Protection At A Particular Protocol Layer Patents (Class 713/151)
  • Patent number: 8976813
    Abstract: Methods and apparatus are provided for communicating a flow of packets with a requested quality of service. An exemplary method involves receiving a first packet of a flow, determining a first reference value for the packet flow identification field of the first packet using a key value, and facilitating the requested quality of service for the first packet when the received value of the packet flow identification field of the first packet matches the first reference value. The method continues by receiving a second packet of the flow, determining a second reference value for the packet flow identification field using the key value, and facilitating the requested quality of service for the second packet when the received value of the packet flow identification field of the second packet matches the second reference value.
    Type: Grant
    Filed: September 8, 2011
    Date of Patent: March 10, 2015
    Assignee: Motorola Solutions, Inc.
    Inventors: Tyrone D. Bekiares, Robert A. Fredericks, Adam C. Lewis
  • Patent number: 8976964
    Abstract: In a key pair management method for use in an image forming device, one or more key pairs which are usable for secure communication between the image forming device and an external device are stored into a first area of a memory. A key pair required for the secure communication with the external device is received from the first area of the memory. After the key pair is received from the first area of the memory, the key pair required for the secure communication with the external device is generated in an asynchronous mode and stored into the first area of the memory again. The secure communication between the image forming device and the external device is performed using the key pair received from the first area of the memory.
    Type: Grant
    Filed: August 30, 2012
    Date of Patent: March 10, 2015
    Assignee: Ricoh Company, Ltd.
    Inventor: Katsuya Shimamura
  • Patent number: 8978102
    Abstract: Methods, devices, and systems are disclosed for simulating a large, realistic computer network. Virtual actors statistically emulate the behaviors of humans using networked devices or responses and automatic functions of networked equipment, and their stochastic actions are queued in buffer pools by a behavioral engine. An abstract machine engine creates the minimal interfaces needed for each actor, and the interfaces then communicate persistently over a network with each other and real and virtual network resources to form realistic network traffic. The network can respond to outside stimuli, such as a network mapping application, by responding with false views of the network in order to spoof hackers, and the actors can respond by altering a software defined network upon which they operate.
    Type: Grant
    Filed: March 15, 2013
    Date of Patent: March 10, 2015
    Assignee: Shadow Networks, Inc.
    Inventors: Chad O. Hughes, Steven M. Silva
  • Patent number: 8972716
    Abstract: A communication method for a host and a wireless Internet access module, and a data card, are provided so that the host implements wireless Internet access with the wireless Internet access module of a secure digital interface. The method includes simulating each port on a wireless Internet access processing function unit in a wireless Internet access module into a secure digital card partition and reporting the secure digital card partition to a host side; receiving downlink interaction information from the host side encapsulated in a secure digital card interface format, decapsulating the downlink interaction information, and delivering the decapsulated downlink interaction information to a corresponding port; and receiving uplink interaction information reported to the host side from each port, encapsulating the received uplink interaction information in the secure digital card interface format.
    Type: Grant
    Filed: October 24, 2012
    Date of Patent: March 3, 2015
    Assignee: Huawei Device Co., Ltd.
    Inventors: Xiaozhi Fang, Guiying Xue, Lei Lin, Wenchun Jiang, Meiwen Yang, Keqiang Gao
  • Patent number: 8966243
    Abstract: This invention provides a method and system for data encryption and decryption in data transmission through the web. The method includes: a browser sends a cryptographic information acquisition request to a cryptographic information providing equipment; the cryptographic information providing equipment sends cryptographic information back to the browser via an HTTPS channel; the cryptographic information includes a cryptographic algorithm and a cryptographic index; the browser uses the cryptographic algorithm to encrypt the data to be transmitted, and sends the encrypted data and the cryptographic index to the web server via an HTTP channel; the web server obtains the cryptographic algorithm corresponding to the cryptographic index from the cryptographic information providing equipment, then decrypts the encrypted data. Embodiments of the present invention can alleviate the load in the HTTPS channel, and improve the overall performance.
    Type: Grant
    Filed: September 14, 2011
    Date of Patent: February 24, 2015
    Assignee: Tencent Technology (Shenzhen) Company Limited
    Inventors: Qian Yang, Heng Xiao, Tao Yu
  • Patent number: 8966240
    Abstract: Techniques are provided to append packet handling information “in the clear” ahead of security related information in a packet to be routed over a network to optimize wide area network deployments of security-configured equipment. In one form, at a network device that performs connectionless secure communication and network routing of packets, data is received from a source device to be sent through a network to a destination device. Packet handling information is inserted in a packet that is to be used to transport the data. The packet handling information is configured to enable controlled handling of the packet in the network and is inserted in an unprotected portion of the packet. Encrypted payload data is generated from the data received from the source device. The encrypted payload data and security information are inserted in a protected portion of the packet and the packet is sent to the network.
