Patents by Inventor Tat Keung Chan

Tat Keung Chan has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 9485230
    Abstract: A method provides end-to-end security for transport of a profile to a target device (e.g., a mobile computing device) over at least one communications network that includes a plurality of nodes. In accordance with the method, the profile is encrypted for transport between the target device and an initial node of the network through which the profile is transported. The encryption is an end-to-end inner layer encryption performed prior to hop-to-hop encryption. The encrypting uses a public key of a public, private key pair. The private key is derivable from a seed securely provisioned in the target device using a public key algorithm. The encrypted profile is transmitted over the communications network to the target device.
    Type: Grant
    Filed: June 17, 2015
    Date of Patent: November 1, 2016
    Assignee: GOOGLE TECHNOLOGY HOLDINGS LLC
    Inventors: Madjid Nakhjiri, Tat Keung Chan, Alexander Medvinsky, Eric J. Sprunk
  • Patent number: 9460272
    Abstract: Methods and systems for group licensing of homogeneous and heterogeneous devices features are disclosed. Licensing servers manage the generation and distribution of licenses to devices, and enforce validation rules that prevent granting devices licenses that do not comply with group licensing limits.
    Type: Grant
    Filed: March 14, 2014
    Date of Patent: October 4, 2016
    Assignee: ARRIS Enterprises, Inc.
    Inventors: Jinsong Zheng, Tat Keung Chan, David B Prickett
  • Patent number: 9438584
    Abstract: A method of provisioning DRM credentials on a client device, comprising receiving DRM credentials at an update server from a key generation system, the DRM credentials having been encrypted by the key generation system, receiving a DRM credential request from a client device, the DRM credential request comprising a digital signature, a device class certificate, and an authorization token, authenticating the DRM credential request by validating the digital signature and the device class certificate, extracting and validating the authorization token, and providing the DRM credentials to the client device.
    Type: Grant
    Filed: October 31, 2014
    Date of Patent: September 6, 2016
    Assignee: ARRIS Enterprises, Inc.
    Inventors: Tat Keung Chan, Alexander Medvinsky, Paul Moroney
  • Patent number: 9336361
    Abstract: A system and method for issuing a license for a device through a license server is provided. A server receives identification information for a device that communicates to the server if a first license binding identity and/or a first display identity has changed. A previous license for the device is revoked and a previous license credit is returned to a user's credit pool if the first license binding identity and/or the first display identity has changed. A license request is received, which includes a second license binding identity identifying the device. If the second license binding identity is the same as the first license binding identity, the previous license for the device is issued. If the second license binding identity is not the same as the first license binding identity, a new license for the device is issued and a new license credit is deducted from the user's credit pool.
    Type: Grant
    Filed: March 14, 2013
    Date of Patent: May 10, 2016
    Assignee: ARRIS Enterprises, Inc.
    Inventors: Tat Keung Chan, Paul D Baker, Christopher P Gardner, Xin Qiu, Jinsong Zheng
  • Publication number: 20160021075
    Abstract: A method provides end-to-end security for transport of a profile to a target device (e.g., a mobile computing device) over at least one communications network that includes a plurality of nodes. In accordance with the method, the profile is encrypted for transport between the target device and an initial node of the network through which the profile is transported. The encryption is an end-to-end inner layer encryption performed prior to hop-to-hop encryption. The encrypting uses a public key of a public, private key pair. The private key is derivable from a seed securely provisioned in the target device using a public key algorithm. The encrypted profile is transmitted over the communications network to the target device.
    Type: Application
    Filed: June 17, 2015
    Publication date: January 21, 2016
    Inventors: Madjid Nakhjiri, Tat Keung Chan, Alexander Medvinsky, Eric J. Sprunk
  • Patent number: 9231759
    Abstract: The invention relates to a method of authenticating a user equipment in a communications network. The method involves sending a message from a network entity to the user equipment. This message includes a set of options for an authentication procedure for authenticating an internet protocol communication over a first interface between the user equipment and the network entity; said options including a “shared key”-based authentication procedure. The method also involves selecting an option from the set. In the event that the “shared-key”-based authentication procedure is selected, a shared secret from a security key established in a generic bootstrapping architecture (GBA) is generated over a second interface between the user equipment and a bootstrapping service function. The shared secret is then used to compute and verify authentication payloads in the key-based authentication procedure for the communication over the first interface.
    Type: Grant
    Filed: July 2, 2013
    Date of Patent: January 5, 2016
    Assignee: Core Wireless Licensing S.a.r.l.
    Inventors: Tat Keung Chan, Gabor Bajko
  • Patent number: 9210138
    Abstract: A method provides end-to-end security for transport of a profile to a target device (e.g., a mobile computing device) over at least one communications network that includes a plurality of nodes. In accordance with the method, the profile is encrypted for transport between the target device and an initial node of the network through which the profile is transported. The encryption is an end-to-end inner layer encryption performed prior to hop-to-hop encryption. The encrypting uses a public key of a public, private key pair. The private key is derivable from a seed securely provisioned in the target device using a public key algorithm. The encrypted profile is transmitted over the communications network to the target device.
