Abstract: Given a set of elliptic curve points defined over a field F(p) and represented in projective coordinate, a method is presented which allows the embedding of data bits in both the X-coordinate and the Z-coordinate of the elliptic curve point when represented in projective coordinate. This makes the number of points that satisfy an elliptic curve equation and which can be used in the corresponding cryptosystem proportional to p2 rather than p. This can be used to either increase security by making the bit positions where data bits are embedded known only to the sender and receiver. Alternatively, it can be used to increase the number of data bits that can be encrypted per single elliptic curve point encryption. In another alternative, it can also be used to reduce p. Also, it can be used as a countermeasure by randomizing the bit positions where data bits are embedded. A similar formulation can be developed for elliptic curves over fields F(2m), as well as special elliptic curves such as Montgomery curves.

Abstract: An e-mail firewall (105) applies policies to e-mail messages (204) between a first site and a plurality of second sites in accordance with a plurality of administrator selectable policies (216). The firewall comprises a simple mail transfer protocol (SMTP) relay (202) for causing the e-mail messages (204) to be transmitted between the first site and selected ones of the second sites. A plurality of policy managers (216) enforce-administrator selectable policies. The policies comprise at least a first source/destination policy (218), a first content policy (202) and a first virus policy (224). The policies are characterized by a plurality of administrator selectable criteria (310), and a plurality of administrator selectable exceptions (312) to the criteria.

Abstract: A system to ease secure email communication by providing a unique email address of a user's choice, along with a private and public key pair which are generated and then associated with the email address. Along with the key pair, an plug-in to her preferred mail client is delivered to the user. The plug-in will allow for automatic retrieval of recipient's public keys from a server and encryption of mails to recipients whose email address is associated with a public key. Also, the email plug-in will perform automatic decryption of incoming mail, if necessary, plus additional functionality based on the existence of public and private keys.

Abstract: In a secret information management system, a secret information management apparatus comprises a secret distribution unit which secretly distributes a data key k using a (k, n) threshold secret sharing scheme and creates n distributed keys B1, B2, . . . , Bn in the decryption of data D input from a user terminal, an encryption unit which creates n encrypted distributed keys EP1(B1), EP2(B2) . . . , EPn(Bn) using n distributed manager public keys P1, P2, . . . Pn, and an encrypted data storage unit which stores encrypted data EK(D), an encrypted data key EPx(K) and the n encrypted distributed keys in association with each other.

Abstract: The invention describes a method of setting up a secure environment in wireless Universal Plug and Play (UPnP) networks, comprising a UPnP security console and UPnP controlled devices defined in the UPnP Device Security specification, wherein the entry of information concerning the UPnP security bootstrap as required in the UPnP Device Security specification (particularly an initialization public/private key pair) into the devices is realized via a short-range key transmitter (SKT). A special user-friendly implementation of the UPnP TakeOwnership procedure renders any user interaction other than entering information from a SKT into the devices superfluous. The invention further describes a security system for wireless UPnP networks, comprising a short-range key transmitter (SKT), a security console and a controlled device as defined in the UPnP device security specification.

Abstract: A method of distributing the public key of an asymmetric key pair with a private key and the public key from a mobile station to a key managing computer, the method include the steps of: communicating a password (OTP) from the key managing (203) computer to the mobile station (209) of a registered user (201) by a secure channel (202) to thereby provide a shared secret; at the mobile station and at the key managing computer, generating a first code (MAC1) and a second node (MACT1), respectively, based on the same predefined generation method, which codes (MAC1; MACT1) are generated from the password (OTP); by the mobile station (209), transmitting the public key and the first code (MAC1) to the key managing computer (203); at the key managing computer (203), receiving the public key and the first code (MAC1) from the mobile station (209); checking the authenticity of the registered user (201) based on comparing the first code (MAC1) and the second code (MACT1).

Abstract: Systems, methods and apparatus of email communication are described.

Abstract: A data distribution system is provided which supplies customers with an executable for requested secured data files to provide the customer with fulfillment software, obviating the need for the customer to download fulfillment software prior to requesting secure data. The data distribution system is characterized by server technology which can dynamically encrypt secured data files just prior to a customer request to download the data file. A framework for building a universal data distribution infrastructure is provided which employs Requesters.

