Patents Examined by Tod Swann
  • Patent number: 6249869
    Abstract: An integrated circuit card includes a memory storing service data relating to at least one service. At least part of the memory comprises data in file structures within one directory including at least a first file and a second file. The service data is grouped together in at least one service slot. Each service slot is divided into a profile part and a data part. Each profile part has a slot number and is arranged to function as an authorization mechanism. Each profile part is stored in the first file and comprises a unique application identifier. Each data part is at least partly stored in the second file and comprises data related to a given service. And the memory stores at least one key to protect write access to the first and second files. A secure application module and a terminal are also provided for controlling service actions to be carried out by the terminal on the integrated circuit card.
    Type: Grant
    Filed: July 10, 1997
    Date of Patent: June 19, 2001
    Assignee: Koninklijke KTN N.V.
    Inventors: Michel Marco Paul Drupsteen, Albertus Feiken
  • Patent number: 6249582
    Abstract: An apparatus and method for reducing the overhead of a block cipher includes shortening the length of the initialization vector so that its length is less than the length of each block of information processed by the block cipher. The block cipher is utilized in cipher block chaining mode. The shortened vector is loaded into the block cipher with other pseudo-random bits. Cipher block chaining prevents the overall cycle length of the block cipher from decreasing. Thus, channel burden of repeatedly transmitting the initialization vector is reduced because it is shorter, but security is not unduly diminished because cycle length is not diminished. Late entry can be achieved. Also, combination of this method with coasting can increase accurate synchronization even in severely corrupted channels. Security level versus amount of vector shortening can be selected.
    Type: Grant
    Filed: December 31, 1997
    Date of Patent: June 19, 2001
    Assignee: Transcrypt International, Inc.
    Inventor: James E. Gilley
  • Patent number: 6249872
    Abstract: A system and method for protecting a non-volatile storage element of an electronic system from an unauthorized write access is described. The method features the operational steps of entering a mode of operation in which an authentication process is performed, placing a security circuit of the electronic system in a first predetermined state of operation before leaving the mode of operation, checking the current state of the security circuit, and halting further operations of the electronic system if the security circuit exists in a state of operation other than the first predetermined state of operation.
    Type: Grant
    Filed: January 5, 1998
    Date of Patent: June 19, 2001
    Assignee: Intel Corporation
    Inventors: Frank L. Wildgrube, Mark Albrecht
  • Patent number: 6249583
    Abstract: A method for encryption and decryption of analog signal, wherein encryption and decryption are performed in analog domain. The transmitter creating digital representations with unique behavior; producing computation instructions for each digital representation; randomly generating analog identification signals with random waveform appearance and yet preserving common behavior as in said digital representation; encryption through partitioning said analog signal and inserting said analog identification signals prior to, in between, and/or after said partitioned analog signal segments. As a result, encrypted analog signal sequence becomes totally destructed to unauthorized receivers.
    Type: Grant
    Filed: August 8, 1997
    Date of Patent: June 19, 2001
    Inventors: Venson M. Shaw, Steven M. Shaw
  • Patent number: 6246771
    Abstract: A system and method for providing access to an encrypted communication involves recording the session during which the communication is encrypted, replaying the session to recover data used to recover a session key, accessing a server to retrieve secret information also used to generate the session key, and recreating the session key using the recovered data and secret information. The system and method includes provision for authenticating parties to the key recovery, protecting communications required to retrieve the secret key, and establishing a record of the key recovery to serve as an audit trail.
    Type: Grant
    Filed: November 26, 1997
    Date of Patent: June 12, 2001
    Assignee: V-One Corporation
    Inventors: Leroy K. Stanton, Steven R. Wright, Christopher T. Brook, Russell F. Loane
  • Patent number: 6246768
    Abstract: In order to encrypt plaintext data while maintaining high security, the plaintext data is received and divided into a plurality of plaintext data blocks, each of which has the same bit length. A preset master key is used to obtain a set of round subkeys, and each of the plaintext data blocks is encrypted by using the preset master key and combining the encrypted blocks to thereby provide ciphertext data having a bit length which is identical to that of the plaintext data.
    Type: Grant
    Filed: July 13, 1998
    Date of Patent: June 12, 2001
    Assignee: Penta Security Systems, Inc.
    Inventor: Yong-Duk Kim
  • Patent number: 6243813
    Abstract: A personal computer having a security function is provided.
    Type: Grant
    Filed: April 8, 1998
    Date of Patent: June 5, 2001
    Assignee: Samsung Electronics Co., Ltd.
