Key Distribution Patents (Class 380/278)
  • Patent number: 10237068
    Abstract: A system and methods are provided for verifying proof of transit of network traffic through a plurality of network nodes in a network. Information is obtained about a packet at a network node in a network. The information may include in-band metadata of the packet. Verification information is read from in-band metadata of the packet. Updated verification information is generated from the verification information read from the packet and based on configuration information associated with the network node. The updated verification information is written back to the in-band metadata in the packet. The packet is forwarded from the network node in the network.
    Type: Grant
    Filed: January 11, 2016
    Date of Patent: March 19, 2019
    Assignee: Cisco Technology, Inc.
    Inventors: Venkata Krishna Sashank Dara, Shwetha Subray Bhandari, Andrew Yourtchenko, Eric Vyncke, Frank Brockners
  • Patent number: 10230532
    Abstract: There is provided an entity authentication method for a network including a first entity and a second entity, the method including: selecting, at the first entity, one or more pieces of data processed by the first entity to be used for authenticating the second entity; tagging, at the first entity, each of the one or more pieces of data selected with a respective tag generated based on a first secret key of the first entity; sending, from the first entity, a set of authentication data comprising the one or more pieces of data and the respective tags to the second entity; and authenticating, by the first entity, the second entity using a challenge-response authentication technique based on the set of authentication data and the first secret key. There is also provided a corresponding system with entity authentication for a network, and an entity in a network with entity authentication.
    Type: Grant
    Filed: December 12, 2014
    Date of Patent: March 12, 2019
    Assignee: Agency for Science, Technology and Research
    Inventors: Aldar Chun Fai Chan, Jun Wen Wong, Jianying Zhou, Joseph Chee Ming Teo
  • Patent number: 10219152
    Abstract: A method of establishing a group trust relationship in an Internet of Things (IoT) system using a first IoT device within a group of IoT devices is provided. The method includes generating, by the first IoT device, a first set of keys corresponding to the first IoT device, deriving, by the first IoT device, a group set of keys corresponding to the group of IoT devices, and discarding the first set of keys and storing the group set of keys after the first IoT device transmits data toward a base station and goes idle, wherein the group set of keys is used by each IoT device within the group of IoT devices for subsequent transmissions of data to the base station.
    Type: Grant
    Filed: September 13, 2016
    Date of Patent: February 26, 2019
    Assignee: Futurewei Technologies, Inc.
    Inventors: Ahmad Shawky Muhanna, Mazin Al-Shalash, Jiangsheng Wang
  • Patent number: 10205507
    Abstract: In an aspect, the present disclosure relates to a relay node (RN) operatively coupled with user equipment (UE), wherein the RN is configured to create one or more tunnels to enable transmission of data messages and control messages from the UE directly to a packet data network gateway (PGW). The present disclosure relates to methods and systems for tunneling user equipment (UE) traffic by creating one or more tunnels between a relay node (RN) and packet data network gateway (PGW) to prioritize control messages over data messages, wherein the one or more tunnels are created when the UE gets attached to the relay node (RN). Further, tunneling of the one or more control/non-access stratum (NAS) messages to the PGW can be performed over one of the higher priority tunnels such that when the NAS messages are received at the PGW or HGW, they can be forwarded to a mobility management entity (MME).
    Type: Grant
    Filed: August 26, 2016
    Date of Patent: February 12, 2019
    Assignee: Tejas Networks, Ltd.
    Inventor: Vinod Kumar Madaiah
  • Patent number: 10193637
    Abstract: A method for determining a network configuration for the delivery of entangled photons individually to a plurality of users, the network comprising a plurality of inputs, switches, and outputs operatively connected by optical fibers; the plurality of switches being switchable between two states; the method comprising: determining the minimum number of switches necessary to deliver entangled photon pairs from a predetermined number of sources to a predetermined number of users, minimizing the loss experienced by an entangled photon passing through the switches by minimizing the number of switches that any one photon passes through by selecting only nondominated switch configurations; determining the minimum number of equivalent network switch configurations and eliminating all but one of the equivalent network switch configurations; and selecting an optimum network configuration by which the plurality of inputs and the plurality of outputs are operatively interconnected using a minimum number of switches in
    Type: Grant
    Filed: January 19, 2016
    Date of Patent: January 29, 2019
    Assignee: The United States of America as represented by the Secretary of the Army
    Inventors: Robert J. Drost, Michael Brodsky
  • Patent number: 10187203
    Abstract: A system for secure storage of data includes a key database and a processor. The processor is configured to receive a request associated with securely storing data and encrypt the tenant service key using a tenant master key. The data is encrypted using the tenant service key. The processor is further configured to encrypt the tenant master key using a customer key and store encrypted tenant service key and encrypted tenant master key in the key database.
    Type: Grant
    Filed: August 30, 2016
    Date of Patent: January 22, 2019
    Assignee: Workday, Inc.
