Abstract: The method for archiving a document includes a step of encryption of the document with a symmetric key, a step of transmission of said encrypted document to an archiving operator, and a step of transmission of the symmetric encryption key of said document to an escrow operator distinct from the archiving operator. The method may also include a step of encrypting of the symmetric key with a key consisting of a dual key comprising asymmetric keys. Depending on whether it is applied to personal archiving or to document transmission, during the step of encryption with the asymmetric key, the asymmetric key is that of the user having transmitted said document or that of the recipient of the document.

Abstract: The disclosure relates to a countermeasure method in an electronic component, wherein binary data are transmitted between binary data storage units, binary data being transmitted in several transmission cycles comprising a first cycle comprising: randomly selecting bits of the data, transmitting the selected bits and transmitting bits, each having a randomly chosen value, instead of transmitting non-selected bits of the data. A last transmission cycle comprises transmitting bits of the data that have not been transmitted during a previous cycle.

Abstract: Systems and methods for authentication generate keys from secret credentials shared between authenticating parties and authenticators. Generation of the keys may involve utilizing specialized information in the form of parameters that are used to specialize keys. Keys and/or information derived from keys held by multiple authorities may be used to generate other keys such that signatures requiring such keys and/or information can be verified without access to the keys. Keys may also be derived to form a hierarchy of keys that are distributed such that a key holder's ability to decrypt data depends on the key's position in the hierarchy relative to the position of a key used to encrypt the data. Key hierarchies may also be used to distribute key sets to content processing devices to enable the devices to decrypt content such that sources or potential sources of unauthorized content are identifiable from the decrypted content.

Abstract: A scalable access filter that is used together with others like it in a virtual private network to control access by users at clients in the network to information resources provided by servers in the network. Each access filter uses a local copy of an access control data base to determine whether an access request is made by a user. Each user belongs to one or more user groups and each information resource belongs to one or more information sets. Access is permitted or denied according to access policies which define access in terms of the user groups and information sets. The first access filter in the path performs the access check, encrypts and authenticates the request; the other access filters in the path do not repeat the access check. The interface used by applications to determine whether a user has access to an entity is now an SQL entity. The policy server assembles the information needed for the response to the query from various information sources, including source external to the policy server.

Abstract: In the field of computer software (code) security, it is known to include verification data such as hash values in or associated with the code to allow subsequent detection of tampering by a attacker with the code. This verification technique is used here in a “White Box” cryptographic process by tying the verification data to the content of functional table lookups present in the object (compiled) code, where values in the table lookups are selectively masked (prior to the source code being compiled into the subject code) by being subject to permutation operations.

Abstract: A content protection query module (CPQM) dynamically queries content protection items supported on the client device. The CPQM automatically identifies content protection configurations, based on the results of the queries. Using a variety of business rules and policies, the CPQM may select a content protection configuration from the configurations for packaging and providing protected content to the client device. The CPQM may instruct the client device to expect the protected content in the selected configuration, thereby enabling the client device to configure itself, as appropriate, for such configuration. The client device may include a media player that selects based on the instructions which DRM module to employ, providing the DRM module with instructions regarding where to obtain decryption keys/licenses for the content, and even instructing the DRM module which decryption mechanism to employ to decrypt the received protected content.

Abstract: Multi-party messaging is disclosed. A plurality of public keys is requested from a first server, wherein the plurality of public keys is associated with a plurality of recipients. A message containing one or more components is encrypted using a symmetric key. The symmetric key is encrypted, using each of the respective public keys, resulting in a plurality of encrypted symmetric keys. The encrypted message and the encrypted symmetric keys are encapsulated in an encapsulation. The encapsulation is transmitted to a second server.

Abstract: Provided is a method in which a first device authenticates a public key of a second device. The method includes: receiving a first value generated based on the public key of the second device and a password displayed on a screen of the second device and the public key of the second device, from the second device; generating a second value based on the public key of the second device and a password input to the first device by a user of the first device according to the password displayed on the screen of the second device; and authenticating the public key of the second device based on the first value and the second value.

