Multicast Patents (Class 713/163)
  • Patent number: 8832451
    Abstract: A source authentication method and apparatus according to the present invention are disclosed. The source authentication method is performed with respect to a transmission packet on a message transmission side, and includes generating a first hash value to which a first hash function is applied using a message to be included in a next packet and a key value, and generating the transmission packet including the first hash value, wherein the key value is one of at least one key value generated in advance by applying a second hash function. Meanwhile, according to the present invention, effective low-cost multicast authentication may be performed by reducing a variety of loads such as buffer management, key calculation costs, and the like.
    Type: Grant
    Filed: August 23, 2012
    Date of Patent: September 9, 2014
    Assignee: Electronics and Telecommunications Research Institute
    Inventors: Bo Heung Chung, Jeong Nyeo Kim
  • Patent number: 8831226
    Abstract: The present invention relates to a key update method based on the amount of communication in wireless sensor networks having a hierarchy structure.
    Type: Grant
    Filed: November 14, 2011
    Date of Patent: September 9, 2014
    Assignee: Gwangju Institute of Science and Technology
    Inventors: Saewoom Lee, Kiseon Kim, Jeehoon Lee, Yoondong Sung
  • Patent number: 8832820
    Abstract: A method and associated systems for enhanced isolation and security hardening among multi-tenant workloads. An agent running on a processor of a networked computer system on which multicast and broadcast communications have been disabled captures an address-resolution query message from a querying tenant, converts the query message to a unicast message, and forwards the converted unicast query message to a switch. The switch forwards the converted unicast message to a redirection device and in response receives an address-resolution response message only after the redirection device verifies that the query and response messages comply with security policies. The switch forwards the address-resolution response to the querying tenant in conformance with security policies.
    Type: Grant
    Filed: June 25, 2012
    Date of Patent: September 9, 2014
    Assignee: International Business Machines Corporation
    Inventors: Saurabh Barjatiya, Kanaka P. Saripalli
  • Patent number: 8811613
    Abstract: An information processor includes a data storage portion that stores a first capability list indicating capabilities regarding an encryption. The information processor also includes a communication portion that receives a second capability list indicating capabilities, regarding the encryption, of a device. Further, the information processor includes a processing unit that determines an algorithm, by which communications are performed with the device, by referring to the first capability list and the second capability list. The communication portion sends identification information for identifying the algorithm determined by the processing unit and a public key relying on the algorithm to the device.
    Type: Grant
    Filed: September 5, 2007
    Date of Patent: August 19, 2014
    Assignee: Sony Corporation
    Inventor: Katsuyuki Teruyama
  • Patent number: 8798262
    Abstract: An encryption endpoint (EE) receives, via a storage I/O stack (having a key controller module (KCM)), encryption metadata identifying an encryption key and a set of region entries. Each region entry includes an identification of a region within a storage device subject to encryption with the encryption key and an identification of a correlation between the region and a corresponding region on a logical volume (LV) managed by the KCM. The EE receives, via the stack, a storage command to process a block having a first address on the storage device. It corresponds to a second address located within the corresponding region of the LV. The EE determines the second address within the LV and then cryptographically processes the block using an address-dependent cryptographic algorithm and (a) data of the block, (b) the determined second address, and (c) the encryption key.
    Type: Grant
    Filed: December 23, 2010
    Date of Patent: August 5, 2014
    Assignee: EMC Corporation
    Inventors: Helen Raizen, Atul Kabra
  • Patent number: 8793782
    Abstract: A method for injecting a security token into an authentication protocol response is disclosed. An authentication protocol response from a node requesting access to a network is intercepted. It is determined if the node complies with a health policy of the network. A security token is inserted into the authentication protocol response based on the compliance of the node.
    Type: Grant
    Filed: May 27, 2010
    Date of Patent: July 29, 2014
    Assignee: Crimson Corporation
    Inventor: Jin Su
  • Patent number: 8787574
    Abstract: The present invention discloses a multicast key negotiation method suitable for group calling system and a system thereof. The method includes that: a user terminal (UT) negotiates about a unicast key with a base station (BS), derives an information encryption key and an integrity verifying key according to the unicast key, and registers a service group identifier that the UT belongs to at the BS; the BS notifies the UT the multicast key of the service group that the UT needs to apply, constructs a multicast key notification packet, and sends it to the UT; after receiving the multicast key notification packet sent by the BS, the UT obtains the multicast key of the service group that the UT needs to apply by decrypting a service group key application list, constructs a multicast key confirmation packet, and sends it to the BS; the BS confirms that the multicast key of the UT service group is built successfully according to the multicast key confirmation packet sent by the UT.
