Multiple Computer Communication Using Cryptography Patents (Class 713/150)
  • Patent number: 9060268
    Abstract: A method for negotiating security capabilities during movement of a User Equipment (UE) includes the following steps: a target network entity receives a Routing Area Update (RAU) Request from the UE; the entity obtains Authentication Vector (AV)-related keys deduced according to a root key, and sends the selected security algorithm to the UE; and the UE deduces the AV-related keys according to the root key of the UE. A system, SGSN, and MME for negotiating security capabilities during movement of a UE are also disclosed. The present invention is applicable to security capability negotiation between the UE and the network.
    Type: Grant
    Filed: March 4, 2010
    Date of Patent: June 16, 2015
    Assignee: Huawei Technologies Co., Ltd.
    Inventor: Chengdong He
  • Patent number: 9055047
    Abstract: A method and a device for negotiating encryption information are provided. In one embodiment, the method for negotiating encryption information includes: obtaining information about encryption capabilities of a first device and information about encryption capabilities of a second device; determining encryption information applicable to the first device and the second device according to the information about encryption capabilities of the first device and the information about encryption capabilities of the second device; and sending the encryption information to the first device and the second device, wherein the encryption information serves as a basis for encrypting and/or decrypting data streams between the first device and the second device. Embodiments of the present invention ensure security of data streams transmitted between a Telephony Client (TC) and a Telephony Server (TS).
    Type: Grant
    Filed: February 21, 2012
    Date of Patent: June 9, 2015
    Assignee: HUAWEI DEVICE CO., LTD.
    Inventors: Ping Fang, Huangwei Wu, Qinliang Zhang, Yu Zhu
  • Publication number: 20150149762
    Abstract: A unified encrypted messaging system transmits messages from a first computer to a second computer by dividing the encrypted message into a plurality of encrypted message fragments. A first portion of the plurality of encrypted message fragments is transmitted via a first protocol and a second portion of the plurality of encrypted message fragments is sent via a second protocol. The first portion may be sent via a first device and the second portion may be sent via a second device where the first device is different from the second device. The dividing the encrypted message may include adding a message identifier and fragment identifier to each of the plurality of encrypted message fragments to facilitate reassembly of the encrypted message upon receipt.
    Type: Application
    Filed: November 26, 2013
    Publication date: May 28, 2015
    Applicant: AT&T Intellectual Property I, L.P.
    Inventor: Wayne Crolley
  • Publication number: 20150149776
    Abstract: A system that incorporates the subject disclosure may perform, for example, providing an upload request to a mobile communication device to cause a secure device processor of the mobile communication device to perform a modification of data according to a data protection key to generate modified data and to perform an encryption of the modified data according to an upload transport key to generate encrypted modified data where the secure device processor is separate from and in communication with a secure element of the mobile communication device, and where the secure element receives master keys from a remote management server and stores the master keys to enable the upload transport key and the data protection key to be generated by the secure element without providing the master keys to the secure device processor. Other embodiments are disclosed.
    Type: Application
    Filed: November 27, 2013
    Publication date: May 28, 2015
    Applicant: AT&T Intellectual Property I, LP
    Inventors: Walter Cooper Chastain, Stephen Emille Chin
  • Publication number: 20150149763
    Abstract: Existing private set intersection (PSI) protocols allow two parties to find the intersection of their sets, but restrict learning any other information about each other's set except for its size. In general, the server-aided private set intersection with data transfer technique described herein provides a server-aided private set intersection (PSI) protocol that supports data transfers. The technique pertains to a method for providing a server-aided private set intersection protocol which allows two parties to transfer some of the information about their elements via an untrusted third party. The protocol involves (a) parties applying a shared pseudo-random permutation to each of their sets to create labels of the elements of the set, (b) sending the labels to the third party and (c) the third party performing data transfer between the two parties along with computation of intersection of sets received using a multi-share key.
    Type: Application
    Filed: November 27, 2013
    Publication date: May 28, 2015
    Applicant: Microsoft Corporation
    Inventor: Seny Kamara
  • Patent number: 9043604
    Abstract: Keying materials used for providing security in a platform are securely provisioned both online and offline to devices in a remote platform. The secure provisioning of the keying materials is based on a revision of firmware installed in the platform.
    Type: Grant
    Filed: September 5, 2013
    Date of Patent: May 26, 2015
    Assignee: Intel Corporation
    Inventors: Ernest F. Brickell, Shay Gueron, Jiangtao Li, Carlos V. Rozas, Daniel Nemiroff, Vincent R. Scarlata, Uday R. Savagaonkar, Simon P. Johnson
  • Patent number: 9043400
    Abstract: As a user of a social networking system views a page that includes information provided by the system, certain types of social interactions are monitored. If an interaction monitored for is detected, at least one recommendation unit is identified to present to the user on the page. The recommendation unit is identified based on a description of the interaction. The recommendation unit suggests that the user perform a social interaction in the social networking system. The recommendation unit is transmitted to a device of the user and is presented to the user on the page without having to reload the entire page.
