Key Distribution Center Patents (Class 380/279)
  • Patent number: 8634560
    Abstract: A server device initiates a traffic encapsulation key (TEK) re-key sequence for a group virtual private network (VPN), based on an upcoming expiration time for an existing TEK. The server device sends, via a push message during a first time period immediately after the initiating, a new TEK to members of the group VPN. The server device receives, during a second time period that immediately follows the first time period, a pull request, for the new TEK, from one of the members of the group VPN, and sends, to the one of the members, the new TEK, where the re-key sequence transitions all the members of the group VPN from the existing TEK key to the new TEK key before the expiration time for the existing TEK.
    Type: Grant
    Filed: September 10, 2010
    Date of Patent: January 21, 2014
    Assignee: Juniper Networks, Inc.
    Inventors: Anthony Ng, Chih-Wei Chao, Suresh Melam, I-Wen Michelle Hsiung
  • Patent number: 8635453
    Abstract: Provided is a controller capable of preventing card makers from conducting unauthorized acts. The controller includes: a controller key storage unit configured to hold a controller key that has been embedded by a controller manufacturing device in advance; a decryption unit configured to receive encrypted media key information that has been generated by a key issuance center that is authorized and to decrypt the received encrypted media key by using the controller key, the encrypted key information generated through encryption of key information with use of the controller key; and an encryption unit configured to encrypt the decrypted media key again by using an individual key that is unique to the controller.
    Type: Grant
    Filed: March 2, 2011
    Date of Patent: January 21, 2014
    Assignee: Panasonic Corporation
    Inventors: Takahiro Yamaguchi, Masaya Yamamoto
  • Patent number: 8634561
    Abstract: A system for implementing secure key management is provided. The system includes a computer processor and an application configured to execute on the computer processor, the application implementing a method. The method includes populating a section of information associated with a key, the section being populated with information relating to how the key was created. The method also includes populating the section with information relating to how the key was acquired by a secure module; and binding the section to the key, wherein the key is encrypted.
    Type: Grant
    Filed: May 4, 2011
    Date of Patent: January 21, 2014
    Assignee: International Business Machines Corporation
    Inventors: Todd W. Arnold, Elizabeth A. Dames, Carsten D. Frehr, Kenneth B. Kerr, Richard V. Kisley, Michael J. Kelly, Eric D. Rossman, Eric B. Smith
  • Patent number: 8630416
    Abstract: Embodiments of a wireless device and methods for rekeying with reduced packet loss in a wireless network are generally described herein. In some embodiments, during rekeying operations a new key for reception may be installed early (i.e., prior to receipt of a rekeying confirmation message). The use of the new key for transmission may be delayed until after receipt of the rekeying confirmation message. The early installation of the new key for reception may allow both the new key and old key to be active at the same time for use decrypting received packets to reduce packet loss during rekeying operations. The rekeying confirmation message may be the fourth message of a four-way handshake for rekeying. In some embodiments, two key identifiers may be alternated between four-way handshakes to prevent deletion of the old key.
    Type: Grant
    Filed: December 21, 2009
    Date of Patent: January 14, 2014
    Assignee: Intel Corporation
    Inventors: Emily H. Qi, Jesse R. Walker, Robert J. Stacey, Herbert Liondas, Marc Jalfon
  • Patent number: 8630418
    Abstract: A system or computer usable program product for managing keys in a computer memory including receiving a request to store a first key to a first key repository, storing the first key to a second key repository in response to the request, and storing the first key from the second key repository to the first key repository within said computer memory based on a predetermined periodicity.
    Type: Grant
    Filed: January 5, 2011
    Date of Patent: January 14, 2014
    Assignee: International Business Machines Corporation
    Inventors: Bruce A. Rich, Thomas H. Benjamin, John T. Peck
  • Patent number: 8625803
    Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for updating shared keys. In one aspect, a method includes generating, at a first server and using a first key associated with a current period of time on the first server, a first piece of information based on a first request received from a first client device; receiving, at a second server, a second request from the first client device, the second request including the generated first piece of information; and validating, at the second server and using the first key, the first piece of information, wherein the validating is performed during the current period of time on the second server and wherein to generate information the second server uses a second key different from the first key.
    Type: Grant
    Filed: May 31, 2011
    Date of Patent: January 7, 2014
    Assignee: Google Inc.
    Inventors: Sivasankar Radhakrishnan, Yuchung Cheng
  • Patent number: 8625802
    Abstract: The present invention discloses methods, devices, and media for secure key management in a non-secured, distributed, virtualized environment with applications to cloud-computing security and management.