    Type: Grant
    Filed: May 12, 2010
    Date of Patent: July 22, 2014
    Assignee: China Iwncomm Co., Ltd.
    Inventors: Yanan Hu, Jun Cao, Manxia Tie, Zhenhai Huang
  • Patent number: 8769277
    Abstract: Content retrieval techniques are described. In an implementation, a determination is made as to whether a client is permitted to receive content requested by the client. When the client is permitted to receive the content, a communication is formed to be communicated via a wide area network that includes a hash list having a hash of each of a plurality of blocks of the content, each hash being configured to enable the client to locate a corresponding one of the blocks of the content via a local area network.
    Type: Grant
    Filed: June 23, 2008
    Date of Patent: July 1, 2014
    Assignee: Microsoft Corporation
    Inventors: Ravi T. Rao, Khaja E. Ahmed, R. Scott Briggs, Sandeep K. Singhal
  • Patent number: 8767965
    Abstract: An inventive scheme for detecting parties responsible for repeated malicious activities in secure and anonymous communication is presented. The scheme comprises generating a pool of keys, distributing to and associating with each party a small number of keys chosen randomly from the pool, revoking a key when it is detected as used in a malicious activity, creating a set of parties associated with the revoked key, revoking additional keys randomly chosen among the keys not currently revoked, selecting new keys, and when a party requests an updated key, sending the updated key selected from among the new keys to the requesting party, wherein if an other malicious activity is detected, creating another set of the parties associated with the other malicious activity and identifying the parties in both sets. The steps of the inventive scheme are repeated until only one party is in the intersection set.
    Type: Grant
    Filed: July 18, 2008
    Date of Patent: July 1, 2014
    Assignee: Telcordia Technologies, Inc.
    Inventors: Giovanni Di Crescenzo, Tao Zhang, Robert G. White
  • Patent number: 8762707
    Abstract: An end user computer is assigned a multicast content distribution group by a network service intelligence platform. The network service intelligence platform authenticates a token sent by the user and signed by a third party content controller, and provides the user with credentials for joining the group. The credentials include an authorization key as well as identifications of the user and the requested content. The credentials are encrypted and authenticated by the third party content controller. The user includes the encrypted and authenticated credentials in a join request sent to a network resource, such as an edge router. After verifying the credentials, the network resource adds the end user computer to the multicast group.
    Type: Grant
    Filed: July 14, 2009
    Date of Patent: June 24, 2014
    Assignee: AT&T Intellectual Property I, L.P.
    Inventors: Thomas J. Killian, Mark W. Altom, Juan A. Garay, Douglas Nortz, David J. Segelstein
  • Publication number: 20140173276
    Abstract: A method and system for distributed security for a plurality of devices in a communication network, each of the devices being responsible for generating, distributing and controlling its own keys for access to the communication network and using the keys to establish a trusted network, each device's membership to the communication network being checked periodically by other devices by using a challenge response protocol to establish which devices are allowed access to the communication network and the trusted network.
    Type: Application
    Filed: February 10, 2014
    Publication date: June 19, 2014
    Applicant: Certicom Corp.
    Inventors: Scott Alexander Vanstone, Marinus Struik
  • Patent number: 8755520
    Abstract: An apparatus and method for generating a key for a broadcast encryption. The apparatus includes a node secret generator for managing a user that receives broadcast data in a tree structure and for generating a unique node secret for each node in the tree structure. The apparatus also includes an instant key generator for temporarily generating an instant key used at all nodes in common in the tree structure, and a node key generator for generating a node key for each node by operating the node secret generated at the node secret generator and the instant key generated at the instant key generator. Thus, key update can be efficiently achieved.
    Type: Grant
    Filed: March 22, 2012
    Date of Patent: June 17, 2014
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Hwan-joon Kim, Dae-youb Kim, Weon-il Jin, Sung-joon Park
  • Patent number: 8745385
    Abstract: A data security system includes a single central processing unit (CPU), a plurality of different security zones corresponding to different levels of security classification, a plurality of operating systems, a communications interface, a global zone, and a memory coupled to the plurality of security zones and the global zone. The CPU includes a plurality of processing cores and each security zone is associated with a different one of the processing cores. The global zone is communicatively coupled to the communications interface and the plurality of security zones, and is associated with a different one of the processing cores than the plurality of security zones. The global zone directs communications between the communications interface and the plurality of security zones. Each processing core executes a separate one of the plurality of operating systems, thereby providing separate processing capability on the single CPU for each of the different levels of security classification.
