Transmitting A Seed, Sequence, Or Initial Value Patents (Class 380/262)
  • Patent number: 8983061
    Abstract: A method and apparatus cryptographically process data including a plurality of data segments. The cryptographic process includes (a) receiving a plurality of data segments, (b) selecting, for each data segment, a set of encryption information based on data contained in a predetermined portion of the data segment to be encrypted, and (c) encrypting each data segment using the set of encryption information selected for the data segment. At least one of an encryption algorithm, an encryption key, and an encryption parameter may be changed for each data segment based on the data contained in the predetermined portion. The predetermined portion may include a first predetermined portion for selecting a first set of encryption information, and a second predetermined portion for selecting a second set of encryption information, the encryption information including an encryption algorithm, an encryption key, and optionally an encryption parameter.
    Type: Grant
    Filed: February 13, 2004
    Date of Patent: March 17, 2015
    Assignee: IVI Holdings Ltd.
    Inventor: Masashi Watanabe
  • Patent number: 8959348
    Abstract: The present invention is directed to a method for establishing a symmetric encryption key between a first device and a second device. The symmetric encryption key is a function of a phase difference of the signals emitted between the first device and the second device and distance between the first device and the second device.
    Type: Grant
    Filed: June 7, 2010
    Date of Patent: February 17, 2015
    Assignee: Rochester Institute of Technology
    Inventor: Gill Rafael Tsouri
  • Patent number: 8953794
    Abstract: A short-range communication tag includes a transmitter, a clock circuit providing a clock value and a memory containing a unique identification value. The tag further includes a processor which generates encryption keys with a period of K seconds and combines the unique identification value with the encryption key, according to a predetermined encryption method, to generate an obfuscated unique identification value. The tag further includes a short-range transmitter to transmit the tag identification value.
    Type: Grant
    Filed: August 1, 2013
    Date of Patent: February 10, 2015
    Assignee: Cambridge Silicon Radio Limited
    Inventor: Nicolas Graube
  • Patent number: 8942373
    Abstract: This present application relates to data encryption and decryption technology, and especially relates to a data encryption and decryption method and apparatus. The described encryption method comprises: packeting plaintext data to be encrypted, randomly assigning an encryption function to each group of the plaintext data, encrypting each group of the plaintext data with the encryption function respectively, and arranging the encrypted data according to its corresponding position in the plaintext data to form a ciphertext. The encryption apparatus includes: packet module, encryption function random assignment module and encryption processing module. This application also provides a data decryption method and apparatus. This invention randomly assigns an encryption function to the plaintext to be encrypted, and uses the assigned encryption function to encrypt the plaintext data to arrange and form a ciphertext, greatly strengthening the security of data storage, and achieving the perfect secrecy of data.
    Type: Grant
    Filed: December 1, 2010
    Date of Patent: January 27, 2015
    Assignee: Beijing Z & W Technology Consulting Co., Ltd.
    Inventor: Hui Liu
  • Patent number: 8935541
    Abstract: A method and apparatus for preventing a user from interpreting optional stored data information even when the user extracts the optional stored data, by managing data associated with a flash memory in a flash translation layer, the method comprising searching at least one page of the flash memory when writing data to the flash memory, determining whether authority information corresponding to respective searched pages includes an encryption storage function, generating, corresponding to respective searched pages, a page key according to an encrypting function when the authority information includes the encryption storage function, encrypting the data using the generated page key and storing the encrypted data in the respective searched pages, and storing the data in the respective searched pages without encryption when the authority information does not include the encryption storage function.
    Type: Grant
    Filed: August 8, 2012
    Date of Patent: January 13, 2015
    Assignee: Samsung Electronics Co., Ltd
    Inventors: Chang-Woo Min, Jin-Ha Jun
  • Patent number: 8923514
    Abstract: An arrangement on monitoring of authentication, in particular for motor vehicles, includes a first communication apparatus and at least a second communication apparatus, between which a wireless communication channel can be set up. The communication apparatus items have means for authentication and encryption, with which the exchangeable data may be encrypted via the communication channel. The items of communication apparatus have storage means in which one of the digital keys usable for authentication and encryption can be stored, and in that in the storage device there is either in addition to the digital key and/or in the individual key at least one piece of information regarding at least one past communication between the first communication apparatus and the second apparatus that can be stored in memory.
    Type: Grant
    Filed: August 18, 2011
    Date of Patent: December 30, 2014
    Assignee: Hella Kgaa
    Inventor: Ludger Weghaus
  • Patent number: 8913745
    Abstract: A method for hindering detection of information unintentionally leaked from a secret held in a memory unit is described, the method including receiving a triggering event, waiting for at least a first amount of time to pass after the receipt of the triggering event, the memory unit being in a non-operational state during the at least a first amount of time, after the at least a first amount of time has passed, changing at least one first condition under which the memory unit operates, thereby causing the memory unit to enter an operational state, waiting for a second amount of time to pass after the changing at least one first condition, and changing, after the second amount of time, at least one second condition under which the memory unit operates, thereby causing the memory unit to enter the non-operational state, wherein access to the secret information is enabled only during the second amount of time, and detection of secret information unintentionally leaked is limited during the first amount of time.