    Type: Grant
    Filed: December 16, 2013
    Date of Patent: May 26, 2015
    Assignee: Facebook, Inc.
    Inventors: Yigal Dan Rubinstein, Srinivas P. Narayanan, Kent Schoen, Yanxin Shi, David Dawei Ye, Andrey Goder, Levy Klots, Robert Jin, Alexey Spiridonov
  • Patent number: 9043587
    Abstract: An endpoint computer in an enterprise network is configured to detect computer security threat events, such as presence of a computer virus. Upon detection of a threat event, the endpoint computer generates computer security threat data for the threat event. The threat data may include user identifiable data that can be used to identify a user in the enterprise network. The endpoint computer encrypts the user identifiable data prior to sending the threat data to a smart protection network or to an enterprise server where threat data from various enterprise networks are collected for analysis. The endpoint computer may also encrypt an identifier for the threat data and provide the encrypted identifier to the smart protection network and to an enterprise server in the enterprise network. The enterprise server may use the encrypted identifier to retrieve the threat data from the smart protection network to generate user-specific reports.
    Type: Grant
    Filed: July 5, 2012
    Date of Patent: May 26, 2015
    Assignee: Trend Micro Incorporated
    Inventors: Yi-Fen Chen, Shuosen Robert Liu
  • Patent number: 9043598
    Abstract: Systems and methods which facilitate secure multicast communications between any valid node of a cluster using authentication between a node joining the cluster and any single node which is validly part of the cluster are disclosed. In accordance with embodiments, a cluster key is utilized to provide security with respect to intra-cluster communications. The cluster key of embodiments is shared by a node which is already part of the cluster with a node joining the cluster only after these two nodes mutually authenticate one another. The mutual authentication handshake of embodiments implements a protocol in which a session key is calculated by both nodes, thereby providing a secure means by which a cluster key may be shared. Having the cluster key, each node of the cluster is enabled to securely communicate with any other node of the cluster, whether individually (e.g., unicast) or collectively (e.g., multicast), according to embodiments.
    Type: Grant
    Filed: May 5, 2014
    Date of Patent: May 26, 2015
    Assignee: NetApp, Inc.
    Inventor: Philip Bryan Clay
  • Publication number: 20150143102
    Abstract: A system includes a server connectable to a client, the server configured to allow the client to acquire a message of an index designated by the client among N messages held by the server where N is an integer of two or more. The server includes a classification unit configured to classify the N messages into M classified messages by contents of the messages; a message encryption unit configured to encrypt each of the M classified messages; a message provision unit configured to provide the M encrypted classified messages to the client; and a key sending unit configured to send the client, by oblivious transfer, a message key for decrypting the classified message corresponding to the message of the index designated by the client.
    Type: Application
    Filed: January 26, 2015
    Publication date: May 21, 2015
    Inventors: Takaaki Tateishi, Yuji Watanabe
  • Patent number: 9037855
    Abstract: A content data reproducing method includes: decrypting encrypted data to generate plain-text data; dividing the plain-text data into decrypted content data and reproduction management information; sending the reproduction management information to a user space; storing the decrypted content data in a secret buffer; obtaining the decrypted content data as reproduction target data from the secret buffer and transmitting the reproduction target data to a decoder; and decoding the reproduction target data by the decoder.
    Type: Grant
    Filed: November 6, 2013
    Date of Patent: May 19, 2015
    Assignee: SOCIONEXT Inc.
    Inventors: Atsushi Oida, Wataru Tachibana, Hiroyuki Wada
  • Patent number: 9037853
    Abstract: The invention relates to a P2P communication method for multi-subscriber networks, which is protected from deception, eavesdropping and hacking, and wherein the communication carried out in an interval is predominantly carried out in separate rooms, allocated to the P2P communication, and with separate reference data allocated to the P2P communication. At least part of the separate random reference data and/or random data is generated in at least one unit that participates in the P2P communication and is exchanged within the P2P communication in the form of relative data. The separate P2P communication is initiated with respect to at least one global random reference date valid for the time of the P2P communication, the random reference date being valid for a randomly determined time range and being stored in all units that carry out the P2P communications in a secret and non-deceivable manner.
