Patents by Inventor Tuomas Aura
Tuomas Aura has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 8806565
Abstract: Secure network location awareness is provided whereby a client is able to use appropriate settings when communicating with an access node of a communications network. In an embodiment a client receives a signed message from the access node, the signed message comprising at least a certificate chain having a public key. In some embodiments the certificate chain may be only a self-signed certificate and in other embodiments the certificate chain is two or more certificates in length. The client validates the certificate chain and verifies the signature of the signed message. If this is successful the client accesses stored settings for use with the access node. The stored settings are accessed at least using information about the public key. In another embodiment the signed message also comprises a location identifier which is, for example, a domain name system (DNS) suffix of the access node.
Type: Grant
Filed: September 12, 2007
Date of Patent: August 12, 2014
Assignee: Microsoft Corporation
Inventors: Tuomas Aura, Michael Roe, Steven Murdoch
-
Patent number: 8700705
Abstract: Sharing of user preferences is described. In an embodiment a user preference associated with a user is shared with a group of users in order to improve the relevance of results they receive. A database is used to store information detailing a number of groups of users extracted from a social network graph, where the social network graph describes connections between users. On receipt of a user preference associated with a user, a group of users containing the user is selected and the user preference is then shared with everyone in the selected group. In a further embodiment, the groups of users in the database may comprise cohesive groups of users and an extended group associated with each cohesive group. When selecting a group to share preference data with, a cohesive group containing the user is first selected and then the preference data is shared with the corresponding extended group.
Type: Grant
Filed: June 11, 2010
Date of Patent: April 15, 2014
Assignee: Microsoft Corporation
Inventors: George Danezis, Tuomas Aura, Shuo Chen, Emre Mehmet Kiciman
-
Patent number: 8261062
Abstract: To allow down-level devices to participate in a network controlled by a protocol including CGAs or ECGAs, the CGA or ECGA authentication may be made optional to allow the down-level devices to execute non-CGA or non-ECGA versions of network protocols, while at the same time allowing the use of CGA- and/or ECGA-authenticated versions of the same protocols. To identify non-cryptographic addresses (e.g., non-CGA and non-ECGA), the address bits of a non-CGA or non-ECGA such that the address cannot be or is probably not an encoding of the hash of a public key. In this manner, a receiving node may properly identify the capabilities of the sending node, perform an appropriate authentication of the message containing the non-cryptographic address, and/or prioritize processing of information contained in the message with the non-cryptographic address.
Type: Grant
Filed: June 22, 2005
Date of Patent: September 4, 2012
Assignee: Microsoft Corporation
Inventors: Tuomas Aura, Michael Roe
-
Patent number: 8239549
Abstract: Dynamic host configuration protocol (DHCP) is extended in order to assist with secure network location awareness. In an embodiment a DHCP client receives a signed DHCP response message from a DHCP server, the signed message comprising at least a certificate chain having a public key. In that embodiment the DHCP client validates the certificate chain and verifies the signature of the signed message. If this is successful the DHCP client accesses stored settings for use with the server. The stored settings are accessed at least using information about the public key. In some embodiments signed DHCPOFFER messages and signed DHCPACK messages are used. In another embodiment the signed DHCP message comprises a location identifier which is, for example, a domain name system (DNS) suffix of a DHCP server.
Type: Grant
Filed: September 12, 2007
Date of Patent: August 7, 2012
Assignee: Microsoft Corporation
Inventors: Tuomas Aura, Michael Roe, Steven Murdoch
-
Publication number: 20110307551
Abstract: Sharing of user preferences is described. In an embodiment a user preference associated with a user is shared with a group of users in order to improve the relevance of results they receive. A database is used to store information detailing a number of groups of users extracted from a social network graph, where the social network graph describes connections between users. On receipt of a user preference associated with a user, a group of users containing the user is selected and the user preference is then shared with everyone in the selected group. In a further embodiment, the groups of users in the database may comprise cohesive groups of users and an extended group associated with each cohesive group. When selecting a group to share preference data with, a cohesive group containing the user is first selected and then the preference data is shared with the corresponding extended group.
