Key Escrow Or Recovery Patents (Class 380/286)
  • Patent number: 8112638
    Abstract: The secure backup system is in a mobile telecommunication network and has at least one mobile station with data, a backup entity for storing a backup file of the data, and cryptographic means for encrypting and decrypting the data. The cryptographic means contains a decryption key consisting of at least a first key part, a second key part and a key recreation key part. The key parts are stored in different entities.
    Type: Grant
    Filed: May 9, 2006
    Date of Patent: February 7, 2012
    Inventors: Fredrik Almgren, Mariette Lehto
  • Patent number: 8112790
    Abstract: Methods and apparatus are provided for authenticating a remote service to another service on behalf of a user. A user client authorizes a remote application client to perform one or more actions with a server on behalf of the user client. The user client provides one or more keys to a remote authentication service; receives an identifier of the remote application client, where the remote authentication client is remote from the server; and notifies the remote authentication service that the remote application client is authorized to obtain a response from the remote authentication service regarding a challenge from the server, where the response is based on at least one of the one or more keys stored by the remote authentication service on behalf of the user client.
    Type: Grant
    Filed: June 30, 2005
    Date of Patent: February 7, 2012
    Assignee: Alcatel Lucent
    Inventors: Eric Henry Grosse, Victor C Zandy
  • Publication number: 20120027214
    Abstract: An LSI includes a first decryptor which receives first encrypted key data, and decrypts the first encrypted key data using a first cryptographic key, thereby generating first decrypted key data, a second cryptographic key generator which generates a second cryptographic key based on a second ID, a second encryptor which encrypts the first decrypted key data using the second cryptographic key, thereby generating second encrypted key data, and a second decryptor which decrypts the second encrypted key data using the second cryptographic key, thereby generating second decrypted key data. At a time of key setting, the second encryptor stores the second encrypted key data in a storage unit. At a time of key usage, the second decryptor reads the second encrypted key data from the storage unit.
    Type: Application
    Filed: October 5, 2011
    Publication date: February 2, 2012
    Applicant: PANASONIC CORPORATION
    Inventors: Kaoru YOKOTA, Akihito Katsura, Yusuke Nemoto, Yuishi Torisaki, Makoto Fujiwara
  • Patent number: 8107623
    Abstract: A method for verifying a first identity and a second identity of an entity, said method comprising: receiving first identity information at a checking entity; sending second identity information from the entity to said checking entity; verifying that the first and second identities both belong to said entity; and generating a key using one of said first and second identity information.
    Type: Grant
    Filed: June 21, 2004
    Date of Patent: January 31, 2012
    Assignee: Nokia Corporation
    Inventor: Pekka Laitinen
  • Patent number: 8099607
    Abstract: A system for securing information, includes a processor and storage device. The storage device stores information encrypted with one of a first private rolling key and a first public rolling key of a first asymmetric rolling crypto-key, along with the one first rolling key. The processor has the logic to direct transmission, via a network, of proof of knowledge of the stored one first rolling key to authenticate a user, and of a request for the other of the first private rolling key and the first public rolling key. The processor receives the other first rolling key via the network, responsive to the directed transmission. The processor then decrypts the stored encrypted information with the received other first rolling key, and generates a second asymmetric rolling crypto-key having a second private rolling key and a second public rolling key. The processor encrypts the information with one of the second private rolling key and the second public rolling key.
    Type: Grant
    Filed: January 17, 2006
    Date of Patent: January 17, 2012
    Assignee: VMware, Inc.
    Inventors: Ravinderpal Singh Sandhu, Brett Jason Schoppert, Ravi Ganesan, Mihir Bellare, Colin Joseph deSa
  • Patent number: 8098829
    Abstract: An embodiment pertains generally to a method of delivering keys in a server. The method includes generating a subject key pair, where the subject key pair includes a subject public key and a subject private key. The method also includes retrieving a storage key and encrypting the subject private key with the storage key as a wrapped storage private key. The method further includes storing the wrapped storage private key.
    Type: Grant
    Filed: June 6, 2006
    Date of Patent: January 17, 2012
    Assignee: Red Hat, Inc.
    Inventors: Christina Fu, Steven William Parkinson, Nang Kon Kwan
  • Patent number: 8098828
    Abstract: Methods and systems are provided for trusted key distribution. A key distribution or an identity service acts as an intermediary between participants to a secure network. The service provisions and manages the distribution of keys. The keys are used for encrypting communications occurring within the secure network.
    Type: Grant
    Filed: April 30, 2010
    Date of Patent: January 17, 2012
    Assignee: Novell, Inc.