    Type: Grant
    Filed: November 17, 2008
    Date of Patent: May 19, 2015
    Assignee: Fachhochschule Schmalkalden
    Inventors: Werner Rozek, Thomas Rozek, Jan Rozek
  • Patent number: 9038190
    Abstract: A communication apparatus may include a reception portion, a decision portion, and a transmission portion. The reception portion may receive a first data request transmitted through a first security level communication, and a second data request transmitted through a second security level communication, the second security level being more secure than the first security level. The decision portion may decide whether a specific data request is the first data request or the second data request. The transmission portion may transmit a specific data to an apparatus that is a transmission source of the specific data request if the specific data request is the second data request, and may transmit different data to the apparatus if the specific data request is the first data request. The different data contains display information for causing the apparatus to retransmit the specific data request through the second security level communication.
    Type: Grant
    Filed: March 1, 2012
    Date of Patent: May 19, 2015
    Assignee: Brother Kogyo Kabushiki Kaisha
    Inventors: Munehisa Matsuda, Yohei Maekawa, Takeshi Miyake, Yuki Yada
  • Patent number: 9038168
    Abstract: Described is a technology by which access to a resource is determined by evaluating a resource label of the resource against a user claim of an access request, according to policy decoupled from the resource. The resource may be a file, and the resource label may be obtained by classifying the file into classification properties, such that a change to the file may change its resource label, thereby changing which users have access to the file. The resource label-based access evaluation may be logically combined with a conventional ACL-based access evaluation to determine whether to grant or deny access to the resource.
    Type: Grant
    Filed: November 20, 2009
    Date of Patent: May 19, 2015
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Nir Ben-Zvi, Raja Pazhanivel Perumal, Anders Samuelsson, Jeffrey B. Hamblin, Ran Kalach, Ziquan Li, Matthias H. Wollnik, Clyde Law, Paul Adrian Oltean
  • Patent number: 9038156
    Abstract: The present disclosure is directed to methods and systems for user registration, where a user is logged in to a first device in communication with a server, including: receiving an anonymous registration of a second device comprising a token, where the second device is in communication with the server; receiving a credential of the user and the token; finding the second device using the token; and registering the user on the second device using the credential.
    Type: Grant
    Filed: February 25, 2013
    Date of Patent: May 19, 2015
    Assignee: Avaya Inc.
    Inventors: Mehmet C. Balasaygun, David Aherns, Joel M. Ezell
  • Publication number: 20150134947
    Abstract: A method for allowing a first party and a second party to obtain shared secret information is provided. The method comprises the steps of: obtaining, by the first party, a sequence of values A=X+NA where X is a sequence of values and NA is a random sequence associated with the first party; obtaining, by the second party, a sequence of values B=X+NB where NB is a random sequence associated with the second party; performing, by the first and second parties, a data matching procedure to identify corresponding pairs of values, a, b in respective sequences A and B that match, wherein sequences A and B are discrete-valued sequences equal to, derived from, or derived using, sequences A and B; wherein the shared secret information is equal to, or derived from, or derived using, the matching values in sequences A and B.
    Type: Application
    Filed: May 23, 2013
    Publication date: May 14, 2015
    Applicant: University of Leeds
    Inventors: Benjamin Thomas Hornsby Varcoe, Matthew Christopher John Everitt
  • Patent number: 9032201
    Abstract: The present invention relates to hiding a device identifier (IMEI) in a communication system. Identifying a device is done by indicating an international mobile equipment identity (IMEI) as an instance identifier of the device of a user. Generating a globally routable user agent uniform resource identifier (GRUU) for the user is done by encrypting the instance identifier so that the GRUU comprises an identity of the user and the encrypted instance identifier.
    Type: Grant
    Filed: September 4, 2009
    Date of Patent: May 12, 2015
    Assignee: Nokia Corporation
    Inventors: Georg Mayer, Peter Leis, Gunther Horn
  • Patent number: 9032043
    Abstract: A method and an apparatus for sharing content are provided. Information about at least one content is transmitted to an external device. Information about associated content that have been searched for by the external device based on the transmitted information about the at least one content is received from the external device. Content to share with a second user device are selected from among the associated content based on a predetermined condition. Information about the selected content is transmitted to the second user device.
    Type: Grant
    Filed: July 21, 2011
    Date of Patent: May 12, 2015
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Tae-young Kang, Yeon-hee Lee, Sang-ok Cha
  • Patent number: 9032534
    Abstract: A system administrator of a wireless LAN 100 manipulates a personal computer PC1 to change a WEP key. The personal computer PC1 authenticates a memory card MC as genuine under management of the system administrator. In the case of the authenticated memory card MC, changed setting information, as well as a previous WEP key before the change of the setting information, is written into the memory card MC. The system administrator then inserts this memory card MC into a memory card slot of a printer PRT1. The printer PRT1 authenticates the memory card MC as genuine under management of the system administrator. In the case of the authenticated memory card MC, the setting information is updated. This arrangement effectively relieves the user's workload in setting wireless communication devices, while ensuring sufficiently high security.