    Type: Grant
    Filed: August 5, 2013
    Date of Patent: December 16, 2014
    Assignee: Cisco Technology Inc.
    Inventors: Chaim Shen-Orr, Zvi Shkedy, Reuven Elbaum, Yonatan Shlomovich, Yigal Shapiro, Yaacov Belenky, Yaakov (Jordan) Levy, Reuben Sumner, Itsik Mantin
  • Patent number: 8903090
    Abstract: Techniques are disclosed for securely classifying or decoding data. By way of example, a method of determining a most likely sequence for a given data set comprises a computer system associated with a first party performing the following steps. An encrypted model is obtained from a second party. The encrypted model is utilized to determine cost values associated with a particular sequence of observed outputs associated with the given data set. The cost values are sent to the second party. At least one index of a minimum cost value determined by the second party from the cost values sent thereto is obtained from the second party. A minimum cost sequence resulting from the at least one index is determined as the most likely sequence.
    Type: Grant
    Filed: April 29, 2008
    Date of Patent: December 2, 2014
    Assignee: International Business Machines Corporation
    Inventors: Daniel Martin Bikel, Jeffrey Scott Sorensen
  • Patent number: 8891768
    Abstract: A method, system, and computer program product for using hidden buffer formatting and passing obfuscated encryption key values to detect tampering with and/or prevent unauthorized inspection of a data buffer. The method comprises receiving an unencrypted sequence to be encrypted, selecting a layout version to associate to an encryption method and a checksum method, then encrypting the unencrypted sequence using the encryption method to form an encrypted sequence, and calculating, using the checksum calculation method, an unencrypted sequence checksum. Further, storing the encrypted sequence to form a hidden buffer payload, which hidden buffer has its own hidden buffer payload checksum. Encryption keys are not stored in program data, nor sent in the hidden buffers. Instead obfuscated encryption key values are used to generate keys on the fly. The receiver of a hidden buffer and obfuscated encryption key values can detect tampering or data corruption of the payload for further processing.
    Type: Grant
    Filed: April 30, 2012
    Date of Patent: November 18, 2014
    Assignee: Oracle International Corporation
    Inventor: George R. Pogmore
  • Patent number: 8885833
    Abstract: A key recovery request for a device is received at a key recovery service and a particular one-time recovery credential in a sequence of multiple one-time recovery credentials is identified. In the sequence of multiple one-time recovery credentials, previous one-time recovery credentials in the sequence are indeterminable given subsequent one-time recovery credentials in the sequence. A recovery key associated with the device is also identified. The particular one-time recovery credential in the sequence is generated based on the recovery key, and is returned in response to the key recovery request. The particular one-time recovery credential can then be used by the device to decrypt encrypted data stored on a storage media of the device.
    Type: Grant
    Filed: April 11, 2011
    Date of Patent: November 11, 2014
    Assignee: Microsoft Corporation
    Inventors: Benjamin E. Nick, Magnus Bo Gustaf Nyström, Cristian M. Ilac, Niels T. Ferguson, Nils Dussart
  • Patent number: 8885830
    Abstract: A system for establishing an encrypted multicast communication session over a communications network can include a client means (e.g., a radio, laptop, workstation, phone, PDA) and a server means. The client means can transmit a request for a first user to join a pre-defined collaborative group, including at least the first user and a second user. The client means can transmit a request for a first user to create or select a collaborative group based on specified criteria. The system can also include a server means that can retrieve, select or generate an encryption key for the collaborative group and transmit the encryption key to the first user via the client means. The server can transmit the encryption key to the second user via a second client means. The client means can communicate via multicast, encrypting end-to-end above the network layer using the encryption key received from the server means.
    Type: Grant
    Filed: May 4, 2009
    Date of Patent: November 11, 2014
    Assignee: Mitre Corporation
    Inventors: Thomas Tahan, Steven Leonard Cox, Weilin Wang, Martin Woscek
  • Patent number: 8873755
    Abstract: Wireless devices in proximity are securely paired with one another autonomously by generating a common cryptographic key directly from a time-varying wireless environment shared among the wireless devices. The shared key can be used by the wireless devices to authenticate each wireless device's physical proximity and then to facilitate confidential communication between the wireless devices. The algorithm used to create the shared key is secure against a computationally unbounded adversary and its computational complexity is linear in the size of the shared key.
