Abstract: In connection with network elements in a network, enhancing security by measuring proximity between elements, that are communicating with each other, by using facilities of secure devices and secure elements in the network. In some embodiments, secured information stored in a device certificate comprises a device processing delay, and the device processing delay is used in calculating a net response time which is compared to a threshold.

Abstract: A method for enforcing use of certificate revocation lists in validating certificates, the lists being associated with a series of list generation indices such that each list is assigned one index which advances according to a time of generation of the list, the lists and the indices being cryptographically signed, the method including receiving one of the lists and an associated index as an identifier of the one list, checking the certificates against the list, associating each of the certificates, which have been checked against the list, with the index, receiving an enforcement generation index (EGI) associated with a latest list in use, storing the EGI as a last known EGI, and refusing performance of an action associated with a certificate if the one index of the one certificate is earlier in the series than the last known EGI. Related apparatus and methods are also included.

Abstract: A system for scrambling/descrambling packets of a stream of content, each packet having a must stay clear (MSC) section, the system including an input handler including a receiving module to receive the stream, a characteristic analyzer to analyze the stream in order to determine a data independent characteristic of each packet, and a scrambling /descrambling device operationally associated with the input handler, the scrambling/descrambling device including a receiving module to receive the data independent characteristic for each packet from the input handler, and an Initial Value module to determine an Initial Value for each packet as a function of the data independent characteristic of one of the packets being processed, wherein the scrambling/descrambling device is adapted to scramble and/or descramble the packets based on the Initial Value and a Control Word. Related apparatus and methods are included.

Abstract: A method and an apparatus for protecting digital content, in which an output format for received compressed encrypted digital content is determined based, at least in part, on a rule determining whether clear compressed output format is allowed. When the clear compressed output format is not allowed, the content is received in a form in which it has been encrypted by at least two different encryption methods, and processing of the content comprises a combination of decrypting in accordance with one of the encryption methods and decompression in an atomic operation.

Abstract: A method for hindering detection of information unintentionally leaked from a secret held in a memory unit is described, the method including receiving a triggering event waiting for at least a first amount of time to pass after the receipt of the triggering event, the memory unit being in a non-operational state during the at least a first amount of time after the at least a first amount of time has passed, changing at least one first condition under which the memory unit operates, thereby causing the memory unit to enter an operational state, waiting for a second amount of time to pass after the changing at least one first condition, and changing, after the second amount of time, at least one second condition under which the memory unit operates, thereby causing the memory unit to enter the non-operational state, wherein access to the secret information is enabled only during the second amount of time, and detection of secret information unintentionally leaked is limited during the first amount of time.

Abstract: A system and a method for providing variable security mechanisms for securing digital content, in which a single security mechanism is not used for all content. Instead, at least one characteristic or feature of the security mechanism is varied between units, instances or categories of content. Therefore, even if unauthorized access is gained to a single unit of content, the overall integrity and security of the system for content distribution is not compromised. Preferably, security is provided though a general mechanism, which is then varied in order to provide variable, dissimilar security schemes for different types of content. By “type of content”, it is meant any of a single unit of content, a single instance of content or a single category of content. For example, for a category of content, the content may be characterized according to the identity of the content itself, such as the title of a movie for example, and/or according to the owner of a particular copy of the content.

Abstract: A method for producing a certificate, the certificate including data, the method including choosing a seed s, the seed s including a result of applying a function H to the data, generating a key pair (E,D), such that E=F(s,t), F being a publicly known function, and including s and t in the certificate. Related methods, and certificates produced by the various methods, are also described.

Abstract: A method and system for assigning a key to a device, the method including providing a device having a processor ID (CID) and an associated processor key (CK) and including a memory, at a first time, storing a personalization data ID (PDID) and associated personalization data (PD) in the memory, at a later time, sending the CID and the PDID to a security provider and receiving an activation value (AV) back from the security provider, the activation value AV being based, at least in part, on the CK and a personalization data key (PDK) associated with the PDID and the PD, computing, in the device, a result, based, at least in part, on the CK and the activation value, the result being produced by applying a first function g to the CK and the AV, such that the result=g(CK, AV), and storing the result in the memory, wherein a second function ƒ is used to compute the value of AV, such that AV=ƒ(CK, PDK), and ƒ includes an inverse function of function g, such that g(CK, ƒ(CK, PDK))=PDK, thereby assigning the personal

Abstract: A method for preventing rendering of content at overlapping time periods on more rendering devices than permitted by a license associated with the content is disclosed.

Abstract: A system and a method for providing variable security mechanisms for securing digital content, in which a single security mechanism is not used for all content. Instead, at least one characteristic or feature of the security mechanism is varied between units, instances or categories of content. Therefore, even if unauthorized access is gained to a single unit of content, the overall integrity and security of the system for content distribution is not compromised. Preferably, security is provided though a general mechanism, which is then varied in order to provide variable, dissimilar security schemes for different types of content. By “type of content”, it is meant any of a single unit of content, a single instance of content or a single category of content. For example, for a category of content, the content may be characterized according to the identity of the content itself, such as the title of a movie for example, and/or according to the owner of a particular copy of the content.

