Symmetric Key Cryptography Patents (Class 380/259)
  • Publication number: 20090285394
    Abstract: According to the invention, a subscriber to a first satellite radio service can be provided with an option to receive, over their current receiver unit, supplemental content, such as a particular show or channel, which is otherwise only available within a relevant jurisdiction as part of a subscription package to subscribers of one or more other satellite radio services. Thus, without purchasing a full subscription to another service, the subscriber of the first satellite radio service may arrange to receive supplemental content that is otherwise only available as part of a subscription package, such as a basic or general subscription package, to subscription holders of one or more other services. The invention also provides methods of broadcasting and methods of configuring dedicated and interoperable satellite radio receiver units so that the supplemental content can be received by a subscriber.
    Type: Application
    Filed: May 20, 2009
    Publication date: November 19, 2009
    Inventor: Paul Diamond
  • Publication number: 20090279699
    Abstract: A software defined radio device and a download server store a plurality of common keys in common key data. The download server arbitrarily determines a common key from the common key data and conveys information identifying the common key to be used to the software defined radio device. An authenticator of the software defined radio device identifies a common key from the common key data using the information identifying the common key, authenticates using the common key, and performs subsequent communications using the common key. When sending software, a hash value is attached for confirming the security. A device ID of the software defined radio device is also attached to data for confirming which software defined radio device receives the software. The software is securely downloaded by a common key encryption having smaller processing requirements than those of a public key encryption.
    Type: Application
    Filed: August 1, 2008
    Publication date: November 12, 2009
    Inventor: MIE NODA
  • Publication number: 20090271621
    Abstract: Aspects of the subject matter described herein relate to a simplified login for mobile devices. In aspects, on a first logon, a mobile device asks a user to enter credentials and a PIN. The credentials and PIN are sent to a server which validates user credentials. If the user credentials are valid, the server encrypts data that includes at least the user credentials and the PIN and sends the encrypted data to the mobile device. In subsequent logons, the user may logon using only the PIN. During login, the mobile device sends the PIN in conjunction with the encrypted data. The server can then decrypt the data and compare the received PIN with the decrypted PIN. If the PINs are equal, the server may grant access to a resource according to the credentials.
    Type: Application
    Filed: April 25, 2008
    Publication date: October 29, 2009
    Applicant: MICROSOFT CORPORATION
    Inventors: Meir Mendelovich, John Neystadt, Ken Aoyama, Nir Nice, Shay Yehuda Gurman
  • Publication number: 20090268909
    Abstract: A method for operating a wireless sensor network, wherein the sensor network includes a multitude of distributed sensor nodes for sensing data within a pre-definable environment, and wherein the sensor nodes can exchange information via encrypted data transmissions over a radio channel is—regarding the fact that during the operational phase of the network the performance of changes in the network, in particular the composition of the sensor nodes that are integrated in the network, is allowed in a flexible way—characterized in that a subset of sensor nodes of the network is manipulated in order to establish a shared secret (x) by transferring a defined information to the sensor nodes of the subset over a secure out of band (OOB) channel.
    Type: Application
    Filed: June 6, 2007
    Publication date: October 29, 2009
    Applicant: NEC EUROPE LTD.
    Inventors: Joao Girao, Miguel Martin Lopez
  • Patent number: 7610486
    Abstract: The present invention relates to methods of and systems for providing conditional access to electronic content. Electronic content is provided to a user along with authorization information. The electronic content may be transmitted to the user, and the user may use the authorization information to access the electronic content. An authorization code may be provided to the user such that the user may be granted access to the content based on a comparison of the provided authorization code and a second authorization code transmitted with the electronic content, and transmission of the second authorization code may be controlled by a content provider to control access by the user.
    Type: Grant
    Filed: March 4, 2004
    Date of Patent: October 27, 2009
    Assignee: GameLogic Inc
    Inventors: Mark E. Herrmann, Steven N. Kane, Stuart Roseman, Jason Yanowitz
  • Publication number: 20090265540
    Abstract: A network control apparatus and method is provided. The method includes operations of informing a server of capability information including an encryption/decryption method, wherein the server provides the network control apparatus with control information used to control a network device using a general-purpose control web application, transmitting to the server a control information requesting message that requests the control information, receiving from the server the control information which has been encrypted using the encryption/decryption method, decrypting the encrypted control information according to the encryption/decryption method, and transmitting a control command for controlling the network device according to the decrypted control information.
    Type: Application
    Filed: February 20, 2009
    Publication date: October 22, 2009
    Applicant: Samsung Electronics Co., Ltd.
