Key Distribution Center Patents (Class 380/279)
  • Patent number: 10216921
    Abstract: Systems and methods for attesting to information about a computing resource involve electronically signed documents. For a computing resource, a document containing information about the resource is generated and electronically signed. The document may be provided to one or more entities as an attestation to at least some of the information contained in the document. Attestation to information in the document may be a prerequisite for performance of one or more actions that may be taken in connection with the computing resource.
    Type: Grant
    Filed: September 7, 2016
    Date of Patent: February 26, 2019
    Assignee: Amazon Technologies, Inc.
    Inventors: Cornelle Christiaan Pretorius Janse Van Rensburg, Mark Joseph Cavage, Marc John Brooker, David Everard Brown, Abhinav Agrawal, Matthew S. Garman, Kevin Ross O'Neill, Eric Jason Brandwine, Christopher Richard Jacques de Kadt
  • Patent number: 10212141
    Abstract: Various embodiments described herein relate to a network key manager which is configured to manage keys in nodes in the network, wherein the network key manager includes a memory configured to store an update data structure; a processor configured to: determine which nodes are blacklisted; generate the update data structure of volatile private keys for each node that is not blacklisted, wherein the volatile private key is based upon secret information associated with the node and an index, wherein the volatile private key is used for the index-th key update; determine a neighbor node of the network key manager; remove the volatile private key for the neighbor node from the update data structure; encrypt the resulting update data structure and a new network key with the private key for the neighbor node to produce an encrypted message; and send the encrypted message to the neighbor node.
    Type: Grant
    Filed: October 19, 2016
    Date of Patent: February 19, 2019
    Assignee: NXP USA, Inc.
    Inventors: Andrei Catalin Frincu, George Bogdan Alexandru
  • Patent number: 10205594
    Abstract: Examples are generally directed towards providing a server polling component for remote cryptographic key erasure resilient to network outage. A set of keys received from a server are stored on data storage. The data storage sends a status request to the server. If a key enabled status is received, the data storage continues normal operations. If a key disabled status is received, a key failure action is performed. The key failure action includes deleting one or more of the keys in the set of keys or shutting down one or more storage devices of the data storage. If no response is received from the server, the data storage iteratively resends the status request at retry time intervals until a response is received from the server or until a time out period expires. On expiration of the time out period, the key failure action is performed.
    Type: Grant
    Filed: March 30, 2016
    Date of Patent: February 12, 2019
    Assignee: EMC IP HOLDING COMPANY LLC
    Inventor: Charles W. Kaufman
  • Patent number: 10200692
    Abstract: A computer-implemented method is provided for processing a video stream in the compressed domain for watermarking, scrambling and other applications. Syntax elements are generated for input video as part of a video compression process. The syntax elements are entropy coded with an arithmetic entropy encoding process to produce a compressed bitstream for the input video. Regions of frames and related syntax elements of the input video are identified as candidates for modification. Based on metadata associated with a particular user, the syntax elements, the regions, and entropy coding state of the arithmetic entropy encoding process, bytes of the input video are changed to generate a modifying bitstream that is unique to the particular user; and modifying the compressed bitstream using the modifying bitstream to produce a decodable bitstream for the input video.
    Type: Grant
    Filed: March 16, 2017
    Date of Patent: February 5, 2019
    Assignee: Cisco Technology, Inc.
    Inventor: Thomas Davies
  • Patent number: 10185698
    Abstract: An electronic device includes a display, a memory and a processor being configured to: register a plurality of pieces of first computational data in input order; register at least one or more pieces of second computational data each time the second computational data is input, the at least one or more pieces of second computational data corresponding to the plurality of pieces of first computational data, and each piece of the second computational data including numerical value data and calculation data; when second computational data is registered, determine whether the registered second computational data is consistent with the first computational data in input order corresponding to the registered second computational data; when the registered second computational data is determined to be inconsistent with the first computational data, correct the first computational data; and resume the registration of the second computational data after the first computational data is corrected.
    Type: Grant
    Filed: June 30, 2016
    Date of Patent: January 22, 2019
    Assignee: CASIO COMPUTER CO., LTD.
    Inventor: Kazuhiko Arikawa
  • Patent number: 10187213
    Abstract: In representative embodiments keys used in authentication are removed from local systems and stored on a key server system. When keys are needed for authentication, requests are routed to the key server system. In some embodiments, the keys do not leave the key server system and the key server system performs requested operations using the keys. In other embodiments, secure protocols are used to temporarily allow the local system to retrieve and use the key. In this latter situation, keys are not maintained on the local system.
    Type: Grant
    Filed: November 7, 2014
    Date of Patent: January 22, 2019
    Assignee: Venafi, Inc.
