Abstract: Maps and/or signs are embedded with plural-bit data in the form of digital watermarks. In one implementation, an apparatus is provided to read two or more digital watermarks embedded within a map. Each of the two or more digital watermarks includes location information for a respective map location. The two or more digital watermarks are embedded through alterations to data representing the map; the alterations are generally imperceptible to a human observer of the map. The apparatus includes: a global positioning system receiver to determine a physical location of said apparatus; an input to receive data corresponding to at least a portion of the respective map area; a processor or electronic processing circuitry to extract the location information from the input data and to correlate the physical location with the extracted location information; and an output to output an indication of a relative correlation between the physical location and watermark location information.

Abstract: A method for controlling access to a target application in accordance with an exemplary embodiment is provided. The method includes determining whether a user is within a predetermined distance from at least one predetermined base device. The method further includes determining whether the predetermined base device is within a predetermined geographical region. The method further includes receiving user access information associated with the user and authenticating the user access information. The method further includes authorizing a user computer only when the user is within the predetermined distance from the predetermined base device, and the predetermined base device is within the predetermined geographical region, and the user access information corresponds to predetermined user access information associated with the user. The method further includes allowing the user computer to access the target application when the user computer has been authorized.

Abstract: A recoverable data storage apparatus includes a hand-portable housing configured with an input/output (I/O) port presented outwardly therefrom, a data storage means retained within the housing and operatively coupled with the input/output port, and a client agent embodied as device-executable code residing on the data storage device and configured. When executed on a network-linked host computing device, the client agent is configured to establish communication with a remote server and receive data indicating a possession status of the data storage apparatus. A device tracking system includes a data network means, a hardware portion, and a software portion. The hardware portion includes at least, (1) a server device operatively coupled with the network means, and (2) a data storage device with an externally presented input/output port configured to operatively couple with a host device.

Abstract: The present invention relates to a method of authentication for Media Gateway, comprising: setting up an initial key for validating initial digital signatures between a Media Gateway and a Media Gateway Controller; generating a new shared key having a specific lifetime by performing signaling communication between said Media Gateway and said Media Gateway Controller with said initial key; authenticating calls and responses between said Media Gateway and said Media Gateway Controller with said new shared key; and updating said shared key between said Media Gateway and said Media Gateway Controller if the lifetime of said shared key is expired. The invention can authenticate each call, update the shared key periodically, and prevent calling invalidly effectively.

Abstract: Concurrent recipient resolution and certificate acquisition. If a client-entered input data may be resolved without further client input, the server resolves the input data into a recipient entry that has an associated routing address. The server then transmits a response to the client that includes the associated full display name, routing address and certificate. If the server determines that the recipient entry cannot be resolved without further input from the client, the server identifies a number of possible recipient entries, and for each possible recipient generates a token, which is then communicated to the client. The server receives a subsequent request from the client identifying a selected one of the possible associated recipients using the associated token. The server then acquires a certificate associated with the selected recipient using the token, and then sends the certificate to the client.

Abstract: A method and system for controlling distribution of content within a personal domain that makes use of a determination of the relative proximity to a source device or the geographic locations of the receiving devices. The location information may be determined using a Global Positioning System (GPS) or wireless triangulation systems. Usage rights for devices in the network are determined using the location or proximity determination.

Abstract: One aspect involves receiving by a tag of wireless communications that utilize a first security provision, and wireless communications that utilize a second security provision different from the first security provision. A different aspect involves receiving by an entity of an authentication request that is based on a first digital certificate unknown to the entity, and determining by the entity, without external authentication of the first digital certificate, whether the first digital certificate is in a trust relationship with a second digital certificate that is different from the first digital certificate and that is known to the entity.