    Inventors: Ho Jin, Jong-wook Park, Young-chul Sohn
  • Patent number: 7606368
    Abstract: A method and apparatus for use in encrypting and decrypting digital communications converting an initial block to final block based on freely selectable control information and secret key information having double the length of prior art keys and maintaining compatibility with the prior art encryption system.
    Type: Grant
    Filed: August 3, 2006
    Date of Patent: October 20, 2009
    Assignee: Harris Corporation
    Inventor: Michael Thomas Kurdziel
  • Publication number: 20090257593
    Abstract: A network-based method for secure messaging is performed by: receiving a message sent by a sender to a recipient with a store-and-forward protocol, at a network location. The received message is decrypted at the network location with the sender's encryption key. Then the decrypted message is encrypted at the network location with the recipient's encryption key, and forwarded from the network location for delivery to the recipient.
    Type: Application
    Filed: April 10, 2008
    Publication date: October 15, 2009
    Applicant: COMVERSE LTD.
    Inventor: Alex Losovsky
  • Patent number: 7602918
    Abstract: The present invention provides a method of wireless communication involving at least one first base station associated with a first access serving network and at least one second base station associated with a second access serving network. The method may include generating a first key associated with the first access serving network and the second base station, receiving information indicating that the first key is temporary, and establishing a communication link with the second base station using the first key.
    Type: Grant
    Filed: June 30, 2005
    Date of Patent: October 13, 2009
    Assignee: Alcatel-Lucent USA Inc.
    Inventors: Semyon B. Mizikovsky, Robert J. Rance
  • Patent number: 7602915
    Abstract: A communication system has a plurality of nodes that perform encrypted communication via a LAN, each using an identical common cipher key. The common cipher key is replaced at fixed or irregular intervals, by being transmitted from a main node in a broadcast mode via the LAN to respective secondary nodes that are to share the key. When the key is successfully received by a secondary node, it returns a confirmation signal. The system can be configured such that a notification list of secondary nodes for which key acquisition has been confirmed is transmitted to all of the secondary nodes.
    Type: Grant
    Filed: April 28, 2005
    Date of Patent: October 13, 2009
    Assignee: DENSO CORPORATION
    Inventor: Takahiro Iwamura
  • Patent number: 7600134
    Abstract: A method for theft deterrence of a computer system is disclosed. The computer system includes a trusted platform module (TPM) and storage medium. The method comprises providing a binding key in the TPM; and providing an encrypted symmetric key in the storage medium. The method further includes providing an unbind command to the TPM based upon an authorization to provide a decrypted symmetric key; and providing the decrypted symmetric key to the secure storage device to allow for use of the computer system. Accordingly, by utilizing a secure hard disk drive (HDD) that requires a decrypted key to function in conjunction with a TPM, a computer if stolen is virtually unusable by the thief. In so doing, the risk of theft of the computer is significantly reduced.
    Type: Grant
    Filed: November 8, 2004
    Date of Patent: October 6, 2009
    Assignee: Lenovo Singapore Pte. Ltd.
    Inventors: Ryan C. Catherman, David C. Challener, James P. Hoff, Joseph M. Pennisi, Randall S. Springfield
  • Patent number: 7596225
    Abstract: The present invention provides a method for communication involving a supplicant, an authenticator, and an authentication server having an established security association based on a first key. The supplicant and the authenticator also have an established security association based on a second key. The method may include modifying the second key using the first key in response to determining that a challenge response from the supplicant is valid.
    Type: Grant
    Filed: June 30, 2005
    Date of Patent: September 29, 2009
    Assignee: Alcatel-Lucent USA Inc.
    Inventors: Semyon B. Mizikovsky, Robert J. Rance
  • Patent number: 7596222
    Abstract: A method for protecting data for access by a plurality of users. A server encrypts data using a master key and a symmetric encryption algorithm. For each authorized user, a key encryption key (KEK) is derived from a passphrase, and the master key is encrypted using the KEK. The server posts the encrypted data and an ancillary file that includes, for each user, a user identifier and the master key encrypted according to the user's KEK. To access the data, a user enters the passphrase into a client, which re-derives the user's KEK, and finds, in the ancillary file, the master key encrypted using the user's KEK. The client decrypts the master key and then decrypts the data. A KEK may be derived from a natural language passphrase by hashing the passphrase, concatenating the result and a predetermined text, hashing the concatenation, and truncating.
