By Public Key Method Patents (Class 380/282)
  • Patent number: 7596697
    Abstract: Techniques for authentication are provided. A first authentication request transformed with a private portion of a first type of split private key is received. A first user is authenticated for a first level of network access based upon the first request being transformed with the first type of split private key. A second authentication request that is transformed with a private portion of a second type of split private key is also received. A second user is authenticated for a second level of network access based upon the second request being transformed with the second type of split private key.
    Type: Grant
    Filed: February 14, 2005
    Date of Patent: September 29, 2009
    Assignee: TriCipher, Inc.
    Inventors: Ravinderpal Singh Sandhu, Brett Jason Schoppert, Ravi Ganesan, Mihir Bellare, Colin Joseph deSa
  • Patent number: 7594257
    Abstract: A computing system includes data encryption in the data path between a data source and data storage devices. The data storage devices may be local or they may be network resident. The data encryption may utilize a key which is derived at least in part from an identification code stored in a non-volatile memory. The key may also be derived at least in part from user input to the computer. In a LAN embodiment, public encryption keys may be automatically transferred to a network server for file encryption prior to file transfer to a client system.
    Type: Grant
    Filed: September 14, 2006
    Date of Patent: September 22, 2009
    Assignee: Micron Technology, Inc.
    Inventor: Doug L. Rollins
  • Publication number: 20090232315
    Abstract: A system and method for database security provides a database security method that receives an encryption property from an application and receives information relating to a database server. The method then requests security access to a database server using the strongest encryption algorithm the server may support. If this request is turned down, the method determines the strongest encryption algorithm the server actually supports using the information the database server sent back and calculates the encryption keys. The method then caches the encryption algorithm along with the encryption keys in persistent storage. For subsequent connections, the method checks the persistent storage first, retrieves the encryption algorithm and encryption keys from the persistent storage if the cached values are available, and sends the cached values to the database server. By doing this, the database driver does not need to synchronize the encryption algorithm with the server and calculate the encryption keys again.
    Type: Application
    Filed: March 13, 2008
    Publication date: September 17, 2009
    Applicant: International Business Machines Corporation
    Inventors: Satheesh E. Bandaram, Huaxin Gao, Bilung Lee, Paul Arnold Ostler
  • Patent number: 7584198
    Abstract: A method of storing a data set on a storage device carrying a file of random data comprising the steps of: selecting, in dependence on a user input passphrase, a first location within the file of random data for storing a file index (FI); selecting a second location within the file of random data for storing the data set; encrypting the data set (D); storing the encrypted data set at the second selected location in the file of random data; making an entry in the file index in respect of the data set, the entry comprising an indication of the second selected location; encrypting the file index; and storing the encrypted file index at the first selected location in the file of random data. Also computer programs for carrying out such methods and storage devices arranged to operate using such methods.
    Type: Grant
    Filed: January 28, 2005
    Date of Patent: September 1, 2009
    Assignee: Stegostik Limited
    Inventor: Glen Jonathan Slade
  • Patent number: 7581110
    Abstract: This invention provides a bandwidth-efficient mechanism whereby the source or originating node(s) (the invention supports multiple source nodes, each creating single or multiple broadcast message(s)) may utilize broadcast addressing service to efficiently reach multiple receiver nodes and still control which receiver node(s) may access the broadcast data or message. This method is realized by a novel and efficient key distribution technique.
    Type: Grant
    Filed: August 24, 2000
    Date of Patent: August 25, 2009
    Assignee: Nokia Corporation
    Inventor: Scott Probasco
  • Patent number: 7580521
    Abstract: A system is provided that uses identity-based encryption (IBE) to allow a sender to securely convey information in a message to a recipient over a communications network. IBE public key information may be used to encrypt messages and corresponding IBE private key information may be used to decrypt messages. Information on which IBE public key information was used in encrypting a given message may be provided to the message recipient with the message. Multiple IBE public keys may be used to encrypt a single message. A less sensitive IBE public key may be used to encrypt a more sensitive public key, so that the more sensitive public key can remain hidden as it is sent to the recipient.
    Type: Grant
    Filed: June 25, 2003
    Date of Patent: August 25, 2009
    Assignee: Voltage Security, Inc.
    Inventors: Terence Spies, Rishi R. Kacker, Guido Appenzeller, Matthew J. Pauker
  • Patent number: 7577425
    Abstract: Networks consist of administrative domains each including an administrative server and at least one mobility agent deployed therein. The mobility agents offer connectivity to a mobile node via Advertisement messages in a form verifiable by the mobile node. Each Advertisement message is signed by a private key of the advertising mobility agent and accompanied by a certificate that contains a public key of the advertising mobility agent and is signed by a private key of the administrative server of the advertising mobility agent. Thus, if the mobile node has the public key of the administrative server, it can authenticate the Advertisement message. If the mobile node does not have the public key, it requests the public key when it registers with the mobility agent. The public key of the administrative server is sent in a certificate signed by the private key of the administrative server ultimately responsible for authentication of the mobile node.