    Inventors: Stephen R. Carter, Carolyn B. McClain
  • Patent number: 8098825
    Abstract: A method for enhancing data encryption using multiple-key lists is disclosed. A first multiple-key list and a second multiple-key list for a decryption key are created, wherein each multiple-key list comprises plural partial decryption keys. Content to be accessed is encrypted using an encryption key corresponding to the decryption key. The first multiple-key list is stored in a hidden area of a memory device storing the content. The second multiple-key list is stored in the memory device. When the memory device is installed on an electronic device, an application installed in the electronic device is activated to select a first partial decryption key from the first multiple-key list stored in the hidden area and a second partial decryption key from the memory device, re-organizes and codes the first and second partial decryption keys to recover the decryption key, and decrypts the content using the decryption key, enabling the electronic device to access the content.
    Type: Grant
    Filed: June 30, 2008
    Date of Patent: January 17, 2012
    Assignee: Condel International Technologies Inc.
    Inventors: Chi-Yang Chou, Pei-Yen Chou, Yeu-Chung Lin
  • Patent number: 8099609
    Abstract: According to one embodiment, an information processing apparatus includes a receiving device including a tuner unit which receives broadcast program data, a first nonvolatile memory which stores an encryption key, and an encryption unit which encrypts the broadcast program data, which is received by the tuner unit, based on the encryption key, and a second nonvolatile memory which is provided on a system board, which is electrically connected to the receiving device, and stores key recovery data for recovering the encryption key which is stored in the first nonvolatile memory.
    Type: Grant
    Filed: December 27, 2006
    Date of Patent: January 17, 2012
    Assignee: Kabushiki Kaisha Toshiba
    Inventor: Satoshi Takezaki
  • Patent number: 8085938
    Abstract: In a secret information management system for managing a secret information of a user, the secret information is divided into a plurality of divided data by using a secret sharing scheme, such that the secret information can be recovered from a prescribed number of the divided data, and a part of the plurality of divided data is stored into a terminal of the user as user's divided data while a rest of the plurality of divided data are stored into one or more of deposit servers. Then, a plurality of re-divided data different from the plurality of divided data are generated, from a combination of the prescribed number of the divided data among the divided data stored in the deposit servers by using the secret sharing scheme, and a part of the plurality of re-divided data is stored into the terminal as newly generated user's divided data while a rest of the plurality of re-divided data are stored into the deposit servers as newly generated divided data.
    Type: Grant
    Filed: February 10, 2005
    Date of Patent: December 27, 2011
    Assignee: NTT Communications Corporation
    Inventors: Makoto Kagaya, Toshihiko Ogihara, Susumu Nomura
  • Publication number: 20110305342
    Abstract: Provided is an information processing apparatus including a content encryption section that generates a content encrypted with a device key, a first storage section storing board determination information for determining whether the board is a board at the time of shipment or a replacement board, a second storage section capable of storing board specific information used to generate the device key, a third storage section storing apparatus specific information, a recording section associating the board and apparatus specific information with each other and recording them through the connection section in the external storage apparatus, and an updating section reading from the external storage apparatus the board specific information associated with the apparatus specific information, and updating content of the second storage section and the board determination information of the first storage section, when the board is determined to be the replacement board on the basis of the board determination information.
    Type: Application
    Filed: June 2, 2011
    Publication date: December 15, 2011
    Applicant: SONY CORPORATION
    Inventor: Kuniyuki Manaka
  • Patent number: 8074067
    Abstract: It is an object of the present invention to enhance the security and reduce the data amount of data to be handled in a group signing system, in which when the group public key which includes: a description for four groups: group 1, group 2, group T, and group E of the same order number; a description of bilinear mapping from group 1 and group 2 to group T; each generator of group 1, group 2, group T, and group E; and a signature public key of a signature scheme using group 1, group 2, and group T, is input, the member secret key including an integer not larger than the order number, member evidence which is a value given by multiplying the generator of group E by the member secret key, and an element of group 1 or group 2 which is a value given by multiplying the generator of the group 1 or the group 2 by the member secret key are sent to the member-certificate issuing device, and thereafter upon receipt of a signature for the member secret key, which is verifiable by the signature public key, from the member
    Type: Grant
    Filed: January 16, 2006
    Date of Patent: December 6, 2011
    Assignee: NEC Corporation
    Inventor: Jun Furukawa
  • Patent number: 8074069
    Abstract: Embodiments of the invention relate to reading at least one locked, encrypted computer file encrypted by an encryption filter driver running on an operating system of a computer system, with an added kernel driver, while the operating system is running and reading at least one locked, unencrypted computer file in a computer system with an operating system with an added kernel driver while the operating system is running. An exemplary embodiment includes getting the handle of the locked, encrypted computer file, causing encryption key information associated with the locked, encrypted computer file to be processed, and reading data from the locked, encrypted computer file by using the added kernel driver.