    Type: Grant
    Filed: June 21, 2007
    Date of Patent: September 29, 2009
    Assignee: International Business Machines Corporation
    Inventors: Per Erwin Jonas, Allen Leonid Roginsky, Nevenko Zunic
  • Publication number: 20090238365
    Abstract: A method and system to generate fine granular integrity to huge volumes of data in real time at a very low computational cost. The invention proposes a scalable system that can receive different digital data from multiple sources and generates integrity streams associated to the original data. This invention provides full guarantees for data integrity; the order of data logged cannot be altered and content cannot be modified added or deleted without detection.
    Type: Application
    Filed: March 20, 2008
    Publication date: September 24, 2009
    Applicant: KINAMIK DATA INTEGRITY, S.L.
    Inventors: Joan Miquel Bardera Bosch, Cevahir Demirkiran, Chirstophe Primault
  • Patent number: 7580524
    Abstract: In a method and apparatus for synchronizing the receiver and the emitter in an autocompensating quantum cryptography system it is allowed to one of the stations (for example the emitter) to define the timing of all its operations (for example the application of a signal onto the modulator used to encode the values of the bits) as a function of a time reference. This time reference can either be transmitted using a channel from the other station (for example the receiver). It can also consist of a time reference synchronized with that of the other station through using information transmitted along a channel and a synchronization unit. Preferably a time reference unit is provided at each station. One of these time reference units functions as a master, while the other one functions as a slave. The slave is synchronized with the master using information transmitted over a communication channel by a synchronization unit.
    Type: Grant
    Filed: March 11, 2003
    Date of Patent: August 25, 2009
    Assignee: Universite De Geneve
    Inventors: Nicolas Gisin, Olivier Guinnard, Grégoire Ribordy, Hugo Zbinden
  • Publication number: 20090208011
    Abstract: A method for securing patient identity comprising accessing an electronic medical records database including patient data for a plurality of patients. Each patient in the electronic medical records database is assigned a unique patient identifier. Patient data for a first patient, including a first patient identifier, is retrieved from the electronic medical records database. The first patient is de-identified from the patient data. De-identifying includes the creation of a first encoded patient identifier responsive to the first patient identifier. The de-identifying results in de-identified first patient data and includes the replacement of the first patient identifier with the first encoded patient identifier. The de-identified first patient data is transmitted to a data warehouse system. The method further comprises identifying a second patient in response to receiving report data that includes a second encoded patient identifier from the data warehouse system.
    Type: Application
    Filed: April 16, 2009
    Publication date: August 20, 2009
    Applicant: GENERAL ELECTRIC COMPANY
    Inventors: Thomas N. Ricciardi, Curtis White
  • Publication number: 20090208010
    Abstract: The present invention makes use of techniques such as those described by Boneh and Franklin to allow for the realisation of a pseudo-asymmetric encryption scheme whereby one public encryption corresponds to a plurality of private decryption keys. This scheme therefore provides a solution to the problem of inefficient use of bandwidth in asymmetrical encryption schemes which inherently require that a plurality of encryptions of data be broadcast to a plurality of receivers. The invention further ensures that the advantage of traceability, typically found in asymmetric encryption schemes, is maintained due to the characteristic that each receiver uses a unique traceable decryption key. The traceability thus achieved by the present invention allows for the revocation of a security module which has been involved in the abusive use of conditional access data, particularly by means of clones of security modules whose security has been compromised.
    Type: Application
    Filed: March 13, 2009
    Publication date: August 20, 2009
    Inventors: Pascal Junod, Alexandre Karlov, Nicolas Fischer
  • Patent number: 7574600
    Abstract: A security protocol for combining user and platform authentication. The security protocol includes a first handshake phase to issue attestation identity credentials, and a second handshake phase to authenticate based on the attestation identity credentials issued in the first handshake phase. The security protocol also includes a session resumption phase to resume a previous session.
    Type: Grant
    Filed: March 24, 2004
    Date of Patent: August 11, 2009
    Assignee: Intel Corporation
    Inventor: Ned M. Smith
  • Patent number: 7570764
    Abstract: In a mobile communications system, a batch of sequence numbers is generated via an algorithm wherein each sequence number comprises a suffix and a prefix. The method comprises: calculating a new sequence number suffix from an existing sequence number suffix, calculating a prefix of a first new sequence number of the batch by addition to the prefix of the existing sequence number if the new suffix is not equal to a predetermined value or by a randomizing process if the new suffix is equal to said predetermined value, and calculating prefixes for the other sequence numbers of the batch by modular addition of integers to the prefix of said first new sequence number. The sequence numbers are used in the authentication procedure.
