Key Distribution Patents (Class 380/278)
  • Patent number: 11546155
    Abstract: The present disclosure is designed to properly prevent tampering of data, which might take place in a data collection route. Data managing apparatus 100 includes a reception processing unit 131 configured to receive processing history information related to a history of processing performed on collected data and encrypted information of a first hash value generated from the processing history information using a public key associated with the processing, a generation processing unit 133 configured to generate a second hash value from the processing history information, and a maintaining unit 135 configured to maintain the processing history information when the first hash value, decrypted from the encrypted information using a private key associated with the data collection process, and the second hash value match.
    Type: Grant
    Filed: September 24, 2020
    Date of Patent: January 3, 2023
    Assignee: NEC CORPORATION
    Inventor: Makoto Shimamoto
  • Patent number: 11546135
    Abstract: Methods, system and devices are provided that generate a sequence of sub-keys for cryptographic operations from a main key. The main key is operated on only once to generate the sub-keys of the sequence, with a transformation comprising one or more one-way functions. The respective bit values of the sub-keys of the sequence are set using respective bit values of the one or more one-way functions. Advantageously, deriving sub-key bits from respective output bits of one or more one-way functions removes or at least reduces correlations between the main key and the sub-keys, as well as between sub-keys, making it harder or even impossible to recover the main key or other sub-keys from a single sub-key, for example as found using a side-channel attack.
    Type: Grant
    Filed: July 1, 2020
    Date of Patent: January 3, 2023
    Assignee: NAGRAVISION S.A.
    Inventors: Karine Villegas, Brecht Wyseur
  • Patent number: 11544677
    Abstract: Embodiments provide methods, and systems for facilitating microservices for cryptographic operations. A method includes receiving, by a server system, a cryptographic service request from at least one application of a plurality of applications over a network communication channel. The cryptographic service request comprises a cryptographic operation to be performed and a cryptographic keys index being an identifier of the at least one application. The method includes generating, by the server system, a cryptographic operation command for the cryptographic operation. The method includes sending, by the server system, the cryptographic operation command to a Hardware Security Module (HSM) communicatively connected to the server system to perform the cryptographic operation. The method includes receiving, by the server system, a response from the HSM for the performed cryptographic operation.
    Type: Grant
    Filed: April 7, 2020
    Date of Patent: January 3, 2023
    Assignee: Mastercard International Incorporated
    Inventors: Sunil Vagare, Chetan Bhalerao, Ritesh Chaudhari, Sudhir Shirke, Ashish Dhande
  • Patent number: 11539677
    Abstract: A networked device communication system can configure network devices (e.g., a primary and secondary database) to send and receive sequences of messages, such as replicated data, using one or more keypairs and wrapping keys. The sequences of messages can include an initial set of messages that are encrypted by a wrapping key, and further include another set of messages that are encrypted by a replaced staggered key. The sequence of messages can be configured to be decrypted without exporting keys of hardware security modules.
    Type: Grant
    Filed: March 25, 2022
    Date of Patent: December 27, 2022
    Assignee: Snowflake Inc.
    Inventors: Damien Carru, Robert Bengt Benedikt Gernhardt, Martin Hentschel, Nithin Mahesh, Eric Robinson
  • Patent number: 11533390
    Abstract: Computer-implemented systems and methods for data harmonization in engineering simulation. The method may comprise receiving application preferences defining attributes associated with input data to be delivered to one or more applications from one or more data sources. A first set of attributes may be associated with data to be delivered to a first application. Application preferences may be provided to a handler in communication with the data sources. Raw data received by the handler may arrive in a variety of formats and packet sizes from the one or more data sources. Raw data may be packaged by the handler into one or more data packets having a size or format that satisfies the application preferences. One or more attributes associated with input data to be delivered to the first application may be defined. Packaged data may be transmitted over one or more data transmission channels satisfying the application preferences.
    Type: Grant
    Filed: January 22, 2021
    Date of Patent: December 20, 2022
    Assignee: SAP SE
    Inventors: Andreas Wildhagen, Chatur B. Patil, Lars Erbe, Andre Pany, Samir Zeort
  • Patent number: 11528144
    Abstract: A method including transmitting, by a processor associated with a user device, a request to determine a signature key; receiving, by the processor, a unique identifier associated with the signature key; authenticating, by the processor, received biometric information; selectively transmitting, by the processor based at least in part on a result of authenticating the biometric information, a signature request that includes the unique identifier in association with validation data to indicate that the signature key, associated with the unique identifier, is to be utilized to sign the validation data; and receiving, by the processor, signed validation data that is signed based at least in part on utilizing the signature key. Various other aspects are contemplated.
    Type: Grant
    Filed: June 9, 2022
    Date of Patent: December 13, 2022
    Assignee: UAB 360 IT
    Inventor: Mindaugas Valkaitis
  • Patent number: 11528130
    Abstract: A method including determining, by a processor, an assigned key pair associated with a user device, the assigned key pair including an assigned public key and an assigned private key; authenticating, by the processor, received biometric information; selectively transmitting, by the processor to a trusted device based at least in part on a result of authenticating the received biometric information, an encryption request to encrypt the assigned private key; and encrypting, by the processor based at least in part on selectively transmitting the encryption request, content based at least in part on utilizing the assigned public key is disclosed. Various other aspects are contemplated.