    Type: Grant
    Filed: February 24, 2005
    Date of Patent: December 6, 2011
    Assignee: International Business Machines Corporation
    Inventors: Anurag Sharma, Mark Andrew Smith
  • Patent number: 8074073
    Abstract: A digital message is sent from a sender to a recipient in a public-key based cryptosystem comprising an authorizer. The authorizer can be a single entity or comprise a hierarchical or distributed entity. In some embodiments, no key status queries or key escrow are needed. The recipient can decrypt the message only if the recipient possesses up-to-date authority from the authorizer. Other features are also provided.
    Type: Grant
    Filed: September 2, 2009
    Date of Patent: December 6, 2011
    Assignee: NTT DoCoMo, Inc.
    Inventor: Craig B. Gentry
  • Patent number: 8074076
    Abstract: This invention relates to a method to protect an assembly implementing a cryptographic calculation process which uses a homographic function f of type: f(z)=(az+b)/(cz+d) when (cz+d) is not equal to 0 and f(−d/c)=a/c, the function f operating on masked variables, wherein, for any k, if x is an input and y=f(x+k) is an output of the function f, to pass directly from a masked value x+m_i (additive masking of type XOR) to a masked value y+m_j, the method comprises performing this operation using a composition of several transformations operating on GF(2^k) with addition of the infinite, defined as (ax+b)/(cx+d), and of transformations which exchange two points.
    Type: Grant
    Filed: May 11, 2005
    Date of Patent: December 6, 2011
    Assignee: Gemalto SA
    Inventor: Nicolas Courtois
  • Publication number: 20110293098
    Abstract: A method and system for key recovery for a private key of a digital certificate for a client.
    Type: Application
    Filed: June 1, 2010
    Publication date: December 1, 2011
    Inventors: Christina Fu, Ade Lee
  • Patent number: 8064898
    Abstract: A system and method of covertly monitoring a communications device, the method including using a separate monitoring device to monitor a monitored communications device, without any indication of the monitoring being received by the monitored communications device.
    Type: Grant
    Filed: June 18, 2007
    Date of Patent: November 22, 2011
    Inventor: Murat Carnall
  • Patent number: 8060902
    Abstract: The system for receiving broadcast digital data (in particular pay television services) comprises a master digital terminal (1), and at least one slave digital terminal (2) connected to the master terminal by a link (3) and able to receive protected digital data. The slave digital terminal can access the protected data only if information necessary for accessing the data and received by the master digital terminal is sent by way of link (3) to the slave digital terminal within a predetermined deadline. This information is in particular access entitlements to television services or keys for descrambling the service.
    Type: Grant
    Filed: January 20, 2004
    Date of Patent: November 15, 2011
    Assignee: Thomson Licensing
    Inventors: Philippe Leyendecker, Jean-Maurice Cueff, Daniel Creusot
  • Patent number: 8060918
    Abstract: Verification facilitating company or companies X and verifying company or companies (e.g., credit service company or companies) Y may respectively manage member ID(s) and password(s) of user(s) 1 in mutually separate and mutually secret fashion. User(s) 1 may send member ID(s) to verification facilitating company or companies X from mobile telephone(s) 2, and verification facilitating company or companies X may use originating telephone number(s) and/or member ID(s) to carry out first-stage identity check(s). In the event of positive verification of identity as a result of such identity check(s), verification facilitating company or companies X may issue one-time ID(s) to user(s) 1 and may communicate such one-time ID(s) to verifying company or companies (e.g., credit service company or companies) Y. User(s) 1 may send one-time ID(s) and password(s) to verifying company or companies (e.g., credit service company or companies) Y from company or companies (e.g., store or stores) Z.
    Type: Grant
    Filed: October 30, 2002
    Date of Patent: November 15, 2011
    Assignee: Safety Angle Inc.
    Inventors: Masayuki Itoi, Tomokazu Takagawa
  • Patent number: 8059821
    Abstract: A method and apparatus for managing and backing-up a set of security keys are disclosed. The keys are generated first at a backup site and then are transmitted from the backup site to the primary site. The primary site then uses these keys to generate message authentication code for messages generated at the primary site. A portion of the key information is transmitted to a client site in the message. The client site then provides the message authentication code back to the service in a subsequent request. The message authentication code generated at the primary site is readable by the backup site. The primary site then takes the portion of the key information and uses this to verify the received message authentication code. In alternative embodiments the actual values used for generating the message authentication code are not transmitted in the message nor are they exposed to the public side of the service.
