Key Derived From Addressable Memory Element Patents (Class 380/264)
  • Patent number: 7106860
    Abstract: A system and method is presented for enciphering information using the Advanced Encryption Standard (AES) algorithm in which a subprocessor is configured to manipulate data as it is being loaded into the subprocessor memory. Thus, unlike implementations in the prior art, which require complete loading of data into a subsystem memory before data manipulation thereby creating a potential bottleneck in memory, this invention reduces the potential bottleneck in memory.
    Type: Grant
    Filed: February 6, 2002
    Date of Patent: September 12, 2006
    Assignee: Conexant, Inc.
    Inventors: Zhichao Yu, Willen Lao
  • Patent number: 7103185
    Abstract: An approach for establishing secure multicast communication among multiple multicast proxy service nodes is disclosed. The multicast proxy service nodes, which can be distributed throughout an enterprise domain, are organized in a logical tree that mimics the logical tree arrangement of domains in a directory server system. The attributes of the multicast proxy service nodes include the group session key and the private keys of the multicast proxy service nodes that are members of the multicast or broadcast groups. The private keys provide unique identification values for the multicast proxy service nodes, thereby facilitating distribution of such keys. Because keys as well as key version information are housed in the directory, multicast security can be achieved over any number of network domains across the entire enterprise. Key information is stored in, and the logical tree is supported by, a directory service. Replication of the directory accomplishes distribution of keys.
    Type: Grant
    Filed: December 22, 1999
    Date of Patent: September 5, 2006
    Assignee: Cisco Technology, Inc.
    Inventors: Sunil Srivastava, Jonathan Trostle, Raymond Bell, Ramprasad Golla
  • Patent number: 7096355
    Abstract: In general, data exchanged between users is protected using any of various encoding approaches. An example of encoding is encryption, but any kind of encoding may be used. The data used to encrypt the data exchanged between the users, referred to as a “key”, is maintained only in a key repository. Users must obtain a key from the key repository to either encode or decode, encrypt or decrypt data, after which the user's copy of the key is destroyed or otherwise rendered inoperable. A key management policy is employed to control access to the keys maintained by the key repository. Encoding algorithms may be dynamically changed over time. Users may negotiate different algorithms to be used with specific users or messages. Thus, different algorithms may be used between different sets of users depending upon what the member users of those sets negotiate among themselves. The frequency at which algorithms are changed may also be separately negotiated between users.
    Type: Grant
    Filed: August 6, 2001
    Date of Patent: August 22, 2006
    Assignee: Omniva Corporation
    Inventors: Maclen Marvit, Keith David Rosema, Jeffrey Ubois, David Marvit, Dean Brettle, Yair Zadik, Stuart Goodnick
  • Patent number: 7093139
    Abstract: The invention is a method and system in which an authentication chip having secret information stored within it, including secret data stored in multi-level flash memory, is protected from unauthorized modification of values stored in the flash memory. The secret information is stored using an internal command and can only be accessed by one or more further commands. Secret data in the information is stored in intermediate states of the multilevel flash memory between the minimum and maximum voltage level states. A validity check is performed on secret data items before allowing them to be read out by a command accessing them. The validity check involves calculation of a checksum and comparison of the result with a checksum stored using the internal command as part of the secret information.
    Type: Grant
    Filed: February 15, 2001
    Date of Patent: August 15, 2006
    Assignee: Silverbrook Research PTY LTD
    Inventors: Kia Silverbrook, Simon Robert Walmsley
  • Patent number: 7079653
    Abstract: A cryptographic key split combiner includes a number of key split generators for generating cryptographic key splits from seed data, and a key split randomizer for randomizing the key splits to produce a cryptographic key. The key split generators can include a random split generator for generating random key splits, a token split generator for generating token key splits based on label data, a console split generator for generating console key splits based on maintenance data, a biometric split generator for generating biometric key splits based on biometric data, and a location split generator for generating location key splits based on location data. Label data can be read from storage, and can include user authorization data. A process for forming cryptographic keys includes randomizing or otherwise binding the splits to form the key.
    Type: Grant
    Filed: May 16, 2002
    Date of Patent: July 18, 2006
    Assignee: Tecsec, Inc.
    Inventors: Edward M. Scheidt, C. Jay Wack
  • Patent number: 6985588
    Abstract: A method and apparatus for controlling access to digital information utilizes a location identity attribute that defines a specific geographic location. The location identity attribute is associated with the digital information such that the digital information can be accessed only at the specific geographic location. The location identity attribute further includes a location value and a proximity value. The location value corresponds to a location of an intended recipient appliance of the digital information, and may be further defined in terms of latitude, longitude and altitude dimensions. The location identity attribute is enforced by allowing access to the digital information only at the specific geographic location. As a first part of this enforcement process, the location of an appliance through which access to the digital information is sought is identified.