Abstract: Disclosed herein are a private key generation apparatus and method, and storage media storing programs for executing the methods on a computer. The private key generation apparatus includes a root private key generation unit and a sub-private key generation unit. The root private key generation unit sets a root master key and predetermined parameters capable of generating private keys, and generates a first sub-master key set capable of generating a number of private keys equal to or smaller than a preset limited number. The sub-private key generation unit generates private keys with the root private key generation unit by receiving the first sub-master key set from the root private key generation unit, to generate a private key corresponding to a user ID using the first sub-master key set, and issues the private key to a user.

Abstract: A system and method for writing a new or replacement public key to a bootloader stored in a memory segment in the memory of a vehicle ECU without having to rewrite the entire bootloader. The method includes defining a key table in the bootloader memory segment includes a number of vacant memory slots that are available to store replacement public keys if they are needed. The key table is a separate section of the bootloader memory segment so that the key table memory slots are not used by the bootloader code.

Abstract: The present invention is a computer-implemented key exchange system and methods for improving the usability of encryption technologies such as Public Key Infrastructure (PKI). One aspect of the present invention includes registering users, verifying user identity, and classifying users such that the users may send a communications such that communication recipients can verify the user identity and classification of the communication sender. Another aspect of the present invention includes users initiating relationships with other users, approving the establishment of relationships, and exchanging encryption keys between users after the establishment of a relationship.

Abstract: A secure component communication management system provides secure, trusted communication between components in a hypervisor based virtual computing environment. A hypervisor security extension generates a container level private key/public key pair. The hypervisor security extension container injects the container level public key into one or more VM(s) that are to securely receive trustworthy data. The hypervisor security extension container encrypts data to transmit to VMs with the container level private key, and injects the encrypted data into one or more target VM(s), such that the injected data is trusted by the VM(s). The one or more VM(s) receive the container level public key and data encrypted with the container level private key, injected by the hypervisor security extension container. These VM(s) use the public key to decrypt injected data encrypted with the private key, such that the decrypted data is trusted.

Abstract: The state of firmware for devices on a provisioned host machine can be validated independent of the host CPU(s) or other components exposed to the user. A port that is not fully exposed or accessible to the user can be used to perform a validation process on firmware without accessing a CPU of the host device. The firmware can be scanned and a hashing or similar algorithm can be used to determine validation information, such as hash values, for the firmware, which can be compared to validation information stored in a secure location. If the current and stored validation information do not match, one or more remedial actions can be taken to address the firmware being in an unknown or unintended state.

Abstract: A computer-implemented method for secure third-party data storage may include 1) identifying, at a server-side computing device, a request from a client system to access an encrypted file stored under a user account, 2) identifying, in response to the request, an asymmetric key pair designated for the user account that includes an encryption key and a decryption key that has been encrypted with a client-side key, 3) receiving, from the client system, the client-side key, 4) decrypting the decryption key with the client-side key, and 5) using the decryption key to access an unencrypted version of the encrypted file. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: In one exemplary embodiment of the invention, a method for computing a resultant and a free term of a scaled inverse of a first polynomial v(x) modulo a second polynomial fn(x), including: receiving the first polynomial v(x) modulo the second polynomial fn(x), where the second polynomial is of a form fn(x)=xn±1, where n=2k and k is an integer greater than 0; computing lowest two coefficients of a third polynomial g(z) that is a function of the first polynomial and the second polynomial, where g(z)?i=0n?1(v(?i)?z), where ?0, ?1, . . . , ?n?1 are roots of the second polynomial fn(x) over a field; outputting the lowest coefficient of g(z) as the resultant; and outputting the second lowest coefficient of g(z) divided by n as the free term of the scaled inverse of the first polynomial v(x) modulo the second polynomial fn(x).

Abstract: Method for providing a mesh key which can be used to encrypt messages between a first node and a second node of a mesh network, wherein a session key is generated when authenticating the first node in an authentication server, the first node and the authentication server or an authentication proxy server using a predefined key derivation function to derive the mesh key from said session key, which mesh key is transmitted to the second node.

Abstract: A server receives identifying information of a user of a client device and data encrypted with a public key of a group, where the encrypted data includes an encrypted session key for secure content. The server determines whether the user is a member of the group using the identifying information of the user. If the user is a member of the group, the server decrypts the encrypted session key using a private key of the group, and causes the client device to obtain a session key to access the secure content.

