Abstract: An application is instrumented with a document protection service provider interface (SPI). The interface is used to call an external function, e.g., an encryption utility, to facilitate secure document exchange between a sending entity and a receiving entity. When the application invokes the SPI, the user is provided with a display panel. The end user provides a password for encryption key generation, together with an indication of desired encryption strength. The service provider uses the password to generate an encryption key. In one embodiment, the service provider provides the key to the service provider interface, which then uses the key to encrypt the document and to complete the file transfer operation. In the alternative, the service provider itself performs encryption. The SPI generates and sends a message to the receiving entity that includes the key or a link to enable the receiving entity to retrieve the key.

Abstract: Disclosed is an apparatus and method to securely activate or revoke a key. For example, the apparatus may comprise: a storage device to store a plurality of pre-stored keys; a communication interface to receive an activate key command and a certificate associated with one of the pre-stored keys; and a processor. The processor may be coupled to the storage device and the communication interface and may be configured to: implement the activate key command to reboot the apparatus with the pre-stored key and the certificate; and determine if the reboot is successful.

Abstract: The present disclosure relates to a method performed by a network element in a communication network for routing an IP session to a radio device over a WLAN, the IP session comprising at least one bearer. The method comprises obtaining an identifier for each of the at least one bearer of the IP session. The method also comprises mapping downlink data packets of the IP session to the identifier for each of the at least one bearer of the IP session. The method also comprises transmitting each of the DL packets on a bearer of said at least one bearer, together with the identifier for the bearer it has been mapped to, over the WLAN to the radio device. The disclosure also relates to a network element and a radio device, as well as to other methods thereof.

Abstract: A method and system for encrypting data packets in a multimedia stream are disclosed. Each data packet includes a header portion and a payload portion. In one embodiment, one or more data packets are selected from an incoming multimedia stream. Further, one or more of a header portion and a payload portion are selected within the one or more data packets. Furthermore, one or more regions in the selected one or more of the header portion and the payload portion are encrypted using an encryption algorithm.

Abstract: Some embodiments provide a method for performing a cryptographic process. The method receives first and second cipher keys. The method generates a set of subkeys corresponding to each of the first and second cipher keys. The set of subkeys for the first cipher key is dependent on the first cipher key and the second cipher key. The method performs the cryptographic process by using the generated sets of subkeys.

Abstract: Embodiments include apparatuses, methods, and systems for a physically unclonable function (PUF) circuit. The PUF circuit may include an array of PUF cells to generate respective PUF bits of an encryption code. Individual PUF cells may include first and second inverters cross-coupled between a bit node and a bit bar node. The individual PUF cells may further include a first pre-charge transistor coupled to the bit node and configured to receive a clock signal via a first clock path, and a second pre-charge transistor coupled to the bit bar node and configured to receive the clock signal via a second clock path. Features and techniques of the PUF cells are disclosed to improve the stability and/or bias strength of the PUF cells, to generate a dark bit mask for the array of PUF cells, and to improve resilience to probing attacks. Other embodiments may be described and claimed.

Abstract: An external system (such as a website) that interacts with users communicates with a social networking system to access information about the users, who may also be users of the social networking system. If a privacy setting is changed in the social networking system, and the change applies to information that has been shared with an external system, the change is enforced at the external system. For example, the external system may be notified that the information is invalid and must be deleted, or the external system may periodically request the information so that changes to the privacy settings are eventually experienced at the external systems. When an external system again needs the information, whether expired naturally or actively invalidated by the social network, the external system sends a new request for the information, which is subject to the (possibly revised) privacy settings.

Abstract: Provided is an authentication system in which a client terminal that receives input of request information is connected to a server that executes a process with regard to the request information. The client terminal includes: a first authentication information generation unit that generates first authentication information based on information which is shared with the server; an encryption unit that generates encryption information; and a transmission unit that transmits the request information and encryption information to the server.

Abstract: Data can be protected in mobile and payment environments through various tokenization operations. A mobile device can tokenize communication data based on device information and session information associated with the mobile device. A payment terminal can tokenize payment information received at the payment terminal during a transaction based on transaction information associated with the transaction. Payment data tokenized first a first set of token tables and according to a first set of tokenization parameters by a first payment entity can be detokenized or re-tokenized with a second set of token tables and according to a second set of tokenization parameters. Payment information can be tokenized and sent to a mobile device as a token card based on one or more selected use rules, and a user can request a transaction based on the token card. The transaction can be authorized if the transaction satisfies the selected use rules.

