Patents by Inventor Klaus Kursawe
Klaus Kursawe has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 11297170
Abstract: A method of transmitting data to a receiver via a network includes transmitting a sequence of first data packets to the receiver via the network, each first data packet including payload data and identification data, the identification data identifying the respective first data packet, the identification data being different for each first data packet. The method also includes transmitting a corresponding second data packet for each first data packet to the receiver via the network, each second data packet including the data enabling identification of the corresponding first data packet and additional data related to the corresponding first data packet, the data enabling identification of the corresponding first data packet enabling the receiver to associate each second data packet with the corresponding first data packet.
Type: Grant
Filed: December 26, 2018
Date of Patent: April 5, 2022
Assignee: NAGRAVISION S.A.
Inventors: Brecht Wyseur, Klaus Kursawe
-
Publication number: 20200382521
Abstract: A network security interface component includes a first network interface, a second network interface separate from the first network interface, and a unidirectional connection connecting the first network interface to the second network interface. The network security interface component also includes an authentication module connected between the first network interface and the unidirectional connection. The unidirectional connection is configured to allow data transfer from the first network interface to the second network interface via the unidirectional connection and to prevent data transfer from the second network interface to the first network interface via the unidirectional connection. The authentication module is configured to add authentication data to data received at the first network interface by which the data received at the first network interface can be authenticated.
Type: Application
Filed: December 21, 2018
Publication date: December 3, 2020
Applicant: NAGRAVISION S.A.
Inventors: Klaus KURSAWE, Brecht WYSEUR
-
Publication number: 20200322464
Abstract: A method of transmitting data to a receiver via a network includes transmitting a sequence of first data packets to the receiver via the network, each first data packet including payload data and identification data, the identification data identifying the respective first data packet, the identification data being different for each first data packet. The method also includes transmitting a corresponding second data packet for each first data packet to the receiver via the network, each second data packet including the data enabling identification of the corresponding first data packet and additional data related to the corresponding first data packet, the data enabling identification of the corresponding first data packet enabling the receiver to associate each second data packet with the corresponding first data packet.
Type: Application
Filed: December 26, 2018
Publication date: October 8, 2020
Applicant: NAGRAVISION S.A.
Inventors: Brecht WYSEUR, Klaus KURSAWE
-
Patent number: 10545554
Abstract: The resource metering system comprises: an end-point device (25) consuming a resource, in particular for usage in a building (2) or in an outdoor lighting system, said device comprising a detection unit that produces status information and an indicator of usefulness; a smart meter (20) comprising: a communication circuitry provided with an interface adapted for receiving from said device status information and said indicator of usefulness; a metrology device connected to a medium (17) that provides the resource to said device; and a control circuitry connected to the metrology device for collecting resource consumption data, the control circuitry being connected to the communication circuitry and adapted to produce monitoring data to be securely transmitted to a server (10) after processing the status information and said indicator. Monitoring data are used when determining consumption tariffs, so as to encourage energy efficient usage of the device.
Type: Grant
Filed: October 24, 2011
Date of Patent: January 28, 2020
Assignee: SIGNIFY HOLDING B.V.
Inventors: Robert Paul Koster, Klaus Kursawe, Alphons Antonius Maria Lambertus Bruekers, Paulus Mathias Hubertus Mechtildis Anton Gorissen, Ileana R. Buhan, Petrus Johannes Lenoir, Sye Loong Keoh
-
Patent number: 9268918
Abstract: It is described a method for encrypting and a method for decrypting at least a portion (155) of a dataset being stored in a memory (150), wherein the dataset has at least two dimensions. The described multi-dimensional cryptographic methods comprise forming a first keystream (165) being assigned to a first dimension of the dataset and forming a second keystream (175) being assigned to a second dimension of the dataset. The encrypting method further comprises encrypting each data packet of the portion (155) of the dataset by using a combination of the first keystream (165) and the second keystream (175). The decrypting method further comprises decrypting each data packet of the portion (155) of the dataset by using a combination of the first keystream (165) and the second keystream (175).
Type: Grant
Filed: March 11, 2008
Date of Patent: February 23, 2016
Assignee: NXP, B.V.
