Abstract: Provided is a system far receiving a initialization packet containing an initial vector for initializing stream encryption algorithm and an identifier of a key for decrypting an encrypted stream, initializing a decryption modules and decrypting the encrypted stream, wherein the system stores an identifier of a key which is needed to decrypt a next program in a initialization packet of a current program and informs a user of whether a desired key has been acquired or not at timing close to start time of the next program.

Abstract: A key escrow service is described. In embodiment(s), the key escrow service maintains an escrow license that includes an escrow content key that is associated with protected media content which is distributed from a content distributor to a media device. A content key that is associated with the protected media content can be received from the content distributor, and the content key can then be encrypted with a public escrow key to generate the escrow content key. The escrow license can be generated to include the escrow content key, and the escrow content key can then be communicated back to the content distributor that provides a digital rights management (DRM) license to the media device. The DRM license can include both the escrow content key and the content key encrypted with a public key that corresponds to the media device.

Abstract: A computer enabled secure method and apparatus for generating a cryptographic key, to be used in a subsequent cryptographic process, where the key is to be valid only for example during a specified time period. The method uses a polynomial function which is a function of an input variable such as time, and dynamically computes the key from the polynomial. This is useful for generating decryption keys used for distribution of encrypted content, where the decryption is to be allowed only during a specified time period.

Abstract: The invention relates to a system and method of hiding cryptographic private keys. While public/private key encryption systems are considered to be secure, the private keys ultimately must be stored in some location—in fact, in some digital commerce systems the private key is sent to the end user as part of an executable file such as an audio player and audio file. Thus, attackers can obtain access to the private key. The broad concept of the invention is to split the private key up into parts which are obfuscated, but still kept in a form that allows the encrypted data to be decrypted. One technique for obfuscating the private key uses modulo arithmetic.

Abstract: A system and method for retrieval and transfer of encrypted content from a failed set-top box. When content is recorded to the storage device of a set-top box, the content is encrypted with a content instance key. This content instance key is encrypted with the public key of the set-top box and a duplicate of the content instance key is encrypted by another public key other than the public key of the set-top. In the event the set-top fails, the encrypted content on the storage device may be retrieved from the storage device by decrypting the duplicate content instance key with the private key that corresponds with the public key that encrypted the duplicate of the content instance key.

Abstract: Modular reduction and modular multiplication for large numbers are required operations in public key cryptography. Moreover, efficient execution of these two operations is important to achieve high performance levels in cryptographic engines and processes. The present invention uses multiplication and addition instead of using division and subtraction to perform modular arithmetic. The present invention also achieves some of its advantages through processing which begins with the high order bits coupled with judicious observations pertaining to circumstances under which carry output signals from addition operations are generated. These carry output signals are used to provide corrections which thus enable the use of the higher order bits and the efficiencies that such use engenders. Additionally, unlike other methods, the present invention avoids the baggage of preprocessing and post processing operations.

Abstract: This invention relates to a communication system including a first apparatus having a first storage medium, and a second apparatus for transmitting data to the first apparatus, the second apparatus comprising: a second storage medium for storing management information of data to be transferred to the first storage medium; communication means for communicating data with the first apparatus; edit means capable of editing the management information; and control means for making a control to transfer data stored in the second storage medium to the first storage medium by way of the communication means on the basis of the management information edited by the edit means.

Abstract: A plurality of original partial data are generated by dividing the original data by the prescribed processing unit bit length, a plurality of random number partial data each having a length less than or equal to the prescribed processing unit bit length are generated in correspondence to the plurality of original partial data, and a plurality of divided partial data that constitute each divided data are generated by using exclusive OR calculation of the original partial data and the random number partial data, each divided partial data having a length equal to the prescribed processing unit bit length. Then, the divided data in the desired number of division are generated from the plurality of divided partial data, such that the original data cannot be ascertained from any one divided data alone but the original data can be recovered from a prescribed number of the divided data among generated divided data.

