Patents by Inventor Joao Girao

Joao Girao has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 10313142
    Abstract: For providing a simple network access process which can be used for accessing network with focus on a single service a process for providing network access for a user via a Network Provider (NP) to a Service Provider (SP) is claimed, the process including: establishing a connection between the user and the Network Provider (NP) by user's request to access the Service Provider (SP); authenticating of the user by a user's Identity Provider (IdP) on request of the Network Provider (NP); transmitting data from the Identity Provider (IdP) to the Network Provider (NP), so that the Network Provider (NP) has the information that the Service Provider (SP) or a third party is payee of the access fees; and providing the access for the user via the Network Provider (NP) to the Service Provider (SP) by the Network Provider (NP).
    Type: Grant
    Filed: July 22, 2009
    Date of Patent: June 4, 2019
    Assignee: NEC CORPORATION
    Inventors: Hugo Santos, Joao Girao
  • Patent number: 9710674
    Abstract: A method for executing applications on an untrusted device includes selecting one or more applications as sensitive applications. One or more instruction sequences of the said one or more sensitive applications are modified by an external dongle. The one or more sensitive applications are executed on the untrusted device according to the modified instruction sequences. Whether correct execution of the instructions of the said modified instruction sequences has occurred is checked by the external dongle.
    Type: Grant
    Filed: November 6, 2013
    Date of Patent: July 18, 2017
    Assignee: NEC CORPORATION
    Inventors: Ghassan Karame, Joao Girao, Wenting Li
  • Patent number: 9609000
    Abstract: A method for executing a secure application on an untrusted user equipment having storage means with at least one protected region includes establishing a secure or authenticated communication channel between a trusted device and the user equipment. Secure application information of the secure application is provided via the communication channel to be executed on the user equipment. Correctness of the secure application information is checked. Execution of the secure application is initiated on the user equipment via the communication channel such that the secure application is stored in the protected region of the storage means.
    Type: Grant
    Filed: May 10, 2013
    Date of Patent: March 28, 2017
    Assignee: NEC CORPORATION
    Inventors: Ghassan Karame, Joao Girao
  • Publication number: 20150326584
    Abstract: A method for executing a secure application on an untrusted user equipment having storage means with at least one protected region includes establishing a secure or authenticated communication channel between a trusted device and the user equipment. Secure application information of the secure application is provided via the communication channel to be executed on the user equipment. Correctness of the secure application information is checked. Execution of the secure application is initiated on the user equipment via the communication channel such that the secure application is stored in the protected region of the storage means.
    Type: Application
    Filed: May 10, 2013
    Publication date: November 12, 2015
    Inventors: Ghassan KARAME, Joao GIRAO
  • Publication number: 20150254468
    Abstract: A method for executing applications on an untrusted device includes selecting one or more applications as sensitive applications. One or more instruction sequences of the said one or more sensitive applications are modified by an external dongle. The one or more sensitive applications are executed on the untrusted device according to the modified instruction sequences. Whether correct execution of the instructions of the said modified instruction sequences has occurred is checked by the external dongle.
    Type: Application
    Filed: November 6, 2013
    Publication date: September 10, 2015
    Applicant: NEC Europe Ltd.
    Inventors: Ghassan Karame, Joao Girao, Wenting Li
  • Patent number: 9032487
    Abstract: A method and system for providing service access to a user, includes the steps of: a) Registering a local identity provider located in a local network at a global identity provider with a local identifier of the local identity provider, b) Requesting service access requiring identity authentication to a service provider by a user located in the local network, c) Requesting an identity management service from the global identity provider by the service provider, d) Redirecting the user's access request to the local identity provider according to the provided local identifier within the local network, e) Checking if the local identifier corresponds to the local network of the user, f) Providing the requested identity management service to the service provider by the global identity provider in accordance with a result of the checking according to step e), and g) Granting service access for the user to the service provider.