    Type: Grant
    Filed: June 15, 2011
    Date of Patent: January 7, 2014
    Assignee: Porticor Ltd.
    Inventor: Gilad Parann-Nissany
  • Patent number: 8627091
    Abstract: A method begins by a module to generate a secure signature on an item by selecting a first key representation index of a set of key representation indexes, wherein a first mathematical encoding of a private key generates a first plurality of key shares as a first key representation. The method continues with the module determining whether a first plurality of signature contributions have been received in response to a signature request for the item based on the first key representation index, wherein one of a first set of dispersed storage (DS) units executes a first mathematical signature function using one of the first plurality of key shares on the item to produce a signature contribution of the first plurality of signature contributions and when the first plurality of signature contributions have been received, generating the secure signature on the item from the first plurality of signature contributions.
    Type: Grant
    Filed: March 6, 2012
    Date of Patent: January 7, 2014
    Assignee: Cleversafe, Inc.
    Inventors: Greg Dhuse, Jason K. Resch, Wesley Leggette
  • Patent number: 8625787
    Abstract: A method performed in a third computing device comprises: receiving a request from one of a first computing device and a second computing device; and in response to the request, facilitating establishment of a security association between the first computing device and the second computing device such that the first computing device and the second computing device can then facilitate establishment of a security association between first user equipment and second user equipment. The first computing device, the second computing device and the third computing device comprise at least a part of a key management hierarchy wherein the first computing device and the second computing device are on a lower level of the hierarchy and the third computing device is on a higher level of the hierarchy. The first and second computing devices are configured to perform a key management function for respective first and second user equipment.
    Type: Grant
    Filed: January 14, 2010
    Date of Patent: January 7, 2014
    Assignee: Alcatel Lucent
    Inventors: Alec Brusilovsky, Violeta Cakulev
  • Patent number: 8627440
    Abstract: This disclosure pertains generally to client authentication. One aspect of the disclosure relates to a first server for presenting evidence to a Domain Controller (DC) of a first authentication context being submitted from a client to the first server to obtain a delegable credential, wherein the credential can be used to request a second authentication context from that client to a second server. Another aspect relates to the first server providing a pass-thru with evidence to a DC. The evidence relates to a first authentication context being submitted from a client to the first server that it obtained a delegable credential. The pass-thru is used in combination with the credential to request a second authentication context from the client to a second server.
    Type: Grant
    Filed: December 24, 2009
    Date of Patent: January 7, 2014
    Assignee: Microsoft Corporation
    Inventors: David R. Mowers, Daniel R. Simon, Paul J. Leach, John A. Banes
  • Patent number: 8627085
    Abstract: A public key infrastructure comprises a client side to request and utilize certificates in communication across a network and a server side to administer issuance and maintenance of said certificates. The server side has a portal to receive requests for a certificate from a client. A first policy engine processes such requests in accordance with a set of predefined protocols. A certification authority is also provided to generate certificates upon receipt of a request from the portal. The CA has a second policy engine to implement a set of predefined policies in the generation of a certificate. Each of the policy engines includes at least one policy configured as a software component, e.g. a Java bean, to perform the discrete functions associated with the policy and generate notification in response to a change in state upon completion of the policy.
    Type: Grant
    Filed: June 29, 2012
    Date of Patent: January 7, 2014
    Assignee: Certicom Corp.
    Inventor: Amit Kapoor
  • Publication number: 20140003608
    Abstract: Embodiments are directed towards enabling cryptographic key management without disrupting cryptographic operations. Embodiments may be employed to generate cryptographic keys based on at least one key parameter that may be provided by an administrator. The administrator may generate key managers and key request users that may be linked to particular cryptographic keys. The cryptographic keys may be stored on key exchange servers separate from the key management server. Responsive to a request for a cryptographic key, the key exchange servers may authenticate the key request user associated with the request. The key request may be validated based on at least one key parameter and a portion of the key request. The key exchange server may generate the requested cryptographic keys providing them to the key request user over the network.
    Type: Application
    Filed: March 15, 2013
    Publication date: January 2, 2014
    Applicant: DARK MATTER LABS INC.
    Inventors: Jeffrey Earl MacMillan, Jason Arthur Offrey
  • Patent number: 8619991
    Abstract: An encoding/decoding operation portion includes an encoding/decoding operation circuit and an avoiding path for detouring the encoding/decoding operation circuit and can select between encoding or decoding input data in the encoding/decoding operation circuit and detouring the encoding/decoding operation circuit to output the input data without change. Only one wire has to be provided from a selector to a key storage portion and an initialization-vector storage portion. With this construction, it is possible to realize an encoding/decoding circuit which can suppress an increase in the number of wires used to transmit a content of key data to the key storage portion and the initialization-vector storage portion and does not cause complication of circuit layout.
