Multiple Computer Communication Using Cryptography Patents (Class 713/150)
  • Patent number: 9015467
    Abstract: Methods and associated systems are disclosed for providing secured data transmission over a data network. Data to be encrypted and encryption information may be sent to a security processor via a packet network so that the security processor may extract the encryption information and use it to encrypt the data. The encryption information may include flow information, security association and/or other cryptographic information, and/or one or more addresses associated with such information. The encryption information may consist of a tag in a header that is appended to packets to be encrypted before the packets are sent to the security processor. The packet and tag header may be encapsulated into an Ethernet packet and routed via an Ethernet connection to the security processor.
    Type: Grant
    Filed: December 4, 2003
    Date of Patent: April 21, 2015
    Assignee: Broadcom Corporation
    Inventors: Mark L. Buer, Scott S. McDaniel
  • Publication number: 20150106614
    Abstract: The disclosed technology includes techniques for improving data privacy in mobile communications over public cloud services. According to certain implementations, a novel conceptual layer may be interposed between the “application” layer and the “user” layer. In some implementations, the conceptual layer may be at least partially embodied by a transparent window or pane overlaid on top of existing app graphical user interfaces to: (1) intercept plaintext user input before transforming the input and feeding it to an underlying app; and (2) reverse transform output data from the app before displaying the plaintext data to the user. Accordingly, the conceptual layer may serve as a protective layer while preserving the original application workflow and look-and-feel.
    Type: Application
    Filed: October 14, 2014
    Publication date: April 16, 2015
    Inventors: Wenke Lee, Alexandra Boldyreva, Chung Pak Ho, Billy Lau, Chengyu Song
  • Patent number: 9008311
    Abstract: A communication system includes a sender computer and a plurality of designated receiver computers coupled to the sender through a communication link. Each one of the receiver computers is equipped with computational resources stronger than the computational resources of an adversary computer. There is provided a method for sending a secret from the sender computer to a designated receiver computer. The sender computer defines a succession of computational tasks having respective solutions. The computational tasks are defined such that the duration of solving each task by the receiver computer is shorter than what would have been required for the adversary computer to solve the task. Next, the sender computer sends through the link the succession of tasks encrypted by previous solutions, and the receiver computer receives the tasks and is capable of decrypting the secret faster than what would have been required for the adversary computer to decrypt the secret.
    Type: Grant
    Filed: June 23, 2005
    Date of Patent: April 14, 2015
    Assignee: Ben-Gurion University of the Negev Research and Development Authority
    Inventors: Shlomi Dolev, Ephraim Korach, Galit Uzan
  • Patent number: 9009299
    Abstract: A peer-to-peer (P2P) bot(s) in a network is identified using an already identified P2P bot. More specifically, such embodiments may facilitate determining a candidate set of computers, which may be potential P2P bots, by identifying computers in a network that have a private mutual contact with a seed bot, which is a computer identified as a P2P bot, and identifying additional computers that have private mutual contacts with the identified computers. Further, a confidence level indicative of a certainty of a membership of each of the candidate computers in the P2P botnet is determined and responsive to a determination that the confidence level of the candidate computer exceeds a determined threshold confidence level, the candidate computer is identified as a P2P bot.
    Type: Grant
    Filed: January 7, 2011
    Date of Patent: April 14, 2015
    Assignee: Polytechnic Institute of New York University
    Inventors: Nasir Memon, Baris Coskun
  • Patent number: 9008108
    Abstract: Disclosed are various embodiments of a network switch for storing a prefix address and a mask corresponding to the prefix address, the prefix address and the mask each representing a binary value, the mask representing a number of significant bits of an address beginning with a most significant bit. The network switch obtains a network frame via one of a plurality of network interfaces, the network frame comprising a network address in a header of the network frame, the network address being a binary value representing a physical address of a network interface device. The network switch determines a truth value associated with a comparison of a mask number of bits of the prefix and network addresses, the truth value indicating an equivalence of the comparison. In response to the truth value, the network switch may initiate at least one action associated with the network frame.
    Type: Grant
    Filed: June 6, 2012
    Date of Patent: April 14, 2015
    Assignee: Broadcom Corporation
    Inventors: Narasimha Raju Chinta, Amitabha Sen
  • Patent number: 9009567
    Abstract: A method begins by a dispersed storage (DS) processing module encoding data to produce slices and redundancy slices and selecting primary and redundancy storage and execution units. The method continues with the DS processing module assigning partial tasks to the primary storage and execution units and generating a unique key set for each of the primary storage and execution units. The method continues with the DS processing module encrypting each of the slices with a corresponding one of the unique key sets to produce encrypted slices and sending the encrypted slices and an indication of the assigned partial tasks to the primary storage and execution units for storage and execution of the assigned partial tasks on the encrypted slices. The method continues with the DS processing module sending the redundancy slices to the set of redundancy storage and execution units for storage therein.