    Type: Grant
    Filed: October 30, 2000
    Date of Patent: January 10, 2006
    Assignee: Geocodex LLC
    Inventors: Barry J. Glick, Ronald S. Karpf, Mark E. Seiler
  • Patent number: 6980658
    Abstract: Method and apparatus for encrypting transmission traffic at separate protocol layers L1, L2, and L3 so that separate encryption elements can be assigned to separate types of transmission traffic, which allows the implementation of different levels of encryption according to service requirements. Encryption elements use variable value inputs, called crypto-syncs, along with semi-permanent encryption keys to protect from replay attacks from rogue mobile stations. Since crypto-sync values vary, a method for synchronizing crypto-syncs at the mobile station and base station is also presented.
    Type: Grant
    Filed: September 28, 2000
    Date of Patent: December 27, 2005
    Assignee: Qualcomm Incorporated
    Inventors: Ramin Rezaiifar, Roy F. Quick, Jr., Paul Williamson, Jun Wang, Edward G. Tiedemann, Jr.
  • Patent number: 6922775
    Abstract: A user support system for cryptographic communication includes a key storage for storing keys used for deciphering, a deciphering part for deciphering an enciphered communication text into a deciphered communication text using a key, and a controller for starting the deciphering part only when an input communication text is the enciphered communication text and for supplying the key that is necessary for the deciphering in the deciphering part by retrieving the key from the key storage.
    Type: Grant
    Filed: January 2, 2002
    Date of Patent: July 26, 2005
    Assignee: Fujitsu Limited
    Inventors: Hiroaki Kikuchi, Yasutsugu Kuroda, Hideyuki Aikawa
  • Patent number: 6895090
    Abstract: An augmented pseudo-noise sequence (10) is generated from two or more pseudo-noise sequences, using LFSRs or other such devices. A segment (16) of one pseudo-noise sequence (14), having an arbitrary length, is inserted into another pseudo-noise sequence (12) at an arbitrary position, making the augmented sequence difficult to decipher by a third party. Additional segments of arbitrary length can also be inserted at arbitrary positions for further complexity.
    Type: Grant
    Filed: April 30, 1999
    Date of Patent: May 17, 2005
    Assignee: Texas Instruments Incorporated
    Inventor: Zhengou Gu
  • Patent number: 6885747
    Abstract: A cryptographic key split combiner, which includes a number of key split generators for generating cryptographic key splits and a key split randomizer for randomizing the cryptographic key splits to produce a cryptographic key, and a process for forming cryptographic keys. Each of the key split generators generates key splits from seed data. The key split generators may include a random split generator for generating a random key split based on reference data. Other key split generators may include a token split generator for generating a token key split based on label data, a console split generator for generating a console key split based on maintenance data, and a biometric split generator for generating a biometric key split based on biometric data. All splits may further be based on static data, which may be updated, for example by modifying a prime number divisor of the static data. The label data may be read from a storage medium, and may include user authorization data.
    Type: Grant
    Filed: February 13, 1998
    Date of Patent: April 26, 2005
    Assignee: Tec.Sec, Inc.
    Inventors: Edward M. Scheidt, C. Jay Wack
  • Patent number: 6845159
    Abstract: A data processing method and apparatus are proposed for use in the encryption, decryption and authentication of messages. A memory for storing input information, a set of operations and a processor for executing the operations on the stored input information are provided. The input information is utilized to select the order and number of operations performed. The operations are devised such that any possible input string will be interpreted as a valid program and the memory is extensible. Furthermore, data is output as a function of the input information. As a result the state of the memory generated during execution is indeterminate prior to execution and the process evolves differently for each possible input string. Accordingly, the process performed by the module cannot be described by an algorithm.
    Type: Grant
    Filed: October 7, 1999
    Date of Patent: January 18, 2005
    Assignee: Protego Information AB
    Inventors: Bo Dömstedt, Mats Stenfeldt
  • Patent number: 6823457
    Abstract: A method for verifying control accesses between a device on a non-proprietary bus and a device on a proprietary bus is disclosed. A gateway controller is connected between a proprietary bus and a non-proprietary bus. A determination is made as to whether or not a non-proprietary device is registered to more than one gateway controller. In response to a determination that the non-proprietary device is registered to more than one gateway controller, another determination is made as to whether or not the non-proprietary device is a portable device. In response to a determination that the non-proprietary device is a portable device, another determination is made as to whether or not a number of acceptable duplication has been exceeded. In response to a determination that the number of acceptable duplication has been exceeded, a flag is set to indicate a control access violation has occurred.