    Type: Grant
    Filed: May 15, 2002
    Date of Patent: August 18, 2009
    Assignee: NTT DOCOMO Inc.
    Inventors: Satomi Okazaki, Atsushi Takeshita, Yiqun Yin, Aki Yokote
  • Publication number: 20090204809
    Abstract: An information processing device is arranged to acquire a first public key certificate and a first secret key from a server device by acquiring an individual identification information which is uniquely discriminable for the information processing device from the information processing device and transmitting the individual identification information to the server device. The information processing device is arranged to determine whether the information processing device is permitted to transmit device information to the server device through an encryption communication using the first public key certificate and the first secret key, by acquiring the individual identification information from the information processing device and comparing the acquired individual identification information with the individual identification information associated with at least one of the first public key certificate and the first secret key.
    Type: Application
    Filed: February 4, 2009
    Publication date: August 13, 2009
    Inventors: Masami Nasu, Jun Satoh
  • Publication number: 20090198997
    Abstract: A system, method and software module for secure electronic communication services, wherein a public key (25) of private-public-key pair (30,25) is associated with an email address (24), internet name or other registered unique identifier; the registered user of the unique identifier holds the private-key (30) securely, and the respective public-key (25) is made accessible on a key server (6) for look-up and retrieval by other users, for encryption of communications to be sent to the holder of the private-key, and optionally for message confidentiality, message integrity and authentication of sender and recipient, without requiring certificates.
    Type: Application
    Filed: May 19, 2008
    Publication date: August 6, 2009
    Inventors: Tet Hin Yeap, Thomas Anton Goeller
  • Patent number: 7567674
    Abstract: A content transmission method, a content reception method, an apparatus and a computer program using same, that improve the efficiency of descrambling a scrambled content, make the management of cryptography keys for descrambling easy, and protect the copyright of contents, are provided. A content transmission apparatus 3 that encrypts and transmits contents and a content reception apparatus 5 that receives the encrypted contents are provided. The content transmission apparatus 3 includes a content scrambling unit 7 that encrypts contents using a scrambling key Ks, a content key, a work key Kw, a master key Km, and a multiplexing unit 9 that transmits multiplexed contents. The content reception apparatus 5 includes a separating unit 13 that receives and separates the multiplexed encrypted content, and a content descrambling unit 15 that obtains the contents by descrambling encrypted information separated by the separating unit 13.
    Type: Grant
    Filed: October 3, 2002
    Date of Patent: July 28, 2009
    Assignee: Nippon Hoso Kyokai
    Inventors: Yusei Nishimoto, Tatsuya Kurioka, Toshihiro Uehara, Seiichi Namba
  • Publication number: 20090187760
    Abstract: A local area network server may issue security certificates to client devices on the network for two-way authentication across the network. The certificates may be issued through a transaction performed over the network and, in some cases, may be automated. The server may have a self signed or a trusted security certificate which may serve as a basis for issuing certificates to various clients. After a certificate is issued, future communications on the network may be authenticated by both the server and client, and the communications may be encrypted using the certificates.
    Type: Application
    Filed: January 23, 2008
    Publication date: July 23, 2009
    Applicant: MICROSOFT CORPORATION
    Inventors: Michael Elizarov, Eldar Musayev, Neil Fishman
  • Patent number: 7564977
    Abstract: A final agent of the message provides a first encryption key to a first agent, interposed between a message sender and the final agent. The first agent but not the final agent knows an identity of the sender. The final agent provides a second encryption key to a second agent, interposed between the sender and the final agent. The second agent knows an identity of the sender. The first agent generates a third encryption key and provides the first encryption key and the third encryption key to the sender. The second agent generates a fourth encryption key and provides the second encryption key and the fourth encryption key to the sender. The first agent receives from the sender a message encrypted with the first, second, third and fourth keys, and in response, decrypts the message based on the third key. Afterwards, the first agent provides the message decrypted based on the third key to the second agent. In response, the second agent decrypts, based on the fourth key, the message provided by the first agent.
    Type: Grant
    Filed: February 24, 2005
    Date of Patent: July 21, 2009
    Assignee: International Business Machines Corporation
    Inventors: Anna Marino, Frank Seliger, Bernard Van Acker
  • Patent number: 7565527
    Abstract: Techniques for generating a multi-factor asymmetric key pair having a public key and split private key with multiple private portions, at least one of the multiple portions being a multiple factor private key portion, are provided. First and second asymmetric key pairs are generated, each having a private key and a public key. A text string and the first private key are cryptographically combined to make a first private key portion of the split private key. This first private key portion is a multiple factor private key portion. A second private key portion of the split private key is generated based upon the generated first private key portion and the second private key.