    Type: Grant
    Filed: June 24, 2009
    Date of Patent: June 3, 2014
    Assignee: Raytheon Company
    Inventors: Jonathan D. Goding, Randall S. Brooks
  • Patent number: 8745381
    Abstract: Methods, systems, and computer readable media for accelerating stateless IPsec traffic generation by performing ESP rehashing of ESP packets are disclosed. A first ESP packet is generated by encrypting a portion of the packet and adding ESP headers and trailers to the encrypted portion, hashing the encrypted portion and the ESP header to compute a first ESP integrity check value (ICV), and adding the ESP ICV as a trailer to the ESP packet. At least one second ESP packet is generated by modifying parameters in the first ESP packet. The first and second ESP packets are transmitted to a device under test.
    Type: Grant
    Filed: October 19, 2011
    Date of Patent: June 3, 2014
    Assignee: IXIA
    Inventor: Alexandru R. Badea
  • Patent number: 8745382
    Abstract: The method for the transmission of media data from a multicast service by a first apparatus to a plurality of second apparatuses is suitable for preventing reception of the media data by an unauthorized second apparatus using a security process. A first apparatus is provided which can be used to provide the media data protected by a security process. A third apparatus is provided which can be used to perform the security process with the first apparatus, performance of the security process between the first apparatus and the third apparatus and, on the basis of this, interchange of at least security data between the first apparatus and the third apparatus in order to provide the media data. A second apparatus is selected which can be used to perform at least one reception process for receiving the media data. A first data transmission link is selected which can be used to couple the first apparatus and the second apparatus at least for the purpose of transmitting the media data.
    Type: Grant
    Filed: January 15, 2007
    Date of Patent: June 3, 2014
    Assignee: Siemens Aktiengesellschaft
    Inventors: Matthias Franz, Günther Horn
  • Patent number: 8731200
    Abstract: Methods and systems are provided for trusted key distribution. A key distribution or an identity service acts as an intermediary between participants to a secure network. The service provisions and manages the distribution of keys. The keys are used for encrypting communications occurring within the secure network.
    Type: Grant
    Filed: April 30, 2010
    Date of Patent: May 20, 2014
    Assignee: Novell, Inc.
    Inventors: Stephen R. Carter, Carolyn B. McClain
  • Patent number: 8724803
    Abstract: A method and apparatus for secure generation of a short-term key SK for viewing information content in a Multicast-broadcast-multimedia system are described. A short-term key is generated by a memory module residing in user equipment (UE) only when the source of the information used to generate the short-term key can be validated. A short-term key can be generated by a Broadcast Access Key (BAK) or a derivative of BAK and a changing value with a Message Authentication Code (MAC) appended to the changing value. A short-term key (SK) can also be generated by using a private key and a short-term key (SK) manager with a corresponding public key distributed to the memory module residing in the user equipment (UE), using a digital signature.
    Type: Grant
    Filed: September 1, 2004
    Date of Patent: May 13, 2014
    Assignee: QUALCOMM Incorporated
    Inventors: James Semple, Gregory Gordon Rose
  • Patent number: 8719585
    Abstract: Techniques for securely updating a boot image without knowledge of a secure key used to encrypt the boot image.
    Type: Grant
    Filed: February 11, 2008
    Date of Patent: May 6, 2014
    Assignee: Nvidia Corporation
    Inventors: Gordon Grigor, Phillip Norman Smith
  • Patent number: 8719569
    Abstract: Techniques are provided for users to authenticate themselves to components in a system. The users may securely and efficiently enter credentials into the components. These credentials may be provided to a server in the system with strong authentication that the credentials originate from secure components. The server may then automatically build a network by securely distributing keys to each secure component to which a user presented credentials.
    Type: Grant
    Filed: April 23, 2012
    Date of Patent: May 6, 2014
    Assignee: Broadcom Corporation
    Inventors: Mark Buer, Ed Frank, Nambi Seshardi
  • Patent number: 8712056
    Abstract: Security in a mobile ad hoc network is maintained by using various forms of encryption, various encryption schemes, and various multi-phase keying techniques. In one configuration, an over the air, three-phase, re-keying technique is utilized to ensure that no authorized nodes are lost during re-keying and that nodes that are intended to be excluded from re-keying are excluded. In another configuration, an over the air, two-phase keying technique is utilized to maintain backwards secrecy.
    Type: Grant
    Filed: June 3, 2010
    Date of Patent: April 29, 2014
    Assignee: AT&T Intellectual Property I, L.P.