    Type: Grant
    Filed: June 13, 2013
    Date of Patent: April 14, 2015
    Assignee: Cleversafe, Inc.
    Inventors: Andrew Baptist, Greg Dhuse, Wesley Leggette, Jason K. Resch
  • Patent number: 9009858
    Abstract: A method for operating a distributed data management and control enclave comprises providing a policy that identifies a set of data to be managed and controlled. The policy further identifies devices upon which the data may be transferred and the conditions under which that data may be transferred to the identified devices. A first data management and control system to be used on a first device is then defined in the policy. A second management and control system to be used on a second device is then defined in the policy. The second data management and control system can be distinct from the first data management and control system. The specified data management and control system is then instantiated on a device. The specified data management and control system is then used to manage and control data on the device in accordance with the policy.
    Type: Grant
    Filed: March 14, 2013
    Date of Patent: April 14, 2015
    Assignee: Okta, Inc.
    Inventors: Kevin Eugene Sapp, II, Victor Ronin
  • Patent number: 9009462
    Abstract: A method may include allocating a number of public keys, where each respective public key is allocated to a respective entity of a number of entities; storing a number of private keys, where each respective private key corresponds to a respective public key; storing one or more decryption algorithms, where each respective decryption algorithm is configured to decrypt data previously encrypted using at least one encryption algorithm of the encryption algorithms. Each respective encryption algorithm may be configured to encrypt data using at least one public key. Each respective decryption algorithm may be configured to decrypt data using at least one private key. The method may include receiving encrypted data, where the encrypted data is encrypted using a first public key and a first encryption algorithm, and the encrypted data is provided over a network.
    Type: Grant
    Filed: December 11, 2013
    Date of Patent: April 14, 2015
    Assignee: eBay Inc.
    Inventor: Daniel Manges
  • Patent number: 9002010
    Abstract: Secure communication of information over a wireless link with apparatus including a blade management module and a plurality of blade servers, the blade servers connected for data communications with the blade management module through at least one wired link, the blade servers also connected for data communications with the blade management module through at least one wireless link, including sharing an encryption key between the blade management module and one or more of the blade servers only through the at least one wired link connecting the blade management module to the one or more blade servers; encrypting information by the blade management module with the encryption key; transmitting the encrypted information by the blade management module to the one or more blade servers through the at least one wireless link; and decrypting the encrypted information by the blade server with the encryption key.
    Type: Grant
    Filed: September 10, 2009
    Date of Patent: April 7, 2015
    Assignee: Lenovo Enterprise Solutions (Singapore) Pte. Ltd.
    Inventors: Keith M. Campbell, Rajiv N. Kantesaia, William G. Pagan, Marc V. Stracuzza, Michael N. Womack
  • Patent number: 9003177
    Abstract: A computing system includes data encryption in the data path between a data source and data storage devices. The data storage devices may be local or they may be network resident. The data encryption may utilize a key which is derived at least in part from an identification code stored in a non-volatile memory. The key may also be derived at least in part from user input to the computer. In a LAN embodiment, public encryption keys may be automatically transferred to a network server for file encryption prior to file transfer to a client system.
    Type: Grant
    Filed: May 25, 2012
    Date of Patent: April 7, 2015
    Assignee: Micron Technology, Inc.
    Inventor: Doug L. Rollins
  • Patent number: 9003178
    Abstract: A method of checking and protecting data and identities within a communication or computing process between at least one author and at least one recipient comprises at least: a step of allocation by an anonymization authority of one and the same stamp forming a cryptonymic marking, to one or to several different authors and to their objects; a step of inserting said stamp into the communication or computing protocol associated with the data stream, by means of a stamp system, the protocol containing the identity of said author or of said object of the author or authors, and each author being able moreover to simultaneously have a plurality of different cryptonyms; a step of reading, at at least one recipient, of said protocol by means of a reading system able to detect the presence of said stamp.
    Type: Grant
    Filed: June 1, 2011
    Date of Patent: April 7, 2015
    Assignee: Institut Mines-Telecom
    Inventors: Philippe Laurier, Michel Riguidel
  • Publication number: 20150095644
    Abstract: Methods and apparatus related to performance of telemetry, data gathering, and failure isolation using non-volatile memory are described. In one embodiment, a Non-Volatile Memory (NVM) controller logic stores data in a portion of an NVM device. The portion of the NVM device is determined based at least in part on a type or an identity of a sender of the data. Also, the data is encrypted in accordance with a public key provided by the sender. Other embodiments are also disclosed and claimed.