    Type: Grant
    Filed: June 20, 2002
    Date of Patent: August 4, 2009
    Assignee: Nortel Networks Limited
    Inventor: Anne Morgan
  • Patent number: 7567672
    Abstract: In a cryptographic communication system, a prover is connected through a channel to a verifier. Elements a, b, c, d of a finite group are used as a public key and a parameter “x” as a private key, where “x” is a discrete logarithm of “b” to base “a”. The prover calculates e=a?b?, g=c?d? and h=c?d? (where ?=?+x(???) and ?, ? and ? are random values), and transmits e, g, h to the verifier, and shows that relations a??b??=e, c??d??=g, a??b??=e, and c??d??=h are established without transmitting random values ??, b?, ??, ??. The verifier determines whether the prover is capable of establishing such relations using the public key and e, g and h. The prover is said to establish a proof that “x” is not equal to discrete logarithm of “d” to base “c” only if the verifier simultaneously determines that the relations are established and g is not equal to h.
    Type: Grant
    Filed: November 24, 2004
    Date of Patent: July 28, 2009
    Assignee: NEC Corporation
    Inventor: Jun Furukawa
  • Publication number: 20090185685
    Abstract: In a distributed, multinode data processing environment, computationally more intense public key cryptography is used to establish computationally less challenging symmetric key cryptographic paths which are thus enabled for longer term communication interchanges and in particular for establishing a client's network identity.
    Type: Application
    Filed: January 18, 2008
    Publication date: July 23, 2009
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Christopher V. DeRobertis, Robert R. Gensler, JR., Serban C. Maerean
  • Patent number: 7562223
    Abstract: A secure release of a job request is managed at a document processing system that has been issued a private key and a public key. In one embodiment, the job request includes a first part specifying job information that is encrypted using a symmetric key, and a second part specifying the symmetric key that is encrypted with a recipient's public key. The document processing system begins release of the job request upon receipt of the symmetric key encrypted using its public key. The document processing system uses its private key to decrypt the encrypted symmetric key. The decrypted symmetric key is then used to decrypt the first part of the job request, thereby permitting the document processing system to complete performance of the job request.
    Type: Grant
    Filed: December 17, 2004
    Date of Patent: July 14, 2009
    Assignee: Xerox Corporation
    Inventors: Francois Ragnet, Victor Ciriza, Olivier Fambon, Yves Hoppenot
  • Patent number: 7555121
    Abstract: Methods and apparatus are provided for implementing a cryptography engine for cryptography processing. A variety of techniques are described. A cryptography engine such as a DES engine running at a clock frequency higher than that of surrounding logic can be synchronized with the surrounding logic using a frequency synchronizer. Sbox logic output can be more efficiently determined by intelligently arranging Sbox input.
    Type: Grant
    Filed: October 29, 2004
    Date of Patent: June 30, 2009
    Assignee: Broadcom Corporation
    Inventors: Terry K. Tham, Errol Lai
  • Publication number: 20090161869
    Abstract: A method for distributing encrypted digital content is disclosed in the invention. Firstly, a digital content of a source is encrypted via a symmetric key encryption mechanism by using a first public key, so as to generate an encrypted digital content; the first public key is also encrypted to generate an encryption key at the source by using a second public key via an asymmetric key encryption mechanism provided from a destination, so that the encryption key may only be decrypted by using a private key compatible with the second public key at the destination. Therefore, no matter whether the encrypted digital content is distributed via secure or insecure routes, the ones who are not at the destination cannot access the digital content.
    Type: Application
    Filed: December 19, 2007
    Publication date: June 25, 2009
    Applicant: NSTREAMS TECHNOLOGIES, INC.
    Inventors: Su-Woan Chow, Pong-Sheng Wang, Patrick Jamp
  • Patent number: 7552344
    Abstract: A system for the encryption and decryption of data employing dual ported RAM for key storage to accelerate data processing operations. The on-chip key storage includes a dual-ported memory device which allows keys to be loaded into memory simultaneous with keys being read out of memory. Thus, an encryption or decryption algorithm can proceed while keys are being loaded into memory.
    Type: Grant
    Filed: February 27, 2006
    Date of Patent: June 23, 2009
    Assignee: Cisco Technology, Inc.
    Inventor: Kenneth W. Batcher
  • Patent number: 7551740
    Abstract: A weighted secret sharing and reconstructing method includes encoding the secret using a predetermined code, producing voices so that different weights are assigned to errors in an error vector according to locations of the errors, encrypting the encoded secret using the error vector and distributing the encrypted encoded secret to a plurality of participants.