Inventors: Klaus Kursawe, Timothy Kerins
-
Patent number: 9077520
Abstract: A method for securing communications between a first node (N1) and a second node (N2) in a network (1) further comprising a management device (2) provided with root keying materials, the method comprising the following steps: the management device generating, based on root keying materials, a first node keying material shares comprising a number of sub-elements and the first node keying material shares being arranged for generating a first complete key, the management device selecting a subset of sub-elements of the first keying material shares, the number of sub-elements selected being less or equal than the total number of sub-elements of the first keying material shares, and the selected sub-elements forming a first node partial keying material shares or symmetric-key generation engine, the first node generating, based on the first node symmetric-key generation engine and on an identifier of the second node, a first key, used for securing communications with the second node.
Type: Grant
Filed: March 16, 2010
Date of Patent: July 7, 2015
Assignee: KONINKLIJKE PHILIPS N.V.
Inventors: Oscar Garcia Morchon, Bozena Erdmann, Klaus Kursawe
-
Publication number: 20150023498
Abstract: A coin share generator (5) is employed in a system for performing a threshold coin tossing scheme. The coin share generator (5) comprises a coin determining unit (6) for determining a coin value, and a coin share generating unit (7) for generating a coin share based on a coin value and a private key associated with a set of attributes, to obtain a coin share associated with the set of attributes. The system further comprises a coin share verifier (8) that has a coin share determining unit (9) for determining a coin share to be verified, wherein the coin share is associated with a set of attributes, and a coin share verifying unit (10) for verifying a validity of the coin share, taking into account the set of attributes associated with the coin share.
Type: Application
Filed: March 7, 2013
Publication date: January 22, 2015
Inventors: Muhammad Asim, Klaus Kursawe
-
Patent number: 8707435
Abstract: The invention relates to a method for identifying compromised nodes in a ZigBee network comprising a general trust center, divided in at least two security domains, each security domain corresponding to a spatial or temporal area, and being associated with a different root keying material, and each node being identified by an identifier, the method comprising: upon detection of a node (U1) entering into a security domain (SD), the general trust center (TC) distributing to the node at least one keying material share corresponding to the entered security domain, and upon detecting corruption of at least two security domains, determining, for each security domain, based on information registered by the base station (BTS), a respective set of nodes having received keying material corresponding to said security domain, comparing the respective sets of nodes and identifying the common nodes as being compromised.
Type: Grant
Filed: May 28, 2010
Date of Patent: April 22, 2014
Assignee: Koninklijke Philips N.V.
Inventors: Oscar Garcia Morchon, Klaus Kursawe
-
Patent number: 8594326
Abstract: The invention provides a method of generating arbitrary numbers given a seed, characterized by providing a challenge derived from the seed to a physical token, receiving an initial response from the physical token, combining the initial response with helper data associated with the challenge to produce a stable response, and generating the arbitrary numbers using a pseudo-random number generator using the stable response as a seed for the generator. Preferably one or more of these pseudo-random permutations are used as one or more round function(s) in a Feistel block cipher. The generated arbitrary numbers may also be used to create a cryptographic key.
Type: Grant
Filed: November 26, 2007
Date of Patent: November 26, 2013
Assignee: Koninklijke Philips N.V.
Inventors: Timothy Kerins, Klaus Kursawe, Pim Theo Tuyls
-
Publication number: 20130297087
Abstract: The resource metering system comprises: an end-point device (25) consuming a resource, in particular for usage in a building (2) or in an outdoor lighting system, said device comprising a detection unit that produces status information and an indicator of usefulness; a smart meter (20) comprising: a communication circuitry provided with an interface adapted for receiving from said device status information and said indicator of usefulness; a metrology device connected to a medium (17) that provides the resource to said device; and a control circuitry connected to the metrology device for collecting resource consumption data, the control circuitry being connected to the communication circuitry and adapted to produce monitoring data to be securely transmitted to a server (10) after processing the status information and said indicator. Monitoring data are used when determining consumption tariffs, so as to encourage energy efficient usage of the device.
Type: Application
Filed: October 24, 2011
Publication date: November 7, 2013
Applicant: KONINKLIJKE PHILIPS ELECTRONICS N.V.