Abstract: A method for securing encryption keys is described, the method including providing a first device and a second device, the first device including first secure hardware and first insecure hardware, and the second device including second secure hardware and second insecure hardware, generating in the first secure hardware at least two period keys, the at least two period keys stored in the first secure hardware, generating in the first secure hardware a plurality of session keys, the session keys being stored in either the first secure hardware or the first insecure hardware, encrypting at least one of the plurality of session keys generated in the first device according to a first of the two period keys included in the first secure hardware, encrypting at least one of the plurality of session keys generated in the first device according to a second of the two period keys included in the first secure hardware, generating in the second secure hardware at least two period keys, the at least two period keys stored

Abstract: A method for enforcing use of certificate revocation lists in validating certificates, the lists being associated with a series of list generation indices such that each list is assigned one index which advances according to a time of generation of the list, the lists and the indices being cryptographically signed, the method including receiving one of the lists and an associated index as an identifier of the one list, checking the certificates against the list, associating each of the certificates, which have been checked against the list, with the index, receiving an enforcement generation index (EGI) associated with a latest list in use, storing the EGI as a last known EGI, and refusing performance of an action associated with a certificate if the one index of the one certificate is earlier in the series than the last known EGI. Related apparatus and methods are also included.

Abstract: A system and a method for providing variable security mechanisms for securing digital content, in which a single security mechanism is not used for all content. Instead, at least one characteristic or feature of the security mechanism is varied between units, instances or categories of content. Therefore, even if unauthorized access is gained to a single unit of content, the overall integrity and security of the system for content distribution is not compromised. Preferably, security is provided through a general mechanism, which is then varied in order to provide variable, dissimilar security schemes for different types of content. By “type of content”, it is meant any of a single unit of content, a single instance of content or a single category of content. For example, for a category of content, the content may be characterized according to the identity of the content itself, such as the title of a movie for example, and/or according to the owner of a particular copy of the content.

Abstract: A method for producing a certificate, the certificate including data, the method including choosing a seed s, the seed s including a result of applying a function H to the data, generating a key pair (E,D), such that E=F(s,t), F being a publicly known function, and including s and t in the certificate. Related methods, and certificates produced by the various methods, are also described.

Abstract: A method for producing an output from an input encoding the output, the method including choosing functions G, F, and H, providing an input x, choosing a random number r, computing x?=G(x, r), sending x? to a computation unit, computing, in the computation unit, y?=F(x?), receiving y? from the computation unit, and computing the output w=H(y?, r), wherein G, F, and H are chosen such that w is not dependent on the choice or r. Related apparatus and methods are also described.

Abstract: A system for scrambling/descrambling packets of a stream of content, each packet having a must stay clear (MSC) section, the system including an input handler including a receiving module to receive the stream, a characteristic analyzer to analyze the stream in order to determine a data independent characteristic of each packet, and a scrambling /descrambling device operationally associated with the input handler, the scrambling/descrambling device including a receiving module to receive the data independent characteristic for each packet from the input handler, and an Initial Value module to determine an Initial Value for each packet as a function of the data independent characteristic of one of the packets being processed, wherein the scrambling/descrambling device is adapted to scramble and/or descramble the packets based on the Initial Value and a Control Word. Related apparatus and methods are included.

Abstract: An intermediate certificate authority (ICA) for a hierarchical certificate authority structure (HCAS), the HCAS having a plurality of levels, the levels including a root level, at least one intermediate level, and a leaf level, the root level having a root certificate authority, the ICA being in the at least one intermediate level, the ICA including a certificate receiving module to receive a first certificate signed by a certificate authority in a level above the level of the ICA, the first certificate certifying an aspect of the ICA, the first certificate having an expiration time, and a certificate signing module to sign a second certificate for a member of the HCAS, prior to the expiration time of the first certificate, such that the second certificate expires after the expiration time of the first certificate, the member being in a level below the level of the ICA, the second certificate certifying an aspect of the member. Related apparatus and methods are also described.

Abstract: A method for producing a certificate, the certificate including data, the method including choosing a seed s, the seed s including a result of applying a function H to the data, generating a key pair (E,D), such that E=F(s,t), F being a publicly known function, and including s and t in the certificate. Related methods, and certificates produced by the various methods, are also described.

Abstract: A method for determining proximity between a first device and a second device, the method comprising providing a first device storing a first device private key, the first device having an associated secure first device certificate storing secured information, the secured information comprising a first device public key corresponding to the first device private key, providing a second device storing a second device private key, the second device having an associated secure second device certificate storing secured information, the secured information comprising a second device public key corresponding to the second device private key, and a second device processing delay, providing a copy of the second device certificate to the first device, establishing a secure authenticated channel between the first device and the second device, sending a proximity challenge from the first device to the second device, the proximity challenge including a numeric challenge value, receiving the proximity challenge at the seco

Abstract: A method for protecting digital content is described. The method includes receiving compressed encrypted digital content (810), determining an output format based, at least in part, on all of the following: a user-requested output format; received control information; and a rule determining whether a clear compressed output format is allowed (820); and producing output from the compressed digital content (830) based on a result of the determining (820), wherein, if the rule does not allow clear compressed output format, the compressed encrypted digital content is provided in a form which prevents production of clear compressed output in the producing step. Related apparatus and methods are also described.