    Type: Application
    Filed: September 27, 2013
    Publication date: April 2, 2015
    Inventors: Saurabh Gupta, Vincent J. Zimmer
  • Patent number: 8995653
    Abstract: Embodiments of the present invention address deficiencies of the art in respect to symmetric key generation and provide a method, system and computer program product for symmetric key generation using an asymmetric private key. In one embodiment, a symmetric key generation data processing system can include a symmetric key generator configured with a programmatic interface including an input parameter for a seed, an input parameter for an asymmetric private key, and an output parameter for a symmetric key. The symmetric key generator can include program code enabled to generate the symmetric key by encrypting the seed with the asymmetric private key.
    Type: Grant
    Filed: July 12, 2005
    Date of Patent: March 31, 2015
    Assignee: International Business Machines Corporation
    Inventors: Alan D. Eldridge, David S. Kern
  • Patent number: 8996855
    Abstract: A client application, when executed by a processor, is operative to create a HyperText Transfer Protocol (HTTP) request containing a target header that includes a confidential value. The HTTP request is to be sent over a Secure Sockets Layer (SSL) 3.0 connection or a Transport Layer Security (TLS) 1.0 connection to a web server. The client application implements at its HTTP layer a countermeasure to a blockwise chosen-boundary attack. The client application generates an additional header having a header name that is not recognizable by the web server and inserts the additional header into the HTTP request ahead of the target header, thus creating a modified HTTP request. The modified HTTP request is to be sent, instead of the unmodified HTTP request, over the SSL 3.0 connection or the TLS 1.0 connection to the web server.
    Type: Grant
    Filed: November 14, 2012
    Date of Patent: March 31, 2015
    Assignees: BlackBerry Limited, Certicom Corp.
    Inventors: Alexander Sherkin, Gregory Marc Zaverucha, Alexander Truskovsky, Michael Matovsky, Osman Zohaib Arfeen
  • Patent number: 8990552
    Abstract: A transmit portion of a network device includes a medium access control (MAC) module configured to receive a frame of data to be transmitted from the network device in accordance with a MAC security (MACsec) protocol. In response to the frame of data being a precise time protocol (PTP) frame, the MAC module is configured to encrypt the PTP frame in accordance with the MACsec protocol, and associate an identifier with the encrypted PTP frame. A physical layer module includes a transmit module configured to transmit the encrypted PTP frame from the network device at a particular time. A PTP module is configured to, based on the identifier associated with the encrypted PTP frame, generate a time stamp indicating the particular time that the transmit module transmits the encrypted PTP frame from the network device. The time stamp is transmitted from the network device along with the encrypted PTP frame.
    Type: Grant
    Filed: April 8, 2013
    Date of Patent: March 24, 2015
    Assignee: Marvell World Trade Ltd.
    Inventors: Raghu Kondapalli, Guy T. Hutchison
  • Patent number: 8990902
    Abstract: A secure mechanism for performing a network boot sequence and provisioning a remote device may use a private key of a public key/private key encryption mechanism to generate a command by a server and have the command executed by the device. The command may be used to verify the authenticity of the remote device, and may be used to establish ownership of the device. After authenticity and, in some cases ownership is established, bootable software may be downloaded and executed. The remote device may be provisioned with software applications. One mechanism for performing the initial encrypted commands is through a Trusted Platform Module. In many embodiments, the public key for the initial encrypted communication may be provided through a trusted second channel.
    Type: Grant
    Filed: September 23, 2013
    Date of Patent: March 24, 2015
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Christopher McCarron, Varugis Kurien
  • Patent number: 8990557
    Abstract: Systems and methods for implementing an identity assertion framework to authenticate a user in a federation of security domains are provided. A first security token service (STS) is configured to receive a request for a first token from a consumer and to issue the first token to the consumer. The first STS is associated with a first security domain, and the first token is issued according to a first issuing policy of the first security domain. A service provider within a second security domain receives the first token and makes a determination whether the first token is invalid in the second security domain. A second STS receives the first token from the service provider, determines that the first token was issued by the first STS, and validates the first token according to a federation policy between the first security domain and the second security domain.
    Type: Grant
    Filed: February 17, 2011
    Date of Patent: March 24, 2015
    Assignee: eBay Inc.
    Inventors: Farhang Kassaei, Neeti Deshmukh, Peter Johnson, Franco Travostino, Sachin Khanna, Anand Bahety, Benoy Antony
  • Patent number: 8990908
    Abstract: A method, a computer readable medium and a system of multi-domain login and messaging are provided. The method for multi-domain login comprises inputting a local password by an agent, accessing a password vault with the local password, and retrieving at least one hidden password from the password vault, and logging the agent into at least one agent application using the at least one hidden password. The method for multi-domain messaging comprises retrieving information of an agent from a database, retrieving at least one skill group to which the agent belongs from the information, retrieving a message linked to the at least one skill group, and sending the message to the agent.