    Type: Grant
    Filed: June 29, 2011
    Date of Patent: December 31, 2013
    Assignee: Renesas Electronics Corporation
    Inventors: Shigenori Miyauchi, Atsuo Yamaguchi
  • Patent number: 8621243
    Abstract: In accordance with certain aspects, data is received from a calling program. Ciphertext that includes the data is generated, using public key encryption, in a manner that allows the data to be obtained from the ciphertext only if one or more conditions are satisfied. In accordance with another aspect, a bit string is received from a calling program. Data in the bit string is decrypted using public key decryption and returned to the calling program only if one or more conditions included in the bit string are satisfied.
    Type: Grant
    Filed: January 27, 2011
    Date of Patent: December 31, 2013
    Assignee: Microsoft Corporation
    Inventors: Paul England, Marcus Peinado
  • Patent number: 8621574
    Abstract: Embodiments described herein provide communication control features and functionality, but are not so limited. In an embodiment, a computing environment includes an access control component that can use a number of access states to control access to computing data and/or services. In one embodiment, a server computer can control access to data and/or services using a number of access states including, but not limited to: an allowed state, a blocked state, a device discovery state, and/or a quarantined state. Other embodiments are available.
    Type: Grant
    Filed: June 2, 2009
    Date of Patent: December 31, 2013
    Assignee: Microsoft Corporation
    Inventors: Juan V. Esteve Balducci, John Atwood, Zhike Kong, Ying Zhang, Sergey B. Plakhotnyuk
  • Patent number: 8611543
    Abstract: A method for providing an IP key, for encoding messages between a user terminal MS or a PMIP client and a home agent HA, wherein an authentication server only provides the mobile IP key when the authentication server recognizes, by a correspondingly encoded parameter, that the user terminal MS itself is not using mobile IP (PMIP).
    Type: Grant
    Filed: May 24, 2007
    Date of Patent: December 17, 2013
    Assignee: Siemens Aktiengesellschaft
    Inventors: Rainer Falk, Dirk Kröselberg
  • Patent number: 8611544
    Abstract: One exemplary embodiment involves receiving, at a server, a request for a document key for accessing a document on a client device, wherein the request comprises an identity of an access policy and information about the document. The exemplary method further comprises determining, at the server, whether access to the document is permitted according to the access policy. If access to the document is permitted, the exemplary method involves computing, at the server, the document key using the information about the document, wherein the document key is document specific, wherein, prior to the computing of the document key, the document key is not stored for access by the server. The exemplary method further involves responding to the request by providing the document key for use in accessing the document on the client device.
    Type: Grant
    Filed: January 25, 2011
    Date of Patent: December 17, 2013
    Assignee: Adobe Systems Incorporated
    Inventors: Jonathan Herbach, Chetan Mehrotra, Varun Sharma, Shadkam Islam
  • Patent number: 8607358
    Abstract: A seed value is received and a resource encryption key is generated from the seed value. The resource encryption key may be sent to an application server such that the application server system is able to encrypt a resource using the resource encryption key. Authentication credentials and a wrapped key are received and the wrapped key is decrypted to generate an unwrapped key that includes the resource identifier, the resource encryption key, and the user identifier in unencrypted form. The user identifier is accessed from the unwrapped key and it is determined that the received authentication credentials correspond to the accessed user identifier. The resource encryption key is sent in unencrypted form to the application server system such that the application server system can decrypt the resource using the resource encryption key in unencrypted form.
    Type: Grant
    Filed: May 18, 2011
    Date of Patent: December 10, 2013
    Assignee: Google Inc.
    Inventors: Umesh Shankar, Andrei Kulik, Bodo Moller, Sarvar Patel
  • Patent number: 8607069
    Abstract: A data processing apparatus is disclosed, that comprises a large capacity memory means for storing a plurality of files, a memory means for storing move/copy history when a particular file is moved/copied from the large capacity memory means to a non-volatile memory, a reference means for referencing the history information stored in the memory means when the particular file is moved/copied from the large capacity memory means to the non-volatile memory, and a control means for prohibiting the particular file from being moved/copied from the large capacity memory means to the non-volatile memory when the reference means has detected that the history information is stored in the memory means.