    Type: Grant
    Filed: November 22, 1999
    Date of Patent: November 23, 2004
    Assignee: International Business Machines Corporation
    Inventors: Viktors Berstis, George Willard Van Leeuwen, Steven Michael Pritko, Amal Ahmed Shaheen
  • Patent number: 6807277
    Abstract: A method and system for electronic messaging in which a sender of an electronic message receives a return receipt, without having to send the message contents to a third party. The sender contacts a server to obtain an encryption key to encrypt the message. The server returns an encryption key along with key retrieval information to the sender. The key retrieval information can be used to obtain from the server the decryption key corresponding to the returned encryption key. The sender encrypts the message using the encryption key and sends the message, along with the key retrieval information, to the recipient. The recipient sends the key retrieval information to the server to retrieve the corresponding decryption key. The recipient then decrypts the encrypted message received from the sender using the decryption key. When the recipient sends a request to obtain the decryption key, the server notifies the sender when the key has been successfully retrieved.
    Type: Grant
    Filed: June 12, 2000
    Date of Patent: October 19, 2004
    Assignee: Surety, LLC
    Inventors: Wes Doonan, Albert J. Wettlaufer
  • Patent number: 6757832
    Abstract: The invention is a method and system in which an authentication chip having secret information stored within it, including secret data stored in multi-level flash memory, is protected from unauthorised modification of values stored in the flash memory. The secret information is stored using an internal command and can only be accessed by one or more further commands. Secret data in the information is stored in intermediate states of the multi-level flash memory between the minimum and maximum voltage level states. A validity check is performed on secret data items before allowing them to be read out by a command accessing them. The validity check involves calculation of a checksum and comparison of the result with a checksum stored using the internal command as part of the secret information.
    Type: Grant
    Filed: February 15, 2000
    Date of Patent: June 29, 2004
    Assignee: Silverbrook Research Pty Ltd
    Inventors: Kia Silverbrook, Simon Robert Walmsley
  • Patent number: 6674861
    Abstract: A method, an apparatus and a computer program product for adaptive, content-based watermark embedding of a digital audio signal (100) are disclosed. Corresponding watermark extracting techniques are also disclosed. Watermark information (102) is encrypted (120) using an audio digest signal, i.e. a watermark key (108). To optimally balance inaudibility and robustness when embedding and extracting watermarks (450), the original audio signal (100) is divided into fixed-length frames (1100, 1120, 1130) in the time domain. Echoes (S′[n], S″[n]) are embedded in the original audio signal (100) to represent the watermark (450). The watermark (450) is generated by delaying and scaling the original audio signal (100) and embedding it in the audio signal (100). An embedding scheme (104) is designed for each frame (1100, 1120, 1130) according to its properties in the frequency domain.
    Type: Grant
    Filed: December 2, 1999
    Date of Patent: January 6, 2004
    Assignee: Kent Ridge Digital Labs
    Inventors: Changsheng Xu, Jiankang Wu, Qibin Sun, Kai Xin, Haizhou Li
  • Patent number: 6671377
    Abstract: A telecommunications system and method is disclosed for downloading encrypted network information, such as Base Transceiver Station (BTS) coordinates, in a point-to-point manner between the network and a Mobile Station (MS) with location calculation capabilities. When an MS registers with the network, the MS shall indicate as part of the “early classmark” process its location calculation capabilities and the type of algorithm to be used for deciphering the network information. As a result of a mobile originating request for assistance data, the network shall encrypt and download the network information to the MS. The MS deciphers the network information in order to position itself.
    Type: Grant
    Filed: March 18, 1999
    Date of Patent: December 30, 2003
    Assignee: Ericsson Inc.
    Inventors: Theodore Havinis, David Boltz
  • Patent number: 6654465
    Abstract: A method of generating a recovery key encryption key (RKEK) in a secure manner by an integrated circuit (IC) and a key recovery escrow agent includes the steps of generating by the IC a first number having a private component and a public component, and generating by the escrow agent a second number having a private component and a public component. The public component of the first number is provided to the escrow agent, and the public component of the second number is provided to the integrated circuit. A Diffie-Hellman modulo-exponentiation mathematical operation is performed by the integrated circuit using the private component of the first number, the public component of the first number and the public component of the second number to create the RKEK. A similar operation is performed by the escrow agent using the private component of the second number, the public number of the second number and the public component of the first number to create the RKEK at its end.