    Type: Grant
    Filed: November 19, 2013
    Date of Patent: March 24, 2015
    Assignee: West Corporation
    Inventors: Jeffrey William Cordell, Larry Trent Larson, Michael S. Fecci, Raymond Onslow Morris, Kevin Peter Pierson
  • Patent number: 8990955
    Abstract: A shared data store may be accessible to a plurality of electronic devices and used to share files in a collaboration setting. A shared file is shared by a first electronic device with a second device via a connection between the first electronic device and the shared data store. A coordinating electronic device associated with the shared data store monitors the connection with the first electronic device. If a loss in the connection is detected, the coordinating electronic device may cause access to the shared file to become restricted to the second electronic device responsive to the loss of the connection.
    Type: Grant
    Filed: August 1, 2012
    Date of Patent: March 24, 2015
    Assignee: BlackBerry Limited
    Inventors: James Allen Hymel, Janine Mary Hodder, Jean Philippe Bouchard
  • Patent number: 8990319
    Abstract: A computer-implemented method for negotiating a time and a medium for communications between users is described. The method is performed at a server including one or more processors and memory storing one or more programs. The method includes receiving a request from a first user to negotiate a time and a medium for communication with a second user. The request includes a plurality of acceptable mediums of communication. The method also includes generating a first notification based on the request. The first notification includes the plurality of acceptable mediums of communication. The method furthermore includes transmitting the first notification to the second user, and receiving a response to the first notification from the second user. The response indicates whether the second user has accepted one of the acceptable mediums of communication.
    Type: Grant
    Filed: January 7, 2011
    Date of Patent: March 24, 2015
    Assignee: Fuji Xerox Co., Ltd.
    Inventors: Jason Wiese, Jacob Biehl, Althea Turner
  • Publication number: 20150082020
    Abstract: A streaming one time pad cipher using rotating ports for data encryption uses a One Time Pad (OTP) and an Exclusive Or (XOR) (or other cipher) with a public key channel to encrypt and decrypt OTP data. There is no method in cryptography to thwart the OTP/XOR method and it is proven impossible to crack. The method also rotates the ports of the channels periodically to increase communication obfuscation. Through pre-fetching and cache of OTP data, latency increases from encryption are kept to an absolute minimum as the XOR for encryption and decryption is done with a minimal number of instructions.
    Type: Application
    Filed: November 26, 2014
    Publication date: March 19, 2015
    Inventor: Anthony Scott THOMPSON
  • Publication number: 20150082018
    Abstract: The invention relates to a method for securely exchanging data (5) between a communication device (1) and a server (8) of a service provider (2) via a communication network (3), the communication device (1) enabling at least one user (13) of the communication device (1) to use the services (4) provided by said service provider (2), said method being characterized in that it includes the following steps for exchanging data (5) between the communication device (1) and at least one server (8) of the service provider (2): in order to send the data (5), encrypting at least a portion of the sent data (5) using a physical key (7) which is known to the service provider (2) and which is physically written in a read-only memory of an electronic chip (6) of the communication device (1); and, upon receiving the data (5), decrypting the received data using said physical key (7).
    Type: Application
    Filed: September 12, 2012
    Publication date: March 19, 2015
    Inventor: Thomas Landais
  • Publication number: 20150082019
    Abstract: In one embodiment, a method for securing data on a semi-trusted server is implemented on a computing device and includes: receiving at least a current session key from a user device for use during a current session, where the current session key is suitable for encrypting data and for decrypting data encrypted with the current session key, decrypting communications received from the user device during the session with said session key, encrypting with the session key at least one of communications to be sent to said user device and personal data generated during the session, storing the encrypted personal data, and discarding the current session key upon completion of the session, thereby limiting possible access to the stored encrypted personal data other than during the session. Related apparatus and methods are also described.
    Type: Application
    Filed: August 18, 2014
    Publication date: March 19, 2015
    Inventors: Erez Waisbard, Anna Schnaiderman
  • Patent number: 8983072
    Abstract: Disclosed is a method for securely processing data in a portable data carrier. Said method is characterized by the following steps: a) the data to be processed is requested; b) the data to be processed is encoded; c) the encoded data is temporarily stored in a buffer storage zone of the data carrier; d) the temporarily stored, encoded data is decoded by means of a decoding key; and e) the decoded data is processed.
    Type: Grant
    Filed: May 11, 2006
    Date of Patent: March 17, 2015
    Assignee: Giesecke & Devrient GmbH
    Inventor: Michael Baldischweiler
  • Patent number: 8984271
    Abstract: Given the rise in popularity of communicating personal, private, sensitive, or vital peer-to-peer or peer-to-group information over potentially insecure text messaging infrastructure, it would be highly desirable to provide a solution that would enable the initiator and/or the consumer of these communiqués to determine the state of the privacy associated with the messages. The non-limiting technology herein provides systems and methods for enabling a consumer to graphically, linguistically, verbally, or programmatically determine the privacy and security state of a communiqué and/or the privacy/security association with the at least one plurality of peers. Methods and systems provided by a computer application can enable a consumer to input message oriented data that will be subsequently communicated to at least one of a plurality of peers. Upon reception of the data, systems and methods are also described to display the message oriented communiqué to the at least one peer consumer or other user.