    Inventors: Tero Petteri Harjula, Breon Malachy McCartney
  • Patent number: 10176305
    Abstract: The present invention relates to data rights management and more particularly to a secured system and methodology and production system and methodology related thereto and to apparatus and methodology for production side systems and are consumer side systems for securely utilizing protected electronic data files of content (protected content), and further relates to controlled distribution, and regulating usage of the respective content on a recipient device (computing system) to be limited strictly to defined permitted uses, in accordance with usage rights (associated with the respective content to control usage of that respective content), on specifically restricted to a specific one particular recipient device (for a plurality of specific particular recipient devices), or usage on some or any authorized recipient device without restriction to any one in specific, to control use of the respective content as an application software program, exporting, modifying, executing as an application program, viewing,
    Type: Grant
    Filed: June 9, 2017
    Date of Patent: January 8, 2019
    Assignee: OL Security Limited Liability Company
    Inventors: David H. Sitrick, Russell T. Fling
  • Patent number: 10169600
    Abstract: A computing device may parse a file into a plurality of nodes. The computing device may associate, based on the parsing, at least a first encryption policy with a first node of the plurality of nodes. The computing device may associate, based on the parsing, at least a second encryption policy with a second node of the plurality of nodes. Data may be encrypted, based on the associating at least the first encryption policy with a first node, within at least the first node. Data may be encrypted, based on the associating at least a second encryption policy with a second node, within at least the second node.
    Type: Grant
    Filed: October 13, 2015
    Date of Patent: January 1, 2019
    Assignee: International Business Machines Corporation
    Inventors: Hao Feng, Shuo Li, ShengYan Sun, Jun Wang
  • Patent number: 10171465
    Abstract: A method for authenticating a client device for access to a host device based on timestamps. When the client device wants to access the host, it generates a first timestamp and sends the host device the first timestamp and the character strings from host tables related to the value of time units of the first timestamp. The host tables are known to all authorized client devices within the network. The strings are ordered according to a sequence table in the client device and the host device. When received, the host device compares the received character strings to the character strings within its host string table based on an order determined by its host sequence table. If the character strings and order match, the host sends the client a second timestamp and the process is repeated using the second timestamp and sequence and string tables associated with, and known only to, the client device and the host device.
    Type: Grant
    Filed: September 29, 2016
    Date of Patent: January 1, 2019
    Inventor: Helene E. Schmidt
  • Patent number: 10158993
    Abstract: This relates to wireless communications, and in particular to the generation of keying material for security purposes. In particular, a method of performing authentication for a user terminal is described. The method comprises performing an Authentication and Key Agreement procedure for authenticating the user terminal in a cellular access network, wherein a core network of the cellular network comprises a Home Subscriber Server; determining in a Bootstrapping Server Function that the user terminal requires keying material for use outside the cellular access network. The method also comprises transferring authentication information directly from the Home Subscriber Server to the Bootstrapping Server Function; and generating session keys in the Bootstrapping Server Function using said authentication information, wherein said session keys are also generated in the user terminal.
    Type: Grant
    Filed: April 13, 2015
    Date of Patent: December 18, 2018
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Vesa Torvinen, Vesa Lehtovirta, Katharina Pfeffer, Patrik Teppo, Monica Wifvesson
  • Patent number: 10158625
    Abstract: Methods and apparatus are provided for key pairing between peer D2D UEs in different eNBs or D2D areas. A method may comprise: receiving at a first access network node serving a first D2D area from a first user equipment in the first D2D area, a request for keys for a D2D communication between the first user equipment and a second user equipment, wherein the request comprises an identification of a second D2D area where the second user equipment is located and being different from the first D2D area; identifying a second access network node serving the second D2D area based on the identification; sending to the second access network node, a request for a security context of the second user equipment; and receiving from the second access network node the security context for obtaining the keys for the D2D communication.
    Type: Grant
    Filed: September 27, 2013
    Date of Patent: December 18, 2018
    Assignee: Nokia Technologies Oy
    Inventors: Yang Liu, Dajiang Zhang
  • Patent number: 10153895
    Abstract: The HOMOMORPHIC DATABASE OPERATIONS APPARATUSES, METHODS AND SYSTEMS (“HEDO”) transform transaction storage requests and homomorphic model queries using HEDO components into homomorphic model query results. In some implementations, the disclosure provides a processor-implemented method of securely querying a shared homomorphically encrypted data repository and performing cross-table homomorphic joins.
    Type: Grant
    Filed: January 11, 2018
    Date of Patent: December 11, 2018
    Assignee: VISA INTERNATIONAL SERVICE ASSOCIATION
    Inventors: Paul Payton, Scott Edington, Johan Van Tilburg
  • Patent number: 10154063
    Abstract: A device management apparatus includes a setting information acquisition unit that acquires setting information of one or more security setting items from a device; a policy information acquisition unit that acquires policy information defining a single piece of compliant information, a plurality of pieces of compliant information, or a compliant range, for each security setting item; a determination unit that determines whether each of the setting information of the one or more security setting items conforms, based on the policy information; a change unit that changes, when the setting information of any security setting item does not conform, the setting information so as to conform; and a distribution unit that distributes the changed setting information of the security setting item to the device.