    Type: Grant
    Filed: October 8, 2004
    Date of Patent: June 23, 2009
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Kyung-hee Lee, Tae-chul Jung, Evgeny Krouk, Sergey Bezzateev, Evgeny Linsky
  • Patent number: 7548887
    Abstract: The present invention relates to an apparatus and a method for protecting the copyright of an information signal recorded on a recording medium such as a DVD (Digital Video Disc) for presenting the signal to the user or an information signal transmitted through transmission media such as the Internet and for preventing an illegal copy of such an information signal. To put it in detail, information on copyright protection which is read out from the recording medium and information on copyright protection which is encrypted to make the information difficult to alter is used. If both of the information do not match each other, the information on copyright protection is judged to have been altered in an attempt to play back the information signal which is obtained as a result of an illegal copy operation in which case, the operation to play back the information signal is disabled.
    Type: Grant
    Filed: July 13, 1999
    Date of Patent: June 16, 2009
    Assignee: Sony Corporation
    Inventors: Akira Ogino, Yuji Kimura, Tadashi Ezaki, Teruhiko Kori
  • Patent number: 7549061
    Abstract: An executing device for conducting playback is high during the playback of contents. The executing device is equipped with a highly efficient processor and reduces the processing load involved in verification by using, for the verification, only a predetermined number of encrypted units selected randomly from multiple encrypted units constituting encrypted contents recorded on a DVD. In addition, the executing device is capable of improving the accuracy of detecting unauthorized contents by randomly selecting a predetermined number of encrypted units every time the verification is performed.
    Type: Grant
    Filed: March 24, 2005
    Date of Patent: June 16, 2009
    Assignee: Panasonic Corporation
    Inventors: Masao Nonaka, Yuichi Futa, Toshihisa Nakano, Kaoru Yokota, Motoji Ohmori, Masaya Miyazaki, Masaya Yamamoto, Kaoru Murase, Senichi Onoda
  • Publication number: 20090147957
    Abstract: This invention provides for a transaction card for use at a terminal and for initiating an internet transaction with a SSL protected server, wherein the card comprises a smartcard including an application arranged for extending an SSL connection from the said protected server into the smartcard and, further, the invention can provide for a related terminal, server and related transaction initiation and establishment methods, for extending the said SSL connection as noted above.
    Type: Application
    Filed: May 15, 2007
    Publication date: June 11, 2009
    Applicant: NXP B.V.
    Inventor: Bruce Murray
  • Patent number: 7546468
    Abstract: A system including a secure LSI 1 establishes a communication path to/from a server 3 (UD1), and receives a common key-encrypted program generated by encryption with a common key and transmitted from the server 3 (UD6 and UD7). The received common key-encrypted program is decrypted to generate a raw program, and the raw program is re-encrypted with an inherent key to newly generate an inherent key-encrypted program, which is stored in an external memory.
    Type: Grant
    Filed: October 30, 2003
    Date of Patent: June 9, 2009
    Assignee: Panasonic Corporation
    Inventors: Makoto Fujiwara, Yusuke Nemoto, Junichi Yasui, Takuji Maeda, Takayuki Ito, Yasushi Yamada, Shinji Inoue
  • Patent number: 7542573
    Abstract: A providing apparatus provides information required for secure communication to first and second devices. The providing apparatus includes a receiving unit that receives a first parameter used by the first device for the secure communication and a second parameter used by the second device for the secure communication from a connection apparatus via which the first device is connected to the second device, a generating unit that generates the information required for the secure communication based on the parameters received from the connection apparatus, and a transmitting unit that transmits the information required for the secure communication, generated by the generating unit, to the first and second devices.
    Type: Grant
    Filed: May 23, 2005
    Date of Patent: June 2, 2009
    Assignee: Canon Kabushiki Kaisha
    Inventors: Katsuhisa Ogawa, Naohiko Suzuki, Hiroaki Nakazawa
  • Publication number: 20090138948
    Abstract: A system and method are described for securing over the air communications between a service and a communication device. For example, one embodiment of a method for creating a security token on a communication device for communication between the communication device and a service includes combining a device identification of the communication device with a device capability to create a device information, the device capability known by the service. The method further includes encrypting the device information.
    Type: Application
    Filed: May 11, 2007
    Publication date: May 28, 2009
    Inventors: Pablo Calamera, Oscar A. Montemayor, Henry W. Gebhardt, III, Mandar Khadilkar, Joe Freeman Britt, JR.
  • Patent number: 7539312
    Abstract: A system including a secure LSI 1 establishes a communication path to/from a server 3 (UD1), and receives a common key-encrypted program generated by encryption with a common key and transmitted from the server 3 (UD6 and UD7). The received common key-encrypted program is decrypted to generate a raw program, and the raw program is re-encrypted with an inherent key to newly generate an inherent key-encrypted program, which is stored in an external memory.