    Type: Grant
    Filed: November 11, 2011
    Date of Patent: May 12, 2015
    Assignee: NEC Europe Ltd.
    Inventors: Marcus Kuhnen, Joao Girao, Yukiko Endo
  • Patent number: 9003187
    Abstract: Method for supporting a reputation mechanism in a network including one or more domains with one or more users being connected to the domains, one or more Identity Providers that manage identity information, and at least one entity that functions as Web Service Consumer for the users. When a user requests a Web Service Consumer of one of the domains for a web service provided by a Web Service Provider, the requested Web Service Consumer requests its known Identity Providers regarding a recommendation of the Web Service Provider. The Identity Providers function as recommendation aggregators by collecting reputation assessments of the Web Service Provider from entities registered on the Identity Providers who return an aggregated recommendation to the requested Web Service Consumer that determines a trust assessment about the Web Service Provider. A privacy homomorphism is employed for providing an encrypted exchange of recommendation related information.
    Type: Grant
    Filed: October 29, 2010
    Date of Patent: April 7, 2015
    Assignee: NEC Europe Ltd.
    Inventors: Joao Girao, Felix Gomez Marmol
  • Patent number: 8638928
    Abstract: A key exchanging apparatus transmits the contribution data to the plurality of counterpart apparatuses, generates a signer contribution confirmation signature with respect to a contribution data set including all the contribution data received from the plurality of counterpart apparatuses, generates auxiliary data and auxiliary data validity certification sentence from the contribution data set and the contribution random number, transmits the auxiliary data, the auxiliary data validity certification sentence and the contribution confirmation signature to the plurality of counterpart apparatuses, verifies validity of auxiliary data by using the counterpart identifier set, the counterpart public key set, the contribution confirmation signature set including the data received from the plurality of counterpart apparatuses, the auxiliary data set and the auxiliary data validity certification sentence set, and generates a public key from the contribution data set and the auxiliary data received from the plurality
    Type: Grant
    Filed: April 17, 2008
    Date of Patent: January 28, 2014
    Assignee: NEC Corporation
    Inventors: Jun Furukawa, Frederik Armknecht, Joao Girao
  • Patent number: 8606879
    Abstract: A method for supporting management and exchange of distributed data of a user or an entity, in particular user profile information data, is characterized in that a protocol is provided that employs SAML (Security Assertion Markup Language) as bearer protocol in such a way that SAML messages function as containers for DST (Data Service Template) or DST-like messages in order to compose SAML DST messages, wherein the DST or DST-like messages include data processing information, and wherein for the DST or DST-like messages unified protocol namespaces are defined as the protocol specific namespaces.
    Type: Grant
    Filed: March 12, 2010
    Date of Patent: December 10, 2013
    Assignee: NEC Europe Ltd.
    Inventors: Florian Winkler, Joao Girao, Hugo Santos, Joao Dá Silva
  • Publication number: 20130304488
    Abstract: A method coordinating home services is provided, including receiving a request for home services from a customer over a network and forwarding the request from the customer to a home services coordinator over the network. A reputation system assists the home services coordinator to select a service provider based on customer needs, preferences, and a reputation of the service provider. Information sufficient to permit the service provider to select a home delivery provider that can satisfy customer needs is provided to the selected service provider over the network. The selected home delivery provider is provided with access to customer data and with access to a customer physical system over the network, to provide the service. Feedback is requested from the customer after the service has been delivered, and is used in the reputation system to update the customer preferences and the reputation of the service provider.
    Type: Application
    Filed: May 8, 2013
    Publication date: November 14, 2013
    Inventors: Joao Girao, Brigitta Lange, Nils Gruschka, Gines Dolera Tormo, Felix Gomez Marmol
  • Publication number: 20130219474
    Abstract: A method and system for providing service access to a user, includes the steps of: a) Registering a local identity provider located in a local network at a global identity provider with a local identifier of the local identity provider, b) Requesting service access requiring identity authentication to a service provider by a user located in the local network, c) Requesting an identity management service from the global identity provider by the service provider, d) Redirecting the user's access request to the local identity provider according to the provided local identifier within the local network, e) Checking if the local identifier corresponds to the local network of the user, f) Providing the requested identity management service to the service provider by the global identity provider in accordance with a result of the checking according to step e), and g) Granting service access for the user to the service provider.