    Inventors: Bjorn Hamel, Jonathan David Ruggiero
  • Patent number: 10177908
    Abstract: A system for secure retrieval of stored data includes an encrypted key database and a processor. The encrypted key database is configured to store an encrypted tenant service key and an encrypted tenant master key. The processor is configured to request decryption of the encrypted tenant master key into an unencrypted tenant master key. The decryption of the encrypted master key is approved by a key release system. The processor is further configured to decrypt the encrypted tenant service key using the unencrypted tenant master key into an unencrypted tenant service key and authorize a response to a request using the unencrypted tenant service key.
    Type: Grant
    Filed: August 30, 2016
    Date of Patent: January 8, 2019
    Assignee: Workday, Inc.
    Inventors: Bjorn Hamel, Jonathan David Ruggiero
  • Patent number: 10154411
    Abstract: A machine implemented method of authenticating a communication channel between a first device and a second device by providing proof of proximity between both devices, the method comprising: generating, at the first device, an acoustic authentication signal to be received at the second device via a solid body acoustic coupling established between the first device and the second device thereby providing proof of proximity between both devices and so authenticating the communication channel between the first device and the second device.
    Type: Grant
    Filed: March 2, 2017
    Date of Patent: December 11, 2018
    Assignee: ARM IP Limited
    Inventors: Brendan James Moran, Milosch Meriac, Geraint David Luff
  • Patent number: 10148626
    Abstract: The invention relates to a method for enabling the user of at least one mobile terminal to access one or more of a plurality of services corresponding to a published tag by receiving published tag data and user identification data corresponding to a user who scanned the published tag and determining whether the services corresponding to the published tag data are available for users. A unique key is generated for the user, which may be provided to the user's mobile device and is indicative of the scanned published tag. The user may then present the unique key at a user terminal to obtain access to the one or more services. Moreover, because each unique key is specific to a user and/or a mobile device, a centralized secure management entity may log usage statistics of the published tags for later reference by the user.
    Type: Grant
    Filed: December 10, 2015
    Date of Patent: December 4, 2018
    Assignee: Pacific Dolphin Holdings LLC
    Inventor: T. Bradley M. Goad
  • Patent number: 10146937
    Abstract: A method for a logic circuit including a plurality of components and channels which are each assigned functional properties in a circuit model to simulate how the logic circuit functions, where the circuit model, in a section of the method, is expanded by mechanisms for security analysis, and where in a further section of the method, the following method steps are implemented via a simulation unit, i.e., check whether the security property of the respective component and/or the respective channel corresponds to the security requirement of the security-relevant data and generate a security risk report if it does not correspond thereto, apply a modeled attack to a component and/or to a channel, and determine a vulnerability of the security property of the respective component and/or of the respective channel to the applied attack, and if there is vulnerability of the security property, generate an attack report.
    Type: Grant
    Filed: August 26, 2016
    Date of Patent: December 4, 2018
    Assignee: Siemens Aktiengesellschaft
    Inventors: Bernhard Fischer, Martin Matschnig, Herbert Taucher
  • Patent number: 10148736
    Abstract: A client may submit a job to a service provider that processes a large data set and that employs a message passing interface (MPI) to coordinate the collective execution of the job on multiple compute nodes. The framework may create a MapReduce cluster (e.g., within a VPC) and may generate a single key pair for the cluster, which may be downloaded by nodes in the cluster and used to establish secure node-to-node communication channels for MPI messaging. A single node may be assigned as a mapper process and may launch the MPI job, which may fork its commands to other nodes in the cluster (e.g., nodes identified in a hostfile associated with the MPI job), according to the MPI interface. A rankfile may be used to synchronize the MPI job and another MPI process used to download portions of the data set to respective nodes in the cluster.
    Type: Grant
    Filed: May 19, 2014
    Date of Patent: December 4, 2018
    Assignee: Amazon Technologies, Inc.
    Inventors: Tin-Yu Lee, Rejith George Joseph, Scott Michael Le Grand, Saurabh Dileep Baji, Peter Sirota
  • Patent number: 10148644
    Abstract: An information processing apparatus capable of receiving an authentication request in accordance with a protocol of a plurality of protocols and a method of controlling the same are provided. The information processing apparatus stores a user identifier and a password for each user and a calculation method for each protocol, and when the apparatus receives an authentication request including authentication data from a remote computer in accordance with a protocol of the plurality of protocols, the apparatus obtains the stored password corresponding to the authentication data which is included in the authentication request, obtains the stored calculation method corresponding to the protocol, converts the obtained password into a hash in accordance with the obtained calculation method, and verifies the authentication data with the hash.
    Type: Grant
    Filed: August 28, 2014
    Date of Patent: December 4, 2018
    Assignee: Canon Kabushiki Kaisha
    Inventor: Yasuhiro Hosoda
  • Patent number: 10123059
    Abstract: One embodiment of the present invention sets forth a technique for deferring license retrieval when streaming digital media content. The perceived delay between the time a user selects the protected digital media content to when playback of the protected digital media content begins is reduced because retrieval and playback of an unprotected version of a portion of the digital media content starts before the license and protected version of the digital media content is received. The unprotected version includes fast start streams of audio and video data that may be encoded at a lower bit rate than the protected version in order to quickly transfer the fast start streams from the content server to the playback device.
