Using Master Key (e.g., Key-encrypting-key) Patents (Class 380/284)
  • Patent number: 7334134
    Abstract: A playback unit decrypts data contents of electronic audio and video media that are supplied in entirely or partially encrypted or enciphered form by means of one or more “melody” keys for encrypting the data contents. This key is transmitted via a secure channel from an authentic source into the playback unit, and then the playback unit transfers these data contents from the digital domain into the analog domain in such a way that the data contents of the electronic audio and video media are not present at any time in unencrypted form as a digital data stream that can be copied.
    Type: Grant
    Filed: December 4, 2002
    Date of Patent: February 19, 2008
    Inventors: Juergen K. Lang, Ursula Maria Bing
  • Patent number: 7318235
    Abstract: Methods, apparatus and machine readable medium are described for creating and using protected key blobs that require a particular portable token be present before use of the key or keys of the protected key blob is granted. Such protected key blobs may be used to establish a level of trust between a local user and the computing device.
    Type: Grant
    Filed: December 16, 2002
    Date of Patent: January 8, 2008
    Assignee: Intel Corporation
    Inventor: David W. Grawrock
  • Patent number: 7317799
    Abstract: Methods, computer-readable media, and apparati for securely distributing a cryptographic key (C) from a first party(s) to a second party(s). A method embodiment of the present invention comprises the steps of combining (steps 1 and 2) the cryptographic key (C) with a transport key (T) to form a key set; encrypting (step 7) the key set to form an encrypted key set; distributing (step 8) the encrypted key set across a medium (3); and decrypting (step 9) the encrypted key set to reconstitute the cryptographic key (C) and the transport key (T).
    Type: Grant
    Filed: July 18, 2003
    Date of Patent: January 8, 2008
    Assignee: Vadium Technology, Inc.
    Inventors: Wolfgang S. Hammersmith, Lance R. Gaines, Rod G. Nicholls, Byron T. Shank
  • Publication number: 20080005564
    Abstract: A method of managing a key for encrypted communication over a communication link between first and second modems, each modem having respective first and second master keys. A first key material for the first modem is transmitted to the second modem in an encrypted message using the first master key, via a time divided frame over the link. Upon receipt, a second key material is generated at the second modem and is sent to the first modem. Then, at each of the first and second modems, session keys are generated based on the key materials, preferably using a hashing algorithm. An encryptor at the first modem and a decryptor at the second modem are programmed with an identified key and a session key. Encryption is enabled at the first modem and information is transmitted in encrypted frames using the identified key. The second modem receives and decrypts the encrypted frames when frames with the identified key are received.
    Type: Application
    Filed: July 3, 2006
    Publication date: January 3, 2008
    Inventor: Anil Agarwal
  • Publication number: 20070300080
    Abstract: A system for providing two-factor content protection includes a first device that is enabled with content protection, and a second device that is used to authenticate users of the first device. The first device uses the public key (KPUBLIC) of a public/private key pair belonging to the second device to encrypt its content protection key.
    Type: Application
    Filed: June 22, 2006
    Publication date: December 27, 2007
    Applicant: Research In Motion Limited
    Inventors: Michael K. Brown, Neil Adams, Michael S. Brown
  • Patent number: 7313828
    Abstract: A method and apparatus which protects software against unauthorized use which is bound to at least one certain hardware device. The hardware device includes unique hardware identification sequences like unique hardware numbers/addresses, serial numbers or other embedded hardware characterization sequences. A special license key has to be passed to the software at the first activation. The license key contains among other things encrypted hardware identification sequences which are compared with the read out sequences of the accessible hardware devices. The use of the software features is permitted if the sequences match.
    Type: Grant
    Filed: September 4, 2001
    Date of Patent: December 25, 2007
    Assignee: Nokia Corporation
    Inventor: Yrjö Holopainen
  • Patent number: 7281132
    Abstract: The present invention provides for token based signing of an unsigned binary which may be a stream of bits (e.g., 0's and 1's). The unsigned binary is signed using a secret key which resides in a token (e.g., a smart card), which makes the secret key available to the token holder. The unsigned binary is downloaded and verified for authenticity by the token coupled to a computing device. In one embodiment, the downloaded unsigned binary is encrypted. If the unsigned binary is authentic, it may be used to replace the prior firmware on that computing device.
    Type: Grant
    Filed: October 19, 2001
    Date of Patent: October 9, 2007
    Assignee: Sun Microsystems, Inc.
