By Public Key Method Patents (Class 380/285)
  • Patent number: 8321680
    Abstract: Embodiments describe a system and/or method for multiple party digital signatures. According to a first aspect a method comprises establishing a first validity range for a first key, establishing a first validity range for at least a second key, and determining if the validity range of the first key overlaps the first validity range of the at least a second key. A certificate is signed with the first validity range of the first key and the first validity range of the at least a second key if the validity ranges overlap. According to another embodiment, signage of the certificate is refused if the first validity range of the first key does not overlap with the first validity range of the at least a second key.
    Type: Grant
    Filed: December 9, 2010
    Date of Patent: November 27, 2012
    Assignee: QUALCOMM Incorporated
    Inventors: Alexander Gantman, Aram Perez, Gregory G. Rose, Laurence G. Lundblade, Matthew W. Hohfeld, Michael W. Paddon, Oliver Michaelis, Ricardo Jorge Lopez
  • Patent number: 8320559
    Abstract: Systems and methods for supporting symmetric-bilinear-map and asymmetric-bilinear-map identity-based-encryption (IBE) key exchange and encryption schemes are provided. IBE key exchange schemes use an IBE encapsulation engine to produce a secret key and an encapsulated version of the secret key. An IBE unencapsulation engine is used to unencapsulate the encapsulated key. IBE encryption schemes use an IBE encryption engine to produce ciphertext from plaintext. An IBE decryption engine is used to decrypt the ciphertext to reveal the plaintext. The IBE unencapsulation engine and decryption engines use bilinear maps. The IBE encapsulation and encryption engines perform group multiplication operations without using bilinear maps, improving efficiency. IBE private keys for use in decryption and unencapsulation operations may be generated using a distributed key arrangement in which each IBE private key is assembled from private key shares.
    Type: Grant
    Filed: August 6, 2009
    Date of Patent: November 27, 2012
    Assignee: Voltage Security, Inc.
    Inventors: Dan Boneh, Xavier Boyen
  • Patent number: 8315393
    Abstract: A secure communication system wherein message decryption may be performed while off-line, or optionally while on-line. A sender encrypts a message based on the message key and sends it to the recipient. An envelope containing a message key is created by encrypting the message key based on a verifier, where the verifier is based on a secret of the recipient. The recipient is provided the envelope, along with the message or separately, from the sender or from another party, contemporaneous with receipt of the message or otherwise. The recipient can then open the envelope while off-line, based on their secret, and retrieve the message key from the envelope to decrypt the message. In the event the recipient cannot open the envelope, optional on-line access permits obtaining assistance that may include obtaining an alternate envelope that the recipient can open.
    Type: Grant
    Filed: July 20, 2010
    Date of Patent: November 20, 2012
    Assignee: Proofpoint, Inc
    Inventors: Jahanshah Moreh, Logan O'Sullivan Bruns
  • Patent number: 8311214
    Abstract: Communication and validation of information transfer from a transmitter to a receiver is achieved by generating a cipher (400) from a message m (410) using parameters of an elliptic curve, a generator point P (406) on the elliptic curve and a public key Q (416) of the receiver. The cipher includes a first element that is the product kP of a random number k (404) with the generator point P and a second element that is the product of m and the x-coordinate of the product kQ. The message m is generated from two mathematically independent representations of the information and, optionally, a random number. The cipher is communicated to the receiver and decoded to recover a message m′ (502). A validation token (500) is generated by the receiver and passed to the transmitter, which validates communication of the information to the receiver if the product mkQ is equal to the validation token.
    Type: Grant
    Filed: April 24, 2006
    Date of Patent: November 13, 2012
    Assignee: Motorola Mobility LLC
    Inventors: Ronald F. Buskey, Barbara B. Frosik, Douglas A. Kuhlman
  • Patent number: 8307211
    Abstract: A method of verifying a pair of correspondents in electronic transaction, the correspondents each including first and second signature schemes and wherein the first signature scheme is computationally more difficult in signing than verifying and the second signature scheme is computationally more difficult in verifying than signing. The method comprises the step of the first correspondent signing information according to the first signature scheme and transmitting the first signature to the second correspondent, the second correspondent verifying the first signature received from the first correspondent, wherein the verification is performed according to the first signature scheme.
    Type: Grant
    Filed: September 28, 2010
    Date of Patent: November 6, 2012
    Assignee: Certicom Corp.
    Inventor: Scott Alexander Vanstone
  • Patent number: 8296583
    Abstract: The inventions relate to the delivery, transfer of content, and return of uniquely customized physical digital media. Digital content is specifically encrypted for use on a target player associated with a specific customer account. After use, the media is returned to a receiving location where use information is read from the media. Attention is given to cost of delivery, security of content, user experience in selecting, choosing, paying for, viewing or utilizing the content, and usage information created as a result of the content being utilized, rented, purchased, loaded or deleted.
