Abstract: A system and method for sending encrypted messages to a distribution list. In one embodiment, the method comprises: identifying a distribution list address in a message; determining one or more member addresses associated with the distribution list address; for each member address, determining if a public key for a member identified by the member address is available on the computing device; and if so, encrypting the message to the member; sending the encrypted message to the distribution list address only if each of the one or more member addresses associated with the distribution list identifies a member for which a public key is available on the computing device.

Abstract: This method of receiving a multimedia signal scrambled by means of a control word uses a first cryptographic entity that can be connected to any one of P second cryptographic entities to form part of a device for receiving the scrambled multimedia signal. Only second cryptographic entities of a group of N second cryptographic entities selected from a wider set of P second cryptographic entities use a session key obtained by diversifying a root key identical to the root key used to obtain the session key of the first cryptographic entity.

Abstract: Systems and methodologies that facilitate delegation of keyset management to a platform presenting a centralized health-related data repository are provided. Effectively, a central keyset manager is provided that generates, manages and distributes key material to client applications and servers deploying the platform. Thus, communications with the platform storing sensitive health-related data can be secured without incurring the costs associated with implementing and enforcing policies associated with key generation and expiration among a plurality of servers and client applications. Additionally, the innovation can scale keyset management to meet short term demand needs.

Abstract: At least one of a keystream and a message authentication code are generated with a partial KASUMI block cipher, without utilizing a full KASUMI block cipher.

Abstract: A method is provided for constructing a secret code in a processing unit when in communication with a portable security unit. Mutual authentication messages are exchanged between a linked portable security unit and processing unit. A first portion of the secret code is communicated to the processing unit. The processing unit combines the first portion and a second portion of the secret code stored in the non-volatile memory of the processing unit. The secret code is stored in a volatile memory of the processing unit. A secure operation is performed using the secret code. The portable security unit is de-linked from the processing unit. At least a portion of the secret code is deleted from the volatile memory of the processing unit.

Abstract: Various techniques are described for processing externally encrypted data by database management system. Specifically, techniques are described for incorporating encrypted data stored in a first database that was encrypted by a first database management system into a second database where the encrypted data is accessed by a second database management system. When accessing externally encrypted data incorporated into the second database, the second database management system can decrypt portions of the data as needed. Because of the manner of incorporation of externally encrypted data into the second database, specifically because the externally encrypted data need not be decrypted before being incorporated into the second database, the computational overhead and security concerns associated with conventional approaches for migrating encrypted data from one database management system to another are avoided.

Abstract: Techniques are described for establishing a secure communication channel between a server computer and a client computer. A method includes (a) at the server computer, receiving a command from a user, the command including a secret passphrase, (b) at the server computer, generating a cryptographic key for use by the client computer, (c) at the server computer, storing the cryptographic key within a locked file in encrypted form, the locked file being protected by the passphrase, (d) at the server computer, sending the locked file to the client computer over a network connection, and (e) conducting secure communications between the server computer and the client computer over the network connection, using the cryptographic key for encrypting the secure communications. A corresponding method performed by the client computer is also described. Corresponding computer program products and apparatuses are also described.

Abstract: An anonymous secure messaging method and system for securely exchanging information between a host computer system and a functionally connected cryptographic module. The invention comprises a Host Security Manager application in processing communications with a security executive program installed inside the cryptographic module. An SSL-like communications pathway is established between the host computer system and the cryptographic module. The initial session keys are generated by the host and securely exchanged using a PKI key pair associated with the cryptographic module. The secure communications pathway allows presentation of critical security parameter (CSP) without clear text disclosure of the CSP and further allows use of the generated session keys as temporary substitutes of the CSP for the session in which the session keys were created.

Abstract: A method, device and system for authenticating gateway, node and server are provided in this invention. The node receives a message sent by a gateway, wherein the message comprises a number T3 shared by the gateway and a server, and a gateway identification. The node encrypts data with a key K1 shared by the node and the server, the data including T3, the gateway identification, and a random number T1 generated by the node, and then sends the encrypted data and a node identification to the server through the gateway. The node decrypts data encrypted by the server and forwarded by the gateway with the key, determines that the server is a valid server according to a T1-related number obtained by decryption, and establishes a security channel with the gateway according to a new key obtained through the decryption.