Abstract: The protection of data on a client mobile computing device by a server computer system such as within an enterprise network or on a separate mobile computing device is described. Security tools are described that provide different security policies to be enforced based on a location associated with a network environment in which a mobile device is operating. Methods for detecting the location of the mobile device are described. Additionally, the security tools may also provide for enforcing different policies based on security features. Examples of security features include the type of connection, wired or wireless, over which data is being transferred, the operation of anti-virus software, or the type of network adapter card. The different security policies provide enforcement mechanisms that may be tailored based upon the detected location and/or active security features associated with the mobile device. Examples of enforcement mechanisms are adaptive port blocking, file hiding and file encryption.

Abstract: A security system assesses the response time to requests for information to determine whether the responding system is in physical proximity to the requesting system. Generally, physical proximity corresponds to temporal proximity. If the response time indicates a substantial or abnormal lag between request and response, the system assumes that the lag is caused by the request and response having to travel a substantial or abnormal physical distance, or caused by the request being processed to generate a response, rather than being answered by an existing response in the physical possession of a user. If a substantial or abnormal lag is detected, the system is configured to limit subsequent access to protected material by the current user, and/or to notify security personnel of the abnormal response lag.

Abstract: In a random number sequence sharing apparatus, a reception unit receives a radio signal including a radio wave from a pre-designated radio star at a pre-designated observation time, a sending unit sends the received radio signal to another random number sequence sharing apparatus, an acceptance unit accepts a radio signal sent from the another sharing apparatus, an analysis unit separates the two radio signals into a plurality of independent components by independent component analysis, a selection unit selects two independent components temporally different by difference in time required for the radio wave to arrive at both sharing apparatuses from the radio star, a sampling unit averages the two selected independent components after adjusting the temporal difference and bit-samples the average, and an output unit outputs a sequence of the bit samples as a random number sequence to be shared.

Abstract: A system and method for strong authentication achieved in a single round trip is disclosed, which reduces the amount of time needed for a mobile node to be authenticated by the network. In an embodiment of the present invention, the, authentication time is approximately three times faster than for 3GPP.

Abstract: To allow viewers to view a plain document depending on levels of the authorized powers of the viewers without inserting identifiers into the plain document. An encrypting device includes devices for: storing encrypting role information which includes encrypting keys and key IDs of the encrypting keys; grasping the encrypting range of the plain document, and creating an encrypted part by encrypting the encrypting range using the encrypting key in the encrypting role information; creating the encrypting information configured with one, two, or more record(s) containing the front position and rear position of the encrypted part, the key ID corresponding to the encrypting key that is applied for the encrypted part, and the processing order of the encrypted part; creating the encrypted document by combining an encrypted document main body configured with a document containing the encrypted part with the encrypting information; and storing the encrypted document to a prescribed medium.

Abstract: Systems and methods for communicating and authenticating end-to-end management keys to stations to facilitate communications between stations in the network. A nonce based upon a pseudo-random number generated by the station(s) can be included with the end-to-end management key (EMK). The station(s) can compare the nonce to the generated pseudo-random number to authenticate the EMK.

Abstract: Systems and methods for authenticating key rotation communications. Key rotation communications can include a key counter known to both a headend device and a station. Comparison between a local key counter and the key counter included in the key rotation communication can be used to authenticate the key rotation communication.

Abstract: A method and a corresponding device for generating true random numbers for use in encryption of a message for secure transmission of said message from a sending device to a receiver, or for authentication of a sent message. An optical image represented by optical data is obtained by an optical sensor and processed in order to improve the stochasticity of the optical data. The thus processed data is then used for generating random numbers which can be used as an encryption key, or for generating an encryption key, for subsequent use in an encryption algorithm for encrypting the message. The method is implemented in a digital pen (DP) to be used in an information management system.

Abstract: Provided is a method for providing a location-based service using a location token. The method includes the steps of: a) receiving an encrypted token message including constraints for location information access from a terminal; b) decoding and storing the transmitted token message in a token database; c) creating a location token accessible to the transmitted token message and transmitting the location token to the terminal; d) extracting a token message number in the location token transmitted from a location-based service server, checking constraints of a user and updating an exception list; and e) acquiring location information of the terminal and transmitting the location information to the location-based service server.

