User-to-user Key Distributed Over Data Link (i.e., No Center) Patents (Class 380/283)
  • Patent number: 7978855
    Abstract: The present invention relates to a method for allocating an authorization key identifier in a wireless portable Internet system. In a privacy key management version 2 (PKMv2) of the wireless portable Internet system, a base station generates PAK identifier, PMK identifier, and authorization key identifier for distinguishing a primary authorization key (PAK) shared by the base station and the subscriber station in an RSA-based authorization, a pairwise master key (PMK) shared by the base station and the subscriber station in an EAP-based authorization, and authorization keys generated by the PAK and the PMK. The base station transmits PAK identifier, PMK identifier, and authorization key identifier to the subscriber station and shares them with the subscriber station. Therefore, the base station and the subscriber station may easily distinguish more than 2 authorization-related keys.
    Type: Grant
    Filed: October 27, 2005
    Date of Patent: July 12, 2011
    Assignees: Samsung Electronics Co., Ltd., Electronics and Telecommunications Research Institute, KT Corporation, SK Telecom Co., Ltd., Hanaro Telecom, Inc.
    Inventors: Seok-Heon Cho, Sung-Cheol Chang, Chul-Sik Yoon
  • Patent number: 7975140
    Abstract: Described are a method and system for establishing a secure communication session with third-party access at a later time. A first communication subsession is established between two original devices using a first key generated by a two-party key and security association protocol. At least one of the original devices is established as a group key server. A request from a joining device to join the secure communication session is received and a second communication subsession is established between the original devices using a second key generated by the two-party key and security association protocol. The second key is provided to the joining device to enable participation in the second communication subsession.
    Type: Grant
    Filed: January 5, 2006
    Date of Patent: July 5, 2011
    Assignee: Nortel Networks Limited
    Inventors: Donald Fedyk, Lakshminath Dondeti
  • Patent number: 7975147
    Abstract: Disclosed herein is an electronic device network having a plurality of associated electronic devices. The electronic devices may include an update agent adapted to decipher code and/or data segments. The update agent may also be adapted to modify and/or upgrade firmware and/or software components resident in the electronic devices by employing the deciphered code and/or data segments along with contents of an update. An update generator, resident in the electronic devices, may employ deciphering techniques to the code and/or data segments to extract enciphered code and/or data segments. The update generator may also process the code and/or data segments to generate an update including difference information. The update generator may also be adapted to encipher difference information in the generated update.
    Type: Grant
    Filed: March 30, 2004
    Date of Patent: July 5, 2011
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventor: Iyad Qumei
  • Patent number: 7965821
    Abstract: According to an embodiment of the present invention, a method for controlling a voice recorder is disclosed. The voice recorder is for recording a voice session between an origination device and a destination device. The method can be conveniently executed at a computing apparatus coupled to the origination device and to the voice recorder. The method comprises receiving at least one of a user identifier associated with a user of the origination device and a destination identifier associated with the destination device. The method further comprises generating a voice recording trigger using at least one of data associated with the user identifier and data associated with the destination identifier. The voice recording trigger is then transmitted to the voice recorder to enable the voice recorder to control recording of the voice session between the origination device and the destination device.
    Type: Grant
    Filed: August 7, 2006
    Date of Patent: June 21, 2011
    Assignee: BCE Inc.
    Inventors: Jean Bouchard, Claude Jacques Parent, Damani Jason Best
  • Publication number: 20110142443
    Abstract: A system to convert upstream burst mode data into continuous mode data in a passive optical network (PON) is provided herein. The system includes a burst mode Serializer/Deserializer (SerDes) that recovers a clock and burst mode data from an Optical Network Unit (ONU). The burst mode unit recovers the burst mode data based on a start time of burst mode data transmission by the ONU and a round-trip time between the ONU and an Optical Line Terminal (OLT). The system further includes a continuous mode SerDes that is coupled to the burst mode SerDes. The continuous mode SerDes is configured to receive the recovered clock and recovered burst mode data from the burst mode SerDes and convert the burst mode data into continuous mode data by buffering and padding the burst mode data based on the recovered clock. The continuous mode SerDes is configured to transmit the continuous mode data to the OLT.
    Type: Application
    Filed: December 14, 2010
    Publication date: June 16, 2011
    Applicant: Broadcom Corporation
    Inventors: Ryan E. Hirth, Jaroslaw Wojtowicz
  • Publication number: 20110142021
    Abstract: According to one embodiment, a communication apparatus has a transmission/reception module, a WLAN-setting data storage module, a registrar process module, a WOL-setting data storage module, and a WOL-setting data addition module. The transmission/reception module transmits and receives data to and from an external apparatus through wireless communication. The WLAN-setting data storage module stores WLAN-setting data for setting a WLAN function. The registrar process module transmits and receives data to and from the external apparatus via the transmission/reception module on the basis of the data stored in the WLAN-setting data storage module, and registers the external apparatus as an enrollee. The WOL-setting data storage module stores WOL-setting data for setting WOL function with respect to the external apparatus.
