Key Distribution Center Patents (Class 380/279)
  • Patent number: 8332923
    Abstract: A media-independent handover key management architecture is disclosed that uses Kerberos for secure key distribution among a server, an authenticator, and a mobile node. In the preferred embodiments, signaling for key distribution is based on re-keying and is decoupled from re-authentication that requires EAP (Extensible Authentication Protocol) and AAA (Authentication, Authorization and Accounting) signaling similar to initial network access authentication. In this framework, the mobile node is able to obtain master session keys required for dynamically establishing the security associations with a set of authenticators without communicating with them before handover. By separating re-key operation from re-authentication, the proposed architecture is more optimized for a proactive mode of operation. It can also be optimized for reactive mode of operation by reversing the key distribution roles between the mobile node and the target access node.
    Type: Grant
    Filed: January 10, 2008
    Date of Patent: December 11, 2012
    Assignees: Toshiba America Research, Inc., Telcordia Technologies, Inc.
    Inventors: Yoshihiro Oba, Subir Das
  • Patent number: 8332638
    Abstract: The present invention provides a method and system for securing sensitive data from unauthorized access or use. The method and system of the present invention is useful in a wide variety of settings, including commercial settings generally available to the public which may be extremely large or small with respect to the number of users. The method and system of the present invention is also useful in a more private setting, such as within a corporation or governmental agency, as well as between corporations, governmental agencies or any other entities.
    Type: Grant
    Filed: February 17, 2012
    Date of Patent: December 11, 2012
    Assignee: Security First Corp.
    Inventors: Rick L. Orsini, John VanZandt, Mark S. O'Hare, Roger S. Davenport
  • Patent number: 8331565
    Abstract: A process for transmitting a message between a first electronic device and a second electronic device of an energy distribution network is described. The process includes generating, by the first electronic device, a first data encryption key identifying the second electronic device on the basis of a main data encryption key and an identification code of the second electronic device. The process further includes generating, by the first electronic device and the second electronic device, a communication key on the basis of said first data encryption key and a reference datum.
    Type: Grant
    Filed: October 13, 2009
    Date of Patent: December 11, 2012
    Assignee: STMicroelectronics S.r.l.
    Inventor: Guido Marco Bertoni
  • Patent number: 8325925
    Abstract: A system for delivering messages to a receiver mobile device and a method and memory storing instructions therefor are described. The system comprises a key server arranged to: transmit a first signal responsive to receipt of a message from a sender mobile device; transmit a delivery confirmation notice responsive to receipt of a second signal from the receiver mobile device; transmit a key to the receiver mobile device responsive to receipt of the second signal from the receiver mobile device; and a message server communicatively coupled with the key server and arranged to: transmit a third signal to the receiver mobile device responsive to receipt of the first signal from the key server; transmit a fourth signal to the sender mobile device responsive to receipt of the delivery confirmation notice from the key server.
    Type: Grant
    Filed: July 10, 2007
    Date of Patent: December 4, 2012
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Antoni Drudis, Paul A. Serra
  • Patent number: 8327147
    Abstract: The present invention relates to electronic receipts. There is provided a method for generating an electronic receipt in a communication system providing a public key infrastructure, the method comprising the steps of receiving by a second party a request message from a first party, the request message comprising a transaction request and a first public key based on a secret owned by the first party and wherein the secret is associated with at least the secret of a further public key of the first party, electronically signing at least part of the request message with a second public key assigned to the second party to issue the electronic receipt, and providing the electronic receipt to the first party.
    Type: Grant
    Filed: August 20, 2009
    Date of Patent: December 4, 2012
    Assignee: International Business Machines Corporation
    Inventors: Elsie van Herrewegen, Jan Camenisch
  • Patent number: 8325928
    Abstract: A countermeasure for differential power analysis attacks on computing devices. The countermeasure includes the definition of a set of split mask values. The split mask values are applied to a key value used in conjunction with a masked table defined with reference to a table mask value. The set of n split mask values are defined by randomly generating n−1 split mask values and defining an nth split mask value by exclusive or'ing the table mask value with the n−1 randomly generated split mask values.
    Type: Grant
    Filed: November 18, 2010
    Date of Patent: December 4, 2012
    Assignee: Research In Motion Limited
    Inventor: Catherine Helen Gebotys
  • Publication number: 20120300939
    Abstract: A key management and node authentication method for a sensor network is disclosed. The method comprises the following steps of: 1) keys pre-distribution: before deploying the network, communication keys for establishing a security connection between nodes are pre-distributed to all of the nodes by a deployment server. 2) Keys establishment: after deploying the network, a pair key for the security connection is established between nodes, which includes the following steps of: 2.1) establishment of shared keys: the pair key is established between neighbor nodes in which shared keys exist; 2.2) path keys establishment: the pair key is established between nodes in which there are no shared keys but there is a multi-hop security connection. 3) Node identity (ID) authentication: before formally communicating between nodes, the identity is authenticated so as to determine the legality and the validity of the identity of the other node.