    Type: Grant
    Filed: July 2, 2001
    Date of Patent: November 25, 2003
    Assignee: SafeNet, Inc.
    Inventors: Timothy Ober, Peter Reed
  • Patent number: 6615348
    Abstract: A method and apparatus for an authenticated electronic userid comprising an adapted digital signature is provided. According to an aspect of the present invention, the adapted digital signature is generated using a secure hash function and an adaptation algorithm. According to one embodiment, a method for creating an adapted digital signature comprises retrieving an originator key, said originator key corresponding to a local userid; running a digital signature engine to create a digital signature, said digital signature based on at least said originator key and remote user information; retrieving a word from a word list, said word corresponding to at least a portion of said digital signature; and returning at least said word as said adapted digital signature.
    Type: Grant
    Filed: April 16, 1999
    Date of Patent: September 2, 2003
    Assignee: Intel Corporation
    Inventor: Benjamin K. Gibbs
  • Patent number: 6608901
    Abstract: A cryptographic key split combiner, which includes a number of key split generators for generating cryptographic key splits and a key split randomizer for randomizing the cryptographic key splits to produce a cryptographic key, and a process for forming cryptographic keys. Each of the key split generators generates key splits from seed data. The key split generators may include a random split generator for generating a random key split based on reference data. Other key split generators may include a token split generator for generating a token key split based on label data, a console split generator for generating a console key split based on maintenance data, and a biometric split generator for generating a biometric key split based on biometric data. All splits may further be based on static data, which may be updated, for example by modifying a prime number divisor of the static data. The label data may be read from a storage medium, and may include user authorization data.
    Type: Grant
    Filed: July 31, 2001
    Date of Patent: August 19, 2003
    Assignee: TecSec, Inc.
    Inventors: Edward M. Scheidt, C. Jay Wack
  • Patent number: 6609197
    Abstract: Methods and system for providing secure emergency access to network devices. The methods and system described herein can be used to provide secure emergency access to network devices such as routers, telephony switching hubs, etc. Secure emergency access helps close security holes for providing access to configuration parameters in a network device by using an encrypted unit-unique password. The secure emergency access includes generating an encrypted emergency unit-specific password for a specific network device using a unique serial number for the specific network device and a global password used for a type of network device that includes the specific network device. The encrypted emergency unit-specific password is valid only on the specific network device with the unique serial number. The encrypted emergency unit-specific password is used to regain access to a specific network device for which an original password has been lost or misplaced.
    Type: Grant
    Filed: April 22, 1999
    Date of Patent: August 19, 2003
    Assignee: 3Com Corporation
    Inventors: Carl C. Ketcham, Stanford K. Acomb
  • Patent number: 6606386
    Abstract: A cryptographic key split combiner, which includes a number of key split generators for generating cryptographic key splits and a key split randomizer for randomizing the cryptographic key splits to produce a cryptographic key, and a process for forming cryptographic keys. Each of the key split generators generates key splits from seed data. The key split generators may include a random split generator for generating a random key split based on reference data. Other key split generators may include a token split generator for generating a token key split based on label data, a console split generator for generating a console key split based on maintenance data, and a biometric split generator for generating a biometric key split based on biometric data. All splits may further be based on static data, which may be updated, for example by modifying a prime number divisor of the static data. The label data may be read from a storage medium, and may include user authorization data.
    Type: Grant
    Filed: July 31, 2001
    Date of Patent: August 12, 2003
    Assignee: TecSec INC
    Inventors: Edward M. Scheidt, C. Jay Wack
  • Patent number: 6560337
    Abstract: Systems, methods and computer program products reduce effective key length of a symmetric key cipher by deriving an intermediate value from an initial key, using a one-way cryptographic function. Predetermined bit locations of the intermediate value are selected to obtain an intermediate key. An intermediate shortened key is derived from the intermediate key by setting predetermined bit locations of the intermediate key to predetermined values. A diffused intermediate shortened key is derived from the intermediate shortened key using the one-way cryptographic function. Predetermined bit locations of the diffused intermediate shortened key are then selected to obtain a shortened key. In first embodiments, the one-way cryptographic function is a one-way hash function. Second embodiments use the symmetric key cipher itself to perform the one-way cryptographic function.