    Type: Grant
    Filed: February 14, 2005
    Date of Patent: July 21, 2009
    Assignee: TriCipher, Inc.
    Inventors: Ravinderpal Singh Sandhu, Brett Jason Schoppert, Ravi Ganesan, Mihir Bellare, Colin Joseph deSa
  • Patent number: 7564991
    Abstract: A device includes: a storage unit configured to store predetermined data; a converter configured to convert the predetermined data stored in the storage unit into data in a predetermined format; a first image processor configured to convert the data in the predetermined format into data in a printable format; a printer configured to print an image based on the data in the printable format; an image capturer configured to capture the image printed by the printer; a second image processor configured to analyze image data corresponding to the image captured by the image capturer; and a storage controller configured to control the storage unit to store the predetermined data included in the data in the predetermined format acquired through analysis by the second image processor.
    Type: Grant
    Filed: September 26, 2005
    Date of Patent: July 21, 2009
    Assignee: Canon Kabushiki Kaisha
    Inventor: Masato Ochiai
  • Publication number: 20090165111
    Abstract: A method, device and system for securely managing debugging processes within a communication device, such as a set top box or other multimedia processing device. For example, a security processor (SP) within the communication device manages the lifetime (LT) of any access token issued for use in activating debugging privileges within the communication device. The security processor authenticates an issued access token and securely delivers appropriate debug authorization information to the device controller. The security processor uses its secure, internal timer to count down the lifetime and update the remaining lifetime of the issued access token during the processing of each command by the security processor. In addition to securely managing the issuance of the access token and its remaining lifetime, the updating process reduces any impact on the normal communications within the device. The method overcomes the issue of the communication device not having a secure internal clock.
    Type: Application
    Filed: December 21, 2007
    Publication date: June 25, 2009
    Applicant: GENERAL INSTRUMENT CORPORATION
    Inventors: Jiang Zhang, Peter Chen, Bill Franks, Alexander Medvinsky
  • Publication number: 20090161877
    Abstract: A method for encryption key management including accepting authenticated unencrypted data into a processor of a server computing device that is configured as a private key secure processor vault, the operation of which is isolated from other components of the server computing device thereby preventing unauthorized access to the processor and the data contents therein; encrypting the authenticated unencrypted data based on an existing private key stored in the processor thereby converting it to encrypted data; and transmitting the encrypted data out of the processor. A system and computer program product is also provided.
    Type: Application
    Filed: December 19, 2007
    Publication date: June 25, 2009
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Casimer M. DeCusatis, Lawrence Jacobowitz
  • Patent number: 7552333
    Abstract: Trusted entity authentication includes creating a public-private pair in a secure environment; storing the private key within a device during its manufacture in the secure environment; linking the public key with other information in the secure environment, receiving input within the device comprising verification data of an entity, identifying within the device a verification status based on the verification data and data prestored within the device; independent of the verification status identified, generating a digital signature for a message including an indication of the identified verification status using the private key; outputting the digital signature for transmission with an EC; identifying upon receipt of the EC the information linked with the public key by authenticating the message with the public key, and considering the identified information and the indicated verification status.
    Type: Grant
    Filed: August 6, 2001
    Date of Patent: June 23, 2009
    Assignee: First Data Corporation
    Inventors: Lynn Henry Wheeler, Anne M. Wheeler
  • Publication number: 20090154709
    Abstract: Described is a technology by which computer data secrets sealed by a trusted platform module (TPM) or like device may be securely migrated from a physical source computing machine to a physically different destination machine. For example, migration of TPM secrets allows migration of a virtual machine from one physical machine to another. A destination machine receives a set of data sealed at a source machine. The set of data includes a migration key and a secret sealed by the migration key. The destination machine performs attestation with a key server to attest that the destination machine is entitled to access the sealed secret, via credentials, known good configuration and/or other policy compliance. The key server unseals the migration key, and provides a returned key (e.g., the migration key or a session key) to the destination machine for unsealing the secrets.
    Type: Application
    Filed: December 17, 2007
    Publication date: June 18, 2009
    Applicant: MICROSOFT CORPORATION
    Inventor: Carl M. Ellison
  • Patent number: 7549172
    Abstract: Data processing apparatus distributes a public key certificate and information about a private key to a user terminal as activation information separately from a terminal module. In the case where the public key certificate is vulnerable, it transmits only the activation information again.