    Inventor: Robert Hall
  • Patent number: 8713312
    Abstract: A method and apparatus for detecting data modification in a layered operating system is disclosed. Outbound content indicators at different layers are compared to detect potential outbound data modifications. Likewise, inbound content indicators at different layers are compared to detect potential inbound data modifications. Content indicators include checksum, cryptographic hash, signature, and fingerprint indicators. Embodiments of the present invention enable detection of data modifications across an operating system's kernel and user mode spaces, prevention of modified outbound data from reaching a network, prevention of modified input data from reaching a user application, and detection of malware and faults within an operating system.
    Type: Grant
    Filed: December 6, 2009
    Date of Patent: April 29, 2014
    Assignee: Trend Micro Incorporated
    Inventors: Rares Stefan, Blake Stanton Sutherland
  • Patent number: 8711751
    Abstract: Methods and apparatus that reduce user identification overhead for communications. In one aspect of the invention, a reciprocal transmission channel characteristic (e.g., the channel impulse response) is used to derive shared and anonymous user identification between two wireless devices. In one embodiment, subscription-less data transmissions are broadcast from a base station to multiple user equipment, each user equipment receiving its correspondingly identified subscription-less data. The use of quantization levels and/or levels of tolerance for compensating for non-ideal differences in recipient and transmitter channel characteristics are also disclosed.
    Type: Grant
    Filed: September 25, 2009
    Date of Patent: April 29, 2014
    Assignee: Apple Inc.
    Inventors: Markus Mueck, Andreas Schmidt
  • Patent number: 8705744
    Abstract: When installing and maintaining a wireless sensor network in a medical or factory environment, distribution of keying material to sensor nodes (18) is performed by a key material box (KMB) (12), such as a smartcard or the like. The KMB (12) has a random seed stored to it during manufacture, and upon activation performs an authentication protocol with a sensor node (18) to be updated or installed. The KMB (12) receives node identification information, which is used in conjunction with the random seed to generate keying material for the node (18). The KMB (12) then encrypts the keying material for transmission to the node (18), and transmits over a wired or wireless communication link in a secure manner. The node (18) sends an acknowledgement message back to the KMB (12), which then updates the node's status in look-up tables stored in the KMB (12).
    Type: Grant
    Filed: March 28, 2008
    Date of Patent: April 22, 2014
    Assignee: Koninklijke Philips N.V.
    Inventors: Axel G. Huebner, Heribert Baldus, Oscar Garcia
  • Patent number: 8700894
    Abstract: Methods and systems for providing confidentiality of communications sent via a network that is efficient, easy to implement, and does not require significant key management. The identity of each node of the routing path of a communication is encrypted utilizing an identity-based encryption scheme. This allows each node of the routing path to decrypt only those portions of the routing path necessary to send the communication to the next node. Thus, each node will only know the immediate previous node from which the communication came, and the next node to which the communication is to be sent. The remainder of the routing path of the communication, along with the original sender and intended recipient, remain confidential from any intermediate nodes in the routing path. Use of the identity-based encryption scheme removes the need for significant key management to maintain the encryption/decryption keys.
    Type: Grant
    Filed: October 17, 2007
    Date of Patent: April 15, 2014
    Assignee: Pitney Bowes Inc.
    Inventors: Bradley R. Hammell, Matthew J. Campagna, Bertrand Haas, Leon A. Pintsov, Frederick W. Ryan, Jr.
  • Patent number: 8698873
    Abstract: Techniques for enabling video conferencing with interactive sharing of drawings and/or other information. In one set of embodiments, a system is provided that includes a drawing surface, a video camera embedded or integrated into the drawing surface, and a front projector. The drawing surface can capture drawings made on the surface by a user, and the video camera can capture a video stream of the user. The system can send digital information representing the captured drawings and the video stream to a remote system. The system can also receive digital information representing drawings made by a remote user and a video stream of the remote user from the remote system. The front projector can project a video signal onto the drawing surface that incorporates the captured drawings, the drawings made by the remote user, and the video stream of the remote user.
    Type: Grant
    Filed: March 7, 2011
    Date of Patent: April 15, 2014
    Assignee: Ricoh Company, Ltd.
    Inventor: John Barrus
  • Patent number: 8688836
    Abstract: A method performed in a network element coupled between a subscriber end station and an AAA server for avoiding AAA processing by at least temporarily suppressing AAA access-request messages for a rejected subscriber end station. The network element receives subscriber session-request messages from the subscriber end station. Subscriber session-request messages include information for verifying an identity that the network element transmits to the AAA server as AAA access-request messages. The network element receives AAA access-response messages corresponding to the AAA access-request messages. Responsive to an AAA access-response message, the network element determines that additional AAA access-request messages should be, at least temporarily, suppressed with regards to the subscriber end station. Responsive to determining, the network element suppresses any additional AAA access-request messages from being transmitted to the AAA server.