    Type: Grant
    Filed: October 28, 1998
    Date of Patent: May 6, 2003
    Assignee: International Business Machines Corporation
    Inventors: Mohammad Peyravian, Stephen Michael Matyas, Jr., Nevenko Zunic
  • Patent number: 6549623
    Abstract: A cryptographic key split combiner, which includes a number of key split generators for generating cryptographic key splits and a key split randomizer for randomizing the cryptographic key splits to produce a cryptographic key, and a process for forming cryptographic keys. Each of the key split generators generates key splits from seed data. The key split generators may include a random split generator for generating a random key split based on reference data. Other key split generators may include a token split generator for generating a token key split based on label data, a console split generator for generating a console key split based on maintenance data, and a biometric split generator for generating a biometric key split based on biometric data. All splits may further be based on static data, which may be updated, for example by modifying a prime number divisor of the static data. The label data may be read from a storage medium, and may include user authorization data.
    Type: Grant
    Filed: February 4, 2002
    Date of Patent: April 15, 2003
    Assignee: TecSec, Incorporated
    Inventors: Edward M. Scheidt, C. Jay Wack
  • Patent number: 6542610
    Abstract: A method for protecting digital content from copying and/or other misuse as it is transferred between one or more computationally constrained devices over insecure links, includes preliminarily authenticating that both a content source and a content sink are compliant devices, and transferring content between compliant devices. In a further aspect of the invention, in the background, concurrently with the transfer of content, at least a second cryptographic process is performed. In an embodiment, establishing a preliminary control channel includes exchanging random challenges between devices, encrypting, under a shared secret key, and hashing the exchanged random challenges, exchanging the results of the encryption and hash functions and then verifying that the appropriate results have been generated.
    Type: Grant
    Filed: August 11, 1997
    Date of Patent: April 1, 2003
    Assignee: Intel Corporation
    Inventors: Chandler Brendan Stanton Traw, David Wayne Aucsmith
  • Patent number: 6542608
    Abstract: A cryptographic key split combiner, which includes a number of key split generators for generating cryptographic key splits and a key split randomizer for randomizing the cryptographic key splits to produce a cryptographic key, and a process for forming cryptographic keys. Each of the key split generators generates key splits from seed data. The key split generators may include a random split generator for generating a random key split based on reference data. Other key split generators may include a token split generator for generating a token key split based on label data, a console split generator for generating a console key split based on maintenance data, and a biometric split generator for generating a biometric key split based on biometric data. All splits may further be based on static data, which may be updated, for example by modifying a prime number divisor of the static data. The label data may be read from a storage medium, and may include user authorization data.
    Type: Grant
    Filed: July 31, 2001
    Date of Patent: April 1, 2003
    Assignee: TecSec Incorporated
    Inventors: Edward M. Scheidt, C. Jay Wack
  • Patent number: 6526144
    Abstract: A method of communicating from a transmitter to a receiver over a communication medium. For the transmitter, the method includes the step of formatting data into a data stream to be communicated across the communications medium. This data stream comprises a plurality of headers (PACK HEADER). Moreover, for each of the plurality of headers, the method performs two steps. First, the method modifies information encoded by the header by performing a bitwise logical operation between selected bits of the header (B) with a predetermined bit pattern (A). Second, the method transmits the plurality of headers on to the communications medium. For the receiver, the method includes the step of receiving the plurality of headers from the communications medium. Additionally, for each of the received headers, the receiver recovers the information encoded by the header.
    Type: Grant
    Filed: June 2, 1998
    Date of Patent: February 25, 2003
    Assignee: Texas Instruments Incorporated
    Inventors: Vishal Markandey, Alan T. Wetzel, Fred J. Shipley, Roy I. Edenson, Ryan R. Middleton, William E. Cammack
  • Publication number: 20030016822
    Abstract: A method and apparatus for performing cryptographic computations employing recursive algorithms to accelerate multiplication and squaring operations. Products and squares of long integer values are recursively reduced to a combination of products and squares of reduced-length integer values in a host processor. The reduced-length integer values are passed to a co-processor. The values may be randomly ordered to prevent disclosure of secret data.
    Type: Application
    Filed: March 6, 2001
    Publication date: January 23, 2003
    Inventors: Paul W. Dent, Ben Smeets, William J. Croughwell
  • Patent number: 6490685
    Abstract: A flash memory includes an encoded cryptographic key “k” stored therein. A protected ROM, external access to which is inhibited, includes a decoding program stored therein to decode the cryptographic key “k”. The cryptographic key “k” is decoded by using the decoding program. With the cryptographic key “k” as decoded, data is encrypted and stored in the flash memory. Data read out from the flash memory is output after being decrypted with the cryptographic key “k”. In order to check an area having the decoding program stored therein, data which forms the decoding program is processed by using a hash function stored in the ROM, and a processing result and an expected value are compared with each other. When the processing result and the expected value match each other, the aforementioned area is determined as being in a normal condition.
