Rekeying System Patents (Class 380/273)
  • Patent number: 10432261
    Abstract: A method of transferring data between a first device and a second device comprises: bringing a first object into an activation zone of a near-field communication module so as thereby to establish a near-field communication link between the module and the first object. The near-field communication module sends a control signal to at least one of the first and second devices to begin a second communication session through a second, different channel between the first and second devices and the data is transferred between the first device and the second device in the second communication session. The second communication session is ended if the first object is removed from the activation zone.
    Type: Grant
    Filed: May 17, 2016
    Date of Patent: October 1, 2019
    Assignee: Nordic Semiconductor ASA
    Inventor: Tore Austad
  • Patent number: 10320752
    Abstract: This disclosure relates to characterising data sets that are distributed as multiple data subsets over multiple computers such as by determining a gradient of an objective function. A computer determines a partial gradient of the objective function over a data subset stored on the computer and determines random data. The computer then determines an altered gradient by modifying the partial gradient based on the random data and encrypts the altered gradient such that one or more operations on the altered gradient can be performed based on the encrypted gradient and sends the encrypted gradient. Since the partial gradient is altered based on random data and encrypted it is difficult for another computer to calculate the data that is stored on the first computer. This is an advantage as it allows to preserve the privacy of the data stored on the first computer while still allowing to characterise the data set.
    Type: Grant
    Filed: October 26, 2015
    Date of Patent: June 11, 2019
    Assignee: National ICT Australia Limited
    Inventors: Stephen Hardy, Felix Lawrence, Daniel Visentin
  • Patent number: 10313312
    Abstract: A plurality of devices, having common access to a first key under which a set of data objects used by the plurality of devices are encrypted, is caused to replace the first key with a second key by at least causing a device of the plurality of devices to encrypt a subset of the set of data objects that are not selected for electronic shredding, allow access to a data object of the subset regardless of whether the data object is encrypted using the first key or the second key. At a time after the data object becomes accessible by using the second key, each of the plurality of devices is verified to have common access to the second key, and the plurality of devices is caused to lose access to the first key.
    Type: Grant
    Filed: March 17, 2017
    Date of Patent: June 4, 2019
    Assignee: Amazon Technologies, Inc.
    Inventors: Gregory Branchek Roth, Matthew James Wren, Eric Jason Brandwine, Brian Irl Pratt
  • Patent number: 10303895
    Abstract: A data management system stores data related to a plurality of users. The data management system initially stores the data in an encrypted format. The data management system automatically periodically re-encrypts the data in accordance with a re-encryption policy. The re-encryption policy includes re-encryption periodicity data defining a periodicity for automatically re-encrypting the data.
    Type: Grant
    Filed: January 19, 2017
    Date of Patent: May 28, 2019
    Assignee: Intuit Inc.
    Inventors: Sean McCluskey, Elangovan Shanmugam, Narendra Dandekar, Rachit Lohani
  • Patent number: 10305871
    Abstract: A server receives a request from a client to establish a secure session. The server analyzes the request to determine a set of one or more properties of the request. The server selects, based at least in part on the determined set of properties, one of multiple certificates for a hostname of the server, where each of the certificates is signed using a different signature and hash algorithm pair. The server returns the selected certificate to the client.
    Type: Grant
    Filed: December 9, 2015
    Date of Patent: May 28, 2019
    Assignee: CLOUDFLARE, INC.
    Inventors: Nicholas Thomas Sullivan, Lee Hahn Holloway, Piotr Sikora, Ryan Lackey, John Graham-Cumming, Dane Orion Knecht, Patrick Donahue, Zi Lin
  • Patent number: 10284525
    Abstract: A device for secure transmission of vehicle data over vehicle datalinks that may be shared with passenger devices and are connected to a publicly shared network is provided. The device comprises a processor embedded within a portion of an Ethernet cable for a vehicle. A plurality of applications resides in the processor and comprises a VPN application, and a VPN address and certificate update application. A first Ethernet transceiver communicates with the processor through the VPN application and also communicates with onboard electronic equipment. A second Ethernet transceiver communicates with the processor through the VPN application and also communicates with an external datalink. The VPN application automatically establishes a VPN when the datalink is available, provides an authentication certificate to verify that the device is a correct and legitimate node, and verifies a VPN hosting certification to determine whether the device is communicating with a correct and legitimate external facility.
    Type: Grant
    Filed: July 11, 2016
    Date of Patent: May 7, 2019
    Assignee: Honeywell International Inc.
