Key Distribution Center Patents (Class 380/279)
  • Publication number: 20110173452
    Abstract: The present invention constructs a compound type combined public key system on the basis of a combined public key CPK system. The combined key is combined by an identity key and a randomly defined key. The randomly defined key can be defined by a center, called a system key; and can be self-defined, called an updating key. Combination of the identity key and the system key generates a first-order combined key. The first-order combined key is then combined with the updating key to generate a second-order combined key. The first-order combined key can be used for centralized digital signature and key exchange. The second-order combined key can be used for distributed digital signature, to provide individuals with convenient key exchange and absolute privacy. A combining matrix, as a trust root, provides proof of integrity of identity and key, with no need for third-party proof.
    Type: Application
    Filed: May 27, 2009
    Publication date: July 14, 2011
    Inventors: Xiang-hao Nan, Huaping Chen
  • Patent number: 7978858
    Abstract: A network communication system has terminal devices belonging to a group, the terminal devices generating, if there is a leaving terminal device leaving from the group, an updated group encryption key corresponding to a new group encryption key, from a deletion key corresponding to the leaving terminal device and a group encryption key, and, after the leaving terminal device leaves the group, communicating by using the updated group encryption key; and a group management server generating the updated group encryption key corresponding to the new group encryption key from the deletion key corresponding to the leaving terminal device and the group encryption key, and, after the leaving terminal device leaves the group, communicating by using the updated group encryption key.
    Type: Grant
    Filed: March 31, 2008
    Date of Patent: July 12, 2011
    Assignee: Kabushiki Kaisha Toshiba
    Inventors: Ikuko Osajima, Nobuyuki Ikeda, Akira Suzuki, Shinji Ogishima
  • Patent number: 7978856
    Abstract: Methods of managing a key cache are provided. One method may include determining whether a given key has previously been loaded to a trusted platform module (TPM), loading the given key to the TPM and generating a key cache object corresponding to the given key if the determining step determines the given key has not previously been loaded to the TPM and restoring the given key to the TPM based on the key cache object corresponding to the given key if the given key has previously been loaded. Another method may include extracting a key from a TPM if the TPM does not have sufficient memory to load a new key, the extracted key corresponding to a least frequently used key cache object within the TPM. Another method may include restoring a key to a TPM, the restored key having been previously loaded to and extracted from the TPM.
    Type: Grant
    Filed: May 25, 2007
    Date of Patent: July 12, 2011
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Kyung-min Cho, Jong-il Park
  • Patent number: 7979714
    Abstract: Authentication and access control device (104) includes a first security key sub-system (110, 112, 114, 116, 118). The first security key sub-system is responsive to an input signal for providing a first key code required for permitting a user access to a controlled resource. The device advantageously also includes a second security key sub-system (110, 112, 114, 116, 118) for providing a second key code different from the first key code. The second key code is useful for authenticating the user or facilitating secure use of a particular controlled resource (102).
    Type: Grant
    Filed: June 2, 2006
    Date of Patent: July 12, 2011
    Assignee: Harris Corporation
    Inventors: Bruce T. Borsa, Michael T. Kurdziel, Jeffrey I. Murray, Terence W. O'Brien
  • Patent number: 7975140
    Abstract: Described are a method and system for establishing a secure communication session with third-party access at a later time. A first communication subsession is established between two original devices using a first key generated by a two-party key and security association protocol. At least one of the original devices is established as a group key server. A request from a joining device to join the secure communication session is received and a second communication subsession is established between the original devices using a second key generated by the two-party key and security association protocol. The second key is provided to the joining device to enable participation in the second communication subsession.
    Type: Grant
    Filed: January 5, 2006
    Date of Patent: July 5, 2011
    Assignee: Nortel Networks Limited
    Inventors: Donald Fedyk, Lakshminath Dondeti
  • Publication number: 20110161660
    Abstract: In a method of temporarily registering a second device with a first device, in which the first device includes a temporary registration mode, the temporary registration mode in the first device is activated, a temporary registration operation in the first device is initiated from the second device, a determination as to whether the second device is authorized to register with the first device is made, and the second device is temporarily registered with the first device in response to a determination that the second device is authorized to register with the first device, in which the temporary registration requires that at least one of the second device and the first device delete information required for the temporary registration following at least one of a determination of a network connection between the first device and the second device and a powering off of at least one of the first device and the second device.
    Type: Application
    Filed: December 29, 2009
    Publication date: June 30, 2011
    Applicant: GENERAL INSTRUMENT CORPORATION
    Inventors: Jiang Zhang, Alexander Medvinsky, Paul Moroney, Petr Peterka
  • Publication number: 20110158411
    Abstract: In a method of registering a plurality of client devices with a device registration server for secure data communications, a unique symmetric key is generated for each of the client devices using a cryptographic function on a private key of the device registration server and a respective public key of each of the client devices, and a broadcast message containing the public key of the device registration server is sent to the client devices, in which the client devices are configured to generate a respective unique symmetric key from the public key of the device registration server and its own private key using a cryptographic function, and in which the unique symmetric key generated by each client device matches the respective unique symmetric key generated by the device registration server for the respective client device.
    Type: Application
    Filed: December 29, 2009
    Publication date: June 30, 2011
    Applicant: General Instrument Corporation
    Inventors: Alexander Medvinsky, Paul Moroney, Jiang Zhang
  • Publication number: 20110161656
    Abstract: Aspects of the present disclosure are directed to methods and systems for protecting sensitive data in a hosted service system. The system includes a host system and the host system includes a key management system (KMS) and a metadata service system (MSS). The KMS and the MSS are communicatively coupled to each other. The system further includes a database management system (DBMS) having a database, a query pre-parser, and a results handler. The query pre-parser and the results handler are communicatively coupled to the KMS and the MSS, and the system also includes a processing application adapted to process at least some data received from a tenant system.
    Type: Application
    Filed: December 29, 2009
    Publication date: June 30, 2011
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventor: Pallavi T. Nagesha Rao
  • Patent number: 7971241
    Abstract: A verifiable security mode is provided for securing data on a storage device, such as a hard disk drive. When the verifiable security mode is enabled, only authenticated accesses to data stored on the storage device are permitted after entering a password. An end user is prevented from disabling the verifiable security mode. The verifiable security mode can be set to allow or disallow an administrator from disabling the verifiable security mode. The verifiable security mode can be implemented, for example, in firmware on a hard disk drive (HDD).
    Type: Grant
    Filed: December 22, 2006
    Date of Patent: June 28, 2011
    Assignee: Hitachi Global Storage Technologies Netherlands, B.V.
    Inventors: Cyril Guyot, Jorge Campello de Souza, Anand Krishnamurthi Kulkarni, Richard M. H. New
  • Patent number: 7970133
    Abstract: The present invention is a method for secure and flexible key schedule generation, which includes loading a key schedule algorithm and a cryptographic algorithm into a cryptographic engine. The method further includes loading the cryptographic algorithm, when selected, into a cryptographic co-processor. The method further includes loading the key schedule algorithm into a separate virtual machine.
    Type: Grant
    Filed: January 19, 2006
    Date of Patent: June 28, 2011
    Assignee: Rockwell Collins, Inc.
    Inventor: John H. Davidson
  • Patent number: 7965845
    Abstract: A medical ad hoc wireless network (10) is deployed in a healthcare medical facility surrounding individual patients and including wireless nodes (A, B, . . . , Z). Before deployment, each node (A, B, . . . , Z) is pre-initialized with a public key certificate (22) and offers a trust and symmetric key distribution service (32). In joining the ad hoc network (10), a node (B) authenticates and registers to one randomly self-chosen node (A) by using certified public keys (20). Such node (A) becomes Trusted Portal (TPA) of the node (B). The node (B) dynamically registers to a new self-chosen TP node when its old TP node leaves the ad hoc network (10). The network (10) supports symmetric key authentication between nodes registered to the same TP node. Additionally, it supports symmetric key authentication between nodes registered to different TP nodes.
    Type: Grant
    Filed: June 7, 2005
    Date of Patent: June 21, 2011
    Assignee: Koninklijke Philips Electronics N. V.
    Inventors: Heribert Baldus, David Sanchez Sanchez
  • Patent number: 7965846
    Abstract: When an SIP interface unit of a server apparatus receives an SIP message for call connection from a client apparatus and an SIP message analyzing unit can confirm that the SIP message is normal, a call controller recognizes that an RTP communication is carried out between the client apparatus and another client apparatus and instructs an encrypting capability management unit to determine RTP encrypting information which is used between the client apparatuses. The encrypting capability management unit determines the RTP encrypting information between these client apparatuses based on the instruction. With this arrangement, there can be provided a client-server distributed system that can realize an encrypting security function at a low cost, without requiring a certificate authentication function in order to deliver an encrypting key, and without the necessity of holding or managing a certificate and preparing an authenticating server in the system.
    Type: Grant
    Filed: July 23, 2007
    Date of Patent: June 21, 2011
    Assignee: NEC Infrontia Corporation
    Inventors: Mao Masuhiro, Yasuhiro Watanabe
  • Publication number: 20110142241
    Abstract: In a communication apparatus, a storage device stores encryption keys for encrypted communication with another communication apparatus on a network. A determination is made, based on a storage state of encryption keys stored in the storage device, whether to provide first encryption key information and second encryption key information, wherein the first encryption key information is for encrypted communication using a common encryption key among all communication apparatuses on a network and the second encryption key information is for encrypted communication using an encryption key different for each communication apparatus on the network. Communication parameters including the first encryption key information and the second encryption key information are provided to an apparatus that requests provision of communication parameters, based on the determination.
    Type: Application
    Filed: December 3, 2010
    Publication date: June 16, 2011
    Applicant: CANON KABUSHIKI KAISHA
    Inventor: Fumihide Goto
  • Patent number: 7961878
    Abstract: This specification describes technologies relating to imparting cryptographic information in network communications.
    Type: Grant
    Filed: October 15, 2007
    Date of Patent: June 14, 2011
    Assignee: Adobe Systems Incorporated
    Inventors: Asa Whillock, Edward Chan, Srinivas Manapragada, Matthew Kaufman, Pritham Shetty, Michael Thornburgh
  • Patent number: 7961875
    Abstract: The invention provides a method for ciphering and transmitting data, to be used by a communication device being arranged to transmit data through a first data port (241, 2002) according to a first transmission protocol, and to form ciphered data exploiting a ciphering algorithm being fed with a first set of ciphering parameters, comprising a ciphering parameter CP5; said device being further arranged to transmit data through a second data port (242, 2003) according to an alternative transmission protocol, said method comprising the steps of: defining an alternative ciphering parameter, ACP, having a bit length equal to the bit length of CP5, forming a second set of ciphering parameters by substituting said CP5 with said ACP in said first set of ciphering parameters, forming ciphered data by subjecting the data to said ciphering algorithm being fed with said second set of ciphering parameters, and transmitting said ciphered data through said second data port (242, 2003).
    Type: Grant
    Filed: May 16, 2005
    Date of Patent: June 14, 2011
    Assignee: Telefonaktiebolaget L M Ericsson (publ)
    Inventors: Joachim Sachs, Ian Herwono
  • Publication number: 20110138185
    Abstract: A method and apparatus for updating data, the method including: receiving a forced update command to forcibly update at least one of a first digital rights management (DRM) module and a first device key stored in the device; receiving a DRM package including at least one of a second DRM module and a second device key based on the forced update command; and updating the at least one of the first DRM module and the first device key based on the received DRM package.
    Type: Application
    Filed: October 25, 2010
    Publication date: June 9, 2011
    Applicant: SAMSUNG ELECTRONICS CO., LTD.
    Inventors: Hak-soo JU, Su-hyun NAM, Jeong-beom KIM, Eun-hwa HONG
  • Publication number: 20110135097
    Abstract: Encryption keys in a communication system are updated according to rekey groups having a common set of encryption keys or CKRs. Each group includes a number of radios with active and inactive keysets. A database records the relationships between rekey groups and keys, and the status of their keysets. An operator first determines one or more keys to be updated. New keys are then transmitted to each radio in one or more rekey groups using respective rekey messages. The new keys are stored in the inactive keysets of the radios. The inactive keysets are then activated using respective changeover messages. Deployment of new keys is carried out by software in the form of automated update tasks.
    Type: Application
    Filed: October 14, 2010
    Publication date: June 9, 2011
    Applicant: TAIT ELECTRONICS LIMITED
    Inventors: Andrew David Redfern, Guy Alexander Hooker, Hamish Andrew Smith, Lionel James Hopgood
  • Patent number: 7958542
    Abstract: For the transmission of an MBMS content to a plurality of user equipment units, the use of a p2m channel may only be beneficial if the number of joined user equipment units exceeds a threshold. However, counting is made difficult due to the fact that an idle mode UE, also a non-joined UE, may reply to the notification, and hence pretend a higher number of UEs which are ready and able to receive the MBMS content. According to the present invention, when joining the MBMS service, a number which is only known to the user equipment unit, as well as to those RNCs which will deliver the MBMS service for which the UE has joined, is provided to the UE. Whenever the UE replies to a service notification, it uses this number. The RNC determines a corresponding number and, in case the number received from the UE matches the number determined by the RNC, the UE is counted. Advantageously, an integrity protection may be provided for the notification reply for joined UEs which are still in the idle mode.
    Type: Grant
    Filed: May 11, 2004
    Date of Patent: June 7, 2011
    Assignee: Koninklijke Philips Electronics N.V.
    Inventor: Christoph Herrmann
  • Patent number: 7957532
    Abstract: A network-based data protection scheme for a mobile device utilizes encryption techniques and a remote key server that stores encryption keys on behalf of the mobile device. The mobile device stores encrypted data, preferably having no unencrypted counterpart stored therewith. On an as-needed basis, the mobile device requests a decryption key (or an encrypted version of a decryption key) from the key server, where the decryption key can be used by the mobile device to decrypt the encrypted information. The key server transmits the decryption key to the mobile device after authenticating the user of the mobile device.
    Type: Grant
    Filed: June 23, 2006
    Date of Patent: June 7, 2011
    Assignee: Microsoft Corporation
    Inventors: Yuqun Chen, Zicheng Liu, Mariusz H. Jakubowski, Yacov Yacobi
  • Patent number: 7957537
    Abstract: An information processing system and method using an encryption key block sets sub-trees classified based on data processing ability of the devices (capability) in a key tree in which respective keys are corresponded to a root, nodes and leaves of a tree in which a plurality of devices are constituted as the leaves, generates a sub-enabling key block which is effective for an entity in a managing subject of each sub-tree (entity), and generates an enabling key block decodable only by the entities having common capability. Also, an information processing system and method using an encryption key block manages a partial tree of a key tree (sub-tree), generates a sub-enabling key block based only on a key set corresponding to nodes or leaves included in the sub-tree, and generates an enabling key block decodable only by selected entities by using the sub-enabling key block.
    Type: Grant
    Filed: July 18, 2007
    Date of Patent: June 7, 2011
    Assignee: Sony Corporation
    Inventors: Yoshimichi Kitaya, Ryuji Ishiguro, Yoshitomo Osawa, Tomoyuki Asano
  • Publication number: 20110131414
    Abstract: Methods, systems and communication nodes for protecting Session Initiation Protocol (SIP) message payloads are described. Different protection techniques can be used to protect SIP payloads depending upon, for example, whether a recipient client application resides in a user equipment or an application server and/or whether a recipient client application resides in a same SIP/IP domain as the target SIP application server which is sending the SIP payloads.
    Type: Application
    Filed: November 30, 2009
    Publication date: June 2, 2011
    Inventors: Yi Cheng, Åke Busin, Luis Barriga
  • Patent number: 7949136
    Abstract: A security circuit includes an electrical fuse read only memory (ROM) including a plurality of electrical fuse units. The electrical fuse units are arranged to correspond to bit values of an initial security key before the electrical fuse ROM is programmed.
    Type: Grant
    Filed: April 28, 2009
    Date of Patent: May 24, 2011
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Hyun-Su Choi, Nak-Woo Sung
  • Publication number: 20110116636
    Abstract: An improved network-based system and network implemented method of distributing and controlling the release of an encapsulated content. The system comprises an archive creation tool configured to create a self-extractable archive comprising an encrypted content, distribution means adapted to distribute the archive to one or more users, and a server arranged to remotely control a timed release of the content from each distributed archive by providing a decryption key in response to a key request received on or after a predetermined date and time. In this way, a publisher of the archive can control access to a content even after the archive has been distributed to one or more users. Due to executable functionality within the archive, an additional content, such as advertisements, multimedia files or other documents, can be presented to a user in response to extraction of the archive, without the need for client-based extraction software.
    Type: Application
    Filed: June 26, 2009
    Publication date: May 19, 2011
    Inventor: Darren Steed
  • Patent number: 7945605
    Abstract: A new technique for accelerating the computational speed of a computer algorithm is provided. The inventive technique can be applied to video compression/decompression algorithms, optical character recognition algorithms, and digital camera zooming applications.
    Type: Grant
    Filed: December 28, 2009
    Date of Patent: May 17, 2011
    Assignee: Cipherflux, LLC
    Inventors: Jerzy Henryk Urbanik, Krzysztof Ryszard Kalita, Przemyslaw Bartlomiej Bezeg
  • Patent number: 7940935
    Abstract: A content playback apparatus reduces load concentration on a specific server apparatus that manages content keys of encrypted content, while protecting copyrights of the content. The content playback apparatus makes playback of content recorded in a sold recording medium possible even after the specific server breaks down. A key acquisition control unit (204) reads a playback control information table (211) from a recording medium (102) via a reading unit (201). The key acquisition unit (204) acquires a rights key via a key acquisition intermediation unit (223) from an apparatus specified by an acquisition-destination type and a request-destination type that are stored in the playback control information table (211) and that correspond to the content to be played. The key acquisition unit (204) generates a content key using the acquired rights key and, when required, a medium key recorded in a medium. A decryption unit (203) decrypts encrypted content using the content key.
    Type: Grant
    Filed: June 30, 2005
    Date of Patent: May 10, 2011
    Assignee: Panasonic Corporation
    Inventors: Tohru Nakahara, Ryuichi Okamoto, Masaya Yamamoto, Katsumi Tokuda, Masaya Miyazaki, Masayuki Kozuka
  • Publication number: 20110099373
    Abstract: A digital broadcasting system and a method for processing data in the same are disclosed. A method for controlling a digital television (DTV) located in one independent space among a plurality of independent spaces physically separated from one another is disclosed. The DTV includes an access point (AP) card.
    Type: Application
    Filed: October 26, 2009
    Publication date: April 28, 2011
    Applicant: LG ELECTRONICS INC.
    Inventors: Sang Rea WOO, Dae Jin Lim, Hak Joo Lee
  • Patent number: 7933414
    Abstract: Data encrypted with a scrambling key Ks are transmitted from a service provider via a master device to a plurality of client devices having unique identifiers, administered by the master device. A set of partial keys comprising a respective partial key for each respective one of the plurality of clients is calculated at the service provider, by applying a predetermined function to the unique identifiers of all clients but for the identifier of the respective one of the plurality of clients. This set of partial keys is transmitted to the master device, which transmits to each respective client the respective partial key calculated therefor. Each client can then derive the scrambling key from the respective partial key received from the master device by reference to its own unique identifier, and use the result to decrypt the data.
    Type: Grant
    Filed: December 5, 2007
    Date of Patent: April 26, 2011
    Assignee: International Business Machines Corporation
    Inventors: Frederic Bauchot, Francois-Xavier Drouet, Gerard Marmigere, Christophe Mialon
  • Patent number: 7933408
    Abstract: The claimed subject matter provides a system and/or method that asynchronously disseminates multimedia content to disparate clients. The disclosed system can include a component that receives multimedia content supplied by a multimedia publisher, encrypts or applies a time sensitive lock to the received multimedia content, disseminates the encrypted or locked multimedia content to the disparate clients, and, at a subsequent time, generates and distributes to the disparate clients a counterpart to the time sensitive lock necessary to unlock and play the disseminated and encrypted or locked multimedia content on the clients.
    Type: Grant
    Filed: June 15, 2007
    Date of Patent: April 26, 2011
    Assignee: Microsoft Corporation
    Inventors: Curtis G. Wong, Dale A. Sather, Kenneth Reneris, Thaddeus C. Pritchett, Talal Ali Batrouny
  • Publication number: 20110085661
    Abstract: During the export processing for the video content (S107), the content receiving terminal causes an encryption key for content stored in the recording medium, to be present in the content receiving terminal (S103, S105, and S106). Only when the export processing is completed or when suspension processing is normally performed, the content receiving terminal writes the content encryption key in the recording medium (S111 and S112). When the export processing is abnormally suspended, since the content encryption key is not stored in the recording medium, the other video reproducing terminals cannot reproduce the video content for which the export is incomplete.
    Type: Application
    Filed: June 16, 2010
    Publication date: April 14, 2011
    Inventor: Hisashi TSUJI
  • Patent number: 7925025
    Abstract: A tree is used to partition stateless receivers in a broadcast content encryption system into subsets. Two different methods of partitioning are disclosed. When a set of revoked receivers is identified, the revoked receivers define a relatively small cover of the non-revoked receivers by disjoint subsets. Subset keys associated with the subsets are then used to encrypt a session key that in turn is used to encrypt the broadcast content. Only non-revoked receivers can decrypt the session key and, hence, the content.
    Type: Grant
    Filed: April 2, 2008
    Date of Patent: April 12, 2011
    Assignee: International Business Machines Corporation
    Inventors: Jeffrey Bruce Lotspiech, Dalit Naor, Simeon Naor
  • Patent number: 7925026
    Abstract: Systems and methods for providing autonomous security are configured to modify an original header associated with an original data packet wherein key information is added; encrypt original data associated with the original data packet in response to the key information; and form an encrypted data packet including the modified header and the encrypted data, wherein the encrypted data packet is a same size as the original data packet.
    Type: Grant
    Filed: October 14, 2008
    Date of Patent: April 12, 2011
    Inventor: Alex I. Alten
  • Patent number: 7925024
    Abstract: System and method for generating and distributing an encryption/decryption key are disclosed and may include generating one or more keys by a key generator integrated within a chip. The generated one or more keys may be communicated directly from the key generator, via an on-chip broadcast serial link, to one of a plurality of on-chip addressable encryption/decryption devices. A particular one of the plurality of on-chip addressable encryption/decryption devices processes one or more received packets that include its own address utilizing the one or more keys. The at least one key may be serialized and encapsulated into a key packet. The encapsulating may include encapsulating an address of the one of the plurality of on-chip addressable encryption/decryption devices in the key packet.
    Type: Grant
    Filed: December 21, 2007
    Date of Patent: April 12, 2011
    Inventors: Kevin Patariu, Iue-Shuenn Chen, Jay Kwok Wa Li, Cynthia Dang, Mark Taylor Core
  • Patent number: 7925013
    Abstract: A system is described for encryption and decryption of digital data prior to the digital data entering the memory of a digital device by generating a key, sub-key and combining the sub-key with mixed digital data, where the encryption and decryption occurs between the memory controller and the input output register.
    Type: Grant
    Filed: June 30, 2003
    Date of Patent: April 12, 2011
    Assignee: Conexant Systems, Inc.
    Inventor: Winefred Washington
  • Patent number: 7920706
    Abstract: A key management of cryptographic keys has a data package including one or more cryptographic keys that are transferred to a personal device 100 from a secure processing point 150 of a device assembly line in order to store device specific cryptographic keys in the personal device 100. In response to the transferred data package, a backup data package is received by the secure processing point 150 from the personal device 100, which backup data package is the data package encrypted with a unique secret chip key stored in a tamper-resistant secret storage 125 of a chip 110 included in the personal device 100. The secure processing point 150 is arranged to store the backup data package, together with an associated unique chip identifier read from the personal device 100, in a permanent, public database 170.
    Type: Grant
    Filed: October 28, 2003
    Date of Patent: April 5, 2011
    Assignee: Nokia Corporation
    Inventors: Nadarajah Asokan, Niemi Valtteri
  • Publication number: 20110075841
    Abstract: A method is provided for viewing a bookmarked video clip. The method includes establishing communication over a broadband network with a first network element on which at least one bookmark resides. The bookmark includes metadata identifying a bookmarked video clip of a video program and specifies a network address at which the bookmarked video clip is located. Upon user request, metadata associated with a specified bookmark is received. Communication is established with a second network element on which the specified bookmarked video clip is located using the network address of the specified bookmarked video clip provided in the metadata. The bookmarked video clip is received from the second network element. The bookmarked video clip is encrypted in accordance with a digital rights management scheme. The bookmarked video clip is decrypted and rendered.
    Type: Application
    Filed: September 29, 2009
    Publication date: March 31, 2011
    Applicant: GENERAL INSTRUMENT CORPORATION
    Inventors: Kuang M. Chen, Petr Peterka, Rafie Shamsaasef
  • Publication number: 20110075847
    Abstract: Methods, a client node and a key server node are provided for distributing from the key server node, and acquiring at the client node, self-healing encryption keys. The client node and the key server node are part of a key distribution network that comprises a plurality of client nodes. An encryption key is obtained from a combination of a forward key with a backward key, wherein the backward key is distributed at a time separated from the time of the forward key by a self-healing period. The forward and backward keys are updated in a multicast rekey message, at a given time, encrypted by an encryption key defined for a previous time. Optionally, when a sibling of the client node joins or leaves the key distribution network, a unicast rekey message is used to renew the forward and backward keys at the client node.
    Type: Application
    Filed: November 30, 2009
    Publication date: March 31, 2011
    Applicant: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
    Inventor: Angelo Rossi
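Worked example (added by the editor, not code from the Ericsson application above): a Go sketch of the forward/backward key construction the abstract describes. Everything concrete here is an assumption for illustration: SHA-256 hash chains for the forward chain (F[i] = H(F[i-1])) and the backward chain (B[i] = H(B[i+1])), a session key derived from both, and a rekey message at epoch t carrying F[t] together with B[t-period]. The encryption of the rekey message under the previous epoch's key is left out so the self-healing logic stands alone.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"errors"
	"fmt"
)

const maxEpoch = 8 // assumed schedule length for the demo

// hashStep derives the next chain element; the label keeps the forward
// chain, the backward chain and the combined key in distinct domains.
func hashStep(label string, in []byte) []byte {
	h := sha256.Sum256(append([]byte(label), in...))
	return h[:]
}

// BuildChains is the server's schedule: F[i] = H(F[i-1]) runs forward from
// F[1], B[i] = H(B[i+1]) runs backward from B[max].
func BuildChains(fSeed, bSeed []byte, max int) (f, b [][]byte) {
	f, b = make([][]byte, max+1), make([][]byte, max+1)
	f[1] = fSeed
	for i := 2; i <= max; i++ {
		f[i] = hashStep("fwd", f[i-1])
	}
	b[max] = bSeed
	for i := max - 1; i >= 1; i-- {
		b[i] = hashStep("bwd", b[i+1])
	}
	return f, b
}

// SessionKey of an epoch combines that epoch's forward and backward keys.
func SessionKey(f, b []byte) []byte {
	return hashStep("key", append(append([]byte{}, f...), b...))
}

// RekeyMessage is multicast at epoch t: F[t] plus B[t-period]. The patent
// wraps it under the previous epoch's key; that encryption is omitted here.
type RekeyMessage struct {
	Epoch  int
	F      []byte
	BEpoch int
	B      []byte // nil while t-period < 1
}

func Rekey(f, b [][]byte, t, period int) RekeyMessage {
	m := RekeyMessage{Epoch: t, F: f[t]}
	if t-period >= 1 {
		m.BEpoch, m.B = t-period, b[t-period]
	}
	return m
}

// Client keeps its earliest forward key and latest backward key; every F[j]
// with j >= fEpoch and every B[j] with j <= bEpoch follows by hashing.
type Client struct {
	fEpoch, bEpoch int
	fKey, bKey     []byte
}

func (c *Client) Receive(m RekeyMessage) {
	if c.fKey == nil || m.Epoch < c.fEpoch {
		c.fEpoch, c.fKey = m.Epoch, m.F
	}
	if m.B != nil && (c.bKey == nil || m.BEpoch > c.bEpoch) {
		c.bEpoch, c.bKey = m.BEpoch, m.B
	}
}

// Key recovers epoch t's key even if that epoch's rekey message was lost,
// provided the client was a member at t and has since seen B[t] or later.
func (c *Client) Key(t int) ([]byte, error) {
	if c.fKey == nil || t < c.fEpoch {
		return nil, errors.New("forward key not derivable: joined after this epoch")
	}
	if c.bKey == nil || t > c.bEpoch {
		return nil, errors.New("backward key for this epoch not published yet")
	}
	f, b := c.fKey, c.bKey
	for i := c.fEpoch; i < t; i++ {
		f = hashStep("fwd", f)
	}
	for i := c.bEpoch; i > t; i-- {
		b = hashStep("bwd", b)
	}
	return SessionKey(f, b), nil
}

func main() {
	fs, bs := sha256.Sum256([]byte("fwd-seed")), sha256.Sum256([]byte("bwd-seed")) // demo seeds only
	f, b := BuildChains(fs[:], bs[:], maxEpoch)
	member := &Client{}
	for _, t := range []int{1, 2, 4, 5} { // the epoch-3 multicast is lost
		member.Receive(Rekey(f, b, t, 2))
	}
	k, err := member.Key(3)
	fmt.Println("healed epoch 3:", err == nil && bytes.Equal(k, SessionKey(f[3], b[3])))
}
```

The two chains give the access-control property the abstract relies on: a node that joins at epoch 4 can hash its forward key ahead but never back to F[3], and a node that left after epoch 3 never receives a backward key later than B[1], so neither side can assemble a key for an epoch outside its membership, while a member that merely lost one multicast heals once the matching backward key arrives a self-healing period later.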
  • Patent number: 7917946
    Abstract: In a procedure for delivering streaming media, a Client first requests the media from an Order Server. The Order Server authenticates the Client and sends a ticket to the Client. Then, the Client sends the ticket to a Streaming Server. The Streaming Server checks the ticket for validity and if found valid encrypts the streaming data using a standardized real-time protocol such as the SRTP and transmits the encrypted data to the Client. The Client receives the data and decrypts them. Copyrighted material adapted to streaming can be securely delivered to the Client. The robust protocol used is very well suited for in particular wireless clients and similar devices having a low capacity such as cellular telephones and PDAs.
    Type: Grant
    Filed: April 10, 2002
    Date of Patent: March 29, 2011
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Fredrik Lindholm, Rolf Blom, Karl Norrman, Göran Selander, Mats Näslund
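Worked example (added by the editor, not code from the Ericsson patent above): the Order Server / Streaming Server ticket step in Go. The ticket format (client id, media id, expiry, nonce, HMAC-SHA-256 tag over those fields under a key shared by the two servers) and the replay check on the nonce are assumptions for illustration; the abstract does not specify how the ticket is built. The SRTP keying that follows a successful check is not shown.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Assumed ticket layout: client|media|expiry-unix|nonce|mac. The Order Server
// and the Streaming Server share ticketKey; ids must not contain '|'.

// IssueTicket is the Order Server step, run after the client is authenticated.
func IssueTicket(ticketKey []byte, clientID, mediaID string, expires time.Time) (string, error) {
	if strings.ContainsAny(clientID+mediaID, "|") {
		return "", errors.New("ids must not contain the field separator")
	}
	nonce := make([]byte, 8)
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	body := strings.Join([]string{clientID, mediaID, strconv.FormatInt(expires.Unix(), 10), hex.EncodeToString(nonce)}, "|")
	return body + "|" + hex.EncodeToString(tag(ticketKey, body)), nil
}

func tag(key []byte, body string) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(body))
	return m.Sum(nil)
}

// StreamingServer checks a presented ticket before any media is keyed or sent.
type StreamingServer struct {
	ticketKey []byte
	seen      map[string]bool // redeemed nonces, so a captured ticket is single-use
}

func NewStreamingServer(key []byte) *StreamingServer {
	return &StreamingServer{ticketKey: key, seen: map[string]bool{}}
}

// Verify returns the client id the ticket was issued to. The MAC is checked
// before any other field is trusted, then expiry, media binding and replay.
func (s *StreamingServer) Verify(ticket, mediaID string, now time.Time) (string, error) {
	parts := strings.Split(ticket, "|")
	if len(parts) != 5 {
		return "", errors.New("malformed ticket")
	}
	got, err := hex.DecodeString(parts[4])
	if err != nil || !hmac.Equal(got, tag(s.ticketKey, strings.Join(parts[:4], "|"))) {
		return "", errors.New("ticket MAC invalid")
	}
	exp, err := strconv.ParseInt(parts[2], 10, 64)
	if err != nil || !now.Before(time.Unix(exp, 0)) {
		return "", errors.New("ticket expired")
	}
	if parts[1] != mediaID {
		return "", errors.New("ticket is for a different media item")
	}
	if s.seen[parts[3]] {
		return "", errors.New("ticket already redeemed")
	}
	s.seen[parts[3]] = true
	return parts[0], nil
}

func main() {
	key := []byte("shared-order/streaming-key") // constructed demo key
	srv := NewStreamingServer(key)
	now := time.Date(2011, 3, 29, 12, 0, 0, 0, time.UTC)
	tk, _ := IssueTicket(key, "phone-42", "movie-7", now.Add(5*time.Minute))
	fmt.Println(srv.Verify(tk, "movie-7", now))
	fmt.Println(srv.Verify(tk, "movie-7", now)) // second presentation is rejected
}
```

Binding the media id into the MAC is what stops a client that paid for one item from presenting the same ticket for another, and the short expiry plus nonce bookkeeping keeps a ticket captured on a wireless link from being replayed by a second device.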
  • Patent number: 7916871
    Abstract: In a secure cryptographic environment, a private key in a private/public key cryptographic scheme needs to be backed up and recovered in case of a loss or corruption of the private key. To back up the private key, multiple key segments are generated based on the private key which are distributed to a corresponding number of trusted individuals, each of whom has knowledge of only his or her key segment. The key can be restored only when all of the trusted individuals provide the respective key segments, based on which the original private key is reconstructed. In addition, each trusted individual is uniquely identifiable by a personal identification number. Advantageously, the private key which is secret can be backed up and restored without any individual having knowledge of the full key.
    Type: Grant
    Filed: February 21, 2007
    Date of Patent: March 29, 2011
    Assignee: Neopost Technologies
    Inventors: George M. Brookner, Lorenz R. Frey
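Worked example (added by the editor, not code from the Neopost patent above): an all-custodians key backup in Go. The abstract requires every trusted individual to contribute before the key can be restored, which an n-of-n XOR split gives directly: n-1 segments are random and the last is the key XORed with all of them, so any n-1 segments are independent of the key. The PIN handling (a SHA-256 digest of each custodian's PIN kept next to the segment) is an assumption for illustration and stands in for whatever identification the patent uses; a deployment would use a salted slow hash and rate limiting for the PIN check.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Split turns a private key into n segments whose XOR is the key. The first
// n-1 segments are uniformly random, so any n-1 of them carry no information
// about the key: reconstruction needs all n, the policy in the abstract.
func Split(secret []byte, n int) ([][]byte, error) {
	if n < 2 {
		return nil, errors.New("need at least two custodians")
	}
	segs := make([][]byte, n)
	last := append([]byte{}, secret...)
	for i := 0; i < n-1; i++ {
		segs[i] = make([]byte, len(secret))
		if _, err := rand.Read(segs[i]); err != nil {
			return nil, err
		}
		for j := range last {
			last[j] ^= segs[i][j]
		}
	}
	segs[n-1] = last
	return segs, nil
}

// Combine XORs the presented segments; with any segment missing the result
// is an unrelated random string, not a partially correct key.
func Combine(segs [][]byte) []byte {
	out := make([]byte, len(segs[0]))
	for _, s := range segs {
		for j := range out {
			out[j] ^= s[j]
		}
	}
	return out
}

// Custodian holds one segment and is identified by a PIN (assumed: only a
// SHA-256 digest of the PIN is stored; use a salted slow hash in practice).
type Custodian struct {
	ID      int
	pinHash []byte
	segment []byte
}

func Enroll(segs [][]byte, pins []string) ([]Custodian, error) {
	if len(segs) != len(pins) {
		return nil, errors.New("one PIN per segment required")
	}
	cs := make([]Custodian, len(segs))
	for i := range segs {
		h := sha256.Sum256([]byte(pins[i]))
		cs[i] = Custodian{ID: i + 1, pinHash: h[:], segment: segs[i]}
	}
	return cs, nil
}

// Restore reconstructs the key only when every custodian is present and
// identifies correctly; an absentee or wrong PIN aborts before combining.
func Restore(cs []Custodian, presented map[int]string) ([]byte, error) {
	segs := make([][]byte, 0, len(cs))
	for _, c := range cs {
		pin, ok := presented[c.ID]
		h := sha256.Sum256([]byte(pin))
		if !ok || subtle.ConstantTimeCompare(h[:], c.pinHash) != 1 {
			return nil, fmt.Errorf("custodian %d absent or PIN mismatch", c.ID)
		}
		segs = append(segs, c.segment)
	}
	return Combine(segs), nil
}

func main() {
	key := []byte("example private key material, 32B") // constructed stand-in for a real private key
	segs, _ := Split(key, 3)
	cs, _ := Enroll(segs, []string{"1111", "2222", "3333"})
	k, err := Restore(cs, map[int]string{1: "1111", 2: "2222", 3: "3333"})
	fmt.Println("all three custodians:", bytes.Equal(k, key), err)
	_, err = Restore(cs, map[int]string{1: "1111", 2: "2222"})
	fmt.Println("one custodian missing:", err)
}
```

Because the segments are random, the backup itself leaks nothing if one custodian's segment is lost or stolen; the trade-off of the all-of-n policy is that losing a single segment also loses the key, which is why a deployment would usually move to a k-of-n scheme such as Shamir's once availability matters as much as secrecy.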
  • Patent number: 7916870
    Abstract: Systems and methods for document control using public key encryption are provided. An interface program serves as a software interface between user applications used to create and access documents and a data storage system that stores the documents in an encrypted form. When a document is saved for the first time, information corresponding to the destruction of that document is obtained either from a user or in accordance with predefined criteria. The document is encrypted and stored with a pointer to an encryption key on a token/key server. When the document is subsequently accessed, the interface program will read the pointer and attempt to retrieve the key. If the key has expired in accordance with the destruction policy, the document is inaccessible. Otherwise, the document is decrypted using the key. Multiple documents may be saved according to the same destruction policy and even the same key, thereby greatly enhancing the ability to “destroy” documents regardless of their location with minimal process.
    Type: Grant
    Filed: November 3, 2006
    Date of Patent: March 29, 2011
    Assignee: Verizon Patent and Licensing Inc.
    Inventor: John-Francis Mergen
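Worked example (added by the editor, not code from the Verizon patent above): the destroy-by-key-expiry pattern in Go. Documents carry only a pointer to a key held on a key server, each key has a destruction policy, and once the policy expires the server deletes the key, so every document sealed under it becomes unreadable at once regardless of where its copies live. AES-256-GCM, the single expiry instant as the policy, and binding the key pointer as associated data are assumptions for illustration, not details from the abstract.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

type keyEntry struct {
	key     []byte
	expires time.Time // the destruction policy, reduced to one instant here
}

// KeyServer keeps each key with its policy. Destroying the key destroys
// every document sealed under it, wherever copies of the ciphertext live.
type KeyServer struct{ keys map[string]keyEntry }

func NewKeyServer() *KeyServer { return &KeyServer{keys: map[string]keyEntry{}} }

// Issue creates a 256-bit key under a policy; id is the pointer documents carry.
func (ks *KeyServer) Issue(id string, expires time.Time) error {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return err
	}
	ks.keys[id] = keyEntry{key: key, expires: expires}
	return nil
}

// Fetch releases the key only while the policy allows. An expired key is
// deleted on first sight, so a later clock rollback cannot resurrect it.
func (ks *KeyServer) Fetch(id string, now time.Time) ([]byte, error) {
	e, ok := ks.keys[id]
	if !ok {
		return nil, errors.New("unknown key pointer (never issued or already destroyed)")
	}
	if !now.Before(e.expires) {
		delete(ks.keys, id)
		return nil, errors.New("key expired under its destruction policy")
	}
	return e.key, nil
}

// Document is what reaches storage: ciphertext plus the key pointer. The
// pointer is bound as AEAD associated data, so re-pointing a document at a
// different live key fails authentication instead of decrypting garbage.
type Document struct {
	KeyID      string
	Nonce      []byte
	Ciphertext []byte
}

func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is the interface program's save path: resolve the pointer, encrypt.
func Seal(ks *KeyServer, keyID string, now time.Time, plaintext []byte) (*Document, error) {
	key, err := ks.Fetch(keyID, now)
	if err != nil {
		return nil, err
	}
	g, err := aead(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return &Document{KeyID: keyID, Nonce: nonce, Ciphertext: g.Seal(nil, nonce, plaintext, []byte(keyID))}, nil
}

// Open is the access path: once the pointer no longer resolves, the
// document is unreadable even though its ciphertext is intact.
func Open(ks *KeyServer, d *Document, now time.Time) ([]byte, error) {
	key, err := ks.Fetch(d.KeyID, now)
	if err != nil {
		return nil, err
	}
	g, err := aead(key)
	if err != nil {
		return nil, err
	}
	return g.Open(nil, d.Nonce, d.Ciphertext, []byte(d.KeyID))
}

func main() {
	ks := NewKeyServer()
	t0 := time.Date(2011, 3, 29, 0, 0, 0, 0, time.UTC) // constructed timeline
	_ = ks.Issue("policy-30d", t0.Add(30*24*time.Hour))
	doc, _ := Seal(ks, "policy-30d", t0, []byte("quarterly draft"))
	pt, err := Open(ks, doc, t0.Add(24*time.Hour))
	fmt.Printf("day 1: %q %v\n", pt, err)
	_, err = Open(ks, doc, t0.Add(31*24*time.Hour))
	fmt.Println("day 31:", err)
}
```

The caveat a practitioner would add: this only destroys documents as reliably as the key server destroys keys, so the server's own backups and any caches of fetched keys in the interface program have to follow the same policy, and a document the user already decrypted into memory or printed is outside its reach.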
  • Publication number: 20110069839
    Abstract: A secret information server 300 on a network 10 and a client apparatus 100 constitute an authentication information generating system. The secret information server 300 has a function to confirm the validity of a user in accordance with user identification information received from the client apparatus 100 and a function to hold the secret information database of each user and to send the secret information database of a user whose validity has been confirmed to the client apparatus 100 of the user. The client apparatus 100 has a main memory 120 having a domain A where an application or a main OS is executed and a domain B which has a program execution environment mutually independent of that for the domain A. The secret information database received from the secret information server 300 is saved in the domain B, and authentication information is generated by using the secret information database.
    Type: Application
    Filed: March 3, 2009
    Publication date: March 24, 2011
    Applicant: Nippon Telegraph and Telephone Corporation
    Inventors: Yukio Tsuruoka, Yoshinao Kikuchi, Tomoo Fukazawa
  • Publication number: 20110058673
    Abstract: A system is comprised of a user and a group, wherein the group is comprised of a group leader and a group of M members where M is equal to or greater than one. The group leader generates a group public key and a group leader “master” private key. The group leader creates a personalized watermarked or decryption key, also referred to as an individual private key, for each group member. The individual private key uniquely identifies each group member. The group leader distributes the individual private keys to each of the group members. Each group member receives from a user a message encrypted using the group public key. Each of the group members uses its individual private key to decrypt the encrypted message sent by the user to the group.
    Type: Application
    Filed: November 16, 2010
    Publication date: March 10, 2011
    Applicant: Wells Fargo Bank, N.A.
    Inventors: Yuliang Zheng, Luis Antonio Suarez
  • Patent number: 7904709
    Abstract: A system and method for controlling data communications between a server and a client device, such as a mobile device. Embodiments relate generally to a technique where stop data is provided to the client device. This stop data can be transmitted (e.g. by the client device) to the server. When processed by the server, the stop data indicates to the server that at least some of the encrypted data received by the client device from the server was not decrypted using the second key (e.g. as may be the case when the second key has been deleted). Upon receiving the stop data, the server may, for example, withhold the transmission of data encrypted with the first key to the client device until the second key is restored on the client device. In one embodiment, the stop data is provided to the client device in an encoded (e.g. encrypted) form.
    Type: Grant
    Filed: February 3, 2006
    Date of Patent: March 8, 2011
    Assignee: Research In Motion Limited
    Inventors: Dave Bajar, Philip Luk, Michael K. Brown, Darrell May
  • Patent number: 7903821
    Abstract: A method for managing keys in a Multimedia Broadcast/Multicast Service comprises the steps of: a BMSC defining a valid MTK ID interval for each generated MSK and sending it to a UE along with the MSK; after receiving the MSK, the UE saving the valid MTK ID interval of the MSK; and the BMSC defining an MTK ID for each generated MTK encrypted with the MSK and sending the MTK ID and the MTK to the UE after encrypting them with the MSK. This MSK is valid only while transmission of MTKs within the MTK ID interval is in operation. Therefore, once the UE finds that a newly received MTK's MTK ID is beyond said MTK ID interval, it deletes the MSK that was applied in the encryption of said MTK transmission.
    Type: Grant
    Filed: November 16, 2005
    Date of Patent: March 8, 2011
    Assignees: Samsung Electronics Co., Ltd, Beijing Samsung Telecom R&D Center
    Inventors: Yanmin Zhu, Hong Wang, Xiaoqiang Li
  • Patent number: 7899184
    Abstract: The presented messaging protocol uses three new public keys in a signed and encrypted message to achieve backward security and recovery in an environment where an attacker now and then obtains the security parameters in exposed, decrypted form. Backward security is understood to mean that an adversary cannot decrypt those captured encrypted messages that the user has decrypted prior to the exposure. The recovery of the protocol means that the attacker, at some point of time after the exposure, can no longer decrypt messages created after the exposure. The invention can be used e.g. in encrypted email communication. New to the current state of the art is that a message contains history data: a list of recently used public keys and their Diffie-Hellman counterparts.
    Type: Grant
    Filed: September 2, 2004
    Date of Patent: March 1, 2011
    Assignee: Pisaramedia Oy
    Inventor: Pentti Kimmo Sakari Vataja
  • Patent number: 7899188
    Abstract: A system (100) and method (500) to authenticate a peer in a peer-to-peer network is provided. The system can include a first peer (110) to locally create a secret key (112) and use the secret key to produce a public-key pair (120) comprising an identifier name (113) and a small public-key (115), and a second peer (160) to locally authenticate the identifier name of the public-key pair by requesting (405) the first peer to produce a unique dataset that does not reveal the secret-key and yet validates that the public-key pair was generated with the secret-key when the large public-key is applied to a portion of the unique dataset without using an external authentication system.
    Type: Grant
    Filed: May 31, 2007
    Date of Patent: March 1, 2011
    Assignee: Motorola Mobility, Inc.
    Inventor: Hosame H. Abu-Amara
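Worked example (added by the editor, not code from the Motorola patent above): a self-certifying peer identity check in Go, in the spirit of the abstract's locally created secret key and identifier name, authenticated by the other peer without any external authority. The concrete choices are assumptions for illustration: Ed25519 as the key pair, an identifier name derived as the first 8 bytes of SHA-256 over the public key, and a signed challenge as the "unique dataset" that proves possession of the secret key without revealing it. The abstract's small/large public key distinction is not modelled.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// NameFor derives the identifier name from the public key (assumed: first
// 8 bytes of SHA-256). Because the name is a function of the key, claiming
// someone else's name with a key you control means finding a second preimage.
func NameFor(pub ed25519.PublicKey) string {
	h := sha256.Sum256(pub)
	return hex.EncodeToString(h[:8])
}

type Peer struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewPeer creates the secret key locally and derives the public pair from it.
func NewPeer() (*Peer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Peer{Name: NameFor(pub), Pub: pub, priv: priv}, nil
}

// NewChallenge is the verifier's fresh nonce: it makes each response unique,
// so a response captured from one run cannot be replayed in another.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// transcript binds the challenge to the claimed name under a fixed prefix so
// the signature cannot be reused as a signature on anything else.
func transcript(challenge []byte, name string) []byte {
	return append(append([]byte("peer-auth-v1|"), challenge...), []byte("|"+name)...)
}

// Respond is the first peer's answer: a signature that validates the key
// pair was generated from its secret key without disclosing that key.
func (p *Peer) Respond(challenge []byte) []byte {
	return ed25519.Sign(p.priv, transcript(challenge, p.Name))
}

// Authenticate is run by the second peer with no external authority: the
// name must be the one the presented key derives to, and the response must
// verify under that key for the challenge this verifier issued.
func Authenticate(name string, pub ed25519.PublicKey, challenge, response []byte) error {
	if len(pub) != ed25519.PublicKeySize {
		return errors.New("bad public key length")
	}
	if NameFor(pub) != name {
		return errors.New("identifier name does not match the public key")
	}
	if !ed25519.Verify(pub, transcript(challenge, name), response) {
		return errors.New("response does not verify: peer does not hold the secret key")
	}
	return nil
}

func main() {
	alice, _ := NewPeer()
	ch, _ := NewChallenge()
	fmt.Println("honest peer:", Authenticate(alice.Name, alice.Pub, ch, alice.Respond(ch)))
	mallory, _ := NewPeer()
	fmt.Println("impostor:", Authenticate(alice.Name, mallory.Pub, ch, mallory.Respond(ch)))
}
```

Both checks are needed: the name-to-key match is what makes the identifier self-certifying, and the signed fresh challenge is what ties the key to the peer on the other end of this connection rather than to whoever once observed a valid response.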
  • Patent number: 7899187
    Abstract: New devices (101) are added to an existing domain by obtaining domain information (e.g., domain name and private domain password) from devices (101) already in the domain that preferably are in close proximity. Once the domain information has been transferred from the device already in the domain to the device being added to the domain, the device being added to the domain contacts a key issuer (105) to complete its registration into the domain. The key issuer returns a DRM domain private key (206) as well as a DRM certificate (202). Both are utilized by the device to obtain and render digital content (204).
    Type: Grant
    Filed: November 27, 2002
    Date of Patent: March 1, 2011
    Assignee: Motorola Mobility, Inc.
    Inventors: Thomas Messerges, Ezzat A. Dabbish, Larry Puhl, Dean Vogler
  • Patent number: 7895450
    Abstract: A storage medium is readable by a computer. The storage medium stores a program of instructions executable by the computer to perform a function for data managing. The function includes: receiving an encryption key from a first user terminal; encrypting the encryption key; issuing a first registration code for the encryption key; registering the encrypted encryption key in association with the first registration code; sending the first registration code to the first user terminal; and, when a second registration code sent from a second user terminal is identical with the first registration code, decrypting the registered and encrypted encryption key and sending the decrypted encryption key to the second user terminal.
    Type: Grant
    Filed: January 9, 2006
    Date of Patent: February 22, 2011
    Assignee: Fuji Xerox Co., Ltd.
    Inventor: Yoshiki Watanabe
  • Patent number: 7894607
    Abstract: A system, method and media drive for selectively encrypting a data packet. The system includes an encryption key for use in encrypting the data packet, a verification data element derived from the encryption key, an encryption engine for selectively encrypting the data packet using the encryption key, and a verification engine in electronic communication with the encryption engine. The verification engine is configured to receive the encryption key and the verification data element, determine when the verification data element corresponds to the encryption key as received by the verification engine, and prohibit encryption of the data packet by the encryption engine when the verification data element does not correspond to the encryption key as received by the verification engine.
    Type: Grant
    Filed: March 10, 2006
    Date of Patent: February 22, 2011
    Assignee: Storage Technology Corporation
    Inventor: Alexander S. Stewart
  • Publication number: 20110040967
    Abstract: A system and method for secure transport of data, the method comprising: sharing of key information with a key distributor, wherein the key information is for enabling decryption of first and second encrypted data, the key distributor being for making one or more decryption keys available to an authorised user; creating a container object, the container object comprising: first encrypted data having a first encryption based on at least a part of said key information; second encrypted data having a second encryption based on at least a part of said key information, wherein the first encryption is different to the second encryption; and metadata relating to the first encrypted data and the second encrypted data; and sending the container object to a data store or otherwise making the container object available, to allow user access to said data container object.
    Type: Application
    Filed: February 5, 2010
    Publication date: February 17, 2011
    Applicant: THALES HOLDINGS UK PLC
    Inventors: Adrian Waller, Glyn Jones
  • Publication number: 20110038482
    Abstract: A solution for scalable key archival includes, at a network device, determining whether a key management device that is not part of a current key management device configuration has been newly added to a network. The method also includes, if the key management device has been newly added to the network, determining whether the network device has a first application program interface (API) or device driver for communicating with the key management device. The method also includes, if the network device does not have the first API, obtaining the API. The method also includes creating a binding between a virtual device driver of the network device and the key management device via the first API, the network device having a second API for communications between the virtual device driver and a security processor of the network device. The security processor communicates with the key management device using the second API.
    Type: Application
    Filed: August 17, 2009
    Publication date: February 17, 2011
    Applicant: Brocade Communications Systems, Inc.
    Inventors: Jitendra Kumar Singh, Lyndon Siao, Narada Jared Hess