Abstract: A method and system for controlling distribution of content within a personal domain that makes use of a determination of the relative proximity to a source device or the geographic locations of the receiving devices. The location information may be determined using a Global Positioning System (GPS) or wireless triangulation systems. Usage rights for devices in the network are determined using the location or proximity determination.

Abstract: A method and apparatus for distribution of digital certificates. A limited access to networks by use of existing identity information allows distribution of digital certificates.

Abstract: The present invention relates to a method and a device (104) for authenticating a plurality of physical tokens (101, 102, 103). A basic idea of the invention is to supply a sequence of interconnected devices (108, 109, 110), each device comprising a physical token (101, 102, 103), with a challenge of the respective physical token created during enrollment of said respective physical token, wherein the sequence of interconnected devices is arranged such that a data set supplied to the sequence is cryptographically processed with a response of a token comprised in a device and passed on to a token comprised in a subsequent device which further cryptographically processes the processed data set with its response until a response of a final physical token has been used to further cryptographically process the data set.

Abstract: Methods and apparati are provided for determining a “Squared Tate pairing” for hyperelliptic curves and using the results to support at least one cryptographic process. The improved techniques provide increased efficiency and an alternative method to the conventional method of implementing the Tate pairing for Jacobians of hyperelliptic curves. With the Squared Tate pairing for hyperelliptic curves, one may obtain a significant speed-up over a contemporary implementation of the Tate pairing for hyperelliptic curves. The Squared Tate pairing for hyperelliptic curves can be substituted for the Tate pairing for hyperelliptic curves in any applicable cryptographic application.

Abstract: A system and method for authentication in a wireless mobile communication system are provided, in which a mobile station calculates a CMAC value having a first number of bits, transmits to a base station a ranging request message including a partial CMAC value being a second number of upper bits of the CMAC value having the first number of bits, and receives a ranging response message indicating whether authentication is successful or failed from the base station.

Abstract: A method for security authentication within a wireless network is disclosed. A method within an adhoc mesh network for two devices to quickly determine roles (i.e. which is the authenticator and which is the supplicant) while establishing a security association is provided for. The invention further provides for the inclusion of cached key information in the role negotiation process and the application of role negotiation to a shortened three-way handshake.

Abstract: An encryption system, method, and computer program product are provided. After the receipt of encrypted content, a plurality of coordinates associated with a location of a device are identified. In use, the content is decrypted utilizing the coordinates.

Abstract: A mechanism for providing a mobile node with reliable information for location privacy decisions in connection with an address update process that gives the correspondent node a chance to deduce the location of the mobile node is provided. According to one embodiment of the invention, an indication is given when an address update process needs to be performed for optimizing routing between a mobile node and a correspondent node. In response to the indicating step, the correspondent node may be authenticated, the authentication yielding identity information about the correspondent node. Based on the identity information, a route optimization decision may be made based on whether or not the address update process is to be performed, and the address update process may be carried out depending on the decision.

Abstract: A method includes receiving an authentication request from a mobile station (401) and determining whether to forward the request to an authentication agent. When it is determined to forward the request, the request is forwarded to the authentication agent (107). A random number and a random seed are received from the authentication agent (107). The random number and the random seed are forwarded to the mobile station (401). A response to the random number and the random seed from the mobile station (401) is received and forwarded to the authentication agent (107). The authentication agent (107) compares the response with an expected response. When the authentication agent (107) authenticates the mobile station (401), a derived cipher key is received from the authentication agent (107).

Abstract: An information subscribing system for portable terminal device 20 having autonomous network access, wherein the portable terminal device 20 communicates to the transmission authentication control protocols platform 2 in conjunction with the information distribution platform 1 over a network connection, the transmission authentication control protocols platform 2 permits the portable terminal device 20 to perform subscribing and searching for the information stored on the information distribution platform 1.