    Type: Grant
    Filed: May 8, 2017
    Date of Patent: November 6, 2018
    Assignee: NETFLIX, INC.
    Inventor: Neil D. Hunt
  • Patent number: 10123091
    Abstract: A playback management device (3) is provided for use with a receiver (2) for receiving a content signal encoded by a key (Ks) updated in a specified update period and first control information (ECM) obtained by encoding information about the key (Ks) and a playable time (Tpre) for the encoded content signal. The playback management device (3) includes: an interface (31) for collecting the first control information (ECM) from the receiver; a first decoding portion (34) for decoding the first control information (ECM) and thereby restoring the key (Ks) and the playable time (Tpre) for the encoded content signal; and a control portion (35) for determining, according to the playable time (Tpre) for the encoded content signal and the update period (Tud) for the key (Ks), whether to output the key (Ks) to the receiver (2), and outputting the restored key (Ks) to the receiver (2) when determining to output.
    Type: Grant
    Filed: July 31, 2017
    Date of Patent: November 6, 2018
    Assignee: SMART MOBILE BROADCASTING TECHNOLOGY, INC.
    Inventors: Tomoyuki Oya, Toshimi Morizumi, Yuri Seki
  • Patent number: 10116440
    Abstract: A cryptographic key management service receives a request to import a first cryptographic key. In response to the request, the service creates a public cryptographic key and a private cryptographic key. The private cryptographic key is encrypted using a second cryptographic key to create an import key token. The import key token and the public cryptographic key are provided in response to the request. The service receives an encrypted first cryptographic key, which the service decrypts using the private cryptographic key to obtain the first cryptographic key. The service stores the first cryptographic key and enables its use for the performance of cryptographic operations.
    Type: Grant
    Filed: August 17, 2016
    Date of Patent: October 30, 2018
    Assignee: Amazon Technologies, Inc.
    Inventors: Aleksandrs J. Rudzitis, Alexis Lynn Carlough, Gregory Alan Rubin, Matthew John Campagna
  • Patent number: 10110378
    Abstract: Disclosed is a method for stabilizing a quantum cryptography system, which includes: determining whether the quantum cryptography system operates in a stabilized state, on the basis of a bit error rate or a key rate of the quantum cryptography system; and readjusting an arrival time of a gate pulse or a laser operation time so that an arrival time of a single photon for a photon detector is aligned with the arrival time of the gate pulse, when the quantum cryptography system does not operate in a stabilized state. Here, the quantum cryptography system may be a two-way quantum cryptography system.
    Type: Grant
    Filed: June 8, 2016
    Date of Patent: October 23, 2018
    Assignee: Korea Institute of Science and Technology
    Inventors: Sang Wook Han, Sung Wook Moon, Yong-Su Kim, Il Young Kim, Byungkwon Park
  • Patent number: 10061932
    Abstract: Systems and methods for encrypting an unencrypted data set within a file are provided. The disclosed systems and methods can be configured to create a ciphertext object within the existing data structures of a native file format. The systems and methods enable the secure copying of data between multiple applications while displaying a revealed form of the data to a user.
    Type: Grant
    Filed: January 4, 2018
    Date of Patent: August 28, 2018
    Assignee: WindTalker, LLC
    Inventors: Christopher Combs, Michael Lester
  • Patent number: 10057058
    Abstract: According to an embodiment, a quantum-key distribution apparatus includes a quantum-key sharer, a shifter, a corrector, a privacy amplifier, and an estimator. The quantum-key sharer performs photon sharing processing and acquires a photon bit string. The shifter generates a shared bit string by performing shifting processing. The corrector generates a corrected bit string by correcting errors in the shared bit string by performing error correction processing. The privacy amplifier generates an encryption key by performing privacy amplification processing that compresses the corrected bit string. The estimator estimates an encryption-key generation rate based on an output value and a given value at execution phases of respective pieces of processing of the photon sharing processing, the shifting processing, the error correction processing, and the privacy amplification processing.
    Type: Grant
    Filed: January 20, 2016
    Date of Patent: August 21, 2018
    Assignee: KABUSHIKI KAISHA TOSHIBA
    Inventors: Akira Murakami, Yoshimichi Tanizawa
  • Patent number: 10043029
    Abstract: Techniques are disclosed for securing data in a cloud storage. Plaintext files are stored as secured, encrypted files in the cloud. The ciphering scheme employs per-block authenticated encryption and decryption. A unique file-key is used to encrypt each file. The file-key is wrapped by authenticated encryption in a wrapping-key that may be shared between files. A centralized security policy contains policy definitions which determine which files will share the wrapping-key. Wrapping-keys are stored in a KMIP compliant key manager which may be backed by a hardware security module (HSM). File metadata is further protected by a keyed-hash message authentication code (HMAC). A policy engine along with administrative tools enforce the security policy which also remains encrypted in the system.
