Patents Examined by Pramila Parthasarathy
  • Patent number: 9106644
    Abstract: A method in a first entity for authenticating itself to a second entity by proving to the second entity that it is in possession of a full secret without sending the full secret to the second entity, the method comprising: receiving in the first entity an input from a user, the full secret having been divided into at least a first factor and a second factor and the input relating to the second factor of the full secret; reconstructing in the first entity the full secret from at least the first factor and the input; and carrying out a calculation in the first entity using the reconstructed full secret and sending the results of the calculation to the second entity, wherein the results provide an input to a pairing calculation in the second entity. The second entity carries out the pairing calculation to determine whether the client is in possession of the secret. The first entity may be a client and the second entity may be a server.
    Type: Grant
    Filed: January 13, 2015
    Date of Patent: August 11, 2015
    Assignee: CERTIVOX LTD.
    Inventors: Kealan McCusker, Brian Spector, Michael Scott
  • Patent number: 9094215
    Abstract: A method and system for transmission of digital content via e-mail with point of use digital rights management is disclosed. The secured access rights to the digital content may be customized for individual recipients by the sender, and may evolve over time. The access rights are enforced according to a time-dependent scheme. A key server is used to arbitrate session keys for the encrypted content, eliminating the requirement to exchange public keys prior to transmission of the digital content. During the entire process of transmitting and receiving e-mail messages and documents, the exchange of cryptographic keys remains totally transparent to the users of the system. Additionally, electronic documents may be digitally signed with authentication of the signature.
    Type: Grant
    Filed: January 24, 2014
    Date of Patent: July 28, 2015
    Assignee: NL Systems, LLC
    Inventors: Patrick Carson Meehan, Zachary Wisenbaker Price, Raymond Joseph Zambroski, Jr., William Henry Frenchu, Shawn Patrick Hickey, Jesse Lee White, Anthony Allen Mohr, Jeremy Wayne Gomsrud
  • Patent number: 9077524
    Abstract: A system and method for providing an indication of randomness quality of random number data generated by a random data service. The random data service may provide random number data to one or more applications adapted to generate key pairs used in code signing applications, for example. In one aspect, the method comprises the steps of: retrieving random number data from the random data service; applying one or more randomness tests to the retrieved random number data to compute at least one indicator of the randomness quality of the random number data; associating the at least one indicator with at least one state represented by a color; and displaying the color associated with the at least one indicator to a user. The color may be displayed in a traffic light icon, for example.
    Type: Grant
    Filed: November 20, 2012
    Date of Patent: July 7, 2015
    Assignee: BlackBerry Limited
    Inventors: Neil Patrick Adams, Herbert Anthony Little, Michal Andrzej Rybak, Michael Grant Kirkup, David Francis Tapuska
  • Patent number: 9069935
    Abstract: A system, business methodology and apparatus for facilitating controlled dissemination of digital works is disclosed. An audio and video organizer, entertainment, and communication unit that plays back audio and video media content received from a central storage server. The unit relies on a smartcard, which has a personalized key that unlocks encrypted content. Using the unit, a user can purchase music or other types of media using an appropriate ordering method. The central storage server then transmits a double-encrypted, compressed audio file to the unit, where it is decrypted based on the smartcard key, and available for listening.
    Type: Grant
    Filed: June 17, 2013
    Date of Patent: June 30, 2015
    Inventor: Mark Nair
  • Patent number: 9071588
    Abstract: A device for use in a system with multiple receiving units, and multiple intermediate units each configured to communicate with the device and at least some of the multiple receiving units, includes a communication module configured to send information toward and receive information from the receiving units and the intermediate units, a memory, and a processor coupled to the memory and the communication module.
    Type: Grant
    Filed: October 4, 2012
    Date of Patent: June 30, 2015
    Assignee: RPX Clearinghouse LLC
    Inventor: Lakshminath Dondeti
  • Patent number: 9043930
    Abstract: Systems and methods for screening applicants are disclosed herein. A method of screening applicants is performed by a screening server. The server begins by receiving a selection of screening services and an applicant profile that identifies an applicant. The screening continues by generating screening results specified by the selection of screening services based on the applicant profile. A property manager is then notified that the screening results are available for the applicant based upon the applicant profile. The screening results are then provided to the property manager based upon the applicant profile. Based on these screening results, the screener or property manager can make a decision about the applicant and communicate a decision action to the applicant.