    Type: Grant
    Filed: December 18, 2012
    Date of Patent: April 1, 2014
    Assignee: Telefonaktiebolaget L M Ericsson (publ)
    Inventors: Namadurau Akil Ponnuswamy, Sudhagar Chinnaswamy
  • Patent number: 8687804
    Abstract: For a data transfer, security is negotiated via a control channel operating in accordance with a first protocol. The data is transmitted responsive to the security negotiation on a data channel operating in accordance with a second protocol. For example, a described implementation involves using a security control protocol and a separate secure data transfer protocol that operate cooperatively, but independently, to provide flexible application layer security with highly efficient data transfers.
    Type: Grant
    Filed: November 1, 2006
    Date of Patent: April 1, 2014
    Assignee: Microsoft Corporation
    Inventor: Blair B. Dillaway
  • Patent number: 8682842
    Abstract: In a system for storing and retrieving a plurality of records, the plurality of records associated with a ledger, a client issues read and write requests associated with one of the plurality of records, a plurality of record servers responds to the requests received from the client, and a management server maintains and coordinates, between the client and the record servers, information associated with the ledger, records, and record servers.
    Type: Grant
    Filed: December 9, 2008
    Date of Patent: March 25, 2014
    Assignee: Yahoo! Inc.
    Inventors: Benjamin Reed, Flavio Junqueira
  • Patent number: 8667271
    Abstract: A method and system for resolving addresses of a message including looking up, from a source directory, a group name associated with a message address of the message, looking up through a cache of user names mapped to user addresses, a user address for each of the looked up user names and returning an associated user address, and addressing the message to each looked up user address. Expanding a group address by looking up user names for the group from the source directory, looking up the user address for each user name from the user cache, addressing the message to the looked up user address, and transmitting the message to the looked up user address.
    Type: Grant
    Filed: May 29, 2009
    Date of Patent: March 4, 2014
    Assignee: Blackberry Limited
    Inventors: Pavel Shkolnikov, Ian Douglas Sangster, Andrew John Mackie
  • Patent number: 8667272
    Abstract: A content distribution method with broadcast encryption, comprising an encryption process that includes the computation of a ciphertext using a differential ciphertext generation method. The ciphertext needs to be recomputed whenever the subscriber set changes. The differential ciphertext generation method computes the new ciphertext by reusing previously preserved computational results of a previous ciphertext, thereby improving the efficiency of the system. A content distribution method with broadcast encryption also comprises a decryption process that includes the reconstruction of the encryption secret that is used for decrypting the encrypted content. A wide window point addition method is used in the encryption secret reconstruction. The wide window point addition method reuses previously preserved computational results of group-divided point additions of public parameters, thereby improving the efficiency of the system.
    Type: Grant
    Filed: November 10, 2011
    Date of Patent: March 4, 2014
    Assignee: Hong Kong Applied Science and Technology Research
    Inventors: Wing Pan Leung, Xiaokang Xiong, Yiu Wing Wat, Zhibin Lei
  • Patent number: 8666072
    Abstract: This method of receiving a multimedia signal scrambled by means of a control word uses a first cryptographic entity that can be connected to any one of P second cryptographic entities to form part of a device for receiving the scrambled multimedia signal. Only second cryptographic entities of a group of N second cryptographic entities selected from a wider set of P second cryptographic entities use a session key obtained by diversifying a root key identical to the root key used to obtain the session key of the first cryptographic entity.
    Type: Grant
    Filed: February 14, 2006
    Date of Patent: March 4, 2014
    Assignee: Viaccess
    Inventors: Bruno Tronel, Franck Baudot
  • Patent number: 8661248
    Abstract: A method, apparatus, and system for sending and receiving a security policy of multicast sessions are provided. The method for sending the security policy of multicast sessions includes: after a Datagram Transport Layer Security (DTLS) session is set up between a sender and a receiver, receiving a security policy request from the receiver, constructing a security policy response according to a security policy, multiplexing the security policy response and Secure Real-Time Transport Protocol (SRTP) multicast session data, and sending the multiplexed data to the receiver.
    Type: Grant
    Filed: October 30, 2009
    Date of Patent: February 25, 2014
    Assignee: Huawei Technologies Co., Ltd.