    Type: Grant
    Filed: October 1, 2014
    Date of Patent: December 11, 2018
    Assignee: RICOH COMPANY, LIMITED
    Inventor: Atsuhisa Saitoh
  • Patent number: 10135826
    Abstract: A method of leveraging security-as-a-service for cloud-based file sharing includes receiving, at a cloud-based file sharing server external to an enterprise network and having connectivity to the enterprise network, instructions from an enterprise network to validate a file uploaded by a first user associated with the enterprise network before allowing the file to be downloaded. The file sharing server may then receive the file from the first user and forward the file to a cloud-based security-as-a-service (SECaaS) server that is also external to the enterprise network and has connectivity to the enterprise network. The file sharing server receives a determination of validation from the cloud-based SECaaS server and allows a second user to download the file based on the determination. To make the determination, the SECaaS server retrieves cryptographic keying material from a cloud-based key management server, and decrypts the file.
    Type: Grant
    Filed: September 4, 2015
    Date of Patent: November 20, 2018
    Assignee: Cisco Technology, Inc.
    Inventors: K. Tirumaleswar Reddy, Prashanth Patil, Daniel Wing
  • Patent number: 10110584
    Abstract: Credentials sent over a back channel during the authentication of a user to a RESTful service can elevate the trust the recipient system can place in the user's identity. The addition of an identity credential of higher strength can increase confidence in user identities electronically presented with a lower strength credential. Attributes from either credential can be used to determine authorization to a protected resource.
    Type: Grant
    Filed: September 15, 2016
    Date of Patent: October 23, 2018
    Assignee: JERICHO SYSTEMS CORPORATION
    Inventors: Timothy Schmoyer, Michael Dufel, David Staggs, Vijayababu Subramanium
  • Patent number: 10095636
    Abstract: Techniques and logic are presented for encrypting and decrypting applications and related data within a multi-processor system to prevent tampering. The decryption and encryption may be performed either between a system bus and a processor's individual L1 cache memory or between a processor's instruction and execution unit and their respective L1 caches. The logic may include one or more linear feedback shift registers (LFSRs) that may be used for generation of unique sequential address related codes to perform the decryption of instructions and transformation logic that may be used for generation of equivalent offset address related codes to perform decryption and encryption of data. The logic may also be programmable and may be used for test purposes.
    Type: Grant
    Filed: November 28, 2017
    Date of Patent: October 9, 2018
    Inventor: Laurence H. Cooke
  • Patent number: 10097350
    Abstract: In an embodiment, a security engine of a processor includes an identity provider logic to generate a first key pair of a key pairing associating system user and a service provider that provides a web service and having a second system coupled to the system via a network, to perform a secure communication with the second system to enable the second system to verify that the identity provider logic is executing in a trusted execution environment, and responsive to the verification, to send a first key of the first key pair to the second system. This key may enable the second system to verify an assertion communicated by the identity provider logic that the user has been authenticated to the system according to a multi-factor authentication. Other embodiments are described and claimed.
    Type: Grant
    Filed: February 3, 2017
    Date of Patent: October 9, 2018
    Assignee: Intel Corporation
    Inventors: Ned M. Smith, Conor P. Cahill, Victoria C. Moore, Jason Martin, Micah J. Sheller
  • Patent number: 10089651
    Abstract: A content broker can receive a request from a user's client device for access to a data stream, and determines whether the client device has a sufficient number of credits to consume the digital content. If the client device does not have a sufficient number of credits, the broker can provide the client device an opportunity to earn credits. The broker can send to the client device an advertisement stream, and a corresponding challenge query that includes a set of instructions for generating a challenge-response that proves the client device has consumed the advertisement stream. If the broker receives a valid challenge response from the client device, the broker can assign a predetermined number of credits to the user's account.
    Type: Grant
    Filed: March 3, 2014
    Date of Patent: October 2, 2018
    Assignee: Cisco Technology, Inc.
    Inventors: Priya Mahadevan, Glenn C. Scott, Roger C. Meike
  • Patent number: 10091185
    Abstract: The system has a user terminal. A client provides access for the user terminal to data entries stored in a database. A database holds information consisting of one or more data entries and data identifications connected to the data entries. The client forms data identification for a certain data entry to be stored in the database from a unique user name and a master password. A pair of the data identification and the data entry is stored. Access for the user terminal is provided to a data entry stored in a database by using the master password, and the unique user name.
    Type: Grant
    Filed: January 21, 2011
    Date of Patent: October 2, 2018
    Assignee: FINNISH TECHNOLOGY MANAGEMENT OY
    Inventors: Ilkka Pietikainen, Harri Yli-Kujala
  • Patent number: 10089655
    Abstract: A data-publishing system facilitates broadcasting a data stream so that each client device obtains a personalized data stream. During operation, a publisher can generate an encoded data stream that does not include a reproducible version of the data stream's contents, and generates an encoding sauce to provide to at least one data-brokering system. When a broker receives a request from a client device for access to the data stream, the broker validates the client device's access to the data stream, and uses the encoding sauce to generate a secret sauce for the client device. The client device can process the encoded data stream using instructions in the secret sauce to produce a personalized data stream that includes a reproducible version of the data stream's contents.