    Type: Grant
    Filed: April 5, 2013
    Date of Patent: May 26, 2015
    Assignee: TransUnion Rental Screening Solutions, Inc.
    Inventors: Michael A. Britti, Robert D. Thornley, Joel R. Springer, Michael J. Mauseth, Michael J. Collins
  • Patent number: 9037862
    Abstract: Systems for instant messaging private tags preferably comprise a parser for parsing an instant message for sensitive data and an encryption engine for encrypting the sensitive data. A modified uuencoder is also preferably included for converting the encrypted sensitive data into a data stream that complies with an XML format. Other systems and methods are also provided.
    Type: Grant
    Filed: June 4, 2013
    Date of Patent: May 19, 2015
    Assignee: AT&T Intellectual Property I, L.P.
    Inventors: Larry G. Kent, Jr., W. Todd Daniell, Joel A. Davis, Brian K. Daigle
  • Patent number: 9015475
    Abstract: Secure communication of information in a communication network may comprise acquiring a security code from a second communication device by a first communication device and receiving media containing the security code such as a pin code from the first communication device. The security code may be translated into an IP address corresponding to the second communication device. The received media may be routed to the second communication device based on the IP address of the second communication device. In this regard, the IP address of the second communication device remains anonymous or unknown to the first communication device. A duration for which the security code is valid may be limited to a specific time period and/or for a particular number of uses. Notwithstanding, the security code may be acquired out-of-band.
    Type: Grant
    Filed: June 10, 2013
    Date of Patent: April 21, 2015
    Assignee: Broadcom Corporation
    Inventors: Jeyhan Karaoguz, James Bennett
  • Patent number: 8972721
    Abstract: A system and method for remote device registration, to monitor and meter the injection of keying or other confidential information onto a device, is provided. A producer who utilizes one or more separate manufacturers, operates a remote module that communicates over forward and backward channels with a local module at the manufacturer. Encrypted data transmissions are sent by producer to the manufacturer and are decrypted to obtain sensitive data used in the devices. As data transmissions are decrypted, credits from a credit pool are depleted and can be replenished by the producer through credit instructions. As distribution images are decrypted, usage records are created and eventually concatenated, and sent as usage reports back to the producer, to enable the producer to monitor and meter production at the manufacturer.
    Type: Grant
    Filed: April 12, 2013
    Date of Patent: March 3, 2015
    Assignee: Certicom Corp.
    Inventors: Brian Neill, Ashok Vadekar, Patrick Xu
  • Patent number: 8966282
    Abstract: A data processing system 2 includes a single instruction multiple data register file 12 and single instruction multiple processing circuitry 14. The single instruction multiple data processing circuitry 14 supports execution of cryptographic processing instructions for performing parts of a hash algorithm. The operands are stored within the single instruction multiple data register file 12. The cryptographic support instructions do not follow normal lane-based processing and generate output operands in which the different portions of the output operand depend upon multiple different elements within the input operand.
    Type: Grant
    Filed: September 26, 2012
    Date of Patent: February 24, 2015
    Assignee: ARM Limited
    Inventors: Matthew James Horsnell, Richard Roy Grisenthwaite, Daniel Kershaw, Stuart David Biles
  • Patent number: 8959332
    Abstract: A mechanism is provided which allows encrypted data to be de-duplicated such that the de-duplication ratio for encrypted data is similar to the de-duplication ratio of the corresponding un-encrypted data and the purpose of encryption is not obfuscated, i.e. only the originator of the data (the client) can decrypt—and hence read—the data. This is achieved by interweaving the de-duplication algorithm with the encryption algorithm in a way that the data are encrypted with a key that is generated from the unencrypted data. Afterwards, that key is itself encrypted with an encryption key being private to a particular client. Due to the fact that the private key is not affecting the encrypted data stream, it can still be de-duplicated efficiently.
