Using Master Key (e.g., Key-encrypting-key) Patents (Class 380/284)
  • Patent number: 8363841
    Abstract: A method for managing keys making it possible for a user to access one or more given services S in a communication system, in which the user is not able to be continuously connected to this service. A key K(t) is generated, which provides access to the service of day [t] for all the t<tfin by using a one-way function in the following manner (a one-way function being defined as being a function for which it is not currently possible by computing means to obtain the inverse function). A root key K(tfin) is used and the key K(tfin-1) is generated for the day [tfin-1] prior to the day tfin, by using a function f such that K(tfin-1)=f(K(tfin)). The new value of key K(tfin-1) is used in order to generate the key for the previous day K(tfin-2) and this step is reiterated over the limited time period of day [t] to day [t+d] in order to obtain the chain K(t+d-1), K(t+d-2), etc.
    Type: Grant
    Filed: February 28, 2007
    Date of Patent: January 29, 2013
    Assignee: Thales
    Inventors: Eric Garrido, Sandrine Agagliate
  • Patent number: 8355508
    Abstract: An information processing apparatus for collecting apparatus data from an apparatus connected through a network and sending the apparatus data to a server connected through the network includes a recording unit storing a secret key and a public key certificate which are encrypted by key data and commonly distributed; an obtaining unit for obtaining, from the information processing apparatus, individual identification data by which the information processing apparatus can be uniquely identified, sending a request to provide the predetermined key data through the network to the server by specifying the individual identification data, and receiving the key data encrypted by the individual identification data from the server; and a decoder for obtaining the individual identification data from the information processing apparatus, decoding the key data by using the individual identification data, and decoding the common public key certificate and the secret key by using the decoded key data.
    Type: Grant
    Filed: February 6, 2009
    Date of Patent: January 15, 2013
    Assignee: Ricoh Company, Ltd.
    Inventors: Masami Nasu, Jun Satoh
  • Patent number: 8356177
    Abstract: A computer system for authenticating, encrypting, and transmitting a secret communication, where the encryption key is transmitted along with the encrypted message, is disclosed. In an embodiment, a first transmitting processor encrypts a plaintext message to a ciphertext message using a data key, encrypts the data key using a key encrypting key, and sends a communication comprising the encrypted data key and the ciphertext message. A second receiving processor receives the communication and then decrypts the encrypted data key using the key encrypting key and decrypts the ciphertext message using the data key to recover the plaintext message.
    Type: Grant
    Filed: October 22, 2009
    Date of Patent: January 15, 2013
    Assignee: Cisco Technology, Inc.
    Inventors: David A. McGrew, Brian E. Weis, Fabio R. Maino
  • Patent number: 8351610
    Abstract: To improve a communication system including two communication apparatuses so as to reduce a possibility of having communication decrypted by a third party. The communication system includes a first communication apparatus and a second communication apparatus, where one of the communication apparatuses encrypts transmission subject data and transmits generated encrypted data to the other communication apparatus which decrypts received encrypted data. Each of the communication apparatuses generates an algorithm used for encryption each time it performs the encryption or decryption. In this case, each of the communication apparatuses generates the algorithm by assigning past solutions to a solution generating algorithm capable of having the past solutions assigned thereto and thereby generating a new algorithm. The past solutions are erased when they are no longer used.
    Type: Grant
    Filed: January 4, 2006
    Date of Patent: January 8, 2013
    Assignee: N-Crypt, Inc.
    Inventor: Takatoshi Nakamura
  • Patent number: 8345877
    Abstract: In a transmitter, data is encrypted by use of a data key, the data key is encrypted based on a first modification key, and the first modification key is encrypted based on a second modification key such that the first and second modification keys are different keys. The encrypted data, the encrypted data key, and the encrypted first modification key are transmitted to a receiver. In the receiver, the encrypted first modification key, the encrypted data key, and the encrypted data are received from the transmitter. The encrypted first modification key is decrypted based on the second modification key, the encrypted data key is decrypted based on the decrypted first modification key, and the encrypted data is decrypted by use of the decrypted data key.
    Type: Grant
    Filed: November 20, 2009
    Date of Patent: January 1, 2013
    Assignee: Zenith Electronics LLC
    Inventors: Raymond C. Hauge, Richard Lewis
  • Patent number: 8340299
    Abstract: Methods and systems are disclosed for providing secured data transmission and for managing cryptographic keys. One embodiment of the invention provides secure key management when separate devices are used for generating and utilizing the keys. One embodiment of the invention provides secure storage of keys stored in an unsecured database. One embodiment of the invention provides key security in conjunction with high speed decryption and encryption, without degrading the performance of the data network.