Abstract: A communication method is disclosed as including the steps of (a) associating sensor with an object; (b) associating a mobile phone or personal digital assistant with a secure token capable of communication contactlessly with the sensor; (c) setting a number of rules of possible allowable ways of interaction between the object and the mobile pone; (d) the sensor obtaining information relating to the object; (e) the secure token initiating and establishing information contactless communication with the sensor and receiving from the sensor the information obtained by the sensor; and (f) the secure token issuing an output on the basis of the rules of possible or allowable ways of interaction and the information received from the sensor.

Abstract: A security authentication for PC client is provided according to the present invention, wherein said method includes: PC client sends a registry request to a server with a user ID and a password; The server makes first authentication based on the user ID and password, if the authentication succeeds, a field used for re-authentication will be created and returned to the PC client through an authentication successful message; When initiating a call, the PC client transmits the user ID and the field used for re-authentication acquired when registered to media gateway controller; The media gateway controller transfers the user ID and field used for re-authentication to the server, which makes second authentication according to the user ID and the field used for the second authentication, if the authentication fails, the call will be rejected, otherwise the call will be accepted and returns information of the called subscriber.

Abstract: The present invention relates to a method for allocating an authorization key identifier in a wireless portable Internet system. In a privacy key management version 2 (PKMv2) of the wireless portable Internet system, a base station generates PAK identifier, PMK identifier, and authorization key identifier for distinguishing a primary authorization key (PAK) shared by the base station and the subscriber station in an RSA-based authorization, a pairwise master key (PMK) shared by the base station and the subscriber station in an EAP-based authorization, and authorization keys generated by the PAK and the PMK. The base station transmits PAK identifier, PMK identifier, and authorization key identifier to the subscriber station and shares them with the subscriber station. Therefore, the base station and the subscriber station may easily distinguish more than 2 authorization-related keys.

Abstract: The pocket portable electronic entity (400) includes: connection element (420) for removable connection to a host station (300), first members (460, 470, 471) for secure communication with a remote server (100) via the connection element and the host station, second members (450, 455) for communication between the secure first communication element and a second portable electronic entity (500), and elements (440, 445) for communicating to the remote server via the secure first communication means data received from the second portable electronic entity via the second communication members.

Abstract: A conditional access system in which entitlement control messages (ECMs) containing the encryption keys used to encrypt a program transmission, are sent to a set-top box over a secure communications channel separate from the channel used for transmission of the encrypted program.

Abstract: The invention discloses a method of reading data (dat) from a first transponder (TAG1) into a transceiver (REA). Said (dat) are only transmitted from the first transponder (TAG1) to the transceiver (REA) when a second transponder (TAG2) is present within the RFID communication range of the transceiver (REA) and if a positive authentication procedure between the two transponders (TAG1, TAG2) within the RFID communication range of the transceiver (REA) takes place. The second transponder (TAG2) is preferably a stationary transponder (TAG2), whereas the first transponder (TAG1) may be a mobile transponder The invention further relates to transponders (TAG1, TAG2) as well as to a transceiver (REA) used in such a method of reading data (dat). Furthermore, the invention relates to a poster (POS), to which a first transponder (TAG1) is attached, and to a poster wall (WAL) for attaching such a poster (POS) and a second transponder (TAG2).

Abstract: The present invention is an authenticating system including: a client (hereinafter, referred to as C) including a creator for, by employing a first hash algorithm (hereinafter, referred to as 1A), creating a first hash value (hereinafter, referred to as 1V) from authentication information including an ID and a password, and creating 2V from the 1V and a random number, and a receiver for receiving the random number and an 1A identifier from a server (hereinafter, referred to as S), transmitting the ID and the 2V to the S, and receiving an authentication result from the S; and the S including a storage for storing 3V created from the authentication information by employing an 2A identifier and the 2A ID by ID, and a device for transmitting the random number and the 1A identifier to a PC, receiving the ID and the 2V from the PC, determining whether the 2A identifier, which corresponds to the ID, coincides with the 1A identifier, creating 4V from the 3V and the random number by employing the 1A in a case where it