    Inventors: Michael S. Bender, Benjamin H. Stoltz
  • Patent number: 7260721
    Abstract: A client receives encrypted content from content server. The header of the content includes license-identifying information for identifying a license required to utilize the content. The client requests a license server to transmit the license identified by the license-identifying information. When receiving the request for a license, the license server carries out a charging process before transmitting the license to the client. The client stores the license received from the license server. The stored license serves as a condition for encrypting and playing back the content. As a result, content can be distributed with a high degree of freedom and only an authorized user is capable of utilizing the content.
    Type: Grant
    Filed: February 8, 2002
    Date of Patent: August 21, 2007
    Assignee: Sony Corporation
    Inventors: Koichi Tanaka, Itaru Kawakami, Yoshisuke Kuroda, Ryuji Ishiguro
  • Patent number: 7251635
    Abstract: A network system for key management, including a server, a key management system providing process logic for key management system management located on the server, a key management system storage providing a secure data storage for the key management system, an application using the key management system to manage an application key, and an interface providing a means for managing the key management system.
    Type: Grant
    Filed: February 25, 2002
    Date of Patent: July 31, 2007
    Assignee: Schlumberger Omnes, Inc.
    Inventors: Chui-Shan Teresa Lam, Jameel ur Rahman Syed
  • Patent number: 7249382
    Abstract: A method is provided for use in distributing access to a data item. The method includes allowing multiple transfers between computers of a single instance of permission to gain access to the data item, the transfers occurring across data connections and including a first transfer between a first computer and a second computer and a subsequent transfer between the second computer and a third computer, wherein at any one time only one computer retains the instance of permission and is able to use the instance of permission to gain access to the data item.
    Type: Grant
    Filed: March 15, 2005
    Date of Patent: July 24, 2007
    Assignee: Adobe Systems Incorporated
    Inventors: Leonard M. Kawell, Jr., Thomas R. Diaz, Mary Ellen Heinen, Roger J. Heinen, Jr.
  • Patent number: 7236590
    Abstract: A data structure to be used for representing the problem is selected. An instance of the problem is represented with the data structure. The data is encrypted with a sequence which is obtained by solving the problem. Alternatively, in an alternative embodiment of the present invention, a program for heuristically solving an NP-hard problem is received. A data structure that represents an instance of the problem is received. The program is applied to the instance of the problem to obtain a sequence. The data is decrypted with the sequence.
    Type: Grant
    Filed: December 14, 2000
    Date of Patent: June 26, 2007
    Assignee: Matsushita Electric Industrial Co., Ltd.
    Inventors: Gregory Michael Perkins, Prabir Bhattacharya
  • Patent number: 7231047
    Abstract: A database (104) maintains one or more groups (106) of digital objects (202). A user (102) wishes to retrieve one or more digital objects (202) from the database (104), without the database (104) being able to determine which particular digital objects (202) have been retrieved. In addition, the database (104) should not allow the user (102) to retrieve any digital objects (202) to which the user (102) has not been granted access. The user (102) requests the groups (106) containing the digital objects (202) the user (102) wishes to download, but does not identify the digital objects (202) within each group (106) that the user (102) is interested in. Using a symmetric key cryptosystem, the database (104) generates a key (204) for and encrypts each digital object (202) in the requested group (106) into ciphertext (206), and additionally encrypts each key (204). The database (104) transmits the ciphertexts (206) and encrypted keys (208) to the user (102).
    Type: Grant
    Filed: April 13, 2001
    Date of Patent: June 12, 2007
    Assignee: Agency for Science, Technology and Research (A*STAR)
    Inventors: Bao Feng, Robert Deng Huijie, Feng Peirong
  • Patent number: 7231041
    Abstract: Methods and apparatus are provided for sending an encrypted command message from a remote keyless entry device to a receiver in a motor vehicle. The method comprises defining a key generating key within the remote keyless entry device, and using that key generating key to generate a working key. The working key is transmitted from the remote keyless entry device to the receiver during a training session without transmitting the key generating key. The working key is modified each time the remote keyless entry device is placed in the training mode. After the training session, a message encrypted with the working key can be transmitted from the remote keyless entry device to the motor vehicle receiver where the encrypted message is decrypted with the working key.
    Type: Grant
    Filed: August 19, 2003
    Date of Patent: June 12, 2007
    Assignee: General Motors Corporation
    Inventors: Thomas M. Forest, Thomas E. Utter
  • Patent number: 7213149
    Abstract: For the authentication of messages communicated in a distributed system from an originator to a destination a keyed-hashing technique is used according to which data to be authenticated is concatenated with a private (secret) key and then processed to the cryptographic hash function. The data are transmitted together with the digest of the hash function from the originator to the destination. The data comprises temporal validity information representing the temporal validity of the data. For example the setup key of a communication is therefore only valid within a given time interval that is dynamically defined by the communication originator. After the time interval is exceeded the setup key is invalid and cannot be reused again.