    Type: Grant
    Filed: June 4, 2022
    Date of Patent: December 13, 2022
    Assignee: UAB 360 IT
    Inventor: Mindaugas Valkaitis
  • Patent number: 11520918
    Abstract: Methods, systems, and computer programs are presented for protecting restricted actions on encryption keys that control the management of data stored by a service provider. In some implementations, a of the service provider receives a request to generate a data encryption policy (DEP) for data stored by the of the service provider for a customer, the request including a reference to a customer key and an availability key. The customer key and the availability key are root keys for encrypting a data encryption key. The data encryption key is used to encrypt the data stored by the service provider for the customer. Further, destructive changes to the availability key require receiving an approval from an account of the service provider. The of the service provider validates the DEP. The of the service provider stores the DEP based on the validation.
    Type: Grant
    Filed: February 3, 2021
    Date of Patent: December 6, 2022
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Anuj Dhawan, Brijesh Bhupendra Desai, Kameshwar Jayaraman, Ayla Kol, Amit A. Bapat, Qi Cao, Steven Jay Lieberman, Ganesh Pandey, Parul Manek
  • Patent number: 11509636
    Abstract: Various embodiments are directed to a system and method for establishing a secure communication pathway between a network-connected device and a computing platform. Such configurations encompass encrypting a device-specific installation package passed to the device using a device-generated cryptography key, verifying the identity of the computing platform at the device, encrypting a response message via a platform-generated cryptography key, transmitting the response message to the computing platform, verifying characteristics of the device via the response message, and establishing a secure communication platform upon verification of the device.
    Type: Grant
    Filed: January 30, 2019
    Date of Patent: November 22, 2022
    Assignee: Corlina, Inc.
    Inventors: Antonio J. Espinosa, Shashi Sastry, Vincent Bemmel, Sameer Merchant
  • Patent number: 11502834
    Abstract: Aspects of the invention include detecting that a rekey timer has expired. The rekey timer is one of a shared key rekey timer for a current shared key between the first node and a second node, and a session key rekey timer for a session key used in a secure communication between a channel on the first node and a channel on the second node. The session key was created based on the current shared key and is used for encrypting data in the secure communication. Based on the rekey timer being the shared key rekey timer, a new shared key is obtained and stored as the current shared key. Based on the rekey timer being the session key rekey timer, a new session key that is based at least in part on the current shared key is obtained and used in the secure communication.
    Type: Grant
    Filed: February 26, 2020
    Date of Patent: November 15, 2022
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Mooheng Zee, Richard Mark Sczepczenski, Christopher J. Colonna, Evan Rivera
  • Patent number: 11496486
    Abstract: A data processing system includes technology to enable implicit integrity to be used for digital communications. That technology comprises a hardware processor and an implicit integrity engine (IIE) responsive to the processor. For instance, in response to the data processing system receiving a communication that contains a message, the IIE is to automatically analyze the communication to determine whether the message was sent with implicit integrity. If the message was sent with implicit integrity, the IIE is to automatically use a pattern matching algorithm to analyze entropy characteristics of a plaintext version of the message, and to automatically determine whether the message has low entropy, based on results of the pattern matching algorithm and a predetermined entropy threshold. If the message does not have low entropy, the IIE is to automatically determine that the message has been corrupted. Other embodiments are described and claimed.
    Type: Grant
    Filed: May 13, 2021
    Date of Patent: November 8, 2022
    Assignee: Intel Corporation
    Inventors: Michael Kounavis, Amitabh Das, Sergej Deutsch, Karanvir S. Grewal, David M. Durham
  • Patent number: 11496326
    Abstract: A system is configured to derive a set of encryption keys from measured device characteristics of at least one PUF device and communicate with a remote device by performing a cryptographic operation secured by the set of encryption keys. The cryptographic operation includes segmenting a first data stream into a first plurality of data stream fragments, segmenting a first data stream fragment of the first plurality of data stream fragments into a first numeric value and a second numeric value, identifying, using the first numeric value, a first encryption key of the set of encryption keys, and applying a one-way cryptographic function to the first encryption key a first number of times determined by the second numeric value to generate a transformed fragment having a value that depends on the values of the first numeric value and the second numeric value from the first data stream fragment and a value of the first encryption key.
    Type: Grant
    Filed: January 27, 2021
    Date of Patent: November 8, 2022
    Assignee: ARIZONA BOARD OF REGENTS ON BEHALF OF NORTHERN ARIZONA UNIVERSITY
    Inventor: Bertrand F Cambou
  • Patent number: 11496292
    Abstract: The present disclosure includes methods, devices and systems for preparing and installing one or more application keys owned by application owners in a remote device. The present disclosure further proposes methods, devices and systems for secure installation of subsequent application keys on a device utilising corresponding key derivation functions to associate an application with a respective policy and identifier using significantly low bandwidth for transfer of keys for execution of the respective application on the device.