Abstract: The present invention provides a method, a migration server and a terminal device mor migrating specifically encrypted access objects (such as e.g. a license) between mobile terminals such as e.g. computers and/or cellular telephones. Method for migrating a specifically encrypted access object from a first terminal unit to a second terminal unit is performed according to the invention, by a migration server of a communication network. The method comprises receiving via said communication network, a first specifically encrypted access object of said first terminal unit and identification data related to said first terminal unit and to a content said first specifically encrypted access object is destined for (e.g. an application). Then identification data related to said second terminal unit and a request for issuing a second specifically encrypted access object for said second terminal unit are received at the server via a communication network.

Abstract: The present method for using communication channel round-trip response time for digital asset management utilizes a predetermined distance between a sending device and a receiving device to prevent unauthorized receipt of digital content when the unauthorized receiving device is located beyond the predetermined distance. When the receiving device requests digital content from the sending device, the sending device replies with a request for an acknowledgement. The receiving device sends the requested acknowledgement. The time between sending the request for an acknowledgement and receipt of the acknowledgement is the actual round-trip response time.

Abstract: An approach is provided that allows an administrator to set a new password at a wireless access point, such as a traditional WAP or a wireless router. The wireless access point creates a message that includes the new password. The message is encrypted using the old password that was previously set for the wireless network. The encrypted message is wirelessly transmitted from the wireless access point to the active client devices (those clients currently accessing the wireless network). The clients decrypt the message using the old password that was previously provided to the clients. The clients retrieve the new password from the message. The clients construct a new message that is encrypted using the new password. The new message is wirelessly transmitted from the clients to the wireless access device and serves as an acknowledgement.

Abstract: A method of protecting a broadcast frame, the method comprising broadcasting a beacon and a maintenance beacon frame (MBF) from an access point (AP) to a plurality of terminals during a maintenance beacon waiting period (MBWP); and broadcasting broadcast management frames (BMFs) from the AP to the plurality of terminals during a broadcast management frame waiting period (BMFWP), wherein the MBF comprises a BMFs message integrity code (MIC) field including a BMFs MIC calculated from concatenated BMFs to be sent in a current beacon interval.

Abstract: An authentication and mass subscriber management technique is provided by employing a key table derived as a subset of a larger key pool, a network edge device, and authentication tokens attached on both the network edge device and on a subscriber's computing device. The network edge device and subscriber's computing device are provided with secure, tamper-resistant network keys for encrypting all transactions across the wired/wireless segment between supplicant (subscriber) and authenticator (network edge device). In an embodiment of the invention, a secure, secret user key is shared between a number of subscribers based upon commonalities between serial numbers of those subscribers' tokens. In another embodiment of the invention, a unique session key is generated for each subscriber even though multiple subscribers connected to the same network connection point might have identical pre-stored secret keys.

Abstract: A system and method for providing a message service. Position information and/or security information is inserted into messages before transmission. A receiving mobile terminal may open the received message depending on its position or knowledge of the security information.

Abstract: An improved approach to public key passing is provided to inhibit man-in-the-middle (MITM) attacks during an exchange of public keys over one or more public networks. In one embodiment, a method for securely passing public keys includes encrypting a first user public key, wherein the first user public key is associated with a first user device. The method also includes passing the encrypted first user public key to a first gateway server over a secure communication link. The method further includes receiving an encrypted second user public key from the first gateway server over the secure communication link, wherein the second user public key is associated with a second user device, and wherein the second user device is associated with a second gateway server. In addition, the method includes decrypting the second user public key.

Abstract: A system and method that tracks surplus reduction actions is disclosed. Managers and other decision makers take various actions regarding employees. Actions are recorded and tracked in a data store. Included with the action is an identifier, such as a digital signature, of the decision maker that performed the action. Affected (i.e., surplus) employees are notified that they have been selected as surplus. Affected employees acknowledge such identification as well as any confidentiality and non-compete obligations. Affected employees electronically sign non-compete agreements and such digital signatures are also recorded in the data store evidencing the employees' acknowledgment of such confidentiality and non-compete obligations. Electronic keys, such as user IDs and passwords, may also be sent to employees that acknowledge surplus actions and non-compete obligations. These electronic keys enable the affected employees to access materials, such as job databases and other relocation and employment information.