Abstract: Disclosed is a method of registering only an authorized optical network terminal among a plurality of optical network terminals with the same serial number, in an optical line terminal, using a public key encryption algorithm, in a Gigabit Passive Optical Network (GPON). According to an exemplary aspect, a GPON system encrypts a physical layer OAM message transmitted/received for serial number registration of an optical network terminal, using a key distributed according to a public key encryption algorithm, and authenticates registration of the optical network terminal using the encrypted physical layer OAM message. Accordingly, it is possible to securely authenticate registration of an authorized optical network terminal and block registration of unauthorized optical network terminals.

Abstract: Devices are provided with secret information to indicate which other devices are eligible to establish communication sessions. Information leaks about the eligibility of devices are prevented when no communication sessions are established. Each device makes a set of preference information items publicly available. Each preference information item selects an eligible device in cloaked way. Each protected information item contains protected information such as an encrypted random number that can be decrypted only by the eligible device. When a request to establish a communication is processed by a first and second device, the first and second device indicate which of their preference information items should be used. The devices then each attempt to decrypt the protected information from the other one's indicated preference information item and each combines the result with the protected information used to make the preference information item that it indicated to the other.

Abstract: In an example, a method for secure publication of content is described. The method may include encrypting content with a media key. The method may also include providing the encrypted content to a client device associated with a private key and a public key. The private key may be stored at the client device. The method may also include encrypting the media key with the public key. The method may also include providing the encrypted media key to the client device.

Abstract: A mechanism is described that enables encrypted end-point communications in a VoIP network to be accessed by a service provider. The mechanism includes a session information retrieval component which gathers session information such as encryption keys for each session that traverses a network element. The encryption keys may be used to decrypt data to make it available for lawful interception. A media stream monitoring component monitors media streams and verifies that the identified keys for each session are valid, to ensure continuity in compliance with LI regulations. Advantageously a security alert component may be used to controls further session operation for those sessions identified as potential security risks. With such an arrangement, the service provider can satisfy the legal requirement to provide interception, verify that the accuracy of the legal interception support and take appropriate steps to handle security risks.

Abstract: A system and method of encrypting digital content in a digital container and securely locking the encrypted content to a particular user and/or computer or other computing device is provided. The system uses a token-based authentication and authorization procedure and involves the use of an authentication/authorization server. This system provides a high level of encryption security equivalent to that provided by public key/asymmetric cryptography without the complexity and expense of the associated PKI infrastructure. The system enjoys the simplicity and ease of use of single key/symmetric cryptography without the risk inherent in passing unsecured hidden keys. The secured digital container when locked to a user or user's device may not open or permit access to the contents if the digital container is transferred to another user's device. The digital container provides a secure technique of distributing electronic content such as videos, text, data, photos, financial data, sales solicitations, or the like.

Abstract: In an encrypted storage system employing data deduplication, encrypted data units are stored with the respective keyed data digests. A secure equivalence process is performed to determine whether an encrypted data unit on one storage unit is a duplicate of an encrypted data unit on another storage unit. The process includes an exchange phase and a testing phase in which no sensitive information is exposed outside the storage units. If duplication is detected then the duplicate data unit is deleted from one of the storage units and replaced with a mapping to the encrypted data unit as stored on the other storage unit. The mapping is used at the one storage unit when the corresponding logical data unit is accessed there.

Abstract: A key management and node authentication method for a sensor network is disclosed. The method comprises the following steps of: 1) keys pre-distribution: before deploying the network, communication keys for establishing security connection between nodes are pre-distributed to all of nodes by a deployment server. 2) Keys establishment: after deploying the network, a pair key for the security connection is established between nodes, which includes the following steps of: 2.1) establishment of shared keys: the pair key is established between neighbor nodes in which the shared keys are existed; 2.2) path keys establishment: the pair key is established between the nodes in which there is no shared keys but there is a multi-hop security connection. 3) Node identity (ID) authentication: before formally communicating between nodes, the identity is authenticated so as to determine the legality and the validity of the identity of the other.

