Public Key Patents (Class 380/30)
  • Patent number: 9509670
    Abstract: The present invention provides a system and method for managing secure communications in an ad-hoc network having three or more users including a first user, a second user and a third user. Each user is associated with at least one communication device, and has a set of keys associated with the user for managing secure communications between the at least one communication device of the user and the at least one communication device of another one of the three or more users. Each set of keys includes a private key and a public key, where the public key is shared with the communication device of the other ones of the three or more users with which the user has been authenticated, and the private key is used to decrypt communications encrypted using the corresponding public key from the same set of keys.
    Type: Grant
    Filed: August 19, 2014
    Date of Patent: November 29, 2016
    Assignee: Google Technology Holdings LLC
    Inventors: Binesh Balasingh, Viji Alexander, Gabriel B. Burca, Ranjeet Gupta, Eric J. Hefner, Mary K. Hor-Lao, Ishwara Ja, Douglas A. Lautner, Sudhir C. Vissa
  • Patent number: 9509678
    Abstract: A method, a computer program product and a computer system, for exchanging information to provide services, is provided. A computer processor creates an information repository associated with a service requestor, in response to receiving a request for service from the service requestor. The computer processor notifies a service provider of the request for service from the service requestor. The computer processor receives a request for information from the service provider, regarding information about the service requestor. The computer processor forwards the request for information to one or more information providers. The computer processor stores information in the information repository, in response to receiving the information from the one or more information providers, and notifies the service provider to retrieve the information from the information repository.
    Type: Grant
    Filed: November 18, 2015
    Date of Patent: November 29, 2016
    Assignee: International Business Machines Corporation
    Inventors: Manish Choudhary, Srinivasan S. Muthuswamy
  • Patent number: 9503267
    Abstract: Methods, systems, and computer programs for generating a digital signature are disclosed. In some aspects, a symmetric key is accessed. The symmetric key is based on an ephemeral public key. The ephemeral public key is associated with an ephemeral private key. A ciphertext is generated based on the symmetric key and a message. An input value is obtained based on the ciphertext independent of a hash function. A digital signature is generated from the ephemeral private key, the input value, and a long term private key.
    Type: Grant
    Filed: December 28, 2011
    Date of Patent: November 22, 2016
    Assignee: Certicom Corp.
    Inventors: Daniel Richard L. Brown, Adrian Antipa
  • Patent number: 9490974
    Abstract: Devices and methods are provided for managing identity-based decryption of digital content. A message sender (“Alice”) uses a random key (Krand) to encrypt message content for a message recipient (“Bob”). Then Alice uses the public key of a message decryption service provider (“Carmen”) to generate a wrapped key ciphertext comprising the Krand and authentication information associated with Bob. Alice then sends a message text containing the encrypted message content and the wrapped key ciphertext to Bob, who in turn sends the wrapped key ciphertext to Carmen along with his authentication information. Carmen then uses her private key to process the wrapped key ciphertext to decrypt the Krand and Bob's authentication information. If the authentication information provided by Bob matches the decrypted authentication information, then Carmen sends the decrypted Krand to Bob, who uses it to decrypt the encrypted message content.
    Type: Grant
    Filed: March 29, 2012
    Date of Patent: November 8, 2016
    Assignee: Certicom Corp.
    Inventor: Daniel R. L. Brown
  • Patent number: 9489662
    Abstract: A receipt system allows customers to store receipts on a Unified Card or smartphone when making purchases from different retailer merchants. The customer purchases goods or services and the receipt is recorded electronically onto a single Unified Card or smartphone. This eliminates the need for paper receipts. The user can then use the Unified Card or smartphone to make returns or exchanges or as proof of purchase. Unified Card readers can be located at Kiosks as part of a home based system that works with the user's home computer.
    Type: Grant
    Filed: November 9, 2011
    Date of Patent: November 8, 2016
    Assignee: RETAILGREEN, INC.
    Inventors: Ayman Sulaiman, Riyadh A Al Quaqezeh
  • Patent number: 9477839
    Abstract: One embodiment of the present invention provides a system to facilitate collaboration for mitigating network threats. During operation, the system receives encrypted data sets from a plurality of entities. The data sets include data describing threats to network security. The system performs privacy-preserving operations on the encrypted data sets, such as private set intersection. The system then computes one or more metrics based on results of the private set intersection computations. The system may generate a similarity matrix based on the one or more metrics, and returns one or more similarity values from the similarity matrix to one or more entities of the plurality of entities.
    Type: Grant
    Filed: April 4, 2014
    Date of Patent: October 25, 2016
    Assignee: PALO ALTO RESEARCH CENTER INCORPORATED
    Inventors: Julien F. Freudiger, Emiliano De Cristofaro, Alejandro E. Brito, Marshall W. Bern, Ersin Uzun
  • Patent number: 9473470
    Abstract: A method for supply of data, including generating an empowerment certificate signed with a signing entity's electronic signature. The empowerment certificate includes attributes of a described entity, information identifying the signing entity, indication of data relating to the described entity, indication of a source of the data, and identification of a relying entity to which the data can be supplied. The relying entity forwards the empowerment certificate to a source supplying the data indicated in the empowerment certificate.