Abstract: A passive start and entry system includes a controller that determines the desired encryption for a last authenticated identification device during the period in which responses are received from any proximate identification devices. This process allows for the transmission of encrypted data to the last authenticated device without delay upon the expiration of the wait period.

Abstract: A portable storage device, for example a secure smart card, contains network identification information for a processing unit that is connectable to a data communications network, which processing unit includes a device reader for reading the portable storage device. The portable storage device includes storage and an access controller. The storage holds a network identity for the processing unit and at least one encryption key. The access controller is operable to control access to the storage by implementing key-key encryption. An embodiment of the invention thus provides a medium not only for storing a network identity for processing unit, but also for other secure information such as an encryption key associated therewith.

Abstract: A method, and deterministic random bit generator system operating in accordance with the method, for generating cryptographic keys and similar secret cryptographic inputs which are hard to guess. A seed is input from an entropy source; and an initial state is generated as a function of the seed. When a request to generate a cryptographic key is received a current state, where the current state is initially the initial state, is mixed to generate an out put string and a next state and the current state is set to the next state. The requested cryptographic key is generated from the string; and output. These steps can be repeated to generate successive output strings with assurance of forward and backward secrecy. An encryption system including such a generator is also disclosed.

Abstract: A content including replay condition information is encrypted using first key information while being recorded to a recording medium. The first key information is encrypted using the replay condition information and second key information while being recorded to the recording medium together with the replay condition information. The replay condition information and the first key information are read from the recording medium, and the first key information is decrypted using the replay condition information and the second key information. The content read from the recording medium is decrypted using the decrypted first key information.

Abstract: Wireless devices are easily configured with logical network and security settings. Configuration commands are received at master and slave wireless devices. The devices switch to predetermined logical network and security settings to allow communication between the master and slave devices. The master device selects a logical network and/or security setting and sends the setting(s) to the slave device. Both devices then switch to the selected setting(s) and use the setting(s) for future communications.

Abstract: An enhanced GPS receiver is provided for secure location information communication. The GPS receiver includes a GPS signal receiving unit, a GPS signal processing unit, and en encryption module. The GPS signal receiving unit is used to receive the GPS signals. The GPS signal processing unit coupled to the GPS receiving unit is used to obtain the location information of the mobile device. The encryption module encrypts the location information by using a GPS chip identification number embedded in the GPS receiver as an encryption key. The GPS receiver further optionally includes a compression module for compressing the location information before encryption.

Abstract: From a printer, a print client previously acquires printer position information on the printer. For example, when trying to transmit print data to the printer, the print client generates print transmitting data by adding printer position information on the printer to the print data and transmits the print transmitting data. The printer which has received this print transmitting data prints the print data only when the printer position information contained in the print transmitting data coincides with printer position information at this point in time. Consequently, the security of the print transmitting data transmitted from the print client to the printer via a network is ensured.

Abstract: Security tools are described that provide different security policies to be enforced based on a location associated with a network environment in which a mobile device is operating. Methods for detecting the location of the mobile device are described. Additionally, the security tools may also provide for enforcing different policies based on security features. Examples of security features include the type of connection, wired or wireless, over which data is being transferred, the operation of anti-virus software, or the type of network adapter card. The different security policies provide enforcement mechanisms that may be tailored based upon the detected location and/or active security features associated with the mobile device. Examples of enforcement mechanisms are adaptive port blocking, file hiding and file encryption.

Abstract: Presented herein are systems and methods for integrating secure identification logic into cell phones. A registration is received, wherein said registration includes an identifier identifying a mobile terminal. Information is transmitted to the mobile terminal, wherein a password is a function of the information.