    Type: Grant
    Filed: December 27, 2006
    Date of Patent: November 15, 2011
    Assignee: Stamps.com Inc.
    Inventor: Geoffrey Charles Begen
  • Patent number: 8059814
    Abstract: A technique carries out seed (or key) derivation within an electronic apparatus (e.g., a hand holdable electronic apparatus such as a token, an authentication server, etc.). The technique involves acquiring a stored representation of a derived seed, the stored representation of the derived seed resulting from an earlier-performed cryptographic operation based on a higher-level seed. The technique further involves (i) performing a current cryptographic operation based on a stored representation of the higher-level seed, the current cryptographic operation resulting in a current representation of the derived seed, and (ii) providing a corruption detection signal indicating whether the current representation of the derived seed matches the stored representation of the derived seed.
    Type: Grant
    Filed: September 28, 2007
    Date of Patent: November 15, 2011
    Assignee: EMC Corporation
    Inventor: William M. Duane
  • Patent number: 8055911
    Abstract: The present invention allows creation of a backup key for backing up an encryption key inside a source trusted chip, encrypting the encryption key with the backup key, exporting the encrypted encryption key from the source trusted chip and storing it in a storage device, encrypting the backup key for transmission to a trusted third party. If the encrypted encryption key needs to be restored inside a destination trusted chip, the backup key and the encryption key encrypted with the backup key are imported to the destination trusted chip, where the encrypted encryption key is decrypted with the backup key inside the destination trusted chip to obtain the encryption key of the source trusted chip.
    Type: Grant
    Filed: December 7, 2005
    Date of Patent: November 8, 2011
    Assignees: Beijing Lenovo Software Ltd., Lenovo (Beijing) Limited
    Inventors: Rongfeng Feng, Ping Yin, Qiuxin Wu
  • Patent number: 8054978
    Abstract: A method for content access control operative to enable authorized devices to access protected content and to prevent unauthorized devices from accessing protected content, the method comprising: providing a plurality of authorized devices; dividing the plurality of authorized devices into a plurality of groups, each of the plurality of authorized devices being comprised in at least one of the plurality of groups, no two devices of the plurality of authorized devices being comprised in exactly the same groups; determining whether at least one device of the plurality of authorized devices is to be prevented from having access to the protected content and, if at least one device is to be prevented, removing all groups comprising the at least one device from the plurality of groups, thus producing a set of remaining groups; and determining an authorized set comprising groups from the set of remaining groups, such that each device of the plurality of authorized devices which was not determined, in the determining
    Type: Grant
    Filed: February 28, 2008
    Date of Patent: November 8, 2011
    Assignee: NDS Limited
    Inventor: Yevgeny Yakov (Gene) Itkis
  • Patent number: 8050409
    Abstract: As various applications of wireless ad hoc networks have been proposed, security has become one of the big research challenges and is receiving increasing attention. The present invention provides for a distributed key management and authentication approach by deploying the recently developed concepts of identity-based cryptography and threshold secret sharing. Without any assumption of pre-fixed trust relationship between nodes, the ad hoc network works in a self-organizing way to provide the key generation and key management service, which effectively solves the problem of single point of failure in the traditional public key infrastructure (PKI)-supported system. The identity-based cryptography mechanism provided not only provides end-to-end authenticity and confidentiality, but also saves network bandwidth and computational power of wireless nodes.
    Type: Grant
    Filed: April 4, 2005
    Date of Patent: November 1, 2011
    Assignee: University of Cincinnati
    Inventors: Dharma P. Agrawal, Hongmei Deng, Anindo Mukherjee
  • Publication number: 20110261964
    Abstract: Provided are a computer program product, system and method for a redundant key server encryption environment. A key server transmits public keys associated with the key server and at least one device to at least one remote key server. The key server receives from the at least one remote key server public keys associated with the at least one remote key server. The key server receives a request for an encryption key from a requesting device comprising one of the at least one device and generates the encryption key for use by the requesting device to unlock a storage. The key server generates a first wrapped encryption key by encrypting the encryption key with a requesting device public key associated with the requesting device. The key server generates a second wrapped encryption key by encrypting the encryption key with a public key associated with the key server.