    Type: Grant
    Filed: October 5, 2011
    Date of Patent: February 24, 2015
    Assignee: Cisco Technology, Inc.
    Inventor: Rakesh Chopra
  • Publication number: 20150052347
    Abstract: A data communication security system is disclosed that includes a network interface including a first security module implementing a first security architecture, and a second security module implementing a second security architecture different from the first security architecture. The network interface further includes a file-based application programming interface defining a plurality of attributes of the network interface and including at least one attribute associated with data security managed by one of the first and second security modules. The file-based application programming interface includes at least one attribute from among the plurality of attributes that is associated with selecting between the first or second security modules.
    Type: Application
    Filed: November 11, 2011
    Publication date: February 19, 2015
    Inventor: Michael T. Kain
  • Publication number: 20150052348
    Abstract: A first application at a first device selects one of multiple encapsulation format types based on a cost or bandwidth associated with a network, or associated with a link of the network, connected between the first application at the first device and a second application at a second device. The first application receives, at the first application from Open Systems Interconnection (OSI) layers above an OSI session layer, payload data associated with a session, and generates one or more session layer encapsulated blocks of the payload data using the selected one of the multiple encapsulated format types. The first application encrypts the payload data, and other data of the one or more session layer encapsulated blocks, and passes the encrypted session layer encapsulated block to OSI layers below the session layer for sending to the second application at the second device.
    Type: Application
    Filed: April 30, 2014
    Publication date: February 19, 2015
    Applicant: Verizon Patent and Licensing Inc.
    Inventor: Robert Moskowitz
  • Patent number: 8959304
    Abstract: A data processing apparatus comprises a primary processor, a secondary processor configured to perform secure data processing operations and non-secure data processing operations and a memory configured to store secure data used by the secondary processor when performing the secure data processing operations and configured to store non-secure data used by the secondary processor when performing the non-secure data processing operations, wherein the secure data cannot be accessed by the non-secure data processing operations, wherein the secondary processor comprises a memory management unit configured to administer accesses to the memory from the secondary processor, the memory management unit configured to perform translations between virtual memory addresses used by the secondary processor and physical memory addresses used by the memory, wherein the translations are configured in dependence on a page table base address, the page table base address identifying a storage location in the memory of a set of des
    Type: Grant
    Filed: February 26, 2013
    Date of Patent: February 17, 2015
    Assignee: ARM Limited
    Inventors: Dominic Hugo Symes, Ola Hugosson, Donald Felton, Sean Tristram Ellis
  • Patent number: 8959343
    Abstract: An authentication system, method and device are provided in the present application. The authentication system includes an Application Server (AS) for providing non Internet protocol Multimedia Subsystem (IMS) service, an authentication gateway and an IMS terminal. The AS forwards a connection request message sent by the IMS terminal to said authentication gateway, the authentication gateway sends an obtained first random number to said IMS terminal through the AS, the IMS terminal generates a first Response (RES) value according to the first random number and sends the generated first RES value to the authentication gateway through the AS, and if the received first response value and an obtained Expected Response (XRES) value are found coincident after being compared by the authentication gateway, the authentication gateway determines that the authentication of the IMS terminal is passed, and indicates to the AS to provide non IMS service for the IMS terminal.
    Type: Grant
    Filed: November 26, 2010
    Date of Patent: February 17, 2015
    Assignee: China Mobile Communications Corporation
    Inventors: Lijun Liu, Bo Yang, Xiaoming Lu, Huaxi Peng, Jing Wang
  • Patent number: 8959333
    Abstract: Method for providing a mesh key which can be used to encrypt messages between a first node and a second node of a mesh network, wherein a session key is generated when authenticating the first node in an authentication server, the first node and the authentication server or an authentication proxy server using a predefined key derivation function to derive the mesh key from said session key, which mesh key is transmitted to the second node.
    Type: Grant
    Filed: May 29, 2007
    Date of Patent: February 17, 2015
    Assignee: Nokia Siemens Networks GmbH & Co. KG
    Inventors: Rainer Falk, Florian Kohlmayer
  • Patent number: 8959610
    Abstract: A network media gateway is used to bridge trust between a Service Provider network and subscriber devices. The gateway is authenticated by the Service Provider by using knowledge of network topology. Subscriber devices are authenticated in response to subscriber input to the gateway via an interface. Trusted subscriber devices can be tightly coupled with the Service Provider network, thereby facilitating delivery of QoE. Mobile and remote subscriber devices may also be authenticated. The gateway may also facilitate establishment of VPNs for peer-to-peer communications, and dynamically adjustable traffic, policy and queue weightings based on usage patterns.