    Inventors: James Christopher Kirk, Alexander Chernoguzov, Kevin Staggs
  • Patent number: 10248813
    Abstract: One embodiment provides a method for enabling computation of a signature of an information set given change information by storing information in a hierarchical data structure, the method including: utilizing at least one processor to execute computer code that performs the steps of: receiving change information relating to a first node within the hierarchical data structure; accessing a database comprising at least one key, wherein the at least one key comprises a crypto-hash and is assigned to a node within the hierarchical data structure; identifying a node key within the database that is assigned to the first node; computing a node crypto-hash for the first node after modifying the first node using the received change information; modifying the node key based upon the computed node crypto-hash; and updating the database with the modified node key. Other aspects are described and claimed.
    Type: Grant
    Filed: December 31, 2015
    Date of Patent: April 2, 2019
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Sheehan Anderson, Manish Sethi
  • Patent number: 10218681
    Abstract: A network control apparatus and method is provided. The method includes operations of informing a server of capability information including an encryption/decryption method, wherein the server provides the network control apparatus with control information used to control a network device using a general-purpose control web application, transmitting to the server a control information requesting message that requests the control information, receiving from the server the control information which has been encrypted using the encryption/decryption method, decrypting the encrypted control information according to the encryption/decryption method, and transmitting a control command for controlling the network device according to the decrypted control information.
    Type: Grant
    Filed: April 27, 2015
    Date of Patent: February 26, 2019
    Assignee: SAMSUNG ELECTRONICS CO., LTD.
    Inventors: Ho Jin, Jong-wook Park, Young-chul Sohn
  • Patent number: 10193698
    Abstract: A device may receive a message, associated with establishing a secure session, including a first certificate chain associated with a server device. The device may generate a first certificate fingerprint associated with the first certificate chain and determine a policy identifier associated with a security policy on which the first certificate chain is to be validated. The device may identify a second certificate fingerprint associated with a second certificate chain that has been validated based on the security policy. The device may determine whether the first certificate fingerprint matches the second certificate fingerprint.
    Type: Grant
    Filed: June 26, 2015
    Date of Patent: January 29, 2019
    Assignee: Juniper Networks, Inc.
    Inventors: Premenjit Das, Rajeev Chaubey
  • Patent number: 10193904
    Abstract: Systems and methods are provided for intrusion detection, specifically, identifying masquerade attacks in large scale, multiuser systems, which improves the scoring systems over conventional masquerade detection systems by adopting distinct alignment parameters for each user. For example, the use of DDSGA may result in a masquerade intrusion detection hit ratio of approximately 88.4% with a small false positive rate of approximately 1.7%. DDSGA may also improve the masquerade intrusion detection hit ratio by about 21.9% over conventional masquerade detection techniques and lower the Maxion-Townsend cost by approximately 22.5%. It will also improve the computational overhead.
    Type: Grant
    Filed: July 18, 2016
    Date of Patent: January 29, 2019
    Assignee: QATAR UNIVERSITY
    Inventors: Hesham Abdelazim Ismail Mohamed Kholidy, Abdulrahman Azab, Fabrizio Baiardi
  • Patent number: 10187206
    Abstract: A module with an embedded universal integrated circuit card (eUICC) can include a received eUICC profile and a set of cryptographic algorithms. The received eUICC profile can include an initial shared secret key for authentication with a wireless network. The module can receive a key K network token and send a key K module token to the wireless network. The module can use the key K network token, a derived module private key, and a key derivation function to derive a secret shared network key K that supports communication with the wireless network. The wireless network can use the received key K module token, a network private key, and the key derivation function in order to derive the same secret shared network key K derived by the module. The module and the wireless network can subsequently use the mutually derived key K to communicate using traditional wireless network standards.
    Type: Grant
    Filed: August 18, 2017
    Date of Patent: January 22, 2019
    Assignee: Network-1 Technologies, Inc.
    Inventor: John A. Nix
  • Patent number: 10176153
    Abstract: Systems and methods are provided for determining customized markup content to deter malicious attackers and/or to decrease electronic submissions from robots. In some embodiments, markup content may be randomized with unique identifiers, reordering of markup elements, and/or insertion of hidden markup elements. The modifications to markup content may have no impact on human usability of the markup content. However, the customized markup content may render the content unusable by a programmed, automated attacker that cannot parse and/or recognize the content. Thus, automated attackers are deterred from using markup content, while human users remain unaffected.
    Type: Grant
    Filed: September 25, 2014
    Date of Patent: January 8, 2019
    Assignee: Amazon Technologies, Inc.
    Inventor: Joseph Martin Sack
  • Patent number: 10171426
    Abstract: A network control apparatus and method is provided. The method includes operations of informing a server of capability information including an encryption/decryption method, wherein the server provides the network control apparatus with control information used to control a network device using a general-purpose control web application, transmitting to the server a control information requesting message that requests the control information, receiving from the server the control information which has been encrypted using the encryption/decryption method, decrypting the encrypted control information according to the encryption/decryption method, and transmitting a control command for controlling the network device according to the decrypted control information.
    Type: Grant
    Filed: April 27, 2015
    Date of Patent: January 1, 2019
    Assignee: SAMSUNG ELECTRONICS CO., LTD.