Abstract: A system, apparatus, and method are directed to providing and securely viewing secure content. In one embodiment, a secure player provides secure screening/previewing of secure content, such as a motion picture, by a member of an awards organization. A content key is employed to selectively encrypt at least a portion of a content stream. The content key is encrypted with a screener key. The encrypted content key is embedded into the secure content. The screener key is encrypted using public/private key pair that is bound to the secure player. The secure content may be distributed on a medium, such as a DVD, high definition DVD, or over a network, or the like. The secure player is configured to receive the medium, screener key, and a screener identity. The screener identity and screener key are employed by the secure player to decrypt and enable secure viewing of the content.

Abstract: A system that enables a cloud-based data repository to function as a secure ‘drop-box’ for data that corresponds to a user is provided. The ‘drop box’ can be facilitated through the use of cryptographic keying technologies. For instance, data that is ‘dropped’ by or on behalf of a particular user can be encrypted using a public key that corresponds to a user-specific private key. Thus, although the data resides within the large pool of ‘cloud-based’ data, it is protected since it can only be decrypted by using the private key, which is kept secret. The innovation can further facilitate user-centric secure storage by partitioning the cloud-based repository into multiple partitions, each of which corresponds to specific indexing criteria.

Abstract: An information holding medium stores the common key of the user used in the common-key encryption method. In response to a user authentication request sent from an information processing apparatus, the user is authenticated by the common-key encryption method by using the common key stored in the information holding medium of the user. Only when the user has been authenticated, predetermined processing for making the information processing apparatus authenticate the user by the public-key encryption method is performed.

Abstract: Example systems, methods, computer-readable mediums, and other forms of a secure foreign enterprise printing system are provided. An example system may include a wireless telephonic logic for communicating with a wireless network web services provider and a wireless network communication logic configured to communicate a print request to the wireless network web services provider using the wireless telephonic logic. The print item may be stored in a first enterprise and may be printed on an image forming device that is located in a second enterprise. The example system may also include an encryption logic configured to facilitate providing security for the print item as it travels from the first enterprise to the image forming device.

Abstract: A key establishment protocol includes the generation of a value of cryptographic function, typically a hash, of a session key and public information. This value is transferred between correspondents together with the information necessary to generate the session key. Provided the session key has not been compromised, the value of the cryptographic function will be the same at each of the a correspondents. The value of the cryptographic function cannot be compromised or modified without access to the session key.

Abstract: A playback unit decrypts data contents of electronic audio and video media that are supplied in entirely or partially encrypted or enciphered form by means of one or more “melody” keys for encrypting the data contents. This key is transmitted via a secure channel from an authentic source into the playback unit, and then the playback unit transfers these data contents from the digital domain into the analog domain in such a way that the data contents of the electronic audio and video media are not present at any time in unencrypted form as a digital data stream that can be copied.

Abstract: One aspect of the present invention establishes a session key by a receiving unit R transmitting a plurality of quantities for storage in a public repository. A sending unit S: 1. retrieves the plurality of quantities; and 2. computes and transmits to the unit R a plurality of sender's quantities; and 3. using at least one of the plurality of public quantities, computes the session key K. The unit R, using the sender's quantities: 1. computes and transmits to the unit S at least one receiver's quantity; and 2. computes the session key. Another aspect provides a digital signature. Before transmitting a signed message, the unit S stores a plurality of quantities in the public-repository. A unit R, that receives the message and the digital signature, verifies their authenticity by: 1. retrieving the quantities from the repository; 2. using the digital signature and the quantities, evaluates expressions in at least two (2) different relationships; and 3.

Abstract: A method of operating an identity based directoryless key-code cryptographic communication system having two users A and B and a universal authority U, involving the generation of a public modulus M, being the product of two primes P and Q, and the operation of a publicly available secure one way hash function, #. User A presents his identity to U who uses #, M, P and Q to generate a decryption key, r, which is only made available to A. User B, who wishes to transmit a message to A, can encrypt data by using the #, M and A's identity. User A can recover the data by using r.

Abstract: A method, system, and service of authenticating a public key certificate for a relying party (RP). A Certificate Authority (CA), who issued the certificate, is a member of a Public Key Infrastructure (PKI) having a Certificate Policy (CP). First quality levels required of the CA by the RP are accessed by a certificate classification service (CCS) and corresponding second quality levels possessed by the CA are ascertained by the CCS. At least one quality characteristic pertaining to the second quality levels relates to at least one element of the CP. The ascertained second quality levels are compared by the CCS with the corresponding accessed first quality levels. A result of the comparing, communicated by the CCS to the RP, is that the certificate is authenticated if the comparing has determined that each first quality level is not less than each corresponding second quality level.