    Type: Grant
    Filed: December 1, 2000
    Date of Patent: May 1, 2007
    Assignee: Sony Deutschland GmbH
    Inventor: Niels Mache
  • Patent number: 7209029
    Abstract: A method for providing a security code comprises providing an access location identification and security device information. A user provides access location information and access duration information to a code generator system. The access location information and access duration information are encrypted to provide an access code. The user provides a user token data to the code generator system, such that the access code is encrypted using the user token data to provide a security code. The security code is dispatched to the user.
    Type: Grant
    Filed: June 1, 2004
    Date of Patent: April 24, 2007
    Assignee: Kaba Ilco, Inc.
    Inventors: Jean-Louis Coelho, Yves Messier, Eric Guérard
  • Patent number: 7206748
    Abstract: A method provides a collection of data structures and subroutines in a software toolkit, for developing an application for playing digital content data. The method comprises steps of receiving previously encrypted content data encrypted with an encrypted key from an external source; storing the previously encrypted content data in a library; selecting one or more encrypted content data from the library to play; and decrypting each content data selected to be played with its unique encryption key, wherein the decrypting is performed in a tamper-resistant subroutine for deterring unauthorized access to the instructions for decrypting the content data and for deterring unauthorized access to the encryption key.
    Type: Grant
    Filed: December 10, 1998
    Date of Patent: April 17, 2007
    Assignee: International Business Machines Corporation
    Inventors: George Gregory Gruse, John J. Dorak, Jr., Kenneth Louis Milsted
  • Patent number: 7203319
    Abstract: An apparatus for installing a decryption key is initially arranged so that a decryption algorithm received by a control processor is passed via a first interface path to a decryption processor. The algorithm is installed in the decryption processor together with a program decryption key. The apparatus is subsequently arranged so that encrypted working decryption keys received by the control processor are passed on to the decryption processor over the first interface path. The decryption processor decrypts the encrypted keys using the program decryption key. Decryption keys are thus obtained and are transferred via a second interface path to decryptors for use in decrypting encrypted program signals input to the decryptors.
    Type: Grant
    Filed: July 9, 2001
    Date of Patent: April 10, 2007
    Assignee: Qualcomm, Inc.
    Inventors: Liat Ben-Zur, Curtis D. Mursfeldt, Christopher Wingert, Paul Pomes, Jesse Hose, Ann C. Irvine, Senthil Govindaswamy
  • Patent number: 7197647
    Abstract: The present invention relates to a secure method of distributing configuration data for a programmable logic device (PLD). The configuration data is encrypted to generate encrypted configuration data. A decryption key is encrypted using a silicon key. The encrypted configuration data and the encrypted decryption key are transferred to a PLD. Within the PLD, the encrypted decryption key is decrypted using the silicon key. Then, also within the PLD, the encrypted configuration data is decrypted using the decryption key to recover the configuration data. The PLD is then configured using the configuration data. The silicon key may be communicated to the PLD by tying predetermined input pins to an active high voltage level or signal ground, to form a binary code.
    Type: Grant
    Filed: September 30, 2002
    Date of Patent: March 27, 2007
    Assignee: Carnegie Mellon University
    Inventors: Brian Christopher Van Essen, Jeffrey Wayne Kidd, Christopher Maverick Petersen, Herman H. Schmit
  • Patent number: 7194762
    Abstract: A method for providing security in password-based access to computer networks, the network including a server and a remote user, includes: signing a phrase by a security chip of the server using an encryption key; associating the signed phrase with the remote user; signing the phrase with an encryption key obtained by the security chip when a request for access to the computer network is received from the remote user; comparing the phrase signed with the obtained encryption key with the signed phrase associated with the remote user; and granting access to the remote user if the phrase signed with the obtained encryption key is the same as the stored signed phrase associated with the remote user. The use of the encryption key protects against “dictionary attacks”. Use of the security chip protects against offline attacks. These provide greater security for the computer network.
    Type: Grant
    Filed: November 30, 2001
    Date of Patent: March 20, 2007
    Assignee: Lenovo (Singapore) Pte. Ltd.
    Inventors: David Carroll Challener, Steven Dale Goodman
  • Patent number: 7191335
    Abstract: A method of encryption of data in a digital television system communicated between a first decoder and a portable security module, wherein a precalculated key pair is stored in a memory of the first decoder, wherein the key pair includes a session key and an encrypted version of the session key prepared using a transport key, the encrypted version of the session key being subsequently communicated to the portable security module which decrypts the encrypted version using an equivalent transport key stored in its memory such that data communicated from at least the portable security module to the first decoder may thereafter be encrypted and decrypted by the session key.
