Key Distribution Center Patents (Class 380/279)
  • Patent number: 8750507
    Abstract: A technique for dynamically creating and deleting groups to support secure group communication sessions is provided herein. A request for creation of a dynamic group that enables group members to participate in a secure group communication session is received by a network authentication device such as a key server. Creation of the dynamic group includes generating a lifetime attribute indicating when the dynamic group is to exist based on timing information provided in the request, along with security policies required for generating the keys, and generating a unique group ID associated with the dynamic group for distribution to the group members. The keys for the secure group communication session are supplied, along with security policies, in response to a request containing the unique group ID identifying the dynamic group. The dynamic group is deleted in response to determining from the lifetime attribute that the secure group communication session has expired.
    Type: Grant
    Filed: January 25, 2010
    Date of Patent: June 10, 2014
    Assignee: Cisco Technology, Inc.
    Inventors: Tanya Roosta, Kavitha Kamarthy, Dinesh Ranjit
  • Patent number: 8744082
    Abstract: A system and method for securing wireless communications are provided. A method for secure communications by a first user includes estimating a channel between the first user and a second user based on a pilot signal transmitted by the second user, determining a first threshold and a second threshold based on the estimate of the channel, selecting a first subset of channel estimates, signaling the first subset of channel estimates to the second user, receiving a second subset of channel estimates from the second user, for each channel estimate in the second subset of channel estimates, quantizing the channel estimate based on a relationship between a gain of the channel estimate and the first threshold and the second threshold, generating a first secret key based on quantized channel estimates, verifying that the first secret key matches a second secret key generated by the second user, and transmitting information to the second user.
    Type: Grant
    Filed: November 3, 2010
    Date of Patent: June 3, 2014
    Assignee: Futurewei Technologies, Inc.
    Inventors: Hung D. Ly, Yufei Blankenship, Tie Liu
  • Patent number: 8737624
    Abstract: The present invention provides a method and system for securing a digital data stream. A first key of a first asymmetric key pair from a key store remote from a host node is received at the host node. A dynamically generated key is received at the host node, which is used to encipher the digital data stream. The dynamically generated key is enciphered with the first key of the first asymmetric key pair. The enciphered digital data stream and the enciphered dynamically generated key are stored remotely from the host node and the key store.
    Type: Grant
    Filed: February 18, 2013
    Date of Patent: May 27, 2014
    Assignee: MyMail Technology, LLC
    Inventors: Thomas Drennan Selgas, Jonathan Cutrer
  • Patent number: 8737623
    Abstract: Systems and methods for remotely loading encryption keys in card reader systems are provided. One such method includes storing, at a card reader, a device identification number for identifying the card reader, a first magnetic fingerprint of a data card, and a second magnetic fingerprint of the data card, wherein each of the first and second fingerprints includes an intrinsic magnetic characteristic of the data card, encrypting, using a first encryption key derived from the second fingerprint, information including the device identification number and first fingerprint, sending the encrypted information to an authentication server, receiving, from the authentication server, a score indicative of a degree of correlation between the first fingerprint and second fingerprint, and receiving, when the score is above a preselected threshold, a second encryption key from the authentication server, the second encryption key encrypted using a third encryption key derived from the first fingerprint.
    Type: Grant
    Filed: September 13, 2011
    Date of Patent: May 27, 2014
    Assignee: Magtek, Inc.
    Inventor: Annmarie D. Hart
  • Patent number: 8731201
    Abstract: Techniques for securing content in an untrusted environment are provided. Content is encrypted and stored with a content delivery service in an encrypted format. Encrypted versions of a content encryption/decryption key and a first key are also housed and distributed by the content delivery service. The first key is used to decrypt the encrypted version of the content encryption/decryption key. The content delivery service is unaware of the content encryption/decryption key and the first key; and the content held by the content delivery service is encrypted with the content encryption/decryption key. Principals securely share, create, manage, and retrieve the encrypted versions of the content encryption/decryption key and the first key from the content delivery service using secure communications. The encrypted content is obtainable via insecure communications from the content delivery service.
    Type: Grant
    Filed: November 30, 2010
    Date of Patent: May 20, 2014
    Assignee: Novell Intellectual Property Holdings, Inc.
    Inventors: Tammy Anita Green, Jim Alan Nicolet, Haripriya Srinivasaraghavan
  • Patent number: 8731202
    Abstract: Spread of a forged storage medium is prevented while keeping damage to an authentic storage medium and trouble to its owner to a minimum. When there is an update request for user key data, the update history of the user key data for the presented medium identifier IDm is consulted. When it is judged that the user key data for the presented medium identifier IDm has not been updated within a predetermined period, the update of the user key data is performed. The update request is refused when it is judged that the user key data for the presented medium identifier IDm has been updated within a predetermined period.