Abstract: A method, system and apparatus for performing user identification, digital signatures and other secure communication functions in which keys are chosen essentially at random from a large set of vectors and key lengths are comparable to the key lengths in other common identification and digital signature schemes at comparable security levels. The signing technique of an embodiment of the identification/digital signature scheme hereof uses a mixing system based on multiplication in a ring and reduction modulo an ideal q in that ring; while the verification technique uses special properties of products of elements whose validity depends on elementary probability theory. The security of the identification/digital signature scheme comes from the interaction of reduction modulo q and the difficulty of forming products with special properties.

Abstract: A method and apparatus is provided for securely transferring first and second data from a user to first and second parties respectively. More particularly, the user encrypts the first data using a first encryption key associated with the first party, and then encrypts the second data using, as encryption parameters, both public data of the first party and third data comprising the encrypted first data. The third data is then provided, preferably via the second party, to the first party, and the encrypted second data is provided to the second party. The first party uses a first decryption key to decrypt the encrypted first data, as provided to the first party in the third data, whereby to recover the first data. The first party also uses the third data, along with private data related to the aforesaid public data, to generate a second decryption key which is then provided to the second party to enable it to decrypt the encrypted second data.

Abstract: The invention, electronic book security and copyright protection system, provides for secure distribution of electronic text and graphics to subscribers and secure storage. The method may be executed at a content provider's site, at an operations center, over a video distribution system or over a variety of alternative distribution systems, at a home subsystem, and at a billing and collection system. The content provider or operations center and/or other distribution points perform the functions of manipulation and secure storage of text data, security encryption and coding of text, cataloging of books, message center, and secure delivery functions. The home subsystem connects to a secure video distribution system or variety of alternative secure distribution systems, generates menus and stores text, and transacts through communicating mechanisms. A portable book-shaped viewer is used for secure viewing of the text.

Abstract: Methods for transferring among key holders in encoding and cryptographic systems the right to decode and decrypt messages in a way that does not explicitly reveal decoding and decrypting keys used and the original messages. Such methods are more secure and more efficient than typical re-encoding and re-encryption schemes, and are useful in developing such applications as document distribution and long-term file protection.

Abstract: A secure data mirroring capability in a storage system includes encrypting data blocks in a primary volume in preparation for a data mirroring operation. The encrypted data blocks are mirrored to a secure secondary volume. Host systems provide keys from which encryption keys are produced for encrypting the data blocks. Access to data on the secure secondary volume requires decryption using the key that was used to produce the encrypted data blocks.

Abstract: A copy protection method and a copy protection system are disclosed. The system includes a private key verifier receiving a media certificate that includes a private key identification of a compliant playing device and searching for an actual private key corresponding to the private key identification, an intermediate key decryptor receiving an encrypted intermediate key and decrypting the intermediate key with the actual private key, a media key decryptor obtaining an original media key by decrypting the decrypted intermediate key with a media identification; and a media data decryptor receiving an encrypted media data set and decrypting the media data set with the original media key. The method and system of the present invention are applicable to all types of digital media data, and it makes no assumption of any specific media properties.

Abstract: The present invention relates to a method of encryption and decryption comprises the steps of: selecting a generator and a first element of a first non abelian group, respectively, computing a first inner automorphism which is used as a first public key, and generating a second public key by using a secret key being a first integer and the first public key; expressing a plain text by a product of generator of a second non abelian group, computing a second inner automorphism by using an arbitrary second integer and the first public key, computing a third inner automorphism by using the second integer and the second public key, and generating a ciphertext by using the third inner automorphism; and generating a fourth inner automorphism by using the secret key and the second inner automorphism, and decrypting the ciphertext by using the fourth inner automorphism.

Abstract: In a device for calculating a result of a modular exponentiation, the Chinese Residue Theorem (CRT) is used, wherein two auxiliary exponentiations are calculated using two auxiliary exponents and two sub-moduli. In order to improve the safety of the RSA CRT calculations against cryptographic attacks, a randomization of the auxiliary exponents and/or a change of the sub-moduli are performed. Thus, there is a safe RSA decryption and RSA encryption, respectively, by means of the calculating time efficient Chinese Residue Theorem.