Abstract: Techniques for providing different levels of access based upon a same authentication factor are provided. A first message is received that is transformed with a first portion of a split private key, the first portion based upon a user password and another factor, and the split private key associated with an asymmetric key pair having a public key and the split private key. The user is authenticated for a first level of network access based upon the received first message being transformed with the first portion. A second message is received that is transformed with a second portion of the split private key, the second portion based upon the password only and not combinable with the first portion to complete the split private key. The user is authenticated for a second level of network access different that the first level based upon the received second message being transformed with the second portion.

Abstract: Techniques for registering certificates after the issuance of the certificates are provided. A service provider securely registers a client's identity and its certificate without depending on or using an existing basis of trust, such as that provided by domain-joined clients or a security directory (e.g., MICROSOFT's ACTIVE DIRECTORY). The service provider provides services, such as, by way of example and not a limitation, email services, web application services, application services, etc., based on identifiers (e.g., service IDs) issued to registered clients. The service provider subsequently uses the issued identifier to authenticate a client requesting a service or services, and to authorize the client to receive the requested service or services.

Abstract: A memory card (110) includes a memory (1415) to store encrypted content data, a license hold unit (1440) to store at least a portion of license information distributed by a distribution system, a plurality of authentication data hold units (1400.1, 1400.2), each storing a plurality of authentication data that are authenticated respectively by a plurality of public authentication keys KPma, KPmb common to the distribution system, and a switch (SW2) to selectively provide the data from the plurality of authentication data hold units outside of said recording apparatus according to a request external to the memory card (110).

Abstract: Techniques for authentication are provided. A first authentication request transformed with a private portion of a first type split private key is received. A first user is authenticated for a first level of network access based upon the first request being transformed with the first type of split private key. A second authentication request that is transformed with a private portion of a second type private key is also received. A second user is authenticated for a second level of network access based upon the second request being transformed with the second type of split private key.

Abstract: A method includes determining whether a key is traceable to one of a set of keys associated with a trusted source and determining whether the key is identified in a list of compromised keys. If the key is not identified as compromised and is traceable to one of the keys in the set, the key is assigned a trusted status.

Abstract: Digital rights management (DRM) can be effectively implemented through use of an anchor point and binding records in a user domain and backed up through use of an escrow anchor point and an escrow binding record in an anchor point based digital rights management system. An escrow binding record provides additional functionality and reliability to a DRM system by allowing a user to use of digital content even after an access device has been lost or compromised.

Abstract: A final agent of the message provides a first encryption key to a first agent, interposed between a message sender and the final agent. The first agent but not the final agent knows an identity of the sender. The final agent provides a second encryption key to a second agent, interposed between the sender and the final agent. The second agent knows an identity of the sender. The first agent generates a third encryption key and provides the first encryption key and the third encryption key to the sender. The second agent generates a fourth encryption key and provides the second encryption key and the fourth encryption key to the sender. The first agent receives from the sender a message encrypted with the first, second, third and fourth keys, and in response, decrypts the message based on the third key. Afterwards, the first agent provides the message decrypted based on the third key to the second agent. In response, the second agent decrypts, based on the fourth key, the message provided by the first agent.

Abstract: Methods and systems are described for communicating the session keys used to encrypt media stream to allow a lawful intercept agency to decrypt the media stream. Assuming the endpoints negotiate the session keys themselves, the send an encrypted format key message which is encrypted with an encryption key for which only the LI agency knows the corresponding decryption key. However, to avoid abuse by the LI agency, or even to avoid the perception that LI agencies can intercept private calls without due process, the media session key is further encrypted with at least one additional key, with the corresponding decryption key(s) being unknown to the LI agency.

Abstract: A weighted secret sharing and reconstructing method includes encoding the secret using a predetermined code, producing voices so that different weights are assigned to errors in an error vector according to locations of the errors, encrypting the encoded secret using the error vector and distributing the encrypted encoded secret to a plurality of participants.

Abstract: The invention relates to a method for the secure deposition of data, according to which a depositor encrypts the data with a transfer key and encrypts the transfer key with a key of a third party, then deposits the encrypted data and the encrypted transfer key on a storage support. The invention also relates to a method for recovering data, during which an addressee of the data recovers the content of the storage support, authenticates him/herself to the third party, and transmits the encrypted transfer key thereto. After having authenticated the addressee, the third party returns the decrypted transfer key. The addressee can then recover the data. The invention further relates to devices for implementing the foregoing methods.