    Type: Application
    Filed: December 14, 2010
    Publication date: June 16, 2011
    Applicant: KABUSHIKI KAISHA TOSHIBA
    Inventor: Toshiyuki KITO
  • Patent number: 7958353
    Abstract: The present invention provides an apparatus for securely acquiring a circuit configuration information set corresponding to a new cryptosystem without increasing the number of reconfigurable circuits. A content playback apparatus 100 includes an FPGA 122 that is reconfigurable. The content playback apparatus 100 stores a decryption circuit program that shows the structure of a decryption circuit that executes decryption in accordance with a prescribed cryptosystem. The FPGA is reconfigured in accordance with the program to configure the decryption circuit. The playback apparatus 100 acquires, from outside, an encrypted file that has been generated by encrypting a file including a decryption circuit program corresponding to the new cryptosystem in accordance with the prescribed cryptosystem, and decrypts the encrypted file by the decryption circuit.
    Type: Grant
    Filed: April 24, 2006
    Date of Patent: June 7, 2011
    Assignee: Panasonic Corporation
    Inventors: Natsume Matsuzaki, Toshihisa Nakano, Shinichi Marui
  • Publication number: 20110126013
    Abstract: A method for secure bidirectional communication between two systems is described. A first key pair and a second key pair are generated, the latter including a second public key that is generated based upon a shared secret. First and second public keys are sent to a second system, and third and fourth public keys are received from the second system. The fourth public key is generated based upon the shared secret. A master key for encrypting messages is calculated based upon a first private key, a second private key, the third public key and the fourth public key. For re-keying, a new second key pair having a new second public key and a new second private key is generated, and a new fourth public key is received. A new master key is calculated using elliptic curve calculations using the new second private key and the new fourth public key.
    Type: Application
    Filed: January 13, 2011
    Publication date: May 26, 2011
    Applicant: RESEARCH IN MOTION LIMITED
    Inventors: Michael K. Brown, Herbert A. Little, David Victor MacFarlane, Michael S. Brown, Dinah Lea Marie Davis
  • Patent number: 7949875
    Abstract: For the authentication of messages communicated in a distributed system from an originator to a destination a keyed-hashing technique is used according to which data to be authenticated is concatenated with a private (secret) key and then processed to the cryptographic hash function. The data are transmitted together with the digest of the hash function from the originator to the destination. The data comprises temporal validity information representing the temporal validity of the data. For example the setup key of a communication is therefore only valid within a given time interval that is dynamically defined by the communication originator. After the time interval is exceeded the setup key is invalid and cannot be reused again.
    Type: Grant
    Filed: March 8, 2007
    Date of Patent: May 24, 2011
    Assignee: Sony Deutschland GmbH
    Inventor: Niels Mache
  • Patent number: 7945053
    Abstract: Embodiments of the present invention provide methods and apparatus for a keying mechanism for end-to-end service control protection within wireless networks. Other embodiments may be described and claimed.
    Type: Grant
    Filed: May 15, 2006
    Date of Patent: May 17, 2011
    Assignee: Intel Corporation
    Inventors: Emily H. Qi, Jesse R. Walker, JR-Shian Tsai
  • Patent number: 7940935
    Abstract: A content playback apparatus reduces load concentration on a specific server apparatus that manages content keys of encrypted content, while protecting copyrights of the content. The content apparatus makes playback of content recorded in a recording medium sold possible after the specific server breaks down. A key acquisition control unit (204) reads a playback control information table (211) from a recording medium (102) via a reading unit (201). The key acquisition unit (204) acquires a rights key via a key acquisition intermediation unit (223) from an apparatus specified by an acquisition-destination type and a request-destination type that are stored in the playback control information table (211) and that correspond to the content to be played. The key acquisition unit (204) generates a content key using the acquired rights key and, when required, a medium key recorded in a medium. A decryption unit (203) decrypts encrypted content using the content key.
    Type: Grant
    Filed: June 30, 2005
    Date of Patent: May 10, 2011
    Assignee: Panasonic Corporation
    Inventors: Tohru Nakahara, Ryuichi Okamoto, Masaya Yamamoto, Katsumi Tokuda, Masaya Miyazaki, Masayuki Kozuka
  • Patent number: 7936883
    Abstract: A quantum key distribution protocol is provided that reduces the maximum value of the leaked information amount over the same distance when an adversary makes a photon number splitting attack more than the reduction by the BB84 protocol and the SARG protocol, by making use of the advantages of the BB84 protocol and the SARG protocol. By properly proportioning the existing BB84 protocol and the SARG protocol in accordance with the rate determined by the communication distance between the sender and the receiver of the coherent light, a protocol that is more robust against photon number splitting attack than the known existing protocols can be realized, and long distance quantum key distribution, which was not possible until now, becomes possible.