    Type: Grant
    Filed: November 15, 2017
    Date of Patent: August 7, 2018
    Assignee: ZETTASET, INC.
    Inventor: Eric A. Murray
  • Patent number: 10039001
    Abstract: A method is disclosed comprising receiving identification information on an addressee, to whom an encrypted data object is sent by a transmission device or for whom the encrypted data object is to be provided by the transmission device for retrieval, from the transmission device to a server, associating the identification information with a key for decrypting the encrypted data object by the server, sending the key for decrypting the encrypted data object to the addressee by the server, or providing by the server the key for decrypting the encrypted data object for retrieval by the addressee.
    Type: Grant
    Filed: January 8, 2015
    Date of Patent: July 31, 2018
    Assignee: KOBIL Systems GmbH
    Inventors: Ismet Koyun, Markus Ruppert
  • Patent number: 10028136
    Abstract: A negotiation processing method for a security algorithm, a control network element, and a control system where the negotiation processing method for a security algorithm includes selecting, by a control network element according to a security capability of first user equipment (UE) and a security capability of second UE, a security algorithm supported by both the first UE and the second UE, and notifying, by the control network element, the selected security algorithm to the first UE and the second UE, and hence, negotiation of a security algorithm between two UEs in proximity communication can be implemented under the control of a control network element.
    Type: Grant
    Filed: April 29, 2016
    Date of Patent: July 17, 2018
    Assignee: HUAWEI TECHNOLOGIES CO., LTD.
    Inventors: Bo Zhang, Chengdong He, Lu Gan
  • Patent number: 10015675
    Abstract: A method for detecting a fraudulent attempt to activate a new PIN, SIM Card or mobile device includes monitoring, at a first processing node associated with a network interconnecting a first network point and a second network point, a mirrored live-data flow of a live data flow passing through the first processing node in a non-intrusive manner that does not affect the first live-data flow passing through the first processing node. The live-data flow comprises data that is in active transmission between the first network point and the second network point and prior to storage of the data in a database. The first processing node detects that a transaction within the monitored live-data flow relates to an activation of the new PIN, SIM card or mobile device and compares the detected transaction to a list of known fraud situations stored in the first processing node to determine if the detected transaction relates to a known fraud situation.
    Type: Grant
    Filed: October 13, 2017
    Date of Patent: July 3, 2018
    Assignee: Network Kinetix, LLC
    Inventors: Carissa Richards, Peter Richards, Hariharan Ramachandran
  • Patent number: 10015146
    Abstract: A system(s) and method(s) for secure session establishment and secure encrypted exchange of data is disclosed. The system satisfies authentication requirement of general networking/communication systems. It provides an easy integration with systems already using schemes like DTLS-PSK. The system follows a cross layer approach in which session establishment is performed in a lightweight higher layer like the application layer. The system then passes resultant parameters of such session establishment including the session keys to a lower layer. The lower layer like the transport layer is then used by the system to perform channel encryption to allow exchange of encrypted data based on a cross layer approach, over a secure session. As the exchange of data becomes the responsibility of the lower layer like the transport layer, the data is protected from replay attacks since the transport layer record encryption mechanism provides that kind of protection.
    Type: Grant
    Filed: October 20, 2015
    Date of Patent: July 3, 2018
    Assignee: TATA CONSULTANCY SERVICES LTD.
    Inventors: Abhijan Bhattacharyya, Tulika Bose, Soma Bandyopadhyay, Arjit Ukil, Arpan Pal
  • Patent number: 10009326
    Abstract: In the communications system, a user equipment UE accesses a core network via a first network-side device by using a first air interface and connects to the first network-side device via a second network-side device by using a second air interface to access the core network. The method includes: acquiring, by the network-side device, an input parameter; calculating, by the network-side device, an access stratum root key KeNB* according to the input parameter and an access stratum root key KeNB on the first air interface, or using, by the network-side device, the KeNB as the KeNB*; and generating, by the second network-side device, an access stratum key on the second air interface according to the KeNB*, or sending, by the first network-side device, the KeNB* to the second network-side device.
    Type: Grant
    Filed: July 7, 2017
    Date of Patent: June 26, 2018
    Assignee: HUAWEI TECHNOLOGIES CO., LTD.
    Inventors: Dongmei Zhang, Jing Chen, Yang Cui
  • Patent number: 10007797
    Abstract: In one embodiment, a system and associated processes for transparent client-side cryptography are provided. In this system, some or all of a user's private data can be encrypted at a client device operated by the user. The client can transmit the encrypted user data to a content site that hosts a network application, such as a social networking application, financial application, or the like. The content site can store the private data in its encrypted form instead of the actual private data. When the content site receives a request for the private data from the user or optionally from other users (such as social networking friends), the server can send the encrypted user data to a client associated with the requesting user. This client, if operated by an authorized user, can decrypt the private data and present it to the authorized user.
    Type: Grant
    Filed: July 24, 2015
    Date of Patent: June 26, 2018
    Assignee: Amazon Technologies, Inc.