    Type: Grant
    Filed: May 14, 2007
    Date of Patent: May 26, 2009
    Assignee: Panasonic Corporation
    Inventors: Makoto Fujiwara, Yusuke Nemoto, Junichi Yasui, Takuji Maeda, Takayuki Ito, Yasushi Yamada, Shinji Inoue
  • Publication number: 20090132811
    Abstract: In a domain comprising a plurality of devices, the devices in the domain sharing a common domain key, a method of enabling an entity that is not a member of the domain to create an object that can be authenticated and/or decrypted using the common domain key, the method comprising providing to the entity that is not a member of the domain a diversified key that is derived using a one-way function from at least the common domain key for creating authentication data related to said object and/or for encrypting said object, the devices in the domain being configured to authenticate and/or decrypt said object using the diversified key.
    Type: Application
    Filed: April 25, 2007
    Publication date: May 21, 2009
    Applicant: KONINKLIJKE PHILIPS ELECTRONICS N.V.
    Inventors: Robert Paul Koster, Javier Montaner, Sorin Marcel Iacob, Najib Koraichi
  • Patent number: 7532876
    Abstract: A reception intensity measuring unit measures a reception intensity of a radio wave received by a radio reception unit under control of a connection control unit. When it is judged that the reception intensity of the received radio wave is larger than a reception intensity set in advance, the reception intensity measuring unit controls a transmission intensity changing unit to lower a transmission intensity of a radio wave to be transmitted from a radio transmission unit. When the transmission intensity of the radio wave to be transmitted from the radio transmission unit is lowered by the transmission intensity changing unit, an authentication processing unit executes authentication processing with another apparatus via the radio reception unit and the radio transmission unit and controls an authentication data registering unit to register authentication data, which is obtained as a result of the authentication processing, in a memory.
    Type: Grant
    Filed: September 27, 2004
    Date of Patent: May 12, 2009
    Assignee: Sony Corporation
    Inventors: Kazuyuki Yamamoto, Shin Iima
  • Publication number: 20090116645
    Abstract: Disclosed is a file sharing method and system using encryption and decryption. A client hashes keywords related to files using a symmetric key algorithm, and encodes the hashed keywords. Then, the client encodes the files using the hashed keywords, and uploads to a file sharing server a ciphertext D including an encoded file m and the encoded keywords KW1, . . . , KWn. In order to download a desired file, the client transmits to the file sharing server a query Q derived from the hashed keyword KW related to the desired file. The client receives from the file sharing server a set SD of ciphertexts created from the same keyword as that queried, decodes the keyword, and decodes the file m using the decoded keyword KW.
    Type: Application
    Filed: October 16, 2008
    Publication date: May 7, 2009
    Inventors: Ikrae JEONG, Dowon HONG, Kyoil CHUNG
  • Publication number: 20090116646
    Abstract: The invention relates to a method, a system, an electronic device and a computer program for providing at least one content stream to an electronic device applying Digital Rights Management (DRM). In the method a master integrity key is obtained in a streaming node. An encrypted master integrity key is obtained in an electronic device. The encrypted master integrity key is decrypted in the electronic device. At least one session integrity key is formed in the streaming node and in the electronic device using at least the master integrity key and the integrity of at least one content stream is protected between the streaming node and the electronic device using the at least one session integrity key.
    Type: Application
    Filed: September 12, 2008
    Publication date: May 7, 2009
    Inventor: Sami Pippuri
  • Publication number: 20090103730
    Abstract: Secure establishment of a key associated with a first facility identifier is facilitated. The key is shared between a device and an operator of a first facility, via a public key management infrastructure of a payment system operating according to the payment standard, during a first transaction, substantially in accordance with the payment standard, between the device and the first facility. Controlling access to a first facility is facilitated, via the device, using the key associated with the first facility identifier, substantially without reference to an issuer of the device and substantially without use of asymmetric keys of the device, during a plurality of subsequent transactions, substantially in accordance with the payment standard, between the device and the first facility.
    Type: Application
    Filed: October 19, 2007
    Publication date: April 23, 2009
    Applicant: MasterCard International Incorporated
    Inventors: Michael C. Ward, Patrik Smets, David A. Roberts, Duncan Garrett, John Beric, Stuart Miller
  • Publication number: 20090106551
    Abstract: A distributed key encryption system and method is provided in which a key storage server provides a session key to the source and destination computers by encrypting the session key with unique distributed private keys that are associated with the respective source and destination computers by unique private key identifiers. The destination computer then decrypts the encrypted session key using its distributed private key and then decrypts the communication using the decrypted session key.