    Type: Grant
    Filed: July 28, 2010
    Date of Patent: December 25, 2012
    Assignee: Broadcom Corporation
    Inventors: Mark L. Buer, Joseph J. Tardo
  • Patent number: 8341429
    Abstract: A data transfer device for transferring data to a removable data storage item. The data transfer device receives content data to be stored to the removable data storage item, encrypts the content data using an encryption key, and transforms at least one of predetermined reference data and the encryption key. The data transfer device also encrypts the transformed predetermined reference data using the encryption key or encrypts the predetermined reference data using the transformed encryption key, and then stores the encrypted content data and the encrypted transformed/predetermined reference data to the removable data storage item.
    Type: Grant
    Filed: September 28, 2008
    Date of Patent: December 25, 2012
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Jonathan Peter Buckingham, Liqun Chen, Christopher Williams
  • Patent number: 8335919
    Abstract: Secure bulk messaging mechanism in which, roughly described, a sender first encrypts a message once. The message can be decrypted with a message decryption key. These can be symmetric or asymmetric keys. For each recipient, the sender then encrypts the message decryption key with the recipient's public key. The sender then sends the encrypted message and the encrypted message decryption keys to a store-and-forward server. Subsequently, one or more recipients connect to the server and retrieve the encrypted message and the message encryption key that has been encrypted with the recipient's public key. Alternatively, the server can forward these items to each individual recipient. The recipient then decrypts the encrypted message decryption key with the recipient's private key, resulting in an un-encrypted message decryption key. The recipient then decrypts the message using the un-encrypted message decryption key.
    Type: Grant
    Filed: April 15, 2005
    Date of Patent: December 18, 2012
    Assignee: Axway Inc.
    Inventor: David Jevans
  • Patent number: 8332658
    Abstract: A computer system in which an encryption-decryption process performed by one encryption-decryption module can be moved to another without stopping the process for a read/write request from a host computer. The computer system has a host computer, and a storage system for storing encrypted data. The storage system provides a storage area for accepting access from the host computer. In performing a process for changing the data encrypted and stored by the destination source, the move destination encrypts the data decrypted by the move source which further encrypts and stores the data encrypted by the move destination, and after all data is stored, the move source decrypts and stores the further encrypted data.
    Type: Grant
    Filed: January 3, 2008
    Date of Patent: December 11, 2012
    Assignee: Hitachi, Ltd.
    Inventors: Kyoko Mikami, Nobuyuki Osaki, Yuri Hiraiwa
  • Patent number: 8321680
    Abstract: Embodiments describe a system and/or method for multiple party digital signatures. According to a first aspect a method comprises establishing a first validity range for a first key, establishing a first validity range for at least a second key, and determining if the validity range of the first key overlaps the first validity range of the at least a second key. A certificate is signed with the first validity range of the first key and the first validity range of the at least a second key if the validity ranges overlap. According to another embodiment, signage of the certificate is refused if the first validity range of the first key does not overlap with the first validity range of the at least a second key.
    Type: Grant
    Filed: December 9, 2010
    Date of Patent: November 27, 2012
    Assignee: QUALCOMM Incorporated
    Inventors: Alexander Gantman, Aram Perez, Gregory G. Rose, Laurence G. Lundblade, Matthew W. Hohfeld, Michael W. Paddon, Oliver Michaelis, Ricardo Jorge Lopez
  • Patent number: 8315393
    Abstract: A secure communication system wherein message decryption may be performed while off-line, or optionally while on-line. A sender encrypts a message based on the message key and sends it to the recipient. An envelope containing a message key is created by encrypting the message key based on a verifier, where the verifier is based on a secret of the recipient. The recipient is provided the envelope, along with the message or separately, from the sender or from another party, contemporaneous with receipt of the message or otherwise. The recipient can then open the envelope while off-line, based on their secret, and retrieve the message key from the envelope to decrypt the message. In the event the recipient cannot open the envelope, optional on-line access permits obtaining assistance that may include obtaining an alternate envelope that the recipient can open.
    Type: Grant
    Filed: July 20, 2010
    Date of Patent: November 20, 2012
    Assignee: Proofpoint, Inc
    Inventors: Jahanshah Moreh, Logan O'Sullivan Bruns
  • Patent number: 8295480
    Abstract: A recursive based approach to key generation produces keys for encrypted communication. Simple mathematical operations are utilized with the inherent uncertainty of an interactive process between two endpoints to establish a common secret key. The uncertainty-based key cipher starts with some public information and some private information. The public information includes a vocabulary (alphabet) and keypad, and the private information can include an authentication code. The keypad is an abstraction that represents, for example, a set of “buttons.” These buttons will be used to translate a working key into a text that could be used to evaluate coincidences in a generated working key. Each keypad button can have more than one possible value. The number of options inside the button is the so-called “uncertainty level.”