    Type: Grant
    Filed: December 21, 2004
    Date of Patent: May 12, 2015
    Assignee: Seiko Epson Corporation
    Inventor: Katsuyuki Koga
  • Patent number: 9031229
    Abstract: A homomorphic encryption algorithm is performed that encrypts at least a portion of a plurality of plaintext data items at a client computing device into homomorphic queries, each query including a cryptographically safe representation of one of the data items. The queries are transmitted to at least one discrete homomorphic encryption (DHE) server. An identifier is received from each query from the DHE server. The identifiers are transmitted to at least one computing server that maintains a database including data structures. The computing server is requested to insert the received identifiers into the database. At least one of the identifiers is processed: the computing server is requested to find the identifiers in the data structures that match the at least one identifier and to perform at least one equality-based operation on the matching identifiers. A result of the at least one operation is received.
    Type: Grant
    Filed: March 15, 2013
    Date of Patent: May 12, 2015
    Assignee: Newline Software, Inc.
    Inventor: Marius D. Nita
  • Patent number: 9030680
    Abstract: An information processing apparatus includes a control unit that, in a case where it is determined that proxy response processing should be performed, performs control such that an inputted job is processed without causing the information processing apparatus to transition from a second power mode to a first power mode, and, in a case where it is determined that proxy response processing should not be performed, performs control such that the inputted job is processed after causing the information processing apparatus to transition from the second power mode to the first power mode.
    Type: Grant
    Filed: March 12, 2012
    Date of Patent: May 12, 2015
    Assignee: Canon Kabushiki Kaisha
    Inventor: Yoshinobu Umeda
  • Patent number: 9032219
    Abstract: Methods and apparatus for reducing security vulnerabilities in a client/server speech recognition system including one or more client computers and one or more server computers connected via a network. Decryption of sensitive information, such as medical dictation information, is performed on designated servers to limit the attack surface of unencrypted data. Management of encryption and decryption keys to restrict the storage and/or use of decryption keys on the server side of the client/server speech recognition system, while maintaining encrypted data on the server side is also described.
    Type: Grant
    Filed: November 16, 2012
    Date of Patent: May 12, 2015
    Assignee: Nuance Communications, Inc.
    Inventors: William F. Ganong, III, Maximilian Bisani
  • Patent number: 9031237
    Abstract: Methods and apparatus are provided for protecting private data on a vehicle. The method comprises receiving a first signal generated by a user of the vehicle and, in response to the first signal, deleting predetermined data stored on the vehicle to prevent the private data from being accessed.
    Type: Grant
    Filed: February 19, 2009
    Date of Patent: May 12, 2015
    Assignee: GM Global Technology Operations LLC
    Inventors: Ansaf I. Alrabady, Fred W. Huntzicker, David Racklyeft
  • Patent number: 9032493
    Abstract: A three-way trust relationship is established between a mobile device, Internet-connected vehicle system, and a cloud-based service. Access rights are granted to the mobile device from the vehicle system, such that the mobile device can securely connect to, and obtain status information and/or control the Internet-connected vehicle system, through the cloud-based service.
    Type: Grant
    Filed: March 31, 2011
    Date of Patent: May 12, 2015
    Assignee: Intel Corporation
    Inventors: Victor B. Lortz, Anand P. Rangarajan, Somya Rathi, Vijay Sarathi Kesavan
  • Patent number: 9026782
    Abstract: A device sends an authentication request from the device to a session management server, and receives a token from the session management server if the device authenticates successfully. The device obtains a streaming media playlist file from a content delivery server, and sends the token to a key server for token validation. The device receives a decryption key from the key server if the token validates successfully, and requests a first streaming media segment file from the content delivery server based on the playlist file. The device receives the first streaming media segment file from the content delivery server; and decrypts the first streaming media segment file using the decryption key.
    Type: Grant
    Filed: April 24, 2012
    Date of Patent: May 5, 2015
    Assignee: Verizon Patent and Licensing Inc.
    Inventors: Sanjay Thakurdas Ahuja, Enrique Ruiz-Velasco, Laxmi Ashish Arte
  • Patent number: 9027114
    Abstract: In an embodiment, a method comprises obtaining a second network address at a computer node, which has been already associated with a first network address and provided first keying information; sending, to a key server computer, an update message that comprises both the first network address and the second network address; using the first keying information to encrypt messages that the computer node sends from the second network address to one or more other members of a group.
    Type: Grant
    Filed: March 12, 2013
    Date of Patent: May 5, 2015
    Assignee: Cisco Technology, Inc.