    Type: Application
    Filed: April 25, 2007
    Publication date: April 23, 2009
    Inventors: Stephen Laurence Boren, Andre Jacques Brisson
  • Patent number: 7522727
    Abstract: A method includes receiving an authentication request from a mobile station (401) and determining whether to forward the request to an authentication agent. When it is determined to forward the request, the request is forwarded to the authentication agent (107). A random number and a random seed are received from the authentication agent (107). The random number and the random seed are forwarded to the mobile station (401). A response to the random number and the random seed from the mobile station (401) is received and forwarded to the authentication agent (107). The authentication agent (107) compares the response with an expected response. When the authentication agent (107) authenticates the mobile station (401), a derived cipher key is received from the authentication agent (107).
    Type: Grant
    Filed: August 31, 2006
    Date of Patent: April 21, 2009
    Assignee: Motorola, Inc.
    Inventors: Hans Christopher Sowa, Daniel J. McDonald, David J. Chater-Lea, Scott J. Pappas, Jason Johur, Dennis Newkirk, Randy Kremske, Walter F. Anderson
  • Publication number: 20090097652
    Abstract: Apparatus and methods for performing quantum computations are disclosed. Such quantum computational systems may include quantum computers, quantum cryptography systems, quantum information processing systems, quantum storage media, and special purpose quantum simulators.
    Type: Application
    Filed: November 6, 2008
    Publication date: April 16, 2009
    Applicant: Microsoft Corporation
    Inventors: Michael Freedman, Chetan Nayak, Kirill Shtengel
  • Patent number: 7516321
    Abstract: A trusted authority delegates authority to a device. This delegation of authority is effected by providing a yet-to-be completed chain of public/private cryptographic key pairs linked in a subversion-resistant manner. The chain terminates with a penultimate key pair formed by public/private data, and a link towards an end key pair to be formed by an encryption/decryption key pair of an Identifier-Based Encryption, IBE, scheme. The private data is securely stored in the device for access only by an authorized key-generation process that forms the link to the end key pair and is arranged to provide the IBE decryption key generated using the private data and encryption key. This key generation/provision is normally only effected if at least one condition, for example specified in the encryption key, is satisfied. Such a condition may be one tested against data provided by the trusted authority and stored in the device.
    Type: Grant
    Filed: March 8, 2004
    Date of Patent: April 7, 2009
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Liqun Chen, Stephen James Crane, Cheh Goh
  • Patent number: 7515715
    Abstract: A method and apparatus for encrypting a Mode-S extended squitter exploiting a provided key. The key includes a control key segment, an address key segment, a first message key segment, and a first parity/identity key segment. Adding modulo two the control segment to the control key segment produces an intermediate control segment. Adding modulo two the address segment to the address key segment produces an intermediate address segment. Adding modulo two the message segment to the first message key segment produces an intermediate message segment. Adding modulo two the parity/identity segment to the first parity/identity key segment produces a first intermediate parity/identity segment. Concatenating the intermediate control segment, the intermediate address segment, the intermediate message segment, and the intermediate parity/identity segment produces an intermediate extended squitter.
    Type: Grant
    Filed: July 8, 2004
    Date of Patent: April 7, 2009
    Assignee: Honeywell International Inc.
    Inventor: Michael L. Olive
  • Patent number: 7512972
    Abstract: A method and apparatus for digital content access control comprises determining the occurrence of a synchronization event that triggers synchronization of information used by one or more content provisioners to create an authenticated digital content request that is based at least in part on a digital content request comprising a request for digital content with information used by one or more content repositories to validate the authenticated digital content request and to return the digital content based at least in part on the validation. The method also comprises determining the information in response to the synchronization event and sending the information to at least one of the group comprising the one or more content provisioners and the one or more content repositories.
    Type: Grant
    Filed: September 13, 2002
    Date of Patent: March 31, 2009
    Assignee: Sun Microsystems, Inc.
    Inventors: Eduard de Jong, Aaron Cooley, Jon Bostrom
  • Patent number: 7509492
    Abstract: Published resources are made available in an encrypted form, using corresponding resource keys, published through resource key files, with the publications effectively restricted to authorized peer systems only by encrypting the resource keys in a manner such that only the authorized peer systems are able to recover them. In one embodiment, the resource keys are encrypted using encryption public keys of the authorized peer systems or the groups of which the authorized peer systems are members. In one embodiment, the encryption public keys of individual or groups of authorized peer systems are published for resource publishing peer systems through client and group key files respectively. Group encryption private keys are made available to the group members through published group key files. Further, advanced features including but not limited to resource key file inheritance, password protected publication, obfuscated publication, content signing, secured access via gateways, and secured resource search are supported.
