Control Vector Or Tag Patents (Class 380/280)
  • Patent number: 7800499
    Abstract: In various embodiments, a method for signing tags associated with objects includes receiving a first identifier associated with a tag. A first signature is generated for the tag based on the identifier and a public key. The first identifier and the first signature are then stored in the tag.
    Type: Grant
    Filed: June 5, 2007
    Date of Patent: September 21, 2010
    Assignee: Oracle International Corporation
    Inventor: Samuelson Rehman
  • Patent number: 7783042
    Abstract: A clock signal of a master clock of a sender is transmitted to a receiver through a classical channel and is returned from the receiver. The clock signal is transmitted with strong light from a sender-side quantum unit to a receiver-side quantum unit through a quantum channel. A sender-side synchronization section establishes phase synchronization between the clock signal returned from the receiver and the clock signal detected by the sender-side quantum unit, and generates a calibration clock signal. At the receiver as well, a receiver-side synchronization section establishes phase synchronization between the clock signal detected from the classical channel and the clock signal detected by the receiver-side quantum unit, and generates a calibration clock signal.
    Type: Grant
    Filed: February 14, 2005
    Date of Patent: August 24, 2010
    Assignee: NEC Corporation
    Inventors: Wakako Maeda, Shuji Suzuki, Akio Tajima, Seigo Takahashi, Akihiro Tanaka
  • Publication number: 20100208898
    Abstract: In an example, one or more cryptographic keys may be associated with a group. Any member of the group may use the key to encrypt and decrypt information, thereby allowing members of the group to share encrypted information. Domain controllers (DCs) maintain copies of the group's keys. The DCs may synchronize with each other, so that each DC may have a copy of the group's keys. Keys may have expiration dates, and any client connected to a DC may generate a new key when a key is nearing expiration. The various clients may create new keys at differing amounts of time before expiration on various DCs. DCs that store keys early thus may have time to propagate the newly-created keys through synchronization before other DCs are requested to store keys created by other clients. In this way, the creation of an excessive number of new keys may be avoided.
    Type: Application
    Filed: February 19, 2009
    Publication date: August 19, 2010
    Applicant: MICROSOFT CORPORATION
    Inventors: Tolga Acar, Josh Benaloh, Niels Thomas Ferguson, Carl M. Ellison, Mira Belenkiy, Duy Lan Nguyen
  • Patent number: 7761704
    Abstract: One embodiment of the present invention provides a system that can expire encrypted-data. During operation, the system receives an expiry-request that includes object-identifying information, which can be used to identify a set of database objects that contain the encrypted-data, wherein a database object can be a table, a partition, a row, or a column in a row. Furthermore, a database object can have an expiration time, and it can be stored in an archive, which is typically used to store large amounts of data for long periods using a slower, but cheaper storage medium than the storage medium used by the database. The system then identifies a set of keys for the encrypted-data using the object-identifying information. Next, the system deletes the set of keys, thereby expiring the encrypted-data. Note that deleting the set of keys ensures that the secure key repository does not contain any stale keys associated with expired encrypted-data.
    Type: Grant
    Filed: March 17, 2005
    Date of Patent: July 20, 2010
    Assignee: Oracle International Corporation
    Inventors: Min-Hank Ho, Daniel ManHung Wong, Chon Hei Lei, Thomas Keefe
  • Patent number: 7747024
    Abstract: A system, method, and program product is provided that uses environments to control access to encryption keys. A request for an encryption key and an environment identifier is received. If the encryption key is not associated with the environment identifier, the request is denied. If they are associated, the system receives user-supplied environment authentication data items from a user. Examples of environment authentication data include passwords, user identifiers, user biometric data (e.g., fingerprint scan, etc.), smart cards, and the like. The system retrieves stored environment authentication data items from a secure (e.g., encrypted) storage location. The retrieved stored environment authentication data items correspond to the environment identifier that was received. The received environment authentication data items are authenticated using the retrieved stored environment authentication data items.
    Type: Grant
    Filed: February 9, 2007
    Date of Patent: June 29, 2010
    Assignee: Lenovo (Singapore) Pte. Ltd.
    Inventor: David Carroll Challener
  • Patent number: 7715552
    Abstract: Included are systems and methods for data authentication. At least one embodiment of a system includes a secure processor configured as a physically secure environment, the secure processor further configured to receive a control word from a headend, the secure processor further configured to encrypt the received control word using a first encryption key. Other embodiments of a system include a transport processor configured to receive the encrypted control word, the transport processor further configured to decrypt the received control word using a first decryption key, wherein the first decryption key is compatible with the first encryption key.