    Type: Application
    Filed: April 26, 2010
    Publication date: October 27, 2011
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: David Ray Kahler, Anjul Mathur, Richard Anthony Ripberger, Jacob Lee Sheppard, Glen Alan Jaquette
  • Patent number: 8041944
    Abstract: In a group signature system of the present invention, user device 400 registered in the group, when receiving an issuing device public key of a set that includes order N of a cyclic group and its elements a_0, a_1 and a_2, determines such primes e and e′ that e′ is a prime that is obtained by subtracting a fixed number smaller than the prime e from the prime e, generates a user device secret key of a set including such numbers x and r that the product between a_0 and the result obtained by performing modular exponentiation of a_1 by number x, multiplied by the result obtained by performing modular exponentiation of a_2 by number r is equal to the result obtained by performing element A of the first cyclic group raised to the e-th power, based on order N as a modulus, and a user device public key of a set including prime e, prime e′ and element A, transmits prime e′ to revocation manager 300, receives B calculated based on prime e′ from revocation manager 300 to obtain a message, generates a signature statemen
    Type: Grant
    Filed: March 14, 2007
    Date of Patent: October 18, 2011
    Assignee: NEC Corporation
    Inventor: Isamu Teranishi
  • Patent number: 8041943
    Abstract: A method for enforcing use of certificate revocation lists in validating certificates, the lists being associated with a series of list generation indices such that each list is assigned one index which advances according to a time of generation of the list, the lists and the indices being cryptographically signed, the method including receiving one of the lists and an associated index as an identifier of the one list, checking the certificates against the list, associating each of the certificates, which have been checked against the list, with the index, receiving an enforcement generation index (EGI) associated with a latest list in use, storing the EGI as a last known EGI, and refusing performance of an action associated with a certificate if the one index of the one certificate is earlier in the series than the last known EGI. Related apparatus and methods are also included.
    Type: Grant
    Filed: October 3, 2006
    Date of Patent: October 18, 2011
    Assignee: NDS Limited
    Inventors: Chaim Shen-Orr, Yaacov (Jordan) Levy, Yaacov Belenky
  • Publication number: 20110246780
    Abstract: A method involving a communication device, which comprises sending a request to a communication device; receiving a response from the communication device over a local communication path; deriving a received data set from said response; determining at least one data set that had been previously transmitted to the communication device over a wireless portion of a second communication path different from the local communication path; and validating the response based on the received data set and the at least one previously transmitted data set.
    Type: Application
    Filed: December 18, 2008
    Publication date: October 6, 2011
    Inventors: Tet Hin Yeap, William G. O'Brien, Sean MacLean Murray
  • Patent number: 8032744
    Abstract: A method for proving the validity of a digital document digitally signed using a digital key that corresponds to a digital certificate in a chain of digital certificates issued by certification authorities within a hierarchy of certification authorities. At least one secure digital time stamp is applied to at least one record comprising the digital document, the digital signature, certificate chain data, and information relating to the revocation of certificates by certification authorities within the certificate chain. If, at some later time, one or more digital certificates either expire or are revoked, the timestamp serves as evidence of the integrity of the signed digital document.
    Type: Grant
    Filed: March 20, 2006
    Date of Patent: October 4, 2011
    Assignee: Addison Fischer
    Inventors: Wesley Doonan, Albert J. Wettlaufer, Rone H. Lewis
  • Patent number: 8024572
    Abstract: A system and method for data storage and removal includes providing databases and providing encryption keys. Each database is associated with a database time period and each encryption key is associated with an encryption time period. Data items are received and each data item is encrypted using the encryption key associated with the encryption time period that corresponds to a time associated with the data item. Each encrypted data item is stored in the database associated with the database time period that corresponds to the time associated with the data item. Each encryption key is deactivated at a predetermined time after the associated encryption time period ends. Each database is made irretrievable upon a determination that all of the encryption keys associated with the data items stored in that database have been deactivated.
    Type: Grant
    Filed: December 22, 2004
    Date of Patent: September 20, 2011
    Assignee: AOL Inc.
    Inventor: Harmannus Vandermolen
  • Patent number: 8024582
    Abstract: The aim of the invention is to provide a means of encrypting company-related data which also ensures that the data can be reproduced if the key is lost. To this end, the invention provides a method or an information processing system in which a key for a symmetrical encryption method is allocated to a user (4) for encrypting the data. Allocation information associating the key with the predetermined data to be encrypted and/or the user (4) is stored and can only be accessed by an authorised third party. If necessary, the key used for the particular data can be determined and the encrypted data reproduced, i.e. rendered readable, by this authorized third party. The allocation information, associating a particular key with an element identifying the predetermined data or a user identifier, can be stored in the information processing system in a predetermined manner or be created following a request for the allocation of a key.