Abstract: The present invention provides an efficient method and system in which a plurality of participants share a secret key in a communication environment that is not ensured. According to an embodiment of the invention, each of the participants is assigned with a secret key from a key generation party, generates exchange information, and transmits its own exchange information to the other participant to exchange the exchange information with each other. Each of the participants generates a shared key on the basis of the exchange information and its own secret key.

Abstract: Provided is a method for updating a group key in a highly secure manner and at high speed. A method includes: a step of making subscriber terminals (20) perform a part of decryption of an encrypted group key used to decrypt the information before distribution of the group key; a step of distributing the group key and individual decryption information used to perform a part of remaining decryption other than the part of decryption of the group key and corresponding to terminal devices to the subscriber terminals (20); and a step of making the subscriber terminals (20) perform decryption of the group key using the decryption information being distributed and results obtained by implementing a part of decryption of the group key, the part of decryption previously being performed.

Abstract: A method is described for controlling the distribution of a software code update for an embedded software application on a device. The method includes the steps of assigning an asymmetric key pair to the software application and another asymmetric key pair to the sender of the software code update. The software code update is sent in a secure manner to one or more devices while preventing devices not possessing to the appropriate keys from obtaining the software code update.

Abstract: A method includes receiving an authentication request from a mobile station (401) and determining whether to forward the request to an authentication agent. When it is determined to forward the request, the request is forwarded to the authentication agent (107). A random number and a random seed are received from the authentication agent (107). The random number and the random seed are forwarded to the mobile station (401). A response to the random number and the random seed from the mobile station (401) is received and forwarded to the authentication agent (107). The authentication agent (107) compares the response with an expected response. When the authentication agent (107) authenticates the mobile station (401), a derived cipher key is received from the authentication agent (107).

Abstract: Electronic document processing logic coupled to a computer and to a quarantine is operable to identify an encrypted electronic document received at the computer; determine whether the key server stores particular decryption data, or credentials to access decryption data, that can decrypt the encrypted electronic document; in response to determining that the key server does not store particular decryption data that can decrypt the encrypted electronic document: store the electronic document in the quarantine; notify one of the users; receive from the one of the users the particular decryption data; decrypt the electronic document; scan the electronic document to identify specified content in the electronic document; and perform one or more responsive actions based on the specified content. As a result, encrypted content in documents or e-mail can be decrypted, scanned for viruses, malware, or prohibited content, and re-encrypted or delivered.

Abstract: Described herein is an information transmission apparatus for encrypting and transmitting first data and second data, the information transmission apparatus including: encryption element for deriving a second key from a first key by using an irreversible function, encrypting the first data by using the first key to generate encrypted first data and encrypting the second data by using the second key to generate encrypted second data; and transmission element for transmitting the encrypted first data, the encrypted second data and the first key.

Abstract: Automated test equipment (ATE) is provided with a plurality of hardware components, at least two of which provide a common test feature. The ATE is also provided with program code to access a number of security tokens, each token of which grants rights to use one or more test features without specifying a particular hardware component on which the test features are to be enabled. If a number of security tokens granting rights to use the common test feature are available, the program code enables the common test feature on user-selected ones of the hardware components that provide the common test feature, as permitted by the number of security tokens. Methods for provisioning and using the security tokens to enable the ATE are also disclosed.

Abstract: A system and method for implementing XSL/XML based authorization rules policy on a given set of data. An authorization rules engine is created which uses authorization rules defined in XSL to operate on access decision information (ADI) provided by the user. Inside the authorization rules engine, a boolean authorization rules mechanism is implemented to constrain the XSL processor to arrive at a boolean authorization decision. By applying the constrained authorization rules, the authorization rules engine evaluates available ADI data from an ADI XML input document. An output from a set of predetermined authorization decisions is provided to the user when the ADI input data is successfully evaluated. An error message is also provided to the user if required ADI data is unavailable for evaluation.