    Type: Grant
    Filed: February 4, 2000
    Date of Patent: March 13, 2007
    Assignee: Canal + Technologies
    Inventor: Michel Maillard
  • Patent number: 7185199
    Abstract: Authentication information is generated for a group where members within a group are able to communicate with each other, but a non-member is not able to participate in that communication. The authentication information provides the determination of whether the member belongs to the group.
    Type: Grant
    Filed: August 30, 2002
    Date of Patent: February 27, 2007
    Assignee: Xerox Corporation
    Inventors: Dirk Balfanz, Diana K. Smetters, Paul S. Stewart, Daniel C. Swinehart
  • Patent number: 7181624
    Abstract: A block key to encrypt block data is generated using an ATS (arrival time stamp) appended to each of TS (transport stream) packets included in a transport stream correspondingly to the arrival time of the TS packet. The ATS is random data depending upon an arrival time, and so a block-unique key can be generated, which enhances the protection against data cryptanalysis. A block key is generated from a combination of an ATS with a key unique to a device, recording medium or the like such as a master key, disc-unique key, title-unique key or the like. Since an ATS is used to generate a block key, any area for storage of an encryption key for each block may not be provided in a recording medium.
    Type: Grant
    Filed: April 4, 2001
    Date of Patent: February 20, 2007
    Assignee: Sony Corporation
    Inventors: Tomoyuki Asano, Yoshitomo Osawa, Motoki Kato
  • Patent number: 7181196
    Abstract: A method and apparatus for performing authentication in a communications system is provided. The method includes receiving a request for authentication from a server, the request for authentication including a first and a second random challenge, and comparing the first random challenge and the second random challenge. The method further includes denying the request for authentication in response to determining that the first random challenge is substantially the same as the second random challenge, and transmitting an encoded value to the server in response to determining that the first random challenge is different from the second random challenge, wherein the encoded value is generated based on the first and second random challenge and a key that is not shared with the server.
    Type: Grant
    Filed: May 15, 2003
    Date of Patent: February 20, 2007
    Assignee: Lucent Technologies Inc.
    Inventor: Sarvar M. Patel
  • Patent number: 7178040
    Abstract: An IC card issuer issues an IC card and requests a card memory area operator to lend part of a memory area of the IC card to another card memory area user. The card memory area operator provides a memory area division apparatus and various data to the memory area division apparatus under the control of an operator communication apparatus 12. The card memory area user divides the memory area of the IC card into a memory area to be used by the IC card issuer and a memory area to be used by the card memory area user. The operation file registration apparatus writes file data for the card memory area user to the memory area of the card memory area user obtained by the above division.
    Type: Grant
    Filed: February 15, 2006
    Date of Patent: February 13, 2007
    Assignee: Sony Corporation
    Inventors: Masayuki Takada, Susumu Kusakabe, Masachika Sasaki, Tadashi Morita
  • Patent number: 7170999
    Abstract: A peer-to-peer connection is established by a receiving computer with a sending computer on which a desired file is located. The sending computer encrypts the file using a track key specifically generated for this particular file transfer. Once encrypted, the encrypted file is preferably obfuscated. An application server sends a public key specific to the receiving computer to the sending computer. The sending computer encrypts the track key using the public key associated with the receiving computer, and the sending computer sends the encrypted track key and the encrypted file to the receiving computer. The receiving computer stores the received encrypted track key and the received encrypted file as a secured file on the receiving computer. When a file is transferred, associated business rules are also transferred to the receiving computer. Business rules act to restrict the extent to which a file is read, copied, or distributed.
    Type: Grant
    Filed: August 28, 2002
    Date of Patent: January 30, 2007
    Assignee: Napster, Inc.
    Inventors: Edward Kessler, Jordan Mendelson
  • Patent number: 7170525
    Abstract: A texturing system for use in a three-dimensional graphics system has an input for receiving object data for an object to be textured. Encrypted texture data is obtained from a store and decrypted in a decryption unit. The decrypted texture data generates texture image data for a frame buffer from where it can be output for display. There is also provided a method for producing a software application for use in a three-dimensional graphics system which creates instructions for a software application and creates static texture data for use in conjunction with the instructions. The static texture data is encrypted and provided as encrypted texture data with the software instructions.
    Type: Grant
    Filed: June 4, 2004
    Date of Patent: January 30, 2007
    Assignee: Imagination Technologies Limited
    Inventors: Simon Fenney, Martin Ashton
  • Patent number: 7162452
    Abstract: A memory element is provided in the recording medium that is readable but not writeable by external devices, and whose content changes each time select material is recorded onto the medium. The content of this memory element forms a unique encryption key for encrypting the content encryption key. This encrypted content encryption key is further encrypted using a public key that corresponds to a private key of the intended rendering device. Although the unique encryption key is determinable by reading and processing the content of the externally read-only memory element, the decryption of the content encryption key requires both the unique encryption key and the private key of the intended rendering device.