    Type: Grant
    Filed: May 19, 2011
    Date of Patent: October 28, 2014
    Assignees: AT&T Intellectual Property I, L.P., Rutgers, The State University of New Jersey
    Inventors: Suhas Mathur, Wade Trappe, Alexander Varshavsky
  • Patent number: 8867743
    Abstract: Information is encrypted using randomly generated information, a multiple step process, and additional secured logic. Upon receiving a credit card authorization request with a credit card number (or other sensitive or valuable information), the present technology may randomly select an encryption key from a set of encryption keys. A randomly generated encryption index may then be generated. The credit card number may then be encrypted using the encryption key a number of times as indicated by the randomly generated index. A cryptographic salting key may be selected from a set of cryptographic salting keys and salting modification logic may be accessed. The selected salting key may then be applied to the encrypted credit card number. After the salting, the salting modification logic may be applied to the salted encryption string.
    Type: Grant
    Filed: November 13, 2013
    Date of Patent: October 21, 2014
    Assignee: MGM Resorts International
    Inventors: Rajeshwar Salvaji, Mudit Chandra
  • Patent number: 8855308
    Abstract: A method of transmitting messages from a sender to a recipient over a wireless channel, the messages including a sequence counter and a frame counter. The method comprises establishing initial values of the sequence counter and the frame counter at the sender. Initial values of the frame counter and the sequence counter are provided to the recipient. The sender sends compressed messages including the value of the sequence counter and not the frame counter and monitors for an acknowledgement of receipt by the recipient. When no acknowledgment is received, the sender sends uncompressed messages until an acknowledgement of receipt is received from the recipient. The sequence counter is incremented and the next value of the frame counter is established as the integer next larger than previous value of the frame counter which is congruent to the sequence counter modulo 256.
    Type: Grant
    Filed: August 27, 2009
    Date of Patent: October 7, 2014
    Assignee: Certicom Corp.
    Inventor: Marinus Struik
  • Patent number: 8850538
    Abstract: A method, system, and apparatus for agile generation of one time passcodes (OTPs) in a security environment, the security environment having a token generator comprising a token generator algorithm and a validator, the method comprising generating an OTP at the token generator according to a variance technique; wherein the variance technique is selected from a set of variance techniques, receiving the OTP at a validator, determining, at the validator, the variance technique used by the token generator to generate the OTP, and determining whether to validate the OTP based on the OTP and variance technique.
    Type: Grant
    Filed: October 21, 2013
    Date of Patent: September 30, 2014
    Assignee: EMC Corporation
    Inventors: Daniel Bailey Vernon, John G Brainard, William M Duane, Michael J O'Malley, Robert S Philpott
  • Patent number: 8848915
    Abstract: A method and apparatus for performing an automatic wireless connection with a second digital device by a first digital device is provided. The method includes acquiring, by the first input device, random information used for the wireless connection; checking a status of a Wireless Local Area Network (WLAN); storing the checked status; setting the WLAN to an Ad-hoc mode; setting a Service Set Identifier (SSID) of the WLAN using the random information; setting a security key of the WLAN using the random information; and setting an Internet Protocol (IP) address of the WLAN using the random information.
    Type: Grant
    Filed: June 9, 2010
    Date of Patent: September 30, 2014
    Assignee: Samsung Electronics Co., Ltd
    Inventors: Woo-Jin Park, Jin-Hyoung Kim, Jin-Wook Lee, Je-Hyok Ryu, Hun Lim, Shin-Il Kang, Gene-Moo Lee
  • Patent number: 8842829
    Abstract: Disclosed are alternate embodiments of various components of a barrier operator system and methods of operation, including of the mechanical drive subsystem with segmented and self-locking rail unit, rail mounting supports, belt and chain drive tensioning, and drive assembly carriage and interface; the electronics and software routines for controlled operation of the various barrier operator functions; wall console communications with the barrier operator; encryption and decryption of access codes; establishment and monitoring of travel limits and barrier speed and force profiles; thermal protection of barrier operator drive motors; and establishment and control of communications from the barrier operator to accessories by way of a wireless adapter.
    Type: Grant
    Filed: May 22, 2012
    Date of Patent: September 23, 2014
    Assignees: Overhead Door Corporation, Microchip Technology Incorporated
    Inventors: David Patrick Bresson, Vivien Neil Delport
  • Patent number: 8832464
    Abstract: A processor including instruction support for implementing hash algorithms may issue, for execution, programmer-selectable hash instructions from a defined instruction set architecture (ISA). The processor may include a cryptographic unit that may receive instructions for execution. The instructions include hash instructions defined within the ISA. In addition, the hash instructions may be executable by the cryptographic unit to implement a hash that is compliant with one or more respective hash algorithm specifications. In response to receiving a particular hash instruction defined within the ISA, the cryptographic unit may retrieve a set of input data blocks from a predetermined set of architectural registers of the processor, and generate a hash value of the set of input data blocks according to a hash algorithm that corresponds to the particular hash instruction.