Abstract: Disclosed is an apparatus and method for encrypting plaintext data. The method includes: receiving at least one plaintext data input; applying a Nonce through a function to the at least one plaintext data input to create Nonced plaintext data outputs and/or to intermediate values of a portion of an encryption function applied to the at least one plaintext data input to create intermediate Nonced data outputs; and applying the encryption function to at least one of the Nonced plaintext data outputs and/or the intermediate Nonced data outputs to create encrypted output data. The encrypted output data is then transmitted to memory.

Abstract: A method can include receiving a request from a requestor to a given resource, which requestor is registered to access a set of one or more resources. The request includes a ticket that includes signature data generated by an authenticating entity in response to authenticating the requestor. The signature data may be decrypted to provide a decrypted signature. The ticket may be validated in response to the request based on evaluating the decrypted signature. A response can be provided to the requestor based on the validation, and the response can grant the requestor access to the given resource if the validation determines the ticket to be authentic and authorized for the given resource or the response can deny the requestor access to the given resource if the validation determines to reject the ticket.

Abstract: Some embodiments provide a method for performing an iterative block cipher. Line rotations and column rotations are combined to have a diversity of representations of the AES state. These protections can be performed either in static mode where the rotations are directly included in the code and the tables or in dynamic mode where the rotations are chosen randomly at execution time, depending on some entropic context variables. The two modes can also be advantageously combined together.

Abstract: The user of any one portable terminal sends a content information request including a user ID to a distribution server. In response, the distribution server distributes a stream data of content that can be used on the user's terminal. If the user of first portable terminal intends to let a second portable terminal try out a certain content, the user sends to the distribution server the trial permission information including the user's own user ID, a content ID of the content of interest, and a digital signature. The distribution server authenticates the received information before distributing a streaming data of a trial-oriented content with the content ID and user ID attached to it as search keys. This allows the content that can be used on a given user terminal to be tried out on another user terminal without the latter user having recourse to the steps of searching for the content in question.

Abstract: Described herein is a computer implemented method for simplifying a hierarchical edit script comprising nodes describing operations which can be applied to dataset A to generate dataset B. The method comprises identifying nodes in the hierarchical edit script that can potentially be simplified and forming one or more node groups, each node group comprising one or more sibling nodes from the hierarchical edit script that are of a same node type and that can potentially be simplified. For each node group the method further comprises identifying a node group type based on a type the node or nodes in the node group, based on the node group type, processing the node group to generate a single node, the single node capturing the operations described by the node or nodes in the node group, and replacing the node group in the hierarchical edit script with the single node.

Abstract: A method includes generating a first sequence of data words for sending over an interface. A second sequence of signatures is computed and interleaved into the first sequence, so as to produce an interleaved sequence in which each given signature cumulatively signs the data words that are signed by a previous signature in the interleaved sequence and the data words located between the previous signature and the given signature. The interleaved sequence is transmitted over the interface.

Abstract: A method of performing a keyed cryptographic operation by a cryptographic system mapping an encoded input message to an output message, including: receiving an encoding selection parameter p; receiving the encoded input message, wherein the encoding on the input message corresponds to the encoding selection parameter p; decoding the input message using an inverse of a default input encoding; computing a first portion of the cryptographic operation on the decoded input message to produce a first portion output; and compensating the first portion output based upon the encoding selection parameter p.

Abstract: In a general aspect, a conversion scheme is used with a cryptographic system. In some aspects, a pad bit vector is generated based on a size of a message bit vector, and a record bit vector is generated based on the pad bit vector. The record bit vector indicates the size of the pad bit vector. The record bit vector, the message bit vector, and the pad bit vector are combined to yield a first bit vector. A hash function is applied to the first bit vector, and an encryption function is applied to a portion of the first bit vector. A ciphertext is generated based on the output of the hash function and the output of the encryption function.