    Type: Grant
    Filed: February 9, 2012
    Date of Patent: May 20, 2014
    Assignee: Kabushiki Kaisha Toshiba
    Inventors: Akihiro Kasahara, Akira Miura, Hiroshi Suu
  • Patent number: 8731191
    Abstract: An embodiment of the invention provides a data encryption method for an electrical device. The method comprises: generating an identification code corresponding to the electrical device; generating a temporary key according to the identification code; encrypting first data to generate a first secret key according to the temporary key and a first encryption mechanism; and encrypting the first secret key by a second encryption mechanism to generate an encrypted key.
    Type: Grant
    Filed: November 23, 2011
    Date of Patent: May 20, 2014
    Assignee: VIA Technologies, Inc.
    Inventors: Guanghui Wu, Shoudi Li, Xue Cui
  • Patent number: 8726023
    Abstract: Methods, a client entity, network entities, a system, and a computer program product perform authentication between a client entity and a network. The network includes at least a bootstrapping server function entity and a network application function entity. The client entity is not able to communicate with both of the network entities in a bidirectional manner. The 3GPP standard Ub reference point between the client entity and the bootstrapping server function entity is not utilized for authentication purposes, such as authentication using GAA functionality for unidirectional network connections.
    Type: Grant
    Filed: April 19, 2005
    Date of Patent: May 13, 2014
    Assignee: Nokia Corporation
    Inventor: Pekka Laitinen
  • Patent number: 8724803
    Abstract: A method and apparatus for secure generation of a short-term key SK for viewing information content in a Multicast-broadcast-multimedia system are described. A short-term key is generated by a memory module residing in user equipment (UE) only when the source of the information used to generate the short-term key can be validated. A short-term key can be generated by a Broadcast Access Key (BAK) or a derivative of BAK and a changing value with a Message Authentication Code (MAC) appended to the changing value. A short-term key (SK) can also be generated by using a private key and a short-term key (SK) manager with a corresponding public key distributed to the memory module residing in the user equipment (UE), using a digital signature.
    Type: Grant
    Filed: September 1, 2004
    Date of Patent: May 13, 2014
    Assignee: QUALCOMM Incorporated
    Inventors: James Semple, Gregory Gordon Rose
  • Patent number: 8724817
    Abstract: A method for managing keys in a computer memory including receiving a request to store a first key to a first key repository, storing the first key to a second key repository in response to the request, and storing the first key from the second key repository to the first key repository within said computer memory based on a predetermined periodicity.
    Type: Grant
    Filed: April 30, 2012
    Date of Patent: May 13, 2014
    Assignee: International Business Machines Corporation
    Inventors: Bruce A. Rich, Thomas H. Benjamin, John T. Peck
  • Publication number: 20140126723
    Abstract: The present invention relates to a method, an apparatus, and a system for protecting cloud data security. A key management center encrypts original data M sent by a first terminal using a key K, and uploads encrypted data C1 to a cloud server. When the key management center receives a request from a second terminal for the data M, it generates encrypted data C2 by first encrypting C1 with a key Kb of the second terminal and then decrypting the result with the key K that was used to encrypt the original data M to generate C1. The key management center then sends the encrypted data C2 to the second terminal. The second terminal decrypts the encrypted data C2 using its own key Kb to obtain the original data M.
    Type: Application
    Filed: December 27, 2013
    Publication date: May 8, 2014
    Applicant: HUAWEI TECHNOLOGIES CO., LTD.
    Inventors: Jingbin ZHANG, Chengdong HE
  • Patent number: 8719932
    Abstract: A system and method for researching an identity of a source of activity that is indicative of pestware is described. In one embodiment the method comprises monitoring, using a kernel-mode driver, API call activity on the computer; storing information related to the API call activity in a log; analyzing, heuristically, the API call activity to determine whether one or more weighted factors associated with the API call activity exceeds a threshold; identifying, based upon the API call activity, a suspected pestware object on the computer; identifying, in response to the identifying the suspected pestware object, a reference to an identity of an externally networked source of the suspected pestware object; and reporting the identity of the externally networked source to an externally networked pestware research entity.
    Type: Grant
    Filed: June 6, 2012
    Date of Patent: May 6, 2014
    Assignee: Webroot Inc.
    Inventor: Matthew L. Boney
  • Patent number: 8719570
    Abstract: The present invention relates to a roaming electronic transaction terminal. It also relates to a secure system for electronic transactions comprising one or more roaming terminals. The terminal (1) has an application package support (2) and a coupler (3) for carrying out the read and write operations on a medium that are required for the electronic transactions in conjunction with the application package. The coupler (3) comprises means for creating a write time window and a read time window on the basis of a secure input signal, all writing and all reading being disabled outside of the corresponding windows. The invention applies notably for the securing of terminals carrying out checks and contractual transactions on supports equipped with processors and memories, it being possible for these supports to be through contactless read and write cards comprising for example transport entitlements, payment means or any other entitlements to be turned to account.