    Type: Grant
    Filed: September 24, 2007
    Date of Patent: October 23, 2012
    Assignee: Avaya Inc.
    Inventor: Luciano Godoy Fagundes
  • Patent number: 8295481
    Abstract: A cryptographic key is virtualized to provide a virtual cryptographic key. To virtualize the key, an operation, such as an exclusive OR operation, is used with the key and a mask. The virtual key is usable by a guest of a virtual environment in cryptographic operations.
    Type: Grant
    Filed: August 31, 2009
    Date of Patent: October 23, 2012
    Assignee: International Business Machines Corporation
    Inventor: Phil C. Yeh
  • Patent number: 8290164
    Abstract: A trusted platform module (TPM) is a silicon chip that constitutes a secure encryption key-pair generator and key management device. A TPM provides a hardware-based root-of-trust contingent on the generation of the first key-pair that the device creates: the SRK (storage root key). Each SRK is unique, making each TPM unique, and an SRK is never exported from a TPM. Broadly contemplated herein is an arrangement for determining automatically whether a TPM has been replaced or cleared via loading a TPM blob into the TPM prior to the first time it is to be used (e.g. when a security-related software application runs). If the TPM blob loads successfully, then it can be concluded that the TPM is the same TPM that was used previously. If the TPM blob cannot be loaded, then corrective action will preferably take place automatically to configure the new TPM.
    Type: Grant
    Filed: July 31, 2006
    Date of Patent: October 16, 2012
    Assignee: Lenovo (Singapore) Pte. Ltd.
    Inventors: Matthew P. Lietzke, James P. Hoff, David Rivera
  • Patent number: 8290166
    Abstract: A system and method for sending encrypted messages to a distribution list that facilitates the sending of such messages only to individuals or other entities associated with the distribution list that will be able to read the message.
    Type: Grant
    Filed: August 18, 2011
    Date of Patent: October 16, 2012
    Assignee: Research In Motion Limited
    Inventors: Neil Patrick Adams, Michael Stephen Brown, Michael Kenneth Brown
  • Patent number: 8290152
    Abstract: Various technologies and techniques are disclosed for managing web service developer keys. A generic key identifier can be generated based on an original web service key. The generic key identifier is used within source code of an application being developed. Upon receiving a request to run the application, the generic key identifier is transformed back into the original web service key prior to calling an associated web service. Multiple users can securely share the same application that uses the web service. When one user who does not have his own original web service key accesses the application, that user can be prompted to obtain and enter the original web service key once the key has been obtained from a provider of the web service.
    Type: Grant
    Filed: August 30, 2007
    Date of Patent: October 16, 2012
    Assignee: Microsoft Corporation
    Inventors: John I. Montgomery, Adam D. Nathan, Timothy Rice, Andrew Sterland
  • Patent number: 8290151
    Abstract: A device for determining an inverse of an initial value related to a modulus, comprising a unit configured to process an iterative algorithm in a plurality of iterations, wherein an iteration includes two modular reductions and has, as an iteration loop result, values obtained by an iteration loop of an extended Euclidean algorithm.
    Type: Grant
    Filed: October 12, 2007
    Date of Patent: October 16, 2012
    Assignee: Infineon Technologies AG
    Inventor: Wieland Fischer
  • Patent number: 8284933
    Abstract: According to one embodiment, encrypting passwords includes performing the following for each input password of a plurality of input passwords to yield encrypted passwords, where at least two input passwords have different lengths and the encrypted passwords have the same length. An input password and a random number are received at logic configured to perform a key derivation operation comprising a pseudorandom function. An encryption key is derived from the input password and the random number according to the key derivation operation. The encryption key and a user identifier are received at logic configured to perform a cipher-based message authentication code (CMAC) function. An encrypted password is generated from the encryption key and the user identifier according to the CMAC function.
    Type: Grant
    Filed: March 19, 2009
    Date of Patent: October 9, 2012
    Assignee: CA, Inc.
    Inventors: Terry W. Chaisson, Adam S. Hendrix, Frederic A. H. Duminy
  • Patent number: 8284945
    Abstract: An encryption system and a method for automatically changing an encryption key. The key is changed in response to an amount of data that has been encrypted. When the amount of data encrypted with a first key reaches or exceeds a byte count threshold, the first key is deactivated and a new key is generated and used for subsequent data encryption.