    Type: Grant
    Filed: August 30, 2005
    Date of Patent: May 3, 2011
    Assignee: The Foundation for the Promotion of Industrial Science
    Inventors: Hideki Imai, Manabu Hagiwara, Makoto Eguchi
  • Publication number: 20110091040
    Abstract: The invention relates to a method for personalizing a security element (SE) of a mobile end device (EG), in particular in the form of a smart card chip of a communication end device. The invention comprises the pre-personalizing of the security element (SE) within the framework of its production process and the final personalizing of the security element (SE) upon the first-time use of the end device (EG) by a user (N), wherein a communication link is established between the end device (EG) and a trust center (TC) of a communication network operator. Within the framework of the pre-personalization of the security element (SE), a master key (MK) unique to the security element (SE) is ascertained and transmitted to the trust center (TC). Within the framework of the final personalization of the security element (SE), personal data of the user are transmitted upon the first-time use of the end device (EG) to the trust center (TC) and linked there with the master key (MK) to form a modified master key (MK).
    Type: Application
    Filed: June 5, 2009
    Publication date: April 21, 2011
    Inventors: Ralph Krysiak, Werner Ness, Christian Garbers, Dirk Wacker
  • Publication number: 20110091041
    Abstract: A method and apparatus for processing a Rights Object (RO) are provided. A method for upgrading the RO includes: acquiring, by a Digital Rights Management (DRM) Agent, RO related information of the RO that requires updating from a Secure Removable Media (SRM) Agent; providing, by the DRM Agent, the RO related information to a Rights Issuer (RI), and obtaining a new RO from the RI; and interacting, by the DRM Agent, with the SRM Agent to upgrade the RO that requires updating on the SRM by means of the new RO. According to the embodiments of the present invention, the DRM Agent acquires RO related information which is stored on the SRM and does not have Move rights, and interacts with the RI to move the RO out from the SRM, so as to move the RO without the Move rights out from the SRM, thus extending an application of the RO without the Move rights.
    Type: Application
    Filed: December 28, 2010
    Publication date: April 21, 2011
    Inventors: Renzhou ZHANG, Chen Huang, Weizhong Yuan, Zhipeng Zhou
  • Patent number: 7929690
    Abstract: An apparatus and method for implementing a secure quantum cryptography system using two non-orthogonal states. For each qubit, the emitter station prepares a quantum system in one of two non-orthogonal quantum states in the time-basis to code bit values. Intra- and inter-qubit interference is then used to reveal eavesdropping attempts. Witness states are used to help reveal attacks performed across the quantum system separation.
    Type: Grant
    Filed: September 1, 2005
    Date of Patent: April 19, 2011
    Assignee: ID Quantique SA
    Inventors: Nicolas Gisin, Grégoire Ribordy, Hugo Zbinden
  • Patent number: 7930544
    Abstract: A verification information generation system includes first and second data processing apparatuses. The first data processing apparatus has a unit holding first secret information, a unit receiving information associated with the second secret information from the second apparatus, a unit generating key information on the basis of the first secret information and the information associated with the second secret information, a unit generating key derivation auxiliary information allowing the key information to be derived from the second secret information, a unit generating verification information on the basis of information to be verified and the key information, and a unit outputting the information to be verified, the verification information, and the key derivation auxiliary information. The second secret information is information which is set in advance in the second data processing apparatus.
    Type: Grant
    Filed: October 25, 2005
    Date of Patent: April 19, 2011
    Assignee: Canon Kabushiki Kaisha
    Inventor: Keiichi Iwamura
  • Patent number: 7921283
    Abstract: A digital signature is applied to digital data in real-time. The digital signature serves as a mark of authenticity assuring a recipient that the digital data did in fact originate from an indicated source. The digital signature may be applied to any digital data, including video signals, audio signals, electronic commerce information, data pertaining to land vehicles, marine vessels, aircraft, or any other data that can be transmitted and received in digital form.
    Type: Grant
    Filed: March 16, 2007
    Date of Patent: April 5, 2011
    Assignee: Verizon Business Global LLC
    Inventor: David Scott Hayes
  • Patent number: 7920706
    Abstract: A key management of cryptographic keys has a data package including one or more cryptographic keys that are transferred to a personal device 100 from a secure processing point 150 of a device assembly line in order to store device specific cryptographic keys in the personal device 100. In response to the transferred data package, a backup data package is received by the secure processing point 150 from the personal device 100, which backup data package is the data package encrypted with a unique secret chip key stored in a tamper-resistant secret storage 125 of a chip 110 included in the personal device 100. The secure processing point 150 is arranged to store the backup data package, together with an associated unique chip identifier read from the personal device 100, in a permanent, public database 170.