Abstract: A device and method for performing a keyed cryptographic operation mapping an input message to an output message including a first and a second round, wherein the cryptographic operation includes a key scheduling method that produces round keys based upon the encryption key, including: instructions for receiving a first input by the first round; instructions for receiving a second input by the first round; instructions for outputting the second input as a third input to the second round; instructions for performing a first cryptographic operation on the second input using a first static round key to produce a first cryptographic output; and instructions for combining first input, the first cryptographic output, and a second encoded dynamic round key to produce a fourth input to the second round, wherein the second encoded dynamic round key is produced by inputting an encoded dynamic encryption key into the key scheduling method.

Abstract: The invention relates to a method for generating a certificate for signing electronic documents by means of an ID token (106), having the following steps: —sending (201) a transaction request for a user to carry out a transaction, —as a result of the sending of the transaction request, a check is carried out as to whether the certificate (519) is available and if this is not the case, carrying out the following steps: generating (206) an asymmetrical key pair consisting of a private key and a public key using an ID token, said ID token (106) being assigned to the user; storing (207) the generated asymmetrical key pair on the ID token, wherein at least the private key is stored in a protected memory region of the ID token; transmitting (208; 509) the generated public key (518) to a first computer system, and generating (209) the certificate (519) by means of the first computer system for the public key.

Abstract: A problem to be solved is to reduce processing time when a block cipher which refers to a table is implemented in software. An encryption device includes: a round-key generation module which generates a round key from a secret key; a table-entry generation module which adds a starting address of an n-bit S-box table (n?2) aligned to a 2m-bit boundary (m?n) in a memory, and the round key, and holds an obtained value as a table entry; and a data mixing module which mixes data by referring to the S-box stored in the first memory, by using, as a table index, an exclusive OR between the table entry stored in the second memory and the data.

Abstract: An apparatus is described that includes an execution unit within an instruction pipeline. The execution unit has multiple stages of a circuit that includes a) and b) as follows: a) a first logic circuitry section having multiple mix logic sections each having: i) a first input to receive a first quad word and a second input to receive a second quad word; ii) an adder having a pair of inputs that are respectively coupled to the first and second inputs; iii) a rotator having a respective input coupled to the second input; iv) an XOR gate having a first input coupled to an output of the adder and a second input coupled to an output of the rotator. b) permute logic circuitry having inputs coupled to the respective adder and XOR gate outputs of the multiple mix logic sections.

Abstract: A first signal and a second signal associated with a circuit may be identified. A first count of a number of times that the second signal is associated with a transition when the first signal is at a first value may be determined. Furthermore, a second count of a number of times that the second signal is associated with a transition when the first signal is at a second value may be determined. A value corresponding to the dependence between the second signal and the first signal may be calculated based on the first count and the second count.

Abstract: A device includes one or more registers and circuitry. The circuitry subjects a key having a number of bits to a first function which takes a selection value into account, generating a result having a number of bits which is twice the number of bits of the key, and stores the result in the one or more registers. In response to a call for the key, the circuitry subjects the result stored in the one or more registers to a second function which takes the selection value into account to generate a response having a same value as the key.

Abstract: A method includes receiving, at a server, a request from a DNS client. The request identifies a domain name to be resolved that is not able to be resolved by the server. The method includes identifying a hash of the domain name as being part of a set of hashes. The hash of the domain name identified at the server was computed using a first cryptographic technique. However, the hash can be computed by an external system using a second cryptographic technique. The first cryptographic technique is able to compute the hash in substantially fewer or substantially less complex operations than the operations required to compute the hash using the second cryptographic technique. The method further includes returning a result indicating that the domain name cannot be resolved, including returning an indicator identifying the set of hashes.

Abstract: A cryptographic device performs modular addition between a first integer value x and a second integer value y in a processor by: obtaining a first masked input {circumflex over (x)}, a second masked input ?, a first mask rx and a second mask ry, the first masked input {circumflex over (x)} resulting from the first integer value x masked by the first mask rx and the second masked input ? resulting from the second integer value y masked by the second mask ry; computing a first iteration masked carry value ?1, using the first masked input {circumflex over (x)}, the second masked input ?, the first mask rx, the second mask ry and a carry mask value ?; recursively updating the masked carry value ?i to obtain a final masked carry value ?k?1, wherein the masked carry value is updated using the first masked input {circumflex over (x)}, the second masked input ?, the first mask rx, the second mask ry, and the carry mask value ?; combining the first masked input {circumflex over (x)} and the second masked input ? and t

Abstract: A data protection method and apparatus that can protect data through encryption using a Boolean function is provided. The data protection method includes applying an inverse affine transformation to data to be encrypted using a Boolean function; applying round operations of an Advanced Encryption Standard (AES) cryptographic algorithm to the inverse-affine transformed data; and producing ciphertext data by applying an affine transformation to the result of the round operations.