    Type: Grant
    Filed: December 21, 2018
    Date of Patent: November 8, 2022
    Assignee: NAGRAVISION S.A.
    Inventors: Jean-Bernard Fischer, Nicolas Fischer, Fabien Gremaud, Karine Villegas
  • Patent number: 11496299
    Abstract: The invention relates to a method for authenticating to a device, comprising receiving, by the device, from a chip, data; retrieving, by the device, based on the received data, a predetermined encrypted credential; sending, by the device, to the chip, a decryption request for decrypting the encrypted credential including or being accompanied with the encrypted credential to be decrypted; retrieving, by the chip, a secret key; decrypting, by the chip, the encrypted credential by using the secret key; sending, by the chip, to the device, as a decryption request response, the credential; verifying, by the device, whether the credential is or is not valid; and authenticating, by the device, only if the credential is valid, the chip.
    Type: Grant
    Filed: June 18, 2019
    Date of Patent: November 8, 2022
    Assignee: THALES DIS CPL USA, INC.
    Inventors: Mikael Riou, Thinh Nguyen
  • Patent number: 11496893
    Abstract: A relay device transfers a plurality of original data fragments corresponding to a plurality of secret sharing values of original data to a plurality of secure computation devices, transfers, to each of the secure computation devices, a request to send a result fragment based on a secure computation result corresponding to any one of the original data fragments, and transfers the result fragment. The relay device controls timing with which the original data fragments are transferred and timing with which the request to send is transferred.
    Type: Grant
    Filed: October 2, 2015
    Date of Patent: November 8, 2022
    Assignee: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
    Inventors: Hiroyoshi Takiguchi, Naoto Kiribuchi, Teruko Miyata
  • Patent number: 11483132
    Abstract: The present disclosure relates to systems, methods, and non-transitory computer-readable media that utilize pre-signed key rotation transaction requests for initiating transactions to rotate one or more cryptographic keys of a user account of a distributed digital ledger transaction network. For example, in one or more embodiments, the disclosed systems initiate a transaction to delegate a permission for rotating one or more cryptographic keys of a first user account to a second user account. Using the second user account, the disclosed systems generate and store a pre-signed key rotation transaction request. By retrieving the pre-signed key rotation transaction request from storage, the disclosed systems can initiate a key rotation transaction that exchanges the active cryptographic key of the first user account to a modified cryptographic key.
    Type: Grant
    Filed: December 4, 2020
    Date of Patent: October 25, 2022
    Assignee: Meta Platforms, Inc.
    Inventors: Lei Wei, Riyaz Faizullabhoy, Nassim Eddequiouaq
  • Patent number: 11483604
    Abstract: A method is provided for managing key rotation (use of series of keys) and secure key distribution in over-the-top content delivery. The method provided supports supplying a first content encryption key to a content packaging engine for encryption of a first portion of a video stream. Once the first content encryption key has expired, a second content encryption key is provided to the content packaging engine for encryption of a second portion of a video stream. The method further provides for notification of client devices of imminent key changes, as well as support for secure retrieval of new keys by client devices. A system is also specified for implementing a client and server infrastructure in accordance with the provisions of the method.
    Type: Grant
    Filed: July 29, 2021
    Date of Patent: October 25, 2022
    Assignee: ERICSSON AB
    Inventors: Kevin J. Ma, Robert Hickey, Paul Tweedale
  • Patent number: 11483705
    Abstract: In one example method for generating an access stratum key in a communication system, a terminal device acquires an input parameter, where the terminal device is communicably coupled to a first network-side device through a first air interface and at the same time is communicably coupled to a second network-side device through a second air interface. The terminal device has access to a core network via the first network-side device, and has access to the core network via the second network-side device which has access to the core network through the first network-side device. The terminal device calculates an access stratum root key of the second air interface according to the input parameter and an access stratum root key of the first air interface, and generates an access stratum key of the second air interface according to the access stratum root key of the second air interface.
    Type: Grant
    Filed: November 20, 2020
    Date of Patent: October 25, 2022
    Assignee: Huawei Technologies Co., Ltd.
    Inventors: Dongmei Zhang, Jing Chen, Yang Cui
  • Patent number: 11480945
    Abstract: A method for regulating production of an object, the method comprising allocating access rights and a production quota to a user, the production quota to be fulfilled on an authorised production device using an encrypted unique job token embedded or comprised within or derived from the object and associated with the user and production device, receiving a user request to produce the object at the authorised production device, authenticating the user, decrypting the encrypted unique job token using a private key of the user and a private key of the production device, determining whether the production quota for the user related to the object has been met and on the basis of the determination, authorising the user request to produce the object at the authorised production device.