    Inventor: Xu Chen
  • Patent number: 8661556
    Abstract: A method and apparatus for providing network security using role-based access control is disclosed. A network device implementing such a method can include, for example, an access control list. Such an access control list includes an access control list entry, which, in turn, includes a user group field. Alternatively, a network device implementing such a method can include, for example, a forwarding table that includes a plurality of forwarding table entries. In such a case, at least one of the forwarding table entries includes a user group field.
    Type: Grant
    Filed: May 27, 2011
    Date of Patent: February 25, 2014
    Assignee: Cisco Technology, Inc.
    Inventor: Michael R. Smith
  • Patent number: 8656158
    Abstract: A system and method for generating a set of IP addresses for access multi-homing in an Internet access network. A generating host obtains from the network a set of IPv6 subnet prefixes for a plurality of available Internet Service Providers, ISPs. The generating host generates a single IPv6 interface identifier from the subnet prefixes and cryptographically binds the subnet prefixes with the single IPv6 interface identifier. A remote peer verifies that all of the IP addresses belong together by independently generating the IPv6 interface identifier from the same set of subnet prefixes and comparing the result with the IPv6 interface identifier generated by the generating host.
    Type: Grant
    Filed: June 11, 2008
    Date of Patent: February 18, 2014
    Assignee: Telefonaktiebolaget L M Ericsson (Publ)
    Inventor: Christian Vogt
  • Patent number: 8656157
    Abstract: The present disclosure is directed to a method for sending and receiving an encrypted message and a system thereof. The method includes steps of encrypting a message, transforming the encrypted message into a network address, sending the network address to a receiver, and accessing a server according to the network address by the receiver, and a server decrypting the message, presenting the decrypted message to the receiver, and thereafter preventing the message from being accessed. Advantages include that any mobile phone capable of connection to a wireless network can read an encrypted message without installation of decryption software on a mobile phone of a receiver.
    Type: Grant
    Filed: May 29, 2012
    Date of Patent: February 18, 2014
    Assignee: Netqin Mobile (Beijing) Co., Ltd.
    Inventors: Ping Cheng, Yu Lin, Shihong Zou, Linlin Gong
  • Patent number: 8630420
    Abstract: A method for generating a network address in a communication network includes at least one user equipment and a network equipment. The method includes: a) providing a same shared secret key both at the at least one user equipment and at the network equipment; and b) generating at least a portion of the network address at the at least one user equipment and at the network equipment based upon at least the shared secret key.
    Type: Grant
    Filed: May 31, 2005
    Date of Patent: January 14, 2014
    Assignee: Telecom Italia S.p.A.
    Inventors: Maria Pia Galante, Luca Dell'Uomo, Andrea Calvi
  • Patent number: 8611346
    Abstract: In one embodiment, a device within a first network may learn a plurality of multicast traffic sources, and may join a first source-specific group for a particular group and a second source-specific group for the particular group. Subsequently, the device may receive multicast traffic from within the first network from at least one of the source-specific groups, select which received traffic to transmit down a non-source-specific shared multicast tree of a second network for the particular group, and transmit the selected traffic down the shared multicast tree for the particular group. In one embodiment, a receiver device in the second network may join the non-source-specific shared multicast tree to receive the traffic for the particular group.
    Type: Grant
    Filed: June 18, 2010
    Date of Patent: December 17, 2013
    Assignee: Cisco Technology, Inc.
    Inventors: IJsbrand Wijnands, Najam Saquib
  • Patent number: 8612752
    Abstract: Methods are provided for processing a packet received by a mesh-enabled access point (MAP). When a first MAP receives a packet it can determine whether the packet is destined for a mesh portal based on the destination address. If so, the first MAP can retrieve an encryption key corresponding to the mesh portal, use the encryption key to encrypt the packet and set a mesh forwarding flag in the packet to indicate that the packet is destined for a mesh portal, and is encrypted with an encryption key corresponding to the mesh portal, and then forward the packet to the next hop MAP towards the mesh portal. The mesh forwarding flag indicates that the packet is destined for a mesh portal, is encrypted with an encryption key corresponding to the mesh portal, and is to be forwarded to the next hop MAP without performing decryption/re-encryption processing on the packet. When a MAP receives a packet, it determines whether a mesh forwarding flag is set in the packet.
    Type: Grant
    Filed: October 30, 2008
    Date of Patent: December 17, 2013
    Assignee: Symbol Technologies, Inc.