    Type: Grant
    Filed: July 5, 2006
    Date of Patent: May 11, 2010
    Assignee: Scientific-Atlanta, LLC
    Inventors: Howard G. Pinder, David A. Sedacca
  • Patent number: 7706541
    Abstract: An information management apparatus capable of reliable management of distributed information and an information providing system employing the same information management apparatus has a main information reproducing system for reproducing main information recorded in a given recording medium; and a reproduction management system for managing the main information reproducing system for reproducing the main information. A receiver is provided with a unit for recording distributed information and control information limiting the number of main information reproducing cycles on a recording medium, and a main information reproducing system provided with a reproduction disabling function for limiting the reproduction of main information.
    Type: Grant
    Filed: February 26, 2004
    Date of Patent: April 27, 2010
    Assignee: FIPA Frohwitter Intellectual Property AG
    Inventors: Hiroaki Ono, Kiyoshi Kano, Hideo Nishijima, Takao Arai, Takaharu Noguchi, Nobutaka Amada, Hiroo Okamoto, Hitoaki Owashi, Keizo Nishimura, Nobuyuki Kaku, Shinya Fujimori
  • Patent number: 7688980
    Abstract: Methods and systems are provided of managing a cryptographic key. A first key component is received from a first key custodian. A second key component is received from a second key custodian. A key operation is performed on the first and second key components to generate the cryptographic key. A cryptographic-key number is assigned to the cryptographic key. A key form is printed specifying the cryptographic key. An association is recorded between the cryptographic-key number and an electromagnetic tag identifier coupled physically with the key form.
    Type: Grant
    Filed: December 6, 2004
    Date of Patent: March 30, 2010
    Assignee: First Data Corporation
    Inventors: Brian Kean, Kristi White
  • Patent number: 7660421
    Abstract: A system and method are described supporting secure implementations of 3DES and other strong cryptographic algorithms. A secure key block having control, key, and hash fields safely stores or transmits keys in insecure or hostile environments. The control field provides attribute information such as the manner of using a key, the algorithm to be implemented, the mode of use, and the exportability of the key. A hash algorithm is applied across the key and control for generating a hash field that cryptographically ties the control and key fields together. Improved security is provided because tampering with any portion of the key block results in an invalid key block. The work factor associated with any manner of attack is sufficient to maintain a high level of security consistent with the large keys and strong cryptographic algorithms supported.
    Type: Grant
    Filed: June 28, 2002
    Date of Patent: February 9, 2010
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Dale W. Hopkins, Susan Langford, Larry Hines, Ching-Hsuan Chen
  • Patent number: 7653197
    Abstract: A secure solution is provided to the problem of secret key agreement. In particular, a method of reliable forward secret key sharing is disclosed between two legitimate correspondents whose profiles match sufficiently. The invention relies on a physical random function, sometimes referred to as a physical unclonable function (PUF) to provide a secure solution to the problem of secret key agreement. In one embodiment, a one-pass protocol is introduced based on Reed-Solomon codes leading to an unconditionally secure solution. In a further embodiment, the solution of the first embodiment is improved upon by providing a conditionally secure solution based on a pseudo random family of functions. In a still further embodiment, a two-pass protocol is introduced which is used exclusively for purposes of identification and authentication. In accordance with the principles of the two-pass protocol, two communications are required and unlike the one-pass protocol, the second correspondent selects the secret key K.
    Type: Grant
    Filed: October 28, 2004
    Date of Patent: January 26, 2010
    Assignee: Koninklijke Philips Electronics N.V.
    Inventor: Marten E. Van Dijk
  • Patent number: 7640595
    Abstract: A navigation system with decryption functions. The navigation system may receive from a portable data storage medium an encrypted authentication key, an encrypted first portion of a geographic database, and an unencrypted second portion of the geographic database. The navigation system may then decrypt the encrypted authentication key so as to gain access to a set of verification information and to a decryption key for decryption of the encrypted first portion. The navigation system may then use the verification information to validate use of the database, such as by ensuring that the data storage medium is authorized to hold the database or that the navigation system is authorized to access the database. In turn, the navigation system may then use the decryption key to decrypt the encrypted first portion, so as to gain access to the database as a whole. The navigation system may then use information in the database to convert location coordinates into map information for presentation to a user.
    Type: Grant
    Filed: April 13, 2004
    Date of Patent: December 29, 2009
    Assignee: Navteq North America, LLC
    Inventor: Robert Chojnacki
  • Patent number: 7634087
    Abstract: A method and system for encrypting a first piece of information M to be sent by a sender [100] to a receiver [110] allows both sender and receiver to compute a secret message key using identity-based information and a bilinear map. In one embodiment, the sender [100] computes an identity-based encryption key from an identifier ID associated with the receiver [110]. The identifier ID may include various types of information such as the receiver's e-mail address, a receiver credential, a message identifier, or a date. The sender uses a bilinear map and the encryption key to compute a secret message key g_ID^r, which is then used to encrypt a message M, producing ciphertext V to be sent from the sender [100] to the receiver [110] together with an element rP. An identity-based decryption key d_ID is computed by a private key generator [120] based on the ID associated with the receiver and a secret master key s.
