Abstract: A user selection of one or more of a plurality of content is received. The selected content is encrypted by a first encryption key that is remote and unknown to the distribution server. Payment information associated with the user selection is also received and verified. The selected content from is retrieved from a remote database. The first encryption key corresponding to the selected content to decrypt the encrypted content corresponding to the user selection is obtained. Decryption is performed by a hardware-based engine of the distribution server that is isolated from a host processor of the distribution server. The content corresponding to the user selection is encrypted according to a second encryption key that is known to the distribution server.

Abstract: Performing cryptographic operations such as encryption and decryption may be computationally expensive. In some contexts, initialization vectors and keystreams operable to perform encryption operations are generated and stored in a repository, and later retrieved for use in performing encryption operations. Multiple devices in a distributed system can each generate and store a subset of a larger set of keystreams.

Abstract: A system for securely entering particular information includes a mobile device and a background server. The mobile device includes a first area which is a non-secure environment, a second area which is a secure environment and a switching module implementing switchings between the first and second areas. At least one first application module for executing a business function application is provided in the first area. A second application module for executing a particular information entering application and an encryption module for encrypting entered particular information are provided in the second area. If a particular information entering is required by the first application module, the switching module triggers the second application module to perform the particular information entering, and returns, to the first application module, an encryption result obtained by encrypting the entered particular information.

Abstract: Methods and systems are provided for supporting electronic transactions, including transactions that are provided with per-user, per-device and per-domain security across domains of multiple service providers.

Abstract: A method and structure for authenticating users of a system that prevents theft of passwords and re-use of passwords. The method and structure use one-time passwords and a Secure CPU technology that cryptographically protects a software module known as a Secure Object from other software on a system. The method and structure generate and validate one-time passwords within Secure Objects and use a communications mechanism to securely communicate passwords or information used to generate passwords that makes use of cryptography and the protected and unprotected regions of a Secure Object to provide strong end-to-end security.

Abstract: Encrypting data without losing their format is important in computing systems, because many parties using confidential data rely on systems that require specific formatting for data. Information security depends on the systems and methods used to store and transmit data as well as the keys used to encrypt and decrypt those data. A policy broker is disclosed that maintains keys for clients in confidence, while providing cryptographically secure ciphertext as tokens that the clients may use in their systems as though they were the unencrypted data. Tokens are uniquely constructed for each client by the policy broker based on policies set by a receiving client detailing the formatting needs of their systems. Each client may communicate with other clients via the policy broker with the tokens and will send tokens unique to their system that the policy broker will translate into the tokens of the other party.

Abstract: Static security credentials are replaced by pseudonyms and session-specific passwords to increase security associated with user login attempts, and specifically to defeat keylogging attacks. For each login event, the system generates unique, session-specific credentials by randomly replacing characters within a given username and password. The random character generation ensures that system login attempts use different combinations of characters, thereby producing a new username and password for every user session. The client side of the system requires only the capability to display an image file, with specialized software/hardware limited to the server side, thereby facilitating the use of the system by a wide range of client devices.

Abstract: A system and method to watermark a compressed content encrypted by at least one content key, said content key as well as pre-marking data forming Conditional Access System (CAS) data, said CAS Data being encrypted by a transmission key and comprising at least one signature to authenticate all or part of the CAS Data, said compressed content being received by a client device comprising: a Descrambler having an input to receive the encrypted compressed content and an output to produce an compressed content, a Watermark (WM) inserter directly connected to the output of the Descrambler, said Descrambler and said WM inserter being connected with a Conditioner, said Conditioner executing the following steps: receiving the CAS Data, decrypting the CAS Data with the transmission key, verifying the signature of the CAS Data, and if the signature is valid, transferring the content key to the descrambler and the pre-marking data to the WM inserter, and watermarking by the WM inserter, the decrypted content received by t

Abstract: An encryption key management system and method implements enterprise managed encryption key for an enterprise using encryption for cloud-based services. In some embodiments, the enterprise deploys a key agent on the enterprise data network to distribute encryption key material to the network intermediary on a periodic basis. The network intermediary receives the encryption key material from the enterprise and stores the encryption key material in temporary storage and uses the received encryption key material to derive a data encryption key to perform the encryption of the enterprise's data. In this manner, the enterprise can be provided with the added security assurance of maintaining and managing its own encryption key while using cloud-based data storage services. The encryption key management system and method can be applied to ensure that the enterprise's one or more encryption keys do not leave the enterprise's premises.