    Type: Grant
    Filed: December 26, 2012
    Date of Patent: February 17, 2015
    Assignee: Constellation Technologies LLC.
    Inventors: Hassler Hayes, Nannra Anoop, John Watkins
  • Patent number: 8954740
    Abstract: A server receives identifying information of a user of a client device and data encrypted with a public key of a group, where the encrypted data includes an encrypted session key for secure content. The server determines whether the user is a member of the group using the identifying information of the user. If the user is a member of the group, the server decrypts the encrypted session key using a private key of the group, and causes the client device to obtain a session key to access the secure content.
    Type: Grant
    Filed: October 4, 2010
    Date of Patent: February 10, 2015
    Assignee: Symantec Corporation
    Inventors: Vincent E. Moscaritolo, Damon Cokenias, David Finkelstein
  • Patent number: 8954725
    Abstract: Methods, systems, and computer-readable media are disclosed for packet sanitization. A particular method intercepts a packet of a packet stream, where the packet stream is transmitted in accordance with a particular protocol. The packet is analyzed based on a specification associated with the particular protocol. Based on the analysis, a data value of a field of the packet is replaced with a sanitized data value to create a sanitized packet. The sanitized packet may be injected into the packet stream or may optionally be forwarded to a signature module that checks the sanitized packet for malicious content. When malicious content is found, the sanitized packet may be dropped, the sanitized packet may be logged, the sanitized packet may be redirected, or a notification regarding the sanitized packet may be sent to an administrator.
    Type: Grant
    Filed: May 8, 2009
    Date of Patent: February 10, 2015
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Abhishek Singh, Tanmay A. Ganacharya, Scott Lambert, Nikola J. Livic, Swapnil Bhalode
  • Patent number: 8953781
    Abstract: An apparatus and method for ciphering uplink data in a mobile communication system are provided. The apparatus includes a Radio Network Controller (RNC) for, when receiving a Radio Bearer Setup Complete after a ciphering activation time, determining a Hyper Frame Number (HFN) value of a User Equipment (UE) and changing an HFN value of the RNC to the same HFN value determined of the UE.
    Type: Grant
    Filed: February 9, 2010
    Date of Patent: February 10, 2015
    Assignee: Samsung Electronics Co., Ltd.
    Inventor: Hyo-Joon Kim
  • Patent number: 8954726
    Abstract: A digital security bubble encapsulation is disclosed. A first key and a device identifier of at least one recipient is requested from a first server. A message containing one or more components is encrypted using a second key. The second key is encrypted using the first key. The encrypted message, the encrypted second key, and the device identifier are encapsulated in a digital security bubble encapsulation. The digital security bubble encapsulation is transmitted to a second server.
    Type: Grant
    Filed: November 25, 2013
    Date of Patent: February 10, 2015
    Assignee: Wickr Inc.
    Inventors: Robert Statica, Kara Lynn Coppa, Christopher A. Howell
  • Publication number: 20150039881
    Abstract: A process of triggering an Internet packet protocol against malware includes providing protocol trigger mechanisms configured to affect network access and data object access against malware, denial of service attacks, and distributed denial of service attacks. A multi-level security system is established with a cryptographically secure network channel, or another equivalent encrypted channel, and a second object of an encrypted document or data message that uses the secure network channel. The equivalent encrypted channel can be a Virtual Private Network tunnel (VPN) including MPPE/PPTP/CIPE/Open VPN, Secure Socket Layer (SSL), or IPSec tunnel.
    Type: Application
    Filed: August 5, 2014
    Publication date: February 5, 2015
    Applicant: TecSec Inc.
    Inventors: Edward M. Scheidt, C. Jay Wack, Ronald C. Parsons, Wai Tsang
  • Patent number: 8949591
    Abstract: The present invention is directed towards systems and methods for split proxying Secure Socket Layer (SSL) communications via intermediaries deployed between a client and a server. The method includes establishing, by a server-side intermediary, a SSL session with a server. A client-side intermediary may establish a second SSL session with a client using SSL configuration information received from the server-side intermediary. Both intermediaries may communicate via a third SSL session. The server-side intermediary may decrypt data received from the server using the first SSL session's session key. The server-side intermediary may transmit to the client-side intermediary, via the third SSL session, data encrypted using the third SSL session's session key. The client-side intermediary may decrypt the encrypted data using the third SSL session's session key. The client-side intermediary may transmit to the client the data encrypted using the second SSL session's session key.
    Type: Grant
    Filed: September 16, 2013
    Date of Patent: February 3, 2015
    Assignee: Citrix Systems, Inc.