    Inventor: Kevin C. Miller
  • Patent number: 10009761
    Abstract: A method, comprising: receiving an encrypted segment of media data with an encrypted segment key over a unidirectional over-the-air (OTA) broadcast channel; providing an attestation request to an authenticator; receiving an attestation response from the authenticator based on an interaction with hardware to authenticate a user; decrypting, after receiving the attestation response, the encrypted segment of media data using a segment key to generate a decrypted segment of media data, wherein the segment key is based on the encrypted segment key.
    Type: Grant
    Filed: June 29, 2015
    Date of Patent: June 26, 2018
    Assignee: QUALCOMM Incorporated
    Inventor: Giridhar Dhati Mandyam
  • Patent number: 10003966
    Abstract: A key configuration method includes acquiring, by a first device, a public key of a second device through a secure medium; sending, by the first device, information used for obtaining a shared key to the second device; and obtaining, by the second device, a shared key using a private key of the second device and the information that is used for obtaining a shared key. The first device obtains the shared key using the information used for obtaining a shared key or using a private key of the first device. The present disclosure ensures that the public key of the second device reaches the first device and prevents an attacker from masquerading as the second device to establish a secure connection with the first device, so that the attacker cannot listen to a message between the first device and the second device.
    Type: Grant
    Filed: April 27, 2016
    Date of Patent: June 19, 2018
    Assignee: HUAWEI DEVICE (DONGGUAN) CO., LTD.
    Inventors: Gaokun Pang, Zhiming Ding, Su Lu
  • Patent number: 9996698
    Abstract: A shared networked storage may be separated from a key vault system. A storage request with data to be stored and the storage request with a confidentiality rating may be received. The confidentiality rating may indicate a level of confidentiality the data is associated with. The storage request with the data and the confidentiality rating may be received via a shared networked storage access interface by a security layer. The data to be stored by the key vault system and the confidentiality rating may be encrypted on request of the security layer and into a data container. The shared networked storage may be categorized into Cloud zones. Each Cloud zone may be assigned a trust level. The data container may be stored in one of the Cloud zones of the shared networked storage. The trust level of the one of the Cloud zones may correspond to the confidentiality rating.
    Type: Grant
    Filed: November 23, 2015
    Date of Patent: June 12, 2018
    Assignee: International Business Machines Corporation
    Inventors: Marcus Breuer, Itzhack Goldberg, Thorsten Muehge, Erik Rueger, Matthias Seul
  • Patent number: 9998279
    Abstract: An electronic block cipher device for encrypting or decrypting a message block of digital data comprising a storage unit storing multiple substitution boxes in the form of look-up tables, the multiple substitution boxes together forming a substitution layer of a block cipher, the substitution layer being arranged to take a substitution layer input and transforming it into a substitution layer output, at least one substitution box being arranged to receive as input a combination of at least part of the outputs of more than one further substitution boxes in the same substitution layer, a control unit configured to apply the block cipher to the message block of digital data by applying a sequence of block cipher rounds to the message block, one of the block cipher rounds comprising the substitution layer.
    Type: Grant
    Filed: April 17, 2014
    Date of Patent: June 12, 2018
    Assignee: KONINKLIJKE PHILIPS N.V.
    Inventors: Wilhelmus Petrus Adrianus Johannus Michiels, Paulus Mathias Hubertus Mechtildis Antonius Gorissen
  • Patent number: 9998430
    Abstract: A secure server detects a login from a user originating from a first device. A second user-registered device is sent a message. The second device: translates the message into light-based communication that is captured by a camera of the first device, translates the message back into the original message, and sends the translated message to the secure server. The secure server authenticates the message and sends an indication to the first device that the second device is permitted to access the first device. In an embodiment, information passed between the first and second devices continues using light-based communications.
    Type: Grant
    Filed: April 17, 2015
    Date of Patent: June 12, 2018
    Assignee: NetIQ Corporation
    Inventors: Lloyd Leon Burch, Baha Masoud
  • Patent number: 9978192
    Abstract: A method of providing an electronically generated key includes the steps of generating an account for a resident; allowing the resident to access a software application; receiving a request from the resident for an electronic pass; and generating the electronic pass. The method further includes the steps of electronically detecting the electronic pass at a reader; determining whether the electronic pass is valid; and activating a relay if the electronic pass is valid. A device for receiving the request and for activating the relay is also provided.
    Type: Grant
    Filed: July 11, 2017
    Date of Patent: May 22, 2018
    Assignee: Guestof, LLC
    Inventors: Matthew Coggins Nicosia, Andrew Otto
  • Patent number: 9971907
    Abstract: Provided is a process of operating a zero-knowledge encrypted database, the process including: obtaining a request for data in a database stored by an untrusted computing system, wherein the database is stored in a graph that includes a plurality of connected nodes, each of the nodes including: an identifier, accessible to the untrusted computing system, that distinguishes the respective node from other nodes in the graph; and an encrypted collection of data stored in encrypted form, wherein: the untrusted computing system does not have access to an encryption key to decrypt the collections of data, the encrypted collections of data in at least some of the plurality of nodes each include a plurality of keys indicating subsets of records in the database accessible via other nodes in the graph and corresponding pointers to identifiers of the other nodes.