    Type: Grant
    Filed: December 3, 1999
    Date of Patent: January 9, 2007
    Inventor: Michael A. Epstein
  • Patent number: 7142676
    Abstract: A method and apparatus for securely communicating data employs a third-party to facilitate decryption by the recipient. It is necessary for the recipient to interact with the third-party to decrypt received encrypted data. The third-party is unable to decrypt or read the encrypted data and records whether the recipient requested a decryption key generated by the third-party. The third party logs the request from the second party for the decryption key. The originator may then obtain the delivery status of the data from the third party to facilitate proof of submission, proof of delivery, or any other suitable information.
    Type: Grant
    Filed: June 8, 1999
    Date of Patent: November 28, 2006
    Assignee: Entrust Limited
    Inventors: Stephen William Hillier, Dineshbhai Solanki, Eric C. Jacksch
  • Patent number: 7136490
    Abstract: A convenient and secure system and method for access to any number of password-protected computer applications, web sites and forms without adding to the user cognitive load and without circumventing the inherent security of such password-protection schemes. An existing password field on a device display is overlaid with password wallet pop-up field which allows a wallet “master” key to unlock the wallet. An application-specific and/or user-specific password is automatically retrieved from the wallet and entered into the password field with no other user action required.
    Type: Grant
    Filed: February 21, 2002
    Date of Patent: November 14, 2006
    Assignee: International Business Machines Corporation
    Inventors: Anthony Edward Martinez, Michael D. Rahn
  • Patent number: 7130425
    Abstract: A copy protection (CP) key used by a sending source, such as a POD, to encrypt content such as audio and/or video information is derived by a first key generator associated with a first processor and is locally encrypted by the first processor using a locally generated bus encryption key to produce a bus encrypted CP key that is sent over a local unsecure bus to a second processor, such as a graphics processor. The second processor decrypts the bus encrypted copy key using a decryption engine to obtain the CP key. The second processor receives the encrypted content and in one embodiment, also uses the same decryption engine to decrypt the encrypted content. The first and second processors locally exchange public keys to each locally derive a bus encryption key used to encrypt the CP key before it is sent over the unsecure bus and decrypt the encrypted CP key after it is sent over the bus.
    Type: Grant
    Filed: July 6, 2005
    Date of Patent: October 31, 2006
    Assignee: ATI International SRL
    Inventors: David A. Strasser, Edwin Pang, Gabriel Z. Varga
  • Patent number: 7131010
    Abstract: The data processing system is realizable by executing a step of ciphering contents keys used for decoding ciphered contents data by applying mutually different ciphering keys before storing ciphered contents keys in memory as header data of the corresponding contents data. One of the ciphered contents keys comprises ciphered data ciphered by a ciphering key provided for by enabling key block comprising such data composition which is solely decodable by specific device by way of disposing related keys in such corresponding nodes on the path ranging from roots to leaves of a key tree structure for distributing keys. The other ciphered contents key comprises such data ciphered by a specific key proper to a corresponding storage device to enable the device for reproducing contents data to properly and selectively utilize data of ciphered key, whereby enabling the data processing system to properly reproduce decoded contents data.
    Type: Grant
    Filed: July 20, 2001
    Date of Patent: October 31, 2006
    Assignee: Sony Corporation
    Inventors: Takumi Okaue, Ryuji Ishiguro
  • Patent number: 7127612
    Abstract: An information processing apparatus, an information processing method, and an information providing medium are provided. Encrypted information, an encrypted first key for decrypting the encrypted information, and a second key for decrypting the first key are processed to store the information in a storage medium. To be more specific, cross certification is executed with the storage medium, the first key is decrypted by the second key, the decrypted first key is encrypted, and the decrypted first key and the encrypted information are stored in the storage medium. The novel constitution prevents unauthorized replication of information by use of a low-cost, general-purpose semiconductor memory.
    Type: Grant
    Filed: October 1, 1999
    Date of Patent: October 24, 2006
    Assignee: Sony Corporation
    Inventor: Yoshihito Ishibashi
  • Patent number: 7120250
    Abstract: A method and apparatus for enabling use of multiple digital rights management scenarios (DRM). Unencrypted data representing digital content is examined to identify at least segments of content for encryption. The identified segments of content are duplicated and then encrypted using a first encryption method associated with a first DRM to produce first encrypted segments. Duplicates are encrypted using a second encryption method associated with a second DRM to produce second encrypted segments. A set of pointers are generated that point to the first and second encrypted segments of content. A file is then created containing first and second encrypted segments of content, pointers and unencrypted content along with DRM rights data to produce a selectively encrypted multiple DRM enabled file.