    Type: Grant
    Filed: April 27, 2017
    Date of Patent: October 25, 2022
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Nassir Mohammad, Helen Balinsky
  • Patent number: 11483298
    Abstract: An apparatus for use in a digital messaging system includes a storage device and a processor coupled to the storage device. The storage device stores software instructions for controlling the processor that, when executed by the processor, configure the processor to: generate a first message comprising a payload portion; encrypt the payload portion of the message; derive a first session key from a domain-specific key; and sign the message using the first session key.
    Type: Grant
    Filed: September 4, 2019
    Date of Patent: October 25, 2022
    Assignee: The Toronto-Dominion Bank
    Inventors: Perry Aaron Jones Haldenby, Arthur Carroll Chow, Paul Mon-Wah Chan, John Jong Suk Lee, Linda Tao
  • Patent number: 11483144
    Abstract: Systems, apparatuses, methods, and computer program products are disclosed for session authentication. An example method includes determining, by decoding circuitry, a set of optical path lengths to use for measurement. The example method further includes receiving, by the decoding circuitry, a set of time-bin qubits. The example method further includes measuring, by the decoding circuitry and based on the determined set of optical path lengths, the set of time-bin qubits to generate a set of bits. The example method further includes generating, by session authentication circuitry, a session key based on the generated set of bits.
    Type: Grant
    Filed: July 20, 2020
    Date of Patent: October 25, 2022
    Assignee: Wells Fargo Bank, N.A.
    Inventor: Masoud Vakili
  • Patent number: 11475170
    Abstract: A self-correcting memory system comprising an integrated circuit including memory and memory content authentication functionality, which is operative to compare content to be authenticated to a standard and to output “authentic” if the content to be authenticated equals the standard and “non-authentic” otherwise; and error correction functionality which is operative to apply at least one possible correction to at least one erroneous word entity in said memory, yielding a possibly correct word entity, call said authentication for application to the possibly correct word entity, and if the authentication's output is “authentic”, to replace said erroneous word entity in said memory, with said possibly correct word entity thereby to yield error correction at a level of confidence derived from the level of confidence associated with the authentication.
    Type: Grant
    Filed: May 28, 2019
    Date of Patent: October 18, 2022
    Assignee: NUVOTON TECHNOLOGY CORPORATION
    Inventors: Ziv Hershman, Ilan Margalit
  • Patent number: 11470067
    Abstract: Disclosed are various embodiments for an authentication service. A unique identifier is associated with a device access token for a client to be authenticated. An authentication identifier is sent to an authenticated client. The client to be authenticated communicates the authentication identifier and unique identifier to the authentication service to complete authentication.
    Type: Grant
    Filed: January 5, 2021
    Date of Patent: October 11, 2022
    Assignee: Amazon Technologies, Inc.
    Inventors: Yogesh Vilas Golwalkar, Bharath Kumar Bhimanaik
  • Patent number: 11470061
    Abstract: This disclosure describes systems on a chip (SoCs) that prevent side channel attacks on encryption and decryption engines of an electronic device. The SoCs of this disclosure concurrently operate key-diverse encryption and decryption datapaths to obfuscate the power trace signature exhibited by the device that includes the SoC. An example SoC includes an encryption engine configured to encrypt transmission (Tx) channel data using an encryption key and a decryption engine configured to decrypt encrypted received (Rx) channel data using a decryption key that is different from the encryption key. The SoC also includes a scheduler configured to establish concurrent data availability between the encryption and decryption engines and activate the encryption engine and the decryption engine to cause the encryption engine to encrypt the Tx channel data concurrently with the decryption engine decrypting the encrypted Rx channel data using the decryption key that is different from the encryption key.
    Type: Grant
    Filed: January 22, 2020
    Date of Patent: October 11, 2022
    Assignee: META PLATFORMS TECHNOLOGIES, LLC
    Inventors: Sudhir Satpathy, Wojciech Stefan Powiertowski, Neeraj Upasani
  • Patent number: 11469903
    Abstract: Various methods and systems are provided for autonomous signing management for a key distribution service (“KDS”). In operation, a key request from a KDS client device is received at a KDS server. The key request is associated with a security token of a signing entity caller or verifying entity caller, and a signature descriptor. The signature descriptor supports signing data with an encryption key and verifying a signature with a decryption key. The signing entity caller or the verifying entity caller is authenticated based on the corresponding security token and signature descriptor. The encryption key or the decryption key associated with the key request is generated. The encryption key or the decryption key is generated based on authenticating using the security token and the signature descriptor. The encryption key or the decryption key is communicated to a KDS client device the KDS client to sign data or decrypt a signature.
    Type: Grant
    Filed: February 28, 2019
    Date of Patent: October 11, 2022
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Chetan Shankar, Kahren Tevosyan
  • Patent number: 11469889
    Abstract: A wireless communication network performs quantum authentication for a wireless User Equipment (UE). In the wireless communication network, network quantum circuitry generates and transfers qubits. UE quantum circuitry receives and processes the qubits and determines polarization states for the qubits. The UE quantum circuitry exchanges cryptography information with the network quantum circuitry and generates cryptography keys based on polarization states and cryptography information. The UE quantum circuitry transfers the cryptography keys to UE network circuitry. The network quantum circuitry exchanges the cryptography information with the UE quantum circuitry. The network quantum circuitry generates the cryptography keys based on the polarization states and the cryptography information and transfers the cryptography keys to network authentication circuitry.