    Type: Grant
    Filed: March 31, 2009
    Date of Patent: September 9, 2014
    Assignee: Oracle America, Inc.
    Inventors: Christopher H. Olson, Jeffrey S. Brooks, Robert T. Golla
  • Patent number: 8812638
    Abstract: A method of controlling an apparatus comprising a plurality of features and adapted to receive messages via a first network interface, wherein said method is implemented in a filter superposed on the top of an existing architecture of the apparatus. The method comprises the following steps: receiving network management message via said first network interface; interrogating said message in order to identify a feature said network management message relates to and filtering the received management message such that said management message is rejected if the identified feature is classified as disabled and said management message is allowed to go through if said feature is classified as enabled.
    Type: Grant
    Filed: July 12, 2006
    Date of Patent: August 19, 2014
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventor: Jürgen Fischer
  • Patent number: 8804960
    Abstract: A method and circuit for implementing known scrambling relationship among multiple serial links, and a design structure on which the subject circuit resides are provided. A transmit Linear Feedback Shift Register (LFSR) is provided with each of the multiple serial links for scrambling transmitted data. A receive Linear Feedback Shift Register (LFSR) is provided with each of the multiple serial links for descrambling received data. Each of the transmit LFSRs is initialized to a unique value. Each transmit LFSR conveys a current unique value to a receive LFSR for synchronizing the transmit LFSR and receive LFSR to begin scrambling and descrambling data.
    Type: Grant
    Filed: February 22, 2010
    Date of Patent: August 12, 2014
    Assignee: International Business Machines Corporation
    Inventors: Wayne Melvin Barrett, Kenneth Michael Valk
  • Patent number: 8799678
    Abstract: A system and method for the secure storage of executable code and the secure movement of such code from memory to a processor. The method includes the storage of an encrypted version of the code. The code is then decrypted and decompressed as necessary, before re-encryption in storage. The re-encrypted executable code is then written to external memory. As a cache line of executable code is required, a fetch is performed but intercepted. In the interception, the cache line is decrypted. The plain text cache line is then stored in an instruction cache associated with a processor.
    Type: Grant
    Filed: June 1, 2010
    Date of Patent: August 5, 2014
    Assignee: Broadcom Corporation
    Inventor: Mark Buer
  • Patent number: 8792643
    Abstract: A system and method for decrypting encrypted media that have changing initialization vectors and keys is disclosed. As encrypted media is received and played back, the encrypted frames can be monitored (e.g., checked) to detect whether or not initialization vectors are prepended to them. If a prepended initialization vector is detected, the prepended initialization vector is used to facilitate the decryption of the encrypted frame. If no prepended initialization vector is detected, a new initialization vector is generated by using a last portion of bytes of the preceding encrypted frame and the new initialization vector is used to facilitate the decryption of the encrypted frame. A signal byte can be included to signal whether the frame is encrypted or not, whether an initialization vector is included, and other information about the encrypted frame.
    Type: Grant
    Filed: June 7, 2012
    Date of Patent: July 29, 2014
    Assignee: Google Inc.
    Inventors: Francis Galligan, Duncan MacLean
  • Patent number: 8769280
    Abstract: An authentication apparatus for a non-real-time IPTV system decrypts a first encrypted value included in a contents request message received from a device using a preset session key, and then verifies the validity of the contents request message. If the verification results of the contents request message are valid, the authentication apparatus encrypts a variation between timestamps of the authentication apparatus and the device using the session key, and then generates a second encrypted value. After verification information by which the device is capable of verifying the authentication apparatus has been generated using the second encrypted value, the authentication apparatus sends verification information, together with contents corresponding to the contents request message, to the device.
    Type: Grant
    Filed: June 28, 2011
    Date of Patent: July 1, 2014
    Assignee: Electronics and Telecommunications Research Institute
    Inventors: Dae-Hee Seo, Hyeok-Chan Kwon, Seung-Min Lee, Yong-Hyuk Moon, Jae-Hoon Nah, Taek-Yong Nam, Dong-Il Seo
  • Patent number: 8756417
    Abstract: A multi-mode Trusted Computing Platform (TCP) comprising a Field Programmable Gate Array (FPGA) device that includes a Type-1-compliant root of trust (ROT), a memory containing a Type-1 security boot image and at least one lower-security boot image, and a memory containing a Type-1-associated operating system (OS) image and at least one lower-security-associated OS image. The TCP is configured to execute a multi-stage boot process that, depending on the presence of one or more valid external inputs, selects and initiates either a Type-1 TCP computing mode or a lower-assurance computing mode.
