Including Authentication Patents (Class 380/229)
  • Patent number: 8667518
    Abstract: A method for operating a signal receiver which authorizes controlled access, comprising providing an authentication token device having a predetermined usage limit stored therein, providing a reading device for reading the authentication token device, and for implementing the predetermined usage limit while deauthorizing the authentication token device for use with other reading devices, comprising a signal generator for communicating with a signal receiver through a wireless transmission, receiving the wireless transmission at the signal receiver, to permit access based on the received transmission, and upon exceeding the predetermined usage limit, deauthorizing further access.
    Type: Grant
    Filed: November 3, 2008
    Date of Patent: March 4, 2014
    Assignee: Quadriga Worldwide Limited
    Inventor: Erik Gerardus Adriaan Kuijlaars
  • Patent number: 8653938
    Abstract: A method of protection of a near-field contactless communication system against malicious attacks. The method includes exchange of information between a reader and a contactless card of duration T, measured with respect to a starting instant t0 seen from the reader, decoding of this information by the card, sending by the card a return signal temporally set with respect to an instant t′0+T, where t′0 is the starting instant as seen by the card taking into account delays in propagation or processing of signals received from the reader, detection of the return signal by the reader, determination of the temporal setting of the return signal with respect to the starting instant t0, and interruption of communication by the reader if the temporal setting of the return signal detected is not equal to the instant t0+T with a predetermined margin of error. The return signal is a pseudo-random sequence.
    Type: Grant
    Filed: December 15, 2010
    Date of Patent: February 18, 2014
    Assignee: Commissariat a l'energie Atomique et aux Energies Alternatives
    Inventors: Olivier Savry, Pierre-Henri Thevenon
  • Patent number: 8639930
    Abstract: Some embodiments provide a verification system for automated verification of entities. The verification system automatedly verifies entities using a two part verification campaign. One part verifies that the entity is the true owner of the entity account to be verified. This verification step involves (1) the entity receiving a verification code at the entity account and returning the verification code to the verification system, (2) the entity associating an account that it has registered at a service provider to an account that the verification system has registered at the service provider, (3) both. Another part verifies the entity can respond to communications that are sent to methods of contact that have been previously verified as belonging to the entity. The verification system submits a first communication with a code using a verified method of contact. The verification system then monitors for a second communication to be returned with the code.
    Type: Grant
    Filed: November 7, 2011
    Date of Patent: January 28, 2014
    Assignee: Credibility Corp.
    Inventors: Jeffrey M. Stibel, Aaron B. Stibel, Peter Delgrosso, Shailen Mistry, Bryan Mierke, Paul Servino, Charles Chi Thoi Le, David Lo, David Allen Lyon
  • Patent number: 8638932
    Abstract: A security method and system for maintaining security between a client and a server and a computer-readable medium storing a computer program for executing the security method are provided. The security system includes a memory which stores current authentication information; an authentication information transmission module which transmits the current authentication information to a server and receives latest authentication information from the server; an authentication information management module which authenticates the latest authentication information using the current authentication information and updates the current authentication information with the latest authentication information if the latest authentication information is successfully authenticated; and an authentication module which authenticates data received from the server using the updated current authentication information stored in the memory.
    Type: Grant
    Filed: September 14, 2006
    Date of Patent: January 28, 2014
    Assignee: Samsung Electronics Co., Ltd.
    Inventor: Sun-bal Kim
  • Patent number: 8630955
    Abstract: Disclosed herein is a financial card system. The system includes a communications device on which a non-contact integrated circuit chip is installed; and an authentication terminal having a reader/writer allowing reading/writing information on the communications device and capable of transmission and reception of information with the communications device through the reader/writer. The communications device has a storage block, a common area information transmission block, and an individual area information transmission block. The reader/writer of the authentication terminal has a storage block, a common area information reception block, and an individual area information reception block.
    Type: Grant
    Filed: December 14, 2010
    Date of Patent: January 14, 2014
    Assignee: Felica Networks, Inc.
    Inventors: Toshiya Kurasaki, Hideaki Kihara
  • Patent number: 8625788
    Abstract: A system architecture provides a hardware-based root of trust solution for supporting distribution and playback of premium digital content. In an embodiment, hardware root of trust for digital content and services is a solution where the basis of trust for security purposes is rooted in hardware and firmware mechanisms in a client computing system, rather than in software. From this root of trust, the client computing system constructs an entire media processing pipeline that is protected for content authorization and playback. In embodiments of the present invention, the security of the client computing system for content processing is not dependent on the operating system (OS), basic input/output system (BIOS), media player application, or other host software.