    Type: Grant
    Filed: February 23, 2007
    Date of Patent: October 23, 2012
    Assignee: Drakez Tokaj RT. L.L.C.
    Inventors: Kelly C. Sparks, David A. Gust
  • Patent number: 8291234
    Abstract: Systems and methods consistent with the present invention encode a list so users of the list may make inquiries to the coded list without the entire content of the list being revealed to the users. Once each item in the list has been encoded by an encoder, a bit array with high and low values may be used to represent the items in the list. The bit array may be embodied in a validation system for allowing users to query the list to determine whether an inquiry item is on the list. The validation system determines which bits to check by executing the same coding process executed by the encoder. If all the bits are high, then the inquiry item is determined to be part of the list, if at least one bit is low, then the inquiry item is determined not to be part of the original list.
    Type: Grant
    Filed: August 20, 2007
    Date of Patent: October 16, 2012
    Assignee: United States Postal Service
    Inventors: Robert F. Snapp, James D. Wilson
  • Patent number: 8290151
    Abstract: A device for determining an inverse of an initial value related to a modulus, comprising a unit configured to process an iterative algorithm in a plurality of iterations, wherein an iteration includes two modular reductions and has, as an iteration loop result, values obtained by an iteration loop of an extended Euclidean algorithm.
    Type: Grant
    Filed: October 12, 2007
    Date of Patent: October 16, 2012
    Assignee: Infineon Technologies AG
    Inventor: Wieland Fischer
  • Patent number: 8280020
    Abstract: Transparent caller name authentication is provided to authorized third parties by creating a Public Key Infrastructure (PKI) certificate chain. An owner of a registered caller name can authorize third parties to use the caller name by issuing a PKI sub-certificate to each authorized third party. An authenticated caller name displays the owner's name to the called party. Outsourcing and mobile employment is thereby facilitated, and called party confusion is reduced.
    Type: Grant
    Filed: February 6, 2007
    Date of Patent: October 2, 2012
    Assignee: Alcatel Lucent
    Inventors: Dmitri Vinokurov, Stanley TaiHai Chow, Vinod Kumar Choyi
  • Patent number: 8280060
    Abstract: A method in accordance with one embodiment of the invention can include receiving a request for a public key from a local node. Furthermore, the public key and a private key that corresponds to the public key can be generated. The public key can be sent to the local node. An encrypted session key can be received from the local node. The encrypted session key can be decrypted using the private key. Additionally, the decrypted session key can be sent to the local node that enables the local node to have secure wireless communication with a remote node. The remote node can generate the encrypted session key using the public key.
    Type: Grant
    Filed: March 12, 2008
    Date of Patent: October 2, 2012
    Assignee: Cypress Semiconductor Corporation
    Inventor: David G. Wright
  • Patent number: 8271804
    Abstract: An information processing device creates a hash value from an event log every time the event occurs. The information processing device generates a digital signature by encrypting the hash value with its own private key. The device transmits the signature-bound event log obtained by binding the digital signature with the event log to a log management apparatus. The log management apparatus decrypts the hash value from the event log of the received signature-bound log information using a device public key. The apparatus also generates a new hash value from the event log, verifies the coincidence of the decrypted hash value and the new hash value, and authenticates signature-bound event logs for which this coincidence has been verified. The apparatus stores signature-bound event logs that have been authenticated. Every time an event occurs, the device transmits an event log bound with a digital signature that is created using its private key.
    Type: Grant
    Filed: September 17, 2008
    Date of Patent: September 18, 2012
    Assignee: Brother Kogyo Kabushiki Kaisha
    Inventor: Yasuhiro Kudo
  • Patent number: 8261092
    Abstract: An image retrieval system that provides secured image data in response to a query specified by a user. The system includes a data retrieval unit, an encryption unit, and an output unit. The data retrieval unit is configured to retrieve image data relevant to the specified query from a collection of image data. The encryption unit is configured to encrypt at least a portion of the retrieved image data according to the specified query. The output unit is configured to output the at least partially encrypted image data to the user. The image data represents an image formed of one or more regions each having a keyword associated therewith. The encrypted portion is decryptable by the user only when the user is authorized to view the entire image.
    Type: Grant
    Filed: December 4, 2008
    Date of Patent: September 4, 2012
    Assignee: Ricoh Company, Ltd.