    Inventor: Puneet Batta
  • Patent number: 8611270
    Abstract: In one embodiment, a system employs IGMP (Internet Group Management Protocol) snooping and client tracking to forward an IP multicast flow between a distribution (e.g., wired or backbone) network and a wireless network without the need to configure a VLAN on either infrastructure. A single IP multicast flow is forwarded natively on the distribution network (e.g., from an IP Multicast enabled router) to an AP, and the AP replicates and forwards the multicast flow to a plurality of domains on the wireless network.
    Type: Grant
    Filed: January 19, 2007
    Date of Patent: December 17, 2013
    Assignee: Cisco Technology, Inc.
    Inventors: Bhawani Sapkota, Tak Ming Francis Pang, Gong Cheng, Kalyan R. Dharanipragada
  • Patent number: 8601568
    Abstract: A switching equipment stores identification information of communication established with respect to an infrastructure network system in a storage unit, and when an access request is received from a terminal device, the switching equipment adds the stored identification information to the access request and transfers the access request to a 1× Radius server. When the terminal device having requested the access is authenticated, the 1× Radius server notifies a PANA PAA of address information of the terminal device associated with the identification information added to the access request. The PANA PAA approves the same network access as the switching equipment with respect to the terminal device in the received address information.
    Type: Grant
    Filed: May 29, 2008
    Date of Patent: December 3, 2013
    Assignee: Kabushiki Kaisha Toshiba
    Inventors: Yoshimichi Tanizawa, Naoki Esaka, Tsutomu Shibata
  • Patent number: 8600063
    Abstract: The key distribution system comprises a terminal and a server which establish encrypted communication with each other by use of a common key cryptography using a communication secret key. To issue a new communication secret key, the terminal generates a secret value and encrypts it with a public key and sends the encrypted secret value to the server. The server decrypts the encrypted secret value with a private key paired with the public key. The server issues the new communication secret key, and encrypts it with a common key cryptography using the secret value, and sends the encrypted new communication secret key to the terminal. The terminal decrypts the encrypted new communication secret key with the secret value, thereby obtaining the new communication secret key. Thereafter, the terminal and the server use the new communication secret key.
    Type: Grant
    Filed: December 3, 2009
    Date of Patent: December 3, 2013
    Assignee: Panasonic Electric Works Co., Ltd.
    Inventor: Naohiro Fukuda
  • Patent number: 8595486
    Abstract: A method for a base station to provide multicast broadcast services (MBSs). The method includes: obtaining an MBS authorization key (MAK); generating a number as an MBS group traffic encryption key (MGTEK); using a service credit number (SCN) to count an amount of service time or MBS content data; generating an MBS traffic key (MTK) based on at least the MAK and the MGTEK; encrypting MBS content data with the MTK; and transmitting the encrypted MBS content data to provide the MBSs.
    Type: Grant
    Filed: June 17, 2009
    Date of Patent: November 26, 2013
    Assignee: Industrial Technology Research Institute
    Inventor: Tzu-Ming Lin
  • Patent number: 8590055
    Abstract: A digital content protection apparatus and method for digital rights management (DRM) are provided in which a content file including a plurality of content parts is imported such that a header is included which stores location information required for decoding each of the content parts. Therefore, the number of content parts constituting the content file can be recognized, and a license that is required for the use of each of the content parts can be acquired by analyzing header information without necessitating the parsing of the transport packets of the content file. Accordingly, preparation time for using content can be reduced.
    Type: Grant
    Filed: April 24, 2007
    Date of Patent: November 19, 2013
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Young-sun Yoon, Bong-seon Kim
  • Patent number: 8588417
    Abstract: Systems and methods for broadcast and multicast retransmissions within a protected wireless communications system are described. Retransmitted broadcast or multicast frames are designated by modification of fields or subfields in the MAC header of the frame which are constituent parts of the additional authentication data used to generate encryption keys. Such modifications cause legacy receivers to disregard the retransmitted frames or render legacy receivers unable to decrypt the retransmitted frame, avoiding the generation of duplicate frames. Non-legacy receivers recognizing the modification conventions can restore the MAC header to the original state and can reconstruct the original encryption keys and decrypt the retransmitted frames. A non-legacy transmitter can retransmit a frame without the need to re-encrypt the frame.
    Type: Grant
    Filed: April 18, 2008
    Date of Patent: November 19, 2013
    Assignee: Conexant Systems, Inc.
    Inventor: Maarten Menzo Wentink
  • Patent number: 8589678
    Abstract: In one embodiment, a method can include: receiving rules in an interoperability server, the rules being related to access control for an endpoint coupled to a variable source content stream via a multicast network; and sending to the endpoint using in-band controls of the variable source content stream via the multicast network: a description of content streams available for selection by the endpoint; a procedure for selecting an available content stream; and permission for accessing the selected content stream, the permission being based on the rules.