    Type: Grant
    Filed: January 5, 2011
    Date of Patent: January 7, 2014
    Assignee: Intel Corporation
    Inventors: Ramesh Pendakur, Walter C. Gintz, Daniel Nemiroff, Mousumi M. Hazra
  • Patent number: 8627507
    Abstract: There is disclosed a media file distribution system and method. An asset management and delivery system and method for the distribution of digital files and data is provided. There are two major functions, with sub-functions within each. The system first serves as a fully automated management system for a company involved in video/file distribution, such as in video on demand (VOD) or other digital file industries. The system can ingest, prepare, schedule, transmit, track and report on any aspect of the business chain. Secondly, it also serves as a product for both content providers and recipients to be able to view, manage and run their entire content offering remotely from anywhere through the Internet.
    Type: Grant
    Filed: March 23, 2009
    Date of Patent: January 7, 2014
    Assignee: Vubiquity Entertainment Corporation
    Inventors: Christopher Stasi, Kelly Perdue, Dom Stasi
  • Patent number: 8600897
    Abstract: A flexible product distribution and payment system for computer network based electronic commerce is disclosed. Primary content data is made available to customers through a detachable local storage medium, such as a DVD or CD-ROM disc, or over a network connection. The primary content is capable of being accessed and played back through a computer or game console at the customer site. The primary content distribution may comprise a superset of content that is intended to be used by the customer. The customer is allowed to view and access the encoded primary content, and is charged only for the primary content that is used. Content that is encoded on the medium but that is not used by the customer remains on the medium but is not charged. A content database and customer database maintained at the primary customer site maintain records of products ordered and used by the customer, as well as identification and use patterns associated with the user.
    Type: Grant
    Filed: June 30, 2006
    Date of Patent: December 3, 2013
    Assignee: Sony Computer Entertainment America LLC
    Inventor: Masayuki Chatani
  • Patent number: 8578159
    Abstract: A method and apparatus for establishing security associations between nodes of an ad hoc wireless network includes two authentication steps: an initial first contact step (authentication, authorization, and accounting (AAA)-based authentication), and a “light-weight” step that reuses key material generated during first contact. A mesh authenticator within the network provides two roles. The first role is to implement an 802.1X port access entity (PAE), derive transient keys used for encryption with a supplicant mesh point via a four-way handshake and take care of back end communications with a key distributor. The second role is as a key distributor that implements a AAA-client and derives keys used to authenticate a mesh point during first contact or fast security association. The key distributor and the on-line authentication server can communicate to one another without these messages being transported over mesh links.
    Type: Grant
    Filed: September 7, 2006
    Date of Patent: November 5, 2013
    Assignee: Motorola Solutions, Inc.
    Inventors: Stephen P. Emeott, Anthony J. Braskich
  • Patent number: 8572390
    Abstract: A method for transmitting data, a receiving method, related devices, and an aircraft equipped with the devices. The method includes determining an authentication word of the data; processing the data to obtain processed data; and transmitting the processed data on a transmission channel.
    Type: Grant
    Filed: March 27, 2007
    Date of Patent: October 29, 2013
    Assignee: Airbus Operations S.A.S.
    Inventors: Agnes Leclercq, Cecile Colle-Morlec
  • Patent number: 8572378
    Abstract: The present invention provides a method for protecting the first message of a security protocol and the method includes the following steps: 1) initialization step; 2) the initiating side sends the first message; 3) the responding side receives the first message. The method for protecting the first message of the security protocol provided by the present invention can implement that: 1) Pre-Shared Master Key (PSMK), which is shared by the initiating side and responding side, and the security parameter in the first message are bound by using computation function of Message Integrality Code (MIC) or Message Authentication Code (MAC), and thus the fabrication attack of the first message in the security protocol is avoided effectively; 2) during computing the MIC or MAC of the first message, only PSMK and the security parameter of the first message are selected to be computed, and thus the computation load of the initiating side and the responding side is effectively reduced and the computation resource is saved.
    Type: Grant
    Filed: December 7, 2009
    Date of Patent: October 29, 2013
    Assignee: China Iwncomm Co., Ltd.
    Inventors: Xiaolong Lai, Jun Cao, Yuelei Xiao, Manxia Tie, Zhenhai Huang, Bianling Zhang, Yanan Hu
  • Patent number: 8572708
    Abstract: A method that provides efficient integration of infrastructure for federated single sign on (e.g. Liberty ID-FP framework) and generic bootstrapping architecture (e.g. 3GPP GAA/GBA architecture) uses an integrated proxy server (IAP). The IAP is inserted in the path between a user and a service provider (SP). The IAP differentiates type of access and determines corresponding operative state to act as a liberty enabled server or as a GAA/GBA network application function. A Bootstrapping, Identity, Authentication and Session Management arrangement (BIAS) leverages on 3GPP GAA/GBA infrastructure to provide an integrated system for handling Liberty Federated SSO and 3GPP GAA/GBA bootstrapping procedures at the same time. This method and arrangement provides improved use of infrastructure elements and performance for authenticated service access.