    Inventors: Malko Takenaka, Shogo Oneda
  • Patent number: 8261061
    Abstract: Embodiments of the present invention enable a user to engage in secure communications using digital certificates and other cryptographic technologies in an easy way with a minimum of distracting interaction. In some embodiments of the present invention, webmail is enabled to allow users to obtain and use S/MIME certificates to secure his or her e-mails. Embodiments of the present invention can also be implemented to other forms of messaging, such as text messages, instant messages, etc.
    Type: Grant
    Filed: October 15, 2008
    Date of Patent: September 4, 2012
    Assignee: Penango, Inc.
    Inventor: Sean Joseph Leonard
  • Patent number: 8255465
    Abstract: Methods and systems for communicating information between computer networks in which the information to be communicated is required at one location (e.g. for processing) but only available at another location. The information may be absent deliberately (for privacy reasons) or may simply be unavailable as an artifact of the computer network(s) involved. The required information, such as the internal client IP address, is inserted into the outgoing network communication in a manner that does not materially affect the normal transit or utility of the network communication (e.g. as custom headers). The information is preferably inserted in an encrypted form, so that it may pass over a public network and be invulnerable to unauthorised scrutiny.
    Type: Grant
    Filed: September 22, 2006
    Date of Patent: August 28, 2012
    Assignee: ScanSafe Limited
    Inventor: John Edwards
  • Patent number: 8243934
    Abstract: An electronic device and an encryption method thereof are provided. The electronic device includes a control unit which encrypts an encryption key using an inherent key, and transmits the encrypted encryption key and a key index corresponding to the inherent key to a recording medium. Accordingly, encrypted content stored in a recording medium can be decrypted when an electronic device is malfunctioning or replaced with a new one.
    Type: Grant
    Filed: March 12, 2008
    Date of Patent: August 14, 2012
    Assignee: Samsung Electronics Co., Ltd.
    Inventor: Yun-ho Choi
  • Patent number: 8245042
    Abstract: Embodiments of the invention provide for shielding a sensitive file on a computer that can connect to a server computer via a network. The computer may determine whether it complies with security compliance requirements sent from another computer or not in response to a read instruction or a write instruction of the sensitive file by application software, and encrypt the sensitive file with an encryption key.
    Type: Grant
    Filed: November 23, 2009
    Date of Patent: August 14, 2012
    Assignee: International Business Machines Corporation
    Inventors: Mitsuru Chinen, Shinsuke Noda
  • Patent number: 8233627
    Abstract: A user private key is stored in a database of the user terminal. A user public key and user information are stored in the user management DB. The encryption/decryption unit encrypts an authority private key specific to a first authority given to a user, by using a user public key associated with user information to indicate a user. The secret sharing unit shares in secret an authority private key into two or more shared authority private keys. The encryption/decryption unit encrypts the shared authority private keys, by using an authority public key specific to each of second authorities to manage the first authority in a shared manner. The authority management DB stores the encrypted authority private key and authority public key in association with the first authority, and stores the encrypted shared authority private keys in association with the second authorities.
    Type: Grant
    Filed: April 3, 2008
    Date of Patent: July 31, 2012
    Assignees: Kabushiki Kaisha Toshiba, Toshiba Solutions Corporation
    Inventors: Tomonari Tanaka, Kazunori Sekido, Masamichi Tateoka
  • Publication number: 20120183145
    Abstract: Techniques for assuring a receiver's non repudiation of a communication are provided via cooperation with a secure device. A secure device operates within a local environment of a receiver and exchanges certificates with a sender via the receiver. The sender encrypts data in a communication with the receiver. Separately, the sender sends an encrypted version of a decryption key to the receiver. The receiver presents the encrypted version of the key to the secure device and the secure device supplies the decryption key for use by the receiver to decrypt the previously sent encrypted data.
    Type: Application
    Filed: March 30, 2012
    Publication date: July 19, 2012
    Inventor: Gosukonda Naga Venkata Satya Sudhakar
  • Patent number: 8225089
    Abstract: The method includes the steps of receiving at the PEAD first digital data representing the transaction request. The PEAD provides information to the user regarding an ability to approve the transaction request. When the transaction request is approved by the user, the PEAD receives second digital data representing the electronic service authorization token. A remote agent server may provide a bridge between the electronic transaction system and the PEAD. In another embodiment, the private key is stored on the portable device, encrypted. The decryption key is stored outside of the device, at a trusted 3rd party location. When the user attempts to make a signature, the software sends a request for the decryption key, along with the user's password or pass phrase keyed in at the keyboard of the PDA, smart phone, or cell phone, to a server belonging to the trusted 3rd party.
    Type: Grant
    Filed: February 23, 2001
    Date of Patent: July 17, 2012
    Assignee: Otomaku Properties Ltd., L.L.C.