    Inventor: Michael Ovsiannikov
  • Patent number: 8948393
    Abstract: Techniques for sending information without interruption during a change in ciphering configuration are described. A user equipment (UE) communicates with a wireless communication network for a call. The UE sends first information to the wireless network using a first ciphering configuration. For a change in ciphering configuration, the UE selects an activation time for a second ciphering configuration and sends a security message with the activation time. This activation time is the time at which the UE applies the second ciphering configuration to transmission sent to the wireless network. The UE thereafter sends second information (e.g., a measurement report message) using the first ciphering configuration after sending the security message and before the activation time. The UE sends third information using the second ciphering configuration after the activation time.
    Type: Grant
    Filed: March 29, 2007
    Date of Patent: February 3, 2015
    Assignee: QUALCOMM Incorporated
    Inventors: Shailesh Maheshwari, Kiran Chikkappa, Vivek Ramachandran
  • Patent number: 8949592
    Abstract: In the present disclosure, a DRM (in this case IPRM) system may be used to deliver media content keys to a player device in a live streaming environment and take advantage of all DRM related functionalities that come with it, such as proximity control, copy protection enforcement and rights verification. A playlist may be used to deliver a key identifier for encrypted live streaming content.
    Type: Grant
    Filed: March 23, 2012
    Date of Patent: February 3, 2015
    Assignee: Google Technology Holdings
    Inventors: Paul Moroney, Rafie Shamsaasef
  • Patent number: 8949974
    Abstract: A mobile device includes a user interface that has a plurality of non-password-protected desktop screens and at least one password protected desktop screen. The mobile device includes a touch sensitive display device that accepts gestures used to navigate between the desktop screens. Applications may be installed to password protected desktop screens.
    Type: Grant
    Filed: May 11, 2012
    Date of Patent: February 3, 2015
    Assignee: Tyfone, Inc.
    Inventors: Siva G. Narendra, Prabhakar Tadepalli
  • Patent number: 8943306
    Abstract: A content issuer entity designates a transport security level for each of a plurality of electronic certificates and provides the electronic certificates to a first wireless device. A second wireless device establishes a communications link to transfer electronic certificate data associated with one or more electronic certificates stored on the first wireless device to the second wireless device via a wireless transaction and determines, for each stored electronic certificate, a transport security level previously designated at the content issuer entity. At the first wireless device, a highest transport security level is determined from among the respective transport security levels associated with the stored electronic certificates. The electronic certificate data is transferred from the first wireless device to the second wireless device via the communications link in accordance with a security measure that corresponds to the highest determined transport security level.
    Type: Grant
    Filed: December 20, 2011
    Date of Patent: January 27, 2015
    Assignee: Mastercard International Incorporated
    Inventors: Philippe Martin, Mohammad Khan, Jean-Christophe Raynon
  • Patent number: 8943304
    Abstract: Systems and methods are described for using a client agent operating in a virtual private network environment to intercept HTTP communications. Methods include: intercepting at the network layer, by a client agent executing on a client, an HTTP request from an application executing on the client; modifying the HTTP request; and transmitting, via a transport layer connection, the modified HTTP request to a server. Additional methods may comprise adding, removing, or modifying at least one cookie in the HTTP request. Still other methods may comprise modifying at least one name-value pair contained in the HTTP request. Corresponding systems are also described.
    Type: Grant
    Filed: August 3, 2006
    Date of Patent: January 27, 2015
    Assignee: Citrix Systems, Inc.
    Inventors: Junxiao He, Charu Venkatraman, Ajay Soni
  • Patent number: 8943305
    Abstract: A system and method for providing a variety of medium access and power management methods are disclosed. A defined frame structure allows a hub and a node to use said methods for secured or unsecured communications with each other. Contended access is available during a random access phase. The node uses an alternate doubling of a backoff counter to reduce interference and resolve collisions with other nodes attempting to communicate with the hub in the random access phase. Non-contended access is also available, and the hub may schedule recurring or one-time allocation intervals for the node. The hub and the node may also establish polled and posted allocation intervals on an as-needed basis. The node manages power usage by being in active mode at times during the beacon period when the node is expected to transmit or receive frames.
    Type: Grant
    Filed: January 29, 2010
    Date of Patent: January 27, 2015
    Assignee: Texas Instruments Incorporated
    Inventor: Jin-Meng Ho
  • Publication number: 20150026453
    Abstract: A network device including a security module to establish, in response to the network device being capable of operating in multiple frequency bands, and in response to the network device operating in a first frequency band, security for the first frequency band and a second frequency band by performing a single authentication in the first frequency band prior to the network device switching operation from the first frequency band to the second frequency band. A session transfer module to transfer, subsequent to the network device switching operation from the first frequency band to the second frequency band, a communication session of the network device from the first frequency band to the second frequency band. The communication session resumes in the second frequency band using the security established for the second frequency band during the operation of the network device in the first frequency band.