    Type: Grant
    Filed: December 28, 2006
    Date of Patent: October 29, 2013
    Assignee: Telefonaktiebolaget L M Ericsson (publ)
    Inventors: Luis Barriga, David Castellanos Zamora
  • Patent number: 8560849
    Abstract: A system and method for secure communication is provided. A first hash-based message authentication code is generated from a shared secret and a first counter value stored in storage of a computing device. A second hash-based message authentication code is generated from such shared secret and a second counter value. An encryption key is derived from a function of the first hash-based message authentication code and the second hash-based message authentication code. A message is encrypted using the encryption key, and communicated via a network interface of the computing device.
    Type: Grant
    Filed: March 23, 2011
    Date of Patent: October 15, 2013
    Assignee: Diversinet Corp.
    Inventors: Salah Machani, Jun Sun, Konstantin Teslenko
  • Patent number: 8560848
    Abstract: A system including a temporal key module, a nonce module, a security module, and an encryption module. The temporal key module generates a first temporal key used to encrypt a plurality of packets. The nonce module generates a nonce for each packet encrypted based on the first temporal key. Each nonce includes a packet number that is different than packet numbers associated with other nonces generated by the nonce module. The packet number is greater than N bits in length, where N is an integer greater than 40. The security module determines when the packet number included in the nonce generated by the nonce module is greater than or equal to a predetermined threshold. The encryption module encrypts more than 2^(N-1) packets using the first temporal key and the nonces without reusing a value of the packet number.
    Type: Grant
    Filed: August 18, 2010
    Date of Patent: October 15, 2013
    Assignee: Marvell World Trade Ltd.
    Inventors: Yong Liu, Paul A. Lambert, Raja Banerjea
  • Patent number: 8549604
    Abstract: A user authentication method and system. A computing system receives from a user, a first request for accessing specified functions executed by a specified software application. The computing system enables a security manager software application and connects the specified software application to a computing apparatus. The computing system executes first security functions associated with the computing apparatus. The computing system executes second security functions associated with additional computing apparatuses. The computing system determines if the user may access the specified functions executed by the specified software application based on results of executing the first security functions and the second security functions. The computing system generates and stores a report indicating the results.
    Type: Grant
    Filed: March 23, 2009
    Date of Patent: October 1, 2013
    Assignee: International Business Machines Corporation
    Inventors: Sara H. Basson, Dimitri Kanevsky, Edward Emile Kelley, Irina Rish
  • Patent number: 8549284
    Abstract: A method and system is provided for performing a certificate validity check between a vehicle receiving a message and an entity transmitting the message in a vehicle-to-entity communication system. The message includes a digital certificate. A determination is made whether the digital certificate is expired. A determination is made whether the digital certificate is listed in a local certificate revocation list stored in a memory of the vehicle in response to a determination that the digital certificate is not expired, otherwise, disregarding the message. An elapsed time is determined since a last freshness check in response to the digital certificate not being listed in the local certificate revocation list. The elapsed time is compared to a threshold requirement. The digital message is accepted for additional processing in response to the freshness check meeting the threshold requirement, otherwise, the message is disregarded.
    Type: Grant
    Filed: May 9, 2012
    Date of Patent: October 1, 2013
    Assignee: GM Global Technology Operations LLC
    Inventor: Arzad A. Kherani
  • Patent number: 8549282
    Abstract: A method for efficiently decrypting asymmetric SSL pre-master keys is divided into a key agent component that runs in user mode, and an SSL driver running in kernel mode. The key agent can take advantage of multiple threads for decoding keys in a multi-processor environment, while the SSL driver handles the task of symmetric decryption of the SSL encrypted data stream. The method is of advantage in applications such as firewalls with deep packet inspection in which all encrypted data traffic passing through the firewall must be decrypted for inspection.
    Type: Grant
    Filed: June 22, 2007
    Date of Patent: October 1, 2013
    Assignee: Trend Micro Incorporated
    Inventors: Dale Sabo, Gerrard Eric Rosenquist
  • Patent number: 8542825
    Abstract: This specification describes technologies relating to imparting cryptographic information in network communications.
    Type: Grant
    Filed: June 10, 2011
    Date of Patent: September 24, 2013
    Assignee: Adobe Systems Incorporated
    Inventors: Asa Whillock, Edward Chan, Srinivas Manapragada, Matthew Kaufman, Pritham Shetty, Michael Thornburgh
  • Patent number: 8533459
    Abstract: According to one embodiment, a conditional access (CA) control system comprises circuitry that is adapted to: (i) transmit information including a unique identifier assigned to a digital device and mating key generator values to the remote source, (ii) receive a mating key from the remote source, the mating key being based on the transmitted unique identifier and mating key generator values, the mating key being used to encrypt data used for scrambling either additional key information or program data prior to transmission to the digital device, and (iii) transmit the mating key generator values and the encrypted data to the digital device, the mating key generator values are used to regenerate the mating key in the digital device.