    Inventors: Ynjiun P. Wang, Joshua C. Ding, James A. Grizzard
  • Patent number: 8223969
    Abstract: A method for secure communications. At least one encryption key can be generated based on a pass-phrase that associates a unique identifier of a client system with a customer. Customer data encrypted with the at least one encryption key can be received such that the customer data is uniquely associated with both the client system and with the customer. The client system cannot decrypt the customer data if the unique identifier of the client system is changed. The client system cannot decrypt the customer data if the customer is changed.
    Type: Grant
    Filed: June 10, 2010
    Date of Patent: July 17, 2012
    Assignee: Noatak Software LLC
    Inventor: Christopher R. Newcombe
  • Patent number: 8225108
    Abstract: The present invention provides a method of integrating existing strong encryption methods into the processing of a .ZIP file to provide a highly secure data container which provides flexibility in the use of symmetric and asymmetric encryption technology. The present invention adapts the well established .ZIP file format to support higher levels of security and multiple methods of data encryption and key management, thereby producing a highly secure and flexible digital container for electronically storing and transferring confidential data.
    Type: Grant
    Filed: September 20, 2004
    Date of Patent: July 17, 2012
    Assignee: PKWare, Inc.
    Inventor: James C. Peterson
  • Patent number: 8218763
    Abstract: A method for electronically storing and retrieving at a later date a true copy of a document stored on a remote storage device comprises: sending a document in electronic format from a document owner's computing device to a store entity for storing the document; generating a digest of the document while the document is at the store entity by applying a hash function to the document; signing the digest electronically with a key while said document is at the store entity; generating a receipt that includes the digest and the key; sending the receipt to the document owner; and verifying, at the document owner's computing device, that the received receipt corresponds to the document sent from the owner's computing device.
    Type: Grant
    Filed: April 22, 2009
    Date of Patent: July 10, 2012
    Assignee: International Business Machines Corporation
    Inventor: John G. Rooney
  • Patent number: 8214636
    Abstract: A public key infrastructure comprises a client side to request and utilize certificates in communication across a network and a server side to administer issuance and maintenance of said certificates. The server side has a portal to receive requests for a certificate from a client. A first policy engine processes such requests in accordance with a set of predefined protocols. A certification authority is also provided to generate certificates upon receipt of a request from the portal. The CA has a second policy engine to implement a set of predefined policies in the generation of a certificate. Each of the policy engines includes at least one policy configured as a software component, e.g. a Java bean, to perform the discrete functions associated with the policy and generate notification in response to a change in state upon completion of the policy.
    Type: Grant
    Filed: September 14, 2009
    Date of Patent: July 3, 2012
    Assignee: Certicom Corp.
    Inventor: Amit Kapoor
  • Patent number: 8214638
    Abstract: A source computer is associated with multiple certificates. The source signs each certificate with a separate private key. From time to time, the source generates (a) new key pair(s) to replace (an) old one(s). The source uses the new private key(s) to sign the associated certificate(s). The source then requests a connection to a destination computer, the request being associated with the multiple certificates which identify the source. The source also transmits the new public key(s). The destination receives the request, and checks the certificates for validity. If less than all but at least a threshold number of the certificates are valid, the destination notes that one or more new public keys are being distributed. The destination accepts the connection, receives the new public key(s) associated with the invalid certificate(s), and replaces the corresponding old public key(s).
    Type: Grant
    Filed: September 26, 2006
    Date of Patent: July 3, 2012
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Alan Karp, Tyler Close
  • Patent number: 8213967
    Abstract: A method and system for preventing replay-type attacks on a vehicle communications system that sends short message service (SMS) messages between a call center and a fleet of vehicles. The method uses separate sequence counters maintained at the call center and at each of the vehicles in the fleet to help prevent or at least minimize the effects of unauthorized third party interference, such as replay-type attacks. Each wireless message is embedded with a sequence counter that is provided by the sender and is compared by the recipient with a separate sequence counter for purposes of validation. Some optional features that can be used in conjunction with the sequence counters include a tolerance window feature, a consecutive message feature, and a proximity feature, to name but a few.
    Type: Grant
    Filed: December 31, 2007
    Date of Patent: July 3, 2012
    Assignee: GM Global Technology Operations LLC
    Inventors: James M. Kortge, Ansaf I. Alrabady
  • Patent number: 8208630
    Abstract: Examples of a system, method, and apparatus for encrypting and recording content are presented. When content is recorded to storage media, the content is encrypted with a content instance key. This content instance key is encrypted with the public key of a first set-top box and a duplicate of the content instance key is encrypted with the public key of other than said first set-top box. A private key corresponding with the public key of the first set-top box may be used to decrypt the content instance key, or a private key corresponding to the public key of other than the first set-top box may be used to decrypt the duplicate of the content instance key so that the encrypted content from the removable storage media may be made available in the clear.