    Type: Application
    Filed: June 2, 2010
    Publication date: November 29, 2012
    Applicant: CHINA IWNCOMM CO., LTD.
    Inventors: Zhiqiang Du, Jun Cao, Manxia Tie, Zhenhai Huang
  • Publication number: 20120300938
    Abstract: Embodiments of the invention provide systems and methods for authenticating mobile devices. Device identifying information may be received for a mobile device. A base level key may also be communicated to the mobile device. The base level key may be utilized by the mobile device to derive unique transaction specific keys to encrypt subsequent communications output by the mobile device. A communication encrypted with a unique transaction specific key may be received from the mobile device. Based at least in part upon the device identifying information and the base level key, a derived key may be generated, and the derived key may be utilized to decrypt the received communication and authenticate the mobile device. In certain embodiments, the above operations may be performed by one or more computers associated with a service provider.
    Type: Application
    Filed: May 25, 2012
    Publication date: November 29, 2012
    Applicant: First Data Corporation
    Inventors: Brian Kean, Devin Michael Cambridge
  • Patent number: 8321680
    Abstract: Embodiments describe a system and/or method for multiple party digital signatures. According to a first aspect a method comprises establishing a first validity range for a first key, establishing a first validity range for at least a second key, and determining if the validity range of the first key overlaps the first validity range of the at least a second key. A certificate is signed with the first validity range of the first key and the first validity range of the at least a second key if the validity ranges overlap. According to another embodiment, signage of the certificate is refused if the first validity range of the first key does not overlap with the first validity range of the at least a second key.
    Type: Grant
    Filed: December 9, 2010
    Date of Patent: November 27, 2012
    Assignee: QUALCOMM Incorporated
    Inventors: Alexander Gantman, Aram Perez, Gregory G. Rose, Laurence G. Lundblade, Matthew W. Hohfeld, Michael W. Paddon, Oliver Michaelis, Ricardo Jorge Lopez
  • Patent number: 8316221
    Abstract: A method and a system for personalizing electronic elements, by replacing, in a non-volatile memory of each of the electronic elements a first secret key with a second secret key, by a secure authentication module automatically generating the second key after having restored the first one from an identifier of the element being personalized, including conditioning, on the authentication module side, the provision of the second key to a current element to the reception of a message confirming the key replacement of at least one preceding element.
    Type: Grant
    Filed: July 22, 2005
    Date of Patent: November 20, 2012
    Assignee: Proton World International N.V.
    Inventors: Joan Daemen, Thierry Huque, Paul Fontaine
  • Patent number: 8311225
    Abstract: A solution for scalable key archival includes, at a network device, determining whether a key management device that is not part of a current key management device configuration has been newly added to a network. The method also includes, if the key management device has been newly added to the network, determining whether the network device has a first application program interface (API) or device driver for communicating with the key management device. The method also includes, if the network device does not have the first API, obtaining the API. The method also includes creating a binding between a virtual device driver of the network device and the key management device via the first API, the network device having a second API for communications between the virtual device driver and a security processor of the network device. The security processor communicates with the key management device using the second API.
    Type: Grant
    Filed: August 17, 2009
    Date of Patent: November 13, 2012
    Assignee: Brocade Communications Systems, Inc.
    Inventors: Jitendra Kumar Singh, Lyndon Siao, Narada Jared Hess
  • Patent number: 8311216
    Abstract: A packet cipher algorithm based encryption processing device includes a key expand unit and an encryption unit. The key expand unit comprises a key expand unit data registration component and at least one key expand unit data conversion component. The encryption unit comprises an encryption unit data registration component and at least one encryption unit data conversion component; the number of encryption unit data conversion components is the same as that of the key expand unit data conversion components, and they correspond one to one. A sub-key output of each key expand unit data conversion component connects to the corresponding sub-key input of each encryption unit data conversion component, to solve the technical problems that the encryption efficiency of the prior packet cipher algorithm based encryption processing device is low and the cost is high.
    Type: Grant
    Filed: November 13, 2008
    Date of Patent: November 13, 2012
    Assignee: China IWNCOMM Co., Ltd.
    Inventors: Wei Wang, Jun Cao, Xiang Yan
  • Patent number: 8311214
    Abstract: Communication and validation of information transfer from a transmitter to a receiver is achieved by generating a cipher (400) from a message m (410) using parameters of an elliptic curve, a generator point P (406) on the elliptic curve and a public key Q (416) of the receiver. The cipher includes a first element that is the product kP of a random number k (404) with the generator point P and a second element that is the product of m and the x-coordinate of the product kQ. The message m is generated from two mathematically independent representations of the information and, optionally, a random number. The cipher is communicated to the receiver and decoded to recover a message m′ (502). A validation token (500) is generated by the receiver and passed to the transmitter, which validates communication of the information to the receiver if the product mkQ is equal to the validation token.