Inventors: Robert Paul Koster, Klaus Kursawe, Alphons Antonius Maria Lambertus Bruekers, Paulus Mathias Hubertus Mechtildis Anton Gorissen, Ileana Buhan, Petrus Johannes Lenoir, Sye Loong Keoh
-
Patent number: 8446250
Abstract: This invention relates to a method and system for providing digital security by means of a reconfigurable physical uncloneable function, RPUF. The RPUF comprises a physical system constituted by distributed components arranged to generate a first response when receiving a first challenge at a point of the physical system. The physical reconfiguring of the RPUF comprises redistributing the components such that they generate a second response, which differs from said first response, when again applying the first challenge at the point. The reconfiguration step is further utilized in providing secure storage for digital items. The digital item is data of any kind, including data that needs to be accessed and updated, i.e. which is dynamic in nature. The method is exemplified by implementations such as secure storage of a key, a secure counter and a seed generator.
Type: Grant
Filed: June 10, 2008
Date of Patent: May 21, 2013
Assignee: Intrinsic ID B.V.
Inventors: Klaus Kursawe, Pim T. Tuyls
-
Patent number: 8271791
Abstract: A method for digitally signing of electronic documents which are to be kept secure for a very long time, thereby taking into account future cryptographic developments which could render currently cryptographic key-lengths insufficient. A double signature is issued for each document. A first digital signature ensures the long term security, while a second digital signature ensures the involvement of an individual user. Thereby, the second digital signature is less computationally intensive in its generation than the first digital signature.
Type: Grant
Filed: May 28, 2008
Date of Patent: September 18, 2012
Assignee: International Business Machines Corporation
Inventors: Peter Buhler, Klaus Kursawe, Roman Maeder, Michael Osborne
-
Publication number: 20120195431
Abstract: The present invention relates to a method for operating a first node in a network, the network including a plurality of nodes, the method comprising (a) the first node having a first identifier joining the network by transmitting the first identifier to a second node having a second identifier, (b) the first node generating a first key on the basis of the second identifier (c) the first node authenticating the second node by means of the first key, (d) the first node communicating with a third node if the first and second keys are equal.
Type: Application
Filed: October 7, 2010
Publication date: August 2, 2012
Applicant: KONINKLIJKE PHILIPS ELECTRONICS N.V.
Inventors: Oscar Garcia Morchon, Heribert Baldus, Klaus Kursawe
-
Publication number: 20120114123
Abstract: The invention relates to a method for securely broadcasting sensitive data in a wireless sensor networks comprising a central device, called trust center, and a plurality of sensor nodes, the trust center being initialized with a cryptographic hash chain and each node being initialized with a node key and the anchor of the trust center hash chain, the method comprising the following steps: the trust center broadcasting a first secure message to the nodes, each node, after reception of the first message, creating a first acknowledgment message, and transmitting it back to the trust center, the trust center checking whether all the nodes have transmitted respective first acknowledgment message, and in case all messages have been received, the trust center securely broadcasting sensitive data in a third message, the nodes checking, based on elements included in the first message, whether sensitive data actually originates from the trust center.
Type: Application
Filed: July 9, 2010
Publication date: May 10, 2012
Applicant: KONINKLIJKE PHILIPS ELECTRONICS N.V.
Inventors: Oscar Garcia Morchon, Klaus Kursawe
-
Publication number: 20120084863
Abstract: The invention relates to a method for identifying compromised nodes in a ZigBee network comprising a general trust center, divided in at least two security domains, each security domain corresponding to a spatial or temporal area, and being associated with a different root keying material, and each node being identified by an identifier, the method comprising: upon detection of a node (U1) entering into a security domain (SD), the general trust center (TC) distributing to the node at least one keying material share corresponding to the entered security domain, and upon detecting corruption of at least two security domains, determining, for each security domain, based on information registered by the base station (BTS), a respective set of nodes having received keying material corresponding to said security domain, comparing the respective sets of nodes and identifying the common nodes as being compromised.
Type: Application
Filed: May 28, 2010
Publication date: April 5, 2012
Applicant: KONINKLIJKE PHILIPS ELECTRONICS N.V.