    Type: Grant
    Filed: February 6, 2014
    Date of Patent: October 18, 2016
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Peter Roy Dare, John Owlett, Imran F. Tyabji
  • Patent number: 9467279
    Abstract: Instructions and logic provide for a Single Instruction Multiple Data (SIMD) SM4 round slice operation. Embodiments of an instruction specify a first and a second source data operand set, and substitution function indicators, e.g. in an immediate operand. Embodiments of a processor may include encryption units, responsive to the first instruction, to: perform a slice of SM4-round exchanges on a portion of the first source data operand set with corresponding keys from the second source data operand set in response to a substitution function indicator that indicates a first substitution function, perform a slice of SM4 key generations using another portion of the first source data operand set with corresponding constants from the second source data operand set in response to a substitution function indicator that indicates a second substitution function, and store a set of result elements of the first instruction in a SIMD destination register.
    Type: Grant
    Filed: September 26, 2014
    Date of Patent: October 11, 2016
    Assignee: Intel Corporation
    Inventors: Gilbert M. Wolrich, Sean M. Gulley, Vinodh Gopal, Kirk S. Yap, Wajdi K. Feghali
  • Patent number: 9461827
    Abstract: In a vehicle-to-vehicle wireless communication system utilizing certificates to verify trustworthiness of received communications, a method for distributing a list of certificate revocations to vehicles in the communication system. At least one main station transmits a list of certificate revocations to at least one vehicle and the vehicle thereafter transmits the list of certificate revocations to other vehicles in the communication network. Each of the other vehicles in the communication network updates its list of certificate revocations in response to the receipt of the list of certificate revocations from another vehicle in the system. The other vehicles thereafter transmit their updated list of certificate revocations to other vehicles in the system.
    Type: Grant
    Filed: April 11, 2008
    Date of Patent: October 4, 2016
    Assignees: Toyota Motor Engineering & Manufacturing North America, Inc., The Board of Trustees, University of Illinois at Urbana-Champaign
    Inventors: Kenneth P. Laberteaux, Yih-Chun Hu, Jason Haas
  • Patent number: 9455832
    Abstract: A portion of the signed message in an ECPVS is kept truly confidential by dividing the message being signed into at least three parts, wherein one portion is visible, another portion is recoverable by any entity and carries the necessary redundancy for verification, and at least one additional portion is kept confidential. The additional portion is kept confidential by encrypting such portion using a key generated from information specific to that verifying entity. In this way, any entity with access to the signer's public key can verify the signature by checking for a specific characteristic, such as a certain amount of redundancy in the one recovered portion, but cannot recover the confidential portion; only the specific entity can do so. Message recovery is also provided in an elliptic curve signature using a modification of the well-analyzed ECDSA signing equation instead of, e.g., the Schnorr equation used in traditional PV signature schemes.
    Type: Grant
    Filed: September 4, 2008
    Date of Patent: September 27, 2016
    Assignee: Certicom Corp.
    Inventors: Daniel R. Brown, Matthew J. Campagna, Marinus Struik, Scott A. Vanstone
  • Patent number: 9454755
    Abstract: The invention proposes an off-line divisible e-cash scheme where a user can withdraw a divisible coin of monetary value nL (n being for example equal to 2) that he can parcel and spend anonymously and unlinkably. The invention makes it possible to protect the anonymity of honest users and to revoke anonymity only in case of cheating, for protocols based on a tree structure, without using a trusted third party.
    Type: Grant
    Filed: April 11, 2008
    Date of Patent: September 27, 2016
    Assignee: GEMALTO SA
    Inventors: Aline Gouget, Pascal Paillier
  • Patent number: 9455830
    Abstract: A method of securing user credentials in a remote repository is provided. In accordance with one embodiment, there is provided a method comprising generating a first private key and a first public key pair from a registered password; generating a second private key and a second public key pair; generating a storage key from the second private key and the first public key; encrypting a set of credentials using the storage key; creating an encrypted credential signature from the encrypted set of credentials and the first private key; and storing the encrypted set of credentials, the encrypted credential signature, and the second public key in the remote repository.
    Type: Grant
    Filed: June 13, 2014
    Date of Patent: September 27, 2016
    Assignees: BlackBerry Limited, Certicom Corp.