    Type: Grant
    Filed: May 9, 2006
    Date of Patent: December 15, 2009
    Assignees: The Board of Trustees of the Leland Stanford Junior University, The Regents of the University of California, Davis
    Inventors: Dan Boneh, Matthew Franklin
  • Publication number: 20090307488
    Abstract: Systems and methodologies that facilitate delegation of keyset management to a platform presenting a centralized health-related data repository are provided. Effectively, a central keyset manager is provided that generates, manages and distributes key material to client applications and servers deploying the platform. Thus, communications with the platform storing sensitive health-related data can be secured without incurring the costs associated with implementing and enforcing policies associated with key generation and expiration among a plurality of servers and client applications. Additionally, the innovation can scale keyset management to meet short term demand needs.
    Type: Application
    Filed: September 24, 2007
    Publication date: December 10, 2009
    Applicant: MICROSOFT CORPORATION
    Inventors: Brian J. Guarraci, Christopher C. White, Johnson T. Apacible
  • Publication number: 20090290706
    Abstract: Techniques for securely and adaptively delivering multimedia content are disclosed in which a set of alternate access units for each time slot is obtained. Then, the encryption stream index of each access unit from the set of alternate access units of the previous time slot are obtained. An encryption stream index is then assigned to each access unit in the set of alternate access units in the current time slot, such that the encryption index increases over time. Thus, the invention overcomes the problem of encrypting a multimedia stream that may have multiple access units for each time slot by selecting the encryption index for each access unit such that the encryption index increases, regardless of which access unit the delivery system (e.g., server) selects for transmission.
    Type: Application
    Filed: July 31, 2009
    Publication date: November 26, 2009
    Applicant: International Business Machines Corporation
    Inventors: Lisa D. Amini, Pascal Frossad, Chitra Venkatramani, Olivier Verscheure, Peter Westerink
  • Patent number: 7623657
    Abstract: Techniques for securely and adaptively delivering multimedia content. It is assumed that a set of alternate access units for each time slot is obtained. Then, the encryption stream index of each access unit from the set of alternate access units of the previous time slot are obtained. An encryption stream index is then assigned to each access unit in the set of alternate access units in the current time slot, such that the encryption index increases over time. Thus, the invention overcomes the problem of encrypting a multimedia stream that may have multiple access units for each time slot by selecting the encryption index for each access unit such that the encryption index increases, regardless of which access unit the delivery system (e.g., server) selects for transmission.
    Type: Grant
    Filed: July 23, 2007
    Date of Patent: November 24, 2009
    Assignee: International Business Machines Corporation
    Inventors: Lisa D. Amini, Pascal Frossard, Chitra Venkatramani, Olivier Verscheure, Peter Westerink
  • Patent number: 7613921
    Abstract: A virtual security coprocessor is created in a first processing system. The virtual security coprocessor is then transferred to a second processing system, for use by the second processing system. For instance, the second processing system may use the virtual security coprocessor to provide attestation for the second processing system. In an alternative embodiment, a virtual security coprocessor from a first processing system is received at a second processing system. After receiving the virtual security coprocessor from the first processing system, the second processing system uses the virtual security coprocessor. Other embodiments are described and claimed.
    Type: Grant
    Filed: June 29, 2005
    Date of Patent: November 3, 2009
    Assignee: Intel Corporation
    Inventor: Vincent R. Scaralata
  • Patent number: 7603557
    Abstract: A communication device, a communication system and an authentication system for preventing a disguising act by an illegal man-in-the-middle and improving the safety and certainty of authentication processing are provided. A slave (20) transmits an authentication request including device information to a master (10). The master (10) receives the authentication request and displays the device information included in the authentication request on a screen of a display section (13). The user visually checks the device information displayed on the screen of the display section (13), determines whether or not to verify the authentication, and instructs the master (10) of the determination result via an input section (14). The master (10), instructed to verify or not to verify the authentication, transmits a response in accordance with the instruction to the slave (20).
    Type: Grant
    Filed: April 12, 2005
    Date of Patent: October 13, 2009
    Assignee: Panasonic Corporation
    Inventors: Yibo Zhang, Takeshi Kokado
  • Patent number: 7599493
    Abstract: Techniques for providing different levels of access based upon a same authentication factor are provided. A first message is received that is transformed with a first portion of a split private key, the first portion based upon a user password and another factor, and the split private key associated with an asymmetric key pair having a public key and the split private key. The user is authenticated for a first level of network access based upon the received first message being transformed with the first portion. A second message is received that is transformed with a second portion of the split private key, the second portion based upon the password only and not combinable with the first portion to complete the split private key. The user is authenticated for a second level of network access different than the first level based upon the received second message being transformed with the second portion.
    Type: Grant
    Filed: February 14, 2005
    Date of Patent: October 6, 2009
    Assignee: TriCipher Inc.