    Type: Grant
    Filed: June 4, 2004
    Date of Patent: December 10, 2013
    Assignee: Sony Corporation
    Inventors: Nobuyuki Kihara, Teppei Yokota
  • Patent number: 8601600
    Abstract: Authentication credentials are received at a key server system. A service associated with the wrapped key is identified. A master key is accessed based on the identified service, the master key being associated with the identified service. The wrapped key is decrypted to generate an unwrapped key that includes the resource identifier, the resource encryption key, and the user identifier in unencrypted form. The user identifier is accessed from the unwrapped key. The received authentication credentials are determined to correspond to the accessed user identifier. In response to determining that the received authentication credentials correspond to the accessed user identifier, the resource encryption key is sent unencrypted to the application server system such that the application server system can decrypt the resource using the resource encryption key in unencrypted form.
    Type: Grant
    Filed: May 18, 2011
    Date of Patent: December 3, 2013
    Assignee: Google Inc.
    Inventors: Umesh Shankar, Andrei Kulik, Bodo Moller, Sarvar Patel
  • Patent number: 8601266
    Abstract: A system, method, and server computer configured to authenticate a consumer device. The consumer device is authenticated via a mobile gateway using challenge-response authentication. If the consumer device is successfully authenticated, a secure channel is established between the consumer device and a first entity. The secure channel allows for secure communication between the consumer device and the first entity.
    Type: Grant
    Filed: March 30, 2011
    Date of Patent: December 3, 2013
    Assignee: Visa International Service Association
    Inventors: Christian Aabye, Sasikumar Kannappan
  • Patent number: 8600052
    Abstract: A key generation device according to the present invention hierarchically constructs a Y-ary tree structure where n reception devices are assigned to leaves, and forms subgroups where individual intermediate nodes existing between the leaves and a root of the Y-ary tree structure are defined as parent nodes. By providing new parameters to the individual intermediate parameters, the subgroups can be formed flexibly. In a case where no excluded customer exists or the number of excluded customers is small, the size of a header to be delivered and the calculation amount of an operation that a customer needs to perform can be reduced.
    Type: Grant
    Filed: August 17, 2007
    Date of Patent: December 3, 2013
    Assignee: Sony Corporation
    Inventors: Masafumi Kusakawa, Tomoyuki Asano
  • Patent number: 8594334
    Abstract: The present invention relates to a key management method to establish selective secret information in multiple disjoint groups, more specifically to a method of reducing the broadcast size in access hierarchies and localize and facilitate management in said access hierarchies. The key management method selects a number of subgroups. Each subgroup supports an instance of a key distribution method for receiving distributed key material, and is capable of computing a usage security key based on the distributed key material and predefined user group key material.
    Type: Grant
    Filed: December 23, 2008
    Date of Patent: November 26, 2013
    Assignee: Telefonaktiebolaget L M Ericsson (publ)
    Inventors: Fredrik Lindholm, Mattias Johansson, Karl Norrman
  • Patent number: 8594335
    Abstract: A method, computer program product, and data storage system for associating an encryption key with each of a plurality of storage objects within a data storage system, thus defining a plurality of encryption keys. Each of the plurality of encryption keys is appended to include a key identifier tag, thus defining a plurality of tagged encryption keys. The key identifier tag included within each tagged encryption key identifies the storage object with which the tagged encryption key is associated.
    Type: Grant
    Filed: September 28, 2007
    Date of Patent: November 26, 2013
    Assignee: EMC Corporation
    Inventors: Amnon Izhar, John Carrel
  • Patent number: 8589600
    Abstract: The invention provides a method of transferring data from a data array within a main memory of a computer to an accelerator for processing, the embodiment of the method comprising: at the accelerator, requesting data from the main memory and generating a data stream between the main memory and the accelerator, the generated data stream including data from the data array; and, using an offset to determine the scheduling of array elements within the generated data stream.
    Type: Grant
    Filed: December 14, 2009
    Date of Patent: November 19, 2013
    Assignee: Maxeler Technologies, Ltd.
    Inventor: Robert Gwilym Dimond
  • Patent number: 8588420
    Abstract: A method for determining a time delay for sending an update request by a computing device is described. A first update request is sent by a computing device at the termination of a first random delay. A first load data is received. A second update request is sent by the computing device at the termination of a maximum update parameter. A second load data is received. The first load data is compared with the second load data. A next update time is adjusted if the first load data differs from the second load data.