    Type: Grant
    Filed: April 24, 2006
    Date of Patent: November 13, 2012
    Assignee: Motorola Mobility LLC
    Inventors: Ronald F. Buskey, Barbara B. Frosik, Douglas A. Kuhlman
  • Publication number: 20120281840
    Abstract: A method of facilitating substantially simultaneous receipt of electronic content by a plurality of intended recipients is disclosed. The electronic content is encrypted. The encrypted electronic content is transmitted to the plurality of intended recipients. An acknowledgement packet is received from each of the plurality of intended recipients within a predetermined timeout period. A handicap time is calculated for transmitting a decryption key to each of the intended recipient based on a time associated with the acknowledgement packet last received. Decryption keys are transmitted to the plurality of intended recipients using a delay based on the handicap time, where a decryption key having a smaller handicap time is transmitted prior to a decryption key having a larger handicap time.
    Type: Application
    Filed: May 4, 2012
    Publication date: November 8, 2012
    Inventors: Lawrence C. Rafsky, Robert E. Ungar, Thomas B. Donchez
  • Patent number: 8307410
    Abstract: According to one aspect of the subject matter described herein, a method for registering wireless smart devices for secure offline data transfer is provided. The method includes, for an application configured to execute on a wireless smart device and that requires access to information regarding an account that does not reside on the wireless smart device, registering, at a server having access to the information regarding the account, a first wireless smart device as an account owner device (AOD) for operating in an online mode for obtaining the information regarding the account from the server and for operating in an offline mode for transferring the information regarding the account to at least one additional device via a secure offline data transfer using near field communications (NFC).
    Type: Grant
    Filed: August 12, 2008
    Date of Patent: November 6, 2012
    Assignee: MasterCard International Incorporated
    Inventors: Philippe Martin, Ming-Li Liu, Roshan Vijayshankar, Pradeep Kumar
  • Patent number: 8300831
    Abstract: Provided are a computer program product, system and method for a redundant key server encryption environment. A key server transmits public keys associated with the key server and at least one device to at least one remote key server. The key server receives from the at least one remote key server public keys associated with the at least one remote key server. The key server receives a request for an encryption key from a requesting device comprising one of the at least one device and generates the encryption key for use by the requesting device to unlock a storage. The key server generates a first wrapped encryption key by encrypting the encryption key with a requesting device public key associated with the requesting device. The key server generates a second wrapped encryption key by encrypting the encryption key with a public key associated with the key server.
    Type: Grant
    Filed: April 26, 2010
    Date of Patent: October 30, 2012
    Assignee: International Business Machines Corporation
    Inventors: David Ray Kahler, Anjul Mathur, Richard Anthony Ripberger, Jacob Lee Sheppard, Glen Alan Jaquette
  • Patent number: 8300816
    Abstract: It relates to an information processing unit, a terminal unit, an information processing method, a key generation method and a program that enable reduction of the number of keys to be held by users and aims at providing an information processing unit capable of generating a directed-graph representing an encryption key generation logic to derive a set-key for encrypting a content or a content-key. The technique relates to a scheme that divides a set of user terminals into some subsets, allocates a set-key and an intermediate-key to each subset, and upon input of an intermediate-key correlated with a subset, outputs the set-key corresponding to the subset and the intermediate-key of the subset associated by the directed-edge. Further, it relates to a technique of replacing the directed-edge in the directed-graph with a shorter directed-edge. The effect of reducing the number of intermediate-keys held by each user is expected from the technique.
    Type: Grant
    Filed: October 3, 2007
    Date of Patent: October 30, 2012
    Assignee: Sony Corporation
    Inventors: Tomoyuki Asano, Masafumi Kusakawa
  • Patent number: 8296579
    Abstract: There is provided a system and method for updating a basic input output system (BIOS). An exemplary method comprises obtaining a BIOS update package comprising a BIOS image update, a BIOS Signature, and a plurality of Public Key regions, wherein each Public Key region comprises a Public Key area and a signature area. The exemplary method also comprises updating a current Public Key with a new Public Key if the new Public Key is identified in one of the Public Key regions. The exemplary method additionally comprises validating the BIOS Signature using the current Public Key.
    Type: Grant
    Filed: November 6, 2009
    Date of Patent: October 23, 2012
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Mark A. Piwonka, José A. Sancho-Dominguez
  • Patent number: 8295491
    Abstract: A method for aggregating data in a network, particularly in a wireless sensor network, wherein the network (1) includes a plurality of sensor nodes (Ni) to measure data and at least one sink node (S) at which the data measured by the sensor nodes (Ni) are aggregated, and wherein each sensor node (Ni) encrypts its measured data with a key k and forwards the result towards the sink node (S), is characterized in that, in the context of a key distribution within the network (1), a master key K is chosen, and that the master key K is autonomously split up by the network (1) into individual keys ki to be used by the sensor nodes (Ni) for encrypting measured data, with the sum of all individual keys ki being equal to the master key K.