    Type: Grant
    Filed: August 31, 2009
    Date of Patent: June 26, 2012
    Assignee: Cisco Technology, Inc.
    Inventor: Anthony Wasilewski
  • Patent number: 8208638
    Abstract: A set of equipment for secure direct information transfer over the Internet contains information transmitting terminal devices for collaborating with an information forwarding network, taking part in the information traffic. The individual information transmitting terminal devices are equipped with a sender partial unit, a receiver partial unit and a storage partial unit comprising an ID-register containing a device identification signal, a C-register for storing a coding key and a D-register for storing a decoding key. The C-register containing the coding key is connected to the sender partial unit, and a coding key and a collaborating decoding key are allocated to each individual information transmitting terminal device.
    Type: Grant
    Filed: November 2, 2004
    Date of Patent: June 26, 2012
    Inventors: Miklós Jobbágy, Gábor Kuti, János Zelenák
  • Patent number: 8189793
    Abstract: A key terminal apparatus includes a crypto-processing LSI that performs predetermined crypto-processing. Unique information identifying the crypto-processing LSI is embedded in the crypto-processing LSI. A predetermined master key corresponding to a predetermined key is embedded in the crypto-processing LSI. The crypto-processing LSI (a) receives an encrypted manufacturer key from the manufacturer key storage unit, (b) decrypts the encrypted manufacturer key using the predetermined master key to generate a manufacturer key, (c) generates a unique manufacturer key identical to the predetermined unique manufacturer key, based on the unique information embedded in the crypto-processing LSI and the generated manufacturer key, and (d) decrypts the received encrypted device key using the generated identical unique manufacturer key to generate a predetermined device key.
    Type: Grant
    Filed: August 7, 2008
    Date of Patent: May 29, 2012
    Assignee: Panasonic Corporation
    Inventors: Yoshikatsu Ito, Kouichi Kanemura
  • Patent number: 8180060
    Abstract: In the telemedical system securely sharing encryption keys for enabling secure exchange of the encrypted biological data between the measurement terminal and the server to prevent the data from being stolen by the malicious third party, a service key is transferred to the second adapter attached to a measurement terminal from the server via the first adapter attached to the management apparatus. First, the first adapter attached to the management apparatus receives the service key from the server. Next, the first adapter is temporarily detached from the management apparatus and is attached to the measurement terminal to store the symmetric key. The first adapter is detached from the measurement terminal, and is attached to the management apparatus again. The service key received in the first adapter is encrypted using the symmetric key, and the encrypted key is transmitted to the second adapter attached to the measurement terminal.
    Type: Grant
    Filed: August 20, 2008
    Date of Patent: May 15, 2012
    Assignee: Panasonic Corporation
    Inventors: Kazuhiro Aizu, Yosuke Tajika, Daisuke Kobayashi, Hiromichi Nishiyama, Masao Nonaka, Natsume Matsuzaki, Kaoru Yokota, Yuichi Futa
  • Patent number: 8180051
    Abstract: A system provides secure communications between a user operated device and a computerized device. The user operated device transfers an enable security message to the computerized device, and in response, the computerized device sends a first communications enablement message to the user operated device and displays a second communications enablement message on a display of the computerized device for viewing by a user operating the user operated device. The user operated device receives the first communications enablement message from the computerized device and receives the second communications enablement message from the user and establishes a secure communications session between the user operated device and the computerized device using the first communications enablement message and the second communications enablement message. The communications enablement messages can contain key material that enable encryption between the user operated device and the computerized device.
    Type: Grant
    Filed: October 7, 2002
    Date of Patent: May 15, 2012
    Assignee: Cisco Technology, Inc
    Inventor: James W. O'Toole, Jr.
  • Patent number: 8171283
    Abstract: The present invention advantageously provides a system and method for management of cryptographic keys and certificates for a plurality of vehicles. Each vehicle of the plurality of vehicles generates public/private key pairs, requests multiple time-distributed certificates, creates an encrypted identity, and surrenders expired certificates. An assigning authority receives the public/private key pairs, the request for multiple time-distributed certificates, the encrypted identity, and the expired certificates from said vehicle. The assigning authority authorizes the vehicle with an authorizing authority, validates the expired certificates, proves ownership, and distributes the requested time-distributed certificates to said vehicle. Validation can comprise checking expired certificates against misused, compromised and/or previously surrendered certificates.