    Type: Grant
    Filed: September 20, 2004
    Date of Patent: June 16, 2009
    Assignee: Fujitsu Limited
    Inventors: Takashi Tokutani, Takahisa Hatakeyama, Keishiro Tanaka, Masakazu Yura, Teruyoshi Nagaoka
  • Patent number: 7548620
    Abstract: A method for provisioning a device such as a token. The device issues a certificate request to a Certification Authority. The request includes a public cryptographic key uniquely associated with the device. The Certification Authority generates a symmetric cryptographic key for the device, encrypts it using the public key, and creates a digital certificate that contains the encrypted symmetric key as an attribute. The Certification Authority sends the digital certificate to the device, which decrypts the symmetric key using the device's private key, and stores the decrypted symmetric key.
    Type: Grant
    Filed: February 23, 2004
    Date of Patent: June 16, 2009
    Assignee: VeriSign, Inc.
    Inventor: Nicolas Popp
  • Publication number: 20090150978
    Abstract: A content syndication access control solution is provided. An illustrative content syndication access control system comprises: a syndication subscriber for acquiring an authorized content syndication feed; content syndication providing means for authorizing the syndication subscriber according to a public key and submitting content to a syndication server; and the syndication server for performing an authorization on content items according to the public key and a symmetric key, encrypting the authorized content items and the symmetric key, and generating the content syndication feed according to the encrypted content items and the symmetric key. By means of the system, the granularity of access control can become finer, and the consolidated content feed maintains all access control information, so existing access control remains valid.
    Type: Application
    Filed: October 29, 2008
    Publication date: June 11, 2009
    Inventors: Tao Wu, Bo Xie, Jane Xu, Hai Jun Zhong
  • Patent number: 7541912
    Abstract: A communications system for registering tolls, with vehicles which have communications devices for wireless communication between the vehicles and the toll operator which is assigned to them and has a corresponding communications device. In this context, the vehicles transmit toll information relevant to the toll operator in a toll-registration area which is assigned to the toll operator, and the toll operator determines or bills the tolls to be charged therefrom. If the vehicles communicate, by means of their communication devices, with other toll operators outside the toll-registration area of the toll operator assigned to them, in order to register tolls, the exchange of toll-related information takes place only when a certificate of the assigned toll operator is successfully transmitted and on the basis of a public key or a private key.
    Type: Grant
    Filed: May 12, 2005
    Date of Patent: June 2, 2009
    Assignee: Daimler AG
    Inventor: Wolfgang Beier
  • Publication number: 20090138701
    Abstract: A method of operating by a second processing unit a content recorded by a first processing unit, said first and second processing units having a specific key being managed by a central server. The processing units have access to a removable storage memory intended to record a content ciphered by a content key accompanied by a file associated to the content. The content key is produced by means of a cascaded deciphering starting from the specific key of the first unit of at least two constants provided by the central server and a variable. The content is restored by the second processing unit by means of a cascaded deciphering starting from the specific key of the second unit by using the constants and the variable stored in the file accompanying the content and a transcoding key calculated by the central server.
    Type: Application
    Filed: November 26, 2008
    Publication date: May 28, 2009
    Applicant: Nagravision S.A.
    Inventors: Antoine Burckard, Sebastien Robyr
  • Patent number: 7540018
    Abstract: A computing system includes data encryption in the data path between a data source and data storage devices. The data storage devices may be local or they may be network resident. The data encryption may utilize a key which is derived at least in part from an identification code stored in a non-volatile memory. The key may also be derived at least in part from user input to the computer. In a LAN embodiment, public encryption keys may be automatically transferred to a network server for file encryption prior to file transfer to a client system.
    Type: Grant
    Filed: June 14, 2006
    Date of Patent: May 26, 2009
    Assignee: Micron Technology, Inc.
    Inventor: Doug L. Rollins
  • Publication number: 20090129600
    Abstract: An apparatus and method is provided for a direct anonymous attestation scheme from short-group signatures. The method may include the creation of a group public/private key pair for a trusted membership group defined by an issuer; and assigning a cryptographic pair that is combined with a unique private member value to form a private membership key. A trusted member device generates the unique private member value during a join procedure of a trusted membership group. In one embodiment, the private member value of the private membership key is unknown to the issuer. A member may sign a message with the private membership key to form a short-group digital signature that is verified using a public key of the trusted membership group to maintain anonymity of trusted member devices. A size of the private membership key may be reduced to enable storage within a trusted platform module. Other embodiments are described and claimed.
    Type: Application
    Filed: September 11, 2008
    Publication date: May 21, 2009
    Inventors: Ernie F. Brickell, Jiangtao Li
  • Patent number: 7536563
    Abstract: A method comprising receiving a product key at a service provider, where the product key is (1) received from a first content provider, and (2) encrypts a first content controlled by the first content provider. The method encrypts the product key within a first secure device at the service provider using a storage key and stores the encrypted product key at the service provider.