    Type: Grant
    Filed: December 16, 2011
    Date of Patent: March 17, 2015
    Assignee: Protected Mobility, LLC
    Inventors: William J. Marlow, Robert Cichielo, Emil Sturniolo, Paul Benware
  • Patent number: 8984270
    Abstract: A data file decryption method, a decryption device and a data broadcasting system are disclosed, which are applied to a data broadcasting service. Among them, the data file decryption method includes the steps of: receiving the file delivery information which includes a data file identification and a key file identification corresponding to the data file; receiving the corresponding data file and key file according to the data file identification and the key file identification; and decrypting the data file according to the key file.
    Type: Grant
    Filed: December 15, 2009
    Date of Patent: March 17, 2015
    Assignee: China Mobile Communications Corporation
    Inventors: Xiaoming Lu, Jingyu Dong, Huiyuan Zhang, Yong Li
  • Patent number: 8984274
    Abstract: In one implementation, actions may include generating a first key for encryption of data and a second key for encryption of connection parameters. The connection parameters may enable the client device to establish a connection to an update server. Further actions may include encrypting the connection parameters using the second key and providing the first key and the second key to the update server. Additional actions may include storing the first key on the client device, receiving, at the client device, a notification of an update that includes the second key, decrypting the encrypted connection parameters using the received second key, and connecting to the update server using the decrypted connection parameters. Actions may further include providing a request for the update to the update server, receiving data encrypted using the first key in response, and decrypting the encrypted data using the first key.
    Type: Grant
    Filed: June 13, 2013
    Date of Patent: March 17, 2015
    Assignee: MicroStrategy Incorporated
    Inventors: Daniel Kerzner, Terry Berman, Yi Du, Shrimohan Damani
  • Patent number: 8984272
    Abstract: An information processing apparatus securely stores a program group comprising one or more programs and includes a first detector that detects an execution waiting state of a given program among the program group; a secure module that is configured such that information stored therein cannot be referred to by an external device, and when the execution waiting state is detected by the first detector, that encrypts the given program and writes the encrypted given program to a storage area that is different from that of the program group; a second detector that detects an execution request concerning the given program; a decrypter that decrypts the given program encrypted by the secure module and writes the decrypted given program to the storage area, when the execution request concerning the given program is detected by the second detector; and a program executor that executes the given program decrypted by the decrypter.
    Type: Grant
    Filed: March 29, 2012
    Date of Patent: March 17, 2015
    Assignees: Fujitsu Limited, Fujitsu Semiconductor Limited
    Inventors: Kiyoshi Kohiyama, Masakazu Takakusu, Kenichi Wakasugi
  • Patent number: 8983074
    Abstract: An input content data managing system includes a first electronic storing apparatus that stores encoded content data generated by encoding content data with a cryptographic key; a second electronic storing apparatus that stores the cryptographic key with corresponding digest-value data of the encoded content data capable of identifying sameness of the encoded content data; and a matching unit that determines a matched cryptographic key stored in the second storing apparatus for the encoded content data stored in the first storing apparatus, the matching using, as a matching key, at a predetermined time, digest-value data of the encoded content data obtained from the encoded content data stored in the first storing apparatus to match with the digest-value data of the encoded content data stored in the second storing apparatus, in order to obtain the content data by decoding the encoded content data using the matched cryptographic key.
    Type: Grant
    Filed: June 26, 2012
    Date of Patent: March 17, 2015
    Assignee: Quad, Inc.
    Inventor: Kozo Tagawa
  • Patent number: 8984155
    Abstract: Resources may be managed in a topology for audio/video streaming. DisplayPort is a digital audio/video interconnect standard of the Video Electronic Standards Association (VESA). It allows video and audio to be coupled from a computer to a video display or an audio playback system. The topology includes audio/video sources and sinks and intervening branch devices. Messages between these sources, sinks, and branch devices may be used for resource management.
    Type: Grant
    Filed: May 18, 2010
    Date of Patent: March 17, 2015
    Assignee: Intel Corporation
    Inventor: Srikanth Kambhatla
  • Patent number: 8984269
    Abstract: Embodiments relate to systems and methods for migrating data between cloud networks via a data distribution service. In aspects, an administrator of a data payload may wish to migrate the data payload from a host cloud network to a target cloud provider to leverage cost, security, redundancy, consolidation, or other advantages. The data distribution service can identify target cloud providers with sets of resources that are capable of hosting the data payload. Further, the data distribution service can determine that the target cloud providers are connected to or capable of being connected to the data distribution service via a set of dedicated communication channels. According to aspects, the data distribution service can receive the data payload from the host cloud network, and transport the data payload to a selected target cloud provider via the set of dedicated communication channels.