    Type: Grant
    Filed: November 27, 2013
    Date of Patent: October 2, 2018
    Assignee: Cisco Technology, Inc.
    Inventors: Priya Mahadevan, Roger C. Meike, Glenn C. Scott
  • Patent number: 10050789
    Abstract: A method relates to receiving, by an authentication server, an authentication request from a client device via a public network, selecting a first private key of the authentication server from a first range of numbers and a second private key of the authentication server from a second range of numbers, receiving, from the client device, a first public key of the client device and a second public key of the client device, calculating a third private key of the authentication server in view of the second private key of the authentication server and a numerical value of the password, receiving a third public key of the client device, calculating a session key of the authentication server in view of the second public key of the client device, the third public key of the client device, and the third private key of the authentication server, and validating the session key.
    Type: Grant
    Filed: November 24, 2015
    Date of Patent: August 14, 2018
    Assignee: Red Hat, Inc.
    Inventor: Nathaniel McCallum
  • Patent number: 10050966
    Abstract: The present disclosure is directed to methods and systems of providing a user-selectable list of disparately hosted applications. A device intermediary to a client and one or more servers may receive a user request to access a list of applications published to the user. The device may communicate to the client the list of published applications available to the user, the list comprising graphical icons corresponding to disparately hosted applications, at least one graphical icon corresponding to a third-party hosted application of the disparately hosted applications, the third party hosted application served by a remote third-party server. The device may receive a selection from the user of the at least one graphical icon. The device may communicate, from the remote third party server to the client of the user, execution of the third party hosted application responsive to the selection by the user.
    Type: Grant
    Filed: September 2, 2016
    Date of Patent: August 14, 2018
    Assignee: Citrix Systems, Inc.
    Inventors: Richard Hayton, Ajay Soni, Abhishek Chauhan, Rajiv Sinha, Minoo Gupta
  • Patent number: 10027475
    Abstract: An initiating key-agreement device (100) and a responding key-agreement device (200) are provided, configured to generate a symmetric key shared between them. The devices are configured for generating in electronic form a private random value (112, 212), obtaining in electronic form a public set of bivariate polynomials (122) and computing a univariate polynomial (124, 222) by summing the univariate polynomials obtained by substituting the private random value (112, 212) into the polynomials of the public set (122). The devices are configured to send their computed univariate polynomial to the other device, and to compute or reconstruct the shared symmetric key (214, 312) by substituting its generated private random value (112, 212) in the received univariate polynomial.
    Type: Grant
    Filed: July 14, 2014
    Date of Patent: July 17, 2018
    Assignee: KONINKLIJKE PHILIPS N.V.
    Inventors: Ronald Rietman, Oscar Garcia Morchon, Ludovicus Marinus Gerardus Maria Tolhuizen, Santos Merino Del Pozo
  • Patent number: 10015830
    Abstract: A communication apparatus functioning as a master device denies participation by new communication apparatuses in a network in communication parameter configuration mode based on participation statuses of communication apparatuses functioning as slave devices in the network. The communication apparatus functioning as a master device establishes the network in communication parameter configuration mode between the communication apparatuses participating in the network, and configures communication parameters.
    Type: Grant
    Filed: October 11, 2016
    Date of Patent: July 3, 2018
    Assignee: CANON KABUSHIKI KAISHA
    Inventor: Fumihide Goto
  • Patent number: 10015019
    Abstract: A method and system configured to produce a cryptographic signature on a message, under a key, at a user computer wherein the key is shared between the user computer, which stores a first key-share, and an authentication computer, which stores a second key-share and a first authentication value. The user computer encodes the message to produce a blinded message, produces the first authentication value from a user password and a secret value, and produces a second authentication value by encoding the first authentication value and a nonce. The authentication computer uses the nonce to determine if the first authentication value is correct and, if so, encodes the blinded message using the second key-share to produce a partial signature. The user computer produces a signature on the message under the key by encoding the partial signature and the message using the first key-share and an unblinding function.
    Type: Grant
    Filed: June 2, 2017
    Date of Patent: July 3, 2018
    Assignee: International Business Machines Corporation
    Inventors: Jan L. Camenisch, Anja Lehmann, Gregory Neven
  • Patent number: 10009182
    Abstract: A method and system configured to produce a cryptographic signature on a message, under a key, at a user computer wherein the key is shared between the user computer, which stores a first key-share, and an authentication computer, which stores a second key-share and a first authentication value. The user computer encodes the message to produce a blinded message, produces the first authentication value from a user password and a secret value, and produces a second authentication value by encoding the first authentication value and a nonce. The authentication computer uses the nonce to determine if the first authentication value is correct and, if so, encodes the blinded message using the second key-share to produce a partial signature. The user computer produces a signature on the message under the key by encoding the partial signature and the message using the first key-share and an unblinding function.