    Inventors: Aamer S. Akhter, Rajiv Asati, Brian Weis, Mohamed Khalid
  • Patent number: 9026783
    Abstract: Systems, methods, and machine-readable media for low latency server-side redirection of User Datagram Protocol (UDP)-based transport protocols traversing a client-side Network Address Translation (NAT) are provided. At a first server, a request for directing a data resource to a client may be received. The request may be received from the client or a back-end server trying to push the data resource to the client. The first server may lack the data resource or the resources to provide the data resource to the client. A second server may be determined for responding to the request. The request may be redirected to the second server. The first server may provide for the second server to connect to the client and directly respond to the request. The second server may not have been previously connected to the client.
    Type: Grant
    Filed: March 7, 2013
    Date of Patent: May 5, 2015
    Assignee: Google Inc.
    Inventors: James Anthony Roskind, Ian Douglas Swett
  • Patent number: 9026781
    Abstract: A method for transmitting data in a system is provided. The system includes a first device, a plurality of second devices, and a plurality of third devices. The method includes steps of encrypting the data with a first key and encrypting the first key with a second key at the first device, sending the encrypted data from the first device to the second device, decrypting the second key and encrypting the first key with a third key by the second device, sending the encrypted data from the second device to the third device, and decrypting the third key and the first key by the third device.
    Type: Grant
    Filed: December 29, 2008
    Date of Patent: May 5, 2015
    Assignee: Thomson Licensing
    Inventors: Yong Liang Liu, Guang Hua Zhou, Yi Zhang
  • Patent number: 9026784
    Abstract: An example method includes identifying a transport layer security (TLS) session between a client and a server, parsing one or more TLS messages to identify a session ticket associated with the session, transforming the session ticket into a fixed size session token, and managing the session using the session token to identify the session. The transforming may include computing a hash value of the session ticket using a hashing algorithm. If any of the TLS messages is spread across more than one TLS protocol record, the method can include computing a hash value of a portion of the session ticket encountered in a TLS protocol record using a hashing algorithm, incrementally computing another hash value of another portion of the session ticket encountered in a subsequent TLS protocol record from the previously computed hash value, and repeating the incremental computing until portions of the session ticket have been processed.
    Type: Grant
    Filed: January 26, 2012
    Date of Patent: May 5, 2015
    Assignee: McAfee, Inc.
    Inventors: Shivakumar Buruganahalli, Venu Vissamsetty
  • Patent number: 9025770
    Abstract: A method for encrypting a file using a combination of an electronic device and a protection communication-enabled (PCE) wireless device is provided. The method includes using an encryption/decryption engine executing on the electronic device to encrypt a first flag string, which is a binary string stored in a header of the file, with a digest value to create an encrypted flag string. The digest value is associated with the PCE wireless device, which is a device having a transmission application program installed thereon for enabling interaction between the PCE wireless device and the encryption/decryption engine. The method also includes encrypting at least a portion of the file using the digest value and a first password provided by a user, thereby generating an encrypted file that includes an encrypted version of at least a portion of the file, the encrypted flag string, and the first flag string.
    Type: Grant
    Filed: June 28, 2007
    Date of Patent: May 5, 2015
    Assignee: Trend Micro Incorporated
    Inventors: WeiChao Dai, Chao Fang, Zhentao Huang
  • Patent number: 9021247
    Abstract: A network control apparatus and method is provided. The method includes operations of informing a server of capability information including an encryption/decryption method, wherein the server provides the network control apparatus with control information used to control a network device using a general-purpose control web application, transmitting to the server a control information requesting message that requests the control information, receiving from the server the control information which has been encrypted using the encryption/decryption method, decrypting the encrypted control information according to the encryption/decryption method, and transmitting a control command for controlling the network device according to the decrypted control information.
    Type: Grant
    Filed: February 20, 2009
    Date of Patent: April 28, 2015
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Ho Jin, Jong-wook Park, Young-chul Sohn
  • Patent number: 9021272
    Abstract: The present invention relates to key management in a secure microcontroller, and more particularly, to systems, devices and methods of automatically and transparently employing logic or physical address based keys that may also be transferred using dedicated buses. A cryptographic engine translates a logic address to at least one physical address, and processes a corresponding data word based on at least one target key. The target key is selected from a plurality of keys based on the logic or physical address. A universal memory controller stores each processed data word in the corresponding physical address within a memory. Each key is associated with a memory region within the memory, and therefore, the logic or physical address associated with a memory region may be used to automatically identify the corresponding target key. A dedicated secure link may be used to transport key request commands and the plurality of keys.
    Type: Grant
    Filed: August 28, 2012
    Date of Patent: April 28, 2015
    Assignee: Maxim Integrated Products, Inc.