    Type: Grant
    Filed: February 28, 2011
    Date of Patent: March 17, 2015
    Assignee: Red Hat, Inc.
    Inventor: James Michael Ferris
  • Patent number: 8984273
    Abstract: A lightweight solution enables the exchange of multimedia information in a secure manner. Exchanged cryptographic material can be used to encipher multimedia message-oriented communications between devices. This lightweight solution can be used by common off the shelf devices such as smartphones, tablets, feature phones, or special purpose machine to machine devices for private communications, such as command and control, location services, video, audio, electronic attachments, etc. using insecure voice or data communication paths, such as MMS.
    Type: Grant
    Filed: June 10, 2013
    Date of Patent: March 17, 2015
    Assignee: Protected Mobility, LLC
    Inventors: William J. Marlow, Robert Cichielo, Emil Sturniolo, Paul Benware
  • Patent number: 8984639
    Abstract: Disclosed are an apparatus and method of verifying an application installation procedure. One example method of operation may include receiving an application at a computer device and initiating the installation of the application on the computer device. The method may also provide executing the application during the installation procedure and creating a hash value corresponding to the executed application data. The method may further provide storing the hash value in memory and comparing the hash value to a pre-stored hash value to determine whether to continue the installation of the application.
    Type: Grant
    Filed: August 13, 2014
    Date of Patent: March 17, 2015
    Assignee: Open Invention Network, LLC
    Inventor: William Charles Easttom
  • Patent number: 8984268
    Abstract: The invention provides a method and apparatus for transmitting data securely using an unreliable communication protocol, such as User Datagram Protocol. In one variation, the invention retains compatibility with conventional Secure Sockets Layer (SSL) and SOCKS protocols, such that secure UDP datagrams can be transmitted between a proxy server and a client computer in a manner analogous to conventional SOCKS processing. In contrast to conventional SSL processing, which relies on a guaranteed delivery service such as TCP and encrypts successive data records with reference to a previously-transmitted data record, encryption is performed using a nonce that is embedded in each transmitted data record. This nonce acts both as an initialization vector for encryption/decryption of the record, and as a unique identifier to authenticate the record.
    Type: Grant
    Filed: October 29, 2007
    Date of Patent: March 17, 2015
    Assignee: Aventail LLC
    Inventor: Marc D. VanHeyningen
  • Patent number: 8983061
    Abstract: A method and apparatus cryptographically process data including a plurality of data segments. The cryptographic process includes (a) receiving a plurality of data segments, (b) selecting, for each data segment, a set of encryption information based on data contained in a predetermined portion of the data segment to be encrypted, and (c) encrypting each data segment using the set of encryption information selected for the data segment. At least one of an encryption algorithm, an encryption key, and an encryption parameter may be changed for each data segment based on the data contained in the predetermined portion. The predetermined portion may include a first predetermined portion for selecting a first set of encryption information, and a second predetermined portion for selecting a second set of encryption information, the encryption information including an encryption algorithm, an encryption key, and optionally an encryption parameter.
    Type: Grant
    Filed: February 13, 2004
    Date of Patent: March 17, 2015
    Assignee: IVI Holdings Ltd.
    Inventor: Masashi Watanabe
  • Patent number: 8977686
    Abstract: Application programming interface (API) for starting and accessing distributed routing table (DRT) functionality. The API facilitates bootstrapping into the DRT by one or more devices of a group of devices (a mesh) seeking to collaborate over a serverless connection, establishing a node of the DRT, where each node is an instance of an application that is participating in the mesh, and node participation by allowing the application to search for keys published by other nodes in the mesh, or by becoming part of the mesh by publishing a key. The API facilitates optimization of the routing table for quickly finding a root of a specific key in the mesh by finding the key directly in a cache or by asking a root node of the key that is in the local routing table that is closest numerically to the key being searched.
    Type: Grant
    Filed: April 3, 2012
    Date of Patent: March 10, 2015
    Assignee: Microsoft Corporation
    Inventors: Todd R. Manion, Kevin C. Ransom, Jeremy L. Dewey, Scott A. Senkeresty, Travis C. Luke, Upshur W. Parks, Brian R. Lieuallen, Pritam De, Pallavi Choudhury
  • Patent number: 8977855
    Abstract: Methods and apparatus are provided for secure function evaluation between a semi-honest client and a semi-honest server using an information-theoretic version of garbled circuits (GC). An information-theoretic version of a garbled circuit C is sliced into a sequence of shallow circuits C1, ..., Cn, that are evaluated. Consider any wire wj of C that is an output wire of Ci, and is an input wire of Ci+1. When a slice Ci is evaluated, Ci's 1-bit wire key for wj is computed by the evaluator, and then used, via oblivious transfer (OT), to obtain the wire key for the corresponding input wire of Ci+1. This process repeats until C's output wire keys are computed by the evaluator. The 1-bit wire keys of the output wires of the slice are randomly assigned to wire values.
