Abstract: An anonymous secure messaging method and system for securely exchanging information between a host computer system and a functionally connected cryptographic module. The invention comprises a Host Security Manager application in processing communications with a security executive program installed inside the cryptographic module. An SSL-like communications pathway is established between the host computer system and the cryptographic module. The initial session keys are generated by the host and securely exchanged using a PKI key pair associated with the cryptographic module. The secure communications pathway allows presentation of critical security parameter (CSP) without clear text disclosure of the CSP and further allows use of the generated session keys as temporary substitutes of the CSP for the session in which the session keys were created.

Abstract: There is provided an authentication method for a system (10) comprising several devices (30). The method involves: a) providing each device (30) with an identity value (pi: i=1, . . . , n) and a polynomial (P) for generating a polynomial key; (b) including a verifier device (p1) and a prover device (P2)amongst said devices (30); (c) arranging for the prover device (p2) to notify its existence to the verifier device (P1); (d) arranging for the verifier device (pi) to challenge the prover device (p2) to encrypt a nonce using the prover (P2)device's polynomial (P) key and communicate the encrypted nonce as a response to the verifier device (p1); (e) arranging for the verifier device (p1) to receive the encrypted nonce as a further challenge from the prover device (pZ) and: (i ) encrypt the challenge using the polynomial keys generated from a set of stored device identities; or (ii) decrypt the challenge received using the set of polynomial keys; until said verifier device (p1) identifies an authentication match.

Abstract: A method for generating a network address in a communication network includes at least one user equipment and a network equipment. The method includes: a) providing a same shared secret key both at the at least one user equipment and at the network equipment; and b) generating at least a portion of the network address at the at least one user equipment and at the network equipment based upon at least the shared secret key.

Abstract: There is proposed a method for enabling a service made available by an electronic device (100), wherein a registration request (114) is generated (S3) by the device (100) and sent (S7) to the registration server (300). The registration server (300) thereupon generates (S8) a registration confirmation (305) and sends (S9) it to the device (100), where the service is finally enabled by receiving and saving (S10) of the registration confirmation (305) on the device (100). In this connection, a trustworthy authority (200) sets up (S6, S12) a timeframe on the registration server (300) such that the registration server (300) sends (S9) a registration confirmation (305) only for a registration request (114) received within the timeframe, and the device (100) sends (S7) the registration request (114) to the registration server (300) within the timeframe.

Abstract: An arrangement and corresponding method for authentication synchronizing cryptographic key information between a server and a client device, via data signals, where the client device at least comprises one client. The server is at least configured to generate and send to the client device a current encryption key and a next encryption key. The client device is at least configured to encrypt information on the client device using the next encryption key and the client device is at least configured to return a correct One Time Password using the current encryption key. As a consequence of the received correct One Time Password the server then knows that the client has received the current encryption key, used it and stored the information with the next encryption key.

Abstract: A method and apparatus to prove user assertions. A client request to authenticate a user assertion pertaining to user personal data may be received. The requested authentication may be generated for the client, the authentication proving the user assertion without revealing other information about the user. The requested authentication may be sent to the client.

Abstract: One embodiment of the invention provides a mobile communication network architecture that includes a first base station (e.g., a first base station controller and/or a first transceiver station), a second base station (e.g., a second base station controller and/or a second transceiver station), a mobile client, and a server coupled to the mobile client via either the first base station controller or the second base station. The first base station is coupled to an authentication center that authenticates an intended user so that the user can communicate a message between the mobile client and the server via the first base station. A credential (or status) of the authentication made at the authentication center is then transmitted from the first base station to the second base station when the mobile client moves to utilize the second base station to communicate with the server.

Abstract: Nodes of a network are each provided with a seed value and a seed identifier. Each seed value has a corresponding unique seed identifier which is maintained within the system. Within each authorized node, the seed value is combined with a local node identifier, such as a serial number or other unique identifier, to form a cryptographic key that is then used by the node to encrypt and/or decrypt data transmitted and received by that node. The cryptographic key is never transmitted over the network, and each node is able to create a different cryptographic key for use in communicating with other nodes.