    Type: Grant
    Filed: February 4, 2014
    Date of Patent: June 17, 2014
    Assignee: Sypris Electronics, LLC
    Inventor: Douglas J. Gardner
  • Patent number: 8745399
    Abstract: A method for sharing and updating a key using a watermark is disclosed. The method includes receiving an image to be encoded from an image input device, encoding the image, and inserting a master key value as a watermark into the encoded image, for use as an input of a key derivation function.
    Type: Grant
    Filed: May 25, 2010
    Date of Patent: June 3, 2014
    Assignee: Electronics and Telecommunications Research Institute
    Inventors: Jin Hee Han, Young Sae Kim, Geon Woo Kim, Hong Il Ju, Su Gil Choi
  • Patent number: 8737620
    Abstract: The invention provides a system and a method for securely providing a secret data from a sender to one or more receivers. The receiver uses a sequence of functions originating from a hierarchy of functions to migrate the secret data from an input transform space to an output transform space using a mathematical transformation under control of one or more seeds. The seeds are provided to the receiver by the sender. The sender conditionally allows the receiver to obtain the secret data by controlling the seeds.
    Type: Grant
    Filed: February 26, 2010
    Date of Patent: May 27, 2014
    Assignee: Irdeto B.V.
    Inventors: Philip Allan Eisen, Ettore Benedetti, Arnoud Evert Van Foreest, Andrew Augustine Wajs
  • Patent number: 8732461
    Abstract: A client apparatus receives a message including a random number from a server apparatus during the handshake of agreement process, creates a biometric negotiation message including the biometric authentication method information and sends the biometric negotiation message to the server apparatus. Then, the client apparatus executes a biometric authentication based on biometric authentication method information notified from the server apparatus and encrypts the random number based on the private key. In addition, the client apparatus generates an authenticator from a result of the biometric authentication, the biometric authentication method information, the encrypted random number, and the client certificate, and sends to the server apparatus an authentication context including these. The server apparatus verifies the authentication context and establishes a secure session in one handshake.
    Type: Grant
    Filed: February 12, 2010
    Date of Patent: May 20, 2014
    Assignees: Kabushiki Kaisha Toshiba, Toshiba Solutions Corporation
    Inventors: Yoshihiro Fujii, Tatsuro Ikeda, Koji Okada, Tomoaki Morijiri, Minoru Nishizawa, Hidehisa Takamizawa, Asahiko Yamada
  • Patent number: 8732451
    Abstract: As provided herein, when using an untrusted network connection, a secure online environment can be created for a remote machine by connecting to a trusted computer with a trusted network connection. A proxy server is installed on a first computing device and shared encryption keys are generated for the first device and a portable storage device. A connection is initiated between a second computing device (e.g., remote device), connected to an untrusted network, and the first computing device, comprising initiating a proxy server protocol from the portable storage device (e.g., attached to the second device), using the second computing device. A secure connection between the first and second devices is created using the encryption keys.
    Type: Grant
    Filed: May 20, 2009
    Date of Patent: May 20, 2014
    Assignee: Microsoft Corporation
    Inventors: Rajesh Viswanathan, David J. Steeves
  • Patent number: 8687809
    Abstract: Embodiments may include receiving a protected version of content including different encryption chains including encrypted blocks of content. The protected version of content may include decryption information for decrypting the encrypted chains; the decryption information may include initialization vectors that are distinct from the content. Embodiments may also include performing chained decryption on a particular sequence of data blocks including multiple encryption chains from the protected version of the content and at least some of the initialization vectors. Some of the initialization vectors may be positioned between the encryption chains within the particular sequence such that during the chained decryption the initialization vectors are decrypted in sequence with the data blocks of the encryption chains. The chained decryption may result in a sequence of decrypted data blocks including decrypted initialization vectors.
    Type: Grant
    Filed: May 27, 2011
    Date of Patent: April 1, 2014
    Assignee: Adobe Systems Incorporated
    Inventors: Viswanathan Swaminathan, Saayan Mitra
  • Patent number: 8681986
    Abstract: A method for initializing encrypted communications using a common reference string and a shared password, includes determining a secret key of a peer using a first message, a second message and the common reference string, wherein the first message and the second message each comprise a tuple of elements of a cyclic group G of prime order p, a blinding encryption of the shared password, and a hash projection key.
    Type: Grant
    Filed: May 25, 2011
    Date of Patent: March 25, 2014
    Assignee: International Business Machines Corporation
    Inventors: Charanjit Singh Jutla, Arnab Roy
  • Patent number: 8677136
    Abstract: The present invention provides for authenticating a message. A security function is performed upon the message. The message is sent to a target. The output of the security function is sent to the target. At least one publicly known constant is sent to the target. The received message is authenticated as a function of at least a shared key, the received publicly known constants, the security function, the received message, and the output of the security function. If the output of the security function received by the target is the same as the output generated as a function of at least the received message, the received publicly known constants, the security function, and the shared key, neither the message nor the constants have been altered.