    Type: Grant
    Filed: May 20, 2021
    Date of Patent: October 11, 2022
    Assignee: Sprint Communications Company L.P.
    Inventors: Marouane Balmakhtar, Lyle Walter Paczkowski
  • Patent number: 11468177
    Abstract: A system and method that utilize an encryption engine endpoint to encrypt data in a data storage system are disclosed. In the system and method, the client controls the encryption keys utilized to encrypt and decrypt data such that the encryption keys are not stored together with the encrypted data. Therefore, once data is encrypted, neither the host of the data storage system, nor the encryption engine endpoint have access to the encryption keys required to decrypt the data, which increases the security of the encrypted data in the event of, for example, the data storage system being accessed by an unauthorized party.
    Type: Grant
    Filed: December 13, 2019
    Date of Patent: October 11, 2022
    Assignee: Eidetic Communications Inc.
    Inventors: Stephen Bates, Saeed Fouladi Fard
  • Patent number: 11463251
    Abstract: The present invention relates to a method of securely using a first tenant secret key stored under an encrypted form in a first token (TKA) of a first tenant (A) identified by a first tenant identifier (UIDA) and having said first tenant secret key, wherein: each tenant identifier (UIDT) for a tenant (T) comprises a first value and, when said tenant (T) is allowed to use a secret key of a parent tenant (Tp) identified by a parent tenant identifier (UIDTP), said parent tenant identifier, appended before said first value, and said first token (TKA) has been generated from said first tenant identifier (UIDA) and a first tenant secret key encrypted with said first tenant identifier (UIDA) and with a first tenant customer master key (CMKA), said first tenant customer master key (CMKA) having been derived from said first tenant identifier (UIDA) and a secure domain master key (SDMK), said method comprising the following steps performed by a secure device storing said secure domain master key (SDMK), on request of a
    Type: Grant
    Filed: December 14, 2017
    Date of Patent: October 4, 2022
    Assignee: THALES DIS FRANCE SAS
    Inventors: Dominique Lacouture, Patrick Lambert, Daniel Rocha Furtado
  • Patent number: 11461478
    Abstract: A security keys broker residing on a core mobile communication network may manage security keys associated with network-enabled devices, such as Internet-of-Things devices. The security keys broker may authenticate, encrypt, or decrypt communications with the network-enabled devices using the associated security keys. Characteristics of the communications with the network-enabled devices may be determined, and the security keys broker may determine insecure communications based on the characteristics. Responsive to determining that an insecure communication has occurred, the security keys broker may update one or more of the security keys.
    Type: Grant
    Filed: May 5, 2020
    Date of Patent: October 4, 2022
    Assignee: AT&T Mobility II LLC
    Inventor: Arturo Maria
  • Patent number: 11444757
    Abstract: Secure, semi-classical authentication schemes are presented. An authentication token is generated by applying a pre-determined measurement to a plurality of random quantum states to obtain a sequence of classical measurement outcomes. The token is validated by receiving the classical measurement outcomes and verifying whether the sequence corresponds to a statistically plausible result for the pre-determined measurement of the plurality of quantum states.
    Type: Grant
    Filed: September 24, 2020
    Date of Patent: September 13, 2022
    Assignees: Cambridge Quantum Computing Limited
    Inventor: Adrian Kent
  • Patent number: 11444755
    Abstract: A system includes at least one processor and at least one memory communicatively coupled to the at least one processor. The at least one processor is configured to encrypt each secret part of at least one set of secret parts into a corresponding singly-encrypted secret part. The at least one processor is also configured to encrypt each corresponding singly-encrypted secret part into a corresponding doubly-encrypted secret part using a corresponding at least one public key, each public key belonging to a corresponding one of at least one public/private keypair. At least a subset of the secret parts of the at least one set of secret parts are used to reconstruct a secret.
    Type: Grant
    Filed: October 7, 2019
    Date of Patent: September 13, 2022
    Assignee: tZERO IP, LLC
    Inventors: Stephen Christensen, Denny Becker, Tron Black, Michael Calcano, Tyler Perkins
  • Patent number: 11438149
    Abstract: The present disclosure relates to a quantum key distribution (QKD) method based on a tree QKD network. The method includes: judging a position of a parent node of the source node S0 and a position of a parent node of the destination node Sd; if the parent node is a trusted relay node, directly transferring an initial shared key of the source node S0 and the parent node to the destination node Sd according to an exclusive OR (XOR) relay scheme, and ending the process; and if the parent node is an untrusted relay node, emitting, by the source node S0 and the destination node Sd, photons to a measuring-device-independent quantum key distribution (MDI-QKD) receiver of the parent node through a QKD emitter, generating a shared key by an MDI-QKD method, then transmitting the shared key according to the XOR relay scheme, and ending the process.