    Inventors: Avinash Chidambaram, Matthew John Campagna
  • Patent number: 9455992
    Abstract: Techniques for utilizing trusted hardware components for mitigating the effects of equivocation amongst participant computing devices of a distributed system are described herein. For instance, a distributed system employing a byzantine-fault-resilient protocol—that is, a protocol intended to mitigate (e.g., tolerate, detect, isolate, etc.) the effects of byzantine faults—may employ the techniques. To do so, the techniques may utilize a trusted hardware component comprising a non-decreasing counter and a key. This hardware component may be “trusted” in that the respective participant computing device cannot modify or observe the contents of the component in any manner other than according to the prescribed procedures, as described herein. Furthermore, the trusted hardware component may couple to the participant computing device in any suitable manner, such as via a universal serial bus (USB) connection or the like.
    Type: Grant
    Filed: June 12, 2009
    Date of Patent: September 27, 2016
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: John R. Douceur, David M Levin, Jacob R. Lorch, Thomas Moscibroda
  • Patent number: 9443099
    Abstract: A method begins with a first computing device receiving a first request from a user device to access secure data. The method continues with the first computing device processing the first request to determine a level of access. When the level of access is acceptable, the method continues with the first computing device facilitating sending a set of encoded data slices to the user device. The method continues with a second computing device receiving a second request from the user device. The method continues with the second computing device processing the second request to determine the level of access. When the level of access is acceptable, the method continues with the second computing device facilitating sending a second set of encoded data slices to the user device. When the level of access is at a given level, the sets include a reconstruction threshold number of encoded data slices.
    Type: Grant
    Filed: March 31, 2014
    Date of Patent: September 13, 2016
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Gary W. Grube, Timothy W. Markison
  • Patent number: 9444694
    Abstract: Techniques to process service requests are described herein. In various embodiments, an identifier data associated with a service consumer with which a service request is associated is used to determine a subset comprising fewer than all members of a set of service instances. A selected service instance is selected from among the service instances in the subset to perform the service request.
    Type: Grant
    Filed: March 1, 2013
    Date of Patent: September 13, 2016
    Assignee: TIBCO Software Inc.
    Inventor: Steven Sweeting
  • Patent number: 9432184
    Abstract: A media processing device includes a one time programmable (OTP) memory to store a first set of cryptographic keys and rule set for the first set of cryptographic keys, a key store memory, and a rule set memory. The media processing device further includes an arbitration module to provision: a first segment of the key store memory to store cryptographic keys from the one-time programmable (OTP) memory; a first segment of the rule set memory to statically store rules for the cryptographic keys stored in the first segment of the key store memory; a second segment of the key store memory to store cryptographic keys; and a second segment of the rule set memory to store rules dynamically generated during operation of the media processing device for cryptographic keys stored in the second segment of the key store memory.
    Type: Grant
    Filed: February 5, 2015
    Date of Patent: August 30, 2016
    Assignee: VIXS Systems Inc.
    Inventors: Heyun Zheng, Norman Stewart, Jing Zhang
  • Patent number: 9430655
    Abstract: An improved technique involves providing protection of secrets by splitting the secret into secret shares and providing tokens for each secret share. Along these lines, a terminal splits a secret such as a credit card number into shares. The terminal then transmits each share to a separate and distinct token server. Each token server, upon receiving a secret share, generates a corresponding token and sends that token to an application server. In some cases, when a user at the application server requires access to the secret, the application server sends each token to the token server from which the token was generated. The token servers each send, in return, a secret share to the application server. The application server combines the secret shares to recover the secret.
    Type: Grant
    Filed: December 28, 2012
    Date of Patent: August 30, 2016
    Assignee: EMC Corporation
    Inventors: Rachael Stockton, Marten van Dijk
  • Patent number: 9425960
    Abstract: A method for performing data analytics on outsourced data may include receiving, at a data analyst, cipher text representing data from a data owner such that the data remains hidden from the data analyst, generating a query token using a constant provided by the data analyst such that the constant remains hidden from the data owner, and analyzing the cipher text using the query token.
    Type: Grant
    Filed: October 17, 2008
    Date of Patent: August 23, 2016
    Assignee: SAP SE
    Inventors: Florian Kerschbaum, Julien Jean-Pierre Vayssiere
  • Patent number: 9419970
    Abstract: Apparatus and methods for distributing access control clients. In one exemplary embodiment, a network infrastructure is disclosed that enables delivery of electronic subscriber identity modules (eSIMs) to secure elements (e.g., electronic Universal Integrated Circuit Cards (eUICCs), etc.). The network architecture includes one or more of: (i) eSIM appliances, (ii) secure eSIM storages, (iii) eSIM managers, (iv) eUICC appliances, (v) eUICC managers, (vi) service provider consoles, (vii) account managers, (viii) Mobile Network Operator (MNO) systems, (ix) eUICCs that are local to one or more devices, and (x) depots. Moreover, each depot may include: (xi) eSIM inventory managers, (xii) system directory services, (xiii) communications managers, and/or (xiv) pending eSIM storages. Functions of the disclosed infrastructure can be flexibly partitioned and/or adapted such that individual parties can host portions of the infrastructure.