Abstract: In a client terminal of a communication system, a cipher session establishing section establishes a cipher session use connection between the client terminal as a source client terminal and a relay server by transmitting/receiving a cipher session establishment message between the source client terminal and the relay server, and notifies header information contained in a cipher session header to the relay server. A shared key managing section holds a client shared key with a destination client terminal, A data enciphering section performs encipherment of a data and/or MAC (Message Authentication Code) calculation of the data by using the client shared key and to output the performing result as a client cipher data. A message producing section produces a data communication message including a cipher data field in which the client cipher data is inserted and a non-cipher data field in which the cipher session header containing the header information is inserted.

Abstract: A network device includes an input circuit and a key mixing circuit. The input circuit is configured to receive i) a message and ii) a plurality of packets from a transmitting device. The message includes i) an address of the transmitting device and ii) a predetermined value for a count. Each of the plurality of packets i) is encapsulated and ii) includes the address of the transmitting device and one of a plurality of values for the count. The message is received prior to receiving the plurality of packets. The key mixing circuit is configured to generate a plurality of seeds based on the message. Each of the plurality of seeds is based on i) a predetermined key, ii) the address of the transmitting device, and iii) the predetermined value for the count. The plurality of seeds is used to decapsulate the plurality of packets.

Abstract: A control network system connected with a node having a unique identifier includes a KDC4B for distributing a first key to the node for cryptographic communication, a PS4B for supplying a function name and a second key corresponding to the unique identifier to the node by the cryptographic communication using the first key, and a PS for supplying the node with setting information used for the cryptographic communication using the second key in response to a request using the function name.

Abstract: In an embodiment, a method for generating and distributing keys retains the scalability of a group VPN, but also provides true pair-wise keying such that an attacker who compromises one of the devices in a VPN cannot use the keys gained by that compromise to decrypt the packets from the other gateways in the VPN, or spoof one of the communicating gateways. The method is resistant to collusion when co-operating attackers overtake several VPN gateways and observe the keys stored in those gateways. In an embodiment, a VPN gateway comprises a cryptographic data processor configured to encrypt and to decrypt data packets; group key management logic; and Key Generation System logic. In one approach a gateway performs, in relation to adding a group member, receiving in a security association (SA) message secret data for use in the KGS; and derives keys for secure communication with one or more peer VPN gateways using the secret data.

Abstract: When a network pages the temporary user mobile identifier of a mobile station, the mobile station sends a response to the network. Next, the network checks the authenticity of the user using a ciphering key, corresponding to the temporary user mobile identifier and a random number. If the temporary user mobile identifier is authenticated, a normal incoming call acceptance procedure is executed. If the mobile station is authenticated although the temporary user mobile identifier is wrong, the network reassigns a new temporary user mobile identifier to the mobile station and stops the current communication. In communication, the network and the mobile station mutually notify encipherment-onset time and negotiate about encipherment manner with each other. In addition, diversity handover is commenced upon a call attempt. Furthermore, if a branch replacement is necessary, the current branch is replaced by new branches capable of executing the diversity handover.

Abstract: An apparatus and method for generating a shared secret between at least two wireless portable electronic devices. A shared secret is generated by holding together the at least two devices and shaking them. An acceleration of the at least two devices is measured at least during a time window beginning at a time corresponding to when a magnitude of the acceleration exceeds a predetermined threshold. The acceleration is sampled, resulting in a plurality of vectors, such that a first vector is an initial sample of the acceleration during the time window. In some embodiments, the acceleration is measured in three dimensions. Dot products are calculated between the first vector and each of a plurality of subsequent vectors, resulting in an array of scalars. At least a portion of this array is used to generate the shared secret between the at least two devices.