    Type: Grant
    Filed: September 18, 2020
    Date of Patent: September 6, 2022
    Assignees: State Grid Fujian Electric Power Co., Ltd., State Grid Fujian Fuzhou Electric Power Supply Company, State Grid Info-Telecom Great Power Science and Technology Co., Ltd.
    Inventors: Xi Chen, Lifan Yang, Gonghua Hou, Xinyi Lin, Wei Lin, Yuanzheng Wang, Baoping Zou, Xincheng Huang, Wei Chen, Siyuan Qian, Kai Li, Changgui Huang, Yuepian Ye, Xiao Feng, Jincheng Li, Jiefei Lin, Ruyin Chen
  • Patent number: 11436517
    Abstract: Apparatus and methods are provided for a quantum-tunneling enabled case, or cases, for making a plurality of silicon-based electronic devices quantum-resilient. The case may include a plurality of silicon-based electronic devices. The case may also include a quantum random number generator that generates encryption keys. The keys may be for use in encrypting transmission transmitted from the electronic devices. The communications transmitted from the plurality of silicon-based electronic devices may be routed to the case prior to being transmitted to their intended recipient. The case may encrypt the communications received at the case using random numbers generated by the quantum random number generator. The case may transmit the encrypted communications to their intended recipients.
    Type: Grant
    Filed: August 26, 2019
    Date of Patent: September 6, 2022
    Assignee: Bank of America Corporation
    Inventors: Maria Carolina Barraza Enciso, Elena Kvochko
  • Patent number: 11438156
    Abstract: A method of encrypting and storing a data item; said method comprising: a data encryption step wherein the data item is encrypted to form an encrypted data item; a mathematical disassembly step wherein the encrypted data item is mathematically disassembled into two or more encrypted data item component parts comprising at least a first component part and a second component part; storing at least one of the component parts at a location separate from the others of the component parts.
    Type: Grant
    Filed: August 7, 2019
    Date of Patent: September 6, 2022
    Assignee: Haventec Pty Ltd
    Inventors: Vernon Murdoch, Naveen Neti, John Kelaita
  • Patent number: 11431499
    Abstract: Disclosed herein are a finite-field division operator, an elliptic curve cryptosystem having the finite-field division operator, and a method for operating the elliptic curve cryptosystem. The method for operating an elliptic curve cryptosystem may include setting, by a key setting unit, a length of a key of a cryptographic algorithm, generating, by the key setting unit, first setup information that indicates a number of words corresponding to the key length, and generating, by the key setting unit, second setup information that indicates a number of repetitions of an operation by a finite-field division operator corresponding to the key length.
    Type: Grant
    Filed: December 17, 2019
    Date of Patent: August 30, 2022
    Assignee: Electronics and Telecommunications Research Institute
    Inventors: Sang-Woo Lee, Hyeok-Chan Kwon
  • Patent number: 11431706
    Abstract: A communication control system includes a first communication control device and a second signal processing device. The first communication control device is connected to a client terminal device and a network communication grid. The second communication control device is connected to a server terminal device and the network communication grid.
    Type: Grant
    Filed: August 28, 2018
    Date of Patent: August 30, 2022
    Assignees: Kabushiki Kaisha Toshiba, Toshiba Infrastructure Systems & Solutions Corporation
    Inventors: Yuuki Tomoeda, Kei Sugibuchi, Hiroki Fukuoka
  • Patent number: 11425618
    Abstract: A method applied to processing of access stratum (AS) security for terminal handover from a source cell to a target cell, including obtaining a derivation parameter, deriving a target AS root key based on a source AS root key and derivation parameter, and calculating, based on the target AS root key, an AS security key used in the target cell. The source AS root key is an AS root key used in the source cell, the target AS root key is an AS root key used in the target cell, the derivation parameter is used to derive an AS root key and corresponds to a RAN node or a RAN node group or an area in which the target cell is located, and cells at a same RAN node, RAN node group, or area have a same derivation parameter.
    Type: Grant
    Filed: November 9, 2018
    Date of Patent: August 23, 2022
    Assignee: Huawei Technologies Co., Ltd.
    Inventors: Bo Lin, Jiangwei Ying
  • Patent number: 11425167
    Abstract: An intelligent electronic device (IED) of an electric power distribution system includes processing circuitry and a memory that includes a tangible, non-transitory, computer-readable medium comprising instructions. The instructions, when executed by the processing circuitry, are configured to cause the processing circuitry to receive operating data associated with the electric power distribution system, determine whether the operating data matches with expected operating data, generate a connectivity association key (CAK) based on the operating data in response to a determination that the operating data matches with the expected operating data, and establish a connectivity association based on the CAK.
    Type: Grant
    Filed: March 15, 2021
    Date of Patent: August 23, 2022
    Assignee: Schweitzer Engineering Laboratories, Inc.