    Inventors: Ravinderpal Singh Sandhu, Brett Jason Schoppert, Ravi Ganesan, Mihir Bellare, Colin Joseph deSa
  • Publication number: 20090245522
    Abstract: A method of controlling a memory device connectable to a host for sending out a command to the memory device includes storing a plurality of first keys which are accessible by a plurality of passwords, respectively, encrypting a second key for encrypting and decrypting data to produce an encrypted second key by using one of the first keys, and storing the encrypted second key, decrypting the encrypted second key by using one of the first keys and encrypting or decrypting data by the second key upon receipt of a command from the host to encrypt or decrypt the data, and receiving, upon receipt of a command for renewing the second key from the host, a renewed second key, encrypting the renewed second key with one of the first keys, and storing the encrypted renewed second key.
    Type: Application
    Filed: February 9, 2009
    Publication date: October 1, 2009
    Applicant: FUJITSU LIMITED
    Inventors: Yoshiyuki Kudo, Takahiro Shinbori
  • Patent number: 7596697
    Abstract: Techniques for authentication are provided. A first authentication request transformed with a private portion of a first type split private key is received. A first user is authenticated for a first level of network access based upon the first request being transformed with the first type of split private key. A second authentication request that is transformed with a private portion of a second type private key is also received. A second user is authenticated for a second level of network access based upon the second request being transformed with the second type of split private key.
    Type: Grant
    Filed: February 14, 2005
    Date of Patent: September 29, 2009
    Assignee: TriCipher, Inc.
    Inventors: Ravinderpal Singh Sandhu, Brett Jason Schoppert, Ravi Ganesan, Mihir Bellare, Colin Joseph deSa
  • Publication number: 20090238368
    Abstract: The cloning source of an authorized receiving device cannot be identified. A key distribution system 1 concerning the present invention includes: a communication channel 10; a key distribution center 11; a server 12; and receiving devices 13a to 13n. The key distribution center 11 distributes, to the server 12, the information necessary for distributing shared keys SK to the receiving devices 13a to 13n, and distributes the individual information group EMMG necessary for receiving the shared keys SK from the server 12. The server 12 generates the shared keys SK, generates the common information ECM based on the shared keys SK and the system secret variable group set SPGS, and distributes the common information ECM to the receiving devices 13a to 13n. The receiving devices 13a to 13n obtain the shared keys SK based on the individual information group EMMG and the common information ECM and output them to the outside.
    Type: Application
    Filed: January 31, 2005
    Publication date: September 24, 2009
    Applicant: MATSUSHITA ELECTRIC INDUSTRIAL CO., LTD.
    Inventors: Masao Nonaka, Yuichi Futa, Motoji Ohmori, Shigeru Yamada, Tetsuya Inoue, Yoji Kumazaki, Wataru Kuroiwa, Shinichi Oi, Osamu Yoshida
  • Patent number: 7581244
    Abstract: A secured network connection requires three authentication routines. A system access authentication routine requires a client network device to submit user authentication information to a network server. Upon successful user authentication, the network server creates a Client Service Access Pass and embeds this pass into a dynamic web page transmitted to the client device. A client application access authentication routine requires that the dynamic web page pass the Client Service Access Pass to an instantiated client application, which in turn submits it back to a service server on the network server for authentication. Upon successful authentication, the network server destroys the Client Service Access Pass, creates a Media File Access Pass, and sends this pass to the client application. A media file access authentication routine requires the client application to submit the Media File Access Pass along with any file access requests to the network server.
    Type: Grant
    Filed: January 25, 2006
    Date of Patent: August 25, 2009
    Assignee: Seiko Epson Corporation
    Inventors: Chia-Hsin Li, Victor Ivashin, Steve Nelson
  • Patent number: 7568113
    Abstract: A method of and device (110) for granting access to content on a storage medium (101), comprising obtaining cryptographic data (Y) from a property (102), such as a wobble, of the storage medium (101), reading helper data (W) from the storage medium (101), and granting the access based on an application of a delta-contracting function to the cryptographic data (Y) and the helper data (W). The delta-contracting function allows the choice of an appropriate value of the helper data (W), such that any value of the cryptographic data (Y) which sufficiently resembles said original primary input value leads to the same output value. Substantially different values of the cryptographic data (Y) lead to different values of the output.
    Type: Grant
    Filed: December 24, 2003
    Date of Patent: July 28, 2009
    Inventor: Johan Paul Marie Gerard Linnartz
  • Patent number: 7539310
    Abstract: A version number is associated with an encrypted key executable to allow real time updating of keys for a system which facilitates users signing on to multiple websites on different domains using an encrypted ticket. Two keys may be used at each site during updating of keys, each having an associated one digit Hex version tag. When a key is to be updated with a new key, the existing or old key is provided an expiration time. A second key is provided from the system in a secure manner with a new version number and made the current key which provides decryption of the encrypted ticket. The system tracks both keys while they are concurrent. After the existing key expires, only the second, or updated key is used to provide login services for users. The system periodically flushes old keys.