    Type: Grant
    Filed: May 28, 2010
    Date of Patent: September 10, 2013
    Assignees: Sony Corporation, Sony Electronics Inc.
    Inventor: Brant L. Candelore
  • Patent number: 8533796
    Abstract: In general, the subject matter described in this specification can be embodied in methods, systems, and program products for providing access to secured resources. A token providing system stores a primary authentication token that is used to obtain temporary authentication tokens. The token providing system provides, to application programs that are unable to access the primary authentication token, the temporary authentication tokens. The token providing system receives, from a first application program of the application programs, a first request to obtain a first temporary authentication token. The first request does not include the primary authentication token. The token providing system transmits a second request to obtain the first temporary authentication token. The second request includes the primary authentication token. The token providing system receives the first temporary authentication token.
    Type: Grant
    Filed: April 26, 2011
    Date of Patent: September 10, 2013
    Assignee: Google Inc.
    Inventors: Vittaldas Sachin Shenoy, Pankaj Risbood, Vivek Sahasranaman, Christoph Kern, Evan K. Anderson
  • Patent number: 8527755
    Abstract: Methods for effecting transmitter and receiver synchronization are disclosed. A method includes reading an authentication key value that is calculated by a receiver that is to receive protected content from a transmitter, determining if there has been a change in the authentication key value calculated by the receiver since it was last read and determining if a counter associated with the transmitter has a zero value. A re-authentication of the receiver is initiated if the counter associated with the transmitter has a non zero value and the authentication key value that is calculated from the receiver has changed.
    Type: Grant
    Filed: October 22, 2004
    Date of Patent: September 3, 2013
    Assignees: Sony Corporation, Sony Electronics Inc.
    Inventor: Robert A. Unger
  • Patent number: 8526610
    Abstract: A novel method and apparatus for protection of streamed media content is disclosed. In one aspect, the apparatus includes control means for governance of content streams or content objects, decryption means for decrypting content streams or content objects under control of the control means, and feedback means for tracking actual use of content streams or content objects. The control means may operate in accordance with rules received as part of the streamed content, or through a side-band channel. The rules may specify allowed uses of the content, including whether or not the content can be copied or transferred, and whether and under what circumstances received content may be “checked out” of one device and used in a second device. The rules may also include or specify budgets, and a requirement that audit information be collected and/or transmitted to an external server. In a different aspect, the apparatus may include a media player designed to call plugins to assist in rendering content.
    Type: Grant
    Filed: October 5, 2010
    Date of Patent: September 3, 2013
    Assignee: Intertrust Technologies Corporation
    Inventors: Talal G. Shamoon, Ralph D. Hill, Chris D. Radcliffe, John P. Hwa, W. Olin Sibert, David M. Van Wie
  • Patent number: 8504830
    Abstract: Erroneous deletion of data due to a collision of digest information during data de-duplication using digest information is prevented. When backup data is stored on a backup server 1100, digest information of the backup data is generated and stored in a digest information management table 4200. In addition, when a backup data storage request is made to the backup server 1100, a digest information verification control sub-program 1127 generates digest information of data to be backed up, and performs verification against the digest information of the backed up data already stored on the backup server 1100. If, by this verification, it is found that backed up data having the same digest information is already stored, de-duplication is realized by reusing the existing backed up data without newly storing the data to be backed up.
    Type: Grant
    Filed: August 21, 2009
    Date of Patent: August 6, 2013
    Assignee: Hitachi Solutions, Ltd.
    Inventors: Yohsuke Ishii, Takaki Nakamura, Atsuya Kumagai, Kazuyoshi Toyama
  • Patent number: 8494964
    Abstract: A system, method, and computer program product for managing limited-use software on a host computer having an operating system is disclosed. A software application can be installed in the operating system as a virtualized application using light weight virtualization technology. Rights usage information for the software application is received, the rights usage information comprising a rule describing permitted use of the software application on the host computer. A determination is made whether to enable the virtualized application based at least in part on the rights usage information. Responsive to the determination, the virtualized application is enabled to be executed on the host computer.
    Type: Grant
    Filed: February 6, 2009
    Date of Patent: July 23, 2013
    Assignee: Symantec Corporation
    Inventor: Jordan Sanderson
  • Patent number: 8478981
    Abstract: A system and method providing for appending of a note or instruction to the contents of an email such that the note or instruction is only appended to emails of selected recipients of a group of recipients, with only the email going to the other recipients of the group of recipients is provided.
    Type: Grant
    Filed: February 27, 2009
    Date of Patent: July 2, 2013
    Assignee: Rpost International Limited
    Inventors: Zafar Khan, Terrance Tomkow
  • Patent number: 8474028
    Abstract: A method for using multiple channels to access a resource, wherein a first user requests a resource that requires an indication of approval from a second user, a token value is transmitted to the first user on the first channel, and the second user transmits the token value and a second authentication parameter over a second channel. The token value is used to associate the first authentication parameter to the second authentication parameter, whereby the first user is allowed access to the resource on the first. The first and second user may be independently authenticated in some implementations and not independently authenticated in other implementations.