    Type: Grant
    Filed: November 8, 2016
    Date of Patent: May 15, 2018
    Assignee: ZeroDB, Inc.
    Inventors: Mikhail Egorov, MacLane Scott Wilkison, Mohammad Ali Khan
  • Patent number: 9973496
    Abstract: Methods are provided for using a hardware module connectable to multiple computer systems, where the multiple computer systems are connectable to a server within a common network. The method includes: providing a network address of the server in persistent memory of the hardware security module; providing an encrypted secret entity in the persistent memory of the hardware security module; providing a private key in the persistent memory of the hardware security module; and based on the hardware security module being connectable to one of the computer systems, the method includes: establishing a secure connection between the hardware security module and the server; retrieving, via the secure connection, a wrapping key from the server and storing it in volatile memory of the hardware security module; and decrypting the encrypted secret entity with the wrapping key and storing the decrypted secret entity in the volatile memory of the hardware security module.
    Type: Grant
    Filed: October 6, 2015
    Date of Patent: May 15, 2018
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Volker M. M. Boenisch, Reinhard Buendgen, Franziska Geisert, Jakob C. Lang, Mareike Lattermann, Angel Nunez-Mencias
  • Patent number: 9967225
    Abstract: A method for connecting a seeker group member to one or more target entities through a network server is provided. The method includes the following steps: (a) receiving a requirement from the seeker group member, (b) obtaining a group associated with the seeker group member, (c) obtaining a list of group members associated with the group, (d) querying contacts of the group members based on the requirement to obtain one or more matching target entities, (e) identifying one or more connected members who are already connected to the one or more matching target entities, (f) communicating a search result to each of the one or more connected members, (g) receiving a response selected from an acceptance or a rejection, (h) communicating referrals from the one or more connected members to the seeker group member, and (i) communicating introductory messages for connecting the matching target entities and the seeker group member through the connected members.
    Type: Grant
    Filed: April 21, 2016
    Date of Patent: May 8, 2018
    Assignee: HACHI LABS, INC.
    Inventor: Rachna Singh
  • Patent number: 9959576
    Abstract: Embodiments of the invention relate to systems and methods for provisioning and using a multi-purpose device. The device contains information regarding a plurality of memberships. The device contains one or more membership certificate chains, comprising multiple certificates, wherein a membership provider certificate is signed by a private key associated with a membership root certificate authority, and wherein a member certificate is signed by a private key associated with the membership provider certificate. The member certificate includes member attributes regarding the user, such as member benefit information. The device also includes a payment certificate chain, comprising multiple certificates, wherein a payment provider certificate is signed by a private key associated with a payment root certificate authority, and wherein a payment certificate is signed by a private key associated with the payment provider certificate.
    Type: Grant
    Filed: December 6, 2012
    Date of Patent: May 1, 2018
    Assignee: VISA INTERNATIONAL SERVICE ASSOCIATION
    Inventor: Simon Hurry
  • Patent number: 9961055
    Abstract: A client negotiates multiple cryptographic keys with a server. One of the cryptographic keys is used to encrypt communications that the server can decrypt. Another of the cryptographic keys is used to encrypt communications that, while sent to the server, are not decryptable to the server. The server is configured to forward communications that it is unable to decrypt to another computer system having an ability to decrypt the communications.
    Type: Grant
    Filed: December 18, 2014
    Date of Patent: May 1, 2018
    Assignee: AMAZON TECHNOLOGIES, INC.
    Inventors: Jesper Mikael Johansson, Darren Ernest Canavor, Jon Arron McClintock, Gregory Branchek Roth, Gregory Alan Rubin, Nima Sharifi Mehr
  • Patent number: 9954828
    Abstract: A system for protecting data stored in the cloud includes a computing device that generates a plaintext encryption key and encrypts the plaintext encryption key using a credential of a customer that uses a cloud application. The computing device encrypts plaintext data using the encryption key and forwards the encrypted data to a cloud computer system that hosts the cloud application. The plaintext data can be received from a cloud application client that runs in the computing device or from another computing device that hosts the cloud application client. The encrypted encryption key can be stored in and retrieved from a key server.
    Type: Grant
    Filed: March 15, 2016
    Date of Patent: April 24, 2018
    Assignee: Trend Micro Incorporated
    Inventors: Bharath Kumar Chandrasekhar, Shuang Ji
  • Patent number: 9954623
    Abstract: Provided are methods and systems for controlling a phase characteristic of entangled photon pairs. The phase characteristic may be a relative phase difference between photons of the entangled photon pair. Also provided are methods and systems for stabilizing distributed interferometers used in quantum communication systems.
    Type: Grant
    Filed: December 4, 2015
    Date of Patent: April 24, 2018
    Assignee: Vencore Labs, Inc.