    Type: Application
    Filed: November 11, 2011
    Publication date: August 22, 2013
    Applicant: NEC EUROPE LTD.
    Inventors: Marcus Kuhnen, Joao Girao, Yukiko Endo
  • Patent number: 8510550
    Abstract: A method for managing data in a preferably non real-time sensor network, wherein the network comprises a multitude of sensor nodes to sense data, wherein the network is divided into clusters with each consisting of several sensor nodes, wherein within each cluster a sensor node acts as aggregator node to aggregate the sensed data of the rest of the sensor nodes of the cluster, and wherein always a pre-configurable number of neighbored clusters are combined to groups and the data aggregated within a cluster are stored by the aggregator node of the cluster itself and in addition by another aggregator node of a cluster of the respective group is characterized in that the data is encrypted with homomorphic methods before being stored persistently.
    Type: Grant
    Filed: June 26, 2006
    Date of Patent: August 13, 2013
    Assignee: NEC Corporation
    Inventors: Dirk Westhoff, Joao Girao, Einar Mykletun
  • Patent number: 8340301
    Abstract: A method for establishing a secret key between two nodes in a communication network, in particular in a wireless local area network (WLAN), includes concealment of the fact that a key exchange occurs, one of the nodes—first node (B)—broadcasts one or more packets (Pi) that can be received by the other node—second node (A)—, wherein the packets (Pi) contain each a first key (Ki) and wherein the packets (Pi) are each encrypted with a second key (ki) before being sent, the second node (A) randomly chooses one packet (Pm) from the packets (Pi) received and breaks the encryption of the chosen packet (Pm) in order to obtain the first key (Km), and the second node (A) initiates a key exchange protocol, wherein the second node (A) encrypts the message to be sent for initiating the key exchange protocol with the revealed key (Km).
    Type: Grant
    Filed: July 30, 2007
    Date of Patent: December 25, 2012
    Assignee: NEC Europe, Ltd.
    Inventors: Joao Girao, Frederik Armknecht, Alfredo Matos, Rui Luis Aguiar
  • Patent number: 8295491
    Abstract: A method for aggregating data in a network, particularly in a wireless sensor network, wherein the network (1) includes a plurality of sensor nodes (Ni) to measure data and at least one sink node (S) at which the data measured by the sensor nodes (Ni) are aggregated, and wherein each sensor node (Ni) encrypts its measured data with a key k and forwards the result towards the sink node (S), is characterized in that, in the context of a key distribution within the network (1), a master key K is chosen, and that the master key K is autonomously split up by the network (1) into individual keys ki to be used by the sensor nodes (Ni) for encrypting measured data, with the sum of all individual keys ki being equal to the master key K.
    Type: Grant
    Filed: April 25, 2007
    Date of Patent: October 23, 2012
    Assignee: NEC Europe Ltd.
    Inventors: Frederik Armknecht, Joao Girao, Dirk Westhoff
  • Publication number: 20120260092
    Abstract: Method for supporting a reputation mechanism in a network including one or more domains with one or more users being connected to the domains, one or more Identity Providers that manage identity information, and at least one entity that functions as Web Service Consumer for the users. When a user requests a Web Service Consumer of one of the domains for a web service provided by a Web Service Provider, the requested Web Service Consumer requests its known Identity Providers regarding a recommendation of the Web Service Provider. The Identity Providers function as recommendation aggregators by collecting reputation assessments of the Web Service Provider from entities registered on the Identity Providers who return an aggregated recommendation to the requested Web Service Consumer that determines a trust assessment about the Web Service Provider. A privacy homomorphism is employed for providing an encrypted exchange of recommendation related information.
