Using Master Key (e.g., Key-encrypting-key) Patents (Class 380/281)
  • Patent number: 7975147
    Abstract: Disclosed herein is an electronic device network having a plurality of associated electronic devices. The electronic devices may include an update agent adapted to decipher code and/or data segments. The update agent may also be adapted to modify and/or upgrade firmware and/or software components resident in the electronic devices by employing the deciphered code and/or data segments along with contents of an update. An update generator, resident in the electronic devices, may employ deciphering techniques to the code and/or data segments to extract enciphered code and/or data segments. The update generator may also process the code and/or data segments to generate an update including difference information. The update generator may also be adapted to encipher difference information in the generated update.
    Type: Grant
    Filed: March 30, 2004
    Date of Patent: July 5, 2011
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventor: Iyad Qumei
  • Patent number: 7974416
    Abstract: In one embodiment, the present invention includes a method to establish a secure pre-boot environment in a computer system; and perform at least one secure operation in the secure environment. In one embodiment, the secure operation may be storage of a secret in the secure pre-boot environment.
    Type: Grant
    Filed: November 27, 2002
    Date of Patent: July 5, 2011
    Assignee: Intel Corporation
    Inventors: Vincent J. Zimmer, Bryant Bigbee, Andrew J. Fish, Mark S. Doran
  • Patent number: 7961879
    Abstract: A system is provided that uses identity-based encryption (IBE) to allow a sender to securely convey information in a message to a recipient over a communications network. IBE public key information may be used to encrypt messages and corresponding IBE private key information may be used to decrypt messages. Information on which IBE public key information was used in encrypting a given message may be provided to the message recipient with the message. Multiple IBE public keys may be used to encrypt a single message. A less sensitive IBE public key may be used to encrypt a more sensitive public key, so that the more sensitive public key can remain hidden as it is sent to the recipient.
    Type: Grant
    Filed: July 31, 2009
    Date of Patent: June 14, 2011
    Assignee: Voltage Security, Inc.
    Inventors: Terence Spies, Rishi R. Kacker, Guido Appenzeller, Matthew J. Pauker
  • Patent number: 7961887
    Abstract: A content distribution system encrypts a content by using different session keys assigned to user systems, encrypts each of the session keys with a public key corresponding to a decryption key unique to each user system, generates, for a group of user identification information items, header information including the encrypted session keys, and a first vector which corresponds to a session key of the session keys and is assigned to arbitrary user identification information u in the group, the first vector being set such that an inner product of the first vector and a second vector concerning the user identification information u becomes equal to zjuv (where zj is a constant value of a session key sj assigned to the user identification information u, and v is group identification information to the group), and transmits the header information and one of the encrypted contents to the user systems.
    Type: Grant
    Filed: January 8, 2008
    Date of Patent: June 14, 2011
    Assignee: Kabushiki Kaisha Toshiba
    Inventor: Tatsuyuki Matsushita
  • Patent number: 7958364
    Abstract: A system for digitally signing electronic documents is disclosed. The system includes a mobile device, an application server and a database, the mobile device includes a requesting module and a digest encrypting module, the application server includes an obtaining module, a digest generating module and a merging module. The requesting module is configured for sending a request for a digital signature of an electronic document to the application server; the obtaining module is configured for obtaining the electronic document from the database; the digest generating module is configured for generating a digest of the electronic document, and sending the digest to the mobile device; the digest encrypting module is configured for encrypting the digest, generating an encrypted value, and sending the encrypted value to the application server; the merging module is configured for merging the encrypted value and the electronic document. A related computer-based method is also disclosed.
    Type: Grant
    Filed: November 15, 2007
    Date of Patent: June 7, 2011
    Assignees: Hong Fu Jin Precision Industry (ShenZhen) Co., Ltd., Hon Hai Precision Industry Co., Ltd.
    Inventors: Chung-I Lee, Chien-Fa Yeh, Chiu-Hua Lu, Xiao-Di Fan, Guo-Ling Ou-Yang
  • Patent number: 7949137
    Abstract: Virtual disks management methods and systems. First, a file space is set and a first password is set. A first device code is acquired. The file space is encrypted according to the first password and the first device code to obtain an encrypted file. Thereafter, a designation of the encrypted file is received. A second password is received, and a second device code is acquired. It is determined whether the second password conforms to the first password, and whether the second device code conforms to the first device code. If so, the encrypted file is mounted as a virtual disk.
    Type: Grant
    Filed: July 13, 2007
    Date of Patent: May 24, 2011
    Assignee: Via Technologies, Inc.
    Inventor: Rui-Hwa Chen
  • Patent number: 7949666
    Abstract: A method and apparatus is disclosed herein for synchronizing distributed work. In one embodiment, the method comprises receiving first and second metadata entries, adding the first and second metadata entries to a set corresponding to a digital object, and providing access to first and second unique identifiers used for referencing the first and second metadata entries respectively, where the first and second unique identifiers are based on contents of the first and second metadata entries respectively.
    Type: Grant
    Filed: July 9, 2004
    Date of Patent: May 24, 2011
    Assignee: Ricoh, Ltd.
    Inventors: Gregory J. Wolff, Kurt W. Piersol
  • Patent number: 7949875
    Abstract: For the authentication of messages communicated in a distributed system from an originator to a destination a keyed-hashing technique is used according to which data to be authenticated is concatenated with a private (secret) key and then processed to the cryptographic hash function. The data are transmitted together with the digest of the hash function from the originator to the destination. The data comprises temporal validity information representing the temporal validity of the data. For example the setup key of a communication is therefore only valid within a given time interval that is dynamically defined by the communication originator. After the time interval is exceeded the setup key is invalid and cannot be reused again.
    Type: Grant
    Filed: March 8, 2007
    Date of Patent: May 24, 2011
    Assignee: Sony Deutschland GmbH
    Inventor: Niels Mache
  • Publication number: 20110116636
    Abstract: An improved network-based system and network implemented method of distributing and controlling the release of an encapsulated content. The system comprising an archive creation tool configured to create a self-extractable archive comprising an encrypted content, distribution means adapted to distribute the archive to one or more users and a server arranged to remotely control a timed release of the content from each distributed archive by providing a decryption key in response to a key request received on or after a predetermined date and time. In this way, a publisher of the archive can control access to a content even after the archive has been distributed to one or more users. Due to executable functionality within the archive, an additional content, such as advertisements, multimedia files or other documents, can be presented to a user in response to extraction of the archive, without the need for client-based extraction software.
    Type: Application
    Filed: June 26, 2009
    Publication date: May 19, 2011
    Inventor: Darren Steed
  • Patent number: 7945605
    Abstract: A new technique for accelerating the computational speed of a computer algorithm is provided. The inventive technique can be applied to video compression/decompression algorithms, optical character recognition algorithms, and digital camera zooming applications.
    Type: Grant
    Filed: December 28, 2009
    Date of Patent: May 17, 2011
    Assignee: Cipherflux, LLC
    Inventors: Jerzy Henryk Urbanik, Krzysztof Ryszard Kalita, Przemyslaw Bartlomiej Bezeg
  • Patent number: 7940935
    Abstract: A content playback apparatus reduces load concentration on a specific server apparatus that manages content keys of encrypted content, while protecting copyrights of the content. The content apparatus makes playback of content recorded in a recording medium sold possible after the specific server breaks down. A key acquisition control unit (204) reads a playback control information table (211) from a recording medium (102) via a reading unit (201). The key acquisition unit (204) acquires a rights key via a key acquisition intermediation unit (223) from an apparatus specified by an acquisition-destination type and a request-destination type that are stored in the playback control information table (211) and that correspond to the content to be played. The key acquisition unit (204) generates a content key using the acquired rights key and, when required, a medium key recorded in a medium. A decryption unit (203) decrypts encrypted content using the content key.
    Type: Grant
    Filed: June 30, 2005
    Date of Patent: May 10, 2011
    Assignee: Panasonic Corporation
    Inventors: Tohru Nakahara, Ryuichi Okamoto, Masaya Yamamoto, Katsumi Tokuda, Masaya Miyazaki, Masayuki Kozuka
  • Patent number: 7920706
    Abstract: A key management of cryptographic keys has a data package including one or more cryptographic keys that are transferred to a personal device 100 from a secure processing point 150 of a device assembly line in order to store device specific cryptographic keys in the personal device 100. In response to the transferred data package, a backup data package is received by the secure processing point 150 from the personal device 100, which backup data package is the data package encrypted with a unique secret chip key stored in a tamper-resistant secret storage 125 of a chip 110 included in the personal device 100. The secure processing point 150 is arranged to store the backup data package, together with an associated unique chip identifier read from the personal device 100, in a permanent, public database 170.
    Type: Grant
    Filed: October 28, 2003
    Date of Patent: April 5, 2011
    Assignee: Nokia Corporation
    Inventors: Nadarajah Asokan, Niemi Valtteri
  • Patent number: 7921283
    Abstract: A digital signature is applied to digital data in real-time. The digital signature serves as a mark of authenticity assuring a recipient that the digital data did in fact originate from an indicated source. The digital signature may be applied to any digital data, including video signals, audio signals, electronic commerce information, data pertaining to land vehicles, marine vessels, aircraft, or any other data that can be transmitted and received in digital form.
    Type: Grant
    Filed: March 16, 2007
    Date of Patent: April 5, 2011
    Assignee: Verizon Business Global LLC
    Inventor: David Scott Hayes
  • Patent number: 7903821
    Abstract: A method for managing keys in Multimedia Broadcast/Multicast service comprising the steps of defining a valid MTK ID interval for each generated MSK and sending it to a UE along with the MSK by a BMSC; after receiving the MSK, saving the valid MTK ID interval of the MSK by the UE; and defining a MTK ID for each generated MTK encrypted with the MSK and sending the MTK ID and the MTK to the UE after encrypting them with the MSK by the BMSC. This MSK is valid only when the transmission of the MTK within the MTK ID interval is in operation. Therefore, once the UE finds out that some newly received MTK's MTK ID is beyond said MTK ID interval, it deletes the MSK that is applied in said MTK transmission's encryption correspondingly.
    Type: Grant
    Filed: November 16, 2005
    Date of Patent: March 8, 2011
    Assignees: Samsung Electronics Co., Ltd, Beijing Samsung Telecom R&D Center
    Inventors: Yanmin Zhu, Hong Wang, Xiaoqiang Li
  • Patent number: 7904709
    Abstract: A system and method for controlling data communications between a server and a client device, such as a mobile device. Embodiments relate generally to a technique where stop data is provided to the client device. This stop data can be transmitted (e.g. by the client device) to the server. When processed by the server, the stop data indicates to the server that at least some of the encrypted data received by the client device from the server was not decrypted using the second key (e.g. as may be the case when the second key has been deleted). Upon receiving the stop data, the server may, for example, withhold the transmission of data encrypted with the first key to the client device until the second key is restored on the client device. In one embodiment, the stop data is provided to the client device in an encoded (e.g. encrypted) form.
    Type: Grant
    Filed: February 3, 2006
    Date of Patent: March 8, 2011
    Assignee: Research In Motion Limited
    Inventors: Dave Bajar, Philip Luk, Michael K. Brown, Darrell May
  • Patent number: 7899475
    Abstract: A facility for sending enhanced SMS messages is provided. The facility at a sending SMS subscriber unit encodes the original text of an SMS message to produce an encoded SMS message, and transmits the encoded SMS message for receipt by the intended recipient of the SMS message. The facility at a receiving SMS subscriber unit receives the transmitted encoded SMS message and decodes the encoded SMS message to produce the original text of the SMS message. In some instances, the facility at the receiving SMS subscriber unit may not decode the received encoded SMS message and, thus, provide the received SMS message in its received form. In some instances, the facility at the sending SMS subscriber unit may send the original text of the SMS message and have the receiving SMS subscriber unit decode (translate) the original text into a different form.
    Type: Grant
    Filed: October 25, 2006
    Date of Patent: March 1, 2011
    Assignee: Microsoft Corporation
    Inventors: Rajesh Veeraraghavan, Vibhore Goyal, Kentaro Toyama, Sean Olin Blagsvedt
  • Patent number: 7895432
    Abstract: A method and apparatus for a third party authentication server is described. The method includes receiving a record ID for a user, and a one-time key generated by the server and encrypted with a user's public key by the server. The method further includes receiving the user's authentication data from the client, and determining if the user's authentication data matches the record ID. If the authentication data matches the record ID, decrypting the one-time key with the user's private key, and returning the decrypted one-time key to the client.
    Type: Grant
    Filed: August 4, 2008
    Date of Patent: February 22, 2011
    Assignee: DigitalPersona, Inc.
    Inventor: Vance C. Bjorn
  • Patent number: 7894607
    Abstract: A system, method and media drive for selectively encrypting a data packet. The system includes an encryption key for use in encrypting the data packet, a verification data element derived from the encryption key, an encryption engine for selectively encrypting the data packet using the encryption key, and a verification engine in electronic communication with the encryption engine. The verification engine is configured to receive the encryption key and the verification data element, determine when the verification data element corresponds to the encryption key as received by the verification engine, and prohibit encryption of the data packet by the encryption engine when the verification data element does not correspond to the encryption key as received by the verification engine.
    Type: Grant
    Filed: March 10, 2006
    Date of Patent: February 22, 2011
    Assignee: Storage Technology Corporation
    Inventor: Alexander S. Stewart
  • Patent number: 7886345
    Abstract: A method of protecting a password being used to establish interaction between a user and an application includes detecting a request for the password from the application by receiving a notification from the user indicating the request. The method further includes combining the password with information identifying the application, so as to produce a protected password, and authenticating to the application using the protected password. The method may also include a mutual authentication capability between user and the application.
    Type: Grant
    Filed: June 30, 2005
    Date of Patent: February 8, 2011
    Assignee: EMC Corporation
    Inventors: Burton S. Kaliski, Magnus Nyström
  • Patent number: 7885989
    Abstract: An encoding circuit is disclosed which comprises: a data-for-encoding storing register that stores n-bit data for encoding; a data-for-calculation storing register that stores m-bit data for calculation generated by shifting the data for encoding; a shifter that shifts the data for encoding stored in the data-for-encoding storing register, and shifts and inputs the shifted data into the data-for-calculation storing register; a first coefficient register that stores m-bit first coefficient data indicating a first coefficient for executing encoding; a first logic circuit that is inputted with the data for calculation stored in the data-for-calculation storing register and the first coefficient data stored in the first coefficient register and outputs the logical product for each bit of the data for calculation and the first coefficient data; and a second logic circuit that is inputted with m-bit data outputted from the first logic circuit and outputs the exclusive logical sum of the m-bit data as the encoded da
    Type: Grant
    Filed: December 21, 2006
    Date of Patent: February 8, 2011
    Assignee: Sanyo Electric Co., Ltd.
    Inventors: Iwao Honda, Hideki Ohashi, Takashi Kuroda, Noriyuki Tomita
  • Patent number: 7885413
    Abstract: A computer system is disclosed that contains cryptographic keys and cryptographic key identifiers. The system has a repository cryptographic engine that communicates securely with a remote cryptographic engine, and the repository cryptographic engine is associated with a user data store. The user data store includes a hidden link including a session key identifier encrypted with a protection key. The hidden link is associated with a remote data entity. A key data store associated with the repository server includes a session key encrypted with a session-key-protection key. The session key is used to encrypt and decrypt the remote data entity. The system also includes a repository key exchange module operable to exchange the session key with a remote key exchange module.
    Type: Grant
    Filed: October 31, 2007
    Date of Patent: February 8, 2011
    Assignee: Eruces, Inc.
    Inventors: Ognjen Vasic, Suhail Ansari, Ping Gan, Jinhui Hu, Bassam Khulusi, Adam A. Madoukh, Alexander Tyshlek
  • Patent number: 7882037
    Abstract: An online service and system are provided through which digital content publishers can package, protect, market and sell their content through on-line retailers, and through which on-line retailers can both build a unique inventory of digital content with all associated marketing metadata to sell through their on-line stores and seamlessly integrate the digital content into their on-line shopping cart. The system provides publishers with abstract fulfillment such that they only.
    Type: Grant
    Filed: October 24, 2007
    Date of Patent: February 1, 2011
    Assignee: Arvato Digital Services Canada, Inc.
    Inventor: Karl Hirsch
  • Patent number: 7882367
    Abstract: According to one embodiment of the invention, there is provided an information recording and reproducing apparatus which records information in a recording medium and reproduces information recorded in the recording medium, the information recording and reproducing apparatus includes a first recording section which records in the recording medium an encrypted encryption key aggregate where at least one encryption key for encrypting each of a plurality of pieces of information has been encrypted and registered and information encrypted using the encryption key, a second recording section which records encrypted first private key information used to encrypt or decrypt the encryption key into the recording medium and which, if the encrypted encryption key aggregate has not been recorded in the recording medium, records the first private key information into the recording medium only when the encrypted encryption key aggregate is recorded in the recording medium.
    Type: Grant
    Filed: June 1, 2007
    Date of Patent: February 1, 2011
    Assignee: Kabushiki Kaisha Toshiba
    Inventors: Takayuki Tachikawa, Hiroyuki Kamio
  • Patent number: 7881478
    Abstract: An access control method is described for an encrypted program transmitted by an operator to a plurality of groups of subscribers, where each group of subscribers has a group key KG, and each subscriber is able to receive from the operator an operating key KT, enciphered by the group key KG for decryption of the transmitted program. The method further involves linking the enciphered operating key KT to a random value R to generate a secret code, transmitting the secret code to subscribers prior to transmission of the encrypted program, and transmitting the random value R to subscribers for calculation of the operating key KT.
    Type: Grant
    Filed: June 10, 2002
    Date of Patent: February 1, 2011
    Assignee: Nagra Thomson Licensing
    Inventor: Odile Derouet
  • Patent number: 7874010
    Abstract: One embodiment of the present invention provides a system that manages secret keys for messages. During operation, the system receives a desired expiration time T from an encrypter, and possibly a nonce N, at a server that manages keys. If N is not sent by the encrypter, it is generated by a key managing server. Next, the system chooses a secret ST, with an expiration time close to T, and an identifier IDS from a database for which secret ST can be retrieved using the identifier IDS. If such an ST is not already in the database, the server generates a new ST and IDS. The system then calculates a hash H=h(N,ST), and sends H and IDS from the server to the encrypter. The encrypter then encrypts M with H to form {M}H, and communicates ({M}H, N, IDS) to a message reader. The message reader then sends N and IDS to the server. The server then uses IDS to lookup ST, recalculates H=h(N,ST), and sends H to the message reader, thereby enabling the message reader to decrypt {M}H to obtain M.
    Type: Grant
    Filed: October 5, 2004
    Date of Patent: January 18, 2011
    Assignee: Oracle America, Inc.
    Inventor: Radia J. Perlman
  • Publication number: 20110010298
    Abstract: There is provided a system and method for an interoperable keychest. There is provided a method for use by a central key repository (CKR) or keychest to provide content access authorizations to distributors, comprising receiving a key information file including a first encrypted second key for decrypting with a first key and a content identification, decrypting the first encrypted second key using a first key to retrieve the second key, receiving, from a distributor, a key request including the content identification, encrypting the second key using a third key to generate a second encrypted second key, and transmitting the second encrypted second key to the distributor in response to the receiving of the key request. In this manner, key management for protected distributors using different DRM schemas or systems may be simplified and made interoperable.
    Type: Application
    Filed: July 10, 2009
    Publication date: January 13, 2011
    Applicant: DISNEY ENTERPRISES, INC
    Inventors: Arnaud Robert, Scott F. Watson
  • Patent number: 7865741
    Abstract: A system and method securely replicates a configuration database of a security appliance. Keys stored on an original configuration database of an original security appliance are organized as a novel key hierarchy. A replica or clone of the original security appliance may be constructed in accordance with a cloning technique of the invention. Construction of the cloned security appliance illustratively involves sharing of data between the appliances, as well as substantially replicating the key hierarchy on a cloned configuration database of the cloned appliance.
    Type: Grant
    Filed: August 23, 2006
    Date of Patent: January 4, 2011
    Assignee: NetApp, Inc.
    Inventors: Robert Paul Wood, Robert Jan Sussland
  • Publication number: 20100329465
    Abstract: A mesh station applying for access to a network includes a list of peer stations in messages of an authenticated key establishment protocol. A mesh key distributor derives a key delivery key and generates a top level key, and then delivers the top level key to the mesh station. Following the key establishment protocol, the mesh key distributor also creates pairwise keys for use between the mesh station and the peer stations listed in its peer list. The list of peers permits the identifier for the peer to be bound into the derived key, which helps ensure that the key used between each pair of peers is unique. Once the mesh key distributor finishes creating a key for one of the stations on the peer list, the mesh key distributor sends a message to the peer to initiate a key push.
    Type: Application
    Filed: June 29, 2009
    Publication date: December 30, 2010
    Applicant: Motorola, Inc.
    Inventors: Stephen P. Emeott, Anthony J. Braskich
  • Patent number: 7860247
    Abstract: A method of performing IBE cryptography comprising the steps of a key generation server transmitting a master public key to a processor, the processor generating or retrieving a fresh master public key derived from the master public key transmitted by the key generation centre, and the processor using the fresh master public key to generate a public key for transmitting a message to a recipient device having a corresponding private key. The processor may store the fresh master public key in a read only memory for repeated use or it may dynamically generate it. To dynamically generate the fresh master public key the processor multiplies the original master public key by a curve co-factor. The processor may be incorporated into a hand-held card, and it may transfer information to a linked second processor for performing some of the calculations.
    Type: Grant
    Filed: November 14, 2005
    Date of Patent: December 28, 2010
    Assignee: Dublin City University
    Inventors: Noel McCullagh, Michael Scott, Neil Costigan
  • Patent number: 7848525
    Abstract: A hybrid broadcast encryption method is provided. The hybrid broadcast encryption method includes setting initialization values, generating a node secret using the initialization values; generating a private secret using the node secret; sending the node secret and the private secret; generating a broadcast message based on a revoked group; encrypting a session key using a key encryption key (KEK) which is allocated to every user group and the broadcast message; and broadcasting to every user the encrypted session key and the broadcast message.
    Type: Grant
    Filed: February 3, 2006
    Date of Patent: December 7, 2010
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Hwan-joon Kim, Dae-youb Kim, Sung-joon Park, Weon-il Jin
  • Patent number: 7849326
    Abstract: A data processing system accepts a removable hardware device, which becomes electrically engaged with a system unit within the data processing system, after which the removable hardware device and the hardware security unit mutually authenticate themselves. The removable hardware device stores a private key of a first asymmetric cryptographic key pair and a public key of a second asymmetric cryptographic key pair that is associated with the hardware security unit, and the hardware security unit stores a private key of the second asymmetric cryptographic key pair and a public key of the first asymmetric cryptographic key pair that is associated with the removable hardware device. In response to successfully performing the mutual authentication operation between the removable hardware device and the hardware security unit, the system unit is enabled to invoke cryptographic functions on the hardware security unit while the removable hardware device remains electrically engaged with the system unit.
    Type: Grant
    Filed: January 8, 2004
    Date of Patent: December 7, 2010
    Assignee: International Business Machines Corporation
    Inventor: Ching-Yun Chao
  • Patent number: 7840993
    Abstract: To authenticate a user having an associated asymmetric crypto-key having a private/public key pair (D,E) based on a one-time-password, the user partially signs a symmetric session key with the first portion D1 of the private key D. The authenticating entity receives the partially signed symmetric session key via the network and completes the signature with the second private key portion D2 to recover the symmetric session key. The user also encrypts a one-time-password with the symmetric session key. The authenticating entity also receives the encrypted one-time-password via the network, and decrypts the received encrypted one-time-password with the recovered symmetric session key to authenticate the user.
    Type: Grant
    Filed: May 2, 2006
    Date of Patent: November 23, 2010
    Assignee: TriCipher, Inc.
    Inventors: Ravi Ganesan, Ravinderpal Singh Sandhu, Andrew Paul Cottrell, Brett Jason Schoppert, Mihir Bellare
  • Patent number: 7840009
    Abstract: A first infrastructure system device other than a mobile station generates key material and forwards the key material to a second infrastructure system device other than a mobile station. A determination is made as to whether a mobile station for which the key material is directed is active on the system, and if so the key material is forwarded to a base station where the mobile station is active. The base station forwards the key material to the mobile station.
    Type: Grant
    Filed: July 23, 2007
    Date of Patent: November 23, 2010
    Assignee: Motorola, Inc.
    Inventors: Hans Christopher Sowa, Daniel J. McDonald, David J. Chater-Lea, Scott James Pappas, Jason Johur, Dennis Newkirk, Randy Kremske, Walter F. Anderson, Glen B. Walton
  • Patent number: 7840002
    Abstract: Apparati, methods, and computer-readable media for strengthening a one-time pad encryption system. A method embodiment of the present invention comprises the steps of encrypting plaintext (1) with an OTP key (2) in an XOR operation to produce ciphertext (3); and obfuscating the ciphertext (3) with an AutoKey (4) in an XOR operation to produce AutoKeyed ciphertext (5), wherein the AutoKey (4) is a reusable key.
    Type: Grant
    Filed: July 28, 2005
    Date of Patent: November 23, 2010
    Assignee: Vadium Technology, Inc.
    Inventor: Zsolt Ari
  • Patent number: 7840810
    Abstract: A method for rejoining a second group of nodes with a first group of nodes is described. A first state of a first group key associated with a first group of nodes is received. The first state of the first group key is multicast to a second group of nodes. The first group key is rekeyed to a second group key associated with the second group of nodes. A second state of the second group key is multicast to the second group of nodes. A third state of a third group key associated with the first group of nodes is received. A rekey command is multicast to the second group of nodes if the third state is different from the second state. The second group key is rekeyed to the third group key.
    Type: Grant
    Filed: January 18, 2007
    Date of Patent: November 23, 2010
    Assignee: Panasonic Electric Works Co., Ltd.
    Inventor: W. Bryant Eastham
  • Publication number: 20100293379
    Abstract: A method for secure data transmission in a wireless sensor network includes the following: the network user determines a master key and inputs it into a central node and a device node; after the central node and the device node have authorized each other, the central node generates a new session key and sends it to the device node; while the central node and the device node communicate with each other, the data sending party uses the new session key to encrypt the data for transmission and verify the integrity of the data, and the data receiving party uses the session key to decrypt the data and verify the integrity of the data.
    Type: Application
    Filed: May 26, 2008
    Publication date: November 18, 2010
    Applicant: Beijing Transpacific IP Technology Development Ltd
    Inventor: Xin Nie
  • Patent number: 7835993
    Abstract: Security is applied according to the type of a license so that unnecessary processing load is reduced. A license accumulation control unit (102) and a license transfer control unit (103) identify a usage-rule type (204) which indicates whether or not a license (200) includes a usage rule (205) which requires updating each time a content is used, and encrypt the license (200) using different encryption methods depending on whether or not the usage rule (205) is included in the license (200). The license accumulation control unit (102) encrypts a content key with a domain key when the license (200) does not include the usage rule (205), and with a license management device unique key when the usage rule (205) is included, and accumulates the encrypted key in a license accumulation unit (110).
    Type: Grant
    Filed: July 11, 2006
    Date of Patent: November 16, 2010
    Assignee: Panasonic Corporation
    Inventors: Ryuichi Okamoto, Takuji Hiramoto, Atsunori Sakurai
  • Patent number: 7826620
    Abstract: An information processor includes a data processing section that executes a processing of storing subsequently generated data, which is subsequently generated or acquired using information read from an information recording medium, onto a storage unit. The data processing section is configured to execute a processing of storing onto the storage unit encrypted subsequently generated data as encrypted data that is encrypted with a unit key as an encryption key corresponding to a content management unit to which the subsequently generated data belongs, and execute a processing of acquiring an encrypted bind unit key and storing the encrypted bind unit key onto the storage unit, the encrypted bind unit key being encrypted data of a bind unit key including as its constituent data the unit key and one of key information acquired from the information processor and identification information acquired from the information recording medium.
    Type: Grant
    Filed: April 5, 2006
    Date of Patent: November 2, 2010
    Assignee: Sony Corporation
    Inventors: Kenjiro Ueda, Tateo Oishi, Katsumi Muramatsu, Yoshikazu Takashima
  • Publication number: 20100272267
    Abstract: The present invention concerns the generation of a key necessary to decrypt audio/video contents by genuine decoding units. It concerns in particular a method to secure the reception of a broadcast content managed by a control center and encrypted by at least one content key, said content key or data allowing recovery of said content key being transmitted to the decoding units encrypted by a transmission key common to the decoding units, each decoding unit having at least one environment parameter known by the control center, said decoding unit receiving from the control center a first message common to all decoding units and comprising the encrypted transmission key and a second message, pertaining to said decoding unit and comprising correction data dedicated to said decoding unit, the decryption of the transmission key being made using the environment parameter and the correction data.
    Type: Application
    Filed: April 8, 2010
    Publication date: October 28, 2010
    Applicant: NAGRAVISION S.A.
    Inventors: Joël CONUS, Philippe Stransky
  • Patent number: 7822209
    Abstract: Methods, systems and computer readable mediums are provided for recovering keys. A key transport session key is generated, and a key encryption key is derived based on a server master key and an identification associated with a token. The key transport session key is encrypted with the key encryption key as a first wrapped key transport session key. An encrypted storage session key and an encrypted private key are retrieved from an archive. The encrypted storage session key is decrypted with a server storage key as a storage session key. The encrypted private key is decrypted with the storage session key. The decrypted private key is encrypted with the key transport session key as a wrapped private key. The wrapped private key and the first wrapped key transport session key are forwarded.
    Type: Grant
    Filed: June 6, 2006
    Date of Patent: October 26, 2010
    Assignee: Red Hat, Inc.
    Inventors: Christina Fu, Nang Kon Kwan, Steven William Parkinson, Robert Relyea
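Worked example of the key hierarchy the abstract walks through, added here and not taken from the patent or from Red Hat's code: a per-token KEK derived from the server master key and the token identification, a fresh key transport session key wrapped under that KEK, the archived private key unwrapped through its storage session key and re-wrapped under the transport key, and the two wrapped blobs forwarded. The wrap primitive is a labelled stand-in (HMAC-SHA256 keystream plus HMAC tag) for whatever key wrap the product uses, the KDF is plain HMAC, the archive layout and the assumption that the token holds its own diversified KEK are this example's, and the sample keys and private key are constructed.

```python
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def _subkeys(key: bytes):
    """Split one wrapping key into separate encryption and MAC keys."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]


def wrap(kek: bytes, key_to_wrap: bytes) -> bytes:
    """Toy key wrap standing in for AES key wrap (assumption, not the patent's algorithm):
    keystream XOR under a fresh nonce, then an HMAC tag over nonce || ciphertext (encrypt-then-MAC)."""
    ek, mk = _subkeys(kek)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(key_to_wrap, _keystream(ek, nonce, len(key_to_wrap))))
    tag = hmac.new(mk, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap(kek: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting: a wrong KEK or a modified blob raises instead of yielding garbage."""
    ek, mk = _subkeys(kek)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mk, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("unwrap failed: integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(ek, nonce, len(ct))))


def derive_kek(server_master_key: bytes, token_id: bytes) -> bytes:
    """KEK = KDF(server master key, token identification): one KEK per token, derived on demand,
    so the server stores nothing token-specific beyond the master key."""
    return hmac.new(server_master_key, b"token-kek" + token_id, hashlib.sha256).digest()


def archive_private_key(server_storage_key: bytes, private_key: bytes) -> dict:
    """Archive layout the abstract presupposes: the private key sits under a storage session key,
    which in turn sits under the server storage key."""
    ssk = secrets.token_bytes(32)
    return {"enc_ssk": wrap(server_storage_key, ssk), "enc_priv": wrap(ssk, private_key)}


def recover_for_token(server_master_key, server_storage_key, token_id, archive):
    """Server side of the recovery, in the order the abstract lists the steps."""
    ktsk = secrets.token_bytes(32)                         # key transport session key
    kek = derive_kek(server_master_key, token_id)
    wrapped_ktsk = wrap(kek, ktsk)                         # first wrapped key transport session key
    ssk = unwrap(server_storage_key, archive["enc_ssk"])   # storage session key
    private_key = unwrap(ssk, archive["enc_priv"])
    wrapped_priv = wrap(ktsk, private_key)                 # wrapped private key
    return wrapped_priv, wrapped_ktsk                      # the two blobs that are forwarded


def token_recover(token_kek: bytes, wrapped_priv: bytes, wrapped_ktsk: bytes):
    """Token side (assumption: the token holds the same diversified KEK).
    Returns the private key, or None if either unwrap fails."""
    try:
        ktsk = unwrap(token_kek, wrapped_ktsk)
        return unwrap(ktsk, wrapped_priv)
    except ValueError:
        return None
```

Two properties worth checking in such a design, both exercised by the functions above: the plaintext private key never leaves the server under a long-term key (only under the one-shot transport key), and a token with a different identification derives a different KEK and therefore cannot unwrap the transport key at all.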
  • Publication number: 20100268938
    Abstract: A sentinel value is combined with a data segment, and encrypted. A digest of the encrypted combined data segment is calculated, and used in conjunction with an encryption key to generate a masked key. This masked key is then appended to the encrypted combined data segment and transmitted to an encoder. When the data segment is retrieved, the original encryption key can be recovered and used to decrypt the data segment. The sentinel value can then be extracted from the data segment and checked for integrity. The data segment can then be delivered, discarded, flagged, or otherwise handled based on the integrity of the sentinel value.
    Type: Application
    Filed: April 14, 2010
    Publication date: October 21, 2010
    Applicant: CLEVERSAFE, INC.
    Inventor: JASON K. RESCH
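Worked example of the packaging the abstract describes, added here and not taken from the patent application or from Cleversafe's code: sentinel appended to the segment, encryption under a fresh random key, a digest of the ciphertext used to mask that key, and the masked key appended for the encoder; on retrieval the key is recovered from the digest, the segment decrypted, and the sentinel checked to decide whether to deliver or discard. Because the key is masked by a digest of the whole ciphertext, altering any byte changes the recovered key and the sentinel check fails. The stream cipher, the fixed sentinel value and length, and the sample segment are assumptions of this example.

```python
import hashlib
import hmac
import secrets

SENTINEL = b"\x00" * 16  # assumption: a fixed, publicly known sentinel (the abstract does not fix its form)
KEY_LEN = 32


def _stream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (stand-in for the abstract's unspecified 'encrypt'): XOR with SHA-256(key || counter)."""
    ks = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))


def protect(segment: bytes) -> bytes:
    """Combine sentinel and segment, encrypt under a fresh key, mask the key with a digest of the
    ciphertext and append it. The returned package is what goes to the encoder."""
    key = secrets.token_bytes(KEY_LEN)
    enc = _stream_xor(key, segment + SENTINEL)
    digest = hashlib.sha256(enc).digest()
    masked_key = bytes(k ^ d for k, d in zip(key, digest))
    return enc + masked_key


def retrieve(package: bytes):
    """Recover the key from the digest of the encrypted part, decrypt, then check the sentinel.
    Returns (segment, ok); ok is False whenever the package was modified anywhere."""
    enc, masked_key = package[:-KEY_LEN], package[-KEY_LEN:]
    key = bytes(m ^ d for m, d in zip(masked_key, hashlib.sha256(enc).digest()))
    combined = _stream_xor(key, enc)
    segment, sentinel = combined[:-len(SENTINEL)], combined[-len(SENTINEL):]
    return segment, hmac.compare_digest(sentinel, SENTINEL)


def handle(package: bytes):
    """Policy step from the abstract: deliver the segment if the sentinel is intact, otherwise discard (None)."""
    segment, ok = retrieve(package)
    return segment if ok else None
```

Note that the sentinel is not a MAC: it detects modification only because the decryption key itself depends on every ciphertext byte, which is why the digest must cover the entire encrypted part and why the key must be fresh per segment.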
  • Patent number: 7817802
    Abstract: A communication network (22) includes a central node (30) loaded with a trusted key (26) and key material (56) corresponding to an asymmetric key agreement protocol (48). The network (22) further includes vulnerable nodes (32) loaded with key material (69) corresponding to the protocol (48). Successive secure connections (68, 70) are established between the central node (30) and the vulnerable nodes (32) using the key material (56, 69) to generate a distinct session key (52) for each of the secure connections (68, 70). The trusted key (26) and one of the session keys (52) are utilized to produce a mission key (39). The mission key (39) is transferred from the central node (30) to each of the vulnerable nodes (32) via each of the secure connections (68, 70) using the corresponding current session key (52). The mission key (39) functions for secure communication within the communication network (22).
    Type: Grant
    Filed: January 23, 2007
    Date of Patent: October 19, 2010
    Assignee: General Dynamics C4 Systems, Inc.
    Inventors: Paul Thomas Kitaj, Mary Eleanor Trengove, Douglas Allan Hardy
  • Publication number: 20100262988
    Abstract: Methods and apparatus permit a one-way downloadable security for electronic signals such as cable television, free-to-air, direct broadcast satellite, electronic device enablement, and other services. The system can allow a broadcast transmission capability (1) to provide an encrypted signal to an individual reception capability (2) in a manner that maintains the full security of a traditional decryption key process while completely eliminating any need for a trusted authority. By including a nascent decryption key generator that may create a secure, key-based environment from an unsecure individualized information transmission (12), a sequence of key(s) from a root key(s) to a derived key(s) to a temporary key(s) and ultimately to a fully random key(s) can be generated in activating a device or a decryption capability for a subscriber.
    Type: Application
    Filed: February 24, 2009
    Publication date: October 14, 2010
    Applicant: BEYOND BROADBAND TECHNOLOGY, LLC
    Inventors: William D. Bauer, Donovan Steve White, David W. Eder
  • Patent number: 7813511
    Abstract: Providing a mobility key for a communication session for a mobile station includes facilitating initiation of the communication session. A master key for the communication session is established, where the master key is generated at an authentication server in response to authenticating the mobile station. A mobility key is derived from the authentication key at an access node, where the mobility key is operable to authenticate mobility signaling for the communication session.
    Type: Grant
    Filed: July 1, 2005
    Date of Patent: October 12, 2010
    Assignee: Cisco Technology, Inc.
    Inventors: Kent K. Leung, Jayaraman R. Iyer, Viren K. Malaviya
  • Patent number: 7805614
    Abstract: A method for secure identity processing using biometrics is provided. A public key and a unique serial number are received from a BIOTOKEN. A random number is generated. The random number and the unique serial number are transmitted to the BIOTOKEN. A serial number received from the BIOTOKEN is compared with the unique serial number and if there is a match, an encrypted symmetric key, transmitted by the BIOTOKEN, is decrypted using the public key. An encrypted random number and encrypted biometric data associated with a user are decrypted using the decrypted symmetric key. The decrypted random number is compared with the transmitted random number, if there is a match, the decrypted biometric data is validated and the received serial number and the public key are transmitted to a certification authority if the biometric data is validated. An authentication certificate associated with the BIOTOKEN is issued by the certification authority.
    Type: Grant
    Filed: March 31, 2005
    Date of Patent: September 28, 2010
    Assignee: Northrop Grumman Corporation
    Inventors: Kenneth W. Aull, William Gravell, James B. Rekas
  • Publication number: 20100241852
    Abstract: The embodiments described herein provide methods for producing products with certificates and keys. In one embodiment, a requesting entity transmits a request for a plurality of certificates and corresponding keys to a certifying entity that generates the certificates and corresponding keys. The request preferably includes information for use by the certifying entity to verify an identity of the requesting entity rather than information to verify unique product identifiers of the respective products. The requesting entity then receives the plurality of certificates and corresponding keys from the certifying entity, preferably in a plurality of organized sets instead of in a single series of certificates. The requesting entity then stores the certificates and corresponding keys in respective products. Each stored certificate is thereafter useable for both identification and authentication of the respective product in which it is stored.
    Type: Application
    Filed: March 20, 2009
    Publication date: September 23, 2010
    Inventors: Rotem Sela, Vijay Ahuja, Michael Holtzman, John Michael Podobnik, Avi Shmuel
  • Patent number: 7801517
    Abstract: Methods, systems, and computer program products for implementing a roaming controlled wireless network and services are provided. The method includes assigning an identifier and key to a multi-mode network-enabled communications device, the identifier and key inaccessible to an end user of the communications device. The method further includes assigning an identifier and key to a gateway device. The method further includes configuring an auto-provisioning element on each of the devices and remotely provisioning activation of roaming controlled communications services for the end user of the communications device. The remote provisioning includes transmitting a signal to one of the devices configured with the auto-provisioning element, which causes the devices to exchange identifiers and keys via a wireless local network. In response to exchanging the identifiers and keys between the devices, the communications device is permitted to communicate over the wireline network via the gateway device.
    Type: Grant
    Filed: December 30, 2005
    Date of Patent: September 21, 2010
    Assignee: AT&T Intellectual Property I, L.P.
    Inventor: Richard J. Silvestri
  • Patent number: 7801310
    Abstract: A document access control scheme uses digital “skeleton keys” to distribute access permissions for encrypted documents in a manner that does not require that rights management files (RMFs) be associated with each document. Multiple skeleton keys can be issued for the same document. The skeleton keys themselves can be opened by one or more other skeleton keys for different levels of document access.
    Type: Grant
    Filed: January 30, 2008
    Date of Patent: September 21, 2010
    Assignee: Adobe Systems Incorporated
    Inventor: Edward R. W. Rowe
  • Patent number: 7787625
    Abstract: A quantum key distribution (QKD) cascaded network with loop-back capability is disclosed. The QKD system network includes a plurality of cascaded QKD relays each having two QKD stations Alice and Bob. Each QKD relay also includes an optical switch optically coupled to each QKD station in the relay, as well as to input ports of the relay. In a first position, the optical switch allows for communication between adjacent relays and in a second position allows for pass-through communication between the QKD relays that are adjacent the relay whose switch is in the first position.
    Type: Grant
    Filed: June 30, 2005
    Date of Patent: August 31, 2010
    Assignee: MagiQ Technologies, Inc.
    Inventors: Harry Vig, Audrius Berzanskis
  • Publication number: 20100211790
    Abstract: The present invention relates to at least a method of authenticating a user in a communication network including contacting an authentication entity in a first authentication of a user seeking access to the communication network; supplying to the user first information, the first information being generated based on privacy information of the user and shared information, the shared information being shared among all access nodes of a group of access nodes, the group of access nodes including at least a first access node and a second access node, and verifying the privacy information in a second authentication of the user by applying the shared information to the first information. The present invention further relates to a corresponding apparatus.
    Type: Application
    Filed: February 1, 2010
    Publication date: August 19, 2010
    Inventor: Ning Zhang