Abstract: Computer-implemented methods and apparatus to perform a valid transfer of an electronic mobile ticket on a mobile device by a ticketing application system of a ticket processing center. One method includes: receiving a first electronic message from a first user, where the first message includes an encrypted electronic mobile ticket and a mobile device number of a second user, and where the electronic mobile ticket is encrypted with a key shared between the first user and the ticketing application system; decrypting the encrypted electronic mobile ticket; generating an electronic mobile ticket encrypted with a key shared by the ticketing application system and the second user; and transmitting a second electronic message that includes the electronic mobile ticket encrypted with the key shared between the ticketing application system and the second user to a mobile device of the second user.

Abstract: In one embodiment, a system and associated processes for transparent client-side cryptography are provided. In this system, some or all of a user's private data can be encrypted at a client device operated by the user. The client can transmit the encrypted user data to a content site that hosts a network application, such as a social networking application, financial application, or the like. The content site can store the private data in its encrypted form instead of the actual private data. When the content site receives a request for the private data from the user or optionally from other users (such as social networking friends), the server can send the encrypted user data to a client associated with the requesting user. This client, if operated by an authorized user, can decrypt the private data and present it to the authorized user.

Abstract: A method and apparatus for re-synchronizing a stream cipher during soft handoff. Transmitted quasi-secret keying information is used with a secret key to reinitialize a stream cipher generator located in a base station and a stream cipher generator located in a travelling mobile station. Since the quasi-secret keying information is uniquely determined according to each base station in the wireless telephone system, a base station's quasi-secret keying information and a shared secret key can also be used to create a new key. Thus, as the mobile station travels from one base station to another base station, a unique new key is generated for each base station.

Abstract: A method and an apparatus for encrypting/decrypting packet data of a precise time synchronization protocol and a time synchronization system are illustrated. The method is suitable for the time synchronization system using a precise time protocol. The time synchronization system includes a master node and a slave node, wherein the slave node synchronizes its time with the master node. In the method for encrypting/decrypting packet data of the precise time synchronization protocol, an encryption/decryption hardware device is disposed on the hardware protocol layer of each of the master node and the slave node. The hardware protocol layer is under the data link layer, and includes the data link layer. A synchronization message is encrypted by using the encryption/decryption hardware devices of the master node to generate a frame data, and the frame data is decrypted by using the encryption/decryption hardware devices of the slave node to obtain the synchronization message.

Abstract: A network component comprising at least one processor configured to implement a method comprising deriving a Master Session Key (MSK) using a secret key and at least one parameter obtained from an Extensible Authentication Protocol (EAP) sequence, deriving a first Pairwise Master Key (PMK) and a second PMK from the MSK, authenticating with a home gateway (HG) using the first PMK, and authenticating with an end point using the second PMK. Included is an apparatus comprising a node comprising an access controller (AC) and a protocol for carrying authentication for network access (PANA) Authentication Agent (PAA), wherein the AC is configured to manage authentication for a UE, and wherein the PAA is configured to implement a PANA to forward authentication information related to the UE.

Abstract: A communication device receives secure communication frames on which a security transform has been performed to permit authentication. The communication device maintains an authentication history and a local time varying parameter. In multi-hop communication, the communication device provisionally verifies the freshness of a received secure communication frame by verifying that identifying information extracted from the frame is not already present in the authentication history and that a received time varying parameter extracted from the frame is not older than the local time varying parameter by more than a certain margin. If these freshness tests both pass, the frame is authenticated. If authentication succeeds, the frame is transmitted on the next hop without performance of a new security transform.

Abstract: Systems, methods and computer readable media for authenticating one or more client devices (1) to a server (5). A shared unpredictable secret (50) is generated. The shared unpredictable secret (50) is stored in the client device (1) and in the server device (5). The client device (1) proves possession of the correct shared unpredictable secret (50) to the server (5). The shared unpredictable secret (50) is replaced by a new shared unpredictable secret (54) each time the client device (1) logs in to the server device (5).