Abstract: In a method of determining a pair of numbers comprising a first number and a second number, in which the first number may be a first key and the second number may be a second key of an encryption system and the second number is the multiplicative inverse with respect to a modulus of the first number, said modulus being equal to the product of a first prime number and a second prime number, the first number is selected first. Thereafter, a first sub-number for the second number is computed as a multiplicative inverse of the first number with respect to a first sub-modulus that is equal to the first prime number minus 1 divided by the greatest common divisor of the first prime number minus 1 and the second prime number minus 1. Then, a second sub-number for the second number is computed as multiplicative inverse of the first number with respect to a second sub-modulus that is equal to the second prime number minus 1, with said first sub-modulus and said second sub-modulus being relatively prime.

Abstract: A transfer unit and an image output control unit are provided in order to check and prevent any alteration or forgery of image file data in a memory card. The transfer unit transfers a digital signature of the image file data stored in the memory card, a secret key used for the digital signature or a public key paired to the secret key, together with the image file data and a property file, to an image control apparatus. The image output control unit controls an image output in accordance with the information transferred by the transfer unit.

Abstract: A method and system for installing, activating and customizing proprietary information contained within the secure domain of a personal security device such as a smart card over a network using a communications pipe.

Abstract: A method and system to emulate a trusted platform module to execute trusted operations. A virtual machine monitor is executed to support a virtual machine session. An operating system is loaded into the virtual machine session. The trusted platform module is emulated to hold a key associated with the virtual session and to execute trusted operations.

Abstract: A method of providing improved security in a communication system used to transfer information between at least a pair of correspondents. The communication between the correspondents generally comprises steps of generating key pairs in accordance with the arithmetic properties of a chosen algorithm, communicating one of the keys, being a public key, to the other party by way of a certificate, generation and transmission of a signature using a private key of the key pairs by one of the correspondents and transmitting the signature to the other correspondent and verification of the signature by the recipient. The invention provides for the additional step of verifying the public key conform to the arithmetic properties dictated by the requirements of the selected algorithm.

Abstract: The applicants have recognized an alternate method of performing modular reduction that admits precomputation. The precomputation is enabled by approximating the inverse of the truncator T, which does not depend on the scalar. The applicants have also recognized that the representation of a scalar in a ?-adic representation may be optimized for each scalar that is needed. The applicants have further recognized that a standard rounding algorithm may be used to perform reduction modulo the truncator. In general terms, there is provided a method of reducing a scalar modulo a truncator, by pre-computing an inverse of the truncator. Each scalar multiplication then utilizes the pre-computed inverse to enable computation of the scalar multiplication without requiring a division by the truncator for each scalar multiplication.

Abstract: Systems and techniques to enable secure and efficient recovery of encrypted content may include accessing a public key of a user and another user and encrypting data using the public keys. The another user may be the user's manager. Systems and techniques may include generating a session key, encrypting data using the session key, and encrypting the session key using the public keys of at least two users. A data structure such as a directory may be accessed to obtain information such as one or more public keys.

Abstract: A method for use in a distribution system having a key management center, a distribution station and a reception terminal. The method updates a pair of distribution keys unique to the reception terminal, where the distribution public key is used to encrypt distribution data, and the distribution secret key is used to decrypt encrypted data. In the key updating method, the reception terminal acquires an update secret key prior to data distribution, and the key management center acquires an update public key making a pair with the update secret key, generates a new pair of distribution keys, encrypts a new distribution secret key by using the update public key, transmits an encrypted secret key to the reception terminal and updates to the new distribution public key. The reception terminal receives the encrypted secret key and restores the new distribution secret key by decrypting it using the update secret key and updates to the new distribution secret key.

Abstract: A method provides a collection of data structures and subroutines in a software toolkit, for developing an application for playing digital content data. The method comprises steps of receiving previously encrypted content data encrypted with an encrypted key from an external source; storing the previously encrypted content data in a library; selecting one or more encrypted content data from the library to play; and decrypting each content data selected to be played with its unique encryption key, wherein the decrypting is performed in a tamper-resistant subroutine for deterring unauthorized access to the instructions for decrypting the content data and for deterring unauthorized access to the encryption key.

Abstract: Secure storage for downloaded content on a subscriber computer is keyed to a trusted digital rights management operating system, a trusted application, a trusted user or a combination thereof. A one-way hash function is applied to a seed supplied by an application to produce a hashed seed that is used to generate the application storage key. A one-way hash function is applied to a seed supplied by a user to produce a first hashed seed that is passed to a keyed hash function, which is keyed to an identity for the user, to produce a second hashed seed. The second hashed seed is used to generate the user storage key. An operating system storage key is generated from an unhashed seed. One of the storage keys is used to encrypt the downloaded content. An access predicate attached to the content when it is downloaded is associated with the storage key to enforce certain limitations on the access of the content.