    Type: Grant
    Filed: April 28, 2006
    Date of Patent: May 6, 2014
    Assignee: Thales
    Inventors: Thierry D'Athis, Philippe Dailly, Pascal Morin, Denis Ratier
  • Patent number: 8719574
    Abstract: A server, method and/or computer-readable medium system for secure communication includes a certificate authority for generating certificates signed by the certificate authority and associated public and private keys for a client. The server further includes a directory of client attributes and client virtual attributes. At least one of the client virtual attributes is for, when receiving a query for a client that cannot be located in the directory, requesting the certificate authority to dynamically generate a certificate and associated public and private key for the client, and for storing the dynamically generated certificate and public key as a client attribute in the directory.
    Type: Grant
    Filed: August 31, 2006
    Date of Patent: May 6, 2014
    Assignee: Red Hat, Inc.
    Inventor: Robert Relyea
  • Patent number: 8711843
    Abstract: Enhanced cryptographically generated addresses (ECGA) for MIPv6 incorporate a built-in backward key chain. The backward key chain prevents time-memory attacks to discover a network address and helps prevent spoofing a network address of a mobile node. The backward key chain also provides a means to authenticate network addresses of a mobile node.
    Type: Grant
    Filed: December 15, 2010
    Date of Patent: April 29, 2014
    Assignee: Telefonaktiebolaget LM Ericsson (Publ)
    Inventor: Angelo Rossi
  • Patent number: 8712042
    Abstract: A method of generating a public key in a secure digital communication system, having at least one trusted entity CA and subscriber entities A. The trusted entity selects a unique identity distinguishing each entity A. The trusted entity then generates a public key reconstruction public data of the entity A by mathematically combining public values obtained from respective private values of the trusted entity and the entity A. The unique identity and public key reconstruction public data of the entity A serve as A's implicit certificate. The trusted entity combines the implicit certificate information with a mathematical function to derive an entity information f and generates a value kA by binding f with private values of the trusted entity. The trusted entity transmits the value kA to the entity to permit A to generate a private key from kA, A's private value and A's implicit certificate.
    Type: Grant
    Filed: June 19, 2012
    Date of Patent: April 29, 2014
    Assignee: Certicom Corp.
    Inventors: Minghua Qu, Scott A. Vanstone
  • Patent number: 8705735
    Abstract: A method of generating a public key in a secure digital communication system, having at least one trusted entity CA and subscriber entities A. The trusted entity selects a unique identity distinguishing each entity A. The trusted entity then generates a public key reconstruction public data of the entity A by mathematically combining public values obtained from respective private values of the trusted entity and the entity A. The unique identity and public key reconstruction public data of the entity A serve as A's implicit certificate. The trusted entity combines the implicit certificate information with a mathematical function to derive an entity information ƒ and generates a value kA by binding ƒ with private values of the trusted entity. The trusted entity transmits the value kA to the entity to permit A to generate a private key from kA, A's private value and A's implicit certificate.
    Type: Grant
    Filed: June 19, 2012
    Date of Patent: April 22, 2014
    Assignee: Certicom Corp.
    Inventors: Minghua Qu, Scott A. Vanstone
  • Patent number: 8707022
    Abstract: Apparatus and methods for efficiently distributing and storing access control clients within a network. In one embodiment, the access clients include electronic Subscriber Identity Modules (eSIMs), and an eSIM distribution network infrastructure is described which enforces eSIM uniqueness and conservation, distributes network traffic to prevent “bottle necking” congestion, and provides reasonable disaster recovery capabilities. In one variant, eSIMs are securely stored at electronic Universal Integrated Circuit Card (eUICC) appliances which ensure eSIM uniqueness and conservation. Access to the eUICC appliances is made via multiple eSIM depots, which ensure that network load is distributed. Persistent storage is additionally described, for among other activities, archiving and backup.
    Type: Grant
    Filed: April 27, 2011
    Date of Patent: April 22, 2014
    Assignee: Apple Inc.
    Inventors: David T. Haggerty, Jerrold Von Hauck, Kevin McLaughlin
  • Patent number: 8705744
    Abstract: When installing and maintaining a wireless sensor network in a medical or factory environment, distribution of keying material to sensor nodes (18) is performed by a key material box (KMB) (12), such as a smartcard or the like. The KMB (12) has a random seed stored to it during manufacture, and upon activation performs an authentication protocol with a sensor node (18) to be updated or installed. The KMB (12) receives node identification information, which is used in conjunction with the random seed to generate keying material for the node (18). The KMB (12) then encrypts the keying material for transmission to the node (18), and transmits over a wired or wireless communication link in a secure manner. The node (18) sends an acknowledgement message back to the KMB (12), which then updates the node's status in look-up tables stored in the KMB (12).