Abstract: The present invention provides a system and method for a set of Extensible Authentication Protocols (EAPs) that can serve Confidentiality, Authentication, Authorization and Accounting (CAAA) issues at an affordable cost. According to one embodiment of the invention, a system and method is provided to generate random sequences (through prime numbers) which can be used in the authentication process of certificateless extensible authentication protocols (EAPs) for mobile and wireless communications. The invention also provides a light weight security with better performance in comparison to the lower layer chip level security provided by 2G, 3G or 4G applications.

Abstract: A light-weight resilient mechanism is used to synchronize server secure keying data with member devices in a highly-scalable distributed group virtual private network (VPN). A server device generates an initial secure keying data set, for the VPN, that includes a first version identifier, and sends, to member devices and via point-to-point messages, the secure keying data set. The server device sends, to the member devices, heartbeat push messages including the first version identifier. The server device generates an updated secure keying data set with a second version identifier and sends, to the member devices, a key push message that includes the updated data set. The server device sends, to the member devices, heartbeat push messages including the second version identifier. Member devices may use the first and second version identifiers to confirm that secure keying data sets are current and quickly identify if updates are missed.

Abstract: An encrypted program received in an MPEG transport stream is decrypted by receiving an address in the MPEG transport stream, reading a key from a memory in accordance with the received address, and decrypting the encrypted program based on the key.

Abstract: The invention relates to a method of authentication and session key agreement for secure data transmission between a first and second data communication entity in an electronic data transmission system. Furthermore, the invention relates to an electronic transmission system to perform a method of authentication and session key agreement.

Abstract: The disclosed technology provides a system and method of synchronizing cryptographic operation between a transmitter and a receiver. A transmitter can communicate encrypted data to a receiver according to a first communications protocol, and communicate a transmitter number and a portion of the encrypted data to the receiver according to a second communications protocol. The receiver can be in communication with a memory space containing locations that are each associated with an encrypted data and that can contain a previous receiver number. The receiver can receive transmitted encrypted data and an associated transmitter number and can search the memory space to find a location wherein the encrypted data associated with the location is entirely, or in part, the same as the transmitted encrypted data. When such a location is found, the receiver can compare the transmitter number with the previous receiver number stored in the location.

Abstract: Methods, networks and nodes for dynamically establishing encrypted communications between a first node having a first identification and a first private key and a second node having a second identification and a second private key. A first signal comprising information indicative of the first identification of the first node is transmitted, then, upon receipt of the first signal by the second node, a second signal comprising information indicative of the second identification of the second node and a first portion of a symmetric key is transmitted, then, upon receipt of the second signal by the first node, a third signal comprising a second portion of the symmetric key is transmitted.

Abstract: A software defined radio device and a download server store a plurality of common keys in common key data. The download server arbitrarily determines a common key from the common key data and conveys information identifying the common key to be used to the software defined radio device. An authenticator of the software defined radio device identifies a common key from the common key data using the information identifying the common key, authenticates using the common key, and performs subsequent communications using the common key. When sending software, a hash value is attached for confirming the security. A device ID of the software defined radio device is also attached to data for confirming which software defined radio device receives the software. The software is securely downloaded by a common key encryption having smaller processing requirements than those of a public key encryption.

Abstract: Methods for increasing encryption synchronization availability include collecting encryption synchronization data from a first superframe received at a gateway. The encryption synchronization data is for decrypting media in a second superframe also received at the gateway. The encryption synchronization data from the first superframe is used to form a composite encryption synchronization codeword for decrypting media in a third superframe formed by the gateway, wherein the third superframe includes the composite encryption synchronization codeword and at least a portion of the media from the second superframe. The third superframe is sent to a receiving device so that media in the third superframe can be decrypted by the receiving device using the composite encryption synchronization codeword that is included in the same superframe as the media that is being decrypted.