    Type: Grant
    Filed: May 10, 2001
    Date of Patent: September 20, 2011
    Assignee: Deutsche Telekom AG
    Inventors: Hardy Kunitz, Werner Mettken
  • Patent number: 8014530
    Abstract: A method and apparatus for authenticated recoverable key distribution are described. In one embodiment, an application key is provided to an integrated chip platform. In one embodiment, the integrated chip platform encrypts the application key with a Key Encryption Key, which is stored within the persistent memory on the platform, and outputs a ChipID and the encrypted application key to enable recovery. In one embodiment, the platform can provide the ChipID to a recovery database to replace a lost encrypted application key. In one embodiment, the ChipID is the public key of a public/private key pair, and the application key is provided to the integrated chip platform by encrypting it using this public key. In one embodiment, the ChipID and the Key Encryption Key are derived from a secret random number programmed into the integrated chip. Other embodiments are described and claimed.
    Type: Grant
    Filed: March 22, 2006
    Date of Patent: September 6, 2011
    Assignee: Intel Corporation
    Inventors: Ernest Brickell, Gary Graunke, William A. Stevens, Balaji Vembu
  • Publication number: 20110200194
    Abstract: An ambulatory repeater for use in automated patient care is presented. A local memory store includes a cryptographic key, sensitive information, and physiological measures. The cryptographic key is uniquely assigned to the implantable medical device prior to implant of the implantable medical device into a patient. The sensitive information is preencrypted under the cryptographic key and physiological measures are measured by the implantable medical device. An authentication module is in receipt of the cryptographic key. A permissions module confirms authorization of an external data processing device against the cryptographic key. A decryption module decrypts the sensitive information with the cryptographic key into decrypted information. A processor is operatively coupled to the local memory store. A communications module exchanges the decrypted information and the physiological measures with the external data processing device over a wireless interface contingent upon the authorization confirmation.
    Type: Application
    Filed: April 27, 2011
    Publication date: August 18, 2011
    Applicant: Cardiac Pacemakers, Inc.
    Inventors: Donald L. Goscha, Lisa D. Haeder, Veerichetty A. Kadhiresan, David C. Johnson, Muralidharan Srivathsa, Marina Brockway
  • Patent number: 7986785
    Abstract: Embodiments of methods, apparatuses, devices, and/or systems for data copyright management are described.
    Type: Grant
    Filed: August 29, 2006
    Date of Patent: July 26, 2011
    Assignee: Intarsia Software LLC
    Inventor: Makoto Saito
  • Patent number: 7970141
    Abstract: The present invention relates to a method for traitor tracing. One embodiment of a method for determining at least one traced private key used by a decoder to decrypt an encrypted message includes defining an input ciphertext, the input ciphertext being associated with a tracing private key and having a sublinear size, calling the decoder on the input ciphertext, and associating the tracing private key with a set of traced private keys if the decoder is able to correctly decrypt the encrypted message in accordance with the input ciphertext, the set of traced private keys including at least one private key.
    Type: Grant
    Filed: September 13, 2007
    Date of Patent: June 28, 2011
    Assignees: The Regents of the University of California, SRI International, The Board of Trustees of the Leland Stanford Junior University
    Inventors: Dan Boneh, Amit Sahai, Brent Waters
  • Patent number: 7957532
    Abstract: A network-based data protection scheme for a mobile device utilizes encryption techniques and a remote key server that stores encryption keys on behalf of the mobile device. The mobile device stores encrypted data, preferably having no unencrypted counterpart stored therewith. On an as-needed basis, the mobile device requests a decryption key (or an encrypted version of a decryption key) from the key server, where the decryption key can be used by the mobile device to decrypt the encrypted information. The key server transmits the decryption key to the mobile device after authenticating the user of the mobile device.
    Type: Grant
    Filed: June 23, 2006
    Date of Patent: June 7, 2011
    Assignee: Microsoft Corporation
    Inventors: Yuqun Chen, Zicheng Liu, Mariusz H. Jakubowski, Yacov Yacobi
  • Patent number: 7958351
    Abstract: A method of operating a multi-level security system including the steps of providing a plurality of processors. At least some of said processors are equipped with a data card which permits simultaneous processing of different classification levels of information and the dynamic reallocation of processors to different classification levels.
    Type: Grant
    Filed: December 31, 2002
    Date of Patent: June 7, 2011
    Assignee: Wisterium Development LLC
    Inventor: Peter O. Luthi
  • Patent number: 7949138
    Abstract: Secure instant messaging is described. In an embodiment, a messaging device encrypts a challenge identifier to generate an encrypted challenge message, and communicates the encrypted challenge message via a peer-to-peer communication link to a recipient messaging device. The recipient messaging device decrypts the encrypted challenge message and encrypts the challenge identifier as a return challenge identifier to generate an encrypted challenge return. The messaging device receives the encrypted challenge return from the recipient messaging device, decrypts the encrypted challenge return, and verifies that the return challenge identifier matches the challenge identifier to establish that communications are secure when communicated via the peer-to-peer communication link and, optionally, to establish control policies pertaining to a communication received at the recipient messaging device.