    Type: Grant
    Filed: May 22, 2007
    Date of Patent: June 25, 2013
    Assignee: FMR LLC
    Inventors: Rajandra Laxman Kulkarni, Adam Greenberg, Anthony M. Marotto, William A. Thornton, III
  • Patent number: 8458781
    Abstract: According to one embodiment, an apparatus may store a plurality of tokens. The apparatus may receive a subject token indicating an attempt to authenticate a user. The apparatus may determine at least one token-based rule based at least in part upon a token in the plurality of tokens and the subject token. The at least one token-based rule may indicate a plurality of attributes required to access a resource. The apparatus may determine a second plurality of attributes represented by the plurality of tokens and the subject token. The apparatus may determine at least one missing attribute, which may be in the plurality of attributes but not in the second plurality of attributes. The apparatus may then request the at least one missing attribute, and in response, receive at least one token representing the at least one missing attribute.
    Type: Grant
    Filed: August 15, 2011
    Date of Patent: June 4, 2013
    Assignee: Bank of America Corporation
    Inventor: Rakesh Radhakrishnan
  • Patent number: 8457919
    Abstract: A process for testing an integrated circuit includes collecting a set of points of a physical property while the integrated circuit is executing a multiplication, dividing the set of points into a plurality of subsets of lateral points, calculating an estimation of the value of the physical property for each subset, and applying to the subset of lateral points a step of horizontal transversal statistical processing by using the estimations of the value of the physical property, to verify a hypothesis about the variables manipulated by the integrated circuit.
    Type: Grant
    Filed: March 31, 2010
    Date of Patent: June 4, 2013
    Assignee: Inside Secure
    Inventors: Benoit Feix, Georges Gagnerot, Mylene Roussellet, Vincent Verneuil
  • Patent number: 8453207
    Abstract: A method for improving the security of secret authentication data during authentication transactions is provided that includes converting the secret authentication data of a user into scrambled secret authentication data by associating a different text-string with each item of information included in the secret authentication data. The method also includes capturing the scrambled secret authentication data with a communications device, and conducting an authentication transaction with the captured authentication data.
    Type: Grant
    Filed: July 11, 2012
    Date of Patent: May 28, 2013
    Assignee: Daon Holdings Limited
    Inventors: Conor Robert White, James Ahern, Christopher Eric Holland
  • Patent number: 8443193
    Abstract: A hash module of a mail sender creates a hash data context structure. The hash module processes the headers and the body of an e-mail message in the order required, for example by the DKIM specification, until the data to be hashed has been input. The hash module converts the context structure into printable characters and the encoded structure is transmitted over the Internet or other network to the next participating system. The token authority's hash module decodes the context back into binary form. After ensuring business logic is satisfied, it generates additional headers required for signature, which are then added to the developing hash. The hash module finalizes the hash function and creates the hash value. The authorization module creates the signature and returns it to the e-mail module, which attaches the signature to the message and transmits it to the destination mailbox provider, which verifies the token.
    Type: Grant
    Filed: August 19, 2010
    Date of Patent: May 14, 2013
    Assignee: Barracuda Networks, Inc.
    Inventors: Daniel T. Dreymann, Stephan Brunner, Yoel Gluck, Anh Vo
  • Patent number: 8438621
    Abstract: A method, device and system for securely managing debugging processes within a communication device, such as a set top box or other multimedia processing device. For example, a security processor (SP) within the communication device manages the lifetime (LT) of any access token issued for use in activating debugging privileges within the communication device. The security processor authenticates an issued access token and securely delivers appropriate debug authorization information to the device controller. The security processor uses its secure, internal timer to count down the lifetime and update the remaining lifetime of the issued access token during the processing of each command by the security processor. In addition to securely managing the issuance of the access token and its remaining lifetime, the updating process reduces any impact on the normal communications within the device. The method overcomes the issue of the communication device not having a secure internal clock.
    Type: Grant
    Filed: December 21, 2007
    Date of Patent: May 7, 2013
    Assignee: General Instrument Corporation
    Inventors: Jiang Zhang, Peter Chen, Bill Franks, Alexander Medvinsky
  • Patent number: 8438623
    Abstract: This invention provides a system, method and computer program product to allow a user to access administrative security features associated with the use of a security token. The administrative security features provide the user the ability to unlock a locked security token, diagnose a security token, activate and deactivate a security token, request a replacement security token or temporary password or report the loss of a security token. The invention comprises a client application which integrates into the standard user login dialog associated with an operating system. A portion of the user dialog is linked to a remote server to access the administrative services.