    Inventors: Ryan Bradetich, Colin Gordon, Arun Shrestha, Karen S J Wyszczelski, Hidayatullah Ahsan
  • Patent number: 11425108
    Abstract: Blockchain-based service data encryption methods and apparatuses are provided wherein a first derived key is obtained by a node device of a key receiver, the first derived key being distributed by a node device of a key distributor, wherein the first derived key is derived from a derived key of the key distributor based on a service data permission type of the key receiver, and service data is encrypted based on the first derived key to obtain encrypted service data. The encrypted service data is sent to a blockchain, so that the encrypted service data is recorded in a distributed database of the blockchain after the blockchain performs consensus verification on the encrypted service. Because the derived key of the key distributor can decrypt the service data encrypted by the first derived key, the key distributor can decrypt, monitor, and manage service data uploaded by the key receiver.
    Type: Grant
    Filed: August 18, 2021
    Date of Patent: August 23, 2022
    Assignee: Advanced New Technologies Co., Ltd.
    Inventors: Shubo Li, Yixiang Zhang
  • Patent number: 11418330
    Abstract: A quantum communications system includes a communications system that operates with a quantum key distribution (QKD) system, which includes a transmitter node, a receiver node, and a quantum communications channel coupling the transmitter node and receiver node. The transmitter node may be configured to transmit to the receiver node a bit stream of optical pulses, and switch between first and second QKD protocols based upon at least one channel condition.
    Type: Grant
    Filed: October 21, 2019
    Date of Patent: August 16, 2022
    Assignee: EAGLE TECHNOLOGY, LLC
    Inventors: Victor G. Bucklew, James A. Nagel, Michael R. Lange
  • Patent number: 11418331
    Abstract: Techniques are provided to import a cryptographic key into a key vault in which an application programming interface for the key vault does not support importing existing cryptographic keys into the key vault. A key management system obtains a cryptographic key from a first key vault. The cryptographic key includes a key value and attributes which describe the cryptographic key. The key management system imports the cryptographic key into a second key vault by generating a surrogate key in the second key vault which corresponds to the cryptographic key. The surrogate key includes a key attribute having a value which corresponds to the key value of the cryptographic key.
    Type: Grant
    Filed: February 25, 2021
    Date of Patent: August 16, 2022
    Assignee: EMC IP Holding Company LLC
    Inventors: Sridhar Villapakkam, Ajit Bhagwat
  • Patent number: 11403635
    Abstract: A method of making a payment in which payment data is received by a user's terminal from a point-of-sale terminal, a secret of a payment application is received by the terminal from the operator's server system, a trust card is activated in the user's terminal by utilizing said secret of the payment application, and data of the trust card is transmitted from the user's terminal to the point-of-sale terminal for making the payment transaction. A trust card is created in the server system, data of the trust card is transmitted to the terminal to be used for making the payment transaction, the secret of the payment application is formed in the server system, and access to the secret of the payment application is provided to the terminal for activating the trust card for making the payment transaction.
    Type: Grant
    Filed: April 20, 2018
    Date of Patent: August 2, 2022
    Assignee: Unito Oy
    Inventors: Simo Salminen, Tuomo Kajava
  • Patent number: 11405191
    Abstract: Embodiments described herein provide cryptographic techniques to enable a recipient of a signed message containing encrypted data to verify that the signer of the message and the encryptor of the encrypted data are the same party, or at the least, have joint possession of a common set of secret cryptographic material. These techniques can be used to harden an online payment system against interception and resigning of encrypted payment information.
    Type: Grant
    Filed: May 13, 2020
    Date of Patent: August 2, 2022
    Assignee: Apple Inc.
    Inventors: Vishnu Pillai Janardhanan Pillai, Rantao Chen, Gianpaolo Fasoli, Frederic Jacobs, Rupamay Saha, Yannick L. Sierra, Dian Wen, Ka Yang
  • Patent number: 11399280
    Abstract: This application discloses a communications method. The method may include: receiving, by a receiving party, indication information sent by a first device, where the indication information is used to indicate at least one intermediate sequence number; receiving a data packet of the bearer sent by the first device; and skipping the at least one intermediate sequence number based on the indication information, deciphering, by using the old key, a data packet that is located on the bearer and whose sequence number is followed by the at least one intermediate sequence number, and deciphering, by using the new key, a data packet that is located on the bearer and whose sequence number follows the at least one intermediate sequence number.
    Type: Grant
    Filed: November 4, 2019
    Date of Patent: July 26, 2022
    Assignee: Huawei Technologies Co., Ltd.
    Inventors: Hongping Zhang, Le Yan, Li Zhao
  • Patent number: 11399027
    Abstract: In a network system for wireless communication an enrollee accesses the network via a configurator. The enrollee acquires a data pattern that represents a network public key via an out-of-band channel by a sensor. The enrollee derives a first shared key based on the network public key and the first enrollee private key, and encodes a second enrollee public key using the first shared key, and generates a network access request. The configurator also derives the first shared key, and verifies whether the encoded second enrollee public key was encoded by the first shared key, and, if so, generates security data and cryptographically protects data using a second shared key, and generates a network access message. The enrollee processor also derives the second shared key and verifies whether the data was cryptographically protected and, if so, engages the secure communication based on the second enrollee private key and the security data.