    Type: Grant
    Filed: May 24, 2005
    Date of Patent: May 26, 2009
    Assignee: Microsoft Corporation
    Inventors: Christopher E. Mitchell, Jeff C. Kunins, Max E. Metral
  • Patent number: 7522727
    Abstract: A method includes receiving an authentication request from a mobile station (401) and determining whether to forward the request to an authentication agent. When it is determined to forward the request, the request is forwarded to the authentication agent (107). A random number and a random seed are received from the authentication agent (107). The random number and the random seed are forwarded to the mobile station (401). A response to the random number and the random seed from the mobile station (401) is received and forwarded to the authentication agent (107). The authentication agent (107) compares the response with an expected response. When the authentication agent (107) authenticates the mobile station (401), a derived cipher key is received from the authentication agent (107).
    Type: Grant
    Filed: August 31, 2006
    Date of Patent: April 21, 2009
    Assignee: Motorola, Inc.
    Inventors: Hans Christopher Sowa, Daniel J. McDonald, David J. Chater-Lea, Scott J. Pappas, Jason Johur, Dennis Newkirk, Randy Kremske, Walter F. Anderson
  • Patent number: 7505599
    Abstract: An enabling key block (EKB) used in an encrypted key distributing tree structure is generated by forming a simplified 2-branch or multi-branch type tree with a terminal node or leaf which is capable of decrypting on the basis of a key corresponding to a node or a leaf of the simplified tree. Further, the EKB includes a tag for indicating a position of an encrypted key in the tree. The tag not only discriminates position but also stores data for judging the presence of encrypted key data within the EKB. As such, a considerable reduction in data quantity is realized, and the decrypting process in a device is also simplified.
    Type: Grant
    Filed: April 4, 2001
    Date of Patent: March 17, 2009
    Assignee: Sony Corporation
    Inventors: Ryuji Ishiguro, Yoshitomo Osawa, Tateo Oishi, Tomoyuki Asano, Atsushi Mitsuzawa
  • Patent number: 7502475
    Abstract: Certain aspects of the invention for producing a secure key may comprise a secure key generator that receives a first, second and third input keys and utilizes these keys to generate a first output key. The first, second and third input keys may be a customer key, customer key selection and key variation, respectively. The first output key may be generated so that it is unique, differs from the first input key and is not a weak or semi-weak key. The first, second and third input keys may be mapped to generate mapped output key data and an intermediate key generated based on the first input key. The intermediate key and the output key data may be scrambled to create a scrambled output. At least a portion of the output key data may be masked and XORed with the scrambled output to generate the first output key.
    Type: Grant
    Filed: November 14, 2003
    Date of Patent: March 10, 2009
    Assignee: Broadcom Corporation
    Inventors: Sherman (Xuemin) Chen, Iue-Shuenn Chen, Robert Brownhill, Wade K. Wan
  • Patent number: 7496199
    Abstract: The cryptographic resources are supplied by at least one cryptographic source having a specific access interface. The application is presented with a mutualized interface substantially independent of the cryptographic sources and of their respective access interfaces. A translation module is placed between the mutualized interface and each interface for accessing a cryptographic source to provide access to the cryptographic resources from the application via the mutualized interface.
    Type: Grant
    Filed: May 16, 2003
    Date of Patent: February 24, 2009
    Assignee: France Telecom
    Inventors: Sylvie Camus, Laurent Frisch, Dimitri Mouton
  • Patent number: 7493429
    Abstract: The present invention provides for trusted side-band communications between components in a computer system, so that use of the system bus may be avoided. Two components may be connected by means other than a bus (e.g., an infrared port, a wire, an unused pin, etc.), whereby these components may communicate without the use of the system bus. The non-bus communication channel may be referred to as “side-band.” The side-band channel may be used to communicate information that might identify the user's hardware (e.g., a public key) or other information that the user may not want to be easily intercepted by the public at large. Communication over the side-band channel may also be used to verify that the participants in a communication are within a defined positional relationship to each other.
    Type: Grant
    Filed: January 16, 2004
    Date of Patent: February 17, 2009
    Assignee: Microsoft Corporation
    Inventors: John E. Paff, Marcus Peinado, Thekkthalackal Varugis Kurien, Bryan Mark Willman, Paul England, Andrew John Thornton
  • Patent number: 7490240
    Abstract: A method of electronically signing a document includes initializing a user, including generating an asymmetric key pair including a private signing key and a public signing key, and storing the private signing key and the public signing key; and providing an electronic signature, including receiving document data corresponding to at least one selected portion of the document, binding the stored private signing key and the document data to create an electronic signature, and providing the electronic signature for a recipient.
    Type: Grant
    Filed: February 12, 2007
    Date of Patent: February 10, 2009
    Assignee: TecSec, Inc.