    Type: Grant
    Filed: March 28, 2008
    Date of Patent: April 22, 2014
    Assignee: Koninklijke Philips N.V.
    Inventors: Axel G. Huebner, Heribert Baldus, Oscar Garcia
  • Patent number: 8705746
    Abstract: A system that enables a cloud-based data repository to function as a secure ‘drop-box’ for data that corresponds to a user is provided. The ‘drop box’ can be facilitated through the use of cryptographic keying technologies. For instance, data that is ‘dropped’ by or on behalf of a particular user can be encrypted using a public key that corresponds to a user-specific private key. Thus, although the data resides within the large pool of ‘cloud-based’ data, it is protected since it can only be decrypted by using the private key, which is kept secret. The innovation can further facilitate user-centric secure storage by partitioning the cloud-based repository into multiple partitions, each of which corresponds to specific indexing criteria.
    Type: Grant
    Filed: December 20, 2006
    Date of Patent: April 22, 2014
    Assignee: Microsoft Corporation
    Inventors: Henricus Johannes Maria Meijer, William H. Gates, III, Raymond E Ozzie, Thomas F. Bergstraesser, Lili Cheng, Michael Connolly, Alexander G. Gounares, Debi P. Mishra, Ira L. Snyder, Jr., Melora Zaner-Godsey
  • Patent number: 8705738
    Abstract: Systems and/or methods of selectively terminating security in mobile networks are presented. User equipment (UE) can specify cipher termination location capabilities for encrypting/decrypting data packets to a base station in a mobile network. The mobile network can subsequently determine at which node in the network to terminate the cipher in part according to the capabilities provided and deliver the determined location to the UE. The determined cipher termination location can be provided in response to a request to initiate communications; the initial request can specify the capabilities. The UE can utilize the location to support disparate types of networks and to intelligently deal with hand-offs and other functions of the mobile network.
    Type: Grant
    Filed: September 28, 2007
    Date of Patent: April 22, 2014
    Assignee: Cisco Technology, Inc.
    Inventors: Mark Grayson, Vojislav Vucetic
  • Patent number: 8705745
    Abstract: A method for transmitting deferred media information in an Internet Protocol (IP) multimedia subsystem (IMS) includes: a sending party of the media information sends a key generation parameter encrypted with a Ka to a mailbox application server of a receiving party of the media information, the mailbox application server stores or saves the encrypted key generation parameters, and sends the encrypted key generation parameters to a key management server (KMS); the KMS generates a media key K and forwards it to the sending party through the mailbox application server of the receiving party; the receiving party obtains the encrypted key generation parameter from the mailbox application server and sends it to the KMS; the KMS generates the K and sends it to the receiving party; the receiving party decrypts the encrypted media information by using the K. A corresponding system is also disclosed.
    Type: Grant
    Filed: March 22, 2010
    Date of Patent: April 22, 2014
    Assignee: ZTE Corporation
    Inventors: Tian Tian, Yunwen Zhu, Yinxing Wei, Zhimeng Teng
  • Patent number: 8698873
    Abstract: Techniques for enabling video conferencing with interactive sharing of drawings and/or other information. In one set of embodiments, a system is provided that includes a drawing surface, a video camera embedded or integrated into the drawing surface, and a front projector. The drawing surface can capture drawings made on the surface by a user, and the video camera can capture a video stream of the user. The system can send digital information representing the captured drawings and the video stream to a remote system. The system can also receive digital information representing drawings made by a remote user and a video stream of the remote user from the remote system. The front projector can project a video signal onto the drawing surface that incorporates the captured drawings, the drawings made by the remote user, and the video stream of the remote user.
    Type: Grant
    Filed: March 7, 2011
    Date of Patent: April 15, 2014
    Assignee: Ricoh Company, Ltd.
    Inventor: John Barrus
  • Patent number: 8693693
    Abstract: Disclosed herein is an information processing apparatus that serves as a server that performs data transmission in response to receipt of media information from a user device. The information processing apparatus includes: an encrypted transmission data storage database that stores a transmission data identifier and encrypted transmission data such that the transmission data identifier and the encrypted transmission data are associated with each other; and a control section configured to acquire, from a key management server, an encrypted unit key obtained by encrypting a unit key that is used to encrypt the transmission data, and transmit the acquired encrypted unit key and the encrypted transmission data to the user device.