    Inventors: Ho Jin, Jong-wook Park, Young-chul Sohn
  • Patent number: 10135612
    Abstract: The present disclosure describes techniques for configuring and participating in encrypted audio calls, audio conferences, video calls, and video conferences. In particular, a call initiator generates a meeting identifier and a first meeting key, which are encrypted using a first encryption key and distributed to one or more participants of the call. The one or more participants decrypt the meeting identifier and the first meeting key, and use that information to participate in the encrypted call. Further, participants respond to the encrypted communication data by encrypting their reply data with the first meeting key. The call initiator decrypts the reply data using the first meeting key.
    Type: Grant
    Filed: December 15, 2016
    Date of Patent: November 20, 2018
    Assignee: Wickr Inc.
    Inventors: Thomas Michael Leavy, Dipakkumar R. Kasabwala
  • Patent number: 10090999
    Abstract: A device for wireless communication includes key logic configured to obtain a candidate group key corresponding to a data link group. The device also includes a wireless interface configured to transmit an announcement message to one or more devices of the data link group during a paging window designated for the data link group. The announcement message includes a multicast message and indicates availability of the candidate group key, and the announcement message.
    Type: Grant
    Filed: January 26, 2016
    Date of Patent: October 2, 2018
    Assignee: QUALCOMM Incorporated
    Inventors: Abhishek Pramod Patil, George Cherian, Soo Bum Lee, Jouni Kalevi Malinen, Santosh Paul Abraham, Alireza Raissinia
  • Patent number: 10044693
    Abstract: In an example embodiment, a submission of confidential data is received from a user. Then, the confidential data is encrypted using a first public key generated as part of a first public key-first private key pair. The encrypted confidential data is stored in a first column of a first submission table in a confidential information database. An identification of the user is encrypted using a second public key different than the first public key, the second public key generated as part of a first public key-first private key pair. Then, the encrypted identification of the user is stored in a second submission table in the confidential information database. The first private key is provided to a first component to decrypt the confidential information, without providing the second private key to the first component.
    Type: Grant
    Filed: July 29, 2016
    Date of Patent: August 7, 2018
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Ahsan Chudhary, Joseph Florencio, Krishnaram Kenthapadi, Anthony Duane Duerr
  • Patent number: 10009376
    Abstract: A Secure Input/Output (I/O) Module (SIOM) is networked-enabled providing secure communications with terminals and peripherals integrated into the terminals. Communications between devices are securely made through encrypted communication sessions provisioned, defined, and managed through a secure protocol using the network-based SIOM. In an embodiment, a single-tenant network-based SIOM is provided. In an embodiment, a hybrid dual single-tenant and multi-tenant network-based SIOM is provided. In an embodiment, a multi-tenant network-based SIOM is provided. In an embodiment, a cloud-based SIOM is provided.
    Type: Grant
    Filed: November 25, 2014
    Date of Patent: June 26, 2018
    Assignee: NCR Corporation
    Inventors: Stavros Antonakakis, Erick Kobres, Bradley William Corrion
  • Patent number: 9965645
    Abstract: Systems, apparatuses, and methods for providing data security for data that is stored in a cloud-level platform. In one embodiment, each session is associated with specific session “keys” for use in encrypting and decrypting data. The session specific keys are generated by a client application and the client public key of a public/private key pair is provided to the cloud platform as part of a user authentication process. If the user is properly authenticated, then the platform creates its own set of keys and sends the server public key of a public/private key pair to the client. When the client requests a data record or document, the platform can determine if the user is authorized to have access to the entire data record or document or only to certain fields or portions of the record or document. Based on that determination, the platform may selectively encrypt certain fields or portions of the record or document with the client public key.
    Type: Grant
    Filed: May 12, 2016
    Date of Patent: May 8, 2018
    Assignee: NETSUITE Inc.
    Inventor: Dale Sinor
  • Patent number: 9934138
    Abstract: A blockchain test configuration may provide a simple and secure infrastructure for testing applications. One example method of operation may comprise one or more of transmitting a request to a network of nodes to test a test package associated with an application. The method may also include receiving results based on the test of the test package and recording the results in a blockchain.
    Type: Grant
    Filed: December 7, 2016
    Date of Patent: April 3, 2018
    Assignee: International Business Machines Corporation
    Inventors: Vijay Kumar Ananthapur Bache, Jhilam Bera, Arvind Kumar, Bidhu Sahoo
  • Patent number: 9900162
    Abstract: A method includes receiving, at an access point of a network, a first message from a wireless device. The method further includes determining a device type of the wireless device. In response to determining that the device type satisfies a criterion, the method includes sending, to the wireless device, a second message granting the wireless device access to the network subject to a first restriction level and sending a network access request to a second device associated with an operator of the access point. The method may further include receiving a response to the network access request from the second device and determining, based on the response, whether to grant the wireless device access to the network subject to a second restriction level.