    Type: Application
    Filed: August 14, 2014
    Publication date: January 22, 2015
    Inventors: Yong Liu, Paul A. Lambert
  • Patent number: 8938773
    Abstract: Systems and methods for adding context to prevent data leakage over a computer network are disclosed. Data is classified and contextual information of the data is determined. A transmission policy is determined in response to the classification and contextual information. The data is either transmitted or blocked in response to the classification and the contextual information.
    Type: Grant
    Filed: January 30, 2008
    Date of Patent: January 20, 2015
    Assignee: Websense, Inc.
    Inventor: Daniel Lyle Hubbard
  • Patent number: 8934633
    Abstract: High-security communications against information leakage as well as high-speed communications are realized using present optical fiber networks. The methods are as follows: (1) A seed key is shared between a transmitter and a receiver in advance. Random numbers are transmitted using carrier light accompanied by fluctuations and bases that are decided by random numbers. The transmitter and receiver compare a shared basis that is determined by the seed key with the random basis, and decompose the random numbers superimposed on each bit into two sequences, based on whether the shared basis coincides with the random basis or not. Error correction is processed for each sequence in the receiver, and then the random numbers are shared between the transmitter and the receiver. (2) The amount of the random numbers shared between the transmitter and the receiver is reduced to secret capacity through privacy amplification, and the resultant random numbers are used as a secret key.
    Type: Grant
    Filed: January 17, 2011
    Date of Patent: January 13, 2015
    Assignee: Hitachi, Ltd.
    Inventor: Tatsuya Tomaru
  • Patent number: 8929548
    Abstract: An apparatus and method for establishing a communication connection between a first party and a second party using a secured communication connection object are provided. With the apparatus and method, a first party generates the secured communication connection object by setting parameters identifying and limiting the use of the secured communication connection object for establishing communication connections with the first party. These parameters are encapsulated with contact information for the first party such that the contact information is encrypted. The resulting secured communication connection object is then transmitted to a second party's communication device.
    Type: Grant
    Filed: October 3, 2008
    Date of Patent: January 6, 2015
    Assignee: International Business Machines Corporation
    Inventors: Herman Rodriguez, Newton James Smith, Jr., Clifford Jay Spinac
  • Patent number: 8931105
    Abstract: The present invention relates to a method for transferring content to a device, the method including the steps of: receiving a request for content from the device; delivering a uniquely identifiable, ephemeral player to the device; and transferring content to the device, for presentation on the device by the player. The invention has particular application to digital rights management in respect of the distribution of audiovisual content such as film and television programs, advertisements and live event broadcasts over communication networks such as the Internet.
    Type: Grant
    Filed: March 3, 2008
    Date of Patent: January 6, 2015
    Assignee: Vividas Technologies Pty. Ltd.
    Inventors: Martin Lipka, Alexander Dubov
  • Patent number: 8931047
    Abstract: A method and apparatus that secures a dynamic virtualized network is described. In an exemplary embodiment, a device learns a current network policy of the dynamic virtualized network, where the dynamic virtualized network is a virtualized layer 2 network that is overlaid on a layer 3 physical network. In addition, the current network policy includes multiple network policy elements, where each of the multiple network policy elements identifies an authorized endpoint in the dynamic virtualized network. Furthermore, the layer 3 physical network includes multiple network access devices. The device further determines a network security policy for the dynamic virtualized network from the current network policy. The network security policy includes one or more second network policy elements that are a different network policy element than one of the multiple network policy elements of the current network policy.
    Type: Grant
    Filed: June 6, 2013
    Date of Patent: January 6, 2015
    Assignee: Stateless Networks, Inc.
    Inventors: Kelly Wanser, Andreas Markos Antonopoulos
  • Patent number: 8931046
    Abstract: A method and apparatus that secures a dynamic virtualized network is described. In an exemplary embodiment, a device learns a current network policy of the dynamic virtualized network, where the dynamic virtualized network is a virtualized layer 2 network that is overlaid on a layer 3 physical network. In addition, the current network policy includes multiple network policy elements, where each of the multiple network policy elements identifies an authorized endpoint in the dynamic virtualized network. Furthermore, the layer 3 physical network includes multiple network access devices. The device further determines a network security policy for the dynamic virtualized network from the current network policy. The network security policy includes one or more second network policy elements that are a different network policy element than one of the multiple network policy elements of the current network policy.
    Type: Grant
    Filed: March 15, 2013
    Date of Patent: January 6, 2015
    Assignee: Stateless Networks, Inc.