    Type: Grant
    Filed: October 18, 2011
    Date of Patent: May 7, 2013
    Assignee: ActivCard
    Inventor: Jamie Angus Band
  • Patent number: 8438116
    Abstract: Digital cash token protocols employ two pairs of private and public keys. Each public key is certified separately and the protocols do not use any blind signature schemes. As a result, the digital cash token protocols provide strong protection of user privacy by using two certified public keys instead of a blind signature. One pair of certified keys consists of one master user private key and one master user public key. A second pair of certified keys consists of one pseudonym user private key and one pseudonym user public key. The use of a master key pair and a pseudonym key pair circumvents the need for blind signatures. As a result, the proposed protocols do not require blind signatures and do not add additional overhead and security requirements necessitated by conventional blind signature schemes. The protocols use public key protocols and digital signatures and symmetric key protocols, which may be readily implemented in standard information security based systems based on cryptographic constructs.
    Type: Grant
    Filed: August 10, 2011
    Date of Patent: May 7, 2013
    Assignee: King Fahd University of Petroleum and Minerals
    Inventors: Ahmed Ibrahim Al-Herz, Mohammad K Ibrahim
  • Patent number: 8433903
    Abstract: An Asynchronous Enhanced Shared Secret Provisioning Protocol (ESSPP) provides a novel method and system for adding devices to a network in a secure manner. A registration process is launched by at least one of two network devices together. These two devices then automatically register with each other. When two devices running Asynchronous ESSPP detect each other, they exchange identities and establish a key that can later be used by the devices to mutually authenticate each other and generate session encryption keys. An out-of-band examination of registration signatures generated at the two devices can be performed to help ensure that there was not a man-in-the-middle attacker involved in the key exchange.
    Type: Grant
    Filed: October 6, 2008
    Date of Patent: April 30, 2013
    Assignee: Microsoft Corporation
    Inventor: Donald A. Zick
  • Patent number: 8429403
    Abstract: A method performed by a network device may include generating and storing a first public key and a first private key in a first device, transmitting a serial number and the first public key from the first device to a second device, generating, by the second device, a second public key and a second private key, transmitting the second public key from the second device to the first device and transmitting the serial number, the first public key, the second public key and the second private key to a third device, establishing and authenticating a connection between the first device and the third device using the first public key and the second public key and transmitting encrypted configuration information with the two key pairs from the third device to the first device.
    Type: Grant
    Filed: August 12, 2008
    Date of Patent: April 23, 2013
    Assignee: Juniper Networks, Inc.
    Inventors: Eric Moret, Robert Hubbard, Kent A. Watsen, Muku Murthy, Nicolas Beauchesne
  • Patent number: 8412644
    Abstract: Usage rights for a digital work are established prior to creation of the corresponding content. The rights can be associated with the content after the content is created. A content creation device, such as a video recorder or a still camera, can store labels of the rights and can associate usage rights with content in real time as the content is created.
    Type: Grant
    Filed: April 27, 2010
    Date of Patent: April 2, 2013
    Assignee: ContentGuard Holdings, Inc.
    Inventors: Michael C. Raley, Edgardo Valenzuela, Bijan Tadayon, Aram Nahidipour, Xin Wang, Guillermo Lao, Thanh Ta
  • Patent number: 8401190
    Abstract: A method for pairing a first element and a second element, wherein the first element and the second element form a first decoding system among a plurality of receiving decoding systems in a broadcasting network. Each receiving decoding system is adapted to descramble scrambled audiovisual information received over the broadcasting network. A first key unique in the broadcasting network is selected. A second key is determined according to the first key, such that a combination of the first key and the second key enables decryption of broadcasted encrypted control data that is received to be decrypted by each receiving decoding system, the encrypted control data being identical for each receiving decoding system. The first key and the second key are assigned respectively to the first element and the second element.
    Type: Grant
    Filed: October 5, 2004
    Date of Patent: March 19, 2013
    Assignee: Nagra France SAS
    Inventors: Philippe Guillot, Laurent Albanèse
  • Patent number: 8374966
    Abstract: Techniques are disclosed for sharing information in a wide variety of contexts. An information sharing system is described that allows both an explicit capture process and an implicit capture process to add information items to a staging area. Further, the information sharing system supports both implicit and explicit consumption of information items that are stored in said staging area. A rules engine is provided to allow users to create and register rules that customize the behavior of the capture processes, the consuming processes, and propagation processes that propagate information from the staging areas to designated destinations. Techniques are also described for achieving exactly-once handling of a sequence of items, where the items are maintained in volatile memory. Techniques are also provided for recording DDL operations, and for asynchronously performing operations based on the previously-performed DDL operations.