    Type: Grant
    Filed: October 10, 2014
    Date of Patent: August 16, 2016
    Assignee: Apple Inc.
    Inventors: David T. Haggerty, Kevin P. McLaughlin, Jerrold Von Hauck, Arun Mathias
  • Patent number: 9419793
    Abstract: A method for generating a large prime number in an embedded system, comprising: (1) setting all identifiers in an identifier group in a first storage area; generating and storing a random number with preset bit length in a third storage area; modulizing the data in the third storage area by using the data stored in the storage unit of a second storage area as a modulus; determining the serial number of the identifier to be reset in the identifier group according to the modulized value and the data in the storage unit corresponding to the modulized value; and resetting the identifier corresponding to the serial number; (2) judging whether a set identifier exists in the identifier group, if yes, then executing step (3); otherwise, returning to step (1); and (3), determining a number to be detected according to the random number and the serial number of the set identifier in the identifier group; detecting the primality of the number to be detected; if the number to be detected passes the primality detection, th
    Type: Grant
    Filed: September 25, 2012
    Date of Patent: August 16, 2016
    Assignee: Feitian Technologies Co., Ltd.
    Inventors: Zhou Lu, Huazhang Yu
  • Patent number: 9414230
    Abstract: A certificate management operation request is managed on a device, access to which is governed by an authentication certificate. Upon receiving a request to perform a certificate management operation on a certificate, a consequence of performing the certificate management operation is determined and the consequence is indicated via a user interface of the device. For example, anytime a user attempts to use a certificate management application to delete, distrust or revoke a certificate, it is determined whether the certificate meets certain criteria, such as the certificate being the authentication certificate or being in the certificate chain of the authentication certificate. If the certificate meets the criteria, the user may be notified of a lack of permission to perform the requested operation and the operation may be prevented from completing. Alternatively, the user may be permitted to confirm the instruction to perform the requested operation, and the operation may be completed.
    Type: Grant
    Filed: October 27, 2008
    Date of Patent: August 9, 2016
    Assignee: BlackBerry Limited
    Inventors: Dinah Davis, Michael S. Brown, Neil Patrick Adams
  • Patent number: 9411971
    Abstract: In some embodiments, an electronic signature service automatically updates electronic documents to prevent execution by an unauthorized signatory. The electronic signature service can receive an electronic document to be electronically signed on behalf of an organization. The electronic signature service can retrieve organization data indicative of signatories that are authorized to electronically sign the electronic document. The organization data may be inaccessible to a first signatory that is associated with the document. The electronic signature service can determine from the organization data that the first signatory is not authorized to electronically sign the document. The electronic signature service can update the electronic document with a second signatory that is determined from the organization data as being authorized to execute the document.
    Type: Grant
    Filed: December 9, 2014
    Date of Patent: August 9, 2016
    Assignee: Adobe Systems Incorporated
    Inventor: Benjamin David Follis
  • Patent number: 9405888
    Abstract: Methods, systems, and products describe a robust solution for the dictionary problem of data structures. A hash function based on tabulation is twisted to utilize an additional xoring operation and a shift. This twisted tabulation offers strong robustness guarantees over a set of queries in both linear probing and chaining.
    Type: Grant
    Filed: October 17, 2015
    Date of Patent: August 2, 2016
    Assignee: AT&T INTELLECTUAL PROPERTY I, L.P.
    Inventors: Mikkel Thorup, Mihai Patrascu
  • Patent number: 9405509
    Abstract: Methods, computer systems, and computer program products for calculating a remainder by division of a sequence of bytes interpreted as a first number by a second number are provided. A first subset of bytes is read, and an associated first remainder by division is calculated and stored in the memory location from which the subset was read. A second subset of bytes is read, and an associated second remainder by division is calculated with a second processor. The calculating of the second remainder by division may occur at least partially during the calculating of the first remainder by division. A third and fourth subset of bytes is read and associated remainders are calculated.
    Type: Grant
    Filed: December 17, 2014
    Date of Patent: August 2, 2016
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Michael Hirsch, Shmuel T. Klein, Yair Toaff
  • Patent number: 9400974
    Abstract: According to one embodiment, a method is provided that can comprise receiving, by a server computer system from a user operating a client computing device, an electronic document and user input for adding one or more electronic annotations to the electronic document. The method can further comprise generating, by the server computer system, an annotated version of the electronic document that includes the one or more electronic annotations based on the user input. The server computer system can then send the annotated version of the electronic document to a recipient designated by the user.
    Type: Grant
    Filed: August 23, 2012
    Date of Patent: July 26, 2016
    Assignee: JN Projects, Inc.