    Type: Grant
    Filed: December 4, 1998
    Date of Patent: December 3, 2002
    Assignee: Tokyo Electron Device Limited
    Inventor: Yasuhiro Nakamura
  • Publication number: 20020094086
    Abstract: The device has a control unit with memory devices and a nonvolatile memory connected to the control unit for data exchange purposes. Data are stored in encrypted form in the nonvolatile memory. The key or keys for encrypting the data are stored in the memory devices or are generated by an algorithm executed in the control unit. An address pointer that indicates the address of a valid key in the control unit is stored in the nonvolatile memory and/or in a volatile memory of the control unit.
    Type: Application
    Filed: January 17, 2002
    Publication date: July 18, 2002
    Inventors: Norbert Grassmann, Michael Wagner
  • Patent number: 6401207
    Abstract: A security device for vehicle disclosed is of a type generating a seed that is used suitably in order to generate a key by being encoded and that is decreased in regularity. Namely, the security device for vehicle according to the present invention has a construction that generates from vehicle control data the seed used for generating an authentication key on the vehicle side and a key on the user side by being encoded. By such construction, the seed is generated from the vehicle control data concerning the constituent elements of the vehicle that are kept in a state of operation. Since the vehicle control data itself is a type that momentarily changes in correspondence with the state of operation of the constituent elements of the vehicle, the generated seed exhibits substantially no regularity thereby becoming a very good kind of random number.
    Type: Grant
    Filed: September 18, 1998
    Date of Patent: June 4, 2002
    Assignee: Nissan Motor Co., Ltd.
    Inventors: Hiroshi Funakoshi, Shuichi Yoneyama
  • Publication number: 20020034295
    Abstract: The method and apparatus are used for cryptographically converting a digital input block into a digital output block. The apparatus 400 comprises first input means 410 for obtaining the digital input block and second input means 440 for obtaining a key K1. Cryptographic processing means 420 of the apparatus 400 convert the digital input block into the digital output block by merging a selected part M1 of the digital input block with the key K1 and producing a data block B1 which non-linearly depends on M1 and K1. The merging is performed in one, sequentially inseparable step. Output means 430 are used to output the digital output block of which a selected part is derived from B1.
    Type: Application
    Filed: August 8, 2001
    Publication date: March 21, 2002
    Applicant: U.S. Philips Corp.
    Inventor: Huibert Den Boer
  • Patent number: 6351814
    Abstract: A field programmable gate array (FPGA) and a decryption circuit are implemented within a common integrated circuit (IC) or within separate ICs enclosed within a common IC package. The decryption circuit decrypts an input FPGA program encrypted in accordance with a particular encryption key and then writes the decrypted FPGA program into the FPGA. Thus an FPGA program encrypted in accordance with a particular encryption key can be used to program only those FPGAs coupled with a decryption circuit capable of decoding the encrypted FPGA program in accordance with that particular encryption key. Since the decryption circuit and the FPGA are implemented in the same IC, or within the same IC package, the decrypted FPGA program the decryption circuit produces cannot be readily intercepted and copied.
    Type: Grant
    Filed: July 21, 1999
    Date of Patent: February 26, 2002
    Assignee: Credence Systems Corporation
    Inventors: Ivan-Pierre Batinic, Lawrence Kraus, Marc P. Loranger
  • Publication number: 20020015492
    Abstract: A cryptographic processing apparatus for performing cryptographic processing using input data to generate output data is provided. The cryptographic processing apparatus includes a storage unit for storing chain data which is used for reflecting present cryptographic processing on next cryptographic processing, and for renewing the chain data each time cryptographic processing is performed, a merging unit for merging the chain data stored in the storage unit with the input data to generate merged data, and a main cryptographic processing unit for performing main cryptographic processing using the merged data to generate output data and for outputting intermediate data generated during a generation of the output data, wherein the storage unit renews the chain data by storing the intermediate data outputted by the main cryptographic processing unit as the new chain data, which is used for the next cryptographic processing.
    Type: Application
    Filed: April 22, 1998
    Publication date: February 7, 2002
    Inventors: Motoji Ohmori, Natsume Matsuzaki, Makoto Tatebayashi, Masakatsu Maruyama
  • Patent number: 6330333
    Abstract: A wireless communications system (110) with increased privacy. The system (110) transmits an encrypted signal between a base station (112) and a wireless terminal (122). In the forward channel, the base station (112) includes an encryptor (130) with a long code mask generator (200) that generates a rolling long code mask. The wireless terminal (122) similarly includes a decryptor (164) with a long code mask generator (208) that creates a rolling long code mask.