Abstract: Authentication and signature process with reduced number of calculations. The process involves a first entity called the “prover”, which possesses a public key v and a secret key s, these keys verify the relation v=s?t (mod n), where n is an integer called modulus and t is a parameter, and a second entity called a “verifier”, which knows the public key v. This process implies exchange of information following a “zero-knowledge protocol” between the verifier and the prover and cryptographic calculations on this information, some calculations being carried out “modulo n”. The process of the invention is characterised by the fact that the modulus n is specific to the prover that communicates this modulus to the verifier.

Abstract: A system and method for communicating information between a first party and a second party, comprising identifying desired information, negotiating, through an intermediary, a comprehension function for obscuring at least a portion of the information communicated between the first party and the second party, communicating the encrypted information to the second party, and decrypting the encrypted information using the negotiated comprehension function. Preferably, the intermediary does not itself possess sufficient information to decrypt the encrypted information, thus allowing use of an “untrusted” intermediary. The comprehension function may be dynamic with respect to its response to the negotiated comprehension function, and thus permit limitations on the use of the information by the second party. For example, the decryption of the encrypted information may be time limited.

Abstract: A gateway for connecting a public network to an internal network is provided. The gateway comprises a control unit for controlling transmission of incoming and/or outgoing data between a remote device in the public network and an internal device in the internal network; a public port connected to the public network; an internal port connected to the internal network; and a storage unit storing a list of public key identifiers and respectively associated internal network addresses of internal devices; wherein the control unit is adapted for identifying a destination of the incoming data, which are addressed to a public network address of the gateway, by determining an internal network address of the internal device based on public key information included in the incoming data and the list of public key identifiers and associated internal network addresses.

Abstract: Encryption, having sufficient concealment, is carried out through chaotic computation using integer arithmetic. There is provided a cipher generating device, for carrying out computation, for plain text information, to apply chaotic noise obtained using a mapping function for generating chaotic noise based on encrypted key data, to generate a cipher. This cipher generation device comprises parameter generation means 102 for generating a parameter string for use in chaotic computation based on the key data, chaotic noise generating means 103 for carrying out chaotic computation using the parameter string generated by the parameter generating means 102 and obtaining the chaotic noise, and scheduling means 104 for carrying out scheduling of the parameter string so as to cause a change in the parameter string every fixed cycle the parameter string is used in the chaotic computation.

Abstract: A key management interface that allows for different key protection schemes to be plugged into a digital rights management system is disclosed. The interface exposes the functionality of signing data, decrypting data encrypted using a public key, and re-encrypting data encrypted using the public key exported by the interface to a different authenticated principal (i.e., a different public key). Thus, a secure interface can be provided such that the data does not enter or leave the interface in the clear. Such an interface exports private key operations of signing and decryption, and provides security and authentication for the digital asset server in licensing and publishing. During publishing, a client can encrypt asset keys such that only a specified entity can decrypt it, using a plug-in, for example, that implements the aforementioned interface.

Abstract: A method of providing a secure communication between first and second devices is described. The method includes encrypting a random key using an encryption key at a first device and transferring the encrypted random key to the second device for encryption of data communicated from the second device to the first device. The encrypted data received from the second device is decrypted using the random key. The method typically includes transferring a control word encrypted with an encryption key to the second device for decryption, and encryption using the random key. The encrypted control word received from the second device is then decrypted using the random key. The invention extends to a method of enabling a decoder, and to a decoder, to decode a data stream. It also extends, inter alia, to a method of authenticating an enabling device and to an enabling device.

Abstract: An n person secret sharing solution computes n unique keys to be distributed to the secret owners along with an exponentiated version of the secret. The custodian performs an exponent/modulo operation each time one of the keys is received from one of the secret owners. Alternatively, n+1 keys are created by the custodian, and the custodian retains one key after distributing the remaining n keys to the secret owners. After the custodian has received and processed the n keys from the secret owners, he performs an exponent/modulo operation using his own retained key. According to another aspect, a k out of n secret sharing solution involves computing and storing a database having an entry for each unique combination of k keys that could be returned from among the n keys. After k keys have been received, the custodian looks up in the database the entry corresponding to the particular unique combination of secret owners who returned keys.

