Publication number: 20100290622
    Abstract: A wireless system and method to control the cryptographic keying material that has been compromised in the network; exclude captured nodes from the network; and update compromised keying material in uncompromised devices are described. This system and method is useful in alpha-secure key distribution systems comprising a multitude of alpha-secure keying material shares to be controlled, revoked or updated.
    Type: Application
    Filed: January 16, 2009
    Publication date: November 18, 2010
    Applicant: KONINKLIJKE PHILIPS ELECTRONICS N.V.
    Inventors: Oscar Garcia Morchon, Bozena Erdmann, Martijn Maas
  • Publication number: 20100284536
    Abstract: Systems and methods for updating status of digital certificate subkeys. A request is made to a key server to verify if a given key is revoked. If it is not, then the key with its subkeys is acquired from the key server. If one or more subkeys or signatures of the subkeys are different in the acquired key, then the key is replaced.
    Type: Application
    Filed: July 23, 2010
    Publication date: November 11, 2010
    Applicant: RESEARCH IN MOTION LIMITED
    Inventors: Michael K. Brown, Michael G. Kirkup, Herbert A. Little
  • Patent number: 7826618
    Abstract: Disclosed embodiments include a method for synchronizing a cryptosystem. In one embodiment, the method uses existing control data that is transmitted as part of a connection establishment process in a wireless communication system. In one embodiment, messages that are normally sent between a base station and a remote unit during the setup of both originating and terminating calls are parsed to detect a particular control message that indicates the start of telephony data transmission. Detection of this message indicates a point at which encryption/decryption can begin, and is used to synchronize the cryptosystem. Synchronizing a cryptosystem involves generating an RC4 state space in a keyed-autokey (“KEK”) encryption system. In one embodiment, Lower Medium Access Channel (“LMAC”) messages are used according to a wireless communication protocol. This is convenient because the LMAC messages are passed through the same Associated Control Channel (“ACC”) processing that encrypts and decrypts the telephony data.
    Type: Grant
    Filed: September 4, 2008
    Date of Patent: November 2, 2010
    Assignee: AT&T Mobility II LLC
    Inventors: Eric Klingler, Jeffrey Tedeschi
  • Patent number: 7826617
    Abstract: The details of an apparatus and method for determining uplink ciphering activation time in universal mobile telecommunications system user equipment are disclosed herein. The ciphering activation time is determined for radio bearers other than RB2 by measuring the data rate on each target radio bearer during the time that it takes for a polling or RRC message sent from the user equipment UE to be acknowledged by the network UTRAN. For RB2, the uplink ciphering activation time is determined by taking into account the size of the RRC response message and the data already queued on RB2 for transmission.
    Type: Grant
    Filed: August 12, 2004
    Date of Patent: November 2, 2010
    Assignee: M-Stack Limited
    Inventors: Nicola M. Funnell, Andrew Farnsworth, Robert J. Harrison
  • Publication number: 20100257365
    Abstract: In an embodiment, a server determines to update at least one group session key (GSK) parameter for a given multicast group, the at least one GSK parameter configured to permit encryption, decryption and/or authentication of multicast messaging exchanged between members of the given multicast group during a multicast communication session. The server sends a notification to a plurality of multicast group members of the given multicast group that an update of the at least one GSK parameter for the given multicast group is available. At least one of the multicast group members receives the notification and sends a provisioning request to retrieve the updated at least one GSK parameter, the provisioning request including information specific to the given multicast group member. The server generates and encrypts the updated at least one GSK parameter and sends the encrypted at least one GSK parameter to the at least one multicast group member.
    Type: Application
    Filed: March 31, 2010
    Publication date: October 7, 2010
    Applicant: QUALCOMM Incorporated
    Inventors: KIRANKUMAR ANCHAN, Hamsini Bhaskaran, Alexander Gantman, Patrick J. Hughes
  • Patent number: 7787626
    Abstract: Systems and methods for updating status of digital certificate subkeys. A request is made to a key server to verify if a given key is revoked. If it is not, then the key with its subkeys is acquired from the key server. If one or more subkeys or signatures of the subkeys are different in the acquired key, then the key is replaced.
    Type: Grant
    Filed: November 19, 2004
    Date of Patent: August 31, 2010
    Assignee: Research In Motion Limited
    Inventors: Michael K. Brown, Michael G. Kirkup, Herbert A. Little
  • Publication number: 20100211771
    Abstract: Methods and systems are provided for trusted key distribution. A key distribution or an identity service acts as an intermediary between participants to a secure network. The service provisions and manages the distribution of keys. The keys are used for encrypting communications occurring within the secure network.