Abstract: A first device may receive a first password from a second device. The first password may be generated based on first time information and first location information identifying a geographic location of the second device. The first device may, determine a second password based on second time information and second location information identifying the geographic location of the second device. The first device may determine that the second device is located at the geographic location at a particular time when characters in the first password match characters in the second password, and may provide a service based on determining that the second device is located at the geographic location at the particular time.

Abstract: Methods and apparatus are disclosed for generating a short term password that may be used to access a data warehouse. According to aspects of the disclosure, a user may request a password after inputting a data warehouse environment, an ID name, and a reason for the password reset. A server may receive the request and determine whether the difference in time of the present request and a previous request for the same ID name and data warehouse environment is greater than a time limit. Additionally, the server may determine whether a previous user has logged in using a password for the same ID name and data warehouse environment. Thereafter, the server may generate and output a short term password that expires after the time limit.

Abstract: An apparatus is described that includes an execution unit within an instruction pipeline. The execution unit has multiple stages of a circuit that includes a) and b) as follows. a) a first logic circuitry section having multiple mix logic sections each having: i) a first input to receive a first quad word and a second input to receive a second quad word; ii) an adder having a pair of inputs that are respectively coupled to the first and second inputs; iii) a rotator having a respective input coupled to the second input; iv) an XOR gate having a first input coupled to an output of the adder and a second input coupled to an output of the rotator. b) permute logic circuitry having inputs coupled to the respective adder and XOR gate outputs of the multiple mix logic sections.

Abstract: An approach is provided for enabling a web browser to decrypt and to display encrypted information based on entropy calculations of the information. The decryption manager determines at least one entropy value for at least one element of at least one webpage. The decryption manager causes, at least in part, a decryption of the at least one element to generate at least one decrypted element based, at least in part, on a comparison of the at least one entropy value against one or more entropy threshold values.

Abstract: Enhanced cryptographic techniques are provided which facilitate higher data rates in a wireless communication system. In one aspect, improvements to the ZUC algorithm are disclosed which can reduce the number of logical operations involved key stream generation, reduce computational burden on a mobile device implementing ZUC, and extend battery life. The disclosed techniques include, for instance, receiving, at a wireless communication apparatus, a data stream having data packets for ciphering or deciphering. The wireless apparatus can generate a cipher key for the cryptographic function, determine a starting address of a first data packet in the data stream and shift the cipher key to align with the starting address of the first data packet. Once aligned, the processing apparatus applies the cryptographic function to a first block of the first data packet using the shifted cipher key and manages a remaining portion of the cipher key to handle arbitrarily aligned data across multiple packets.

Abstract: A device comprises a data storage media storing data content and a digital signature. At least a portion of the digital signature is encrypted on the data storage media. The device also includes a removable control circuitry including a unique key. If the unique key corresponds to the encrypted portion of the digital signature, the removable control circuitry allows access to the data content. If the unique key does not correspond to the encrypted portion of the digital signature, the removable control circuitry prevents access to the data content. Embodiments of the invention may be useful to prevent a user from accessing the data content without the original control circuitry used to write the data content. For example, embodiments of the invention may prevent a user from using a different control circuitry that would readily allow unauthorized copying and distribution of the data content.

Abstract: Disclosed is an apparatus and method for encrypting plaintext data. The method includes: receiving at least one plaintext data input; applying a Nonce through a function to the at least one plaintext data input to create Nonced plaintext data outputs and/or to intermediate values of a portion of an encryption function applied to the at least one plaintext data input to create intermediate Nonced data outputs; and applying the encryption function to at least one of the Nonced plaintext data outputs and/or the intermediate Nonced data outputs to create encrypted output data. The encrypted output data is then transmitted to memory.