    Type: Grant
    Filed: December 13, 2002
    Date of Patent: October 10, 2006
    Assignees: Sony Corporation, Sony Electronics Inc.
    Inventor: Brant L. Candelore
  • Patent number: 7120249
    Abstract: A security key, such as an encryption key, is generated so as to make it more difficult for eavesdroppers to identify the key. Specifically, a cryptographically secure random number generator generates a random bit sequence that is included in a seed. This random seed is provided along with a negotiated master secret to a key generation module. The key generation module may implement a pseudo random function that is in accordance with the Transport Layer Security (TLS) protocol or the Wireless Transport Layer Security (WTLS) protocol. This key may then be used to encrypt a plain text message to form an encrypted data packet. The encrypted data packet also includes the random seed in unencrypted form. The encrypted data packet may be transmitted over a public network to a recipient with reduced risk of eavesdropping.
    Type: Grant
    Filed: June 17, 2005
    Date of Patent: October 10, 2006
    Assignee: Microsoft Corporation
    Inventor: Paul Cador Roberts
  • Patent number: 7099478
    Abstract: An apparatus for and method of controlling propagation of decryption keys is provided. One embodiment of the present invention includes an encryption key propagation control system wherein a generation number is identified with each decryption key and the generation number is queried each time a request is made to forward the decryption key to another user. The generation number is decremented at each request, and once it reaches zero, further requests are refused by the control system.
    Type: Grant
    Filed: February 27, 2002
    Date of Patent: August 29, 2006
    Assignee: Data Encryption Systems Limited
    Inventor: David Robin Tomlinson
  • Patent number: 7099476
    Abstract: A network system includes a server, an access point connected to the server for transmitting wireless data or receiving wireless data for the server, and a station for receiving wireless data from the access point and transmitting wireless data to the access point. The station has a first key. A ciphering key updating method includes: authenticating the station with the first key; if authentication succeeds, the station transmitting identification data to the access point; and if the identification data matches registration data stored in the server, transmitting a second key to replace or update the first key.
    Type: Grant
    Filed: June 4, 2002
    Date of Patent: August 29, 2006
    Assignee: Inventec Appliances Corp.
    Inventors: Kun-Huei Chen, Ju-Nan Chang, Wen-Biao Lee
  • Patent number: 7095851
    Abstract: A cryptographic key split combiner, which includes a number of key split generators (42, 48, and 56) for generating cryptographic key splits (32, 34, 36, 38, and 64) and a key split randomizer for randomizing the cryptographic key splits to produce a cryptographic key (62), and a process for forming cryptographic keys. Each of the key split generators (42, 48 and 56) generates key splits (32, 34, 36, 38, and 64) from seed data (40, 44, 46, 50, 52, 54, 58, and 60). The key split generators may include a random split generator (42) for generating a random key split (32) based on reference data (40) and encryption date/time (44).
    Type: Grant
    Filed: March 10, 2000
    Date of Patent: August 22, 2006
    Assignee: Tecsec, Inc.
    Inventor: Edward M. Scheidt
  • Patent number: 7089417
    Abstract: A method of providing cryptographic information and flow control includes first determining a target domain from an IP address. An organization policy is looked up from a credential store, and an algorithm and credentials specified for the target domain are looked up in a domain-credential map. Any further credentials that are provided and that are permitted by the organizational policy are added. A working key is then generated, and information is received in the form of a receive packet. Any packet header is stripped from the receive packet and the remaining data is encrypted. Key splits are retrieved from the credential store, and are combined to form a key-encrypting key. The working key is then encrypted with the key-encrypting key, and a CKM header is encrypted. The encrypted CKM header is concatenated to the beginning of the encrypted data to form transmit data, and the packet header and the transmit data are concatenated to form a transmit packet.
    Type: Grant
    Filed: November 18, 2003
    Date of Patent: August 8, 2006
    Assignee: TECSEC, Inc.
    Inventors: C. Jay Wack, Edward M. Scheidt, Jeffrey K. Morris
  • Patent number: 7088822
    Abstract: By recording a digital signature and a public key certificate when recording data on an information recording medium, a recording device having recorded content can be specified. If recording media including illegally recorded data are distributed, the recording device used for the recording can be specified and can be excluded from the system. An information playback device verifies the validity of the digital signature and public key certificate when reading data, specifies a content recorder, and verifies that the digital signature and the public key certificate have not been falsified before playing back the data. This structure can efficiently exclude the playback of content recorded by an invalid recording device.