    Type: Grant
    Filed: April 4, 2017
    Date of Patent: June 26, 2018
    Assignee: International Business Machines Corporation
    Inventors: Jan L. Camenisch, Anja Lehmann, Gregory Neven
  • Patent number: 10002257
    Abstract: Systems and methods using a cryptographic key loader embedded in a removable data storage device are provided. In one embodiment, the removable data storage device can include a dedicated key memory storing one or more cryptographic keys for cryptographic processing of data by a host system. The removable data storage device can further include a dedicated data memory storing data subject to cryptographic processing by the host system. When the removable data cartridge is interfaced with the host system, the cryptographic key(s) and the data subject to cryptographic processing can become accessible to the host system.
    Type: Grant
    Filed: August 4, 2015
    Date of Patent: June 19, 2018
    Assignee: GE AVIATION SYSTEMS LLC
    Inventors: Deven J. Anthony, John Jared Creech
  • Patent number: 9992670
    Abstract: Facilitating authentication on communication between a mobile terminal and a server is achieved. The communication is made through a Serving GPRS Support Node (SGSN) of a network in which the mobile terminal is operating. A Home Public Land Mobile Network (PLMN) of the mobile terminal generates a ciphering key for encryption of packet-switched data between the mobile terminal and the server. As part of a message from a network entity in the Home PLMN to the SGSN in which the SGSN expects to receive the ciphering key, alternative data is communicated in place of the ciphering key. Secure communication between the mobile terminal and the server is performed by applying encryption using a ciphering key generated by a network entity in a Home PLMN of the mobile terminal in messages between the mobile terminal and the server.
    Type: Grant
    Filed: July 20, 2015
    Date of Patent: June 5, 2018
    Assignee: VODAFONE IP LICENSING LIMITED
    Inventors: Christopher Pudney, Assen Mahaboob Khan Golaup, Nicholas Bone
  • Patent number: 9992026
    Abstract: A system or method for enrolling a signature may include transmitting a user's public key and a time stamp to a client device. The method may further include receiving an encrypted time stamp and encrypted signature data associated with the user, wherein the signature data is encrypted using the user's public key. The encrypted time stamp may be decrypted using the user's private key, and the received encrypted signature data may be validated based on the decrypted time stamp. If the received encrypted signature data is determined to be valid, the encrypted signature data may be stored and digitally signed with the user's private key. The encrypted signature data may be further digitally certified with an administrator's private key.
    Type: Grant
    Filed: March 27, 2015
    Date of Patent: June 5, 2018
    Inventor: Mohammed Alawi E Geoffrey
  • Patent number: 9990249
    Abstract: Apparatus, systems, and/or methods may provide for identifying unencrypted data including a plurality of bits, wherein the unencrypted data may be encrypted and stored in memory. In addition, a determination may be made as to whether the unencrypted data includes a random distribution of the plurality of bits, for example based on a compressibility function. An integrity action may be implemented when the unencrypted data includes a random distribution of the plurality of bits, which may include error correction including a modification to ciphertext of the unencrypted data. Independently of error correction, a diffuser may generate intermediate and final ciphertext. In addition, a key and/or a tweak may be derived for a location in the memory. Moreover, an integrity value may be generated (e.g., as a copy) from a portion of the unencrypted data, and/or stored in a slot of an integrity check line based on the location.
    Type: Grant
    Filed: December 24, 2015
    Date of Patent: June 5, 2018
    Assignee: Intel Corporation
    Inventors: David M Durham, Siddhartha Chhabra, Sergej Deutsch, Men Long, Alpa T Narendra Trivedi
  • Patent number: 9985782
    Abstract: A method relates to receiving, by a processing device, a first request to decrypt encrypted data stored on an encrypted portion of a drive, transmitting, to a decryption server, a second request comprising an encrypted first encryption key, wherein the encrypted first encryption key is produced by encrypting a first encryption key using a public key of an asymmetric key pair, receiving the first encryption key from the decryption server, decrypting an encrypted second encryption key using the first encryption key to produce a second encryption key, and decrypting the encrypted data using the second encryption key to produce data.
    Type: Grant
    Filed: November 24, 2015
    Date of Patent: May 29, 2018
    Assignee: Red Hat, Inc.
    Inventor: Nathaniel McCallum
  • Patent number: 9973733
    Abstract: A communication system includes a terminal having a first storage section for storing a number of pieces of content information, a second storage section for storing a number of pieces of the content information, a storage control section for placing a content ID stored in the second storage section into purchase information for each terminal and stored in the second storage section, an access control section for controlling access to the content information corresponding to the content ID stored in the second storage section, and an accounting setting section for setting an amount of a fee to be imposed on the terminal in response to the purchase information.