    Type: Grant
    Filed: June 2, 2009
    Date of Patent: October 9, 2012
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventor: Oliver Breyel
  • Patent number: 8284938
    Abstract: Techniques for securing data access are presented. A sender encrypts data into a first integer value. A first knot is selected along with first and second keys. The first knot, first integer value, first key, and second key are used to produce a final knot. The final knot is transmitted as a graphical image to a receiver over a network. The receiver uses the first knot, final knot, first key, and second key to derive the first integer value. The first integer value is decrypted to produce the original data that the sender intended to send securely to the receiver.
    Type: Grant
    Filed: October 23, 2009
    Date of Patent: October 9, 2012
    Assignee: Novell, Inc.
    Inventor: Karthik Chandrasekaran
  • Patent number: 8281386
    Abstract: An authentication program on a network authenticator establishes a secure communication channel with an embedded device. The authentication program receives security credentials from an embedded device. The authentication program receives from the embedded device via the secure communication channel either a secret for the embedded device or a request to generate the secret for the embedded device. The authentication program registers the secret for the embedded device.
    Type: Grant
    Filed: December 21, 2005
    Date of Patent: October 2, 2012
    Assignee: Panasonic Corporation
    Inventors: Thomas Milligan, Bryant Eastham
  • Patent number: 8270615
    Abstract: In a key-insulated cryptosystem according to the present invention, a plurality of external devices are associated with a number of updates of a terminal secret key which has already been updated, and a different piece of secret information is stored in each of the external devices. In addition, a key-updating method in the key-insulated cryptosystem according to the present invention includes steps of: selecting one of the external devices depending on the number of updates of the terminal secret key; and causing the selected external device to generate key-updating information used for updating the terminal secret key based on the number of updates and the stored secret information.
    Type: Grant
    Filed: March 19, 2010
    Date of Patent: September 18, 2012
    Assignee: NTT DoCoMo, Inc.
    Inventor: Yumiko Hanaoka
  • Patent number: 8261099
    Abstract: Method and system for storing data in a storage device accessible through a storage area network is provided. The method includes receiving data from a host system; generating a first encryption key for encrypting data information that describes the received data; generating a second encryption key that encrypts the first encryption key and the encrypted data information; generating an encryption packet that includes the second encryption key, the first encryption key and the data information; storing the encryption packet at one or more memory locations; and periodically refreshing the encryption packet without periodically encrypting the received data for securely storing the received data.
    Type: Grant
    Filed: July 25, 2011
    Date of Patent: September 4, 2012
    Assignee: QLOGIC, Corporation
    Inventor: Shishir Shah
  • Patent number: 8261061
    Abstract: Embodiments of the present invention enable a user to engage in secure communications using digital certificates and other cryptographic technologies in an easy way with a minimum of distracting interaction. In some embodiments of the present invention, webmail is enabled to allow users to obtain and use S/MIME certificates to secure their e-mails. Embodiments of the present invention can also be implemented for other forms of messaging, such as text messages, instant messages, etc.
    Type: Grant
    Filed: October 15, 2008
    Date of Patent: September 4, 2012
    Assignee: Penango, Inc.
    Inventor: Sean Joseph Leonard
  • Patent number: 8250375
    Abstract: Providing for analysis of artifacts of electronic devices to generate data that is substantially unique to a particular device or to a class of devices is described herein. In some aspects, analyzed artifacts are chosen based on reliable reproducibility of such data over many analyses. The substantially unique data can be associated with a particular electronic device(s) to distinguish such devices from other devices. In some aspects, the generated data is first transformed into an identifier, such as a number, word, string of data, etc., to distinguish the electronic device in remote communication, to provide a key in an encryption/decryption algorithm, and so on. The data can be reproduced by reanalyzing the artifacts, and thus need not be stored for future consumption, mitigating risks involved in storing sensitive data.
    Type: Grant
    Filed: April 25, 2008
    Date of Patent: August 21, 2012
    Assignee: Microsoft Corporation
    Inventors: Todd L. Carpenter, William J. Westerinen, Vladimir Sadovsky
  • Patent number: 8243934
    Abstract: An electronic device and an encryption method thereof are provided. The electronic device includes a control unit which encrypts an encryption key using an inherent key, and transmits the encrypted encryption key and a key index corresponding to the inherent key to a recording medium. Accordingly, encrypted content stored in a recording medium can be decrypted when an electronic device is malfunctioning or replaced with a new one.
    Type: Grant
    Filed: March 12, 2008
    Date of Patent: August 14, 2012
    Assignee: Samsung Electronics Co., Ltd.