Abstract: A database system comprising: a memory containing multiple data records, wherein each of the data records has a data record asymmetric key pair for cryptographic encryption and decryption, wherein each data record asymmetric key pair comprises a data record public key and a data record private key, wherein the data contained in each of the multiple data records is encrypted by the data record public key, wherein the data record private key of each data record asymmetric key pair is encrypted with the public key of another asymmetric key pair; a set of user accounts, wherein each of the user accounts has a user asymmetric key pair for encryption and decryption, wherein each user asymmetric key pair has a user public key and a user private key; wherein data is added to a data record by encrypting it with the data record public key; wherein access to the data record is granted to a user account by encrypting the data record private key with the public key of an asymmetric cryptographic key pair whose encrypted p

Abstract: The disclosure discloses a method for protecting security of layer-3 mobility user plane data in Next Generation Network (NGN), includes: performing authentication by a terminal with an authentication server; after the authentication is passed, obtaining a shared key material by both the terminal and the authentication server; generating, by the terminal and the authentication server, a mobility data security key according to the shared key material; transmitting, by the authentication server, the generated mobility data security key to a mobility data transmission module; protecting security of the layer-3 mobility user plane data, by the terminal and the mobility data transmission module, by using the mobility data security key. The disclosure also discloses a system for protecting security of layer-3 mobility user plane data in NGN.

Abstract: This invention provides a user friendly, email encryption system allowing users to send and receive encrypted messages for registered and unregistered users. Encrypted messages can be sent to registered or non-registered users by transmitting the encrypted message to cloud system servers. The cloud system servers acquire certificates from certificate authorities or any end-to-end exchange of keys between the sender and the recipient of the encrypted message. For registered users, messages sent by senders are encrypted by the sender and sent to the cloud system servers which decrypt the message and re-encrypt the message with the recipient's key. For non-registered users, once the encrypted message is decrypted at the cloud system servers, another message is sent to the non-registered informing them that an encrypted message awaits them if they select a link in the message which allows them to log into the cloud system servers and view the original message.

Abstract: A method, system and apparatus for authenticating a communication request sent from a client computing device. The communication request is initially blocked by a firewall preventing delivery to a server. A first logging event corresponding to the communication request is created. The communication request and the logging event are stored in a firewall. The server is notified of the first logging event. The communication request corresponding to the first logging event is authenticated. A port in the firewall is enabled if the communication request is authenticated.

Abstract: A method of managing devices in a dispersed data storage network is disclosed. A device list is maintained including entries for every device in the dispersed data storage network. Each entry lists a public key, a network address, and hardware identifier for the corresponding device. On startup each device sends a request to join the network. The request includes the device's public key, network address, and hardware identifier. The request is compared with the device list, and, based on the comparison, and, in some cases, administrator action, the request is granted or denied.

Abstract: A system and method for authenticating data. Data may be received that is individually encrypted in a first encryption layer by each of a plurality of users using user-specific private keys. The received data may be encrypted together in a second encryption layer to create multi-layered encrypted data. The multi-layered encrypted data may be transferred to a beneficiary device to determine if the encrypted data is authentic. At the beneficiary device, the second encryption layer may be decrypted to expose the first encryption layer. Then, the first encryption layer may be decrypted using public keys that only decrypt data encrypted by private keys assigned to a plurality of authorizers pre-designated to authenticate the data. If the first encryption layer is properly decrypted using the authorizers' decryption keys, it may be determined that the users are the pre-designated authorizers.

Abstract: In a mobile communication system, a radio device is configured to transmit notification information transmitted from a distribution server, to a mobile station, by use of broadcast communication. The distribution server 10 includes a key transmitter unit 12 configured to transmit a public key of the distribution server 10 to the mobile station UE; the radio device RNC, Node B includes a notification information transmitter unit 22, 42, 42A configured to transmit, to the mobile station UE, the notification information transmitted from the distribution server 10; and the mobile station UE includes an authentication unit 36 configured to authenticate the validity of the received notification information in reference to an electronic signature for the notification information.

Abstract: An embodiment generally relates to a method of strong encryption. The method includes generating a first cryptographic key based on a random number and generating a second cryptographic key based on a password. The method also includes encrypting private data with the first cryptographic key to arrive at wrapped private data and encrypting the first cryptographic key with the second cryptographic key to arrive at a wrapped first cryptographic key.