    Type: Grant
    Filed: October 28, 2003
    Date of Patent: April 5, 2011
    Assignee: Nokia Corporation
    Inventors: Nadarajah Asokan, Niemi Valtteri
  • Patent number: 7920704
    Abstract: Systems and methods for obtaining information on a key in the BB84 (Bennett-Brassard 1984) protocol of quantum key distribution are provided. A representative system comprises a quantum cryptographic entangling probe, comprising a single-photon source configured to produce a probe photon, a polarization filter configured to determine an initial probe photon polarization state for a set error rate induced by the quantum cryptographic entangling probe, a quantum controlled-NOT (CNOT) gate configured to provide entanglement of a signal with the probe photon polarization state and produce a gated probe photon so as to obtain information on a key, a Wollaston prism configured to separate the gated probe photon with polarization correlated to a signal measured by a receiver, and two single-photon photodetectors configured to measure the polarization state of the gated probe photon.
    Type: Grant
    Filed: September 26, 2005
    Date of Patent: April 5, 2011
    Assignee: The United States of America as represented by the Secretary of the Army
    Inventor: Howard E. Brandt
  • Patent number: 7921463
    Abstract: Embodiments of methods and apparatus for providing an insertion and integrity protection system associated with a wireless communication platform are generally described herein. Other embodiments may be described and claimed.
    Type: Grant
    Filed: September 30, 2005
    Date of Patent: April 5, 2011
    Assignee: Intel Corporation
    Inventors: Kapil Sood, Travis T. Schluessler, Christopher Lord
  • Publication number: 20110078446
    Abstract: A system and method of deploying a master key for a first communication device and second communication device. The first communication device receives a request message from the second communication device through a wireless communication network, and creates a master key algorithm based on configuration parameters of the request message. The first communication device further generates a master key according to the master key algorithm, verifies whether the master key created by the first communication device is correct, and installs the master key in the first and second communication devices when the master key is correct.
    Type: Application
    Filed: January 29, 2010
    Publication date: March 31, 2011
    Applicants: AMBIT MICROSYSTEMS (SHANGHAI) LTD., HON HAI PRECISION INDUSTRY CO., LTD.
    Inventors: CONG HE, CHI-MING LU, GUO-ZHI DING
  • Patent number: 7916871
    Abstract: In a secure cryptographic environment, a private key in a private/public key cryptographic scheme needs to be backed up and recovered in case of a loss or corruption of the private key. To back up the private key, multiple key segments are generated based on the private key which are distributed to a corresponding number of trusted individuals, each of whom has knowledge of only his or her key segment. The key can be restored only when all of the trusted individuals provide the respective key segments, based on which the original private key is reconstructed. In addition, each trusted individual is uniquely identifiable by a personal identification number. Advantageously, the private key which is secret can be backed up and restored without any individual having knowledge of the full key.
    Type: Grant
    Filed: February 21, 2007
    Date of Patent: March 29, 2011
    Assignee: Neopost Technologies
    Inventors: George M. Brookner, Lorenz R. Frey
  • Publication number: 20110064226
    Abstract: This invention relates to a method for generating a shared secret value between entities in a data communication system, one or more of the entities having a plurality of members for participation in the communication system, each member having a long term private key and a corresponding long term public key. The method comprises the steps of generating a short term private and a corresponding short term public key for each of the members; exchanging short term public keys of the members within an entity. For each member then computing an intra-entity shared key by mathematically combining the short term public keys of each of the members; computing an intra-entity public key by mathematically combining its short-term private key, the long term private key and the intra-entity shared key.
    Type: Application
    Filed: November 19, 2010
    Publication date: March 17, 2011
    Applicant: Certicom Corp.
    Inventor: Scott A. Vanstone
  • Patent number: 7904709
    Abstract: A system and method for controlling data communications between a server and a client device, such as a mobile device. Embodiments relate generally to a technique where stop data is provided to the client device. This stop data can be transmitted (e.g. by the client device) to the server. When processed by the server, the stop data indicates to the server that at least some of the encrypted data received by the client device from the server was not decrypted using the second key (e.g. as may be the case when the second key has been deleted). Upon receiving the stop data, the server may, for example, withhold the transmission of data encrypted with the first key to the client device until the second key is restored on the client device. In one embodiment, the stop data is provided to the client device in an encoded (e.g. encrypted) form.