    Type: Grant
    Filed: March 27, 2002
    Date of Patent: March 24, 2009
    Assignee: Microsoft Corporation
    Inventors: Xavier Boyen, Zhenyu Qian, Dan Teodosiu
  • Patent number: 7506370
    Abstract: Security and mobility overlay architecture (SAMOA) includes security management and secure transport functions for fixed or mobile security subscriber units (SSUs). SSUs within SAMOA are authenticated, authorized, and provided with shared session keys by the security management function. The keys allow each SSU to communicate with the secure transport network, which provides secure connections to other SSUs. Because shared-key, rather than public-key session keys are preferably used, the problems associated with public-key certificate authorities and hierarchies are avoided. The security management function and the secure transport network can be layered efficiently on top of existing Internet protocol (IP) networks and are thus applicable to a wide range of systems that support IP, including 3G wireless, wireless LANs (e.g., 802.11x), wired LANs, and dial-up networks.
    Type: Grant
    Filed: May 2, 2003
    Date of Patent: March 17, 2009
    Assignee: Alcatel-Lucent USA Inc.
    Inventor: Sudhir Aggarwal
  • Patent number: 7502463
    Abstract: Methods and apparatus are provided for implementing a cryptography engine for cryptography processing. A variety of techniques are described. A cryptography engine such as a DES engine can be decoupled from surrounding logic by using asynchronous buffers. Bit-sliced design can be implemented by moving expansion and permutation logic out of the timing critical data path. An XOR function can be decomposed into functions that can be implemented more efficiently. A two-level multiplexer can be used to preserve a clock cycle during cryptography processing. Key scheduling can be pipelined to allow efficient round key generation.
    Type: Grant
    Filed: June 26, 2001
    Date of Patent: March 10, 2009
    Assignee: Broadcom Corporation
    Inventors: Zheng Qi, Mark Buer
  • Patent number: 7502472
    Abstract: An encryption system (1) and a method for encrypting and decrypting sensitive data during a data interchange between at least two electronic appliances communicating with one another. The encryption system (1) has a data stream module (2) for providing a synchronous data stream as raw material for key generation, a data module (5) for preparing the data for the encryption/decryption, a key generator (6) to which an agreed information portion of the data stream from the data stream module (2) is supplied, an encryption/decryption unit (7) which is connected to the data module (5) and to the key generator (6) and which encrypts/decrypts the sensitive data using a keyword, and an output unit (7) for forwarding the encrypted/decrypted data, the key generator (6) taking the data stream supplied to it and producing a respective keyword for each message which is to be encrypted/decrypted simultaneously on the appliances communicating with one another.
    Type: Grant
    Filed: July 15, 2004
    Date of Patent: March 10, 2009
    Assignee: Fujitsu Siemens Computers GmbH
    Inventor: Robert Depta
  • Publication number: 20090060187
    Abstract: Embodiments of the present invention address deficiencies of the art in respect to configuring a computing appliance and provide a method, system and computer program product for device certificate based virtual appliance configuration. In one embodiment of the invention, a virtual appliance secure configuration method can be provided. The method can include mounting non-volatile storage to the virtual appliance, retrieving a device certificate from the mounted storage and extracting a signature from the device certificate, activating the virtual appliance in a network domain and acquiring an adapter address and unique identifier for the virtual appliance, and authenticating the signature with the adapter address and unique identifier to ensure a unique active instance of the virtual appliance.
    Type: Application
    Filed: August 31, 2007
    Publication date: March 5, 2009
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Ronald P. Doyle, John R. Hind, Marcia L. Stockton
  • Patent number: RE40708
    Abstract: A logical tree structure and method for managing membership in a multicast group provides scalability and security from internal attacks. The structure defines key groups and subgroups, with each subgroup having a subgroup manager. Dual encryption allows the sender of the multicast data to manage distribution of a first set of encryption keys whereas the individual subgroup managers manage the distribution of a second set of encryption keys. The two key sets allow the sender to delegate much of the group management responsibilities without compromising security because a key from each set is required to access the multicast data. Security is further maintained via a method in which subgroup managers can be either member subgroup managers or participant subgroup managers. Access to both keys is provided to member subgroup managers whereas access to only one key is provided to participant subgroup managers.
    Type: Grant
    Filed: February 24, 2006
    Date of Patent: May 5, 2009
    Assignee: Panasonic Corporation
    Inventors: Lakshminath R. Dondeti, Sarit Mukherjee, Ashok Samal