    Inventor: Yun-ho Choi
  • Patent number: 8244303
    Abstract: An apparatus and method for transmitting a plurality of key data. When a Short-Term Key Message (STKM) is received, a mobile equipment transmits the received STKM to a smart card. The smart card determines whether there are a plurality of key data in the STKM, detects the plurality of key data when there are the plurality of key data, generates individual information for identifying each of the plurality of detected key data, generates a response message having the plurality of detected key data and the generated individual information, and transmits the response message to the mobile equipment. Therefore, a plurality of key data can be included and transmitted in one message.
    Type: Grant
    Filed: June 23, 2009
    Date of Patent: August 14, 2012
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Jeong-Sik Cho, Young-Jip Kim, Joon-Ho Park, Byoung-Dai Lee, Tae-Soo Lee
  • Patent number: 8225095
    Abstract: Communicating keys between network devices on a network using asymmetric cryptographic techniques, for which asymmetric keys may be derived from a single (same) password. Knowledge or partial knowledge of the password may be the only information shared between parties prior to execution of a key exchange, and may be the only criteria by which one party will base trust in the other. A first network device may encrypt a key using a password-based key derived from a password, and authenticate a second device based on the second network device's ability to decrypt the encrypted key using a key derived from the same password. Knowledge of the password may be conveyed by the second device to the first device—a session key may be generated as a function of the decrypted key, and a function of this session key may be communicated from the second device to the first device.
    Type: Grant
    Filed: December 22, 2010
    Date of Patent: July 17, 2012
    Assignee: Juniper Networks, Inc.
    Inventor: Paul Funk
  • Patent number: 8225097
    Abstract: Digital content protection can be effectively implemented through use of an anchor point and binding records in a user domain. An anchor point domain may include a secure anchor point, and data storage to store digital property instances and rights objects. The secure anchor point may be configured to receive a title pre-key from the rights object and use a binding key to decrypt the title pre-key to yield a title key. The binding key may include data uniquely associating the encrypted digital property instance with the secure anchor point.
    Type: Grant
    Filed: January 27, 2009
    Date of Patent: July 17, 2012
    Assignee: Seagate Technology LLC
    Inventor: Paul Marvin Sweazey
  • Patent number: 8213616
    Abstract: Systems and methods of providing opportunistic security for physical communication channels are disclosed. One disclosed method is for opportunistic secure communication on a main channel between a sender device and a receiver device when an eavesdropper device is listening on an eavesdropper channel. This example method includes transmitting, in a first time period in which signal quality on the main channel is better than signal quality on the eavesdropper channel, symbols that are randomly selected from a set of symbols. The method also includes transmitting, in a second time period in which signal quality on the main channel is not better than signal quality on the eavesdropper channel, coding information associated with the randomly selected symbols. The method also includes reconciling the randomly selected symbols using the coding information.
    Type: Grant
    Filed: September 18, 2007
    Date of Patent: July 3, 2012
    Assignees: Georgia Tech Research Corporation, Cambridge Enterprise Limited, Universidade Do Porto
    Inventors: Matthieu Ratislav Bloch, Miguel Raul Dias Rodrigues, Joao Francisco Cordeiro de Oliveira Barros, Steven William McLaughlin
  • Patent number: 8208638
    Abstract: A set of equipment for secure direct information transfer over the Internet contains information transmitting terminal devices for collaborating with an information forwarding network, taking part in the information traffic. The individual information transmitting terminal devices are equipped with a sender partial unit, a receiver partial unit and a storage partial unit comprising an ID-register containing a device identification signal, a C-register for storing a coding key and a D-register for storing a decoding key. The C-register containing the coding key is connected to the sender partial unit, and a coding key and a collaborating decoding key are allocated to each individual information transmitting terminal device.
    Type: Grant
    Filed: November 2, 2004
    Date of Patent: June 26, 2012
    Inventors: Miklós Jobbágy, Gábor Kuti, János Zelenák
  • Patent number: 8201233
    Abstract: Methods and apparatus are provided to allow Internet Key Exchange (IKE) phase 1 keying materials to be periodically refreshed in a secure manner without requiring user interaction. A client and server perform authentication and key exchange during set up of a secure connection. A token is passed to the client by the server during or after the initial user authentication phase. The token is stored both at the client and at the server. Instead of requiring user credentials, the token can be used to securely prove the identity of the client.
    Type: Grant
    Filed: February 6, 2006
    Date of Patent: June 12, 2012
    Assignee: Cisco Technology, Inc.