    Inventors: Neal O'Mara, Joseph Walla
  • Patent number: 9401811
    Abstract: An attribute-based digital signature system is disclosed. A first signature generating unit (1) is used for generating a first signature (10) for a document (11), based on a first signature key (12) and the document (11). A re-signing unit (2) is used for generating a second signature (13) for the document (11), based on the first signature (10) and a re-signing key (14), wherein the re-signing unit (2) is arranged for handling attributes (15, 16) associated with the first signature (10) and/or the second signature (13). The second signature (13) is associated with a second set of attributes (16, 16′) determined by the re-signing key (14), wherein the second set of attributes (16) comprises a plurality of attributes.
    Type: Grant
    Filed: August 22, 2011
    Date of Patent: July 26, 2016
    Assignee: Koninklijke Philips N.V.
    Inventors: Muhammad Asim, Milan Petkovic
  • Patent number: 9397826
    Abstract: Provided are a security device and a method for operating same. The security device may conceal an encryption key used for an encryption algorithm in an encryption module in correspondence to security attacks such as reading information on where the encryption key is stored in a memory by disassembling an IC chip, or extracting said information through microprobing. The encryption key may be included as a physical encryption key module in an encryption module, and a certain storage medium for storing the encryption key may be included in the encryption module. Accordingly, the encryption key is not transmitted via a bus in a security device for encryption.
    Type: Grant
    Filed: March 23, 2015
    Date of Patent: July 19, 2016
    Assignee: ICTK CO., LTD.
    Inventors: Dong Kyue Kim, Byong Deok Choi
  • Patent number: 9396339
    Abstract: A router is placed between a protected computer and devices with which the computer communicates, including peripherals and other computers. The router includes a list of authorized devices that are permitted to send data to the protected computer, against which requests to send data are checked. The router also communicates with a remote authentication service to authenticate devices requesting such permission. The authentication service may be a cloud-based identity service.
    Type: Grant
    Filed: June 23, 2014
    Date of Patent: July 19, 2016
    Assignee: InferSpect, LLC
    Inventor: Norman Schibuk
  • Patent number: 9397839
    Abstract: A non-hierarchical infrastructure for managing twin-security keys of physical persons or of elements includes a public key and a private key with a public key certificate. The structure does not include any certification authority distinct from the physical persons or elements, but does include at least one registering authority and its electronic notary server. There is provided at least one registering authority and its electronic notary server for a circle of trust. The registering authority includes local registering agencies. The local registering agency establishes, after face-to-face verification of the identity of the physical person or of the identification of the element, a public key certificate, and a “public key ownership certificate”, which does not contain the public key of the person or of the element but the print thereof, and which is transmitted in a secure manner to the associated electronic notary server for storing in a secure manner.
    Type: Grant
    Filed: September 29, 2011
    Date of Patent: July 19, 2016
    Assignee: NTX RESEARCH SA
    Inventors: Pascal Thoniel, Francis Melemedjian
  • Patent number: 9391781
    Abstract: Systems, methods, and devices are provided for intermediate authentication of a message transmitted through a switched-path network, such as an optical transport network (OTN). In one method, a message transmitted through communication nodes of a switched-path network may be authenticated, at least partially, by authentication logic of one or more of the communication nodes. The one or more communication nodes may identify whether a prior communication node has tampered with or corrupted the message or may generate an authentication tag to enable an authentication authority to authenticate the message.
    Type: Grant
    Filed: December 20, 2013
    Date of Patent: July 12, 2016
    Assignee: Altera Corporation
    Inventors: Martin Langhammer, Shawn David Nicholl, Wally Haas
  • Patent number: 9380050
    Abstract: Methods and systems receive an electronic scanned image generated by activity of an application running on a portable computerized device, and calculate a cryptographic digest from data of the electronic scanned image using a second computerized device. Also, such methods and systems encrypt the cryptographic digest using an encryption key stored on the portable computerized device to create a content signature of the cryptographic digest, and send the content signature to the second computerized device. The authenticity of a copy of the electronic scanned image provided by the second computerized device is verified by recalculating the content signature (based on the copy of the electronic scanned image) using the encryption key from the portable device.
    Type: Grant
    Filed: June 20, 2014
    Date of Patent: June 28, 2016
    Assignee: Xerox Corporation
    Inventors: Gavan L. Tredoux, Premkumar Rajendran, Roger T. Kramer, Peter J. Zehler
  • Patent number: 9379891
    Abstract: Provided are identifier (ID)-based encryption and decryption methods and apparatuses for the methods. The ID-based encryption method includes having, at a transmitting terminal, a transmitting-side private key corresponding to a transmitting-side ID issued by a key issuing server, generating, at the transmitting terminal, a session key using the transmitting-side ID, a receiving-side ID, and the transmitting-side private key, extracting, at the transmitting terminal, a secret key from at least a part of the session key, and encrypting, at the transmitting terminal, a message using a previously set encryption algorithm and the secret key.