    Type: Grant
    Filed: November 11, 2015
    Date of Patent: February 20, 2018
    Assignees: AT&T MOBILITY II LLC, AT&T INTELLECTUAL PROPERTY I, L.P.
    Inventors: Morgan D. Woxland, Jonathan Davis
  • Patent number: 9882714
    Abstract: In many secure communication systems, group keys are updated on a regular basis in order to maintain high security level. Decryption and encryption keys are typically updated simultaneously in policy enforcement points (PEPs). Such approach makes the respective communication system prone to dropping of network traffic. According to at least one embodiment, re-keying is performed by installing, at a first phase, a new decryption key at the PEPs without removing an old decryption key previously installed in the PEPs. At a second phase, a new encryption corresponding to the new decryption key is installed and an old encryption key corresponding to the old decryption is removed. At a third stage, the old decryption key and any other old decryption keys are removed from the PEPs.
    Type: Grant
    Filed: March 10, 2014
    Date of Patent: January 30, 2018
    Assignee: Certes Networks, Inc.
    Inventors: Todd L. Cignetti, Miles S. Krivoshia, Ganesh Murugesan, Timothy J. Megela
  • Patent number: 9871653
    Abstract: A technique for key sharing among multiple key servers connected to one another over a communication network is provided herein. Each key server of the multiple key servers stores respective cryptographic keys, and provides the keys to a local device group connected with the key server, to enable the device group to encrypt messages with the keys. Each key server acts as a proxy for the other key servers in order to receive other keys from the other key servers over the network, and provide the other keys to the device group for use to decrypt messages received from other local device groups respectively connected with the other key servers that were encrypted with the other keys and to check message integrity. The multiple key servers may share keys with each other directly, or alternatively, indirectly through a central key server, as needed to support secure communications between their respective device groups.
    Type: Grant
    Filed: July 18, 2013
    Date of Patent: January 16, 2018
    Assignee: Cisco Technology, Inc.
    Inventors: Brian Eliot Weis, Maik Guenter Seewald, Ruben Gerald Lobo
  • Patent number: 9866376
    Abstract: System, device, and method of provisioning cryptographic assets to electronic devices. A delegation message is generated at a first provisioning server. The delegation message indicates provisioning rights that are delegated by the first provisioning server to a second provisioning server with regard to subsequent provisioning of cryptographic assets to an electronic device. The delegation message includes an association key unknown to the first provisioning server, encrypted using a public key of the electronic device. The delegation message further includes a public key of the second provisioning server. The electronic device locally generates the association key, which is unknown to the first provisioning server. The delegation message is delivered to the electronic device. Based on the delegation message, cryptographic assets are provisioned by the second provisioning server to the electronic device, using the association key.
    Type: Grant
    Filed: June 11, 2017
    Date of Patent: January 9, 2018
    Assignee: ARM LIMITED
    Inventors: Hagai Bar-El, Alexander Klimov, Asaf Shen
  • Patent number: 9858442
    Abstract: A system includes a security device, configured for cryptographic processing, coupled to receive incoming data from a plurality of data sources (e.g., data from different customers), wherein the incoming data includes first data from a first data source; a controller (e.g., an external key manager) configured to select a first set of keys from a plurality of key sets, each of the key sets corresponding to one of the plurality of data sources, wherein the first set of keys is used by the security device to encrypt the first data; and a common encrypted data storage, coupled to receive the encrypted first data from the security device.
    Type: Grant
    Filed: May 10, 2016
    Date of Patent: January 2, 2018
    Assignee: SECTURION SYSTEMS, INC.
    Inventor: Richard J. Takahashi
  • Patent number: 9854001
    Abstract: A system enforces policies in connection with requests to access resources. Users are provided the ability to obtain information about the policies the system enforces. Some of the users have associated restrictions such that, when those users request information about the policies, the information provided is incomplete. The information provided may lack information about one or more policies that apply to the users.
    Type: Grant
    Filed: March 25, 2014
    Date of Patent: December 26, 2017
    Assignee: Amazon Technologies, Inc.
    Inventors: Gregory Branchek Roth, Eric Jason Brandwine
  • Patent number: 9755831
    Abstract: One feature pertains to a method for extracting a secret key during a secure boot flow of an integrated circuit. Specifically, the secure boot flow includes powering ON a first volatile memory circuit to generate a plurality of initial logical state values, deriving secret data based on the plurality of initial logical state values, storing the secret data in a secure volatile memory circuit that is secured by a secure execution environment (SEE), clearing the plurality of initial logical state values in the first volatile memory circuit, executing a cryptographic algorithm at the SEE to extract a secret key based on the secret data, and storing the secret key in the secure volatile memory circuit. The secure boot flow controls access to the first volatile memory circuit to secure the secret data and the plurality of initial logical state values from the insecure applications.