    Inventors: James M. Dailey, Anjali Agarwal, Paul Toliver, Nicholas Peters
  • Patent number: 9948628
    Abstract: A method and apparatus are provided. Information associated with a lawful interception of communication data of a user equipment is received. Security information associated with the communication data of the user equipment is provided in response to the received information. The security information is based on a first secret which is shared between a communication network provider and the user equipment.
    Type: Grant
    Filed: February 7, 2013
    Date of Patent: April 17, 2018
    Assignee: Nokia Technologies Oy
    Inventors: Silke Holtmanns, Gabor Ungvari
  • Patent number: 9948455
    Abstract: A method of adding a new device (221) to a device group (210), the device group (210, 220) including a plurality of devices, wherein each device in the device group possesses a device group key and device keys of all other devices in the device group for encryption of messages, except its own device key. The method includes: establishing a secure connection between the new device (221) and a first device (211) in the device group (210); sending, by the first device (211) in the device group (210), the device group key and device keys of all other devices (212, 213, . . . , 21N) in the device group (210) to the new device (221); distributing, by one of the other devices (212, 213, . . . , 21N) in the device group (210), the device key of the first device (211) in the device group (210) to the new device (221); generating and distributing, by one of the devices (211, 212, 213, . . . , 21N) in the device group (210), a device key of the new device (221) to all other devices (211, 212, 213, . . .
    Type: Grant
    Filed: September 14, 2012
    Date of Patent: April 17, 2018
    Assignee: KONINKLIJKE PHILIPS N.V.
    Inventor: Johannes Arnoldus Cornelis Bernsen
  • Patent number: 9942031
    Abstract: A system for producing a public ring that is fully homomorphically encrypted. The system comprises a processor which generates a first presentation G of a ring, where $G = \langle x, y \mid x^2 = 0,\ y^2 = 0,\ xy + (p+1)yx = 1 \rangle$, where x and y are generators and p is a first private prime number. The system further generates a second presentation H of the ring. H is defined as follows: $H = \langle x, y, t \mid x^2 = 0,\ y^2 = 0,\ t = m_1 yx,\ xy + m_2 yx + t = 1 \rangle$. In addition, $m_1$ and $m_2$ are positive integers and $p + 1 = m_1 + m_2$, wherein t is a generator and the first presentation G and the second presentation H are isomorphic. The system further produces a public ring $\hat{H}$ that is fully homomorphically encrypted, where: $\hat{H} = \langle x, y, t \mid N \cdot 1 = 1,\ x^2 = 1,\ y^2 = 0,\ xyx = x,\ yxy = y,\ tx = 0,\ yt = 0,\ t^2 = t + m_2^2 - m_2 m_1 \cdot tyx \rangle$, $N = pq$ and further, q is a second private prime number, and the public ring $\hat{H}$ is publicly available. A corresponding method is also disclosed.
    Type: Grant
    Filed: August 25, 2015
    Date of Patent: April 10, 2018
    Assignee: Research Foundation of the City University of New York
    Inventors: Delaram Kahrobaei, Ha T. Lam, Vladimir Shpilrain
  • Patent number: 9935721
    Abstract: The present invention provides an optical communication method and an optical communication system in which eavesdropping is more difficult than in conventional techniques. An optical communication system in one embodiment of the present invention comprises: a photon pair generator which generates a correlated photon pair; a polarizer which is provided on an optical path of one photon of the correlated photon pair and direction of which is changeable based on information to be transmitted; a shutter which is provided between the photon pair generator and the polarizer on the optical path of the one photon of the correlated photon pair and which is capable of blocking the one photon of the correlated photon pair; and a photon detector which is provided on an optical path of another photon of the correlated photon pair.
    Type: Grant
    Filed: December 29, 2016
    Date of Patent: April 3, 2018
    Assignee: FURUKAWA ELECTRIC CO., LTD.
    Inventor: Masahito Morimoto
  • Patent number: 9934407
    Abstract: Shown and depicted is preventing sensitive information from being exfiltrated from an organization using hypervisors. A Data Loss Prevention system is composed using virtual machines or domains to segment memory between domains which are assumed to be untrusted and domains which are known to be trusted. Sensitive information is cypher text when observed by software in Untrusted Domains, and clear text when observed by software in Trusted Domains. Sensitive information is unencrypted when it is in the address space of a protected process running inside a trusted domain.
    Type: Grant
    Filed: October 16, 2015
    Date of Patent: April 3, 2018
    Inventor: Neil Sikka
  • Patent number: 9930390
    Abstract: Methods, systems, computer-readable media, and apparatuses for providing control word and associated entitlement control message (ECM) functionalities are presented. In some embodiments, a computing device may cache concurrently a first set of control words and a first set of entitlement control messages (ECMs) associated with the first set of control words. The computing device may encrypt a transport stream with a particular control word of the first set of control words. The computing device may insert a particular ECM, of the first set of ECMs, corresponding to the particular control word into the transport stream sent to a device downstream from the computing device. In some embodiments, a computing device may reuse control words and associated ECMs.