    Inventors: Vincent Debout, Frank Lhermet, Yann Yves René Loisel, Grégory Rome, Christophe Tremlet
  • Patent number: 9021248
    Abstract: Enhanced security measures are provided for accessing applications or data on a client device using an encryption scheme. The client device receives authorization to access the applications or data from a server that compares a password received at the client device with a password previously stored in the server. In addition to comparing the passwords, the server may implement additional security measures such as checking geographic locations of the client device or monitoring for suspicious patterns of usage on the client device. Further, different passwords may be used depending on whether the client device has connectivity with the server. When the connectivity is not available, a longer or more complicated password may be used instead of a shorter or simple password to provide added security. When the user is authenticated, a key is made available to access applications or data on the client device.
    Type: Grant
    Filed: August 22, 2013
    Date of Patent: April 28, 2015
    Assignee: SolidMobile, Inc.
    Inventor: Nae Kwon Jung
  • Patent number: 9015467
    Abstract: Methods and associated systems are disclosed for providing secured data transmission over a data network. Data to be encrypted and encryption information may be sent to a security processor via a packet network so that the security processor may extract the encryption information and use it to encrypt the data. The encryption information may include flow information, security association and/or other cryptographic information, and/or one or more addresses associated with such information. The encryption information may consist of a tag in a header that is appended to packets to be encrypted before the packets are sent to the security processor. The packet and tag header may be encapsulated into an Ethernet packet and routed via an Ethernet connection to the security processor.
    Type: Grant
    Filed: December 4, 2003
    Date of Patent: April 21, 2015
    Assignee: Broadcom Corporation
    Inventors: Mark L. Buer, Scott S. McDaniel
  • Patent number: 9015468
    Abstract: An apparatus for decoding a media stream, wherein the apparatus comprises a memory module, a processor module coupled to the memory module, wherein the memory module contains instructions that when executed by the processor cause the apparatus to perform the following: receive a media stream comprising a segment signaling information and a plurality of segments, wherein the plurality of segments comprises encoded and unencoded segments, wherein the segment signaling information comprises identification of at least two segment groups each comprising at least one segment, identify at least one segment group using the segment signaling information in the media stream, identify at least one segment decoding algorithm for the at least one segment group, identify at least one decoding key for the at least one segment group, and decode each encoded segment within the at least one segment group using the at least one segment decoding algorithm and the at least one decoding key.
    Type: Grant
    Filed: April 26, 2013
    Date of Patent: April 21, 2015
    Assignee: Futurewei Technologies, Inc.
    Inventors: Xin Wang, Yongliang Liu, Shaobo Zhang
  • Patent number: 9014680
    Abstract: An apparatus, and an associated method, for providing secured effectuation of a communication service at a substitute mobile station. A user desiring temporarily to use a substitute mobile station to carry out the communication service initiates a request at the mobile station for its use. The communication service is available to be performed at the substitute mobile station for a selected period. Upon termination of the selected period, the communication service session ends, and data associated with the communication service session is deleted from the substitute mobile station.
    Type: Grant
    Filed: August 12, 2010
    Date of Patent: April 21, 2015
    Assignee: BlackBerry Limited
    Inventors: Daryl Joseph Martin, James Andrew Godfrey, John Ferguson Wilson
  • Publication number: 20150106614
    Abstract: The disclosed technology includes techniques for improving data privacy in mobile communications over public cloud services. According to certain implementations, a novel conceptual layer may be interposed between the “application” layer and the “user” layer. In some implementations, the conceptual layer may be at least partially embodied by a transparent window or pane overlaid on top of existing app graphical user interfaces to: (1) intercept plaintext user input before transforming the input and feeding it to an underlying app; and (2) reverse transform output data from the app before displaying the plaintext data to the user. Accordingly, the conceptual layer may serve as a protective layer while preserving the original application workflow and look-and-feel.
    Type: Application
    Filed: October 14, 2014
    Publication date: April 16, 2015
    Inventors: Wenke Lee, Alexandra Boldyreva, Chung Pak Ho, Billy Lau, Chengyu Song
  • Patent number: 9009858
    Abstract: A method for operating a distributed data management and control enclave comprises providing a policy that identifies a set of data to be managed and controlled. The policy further identifies devices upon which the data may be transferred and the conditions under which that data may be transferred to the identified devices. A first data management and control system to be used on a first device is then defined in the policy. A second management and control system to be used on a second device is then defined in the policy. The second data management and control system can be distinct from the first data management and control system. The specified data management and control system is then instantiated on a device. The specified data management and control system is then used to manage and control data on the device in accordance with the policy.
    Type: Grant
    Filed: March 14, 2013
    Date of Patent: April 14, 2015
    Assignee: Okta, Inc.