    Type: Grant
    Filed: January 22, 2014
    Date of Patent: September 5, 2017
    Assignee: QUALCOMM Incorporated
    Inventors: Steven Douglas Laver, Xu Guo, Brian Marc Rosenberg, David Merrill Jacobson
  • Patent number: 9730057
    Abstract: A technique to manage members of a group of decoders having access to broadcast data, each group member sharing a common broadcast encryption scheme (BES) comprising the steps of, in a stage for a decoder to become a group member, receiving keys pertaining to the position in the group according to the BES, receiving a current group access data comprising a current group access key, and in a stage of accessing broadcast data, using the current group access data to access the broadcast data, and in a stage of renewing the current group access key, sending a first group message comprising at least a next group access key encrypted so that only non-revoked decoders can access it, said group message being further encrypted by the current group access key, updating the current group access key with the next group access key.
    Type: Grant
    Filed: June 26, 2015
    Date of Patent: August 8, 2017
    Assignee: NAGRAVISION S.A.
    Inventors: Guy Moreillon, Alexandre Karlov
  • Patent number: 9727396
    Abstract: Some embodiments of a system and a method to automatically deploy message queues on-demand in a computing system have been presented. An application server may configure an application messaging service according to a set of rules in a configuration file. In response to applications requesting to access messaging queues for the first time, the application server may automatically deploy messaging queues on-demand following the set of rules in the configuration file.
    Type: Grant
    Filed: November 30, 2010
    Date of Patent: August 8, 2017
    Assignee: Red Hat, Inc.
    Inventors: Martin Vecera, Pavel Macik
  • Patent number: 9712504
    Abstract: A system and a method are described that reduce or eliminate inefficiencies caused by double encryption in network tunnel communications. In particular, a set of virtual tunnels may be established that require a lower level of encryption in comparison to a full-encryption tunnel. Upon determining that a session is end-to-end encrypted, the system and method described herein may assign the session to one of the virtual tunnels instead of the full-encryption tunnel. By intelligently assigning sessions to virtual tunnels when encryption has already been applied, double encryption may be avoided, which will improve throughput and decrease processor usage. However, in cases where a session is not end-to-end encrypted, the full-encryption tunnel may be utilized to ensure secure communications are maintained between gateways.
    Type: Grant
    Filed: April 22, 2015
    Date of Patent: July 18, 2017
    Assignee: Aruba Networks, Inc.
    Inventors: Hari Krishna Kurmala, Ramesh Ardeli, Pradeep Iyer
  • Patent number: 9705671
    Abstract: A one-way key switching method and an implementation device. The method comprises: after obtaining a new key and before deducing or determining that at least n receivers obtain the new key, a sender setting the sending direction of the new key as unavailable and keeping the sending direction of an original key as available; after obtaining the new key and before deducing or determining that at least n receivers obtain the new key, before the original key is invalid, the sender starting up a key switching process, i.e. setting the sending direction of the original key as unavailable and setting the sending direction of the new key as available; where N ≥ n ≥ 1, N is the total number of the receivers corresponding to the sender.
    Type: Grant
    Filed: July 15, 2013
    Date of Patent: July 11, 2017
    Assignee: China IWNCOMM Co., LTD.
    Inventors: Qin Li, Manxia Tie, Ning Bu
  • Patent number: 9608813
    Abstract: A plurality of devices have common access to a cryptographic key. The cryptographic key is rotated by providing the devices simultaneous access to both the cryptographic key and a new cryptographic key and then revoking access to the cryptographic key. Keys stored externally and encrypted under the cryptographic key can be reencrypted under the new cryptographic key. Keys intended for electronic shredding can be left encrypted under the old cryptographic key.
    Type: Grant
    Filed: June 13, 2013
    Date of Patent: March 28, 2017
    Assignee: Amazon Technologies, Inc.
    Inventors: Gregory Branchek Roth, Matthew James Wren, Eric Jason Brandwine, Brian Irl Pratt
  • Patent number: 9609490
    Abstract: According to an aspect of the present disclosure, an access point sends timing information related to updating of a group key. A wireless station communicates with the access point according to the timing information to receive an updated group key. The updated group key is thereafter used for processing of multicast packets. Due to the use of the timing information, the wireless station can operate in a power-down mode, and yet receive at least the required group keys. In one embodiment, the timing information specifies a future time instance at which the update group may be available. In an alternative embodiment, a version number is associated with each value of the group key and the version number of the currently operative group key (in the access point) is broadcast to the wireless stations.