Abstract: A method and system for symmetric key subscription. A register R issues to a subject A a possession that stores a first symmetric key X or comprises a deriving means configured to derive the first symmetric key X. The register R receives from a counterparty B a request for a subscription to a symmetric key with respect to the subject A. In response to the received request, the register R derives a second symmetric key Y from both the first symmetric key X and a first value N. The register R transmits to the counterparty B the second symmetric key Y derived by the register R.

Abstract: This invention allows connection of an apparatus with a low security level without lowering the security level of a network even when such apparatus issues a connection request. This invention is directed to an access point which makes wireless communications with a station using an encryption method (AES). Upon reception of a connection request message including information indicating an encryption method (WEP) that can be used by a station, the access point checks if the encryption method (WEP) recognized based on the received connection request message is different from the encryption method (AES). When it is determined that the two encryption methods are different, the access point launches a controller which makes wireless communications with the station using that encryption method (WEP).

Abstract: A method for generating a network address in a communication network includes at least one user equipment and a network equipment. The method includes: a) providing a same shared secret key both at the at least one user equipment and at the network equipment; and b) generating at least a portion of the network address at the at least one user equipment and at the network equipment based upon at least the shared secret key.

Abstract: A digital security bubble encapsulation is disclosed. A public key and a device identifier of at least one recipient is requested from a first server. A message containing one or more components is encrypted using a symmetric key. The symmetric key is encrypted with a public key received in response to the request. The encrypted message, the encrypted symmetric key, and the device identifier are encapsulated in a digital security bubble encapsulation. The digital security bubble encapsulation is transmitted to a second server.

Abstract: A cipher processing apparatus for arithmetic operations of an FO function and an FL function comprising: an FL function operating unit for generating a 2N-bit output based on a first extension key; a partial function operating unit for generating an N-bit output based on second and third extension keys; an N-bit intermediate register for storing an output of the partial operating unit; a 2N-bit first data register for storing data based on the output of the FL function operating unit; and a controller for making the partial function operating unit perform six cycles, inputting an output of the intermediate register to the FL function operating unit, and storing the data based on the output of the FL function operating unit in the first data register, in a first case in which the FL function uses a result of an arithmetic operation of the FO function.

Abstract: A system for encrypted communication with external entities is configured to frustrate side channel attacks attempting to determine an encryption key. The system has a device with an encryption key stored in memory, an external entity with identity data for transmission to the device to initiate communication such that in response the device applies a one way function to the encryption key and the identity data to generate a variant key used to authenticate communications between the device and the external entity. The device is configured to limit the number of times the encryption key is allowed to be retrieved from the first memory to a pre-determined threshold.

Abstract: A method and apparatus to prove user assertions. A client request to authenticate a user assertion pertaining to user personal data may be received. The requested authentication may be generated for the client, the authentication proving the user assertion without revealing other information about the user. The requested authentication may be sent to the client.

Abstract: In accordance with certain aspects, data is received and a digital signature is generated and output. The digital signature can be a digital signature of the data and one or more conditions that are to be satisfied in order for the data to be revealed, or a digital signature over data generated using a private key associated with a bound key that is bound to one or more processors.

Abstract: Systems and methods are described for over-encrypting symmetrically pre-encrypted content for off-line delivery to playback devices using portable media drives in accordance with embodiments of the invention. One embodiment of the method of the invention includes symmetrically pre-encrypting the content, receiving a request to issue content for playback on at least one playback device associated with a user account, where each playback device includes a processor containing a private key assigned to the playback device by a conditional access system, generating a content key and over-encrypting at least a portion of the symmetrically pre-encrypted content in response to the request, obtaining a public key for each playback device, encrypting a copy of the content key using the public key of each playback device associated with the user account, and delivering the over-encrypted content and the at least one encrypted copy of the content key to a playback device associated with the user account.