    Inventors: Kevin Eugene Sapp, II, Victor Ronin
  • Patent number: 9009299
    Abstract: A peer-to-peer (P2P) bot(s) in a network is identified using an already identified P2P bot. More specifically, such embodiments may facilitate determining a candidate set of computers, which may be potential P2P bots, by identifying computers in a network that have a private mutual contact with a seed bot, which is a computer identified as a P2P bot, and identifying additional computers that have private mutual contacts with the identified computers. Further, a confidence level indicative of a certainty of a membership of each of the candidate computers in the P2P botnet is determined and responsive to a determination that the confidence level of the candidate computer exceeds a determined threshold confidence level, the candidate computer is identified as a P2P bot.
    Type: Grant
    Filed: January 7, 2011
    Date of Patent: April 14, 2015
    Assignee: Polytechnic Institute of New York University
    Inventors: Nasir Memon, Baris Coskun
  • Patent number: 9008311
    Abstract: A communication system that includes a sender computer and a plurality of designated receiver computers coupled to the sender through a communication link. Each one of the receiver computers is equipped with computational resources stronger than the computational resources of an adversary computer. There is provided a method for sending a secret from the sender computer to a designated receiver computer. The sender computer defining a succession of computational tasks having respective solutions. The computational tasks are so defined such that the duration of solving each task by the receiver computer is shorter than what would have been required for the adversary computer to solve the task. Next, the sender computer sending through the link the succession of tasks encrypted by previous solutions and the receiver computer receiving the tasks and is capable of decrypting the secret faster than what would have been required for the adversary computer to decrypt the secret.
    Type: Grant
    Filed: June 23, 2005
    Date of Patent: April 14, 2015
    Assignee: Ben-Gurion University of the Negev Research and Development Authority
    Inventors: Shlomi Dolev, Ephraim Korach, Galit Uzan
  • Patent number: 9009462
    Abstract: A method may include allocating a number of public keys, where each respective public key is allocated to a respective entity of a number of entities; storing a number of private keys, where each respective private key corresponds to a respective public key; storing one or more decryption algorithms, where each respective decryption algorithm is configured to decrypt data previously encrypted using at least one encryption algorithm of the encryption algorithms. Each respective encryption algorithm may be configured to encrypt data using at least one public key. Each respective decryption algorithm may be configured to decrypt data using at least one private key. The method may include receiving encrypted data, where the encrypted data is encrypted using a first public key and a first encryption algorithm, and the encrypted data is provided over a network.
    Type: Grant
    Filed: December 11, 2013
    Date of Patent: April 14, 2015
    Assignee: eBay Inc.
    Inventor: Daniel Manges
  • Patent number: 9008108
    Abstract: Disclosed are various embodiments of a network switch for storing a prefix address and a mask corresponding to the prefix address, the prefix address and the mask each representing a binary value, the mask representing a number of significant bits of an address beginning with a most significant bit. The network switch obtains a network frame via one of a plurality of network interfaces, the network frame comprising a network address in a header of the network frame, the network address being a binary value representing a physical address of a network interface device. The network switch determines a truth value associated with a comparison of a mask number of bits of the prefix and network addresses, the truth value indicating an equivalence of the comparison. In response to the truth value, the network switch may initiate at least one action associated with the network frame.
    Type: Grant
    Filed: June 6, 2012
    Date of Patent: April 14, 2015
    Assignee: Broadcom Corporation
    Inventors: Narasimha Raju Chinta, Amitabha Sen
  • Patent number: 9009567
    Abstract: A method begins by a dispersed storage (DS) processing module encoding data to produce slices and redundancy slices and selecting primary and redundancy storage and execution units. The method continues with the DS processing module assigning partial tasks to the primary storage and execution units and generating a unique key set for each of the primary storage and execution units. The method continues with the DS processing module encrypting each of the slices with a corresponding one of the unique key sets to produce encrypted slices and sending the encrypted slices and an indication of the assigned partial tasks to the primary storage and execution units for storage and execution of the assigned partial tasks on the encrypted slices. The method continues with the DS processing module sending the redundancy slices to the set of redundancy storage and execution units for storage therein.
    Type: Grant
    Filed: June 13, 2013
    Date of Patent: April 14, 2015
    Assignee: Cleversafe, Inc.
    Inventors: Andrew Baptist, Greg Dhuse, Wesley Leggette, Jason K. Resch
  • Patent number: 9002010
    Abstract: Secure communication of information over a wireless link with apparatus including a blade management module and a plurality of blade servers, the blade servers connected for data communications with the blade management module through at least one wired link, the blade servers also connected for data communications with the blade management module through at least one wireless link, including sharing an encryption key between the blade management module and one or more of the blade servers only through the at least one wired link connecting the blade management module to the one or more blade servers; encrypting information by the blade management module with the encryption key; transmitting the encrypted information by the blade management module to the one or more blade servers through the at least one wireless link; and decrypting the encrypted information by the blade server with the encryption key.