    Type: Grant
    Filed: July 31, 2012
    Date of Patent: March 10, 2015
    Assignee: Alcatel Lucent
    Inventors: Vladimir Y. Kolesnikov, Ranjit Kumaresan
  • Patent number: 8976966
    Abstract: To prevent falsification of an attribute of data, a mechanism is provided which encrypts document/image data while holding the attribute contained in the electronic document data as plain text, and makes it extremely difficult to decrypt the document/image data if the attribute is falsified. A transmitter receives a public key set including a plurality of public keys from a receiver, encrypts the document/image data using a common key, selects a public key from the public key set based on an attribute of the data, encrypts the common key using the selected public key, and transmits the data including the encrypted document/image data, the encrypted common key, and the attribute to the receiver.
    Type: Grant
    Filed: March 3, 2009
    Date of Patent: March 10, 2015
    Assignee: Canon Kabushiki Kaisha
    Inventor: Masahito Yamazaki
  • Patent number: 8977841
    Abstract: A system includes a server connectable to a client, the server configured to allow the client to acquire a message of an index designated by the client among N messages held by the server where N is an integer of two or more. The server includes a classification unit configured to classify the N messages into M classified messages by contents of the messages; a message encryption unit configured to encrypt each of the M classified messages; a message provision unit configured to provide the M encrypted classified messages to the client; and a key sending unit configured to send the client, by oblivious transfer, a message key for decrypting the classified message corresponding to the message of the index designated by the client.
    Type: Grant
    Filed: December 6, 2012
    Date of Patent: March 10, 2015
    Assignee: International Business Machines Corporation
    Inventors: Takaaki Tateishi, Yuji Watanabe
  • Patent number: 8978148
    Abstract: A communication apparatus may include a reception portion, a decision portion, and a transmission portion. The reception portion may receive a first data request transmitted through a first security level communication, and a second data request transmitted through a second security level communication, the second security level being more secure than the first security level. The decision portion may decide whether a specific data request is the first data request or the second data request. The transmission portion may transmit specific data to an apparatus that is the transmission source of the specific data request if the specific data request is the second data request, and may transmit different data to the apparatus if the specific data request is the first data request. The different data contains display information for causing the apparatus to retransmit the specific data request through the second security level communication.
    Type: Grant
    Filed: March 1, 2012
    Date of Patent: March 10, 2015
    Assignee: Brother Kogyo Kabushiki Kaisha
    Inventors: Munehisa Matsuda, Yohei Maekawa, Takeshi Miyake, Yuki Yada
  • Patent number: 8972729
    Abstract: A first network device is configured to receive a request for content from a user device, determine that the user device is not authenticated, and send information to the user device that the user device requires authentication. The first network device is configured further to receive a notification that the user device is authorized to receive content from multiple content providers. The first network device is configured further to generate a secret key and authenticate the user device by using the secret key. The first network device is further configured to send the content to the user device.
    Type: Grant
    Filed: October 24, 2012
    Date of Patent: March 3, 2015
    Assignee: Verizon Patent and Licensing Inc.
    Inventors: William C. King, Kwai Yeung Lee
  • Patent number: 8972715
    Abstract: A first module divides a string into blocks. A second module associates the blocks with monoid elements in a list of first monoid elements to produce second monoid elements. A third module applies a first function to an initial monoid element and a first of the second monoid elements producing a first calculated monoid element and evaluates an action of the initial monoid element on the first function producing a second function. A fourth module applies the second function to the first calculated monoid element and to a second of the second monoid elements producing a second calculated monoid element and evaluates the action of the first calculated monoid element on the first function producing a third function.
    Type: Grant
    Filed: July 13, 2012
    Date of Patent: March 3, 2015
    Assignee: SecureRF Corporation
    Inventors: Iris Anshel, Dorian Goldfeld
  • Patent number: 8972714
    Abstract: A system and methods for providing and reclaiming a single use imaging device for sterile environments are disclosed and described. The system may include a single use high definition camera used for general purpose surgical procedures including, but not limited to, arthroscopic, laparoscopic, gynecologic, and urologic procedures, and may comprise an imaging device that is sterile and designed to ensure single use. The imaging device may have a single imaging sensor, either CCD or CMOS, encased in a housing.