    Type: Grant
    Filed: February 21, 2013
    Date of Patent: February 17, 2015
    Assignee: International Business Machines Corporation
    Inventors: Oliver Augenstein, Stefan Letz
  • Patent number: 8943321
    Abstract: A method, apparatus and computer program product are provided to facilitate authentication of a request, such as by a mobile terminal, while also supplying information about the user to a service, website, application or the like. A method, apparatus and computer program product may provide for interworking a bootstrapping architecture, such as Generic Bootstrapping Architecture, and a shared identity service, such as OpenID architecture. In this regard, a method, apparatus and computer program product may provide for a secure session with a service provider through Generic Bootstrapping Architecture while being able to supply the service provider with the user information and/or accessing a user account using OpenID architecture.
    Type: Grant
    Filed: October 19, 2010
    Date of Patent: January 27, 2015
    Assignee: Nokia Corporation
    Inventors: Silke Holtmanns, Hannes Tschofenig
  • Patent number: 8929543
    Abstract: A method comprises maintaining, in a first node serving a mobile terminal over a connection protected by at least one first key, said first key and information about the key management capabilities of the mobile terminal. Upon relocation of the mobile terminal to a second node the method includes: if, and only if, said key management capabilities indicate an enhanced key management capability supported by the mobile terminal, modifying, by said first node, the first key, thereby creating a second key, sending, from the first node to the second node, the second key, and transmitting to the second node the information about the key management capabilities of the mobile terminal.
    Type: Grant
    Filed: March 16, 2011
    Date of Patent: January 6, 2015
    Assignee: Telefonaktiebolaget L M Ericsson (Publ)
    Inventors: Karl Norrman, Tomas Hedberg, Mats Naslund
  • Patent number: 8930686
    Abstract: A mechanism is provided which allows encrypted data to be de-duplicated such that the de-duplication ratio for encrypted data is similar to the de-duplication ratio of the corresponding un-encrypted data and the purpose of encryption is not obfuscated, i.e. only the originator of the data (the client) can decrypt—and hence read—the data. This is achieved by interweaving the de-duplication algorithm with the encryption algorithm in a way that the data are encrypted with a key that is generated from the unencrypted data. Afterwards, that key is itself encrypted with an encryption key being private to a particular client. Due to the fact that the private key is not affecting the encrypted data stream, it can still be de-duplicated efficiently.
    Type: Grant
    Filed: October 25, 2010
    Date of Patent: January 6, 2015
    Assignee: International Business Machines Corporation
    Inventors: Oliver Augenstein, Stefan Letz
  • Patent number: 8908862
    Abstract: Embodiments are directed to switching of stations STA, access points APs and PCPs that are communicating through a wireless link from one frequency band to another. One embodiment is directed to switching of stations STA that are communicating through a tunneled direct link setup (TDLS) link from one frequency band to another. A multiband element may be added to a TDLS discovery request and TDLS discovery response frames to allow each of the stations communications through a TDLS to determine if the other station has multiband capability. In one embodiment, a pairwise transient key (PTK) is created for both a current band in which the stations STA are communicating and a new band over which the stations may communicate in the future. In this way there is no need to calculate a new pairwise transient key PTK for the new frequency band.
    Type: Grant
    Filed: April 16, 2012
    Date of Patent: December 9, 2014
    Assignee: STMicroelectronics, Inc.
    Inventors: Liwen Chu, George A. Vlantis
  • Patent number: 8898767
    Abstract: A method for digital content protection comprises generating a plurality of frame keys, retrieving a plurality of frames from digital content, and at least one of encrypting and decrypting the digital content with a different frame key that dynamically changes for each frame of the plurality of frames. A storage device comprises a computer-readable medium including encrypted digital content stored thereon, wherein the encrypted digital content is encrypted with a frame key that is different for each frame of the encrypted digital content. A content player comprises a computer-readable medium including instructions stored thereon, that when executed cause a processor to decrypt encrypted digital content by reconstructing a plurality of frame keys that are different from each other that are used to decrypt each frame of the encrypted digital content.