    Type: Grant
    Filed: January 18, 2007
    Date of Patent: November 19, 2013
    Assignee: Panasonic Corporation
    Inventors: W. Bryant Eastham, James L. Simister
  • Patent number: 8588423
    Abstract: A multicast key distribution method, an update method, and a base station based on unicast conversation key, the distribution method includes the following steps: 1) the base station composes groups of multicast key distribution; 2) the base station broadcasts the groups of multicast key distribution to all terminals; 3) the terminals acquire the multicast conversation key through calculation. The present invention solves the problem that the efficiency of the multicast key distribution based on unicast conversation key is low in the prior art, and provides a multicast key distribution method based on unicast conversation key.
    Type: Grant
    Filed: August 20, 2009
    Date of Patent: November 19, 2013
    Assignee: China Iwncomm Co., Ltd
    Inventors: Liaojun Pang, Jun Cao, Manxia Tie
  • Patent number: 8590029
    Abstract: A mechanism is provided for managing access authorization to forums open to anonymous users within an organization. A token distributor application provides a unique token to each member of a community or organization. The application is trusted by all members to not store an association between the authenticated user and the token when a token is assigned. The only control exerted by the token distributor is to block users who have already obtained a token from receiving another token. The communication tool or collaboration space may accept creation of a new anonymous identity, such as a nickname, to any individual supplying a token assigned by the token distributor application. An administrator may ban users by token. A banned user cannot access the communication tool or collaboration space using a nickname associated with a banned token.
    Type: Grant
    Filed: January 5, 2009
    Date of Patent: November 19, 2013
    Assignee: International Business Machines Corporation
    Inventor: Marcello Vitaletti
  • Patent number: 8582761
    Abstract: A method determines an elliptical curve, suitable for a cryptographic method. An elliptical curve to be tested is prepared. The order of a twisted elliptical curve associated with the elliptical curve to be tested is determined. It is automatically checked whether the order of the twisted elliptical curve is a strong prime number. If the order of the twisted elliptical curve is a strong prime number, the elliptical curve to be tested is selected as an elliptical curve suitable for cryptographical methods.
    Type: Grant
    Filed: March 6, 2007
    Date of Patent: November 12, 2013
    Assignee: Siemens Aktiengesellschaft
    Inventors: Jean Georgiades, Anton Kargl, Bernd Meyer
  • Patent number: 8584229
    Abstract: A data processing system features a hardware trusted platform module (TPM), and a virtual TPM (vTPM) manager. When executed, the vTPM manager detects a first request from a service virtual machine (VM) in the processing system, the first request to involve access to the hardware TPM (hTPM). In response, the vTPM manager automatically determines whether the first request should be allowed, based on filter rules identifying allowed or disallowed operations for the hTPM. The vTPM manager may also detect a second request to involve access to a software TPM (sTPM) in the processing system. In response, the vTPM manager may automatically determine whether the second request should be allowed, based on a second filter list identifying allowed or disallowed operations for the sTPM. Other embodiments are described and claimed.
    Type: Grant
    Filed: December 21, 2007
    Date of Patent: November 12, 2013
    Assignee: Intel Corporation
    Inventors: Tasneem Brutch, Alok Kumar, Murari Kumar, Kalpana M. Roge, Vincent R. Scarlata, Ned M. Smith, Faraz A. Siddiqi, Willard M. Wiseman
  • Patent number: 8583917
    Abstract: A method and apparatus for distributing certification statements. Digital certificates are stored in a plurality of entries in a repository. Certification statements that include revocation status information for the stored digital certificates are received and stored in corresponding entries of the repository. Upon receiving a client request for a digital certificate, the digital certificate and corresponding revocation status information is sent to the client.
    Type: Grant
    Filed: November 30, 2006
    Date of Patent: November 12, 2013
    Assignee: Red Hat, Inc.
    Inventor: Steven W. Parkinson
  • Patent number: 8577044
    Abstract: Embodiments of the invention provide a method and an apparatus for automatic, secure, and confidential distribution of an asymmetric key security credential in a utility computing environment. In one method embodiment, the present invention provides an asymmetric key at a management server, the asymmetric key automatically associated with a logical device identifier of a provisionable resource. Additionally, an isolated virtual network is established between the management server and the provisionable resource for providing the asymmetric key to the provisionable resource. Then, after the asymmetric key is provided to the provisionable resource the isolated virtual network between the management server and the provisionable resource is dissolved.
    Type: Grant
    Filed: October 28, 2005
    Date of Patent: November 5, 2013
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventor: Amit Raikar
  • Patent number: 8571219
    Abstract: An authentication loading control feature enables a service provider to control the number of authentication procedures or percentage of time that authentication procedures are performed by a network element adapted to perform authentication procedures (e.g., a Serving GPRS Support Node (SGSN) of a UMTS network); and an information recapture feature enables the network element to obtain, in the absence of authentication, UE information that conventionally would have been received as a part of the authentication procedure as needed, for example and without limitation, to support charging and lawful intercept functions.