    Type: Grant
    Filed: June 9, 2008
    Date of Patent: April 8, 2014
    Assignee: Sony Corporation
    Inventors: Tatsuya Inokuchi, Takahisa Ohgami, Kazuyoshi Takahashi
  • Patent number: 8693692
    Abstract: Systems and methods of direct delivery of content descrambling keys using chip-unique code are described herein. One such method includes receiving a unique chip identifier from a digital subscriber communications terminal; determining a chip key associated to the chip identifier; encrypting a service instance using the chip key; and transmitting the encrypted service instance. One such system includes a chip key server configured to store a plurality of chip identifiers, each identifier associated with a chip key, and configured to receive a unique chip identifier from a digital subscriber communications terminal; and an encryptor configured to encrypt a service instance using the chip key associated with the unique chip identifier, the chip key provided by the chip key server.
    Type: Grant
    Filed: March 18, 2008
    Date of Patent: April 8, 2014
    Assignee: Cisco Technology, Inc.
    Inventor: Howard Pinder
  • Publication number: 20140095864
    Abstract: In one embodiment, a capable node in a low power and lossy network (LLN) may monitor the authentication time for one or more nodes in the LLN. The capable node may dynamically correlate the authentication time with the location of the one or more nodes in the LLN in order to identify one or more authentication-delayed nodes. The node may then select, based on the location of the one or more authentication-delayed nodes, one or more key-delegation nodes to receive one or more network keys so that the key-delegation nodes may perform localized authentication of one or more of the authentication-delayed nodes. The capable node may then distribute the one or more network keys to the one or more key-delegation nodes.
    Type: Application
    Filed: September 28, 2012
    Publication date: April 3, 2014
    Applicant: Cisco Technology, Inc.
    Inventors: Sukrit Dasgupta, Jean-Philippe Vasseur
  • Patent number: 8688986
    Abstract: A method for exchanging strong encryption keys between devices using alternate input methods. At least two devices that want to communicate with one another are set in key exchange mode. The at least two devices are to communicate with one another using a short range radio or personal area network. The at least two devices negotiate with one another to determine which of the at least two devices will generate an encryption key, wherein device A represents the negotiated device and device B represents the non-negotiated device. Device A generates the encryption key and transmits the encryption key to device B using an out-of-band transmission channel. The out-of-band transmission channel may be transmitting the encryption key via audio tones. A validation process determines whether the transmission of the encryption key via the out-of-band transmission channel was successful.
    Type: Grant
    Filed: December 27, 2006
    Date of Patent: April 1, 2014
    Assignee: Intel Corporation
    Inventors: Tobias Max Kohlenberg, Selim Aissi
  • Patent number: 8683602
    Abstract: A system and method for secure transport of data, the method comprising: sharing of key information with a key distributor, wherein the key information is for enabling decryption of first and second encrypted data, the key distributor being for making one or more decryption keys available to an authorized user; creating a container object, the container object comprising: first encrypted data having a first encryption based on at least a part of said key information; second encrypted data having a second encryption based on at least a part of said key information, wherein the first encryption is different to the second encryption; and metadata relating to the first encrypted data and the second encrypted data; and sending the container object to a data store or otherwise making the container object available, to allow user access to said data container object.
    Type: Grant
    Filed: February 5, 2010
    Date of Patent: March 25, 2014
    Assignee: Thales Holdings UK PLC
    Inventors: Adrian Waller, Glyn Jones
  • Patent number: 8681994
    Abstract: Systems and methods for document control using public key encryption are provided. An interface program serves as a software interface between user applications used to create and access documents and a data storage system that stores the documents in an encrypted form. When a document is saved for the first time, information corresponding to the destruction of that document is obtained either from a user or in accordance with predefined criteria. The document is encrypted and stored with a pointer to an encryption key on a token/key server. When the document is subsequently accessed, the interface program will read the pointer and attempt to retrieve the key. If the key has expired in accordance with the destruction policy, the document is inaccessible. Otherwise, the document is decrypted using the key. Multiple documents may be saved according to the same destruction policy and even the same key, thereby greatly enhancing the ability to “destroy” documents regardless of their location with minimal process.
    Type: Grant
    Filed: March 15, 2011
    Date of Patent: March 25, 2014
    Assignee: Verizon Patent and Licensing Inc.
    Inventor: John-Francis Mergen
  • Patent number: 8681995
    Abstract: Multiple peer domain name system (DNS) servers are included in a multi-master DNS environment. One of the multiple peer DNS servers is a key master peer DNS server that generates one or more keys for a DNS zone serviced by the multiple peer DNS servers. The key master peer DNS server can also generate a signing key descriptor that identifies the set of one or more keys for the DNS zone, and communicate the signing key descriptor to the other ones of the multiple peer DNS servers.