    Type: Grant
    Filed: December 15, 2011
    Date of Patent: March 18, 2014
    Assignee: Google Inc.
    Inventors: Daniel Alan Brokenshire, Harm Peter Hofstee, Mohammad Peyravian
  • Patent number: 8667282
    Abstract: An information processing device including a receiving unit that receives a first random number from another information processing device; a generating unit that generates a second random number; a time-variant-key generating unit that generates a time variant key for encryption according to the second random number; an encrypting unit that encrypts the first random number with the time variant key; and a transmitting unit that transmits the first random number encrypted by the time variant key and the second random number to the other information processing device.
    Type: Grant
    Filed: October 8, 2012
    Date of Patent: March 4, 2014
    Assignee: Sony Corporation
    Inventor: Hiroaki Hamada
  • Patent number: 8660265
    Abstract: At least one of a keystream and a message authentication code are generated with a partial KASUMI block cipher, without utilizing a full KASUMI block cipher.
    Type: Grant
    Filed: September 13, 2010
    Date of Patent: February 25, 2014
    Assignee: Marvell International Ltd.
    Inventors: Gadi Mazuz, Yuval Greisas
  • Patent number: 8660268
    Abstract: A method and apparatus for client authentication using a pseudo-random number generation system. The pseudo-random number generation utilizes a secret key as well as state information as input into the hash function to generate a pseudo-random number. The state information that is part of the input can be any number of prior generated pseudo-random numbers. The authentication allows for synchronization of the client and server by exchanging state information. The authentication is not dependent on any absolute time and consequently the client and servers are not required to maintain a reliable shared time base.
    Type: Grant
    Filed: April 29, 2008
    Date of Patent: February 25, 2014
    Assignee: Red Hat, Inc.
    Inventor: James Paul Schneider
  • Patent number: 8654976
    Abstract: A random wave envelope is created from a set of bounded random numbers by additively combining a triangle, a square and a sine wave. The random wave envelope is then used to create a sequence of wave random numbers from the wave envelope, which are used to generate random-variant keys for encryption in place of the pre-placed encryption key. An ambiguity envelope is thus created over the transmission of data packets as random-variant-keys are used that are distinct and separate for each packet and may also be distinct and separate for each incoming and outgoing packet. The random-variant keys are only created at the time of the actual use for encrypting or decrypting a data packet and not before and then discarded after one time use. The random-variant keys may be used in wireless network using wireless access points, cellular phone and data networks and ad hoc mobile wireless networks.
    Type: Grant
    Filed: May 2, 2011
    Date of Patent: February 18, 2014
    Inventor: Tara Chand Singhal
  • Patent number: 8645499
    Abstract: An image processing system includes an image processing apparatus and a decryption server interconnected via a network. When a portable recording medium having an encrypted target file and access information to access a decryption server that decrypts this encrypted target file, recorded therein, is connected to a connector of an image processing apparatus, the image processing apparatus reads out the encrypted target file and the access information from the portable recording medium connected thereto, accesses the decryption server according to the access information, then transmits the encrypted target file to the decryption server. The decryption server decrypts the encrypted target file received therefrom, and returns it to the image processing apparatus. The image processing apparatus executes processing on the decrypted target file that is returned therefrom.
    Type: Grant
    Filed: August 24, 2010
    Date of Patent: February 4, 2014
    Assignee: Konica Minolta Business Technologies, Inc.
    Inventor: Hideki Nonaka
  • Patent number: 8645694
    Abstract: There is provided an authentication method for a system (10) comprising several devices (30). The method involves: (a) providing each device (30) with an identity value (pi: i=1, . . . , n) and a polynomial (P) for generating a polynomial key; (b) including a verifier device (p1) and a prover device (p2) amongst said devices (30); (c) arranging for the prover device (p2) to notify its existence to the verifier device (p1); (d) arranging for the verifier device (p1) to challenge the prover device (p2) to encrypt a nonce using the prover device's (p2) polynomial (P) key and communicate the encrypted nonce as a response to the verifier device (p1); (e) arranging for the verifier device (p1) to receive the encrypted nonce as a further challenge from the prover device (p2) and: (i) encrypt the challenge using the polynomial keys generated from a set of stored device identities; or (ii) decrypt the challenge received using the set of polynomial keys; until said verifier device (p1) identifies an authentication match.
    Type: Grant
    Filed: September 27, 2005
    Date of Patent: February 4, 2014
    Assignee: Koninklijke Philips N.V.
    Inventors: Geert Jan Schrijen, Thomas Andreas Maria Kevenaar
  • Patent number: 8630420
    Abstract: A method for generating a network address in a communication network includes at least one user equipment and a network equipment. The method includes: a) providing a same shared secret key both at the at least one user equipment and at the network equipment; and b) generating at least a portion of the network address at the at least one user equipment and at the network equipment based upon at least the shared secret key.