Type: Application
Filed: June 11, 2010
Publication date: December 15, 2011
Applicant: Microsoft Corporation
Inventors: George Danezis, Tuomas Aura, Shuo Chen, Emre Mehmet Kiciman
-
Patent number: 7624264
Abstract: An extensible cryptographically generated network address may be generated by forming at least a portion of the network address as a portion of a first hash value. The first hash value may be formed by generating a plurality of hash values by hashing a concatenation of a public key and a modifier using a second hash function until a stop condition. The stop condition may include computing the plurality of hash values for a period of time specified by a time parameter. A second hash value may be selected from the plurality of hash values, and the modifier used to compute that hash value may be stored. A hash indicator may be generated which indicates the selected second hash value. The first hash value may be generated as a hash of a concatenation of at least the public key and the modifier. At least a portion of the node-selectable portion of the network address may include at least a portion of the first hash value.
Type: Grant
Filed: June 22, 2005
Date of Patent: November 24, 2009
Assignee: Microsoft Corporation
Inventors: Tuomas Aura, Michael Roe
-
Patent number: 7610487
Abstract: The hash extension technique used to generate an ECGA may be used to increase the strength of one-way hash functions and/or decrease the number of bits in any situation where some external requirement limits the number of hash bits, and that limit is below what is (or may be in the future) considered secure against brute-force attacks. For example, to decrease the length of human entered security codes (and maintain the same security), and/or to increase the strength of a human entered security code (and maintain the length of the security code), the security code may be generated and/or authenticated using an extended hash method.
Type: Grant
Filed: June 28, 2005
Date of Patent: October 27, 2009
Assignee: Microsoft Corporation
Inventors: Tuomas Aura, Michael Roe
-
Publication number: 20090070474
Abstract: Dynamic host configuration protocol (DHCP) is extended in order to assist with secure network location awareness. In an embodiment a DHCP client receives a signed DHCP response message from a DHCP server, the signed message comprising at least a certificate chain having a public key. In that embodiment the DHCP client validates the certificate chain and verifies the signature of the signed message. If this is successful the DHCP client accesses stored settings for use with the server. The stored settings are accessed at least using information about the public key. In some embodiments signed DHCPOFFER messages and signed DHCPACK messages are used. In another embodiment the signed DHCP message comprises a location identifier which is, for example, a domain name system (DNS) suffix of a DHCP server.
Type: Application
Filed: September 12, 2007
Publication date: March 12, 2009
Applicant: Microsoft Corporation
Inventors: Tuomas Aura, Michael Roe, Steven Murdoch
-
Publication number: 20090070582
Abstract: Secure network location awareness is provided whereby a client is able to use appropriate settings when communicating with an access node of a communications network. In an embodiment a client receives a signed message from the access node, the signed message comprising at least a certificate chain having a public key. In some embodiments the certificate chain may be only a self-signed certificate and in other embodiments the certificate chain is two or more certificates in length. The client validates the certificate chain and verifies the signature of the signed message. If this is successful the client accesses stored settings for use with the access node. The stored settings are accessed at least using information about the public key. In another embodiment the signed message also comprises a location identifier which is, for example, a domain name system (DNS) suffix of the access node.
Type: Application
Filed: September 12, 2007
Publication date: March 12, 2009
Applicant: Microsoft Corporation
Inventors: Tuomas Aura, Michael Roe, Steven Murdoch
-
Publication number: 20060129821
Abstract: Systems and methods for trustworthy enforcement of privacy enhancing technologies within a data processing system enable data processing systems to communicate a believable statement that privacy is being protected in a trustworthy fashion. The invention includes providing for trustworthy enforcement of privacy enhancing technologies by establishing a standardized scheme for a privacy certification and routine inspection of data processing systems implementing privacy enhancing technologies. The regime of certification and inspection may be coupled with other technologies such as cryptography, tamper-evident computing, and runtime security enforcement.