    Type: Grant
    Filed: March 15, 2012
    Date of Patent: October 29, 2013
    Assignee: Alcatel Lucent
    Inventors: David C Harms, Robert M Zieman
  • Patent number: 8572392
    Abstract: An input personal identification number (PIN) is encrypted, identification information to identify a computer that has generated an encrypted PIN is associated with the encrypted PIN, and the associated information is sent to a recording medium. When the recording medium is again connected to the computer, it is checked whether the identification information is present in the recording medium. If the identification information is present in the recording medium, the encrypted PIN associated with the identification information is decrypted. These processes can be performed on both computer side and recording medium side.
    Type: Grant
    Filed: June 27, 2006
    Date of Patent: October 29, 2013
    Assignee: Fujitsu Limited
    Inventor: Nobutaka Ishidera
  • Patent number: 8571995
    Abstract: Systems and methods are provided for securing payment card information. A user may present a payment card such as a credit card to point-of-sale equipment. The point-of-sale equipment may encrypt the payment card information. An encryption algorithm may be used that takes as inputs a first part of the payment card information, a tweak formed by a second part of the payment card information, and an encryption key. The encrypted payment card information may be conveyed to a gateway over a communications network. The gateway may identify which encryption algorithm was used in encrypting the payment card information and may re-encrypt the payment card information using a format preserving encryption algorithm. A network-based service may be used to remotely perform functions for the gateway.
    Type: Grant
    Filed: June 1, 2010
    Date of Patent: October 29, 2013
    Assignee: Voltage Security, Inc.
    Inventors: Terence Spies, Matthew J. Pauker
  • Patent number: 8566245
    Abstract: A system is configured to receive a request for a customization packet associated with a user device; retrieve data associated with the device; encode portions of the network data using a group of keys, where each portion is encoded using a different one of the keys, and where each key corresponds to a different set of fields, of one or more sets of fields within the packet; store the encoded portions in the one or more sets of fields within the packet; and transmit, to a content provider, the packet, where the packet enables the content provider to decode all or a portion of the network data using one of the keys, and where all or the portion of the decoded network data enables the content provider to generate customized content for the device.
    Type: Grant
    Filed: March 28, 2011
    Date of Patent: October 22, 2013
    Assignee: Verizon Patent and Licensing Inc.
    Inventor: Benjamin J. Parker
  • Patent number: 8566587
    Abstract: A control network system connected with a node having a unique identifier includes a KDC4B for distributing a first key to the node for cryptographic communication, a PS4B for supplying a function name and a second key corresponding to the unique identifier to the node by the cryptographic communication using the first key, and a PS for supplying the node with setting information used for the cryptographic communication using the second key in response to a request using the function name.
    Type: Grant
    Filed: May 30, 2006
    Date of Patent: October 22, 2013
    Assignees: Kabushiki Kaisha Toshiba, Yokogawa Electric Corporation
    Inventors: Masahiro Ishiyama, Atsushi Inoue, Nobuo Okabe, Shoichi Sakane
  • Publication number: 20130272524
    Abstract: Techniques and tools for implementing protocols for secure multi-party communication after quantum key distribution (“QKD”) are described herein. In example implementations, a trusted authority facilitates secure communication between multiple user devices. The trusted authority distributes different quantum keys by QKD under trust relationships with different users. The trusted authority determines combination keys using the quantum keys and makes the combination keys available for distribution (e.g., for non-secret distribution over a public channel). The combination keys facilitate secure communication between two user devices even in the absence of QKD between the two user devices. With the protocols, benefits of QKD are extended to multi-party communication scenarios. In addition, the protocols can retain benefit of QKD even when a trusted authority is offline or a large group seeks to establish secure communication within the group.
    Type: Application
    Filed: June 6, 2013
    Publication date: October 17, 2013
    Inventors: Richard John Hughes, Jane Elizabeth Nordholt, Charles Glen Peterson
  • Patent number: 8559634
    Abstract: An encoding/decoding operation portion includes an encoding/decoding operation circuit and an avoiding path for detouring the encoding/decoding operation circuit and can select between encoding or decoding input data in the encoding/decoding operation circuit and detouring the encoding/decoding operation circuit to output the input data without change. Only one wire has to be provided from a selector to a key storage portion and an initialization-vector storage portion. With this construction, it is possible to realize an encoding/decoding circuit which can suppress an increase in the number of wires used to transmit a content of key data to the key storage portion and the initialization-vector storage portion and does not cause complication of circuit layout.