Abstract: A method pairs electronic equipment, particularly, in a wireless network system. The method includes: providing first and second wireless electronic equipment to be paired which store a first and a second public key, respectively, and providing a user with a wireless portable electronic device which stores a third public key. Then, the portable electronic device transmits the third public key in turn to the first and second electronic equipment, and receiving from the first and second equipment the first and second public keys, respectively. Moreover, the portable electronic device calculates first and second numbers starting from the first and second public keys, respectively. The same first and second numbers is independently calculated by the first and second electronic equipment, respectively, starting from the third public key and representing secret numbers shared between the portable device and the first and second electronic equipment.

Abstract: A multi-stage technique of establishing a plurality of secure strings of symbols is disclosed. In the first stage, the illustrative embodiment establishes a first-stage string of symbols with each other node. The first-stage strings are chosen from a first, small, key space, which means that they can be established more quickly than a highly secure key from a large key space. The advantage of the first-stage strings is that it enables the user to transmit secure messages more quickly than messages secured with highly secure strings. The disadvantage of the illustrative embodiment is that the first-stage strings are not as secure as strings from a larger key space. This disadvantage is mitigated, however, by the fact that the first-stage strings are only used for a short amount of time—until the second-stage strings are established in the second stage.

Abstract: Apparatus and method for producing quantum entangled signal and idler photon pairs is provided. The apparatus makes use of a nonlinear optical fiber to generate the entangled photons. The use of an external broad band light source for alignment of any downstream measurement apparatuses is disclosed. One or more polarized output signals can be generated at both the signal and idler wavelengths using the alignment source, allowing the downstream measurement apparatuses to be aligned using classical light. Multiple signal and idler wavelengths can be generated and aligned using such a system.

Abstract: Enhanced security is provided in an RFID system comprising a plurality of RFID devices and at least one reader which communicates with one or more of the devices. In one aspect of the invention, a first command is transmitted from the reader to write a first data unit to a memory of given one of the RFID devices. A reply is received in the reader from the given RFID device indicating that a second data unit determined based on contents of the first data unit is available in the memory to be accessed by the reader. A second command is transmitted from the reader to the given RFID device to allow the reader to read the memory to thereby obtain the second data unit. The first and second data units comprise information exchanged as part of a cryptographic protocol carried out between the reader and the given RFID device. In an illustrative embodiment, the cryptographic protocol may comprise a challenge-response authentication protocol.

Abstract: Technologies are generally described for a hardware cryptographic unit that employs hardware public physically unclonable functions. A source computer can encrypt a message using a simulation of a hardware cryptographic unit. The encrypted message can then be sent to a destination computer. The destination computer can then use the hardware cryptographic unit to decrypt the message. The source computer can use a simulation of the hardware cryptographic unit to transform an input value into a simulation output. The simulation output can be transmitted from the source computer to the destination computer where all possible input values can be rapidly run through the hardware cryptographic unit until the output of the hardware cryptographic unit matches the simulated output. The input value that generated the matching output is now a shared secret between the source computer and destination computer without ever having been transmitted in the clear over the communication channel.

Abstract: The invention concerns a method implemented in a communication network comprising a source device including: a first symmetrical key for encrypting data to be transmitted to a display device connected to the network; and the first symmetrical key encrypted with a second symmetrical network key known only to at least one display device connected to the network. When the source device needs to renew its first symmetrical key to encrypt new data, it generates a random number, then it calculates a new symmetrical key based on the first symmetrical key and on the random number. It then encrypts the data to be transmitted with the new symmetrical key and transmits to a display device, via the network: the data encrypted with the new symmetrical key, the random number, and the first encrypted symmetrical key with the second symmetrical network key.

Abstract: The present invention is directed toward secure access systems. Specifically, a method and system is provided that enhances the security of unidirectional communication protocols used in access control systems, such as the Wiegand protocol. The enhancements may include obfuscation of data, a two-way packet-mode communications, and blind synchronization of pseudo-random number generators.