Abstract: An exemplary method includes transmitting, by a software application subsystem, a request to an encryption services subsystem to route a message generated by an originating software application to a recipient software application through a message broker subsystem, acquiring, by the software application subsystem, data representative of a current encryption configuration of the message broker subsystem from the encryption services subsystem in response to the request, and determining, by the software application subsystem, during a run time of the originating software application whether to encrypt the message before the message is transmitted to the message broker subsystem for routing to the recipient software application, the determination based at least in part on the current encryption configuration of the message broker subsystem. Corresponding methods and systems are also disclosed.

Abstract: Method to secure the communication of components within self-service automats that are linked to each other by a bus system, having a transmitter and a receiver, characterized in that data are exchanged as tuples (C, A, R, N, Z) on the transport layer of the bus system where C are the message data M encrypted with an encryption key, A are the message data M authenticated with an authentication key, R represents the role of a component on the bus system of active or passive participants, N represents a message counter, Z represents a session counter.

Abstract: A method and system for server-side key generation for non-token clients is described.

Abstract: A computer-implemented system processes secure electronic documents from one or more content providers in accordance with subscriber instructions has a processor and modules operative within the processor. A monitoring module obtains a provider GUID, a subscriber GUID, and a transaction ID from public metadata associated with a transaction received from a particular content provider. A determination module determines any designees of the subscriber and contact information one or more of the subscriber and any designees. A transaction module distributes a transaction addressed to at least one of the subscriber and any designees. Each distributed transaction includes data that is used for management, tracking, and alerting. Also described is a station for constructing transactions for distribution to subscribers through such a system, and management of local-advertising to users of such a system. An end-to-end system and method are described.

Abstract: A user accessing a protected resource is authenticated using multiple channels, including a mobile device of the user. A user attempting to access a protected resource is authenticated by receiving a request from a mobile device of the user to access the protected resource; receiving a public key from the mobile device of the user; providing a provision token to the mobile device, wherein the provision token is used by the user to access the protected resource using a second device; and confirming the provision token to a provider of the protected resource to authorize the user to access the protected resource. The user then communicates with the provider using a second device to authorize the provisioning token. A transaction signing protocol is also provided.

Abstract: The inventions relate to the delivery, transfer of content, and return of uniquely customized physical digital media. Digital content is specifically encrypted for use on a target player associated with a specific customer account. After use, the media is returned to a receiving location where use information is read from the media. Attention is given to cost of delivery, security of content, user experience in selecting, choosing, paying for, viewing or utilizing the content, and usage information created as a result of the content being utilized, rented, purchased, loaded or deleted.

Abstract: Methods and systems for enabling content to be securely and conveniently distributed to authorized users are provided. More particularly, content is maintained in encrypted form on sending and receiving devices, and during transport. In addition, policies related to the use of, access to, and distribution of content can be enforced. Features are also provided for controlling the release of information related to users. The distribution and control of contents can be performed in association with a client application that presents content and that manages keys.

Abstract: A computer-implemented method for secure third-party data storage may include 1) identifying, at a server-side computing device, a request from a client system to access an encrypted file stored under a user account, 2) identifying, in response to the request, an asymmetric key pair designated for the user account that includes an encryption key and a decryption key that has been encrypted with a client-side key, 3) receiving, from the client system, the client-side key, 4) decrypting the decryption key with the client-side key, and 5) using the decryption key to access an unencrypted version of the encrypted file. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: Methods and systems for secure electronic communication involve, for example, using a processor coupled to memory to receive a request message from a user's communication device processor including a session key encrypted with a public key of a public/private key pair without sending a private key of the public/private key pair to, or storing the private key on, the user's communication device. Using the processor, the request message is decrypted with a private key of the public/private key pair and the session key is retrieved from the decrypted request message. Thereafter, also using the processor, a response message is generated and encrypted with the retrieved session key and sent to the user's communication device processor.

Abstract: In a communication system in which two communication entities seek to have a private or confidential communication session, a trust relationship needs first be established. The trust relationship is based on the determination of a shared secret which in turn is generated from contextual information. The contextual information can be derived from the circumstances surrounding the communication session. For example, the contextual information can include topological information, time-based information, and transactional information. The shared secret may be self-generated or received from a third party. In either event, the shared secret may be used as key material for any cryptographic protocol used between the communication entities.