Abstract: A first time software is loaded for execution by a device, the software stored in non-secure storage is authenticated. Authenticating the software may involve a cryptographic operation over the software and a digital signature of the software. A verification tag may be generated for the software if authentication of the software is successful, the verification tag based on the software and at least a device-specific secret data. The verification tag may be stored within the device. Each subsequent time the software is loaded for execution it may be verified (not authenticated) by using the verification tag to confirm that the software being loaded is the same as the one used to generate the verification tag while avoiding authentication of the software.

Abstract: Methods and systems are provided for supporting electronic transactions, including transactions that are provided with per-user, per-device and per-domain security across domains of multiple service providers.

Abstract: Embodiments disclosed herein relate to determining authorization of a software product based on a first authorization item and a second authorization item. Each authorization item may be a file or a registry key. A processor 104 may determine whether use of the software product is authorized at a particular time period by comparing a first authorization item and a second authorization item.

Abstract: System and method embodiments are provided for segment integrity and authenticity for adaptive streaming. In an embodiment, the method includes receiving at a data processing system a segment of a media stream, determining, with the data processing system, a digest or a digital signature for the segment, and comparing, with the data processing system, the digest/digital signature to a correct digest or a correct digital signature to determine whether the segment has been modified.

Abstract: A computing device configured to compute a data function on a function-input value, the device comprising an electronic storage storing a first table network configured for the data function and a second table network configured to cooperate with the first table network for countering modifications made to the first table network, an electronic processor coupled to the storage and configured to obtain first table inputs for the first table network, the first table inputs including the function-input value, and to compute the data function by applying the first table network to the first table inputs to produce first table outputs, the first table outputs including a function-output value corresponding to the result of applying the data function to the function-input value.

Abstract: An apparatus and method for providing a security keypad are provided. The apparatus for providing a security keypad includes a coordinate generation unit, a keypad output unit, and a key value processing unit. The coordinate generation unit computes a displacement by which a security keypad is to be shifted, and rearranges at least some of keys included in the security keypad by shifting the at least some keys so that the central axis of the security keypad is translated by the displacement. The keypad output unit displays the rearranged security keypad to a user. The key value processing unit processes key values in response to the user's input to the rearranged security keypad, and transfers the processed key values to an application for which the rearranged, security keypad is used.

Abstract: There is provided an information processing apparatus, including a storage section which stores a first image, which is an image of a format requiring license information in reproduction, to which reproduction is performed by a reproduction apparatus after being acquired, a conversion section which converts the first image into a second image of a format not requiring license information in reproduction, which is an image with content the same as content of the first image, and a distribution section which distributes the second image to the reproduction apparatus to be reproduced, during acquisition of the first image.

Abstract: Provided are a system and method for providing a digital signature based on a mobile trusted module (MTM). The system includes a control unit configured to activate a mobile application and receive selection of one certificate in a previously set certificate list from a user through the activated mobile application, an MTM configured to generate based on the selected certificate a keypad image in which buttons are irregularly arranged, an MTM table for converting keypad touch information into an actual value, and a terminal table for converting keypad image coordinates into an area, and put a digital signature on the certificate using a certificate password input by the user based on the keypad image, the MTM table, and the terminal table to generate a digital signature value, and a communication unit configured to encrypt the generated digital signature value and transmit the encrypted digital signature to an authentication server.

Abstract: Some embodiments provide a method for performing a block cryptographic operation that includes a plurality of rounds. The method receives a message that includes several blocks. The method selects a set of the blocks. The set has a particular number of blocks. The method applies a cryptographic operation to the selected set of blocks. A particular round of the cryptographic operation for a first block in the set is performed after a later round than the particular round for a second block in the set, while a different particular round for the first block is performed before an earlier round than the different particular round for the second block. In some embodiments, at least two rounds for the first block are performed one after the other without any intervening rounds for any other blocks in the set.

Abstract: A method of for issuing a radio frequency (RF) card key of an authentication server is disclosed. The method includes receiving an encrypted serial number of a smart card from a mobile terminal, decrypting the encrypted serial number, extracting an RF card key corresponding to the decrypted serial number, encrypting the RF card key, and transmitting the encrypted RF card key to the mobile terminal.