    Type: Grant
    Filed: December 8, 2014
    Date of Patent: March 28, 2017
    Assignee: GAINSPAN CORPORATION
    Inventors: Sibasis Purohit, Vishal Batra, Pankaj Vyas
  • Patent number: 9553719
    Abstract: Provided is a transmitting terminal capable of sharing an encryption key among a number of specific apparatuses using fewer resources and securely. A transmitting terminal (400) has an inquiry ID generation unit (420) which embeds an encryption key in logical results of an XOR between an ID of a receiving terminal and random blocks according to predetermined key embedding rules in order to generate an inquiry ID. The key embedding rules are stipulations for inverting the values of bit positions corresponding to each bit value of the encryption key, in the block position correspondence relationships between the bit positions of the encryption key and the positions of the blocks into which the logical result of the XOR have been partitioned and the bit position correspondence relationships between the bit values of the encryption key and the bit positions within the blocks, which have been predefined.
    Type: Grant
    Filed: April 13, 2012
    Date of Patent: January 24, 2017
    Assignee: PANASONIC INTELLECTUAL PROPERTY MANAGEMENT CO., LTD.
    Inventors: Yasuaki Inatomi, Hayashi Ito
  • Patent number: 9554304
    Abstract: A scalable medium access control (“MAC”) module is provided that avoids conflict resource reservation so that network performance does not degrade as the number of hops or nodes in a wireless network increases. The MAC also provides different access schemes for traffic with different quality of service (“QoS”) requirements such that QoS is guaranteed and network resources are efficiently utilized. Furthermore, the resource allocation scheme determines the routing path as resources are allocated for data traffic, thereby achieving more robust layer-2 routing at the MAC layer. Finally, the scalable MAC is compliant with both WiMedia MAC and IEEE 802.15.3 MAC.
    Type: Grant
    Filed: November 26, 2013
    Date of Patent: January 24, 2017
    Assignee: OL SECURITY LIMITED LIABILITY COMPANY
    Inventors: Xudong Wang, Chao Gui, Abhishek Patil, Weilin Wang, Michael Nova
  • Patent number: 9554268
    Abstract: A system and method are provided for updating persistent data in a wireless communications device. The wireless communications device receives patch manager run time instructions from an airlink interface. A run-time engine is launched. The run-time engine receives the patch manager run time instructions with dynamic instruction sets and new code sections, including updated persistent data. The run-time engine processes the dynamic instruction sets. In response to processing the dynamic instruction sets, the run-time engine selectively updates persistent data in the system software. The updated persistent data may, for example, be selected from the following: radio frequency (RF) calibration data, nonvolatile system and user configuration data, resource data, nonvolatile system and user application data, and arbitrary data.
    Type: Grant
    Filed: October 5, 2001
    Date of Patent: January 24, 2017
    Assignee: Kyocera Corporation
    Inventors: Gowri Rajaram, Gregory Lie
  • Patent number: 9538461
    Abstract: A facility for interacting with data networks using a permanent network identifier persistently stored within a computing system is described. In one example facility, in response to each opportunity to connect to a data network, the facility determines identifying information for the data network, and determines whether the determined identifying information matches any of a set of approved data networks. In response to determining that it does, the facility establishes a connection with the first data network using the computing system's permanent network identifier, and conducts the established connection with the first data network using the computing system's permanent network identifier. In response to determining that it does not, the facility establishes a connection with the data network using a temporary network identifier that is different from the computing system's permanent network identifier, and conducts the established connection with the data network using the temporary network identifier.
    Type: Grant
    Filed: June 30, 2015
    Date of Patent: January 3, 2017
    Assignee: Microsoft Technology Licensing, LLC
    Inventor: Paul Anthony Brookes
  • Patent number: 9529732
    Abstract: Systems, methods, and other embodiments associated with rotating keys for a memory are described. According to one embodiment, a memory system comprises a memory controller configured to control access to a memory and to process memory access requests. Rekeying logic is configured to rotate a first key that was used to scramble data in the memory and re-scramble the data with a second key by: determining when the memory controller is in an idle cycle and performing a rekeying operation on a portion of the memory during the idle cycle, and pausing the rekeying operation when the memory controller is not in an idle cycle to allow memory access requests to be performed and resuming the rekeying operation during a next idle cycle.
    Type: Grant
    Filed: July 18, 2014
    Date of Patent: December 27, 2016
    Assignee: MARVELL WORLD TRADE LLC
    Inventor: Pontus Lidman
  • Patent number: 9525670
    Abstract: Improvement of the security of communication is facilitated. A server receives from an on-vehicle device, encrypted data obtained by encrypting ECU information using key information (111-1#C), and identification information (112-1#C). Thereafter, the server determines from the identification information (112-1#C), whether identification information of a next key to be used after identification information (112-1) is stored. The server determines that the identification information of the next key to be used after the identification information (112-1) is not stored, and obtains key information (111-2#S) and identification information (112-2#S) to identify key information (111-2) as the next key. The server encrypts the key information (111-2#S) and the identification information (112-2#S) using key information (111-1#S), and transmits encrypted data and identification information (112-1#S) to the on-vehicle device.