    Type: Grant
    Filed: April 17, 2013
    Date of Patent: December 8, 2015
    Assignee: GOOGLE TECHNOLOGY HOLDINGS LLC
    Inventors: Madjid Nakhjiri, Tat Keung Chan, Alexander Medvinsky, Eric J. Sprunk
  • Publication number: 20150333915
    Abstract: A method and system is provided for embedding cryptographically modified versions of secret in digital certificates for use in authenticating devices and in providing services subject to conditional access conditions.
    Type: Application
    Filed: July 29, 2015
    Publication date: November 19, 2015
    Inventors: Tat Keung Chan, Alexander Medvinsky, Eric J. Sprunk
  • Publication number: 20150326563
    Abstract: A method of provisioning DRM credentials on a client device, comprising receiving DRM credentials at an update server from a key generation system, the DRM credentials having been encrypted by the key generation system, receiving a DRM credential request from a client device, the DRM credential request comprising a digital signature, a device class certificate, and an authorization token, authenticating the DRM credential request by validating the digital signature and the device class certificate, extracting and validating the authorization token, and providing the DRM credentials to the client device.
    Type: Application
    Filed: October 31, 2014
    Publication date: November 12, 2015
    Inventors: Tat Keung Chan, Alexander Medvinsky, Paul Moroney
  • Patent number: 9184917
    Abstract: A client, method and system for registering a DRM client is disclosed. The method (100) includes the steps of: initiating (110) a registration request via a DRM client with an encrypted registration message including an asymmetric key cryptographic identity, a customer identifier and an application specific information (AINFO) field including a digital signature and a device certificate chain; validating (120) information in the application specific information (AINFO) field by a DRM registration server; and receiving (130) a registration response, the registration response being encrypted and including access information, to obtain content. Advantageously, this method provides an enhanced and reliable means of authentication.
    Type: Grant
    Filed: June 28, 2011
    Date of Patent: November 10, 2015
    Assignee: Google Technology Holdings LLC
    Inventors: Alexander Medvinsky, Paul Moroney, Rafie Shamsaasef, Tat Keung Chan, Madjid F. Nakhjiri
  • Patent number: 9178869
    Abstract: A method and apparatus are provided for locating network resources over a communication network. The method includes receiving a digital certificate identifying a first entity and extracting information from at least one predetermined field of the digital certificate. The extracted information is used as input to a location generation function to create a resource locator (e.g., a URL). The network resource is contacted over the communication network in accordance with a communication protocol using the resource locator to obtain requested information concerning the first entity.
    Type: Grant
    Filed: April 5, 2011
    Date of Patent: November 3, 2015
    Assignee: GOOGLE TECHNOLOGY HOLDINGS LLC
    Inventors: Madjid F. Nakhjiri, Tat Keung Chan
  • Publication number: 20150296035
    Abstract: A method of pushing data from a client to a key collector, comprising preparing one or more SOC keys and one or more SOC IDs at a client, pushing the one or more SOC keys and one or more SOC IDs from the client to one or more key collectors, receiving an acknowledgement at the client from the one or more key collectors in response to pushing the one or more SOC keys and one or more SOC IDs to the key collectors, and installing the one or more SOC keys and one or more SOC IDs on a system-on-chip.
    Type: Application
    Filed: April 14, 2014
    Publication date: October 15, 2015
    Applicant: ARRIS ENTERPRISES, INC.
    Inventors: Eric J. Sprunk, Tat Keung Chan, Xin Qiu, Jason A. Pasion, Oscar L. Jiang
  • Patent number: 9160723
    Abstract: A method is provided for updating identity data on devices. The method provides for acquiring a device comprising a component associated with a component identifier and having a One Time Programmable Key installed on the component, submitting the component identifier and the One Time Programmable Key to an External Trust Authority, receiving new identity data tied to the component identifier from the External Trust Authority that is encrypted with the One Time Programmable Key, loading the new identity data onto an Update Server, receiving a request at the Update Server from the device that requests new identity data, and providing the new identity data upon receipt of the request, upon which the device decrypts and installs the identity data using the One Time Programmable Key installed on the component within the device.
    Type: Grant
    Filed: January 14, 2014
    Date of Patent: October 13, 2015
    Assignee: ARRIS Technology, Inc.
    Inventors: Ting Yao, Alexander Medvinsky, Xin Qiu, Tat Keung Chan
  • Patent number: 8997252
    Abstract: A conditional access system (CAS) computer in a downloadable CAS receives a downloadable management certificate (DMC) and determines, using the DMC, security information including a DMC key size and an expiration time of a DMC subordinate certificate authority (sub-CA) certificate, for the client device. The CAS computer then determines whether the DMC is valid based on the expiration time of the DMC sub-CA certificate. If the DMC is determined to be valid, the CAS server sends a cryptographic identity for the client device and a CAS client to the client device protected using the DMC. At a later time, if the DMC key size is considered to be still sufficiently secure, the validity of the DMC is extended by issuing a new DMC sub-CA certificate with the same public key as the original DMC sub-CA certificate.