    Type: Grant
    Filed: September 21, 2012
    Date of Patent: November 25, 2014
    Assignee: Mountain Top Digital, L.L.C.
    Inventors: Xi Chen, Stephen Wirthlin Gerritsen
  • Patent number: 8891761
    Abstract: A block encrypting device of the present invention includes: a mixing means (101) that applies universal hash function-based permutation to the (n+m)-bit plaintext to generate a first intermediate variable of n bits and a second intermediate variable of m bits; a first tweakable unit block encrypting means (102) that encrypts the first intermediate variable by use of an encrypting function of an m-bit tweakable n-bit block cipher, using the second intermediate variable as the tweak to generate a third intermediate variable of m bits and a fourth intermediate variable of (n-m) bits; a second tweakable unit block encrypting means (103) that encrypts an n-bit intermediate variable formed by connecting the second intermediate variable and the fourth intermediate variable, by use of the encrypting function, using the third intermediate variable as the tweak to generate a fifth intermediate variable of n bits; and an inverse mixing means (104) that applies universal hash function-based inverse-permutation to result
    Type: Grant
    Filed: January 23, 2012
    Date of Patent: November 18, 2014
    Assignee: NEC Corporation
    Inventor: Kazuhiko Minematsu
  • Patent number: 8886927
    Abstract: A method, an apparatus and a system for preventing DDoS (Distributed Denial of Service) attacks in a cloud system. The method for preventing DDoS attacks in a cloud system includes: monitoring, by a protection node in a cloud system, data traffic input into virtual machines, where the cloud system includes the protection node and multiple virtual machines, and data streams communicated between the virtual machines pass through the protection node; extracting data streams to be input into virtual machines if it is detected that the data traffic input into the virtual machines is abnormal; sending the extracted data streams to a traffic cleaning apparatus for cleaning; receiving the data streams cleaned by the traffic cleaning apparatus; and inputting the cleaned data streams into the virtual machines. The technical solutions provided in the embodiments of the present disclosure can effectively prevent DDoS attacks between virtual machines in the cloud system.
    Type: Grant
    Filed: January 14, 2013
    Date of Patent: November 11, 2014
    Assignee: Huawei Technologies Co., Ltd.
    Inventor: Wu Jiang
  • Patent number: 8887241
    Abstract: Embodiments of the present invention address deficiencies of the art in respect to access control and provide a method, system and computer program product for access control management for a composite application. In a first embodiment, a method for role-based access control management for a composite application can be provided. The method can include selecting a component for deployment in a composite application and parsing a security policy for the component to identify a mapping between a specific role for the component and a virtual role for the composite application. Binding logic can be generated from the security policy and the component can be deployed into the composite application. Finally, security access operations for the virtual role can be processed through method calls to operations defined in the binding logic.
    Type: Grant
    Filed: February 22, 2006
    Date of Patent: November 11, 2014
    Assignee: International Business Machines Corporation
    Inventors: Kathryn H. Britton, Dieter Buehler, William P. Higgins, Yi-Hsiu H. Wei, Chunhui Yang
  • Patent number: 8856878
    Abstract: System(s) and method(s) are provided to configure access rights to wireless resources and telecommunication service(s) supplied through a set of access points (APs). Access to wireless resources is authorized by access attributes in access control list(s) (ACL(s)) while a profile of service attributes linked to the ACL(s) regulate provision of telecommunication service(s). Access and service attributes can be automatically or dynamically configured, at least in part, in response to changes in data that directly or indirectly affects an operation environment in which the set of APs is deployed. Automatic or dynamic configuration of access or service attributes enable control or coordination of wireless service provided through the set of APs; degree of control or coordination is determined at least in part by enablement or disablement of disparate services for disparate devices at disparate access points at disparate times and with disparate service priority.
    Type: Grant
    Filed: July 3, 2013
    Date of Patent: October 7, 2014
    Assignee: AT&T Intellectual Property I, L.P.
    Inventors: Randolph Wohlert, Milap Majmundar