Abstract: A communication device capable of preventing interference due to collision of signals of a plurality of communication devices (slaves) is provided. The communication device characterized by having a receiving part which receives a request signal by radio, a counter which starts count of a count value on reception of the request signal, a comparing part which compares the count value and a comparison value, and a transmitting part which transmits an acknowledge signal by radio in accordance with a result of the comparison is provided.

Abstract: Nodes of a network are each provided with a seed value and a seed identifier. Each seed value has a corresponding unique seed identifier which is maintained within the system. Within each authorized node, the seed value is combined with a local node identifier, such as a serial number or other unique identifier, to form a cryptographic key that is then used by the node to encrypt and/or decrypt data transmitted and received by that node. The cryptographic key is never transmitted over the network, and each node is able to create a different cryptographic key for use in communicating with other nodes.

Abstract: A method of securing a telecommunication terminal that is connected to a module used to identify a user of the terminal is described. The method includes a step including executing a procedure in which the terminal is matched to the identification module, consisting in: securely loading a first software program including a data matching key onto the identification module; securely loading a second software program which can operate in conjunction with the first software program onto the telecommunication terminal; transmitting a data matching key that corresponds to that of the first software program to the second software program; storing the transmitted data matching key in the secured storage zone of the telecommunication terminal; and conditionally submitting every response from the first software program to a request from the second software program upon verification at the true value of the valid possession of the data matching key by the second program.

Abstract: A method determines an elliptical curve, suitable for a cryptographic method. An elliptical curve to be tested is prepared. The order of a twisted elliptical curve associated with the elliptical curve to be tested is determined. It is automatically checked whether the order of the twisted elliptical curve is a strong prime number. If the order of the twisted elliptical curve is a strong prime number, the elliptical curve to be tested is selected as an elliptical curve suitable for cryptographical methods.

Abstract: The present invention relates to a content protection apparatus and method using binding of additional information to an encryption key. The content protection apparatus includes an encryption unit for creating an encryption key required to encrypt data requested by a user terminal and then generating encrypted data in which the data is encrypted. An additional information management unit manages additional information including authority information about the encrypted data. A White-Box Cryptography (WBC) processing unit generates a WBC table required to bind the encryption key corresponding to the encrypted data to the additional information. A bound data generation unit generates bound data in which the encrypted key is bound to the additional information, using a cipher included in the WBC table.

Abstract: A control network system connected with a node having a unique identifier includes a KDC4B for distributing a first key to the node for cryptographic communication, a PS4B for supplying a function name and a second key corresponding to the unique identifier to the node by the cryptographic communication using the first key, and a PS for supplying the node with setting information used for the cryptographic communication using the second key in response to a request using the function name.

Abstract: Certain embodiments allow security keys to be maintained across mobile device states, or communication events, such as hand-over, and system idle and sleep power savings modes. By monitoring the lifetime of security keys, keys may be refreshed in an effort to ensure key lifetimes will not expire during a hand-over process or other device unavailable state.

Abstract: A method, system, and apparatus for agile generation of one time passcodes (OTPs) in a security environment, the security environment having a token generator comprising a token generator algorithm and a validator, the method comprising generating a OTP at the token generator according to a variance technique; wherein the variance technique is selected from a set of variance techniques, receiving the OTP at a validator, determining, at the validator, the variance technique used by the token generator to generate the OTP, and determining whether to validate the OTP based on the OTP and variance technique.

Abstract: The pseudorandom number generating system repeatedly performs simple transformation of a non-secure pseudorandom number sequence that may be generated quickly, and thus may quickly generate a highly secure pseudorandom number sequence having a long period. Furthermore, the encryption system and the decryption system do not generate a large encryption function difficult to be deciphered based on a shared key 122, but prepare multiple functions 126, which perform fast, different types of transformation, and select a combination of functions determined based on information of the shared key 122, and make the selected functions transform a text multiple times, thereby encrypt the text. Each of the functions is fast, and thus transformation by the entire combination is also fast. Furthermore, since the combination of functions and repetitive count can be changed, future improvement in specification is easy. Moreover, security is high since which functions are applied in what order is unknown.