    Inventor: Won-keun Kong
  • Patent number: 6240188
    Abstract: A group key management system and method for providing secure many-to-many communication is presented. The system employs a binary distribution tree structure. The binary tree includes a first internal node having a first branch and a second branch depending therefrom. Each of the branches includes a first member assigned to a corresponding leaf node. The first member has a unique binary ID that is associated with the corresponding leaf node to which the first member is assigned. A first secret key of the first member is operable for encrypting data to be sent to other members. The first member is associated with a key association group that is comprised of other members. The other members have blinded keys. A blinded key derived from the first secret key of the first member is transmitted to the key association group. Wherein, the first member uses the blinded keys received from the key association group and the first secret key to calculate an unblinded key of the first internal node.
    Type: Grant
    Filed: November 11, 1999
    Date of Patent: May 29, 2001
    Assignee: Matsushita Electric Industrial Co., Ltd.
    Inventors: Lakshminath R. Dondeti, Sarit Mukherjee, Ashok Samal
  • Patent number: 6240515
    Abstract: During a transaction using a magnetic card (16), test data is written to the card (16) at a constantly increasing frequency rate. The test data is then read from the card (16) and the high frequency cut-off point f0 of the card (16) (i.e. the maximum write frequency above which it is no longer possible to read the test data from the card (16)), is determined. The high frequency cut-off point f0 of a magnetic card (16) will gradually decrease over the lifetime of the card as the quality of the magnetic stripe (35) of the card (16) deteriorates. The high frequency cut-off point f0 of the card (16) is compared with the high frequency cutoff point f0′ of the card (16) in the previous transaction using the card (16). If the difference between the cut-off frequencies f0 and f0′ lies within a predetermined acceptable range, the card (16) is regarded as authentic and the transaction is allowed to proceed.
    Type: Grant
    Filed: June 16, 1998
    Date of Patent: May 29, 2001
    Assignee: NCR Corporation
    Inventors: Steven A. Carnegie, John Gardner, Kenneth J. Peters
  • Patent number: 6240187
    Abstract: Improved key management is provided by a public key replacement apparatus and method for operating over insecure networks. An active public key and the mask of a replacement public key are provided by a key server to nodes where the active key is used to encrypt and verify messages. To replace the active public key with the replacement public key, a key replacement message is sent to the node. The key replacement message contains the replacement public key and contains the mask of the next replacement key. The mask of the replacement public key may be generated by hashing or encrypting. The key replacement message is signed by the active public key and the replacement public key. Nodes are implemented by a computer, a smart card, a stored data card in combination with a publicly accessible node machine, or other apparatus for sending and/or receiving messages.
    Type: Grant
    Filed: February 10, 1998
    Date of Patent: May 29, 2001
    Assignee: Visa International
    Inventor: Tony Lewis
  • Patent number: 6237094
    Abstract: A system and method are provided for storing a data element from a first resource in a queue at a second resource. A combination of a data element XN+1 and a signature SQ=S[N] are signed at a first resource to obtain a signature S[XN+1,S[N]], where N is an integer. The data element XN+1 and the signature S[XN+1,S[N]] are sent from the first resource to the second resource to be stored in the queue at the second resource. The signature S[XN+1,S[N]] is stored at the first resource as the new value for SQ.
    Type: Grant
    Filed: June 28, 2000
    Date of Patent: May 22, 2001
    Assignee: AT&T Corporation
    Inventors: Premkumar Thomas Devanbu, Stuart Gerald Stubblebine
  • Patent number: 6233567
    Abstract: A method including the steps of receiving a registration identifier for a client; generating a registration key based on the registration identifier; and transmitting the registration key to the client.
    Type: Grant
    Filed: August 29, 1997
    Date of Patent: May 15, 2001
    Assignee: Intel Corporation
    Inventor: Aaron Michael Cohen
  • Patent number: 6229897
    Abstract: An apparatus and method for improved security in wire or wireless communication systems includes scrambling the audio signal, combining a masking signal with the scrambled audio signal, and then transmitting the scrambled masked signal. To recover the original audio, a receiver must be synchronized and know the characteristics of the masking signal and the scrambling technique. Such a receiver removes the masking signal, descrambles the audio and thus recovers the original audio. Any attempted interception of the communication would hear white noise, and even if the white noise mask were removed, the communication would still have the security level of the scrambling. The mask removes any remnants of the original audio that might be used to try to locate and intercept the communication.
    Type: Grant
    Filed: October 30, 1997
    Date of Patent: May 8, 2001
    Assignee: Transcrypt International, Inc.
    Inventors: James R. Holthaus, Max Aaron Caldwell
  • Patent number: 6230266
    Abstract: An authentication method and process are provided. One aspect of the process of the present invention includes authorizing a first on-line revocation server (OLRS) to provide information concerning certificates issued by a certificate authority (CA) that have been revoked. If the first OLRS is compromised, a second OLRS is authorized to provide certificate revocation information, but certificates issued by the CA remain valid unless indicated by the second OLRS to be revoked.
    Type: Grant
    Filed: February 3, 1999
    Date of Patent: May 8, 2001
    Assignee: Sun Microsystems, Inc.