    Type: Grant
    Filed: February 3, 2006
    Date of Patent: March 8, 2011
    Assignee: Research In Motion Limited
    Inventors: Dave Bajar, Philip Luk, Michael K. Brown, Darrell May
  • Patent number: 7903821
    Abstract: A method for managing key in Multimedia Broadcast/Multicast service comprising steps of defining a valid MTK ID interval for each generated MSK and sending it to a UE along with a MSK by a BMSC; after receiving the MSK, saving a valid MTK ID interval of the MSK by the UE; and defining a MTK ID for each generated MTK encrypted with the MSK and sending the MTK ID and the MTK to the UE after encrypting them with the MSK by the BMSC. This MSK is valid only when the transmission of the MTK within MTK ID interval is in operation. Therefore, once the UE finds out that some newly received MTK's MTK ID is beyond said MTK ID, it deletes the MSK that is applied in said MTK transmission's encryption correspondingly.
    Type: Grant
    Filed: November 16, 2005
    Date of Patent: March 8, 2011
    Assignees: Samsung Electronics Co., Ltd, Beijing Samsung Telecom R&D Center
    Inventors: Yanmin Zhu, Hong Wang, Xiaoqiang Li
  • Publication number: 20110055551
    Abstract: A method for generating a cryptographically generated address (CGA) comprises steps of: generating, in a network node located on a communication path between a first node and a second node, the network node having unique information of the first node, a cryptographically generated address (CGA) for the first node using the unique information of the first node; and assigning the CGA to the first node. The network node further comprises a generator of CGA for the first node using the unique information of the first node, and an output for assigning the CGA to the first node.
    Type: Application
    Filed: August 27, 2009
    Publication date: March 3, 2011
    Applicant: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
    Inventor: Desire Oulai
  • Patent number: 7899184
    Abstract: The presented messaging protocol uses three new public keys in a signed and encrypted message to achieve backward security and recovery in an environment where an attacker now and then obtains the security parameters in exposed, decrypted form. Backward security is understood to mean that an adversary cannot decrypt those captured encrypted messages that the user has decrypted prior to the exposure. The recovery of the protocol means that the attacker at some point of time after the exposure cannot any more decrypt messages created after the exposure. The invention can be used e.g. in encrypted email communication. New to the current state of the art is that a message contains history data: a list of recently used public keys and their Diffie-Hellman counterparts.
    Type: Grant
    Filed: September 2, 2004
    Date of Patent: March 1, 2011
    Assignee: Pisaramedia Oy
    Inventor: Pentti Kimmo Sakari Vataja
  • Publication number: 20110047384
    Abstract: Ad hoc network formation is provided in connection with using face recognition and simple device pairing to build a network. Upon determining the identity of an individual using, for instance, a software recognition program, various protocols may be used to implement the formation of the ad hoc network.
    Type: Application
    Filed: August 21, 2009
    Publication date: February 24, 2011
    Applicant: QUALCOMM INCORPORATED
    Inventors: Paul E. Jacobs, David Jonathan Julian
  • Publication number: 20110047388
    Abstract: A method and apparatus are provided for remotely controlling access to pornographic content of an image in a first device, the method including acquiring content of the image, determining whether the content of the image is pornographic by analyzing at least one image frame constituting the contents of the image, blocking access to the content of the image when the content is determined to be pornographic, extracting at least one representative problematic image frame from the content of the image; transmitting the at least one representative problematic image frame to a second device; receiving control commands from the second device and controlling access to the content of the image blocked in the first device, based on the control commands.
    Type: Application
    Filed: January 15, 2010
    Publication date: February 24, 2011
    Applicant: Samsung Electronics Co., Ltd.
    Inventors: Tae-suh PARK, Ui-hyeon HWANG, Seung-ji YANG, Doo-yeon LEE
  • Patent number: 7894607
    Abstract: A system, method and media drive for selectively encrypting a data packet. The system includes an encryption key for use in encrypting the data packet, a verification data element derived from the encryption key, an encryption engine for selectively encrypting the data packet using the encryption key, and a verification engine in electronic communication with the encryption engine. The verification engine is configured to receive the encryption key and the verification data element, determine when the verification data element corresponds to the encryption key as received by the verification engine, and prohibit encryption of the data packet by the encryption engine when the verification data element does not correspond to the encryption key as received by the verification engine.
    Type: Grant
    Filed: March 10, 2006
    Date of Patent: February 22, 2011
    Assignee: Storage Technology Corporation
    Inventor: Alexander S. Stewart
  • Patent number: 7886345
    Abstract: A method of protecting a password being used to establish interaction between a user and an application includes detecting a request for the password from the application by receiving a notification from the user indicating the request. The method further includes combining the password with information identifying the application, so as to produce a protected password, and authenticating to the application using the protected password. The method may also include a mutual authentication capability between user and the application.