Abstract: A watchlisting module is configured to securely and efficiently create, modify, manage, and store a watchlist. The watchlisting module is configured to generate a watchlist consisting of watchlist entries. Each watchlist entry encapsulates information about an entity to be associated with the watchlist. The watchlist entry includes information about the entity including a unique identifier for the watchlist, a unique identifier of the watchlist entry, a unique identifier for the entity, and access control information for membership process related to the watchlist. The watchlist entry also includes a State Lock. Watchlisting module is configured to utilize the State Lock to secure and verify a watchlist entry.

Abstract: An IC chip, a board, information processing equipment, and a storage medium are provided that can prevent, even when information is transferred between a plurality of programs, leaking of the right protection algorithm of information in connection with the transfer. A security board is included an IC chip having a secure module. The secure module receives an encryption key request signal, and generates a communication encryption key every time when the encryption key request signal is received, the communication encryption key being used to encrypt information to be transferred between a plurality of programs. The number of times the communication encryption key is supplied is counted. If the counted number is equal to or less than a predetermined number, the communication encryption key is supplied to outside. If the counted number exceeds the predetermined number, the supply of the generated communication encryption key to outside is stopped.

Abstract: In computing point multiples in elliptic curve schemes (e.g. kP and sQ) separately using, for example, Montgomery's method for the purpose of combining kP+sQ, several operations are repeated in computing kP and sQ individually, that could be executed at the same time. A simultaneous scalar multiplication method is provided that reduces the overall number of doubling and addition operations thereby providing an efficient method for multiple scalar multiplication. The elements in the pairs for P and Q method are combined into a single pair, and the bits in k and s are evaluated at each step as bit pairs. When the bits in k and s are equal, only one doubling operation and one addition operation are needed to compute the current pair, and when the bits in k and s are not equal, only one doubling operation is needed and two addition operations.

Abstract: In an embodiment, a method for generating and distributing keys retains the scalability of a group VPN, but also provides true pair-wise keying such that an attacker who compromises one of the devices in a VPN cannot use the keys gained by that compromise to decrypt the packets from the other gateways in the VPN, or spoof one of the communicating gateways. The method is resistant to collusion when co-operating attackers overtake several VPN gateways and observe the keys stored in those gateways. In an embodiment, a VPN gateway comprises a cryptographic data processor configured to encrypt and to decrypt data packets; group key management logic; and Key Generation System logic. In one approach a gateway performs, in relation to adding a group member, receiving in a security association (SA) message secret data for use in the KGS; and derives keys for secure communication with one or more peer VPN gateways using the secret data.

Abstract: Computer-implemented methods and apparatus to perform a valid transfer of an electronic mobile ticket on a mobile device by a ticketing application system of a ticket processing center. One method includes: receiving a first electronic message from a first user, where the first message includes an encrypted electronic mobile ticket and a mobile device number of a second user, and where the electronic mobile ticket is encrypted with a key shared between the first user and the ticketing application system; decrypting the encrypted electronic mobile ticket; generating an electronic mobile ticket encrypted with a key shared by the ticketing application system and the second user; and transmitting a second electronic message that includes the electronic mobile ticket encrypted with the key shared between the ticketing application system and the second user to a mobile device of the second user.

Abstract: A secure Internet Protocol (IP) telephony system, apparatus, and methods are disclosed. Communications over an IP telephony system can be secured by securing communications to and from a Cable Telephony Adapter (CTA). The system can include one or more CTAs, network servers, servers configured as signaling controllers, key distribution centers (KDC), and can include gateways that couple the IP telephony system to a Public Switched Telephone Network (PSTN). Each CTA can be configured as secure hardware and can be configured with multiple encryption keys that are used to communicate signaling or bearer channel communications. The KDC can be configured to periodically distribute symmetric encryption keys to secure communications between devices that have been provisioned to operate in the system and signaling controllers.

Abstract: A security system includes an appliance to be secured, including a processor and a first wireless transceiver for accessing a data network with a first power requirement; and a second wireless transceiver receiving power to operate even if the appliance is off, hibernates or sleeps, the second wireless transceiver operating at a second power requirement lower than the first power requirement, the second wireless transceiver communicating a signal indicating a security status of the appliance.