    Type: Grant
    Filed: September 10, 2009
    Date of Patent: April 7, 2015
    Assignee: Lenovo Enterprise Solutions (Singapore) Pte. Ltd.
    Inventors: Keith M. Campbell, Rajiv N. Kantesaia, William G. Pagan, Marc V. Stracuzza, Michael N. Womack
  • Patent number: 9003178
    Abstract: A method of checking and protecting data and identities within a communication or computing process between at least one author and at least one recipient comprises at least: a step of allocation by an anonymization authority of one and the same stamp forming a cryptonymic marking, to one or to several different authors and to their objects; a step of inserting said stamp into the communication or computing protocol associated with the data stream, by means of a stamp system, the protocol containing the identity of said author or of said object of the author or authors, and each author being able moreover to simultaneously have a plurality of different cryptonyms; a step of reading, at at least one recipient, of said protocol by means of a reading system able to detect the presence of said stamp.
    Type: Grant
    Filed: June 1, 2011
    Date of Patent: April 7, 2015
    Assignee: Institut Mines-Telecom
    Inventors: Philippe Laurier, Michel Riguidel
  • Patent number: 9003177
    Abstract: A computing system includes data encryption in the data path between a data source and data storage devices. The data storage devices may be local or they may be network resident. The data encryption may utilize a key which is derived at least in part from an identification code stored in a non-volatile memory. The key may also be derived at least in part from user input to the computer. In a LAN embodiment, public encryption keys may be automatically transferred to a network server for file encryption prior to file transfer to a client system.
    Type: Grant
    Filed: May 25, 2012
    Date of Patent: April 7, 2015
    Assignee: Micron Technology, Inc.
    Inventor: Doug L. Rollins
  • Publication number: 20150095644
    Abstract: Methods and apparatus related to performance of telemetry, data gathering, and failure isolation using non-volatile memory are described. In one embodiment, a Non-Volatile Memory (NVM) controller logic stores data in a portion of an NVM device. The portion of the NVM device is determined based at least in part on a type or an identity of a sender of the data. Also, the data is encrypted in accordance with a public key provided by the sender. Other embodiments are also disclosed and claimed.
    Type: Application
    Filed: September 27, 2013
    Publication date: April 2, 2015
    Inventors: Saurabh Gupta, Vincent J. Zimmer
  • Patent number: 8995653
    Abstract: Embodiments of the present invention address deficiencies of the art in respect to symmetric key generation and provide a method, system and computer program product for symmetric key generation using an asymmetric private key. In one embodiment, a symmetric key generation data processing system can include a symmetric key generator configured with a programmatic interface including an input parameter for a seed, an input parameter for an asymmetric private key, and an output parameter for a symmetric key. The symmetric key generator can include program code enabled to generate the symmetric key by encrypting the seed with the asymmetric private key.
    Type: Grant
    Filed: July 12, 2005
    Date of Patent: March 31, 2015
    Assignee: International Business Machines Corporation
    Inventors: Alan D. Eldridge, David S. Kern
  • Patent number: 8996855
    Abstract: A client application, when executed by a processor, is operative to create a HyperText Transfer Protocol (HTTP) request containing a target header that includes a confidential value. The HTTP request is to be sent over a Secure Sockets Layer (SSL) 3.0 connection or a Transport Layer Security (TLS) 1.0 connection to a web server. The client application implements at its HTTP layer a countermeasure to a blockwise chosen-boundary attack. The client application generates an additional header having a header name that is not recognizable by the web server and inserts the additional header into the HTTP request ahead of the target header, thus creating a modified HTTP request. The modified HTTP request is to be sent, instead of the unmodified HTTP request, over the SSL 3.0 connection or the TLS 1.0 connection to the web server.
    Type: Grant
    Filed: November 14, 2012
    Date of Patent: March 31, 2015
    Assignees: BlackBerry Limited, Certicom Corp.
    Inventors: Alexander Sherkin, Gregory Marc Zaverucha, Alexander Truskovsky, Michael Matovsky, Osman Zohaib Arfeen
  • Patent number: RE45485
    Abstract: The invention relates to a method and an arrangement for concealing the true identity of a user in a communications system comprising a first user equipment having a first characteristic identifier, a second user equipment having a second characteristic identifier, a service network serving the first and the second user equipment. The method according to the invention comprises: requesting a virtual identifier by means of the first user equipment; establishing the virtual identifier for the first user equipment; linking the virtual identifier of the first user equipment to the first characteristic identifier of the first user equipment and using the virtual identifier of the first user equipment for communication between the first and the second user equipment.
    Type: Grant
    Filed: December 1, 2011
    Date of Patent: April 21, 2015
    Assignee: Nokia Corporation
    Inventor: Marko H. Kokko