    Type: Grant
    Filed: September 19, 2016
    Date of Patent: March 27, 2018
    Assignee: Combined Conditional Access Development & Support, LLC
    Inventors: Madhu Penugonda, Lawrence Tang, Kenneth Miller, Douglas Petty
  • Patent number: 9917692
    Abstract: A key exchange device includes an initial setup unit that generates a verification key that serves as a public key and a signature key based on a discretionary random tape, a session identifier based on a first random tape, and a secret key based on a second random tape; an arithmetic unit that generates an encrypted second random tape by an arithmetic operation of a pseudo-random function having the second random tape and the secret key as variables and an encrypted third random tape by an arithmetic operation of the pseudo-random function having a third random tape and the secret key as variables; a key encapsulation processing unit that generates a key-encapsulated public key and a key-encapsulated secret key based on the encrypted second random tape to transmit the key-encapsulated public key to an other party of key exchange and decrypts a session key using the key-encapsulated public key and a key-encapsulated ciphertext received from the other party of key exchange; and a verification processing unit t
    Type: Grant
    Filed: May 20, 2015
    Date of Patent: March 13, 2018
    Assignee: NEC CORPORATION
    Inventor: Jun Furukawa
  • Patent number: 9916452
    Abstract: A device-local key derivation scheme generates, during a first boot session for an electronic device, a sealing key that is derived at least in part from a device-generated random seed and an internal secret that is unique to the electronic device. After generating the sealing key, access to the internal secret is disabled for a remainder of the first boot session and until a second boot session is initiated. At runtime, the sealing key is used to sign a module manifest that describes the software that is authorized to access the sealing key, and the module manifest containing the sealing key is persisted in non-volatile memory of the electronic device. The module manifest can be used to validate software during a subsequent boot session and to authorize software updates on the electronic device without relying on an external entity or external information to protect on-device secrets.
    Type: Grant
    Filed: May 18, 2016
    Date of Patent: March 13, 2018
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Felix Domke, Ling Tony Chen
  • Patent number: 9911274
    Abstract: A secure distributed gambling system and method is described. The system includes a plurality of mobile computing devices and a plurality of secure gambling microprocessors. Each of the plurality of secure gambling microprocessors is coupled with a different one of the plurality of mobile computing devices to provide a plurality of secure stand-alone gambling platforms. A gambling management system is communicatively coupled with one or more of the plurality of secure stand-alone gambling platforms to maintain gambling integrity.
    Type: Grant
    Filed: July 9, 2014
    Date of Patent: March 6, 2018
    Assignee: Tapcentive, Inc.
    Inventors: Gavin Shenker, David Wentker, Mike Lindelsee, Gabriel Wachob
  • Patent number: 9898478
    Abstract: A distributed, deduplicated storage system according to certain embodiments is arranged in a parallel configuration including multiple deduplication nodes. Deduplicated data is distributed across the deduplication nodes. The deduplication nodes can be networked together and communicate with one another using a light-weight, customized communication scheme (e.g., a scheme based on FTP or HTTP). In some cases, deduplication management information including deduplication signatures and/or other metadata is stored separately from the deduplicated data in deduplication management nodes, improving performance and scalability.
    Type: Grant
    Filed: March 30, 2015
    Date of Patent: February 20, 2018
    Assignee: Commvault Systems, Inc.
    Inventors: Manoj Kumar Vijayan, Rajiv Kottomtharayil, Deepak Raghunath Attarde
  • Patent number: 9883507
    Abstract: In one embodiment, a particular node operates a distributed routing protocol in a shared-media communication network, and distributes timeslot allocations using the routing protocol, where the particular node as a parent node allocates a pool of timeslots available to child nodes of the parent node. The parent node specifically allocates particular timeslots from the pool to particular child nodes according to particular flows from a source to a target in the shared-media communication network in order to meet a defined time budget for a resultant time-synchronized path from the source to the target.
    Type: Grant
    Filed: October 27, 2016
    Date of Patent: January 30, 2018
    Assignee: Cisco Technology, Inc.
    Inventors: Pascal Thubert, Jean-Philippe Vasseur, Patrick Wetterwald
  • Patent number: 9883385
    Abstract: A device that identifies entry into a new service area, transmits a service area update request to a network device associated with a network, receives a control plane message from the network indicating control plane device relocation or a key refresh due to a service area change in response to transmitting the service area update request, and derives a first key based in part on data included in the control plane message and a second key shared between the device and a key management device. Another device that receives a handover command from a network device associated with a network, the handover command indicating a new service area, derives a first key based on data included in the handover command and on a second key shared between the device and a key management device, and sends a handover confirmation message that is secured based on the first key.
    Type: Grant
    Filed: April 1, 2016
    Date of Patent: January 30, 2018
    Assignee: QUALCOMM Incorporated
    Inventors: Soo Bum Lee, Adrian Edward Escott, Gavin Bernard Horn, Anand Palanigounder