    Type: Grant
    Filed: July 3, 1995
    Date of Patent: December 11, 2001
    Assignee: Lucent Technologies, Inc.
    Inventors: Semyon B. Mizikovsky, James Alexander Reeds, III
  • Patent number: 6278780
    Abstract: To provide a method of generating internal crypto-keys to be set initially in feedback-shift-registers of a pseudo-random-sequence generator of a stream cipher system with sufficient security and sufficiently high speed as well, the method comprises: a step of outputting m sets of first conversion results, obtaining i-th set of the first conversion results by processing (i−1)-th set of the first conversion results with a first one-way-function; a step of outputting m sets of second conversion results, obtaining i-th set of the second conversion results by processing (i−1)-th set of the second conversion results with a second one-way function; and a step of outputting j-th internal crypto-key by XORing j-th set of the first conversion results and (m−j+1)-th set of the second conversion results.
    Type: Grant
    Filed: October 29, 1998
    Date of Patent: August 21, 2001
    Assignee: NEC Corporation
    Inventor: Michio Shimada
  • Patent number: 6278782
    Abstract: A method of generating a recovery key encryption key (RKEK) in a secure manner by an integrated circuit (IC) and a key recovery escrow agent includes the steps of generating by the IC a first number having a private component and a public component, and generating by the escrow agent a second number having a private component and a public component. The public component of the first number is provided to the escrow agent, and the public component of the second number is provided to the integrated circuit. A Diffie-Hellman modulo-exponentiation mathematical operation is performed by the integrated circuit using the private component of the first number, the public component of the first number and the public component of the second number to create the RKEK. A similar operation is performed by the escrow agent using the private component of the second number, the public number of the second number and the public component of the first number to create the RKEK at its end.
    Type: Grant
    Filed: September 16, 1998
    Date of Patent: August 21, 2001
    Assignee: SafeNet, Inc.
    Inventors: Timothy Ober, Peter Reed
  • Publication number: 20010012362
    Abstract: A computer implemented process for data encryption or data decryption using a computer is disclosed.
    Type: Application
    Filed: May 10, 1999
    Publication date: August 9, 2001
    Inventor: David M. Marzahn
  • Patent number: 6263446
    Abstract: A roaming user needing his authentication credential (e.g., private key) to access a computer server to perform an electronic transaction may obtain the authentication credential in an on-demand fashion from a credential server accessible to the user over a computer network. In this way, the user is free to roam on the network without having to physically carry his authentication credential. Access to the credential may be protected by one or more challenge-response protocols involving simple shared secrets, shared secrets with one-to-one hashing, or biometric methods such as fingerprint recognition. If camouflaging is used to protect the authentication credential, decamouflaging may be performed either at the credential server or at the user's computer.
    Type: Grant
    Filed: November 19, 1998
    Date of Patent: July 17, 2001
    Assignee: Arcot Systems, Inc.
    Inventors: Balas Natarajan Kausik, Rammohan Varadarajan
  • Patent number: 6236728
    Abstract: A security apparatus including a number input device (302), an address register (312) responsive to the number input device, an encryption schema memory (316) addressable by the address register to produce an output code and a relative address code, and address incrementing logic (310) responsive to the relative address code and operative to increment the address register. The apparatus also preferably includes a PIN register (304) coupled to the number input device, a public code register (306) coupled to the number input device, and merging logic (308) merging outputs of the PIN register and the public code register to be input to the address register. The apparatus also preferably includes an output shift register operative to shift out the output code of the encryption schema memory. The encryption schema memory can be read only memory, writeable memory, or both.
    Type: Grant
    Filed: October 12, 1999
    Date of Patent: May 22, 2001
    Inventor: Brian E. Marchant
  • Patent number: 6226750
    Abstract: A method and system for tracking communications in a client-server environment. The method includes the steps of sending a first request from the client to the server over a first connection, sending a first key from the server to the client over the first connection, sending the first key from the client and a second request to the server over a second connection, and sending a response to the second request and a second key distinct from the first key from the server to the client over the second connection. The system includes a client for establishing a terminal connection with a server and a server in communication with the client. The server further includes key generator means generating a plurality of keys for transmission to the client, authentication means in communication with the key generator means receiving the keys from the client to recognize the keys at the server, and discarding means linked to the key generator means for disposing of previously transmitted keys.