    Type: Grant
    Filed: August 20, 2012
    Date of Patent: May 15, 2018
    Assignee: SONY CORPORATION
    Inventors: Takashi Kumagai, Izuru Tanaka
  • Patent number: 9965627
    Abstract: Threat detection instrumentation is simplified by providing and updating labels for computing objects in a context-sensitive manner. This may include simple labeling schemes to distinguish between objects, e.g., trusted/untrusted processes or corporate/private data. This may also include more granular labeling schemes such as a three-tiered scheme that identifies a category (e.g., financial, e-mail, game), static threat detection attributes (e.g., signatures, hashes, API calls), and explicit identification (e.g., what a file or process calls itself). By tracking such data for various computing objects and correlating these labels to malware occurrences, rules can be written for distribution to endpoints to facilitate threat detection based on, e.g., interactions of labeled objects, changes to object labels, and so forth.
    Type: Grant
    Filed: September 14, 2014
    Date of Patent: May 8, 2018
    Assignee: Sophos Limited
    Inventors: Kenneth D. Ray, Daniel Salvatore Schiappa, Simon Neil Reed, Mark D. Harris, Neil Robert Tyndale Watkiss, Andrew J. Thomas, Robert W. Cook, Harald Schütz, John Edward Tyrone Shaw, Anthony John Merry
  • Patent number: 9954678
    Abstract: A computer system can send a secure request over a named-data network to a remote device by generating an Interest with encrypted name components. During operation, the computer system can receive or obtain a request for data, such as from a local user or from a local application. If the system cannot satisfy the request locally, the system can determine at least a routable prefix and a name suffix associated with the request. The system can generate the secure Interest for the request by determining an encryption key that corresponds to a session with the remote computer system, and encrypts the name suffix using the session encryption key. The system then generates an Interest whose name includes the routable prefix and the encrypted name suffix, and disseminates the Interest over a named-data network to send the request to the remote computer system.
    Type: Grant
    Filed: February 6, 2014
    Date of Patent: April 24, 2018
    Assignee: Cisco Technology, Inc.
    Inventors: Marc E. Mosko, Ersin Uzun
  • Patent number: 9928485
    Abstract: Methods, apparatuses, computer program products, devices and systems are described that carry out accepting at least one indication of an interaction involving at least one member of a network; creating a persona corresponding to the at least one member of a network, wherein the persona is at least partly based on the indication of an interaction; and presenting the persona for use in the interaction involving the at least one member of the network.
    Type: Grant
    Filed: November 16, 2011
    Date of Patent: March 27, 2018
    Assignee: Elwha LLC
    Inventors: Marc E. Davis, Matthew G. Dyor, William Gates, Xuedong Huang, Roderick A. Hyde, Edward K. Y. Jung, Jordin T. Kare, Royce A. Levien, Richard T. Lord, Robert W. Lord, Qi Lu, Mark A. Malamud, Nathan P. Myhrvold, Satya Nadella, Daniel Reed, Harry Shum, Clarence T. Tegreene, Lowell L. Wood, Jr.
  • Patent number: 9923720
    Abstract: A network device (110) is provided which is configured to determine a shared cryptographic key of key length (b) bits shared with a second network device (120) from a polynomial and an identity number of the second network device. A reduction algorithm is used to evaluate the polynomial in the identity number of the second network device and reduce modulo a public modulus and modulo a key modulus. The reduction algorithm comprises an iteration over the terms of the polynomial. In at least the iteration which iteration is associated with a particular term of the polynomial are comprised a first and second multiplication. The first multiplication is between the identity number and a least significant part of the coefficient of the particular term obtained from the representation of the polynomial, the least significant part of the coefficient being formed by the key length least significant bits of the coefficient of the particular term.
    Type: Grant
    Filed: February 11, 2014
    Date of Patent: March 20, 2018
    Assignee: KONINKLIJKE PHILIPS N.V.
    Inventors: Oscar Garcia Morchon, Sandeep Shankaran Kumar, Ludovicus Marinus Gerardus Maria Tolhuizen
  • Patent number: 9922200
    Abstract: Systems, methods, and computer-readable storage media are provided for securely storing and accessing content within a public cloud. A processor manufacturer provides processors having secure enclave capability to a cloud provider. The provider makes available a listing of processor identifiers (CPUIDs) for processors available for storing content and having secure enclave capability. A content owner provides CPUIDs for desired processors from the listing to the manufacturer which provides the content owner with a processor-specific public code encryption key (CEK) for encrypting content to be stored on each processor identified. Each processor is constructed such that content encrypted with the public CEK may only be decrypted within a secure enclave thereof. The content owner encrypts the desired content with the public CEK and returns the encrypted content and the CPUID for the appropriate processor to the cloud provider. The cloud provider then stores the encrypted content on the particular processor.