    Type: Grant
    Filed: December 24, 2014
    Date of Patent: December 20, 2016
    Assignee: FUJITSU LIMITED
    Inventor: Hidefumi Maruyama
  • Patent number: 9503438
    Abstract: Authentication of a user or a wireless transmit/receive unit may be based on an obtained measure of authentication strength, which may be referred to as an assurance level. For example, a user, via a WTRU, may request access to a service controlled by an access control entity (ACE). The user may be authenticated with a user authenticator and assertion function (UAAF), producing a result. A user assertion may be provided that includes the user authentication result, a user assurance level, and/or a user freshness level. The WTRU may be authenticated with a device authenticator and assertion function (DAAF), producing an associated result. A device assertion may be provided that may include the device authentication result, a device assurance level, and/or a device freshness level. The assertions may be bound together to receive access to a service or resource.
    Type: Grant
    Filed: July 12, 2013
    Date of Patent: November 22, 2016
    Assignee: InterDigital Patent Holdings, Inc.
    Inventors: Vinod Kumar Choyi, Yogendra C Shah, Michael V Meyerstein, Louis J Guccione
  • Patent number: 9495144
    Abstract: Various embodiments of the present invention are directed to systems, methods, and computer program products for managing connections between a mobile device and a network server over a network connection in a bandwidth-efficient manner. In one embodiment, a mobile device includes a processor, and there are a plurality of services executed by the processor, each of the services receiving information updates over a network connection from a server. At least one update interval function executed by the processor assigns an update interval to each of the services, the update intervals governing when each of the respective services request updated information over the network connection.
    Type: Grant
    Filed: December 8, 2014
    Date of Patent: November 15, 2016
    Assignee: APPLE INC.
    Inventors: James W. Cooley, Neal E. Tucker
  • Patent number: 9491071
    Abstract: A method to dynamically group devices based on device information, which is associated with a system for monitoring the device information that communicates information between a device and an enterprise. Information is collected from a device information source to obtain an actual status of a device. The actual status of the device is compared to a stored status of the device. The stored status is stored on a server of the enterprise. The enterprise determines if the actual status has been changed from the stored status. When a change is detected, the method performs at least one of the acts of automatically disassociating the device from a group that reflects the stored status and automatically associating the device with a new group to reflect the actual status.
    Type: Grant
    Filed: June 27, 2014
    Date of Patent: November 8, 2016
    Assignee: PTC Inc.
    Inventors: David Patrick Hart, John Louis Taylor
  • Patent number: 9491149
    Abstract: Improvement of the security of communication is facilitated. A server receives from an on-vehicle device, encrypted data obtained by encrypting ECU information using key information (111-1#C), and identification information (112-1#C). Thereafter, the server determines from the identification information (112-1#C), whether identification information of a next key to be used after identification information (112-1) is stored. The server determines that the identification information of the next key to be used after the identification information (112-1) is not stored, and obtains key information (111-2#S) and identification information (112-2#S) to identify key information (111-2) as the next key. The server encrypts the key information (111-2#S) and the identification information (112-2#S) using key information (111-1#S), and transmits encrypted data and identification information (112-1#S) to the on-vehicle device.
    Type: Grant
    Filed: December 24, 2014
    Date of Patent: November 8, 2016
    Assignee: FUJITSU LIMITED
    Inventor: Hidefumi Maruyama
  • Patent number: 9483663
    Abstract: A method of read or write access by an electronic component of data, including generating a first secret key for a first data of an ordered list of data to access, and for each data of the list, following the first data, generating a distinct secret key by means of a deterministic function applied to a secret key generated for a previous data of the list, and the application of a cryptographic operation to each data to be read or to be written of the list, carried out by using the secret key generated for the data.
    Type: Grant
    Filed: August 3, 2010
    Date of Patent: November 1, 2016
    Assignee: STMicroelectronics (Rousset) SAS
    Inventor: Frédéric Bancel
  • Patent number: 9471805
    Abstract: In an automated data storage library, selective encryption for data stored or to be stored on removable media is provided. One or more encryption policies are established, each policy including a level of encryption, one or more encryption keys and the identity of one or more data cartridges. The encryption policies are stored in a policy table and the encryption keys are stored in a secure key server. A host requests access to a specified data cartridge and the cartridge is transported from a storage shelf in the library to a storage drive. Based on the identity of the specified cartridge, the corresponding encryption policy is selected from the table and the appropriate encryption key is obtained from the key server. The storage drive encrypts data in accordance with the key and stores the data on the media on an encryption table within the specified data cartridge.