    Type: Grant
    Filed: March 19, 2008
    Date of Patent: May 1, 2012
    Assignee: Telcordia Technologies, Inc.
    Inventors: Stanley Pietrowicz, Giovanni Di Crescenzo, Robert G. White, Tao Zhang
  • Patent number: 8170207
    Abstract: This invention relates to a method for generating a shared secret value between entities in a data communication system, one or more of the entities having a plurality of members for participation in the communication system, each member having a long term private key and a corresponding long term public key. The method comprises the steps of generating a short term private and a corresponding short term public key for each of the members; exchanging short term public keys of the members within an entity. For each member then computing an intra-entity shared key by mathematically combining the short term public keys of each of the members; computing an intra-entity public key by mathematically combining its short-term private key, the long term private key and the intra-entity shared key.
    Type: Grant
    Filed: November 19, 2010
    Date of Patent: May 1, 2012
    Assignee: Certicom Corp.
    Inventor: Scott Alexander Vanstone
  • Patent number: 8160244
    Abstract: Stateless hardware security modules facilitate securing data transfers between devices in a data communication system. The stateless hardware security module may communicate with other devices via a secure communication channel to securely transfer information between the client device and another device. As a result, sensitive information such as cryptographic keys and data may be securely routed between the client device and another device. The stateless hardware security module may support a limited set of key management operations to facilitate routing of information between the client device and another device. However, the stateless hardware security module does not need to maintain state information for the keys it maintains and/or uses. As a result, the stateless hardware security module may be advantageously integrated into a variety of client devices.
    Type: Grant
    Filed: June 21, 2005
    Date of Patent: April 17, 2012
    Assignee: Broadcom Corporation
    Inventor: Mark Buer
  • Patent number: 8160256
    Abstract: A key calculation method and a shared key generation method, the key calculation method including: generating two keys to perform a key calculation; calculating a first value based on coefficients having an identical coefficient value among coefficients included in each of the two keys; and performing a coordinates operation or an exponentiation operation based on the first value, wherein the calculating of the first value is performed with respect to each of coefficient values included in the two keys, excluding 0.
    Type: Grant
    Filed: August 8, 2007
    Date of Patent: April 17, 2012
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Jeong Hyun Yi, Jung Hee Cheon, Taekyoung Kwon, Mun-Kyu Lee, Eunah Kim
  • Patent number: 8151108
    Abstract: A secure channel is established to enable access to switched video service on a media server using a bridge component between the media server and a switched video network. Multiple tuners can be coupled with the media server. Each of the multiple tuners can have an associated unique certificate and corresponding public key. The secure channel for switched video service can be established for each of the multiple tuners.
    Type: Grant
    Filed: July 2, 2008
    Date of Patent: April 3, 2012
    Assignee: Digital Keystone, Inc.
    Inventors: Luc Vantalon, Paolo Siccardo
  • Patent number: 8135954
    Abstract: A server, e.g., a client (105, 107, 109), receives a request for a digital signature to be applied to digital information, obtains a representation of the information, determines a designation of key pair(s) to be applied thereto; and transmits a request for the digital signature to a front end server (103a, 103b). The front end server determines one or more of whether the client is authentic and authorized, the user identifier is authentic, and the user identifier is permitted to make the request. If so, the front end server transmits a request to generate a digital signature to a back end server (101). The back end server determines one or more of whether the front end server is authentic and the designated key pair corresponds to the requesting front end server. If so, the back end server generates the digital signature based on the information and the key pair(s).
    Type: Grant
    Filed: December 20, 2004
    Date of Patent: March 13, 2012
    Assignee: Motorola Mobility, Inc.
    Inventors: Joel D. Voss, Ronald F. Buskey, Joseph M. Hansen, David H. Hartley, Michael J. Terrington
  • Patent number: 8135129
    Abstract: A method and a circuit for protecting a numerical quantity contained in an integrated circuit on a first number of bits, in a modular exponentiation computing of a data by the numerical quantity, including: selecting at least one second number included between the unit and said first number minus two; dividing the numerical quantity into at least two parts, a first part including, from the bit of rank null, a number of bits equal to the second number, a second part including the remaining bits; for each part of the quantity, computing a first modular exponentiation of said data by the part concerned and a second modular exponentiation of the result of the first by the figure 2 exponentiated to the power of the rank of the first bit of the part concerned; and computing the product of the results of the first and second modular exponentiations.
    Type: Grant
    Filed: June 14, 2006
    Date of Patent: March 13, 2012
    Assignee: STMicroelectronics S.A.