    Type: Grant
    Filed: December 2, 2002
    Date of Patent: February 12, 2013
    Assignee: Oracle International Corporation
    Inventors: Nimar Singh Arora, Jim Stamos
  • Patent number: 8370261
    Abstract: An access management system for managing network access of an end-user to one or more online content sources of a number of content providers. The system comprises a content proxy unit that stores the concealed addresses of the content sources. The content proxy unit is designed to receive a request for accessing one or more content sources from the end-user. The system further comprises an access management unit that stores an access rights record of the end-user. The access management unit is designed to authorize the request according to the access rights record of the end user. If the request is authorized, the content proxy unit facilitates the accessing using the concealed addresses of the requested content sources.
    Type: Grant
    Filed: July 23, 2007
    Date of Patent: February 5, 2013
    Inventor: Amnon Nissim
  • Patent number: 8370265
    Abstract: A transaction processing service operates as an intermediary between acquirers of financial transaction requests and issuing institutions that process the financial transaction requests. The intermediary service enables a customer to selectively change the status of an account associated with a payment instrument by activating or deactivating the account. The intermediary service may manage account status locally using a rules module. Alternatively, the issuing institution may manage account status, while the intermediary service provides an interface for customers. A customer communicates with the intermediary service to direct the service to change the account status. The intermediary service determines the account's issuing institution and provides an indication to the issuing institution of the current status of the account (or of the change in status).
    Type: Grant
    Filed: August 18, 2010
    Date of Patent: February 5, 2013
    Assignee: FonWallet Transaction Solutions, Inc.
    Inventors: Todd R. Coulter, Mordechai E. Kaplinsky, Christopher E. Lewis, Jeffery A. Warmington
  • Patent number: 8370499
    Abstract: A self-service terminal comprises: a plurality of session initiation devices, each associated with an initiation token, so that a customer can initiate a transaction using one of a plurality of different initiation tokens. The terminal further comprises a plurality of session suppliers, each session supplier being associated with one of the session initiation devices, and each session supplier being operable: (i) to receive from its associated session initiation device, information from an initiation token provided by a customer, and (ii) to create an electronic access token based on the received information. The terminal also comprises a session supplier aggregate operable to receive an electronic access token from one of the session suppliers for each session to be created; and a session component operable (i) to receive the electronic access token from the session supplier aggregate and (ii) to create a session based on the received electronic access token.
    Type: Grant
    Filed: December 30, 2009
    Date of Patent: February 5, 2013
    Assignee: NCR Corporation
    Inventors: Vishwam Guntupalli, Ian M. Joy, Ashalatha Behara
  • Patent number: 8359392
    Abstract: A system for securely communicating content as streaming data is provided. The system includes a closed network created on a public network, and a dedicated device for receiving twice-encrypted streamed content from the closed network. Upon authentication of the dedicated device, a content enabling component in the closed network twice-encrypts previously once-encrypted streamed content by using randomly selected encryption algorithms, and streams the twice-encrypted streamed content to the dedicated device during a closed network communication session and through a closed connection established between the closed network and the dedicated device. The dedicated device includes a content enabling component having a unique content enabling component identifier and a unique decryption key.
    Type: Grant
    Filed: July 9, 2008
    Date of Patent: January 22, 2013
    Assignee: Gregor Zebic
    Inventors: Gregor Garbajs, Gregor Zebic
  • Patent number: 8356171
    Abstract: A system for efficiently reauthenticating a client of a network. In a specific embodiment, the system includes an authentication server and a Security GateWay (SGW) in communication with the client. The SGW includes reauthentication information associated with the client. In a more specific embodiment, the authentication server includes an Authentication, Authorization, and Accounting (AAA) server. The SGW further includes one or more routines for employing the reauthentication information to reauthenticate the client. The AAA server performs initial authentication of the client to enable client access to the network, which yields the reauthentication information. The reauthentication information includes one or more keys and/or counters, such as an authorization key, an encryption key, and a master key, which is/are predetermined by the AAA server.
    Type: Grant
    Filed: April 26, 2006
    Date of Patent: January 15, 2013
    Assignee: Cisco Technology, Inc.
    Inventors: Kevin Shatzkamer, Anand K. Oswal, Mark Grayson, Jayaraman Iyer, Navan Narang
  • Patent number: 8345869
    Abstract: A communication system 100 includes a group of user devices, a first device separate from the group of user devices, a first satellite, a peer-to-peer network 130 in communication with the user devices and the satellite 106 and a content delivery network 120 in communication with the user devices. The content delivery network encrypts the content in response to a first encryption-decryption information and communicates the content to the plurality of user devices through a satellite. At each of the plurality of the group of user devices the content is encrypted in response to a second encryption-decryption information. A first user device communicates a content request to the group of user devices. At least one of the group of user devices communicates the content to the first user device through the peer-to-peer network. The first user device requests the encryption-decryption information from a content delivery network through a terrestrial network.
    Type: Grant
    Filed: October 23, 2007
    Date of Patent: January 1, 2013
    Assignee: The DirecTV Group, Inc.