    Type: Grant
    Filed: May 17, 2006
    Date of Patent: May 19, 2009
    Assignee: Entriq, Inc.
    Inventor: Robert W. Fransdonk
  • Publication number: 20090125351
    Abstract: A system, device, and method of using a power line communication device that is communicatively connected to a low voltage power line to establish communications with one or more electronic utility meters is provided. In one embodiment the method includes setting an encryption key parameter to a first encryption key used by the one or more electronic utility meters, establishing communications via one or more low voltage power lines with at least some of the utility meters using the first encryption key, assessing the quality of communications with at least some of the utility meters, transmitting communications quality data to a remote computer system; receiving information of one or more assigned meters from the remote computer system; and storing information of the assigned meters in memory.
    Type: Application
    Filed: October 31, 2008
    Publication date: May 14, 2009
    Inventors: Robert G. Davis, Jr., Melvin J. White, II, Robert A. Keefe, William H. Berkman
  • Patent number: 7529941
    Abstract: A system and method of retrieving a watermark in a watermarked signal are disclosed. The watermarked signal comprises odd and even overlapped blocks where the watermark is contained in the even blocks. The method comprises, for each k-th even block, subtracting the two adjacent odd numbered blocks from the k-th even block of the watermarked signal to retrieve s*k(n), transforming s*k(n) into the frequency domain to generate Sk(f), calculating a phase of Sk(f) as ?(f) and a phase of Sk(f) as ?(f), calculating the difference ?(f) between ?(f) and ?(f), unwrapping ?(f) to obtain the phase modulation {tilde over (?)}k(f), and using a Viterbi search to retrieve the watermark embedded in {tilde over (?)}k(f).
    Type: Grant
    Filed: September 12, 2006
    Date of Patent: May 5, 2009
    Assignee: AT&T Intellectual Property II, L.P.
    Inventors: James David Johnston, Shyh-Shiaw Kuo, Schuyler Reynier Quackenbush, William Turin
  • Patent number: 7526647
    Abstract: A network publishing authorization protocol, for use in a network connected to a printer, a server and a publisher of network publications. The protocol authorizes the printing of a publication at the printer. It includes the steps of: addressing the publication to a user; signing the publication using a private key; sending the publication to the printer; and confirming that the publication may be printed at the printer, by verifying the private key signature. Confirmation may take place at the printer or at the server.
    Type: Grant
    Filed: November 8, 2004
    Date of Patent: April 28, 2009
    Assignee: Silverbrook Research Pty Ltd
    Inventors: Paul Lapstun, Kia Silverbrook
  • Patent number: 7526795
    Abstract: A computing system includes data encryption in the data path between a data source and data storage devices. The data storage devices may be local or they may be network resident. The data encryption may utilize a key which is derived at least in part from an identification code stored in a non-volatile memory. The key may also be derived at least in part from user input to the computer. In a LAN embodiment, public encryption keys may be automatically transferred to a network server for file encryption prior to file transfer to a client system.
    Type: Grant
    Filed: March 27, 2001
    Date of Patent: April 28, 2009
    Assignee: Micron Technology, Inc.
    Inventor: Doug L. Rollins
  • Patent number: 7526656
    Abstract: An encryption/decryption system capable of supplying data only to a user making a request. A computer encrypts data with a common key, encrypts the common key with a public key, and transmits the encrypted data and the encrypted common key. A copy machine receives these data, encrypts challenge data with the public key, and transmits the encrypted challenge data to an IC card. The IC card decrypts the encrypted challenge data with a private key, and feeds the decrypted challenge data back to the copy machine. The copy machine transmits to the IC card an encrypted common key of reception data whose decrypted challenge data is identical to the original challenge data. The IC card decrypts the encrypted common key and feeds the decrypted common key back to the complex copy machine. The complex copy machine decrypts the encrypted data with the common key.
    Type: Grant
    Filed: August 29, 2002
    Date of Patent: April 28, 2009
    Assignee: Fuji Xerox Co., Ltd.
    Inventors: Kohshiro Inomata, Yasutoshi Maeda
  • Patent number: 7522723
    Abstract: A public key cryptographic system and method is provided for a password or any other predefined personal secret information that defeats key factoring and spoofing attacks. The method adopts a new technique of encrypting a password or any predefined secret information by a numeric function of itself, replacing the fixed public key of the conventional RSA encryption. The whole process involving key generation, encryption, decryption and password handling is discussed in detail. Mathematical and cryptanalytical proofs of defeating factoring and spoofing attacks are furnished.