    Type: Grant
    Filed: May 31, 2005
    Date of Patent: January 14, 2014
    Assignee: Telecom Italia S.p.A.
    Inventors: Maria Pia Galante, Luca Dell'Uomo, Andrea Calvi
  • Patent number: 8630417
    Abstract: A method of operating by a second processing unit a content recorded by a first processing unit, said first and second processing units having a specific key being managed by a central server. The processing units have access to a removable storage memory intended to record a content ciphered by a content key accompanied by a file associated to the content. The content key is produced by means of a cascaded deciphering starting from the specific key of the first unit of at least two constants provided by the central server and a variable. The content is restored by the second processing unit by means of a cascaded deciphering starting from the specific key of the second unit by using the constants and the variable stored in the file accompanying the content and a transcoding key calculated by the central server.
    Type: Grant
    Filed: November 26, 2008
    Date of Patent: January 14, 2014
    Assignee: Nagravision S.A.
    Inventors: Antoine Burckard, Sebastien Robyr
  • Patent number: 8625787
    Abstract: A method performed in a third computing device comprises: receiving a request from one of a first computing device and a second computing device; and in response to the request, facilitating establishment of a security association between the first computing device and the second computing device such that the first computing device and the second computing device can then facilitate establishment of a security association between first user equipment and second user equipment. The first computing device, the second computing device and the third computing device comprise at least a part of a key management hierarchy wherein the first computing device and the second computing device are on a lower level of the hierarchy and the third computing device is on a higher level of the hierarchy. The first and second computing devices are configured to perform a key management function for respective first and second user equipment.
    Type: Grant
    Filed: January 14, 2010
    Date of Patent: January 7, 2014
    Assignee: Alcatel Lucent
    Inventors: Alec Brusilovsky, Violeta Cakulev
  • Patent number: 8619980
    Abstract: Hierarchical cryptography expressed in a general semiordered structure other than a tree structure is implemented. In information generation, random numbers ?v and (?vj)j?w(v)?Zq are generated; main information kv=?v?i?{1, . . . , N-1}\w(v)vibi*+bN* is calculated; and derivation information kvj=?vj?i?{1, . . . , N-1}\w(v)vibi*+bj* is calculated for each j?w(v). In information derivation, random numbers ?u and (?uj)j?w(u)?Zq are generated; main information ku=?u?i?w(v)\w(u)uikvi+kv is calculated; and derivation information kuj=?uj?i?w(v)\w(u)uikvi+kvj is calculated for each j?w(v).
    Type: Grant
    Filed: April 23, 2010
    Date of Patent: December 31, 2013
    Assignee: Nippon Telegraph and Telephone Corporation
    Inventors: Koutarou Suzuki, Ryo Nishimaki
  • Patent number: 8621540
    Abstract: Apparatus and methods for provisioning of customer premise equipment (CPE) equipped with a secure microprocessor to receive e.g., digital video content by entering unique identification of the CPE at one or more servers located at the headend or other location of a content-based network. In one embodiment, the CPE comprises a download-enabled (e.g., DCAS) host with embedded cable modem and embedded set-top box functionality, and the provisioning includes enabling DOCSIS functionality of the CPE, assigning an IP address to the CPE and providing the CPE with a client image for the conditional access system chosen by the network operator. In one variant, the network operator can deactivate a provisioned device while connected to the network, as well as when disconnected from the network. The network operator can also add, delete or replace conditional access client image in a provisioned device.
    Type: Grant
    Filed: January 24, 2007
    Date of Patent: December 31, 2013
    Assignee: Time Warner Cable Enterprises LLC
    Inventors: Shrikant Apsangi, Srinivas Guduru, Jason Kazimir Schnitzer, Jeffrey P. Markley, John B. Carlucci, John G. Bevilacqua
  • Publication number: 20130343541
    Abstract: A method of secure communication in a transmitter includes determining a method of generating a training sequence that is shared with a receiver. The method further includes generating the training sequence based on the method of generating the training sequence, and secret information. The method further includes communicating with the receiver based on channel information derived from the training sequence.
    Type: Application
    Filed: June 25, 2013
    Publication date: December 26, 2013
    Inventors: Mi Suk HUH, Jong Bu LIM, Kyung Hun JANG
  • Patent number: 8612759
    Abstract: A communication system includes an information processing device and a management device including a challenge input device, an encryption device, and a combination data output device. The challenge input device inputs challenge data output by the information processing device. The encryption device creates combination data including the challenge data and the predetermined data, and encrypts the combination data in units of blocks. The encryption device creates the combination data such that at least one block of the combination data includes both at least a part of the challenge data and at least a part of the predetermined data. The combination data output device outputs the combination data encrypted by the encryption device to the information processing device. The information processing device is provided with a challenge output device, a challenge storage, a combination data input device, a decryption device, and a data utilizing device.