    Inventors: Edward M. Scheidt, James L. Kolouch, Ersin L. Domangue, Mark A. Odell, Wai Lin Tsang
  • Patent number: 7486793
    Abstract: The objective of the present invention is to propose an accounting method of the consumption of transmitted services per time unit to a decoder in a system implementing a content encrypted by control words, the latter being modified according to a period named crypto-period. This method consists in verifying if the time-current (TC) is comprised in a time variable (Rdate) representative of the authorisation time of use of the service and, if this is the case, decrypting and returning the control words to the decoder, and if it is not the case, debiting an amount (CT) corresponding to a time of use (AT) and recharging the time variable (Rdate) with a corresponding time.
    Type: Grant
    Filed: September 30, 2002
    Date of Patent: February 3, 2009
    Assignee: NagraCard S.A.
    Inventors: Jimmy Cochard, Henri Kudelski, Marco Sasselli
  • Patent number: 7478233
    Abstract: In a distributed computing architecture, a method and system for authenticating a message as originating from an unaltered or unmodified node is provided. Prior to sending a message, a black box software module in a node validates the node to determine whether the node has been altered or modified without authorization. Once validated, the black box alters a message, using a black box protection scheme, in such a manner that the message can be subsequently authenticated. The black box module sends the altered message to a peer node, whose own black box authenticates the message using an authentication scheme corresponding to the protection scheme. Because validation is performed, each node may assume that the message originated from an unaltered node. The protection and/or validation scheme can be changed in regular intervals so that attackers do not have time to reverse engineer the black box.
    Type: Grant
    Filed: May 30, 2002
    Date of Patent: January 13, 2009
    Assignee: Microsoft Corporation
    Inventors: Erik B. Olson, Eric K. Zinda
  • Publication number: 20090010439
    Abstract: To reduce a frequency of recording communication management information for communication disconnection countermeasure. A digital content distribution system includes a license server (101) that issues a license, and a user terminal (103) that controls use of content based on the issued license. The license server (101) judges, according to the license to be issued, whether or not the communication management information for the communication disconnection countermeasure needs to be recorded, and notifies the user terminal of a result of the judgment. This enables the user terminal (103) to reduce the frequency of recording the communication management information.
    Type: Application
    Filed: January 24, 2007
    Publication date: January 8, 2009
    Inventors: Ryuichi Okamoto, Akio Higashi, Satoshi Niwano, Hiroki Murakami
  • Patent number: 7471796
    Abstract: A security system for controlling access to encrypted information, comprising: a memory for storing at least one decryption key for use in decrypting an encrypted item of information, the decryption key being associated with a security code which can be used to determine whether the security system is authorized to send encrypted copies of the decryption key to others. If the security system is authorized to send an encrypted copy of the decryption key, it encrypts the decryption key and propagates the encrypted copy of the decryption key. Each time the security system propagates a decryption key, it includes as part of the decryption key an identifier indicating the identity of a sender's key. A user can append a control word against their identity in the decryption key to instruct the security system to initiate a message to them or an agent informing them of the propagation of the key and giving information concerning that propagation.
    Type: Grant
    Filed: July 20, 2006
    Date of Patent: December 30, 2008
    Assignee: Data Encryption Systems Limited
    Inventor: David Robin Tomlinson
  • Patent number: 7443984
    Abstract: A content key, an authentication key, and a program data etc. are transmitted with an enabling key block (EKB) in an encrypted key constitution of a tree structure. The EKB has a constitution in which a device as a leaf of the tree holds a leaf key and a limited node key, and a specific enabling key block (EKB) is generated and distributed to a group specified by a specific node to limit devices that can be renewed. As the devices that do not belong to the group cannot perform decryption, the security for distributing keys etc. can be secured. Thus, distribution of various kinds of keys or data is executed in an encryption key constitution of a tree structure to realize an information processing system and method enabling to distribute data efficiently and safely.
    Type: Grant
    Filed: April 2, 2001
    Date of Patent: October 28, 2008
    Assignee: Sony Corporation
    Inventors: Ryuji Ishiguro, Yoshitomo Osawa, Tateo Oishi, Tomoyuki Asano, Atsushi Mitsuzawa
  • Patent number: 7437549
    Abstract: According to the present invention there is provided a datacast distribution system which allows for the distribution of movies, music, games, application software, and the like using a new or existing terrestrial digital video broadcasting (DVB-T) network or the like.
    Type: Grant
    Filed: October 10, 2002
    Date of Patent: October 14, 2008
    Assignee: Nokia Corporation
    Inventors: Markus Lindqvist, Kai-Uwe Prokki, Markku Soinio, Dominique Müller
  • Patent number: 7437568
    Abstract: Computer apparatus comprising a receiver for receiving an integrity metric for a computer entity via a trusted device associated with the computer entity, the integrity metric having values for a plurality of characteristics associated with the computer entity; a controller for assigning a trust level to the computer entity from a plurality of trust levels, wherein the assigned trust level is based upon the value of at least one of the characteristics of the received integrity metric.