    Type: Grant
    Filed: July 10, 2008
    Date of Patent: April 21, 2009
    Inventor: Cheman Shaik
  • Patent number: 7522727
    Abstract: A method includes receiving an authentication request from a mobile station (401) and determining whether to forward the request to an authentication agent. When it is determined to forward the request, the request is forwarded to the authentication agent (107). A random number and a random seed are received from the authentication agent (107). The random number and the random seed are forwarded to the mobile station (401). A response to the random number and the random seed from the mobile station (401) is received and forwarded to the authentication agent (107). The authentication agent (107) compares the response with an expected response. When the authentication agent (107) authenticates the mobile station (401), a derived cipher key is received from the authentication agent (107).
    Type: Grant
    Filed: August 31, 2006
    Date of Patent: April 21, 2009
    Assignee: Motorola, Inc.
    Inventors: Hans Christopher Sowa, Daniel J. McDonald, David J. Chater-Lea, Scott J. Pappas, Jason Johur, Dennis Newkirk, Randy Kremske, Walter F. Anderson
  • Patent number: 7523160
    Abstract: An information provision exchange service system that can securely prevent the transmission of information that can be used to identify a user to another party and enable users to provide and exchange information between themselves free from confidentiality concerns. A server checks registered personal information to determine whether or not information that can be used to identify any of the users using a plurality of communication terminals is included in information exchanged between the communication terminals via a communication network, and replaces the information that can be used to identify a user with other information if the information that can be used to identify the user is detected in the information exchanged between the communication terminals via the communication network.
    Type: Grant
    Filed: February 12, 2004
    Date of Patent: April 21, 2009
    Assignee: Canon Kabushiki Kaisha
    Inventors: Masataka Eida, Hajime Kaneko
  • Publication number: 20090099967
    Abstract: Provided is a health care system including a key management server that receives from a server a request for a decryption key, with first identification information identifying a measuring apparatus, second identification information identifying vital sign data, and third identification information identifying the server. The key management server generates the decryption key using the first identification information, and stores fourth identification information identifying a server predetermined as a destination of the decryption key, and fifth identification information indicating the category of the vital sign data in correspondence with the fourth identification information. The key management server transmits the decryption key to the server, when the received third identification information matches the fourth identification information, and the received second identification information matches the fifth identification information.
    Type: Application
    Filed: October 10, 2008
    Publication date: April 16, 2009
    Inventors: Kaoru Yokota, Masao Nonaka, Yuichi Futa, Natsume Matsuzaki, Shunji Harada
  • Patent number: 7519179
    Abstract: Described herein is an information transmission apparatus for encrypting and transmitting first data and second data, the information transmission apparatus including: encryption element for deriving a second key from a first key by using an irreversible function, encrypting the first data by using the first key to generate encrypted first data and encrypting the second data by using the second key to generate encrypted second data; and transmission element for transmitting the encrypted first data, the encrypted second data and the first key.
    Type: Grant
    Filed: May 27, 2004
    Date of Patent: April 14, 2009
    Assignee: Sony Corporation
    Inventor: Makoto Shiina
  • Patent number: 7516491
    Abstract: A method and system for remotely maintaining data that is critical for license enforcement. The data consists of named values, is kept on a user's trusted platform, and encrypted with the use of keys that are stored in two special registers. One register is exclusively readable by a trusted program, and holds a long-term secret. Another register is exclusively writable, and changed often, so that old backups of the named values can only be read if suitable permissions are obtained. It uses a hierarchy of servers that act as vendors and have contractual obligations. Vendor certificates specify that certain named values are stored on users' trusted platforms, but owned and controlled by servers (with the cooperation of the users).
    Type: Grant
    Filed: April 2, 2003
    Date of Patent: April 7, 2009
    Inventor: Roger Schlafly
  • Publication number: 20090086980
    Abstract: A platform feature licensing module (e.g., a USB Smart Card Token) securely stores and communicates a platform feature enabling license, corresponding to a selectable platform feature, to an authenticated platform. The module includes a secure microcontroller, a secure communication port, and secure non-volatile memory in which is stored the platform feature enabling license. The module is configured to securely communicate with, and to authenticate the identity of the platform, via an integrated embedded controller embedded into the platform. The integrated embedded controller enables the selectable platform feature in response to a platform feature enabling license received from the platform feature licensing module. The integrated embedded controller and platform feature licensing module communicate securely using a predetermined public-key cryptography technique, with each having a PKI-based key pair to provide authentication and cryptographic services.
    Type: Application
    Filed: September 29, 2007
    Publication date: April 2, 2009
    Inventor: Duncan Glendinning
  • Patent number: 7509292
    Abstract: This invention concerns a consumable authentication method for validating the existence of an untrusted chip. A random number is encrypted using a first key and sent to an untrusted chip. In the untrusted chip it is decrypted using a secret key and re-encrypted together with a data message read from the untrusted chip. This is decrypted so that a comparison can be made with the generated random number and the read data message.