    Type: Grant
    Filed: August 29, 2007
    Date of Patent: December 17, 2013
    Assignee: Brother Kogyo Kabushiki Kaisha
    Inventor: Kan Ishimoto
  • Patent number: 8607343
    Abstract: Securely installing and booting software of a device to run OS authorized according to a ticket that is validated by a nonce generated by application processor (AP) in booted OS stage prior to entering a restore mode is described. AP in booted OS stage generates a pre-flight nonce that is stored in a trusted location (effaceable storage). AP in booted OS stage performs one-way hash of pre-flight nonce and sends the hashed pre-flight nonce to ticket authorization server. AP enters restore mode. AP in first stage bootloader receives a ticket from the ticket authorization server including a signed copy of the hashed pre-flight nonce. AP in first stage bootloader validates the signed ticket by comparing one-way hash of the pre-flight nonce stored in the trusted location and the hashed nonce in the signed ticket. Pre-flight nonce expires after timeout period and upon reboot of AP. Other embodiments are also described.
    Type: Grant
    Filed: September 27, 2011
    Date of Patent: December 10, 2013
    Assignee: Apple Inc.
    Inventors: Jason D. Gosnell, Jerrold V. Hauck, Michael Brouwer, Tahoma Toelkes
  • Patent number: 8600050
    Abstract: A method, system, and media are provided for securely communicating data. One embodiment of the method includes encrypting a data stream by way of a first algorithm; creating at least two subsets of data from the data stream by extracting one or more data portions from the encrypted data stream, thereby leaving a remaining portion and an extracted portion; communicating the remaining portion to a destination by way of a first communications channel; encrypting the extracted portion utilizing a second algorithm; communicating the encrypted extracted portion to the destination by way of a second communications channel; and providing for recombining the remaining portion and the encrypted extracted portion to facilitate recovery of the encrypted data stream.
    Type: Grant
    Filed: February 22, 2008
    Date of Patent: December 3, 2013
    Assignee: Sprint Communications Company L.P.
    Inventors: Tao Ye, Darryl Veitch, Jean C. Bolot
  • Patent number: 8590027
    Abstract: A method and apparatus for authenticating a client is described. In one embodiment, an identity provider server authenticates the client that is redirected from a relying party server. The identity provider server authenticates the client without receiving a replayable credential from the client. Upon authentication of the client, the identity provider server transmits a token of authentication to the client.
    Type: Grant
    Filed: February 5, 2007
    Date of Patent: November 19, 2013
    Assignee: Red Hat, Inc.
    Inventor: Peter Andrew Rowley
  • Patent number: 8588410
    Abstract: Nodes of a network are each provided with a seed value and a seed identifier. Each seed value has a corresponding unique seed identifier which is maintained within the system. Within each authorized node, the seed value is combined with a local node identifier, such as a serial number or other unique identifier, to form a cryptographic key that is then used by the node to encrypt and/or decrypt data transmitted and received by that node. The cryptographic key is never transmitted over the network, and each node is able to create a different cryptographic key for use in communicating with other nodes.
    Type: Grant
    Filed: April 6, 2009
    Date of Patent: November 19, 2013
    Assignee: Elster Electricity, LLC
    Inventors: Jeffrey D. McCullough, Edward J. Beroset
  • Patent number: 8582768
    Abstract: A method in a receiver includes receiving from a transmitter a sequence of communication packets, which carry data encrypted with an encryption scheme. The encryption scheme depends on a counter value that is incremented independently by each of the transmitter and the receiver. Attempts are made to decrypt the data of a received packet multiple times using different, respective counter values, to produce multiple respective decrypted outputs. A decrypted output in which the data has been decrypted correctly is identified, the counter value is corrected, and the data of the received packet is recovered from the identified decrypted output.
    Type: Grant
    Filed: February 15, 2012
    Date of Patent: November 12, 2013
    Assignee: Marvell World Trade Ltd.
    Inventors: Danny Alexander, Amit Wix
  • Patent number: 8577037
    Abstract: A network device includes an input circuit and a key mixing circuit. The input circuit is configured to receive i) a message and ii) a plurality of packets from a transmitting device. The message includes i) an address of the transmitting device and ii) a predetermined value for a count. Each of the plurality of packets i) is encapsulated and ii) includes the address of the transmitting device and one of a plurality of values for the count. The message is received prior to receiving the plurality of packets. The key mixing circuit is configured to generate a plurality of seeds based on the message. Each of the plurality of seeds is based on i) a predetermined key, ii) the address of the transmitting device, and iii) the predetermined value for the count. The plurality of seeds is used to decapsulate the plurality of packets.
    Type: Grant
    Filed: June 26, 2012
    Date of Patent: November 5, 2013
    Assignee: Marvell International Ltd.
    Inventors: Peter Loc, Rahul Kopikare