    Type: Grant
    Filed: December 21, 2010
    Date of Patent: March 25, 2014
    Assignee: Microsoft Corporation
    Inventors: Shyam Seshadri, Jeffrey J. Westhead, Vamshi Krishna Kancharla, Daniel R. Simon, Anthony G. Jones, Frank Ronneburg, Guillaume V. Bailey
  • Patent number: 8682294
    Abstract: A communication apparatus generates authentication information for a terminal apparatus. Before establishing communication with the terminal apparatus, the communication apparatus writes information related to the communication apparatus and the authentication information into a storage medium. The terminal apparatus, to which the storage medium has been presented, transmits and receives signals to and from the communication apparatus, based upon the information related to the communication apparatus that has been written into the storage medium, and permits data communication based upon the authentication information written into the storage medium.
    Type: Grant
    Filed: September 27, 2007
    Date of Patent: March 25, 2014
    Assignee: Kyocera Corporation
    Inventor: Kugo Morita
  • Patent number: 8675878
    Abstract: There is provided a system and method for distributors to use an interoperable key chest. There is provided a method for use by a distributor to obtain content access authorizations from a key chest or central key repository (CKR), the method comprising receiving a user request from a user device for access to an encrypted content identified by a content identification, transmitting a key request to the CKR including the content identification, receiving an encrypted first key from the CKR, decrypting the encrypted first key using a second key to retrieve the first key, and providing a DRM license for the encrypted content to the user device using the first key for use by the user device to decrypt the encrypted content using the first key. By generating such DRM licenses, distributors can unlock protected content even sourced from distributors using different DRM schemas.
    Type: Grant
    Filed: April 25, 2013
    Date of Patent: March 18, 2014
    Assignee: Disney Enterprises, Inc.
    Inventors: Arnaud Robert, Scott F. Watson
  • Patent number: 8675872
    Abstract: Various embodiments facilitate program content access management. One embodiment is a system with a secure content provider communicatively coupled to a first system and a second system, operable to stream encrypted content over the first system, and operable to communicate access control information over the second system; and a receiving device coupled to the first system and the second system, operable to receive the encrypted program content from the first system, operable to receive the access control information over the second system such that the encrypted program content is decrypted based on the access control information to generate program content, and operable to communicate the program content to a presentation device.
    Type: Grant
    Filed: November 28, 2007
    Date of Patent: March 18, 2014
    Assignee: EchoStar Technologies L.L.C.
    Inventor: John A. Card, II
  • Patent number: 8677130
    Abstract: The present invention provides for an authenticity marker to be embedded within web page and/or email content which allows a user to validate that the content originates from the true source of the content and is not merely a copy. The method includes a user requesting content in the form of a web page and/or email from a server using a web browser or email client. The server receives the request, retrieves the content and forwards it to an authentication server. The authentication server inserts into the retrieved content a unique fractal icon and/or information only known between the owner of the content and the user.
    Type: Grant
    Filed: March 9, 2005
    Date of Patent: March 18, 2014
    Assignee: Secure Axcess LLC
    Inventors: Fred Bishop, Danielle R. Domenica, Vicki R. Mendivil, Hermes H. Villalobos
  • Patent number: 8667573
    Abstract: Described herein is a technique of protecting users against certain types of Internet attacks. The technique involves obtaining certificates from visited web sites and qualifying communications with those web sites based on the content of the certificates.
    Type: Grant
    Filed: May 7, 2012
    Date of Patent: March 4, 2014
    Assignee: Microsoft Corporation
    Inventors: Eric M. Lawrence, Roberto A. Franco, Venkatraman V. Kudallur, Marc A. Silbey
  • Patent number: 8660266
    Abstract: Delivering a Direct Proof private key to a device installed in a client computer system in the field may be accomplished in a secure manner without requiring significant non-volatile storage in the device. A unique pseudo-random value is generated and stored in the device at manufacturing time. The pseudo-random value is used to generate a symmetric key for encrypting a data structure holding a Direct Proof private key and a private key digest associated with the device. The resulting encrypted data structure is stored on a protected on-line server accessible by the client computer system.
    Type: Grant
    Filed: February 23, 2010
    Date of Patent: February 25, 2014
    Assignee: Intel Corporation
    Inventors: James A. Sutton, II, Ernie F. Brickell, Clifford D. Hall, David W. Grawrock
  • Patent number: 8656159
    Abstract: In some embodiments, a method includes receiving a modifiable electronic document. The method includes generating a new version of the modifiable electronic document. The method also includes encrypting the new version of the modifiable electronic document using an encryption key that is used to encrypt the modifiable electronic document and different versions of the modifiable electronic document. The method includes saving the new version of the modifiable electronic document.
    Type: Grant
    Filed: October 11, 2007
    Date of Patent: February 18, 2014
    Assignee: Adobe Systems Incorporated
    Inventor: James Donahue
  • Patent number: 8656155
    Abstract: Digital certificate public information is extracted using a processor from at least one digital certificate stored within at least one digital certificate storage repository. The extracted digital certificate public information is stored to at least one dynamically-created certificate public information directory. At least a portion of the digital certificate public information stored within the at least one dynamically-created certificate public information directory is provided in response to a digital certificate public information request.