    Inventors: Stephane Beaulieu, David Silverman, Scott Fanning
  • Patent number: 8200973
    Abstract: A sink device including a first data processing unit and a second data processing unit authenticates the processing units, when turned on, to generate first authentication keys having the same data. When a data request is issued from the sink device to the source device, device authentication is made between the source device and the first data processing unit to generate second authentication keys having the same data. The source device encrypts an exchange key using the second authentication key, and sends the encrypted exchange key to the first data processing unit. The first data processing unit decrypts the encrypted exchange key using the second authentication key, encrypts the decrypted exchange key using the first authentication key, and sends the encrypted exchange key to the second data processing unit. The second data processing unit decrypts the encrypted exchange key using the first authentication key to obtain an exchange key.
    Type: Grant
    Filed: November 13, 2008
    Date of Patent: June 12, 2012
    Assignee: Alpine Electronics Inc.
    Inventors: Akihiro Kubota, Hideyuki Hatakeyama
  • Patent number: 8180060
    Abstract: In the telemedical system securely sharing encryption keys for enabling secure exchange of the encrypted biological data between the measurement terminal and the server to prevent the data from being stolen by the malicious third party, a service key is transferred to the second adapter attached to a measurement terminal from the server via the first adapter attached to the management apparatus. First, the first adapter attached to the management apparatus receives the service key from the server. Next, the first adapter is temporarily detached from the management apparatus and is attached to the measurement terminal to store the symmetric key. The first adapter is detached from the measurement terminal, and is attached to the management apparatus again. The service key received in the first adapter is encrypted using the symmetric key, and the encrypted key is transmitted to the second adapter attached to the measurement terminal.
    Type: Grant
    Filed: August 20, 2008
    Date of Patent: May 15, 2012
    Assignee: Panasonic Corporation
    Inventors: Kazuhiro Aizu, Yosuke Tajika, Daisuke Kobayashi, Hiromichi Nishiyama, Masao Nonaka, Natsume Matsuzaki, Kaoru Yokota, Yuichi Futa
  • Patent number: 8166301
    Abstract: A method is disclosed for enabling stateless server-based pre-shared secrets. Based on a local key that is not known to a client, a server encrypts the client's state information. The client's state information may include, for example, the client's authentication credentials, the client's authorization characteristics, and a shared secret key that the client uses to derive session keys. By any of a variety of mechanisms, the encrypted client state information is provided to the client. The server may free memory that stored the client's state information. When the server needs the client's state information, the client sends, to the server, the encrypted state information that the client stored. The server decrypts the client state information using the local key. Because each client stores that client's own state information in encrypted form, the server does not need to store any client's state information permanently.
    Type: Grant
    Filed: August 22, 2007
    Date of Patent: April 24, 2012
    Assignee: Cisco Technology, Inc.
    Inventors: Nancy Cam-Winget, Hao Zhou, Padmanabha C. Jakkahalli, Joseph Salowey, David A. McGrew
  • Patent number: 8160244
    Abstract: Stateless hardware security modules facilitate securing data transfers between devices in a data communication system. The stateless hardware security module may communicate with other devices via a secure communication channel to securely transfer information between the client device and another device. As a result, sensitive information such as cryptographic keys and data may be securely routed between the client device and another device. The stateless hardware security module may support a limited set of key management operations to facilitate routing of information between the client device and another device. However, the stateless hardware security module does not need to maintain state information for the keys it maintains and/or uses. As a result, the stateless hardware security module may be advantageously integrated into a variety of client devices.
    Type: Grant
    Filed: June 21, 2005
    Date of Patent: April 17, 2012
    Assignee: Broadcom Corporation
    Inventor: Mark Buer
  • Patent number: 8144868
    Abstract: At a transmitter, a program is encrypted according to one program key, the program key is encrypted, and the encrypted program, the encrypted program key, and non-encrypted PSI data are transmitted to a receiver. At the receiver, the encrypted program, the encrypted program key, and the non-encrypted PSI data are received, the encrypted program key is decrypted, the encrypted program is located according to the non-encrypted PSI data, and the located encrypted program is decrypted according to the decrypted program key.
    Type: Grant
    Filed: January 30, 2006
    Date of Patent: March 27, 2012
    Assignee: Zenith Electronics LLC
    Inventors: Raymond C. Hauge, Richard Lewis, Rudolf Turner
  • Patent number: 8145270
    Abstract: Provided is a method of efficiently processing a Short-Term Key Message (STKM) in the mobile broadcast supporting the mobile terminal. A structure of a response message according to processing the STKM in the smart card is also provided. In particular, a variety of information necessary for reproducing in the player is included in the response message and delivered to the mobile terminal, so that the mobile terminal can easily obtain the desired information through the response message. Therefore, when the STKM is processed in the mobile terminal, there is no need to process operations except for a resending check, and the information does not need to be stored separately.