Abstract: An approach to cryptographic security uses a “fuzzy” credential, in contrast to a “hard” credential, to eliminate cryptographic algorithmic repeatability on a device that may be subject to physical attacks. By eliminating repeatability performed at an algorithmic (e.g., gate or software) level, a device inherently lacks one of the fundamental setup assumptions associated with certain classes of side channel, fault injection, timing, and related attacks, thus helps to protect the system against such attacks while preserving the cryptographic security of the system.

Abstract: Linear Feedback Shift Registers (LFSRs) based 2p state with p>2 or p?2 scramblers, descramblers, sequence generators and sequence detectors in binary implementation are provided. An LFSR may apply devices implementing a binary XOR or EQUIVALENT function, a binary shift register and binary inverters and binary state generator, wherein at least an output of one shift register element in a first LFSR is connected to a device implementing a reversible binary logic function is a second LFSR. They may also apply 2p state inverters using binary combinational logic are applied. Memory based binary 2p state inverters are also applied. Non-LFSR based n-state scramblers and descramblers in binary logic are also provided. A method for simple correlation calculation is provided. Communication systems and data storage systems applying the provided LFSR devices are also disclosed.

Abstract: In a transmitter, data is encrypted by use of a data key, the data key is encrypted based on a first modification key, and the first modification key is encrypted based on a second modification key such that the first and second modification keys are different keys. The encrypted data, the encrypted data key, and the encrypted first modification key are transmitted to a receiver. In the receiver, the encrypted first modification key, the encrypted data key, and the encrypted data are received from the transmitter. The encrypted first modification key is decrypted based on the second modification key, the encrypted data key is decrypted based on the decrypted first modification key, and the encrypted data is decrypted by use of the decrypted data key.

Abstract: A cryptographic system (500) that includes a data stream receiving device (502) configured for receiving a modified data stream representing data entries encrypted using a chaotic sequence of digits. The system also includes user processing device (503, 505) configured for receiving user access information specifying an initial value for the chaotic sequence of digits and data field location information associated with selected ones of the data entries. The system further includes a synchronized pair of chaotic sequence generators (300) coupled to the user processing devices configured for generating encryption and decryption sequences based on the initial value and the data field location information. The system additionally includes an encryption device (504) and a decryption device (506) coupled to the chaotic sequence generators and the data stream receiving device, the decrypter configured for generating an output data stream from the modified data stream by applying the decryption sequences.

Abstract: A method for performing an encrypted voice call between a first terminal and a second terminal supporting a Voice over Internet Protocol (VoIP)-based voice call. In the method, the first and second terminals generate and store a bio key using biographical (bio) information of a user in advance before performing a voice call, the first terminal sends a request for a voice call to the second terminal and establishing a session, the first and second terminals exchange and store a bio key stored in each terminal, and the first and second terminals generate a session shared key using the exchanged bio key and starting a Secure Real-time Transport Protocol (SRTP) session, and a restored bio key by acquiring bio information from received data. User authentication is then performed by comparing the bio key with the restored bio key.

Abstract: An anonymous secure messaging method and system for securely exchanging information between a host computer system and a functionally connected cryptographic module. The invention comprises a Host Security Manager application in processing communications with a security executive program installed inside the cryptographic module. An SSL-like communications pathway is established between the host computer system and the cryptographic module. The initial session keys are generated by the host and securely exchanged using a PKI key pair associated with the cryptographic module. The secure communications pathway allows presentation of critical security parameter (CSP) without clear text disclosure of the CSP and further allows use of the generated session keys as temporary substitutes of the CSP for the session in which the session keys were created.

Abstract: An apparatus and method for preventing information leakage attacks through a polarized cryptographic bus architecture. The polarized cryptographic bus architecture randomly changes the polarity of the target bit such that the leaked information cannot be consistently averaged to yield statistical key material. Further, to increase the prevention of information leakage attacks, a set of dual rails is used to write data to a given register bit.