    Type: Grant
    Filed: June 30, 2005
    Date of Patent: February 8, 2011
    Assignee: EMC Corporation
    Inventors: Burton S. Kaliski, Magnus Nyström
  • Patent number: 7881477
    Abstract: Multicast networks are partitioned into hierarchical security domains. Each security domain may comprise one or more lower security domains. Each security domain includes a security broker that distributes a group key and translates multicast data destined to the security domain, if necessary. A primary security broker at the second level of the hierarchical multicast system distributes the top security key to all peer members, including all peer security domain brokers to establish trust relationships. For each security domain boundary with security domain border routers, a multicast virtual link is configured that connects the security domain border routers and the security broker for the security domain to reduce the latency in forwarding multicast data. It can also make the backbone of the security domain contiguous so that multicast data can travel unchanged across the backbone. The multicast data is forwarded to the security domain through the security broker with security translation.
    Type: Grant
    Filed: July 25, 2006
    Date of Patent: February 1, 2011
    Assignee: Avaya Inc.
    Inventor: Yunzhou Li
  • Publication number: 20110019826
    Abstract: A method of installing a wireless communications network configures a client device to connect wirelessly to an access point arranged to provide a wireless communications network. The method comprises running an installation program on the client device for configuring the client device to attach to the wireless communications network. The installation program is automatically provided with wireless network configuration information comprising at least a wireless network identifier which identifies traffic using the wireless communications network. The automatic provision of the wireless network configuration information comprising said wireless network identifier is implemented by connecting an installation device comprising non-volatile memory which stores said information, and configuring said installation program to utilise the information stored on said installation device.
    Type: Application
    Filed: March 27, 2009
    Publication date: January 27, 2011
    Inventors: Kenneth J. Browning, Mansel M. Thomas
  • Patent number: 7876901
    Abstract: An alternative design is given for an optimized quantum cryptographic entangling probe for attacking the BB84 protocol of quantum key distribution. The initial state of the probe has a simpler analytical dependence on the set error rate to be induced by the probe than in the earlier design. The new device yields maximum information to the probe for a full range of induced error rates. As in the earlier design, the probe contains a single CNOT gate which produces the optimum entanglement between the BB84 signal states and the correlated probe states.
    Type: Grant
    Filed: March 29, 2007
    Date of Patent: January 25, 2011
    Assignee: The United States of America as represented by the Secretary of the Army
    Inventor: Howard E. Brandt
  • Publication number: 20110013776
    Abstract: A technique for securing message traffic in a data network using a protocol such as IPsec, and more particularly various methods for distributing security policies among peer entities in a network while minimizing the passing and storage of detailed policy or key information except at the lowest levels of a hierarchy.
    Type: Application
    Filed: August 10, 2010
    Publication date: January 20, 2011
    Applicant: CipherOptics, Inc.
    Inventor: Donald K. McAlister
  • Patent number: 7873169
    Abstract: Methods, devices and systems for generating a plurality of public keys from one private key with the same generator of a group are described. A public key cryptosystem is also disclosed for generating a plurality of anonymous public keys all of which relate to the same party used for secure communications. Those anonymous public keys are generated using the same generator from one single private key. With the invention, computation is reduced, memory can be saved and security level can be improved.
    Type: Grant
    Filed: November 9, 2005
    Date of Patent: January 18, 2011
    Assignee: NEC (China) Co., Ltd.
    Inventors: Ke Zeng, Tomoyuki Fujita
  • Publication number: 20110010559
    Abstract: Disclosed herein are a digital file encryption method, a digital file decryption method, a digital file processing apparatus, and an encryption format conversion apparatus. The digital file encryption method includes encrypting a file using specific encryption information, storing the encrypted file in a file system, and storing the encryption information in a stream provided by the file system. Accordingly, since file lengths before and after encryption are identical to each other, an application need not consider a header length or perform offset correction when using an encrypted file.
    Type: Application
    Filed: November 13, 2008
    Publication date: January 13, 2011
    Applicant: MARKANY INC.
    Inventors: Jong Young Kim, Sung Won Cho, Dong Uk Lee, Jong Uk Choi
  • Patent number: 7869605
    Abstract: A method is provided for generating a group key, including sharing a plurality of secret keys with a plurality of nodes adjacent to a first node of the plurality of nodes, obtaining a plurality of function values using the plurality of secret keys and a result value using the plurality of function values, broadcasting the result value, receiving a plurality of result values generated using a method by which the result value has been obtained, from nodes of the plurality of nodes except for a corresponding node, and obtaining a group key using a plurality of function values extracted from the plurality of function values and the plurality of result values.