Abstract: The public key of an RSA (asymmetric) software key pair is maintained confidentially on an authentication server, while the corresponding private key is maintained in encrypted, unstructured form on a mobile communication device (e.g. smartphone). The mobile device cannot verify locally whether a decrypted private key is correct, and a brute force, dictionary, or other attack that yields the correct private key among many decrypted keys does not allow determining which private key is correct without access to the authentication server. A relatively-long (128+ bit, e.g. 512-bit) public key exponent is used to make brute-force local verification of the private key impractical. The unstructured private key can secure other resources such as RSA keys used for digital signing. The enhanced security provided for the private key adds computational and logistical cost, but is of particular use if the mobile device controls access to external resources such as secure websites.

Abstract: Systems, methods, and other embodiments associated with wireless authentication using beacon messages are described. According to one embodiment, an access point controller includes a transmitter configured to wirelessly transmit a beacon message. The beacon message is configured to announce to a remote device that a wireless access point is available to provide access to a network. The beacon message includes a security identifier that identifies a public key for the wireless access point.

Abstract: A data storage unit may store an encrypted medium device key Enc (Kcu, Kmd_i), and a medium device key certificate (Certmedia). A controller further includes: an information recording unit configured to store a controller key (Kc) and first controller identification information (IDcu). A key generation unit executes a one-way function calculation based on the controller key and the first controller identification information to generate a controller unique key (Kcu). An identification information generating unit executes a one-way function calculation based on the controller key and the first controller identification information to generate second controller identification information (IDcntr). A key encryption unit encrypts the medium device key (Kmd_i) by the controller unique key (Kcu) to generate encrypted medium device key Enc (Kcu, Kmd_i).

Abstract: A method for secure bidirectional communication between two systems is described. A first key pair and a second key pair are generated, the latter including a second public key that is generated based upon a shared secret. First and second public keys are sent to a second system, and third and fourth public keys are received from the second system. The fourth public key is generated based upon the shared secret. A master key for encrypting messages is calculated based upon a first private key, a second private key, the third public key and the fourth public key. For re-keying, a new second key pair having a new second public key and a new second private key is generated, and a new fourth public key is received. A new master key is calculated using elliptic curve calculations using the new second private key and the new fourth public key.

Abstract: Techniques for assuring a receiver's non repudiation of a communication are provided via cooperation with a secure device. A secure device operates within a local environment of a receiver and exchanges certificates with a sender via the receiver. The sender encrypts data in a communication with the receiver. Separately, the sender sends an encrypted version of a decryption key to the receiver. The receiver presents the encrypted version of the key to the secure device and the secure device supplies the decryption key for use by the receiver to decrypt the previously sent encrypted data.

Abstract: A terminal for managing digital rights of a memory card inserted into the terminal and has a processor and a memory, the digital rights allowing the terminal to access digital contents. The terminal includes a processor configured to manage a digital rights and to exchange information with the memory card, the information including a terminal ID and a memory card ID; perform a mutual authentication procedure with the memory card; receive, from a contents provider, a trigger message which indicates to the terminal that a digital rights for the memory card is prepared in the contents provider; if a parameter included in the trigger message does not indicate the memory card, perform a procedure for obtaining a digital rights for the terminal; and if a parameter included in the trigger message indicates the memory card, perform a procedure for requesting a digital rights for the memory card.

Abstract: A computer-implemented method represents a list of informational items using a bit array. The method converts an informational item to a cryptographic value using a cryptographic algorithm and extracts a plurality of n-bit samples from the cryptographic value. The n-bit samples includes at least a first field and a second field. The first field identifies a group of bits of the bit array and the second field identifies one or more individual bits within the group of bits. The individual bits are set to a pre-determined value according to the first field identifying the group of bits and the second field identifying the individual bits within the group of bits.

Abstract: Systems and/or methods that facilitate secure electronic communication of data are presented. A cryptographic component facilitates securing data associated with messages in accordance with a cryptographic protocol. The cryptographic component includes a randomized exponentiation component that facilitates decryption of data and generation of digital signatures by exponentiating exponents associated with messages. An exponent is divided into more than one subexponent at an exponent bit that corresponds to a random number. Exponentiation of the first subexponent can be performed based on a left-to-right-type of exponentiation algorithm, and exponentiation of the second subexponent can be performed based on a right-to-left square-and-multiply-type of exponentiation algorithm. The final value is based on the exponentiations of the subexponents and can be decrypted data or a digital signature, which can be provided as an output.