Using Master Key (e.g., Key-encrypting-key) Patents (Class 380/284)
  • Patent number: 9450749
    Abstract: A one-time-pad encryption system where encrypted one-time-pad keys can be distributed to users on physical media or on a computer network from a central server. Each one-time-pad key has a key identification number that facilitates key management. Each encrypted data set includes a header specifying an offset within the one-time-pad key for commencement of decryption so that messages can be decrypted in any order. Before encryption begins, the length of remaining unused key is compared to the length of the data set to be encrypted. Encryption control buttons are added to a word processor and other programs as an addition to the user interface.
    Type: Grant
    Filed: June 15, 2013
    Date of Patent: September 20, 2016
    Inventor: Wolfgang S. Hammersmith
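A worked sketch of the key-management mechanics this abstract describes (the key identification number, the per-message offset header, the remaining-key check before encryption, and decryption in any order), written in Go as an added example for this page. It is not the patentee's code: the 12-byte header layout, the type and function names and the 32-byte pad are this example's own assumptions, and the pad is filled from the OS CSPRNG in place of server- or media-distributed key material.

```go
package main

import (
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

const headerLen = 12 // key ID (4) | start offset (4) | length (4), big-endian; assumed layout

// Pad is one one-time-pad key with its identification number and a cursor
// at the first unused byte. Names are this example's own, not the patent's.
type Pad struct {
	ID   uint32
	Key  []byte
	next int
}

// Remaining reports how many unused key bytes are left.
func (p *Pad) Remaining() int { return len(p.Key) - p.next }

// Encrypt compares the unused key length with the message length first; only
// if enough pad is left does it consume key bytes and emit header||ciphertext.
func (p *Pad) Encrypt(msg []byte) ([]byte, error) {
	if len(msg) > p.Remaining() {
		return nil, fmt.Errorf("pad %d: %d unused bytes, %d needed", p.ID, p.Remaining(), len(msg))
	}
	out := make([]byte, headerLen+len(msg))
	binary.BigEndian.PutUint32(out[0:], p.ID)
	binary.BigEndian.PutUint32(out[4:], uint32(p.next))
	binary.BigEndian.PutUint32(out[8:], uint32(len(msg)))
	for i, b := range msg {
		out[headerLen+i] = b ^ p.Key[p.next+i]
	}
	p.next += len(msg) // these key bytes are now spent and never reused
	return out, nil
}

// Decrypt takes the key range from the header, so frames can be decrypted in
// any order; it never moves the cursor.
func (p *Pad) Decrypt(frame []byte) ([]byte, error) {
	if len(frame) < headerLen {
		return nil, errors.New("frame shorter than header")
	}
	id := binary.BigEndian.Uint32(frame[0:])
	off := uint64(binary.BigEndian.Uint32(frame[4:]))
	n := uint64(binary.BigEndian.Uint32(frame[8:]))
	if id != p.ID {
		return nil, fmt.Errorf("frame is for pad %d, this is pad %d", id, p.ID)
	}
	if n != uint64(len(frame)-headerLen) || off+n > uint64(len(p.Key)) {
		return nil, errors.New("header offset/length fall outside the pad")
	}
	msg := make([]byte, n)
	for i := range msg {
		msg[i] = frame[headerLen+i] ^ p.Key[int(off)+i]
	}
	return msg, nil
}

// NewPad fills a fresh pad from the OS CSPRNG, standing in for the key
// material a central server or physical medium would deliver.
func NewPad(id uint32, size int) (*Pad, error) {
	key := make([]byte, size)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return &Pad{ID: id, Key: key}, nil
}

func main() {
	p, _ := NewPad(7, 32)
	f1, _ := p.Encrypt([]byte("first message")) // uses key bytes 0..12
	f2, _ := p.Encrypt([]byte("second"))        // uses key bytes 13..18
	m2, _ := p.Decrypt(f2)                      // out of order is fine
	m1, _ := p.Decrypt(f1)
	_, err := p.Encrypt(make([]byte, 64)) // only 13 bytes of pad are left
	fmt.Printf("%q %q remaining=%d err=%v\n", m1, m2, p.Remaining(), err)
}
```

Each Encrypt advances the cursor, so two frames never share key bytes, and a refused message consumes nothing. Two caveats the abstract does not cover: on a two-way channel the receiver must also mark the ranges it has received as spent (or the parties use disjoint halves of the pad), which this sketch does not do; and neither the header nor the ciphertext is authenticated, so a one-time pad alone lets an attacker flip plaintext bits undetected.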
  • Patent number: 9449159
    Abstract: A data security system and method protects stored data from unauthorized access. According to one aspect of the invention, a client computing device communicates periodically with a server. If communication is not established between the client and the server for a selected activation interval and a subsequent grace period, the data is determined to be lost, and programmed security rules are automatically executed. The server with which the client computing device communicates includes one server located inside the firewall of a particular organization, or a mirror server located outside the firewall, thereby allowing the activation interval to be reset when the client is properly outside of the firewall through communication with the mirror server, as well as providing command and control over a lost or stolen client by pushing updated rules if communication is subsequently attempted with the mirror server.
    Type: Grant
    Filed: May 26, 2009
    Date of Patent: September 20, 2016
    Assignee: Beachhead Solutions, Inc.
    Inventors: David K. Rensin, John W. Hanay, Timothy C. Lavelle, David A. Montellato, James J. Obot, Jeff M. Rubin, Cuong G. Williams, Yuri Yuryev
  • Patent number: 9436849
    Abstract: A method for sharing encrypted data and encryption keys through a system comprised of, but not limited to, the following data types: 1) a Record and its encryption key, 2) a RecordSet and its encryption key, and 3) an Entity and its encryption key. A Record is encrypted using an encryption key; furthermore, the Record encryption key is encrypted using a RecordSet encryption key, and finally, both the encrypted Record and its encrypted encryption key are wrapped as a single unit, to avoid the expensive operations of key lookup and general key operation overhead. Access control to the RecordSet encryption keys is provided by a combination of, but not limited to, the following data types: 1) an Entity and its encryption key, 2) Ciphers, and 3) Trusted Entity Lists. For each Entity which is authorized to access a RecordSet, an encrypted Cipher, made of both the Entity encryption key and the RecordSet encryption key, is added to a Trusted Entity List.
    Type: Grant
    Filed: November 21, 2014
    Date of Patent: September 6, 2016
    Inventors: Sze Yuen Wong, Wai Pong Leung
  • Patent number: 9396341
    Abstract: The present invention addresses encryption systems and methods in the de-duplication of data in a multi-tenant environment. The system provides isolation between tenants' stored data and the storage system. The tenants' data is broken down into many smaller raw data items. Fingerprints are generated for the raw data and compared to fingerprints of raw data previously stored on the storage system. The raw data and fingerprint are encrypted with a single use key (SUK) by the storage system. The SUK encrypted fingerprint is wrapped with a storage system key and stored with other fingerprints. The SUK encrypted fingerprint is also returned to the tenants and wrapped with a tenant key. The use of tenant key wraps allows the tenant data to be protected and confidential to each tenant but allows the raw data to be shared by all tenants.
    Type: Grant
    Filed: March 31, 2015
    Date of Patent: July 19, 2016
    Assignee: EMC Corporation
    Inventors: Surendar Chandra, Darren Sawyer
  • Patent number: 9369448
    Abstract: Disclosed are various embodiments for facilitating network security parameter distribution and generation in a converged network incorporating multiple heterogeneous link layer networking technologies. Embodiments are provided for connecting network devices through multiple heterogeneous link layer networking technologies using a converged network password. Embodiments are provided for connecting network devices through multiple heterogeneous link layer networking technologies using a pairing event protocol, such as, for example, a push button protocol.
    Type: Grant
    Filed: June 28, 2011
    Date of Patent: June 14, 2016
    Assignee: BROADCOM CORPORATION
    Inventors: Philippe Klein, Avi Kliger
  • Patent number: 9286241
    Abstract: A microcontroller includes on-chip key storage slots stored in a non-volatile memory, wherein selecting which key is to be used is restricted to software, wherein a predetermined key storage slot stores a Key Encrypt Key (KEK), and a register flag is provided for determining whether the predetermined key storage slot stores a key for encrypting/decrypting data or the KEK for encrypting/decrypting a key.
    Type: Grant
    Filed: February 20, 2013
    Date of Patent: March 15, 2016
    Assignee: MICROCHIP TECHNOLOGY INCORPORATED
    Inventor: Michael Simmons
  • Patent number: 9251154
    Abstract: A method and system for determining priority is provided. The method includes generating a list defining specified data objects stored within a back-up/archived data storage system and applying importance levels to the specified data objects. Reliability urgency levels for the storage devices are determined and in response groups of data objects of the specified data objects are generated. Required reliability levels for each group of data objects are determined and associated erasure encoding rates are calculated. Fragment sets for the groups of data objects are generated and numbers of parity objects required for the fragment sets are determined. An erasure code algorithm is executed with respect to the groups of data objects and in response parity objects are computed on demand.
    Type: Grant
    Filed: November 15, 2013
    Date of Patent: February 2, 2016
    Assignee: International Business Machines Corporation
    Inventors: Ramamohan Chennamsetty, Blaine H. Dolph, Sandeep R. Patil, Riyazahamad M. Shiraguppi, Gandhi Sivakumar
  • Patent number: 9225717
    Abstract: Methods and apparatus are provided for signing data transactions using one-time authentication passcodes. User authentication passcodes are generated by generating a time-based user authentication passcode based on a forward-secure pseudorandom number, wherein the generated time-based user authentication passcode is used for authentication of the user; and generating an event-based user authentication passcode based on a forward-secure pseudorandom number, wherein the generated event-based user authentication passcode is used to sign one or more data transactions. The generation of an event-based user authentication passcode can be performed on-demand. The generation of the event-based user authentication passcode can optionally be performed substantially simultaneously with the generation of the time-based user authentication passcode.
    Type: Grant
    Filed: March 14, 2013
    Date of Patent: December 29, 2015
    Assignee: EMC Corporation
    Inventors: John Brainard, Nikolaos Triandopoulos, Marten van Dijk, Ari Juels
  • Patent number: 9191375
    Abstract: A method for performing access management to facilitate a user to access applications in a single sign-on enabled enterprise solution is provided. A challenge token and a response token are transmitted between a server and a client. The challenge token and response token comprises one-way hashed data. The response token is verified at the server and the client to authenticate the user. Further, a request for service token is transmitted between the server and the client. The request for service token is encrypted at the client and decrypted at the server using a unique session key negotiated between the server and client. A service token is generated and transmitted between the server and the client. The service token is encrypted and decrypted at the server using a secret key to verify the service token. Based on the verification, the requested applications are rendered on client based user interface.
    Type: Grant
    Filed: January 13, 2011
    Date of Patent: November 17, 2015
    Assignee: Infosys Limited
    Inventors: Jasdeep Singh Kaler, Preethi Thoppil, Sujit Kumar Mahapatra
  • Patent number: 9191200
    Abstract: The security level of a communications terminal can be changed during operation. A key loading device can reconstitute a key encryption key from plural split portions. The split portions can be loaded into the key loading device via various interfaces. The reconstituted key encryption key can be used to unwrap wrapped keys stored in the key loading device.
    Type: Grant
    Filed: October 7, 2010
    Date of Patent: November 17, 2015
    Assignee: L-3 Communications Corp.
    Inventors: Michael D. Adams, Jared M. Jacobson
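The two operations this abstract combines, reconstituting a key encryption key from split portions and then using it to unwrap wrapped keys, as an added Go example for this page; it is not L-3's code, and the same wrap/unwrap pattern is what 9436849 above relies on when it encrypts Record keys under a RecordSet key. It assumes plain XOR secret splitting for the split portions and RFC 3394 AES Key Wrap for the wrapped keys, implemented here over crypto/aes because Go's standard library has no key-wrap package; the three-share split and the loading-interface comments are this example's assumptions. The wrap is checked against the RFC 3394 section 4.1 test vector.

```go
package main

import (
	"crypto/aes"
	"crypto/rand"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

var kwIV = []byte{0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6} // RFC 3394 default IV

// ReconstituteKEK XORs the split portions back into the KEK.
func ReconstituteKEK(shares [][]byte) ([]byte, error) {
	kek := make([]byte, len(shares[0])) // callers pass at least one share
	for _, s := range shares {
		if len(s) != len(kek) {
			return nil, errors.New("share length mismatch")
		}
		for j := range kek {
			kek[j] ^= s[j]
		}
	}
	return kek, nil
}

// SplitKEK returns n >= 2 XOR shares of kek; all n are needed, any n-1 are uniform noise.
func SplitKEK(kek []byte, n int) ([][]byte, error) {
	shares := make([][]byte, 0, n)
	for i := 1; i < n; i++ {
		s := make([]byte, len(kek))
		if _, err := rand.Read(s); err != nil {
			return nil, err
		}
		shares = append(shares, s)
	}
	last, _ := ReconstituteKEK(append([][]byte{kek}, shares...)) // kek XOR every random share
	return append(shares, last), nil
}

// Wrap is RFC 3394 AES Key Wrap: six passes of AES over A||R[i], folding the step counter t=n*j+i into A.
func Wrap(kek, key []byte) ([]byte, error) {
	if len(key) < 16 || len(key)%8 != 0 {
		return nil, errors.New("key to wrap must be at least 128 bits and a multiple of 64")
	}
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	out := append(append([]byte(nil), kwIV...), key...) // A || R[1..n]
	a, r, buf, n := out[:8], out[8:], make([]byte, 16), len(key)/8
	for j := 0; j <= 5; j++ {
		for i := 1; i <= n; i++ {
			copy(buf[:8], a)
			copy(buf[8:], r[(i-1)*8:i*8])
			block.Encrypt(buf, buf)
			binary.BigEndian.PutUint64(a, binary.BigEndian.Uint64(buf[:8])^uint64(n*j+i))
			copy(r[(i-1)*8:i*8], buf[8:])
		}
	}
	return out, nil
}

// Unwrap inverts Wrap and fails unless the IV is recovered, which is how a wrong KEK or a modified blob is detected.
func Unwrap(kek, wrapped []byte) ([]byte, error) {
	if len(wrapped) < 24 || len(wrapped)%8 != 0 {
		return nil, errors.New("wrapped key must be at least 192 bits and a multiple of 64")
	}
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	out := append([]byte(nil), wrapped...)
	a, r, buf, n := out[:8], out[8:], make([]byte, 16), len(wrapped)/8-1
	for j := 5; j >= 0; j-- {
		for i := n; i >= 1; i-- {
			binary.BigEndian.PutUint64(buf[:8], binary.BigEndian.Uint64(a)^uint64(n*j+i))
			copy(buf[8:], r[(i-1)*8:i*8])
			block.Decrypt(buf, buf)
			copy(a, buf[:8])
			copy(r[(i-1)*8:i*8], buf[8:])
		}
	}
	if string(a) != string(kwIV) {
		return nil, errors.New("integrity check failed: wrong KEK or corrupted wrapped key")
	}
	return r, nil
}

func main() {
	kek, _ := hex.DecodeString("000102030405060708090A0B0C0D0E0F") // RFC 3394 4.1 KEK
	key, _ := hex.DecodeString("00112233445566778899AABBCCDDEEFF") // RFC 3394 4.1 key data
	shares, _ := SplitKEK(kek, 3)        // e.g. one split portion per loading interface
	loaded, _ := ReconstituteKEK(shares) // the key loading device rebuilds the KEK
	wrapped, _ := Wrap(loaded, key)
	fmt.Printf("%X\n", wrapped) // 1FA68B0A8112B447AEF34BD8FB5A7B829D3E862371D2CFE5
}
```

The integrity check in Unwrap is what makes a KEK useful as a gate: a wrong KEK, a single share used on its own, or one flipped bit in the wrapped blob all fail at the IV comparison rather than yielding a plausible-looking key. XOR splitting is all-or-nothing; if any one portion may be lost, a threshold scheme such as Shamir's is needed instead.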
  • Patent number: 9172683
    Abstract: In a Digital Rights Management (DRM) system, cryptographic keys for decrypting distributed assets (such as audio or video media) are distributed using an offline (e.g., non-Internet) method for distribution of the key generation process, with an implicit authorization to use the distributed key generation process. This is used to update an asset key for use by a client such as a media player when a key formula for generating the key for decrypting an asset has been compromised, such as by hackers.
    Type: Grant
    Filed: June 29, 2011
    Date of Patent: October 27, 2015
    Assignee: Apple Inc.
    Inventors: Augustin J. Farrugia, Gianpaolo Fasoli, Nicholas Sullivan
  • Patent number: 9100374
    Abstract: The present invention discloses a method for managing remote upgrading keys in an information security apparatus. A remote source apparatus generates key disabling data according to a divulged remote upgrading key and sends the key disabling data to the information security apparatus, and the information security apparatus performs the disabling operation on the divulged remote upgrading key according to the received key disabling data. Using the method disclosed in the present invention can prevent the information security apparatus from being maliciously attacked by malicious attackers by using the divulged remote upgrading key and through the remote upgrading process.
    Type: Grant
    Filed: February 23, 2012
    Date of Patent: August 4, 2015
    Assignee: Beijing Senselock Software Technology Co., Ltd.
    Inventors: Jiping Sun, Yong Han
  • Patent number: 9054871
    Abstract: A device, including one or more Communication Physical Unclonable Function (CPUF) and key storage devices, the CPUF devices each including: a coherent Electromagnetic (EM) radiation source; a spatial light modulator (SLM) connected to the coherent EM radiation source; a volumetric scattering medium connected to the SLM; a detector connected to the volumetric scattering medium; and one or more processors or circuits connected to the detector and one or more processors or circuits connected to the SLM. A communication protocol is also provided.
    Type: Grant
    Filed: February 21, 2013
    Date of Patent: June 9, 2015
    Assignees: California Institute of Technology, London School of Hygiene & Tropical Medicine
    Inventors: Roarke Horstmeyer, Benjamin Judkewitz, Changhuei Yang, Ivo M. Vellekoop
  • Patent number: 8997245
    Abstract: Systems and techniques for managing software licensing are described. When a computing system service request is made, the request is intercepted and software information that may be more or less continuously updated in a managed computing environment is examined to determine the effect of the service request on software usage by the system. The software usage represented by the service request is evaluated based on licensing information to determine license usage by the system and changes in license usage based on the service request, and license usage information is determined based on the software usage and the licensing information. The license usage information may be used in connection with a system of rules to govern actions such as reporting licensing usage or allowing or preventing the use of software based on whether use of the software will violate licensing requirements.
    Type: Grant
    Filed: August 29, 2013
    Date of Patent: March 31, 2015
    Assignee: International Business Machines Corporation
    Inventors: Han Chen, Minkyong Kim, Hui Lei, Jonathan P. Munson, Suraj Subramanian
  • Patent number: 8990569
    Abstract: A device receives an encrypted key generating value from a first device and decrypts the encrypted key generating value. A temporary session key associated with the first device is generated based on the key generating value. A secure session invitation message is received from the first device. A master session key is generated and encrypted using the temporary session key associated with the first device. The encrypted master session key is transmitted to the first device.
    Type: Grant
    Filed: December 3, 2008
    Date of Patent: March 24, 2015
    Assignee: Verizon Patent and Licensing Inc.
    Inventors: Thomas W. Haynes, Steven R. Rados
  • Patent number: 8958555
    Abstract: In one exemplary embodiment of the invention, a method for computing a resultant and a free term of a scaled inverse of a first polynomial $v(x)$ modulo a second polynomial $f_n(x)$, including: receiving the first polynomial $v(x)$ modulo the second polynomial $f_n(x)$, where the second polynomial is of a form $f_n(x) = x^n \pm 1$, where $n = 2^k$ and $k$ is an integer greater than 0; computing lowest two coefficients of a third polynomial $g(z)$ that is a function of the first polynomial and the second polynomial, where $g(z) = \prod_{i=0}^{n-1} \bigl(v(\rho_i) - z\bigr)$, where $\rho_0, \rho_1, \ldots, \rho_{n-1}$ are roots of the second polynomial $f_n(x)$ over a field; outputting the lowest coefficient of $g(z)$ as the resultant; and outputting the second lowest coefficient of $g(z)$ divided by $n$ as the free term of the scaled inverse of the first polynomial $v(x)$ modulo the second polynomial $f_n(x)$.
    Type: Grant
    Filed: June 19, 2013
    Date of Patent: February 17, 2015
    Assignee: International Business Machines Corporation
    Inventors: Craig B. Gentry, Shai Halevi
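Why the two lowest coefficients of $g(z)$ are enough, as an added derivation that is not part of the patent text; it uses the abstract's symbols, assumes $g_0 \neq 0$ (so $v$ is invertible modulo $f_n$), and relies only on the standard fact about sums of powers of the roots of $x^n \pm 1$.

With $\rho_0, \ldots, \rho_{n-1}$ the roots of $f_n(x) = x^n \pm 1$ and
$$g(z) = \prod_{i=0}^{n-1} \bigl(v(\rho_i) - z\bigr) = g_0 + g_1 z + g_2 z^2 + \cdots,$$
the lowest coefficient is the resultant, $g_0 = \prod_i v(\rho_i) = \mathrm{Res}(f_n, v)$, and the next one is
$$g_1 = -\sum_i \prod_{j \neq i} v(\rho_j) = -\,g_0 \sum_i \frac{1}{v(\rho_i)}.$$
Let $w(x) = g_0 \cdot v(x)^{-1} \bmod f_n(x)$ be the scaled inverse, with $\deg w < n$ and coefficients $w_0, \ldots, w_{n-1}$. Evaluation at a root of $f_n$ is a ring homomorphism, so $w(\rho_i) = g_0 / v(\rho_i)$. The roots are $\rho_i = \zeta^{2i+1}$ for $x^n + 1$ and $\rho_i = \zeta^{2i}$ for $x^n - 1$, with $\zeta$ a primitive $2n$-th root of unity, hence $\sum_i \rho_i^k = 0$ for $1 \le k \le n-1$, and summing $w$ over the roots kills every coefficient except the free term:
$$\sum_i w(\rho_i) = \sum_{k=0}^{n-1} w_k \sum_i \rho_i^k = n\,w_0.$$
Therefore
$$w_0 = \frac{1}{n} \sum_i \frac{g_0}{v(\rho_i)} = -\frac{g_1}{n},$$
the second-lowest coefficient of $g$ divided by $n$, up to the sign fixed by writing the factors as $v(\rho_i) - z$ rather than $z - v(\rho_i)$. Nothing beyond $g_0$ and $g_1$ enters, which is why the method computes only the two lowest coefficients instead of all of $g$.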
  • Patent number: 8959333
    Abstract: Method for providing a mesh key which can be used to encrypt messages between a first node and a second node of a mesh network, wherein a session key is generated when authenticating the first node in an authentication server, the first node and the authentication server or an authentication proxy server using a predefined key derivation function to derive the mesh key from said session key, which mesh key is transmitted to the second node.
    Type: Grant
    Filed: May 29, 2007
    Date of Patent: February 17, 2015
    Assignee: Nokia Siemens Networks GmbH & Co. KG
    Inventors: Rainer Falk, Florian Kohlmayer
  • Patent number: 8954740
    Abstract: A server receives identifying information of a user of a client device and data encrypted with a public key of a group, where the encrypted data includes an encrypted session key for secure content. The server determines whether the user is a member of the group using the identifying information of the user. If the user is a member of the group, the server decrypts the encrypted session key using a private key of the group, and causes the client device to obtain a session key to access the secure content.
    Type: Grant
    Filed: October 4, 2010
    Date of Patent: February 10, 2015
    Assignee: Symantec Corporation
    Inventors: Vincent E. Moscaritolo, Damon Cokenias, David Finkelstein
  • Patent number: 8949609
    Abstract: The user device includes: a recording unit which stores system parameters as respective parameters given in advance, a disclosure public key, a user public key, a user private key, a member certificate, and an attribute certificate; an input/output unit which receives input of the document from the user and an attribute the user intends to disclose; a cryptograph generating module which generates a cryptograph based on the inputted document, the attribute to be disclosed, and each of the parameters; a signature text generating module which generates a zero-knowledge signature text from the generated cryptograph; and a signature output module which outputs the cryptograph and the zero-knowledge signature text as the signature data. The user public key and the attribute certificate are generated by using a same power.
    Type: Grant
    Filed: July 6, 2010
    Date of Patent: February 3, 2015
    Assignee: NEC Corporation
    Inventor: Isamu Teranishi
  • Patent number: 8929555
    Abstract: Data encryption systems and methods. The system includes a storage device storing data and an encryption/decryption module. The encryption/decryption module randomly generates a device key seed according to the occurrence time of a specific operation or the interval between two specific operations on the storage device, and applies the device key seed to data encryption.
    Type: Grant
    Filed: November 23, 2004
    Date of Patent: January 6, 2015
    Assignee: Transpacific IP I Ltd.
    Inventor: Bo-Er Wei
  • Patent number: 8924719
    Abstract: Secure bulk messaging mechanism in which, roughly described, a sender first encrypts a message once. The message can be decrypted with a message decryption key. These can be symmetric or asymmetric keys. For each recipient, the sender then encrypts the message decryption key with the recipient's public key. The sender then sends the encrypted message and the encrypted message decryption keys to a store-and-forward server. Subsequently, one or more recipients connect to the server and retrieve the encrypted message and the message encryption key that has been encrypted with the recipient's public key. Alternatively, the server can forward these items to each individual recipient. The recipient then decrypts the encrypted message decryption key with the recipient's private key, resulting in an unencrypted message decryption key. The recipient then decrypts the message using the unencrypted message decryption key.
    Type: Grant
    Filed: December 17, 2012
    Date of Patent: December 30, 2014
    Assignee: Axway Inc.
    Inventor: David Jevans
  • Patent number: 8914635
    Abstract: A method is disclosed for establishing a secure communication session using composite key cryptography. The method comprises generating a first plurality of secret keys all of which are known only to a first communicating party and each one of which is shared with exactly one of a plurality of stewards, and generating a second plurality of secret keys all of which are known only to a second communicating party and each one of which is shared with exactly one of the plurality of stewards. The first and second communicating parties each send information to the other through different stewards, each communication leg being encrypted using a secret key known only to the respective communicating party and steward. These communications are usable to distribute cryptographic seeds to the communicating parties for use in generating a temporary session key that can be used to encrypt direct communications between the parties.
    Type: Grant
    Filed: March 7, 2013
    Date of Patent: December 16, 2014
    Assignee: Grey Heron Technologies, LLC
    Inventor: David L. Parrish
  • Patent number: 8912879
    Abstract: A security system may include a plurality of electronic devices, each having a unique identification (ID) associated therewith and configured to generate a temporary security code based upon the unique ID. The system may further include at least one mobile wireless communications device including a first Near-Field Communication (NFC) circuit, and a mobile controller configured to receive the temporary security code from a given electronic device from among the plurality of electronic devices. The system may also include an access control device associated with a personnel access position and including a second NFC sensor and a security controller. The security controller may be configured to receive the temporary security code from the first NFC sensor via NFC communications, selectively grant personnel access based upon the received temporary security code, and determine the unique ID associated with the given electronic device.
    Type: Grant
    Filed: September 23, 2010
    Date of Patent: December 16, 2014
    Assignee: BlackBerry Limited
    Inventors: Steven Henry Fyke, Jason Tyler Griffin
  • Patent number: 8910252
    Abstract: Embodiments of the present invention disclose a peer enrollment method, a route updating method, a communication system, and relevant devices to improve security of a peer-to-peer (P2P) network. The peer enrollment method includes: receiving an enrollment request from a peer, where the enrollment request carries identity information of the peer; verifying the identity information of the peer, and if the verification succeeds, obtaining peer location information of the peer and generating a peer credential according to the peer location information; and sending the peer credential carrying the peer location information to the peer so that the peer joins the P2P network according to the peer credential. Embodiments of the present invention further provide a route updating method, a communication system, and relevant devices. Embodiments of the present invention may improve security of the P2P network effectively.
    Type: Grant
    Filed: October 13, 2011
    Date of Patent: December 9, 2014
    Assignee: Huawei Technologies Co., Ltd.
    Inventors: Yingjie Gu, Xingfeng Jiang, Haibin Song
  • Patent number: 8908870
    Abstract: Methods and systems for transferring information to a device include assigning a unique identifier to a device and generating a unique key for the device. The device is located at a first site, and the unique identifier is sent from the device to a second site. The unique key is obtained at the second site, and it is used for encrypting information at the second site. The encrypted information is sent from the second site to the device, where it can then be decrypted.
    Type: Grant
    Filed: April 4, 2008
    Date of Patent: December 9, 2014
    Assignee: Infineon Technologies AG
    Inventors: Jurijus Cizas, Shrinath Eswarahally, Peter Laackmann, Berndt Gammel, Mark Stafford, Joerg Borchert
  • Patent number: 8908871
    Abstract: The AAA server generates and delivers a new HA-RK before expiry of the old HA-RK, thus eliminating the time gap between expiry of the old HA-RK and obtaining of the new HA-RK and making the MIP registration seamless. In the system, if the remaining lifetime of the old HA-RK is less than or equal to the lifecycle of the MSK in the EAP process, a new HA-RK is delivered; otherwise, no new HA-RK needs to be delivered. If both a new HA-RK and an old HA-RK are valid on the network entity at a time, then only the old HA-RK applies and the new HA-RK is not active until expiry of the old HA-RK. Alternatively, both the new HA-RK and the old HA-RK are active concurrently, and are differentiated by an SPI.
    Type: Grant
    Filed: July 15, 2009
    Date of Patent: December 9, 2014
    Assignee: Huawei Technologies Co., Ltd.
    Inventors: Wenliang Liang, Jianjun Wu, Xianhui He
  • Patent number: 8904193
    Abstract: A method for operating a security device includes a microcontroller, a protected memory area, in which at least one item of protection-worthy information is stored, and a unit, the microcontroller being connected to the protected memory area via the unit, the at least one item of protection-worthy information being accessed by the microcontroller via the unit when the method is carried out.
    Type: Grant
    Filed: November 22, 2010
    Date of Patent: December 2, 2014
    Assignee: Robert Bosch GmbH
    Inventors: Markus Ihle, Robert Szerwinski, Oliver Bubeck, Jan Hayek, Jamshid Shokrollahi
  • Patent number: 8885832
    Abstract: A distributed peer-to-peer document archive system provides version-control, security, access control, linking among stored documents and remote access to documents usually associated with centralized storage systems while still providing the simplicity, personalization and robustness to network outages associated with personal and peer-to-peer storage systems. A “keyring” is an encrypted repository that allows a user to recover and access a user's entire digital archive with a single master key. After the key is created, it does not need to be updated, and can be stored in a safe, safety-deposit box or other secure location. In the event the user's computer is stolen or destroyed, the user need only install the system on a new machine and import the master key. The system will then use that key to browse nearby servers to find and decrypt all files necessary to recreate the full digital archive in its most recent state.
    Type: Grant
    Filed: March 31, 2008
    Date of Patent: November 11, 2014
    Assignee: Ricoh Company, Ltd.
    Inventors: Bradley J. Rhodes, Stephen R Savitzky, Kurt Piersol
  • Patent number: 8874896
    Abstract: This disclosure relates to systems and methods for enabling the use of secret digital or electronic information without exposing the sensitive information to unsecured applications. In certain embodiments, the methods may include invoking, by a client application executing in an open processing domain, a secure abstraction layer configured to interface with secret data protected by a secure processing domain. Secure operations may be securely performed on the secret data by the secure abstraction layer in the secure processing domain based on an invocation from a client application running in the open processing domain.
    Type: Grant
    Filed: June 17, 2011
    Date of Patent: October 28, 2014
    Assignee: Intertrust Technologies Corporation
    Inventors: Gilles Boccon-Gibod, Gary Ellison
  • Patent number: 8874916
    Abstract: Systems and methods may provide introducing a first root of trust on a platform to a second root of trust on the same platform. In one example, the method may include using an authenticated code module to transfer a first encryption key from a first root of trust on a platform to a second root of trust on the platform, receiving a challenge response from the first root of trust at the second root of trust, and using the first encryption key to verify the challenge response.
    Type: Grant
    Filed: September 28, 2012
    Date of Patent: October 28, 2014
    Assignee: Intel Corporation
    Inventors: Ned Smith, Sharon Smith, Willard Wiseman
  • Patent number: 8862881
    Abstract: A method and system for mutually authenticating a first node and a second node operating in a wireless communication network enables mutual authentication when the first node and the second node are unable to directly authenticate each other. The method includes identifying, at the first node, a third node that can authenticate both the first node and the second node (step 215). Authentication data for authenticating the first node with the third node is then transmitted from the first node to the third node (step 220). Keying material that is received from the third node is then processed at the first node (step 225). A shared secret mutual authentication protocol is then processed, whereby the first node and the second node are mutually authenticated by proving that they each have authenticated with the third node and each have the keying material (step 230).
    Type: Grant
    Filed: May 30, 2006
    Date of Patent: October 14, 2014
    Assignee: Motorola Solutions, Inc.
    Inventors: Anthony R. Metke, Donald E. Eastlake, III, Zhi Fu
  • Patent number: 8861737
    Abstract: A method, apparatus, and/or system are provided for establishing trust between an accessory device and a host device, using a global key known to both the host device and the accessory device, so that content protection for subscriber-based mobile broadcast services is provided. A secure link may be established between the accessory device and the host device so that when the accessory device receives encrypted content via a secured forward link only network, the accessory device may decrypt the content at the forward link only stack. The content is then re-encrypted/re-secured using one or more derived encryption keys and then sent to the host device where it may be decrypted and played back. A global key, unique to the particular device type of the host device, is employed to ultimately derive the session encryption keys used to re-encrypt/re-secure the content conveyed from the accessory device to the host device.
    Type: Grant
    Filed: May 27, 2010
    Date of Patent: October 14, 2014
    Assignee: QUALCOMM Incorporated
    Inventors: Panagiotis Thomas, Can E. Acar, Philip Michael Hawkes, Bijan Ansari
  • Patent number: 8862867
    Abstract: The disclosure discloses a method for protecting security of layer-3 mobility user plane data in Next Generation Network (NGN), includes: performing authentication by a terminal with an authentication server; after the authentication is passed, obtaining a shared key material by both the terminal and the authentication server; generating, by the terminal and the authentication server, a mobility data security key according to the shared key material; transmitting, by the authentication server, the generated mobility data security key to a mobility data transmission module; protecting security of the layer-3 mobility user plane data, by the terminal and the mobility data transmission module, by using the mobility data security key. The disclosure also discloses a system for protecting security of layer-3 mobility user plane data in NGN.
    Type: Grant
    Filed: March 22, 2010
    Date of Patent: October 14, 2014
    Assignee: ZTE Corporation
    Inventors: Hongyan Wang, Yinxing Wei
  • Publication number: 20140301554
    Abstract: Embodiments of the present invention provide a key insulation method and device. The key insulation method includes: randomly selecting a first parameter $s$ from $\mathbb{Z}_q^*$, acquiring a helper initial key from a helper, and generating an initial user private key according to the first parameter $s$, a preset first cryptographic hash function $H_1$, and the helper initial key; and acquiring a helper updated key for a time segment $i$ from the helper, and updating a user private key for a time segment $j$ according to the helper updated key for the time segment $i$ to obtain a user private key for the time segment $i$. According to the key insulation method and device provided by the embodiments, in a process of generating an initial key and a process of updating a key, lifecycle is not involved, which improves flexibility of a key system.
    Type: Application
    Filed: April 2, 2014
    Publication date: October 9, 2014
    Applicant: Huawei Technologies Co., Ltd.
    Inventors: Xiangguo CHENG, Jia YU, Qinqin YANG
  • Patent number: 8848924
    Abstract: A privacy-preserving device-tracking system and method to assist in the recovery of lost or stolen Internet-connected mobile devices. The function of such a system seem contradictory, since it is desirable to hide a device's legitimately-visited locations from third-party services and other parties to achieve location privacy, while still enabling recovery of the device's location(s) after it goes missing by tracking the device to determine its location. An exemplary embodiment uses a DHT for storing encrypted location information and other forensic information in connection with indices that are successively determined based on initial pseudorandom seed information (i.e., state) that is retained by the owner of the device. Using the seed information, the software can determine indices mapped to location information stored after the device went missing, enabling the device to be located.
    Type: Grant
    Filed: November 24, 2008
    Date of Patent: September 30, 2014
    Assignee: University of Washington
    Inventors: Tadayoshi Kohno, Arvind Krishnamurthy, Gabriel Maganis, Thomas Ristenpart
  • Patent number: 8842841
    Abstract: The present invention relates to the field of security of electronic data and/or communications. In one form, the invention relates to data security and/or privacy in a distributed and/or decentralised network environment. In another form, the invention relates to enabling private collaboration and/or information sharing between users, agents and/or applications. Embodiment(s) of the present invention enable the sharing of key(s) and/or content between a first user and/or agent and a second user and/or agent. Furthermore, embodiment(s) of the present invention have application in sharing encrypted information via information sharing services. A number of inventions, aspects and embodiments are disclosed herein.
    Type: Grant
    Filed: August 16, 2013
    Date of Patent: September 23, 2014
    Assignee: Lock Box Pty Ltd
    Inventors: David Geoffrey Hook, Richard Hans Harvey, Peter Kai Dettman
  • Patent number: 8832429
    Abstract: Method for operating a smart grid including a plurality of smart meters configured to monitor at least one physical measured quantity and to provide measurement results of the at least one physical measured quantity to a central entity, includes the following steps: partitioning the smart grid into groups of smart meters, such that each of the smart meters belongs to exactly one group, all smart meters of one of the groups encrypt their measured value by applying a bihomomorphic encryption scheme and send it to the central entity, one smart meter per group is designated as key aggregator to which all smart meters of that group send their key employed for the encryption, the key aggregator computes the aggregation of all received keys and sends the aggregated key to the central entity, the central entity aggregates all received encrypted measured values and decrypts the aggregation by employing the aggregated key.
    Type: Grant
    Filed: January 31, 2011
    Date of Patent: September 9, 2014
    Assignees: NEC Europe Ltd., Universidad de Murcia
    Inventors: Felix Gomez Marmol, Christoph Sorge, Osman Ugus, Gregorio Martinez Perez, Alban Hessler
  • Patent number: 8825999
    Abstract: A data encryption service is provided over the Internet. Users specifying only authorized users' identity information can share encrypted information without sharing passwords or accessing public key certificates. A user sends data to be encrypted to a trusted EWS, along with authorization information. An encrypted data envelope including signed encrypted data blocks, authorization information, and a digital signature is returned to the user. When a second user attempts to access the data inside the encrypted data envelope, it is transmitted to the EWS. If the EWS authenticates the second user, determines that tampering has not occurred, and verifies the second user's identity against the authorization information in the data envelope, then the data are returned. The encrypted data envelope can be expressed as a raw byte stream or encoded within an HTML file to enable browser-based data envelope submission and retrieval.
    Type: Grant
    Filed: September 26, 2008
    Date of Patent: September 2, 2014
    Assignee: Blackout, Inc.
    Inventor: Ahmed Mohamed
  • Patent number: 8819452
    Abstract: A method begins with a processing module obtaining data to store and determining whether substantially similar data to the data is stored. When the substantially similar data is not stored, the method continues with the processing module generating a first encryption key based on the data, encoding the first encryption key into encoded data slices in accordance with an error coding dispersal storage function, and storing the encoded data slices in a dispersed storage network (DSN) memory. When the substantially similar data is stored, the method continues with the processing module encrypting the data using an encryption key of the substantially similar data in accordance with an encryption function to produce encrypted data, compressing the encrypted data in accordance with a compression function to produce compressed data, and storing the compressed data.
    Type: Grant
    Filed: September 17, 2010
    Date of Patent: August 26, 2014
    Assignee: Cleversafe, Inc.
    Inventors: S. Christopher Gladwin, Kumar Abhijeet, Greg Dhuse, Jason K. Resch, Gary W. Grube, Timothy W. Markison
  • Patent number: 8812959
    Abstract: A method, computer program, and system for delivering digital content to a user interface. A method according to an embodiment includes: generating a starting content on the user interface including at least one clickable content, each of the at least one clickable content being previously associated with a first key; upon selection of a clickable content associated with a first key, determining a second key, associated with a destination content, from the first key; determining an executable asset program from the second key, an execution of the asset program generating the display of a predefined asset content; attaching the second key to the executable asset program according to a hiding mechanism; executing the executable asset program to display the predefined asset content, and releasing the second key during the execution of the program.
    Type: Grant
    Filed: May 17, 2010
    Date of Patent: August 19, 2014
    Assignee: International Business Machines Corporation
    Inventors: Sebastien Bousseton, Jean-Luc Collet, Arnaud Lund, Carole Truntschka
  • Patent number: 8811611
    Abstract: Methods and apparatus involve two keys to decode data that are generated during original encoding of the data. The keys are stored on computing devices separate from one another and from the encrypted data, which maintains security until such time as the original data requires decoding. Because the keys can be relatively large, their stored form may have padding bits to align with the file form of the encoded data. Representative keys include a dictionary corresponding to symbols representing the data and a weighted path decoder that correlates the symbols of the dictionary to underlying original bits. A “fast approximation” of compression of current data involves using information obtained from an earlier compression of similar data. Creating the two keys for the original data can also include creating a master key for decoding a plurality of later-encoded files. A second key also works in conjunction with the master key during decoding.
    Type: Grant
    Filed: October 8, 2009
    Date of Patent: August 19, 2014
    Assignee: Novell, Inc.
    Inventor: Craig N. Teerlink
  • Patent number: 8798267
    Abstract: A cryptographic key is virtualized to provide a virtual cryptographic key. To virtualize the key, an operation, such as an exclusive OR operation, is used with the key and a mask. The virtual key is usable by a guest of a virtual environment in cryptographic operations.
    Type: Grant
    Filed: October 19, 2012
    Date of Patent: August 5, 2014
    Assignee: International Business Machines Corporation
    Inventor: Phil C. Yeh
  • Patent number: 8787569
    Abstract: Method to secure the communication of components within self-service automats that are linked to each other by a bus system, having a transmitter and a receiver, characterized in that data are exchanged as tuples (C, A, R, N, Z) on the transport layer of the bus system where C are the message data M encrypted with an encryption key, A are the message data M authenticated with an authentication key, R represents the role of a component on the bus system of active or passive participants, N represents a message counter, Z represents a session counter.
    Type: Grant
    Filed: October 22, 2009
    Date of Patent: July 22, 2014
    Assignee: Wincor Nixdorf International GmbH
    Inventors: Volker Krummel, Michael Nolte, Matthias Runowski, Johannes Bloemer
  • Patent number: 8788811
    Abstract: A method and system for server-side key generation for non-token clients is described.
    Type: Grant
    Filed: May 28, 2010
    Date of Patent: July 22, 2014
    Assignee: Red Hat, Inc.
    Inventors: Christina Fu, Andrew Wnuk
  • Patent number: 8782438
    Abstract: A method and apparatus for storing and retrieving program material for subsequent replay is disclosed. The method comprises the steps of receiving a data stream comprising the program material encrypted according to a first (CW) encryption key, decrypting the program material; re-encrypting the program material according to a second encryption key, and storing the re-encrypted material in a media storage device. The program material is played back by retrieving the re-encrypted material from the media storage device and decrypting the re-encrypted program material. In one embodiment, the media storage device also stores the second encryption key which has been further encrypted by a key that is unique to the device used to receive the program material.
    Type: Grant
    Filed: February 22, 2012
    Date of Patent: July 15, 2014
    Assignee: The DIRECTV Group, Inc.
    Inventors: Raynold M. Kahn, Gregory J. Gagnon, David D. Ha, Peter M. Klauss, Christopher P. Curren, Thomas H. James
  • Patent number: 8767964
    Abstract: A system to improve communication security in cluster machine processing may include interconnected computers that can jointly process data. The system may also include a shared secret key used by each of the interconnected computers to encrypt, decrypt, and/or authenticate data being sent, or received, from one of the interconnected computers to another of the interconnected computers. The system may further include a new shared secret key used by each of the interconnected computers to encrypt, decrypt, and/or authenticate data being sent, or received, from one of the interconnected computers to another of the interconnected computers. In addition, the new shared secret key may coexist with the shared secret key without adversely affecting the joint processing of data performed by the plurality of interconnected computers.
    Type: Grant
    Filed: March 26, 2008
    Date of Patent: July 1, 2014
    Assignee: International Business Machines Corporation
    Inventors: Myung M. Bae, Christopher V. DeRobertis, Robert K. Gardner, Robert R. Gensler, Jr., John R. Hare, Felipe Knop, Serban C. Maerean, Johannes Sayre, Hemant R. Suri
  • Patent number: 8766827
    Abstract: Parallel compression is performed on an input data stream by processing circuitry. The processing circuitry includes hashing circuitry, match engines, pipeline circuitry and a match selector. The hashing circuitry identifies multiple locations in one or more history buffers for searching for a target data in the input data stream. The match engines perform multiple searches in parallel for the target data in the one or more history buffers. The pipeline circuitry performs pipelined searches for multiple sequential target data in the input data stream in consecutive clock cycles. Then the match selector selects a result from the multiple searches and pipelined searches to compress the input data stream.
    Type: Grant
    Filed: March 29, 2013
    Date of Patent: July 1, 2014
    Assignee: Intel Corporation
    Inventors: Andrew Milne, Sailesh Bissessur, Quinn W. Merrell, Lokpraveen B. Mosur
  • Patent number: 8732423
    Abstract: A network memory system is disclosed. The network memory system comprises a first appliance configured to encrypt first data, store the encrypted first data in a first memory device. The first appliance also determines whether the encrypted first data exists in a second appliance and transmits a store instruction comprising the encrypted first data based on the determination that the encrypted first data does not exist in the second appliance. The second appliance is configured to receive the store instruction from the first appliance and store the encrypted first data in a second memory device. The second appliance is further configured to receive a retrieve instruction comprising a location indicator indicating where the encrypted first data is stored, process the retrieve instruction to obtain encrypted response data, and decrypt the encrypted response data.
    Type: Grant
    Filed: February 1, 2013
    Date of Patent: May 20, 2014
    Assignee: Silver Peak Systems, Inc.
    Inventor: David Anthony Hughes
  • Patent number: 8726019
    Abstract: In a communication system in which two communication entities seek to have a private or confidential communication session, a trust relationship needs first be established. The trust relationship is based on the determination of a shared secret which in turn is generated from contextual information. The contextual information can be derived from the circumstances surrounding the communication session. For example, the contextual information can include topological information, time-based information, and transactional information. The shared secret may be self-generated or received from a third party. In either event, the shared secret may be used as key material for any cryptographic protocol used between the communication entities.
    Type: Grant
    Filed: February 10, 2006
    Date of Patent: May 13, 2014
    Assignee: QUALCOMM Incorporated
    Inventors: Michael Paddon, Gregory Gordon Rose, James Semple, Philip Michael Hawkes
  • Patent number: 8694769
    Abstract: A system and method for controlling data communications between a server and a client device, such as a mobile device. Embodiments relate generally to a technique where stop data is provided to the client device. This stop data can be transmitted (e.g. by the client device) to the server. When processed by the server, the stop data indicates to the server that at least some of the encrypted data received by the client device from the server was not decrypted using the second key (e.g. as may be the case when the second key has been deleted). Upon receiving the stop data, the server may, for example, withhold the transmission of data encrypted with the first key to the client device until the second key is restored on the client device. In one embodiment, the stop data is provided to the client device in an encoded (e.g. encrypted) form.
    Type: Grant
    Filed: December 16, 2011
    Date of Patent: April 8, 2014
    Assignee: BlackBerry Limited
    Inventors: Dave Bajar, Philip Chi-Jim Luk, Michael Kenneth Brown, Darrell Reginald May