    Type: Grant
    Filed: June 12, 2007
    Date of Patent: November 19, 2013
    Assignee: Cisco Technology, Inc.
    Inventors: Steven Christenson, Eric Cozzi, Saad Malik, Rajesh Basawa, Leonard Brzezinski, Shmuel Shaffer
  • Patent number: 8583919
    Abstract: A method of handling mobility of a sender in a multicast packet sending scenario. The method comprises firstly establishing a multicast tree across a packet data network and transmitting multicast packets from the sender to a plurality of receivers via said multicast tree. Prior to a mobility event in respect of said sender, a suitable transfer anchor node is identified within said network, and the tree re-rooted to that transfer anchor node. Subsequently, multicast packets are transmitted from said sender to said transfer anchor node and injected into the multicast tree at said transfer anchor node. Following said mobility event, said sender continues to send multicast packets to said transfer anchor node for injection into the multicast tree.
    Type: Grant
    Filed: October 23, 2008
    Date of Patent: November 12, 2013
    Assignee: Telefonaktiebolaget L M Ericsson (Publ)
    Inventors: Mikko Sarela, Pekka Nikander
  • Patent number: 8583922
    Abstract: A method, apparatus, and article of manufacture limit unauthorized access to digital services. A hidden non-modifiable identification number is embedded into a nonvolatile memory component. The hidden number uniquely identifies a device containing the nonvolatile memory component and access to digital services is based on rights associated with the hidden number. Access to the nonvolatile memory is isolated such that access to the identification number is limited to a fixed state custom logic block. The custom logic block has hardware configured to use the hidden number and other information to provide an output that is a function of the hidden number and that can be used to confirm an identity of a device without revealing information that can be used to impersonate the device.
    Type: Grant
    Filed: September 26, 2007
    Date of Patent: November 12, 2013
    Assignee: The DIRECTV Group, Inc.
    Inventor: Raynold M. Kahn
  • Patent number: 8578157
    Abstract: Various embodiments of a system and method of digital rights management with authorized device groups are described. Various embodiments may include a system including a digital rights management (DRM) component configured to receive a private key of an authorized device group. In various embodiments, the receipt of the private key of the authorized device group may indicate the system is an authorized member of a group of devices permitted to access content items protected by a common public key associated with the authorized device group. In various embodiments the DRM component may be configured to, for each given content item of multiple content items that are encrypted with different content keys, decrypt an encrypted content key from the given content item with the private key of the authorized device group and decrypt content from the given content item with the decrypted content key.
    Type: Grant
    Filed: May 29, 2009
    Date of Patent: November 5, 2013
    Assignee: Adobe Systems Incorporated
    Inventors: Florian Pestoni, Sunil C. Agrawal, Pritham Shetty
  • Patent number: 8578458
    Abstract: In at least one implementation a method includes receiving an identifier associated with a device, entering the identifier into a network controller device, inviting the device associated with the identifier to join a network, admitting the device associated with the identifier to the network, sending the device associated with the identifier a name of the network, and confirming that the device has joined the network as a device recognized by the network controller device.
    Type: Grant
    Filed: March 3, 2011
    Date of Patent: November 5, 2013
    Assignee: Lantiq Deutschland GmbH
    Inventors: Vladimir Oksman, Pramod Pandey, Joon Bae Kim
  • Patent number: 8555058
    Abstract: A method of distributing group identifiers (GIDs) in a power line communication (PLC) network, a method of receiving the GIDs, an authentication apparatus, and a PLC apparatus are provided. The authentication apparatus includes: an authentication mode storing unit which stores an authentication mode having a value including one of an authentication authorized mode and an authentication unauthorized mode; a GID request receiver which receives a GID request message from a PLC apparatus; and a GID transmitter which, if the authentication mode is the authentication authorized mode, transmits a GID corresponding to the PLC apparatus to the PLC apparatus. Authentication is realized in a PLC media access control layer distributing the GIDs between a PLC apparatus and an authentication apparatus, so manually inputting a GID into the PLC apparatus is not necessary. Further, the GIDs are distributed via the authentication apparatus, thereby centrally managing the GIDs.
    Type: Grant
    Filed: October 24, 2006
    Date of Patent: October 8, 2013
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Jun-hae Choi, In-hwan Kim, Seung-gi Chang, Joon-hee Lee, Ju-han Lee, Ji-hoon Kim, Ho-jeong You