Abstract: A memory element is provided in the recording medium that is readable but not writeable by external devices, and whose content changes each time select material is recorded onto the medium. The content of this memory element forms a unique encryption key for encrypting the content encryption key. This encrypted content encryption key is further encrypted using a public key that corresponds to a private key of the intended rendering device. Although the unique encryption key is determinable by reading and processing the content of the externally read-only memory element, the decryption of the content encryption key requires both the unique encryption key and the private key of the intended rendering device.

Abstract: An e-mail firewall (105) applies policies to e-mail messages (204) between a first site and a plurality of second sites in accordance with a plurality of administrator selectable policies (216). The firewall comprises a simple mail transfer protocol (SMTP) relay (202) for causing the e-mail messages (204) to be transmitted between the first site and selected ones of the second sites. A plurality of policy managers (216) enforce administrator selectable policies. The policies, such as encryption and decryption policies, comprise at least a first source/destination policy (218), at least a first content policy (202) and at least a first virus policy (224). The policies are characterized by a plurality of administrator selectable criteria (310), a plurality of administrator selectable exceptions (312) to the criteria and a plurality of administrator selectable actions (314, 316, 322) associated with the criteria and exceptions.

Abstract: A method and system for generating asymmetric crypto-keys usable by network users to transform messages is provided. The system includes a first network station associated with a user, a second network station associated with a trusted entity, and a third network station associated with a sponsor. The trusted entity authorizes the sponsor to generate the asymmetric crypto-key. The sponsor generates a symmetric crypto-key and associated user identification. The sponsor both stores the generated symmetric crypto-key and the associated user identification and transmits the symmetric crypto-key and the associated user identification to the trusted entity. The trusted entity then distributes the symmetric crypto-key and user identification to the user. The user then presents the user identification to the sponsor. The sponsor then generates a challenge and transforms the challenge with the stored symmetric crypto-key. The sponsor transmits the transformed challenge to the user.

Abstract: A secure electronic messaging system permits communication between registered users, with the assistance of a key server. The system requires a recipient to submit key retrieval information to a key server, and obtain decryption key information. The decryption key information is necessary for the recipient to form the decryption key which is used to read a message encrypted by the sender. The decryption key information may be an encrypted version of a decryption key, or portions thereof, or may be portions of an unencrypted version of a decryption key, among others. Typically, the key retrieval information may either be sent to the recipient by the sender, or may be generated by the recipient, based on information sent by the sender.

Abstract: A method and apparatus for securely communicating data employs a third-party to facilitate decryption by the recipient. It is necessary for the recipient to interact with the third-party to decrypt received encrypted data. The third-party is unable to decrypt or read the encrypted data and records whether the recipient requested a decryption key generated by the third-party. The third party logs the request from the second party for the decryption key. The originator may then obtain the delivery status of the data from the third party to facilitate proof of submission, proof of delivery, or any other suitable information.

Abstract: An image generation apparatus includes an image file generating unit operable in one of first, second and third modes, wherein (a) if the first mode is selected, the image file generating unit generates a first image file including image data and first verirfication data used to verify whether the image data is falsified or not, (b) if the second mode is selected, the image file generating unit generates a second image file including the image data, additional information of the image data and second verification data used to verify whether the additional information is falsified or not, and (c) if the third mode is selected, the image file generating unit generates a third image file including the image data, the additional information, the first verification data and the second verification data.

Abstract: A cryptosystem is described which automatically provides an extra “message recovery” recipient(s) when an encrypted message is generated in the system. The system is typically configured such that the extra recipient or “message recovery agent” (MRA)—an entity which itself has a public key (i.e., a MRA public key)—is automatically added, under appropriate circumstances, as a valid recipient for an encrypted message created by a user. In a corporate setting, for example, the message recovery agent is the “corporate” message recovery agent designated for that company (firm, organization, or other group) and the user is an employee (or member) of that company (or group). In operation, the system embeds a pointer (or other reference mechanism) to the MRA public key into the public key of the user or employee, so that encrypted messages sent to the company's employees from outside users (e.g., those individuals who are not employees of the company) can nevertheless still be recovered by the company.

Abstract: To obtain a digital license for rendering a piece of digital content, a license requester contacts a license provider and sends a license request. The license provider checks the license request for validity and negotiates with the license requestor terms and conditions for the requested license. The license provider generates the requested license and issues the generated license to the license requestor.