Abstract: An approach is provided for generating a structured and partially regenerable identifier. An identification generation platform receives a request to generate at least one regenerable that includes, at least in part, a plurality of fields. The identification generation platform determines to separately hash and/or encrypt the respective ones of the plurality of fields. A generation of the at least one identifier is caused, based at least in part, on the hashed and/or encrypted respective ones of the plurality of fields.

Abstract: An IC card may include a substrate having opposing first and second surfaces, and a circuit carried by the substrate adjacent the first surface of the substrate. The substrate may include a first area defining a first sector of the substrate carrying the circuit and configured to be separated from the IC card, the first sector having a form and size based upon a first IC card format, the first area having a first line delimiting the first sector to the first IC card format. The substrate may include a second area defining a second sector around the first sector and configured to be separated from the IC card based upon a second line. The second sector may have a form and size based upon at least one of a second IC card format and a third IC card format.

Abstract: A cryptography circuit protected by masking, said circuit including means for encrypting binary words using at least one key krc, means for applying linear processing operations and nonlinear processing operations to said words and means for masking said words. The binary words are unmasked upstream of the nonlinear processing operations by using a mask kri and masked downstream of said processing operations by using a mask kr+1i, the masks kri and kr+1i being chosen from a set of masks that is specific to each instance of the circuit.

Abstract: A method and system for authenticating messages is provided. A message authentication system generates an encrypted message by encrypting with a key a combination of a message and a nonce. The message authentication system generates a message authentication code based on a combination of the message and the nonce modulo a divisor. To decrypt and authenticate the message, the message authentication system generates a decrypted message by decrypting with the key the encrypted message and extracts the message and the nonce. The message authentication system then regenerates a message authentication code based on a combination of the extracted message and the extracted nonce modulo the divisor. The message authentication system then determines whether the regenerated message authentication code matches the original message authentication code. If the codes match, then the integrity and authenticity of the message are verified.

Abstract: A cryptographic device includes a key addition module, a first module, and a key module. The key addition module generates an input block based on a cipher key and a plaintext block. The first module generates an output block by performing a plurality of rounds of processing on the input block. The key module, for each of the rounds, provides a round key based on the cipher key. The first module includes an inversion module that, for each of the rounds, performs a matrix inversion operation on first intermediate data to generate second intermediate data. In a first round of the rounds, the first intermediate data is set equal to the input block. The first module also includes a combined operation module that, for each of the rounds, updates the first intermediate data by performing an affine transformation operation and a mix columns operation on the second intermediate data.

Abstract: Provided are a computer system and its data control method that enable safe backup of data and reduction in the capacity of data to be backed up. A control processor refers to a differential and, if a differential bit is “0,” encrypts data of an online VOL with an encryption circuit by using key information, and transfers the encrypted data to a second storage system. If the differential bit is “1,” the control processor performs redundancy elimination processing to journal data, thereafter compresses the journal data with a compression circuit, encrypts the compressed journal data with an encryption circuit according to the key information, and transfers the journal data that was encrypted after compression to the second storage system.

Abstract: The present invention is directed to a method for virtualizing a personal working environment and a device for the same, relating to the information security field. The method comprises the steps of: installing a Virtual Machine (VM) environment on a device; upon virtualizing the personal working environment, connecting the device to a host, loading the VM environment into the host; and responding to a user operation and saving data of the user operation to the device by the VM environment. The device comprises a communication interface module, a VM environment storage module, and a control module. The present invention provides a means for secure and convenient mobile work.

Abstract: A homomorphic encryption algorithm is performed that encrypts at least a portion of a plurality of plaintext data items at a client computing device into homomorphic queries, each query including a cryptographically safe representation of one of the data items. The queries are transmitted to at least one discrete homomorphic encryption (DHE) server. An identifier is received from each query from the DHE server. The identifiers are transmitted to at least one computing server that maintains a database including data structures. The computing server is requested to requesting the computing server to insert the received identifiers into the database. At least one of the identifiers is processed: the computing server is requested to find the identifiers in the data structures that match the at least one identifiers and to perform at least one equality-based operation on the matching identifiers. A result of the at least one operation is received.

Abstract: An information processing apparatus includes an encrypting unit that encrypts a value to be kept secret with a predetermined cipher key. The information processing apparatus includes a converting unit that converts, when the value to be kept secret is an initial value written at the time of initialization of a storage device in which a value encrypted by the encrypting unit is stored, the value encrypted by the encrypting unit into a value which is reversibly convertible and is independent of the cipher key used by the encrypting unit. The information processing apparatus includes a storing unit that stores the value converted by the converting unit in the storage device.