    Type: Grant
    Filed: April 25, 2007
    Date of Patent: October 23, 2012
    Assignee: NEC Europe Ltd.
    Inventors: Frederik Armknecht, Joao Girao, Dirk Westhoff
  • Patent number: 8295490
    Abstract: Systems, methods, and machine-readable media for providing an encryption key to a user are provided. The system may include a key storage module, an interface module, and an authentication module. The key storage module may be configured to store an encryption key for a user on an encryption key server, wherein the encryption key is used with user data on a data storage server. The interface module may be configured to receive a request for the encryption key from a client machine associated with the user. The authentication module may be configured to authenticate the user, wherein the interface module may further be configured to transmit the encryption key to the client machine in response to authenticating the user.
    Type: Grant
    Filed: January 10, 2012
    Date of Patent: October 23, 2012
    Assignee: Google Inc.
    Inventors: Travis McCoy, Timothy R. Steele, Nicolas Zea
  • Publication number: 20120263303
    Abstract: A group key management approach based on linear geometry is disclosed.
    Type: Application
    Filed: December 24, 2009
    Publication date: October 18, 2012
    Inventors: Shaohua Tang, Jintai Ding, Guangdong Yang, Yujun Liang
  • Patent number: 8290165
    Abstract: A key management system includes secured data stored on a first system secured by a control key stored securely on a key server. The secured data is secured against attacks such as unauthorized use, modification or access, where authorization to access the secured data is determined by knowledge of an access private key of an access key pair. When an authorized user is to access the secured data, the first system generates a request to the key server, signed with the access private key, wherein the request is for a decryption control key and the request includes a one-time public key of a key pair generated by the first system for the request. The first system can decrypt the decryption control key from the response, using a one-time private key. The first system can then decrypt the secured data with the decryption control key remaining secured in transport.
    Type: Grant
    Filed: March 12, 2010
    Date of Patent: October 16, 2012
    Assignee: CA, Inc.
    Inventors: Robert Allen, Robert A. Jerdonek, John Wang, Tom Wu
  • Patent number: 8290163
    Abstract: An approach is provided that allows an administrator to set a new password at a wireless access point, such as a traditional WAP or a wireless router. The wireless access point creates a message that includes the new password. The message is encrypted using the old password that was previously set for the wireless network. The encrypted message is wirelessly transmitted from the wireless access point to the active client devices (those clients currently accessing the wireless network). The clients decrypt the message using the old password that was previously provided to the clients. The clients retrieve the new password from the message. The clients construct a new message that is encrypted using the new password. The new message is wirelessly transmitted from the clients to the wireless access device and serves as an acknowledgement.
    Type: Grant
    Filed: March 15, 2008
    Date of Patent: October 16, 2012
    Assignee: International Business Machines Corporation
    Inventors: David Yu Chang, John Yow-Chun Chang, Vishwanath Venkataramappa
  • Patent number: 8290151
    Abstract: A device for determining an inverse of an initial value related to a modulus, comprising a unit configured to process an iterative algorithm in a plurality of iterations, wherein an iteration includes two modular reductions and has, as an iteration loop result, values obtained by an iteration loop of an extended Euclidean algorithm.
    Type: Grant
    Filed: October 12, 2007
    Date of Patent: October 16, 2012
    Assignee: Infineon Technologies AG
    Inventor: Wieland Fischer
  • Patent number: 8285996
    Abstract: A database management system (1) comprises up to fifty or more workstations (2), each for a user. The environment may, for example, be a hospital and the system manages medical records in a secure manner. Each user has a private key issued by a KGC (5). A database controller (3) updates a secure database (3) with data and associated signatures generated by the user workstations (2). Thus every record of the secure database (3) has a signature to provide full traceability and non-repudiation of data edits/updates. It is important for the system (1) that the signatures are verified on a regular basis, say every hour. Such a task would be extremely processor-intensive if the database (3) is large. However this is performed by a verification processor (4) of the system (1) in a much shorter time than heretofore, t1+n(Δ), where t1 is the time for one verification, n is the number of signatures, and Δ is a time value which is a very small proportion of t1 (less than 1%).
    Type: Grant
    Filed: September 28, 2006
    Date of Patent: October 9, 2012
    Assignee: Dublin City University
    Inventors: Noel McCullagh, Michael Scott, Neil Costigan
  • Patent number: 8284932
    Abstract: This specification describes technologies relating to imparting cryptographic information in network communications.