    Type: Grant
    Filed: October 30, 2013
    Date of Patent: June 28, 2016
    Assignees: SAMSUNG SDS CO., LTD., SNU R&DB FOUNDATION
    Inventors: Hyo Jin Yoon, Jung Hoon Sohn, Seon Young Lee, Hyung Tae Lee, Jung Hee Cheon
  • Patent number: 9373111
    Abstract: A method is disclosed. It includes presenting a payment card to an access device, obtaining additional data, encrypting the additional data, and passing the encrypted additional data to the access device.
    Type: Grant
    Filed: August 8, 2012
    Date of Patent: June 21, 2016
    Assignee: Visa International Service Association
    Inventors: Kim Wagner, Dinah Sloan, Brian Byrne
  • Patent number: 9374229
    Abstract: A graphical user interface can be provided for creating a digital certificate profile for a digital certificate. In one embodiment, the graphical user interface presents a plurality of certificate profile attributes selectable by the user. A security metric using at least two attributes of the plurality of certificate profile attributes is calculated. The security metric indicates the vulnerability of the digital certificate having the digital certificate profile. A usability metric using at least two other attributes of the plurality of certificate profile attributes is calculated. The usability metric indicates the vulnerability of the digital certificate having the digital certificate profile. A graphical representation of the security metric and the usability metric is provided in the graphical user interface.
    Type: Grant
    Filed: August 27, 2014
    Date of Patent: June 21, 2016
    Assignee: Symantec Corporation
    Inventors: Stefan Schwengler, Len Toyoshiba
  • Patent number: 9369276
    Abstract: Systems and methods for managing private and public encryption keys without the need for a third party certification authority. An initial value is generated by an authentication server. The initial value is divided into at least two portions and each portion is communicated with a user using different communication channels. The user receives the portions and enters a secret string value (i.e. a secret sentence) known only to the user. The portions are concatenated together to recreate the initial value. The portions, the initial value, and the secret string value are then used to create public and private keys for use by the user. Any recipient can authenticate digital signatures without needing the secret string value or the user's device can authenticate a digital signature using the portions and the secret string value.
    Type: Grant
    Filed: March 13, 2014
    Date of Patent: June 14, 2016
    Assignee: Signority Inc.
    Inventors: Carlisle Adams, Guy-Vincent Jourdan
  • Patent number: 9363086
    Abstract: One embodiment provides a system that facilitates routers in verifying content objects in a cost-effective manner by aggregating content objects into a secure content catalog. During operation, a client computing device receives a secure content catalog, which indicates a set of content objects and their corresponding digests. The catalog is digitally signed with the private key of a producer of the catalog. The client computing device constructs an interest for a content object, where the interest indicates a name for the content object and the corresponding digest for the content object, which is based on the secure content catalog. The name for the request content object is a hierarchically structured variable length identifier (HSVLI) which comprises name components ordered from a most general level to a most specific level.
    Type: Grant
    Filed: March 31, 2014
    Date of Patent: June 7, 2016
    Assignee: PALO ALTO RESEARCH CENTER INCORPORATED
    Inventors: Ersin Uzun, Marc E. Mosko, Michael F. Plass, Glenn C. Scott
  • Patent number: 9355228
    Abstract: A system that incorporates teachings of the subject disclosure may include, for example, receiving multiple software agents and configuring a network of the multiple software agents according to a predetermined policy. The process can further include facilitating secure communications among software agents of the network of the multiple software agents according to the predetermined policy. A state of one of the system, a system environment within which the system operates, or a combination thereof can be determined, based on the secure communications among the software agents of the network of the multiple software agents. A computing environment can be facilitated conditionally on the state of the one of the system, the system environment, or the combination thereof, according to the predetermined policy to support a mission application. Other embodiments are disclosed.
    Type: Grant
    Filed: July 15, 2013
    Date of Patent: May 31, 2016
    Assignee: Angel Secure Networks, Inc.
    Inventors: Fred Hewitt Smith, III, Cynthia Smith, Benjamin Smith, Daniel Sabin
  • Patent number: 9355389
    Abstract: Online ordering systems allow a user to submit sensitive information such as payment card information to a merchant in encrypted form. A payment card processor server may be used to provide the user's web browser with code for an encryption function, a cryptographic key, and a key identifier. The web browser may encrypt the payment card information by executing the encryption function and using the key. The encrypted payment card information may be supplied to the merchant over the internet. A key identifier that identifies which cryptographic key was used in encrypting the payment card information may be provided to the merchant without providing the merchant with access to the key. The merchant can forward the encrypted payment card information to the credit card processor server with the key identifier. The processor server can use the key identifier to obtain the key and decrypt the payment card information for authorization.
    Type: Grant
    Filed: November 17, 2011
    Date of Patent: May 31, 2016
    Assignee: Voltage Security, Inc.