    Type: Grant
    Filed: September 2, 2015
    Date of Patent: October 18, 2016
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: James A. Fisher, Brian G. Goodman, Leonard G. Jesionowski
  • Patent number: 9436841
    Abstract: Methods and systems for maintaining the confidentiality of data provided by an organization for storage on a third party database system are provided. The data can be encrypted on an internal network of the organization and sent to the third party database system for storage. The third party database system can associate metadata with the encrypted data and can store the encrypted data. Accordingly, when a request for the encrypted data is received from a computing device communicating with an internal network of the organization, the encrypted data and associated metadata can be sent to the computing device. A key that is stored on an internal network of the organization can be called through an applet, which utilizes information within the metadata to locate the key on the internal network of the organization.
    Type: Grant
    Filed: April 30, 2014
    Date of Patent: September 6, 2016
    Assignee: salesforce.com, inc.
    Inventors: Brendan T. O'Connor, James L. Cavalieri, III, Robert C. Fly
  • Patent number: 9436846
    Abstract: A semiconductor device having a plurality of on-chip processors, a plurality of key RAMs, a plurality of key RAM controllers, a fuse bank, a fuse bank controller and a boot controller is described. The boot controller is arranged to, in a first programming stage, allocate a first array of fuses in the fuse bank in dependence on the size of a first device key for storing the first device key in the fuse bank and, during boot-time, provide the first device key to a first key RAM controller. The fuse bank controller is arranged to program the first array of fuses with the first device key in the first programming stage, provide the first device key to the boot controller during boot-time, and prevent access to the first device key in the fuse bank during run-time. The first key RAM controller is arranged to, during boot-time, store the first device key in the first key RAM, and, during run-time, restrict access to the first device key in the first key RAM to exclusive access by the first on-chip processor.
    Type: Grant
    Filed: May 30, 2012
    Date of Patent: September 6, 2016
    Assignee: FREESCALE SEMICONDUCTOR, INC.
    Inventors: David H. Hartley, Elkana Korem
  • Patent number: 9432844
    Abstract: A method for updating a group traffic key used for encrypting and decrypting multicast data in a wireless communication system is described. The method includes receiving, from the base station, a first message comprising a new group security seed; and updating the group traffic key based on the new group security seed.
    Type: Grant
    Filed: February 28, 2012
    Date of Patent: August 30, 2016
    Assignee: LG ELECTRONICS INC.
    Inventors: In Uk Jung, Jin Sam Kwak, Ki Seon Ryu, Wook Bong Lee
  • Patent number: 9430659
    Abstract: Example embodiments provide various techniques for locating cryptographic keys stored in a cache. The cryptographic keys are temporarily stored in the cache until retrieved for use in a cryptographic operation. The cryptographic key may be located or found through reference to its cryptographic key identifier. In an example, a particular cryptographic key may be needed for a cryptographic operation. The cache is first searched to locate this cryptographic key. To locate the cryptographic key, the cryptographic key identifier that is associated with this cryptographic key is provided. In turn, the cryptographic key identifier may be used as an address into the cache. The address identifies a location of the cryptographic key within the cache. The cryptographic key may then be retrieved from the cache at the identified address and then used in the cryptographic operation.
    Type: Grant
    Filed: July 31, 2015
    Date of Patent: August 30, 2016
    Assignee: NetApp, Inc.
    Inventor: Joakim Tolfmans
  • Patent number: 9363668
    Abstract: A sensor network includes a sensor management server which is mutually connected with many sensor terminals. The sensor management server includes: a key delivery module for transmitting a key update message to the respective sensor terminals; a communication volume detection module for detecting a communication volume used for transmitting the key update message; and a multiplicity determination module for specifying a numerical value as a multiplicity, which represents the lower limit number of key update messages transmitted to the respective sensor terminals, according to the detected communication volume. The multiplicity determination module specifies the multiplicity such that the communication volume for transmitting or retransmitting the key update message takes the minimum value, and the key delivery module transmits the key update message by using the minimum communication volume that corresponds to the specified multiplicity.
    Type: Grant
    Filed: January 30, 2013
    Date of Patent: June 7, 2016
    Assignee: NEC CORPORATION
    Inventor: Jun Noda
  • Patent number: 9351157
    Abstract: Reduction of audio truncation when transcoding speech data from one coding format to another. Embodiments include receiving packets of a first communication session containing first encrypted speech data encoded according to a vocoder of a first type and encrypted using an encryption protocol, and containing a first encryption protocol identification information distributed among the received packets. Further embodiments include extracting the first encryption protocol identification information from the received packets and processing the received packets based on the first encryption identification information. Embodiments include transmitting one or more voice header packets containing a second encryption protocol identification information in a second communication session as well as transmitting packets in the second communication session containing second encrypted speech data encoded according to a vocoder of a second type.
    Type: Grant
    Filed: October 17, 2013
    Date of Patent: May 24, 2016
    Assignee: MOTOROLA SOLUTIONS, INC.
    Inventors: Anuj Kapoor, Daniel J. McDonald, Harish Natarahjan, Yunhai Yang