    Type: Grant
    Filed: November 23, 2011
    Date of Patent: October 9, 2012
    Assignee: Adobe Systems Incorporated
    Inventors: Asa Whillock, Edward Chan, Srinivas Manapragada, Matthew Kaufman, Pritham Shetty, Michael Thornburgh
  • Publication number: 20120250866
    Abstract: A communication apparatus communicates with another communication apparatus by using a first key. The communication apparatus includes a processing unit that conducts a handshake process for a key exchange with the other communication apparatus and a key encryption unit that conducts an encryption process by using a second key. The processing unit conducts a first handshake process with the other communication apparatus without exchanging information on the first key while serving as the reception side of key information. Then, the processing unit conducts a second handshake process with the other communication apparatus to transmit the information on the first key, encrypted by the key encryption unit using the second key, to the other communication apparatus.
    Type: Application
    Filed: March 28, 2012
    Publication date: October 4, 2012
    Applicant: PANASONIC CORPORATION
    Inventor: Masakatsu MATSUO
  • Publication number: 20120250865
    Abstract: There is disclosed a method that includes providing encrypted information to a plurality of receiving devices, and transmitting by one of a multicast and broadcast a release key to the plurality of receiving devices to enable access to the encrypted information, wherein the release key is received at or about the same time by the plurality of receiving devices. The release key may be transmitted and/or received over a multicast or broadcast network. The release key may be transmitted and/or received over a distributed network. The transmission of the release key may be synchronized using a timing mechanism.
    Type: Application
    Filed: March 23, 2012
    Publication date: October 4, 2012
    Applicant: Selerity, Inc
    Inventors: Ryan Marcus Terpstra, Andrew Lee Brook
  • Publication number: 20120239937
    Abstract: According to an embodiment, an information processing device includes a key set generating unit configured to generate a key set including at least a public key and a master key; a secret key generating unit configured to generate different secret keys for each server device accessing the information processing device by using the master key included in the key set; a secret key providing unit configured to provide each of the secret keys generated by the secret key generating unit to a corresponding server device; and a public key providing unit configured to provide the public key to a verification device to make the verification device verify signature information generated by using the secret key in each of the server devices.
    Type: Application
    Filed: January 19, 2012
    Publication date: September 20, 2012
    Applicant: KABUSHIKI KAISHA TOSHIBA
    Inventors: Shinji Yamanaka, Yuichi Komano
  • Patent number: 8270601
    Abstract: A method of generating a public key in a secure digital communication system, having at least one trusted entity CA and subscriber entities A. For each entity A, the trusted entity selects a unique identity distinguishing the entity A. The trusted entity then generates public key reconstruction public data of the entity A by mathematically combining public values obtained from respective private values of the trusted entity and the entity A. The unique identity and public key reconstruction public data of the entity A serve as A's implicit certificate. The trusted entity combines the implicit certificate information with a mathematical function to derive an entity information ƒ and generates a value kA by binding ƒ with private values of the trusted entity. The trusted entity transmits the value kA to the entity to permit A to generate a private key from kA, A's private value and A's implicit certificate.
    Type: Grant
    Filed: November 30, 2009
    Date of Patent: September 18, 2012
    Assignee: Certicom Corp.
    Inventors: Minghua Qu, Scott A. Vanstone
  • Patent number: 8271390
    Abstract: A method, device, and system including a digital rights management (DRM) license manager to protect software applications from unauthorized use. The DRM license manager system binds essential application data to a software license. This binding is achieved by adding an encryption key to a software license and encrypting the application data with that key. The essential application data is any kind of data which is required for proper operation of the program, such as media files, game levels or state tables. The DRM license manager system performs a check and decrypt operation of the essential application data during program run time. It requires that the license is available on the system. It also ensures that the decryption operation can only take place if the conditions defined in the license are met.
    Type: Grant
    Filed: June 14, 2004
    Date of Patent: September 18, 2012
    Assignee: Nokia Corporation
    Inventors: Eckhart Koppen, Timo Vataja, Simo Kivimaki
  • Patent number: 8270612
    Abstract: Systems and techniques for mapping compound keys. In one aspect, a method includes receiving a first compound key, mapping the first compound key to a first surrogate key, mapping the first surrogate key to a second surrogate key, mapping the second surrogate key to a second compound key, and making the second compound key available for data processing activities.
    Type: Grant
    Filed: December 18, 2006
    Date of Patent: September 18, 2012
    Assignee: SAP AG
    Inventors: Karl Fuerst, Florian Kresser, Holger Gockel
  • Patent number: 8270841
    Abstract: The present invention is directed to realize a stable and highly-efficient quantum communication without being influenced by the jitter of the heralding signal. In regard to the quantum encryption transmitting apparatus 200, the pulse-driven heralded single-photon source 201 generates a photon pair, outputs one photon of the photon pair, and outputs the other photon of the photon pair as a heralding signal. The timing adjuster 202 synchronizes the heralding signal with a clock signal for pulse driving the pulse-driven heralded single-photon source 201, and outputs as a trigger signal. The quantum communication modulating unit 203 implements the signal modulation to a quantum signal, in timing with the trigger signal, and transmits the quantum signal to the quantum encryption receiving apparatus 300 via the quantum communication path 101. The heralding signal transmitting unit 205 transmits the heralding signal to the quantum encryption receiving apparatus 300 via the heralding signal communication path 102.