Abstract: An apparatus and method for generating a shared secret between at least two wireless portable electronic devices. A shared secret is generated by holding together the at least two devices and shaking them. An acceleration of the at least two devices is measured at least during a time window beginning at a time corresponding to when a magnitude of the acceleration exceeds a predetermined threshold. The acceleration is sampled, resulting in a plurality of vectors, such that a first vector is an initial sample of the acceleration during the time window. In some embodiments, the acceleration is measured in three dimensions. Dot products are calculated between the first vector and each of a plurality of subsequent vectors, resulting in an array of scalars. At least a portion of this array is used to generate the shared secret between the at least two devices.

Abstract: A sending apparatus includes an encryption unit and a sending unit. The encryption unit encrypts each of data packets on the basis of a frame number of a frame and a determined cryptographic key. The sending unit transmits a frame including the data packets encrypted. A receiving apparatus includes a receiving unit and a decoding unit. The receiving unit receives the frame. The decoding unit decodes each of the data packets on the basis of the frame number of the frame and a determined decoding key.

Abstract: In one embodiment, a system and associated processes for transparent client-side cryptography are provided. In this system, some or all of a user's private data can be encrypted at a client device operated by the user. The client can transmit the encrypted user data to a content site that hosts a network application, such as a social networking application, financial application, or the like. The content site can store the private data in its encrypted form instead of the actual private data. When the content site receives a request for the private data from the user or optionally from other users (such as social networking friends), the server can send the encrypted user data to a client associated with the requesting user. This client, if operated by an authorized user, can decrypt the private data and present it to the authorized user.

Abstract: A Searchable Symmetric Encryption (SSE) mechanism is described which allows efficient dynamic updating of encrypted index information. The encrypted index information includes pointer information that is encrypted using a malleable encryption scheme. The SSE mechanism updates the encrypted index information by modifying at least one instance of the pointer information without decrypting the pointer information, and thereby without revealing the nature of the changes being made. In one implementation, the SSE mechanism includes a main indexing structure and a deletion indexing structure. An updating operation involves patching applied to both the main indexing structure and deletion indexing structure.

Abstract: A method and apparatus for generating shared session keys. The method and apparatus does not rely on strong random number generation. The first node sends a timestamp and random sequence to the second node. The second node generates a message authentication code (MAC) using this data and a shared secret key. The MAC is then used to encrypt a reply containing a second timestamp and second random sequence from the second node. The first node receives this message and decrypts it by generating the same MAC. Both nodes then generate a session key using the shared set of timestamps and random sequences.

Abstract: The systems, methods and apparatuses described herein permit encrypted media content to be displayed by an apparatus for a restricted time period. The apparatus may comprise a communication interface configured to couple to a controlling device to transmit a first nonce and to receive the encrypted media content and an association encryption envelope. The association encryption envelope may comprise at least a second nonce and a first time restriction expressed as a first time interval. The apparatus may further comprise a counter, a storage configured to store a value of the counter representing a time of when the first nonce is transmitted, and an engine configured to perform operations according to the first time restriction.

Abstract: The present invention provides means and method for Single Sign-On authentication of a user accessing a service network through an access network when the user has been already authenticated by a core network where the user holds a subscription. Therefore, a number of means are provided in different entities distributed between the core network and the service network, as well as in the user's equipment, for carrying out the proposed method. The Single Sign-On authentication takes place upon matching in the service network a shared key for the user submitted from the core network with another shared key for the user derived at the user's equipment.

Abstract: A configuration for encapsulating data that is unreadable after a predetermined timeout. To encapsulate data a random data key is generated and split into shares. A threshold number of shares are needed to reconstruct the key. The shares are stored at random locations within one or more networks. Each location is configured to delete the stored data after a predetermined time period. Encapsulated data is created by creating a vanishing data object (VDO) comprising the encrypted data, and data sufficient to locate at least a threshold number of key shares from their stored locations. The VDO becomes inaccessible after enough shares of the data are deleted such that the data key cannot be restored. However, if prior to timeout a sufficient number of data key shares are located and retrieved the data key can be reconstructed. The reconstructed data key is then used to decrypt the original data.