    Inventors: Matthew J. Pauker, Terence Spies
  • Patent number: 9343109
    Abstract: A video editing device, when having failed to obtain a portion of high-resolution video data from a video camera through a network, provides, to the user, low-resolution video data which has been previously transferred from the video camera, instead of the portion of the high-resolution video data. In parallel with this, the video editing device automatically searches for the missing high-resolution video data, on a network, using the ID of a video file or the ID of a recording medium, and if it is found, supplements a video which is to be provided to the user, with the found high-resolution video data.
    Type: Grant
    Filed: June 24, 2014
    Date of Patent: May 17, 2016
    Assignee: Panasonic Intellectual Property Management Co., Ltd.
    Inventor: Seiji Horita
  • Patent number: 9336393
    Abstract: An electronic device includes a security system which provides for protection of designated files stored on an electronic device. For example, an electronic device may receive user input selecting a file for protection processing. The user input may select the file for encryption and automatic decryption under certain predetermined conditions and/or for automatic saving to a remote storage device after the device has been reported stolen, for instance. After receiving the user input selecting the file for protection processing, the electronic device may automatically receive theft information from a remote server, wherein the theft information indicates whether the electronic device has been reported stolen. After determining whether the electronic device has been reported stolen, the electronic device may automatically process the selected file according to the selected protection processing, wherein the processing is contingent on whether the electronic device has been reported stolen.
    Type: Grant
    Filed: October 12, 2010
    Date of Patent: May 10, 2016
    Assignee: Softex Incorporated
    Inventors: Apurva M. Bhansali, Gayathri Krishnamurthy Iyer, Mehul R. Patel, Rayesh K. Raikar, Kamal M. Dhanani, Ranjit Kapila, Elza A. Varghese
  • Patent number: 9338000
    Abstract: There is proposed a method of generating secret and public keys vDGHV with enhanced security, implemented in a device including at least one microprocessor and a memory. The method includes generating a secret key SK corresponding to the generation of a prime random number p or product of prime numbers.
    Type: Grant
    Filed: April 30, 2012
    Date of Patent: May 10, 2016
    Assignee: INGENICO GROUP
    Inventors: David Naccache, Jean-Sébastien Coron, Medhi Tibouchi
  • Patent number: 9331990
    Abstract: A method, system and computer program product for ensuring PKI key pairs are operatively installed within a secure domain of a security token prior to generating a digital certificate. The public key component of the PKI key pair is incorporated into a digital certificate which is returned to the security token for storage. The arrangement included herein incorporates the use of a critical security parameter to ensure a chain of trust with an issuing entity such as a registration authority. Furthermore, the arrangement does not require security officer or system administrator oversight during digital certificate generation as the critical security parameter provides a sufficient level of trust to ensure that digital certificate generation is being performed in conjunction with a designated security token rather than a rogue application. Lastly, separate inventive embodiments allow alternate communications and verification arrangements to be implemented.
    Type: Grant
    Filed: December 22, 2003
    Date of Patent: May 3, 2016
    Assignee: Assa Abloy AB
    Inventor: Eric F. Le Saint
  • Patent number: 9325694
    Abstract: An anonymous entity authentication method includes the steps of: an entity B sending RB and IGB; an entity A sending RB, R′A, IGA and IGB to a trusted third party TP, the trusted third party TP checking a group GA and a group GB against IGA and IGB for legality; the trusted third party TP returning ResGA, ResGB and a token TokenTA or returning ResGA, ResGB, TokenTA1 and TokenTA2 to the entity A; the entity A sending TokenAB and IGA to the entity B for authentication by the entity B; and the entity B sending TokenBA to the entity A for authentication by the entity A. In this solution, anonymous entity authentication can be performed without passing identity information of the authenticated entity itself to the opposite entity. This solution further relates to an anonymous entity authentication apparatus and a trusted third party.
    Type: Grant
    Filed: July 11, 2011
    Date of Patent: April 26, 2016
    Assignee: China IWNCOMM Co., Ltd.
    Inventors: Zhiqiang Du, Manxia Tie, Xiaolong Lai, Qiongwen Liang
  • Patent number: 9325811
    Abstract: A data processor and a method for processing data is disclosed. The processor has an input port for receiving packets of data to be processed. A master controller acts to analyze the packets and to provide a header including a list of processes to perform on the packet of data and an ordering thereof. The master controller is programmed with process related data relating to the overall processing function of the processor. The header is appended to the packet of data. The packet with the appended header information is stored within a buffer. A buffer controller acts to determine for each packet stored within the buffer based on the header within the packet a next processor to process the packet. The controller then provides the packet to the determined processor for processing. The processed packet is returned with some indication that the processing is done. For example, the process may be deleted from the list of processes.
    Type: Grant
    Filed: January 7, 2014
    Date of Patent: April 26, 2016
    Assignee: Conversant Intellectual Property Management Inc.