    Inventors: Kelly Wanser, Andreas Markos Antonopoulos
  • Patent number: 8924732
    Abstract: A method of cipher communication for a management frame performed by a station in a wireless local area network system is provided. The method includes obtaining a first pseudonoise code sequence (PN) for a plaintext Medium Access Control (MAC) protocol data unit (MPDU), constructing additional authentication data (AAD) by using fields in a header of the plaintext MPDU, constructing a Nonce value from the PN, an Address 2 and a Priority field in the header of the plaintext MPDU, generating an encrypted MPDU from the plaintext MPDU by using a temporal key, the AAD, and the Nonce value, and transmitting the encrypted MPDU to a peer station, wherein the plaintext MPDU is a management frame including a sequence number field, the sequence number field including an access category field indicating the category of data included in the plaintext MPDU, and the Nonce value includes a priority field matched with the access category field.
    Type: Grant
    Filed: September 9, 2011
    Date of Patent: December 30, 2014
    Assignee: LG Electronics Inc.
    Inventors: Eun Sun Kim, Yong Ho Seok
  • Patent number: 8924709
    Abstract: A method for encrypting print jobs that includes receiving output data, encrypting the output data with a randomly-generated symmetric session key, generating a session key header by encrypting the randomly-generated symmetric session key using an asymmetric user public key, and encrypting the session key header using a server public key.
    Type: Grant
    Filed: December 31, 2012
    Date of Patent: December 30, 2014
    Assignee: Lexmark International, Inc.
    Inventors: Forrest Steely, Albert Tyler Barnett
  • Patent number: 8925042
    Abstract: An intermediary device may be used to connect a telecommunications device to an existing secure network that is accessed by a computing device. The intermediary device may simplify connections to the secure network by connecting to the secure network without setting up a new connection to the secure network. The telecommunications device may connect to the computing device, via the intermediary device, using a secondary network, which enables the telecommunications device to access the secure network through the computing device. In some instances, the computing device may operate to bridge a connection with the telecommunications device and perform some or all of the functions of the intermediary device.
    Type: Grant
    Filed: April 28, 2011
    Date of Patent: December 30, 2014
    Assignee: T-Mobile USA, Inc.
    Inventors: Mark Drovdahl, Paulo Chow, Sinclair M. Temple
  • Publication number: 20140380038
    Abstract: An IPSec front-end may be configured to encrypt, decrypt and authenticate packets on behalf of a host on an insecure network and a peer on a secure network. For example, the IPSec front-end may receive internet protocol (IP) packets from the host and encrypt the data and format the data as an internet protocol security (IPsec) packet for transmission to the peer. When the peer responds with an IPSec packet, the IPSec front-end may decrypt the data and format the data as an IP packet. The IPSec front-end may be software executing on a Linux server.
    Type: Application
    Filed: June 19, 2013
    Publication date: December 25, 2014
    Applicant: Unisys Corporation
    Inventors: William O. Wilson, Barry C. Andersen, John A. Christensen
  • Patent number: 8918631
    Abstract: In one embodiment, a method includes receiving a first identifier and a private key after a network device has been included in a data center switch fabric control plane, authenticating the network device based on the private key, sending a second identifier to the network device, and sending a control signal to the network device based on the second identifier. The first identifier is associated with the network device and unique within a segment of the data center switch fabric control plane. The second identifier is unique within the segment of the data center switch fabric control plane.
    Type: Grant
    Filed: March 31, 2009
    Date of Patent: December 23, 2014
    Assignee: Juniper Networks, Inc.
    Inventors: Jainendra Kumar, Vineet Dixit, Prabhu Seshachellum
  • Publication number: 20140372747
    Abstract: An approach for reutilizing transport layer security (TLS) connections among separate applications is provided. In one aspect, a computing system establishes a transmission control program/Internet protocol (TCP/IP) connection between a first application of a first endpoint and a second application on a second endpoint. The computing system further performs a TLS handshake over the established TCP/IP connection. The computing system also transmits a request from a third application of the second endpoint to transfer a TLS context from the second application on the second endpoint. In response to the second application on the second endpoint accepting the transfer request, the second application utilizes, via the one or more computer processors, a predetermined method of providing a TLS context to the third application, wherein the third application of the second endpoint and the first application of the first endpoint communicate securely.
    Type: Application
    Filed: June 12, 2013
    Publication date: December 18, 2014
    Inventors: Caspar G.J. Krieger, Billy Joe Soper, Kenichi Yoshimura
  • Patent number: 8913748
    Abstract: An expanded sequence number is added to PDUs in a Bluetooth® low energy system. The expanded sequence number provides more accurate identification of the PDUs and allows the system to avoid delaying transmission of PDUs while retransmitting other PDUs. A PDU security sequence number may also be added to the PDUs. The security sequence number is used to create a unique nonce for use in encrypting or decrypting and authenticating the PDU. Using the security sequence number, a failed connection can be reestablished between two devices without the need of generating an encryption key. The security sequence number allows the devices to perform encryption or decryption and authentication using an existing key and a nonce generated from the security sequence number.