    Type: Grant
    Filed: August 23, 2012
    Date of Patent: October 15, 2013
    Assignee: Renesas Electronics Corporation
    Inventors: Shigenori Miyauchi, Atsuo Yamaguchi
  • Patent number: 8560454
    Abstract: A computer-implemented method for providing users with customized renewal policies may include 1) determining that a license for a software product installed on a user's computing system has expired or will expire within a predetermined amount of time, 2) in response to determining that the license for the software product has expired or will expire, monitoring, via a local module installed on the computing system, computing activities of the user, 3) evaluating the user's computing activities to determine that the user is investigating a competitor's software product that is capable of performing one or more functions performed by the installed software product, 4) creating, based on the user's investigation of the competitor's software product, a customized renewal policy for renewing the license to the installed software product, 5) inviting the user to renew the license under the customized renewal policy.
    Type: Grant
    Filed: March 13, 2012
    Date of Patent: October 15, 2013
    Assignee: Symantec Corporation
    Inventors: Yadvinder Bhatia, Anand Sankruthi
  • Patent number: 8560847
    Abstract: A light access authentication method and system, the method includes: the trustful third party writes the MSG cipher text formed by enciphering MSG into the first entity; the second entity attains the MSG cipher text from the first entity, and attains the key from the trustful third party after attaining the MSG cipher text; the MSG cipher text is deciphered according to the key, and the MSG plaintext is attained. The embodiment of the present invention can be widely applied at a condition limited by the equipment and environment, and the access authentication is simplified and lightened.
    Type: Grant
    Filed: December 2, 2008
    Date of Patent: October 15, 2013
    Assignee: China Iwncomm Co., Ltd.
    Inventors: Liaojun Pang, Jun Cao, Manxia Tie, Zhenhai Huang
  • Patent number: 8560381
    Abstract: A method for a voter to vote using an electoral system. An electoral system includes a computing system for accessing a database having first and second data sets correlated to a roster of eligible voters and to a voting record that is associated with each of those eligible voters. The method of voting includes the voter providing identifying information, which causes the computing system to verify that the voter is on the roster of eligible voters and eligible to vote in the election. The voter interacts with the computing system to cast a preliminary vote and then commits the preliminary vote. The voter may also interact with the computing system to perform a government accountability program in which elected officials may be voted on for sanctions or removal from office when the elected official has lost the confidence of the associated electoral district.
    Type: Grant
    Filed: June 24, 2010
    Date of Patent: October 15, 2013
    Inventors: Robert Green, Alec Green
  • Patent number: 8553887
    Abstract: A method of generating a dynamic group key of a group formed of a plurality of nodes, the method including: unicasting a public key that is based on respective secret keys of each of a plurality of general nodes excluding a master node, which is one of the plurality of nodes, wherein the unicasting is performed by the general nodes; broadcasting to the group an encryption value obtained by exponentially-calculating a secret key of the master node to the plurality of public keys, wherein the broadcasting is performed by the master node upon receiving the plurality of public keys; and obtaining a group key by using an inverse power-calculation of the respective secret keys of each of the general nodes based on the encryption value, wherein the obtaining is performed by the general nodes.
    Type: Grant
    Filed: October 30, 2009
    Date of Patent: October 8, 2013
    Assignee: Ajou University Industry Cooperation Foundation
    Inventors: Man Pyo Hong, Jong Uk Kim, Suk In Kang
  • Publication number: 20130259235
    Abstract: A network and related methods for transmitting processes in a network secretly and securely are described. The network uses keys, through path-key establishment and a key pool bootstrapping, to ensure that packets are transmitted and received properly and secretly in the presence of one or more adversarial nodes.
    Type: Application
    Filed: March 29, 2013
    Publication date: October 3, 2013
    Applicants: PURDUE RESEARCH FOUNDATION, CALIFORNIA INSTITUTE OF TECHNOLOGY
    Inventors: Hongyi YAO, Tracey C. HO, Cristina NITA-ROTARU
  • Patent number: 8547848
    Abstract: A method of controlling traffic flow through a service node located within a packet network, which traffic flow originates at a plurality of sending nodes and is destined for a receiving node. The service node is one of a multiplicity of service nodes configured in a tree or other acyclic structure, e.g. of an overlay network. The method comprises receiving a challenge from said receiving node or a downstream service node, generating and caching a further challenge, and combining that further challenge with the received challenges to generate a modified challenge. The modified challenge is then sent to a sending node or to an upstream service node. Subsequently, a request is received, destined for said receiving node and originating at a sending node. A solution accompanying said request is validated using the cached further challenge, and the request forwarded towards said receiving node only if the solution is valid. Otherwise, the request is dropped.