Abstract: A recursive based approach to key generation produces keys for encrypted communication. Simple mathematical operations are utilized with the inherent uncertainty of an interactive process between two endpoints to establish a common secret key. The uncertainty-based key cipher starts with some public information and some private information. The public information includes a vocabulary (alphabet) and keypad, and the private information can include an authentication code. The keypad is an abstraction that represents, for example, a set of “buttons.” These buttons will be used to translate a working key into a text that could be used to evaluate coincidences in a generated working key. Each keypad button can have more than one possible value. The number of options inside the button is the so called “uncertainty level.

Abstract: A cryptanalysis method comprising: (A) Performing a ciphertext-only direct cryptanalysis of A5/1 and (B) Using results of Step (A) to facilitate the decryption and/or encryption of further communications that are consistent with encryption using the session key and/or decryption using the session key, wherein the cryptanalysis considers part of the bits of the session key to have a known fixed value, and wherein the cryptanalysis finds the session key. An efficient known plaintext attack on AS/2 comprises trying all the possible values for R4, and for each such value solving the linearized system of equations that describe the output; The solution of the equations gives the internal state of RI, R2, and R3; Together with R4, this gives the full internal state which gives a suggestion for the key.

Abstract: An electronic signature device includes a processor, a memory, a user input device including a first biometric input device, and a device interface, all communicatively connected by at least one bus. A method of personalizing the electronic signature device to a user includes receiving a digitized biometric signature of the user via the first biometric input device. A cryptographic key is generated. A biometric electronic template is generated based on the digitized biometric signature. The cryptographic key and the biometric electronic template are stored in the memory.

Abstract: The disclosed is a method for synchronization of the running key that is generated from a shared key and that is used for encryption and decryption in communications encrypted with the shared key using a multi-valued signal. In the method for synchronization, the transmitting node transmits a signal that is formed of a multi-valued signal and that has a predetermined fixed pattern before transmitting data encrypted with the shared key. The receiving node generates a bit discrimination threshold signal that allows for bit discrimination and that has a fixed length, shifts bit by bit the phase of the bit discrimination threshold signal while monitoring bit discrimination with respect to a fixed pattern signal that is to be received, and sets the phase of the bit discrimination threshold signal when the phase of the fixed pattern signal matches the phase of the bit discrimination threshold signal.

Abstract: A system for protecting data in a security system generates and encodes a backup key for encoding long-lived secrets. The system generates a distribution plan for distributing cryptographic splits of the encoded backup key to selected persons based on geographic and organizational diversity. The distribution plan specifies a number M of the cryptographic splits to be generated and a number N of the cryptographic splits required to recover the backup key. The system processes utilize an init file comprising system parameters and state files each comprising parameters reflecting a state of the secure system after a transaction. Any of the state files may be used for any of the system processes. The state files and the init file are encoded by the backup key, thus protecting the long-lived secrets.

Abstract: An apparatus, system and method provides an out-of-synchronization detection by using a network layer checksum. A process operating at an upper layer verifies that a checksum embedded in a network layer header is correct before encrypting and transmitting a data packet containing the header and a payload. The data packet is received through a wireless communication channel at a receiver and decrypted. A calculated checksum is calculated on the received payload at the receiver and compared to the received checksum embedded in the header. A key stream used at the receiver for decrypting the received encrypted data packets is determined to be out of synchronization with a key stream used at the transmitter to encrypt the data packets if the calculated checksum is not equal to the network layer checksum.

Abstract: There is described a computer network system in which a computer is in network communication with a server. In order to install a software package on the computer, installation software forming part of the software package is executed which requests entry of an email address for the user of the software package on the computer. The entered email address is then transmitted to the server, which in response sends an email to the email address including a Uniform Resource Locator (URL) addressing a local web server forming part of the software package, with installation information being appended to the URL. When the user of the computer accesses the URL using a web browser, the local web server automatically sends the installation information to the installation software. In this way, it is established that the user of the software package has access to the entered email address.