    Type: Grant
    Filed: July 3, 2012
    Date of Patent: December 16, 2014
    Assignee: Texas Instruments Incorporated
    Inventors: Jin-Meng Ho, Ariton E. Xhafa, Gangadhar Burra
  • Patent number: 8914631
    Abstract: A packet processing type determiner includes a non-secure packet processing module configured to process packets received over a single socket using a non-secure protocol. The packet processing type determiner also includes a data indicator checking module configured to check the packets for a first indicator denoting a beginning of a secure data record. The packet processing type determiner further includes a secure packet processing module configured to use a secure protocol to process the packets when a packet with the first indicator is detected until a packet with a second indicator denoting an end of the secure data record is detected.
    Type: Grant
    Filed: July 1, 2009
    Date of Patent: December 16, 2014
    Assignee: Oracle International Corporation
    Inventor: Amitabh Shukla
  • Publication number: 20140365759
    Abstract: A Dynamic Adaptive Streaming over Hypertext Transport Protocol (DASH) server component is disclosed. The DASH server component may comprise a memory, a processor coupled to the memory, and a transmitter coupled to the processor. The processor may be configured to generate one or more keys containing content protection information for media content, associate the keys with one or more segments of media content, store the keys in a DASH metadata track in the memory, and generate a media presentation description (MPD) specifying an association between the keys and the segments of media content. The transmitter may be configured to transmit the keys to at least one client independently of transmitting the media content and transmit the MPD to the at least one client.
    Type: Application
    Filed: June 6, 2014
    Publication date: December 11, 2014
    Inventors: Xin Wang, Yongliang Liu, Shaobo Zhang
  • Publication number: 20140365760
    Abstract: Communication equipment includes a communication device (112) and a user interface device (101), e.g. a remote speaker-microphone, interconnected via a short-range data link. The user interface device includes a user interface (102) for receiving commands from a user. The user interface device includes a processor (104) for generating event data in accordance with the commands and for combining the event data with a digital data stream whose information is to be transmitted. The processor encrypts the result in accordance with cryptographic control data accessible to the processor. The encrypted digital data stream is delivered to a transceiver of the user interface device in order to transmit it to the communication device. As the encryption is carried out by the processor in accordance with the cryptographic control data, the transceiver does not need to provide cryptographic functionality and the communication equipment can flexibly support different cryptographic algorithms.
    Type: Application
    Filed: November 1, 2011
    Publication date: December 11, 2014
    Inventor: Pasi Auranen
  • Patent number: 8909260
    Abstract: A method includes transmitting a paging indicator indicating to user equipment assigned to one or more groups that the user equipment are to attempt to receive paging messages including paging information targeted to at least one of the one or more groups; and transmitting in a channel the paging information in the paging messages. Another method includes receiving a paging indicator indicating a user equipment is to attempt to receive paging messages including paging information targeted to at least one of one or more groups; and receiving from a channel the paging information in the paging messages. A method includes sending a request message to user equipment assigned to one or more groups, the request message comprising an indication to cause the user equipment to read device trigger information in a system broadcast message; and sending the device trigger information in the system broadcast message.
    Type: Grant
    Filed: May 15, 2014
    Date of Patent: December 9, 2014
    Assignee: Nokia Siemens Networks Oy
    Inventors: Devaki Chandramouli, Guillaume Decarreau, Henri M. Koskinen, Lei Du, Woonhee Hwang, Xiao Tang Xie
  • Patent number: 8909967
    Abstract: A technique for secure computation obfuscates program execution such that observers cannot detect what instructions are being run at any given time. Rather, program execution and memory access patterns are made to appear uniform. A processor operates based on encrypted inputs and produces encrypted outputs. In various examples, obfuscation is achieved by exercising computational circuits in a similar way for a wide range of instructions, such that all such instructions, regardless of their operational differences, affect the processor's power dissipation and processing time substantially uniformly. Obfuscation is further achieved by limiting memory accesses to predetermined time intervals, with memory interface circuits exercised regardless of whether a running program requires a memory access or not. The resulting processor thus reduces leakage of any meaningful information relating to the program or its inputs, which could otherwise be detectable to observers.
    Type: Grant
    Filed: December 31, 2012
    Date of Patent: December 9, 2014
    Assignee: EMC Corporation
    Inventor: Marten van Dijk
  • Patent number: 8898734
    Abstract: A security policy database identifies the intended security policies within a network, a traffic generator provides test traffic that is configured to test each defined security policy, and a simulator simulates the propagation of this traffic on a model of the network. The model of the network includes the configuration data associated with each device, and thus, if devices are properly configured to enforce the intended security policies, the success/failure of the simulated test traffic will conform to the intended permit/deny policy of each connection. Differences between the simulated message propagation and the intended security policies are reported to the user, and diagnostic tools are provided to facilitate identification of the device configuration data that accounts for the observed difference. Additionally, if a network's current security policy is unknown, test traffic is generated to reveal the actual policy in effect, to construct a baseline intended security policy.