Abstract: An encryption key management system and method implements enterprise managed encryption key for an enterprise using encryption for cloud-based services. In some embodiments, the enterprise deploys a key agent on the enterprise data network to distribute encryption key material to the network intermediary on a periodic basis. The network intermediary receives the encryption key material from the enterprise and stores the encryption key material in temporary storage and uses the received encryption key material to derive a data encryption key to perform the encryption of the enterprise's data. In this manner, the enterprise can be provided with the added security assurance of maintaining and managing its own encryption key while using cloud-based data storage services. The encryption key management system and method can be applied to ensure that the enterprise's one or more encryption keys do not leave the enterprise's premises.

Abstract: Methods and systems are provided for supporting electronic transactions, including transactions that are provided with per-user, per-device and per-domain security across domains of multiple service providers.

Abstract: A user selection of one or more of a plurality of content is received. The selected content is encrypted by a first encryption key that is remote and unknown to the distribution server. Payment information associated with the user selection is also received and verified. The selected content from is retrieved from a remote database. The first encryption key corresponding to the selected content to decrypt the encrypted content corresponding to the user selection is obtained. Decryption is performed by a hardware-based engine of the distribution server that is isolated from a host processor of the distribution server. The content corresponding to the user selection is encrypted according to a second encryption key that is known to the distribution server.

Abstract: A system for application usage continuum across client devices and platforms includes a first client device configured to execute a first instance of an application and a second client device configured to execute a second instance of the application. The first client device is configured to receive an indication to transfer operation of the first instance of the application running on the first client device to the second instance of the application on the second client device. The first client device is further configured to generate state information and data associated with execution of the first instance of the application on the first client device and cause the state information to be sent to the second client device to enable the second instance of the application on the second client device to continue operation of the application on the second client device using the state information from the first client device.

Abstract: Methods and systems are provided for supporting electronic transactions, including transactions that are provided with per-user, per-device and per-domain security across domains of multiple service providers.

Abstract: Methods and systems are provided for supporting electronic transactions, including transactions that are provided with per-user, per-device and per-domain security across domains of multiple service providers.

Abstract: Methods and systems are provided for supporting electronic transactions, including transactions that are provided with per-user, per-device and per-domain security across domains of multiple service providers.

Abstract: Methods and systems are provided for supporting electronic transactions, including transactions that are provided with per-user, per-device and per-domain security across domains of multiple service providers.

Abstract: A computer implemented method for automatically fixing a security vulnerability in a source code is disclosed. The method includes obtaining identification of code that sends tainted data to corresponding sink code in the source code; and automatically fixing the vulnerability by automatically performing code modification which is selected from the group of code modifications consisting of: code motion and code duplication.

Abstract: A first code is read from a user carried device useable in an access control system. The first code is an encoded form of at least an ID of a user carrying the device and at least one privilege. The privilege defines the user's access to a resource. The first code is compared to a second code, and access is permitted only if the first code compares favorably to the second code. A reader of the access control system computes the second code based on the user ID and the privilege. The first and second codes may be also based on a secret key applicable only to the user.

Abstract: Configurable one-time authentication tokens are provided with improved resilience to attacks. A one-time authentication token is configured by providing a plurality of token features that may be selectively incorporated into the configurable one-time authentication token, wherein the plurality of token features comprise at least two of the features; obtaining a selection of at least a plurality of the token features: and configuring the one-time authentication token based on the selected token features, wherein the configuration must always enable forward security for the one-time authentication token and at least one additional selected token feature. A configurable one-time authentication token is provided that comprises a plurality of selectable token features that may be selectively incorporated into the configurable one-time authentication token, wherein the configurable one-time authentication token is always configured with the forward security and at least one additional token feature.

Abstract: The terminal device 600 comprises: a read unit configured to read encrypted content and a content signature from a regular region of a recording medium device 700, and to read a converted title key from an authorized region of the recording medium device 700, the converted title key having been converted from a title key with use of a content signature generated by an authorized signature device 500; a title key reconstruction unit configured to generate a reconstructed title key by reversely converting the converted title key with use of the content signature read by the read unit; and a playback unit configured to decrypt the encrypted content with use of the reconstructed title key to obtain decrypted content, and to play back the decrypted content.