    Type: Grant
    Filed: October 29, 2008
    Date of Patent: March 27, 2012
    Assignee: Samsung Electronics Co., Ltd
    Inventors: Jeong-Sik Cho, Young-Seop Han, Young-Jip Kim, Joon-Ho Park, Byoung-Dai Lee, Tae-Soo Lee
  • Patent number: 8140859
    Abstract: A method and apparatus for storing and retrieving program material for subsequent replay is disclosed. The method comprises the steps of receiving a data stream comprising the program material encrypted according to a first encryption key, decrypting the program material; re-encrypting the program material according to a second encryption key; and storing the re-encrypted material in a media storage device. The program material is played back by retrieving the re-encrypted material from the media storage device and decrypting the re-encrypted program material. In one embodiment, the second encryption key is derived from metadata describing replay rights. In a further embodiment, the media storage device also stores the second encryption key which has been further encrypted by a key that is unique to the device used to receive the program material.
    Type: Grant
    Filed: July 21, 2000
    Date of Patent: March 20, 2012
    Assignee: The DIRECTV Group, Inc.
    Inventors: Raynold M. Kahn, Gregory J. Gagnon, David D. Ha, Peter M. Klauss, Christopher P. Curren, Thomas H. James
  • Patent number: 8132019
    Abstract: Arrangements which permit the employment of dedicated user-access management architecture with more than text-based access. Particularly contemplated herein are arrangements for accepting user identifiers that are then communicated to an intermediate user-delineating architecture (i.e., architecture configured for permitting access to encrypted data or sections of a computer on a user-specific basis) in a manner to permit the user-delineating architecture to perform its own task of unlocking data or sections of a computer.
    Type: Grant
    Filed: June 17, 2008
    Date of Patent: March 6, 2012
    Assignee: Lenovo (Singapore) Pte. Ltd.
    Inventors: Randall S. Springfield, Joseph M. Pennisi
  • Patent number: 8127135
    Abstract: A system comprises a first operating environment and a second operating environment. The first and second operating environments exchange information in encrypted form using a shared encryption key (K3). The first and second operating environments cooperate to change the encryption key K3 using another shared encryption key (K4). The encryption key K4 is changed upon the encryption key K3 being changed.
    Type: Grant
    Filed: September 28, 2006
    Date of Patent: February 28, 2012
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Wael M. Ibrahim, Lan Wang, Jennifer E. Rios, Valluddin Y. Ali, Manuel Novoa
  • Patent number: 8127150
    Abstract: In one embodiment, a method is provided that may include encrypting, based at least in part upon at least one key, one or more respective portions of input data to generate one or more respective portions of output data to be stored in one or more locations in storage. The method of this embodiment also may include generating, based at least in part upon the one or more respective portions of the output data, check data to be stored in the storage, and/or selecting the one or more locations in the storage so as to permit the one or more respective portions of the output data to be distributed among two or more storage devices comprised in the storage. Many modifications, variations, and alternatives are possible without departing from this embodiment.
    Type: Grant
    Filed: May 28, 2009
    Date of Patent: February 28, 2012
    Assignee: Intel Corporation
    Inventors: Eshwari P. Komarla, Vincent J. Zimmer, Mallik Bulusu
  • Patent number: 8117464
    Abstract: A network storage server receives write requests from clients via a network and internally buffers data blocks written by the write requests. At a consistency point, the storage server commits the data blocks to nonvolatile mass storage. In the consistency point process, a storage operating system in the network storage server compresses the data blocks, encrypts selected data blocks, and stores the compressed and (possibly) encrypted data blocks in the nonvolatile mass storage facility. Data blocks can also be fingerprinted in parallel with compression and/or encryption, to facilitate deduplication. Data blocks can be indexed and classified according to content or attributes of the data. Encryption can be applied at different levels of logical container granularity, where a separate, unique cryptographic key is used for each encrypted data container. To facilitate deduplication, the system creates an additional, shared encryption key for each data block duplicated between two or more logical containers.
    Type: Grant
    Filed: April 30, 2008
    Date of Patent: February 14, 2012
    Assignee: NetApp, Inc.
    Inventor: Christoph Kogelnik
  • Patent number: 8107629
    Abstract: A method of providing security of a relay station is disclosed, by which the security can be provided for the relay station in a broadband wireless access system having the relay station. In a mobile communication system to relay a signal transfer between a base station and a mobile station, the present invention includes the steps of performing a relay station authentication from an authentication server using an authentication protocol, receiving a master key from the authentication server, deriving an authentication key from the received master key, deriving a message authentication code (MAC) key using the derived authentication key, and relaying a signal exchanged between the mobile station and the base station using the derived message authentication code key.