    Inventors: Yannick Teglia, Pierre-Yvan Liardet, Alain Pomet
  • Patent number: 8130945
    Abstract: A public key cryptography (PKI or other similar system) is used to send partial or multiple encryption or decryption algorithms (cipher or decipher) to the data sender or receiver to encrypt or decrypt the data to be sent or received and destroy itself after each or multiple use. Since the encryption algorithm is protected, it can be devised very small in size in comparison to the data to be sent and the user can afford to use a large key size in its transmission to increase protection without significant impact to the overall speed. Without knowing the encryption algorithm, which may also be changing from time to time, it will be impossible to use brute force to break the code provided that the algorithm scheme is designed properly. This is because there are unlimited numbers of new or old algorithms with countless variations and it takes years of super fast computing time to break even a few algorithms.
    Type: Grant
    Filed: October 13, 2005
    Date of Patent: March 6, 2012
    Inventor: Fong Luk
  • Patent number: 8132003
    Abstract: Embodiments of apparatus, articles, methods, and systems for secure platform voucher service for software components within an execution environment are generally described herein. An embodiment includes the ability for a Virtual Machine Monitor, Operating System Monitor, or other underlying platform capability to restrict memory regions for access only by specifically authenticated, authorized and verified software components, even when part of an otherwise compromised operating system environment. A provisioning remote entity or gateway only needs to know a platform's public key or certificate hierarchy in order to receive verification proof for any component in the platform. The verification proof or voucher helps to assure to the remote entity that no man-in-the-middle, rootkit, spyware or other malware running in the platform or on the network will have access to the provisioned material.
    Type: Grant
    Filed: September 28, 2007
    Date of Patent: March 6, 2012
    Assignee: Intel Corporation
    Inventors: David Durham, Hormuzd M. Khosravi, Uri Blumenthal, Men Long
  • Patent number: 8130947
    Abstract: A method and a system for privacy-preserving SNA. A plurality of vertices of a first subgraph of a graph is encrypted with a first key of a commutative encryption scheme. A plurality of vertices of a second subgraph encrypted with a second key of the commutative encryption scheme are received and encrypted commutatively with the first key. A plurality of commutatively encrypted vertices of the first subgraph and a plurality of commutatively encrypted vertices of the second subgraph are used for computing centrality metrics preserving the privacy of the graph and its structure.
    Type: Grant
    Filed: July 16, 2008
    Date of Patent: March 6, 2012
    Assignee: SAP AG
    Inventors: Florian Kerschbaum, Andreas Schaad
  • Patent number: 8121290
    Abstract: An efficient pseudo-random function and an efficient limited number of times authentication system using such a function are realized. A pseudo-random function calculating device comprises a key creating means and a pseudo-random function calculating means. The key creating means creates a public key made of a set of at least a first component and a second component as components constituting an element of a finite group and a secret key made of an integer and secretly saves the created secret key in a secret key memory section but makes the public key public. The pseudo-random function calculating means outputs the element of a finite group as function value of the pseudo-random function upon receiving an integer as input.
    Type: Grant
    Filed: May 26, 2006
    Date of Patent: February 21, 2012
    Assignee: NEC Corporation
    Inventor: Isamu Teranishi
  • Patent number: 8098823
    Abstract: A method for generating a network address, called a multi-key cryptographically generated address (MCGA), enables the network address to be claimed and defended by multiple network devices. The network address can be generated by (a) obtaining a cryptographically generated identifier using public keys corresponding to the network devices, and (b) applying an address generation function to the cryptographically generated identifier. The address generation function may be a one-way coding function or cryptographic hash of the public keys from all hosts that will advertise or claim the right to use the address. A message that claims authority over the MCGA may include an encrypted digest of the message which is encrypted using the private key of the sender. Authentication of the sender may be achieved by obtaining a test digest from the message using the digest function, decrypting the encrypted digest, and comparing the decrypted digest to the test digest.
    Type: Grant
    Filed: March 16, 2006
    Date of Patent: January 17, 2012
    Assignee: NTT DoCoMo, Inc.
    Inventors: James Kempf, Craig B. Gentry
  • Publication number: 20120008787
    Abstract: A lightweight security framework is disclosed that combines PKI with symmetric key cryptography to exploit the system asymmetry in hierarchical sensor networks. The framework provides protocols for public key exchange, session and group key generation, pair-wise key generation, and network resource protection in a low-cost security architecture. The security framework shifts much of the security-related computational load off of the resource-constrained sensor nodes and on to resource-rich base station nodes. The method is based on the generation and management of two kinds of symmetric keys from a set of bootstrapping asymmetric keys on each node.