    Type: Application
    Filed: October 29, 2010
    Publication date: October 11, 2012
    Applicant: NEC EUROPE LTD.
    Inventors: Joao Girao, Felix Gomez Marmol
  • Publication number: 20120042042
    Abstract: A method for supporting management and exchange of distributed data of a user or an entity, in particular user profile information data, is characterized in that a protocol is provided that employs SAML (Security Assertion Markup Language) as bearer protocol in such a way that SAML messages function as containers for DST (Data Service Template) or DST-like messages in order to compose SAML DST messages, wherein the DST or DST-like messages include data processing information, and wherein for the DST or DST-like messages unified protocol namespaces are defined as the protocol specific namespaces.
    Type: Application
    Filed: March 12, 2010
    Publication date: February 16, 2012
    Applicant: NEC EUROPE LTD.
    Inventors: Florian Winkler, Joao Girao, Hugo Santos, Joao Da Silva
  • Publication number: 20110307939
    Abstract: Provided is an account issuance system that can open an account owner in a service server to the outside without revealing personal information. Terminal 1 transmits joint identification information set by a user to account server 3. After having received the joint identification information from terminal 1, account server 3 generates a public ID to enable a third party different from the user to identify the user by using the joint identification information and a unique ID, and transmits the public ID to user terminal 1. After having received the public ID, user terminal 1 transmits the public ID to service server 2. After having received the public ID from user terminal 1, service server 2 sets the public ID so that the public ID can be opened to the outside.
    Type: Application
    Filed: February 4, 2010
    Publication date: December 15, 2011
    Inventors: Aya Okashita, Joao Girao
  • Patent number: 8024573
    Abstract: A method for authentication of elements of a group, especially for authentication of sensor nodes in a preferably wireless sensor network is disclosed. The group has one specific element—leading element—with which each of the group elements can exchange information and wherein the authentication of the group elements takes place with regard to the leading element. The leading element sends an authentication request to the group elements wherein the authentication request is the same for all the group elements. The group elements each send authentication responses—based on the authentication request—to the leading element, with the authentication responses being different for each group element.
    Type: Grant
    Filed: October 5, 2005
    Date of Patent: September 20, 2011
    Assignee: NEC Corporation
    Inventors: Dirk Westhoff, Joao Girao
  • Publication number: 20110213688
    Abstract: For providing a simple network access process which can be used for accessing network with focus on a single service a process for providing network access for a user via a Network Provider (NP) to a Service Provider (SP) is claimed, the process including: establishing a connection between the user and the Network Provider (NP) by user's request to access the Service Provider (SP); authenticating of the user by a user's Identity Provider (IdP) on request of the Network Provider (NP); transmitting data from the Identity Provider (IdP) to the Network Provider (NP), so that the Network Provider (NP) has the information that the Service Provider (SP) or a third party is payee of the access fees; and providing the access for the user via the Network Provider (NP) to the Service Provider (SP) by the Network Provider (NP).
    Type: Application
    Filed: July 22, 2009
    Publication date: September 1, 2011
    Applicant: NEC EUROPE LTD.
    Inventors: Hugo Santos, Joao Girao
  • Publication number: 20100319068
    Abstract: A method for performing delegation of resources, in particular services, wherein a user—resource owner—has access to a resource offered by a service provider and wherein the resource is delegated to at least one other user—delegate—by using delegation credentials, is characterized in that the method includes the steps of defining authorization rules for the delegate regarding resource access restrictions and registering the authorization rules at an identity provider thereby employing the delegation credentials, performing an authentication of the delegate at the service provider, and performing an authorization of the delegate at the identity provider based on the authorization rules. Furthermore, a corresponding system is disclosed.
    Type: Application
    Filed: August 27, 2008
    Publication date: December 16, 2010
    Applicant: NEC EUROPE LTD
    Inventors: Daniele Abbadessa, Joao Girao