    Type: Grant
    Filed: February 13, 2002
    Date of Patent: August 8, 2006
    Assignee: Sony Corporation
    Inventor: Tomoyuki Asano
  • Patent number: 7085376
    Abstract: A system and method for securely exchanging a plurality of information items used to generate a plurality of encryption keys used in a public key-and-private key system. In accordance with the principles of the invention, elements of exchanged information items, such as public key and synchronizing indicators, are encrypted before the exchange. The information item element is encrypted using an encryption key determined from information items that were previously exchanged. The encryption of information items used to determine subsequent encryption keys provides additional security to the encryption key used in the transmission of informational data, as the encrypted elements of the information item must be decrypted before the data message encryption key can be decrypted. The process of exchanging encrypted information items can be repeated until an agreed upon number of encrypting keys is determined.
    Type: Grant
    Filed: February 14, 2001
    Date of Patent: August 1, 2006
    Assignee: Copytele, Inc.
    Inventors: Frank J. DiSanto, Denis A. Krusos
  • Patent number: 7085382
    Abstract: A communication device which can be freely inserted into and extracted from a slot of a terminal device has the part that is exposed from the terminal device when inserted into the slot colored according to the kind of the communication device, and includes a radio unit adapted to a predetermined mobile communication service, colored according to the kind of the mobile communication service and storing information necessary for the connection to a specific provider.
    Type: Grant
    Filed: December 26, 2000
    Date of Patent: August 1, 2006
    Assignee: NEC Corporation
    Inventors: Masayuki Terao, Akira Sakai, Masakatsu Takizawa, Shuuji Yamaguchi
  • Patent number: 7082533
    Abstract: A system for communicating electronically over a communications medium regarding an account includes (a) maintaining information pertaining to the account in a database such that the information is retrievable by a unique identifier, the information including security features of a device that generates digital signatures using a private key of a public-private key pair, (b) associating the public key of the device with the unique identifier in the database, (c) receiving an electronic communication including the unique identifier and a digital signature for a message generated by a suspect device, (d) authenticating the message using the public key associated with the unique identifier, (e) upon successful authentication of the message, identifying the security features retrievable by the unique identifier as being the security features of the genuine device, and (f) gauging the risk that said generated digital signature was fraudulently sent based on said identified security features of the genuine device.
    Type: Grant
    Filed: February 1, 2003
    Date of Patent: July 25, 2006
    Assignee: First Data Corporation
    Inventors: Lynn Henry Wheeler, Anne M. Wheeler
  • Patent number: 7073073
    Abstract: A content provider 101 distributes a secure container 104 storing content data encrypted using content key data, content key data encrypted using distribution key data, and encrypted usage control policy data indicating the handling of the content data to a SAM 1051 of a user home network 103 etc. The SAM 1051 etc. decrypts the content data and usage control policy data stored in the secure container 104 and determines the purchase mode and usage mode and other handling of the content data based on said decrypted usage control policy data.
    Type: Grant
    Filed: July 6, 2000
    Date of Patent: July 4, 2006
    Assignee: Sony Corporation
    Inventors: Akira Nonaka, Tadashi Ezaki
  • Patent number: 7065648
    Abstract: In a mutual authentication method for use between a recording apparatus which records copied contents on a recording medium having an arithmetic processing function, and the recording medium, the method includes a step of storing in the recording medium at least first information which depends on the recording medium, and second information which is to be shared by the recording apparatus in executing mutual authentication with the recording apparatus and depends on the recording medium, and a step of generating by the recording apparatus authentication information used in mutual authentication with the recording medium on the basis of the first information obtained from the recording medium, and executing mutual authentication between the recording apparatus and the recording medium using the generated authentication information and the second information.
    Type: Grant
    Filed: June 15, 2000
    Date of Patent: June 20, 2006
    Assignees: Kabushiki Kaisha Toshiba, Matsushita Electric Industrial Co., Ltd.
    Inventors: Tooru Kamibayashi, Hisashi Yamada, Hiroshi Iwasaki, Masafumi Tamura, Yasuhiro Ishibashi, Taku Kato, Makoto Tatebayashi, Shunji Harada
  • Patent number: 7065643
    Abstract: A secure communications system (100, FIG. 1) with a compromised communications node can quickly recover from the compromised condition by sending re-keying messages using a key encryption key hierarchy (200, FIG. 2). Each communications node (330, FIG. 3) includes a memory (300, FIG. 3) with a list of tier-group specific key encryption keys, and whenever a message arrives that is encrypted with a key encryption key in the list, the communications node decrypts the message. When the message includes a new traffic encryption key, the communications node has been re-keyed. Key encryption keys are managed hierarchically such that many communications nodes can be re-keyed with very few broadcast messages, thereby saving communications resources.