    Type: Grant
    Filed: April 25, 2006
    Date of Patent: January 11, 2011
    Assignee: Samsung Electronics Co., Ltd.
    Inventor: Bae-eun Jung
  • Patent number: 7865741
    Abstract: A system and method securely replicates a configuration database of a security appliance. Keys stored on an original configuration database of an original security appliance are organized as a novel key hierarchy. A replica or clone of the original security appliance may be constructed in accordance with a cloning technique of the invention. Construction of the cloned security appliance illustratively involves sharing of data between the appliances, as well as substantially replicating the key hierarchy on a cloned configuration database of the cloned appliance.
    Type: Grant
    Filed: August 23, 2006
    Date of Patent: January 4, 2011
    Assignee: NetApp, Inc.
    Inventors: Robert Paul Wood, Robert Jan Sussland
  • Patent number: 7864954
    Abstract: A method and a system for encrypted transmission or authentication between at least two units via an insecure communication channel, comprising the steps of: (a) in an initiation procedure, producing a common original value to be used in the respective units; (b) synchronising a counting value in each unit; (c) generating a key on the basis of the original value and the counting value in each unit, independently of other units; and (d) using the thus generated key in a subsequent encrypted transmission or authentication operation.
    Type: Grant
    Filed: March 26, 2001
    Date of Patent: January 4, 2011
    Assignee: Impsys AB
    Inventor: Mathias Widman
  • Publication number: 20100332852
    Abstract: Two processing elements in a single platform may communicate securely to allow the platform to take advantage of certain cryptographic functionality in one processing element. A first processing element, such as a bridge, may use its cryptographic functionality to request a key exchange with a second processing element, such as a graphics engine. Each processing element may include a global key which is common to the two processing elements and a unique key which is unique to each processing element. A key exchange may be established during the boot process the first time the system boots and, failing any hardware change, the same key may be used throughout the lifetime of the two processing elements. Once a secure channel is set up, any application wishing to authenticate a processing element without public-private cryptographic function may perform the authentication with the other processing element which shares a secure channel with the first processing element.
    Type: Application
    Filed: June 26, 2009
    Publication date: December 30, 2010
    Inventors: Balaji Vembu, Aditya Navale, Sathyamurthi Sadhasivan
  • Patent number: 7860247
    Abstract: A method of performing IBE cryptography comprising the steps of a key generation server transmitting a master public key to a processor, the processor generating or retrieving a fresh master public key derived from the master public key transmitted by the key generation centre, and the processor using the fresh master public key to generate a public key for transmitting a message to a recipient device having a corresponding private key. The processor may store the fresh master public key in a read only memory for repeated use or it may dynamically generate it. To dynamically generate the fresh master public key the processor multiplies the original master public key by a curve co-factor. The processor may be incorporated into a hand-held card, and it may transfer information to a linked second processor for performing some of the calculations.
    Type: Grant
    Filed: November 14, 2005
    Date of Patent: December 28, 2010
    Assignee: Dublin City University
    Inventors: Noel McCullagh, Michael Scott, Neil Costigan
  • Patent number: 7853020
    Abstract: Systems and methods for enhanced quantum key distribution (QKD) using an actively compensated QKD system. The method includes exchanging quantum signals between first and second QKD stations and measuring the quantum signal error. An error signal SE representative of the system visibility error is then generated. An error-signal threshold STH that defines a system visibility error limit is then selected. Those qubits measured with the condition SE>STH are called “above-threshold” qubits, while those qubits measured with the condition SE≤STH are called “below-threshold” qubits. Only below-threshold qubits are stored and used to form the final quantum key. This is accomplished by sending a blanking signal SB to the memory unit where the qubits are stored. The blanking signal prevents above-threshold qubits from being stored therein. The raw quantum key so formed has few errors and thus forms a longer final quantum key for a given number of exchanged quantum signals.
    Type: Grant
    Filed: September 19, 2007
    Date of Patent: December 14, 2010
    Assignee: Mogiq Technologies, Inc.
    Inventors: A. Craig Beal, Michael J. Lagasse, Audrius Berzanskis
  • Patent number: 7853691
    Abstract: Aspects of a method and system for securing a network utilizing IPsec and MACsec protocols are provided. In one or more network nodes, aspects of the invention may enable conversion between Ethernet packets comprising payloads secured utilizing IPsec protocols and Ethernet packets secured utilizing MACsec protocols. For example, IPsec connections may be terminated at an ingress network node and IPsec connections may be regenerated at an egress network node. Packets secured utilizing MACsec protocols may be detected based on an Ethertype. Packets comprising payloads secured utilizing IPsec protocols may be detected based on a protocol field or a next header field. The conversion may be based on a data structure stored by and/or accessible to the network nodes. Aspects of the invention may enable securing data utilizing MACsec protocols when tunneling IPsec secured data through non-IPsec enabled nodes.