Abstract: Disclosed is a method of recording and storing a broadcast content received for mobile broadcast services in a transmitting-end level. A broadcast receiving terminal includes a type of the key profile in the header of the recorded file for the particular broadcast content, the CIEK which is used in encrypting the broadcast content and encrypted with the second layer encryption key, and the acquisition information on the second layer encryption key. The acquisition information on the second layer encryption key is included in a corresponding field of the header according to the type of the used profile. As in the SRTP and IPSec, a recorded file format in the transmitting-end level recording is the PDCF. Information associated with the encryption of the encrypted broadcast content is stored in the OMA DRM common header box (ohdr box) of the PDCF recorded file.

Abstract: A method for recovering a password includes: obtaining a request code from a data storage device, transmitting the request code to an external authority that produces a recovery code from the request code, and using the recovery code to recover a password and an encryption key from a hidden area of the data storage device. An apparatus that can be used to implement the method is also provided.

Abstract: Systems and methods for reducing latency on a remotely-booted information handling system are disclosed. A method may include remotely booting an information handling system having a local storage resource. The method may also include establishing, at the start of a session, an encryption key for the local storage resource for use during the session. Additionally, the method may include using the encryption key to encrypt data written to the local storage resource during the session. The method may further include permanently disabling access to the encrypted data written to the local storage resource at the end of the session.

Abstract: A system for remotely tracking a mobile unit is presented. The system includes a computer connected to a data network, mobile units collecting data and transmitting the data to the computer, and a configuration database connected to the data network. The configuration database stores configuration parameters for the mobile units. The mobile units are programmed to contact the configuration database upon being powered on, obtain the configuration parameters, and transmit the collected data to the computer according to the configuration parameters. Since each configuration file could apply to multiple mobile units, the system provides an efficient way to control the data reporting patterns of many mobile units. The configuration database may be organized in layers of configuration files for improved flexibility. Files from different layers can be mixed and matched and then applied to a group of mobile units.

Abstract: A device key 46 is implemented on a drive 4 side. To securely transmit the device key 46 to a host 5, the device key 46 is encrypted with a bus key. The host 5 side decrypts the device key with the bus key. A medium unique key calculating block 55 calculates a medium unique key with an MKB 12, a medium ID, and the decrypted device key 46. When the calculated medium key is a predetermined value, the drive 4 is revoked and the process is stopped. The medium unique key is supplied to an encrypting/decrypting module 54. A content key is obtained with an encrypted title key 14 and a CCI 15. With the content key, an encrypted content is decrypted and a content that is recorded is encrypted.

Abstract: The present invention provides for trusted side-band communications between components in a computer system, so that use of the system bus may be avoided. Two components may be connected by means other than a bus (e.g., an infrared port, a wire, an unused pin, etc.), whereby these components may communicate without the use of the system bus. The non-bus communication channel may be referred to as “side-band.” The side-band channel may be used to communicate information that might identify the user's hardware (e.g., a public key) or other information that the user may not want to be easily intercepted by the public at large. Communication over the side-band channel may also be used to verify that the participants in a communication are within a defined positional relationship to each other.

Abstract: A digital identity device for uniquely identifying legal entities. The digital identity device is used for secure electronic communications.

Abstract: Even though data transmitted between a data processing apparatus and disc recording and/or reproducing apparatus is monitored, copying the data is effectively prevented and the data can be protected. A write ID generator 20 of a disc recording and/or reproducing apparatus 10 generates independent write ID for each recording of data, and transmits the write ID to an encryptor 102 of a data processing apparatus 100. The encryptor 102 encrypts contents ID to be used for key information for encrypted contents data and data control information to restrict or prohibit copy by the use of an encrypting key based on the write ID. The encrypted data are transmitted to an encryptor 24 of the disc recording and/or reproducing apparatus 10 via an I/F 101 and I/F 19, and encrypted along with the write ID by the use of an encrypting key based on disc ID, and recorded to a disc 30.