    Type: Grant
    Filed: June 30, 2005
    Date of Patent: May 24, 2011
    Assignee: Microsoft Corporation
    Inventors: Eyal Schwartz, Peter S. Ford, John S Holmes
  • Publication number: 20110116637
    Abstract: Methods for automatically verifying and populating an encryption keystore are provided. Pursuant to these methods, the keystore may be automatically checked to determine if it is missing a required digital certificate; if so, the missing required digital certificate may be automatically inserted into the keystore. The methods may also include automatically obtaining the required digital certificates and a list of the required digital certificates, and automatically comparing the list of required digital certificates with the digital certificates in the keystore to determine if the keystore is missing a required digital certificate. The methods may further include sending an informational alert if a missing required digital certificate was automatically inserted into the keystore, and may include checking the keystore to determine if any required digital certificates have expired, will expire within a predetermined time period, or are inoperative.
    Type: Application
    Filed: November 17, 2009
    Publication date: May 19, 2011
    Inventor: Andrew Schiefelbein
  • Patent number: 7945783
    Abstract: Systems for customizing the privatizing of instant messages preferably comprise a processing device configured to detect a marking of select portions of an instant message as sensitive data. The instant message is parsed for marked sensitive data. An encryption engine encrypts the sensitive data. A modified unencoder is also preferably included for converting the encrypted sensitive data into a data stream that complies with an XML format. Other systems and methods are also provided.
    Type: Grant
    Filed: October 17, 2008
    Date of Patent: May 17, 2011
    Assignee: AT&T Intellectual Property I, L.P.
    Inventors: Larry G. Kent, Jr., W. Todd Daniell, Joel A. Davis, Brian K. Daigle
  • Patent number: 7945052
    Abstract: Secondary content is encrypted for distribution to client terminals by selecting at least a portion of raw encrypted audio-video data (REAVD) that is provided on a media article as an encryption key, encrypting secondary content using the encryption key, and storing encrypted secondary content at a remotely located host. The media article can then be used for providing access to the encrypted secondary content to client terminals by receiving encrypted secondary content at a client terminal, extracting a decryption key from a media article encoded with REAVD, the decryption key being determined by at least a portion of the REAVD, using the decryption key to decrypt the secondary content, and outputting the decrypted secondary content from the client terminal.
    Type: Grant
    Filed: March 31, 2008
    Date of Patent: May 17, 2011
    Inventor: Gary Stephen Shuster
  • Patent number: 7945605
    Abstract: A new technique for accelerating the computational speed of a computer algorithm is provided. The inventive technique can be applied to video compression/decompression algorithms, optical character recognition algorithms, and digital camera zooming applications.
    Type: Grant
    Filed: December 28, 2009
    Date of Patent: May 17, 2011
    Assignee: Cipherflux, LLC
    Inventors: Jerzy Henryk Urbanik, Krzysztof Ryszard Kalita, Przemyslaw Bartlomiej Bezeg
  • Patent number: 7945779
    Abstract: For use in a distributed system where a client computer is operable to communicate with a server computer and to receive a digital certificate associated with a remote external component, apparatus for securing a communications exchange between computers includes a hasher, responsive to the client computer receiving a digital certificate, for hashing data associated with the client computer and the server computer with data associated with the digital certificate to create a first message digest, and a first transmitter for transmitting the first message digest to the remote external component.
    Type: Grant
    Filed: June 18, 2007
    Date of Patent: May 17, 2011
    Assignee: International Business Machines Corporation
    Inventor: Cameron Kenneth Martin
  • Patent number: 7940935
    Abstract: A content playback apparatus reduces load concentration on a specific server apparatus that manages content keys of encrypted content, while protecting copyrights of the content. The content apparatus makes playback of content recorded in a sold recording medium possible after the specific server breaks down. A key acquisition control unit (204) reads a playback control information table (211) from a recording medium (102) via a reading unit (201). The key acquisition unit (204) acquires a rights key via a key acquisition intermediation unit (223) from an apparatus specified by an acquisition-destination type and a request-destination type that are stored in the playback control information table (211) and that correspond to the content to be played. The key acquisition unit (204) generates a content key using the acquired rights key and, when required, a medium key recorded in a medium. A decryption unit (203) decrypts encrypted content using the content key.