Abstract: A reduction in the size of encryption processing configuration applying generalized Feistel structures is achieved. The encryption processing configuration applies a generalized Feistel structure for dividing and inputting data into multiple lines, and repeatedly executing data transformation processing applying a round function on the data transferred to each line, and during the execution cycle of a matrix operation by a matrix operation executing unit for executing linear transformation processing applying a matrix on the data in a first line, an operation is executed on the matrix operation processing data from the initial cycle and data in a second line. This configuration enables a register to be used for both the storage of the data for the second line and the storage of the results of the matrix operation on the first line of data in progress, a reduction in the total number of registers, and thus a reduction in size.

Abstract: Described herein is a computing platform incorporating a trusted entity, which is controllable to perform cryptographic operations using selected ones of a plurality of cryptographic algorithms and associated parameters, the entity being programmed to record mode of operation information, which is characterized by the algorithms and associated parameters that are selected to perform an operation.

Abstract: Efficient hardware architecture for a S1 S-box for a ZUC cipher is described. One circuit includes a first circuit to map an 8-bit input data of a Galois field GF(256) for a 8-bit data path for a ZUC cipher non-linear function component into 4-bit data paths for the ZUC cipher non-linear function component. The circuit further includes other circuits coupled to the first circuit to execute the 4-bit data paths in GF(162) to determine the inverse of the 8-bit input data for the ZUC cipher non-linear function component in GF(162) and to map the inverse in GF(162) to the Galois field GF(256).

Abstract: A system and method for encrypting and/or decrypting data with a Cryptomeria (C2) cipher may be provided that generates C2 round keys in parallel. Accordingly, data may be encrypted or decrypted at least twice as fast as without the system. A storage device may encrypt data written to the storage device and/or decrypt data read from the storage device with such a system.

Abstract: An apparatus, method, system and computer-readable medium are provided for preserving an encryption of data when confronted by an attack, such as a side channel analysis (SCA) attack based on a statistical analysis. In some embodiments, hardware, software, and/or firmware associated with an encryption calculation may be exercised or accessed during a background operation when an actual or real operation is not taking place. During the background operation, dummy values for data and one or more keys may be input to the hardware. A switching between the real operation and the background operation may take place seamlessly such that measurement of a physical characteristic associated with the hardware is indistinguishable in terms of when the real and background operations are active. In this manner, the secrecy of a key used in connection with the real operation may be preserved.

Abstract: In a method (400) for routing packets between a plurality of top switches (110a-110n) and a plurality of leaf switches (120a-120n) using a balancing table (204, 208, 210) in a fat tree network (100), a failed link between at least one top switch (110n) and at least one leaf switch (120n) is detected (402). In addition, the balancing table (204, 208, 210) is modified (406) based on the detected failed link, and the packets are routed (408) between the plurality of top switches (110a-110n) and the plurality of leaf switches (120a-120n) in the fat tree network (100) based on the modified balancing table (204, 208, 210).

Abstract: A hardware architecture for encryption and decryption device can improve the encryption and decryption data rate by using parallel processing, and pipeline operation, and save footprint by sharing hardware components. The hardware architecture can also be associated with a memory to protect the information stored at the memory. The encryption device can include a tweaking value manager to generate an array of tweaking values corresponding to the array of data blocks based on a tweaking encryption key, a first encryption unit to encrypt a first portion of the array of data blocks into a first portion of encrypted data blocks based on corresponding tweaking values and a data encryption key, a second encryption unit to encrypt a second portion of the array of data blocks, and a data block combiner to combine the first portion of encrypted data blocks and the second portion of encrypted data blocks.

Abstract: A method for converting, by means of a conversion entity, a first digit into a second digit, the first cipher corresponding to the result of a symmetric probabilistic encryption of an plain message element using a first secret matrix parameterized by a random vector, the second digit corresponding to the result of a symmetric probabilistic encryption of the plain message element using a second secret matrix that is parameterized by the random vector, characterized in that the method includes a step of: calculating the second digit by encrypting the first digit using a secret conversion matrix which is a function of the first and second secret matrices, and which is parameterized by the random vector.