Abstract: A method and apparatus for transferring a message securely from a sender to a recipient over a network and includes at each transfer: creating a message; retrieving the public key of the recipient from an external key server just prior to sending the message; signing the message using the private key of the sender; encrypting the signed message using a public key encryption algorithm and the public key of the recipient producing an encrypted signed message; generating an E-mail message addressed to the recipient; attaching the encrypted signed message as an attachment to the E-mail message; and, transmitting the E-mail message to the recipient.

Abstract: A system is provided that uses identity-based encryption to support secure communications. Messages from a sender to a receiver may be encrypted using the receiver's identity and public parameters that have been generated by a private key generator associated with the receiver. The private key generator associated with the receiver generates a private key for the receiver. The encrypted message may be decrypted by the receiver using the receiver's private key. The system may have multiple private key generators, each with a separate set of public parameters. Directory services may be used to provide a sender that is associated with one private key generator with appropriate public parameters to use when encrypting messages for a receiver that is associated with a different private key generator. A certification authority may be used to sign directory entries for the directory service. A clearinghouse may be used to avoid duplicative directory entries.

Abstract: A process may be utilized by a device to implement public key asymmetric encryption. The process encrypts a data set with a symmetric encryption key to form an encrypted data set. Further, the process encrypts the symmetric encryption key with a public key component of an asymmetric encryption key to form an asymmetric encrypted cookie. Finally, the process stores the encrypted data set and the asymmetric encrypted cookie in a non-secure area of a storage medium.

Abstract: A high level of security for access to recorded information is provided by a method which includes provisioning of a trusted/protected communication linkage such as a tamper-resistant or tamper evident enclosure, a physical close coupling between information source and encryption processor and/or obfuscated code or end-to-end network encryption and encryption, possibly symmetrical, of the information to be recorded by a preferably random session key or segment key. The session key or segment key may then be encrypted, preferably asymmetrically, by a secure key which may be shared or access thereto shared in accordance with any desired security policy. Use of a public key or public key/private key infrastructure also provides for authentication of the recorded information.

Abstract: A method for updating encryption keystores within a computer network having multiple host computers is disclosed. A keystore is initially loaded into a key manager within one of the host computers. In response to a key request by a peripheral device within the computer network, a determination is made whether or not the keystore is currently being updated. In a determination that the keystore is not currently being updated, the loaded keystore is utilized to handle the key request. In a determination that the keystore is currently being updated, any incoming key request is redirected to a local queue associated with the key manager. Afterwards, the updated keystore is utilized to handle the key request and any other key request pending in the local queue associated with the key manager.

Abstract: Provided is a content distribution system that prevents different keys to be derived between an encryption apparatus and a decryption apparatus. A random-number generating unit 112d, in an encryption apparatus 110d, generates a random number s, and a first function unit 113d generates a functional value G(s) of the random number s, and generates a verification value a and a shared key K from the functional value G(s). An encryption unit 114d generates a first cipher text c1 of the verification value a using a public-key polynomial h, and a second function unit 115d generates a functional value H(a,c1) of the verification value a and the first cipher text c1, and a random-number mask unit 116d generates a second cipher text c2=s xor H(a,c1). A decryption unit 123d, in a decryption apparatus 120d, decrypts the first cipher text c1 using a secret-key polynomial f, to generate a decryption verification value a?.

Abstract: A system for encrypting data comprising a computer configured to encrypt a plurality of data entries using at least one encryption algorithm and a system memory, wherein the computer is configured to use different keys with the encryption algorithm(s) for each data entry and the system is configured to store in the system memory or transmit for storage in an external memory the encrypted data corresponding to each entry along with an identifier corresponding to at least part of the key used to encrypt that entry, such that when decrypting a data entry in the system or external memory the associated identifier can be used to locate at least part of the correct key.

Abstract: In accordance with certain aspects, a computer system has a central processing unit (CPU) and an operating system (OS), the CPU having a pair of private and public keys and a software identity register that holds an identity of the operating system. An OS certificate is created including the identity from the software identity register, information describing the operating system, and the CPU public key. The created OS certificate is signed using the CPU private key.

Abstract: A method for transmitting information between a transmitter station and a plurality of receiving stations in which encrypted information is transmitted from the transmitter station to the receiver station with a first key and at least a control message bearing a second key. The first key used for decryption is restored in each receiving station from the second key and from at least one datum selected from a set of data available in the receiving stations, according to a selection command periodically transmitted between the transmitting station and the receiving station. Such a system may find particular application to pay television.