    Type: Grant
    Filed: July 9, 2008
    Date of Patent: October 1, 2013
    Assignee: Telefonaktiebolaget L M Ericsson (publ)
    Inventors: Pekka Nikander, Mikko Sarela
  • Patent number: 8542593
    Abstract: In one embodiment of the invention, a system and method for error tolerant delivery of data is provided. A data file is received for transmission which includes metadata and data. The metadata includes mandatory portions and optional portions, which are grouped together, respectively. The mandatory portions of the metadata include file control data. The file is parsed into packets and transmitted as a data stream to a plurality of receiver devices. In some cases this data stream may be transmitted multiple times for redundancy. Once the data stream is received, the receiver device may look for transmission errors in the control data of the data stream. If such an error is present the data stream is discarded; otherwise, the receiver device converts the data stream back into the native file format and stores it for later playback or queued processing.
    Type: Grant
    Filed: October 20, 2010
    Date of Patent: September 24, 2013
    Assignee: Vucast Media, Inc.
    Inventors: Derek D. Kumar, Gregg Brian Levin
  • Patent number: 8542825
    Abstract: This specification describes technologies relating to imparting cryptographic information in network communications.
    Type: Grant
    Filed: June 10, 2011
    Date of Patent: September 24, 2013
    Assignee: Adobe Systems Incorporated
    Inventors: Asa Whillock, Edward Chan, Srinivas Manapragada, Matthew Kaufman, Pritham Shetty, Michael Thornburgh
  • Patent number: 8543804
    Abstract: An adaptive security policy based scalable video service apparatus includes a video streaming server, an adaptive security policy server and a terminal. The video streaming server receives a service demand via a network and generates an encrypted streaming data. The adaptive security policy server analyzes a media structure and the service demand, by using a service profile received from the video streaming server, so as to generate a security policy description. The terminal generates and transmits the service demand to the video streaming server or the adaptive security server, obtains the encrypted streaming data from the video streaming server and decrypts the encrypted streaming data for playback, storing and retransmission.
    Type: Grant
    Filed: May 6, 2010
    Date of Patent: September 24, 2013
    Assignee: Electronics and Telecommunications Research Institute
    Inventors: Yong Hyuk Moon, Hyeok Chan Kwon, Seungmin Lee, Jae Hoon Nah, Taek Yong Nam, Dong Il Seo
  • Patent number: 8544077
    Abstract: A secure Internet Protocol (IP) telephony system, apparatus, and methods are disclosed. Communications over an IP telephony system can be secured by securing communications to and from a Cable Telephony Adapter (CTA). The system can include one or more CTAs, network servers, servers configured as signaling controllers, key distribution centers (KDC), and can include gateways that couple the IP telephony system to a Public Switched Telephone Network (PSTN). Each CTA can be configured as secure hardware and can be configured with multiple encryption keys that are used to communicate signaling or bearer channel communications. The KDC can be configured to periodically distribute symmetric encryption keys to secure communications between devices that have been provisioned to operate in the system and signaling controllers.
    Type: Grant
    Filed: June 23, 2009
    Date of Patent: September 24, 2013
    Assignee: Motorola Mobility LLC
    Inventors: Eric J. Sprunk, Paul Moroney, Alexander Medvinsky, Steven E. Anderson, Jonathan A. Fellows
  • Patent number: 8538890
    Abstract: A method of encrypting a unique cryptographic entity (UCE), where a client device receives a global-key (GK-) encrypted UKD comprising a GK-encrypted UCE and a GK-encrypted unit key number (UKN). The client device verifies that the GK-encrypted UKN is the same as a pre-provisioned value and then decrypts the GK-encrypted UKD using a global key (GK). The client device then re-encrypts the decrypted UKD using a device user key (DUK) to determine a DUK-encrypted UCE and a DUK-encrypted UKN. The DUK-encrypted UKN is verified as not equal to the GK-encrypted UKN. The DUK-encrypted UKN is then appended to the DUK-encrypted UCE to form a DUK-encrypted UKD and stored in a memory.
    Type: Grant
    Filed: August 28, 2009
    Date of Patent: September 17, 2013
    Assignee: Motorola Mobility LLC
    Inventor: Alexander Medvinsky