    Type: Grant
    Filed: August 8, 2003
    Date of Patent: March 24, 2009
    Assignee: Silverbrook Research Pty Ltd
    Inventor: Simon Robert Walmsley
  • Patent number: 7509492
    Abstract: Published resources are made available in an encrypted form, using corresponding resource keys, published through resource key files, with the publications effectively restricted to authorized peer systems only by encrypting the resource keys in a manner that only the authorized peer systems are able to recover. In one embodiment, the resource keys are encrypted using encryption public keys of the authorized peer systems or of the groups of which the authorized peer systems are members. In one embodiment, the encryption public keys of individual or groups of authorized peer systems are published for resource publishing peer systems through client and group key files respectively. Group encryption private keys are made available to the group members through published group key files. Further, advanced features including but not limited to resource key file inheritance, password protected publication, obfuscated publication, content signing, secured access via gateways, and secured resource search are supported.
    Type: Grant
    Filed: March 27, 2002
    Date of Patent: March 24, 2009
    Assignee: Microsoft Corporation
    Inventors: Xavier Boyen, Zhenyu Qian, Dan Teodosiu
  • Patent number: 7499551
    Abstract: The disclosure encrypts and decrypts data using public key infrastructure and allows an authorized third party to access and decrypt the encrypted data as required without requiring private key escrow. The disclosure utilizes a user private key, a user public key, a master private key, a master public key, and a session key generated by the system. The data is encrypted utilizing the session key. The session key is encrypted once utilizing the user public key and again utilizing the master public key. The encrypted data and the encrypted session keys are included in a data packet that is transmitted from one data processing system to another. The session key is decrypted utilizing the user private key. The data is decrypted utilizing the session key. When the authorized third party requires access to the data on the destination processing system, the session key is decrypted with the master private key and the data is decrypted with the session key.
    Type: Grant
    Filed: May 14, 1999
    Date of Patent: March 3, 2009
    Assignee: Dell Products L.P.
    Inventor: Philip Jason Mire
  • Patent number: 7496203
    Abstract: There is provided a quantum-key distribution method between a plurality of users or groups. A center prepares a predetermined number of entangled states consisting of qubits equal to the number of the users, and generates quantum states consisting of the qubits belonging to each of the entangled states and corresponding to each of the users. The center transmits each of the quantum states to each of the users after an authentication process. Each of the users receiving the quantum state makes public an axis used to measure each of the qubits constituting the quantum states. The number of users in each group measuring the qubits with a predetermined axis is represented modulo 4. If the sum of the modulo 4 values of each group is even, each group collects the qubit measurement results of the users and acquires each group key. Therefore, it is possible to provide a high-security quantum-key distribution method between an unspecified number of users or groups.
    Type: Grant
    Filed: November 8, 2004
    Date of Patent: February 24, 2009
    Assignee: Electronics and Telecommunications Research Institute
    Inventors: Sora Choi, Soojoon Lee, Dong Pyo Chi
  • Patent number: 7493429
    Abstract: The present invention provides for trusted side-band communications between components in a computer system, so that use of the system bus may be avoided. Two components may be connected by means other than a bus (e.g., an infrared port, a wire, an unused pin, etc.), whereby these components may communicate without the use of the system bus. The non-bus communication channel may be referred to as “side-band.” The side-band channel may be used to communicate information that might identify the user's hardware (e.g., a public key) or other information that the user may not want to be easily intercepted by the public at large. Communication over the side-band channel may also be used to verify that the participants in a communication are within a defined positional relationship to each other.
    Type: Grant
    Filed: January 16, 2004
    Date of Patent: February 17, 2009
    Assignee: Microsoft Corporation
    Inventors: John E. Paff, Marcus Peinado, Thekkthalackal Varugis Kurien, Bryan Mark Willman, Paul England, Andrew John Thornton
  • Patent number: 7493661
    Abstract: A method and apparatus for transferring a message securely from a sender to a recipient over a network and includes at each transfer: creating a message; retrieving the public key of the recipient from an external key server just prior to sending the message; signing the message using the private key of the sender; encrypting the signed message using a public key encryption algorithm and the public key of the recipient producing an encrypted signed message; generating an E-mail message addressed to the recipient; attaching the encrypted signed message as an attachment to the E-mail message; and, transmitting the E-mail message to the recipient.