    Type: Grant
    Filed: August 16, 2001
    Date of Patent: October 14, 2008
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Arindam Das-Purkayastha, Siani Lynne Pearson, Liqun Chen
  • Patent number: 7436957
    Abstract: A device of the same general physical size and shape as a standard audio cassette tape, but which accepts digital information from any of a variety of sources—including for example: Internet transmission, a digital computer, or memory cards (especially digital memory cards)—and plays this digital information through any, for example, standard audio tape cassette player. The device operates by converting the digital representation of the sound into magnetic signals which are presented to the read/write head of the cassette player equipment. The device allows the user of the cassette player to regulate the audio playback using conventional equipment controls such as: START, STOP, REWIND, FAST REWIND, FORWARD, FAST FORWARD, etc.
    Type: Grant
    Filed: July 29, 1999
    Date of Patent: October 14, 2008
    Inventors: Addison M. Fischer, Robert L. Protheroe
  • Patent number: 7428754
    Abstract: A secure computing system is provided which utilizes a unique combination of Public Key Infrastructure (PKI), Virtual Private Networking (VPN), and server-based computing on thin client devices. The combination of technology and components provides secure computing through Defense-in-Depth using commercial off-the-shelf components.
    Type: Grant
    Filed: August 17, 2004
    Date of Patent: September 23, 2008
    Assignee: The Mitre Corporation
    Inventors: William C. Neumann, Thomas E. Corby, Gerald Allen Epps
  • Patent number: 7392384
    Abstract: A system and method are described supporting secure implementations of 3DES and other strong cryptographic algorithms. A secure key block having control, key, and MAC fields safely stores or transmits keys in insecure or hostile environments. The control field provides attribute information such as the manner of using a key, the algorithm to be implemented, the mode of use, and the exportability of the key. A MAC algorithm is applied across the key and control for generating a MAC field that cryptographically ties the control and key fields together. Improved security is provided because tampering with any portion of the key block results in an invalid key block. The work factor associated with any manner of attack is sufficient to maintain a high level of security consistent with the large keys and strong cryptographic algorithms supported.
    Type: Grant
    Filed: June 28, 2002
    Date of Patent: June 24, 2008
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Dale W. Hopkins, Susan Langford, Larry Hines, Ching-Hsuan Chen
  • Patent number: 7369662
    Abstract: A method and an arrangement maintain end-to-end synchronization on a telecommunications connection transmitting data in frames substantially in real time and using synchronized end-to-end encryption, wherein at least a part of the telecommunications connection is a packet-switched connection, in which case the reproduction delay of the data to be transmitted can be increased by adding one or more extra frames to the frame string being transmitted, wherein the arrangement defines, based on the number of received frames, an initialization vector value corresponding to a frame received at the receiving end of the telecommunications connection and used in decrypting the frame, adjusts the reproduction delay to mark the frame to be added to increase the reproduction delay as an extra frame, and defines the initialization vector value to count only the frames not marked as extra frames in the number of received frames.
    Type: Grant
    Filed: November 27, 2001
    Date of Patent: May 6, 2008
    Assignee: Eads Secure Networks Oy
    Inventors: Rasmus Relander, Raimo Kantola
  • Patent number: 7366905
    Abstract: A method and system to allow user generation of a private-public key pair and an associated user generated certificate to establish the identity of a user based upon signing the user generated certificate with a private key of a private-public key pair associated with a certificate issued by a Certification Authority (CA). The user generated certificate thereby allows the user that generated the certificate to establish a secure session with a third party without multiple use of the certificate issued by the CA, typically for use on another network infrastructure. The method and system are particularly useful for establishing a secure session, such as a Secure Socket Layer session using a personal computer, where the CA certificate is associated with a wireless identity module of a wireless device.
    Type: Grant
    Filed: February 28, 2002
    Date of Patent: April 29, 2008
    Assignee: Nokia Corporation
    Inventor: Lauri Paatero
  • Patent number: 7356688
    Abstract: Methods for transferring among key holders in encoding and cryptographic systems the right to decode and decrypt messages in a way that does not explicitly reveal decoding and decrypting keys used and the original messages. Such methods are more secure and more efficient than typical re-encoding and re-encryption schemes, and are useful in developing such applications as document distribution and long-term file protection.
    Type: Grant
    Filed: December 21, 1999
    Date of Patent: April 8, 2008
    Assignee: ContentGuard Holdings, Inc.
    Inventor: Xin Wang
  • Patent number: 7336791
    Abstract: Upon receipt of a service data request from a client, a license server offering a key to decrypt a content transmits a user information request to the client. On receiving the user information request, the client displays a message prompting its user to enter such user information as the user's personal information and accounting information. The user information thus entered is sent from the client to the license server. On receiving the user information, the license server assigns a leaf of a key-managed hierarchical tree structure to the client, generates a set of node keys as a device node key, sends to the client the device node key together with a leaf ID and a private key of the client in question, and records the user information in correspondence with the leaf ID.