Abstract: An image encryption apparatus encrypts a digital image by specifying a partial region from the digital image, converting the selected partial region into a processing image based on an encryption key, and specifying a position of the partial region by regularly converting a pixel value of the processing image.

Abstract: Embodiments described herein are generally directed to methods and devices in which computing devices, and mobile devices in particular, establish a shared encryption key for a device group comprising at least three mobile devices. In accordance with one example embodiment, a public key of a mobile device is computed using a shared password as performed in accordance with authentication acts of a password-authenticated key exchange protocol, and transmitted to at least one other mobile device of the group. A public value is computed as a function of a mobile device private key and of a public key of at least one other mobile device of the device group, in accordance with a group key establishment protocol. The public values of the mobile devices of the device group are used to compute a shared encryption key.

Abstract: A network component comprising at least one processor configured to implement a method comprising deriving a Master Session Key (MSK) using a secret key and at least one parameter obtained from an Extensible Authentication Protocol (EAP) sequence, deriving a first Pairwise Master Key (PMK) and a second PMK from the MSK, authenticating with a home gateway (HG) using the first PMK, and authenticating with an end point using the second PMK. Included is an apparatus comprising a node comprising an access controller (AC) and a protocol for carrying authentication for network access (PANA) Authentication Agent (PAA), wherein the AC is configured to manage authentication for a UE, and wherein the PAA is configured to implement a PANA to forward authentication information related to the UE.

Abstract: The XZ-elliptic curve cryptography system and method provides a computerized method that allows for the encryption of messages through elliptic polynomial cryptography and, particularly, with the embedding of either a symmetric secret key or a public key in the message bit string. The method of performing XZ-elliptic polynomial cryptography is based on the elliptic polynomial discrete logarithm problem. It is well known that an elliptic polynomial discrete logarithm problem is a computationally “difficult” or “hard” problem.

Abstract: A primary key may be used for a first attempt by a remote node to decrypt incoming messages from a master. In the event the decrypt attempt fails at the remote node, a secondary key may then be used to attempt to decrypt the message. Initially, the primary and secondary keys may be the same. A field tool, such as a hand-held programming unit operated by a technician at a remote node location, may change the secondary key, but may not cause any change to the primary key. The secondary key may remain so changed until a new primary key is verified and/or authenticated and the secondary key is overwritten with the new primary key. The primary key may only be changed/set by the master via an encrypted request. A technician may not use a field tool to change a primary key.

Abstract: A communication device receives secure communication frames on which a security transform has been performed to permit authentication. The communication device maintains an authentication history and a local time varying parameter. In multi-hop communication, the communication device provisionally verifies the freshness of a received secure communication frame by verifying that identifying information extracted from the frame is not already present in the authentication history and that a received time varying parameter extracted from the frame is not older than the local time varying parameter by more than a certain margin. If these freshness tests both pass, the frame is authenticated. If authentication succeeds, the frame is transmitted on the next hop without performance of a new security transform.

Abstract: A storage unit stores a symmetric key table that indicates a plurality of kinds of symmetric keys usable for the communications between terminal apparatuses. A MAC frame processing unit receives a packet broadcast from the terminal apparatus. A verification unit verifies the version of the symmetric key table containing a symmetric key by which to generate a digital signature appended to the received packet. A detector detects that the version of the symmetric key table verified is older than the version of the symmetric key table stored in the storage unit. When the number of detections is a predetermined number or above in a unit time, the MAC frame processing unit generate a packet that stores the symmetric key table stored in the storage unit. The MAC frame processing unit broadcasts the packet generated.

Abstract: There is disclosed a system, architecture and method for encryption and decryption of a record. In an embodiment, a method comprises identifying a target record to be encrypted; analyzing one or more clear text linguistic attributes of the target record; generating a linguistic encryption key based on the analysis of one or more clear text linguistic attributes; and encrypting the target record with the linguistic encryption key, the linguistic encryption key operable to decrypt the encrypted target record in a reverse operation.