    Inventors: Raynold M. Kahn, Romulo Pontual, Robert G. Arsenault
  • Patent number: 8341714
    Abstract: A security token includes (a) a personal data memory configured to store digital identity credentials related to personal data of a user; (b) an input appliance configured to check said personal data; (c) a key record data memory configured to store at least one identity credential of an authentication server or of an application operator; (d) a transmitter and receiver unit configured to create a secure channel directly or indirectly to said authentication server or application operator to handle said key record relating to said authentication server or application operator, respectively; (e) a control unit configured to control the transmitter and receiver unit and the key record data memory in view of said handling, wherein the control unit is configured to perform one of: interpreting, deciphering, creating, checking, renewing, withdrawing and further key record handling actions. A method for authentication of a user using the security token is also disclosed.
    Type: Grant
    Filed: December 20, 2006
    Date of Patent: December 25, 2012
    Assignee: AXSionics AG
    Inventors: Lorenz Müller, Marcel Jacomet, Roger Cattin-Liebl, Alain Rollier
  • Patent number: 8339678
    Abstract: An apparatus, system, and method for image processing are disclosed, each of which obtains a mark from image data, detects additional information in the mark, determines whether the mark is detected in the mark to generate a determination result, and controls processing performed by an image processing apparatus with respect to the image data based on the determination result.
    Type: Grant
    Filed: February 17, 2009
    Date of Patent: December 25, 2012
    Assignee: Ricoh Company, Ltd.
    Inventors: Masaaki Ishikawa, Hiroshi Shimura
  • Patent number: 8332950
    Abstract: A product mark including a public key certificate issued with respect to an information-recording-medium manufacturing entity or information-recording-medium manufacturing equipment, and an encrypted volume ID calculated by computation based on a product-mark-associated value such as a hash value generated on the basis of the product mark, and a volume ID as an identifier set with respect to a given set of discs to be manufactured, are generated. The product mark and the encrypted volume ID are set as information for generating a key used for decryption of encrypted content, and recorded onto a disc by a reflective-film-removal recording method. Due to this configuration, the product mark and the encrypted volume ID as key generating information cannot be read from a pirated disc produced by physically copying a pit pattern on the basis of a legitimate commercial disc, thereby making it possible to prevent unauthorized reproduction or use of content.
    Type: Grant
    Filed: March 1, 2006
    Date of Patent: December 11, 2012
    Assignee: Sony Corporation
    Inventors: Satoshi Kitani, Seiji Kobayashi
  • Patent number: 8326774
    Abstract: The present embodiments provide methods, apparatuses, and systems to distribute content over a network. Some embodiments provide methods to distribute content within a local media network. These methods receive a request for a first content to be transferred to a sink device, request from the source an access criteria for a first content that is protected according to a first digital rights management (DRM), forward the access criteria to the sink device, receive an evaluation of the access criteria from the sink device regarding at least whether the sink device can interpret the first DRM, determine according to the evaluation received from the sink device whether the sink device can utilize the first content that is protected according to the first DRM, and initiate a transfer of the first content from the source device to the sink device when the sink device can utilize the first content.
    Type: Grant
    Filed: June 17, 2011
    Date of Patent: December 4, 2012
    Assignees: Sony Corporation, Sony Electronics Inc.
    Inventor: Brant Candelore
  • Patent number: 8321924
    Abstract: The present invention provides a network-based method for protecting software, which combines a client program that communicates with a server in a C/S (or B/S) architecture with a key device; the client program authenticates a user using the key device to protect the software. The method includes the steps of: running the client program; authenticating the user using the key device by the client program; and continuing to run the client program with a server if the user has passed the authentication. In the prior art, the username and password are easy to intercept in transmission as plain text over the network. In the method, the client program is combined with a key device. In addition, the complete client program cannot be executed without involving the server. Therefore, the strength of software protection is increased.
    Type: Grant
    Filed: September 14, 2007
    Date of Patent: November 27, 2012
    Assignee: Feitian Technologies Co., Ltd.
    Inventors: Zhou Lu, Huazhang Yu
  • Patent number: 8316241
    Abstract: The present invention provides a data transmitting apparatus in which a device information obtaining unit obtains device information of a device connected to the data transmitting apparatus; a verification unit verifies validity of a data receiving apparatus, based on the device information obtained by the device information obtaining unit; and a control unit performs control as to whether to obtain the device information through a wireless communication unit or obtain the device information through a wire communication unit, and as to whether to transmit image information encrypted by a first encryption unit from the wireless communication unit or transmit image information encrypted by a second encryption unit from the wire communication unit when the verification unit verifies that the data receiving apparatus is authorized.
    Type: Grant
    Filed: July 9, 2009
    Date of Patent: November 20, 2012
    Assignee: Sony Corporation
    Inventor: Toru Nagara