    Type: Grant
    Filed: March 27, 2002
    Date of Patent: February 26, 2008
    Assignee: Sony Corporation
    Inventor: Ryuji Ishiguro
  • Patent number: 7324644
    Abstract: Between a transmitting device and a receiving device, a first authentication and key exchange procedure depending on a radio link layer network is carried out, and then a whole or a part of a second authentication and key exchange procedure depending on the copyright protected contents data is carried out by using the cipher communication using a first encryption key that is shared between the transmitting device and the receiving device by the first authentication and key exchange procedure, so that the contents data transfer by the cipher communication using a second encryption key can be carried out only between a legitimate pair of the transmitting device and the receiving device that can successfully complete the first authentication.
    Type: Grant
    Filed: August 23, 2001
    Date of Patent: January 29, 2008
    Assignee: Kabushiki Kaisha Toshiba
    Inventor: Takeshi Saito
  • Patent number: 7313236
    Abstract: Techniques for securely and adaptively delivering multimedia content. It is assumed that a set of alternate access units for each time slot is obtained. Then, the encryption stream index of each access unit from the set of alternate access units of the previous time slot is obtained. An encryption stream index is then assigned to each access unit in the set of alternate access units in the current time slot, such that the encryption index increases over time. Thus, the invention overcomes the problem of encrypting a multimedia stream that may have multiple access units for each time slot by selecting the encryption index for each access unit such that the encryption index increases, regardless of which access unit the delivery system (e.g., server) selects for transmission.
    Type: Grant
    Filed: April 9, 2003
    Date of Patent: December 25, 2007
    Assignee: International Business Machines Corporation
    Inventors: Lisa D. Amini, Pascal Frossard, Chitra Venkatramani, Olivier Verscheure, Peter Westerink
  • Patent number: 7283629
    Abstract: A plurality of message processors exchange public and secret information. Based on the exchanged information, each message processor computes a key sequence such that any one of a plurality of keys may be derived from the key sequence depending on key derivation data. A first message processor generates key derivation data that can be used to derive a particular key from among the plurality of keys. The first message processor sends a security token that includes the generated key derivation data to express to at least one other message processor how to derive the particular key from the computed key sequence. At least a second message processor receives the security token expressing how to derive the particular key from the computed key sequence. The first and/or second message processors apply the key derivation data to the computed key sequence to derive the particular key.
    Type: Grant
    Filed: December 5, 2002
    Date of Patent: October 16, 2007
    Assignee: Microsoft Corporation
    Inventors: Christopher G. Kaler, Giovanni M. Della-Libera, Elliot L. Waingold
  • Patent number: 7269729
    Abstract: Disclosed is a method of internally encrypting data in a relational database, comprising the steps of providing a security dictionary comprising one or more security catalogs, receiving data from a user associating said data with a database column and at least one authorized user, generating a working encryption key, internally encrypting said working encryption key using a public key from an authorized user, storing said encrypted working key in a security catalog, and using said working key to internally encrypt said data.
    Type: Grant
    Filed: December 28, 2001
    Date of Patent: September 11, 2007
    Assignee: International Business Machines Corporation
    Inventors: Jingmin He, Sriram Padmanabhan, Min Wang
  • Patent number: 7242772
    Abstract: A data stream, such as a digital motion picture, is encrypted in units of one or more blocks, each block having an assigned encryption key. A plurality of encryption keys is assigned to the complete data stream, with a synchronization index provided to map each individual encryption key to its starting data block. Encryption keys and associated synchronization indices are provided separately from the data stream, using one or more additional data transfer mechanisms. An optional offset, randomly generated, allows variation in intervals between data blocks at which encryption by a specific encryption key can be performed.
    Type: Grant
    Filed: September 7, 2000
    Date of Patent: July 10, 2007
    Assignee: Eastman Kodak Company
    Inventor: Babak Tehranchi
  • Patent number: 7225339
    Abstract: In a tree-structural key distribution system, renewed data of a master key and medium key are sent along with a key renewal block (KRB). KRB is such that each of devices included as leaves of a tree structure has a leaf key and restricted node key. A specific KRB can be generated for a group identified by a specific node and distributed to the group to restrict a device for which the key can be renewed. Any device not belonging to the group cannot decrypt the key, whereby the security of key distribution can be assured. Especially in a system using a generation-managed master key, a master key renewed with KRB can be distributed.
    Type: Grant
    Filed: April 5, 2001
    Date of Patent: May 29, 2007
    Assignee: Sony Corporation
    Inventors: Tomoyuki Asano, Yoshitomo Osawa, Ryuji Ishiguro, Atsushi Mitsuzawa, Tateo Oishi