    Type: Grant
    Filed: November 12, 2020
    Date of Patent: July 26, 2022
    Assignee: Koninklijke Philips N.V.
    Inventor: Johannes Arnoldus Cornelis Bernsen
  • Patent number: 11394525
    Abstract: Secure computation of a random number sequence in a cryptographic device. The computation is secured by receiving a homomorphic ciphertext seed vector, selecting an initial internal state from the seed vector, the initial internal state composed of a subset of elements of the seed vector, updating an internal state from a previous internal state using multivariate functions accepting elements of the previous internal state as inputs to produce a homomorphic ciphertext from homomorphic ciphertext input values, generating an intermediate result vector of homomorphic ciphertexts from the homomorphic ciphertext internal state multivariate functions accepting the elements of the internal state as inputs to produce a homomorphic ciphertext from homomorphic ciphertext input values, and decrypting the intermediate result vector elements into plaintext vector elements, thereby producing a plaintext deterministic random sequence vector corresponding to plaintext seed elements used to produce the seed vector.
    Type: Grant
    Filed: November 30, 2018
    Date of Patent: July 19, 2022
    Assignee: THALES DIS FRANCE SA
    Inventors: Mariya Georgieva, Aline Gouget
  • Patent number: 11392880
    Abstract: Embodiments of the present invention are directed to methods, apparatuses, computer readable media and systems for obtaining authorization for a plurality of split shipments associated with a single order. In particular, embodiments of the present invention allow a merchant to submit a separate split shipment authorization request for each of the plurality of split shipments. The split shipments authorization requests are linked to the original order using verifiable linking data. The linking data may be extracted from a previous (e.g., initial) split shipment authorization request and/or a previous (e.g., initial) split shipment authorization request. The linking data may be validated by an authorizing entity (e.g., a payment processing network computer or an issuer computer) to ensure validity of a split shipment authorization request. Additionally, the split shipment authorization requests may be validated using one or more predefined split shipment rules.
    Type: Grant
    Filed: June 1, 2020
    Date of Patent: July 19, 2022
    Assignee: Visa International Service Association
    Inventors: John Sheets, Glenn Powell
  • Patent number: 11392350
    Abstract: Embodiments comprise construction of a collection of pseudorandom number generators (PRNGs), with either a known or unknown cardinality, using unique brine values that comprise a salt value for the collection and also different index values for each PRNG for the collection. The additive parameters of such PRNGs are based on the respective brine values of the PRNGs, thereby ensuring that the PRNGs in the collection have different state cycles. Embodiments make it likely that PRNGs from different collections have distinct additive parameters by choosing a pseudorandom salt value for each collection. According to embodiments, a stream of generators in a collection is created by a spliterator that carries a salt value for the collection and combines the salt value with index values for the generators to produce brined additive parameters for the PRNGs in the stream. According to embodiments, such a stream may be executed by multiple threads in parallel.
    Type: Grant
    Filed: August 22, 2019
    Date of Patent: July 19, 2022
    Assignee: ORACLE INTERNATIONAL CORPORATION
    Inventor: Guy L. Steele, Jr.
  • Patent number: 11386019
    Abstract: The present invention discloses a data secure method, applied to a storage device, and performed by a controller of the storage device. The data secure method comprises: receiving a buffer clear command from an external processing unit, wherein the buffer clear command indicates that a first secure area corresponding to a first physical address range of a buffer memory of the storage device is required to be cleared, and a first secure key corresponds to the first secure area for accessing the first secure area; and in response to the buffer clear command, configuring a secure unit of the storage device to cause the secure unit to use one or more second keys different from the first secure key when accessing the first physical address range.
    Type: Grant
    Filed: April 6, 2021
    Date of Patent: July 12, 2022
    Assignee: MEDIATEK INC.
    Inventors: Yu-Tien Chang, Ching-Ming Chen, Wei-Hsun Lin, Lin-Ming Hsu, Tsung-Wei Hung
  • Patent number: 11381397
    Abstract: A first communicator of a first communication device is configured to use a first wireless channel and execute first key-exchange processing at a timing at which a first key-exchange timer expires. A second communicator of the first communication device is configured to use a second wireless channel and execute second key-exchange processing at a timing at which a second key-exchange timer expires. When streaming data are transmitted by using one wireless channel of the first wireless channel and the second wireless channel and a difference between a first key-exchange timer value and a second key-exchange timer value is greater than a predetermined range, a control circuit is configured to change a wireless channel used for transmission to the other wireless channel before key-exchange processing in the one wireless channel is started.
    Type: Grant
    Filed: January 19, 2021
    Date of Patent: July 5, 2022
    Assignee: OLYMPUS CORPORATION
    Inventors: Shinya Kawasaki, Kiyoshi Toyoda