    Type: Grant
    Filed: March 28, 2000
    Date of Patent: June 20, 2006
    Assignee: Motorola, Inc.
    Inventors: Curtis Lee Cornils, Erwin Perry Comer
  • Patent number: 7050589
    Abstract: Methods and systems in accordance with the present invention allow users' private keys corresponding to their digital certificates to be stored and archived outside of the control of a Certificate Authority (“CA”). A CA may have a policy that a user's private key must be archived in order to receive a digital certificate upon a registration request from the user. Typically, the CA knows that the user's private key is archived because it implements the archival of the key, for example, on a data recovery manager and associated internal database that the CA controls. Methods and systems in accordance with the present invention allow for the enforcement of such a policy while allowing the archival of the private keys to be outside of the control of the CA by having a data recovery manager supply a digitally signed proof of archival token with a digital certificate request to a CA. The CA is assured that the key has been archived.
    Type: Grant
    Filed: August 17, 2001
    Date of Patent: May 23, 2006
    Assignee: Sun Microsystems, Inc.
    Inventor: Nang Kon Kwan
  • Patent number: 7046810
    Abstract: An IC card issuer issues an IC card and requests a card memory area operator to lend part of a memory area of the IC card to another card memory area user. The card memory area operator provides a memory area division apparatus and various data to the memory area division apparatus under the control of an operator communication apparatus 12. The card memory area user divides the memory area of the IC card into a memory area to be used by the IC card issuer and a memory area to be used by the card memory area user. The operation file registration apparatus writes file data for the card memory area user to the memory area of the card memory area user obtained by the above division.
    Type: Grant
    Filed: July 6, 2001
    Date of Patent: May 16, 2006
    Assignee: Sony Corporation
    Inventors: Masayuki Takada, Susumu Kusakabe, Masachika Sasaki, Tadashi Morita
  • Patent number: 7039816
    Abstract: To prevent piracy, audiovisual content is encrypted prior to transmission to consumers. A low-cost, high-security cryptographic rights module (such as a smartcard) enables devices such as players/displays to decode such content. Security-critical functions may be performed by the cryptographic module in a manner that allows security compromises to be addressed by upgrading or replacing cryptographic modules, thereby avoiding the need to replace or modify other (typically much higher-cost) components. The security module contains cryptographic keys, which it uses to process rights enablement messages (REMs) and key derivation messages (KDMs). From a REM and KDM, the security module derives key data corresponding to content, uses public key and/or symmetric cryptography to re-encrypt the derived key data for another device, and provides the re-encrypted key data to the decoding device. The decoding device then uses cryptographic values derived from the re-encrypted key data to decrypt the content.
    Type: Grant
    Filed: October 27, 2003
    Date of Patent: May 2, 2006
    Assignee: Cryptography Research, Inc.
    Inventors: Paul C. Kocher, Joshua M. Jaffe, Benjamin C. Jun
  • Patent number: 7007170
    Abstract: A system, apparatus, and method are directed to providing and securely viewing secure content. In one embodiment, a secure player provides secure screening/previewing of secure content, such as a motion picture, by a member of an awards organization. A content key is employed to selectively encrypt at least a portion of a content stream. The content key is encrypted with a screener key. The encrypted content key is embedded into the secure content. The screener key is encrypted using a public/private key pair that is bound to the secure player. The secure content may be distributed on a medium, such as a DVD, high definition DVD, and the like. The secure player is configured to receive the medium, screener key, and a screener identity. The screener identity and screener key are employed by the secure player to decrypt and enable secure viewing of the content.
    Type: Grant
    Filed: January 20, 2004
    Date of Patent: February 28, 2006
    Assignee: Widevine Technologies, Inc.
    Inventor: Glenn A. Morten
  • Patent number: RE39589
    Abstract: The invention relates to a method for providing connection security for the transmission between communicating parties in a telecommunication network, the method comprising the steps of: exchanging security parameters between communicating parties, providing connection security for messages based on these security parameters, and transmitting said messages between communicating parties. It is characteristic of the method according to the invention that it further comprises the steps of: reaching agreement between communicating parties on an interval for recalculation of the security parameters, monitoring of the interval for recalculation by the communicating parties, recalculating the security parameters at the agreed interval, and providing connection security for messages based on the latest recalculated security parameters.
    Type: Grant
    Filed: September 9, 2004
    Date of Patent: April 24, 2007
    Assignee: Nokia Networks Oy
    Inventor: Tommi Raivisto