    Type: Application
    Filed: April 30, 2010
    Publication date: August 19, 2010
    Inventors: Stephen R. Carter, Carolyn B. McClain
  • Publication number: 20100205442
    Abstract: Various methods and apparatuses for managing count values (e.g. key counts) to manage a TEK in various communication environments are disclosed. Also, various methods and apparatuses for generating and maintaining a traffic key encryption key by using key count values are disclosed.
    Type: Application
    Filed: February 12, 2010
    Publication date: August 12, 2010
    Inventors: Gene Beck Han, Ki Seon Ryu
  • Publication number: 20100195833
    Abstract: A mobile terminal for use with a cellular or mobile telecommunications network includes a normal execution environment (operating system) (30) and a secure execution environment (32) comprising a Mobile Trusted Module (MTM). The mobile terminal enables the software of the terminal in the secure execution environment (32) to be updated. The terminal 1 may be provided with minimal software initially in the secure execution environment (32), and is operable to subsequently update the software by over the air transmission of software. Also disclosed is a method for managing rights in respect of broadcast, multicast and/or unicast (downloaded) data, relevant in particular to managing access to a broadcast video data stream complying with a mobile digital broadcast scheme. The method defines a service protection platform implemented on mobile terminals having both normal execution environment (i.e. the operating system) and secure execution environment.
    Type: Application
    Filed: July 13, 2007
    Publication date: August 5, 2010
    Applicant: VODAFONE GROUP PLC
    Inventors: Mark Priestley, Timothy Wright, Caroline Jessica Belrose, Nicholas Bone, James Irwin
  • Patent number: 7761085
    Abstract: A method of operation in a mobile communication system includes a mobile station, a first network capable of serving the mobile station as a home network and a second network capable of serving the mobile station as a visited network, including carrying out in the home network the steps of: generating a random seed (RS), modifying the random seed by combination with an authentication key (K) held by the home network and the mobile station to form session keys (KS and KS′), sending the session keys (K′S and K′S′) to the visited network to permit authentication of the mobile station, and characterized in that the following steps are carried out in the home network: providing a further modification key (SMK), and carrying out a further key modification (of KS and KS′) in the production of the session key (K′S and K′S′) using the further modification key (SMK).
    Type: Grant
    Filed: December 9, 2005
    Date of Patent: July 20, 2010
    Assignee: Motorola, Inc.
    Inventor: Jason J. Johur
  • Publication number: 20100172500
    Abstract: A method of handling inter-system handover security for a communication device in a wireless communication system includes creating a first security key set for security with a serving network, creating a second security key set with a deactivating state, receiving an inter-system handover command for an inter-system handover from the serving network to a target network, selecting either the first security key set or the second security key set during the inter-system handover, and using the selected security key set for security with the target network, wherein the selected security key set is identical with a third security key set that is used by the target network for security with the communication device.
    Type: Application
    Filed: December 8, 2009
    Publication date: July 8, 2010
    Inventor: Chih-Hsiang Wu
  • Publication number: 20100161982
    Abstract: A home network system includes: a plurality of wireless devices cooperated with a home network, each device having a tag attached thereto to identify it; a tag reader for reading tag information from the tag of each wireless device; and a network manager for storing a shared key and identifying each wireless device connected to the home network using the tag information and supporting information exchange between the wireless devices by using the shared key.
    Type: Application
    Filed: August 24, 2009
    Publication date: June 24, 2010
    Inventors: Bong Jin OH, YU SEOK BAE, Kyeong Deok MOON
  • Patent number: 7742602
    Abstract: The invention intends to achieve new additions of terminals that use a wireless LAN with a simple process, while preventing leakage of data indicating cipher keys. The access point is notified of the cipher systems adaptable to the terminals. The access point narrows the cipher systems adaptable to itself, sets the cipher keys and notifies them, and also determines the station IDs for each of the cipher keys. Thereafter, when the access point modifies the cipher systems based on the security policy, the access point adopts the station IDs corresponding to each of the cipher systems. Therefore, the terminals specify the cipher systems based on the station IDs, and perform wireless communications by using the cipher keys notified in advance.
    Type: Grant
    Filed: September 30, 2004
    Date of Patent: June 22, 2010
    Inventors: Takashi Ishidoshiro, Yoshiteru Tamura