    Inventors: Arthur John Low, Stephen J. Davis
  • Patent number: 9323950
    Abstract: An integrated circuit device comprises a processor and a secure protection zone with security properties that can be verified by a remote device communicating with the integrated circuit device. The secure protection zone includes a persistent storage that is configured for storing cryptographic keys and data. The secure protection zone also includes instructions that are configured for causing the processor to perform cryptographic operations using the cryptographic keys. In addition, the secure protection zone includes an ephemeral memory that is configured for storing information associated with the cryptographic operations. The instructions are configured for causing the processor to perform the cryptographic operations on the data stored in the persistent storage and the information in the ephemeral memory as part of a secure communication exchange with the remote device.
    Type: Grant
    Filed: July 19, 2012
    Date of Patent: April 26, 2016
    Assignee: Atmel Corporation
    Inventors: Kerry Maletsky, David Durant, Balaji Badam, Michael Seymour
  • Patent number: 9319404
    Abstract: Apparati, methods, and computer-readable media for improving the security of communications networks. In one embodiment, an application control device (1102) controls another device (1109) from a remote location. The system comprises a remote device (1101) coupled to the device (1109) being controlled. The remote device (1101) has an action portion (1103) and a security portion (1104). The security portion (1104) contains a unique security portion identifier (1142). Remotely situated from the remote device (1101), the application control device (1102) comprises a rolling transaction code generator (1120) adapted to assign a unique rolling transaction code to each occurrence for which the application control device (1102) wishes to control the action portion (1103) of the remote device (1101). Another embodiment is a system for enabling two or more devices (1401, 1402, 1403) to communicate with each other over a network (1450) without human intervention.
    Type: Grant
    Filed: May 13, 2015
    Date of Patent: April 19, 2016
    Inventor: Jerome Svigals
  • Patent number: 9317449
    Abstract: A device includes a key store memory that stores one or more cryptographic keys. A rule set memory stores a set of rules for accessing the cryptographic keys. A key store arbitration module grants access to the cryptographic keys in accordance with the set of rules. The device can be used in conjunction with a key ladder. The device can include a one-time programmable memory and a load module that transfers the cryptographic keys from the one-time programmable memory to the key store memory and the set of rules to the rule set memory. A validation module can validate the cryptographic keys and the set of rules stored in the key store and rule set memories, based on a signature defined by a signature rule.
    Type: Grant
    Filed: October 8, 2013
    Date of Patent: April 19, 2016
    Assignee: ViXS Systems, Inc.
    Inventors: Paul D. Ducharme, Wendy Wai Yin Cheung, Albert Yunsang Wong, Shijun Huang, Norman V. D. Stewart
  • Patent number: 9313802
    Abstract: Technology for communicating security key information from a macro eNB is disclosed. Security key information associated with the macro evolved node B (eNB) may be determined. The security key information may be used to cipher information communicated at the first eNB. A small eNB may be identified at the macro eNB to generate the security key information associated with the macro eNB for ciphering information communicated at the second eNB. The security key information may be communicated, from the macro eNB, to the small eNB for inter-Evolved Universal Terrestrial Radio Access (EUTRA) evolved node B (eNB) carrier aggregation.
    Type: Grant
    Filed: September 25, 2013
    Date of Patent: April 12, 2016
    Assignee: INTEL IP CORPORATION
    Inventors: Youn Hyoung Heo, Yujian Zhang
  • Patent number: 9313197
    Abstract: A method of assessing risk in an electronic transaction involves assignment of quality attributes to cryptographic identities presented in a digital transaction. The quality assignment supports assessment of risk in the transaction. The evaluation of risk in the transaction is made by assessing machine readable attributes of the digital identities along with transaction details. The digital identity attributes may be constructed using extensions of existing standards. A guarantee against risk of loss may be obtained by procuring insurance on the transaction before execution. Third party insurers may analyze the risk of loss in a transaction by assessing the attributes of digital identities along with transaction details and may provide a requestor with an insurance premium quote. Based on the value of the quote, the transaction participants may decide whether or not to execute the transaction.
    Type: Grant
    Filed: February 23, 2015
    Date of Patent: April 12, 2016
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Michael A. Aday, Bryan M. Willman
  • Patent number: 9306734
    Abstract: According to an embodiment, a communication device is connected to a key generating device which generates an encryption key. The communication device includes a querying unit, an encryption processor, and a selecting unit. The querying unit is configured to send a query to the key generating device about capability information which indicates capability of the key generating device to generate the encryption key. The encryption processor is configured to implement a plurality of encryption functions. The selecting unit is configured to select, from among the plurality of encryption functions, an encryption function according to the capability information. The encryption processor implements the encryption function thus selected.
    Type: Grant
    Filed: March 12, 2013
    Date of Patent: April 5, 2016
    Assignee: Kabushiki Kaisha Toshiba
    Inventors: Yoshimichi Tanizawa, Shinichi Baba