    Type: Grant
    Filed: June 30, 2014
    Date of Patent: March 20, 2018
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Galen Clyde Hunt, Mark Eugene Russinovich
  • Patent number: 9913150
    Abstract: Disclosed are a method and device for implementing a microwave device trusteeship. The method includes: a plurality of all-outdoor units (AOUs) are configured into a trusteeship mode; the AOUs already configured into the trusteeship mode are respectively connected to the ports of the service units of an IP device; by accessing the IP device by the AOUs configured into a trusteeship mode, the connected AOUs are configured at the corresponding ports of the service unit of the IP device, and the virtual slot numbers of the connected AOUs are generated; and the IP device selects at least two AOUs from the plurality of AOUs already configured into a trusteeship mode to form a protection group, and sets a transmission unit number for each selected corresponding AOU, so as to virtually set each of the selected AOUs as a transmission unit of the IP device.
    Type: Grant
    Filed: September 23, 2013
    Date of Patent: March 6, 2018
    Assignee: ZTE CORPORATION
    Inventors: Yazhou Liu, Guangwei Li
  • Patent number: 9894053
    Abstract: Embodiments of the present application relate to a method, a system, and a computer program product for authenticating a service. A method for authenticating a service is provided. The method includes receiving a first service request from a first terminal, generating a first link address that is used to link to an access location based on the received first service request, determining a preset terminal identifier corresponding to a second terminal, the preset terminal identifier being a terminal identifier preset by the user, sending the first link address to the second terminal, receiving a first link request, determining an issued terminal identifier based on the first link request, comparing the determined issued terminal identifier with the preset terminal identifier of the second terminal, and performing a next processing operation on the first service request based on the comparison result.
    Type: Grant
    Filed: June 30, 2016
    Date of Patent: February 13, 2018
    Assignee: Alibaba Group Holding Limited
    Inventor: Kai Cao
  • Patent number: 9892239
    Abstract: Techniques and mechanisms described herein facilitate the management of digital rights for media content item presentation. According to various embodiments, a request for a content decryption key may be received at a media application implemented at a computing device. The request may be transmitted by a media content player implemented at the computing device. The request may be transmitted in accordance with a designated key exchange protocol. A license for an encrypted media content item corresponding with the requested content decryption key may be identified at the media application. Based on information included in the license, encrypted key material may be decrypted to create the requested content decryption key via a processor at the computing device. The requested content decryption key may be provided to the media content player.
    Type: Grant
    Filed: January 29, 2013
    Date of Patent: February 13, 2018
    Assignee: MOBITV, INC.
    Inventors: Fritz Barnes, Torbjorn Einarsson, Do Hyun Chung, Ken Klinner
  • Patent number: 9846656
    Abstract: Techniques and logic are presented for encrypting and decrypting applications and related data within a multi-processor system to prevent tampering. The decryption and encryption may be performed either between a system bus and a processor's individual L1 cache memory or between a processor's instruction and execution unit and their respective L1 caches. The logic may include one or more linear feedback shift registers (LFSRs) that may be used for generation of unique sequential address related codes to perform the decryption of instructions and transformation logic that may be used for generation of equivalent offset address related codes to perform decryption and encryption of data. The logic may also be programmable and may be used for test purposes.
    Type: Grant
    Filed: December 7, 2015
    Date of Patent: December 19, 2017
    Inventor: Laurence H. Cooke
  • Patent number: 9830433
    Abstract: The present invention provides a method for creating an electronic document file comprising monitoring creation and changes of an electronic document file, receiving a policy file including document level set-up information and security policy, searching for words associated with business information from the text data retrieved from the electronic document file, computing an exposure score of the electronic document file based on the number of times for words associated with business information being searched and document level set-up information, assigning a document level to the electronic document file based on the exposure score, and inserting a watermark to text of the electronic document file to be displayed on the client device based on the user's personal information received from the server. Accordingly, leakage of business documents for electronic document files including business information can be prevented by providing pre-security and post-security measures stronger than conventional measures.
    Type: Grant
    Filed: July 24, 2014
    Date of Patent: November 28, 2017
    Assignee: MARKANY, INC.
    Inventors: Jong-Uk Choi, Joo Won Cho, Yusep Rosmansyah
  • Patent number: 9819666
    Abstract: This disclosure pertains generally to client authentication. One aspect of the disclosure relates to a first server for presenting evidence to a Domain Controller (DC) of a first authentication context being submitted from a client to the first server to obtain a delegable credential, wherein the credential can be used to request a second authentication context from that client to a second server. Another aspect relates to the first server providing a pass-thru with evidence to a DC. The evidence relates to a first authentication context being submitted from a client to the first server that it obtained a delegable credential. The pass-thru is used in combination with the credential to request a second authentication context from the client to a second server.
    Type: Grant
    Filed: March 1, 2016
    Date of Patent: November 14, 2017
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: David R. Mowers, John A. Banes, Daniel R. Simon, Paul J. Leach
  • Patent number: 9812138
    Abstract: A robust digital fingerprint of a file ensures that one able to produce the robust digital fingerprint has possession of the file. A client obtains information that is unpredictable to the client and uses that information to modify the file and generate a robust digital fingerprint from the modified file. A server, with access to the same unpredictable information, verifies the generated robust digital fingerprint. An algorithm for generating the robust digital fingerprint has a property that different representations of the same content will produce matching digital fingerprints.