Abstract: Described is a solution for maintaining the security of encrypted data despite a compromised private key by using a re-encryption process that does not require decryption of the encrypted data. The compromised private key is re-encrypted using a new public key as is the encrypted symmetric key which the compromised private key can decrypt. When a decrypted version of the encrypted data is requested, the private key corresponding to the new public key decrypts both the encrypted version of the compromised private key and the re-encrypted version of the symmetric key resulting in the unencrypted compromised private key and the previously encrypted version of the symmetric key, which when decrypted using the compromised private key decrypts the encrypted data. The unencrypted symmetric key can then be encrypted using the new public key any encrypted compromised private key can be deleted.

Abstract: A method, system, and apparatus are provided for establishing trust without revealing identity. According to one embodiment, values in a first proof corresponding to a first statement are precomputed, a request for a second proof is received from a challenger, and the first and second proofs are completed.

Abstract: The invention provides a method for verification having a structure that reflects reliability of a signature history properly for a hysteresis signature used for verification based on the signature history, and provides a method for arbitration and an arbitrator apparatus that solve a dispute on correctness of a signature based on the method for verification. Furthermore, the invention provides a method for managing history that mitigates the signature history management burden on a signer. Reliability is set on a signature forming record that is a component of a signature history, reliability of the signature history is calculated based on the set reliability, and the calculated reliability is output as reliability of a verification result. The invention provides a method for verification having a structure that reflects the reliability of a signature history properly and a method for arbitration and an arbitrator apparatus that solve a dispute on correctness of a signature.

Abstract: Provided are a method, system, and article of manufacture for maintaining keys removed from a keystore in an inactive key repository. A keystore includes active keys, wherein at least one active key in the keystore is associated with at least one storage device and available for encrypting and decrypting data with respect to the associated storage device. A request is received for an operation with respect to a specified active key that causes the specified active key to be removed as an active key from the keystore. The specified active key is indicated as inactive, wherein keys indicated as inactive are not available for use to encrypt and decrypt data. A request is received to restore one of the inactive keys to make available to decrypt and encrypt data for the at least one associated storage device associated with the requested inactive key.

Abstract: Security is provided in a network system. A message is received from a user, which message requires authentication of the user. An authentication message is sent indicating the identity of the user to an initial software security agent. The software security agent, on receipt of the authentication message, determines whether information relating to the user is stored on a security database associated with the software security agent, and, if so, the software security agent adds an authentication key to the authentication message. The authentication message is sent on to one or more further software security agents. The prior noted steps are repeated with the further software security agent(s) and, if user-related stored security information is found, adding an authentication key to the authentication message and sending the authentication message on to one or more further software security agents until the number of keys associated with the authentication message equals a predetermined number N.

Abstract: Methods and apparatus are described which provide secure interactive communication of text and image information between a central server computer and one or more client computers located at remote sites for the purpose of storing and retrieving files describing and identifying unique products, services, or individuals. Textual information and image data from one or more of the remote sites are stored separately at the location of the central server computer, with the image data being in compressed form, and with the textual information being included in a relational database with identifiers associated with any related image data. Means are provided at the central computer for management of all textural information and image data received to ensure that all information may be independently retrieved. Requests are entered from remote terminals specifying particular subject matter, and the system is capable of responding to multiple simultaneous requests.

Abstract: Aspects of the invention provide a method and system for securely managing the storage and retrieval of data. Securely managing the storage and retrieval of data may include receiving a first disaster recovery code and acquiring a first password corresponding to the first disaster recovery code. A first disaster recovery key may be generated based on the first disaster recovery code and the first password. Another aspect of the invention may also include generating the received first disaster recovery code based on said first password and the first disaster recovery key. The generated disaster recovery code may be securely stored on at least a portion of a storage device or a removable media. Data stored on the storage device may be encrypted using the first generated disaster recovery key. Additionally, data read from the storage device may be decrypted using the generated first disaster recovery key.