    Type: Grant
    Filed: August 4, 2006
    Date of Patent: September 18, 2012
    Assignees: Mitsubishi Electric Corporation, National University Corporation Hokkaido University
    Inventors: Tsuyoshi Nishioka, Shigeki Takeuchi, Alexandre Soujaeff, Toshio Hasegawa, Junnichi Abe
  • Patent number: 8265279
    Abstract: Provided is a polarization coding quantum cryptography system. The quantum cryptography includes a light source, a quantum channel, an optical path selector, and a path-dependent polarization selector. The light source generates a signal light. The quantum channel is used as a path to transmit the signal light to a receiver unit. The optical path selector is disposed between the light source and the quantum channel to transmit the signal light to one of a plurality of propagation paths. The path-dependent polarization selector is disposed between the optical path selector and the quantum channel. Herein, the path-dependent polarization selector is configured to determine the polarization direction of the signal light according to the propagation path of the signal light.
    Type: Grant
    Filed: July 7, 2009
    Date of Patent: September 11, 2012
    Assignee: Electronics and Telecommunications Research Institute
    Inventors: Chun-Ju Youn, Tae-Gon Noh
  • Publication number: 20120224695
    Abstract: The debugging unit writes a public key of the key issuing server and an initializing program given from outside, to the storage unit. The instruction executing unit reads and executes the initializing program stored in the storage unit. The debug disabling unit disables the debugging unit. The public-key encrypting unit encrypts the random number by the public key in the storage unit, the random number generated by the random number generating unit after the debugging unit is disabled. The transmitting unit transmits the encrypted random number to the key issuing server. The receiving unit receives an individual key encrypted by the random number from the key issuing server. The individual-key writing unit decrypts the encrypted individual key by the random number to obtain the individual key and write the individual key to the storage unit.
    Type: Application
    Filed: September 16, 2011
    Publication date: September 6, 2012
    Applicant: KABUSHIKI KAISHA TOSHIBA
    Inventors: Mikio Hashimoto, Shinji Yamanaka, Yuichi Komano, Taku Kato, Hiroshi Isozaki
  • Publication number: 20120226902
    Abstract: An apparatus for generating a key for access control of content in a distributed environment network is provided. The apparatus includes a first key distributor configured to generate first encrypted keys by encrypting a first key corresponding to a key for write authorization using each public key of members having write authorization among members included in an access control list including information of at least one user and distribute the access control list and information about access authorization and the first encrypted keys to the members having write authorization, and a second key distributor configured to generate second encrypted keys by encrypting a second key corresponding to a key for read authorization using the first key using each public key of members having read authorization among members included in the access control list and distribute the access control list and second encrypted keys to the members having read authorization.
    Type: Application
    Filed: March 2, 2012
    Publication date: September 6, 2012
    Inventor: Dae Youb KIM
  • Patent number: 8259933
    Abstract: A secure, open-air communication system utilizes a plurality of “decoy” data signals to hide one or more true data signals. The true data signal(s) are channel hopped with the plurality of decoy data signals to form a multi-channel “scrambled” output signal that is thereafter transmitted in an open-air communication system. The greater the number of decoy signals, the greater the security provided to the open-air system. Further security may be provided by encrypting both the true and decoy signals prior to scrambling and/or by utilizing a spatially diverse set of transmitters and receivers. Without the knowledge of the channel assignment(s) for the true signal(s), an eavesdropper may be able to intercept (and, with time, perhaps descramble) the open-air transmitted signals, but will not be able to distinguish the true data from the decoys without also knowing the channel assignment(s).
    Type: Grant
    Filed: October 19, 2010
    Date of Patent: September 4, 2012
    Assignee: AT&T Intellectual Property II, L.P.
    Inventors: David M. Britz, Robert Raymond Miller, II, Nemmara K. Shankaranarayanan
  • Patent number: 8259951
    Abstract: Conventionally, an encryption key for encrypting data to be backed up in a tape cannot be allocated for each logical data management unit. To solve the problem, provided is a storage system including: a disk storage device; a tape storage device in which a tape storage medium is loaded; and a controller for controlling the disk storage device and the tape storage device, in which the controller is configured to: generate, upon reception of a request for setting a tape group including one or more tape storage media, a first encryption key used for encrypting data stored in the tape group set by the request; and hold information for correlating the generated first encryption key with the tape group.
    Type: Grant
    Filed: April 1, 2008
    Date of Patent: September 4, 2012
    Assignees: Hitachi, Ltd., Hitachi Computer Peripherals Co., Ltd.