Abstract: System and method is disclosed for protecting client software running on a client computer from tampering using a secure server. Prior to or independent of executing the client software, the system integrates self-protection into the client software; removes functions from the client software for execution on the server; develops client software self-protection updates; and periodically distributes the updates. During execution of the client software, the system receives an initial request from the client computer for execution of the removed function; verifies the initial request; and cooperates with the client computer in execution of the client software if verification is successful. If verification is unsuccessful, the system can attempt to update the client software on the client computer; and require a new initial request. Client software can be updated on occurrence of a triggering event. Communications can be encrypted, and the encryption updated. Authenticating checksums can be used for verification.

Abstract: The present disclosure relates to systems and methods for secure communications. In some aspects, an initiator KMS receives, from an initiator UE, one or more values used in generation of an encryption key, which includes obtaining at least one value associated with a RANDRi. The initiator KMS sends the at least one value associated with the RANDRi to a responder KMS. The responder KMS generates the encryption key using the one or more values.

Abstract: A processing apparatus 2 has a secure domain 90 and a less secure domain 80. Security protection hardware 40 performs security checking operations when the processing circuitry 2 calls between domains. A data store 6 stores several software libraries 100 and library management software 110. The library management software 110 selects at least one of the libraries 100 as an active library which is executable by the processing circuitry 4 and at least one other library 100 as inactive libraries which are not executable. In response to an access to an inactive library, the library management software 110 switches which library is active.

Abstract: Method and System for encrypting plaintext digital data divided into a sequence comprising successive plaintext blocks of a same length of bits each and a residual plaintext block having a length of bits lower than the length of one of the successive plaintext blocks. The successive plaintext blocks are ciphered with the main encryption key by using a ciphering algorithm based on a cipher block chaining mode to obtain a sequence of successive ciphered blocks having the same length as the successive plaintext blocks. A set of round keys having a same length, are generated by applying a key schedule function on a string obtained by adding the last ciphered block to the main encryption key. The round keys of the set are added together to obtain a resulting string having a length equal to the length of a block of the sequence.

Abstract: Methods and systems are provided for supporting electronic transactions, including transactions that are provided with per-user, per-device and per-domain security across domains of multiple service providers.

Abstract: Technologies for enabling biometric multi-factor authentication includes a transform selector value, a transform function that uses the transform selector value and a biometric user identifier as input, a salt derived from the output of the transform function, and a cryptographic hash function that generates a hash value based on the salt and a non-biometric user identifier.

Abstract: According to an embodiment, a device includes a processor unit, a control unit, a setting unit, a writing unit, and an executing unit. The processor unit is configured to switch between secure and non-secure modes, read/write data from/to a memory unit, and write an OS execution image of a secure OS unit to the memory unit. The setting unit is configured to set a shared memory area allowing reading and writing in both modes and an execution module memory area allowing reading and writing in the secure mode but not allowing reading or writing in the non-secure mode with respect to the control unit. The writing unit is configured to write an execution module to be executed in the secure OS unit to the shared memory area. The executing unit is configured to execute the execution module that has been written to the execution module memory area.

Abstract: Methods and systems are provided for supporting electronic transactions, including transactions that are provided with per-user, per-device and per-domain security across domains of multiple service providers.

Abstract: A method for decrypting multicast data by a mobile station in a wireless communication system is described. The method includes receiving an identifier of a group from a base station, receiving parameters for generating a group traffic key from the base station, wherein the parameters include an authentication key for the group, a group security seed and a counter, performing a key derivation function to generate the group traffic key based on the identifier and the parameters and decrypting multicast data using the group traffic key.

Abstract: The present disclosure includes apparatuses and methods for data compression and management. A number of methods include receiving a number of data segments corresponding to a managed unit amount of data, determining a respective compressibility of each of the number of data segments, compressing each of the number of data segments in accordance with its respective determined compressibility, forming a compressed managed unit that includes compressed and/or uncompressed data segments corresponding to the number of data segments corresponding to the managed unit amount of data, and forming a page of data that comprises at least the compressed managed unit.

Abstract: RFID reader systems, readers, components, software and methods cause RFID tags to backscatter a combination made from at least portions of a first code and a second code, without transmitting any commands in the interim. The first and/or second codes may include a tag response to a reader challenge. In a number of embodiments, a separate command does not have to be sent for reading the second code along with the first code, thereby saving time in inventorying the tags. Plus, the combination can enable reading tag codes during tag manufacturing that are not otherwise readily available to read in the field. In some embodiments, the combination may further include one or more error-checking codes.