Type: Application
Filed: December 13, 2004
Publication date: June 15, 2006
Applicant: Microsoft Corporation
Inventors: Alf Zugenmaier, Tuomas Aura, Ulfar Erlingsson, Adolf Hohl
-
Publication number: 20060020807
Abstract: To allow down-level devices to participate in a network controlled by a protocol including CGAs or ECGAs, the CGA or ECGA authentication may be made optional to allow the down-level devices to execute non-CGA or non-ECGA versions of network protocols, while at the same time allowing the use of CGA- and/or ECGA-authenticated versions of the same protocols. To identify non-cryptographic addresses (e.g., non-CGA and non-ECGA), the address bits of a non-CGA or non-ECGA such that the address cannot be or is probably not an encoding of the hash of a public key. In this manner, a receiving node may properly identify the capabilities of the sending node, perform an appropriate authentication of the message containing the non-cryptographic address, and/or prioritize processing of information contained in the message with the non-cryptographic address.
Type: Application
Filed: June 22, 2005
Publication date: January 26, 2006
Applicant: Microsoft Corporation
Inventors: Tuomas Aura, Michael Roe
-
Publication number: 20060020796
Abstract: The hash extension technique used to generate an ECGA may be used to increase the strength of one-way hash functions and/or decrease the number of bits in any situation where some external requirement limits the number of hash bits, and that limit is below what is (or may be in the future) considered secure against brute-force attacks. For example, to decrease the length of human entered security codes (and maintain the same security), and/or to increase the strength of a human entered security code (and maintain the length of the security code), the security code may be generated and/or authenticated using an extended hash method.
Type: Application
Filed: June 28, 2005
Publication date: January 26, 2006
Applicant: Microsoft Corporation
Inventors: Tuomas Aura, Michael Roe
-
Publication number: 20060005014
Abstract: An extensible cryptographically generated network address may be generated by forming at least a portion of the network address as a portion of a first hash value. The first hash value may be formed by generating a plurality of hash values by hashing a concatenation of a public key and a modifier using a second hash function until a stop condition. The stop condition may include computing the plurality of hash values for a period of time specified by a time parameter. A second hash value may be selected from the plurality of hash values, and the modifier used to compute that hash value may be stored. A hash indicator may be generated which indicates the selected second hash value. The first hash value may be generated as a hash of a concatenation of at least the public key and the modifier. At least a portion of the node-selectable portion of the network address may include at least a portion of the first hash value.
Type: Application
Filed: June 22, 2005
Publication date: January 5, 2006
Applicant: Microsoft Corporation
Inventors: Tuomas Aura, Michael Roe
-
Patent number: 6711400
Abstract: In telecommunications systems, the traffic can be protected from eavesdropping and the use of a false identity can be prevented by verifying the authenticity of the terminal equipment by means of an authentication procedure. Verifying the authenticity of the terminal equipment is especially important in the mobile communications systems. In the authentication procedure, the network checks the authenticity of the identity stated by the subscriber device. Additionally, the subscriber device can check the authenticity of the network identity. In the systems in accordance with prior art, the secret information required for making the authentication must be transferred via unsecure transfer networks and given to the visited networks. The information makes it possible to make unlimited number of authentications in an unlimited time.
Type: Grant
Filed: October 14, 1999
Date of Patent: March 23, 2004
Assignee: Nokia Corporation
Inventor: Tuomas Aura
-
Patent number: 6373949
Abstract: In the method in accordance with the present invention, the subscriber identifier to be sent to the transmission network is encrypted using a cipher key common to a specific group of subscribers, and a random number is attached to the identifier to be sent to the network. For example, a subscriber group may consist of the subscribers to a single given operator. The section of the identifier specifying the subscriber group is sent to the network in a non-encrypted format, in which case the network is able to direct the encrypted message to such a network element where it can be deciphered.
Type: Grant
Filed: October 14, 1999
Date of Patent: April 16, 2002
Assignee: Nokia Networks Oy
Inventor: Tuomas Aura