    Type: Grant
    Filed: March 25, 2011
    Date of Patent: March 3, 2015
    Assignee: Olive Medical Corporation
    Inventors: Joshua D. Talbert, Jeremiah D. Henley, Donald M. Wichern, Curtis L. Wichern
  • Patent number: 8966257
    Abstract: The present invention discloses a method and system for secret communication between nodes in a wired Local Area Network (LAN). The method of secret communication between nodes in the wired LAN includes the following steps: 1) a sharing key is established; 2) the route probe is exchanged; 3) the data communication is classified; 4) the secret communication is processed among the nodes. According to the different communication situations among the nodes, the method of secret communication between nodes provided in the present invention can process the classification and select an appropriate secret communication strategy; compared with per-hop encryption, the calculation load of the exchange equipment is reduced, and the transmission delay of data packets is shortened; compared with the method that inter-station keys are established in pairs of nodes in order to protect the communication secret, the key number is reduced, and the key management is simplified.
    Type: Grant
    Filed: June 2, 2010
    Date of Patent: February 24, 2015
    Assignee: China Iwncomm Co., Ltd.
    Inventors: Manxia Tie, Jun Cao, Qin Li, Li Ge, Zhenhai Huang
  • Patent number: 8965962
    Abstract: Various exemplary embodiments relate to a method and related network node including one or more of the following: determining by the network device that an S9 session should be audited; determining that the S9 session is a suspect session; transmitting an S9 message to a partner device, wherein the S9 message includes an innocuous instruction; receiving, at the network device, a response message from the partner device; determining, based on the response message, whether the suspect session is orphaned; and if the suspect session is orphaned, removing an S9 session record associated with the suspect session.
    Type: Grant
    Filed: July 16, 2013
    Date of Patent: February 24, 2015
    Assignee: Alcatel Lucent
    Inventors: Robert A. Mann, Lui Chu Yeung, Haiqing Ma
  • Patent number: 8966580
    Abstract: A third party is configured to establish a virtual secure channel between a source SSD and a destination SSD via which the third party reads protected digital data from the source SSD and writes the protected digital data into the destination SSD after determining that each party satisfies eligibility prerequisites. An SSD is configured to operate as a source SSD, from which protected data can be copied to a destination SSD, and also as a destination SSD, to which protected data of a source SSD can be copied.
    Type: Grant
    Filed: May 1, 2008
    Date of Patent: February 24, 2015
    Assignee: SanDisk IL Ltd.
    Inventors: Rotem Sela, Aviad Zer
  • Patent number: 8964744
    Abstract: A management apparatus for managing one or a plurality of devices connected to a network, comprises a management unit configured to manage information of each device; an instruction unit configured to cause a server having a function of managing a key to implement multicast using IPsec to register information of the management apparatus and the information of a device caused to belong to a multicast group out of the devices managed by the management unit, and issue key information to be used in the multicast group; and a communication unit configured to perform multicast communication using the IPsec with the device belonging to the multicast group using the key information issued by the server.
    Type: Grant
    Filed: October 4, 2012
    Date of Patent: February 24, 2015
    Assignee: Canon Kabushiki Kaisha
    Inventor: Masahito Hirai
  • Patent number: 8966241
    Abstract: An apparatus and method for sending encrypted data to a conditional access module (CAM) over a common interface (CI). A plurality of data packets are formed, and one data packet of the plurality of data packets includes a header and a payload for storing the encrypted data. The data packets are sent to the CAM over a transport stream (TS) interface of the CI. Encrypted data in different file formats can be sent over the TS interface. An initialization message including information about a selected format can be sent to the CAM over a control interface of the CI, and the CAM can send data request messages over the control interface to request specific data.
    Type: Grant
    Filed: April 30, 2012
    Date of Patent: February 24, 2015
    Assignee: Samsung Electronics Co., Ltd.
    Inventor: Arthur Simon Waller
  • Patent number: 8966239
    Abstract: Control of access to at least one digital content is managed as a function of at least one access criterion. The digital content is transmitted to at least one terminal in the form of a data stream. The access criterion is stored in the terminal as a function of an identifier. The terminal receives the data stream in association with a control message indicating the identifier. It then retrieves the stored access criterion as a function of the identifier received in the control message. Finally, it verifies whether the stored access criterion is satisfied in order, where appropriate, to authorize access to the content.
    Type: Grant
    Filed: June 25, 2010
    Date of Patent: February 24, 2015
    Assignee: Orange
    Inventors: Chantal Guionnet, Pierre Fevrier
  • Patent number: RE45485
    Abstract: The invention relates to a method and an arrangement for concealing the true identity of a user in a communications system comprising a first user equipment having a first characteristic identifier, a second user equipment having a second characteristic identifier, a service network serving the first and the second user equipment. The method according to the invention comprises: requesting a virtual identifier by means of the first user equipment; establishing the virtual identifier for the first user equipment; linking the virtual identifier of the first user equipment to the first characteristic identifier of the first user equipment and using the virtual identifier of the first user equipment for communication between the first and the second user equipment.
    Type: Grant
    Filed: December 1, 2011
    Date of Patent: April 21, 2015
    Assignee: Nokia Corporation
    Inventor: Marko H. Kokko