    Inventor: Yoichi Mizuno
  • Patent number: 8259948
    Abstract: The present subject matter is related to trusted computing, and more particularly to migration of virtual trusted platform module keys that are rooted in a hardware trusted platform module. Some embodiments include a trusted platform virtualization module that may perform one or more of inbound and outbound trusted platform module key migrations. Such migrations may be performed between a virtual trusted platform module and either a hardware or a virtual trusted platform module.
    Type: Grant
    Filed: December 29, 2007
    Date of Patent: September 4, 2012
    Assignee: Intel Corporation
    Inventors: Ned M. Smith, Willard M. Wiseman, Alok Kumar, Tasneem Brutch, Vincent Scarlata, Faraz A. Siddiqi
  • Patent number: 8254573
    Abstract: System and method for forwarding a ciphering key to a decipher application comprising capturing a first message carrying the ciphering key from a first network interface, identifying a network node associated with the first network interface, identifying a monitor responsible for processing messages captured from interfaces coupled to the network node, and forwarding the ciphering key to the monitor. In an alternative embodiment, the method may further comprise capturing second messages carrying encrypted messages from a second network interface, and deciphering the second messages using the ciphering key. The method may also comprise identifying user equipment associated with the first messages, and selecting a deciphering application running on the monitor using a user equipment identity.
    Type: Grant
    Filed: March 5, 2008
    Date of Patent: August 28, 2012
    Assignee: Tektronix, Inc.
    Inventors: Fangming Huang, Baoyuan Wang
  • Patent number: 8254582
    Abstract: A system and method for controlling message attachment handling functions on a mobile device is described herein. An attachment handling control can be set to identify one of a number of selected attachment handling control modes. Depending on the attachment handling control mode identified, a request for the attachment structure that includes a decrypted session key for an encrypted message received at the mobile device may or may not be automatically sent to a remote server. This may provide the user with increased control over the content of an encrypted message that the remote server may access when determining the attachment structure for a message.
    Type: Grant
    Filed: September 24, 2007
    Date of Patent: August 28, 2012
    Assignee: Research In Motion Limited
    Inventors: Michael S. Brown, Michael K. Brown, Michael G. Kirkup
  • Patent number: 8254579
    Abstract: Cryptographic keys are distributed to computer systems to be remotely managed by a management node. First secure channels are established between the management node and trusted computing platforms associated with the computer systems. Cryptographic keys are sent to the trusted computing platforms via the first secure channels, wherein the cryptographic keys are stored in the trusted computing platforms and retrieved from the trusted computing platforms by the computer systems. Second secure channels are established with the computer systems using the retrieved cryptographic keys. Commands are remotely executed on one or more of the computer systems via the second secure channels.
    Type: Grant
    Filed: January 31, 2007
    Date of Patent: August 28, 2012
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Jeffery A. Morgan, John C. Schettino, Chandrasekar Venkatraman
  • Patent number: 8254891
    Abstract: A client application allows a user of a telecommunication device to retrieve contact data of a particular individual from a server to initiate contact with the particular individual without viewing content designated as private by the particular individual. The retrieved contact data includes encrypted content and non-encrypted content. The telecommunication device sends a directory request to the server requesting contact data from an electronic directory stored on the server. If the directory request is validated by the server, the telecommunication device receives the requested contact data from the server. The telecommunication device also receives a decryption key and a key expiration parameter from the server. The client application executing on the telecommunication device can use the decryption key within a time period defined by the key expiration parameter to decrypt encrypted contact data on the telecommunication device to initiate contact with the particular individual.
    Type: Grant
    Filed: August 4, 2006
    Date of Patent: August 28, 2012
    Assignee: Microsoft Corporation
    Inventor: Abhishek Kumar Mishra
  • Patent number: 8249257
    Abstract: The present subject matter is related to trusted computing, and more particularly, to virtual trusted platform module keys rooted in a hardware trusted platform module. Some embodiments include a trusted platform virtualization module operable to capture virtual machine trusted platform module calls and operates to generate, maintain, and utilize hardware trusted platform module keys on behalf of the one or more virtual machines. Some embodiments include virtual trusted platform module keys having a public portion on top of a private portion including an encrypted hardware trusted platform module key.
    Type: Grant
    Filed: September 28, 2007
    Date of Patent: August 21, 2012
    Assignee: Intel Corporation
    Inventors: Tasneem Brutch, Alok Kumar, Vincent Scarlata, Faraz A. Siddiqi, Ned M. Smith, Willard M. Wiseman
  • Patent number: 8245047
    Abstract: A method for managing a group signature scheme includes in a setup procedure for group initialization, generating, by a group manager, a group public key. In a join procedure for the group manager to add a new member to the group, the method includes generating by the new member, user information, and providing the generated user information to the group manager, and computing, by the group manager, membership information for the new member based on the user information received by the new member and on the group public key, and providing to the new member the computed membership information. In particular, the membership information is computed, by the group manager, as a function of the inverse of a given hash function of the user information. In a signing procedure for a group member to sign a message on behalf of the group, the method includes: using, by the group member, the membership information and the user information.