    Type: Grant
    Filed: July 1, 2004
    Date of Patent: February 17, 2009
    Assignee: Zix Corporation
    Inventors: Gary G. Liu, David P. Cook
  • Patent number: 7492897
    Abstract: A method for managing access to scrambled broadcast or transmitted events received from a variety of service providers (including broadcast television networks, cable television networks, digital satellite systems). Each service provider employs the same public key for descrambling the access information message thereby permitting a user to access events from various service providers without changing the smart card. The method may also be expanded to manage access to a scrambled package of broadcast events.
    Type: Grant
    Filed: July 15, 1999
    Date of Patent: February 17, 2009
    Assignee: Thomson Licensing
    Inventors: Ahmet Mursit Eskicioglu, William Wesley Beyers, Izzat Hekmat Izzat, Edwin Arturo Heredia, Yousef Wasef Nijim
  • Publication number: 20090041253
    Abstract: The present invention relates to a method for proving the correctness of a query result produced by a data publisher while preserving the privacy of the query result. The method comprises delivering a public key of a public key/private key pair from a data owner to a client and delivering data and cryptographic metadata to at least one data publisher, wherein the metadata is associated both with the data and the public key of the public key/private key pair. The method further comprises receiving a query from the client, returning a query result and a verification object from the data publisher to the client in response to the query, and verifying the correctness of the query result, wherein the correctness of the query result is verified utilizing the verification object and the public key.
    Type: Application
    Filed: August 8, 2007
    Publication date: February 12, 2009
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Hong Chen, Windsor Wee Sun Hsu, Xiaonan Ma
  • Publication number: 20090037728
    Abstract: Provided is an authentication system for improving user-friendliness. An IC card (100) of the authentication system (10) includes: a key/certificate storage unit (120) connected to a terminal device (200) and capable of storing a key pair and a temporary certificate or a permanent certificate while correlating them; a CE temporary public key certificate acquisition unit (170); and a CE public key/certificate acquisition control unit (150) connected to a CE device (300). When the key/certificate storage unit (120) has a key pair not correlated either to a temporary certificate or a permanent certificate, the CE temporary public key certificate acquisition unit (170) acquires a temporary certificate corresponding to the key pair from a public key certificate issuing station (400) by using the mobile terminal (200) and causes the key/certificate storage unit (120) to store it.
    Type: Application
    Filed: February 28, 2006
    Publication date: February 5, 2009
    Applicant: Matsushita Electric Industrial Co., Ltd.
    Inventor: Atsushi Kamikura
  • Publication number: 20090037990
    Abstract: A method and apparatus for distributed authorization by anonymous flexible credential are provided. A pseudonym authority issues a root pseudonym to a user. The user may generate a large number of derived pseudonyms from the root pseudonym. The user may obtain resource credentials from resource protectors by using derived pseudonyms. The user may select a set of resource credentials, generate a flexible credential from this set of resource credentials and request access to the resource corresponding to the set of resource credentials from a resource protector by using the flexible credential and a derived pseudonym. A revocation list for each resource may be maintained in the system such that any one of the resource credentials of any user may be revoked without affecting the other resource credentials of that user.
    Type: Application
    Filed: June 26, 2008
    Publication date: February 5, 2009
    Applicant: NEC (CHINA) CO., LTD
    Inventor: Ke ZENG
  • Publication number: 20090028333
    Abstract: One aspect involves receiving by a tag of wireless communications that utilize a first security provision, and wireless communications that utilize a second security provision different from the first security provision. A different aspect involves receiving by an entity of an authentication request that is based on a first digital certificate unknown to the entity, and determining by the entity, without external authentication of the first digital certificate, whether the first digital certificate is in a trust relationship with a second digital certificate that is different from the first digital certificate and that is known to the entity.
    Type: Application
    Filed: December 31, 2007
    Publication date: January 29, 2009
    Applicant: SAVI TECHNOLOGY, INC.
    Inventors: Igor V. Balabine, Nikola Cargonja, Allan M. Evans, Liping Julia Zhu, Devendra Shiledar, Stephen Alan Stough
  • Patent number: RE40708
    Abstract: A logical tree structure and method for managing membership in a multicast group provides scalability and security from internal attacks. The structure defines key groups and subgroups, with each subgroup having a subgroup manager. Dual encryption allows the sender of the multicast data to manage distribution of a first set of encryption keys whereas the individual subgroup managers manage the distribution of a second set of encryption keys. The two key sets allow the sender to delegate much of the group management responsibilities without compromising security because a key from each set is required to access the multicast data. Security is further maintained via a method in which subgroup managers can be either member subgroup managers or participant subgroup managers. Access to both keys is provided to member subgroup managers whereas access to only one key is provided to participant subgroup managers.
    Type: Grant
    Filed: February 24, 2006
    Date of Patent: May 5, 2009
    Assignee: Panasonic Corporation
    Inventors: Lakshminath R. Dondeti, Sarit Mukherjee, Ashok Samal