    Type: Grant
    Filed: October 18, 2006
    Date of Patent: January 31, 2012
    Assignee: LG Electronics Inc.
    Inventors: Ki Seon Ryu, Chang Jae Lee
  • Patent number: 8108674
    Abstract: A transmitting/receiving system includes a transmitting apparatus that transmits, to another apparatus, first encrypted data obtained by encrypting stream data including consecutive unit data items in accordance with a first encryption technique prescribing that, when the stream data is encrypted for each item, keys used for encrypting the items are updated, and a receiving apparatus that receives and decrypts the first data from the transmitting apparatus in accordance with a first decryption technique. The transmitting apparatus includes an encryptor that outputs second encrypted data obtained by generating data including a predetermined number of keys and encrypting the data in accordance with a second encryption technique, and a transmitter that transmits the second data from the encryptor to the receiving apparatus.
    Type: Grant
    Filed: July 31, 2006
    Date of Patent: January 31, 2012
    Assignee: Sony Corporation
    Inventor: Takayuki Takeda
  • Patent number: 8098829
    Abstract: An embodiment pertains generally to a method of delivering keys in a server. The method includes generating a subject key pair, where the subject key pair includes a subject public key and a subject private key. The method also includes retrieving a storage key and encrypting the subject private key with the storage key as a wrapped storage private key. The method further includes storing the wrapped storage private key.
    Type: Grant
    Filed: June 6, 2006
    Date of Patent: January 17, 2012
    Assignee: Red Hat, Inc.
    Inventors: Christina Fu, Steven William Parkinson, Nang Kon Kwan
  • Patent number: 8099592
    Abstract: A system and method for controlling data communications between a server and a client device, such as a mobile device. Embodiments relate generally to a technique where stop data is provided to the client device. This stop data can be transmitted (e.g. by the client device) to the server. When processed by the server, the stop data indicates to the server that at least some of the encrypted data received by the client device from the server was not decrypted using the second key (e.g. as may be the case when the second key has been deleted). Upon receiving the stop data, the server may, for example, withhold the transmission of data encrypted with the first key to the client device until the second key is restored on the client device. In one embodiment, the stop data is provided to the client device in an encoded (e.g. encrypted) form.
    Type: Grant
    Filed: February 10, 2011
    Date of Patent: January 17, 2012
    Assignee: Research In Motion Limited
    Inventors: David Bajar, Phillip Chi-Jim Luk, Michael Kenneth Brown, Darrell Reginald May
  • Patent number: 8099602
    Abstract: A method, computer readable medium, and system for integrating security in network communications includes generating a private key and a public key by encrypting the private key with a first encryption. The generated private key and public key are provided in an initial response to an initial request over the secure connection. At least one additional received request is validated based on the public key and a requesting signature signed using the key received with the at least one additional request. An additional response with a responding signature signed using the private key is provided in response to the validated additional request.
    Type: Grant
    Filed: September 26, 2008
    Date of Patent: January 17, 2012
    Assignee: Mykonos Software, Inc.
    Inventor: Kyle Adams
  • Patent number: 8094825
    Abstract: The invention relates to a method, a system, an electronic device and a computer program for providing at least one content stream to an electronic device applying Digital Rights Management (DRM). In the method a master integrity key is obtained in a streaming node. An encrypted master integrity key is obtained in an electronic device. The encrypted master integrity key is decrypted in the electronic device. At least one session integrity key is formed in the streaming node and in the electronic device using at least the master integrity key and the integrity of at least one content stream is protected between the streaming node and the electronic device using the at least one session integrity key.
    Type: Grant
    Filed: September 12, 2008
    Date of Patent: January 10, 2012
    Assignee: Nokia Corporation
    Inventor: Sami Pippuri
  • Patent number: 8094824
    Abstract: An encryption processing part of a controller of each of user devices specifies components of content as encryption target parts, creates an encryption key creation key by reading out a public key, for each of the encryption target parts, of a second user who is allowed to view the encryption target part, raising a secret key of an administrator of the content data to the power of the public key thus read out, and calculating a remainder, encrypts random numbers each corresponding to each of the encryption target parts by using the encryption key creation key, creates an encryption key for each of the encryption target parts, and encrypts, by using the encryption key created for each of the encryption target parts, each of the encryption target parts corresponding to the encryption key.
    Type: Grant
    Filed: September 4, 2007
    Date of Patent: January 10, 2012
    Assignee: Hitachi, Ltd.
    Inventors: Yasuo Hatano, Kunihiko Miyazaki, Kenji Matsumoto, Yoji Shimizu