    Type: Grant
    Filed: August 16, 2006
    Date of Patent: November 25, 2014
    Assignee: Riverbed Technology, Inc.
    Inventors: Pradeep K. Singh, Ankit Agarwal, Alain J. Cohen, Venuprakash Barathan, Vinod Jeyachandran
  • Patent number: 8898451
    Abstract: A method for efficiently decrypting asymmetric SSL pre-master keys is divided into a key agent component that runs in user mode, and an SSL driver running in kernel mode. The key agent can take advantage of multiple threads for decoding keys in a multi-processor environment, while the SSL driver handles the task of symmetric decryption of the SSL encrypted data stream. The method is of advantage in applications such as firewalls with deep packet inspection in which all encrypted data traffic passing through the firewall must be decrypted for inspection.
    Type: Grant
    Filed: August 21, 2013
    Date of Patent: November 25, 2014
    Assignee: Trend Micro Incorporated
    Inventors: Dale Sabo, Gerrard Eric Rosenquist
  • Patent number: 8897448
    Abstract: The present invention employs in-band signaling between PTEs to provision and control session keys, which are used by the PTEs for encrypting and decrypting traffic that is carried from one PTE to another over a transport network. In operation, a first PTE will receive incoming traffic from a first edge network, map the traffic to frames, encrypt the traffic with a session key, and send the frames with the encrypted traffic over the transport network to a second PTE. The second PTE will extract the encrypted traffic from the frames, decrypt the encrypted traffic with a session key, and send the recovered traffic over a second edge network toward an intended destination. If symmetric encryption is employed, the session key used by the first PTE to encrypt the traffic will be identical to the session key used by the second PTE to decrypt the traffic.
    Type: Grant
    Filed: October 31, 2008
    Date of Patent: November 25, 2014
    Assignee: Ciena Corporation
    Inventors: Xiaoqing Hu, Frederic F. Simard
  • Patent number: 8898471
    Abstract: A method for generating and delivering a message via a web service is provided. A message for a recipient is converted to a URL and sent. A request is received from a sender to send a message to a recipient. A URL message is created in response to receiving the request to send the message to the recipient and the URL message is sent to the recipient. A URL message response is received from the recipient and a landing message is sent to the recipient in response to receiving the URL message response. The landing message includes a hint requesting an answer from the recipient. An answer is received from the recipient and the message is displayed to the recipient in response to receiving the answer.
    Type: Grant
    Filed: November 13, 2012
    Date of Patent: November 25, 2014
    Assignee: Unsene, Inc.
    Inventors: Christopher A. Kitze, Vinh H. Vo
  • Patent number: 8892885
    Abstract: A system and method for authenticating a user that includes receiving an access-request of a network protocol at a challenge-response server; determining if an access-challenge message is required; delivering an active script component through a parameter of an access-challenge message of the network protocol when an access-challenge is required; receiving a challenge-response of a user; validating the challenge-response; and selectively sending an access-accept response for a valid challenge-response and sending an access-denied response for an invalid challenge-response.
    Type: Grant
    Filed: August 31, 2012
    Date of Patent: November 18, 2014
    Assignee: Duo Security, Inc.
    Inventors: Jon Oberheide, Douglas Song, Adam Goodman
  • Patent number: 8892877
    Abstract: A method and a device are provided for accessing data files of a secure file server, wherein a user or a process is authenticated; wherein access to the data files of the secure file server takes place by way of an encryption module of the secure file server; wherein the encryption module comprises an encryption agreement of a centralized security application; and wherein the access of the authenticated user or process to the secure file server takes place by way of an encrypted protocol taking into consideration the encryption agreement. Such a device may be included in a corresponding computer network.
    Type: Grant
    Filed: May 17, 2012
    Date of Patent: November 18, 2014
    Assignee: Bayerische Motoren Werke Aktiengesellschaft
    Inventor: Sirko Molau
  • Patent number: 8892695
    Abstract: In a first embodiment of the present invention, a method for operating a user agent on a first device is provided, comprising: discovering, using a home networking protocol, a second device, wherein the second device includes a user input mechanism; retrieving information regarding the user input mechanism from the second device using the home networking protocol; determining whether to accept the connection based on the information regarding the user input mechanism; when it is determined to accept the connection, negotiating an out-of-band connection in a protocol other than the home networking protocol with the second device; receiving input command events from the second device via the out-of-band connection; and executing the input command events at the user agent to control an aspect of the first device.
    Type: Grant
    Filed: September 26, 2011
    Date of Patent: November 18, 2014
    Assignee: Samsung Electronics Co., Ltd.
    Inventor: Russell A. Berkoff