    Type: Grant
    Filed: January 20, 1998
    Date of Patent: May 1, 2001
    Assignee: ProAct Technologies Corp.
    Inventor: Andrew W. Trieger
  • Patent number: 6185686
    Abstract: Some of these problems with digital information protection systems may be overcome by providing a mechanism which allows a content provider to encrypt digital information without requiring either a hardware or platform manufacturer or a content consumer to provide support for the specific form of corresponding decryption. This mechanism can be provided in a manner which allows the digital information to be copied easily for back-up purposes and to be transferred easily for distribution, but which should not permit copying of the digital information in decrypted form. In particular, the encrypted digital information is stored as an executable computer program which includes a decryption program that decrypts the encrypted information to provide the desired digital information, upon successful completion of an authorization procedure by the user.
    Type: Grant
    Filed: April 7, 2000
    Date of Patent: February 6, 2001
    Assignee: Open Security Solutions, LLC
    Inventor: John J. Glover
  • Patent number: 6167514
    Abstract: Wireless communication method and apparatus which can perform the wireless transmission/reception of encrypted data without previous provision of a cryptographic key and without any system for registering a cryptographic key. Under control of a communication control section 504 in PC 1, the PC 1 transmits its own identification information to a printer 2 and receives identification information of the printer 2. The PC 1 has an encrypting/decrypting section 502 which generates a cryptographic key by using the identification information of the printer 2 and its own secret algorithm read out of an identification information storage section 510. According to a cryptographic program using such a cryptographic key, data is encrypted and transmitted toward the printer 2.
    Type: Grant
    Filed: March 26, 1998
    Date of Patent: December 26, 2000
    Assignee: Seiko Epson Corporation
    Inventors: Tetsuya Matsui, Michio Kobayashi, Masaki Hoshina
  • Patent number: 6154840
    Abstract: A system and method for transmitting encrypted documents from a document server to a client computer across a network allows a user to select and view fewer than all of the sections of the document so that not all of the encrypted document need be transmitted. An encryption module and encryption key generator allows the document server to generate encryption information for each encrypted section of the secure document and store that information in a key file on the client computer. A decryption module on the client computer accesses the key file to decrypt for viewing the selected document sections transmitted from the server.
    Type: Grant
    Filed: May 1, 1998
    Date of Patent: November 28, 2000
    Assignee: Northern Telecom Limited
    Inventors: Kevin M. Pebley, Todd D. Carlton
  • Patent number: 6141752
    Abstract: A network computer client device (NC) maintains a root internet service provider (ISP) certificate which includes the ISP's public key and which is digitally signed by a root authority using the root authority's private key. The NC also maintains a root public key. When an ISP desires to write onto the smart card inserted into an NC, it sends ISP account information to be written including a digital signature portion created with the ISP's private key to the NC. The NC performs a cryptographic verification of the ISP account information using the ISP's public key found in the root ISP certificate. If this verification is successful, the NC writes the ISP account information to the smart card. If this verification fails, the ISP account information is not written to the smart card.
    Type: Grant
    Filed: May 5, 1998
    Date of Patent: October 31, 2000
    Assignee: Liberate Technologies
    Inventors: Frank B. Dancs, James E. Zmuda
  • Patent number: 6064740
    Abstract: Circuitry which performs modular mathematics to solve the equation C = M^k mod n and n is performed in a manner to mask the exponent k's signature from timing or power monitoring attacks. The modular exponentiation function is performed in a normalized manner such that binary ones and zeros in the exponent are calculated by being modulo-squared and modulo-multiplied.
    Type: Grant
    Filed: November 12, 1997
    Date of Patent: May 16, 2000
    Inventors: Andreas Curiger, Wendell Little
  • Patent number: 6049873
    Abstract: A service information receiving apparatus (1) for receiving scrambled charged service information transmitted as being multiplexed on an FM broadcast radio wave from an FM broadcasting station (3) causes a control section (43) to perform a predetermined arithmetic operation by using a variable key as one of descramble keys affixed to the scrambled charged service information received by a service information receiving section (40) and a half-fixed key as one of descramble keys, which is stored in an IC card (2) detachably attached to a receiving apparatus main body, thereby preparing a new descramble key, which is used to descramble the received charged service information.
    Type: Grant
    Filed: June 12, 1997
    Date of Patent: April 11, 2000
    Assignees: Casio Computer Co., Ltd., Tokyo FM Broadcasting Co., Ltd.
    Inventors: Yasuichi Kaku, Masaharu Kizaki, Takao Kanke, Naruhiko Nihira