Abstract: An authentication method includes RFID readers authenticating RFID tags using public-key cryptography. A tag manufacturer or other legitimate authority produces a tag private-public key pair and stores the tag private key in externally unreadable tag memory and the tag public key in externally readable tag memory. The authority produces a master private-public key pair and distributes the master public key to readers in the field. The authority generates a tag-specific electronic signature based on at least the tag public key and the master private key and stores this signature in externally readable tag memory. A reader authenticates the tag by retrieving the tag public key and electronic signature from the tag, verifying the authenticity of the tag public key using the master public key and the electronic signature, challenging the tag, receiving a response from the tag to the challenge, and verifying the response using the tag public key.

Abstract: Systems and methods are disclosed for allowing an authority to monitor a computer user's information in a most palatable manner for the computer user. The authority is provided access to information with encrypted user identification information and the user is notified if decryption is facilitated. The systems and methods also include a novel key production system whereby large numbers of deterministic key pairs may be created for use in the monitoring system.

Abstract: Systems and methods for security key transmission with strong pairing to a destination client are disclosed. A security key may be generated by an on-chip key generator, an off-chip device, and/or software. A rule may then be paired with the security key and an address associated with the security key. The rule may define permissible usage by a destination module, which is defined by the associated address. The rule may comprise a command word, which may be implemented using a data structure associated with a permissible algorithm type, a security key size, and/or a security key source.

Abstract: The present disclosure discloses a network device and/or method for determination of leveled security key holders for a wireless client in a wireless network. The network device detects a roaming or connection pattern of one or more wireless clients in the wireless network based on requests received from the wireless clients. Furthermore, the network device determines one or more selecting rules for selecting an appropriate key holder for the wireless client among a plurality of network devices. Next, the network device prioritizes the one or more selecting rules, and selects the appropriate key holder based on the determined rules and their corresponding prioritization. Through selection of appropriate key holders, the disclosed method provides for better load balancing among possible leveled key holders, and shortens the latencies experienced by wireless clients during fast basic service set transition.

Abstract: Methods and systems are provided for supporting electronic transactions, including transactions that are provided with per-user, per-device and per-domain security across domains of multiple service providers.

Abstract: A distributed system in which time-dependent credentials are supplied by controllers that operate according to different local times. Errors that might arise from the controllers generating inconsistent credentials because of time skew are avoided by identifying credentials generated during transition intervals in which different ones of the controllers may generate different credentials at the same absolute time. During a transition interval, controllers and other devices may use credentials differentially based on the nature of the authentication function. Each controller may periodically renew its credentials based on self-scheduled renewals or based on requests from other devices, such that renewal times are offset by random delays to avoid excessive network traffic. Controllers may determine which credential is valid for any given time, based on a cryptographically secure key associated with that time and information identifying the entity that is associated with that credential.

Abstract: According to one embodiment, an encryption device includes a storage unit, an input unit, first to fourth partial encryption units, a generation unit, and an output unit. The first partial encryption unit calculates first intermediate data from input plain data to store in the storage unit. The generation unit generates a round key, which is used in calculations for the first intermediate data and N-th intermediate data, from the secret key. The second partial encryption unit calculates (i+1)th intermediate data from i-th intermediate data (i is smaller than N) and the round key to store in the storage unit. The third partial encryption unit performs an arithmetic operation including predetermined conversion for mixing the N-th intermediate data, and calculates (N+1)th intermediate data to store in the storage unit. The fourth partial encryption unit obtains encrypted data by performing an arithmetic operation including inverse conversion of the conversion on the (N+1)th intermediate data.

Abstract: A system for securing a variable length keyladder key includes a keyladder decryptor configured to alter a first layer key and to execute a keyladder algorithm to generate a content key, the keyladder algorithm to generate the content key by decrypting an encrypted second layer key with the altered first layer key. The alteration mirrors the alteration applied to encrypt the second layer key by a content server providing content data to be decrypted. The system may further include a cryptographic direct memory access controller (DMAC) coupled with the keyladder decryptor and to decrypt encrypted content data using the generated content key. The keyladder decryptor may be further configured to send the content key to be stored in the DMAC without information regarding how the first layer key was altered. The alteration may include a permutation function or other change or modification.