    Type: Grant
    Filed: February 10, 2012
    Date of Patent: February 18, 2014
    Assignee: International Business Machines Corporation
    Inventors: Bret W. Dixon, Scot W. Dixon
  • Patent number: 8650657
    Abstract: A resource in unencrypted form and a wrapped key are received in a request from an application server system and at a key server system. The wrapped key includes a resource encryption key and a user identifier that have been encrypted using a master key. The user identifier identifies a user that is permitted to use the resource encryption key to decrypt the resource. The request does not include the user identifier. The wrapped key is decrypted to access the resource encryption key. The resource in unencrypted form is encrypted into an encrypted resource with the resource encryption key. The encrypted resource is sent to the application server system.
    Type: Grant
    Filed: May 18, 2011
    Date of Patent: February 11, 2014
    Assignee: Google Inc.
    Inventors: Umesh Shankar, Andrei Kulik, Bodo Moller, Sarvar Patel
  • Patent number: 8646055
    Abstract: A method and system for pre-shared-key-based network access control are disclosed. The method includes the following steps: 1) security policy negotiation is implemented between a REQuester (REQ) and Authentication Access Controller (AAC); 2) identity authentication and uni-cast key negotiation are implemented between REQ and AAC; 3) a group-cast key is notified between REQ and AAC. Applying the method and system, rapid bidirectional authentication can be implemented between a user and network.
    Type: Grant
    Filed: December 24, 2009
    Date of Patent: February 4, 2014
    Assignee: China Iwncomm Co., Ltd.
    Inventors: Li Ge, Jun Cao, Manxia Tie, Qin Li, Zhenhai Huang
  • Patent number: 8645698
    Abstract: A distributed Rivest Shamir Adleman (RSA) signature generation method in an ad-hoc network and a node of an ad-hoc network. The distributed RSA signature generation method in an ad-hoc network includes distributing key share information, which is generated using a maximum distance separable (MDS) code and a random symmetric matrix, to a plurality of nodes; generating, in a fewer number of nodes than the plurality of nodes, a partial signature using the distributed key share information; transmitting the partial signature to a signature generation node; and generating an RSA signature using the partial signature, in the signature generation node.
    Type: Grant
    Filed: November 5, 2007
    Date of Patent: February 4, 2014
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Jeong Hyun Yi, Eunah Kim, Alexandra Afanaseva, Alexey Fomin, Sergey Bezzateev
  • Patent number: 8645715
    Abstract: Provided are a method, system, and article of manufacture for configuring host settings to specify encryption and a key label referencing a key encrypting key to use to encrypt an encryption key provided to a storage drive to use to encrypt data from the host. User settings are received to configure a data class having data attributes with encryption settings. The data class is stored with the received user encryption settings. A job is received indicating a data set to store to a removable storage medium. A data class is determined having data class attributes matching data attributes of the data set indicated in the job. A determination is made from the determined data class whether to encrypt the data.
    Type: Grant
    Filed: September 11, 2007
    Date of Patent: February 4, 2014
    Assignee: International Business Machines Corporation
    Inventors: Erika Marianna Dawson, Richard Henry Guski, Michael James Kelly, Cecelia Carranza Lewis, Jon Arthur Lynds, Wayne Erwin Rhoten, Peter Grimm Sutton
  • Patent number: 8645694
    Abstract: There is provided an authentication method for a system (10) comprising several devices (30). The method involves: (a) providing each device (30) with an identity value (p_i: i=1, ..., n) and a polynomial (P) for generating a polynomial key; (b) including a verifier device (p1) and a prover device (p2) amongst said devices (30); (c) arranging for the prover device (p2) to notify its existence to the verifier device (p1); (d) arranging for the verifier device (p1) to challenge the prover device (p2) to encrypt a nonce using the prover device's (p2) polynomial (P) key and communicate the encrypted nonce as a response to the verifier device (p1); (e) arranging for the verifier device (p1) to receive the encrypted nonce as a further challenge from the prover device (p2) and: (i) encrypt the challenge using the polynomial keys generated from a set of stored device identities; or (ii) decrypt the challenge received using the set of polynomial keys; until said verifier device (p1) identifies an authentication match.
    Type: Grant
    Filed: September 27, 2005
    Date of Patent: February 4, 2014
    Assignee: Koninklijke Philips N.V.