    Type: Grant
    Filed: December 19, 2005
    Date of Patent: August 14, 2012
    Assignee: Telecom Italia S.p.A.
    Inventors: Pier Luigi Zaccone, Manuel Leone, Ettore Caprella, Francesco Bergadano, Davide Cavagnino, Paolo Dal Checco
  • Publication number: 20120204028
    Abstract: A file server receives a request from a client to mount an encrypted file system. The file server informs the client that the requested file system is encrypted and, in turn, receives a session ticket from the client that includes a security protocol mounting selection. The file server decrypts the client's user's encrypted private key, and then decrypts the requested encrypted file system using the private key. In turn, the file server sends the decrypted file system to the client over a secure channel, which is based upon the security protocol mounting selection. In one embodiment, a key distribution center server receives a request from the client for the client's user to access the encrypted file system at the file server. The key distribution center server retrieves an intermediate key; includes the intermediate key in a session ticket; and sends the session ticket to the client.
    Type: Application
    Filed: April 18, 2012
    Publication date: August 9, 2012
    Applicant: International Business Machines Corporation
    Inventors: Dwip N. Banerjee, Sachin Chandrakant Punadikar, Sandeep Ramesh Patil, Ravi A. Shankar
  • Patent number: 8238555
    Abstract: Both a management server and a validation server are installed. Both a terminal and a terminal register setting information which is usable in an encrypted communication in the management server. When carrying out the encrypted communication, the management server searches the registered setting information for coincident setting information. The management server generates keys for the encrypted communications which can be used by the terminals, and delivers these generated keys in combination with the coincident setting information. The management server authenticates both the terminals in conjunction with the validation server. Since the terminals trust such results that the management server has authenticated the terminals respectively, these terminals need not authenticate the respective communication counter terminals.
    Type: Grant
    Filed: October 21, 2008
    Date of Patent: August 7, 2012
    Assignee: Hitachi, Ltd.
    Inventors: Osamu Takata, Takahiro Fujishiro, Tadashi Kaji, Kazuyoshi Hoshino
  • Patent number: 8238559
    Abstract: Tools are provided for distributing access-restricted content in an internet protocol television (“IPTV”) environment based on portable entitlement keys. Such tools can include a decoder, an encoder, and a network entitlement handler. The decoder may be configured to receive a key associated with entitlement information, and transmit the entitlement information over a network. The encoder may be configured to receive content from content providers, and to encode the content to create IP-compatible content, with access restrictions based on entitlement. The network entitlement handler may be configured to receive a request for requested content from the decoder; receive the access-restricted content (including the requested content) from the encoder; and transmit the requested content over the network to the decoder using IP, when the decoder is entitled to receive the requested content.
    Type: Grant
    Filed: April 2, 2008
    Date of Patent: August 7, 2012
    Assignee: Qwest Communications International Inc.
    Inventors: Steven M. Casey, Gnanasegeran Selvadurai, Felipe Castro, Waqar Khan
  • Patent number: 8233627
    Abstract: A user private key is stored in a database of the user terminal. A user public key and user information are stored in the user management DB. The encryption/decryption unit encrypts an authority private key specific to a first authority given to a user, by using a user public key associated with user information to indicate a user. The secret sharing unit shares in secret an authority private key into two or more shared authority private keys. The encryption/decryption unit encrypts the shared authority private keys, by using an authority public key specific to each of second authorities to manage the first authority in a shared manner. The authority management DB stores the encrypted authority private key and authority public key in association with the first authority, and stores the encrypted shared authority private keys in association with the second authorities.
    Type: Grant
    Filed: April 3, 2008
    Date of Patent: July 31, 2012
    Assignees: Kabushiki Kaisha Toshiba, Toshiba Solutions Corporation
    Inventors: Tomonari Tanaka, Kazunori Sekido, Masamichi Tateoka
  • Patent number: RE43599
    Abstract: A system for dealing in an original data content and an edited data content. A data content is handled as an object, and the data content is edited by editing a data content, functioning as an object, in accordance with an edit program. The edited data content is expressed by the original data content and the editing scenario which describes editing detail by the edit program. Only the encrypted editing scenario is dealt in. Upon receipt of the encrypted editing scenario, a user decrypts the encrypted editing scenario using a crypt key obtained from a key management center, and obtains the original data content from the database in accordance with the editing scenario and re-constitutes the edited data content. In case there is one who wishes to sell the editing scenario, its utilization right is sold by auction.
    Type: Grant
    Filed: February 1, 2007
    Date of Patent: August 21, 2012
    Assignee: Intarsia Software LLC
    Inventor: Makoto Saito