Inventors: Oscar Garcia Morchon, Klaus Kursawe
-
Publication number: 20120047361
Abstract: The present invention relates to a method for securing communications between a resource-restricted device (1) and a receiving device (2) according to a wireless protocol, the method comprising the following steps: -storing, in a first part (11) of a non-volatile memory of the resource-restricted device (1), at least one encrypted payload, -storing, in a second part (12) of the non-volatile memory of the resource-restricted device (1), a pointer pointing towards an encrypted payload stored in the memory, -when a transmission is to be performed by the resource-restricted device (1), sending the encrypted payload indicated by the pointer, and storing, in the second part (12) of the non-volatile memory an updated pointer indicating a next-to-be-used encrypted payload stored in the memory.
Type: Application
Filed: April 26, 2010
Publication date: February 23, 2012
Applicant: KONINKLIJKE PHILIPS ELECTRONICS N.V.
Inventors: Bozena Erdmann, Philip Andrew Rudland, Klaus Kursawe, Oscar Garcia Morchon
-
Publication number: 20110317838
Abstract: A method for securing communications between a first node (N1) and a second node (N2) in a network (1) further comprising a management device (2) provided with root keying materials, the method comprising the following steps: the management device generating, based on root keying materials, a first node keying material shares comprising a number of sub-elements and the first node keying material shares being arranged for generating a first complete key, the management device selecting a subset of sub-elements of the first keying material shares, the number of sub-elements selected being less or equal than the total number of sub-elements of the first keying material shares, and the selected sub-elements forming a first node partial keying material shares or symmetric-key generation engine, the first node generating, based on the first node symmetric-key generation engine and on an identifier of the second node, a first key, used for securing communications with the second node.
Type: Application
Filed: March 16, 2010
Publication date: December 29, 2011
Applicant: KONINKLIJKE PHILIPS ELECTRONICS N.V.
Inventors: Oscar Garcia Morchon, Bozena Erdmann, Klaus Kursawe
-
Publication number: 20110153944
Abstract: A variety of circuits, methods and devices are implemented for secure storage of sensitive data in a computing system. A first dataset that is stored in main memory is accessed and a cache memory is configured to maintain logical consistency between the main memory and the cache. In response to determining that a second dataset is a sensitive dataset, the cache memory is directed to store the second dataset in a memory location of the cache memory without maintaining logical consistency with the dataset and main memory.
Type: Application
Filed: December 22, 2009
Publication date: June 23, 2011
Inventor: Klaus Kursawe
-
Publication number: 20100176920
Abstract: This invention relates to a method and system for providing digital security by means of a reconfigurable physical uncloneable function, RPUF. The RPUF comprises a physical system constituted by distributed components arranged to generate a first response when receiving a first challenge at a point of the physical system. The physical reconfiguring of the RPUF comprises redistributing the components such that they generate a second response, which differs from said first response, when again applying the first challenge at the point. The reconfiguration step is further utilized in providing secure storage for digital items. The digital item is data of any kind, including data that needs to be accessed and updated, i.e. which is dynamic in nature. The method is exemplified by implementations such as secure storage of a key, a secure counter and a seed generator.
Type: Application
Filed: June 10, 2008
Publication date: July 15, 2010
Applicant: INTRINSIC ID BV
Inventors: Klaus Kursawe, Pim T. Tuyls
-
Publication number: 20100138669
Abstract: It is described a method for encrypting and a method for decrypting at least a portion (155) of a dataset being stored in a memory (150), wherein the dataset has at least two dimensions. The described multi-dimensional cryptographic methods comprise forming a first keystream (165) being assigned to a first dimension of the dataset and forming a second keystream (175) being assigned to a second dimension of the dataset. The encrypting method further comprises encrypting each data packet of the portion (155) of the dataset by using a combination of the first keystream (165) and the second keystream (175). The decrypting method further comprises decrypting each data packet of the portion (155) of the dataset by using a combination of the first keystream (165) and the second keystream (175).
Type: Application
Filed: March 11, 2008
Publication date: June 3, 2010
Applicant: NXP, B.V.
Inventors: Klaus Kursawe, Timothy Kerins