    Type: Grant
    Filed: June 4, 2010
    Date of Patent: March 31, 2015
    Assignee: Google Technology Holdings LLC
    Inventors: Alexander Medvinsky, Tat Keung Chan
  • Publication number: 20150013015
    Abstract: Methods and systems for group licensing of homogeneous and heterogeneous devices features are disclosed. Licensing servers manage the generation and distribution of licenses to devices, and enforce validation rules that prevent granting devices licenses that do not comply with group licensing limits.
    Type: Application
    Filed: March 14, 2014
    Publication date: January 8, 2015
    Applicant: General Instrument Corporation
    Inventors: Jinsong Zheng, Tat Keung Chan, David B. Prickett
  • Patent number: 8898469
    Abstract: A method enables selected features of a software product residing on an end user electronic device with a license delivered from a licensing provider to a service provider of the end user electronic device. The method includes requesting at least one license to authorize a first service provider. An encrypted installation key uniquely associated with the first service provider is received as well as an authorization agent module for installation on one or more authorization agent devices associated with the first service provider. The encrypted installation key and the authorization agent module are installed on the authorization agent devices. A device-unique identifier (DUID) is generated for each authorization agent device based on hardware characteristics of the respective authorization agent devices. The DUID and the encrypted installation key are sent from the authorization agent device to a licensing provider to obtain the requested license.
    Type: Grant
    Filed: February 4, 2011
    Date of Patent: November 25, 2014
    Assignee: Motorola Mobility LLC
    Inventors: Tat Keung Chan, Paul D. Baker, Christopher P. Gardner, Mark E. Gregotski, Ted R. Michaud, Xin Qiu, Jinsong Zheng
  • Patent number: 8856509
    Abstract: A method of authentication and authorization over a communications system is provided. Disclosed herein are systems and methods for creating a cryptographic evidence, called authentication/authorization evidence, AE, when a successful authentication/authorization between a client and an authentication server is complete. There are a variety of methods for generating AE. For instance, the AE can be data that is exchanged during the authentication signaling or data that results from it. A distinctive point is that AE results from the authentication process and is used as prior state for the following TLS exchange. An example of the creation of AE is as follows: EAP authentications typically result in an Extended Master Session Key (EMSK). The EMSK can be used to create an Evidence Master Key (EMK) that can then be used to create AE for a variety of servers.
    Type: Grant
    Filed: August 10, 2011
    Date of Patent: October 7, 2014
    Assignee: Motorola Mobility LLC
    Inventors: Madjid F. Nakhjiri, Tat Keung Chan, Alexander Medvinsky
  • Publication number: 20140281502
    Abstract: A method and system is provided for embedding cryptographically modified versions of secret in digital certificates for use in authenticating devices and in providing services subject to conditional access conditions.
    Type: Application
    Filed: March 15, 2013
    Publication date: September 18, 2014
    Applicant: GENERAL INSTRUMENT CORPORATION
    Inventors: Tat Keung Chan, Alexander Medvinsky, Eric J Sprunk
  • Publication number: 20140280828
    Abstract: A system and method for issuing a license for a device through a license server is provided. A server receives identification information for a device that communicates to the server if a first license binding identity and/or a first display identity has changed. A previous license for the device is revoked and a previous license credit is returned to a user's credit pool if the first license binding identity and/or the first display identity has changed. A license request is received, which includes a second license binding identity identifying the device. If the second license binding identity is the same as the first license binding identity, the previous license for the device is issued. If the second license binding identity is not the same as the first license binding identity, a new license for the device is issued and a new license credit is deducted from the user's credit pool.
    Type: Application
    Filed: March 14, 2013
    Publication date: September 18, 2014
    Applicant: GENERAL INSTRUMENT CORPORATION
    Inventors: Tat Keung Chan, Paul D. Baker, Christopher P. Gardner, Xin Qiu, Jinsong Zheng
  • Patent number: 8797150
    Abstract: A real-time management networking system for a manufacturing environment, e.g., chemical, assembly, automobile, electronic, petroleum. In a specific embodiment, the system has a spatial region, which is adapted for one or more manufacturing equipment devices. The one or more manufacturing equipment devices are associated with a manufacture of a product. In a specific embodiment, the manufacturing equipment is able to generate a high frequency noise, which causes interference with a conventional data signal, which is often unshielded. In a specific embodiment, the system has a power line gateway device provided within a desired region of the spatial region.
    Type: Grant
    Filed: August 24, 2007
    Date of Patent: August 5, 2014
    Assignee: Asoka USA Corporation
    Inventor: Tat Keung Chan