    Type: Grant
    Filed: November 2, 2007
    Date of Patent: December 14, 2010
    Assignee: Broadcom Corporation
    Inventors: Uri Elzur, Bora Akyol, Zheng Qi, Mark Buer, Ford Tamer, Yongbum Kim
  • Publication number: 20100306635
    Abstract: A method for sending encrypted data in response to a request for an I/O operation. The method includes the steps of requesting a data encryption key, the request including one or more identifiers unique to the I/O operation; receiving a data encryption key attached with a first key use fingerprint, independently generating a second key use fingerprint in response to the one or more identifiers; comparing the first and the second key use fingerprints; and if the first key use fingerprint matches the second key use fingerprint, using the data encryption key to encrypt the data to be sent. In one embodiment, the one or more identifiers include at least one of a target identifier, a LUN identifier, and a LBA range identifier.
    Type: Application
    Filed: May 28, 2009
    Publication date: December 2, 2010
    Applicant: Emulex Design & Manufacturing Corporation
    Inventors: John Sui-kei TANG, Larry Dean HOFER, David LAWSON
  • Publication number: 20100303233
    Abstract: When being triggered by a call setting request that has been made, dummy information that is different from information to be transmitted and is information used for creating a path on which encrypted communication is to be performed is generated. The path on which the encrypted communication is to be performed is established by using the generated dummy information. A responding process of responding to the call setting request is performed after the path on which the encrypted communication is to be performed has been established. Thus, in the case where information that is obtained after the responding process of responding to the call setting request is encrypted and transmitted, it is possible to transmit the information while maintaining the real-time characteristics of the information to be transmitted.
    Type: Application
    Filed: May 17, 2010
    Publication date: December 2, 2010
    Applicant: FUJITSU LIMITED
    Inventors: Toshifumi INOUE, Isamu Fukuda, Kenji Fukuda, Kiyohisa Hoshino, Nobuyuki Fukuda, Yoshiaki Fukunaga, Satoru Hirasawa
  • Publication number: 20100303236
    Abstract: A system for propagating encryption key information between wireless communication devices without the requirement of pairing each and every device. A wireless communication device may be paired with at least one device in a group of devices. When a secure link is established between these devices, a determination may be made as to whether encryption key information should be passed from one device to another. The additional encryption key information may allow a wireless communication device to create a secure link with other devices without having to first establish a trusted relationship (e.g., go through a pairing process) with the other devices.
    Type: Application
    Filed: August 31, 2007
    Publication date: December 2, 2010
    Applicant: NOKIA CORPORATION
    Inventors: Miika Laaksonen, Hannu Ensio Laine, Jan-Erik Ekberg
  • Publication number: 20100296653
    Abstract: A method for processing data including the steps of providing a scrambling key for a current data to be scrambled, the current data being a piece of information that is from a plurality of pieces of information; providing an identification token of another piece of information from the plurality of pieces of information; and, scrambling the current data to be scrambled with the scrambling key and the identification token of a last piece of information to create a scrambled current data. A system and an article of manufacture for processing data is also disclosed.
    Type: Application
    Filed: September 14, 2006
    Publication date: November 25, 2010
    Inventor: Ric B. Richardson
  • Patent number: 7835993
    Abstract: Security is secured according to the type of a license so that unnecessary processing load is reduced. A license accumulation control unit (102) and a license transfer control unit (103) identify a usage-rule type (204) which indicates whether or not a license (200) includes a usage rule (205) which requires updating each time a content is used, and encrypt the license (200) by using different encrypting methods depending on whether or not the usage rule (205) is included in the license (200). The license accumulation control unit (102) encrypts a content key: with a domain key when the license (200) does not include the usage rule (205); and with a license management device unique key, when the usage rule (205) is included, and accumulates the encrypted key in a license accumulation unit (110).
    Type: Grant
    Filed: July 11, 2006
    Date of Patent: November 16, 2010
    Assignee: Panasonic Corporation
    Inventors: Ryuichi Okamoto, Takuji Hiramoto, Atsunori Sakurai
  • Patent number: 7835528
    Abstract: An approach is provided for refreshing keys in a communication system. An application request is transmitted to a network element configured to provide secure services. A message is received, in response to the application request, indicating refreshment of a key that is used to provide secure communications with the network element. A refreshed key is derived based on the received message.
    Type: Grant
    Filed: April 4, 2006
    Date of Patent: November 16, 2010
    Assignee: Nokia Corporation
    Inventors: Gabor Bajko, Tat Keung Chan