    Inventors: Radia Joy Perlman, Stephen R. Hanna
  • Patent number: 6230269
    Abstract: An authentication system for a distributed network having multiple clients and a server enables a user to log on at any one of the clients with a password and receive his/her associated public/private key pair. The client computes a hash of the user ID to produce a first hash value H(ID) and a hash of the user ID concatenated with the user password P to produce a second hash value H(ID/P). The client constructs a message M containing the hash value H(ID), the hash value H(ID/P), and a randomly generated session key SK. The client encrypts the message M using the server's public key and sends the encrypted message to the server. The server decrypts the message using its private key to recover the message M. The server initially checks to see if the hash values are subject to a hostile cryptographic attack. If the check is negative, the server generates key source material S as a function of the hash value H(ID), the hash value H(ID/P), and a private value that is confidential to the server.
    Type: Grant
    Filed: March 4, 1998
    Date of Patent: May 8, 2001
    Assignee: Microsoft Corporation
    Inventors: Terence R. Spies, Pradyumna K. Misra
  • Patent number: 6229895
    Abstract: In accordance with a first aspect, a remote server receives video programming in a first encrypted form and stores the video programming. After the remote server receives a request from a subscriber station for transmission of the video programming, the remote server decrypts the video programming, re-encrypts the video programming into a second encrypted form, and then transmits the video programming to the subscriber station. In accordance with a second aspect, a remote server receives video programming in a first encrypted form, decrypts the video programming, re-encrypts the video programming into a second encrypted form, and then stores the video programming. After the remote server receives a request from a subscriber station, the remote server simply transmits the video programming. In accordance with a third aspect, a remote server receives video programming in a first encrypted form and stores the video programming.
    Type: Grant
    Filed: March 12, 1999
    Date of Patent: May 8, 2001
    Assignee: DIVA Systems Corp.
    Inventors: Yong Ho Son, Christopher Goode
  • Patent number: 6230272
    Abstract: A method and system for protecting a multipurpose data string used for both decrypting data and for authenticating a user utilizes a remote storage element that contains a long random data string or password protected by a short easy to remember access data, such as a personal identification number or other user authentication mechanism. The remote storage element contains data used for both initially encrypting secret private keys and for later decrypting the encrypted secret private keys, or other secret data, so they can be used to decrypt data transferred within a computer network, or be used for digitally signing data transferred within a computer network.
    Type: Grant
    Filed: October 14, 1997
    Date of Patent: May 8, 2001
    Assignee: Entrust Technologies Limited
    Inventors: Roland T. Lockhart, Michael J. Wiener
  • Patent number: 6226743
    Abstract: A memory containing an authenticated search tree that serves for authenticating membership or non membership of items in a set. The authenticated search tree including a search tree having nodes and leaves and being associated with a search scheme. The nodes including dynamic search values and the leaves including items of the set. The nodes are associated, each, with a cryptographic hash function value that is produced by applying a cryptographic hash function to the cryptographic hash values of the children nodes and to the dynamic search value of the node. The root node of the authenticated search tree is authenticated by a digital signature.
    Type: Grant
    Filed: January 22, 1998
    Date of Patent: May 1, 2001
    Assignee: Yeda Research and Development Co., Ltd.
    Inventors: Moni Naor, Yaacov Nissim
  • Patent number: 6226749
    Abstract: A method and apparatus for operating a set of resources under the control of a secure processor, e.g. security module, having a command authentication means and a command execution means, to achieve secure control of the resources. The secure processor stores a set of command primitives for functional control of the resources. A set of defined commands for invoking command primitives has either a secured command format including a command sequence ID, a command code, and a set of command data items or a non-secured command format including a command code and a set of command data items. The secure processor stores a command set up table including command type flags to designate each command as a secured command or a non-secured command. An application program running in an external device includes a plurality of the defined commands in either secured command format or the non-secured command format and these are sent one at a time to the secure processor for execution.
    Type: Grant
    Filed: July 6, 1998
    Date of Patent: May 1, 2001
    Assignee: Hewlett-Packard Company
    Inventors: Marius M. Carloganu, John F. Sheets
  • Patent number: 6219794
    Abstract: This invention describes a secure method for consistently reproducing a digital key using a biometric, such as a fingerprint. The digital key is linked to the biometric only through a secure block of data, known as the protected filter. The key cannot be released from the protected filter other than via the interaction with the correct biometric image. Once generated, the digital key may be used in a system as an encryption/decryption key, or as a personal identification number (PIN).
    Type: Grant
    Filed: October 8, 1997
    Date of Patent: April 17, 2001
    Assignee: Mytec Technologies, Inc.
    Inventors: Colin Soutar, Danny B. Roberge, Alexei Stoianov, Rene M. Gilroy, Vijayakumar Bhagavatula