    Type: Grant
    Filed: September 3, 2014
    Date of Patent: November 7, 2017
    Assignee: Amazon Technologies, Inc.
    Inventor: Thibault Candebat
  • Patent number: 9769127
    Abstract: Systems and methods for a smart card accessible over a personal area network (PAN). An example method may include: communicatively coupling a device to the PAN, storing a digital certificate that identifies a user, logging the user on to an additional device within the PAN, and providing an encryption service for the additional device, by: receiving a message to be encrypted, encrypting the message, sending the encrypted message to the additional device via the PAN, receiving an encrypted version of an additional message, decrypting the additional message using the private key associated with the user to produce an unencrypted version of the additional message, and sending the unencrypted version of the additional message to the additional device via the PAN.
    Type: Grant
    Filed: June 3, 2015
    Date of Patent: September 19, 2017
    Assignee: Red Hat, Inc.
    Inventor: Peter A. Rowley
  • Patent number: 9762387
    Abstract: A method for establishing an encrypted communication channel is described. Query IDs are generated at a first device. Each query ID identifies a keyword in a set of keywords. Query IDs are received, at a second device. A second set of keywords is determined by the second device based on the query IDs. Match IDs are determined based on the second set. Each match ID identifies a keyword in the second set. An encryption key is generated based on the second set. A response is sent which includes the match IDs and an encrypted message. At the first device, the second set is determined based on the match IDs. The second set includes keywords of the first set of keywords identified by the match IDs. The encryption key is generated at the first device and the encrypted message is decrypted. Apparatus and computer readable media are also described.
    Type: Grant
    Filed: September 13, 2012
    Date of Patent: September 12, 2017
    Assignee: Nokia Technologies Oy
    Inventors: Kari J. Leppänen, Philip Ginzboorg, Janne Kulmala, Antti Laine, Marko Hannikainen
  • Patent number: 9754217
    Abstract: A data leak protection system and methods thereof are described that identify and analyze a digital fingerprint for a data package, the digital fingerprint characterizing the data package based on a corpus of data within the data package. In one embodiment, an asset descriptor is configured to identify one or more assets within the corpus of data while a contextual analyzer frames the one or more assets into the prevailing contextual environment. Then, a domain identifier further identifies a data perimeter based on the assets identified for the prevailing contextual environment. A comparison of the digital fingerprint to a collection of domain specific identifiers allows further actions responsive to a digital fingerprint falling outside of the data perimeter for an identified contextual environment. In one example, a data leak triggers quarantining of the data package for further manual processing.
    Type: Grant
    Filed: May 1, 2015
    Date of Patent: September 5, 2017
    Assignee: Cirius Messaging Inc.
    Inventors: Thierry LeVasseur, Philippe Richard
  • Patent number: 9755839
    Abstract: A method and system configured to produce a cryptographic signature on a message, under a key, at a user computer wherein the key is shared between the user computer, which stores a first key-share, and an authentication computer, which stores a second key-share and a first authentication value. The user computer encodes the message to produce a blinded message, produces the first authentication value from a user password and a secret value, and produces a second authentication value by encoding the first authentication value and a nonce. The authentication computer uses the nonce to determine if the first authentication value is correct and, if so, encodes the blinded message using the second key-share to produce a partial signature. The user computer produces a signature on the message under the key by encoding the partial signature and the message using the first key-share and an unblinding function.
    Type: Grant
    Filed: June 17, 2015
    Date of Patent: September 5, 2017
    Assignee: International Business Machines Corporation
    Inventors: Jan L. Camenisch, Anja Lehmann, Gregory Neven
  • Patent number: 9755826
    Abstract: According to an embodiment, a quantum key distribution device includes a sharer, a key distillation processor, a first manager, and a second manager. The sharer is configured to share a photon string with another quantum key distribution device using quantum key distribution via a quantum distribution channel, and obtain a photon bit string corresponding to the photon string. The key distillation processor is configured to generate a link key from the photon bit string. The first manager is configured to store the link key as a link transmission key. The second manager is configured to store, in a storage, a first application key from an application key to be used in cryptographic data communication, encrypt a second application key from the application key, using the link transmission key, and send the encrypted second application key to another quantum key distribution device via a classical communication channel.
    Type: Grant
    Filed: October 22, 2015
    Date of Patent: September 5, 2017
    Assignee: Kabushiki Kaisha Toshiba
    Inventor: Yoshimichi Tanizawa
  • Patent number: 9756029
    Abstract: For authenticating at least one terminal requesting access to at least one resource, an authentication server performs: obtaining for each terminal at least one piece of authentication information; transmitting to a gateway device at least one checking function, or coefficients thereof. Each piece of authentication information is representative of a value such that, when inputted to respective checking function(s), the checking function(s) return(s) a predefined value.
    Type: Grant
    Filed: November 1, 2013
    Date of Patent: September 5, 2017
    Assignee: Mitsubishi Electric Corporation
    Inventors: Nicolas Gresset, Herve Bonneville