    Type: Application
    Filed: September 19, 2011
    Publication date: January 12, 2012
    Inventors: Chieh-Yih Wan, Mark Yarvis, Jens Mache
  • Patent number: 8090942
    Abstract: The present invention provides a method of integrating existing strong encryption methods into the processing of a .ZIP file to provide a highly secure data container which provides flexibility in the use of symmetric and asymmetric encryption technology. The present invention adapts the well established .ZIP file format to support higher levels of security and multiple methods of data encryption and key management, thereby producing a highly secure and flexible digital container for electronically storing and transferring confidential data.
    Type: Grant
    Filed: September 17, 2004
    Date of Patent: January 3, 2012
    Assignee: PKWARE, Inc.
    Inventor: James C. Peterson
  • Patent number: 8086868
    Abstract: Public-key cryptography is realized by means of PKI in which biometrics data, in which biological information of users is converted to numerical values, are used to authenticate users that transmit and receive data, and based on the biometrics data, identical secret keys (common secret keys) are generated in each of the user terminal devices that are used by the users without releasing the secret keys onto the network.
    Type: Grant
    Filed: May 30, 2005
    Date of Patent: December 27, 2011
    Assignee: NEC Corporation
    Inventors: Tomoki Kubota, Seiichi Hiratsuka
  • Patent number: 8068614
    Abstract: A processing system may include a processing unit and nonvolatile storage responsive to the processing unit. The nonvolatile storage may include a candidate boot code module and an authentication code module. The processing unit may be configured to execute code from the authentication code module before executing code from the candidate boot code module. The authentication code module may have instructions which, when executed by the processing unit, cause the processing unit to read a processor identifier from the processing unit and determine whether the processor belongs to a predetermined set of processors associated with a specific vendor, based at least in part on the identifier, before executing any instructions from the candidate boot code module. The processing system may also test authenticity of the candidate boot code module before executing any instructions from the candidate boot code module. Other embodiments are described and claimed.
    Type: Grant
    Filed: September 28, 2007
    Date of Patent: November 29, 2011
    Assignee: Intel Corporation
    Inventors: Mohan J. Kumar, Shay Gueron
  • Patent number: 8068612
    Abstract: Cryptographic systems and methods are provided in which authentication operations, digital signature operations, and encryption operations may be performed. Authentication operations may be performed using authentication information. The authentication information may be constructed using a symmetric authentication key or a public/private pair of authentication keys. Users may digitally sign data using private signing keys. Corresponding public signing keys may be used to verify user signatures. Identity-based-encryption (IBE) arrangements may be used for encrypting messages using the identity of a recipient. IBE-encrypted messages may be decrypted using appropriate IBE private keys. A smart card, universal serial bus key, or other security device having a tamper-proof enclosure may use the authentication information to obtain secret key information. Information such as IBE private key information, private signature key information, and authentication information may be stored in the tamper-proof enclosure.
    Type: Grant
    Filed: April 21, 2008
    Date of Patent: November 29, 2011
    Assignee: Voltage Security, Inc.
    Inventors: Guido Appenzeller, Terence Spies, Xavier Boyen
  • Patent number: 8065516
    Abstract: A magnetic disk drive is provided capable of reducing a processing load even in a mode of, for example, reproduction during recording. In one embodiment, a magnetic disk drive includes a storage unit for storing certificate information that relates to the magnetic disk drive and corresponds to a root key of a certification organization. The certificate information is used on the host side to perform authentication processing of the magnetic disk drive.
    Type: Grant
    Filed: September 27, 2006
    Date of Patent: November 22, 2011
    Assignee: Hitachi Global Storage Technologies Netherlands B.V.
    Inventors: Yoshiju Watanabe, Tatsuya Hirai
  • Patent number: 8054977
    Abstract: In a monitoring apparatus adapted to monitor an image forming apparatus, a data acquisition module acquires monitoring information from at least one image forming apparatus. An HTTP server module produces a new encryption key pair including a public key and a private key. The public key is used to encrypt notification information in the user-site centralized monitoring apparatus. The private key is incorporated together with a bunch of private keys produced in the past into a data reading program. Preparations are made so that the data reading program can be downloaded.
    Type: Grant
    Filed: May 12, 2006
    Date of Patent: November 8, 2011
    Assignee: Canon Kabushiki Kaisha
    Inventor: Nobuyuki Kojima
  • Patent number: 8037294
    Abstract: An identification tag for authenticating a product is associated with the product and has authentication data transmissible to a reader device. The authentication data include source data including a tag identifier that uniquely identifies the identification tag and a signature value that is a result of a private key encryption of a representation of the source data, where the private key encryption uses a private key of a public key encryption method.
    Type: Grant
    Filed: April 7, 2006
    Date of Patent: October 11, 2011
    Assignee: SAP AG
    Inventor: Zoltan Nochta