    Inventors: Geert Jan Schrijen, Thomas Andreas Maria Kevenaar
  • Publication number: 20140029751
    Abstract: Various embodiments described herein each provide one or more of systems, methods, software, and data structures that facilitate document-authorized access to a shared workspace. Some of these embodiments provide access to a shared workspace, such as a document review comment repository, through data embedded within a document. Mere possession of a document with a key, or other data element, allows a possessor of the document to participate in a workflow process.
    Type: Application
    Filed: February 29, 2008
    Publication date: January 30, 2014
    Applicant: Adobe Systems Incorporated
    Inventors: Randy L. Swineford, Barnaby James, Patrick R. Wibbeler
  • Patent number: 8639924
    Abstract: Disclosed are a server and a client processing a security program by using a real-time distribution method and method of controlling the server and the client. A method of controlling a server processing a security program by using a real-time key distribution method according to an exemplary embodiment of the present invention includes: analyzing a security program for transmitting the security program to a client; decomposing a code of the analyzed security program into code blocks; encrypting the code blocks by using an encryption key; changing an original header of the security program to a first header; and transmitting a packed program including the encrypted code blocks and the changed first header to the client.
    Type: Grant
    Filed: December 9, 2011
    Date of Patent: January 28, 2014
    Assignee: Electronics and Telecommunications Research Institute
    Inventor: Jong Youl Park
  • Patent number: 8638942
    Abstract: A method for managing shared random numbers in a secret communication network including at least one center node and a plurality of remote nodes connected to the center node, includes: sharing random number sequences between the center node and respective ones of the plurality of remote nodes; when performing random numbers sharing between a first remote node storing a first random number sequence shared with the center node and a second remote node storing a second random number sequence shared with the center node, distributing a part of the second random number sequence from the center node to the first remote node; and sharing the part of the second random number sequence between the first remote node and the second remote node.
    Type: Grant
    Filed: April 21, 2009
    Date of Patent: January 28, 2014
    Assignee: NEC Corporation
    Inventors: Wakako Maeda, Akio Tajima, Seigo Takahashi, Akihiro Tanaka
  • Patent number: 8639915
    Abstract: In some embodiments, a method and apparatus for distributing private keys to an entity with minimal secret, unique information are described. In one embodiment, the method includes the storage of a chip secret key within a manufactured chip. Once the chip secret key is stored or programmed within the chip, the chip is sent to a system original equipment manufacturer (OEM) in order to integrate the chip within a system or device. Subsequently, a private key is generated for the chip by a key distribution facility (KDF) according to a key request received from the system OEM. In one embodiment, the KDF is the chip manufacturer. Other embodiments are described and claimed.
    Type: Grant
    Filed: March 30, 2010
    Date of Patent: January 28, 2014
    Assignee: Intel Corporation
    Inventor: Gary L. Graunke
  • Patent number: 8638944
    Abstract: A countermeasure for differential power analysis attacks on computing devices. The countermeasure includes the definition of a set of split mask values. The split mask values are applied to a key value used in conjunction with a masked table defined with reference to a table mask value. The set of n split mask values are defined by randomly generating n-1 split mask values and defining an nth split mask value by exclusive or'ing the table mask value with the n-1 randomly generated split mask values.
    Type: Grant
    Filed: September 14, 2012
    Date of Patent: January 28, 2014
    Assignee: BlackBerry Limited
    Inventor: Catherine Helen Gebotys
  • Patent number: 8638939
    Abstract: The present disclosure provides for the use of non-alphanumeric, non-biometric inputs to authenticate a user accessing secured data or functions on an electronic device. In one embodiment, an authentication screen is invoked by use of a gesture input via a touch-sensitive structure. In such an embodiment, an authentication screen may be invoked with no outward appearance on the display as to the existence of the data or function for which access is sought. The authentication may be based upon a gesture, a sequence of selected objects, or another non-alphanumeric, non-biometric input.
    Type: Grant
    Filed: August 20, 2009
    Date of Patent: January 28, 2014
    Assignee: Apple Inc.
    Inventors: Brandon J. Casey, Erik Cressall
  • Patent number: 8635352
    Abstract: A method for symmetric receive-side scaling (RSS) in a network device having an ingress side RSS router and an egress side RSS router and a plurality of queues for handling packets. The method comprises identifying an internet protocol (IP) version being used for the network. The transport layer headers (TLHs) existence status is identified. A secret key by each of the egress side RSS router and the ingress side RSS router is identified. The key is based on the identification of the IP version and the TLHs existence status. The secret key ensures that packets sent from a source to a destination and packets sent from the destination to the source are routed by the egress side RSS router and the ingress side RSS router to a common queue among the plurality of queues. The secret key is stored at a storage in the network device. The secret key is used by the ingress side RSS router and the egress side RSS router for routing packets.
    Type: Grant
    Filed: February 22, 2011
    Date of Patent: January 21, 2014
    Assignee: Qwilt, Inc.
    Inventor: Oren Shemesh