    Type: Grant
    Filed: June 30, 2005
    Date of Patent: May 10, 2011
    Assignee: Panasonic Corporation
    Inventors: Tohru Nakahara, Ryuichi Okamoto, Masaya Yamamoto, Katsumi Tokuda, Masaya Miyazaki, Masayuki Kozuka
  • Patent number: 7929707
    Abstract: In a computer system having a central processing unit (CPU) and a graphics processing unit (GPU), a system, method and computer program product for recovering a password used to encrypt a plaintext, including (a) generating N passwords on the CPU; (b) providing the N passwords to the GPU; (c) for each of the N passwords, calculating a transformed value from the password on the GPU, wherein the calculating is performed in parallel for all the N passwords provided to the GPU; (d) providing the N transformed values to the CPU; (e) at the CPU, testing the N transformed values for correctness; and (f) if none of the N transformed values are correct, repeating steps (a)-(e) for the next set of N passwords; (g) informing the user of a correct password.
    Type: Grant
    Filed: September 4, 2008
    Date of Patent: April 19, 2011
    Assignee: Elcomsoft Co. Ltd.
    Inventor: Andrey V. Belenko
  • Patent number: 7929706
    Abstract: A disclosed encryption key restoring method enables restoration of an encryption key in the event of inability to use the encryption key stored in a secure memory of an information processing apparatus, in which data encrypted by the encryption key is stored in an internal storage unit. A disclosed information processing apparatus includes a key management module that checks the validity of the encryption key. If the encryption key is not valid, the key management module acquires a restore key for the encryption key from outside the information processing apparatus, and checks the validity of the restore key. If the restore key is valid, the key management module stores it in the secure memory, and reboots the information processing apparatus in a normal mode.
    Type: Grant
    Filed: January 30, 2008
    Date of Patent: April 19, 2011
    Assignee: Ricoh Company, Ltd.
    Inventor: Bin Li
  • Patent number: 7925010
    Abstract: A method decrypts the encrypted messages sent by a transmission device to a first electronic device associated with a first trusted authority and to a second electronic device. In one embodiment, first and second tokens are generated and exchanged, respectively, by the first and second electronic devices, which then generate a joint decryption key in order to decrypt the encrypted message.
    Type: Grant
    Filed: December 17, 2004
    Date of Patent: April 12, 2011
    Assignee: STMicroelectronics S.r.l.
    Inventors: Roberto Valerio Sannino, Fabio Sozzani, Guido Marco Bertoni, Gerardo Pelosi, Pasqualina Fragneto
  • Patent number: 7925023
    Abstract: One embodiment of the present invention provides a system for managing keys. During operation, the system authenticates a client at a key manager. Next, the system receives a token from the client at the key manager, wherein the token is associated with a customer key, and includes a token authenticator. This token authenticator comprises one-half of an authenticator pair which is used to determine if the client is the owner of the customer key. Next, the system decrypts the token using a master key. The system then verifies a client authenticator, which comprises the other half of the authenticator pair which is used to determine if the client is the owner of the customer key. If the client is the owner of the customer key, the system sends the customer key to the client, which enables the client to encrypt/decrypt data. Finally, the client deletes the customer key.
    Type: Grant
    Filed: March 3, 2006
    Date of Patent: April 12, 2011
    Assignee: Oracle International Corporation
    Inventors: Paul Youn, Daniel ManHung Wong, Min-Hank Ho, Chon Hei Lei
  • Patent number: 7921289
    Abstract: A layered defense-in-depth knowledge-based data management comprises a reception zone for authenticating a user for access to the system and an operations zone for adjudicating on a user level access to data objects stored in the system database. In addition, the data management comprises a security zone for issuing certificates of accessibility for defined users and a screening zone to interrogate data packets during processing thereof. The first line of defense is firewall protection and packet filtering preceding the reception zone.
    Type: Grant
    Filed: February 14, 2007
    Date of Patent: April 5, 2011
    Assignee: Raytheon Company
    Inventors: Daniel Teijido, Joseph M. Silcox, Robert C. Moehl, Craig H. Kobren
  • Patent number: 7920706
    Abstract: A key management of cryptographic keys has a data package including one or more cryptographic keys that are transferred to a personal device 100 from a secure processing point 150 of a device assembly line in order to store device specific cryptographic keys in the personal device 100. In response to the transferred data package, a backup data package is received by the secure processing point 150 from the personal device 100, which backup data package is the data package encrypted with a unique secret chip key stored in a tamper-resistant secret storage 125 of a chip 110 included in the personal device 100. The secure processing point 150 is arranged to store the backup data package, together with an associated unique chip identifier read from the personal device 100, in a permanent, public database 170.
    Type: Grant
    Filed: October 28, 2003
    Date of Patent: April 5, 2011
    Assignee: Nokia Corporation
    Inventors: Nadarajah Asokan, Niemi Valtteri