Packet Header Designating Cryptographically Protected Data Patents (Class 713/160)
-
Patent number: 9398004
Abstract: The invention relates to a method for reading at least one attribute stored in an ID token, wherein the ID token is assigned to a user, comprising the following steps: authenticating the user with respect to the ID token, authenticating a first computer system with respect to the ID token, and, after successful authentication of the user and the first computer system with respect to the ID token, read access by the first computer system to the at least one attribute stored in the ID token for transfer of the at least one attribute to a second computer system.
Type: Grant
Filed: April 23, 2015
Date of Patent: July 19, 2016
Assignee: BUNDESDRUCKEREI GmbH
Inventors: Frank Dietrich, Frank Byszio, Manfred Paeschke
-
Patent number: 9391969
Abstract: A system includes a remote authentication dial in user service (RADIUS) server in communication with a network access server. The network access server provides an authentication request to the RADIUS server. The authentication request includes at least a user identifier and a device identifier. The RADIUS server determines an authentication format utilized by the network access server based on the received authentication request. The system may also determine an authorization level to provide with an authentication response.
Type: Grant
Filed: January 6, 2014
Date of Patent: July 12, 2016
Assignee: Verizon Patent and Licensing Inc.
Inventors: Jeffrey W. Hughes, Andrew L. Bates, Jared M. Allison
-
Patent number: 9384362
Abstract: Secrets data representing one or more secrets required to access associated resources is provided along with secrets distribution policy data representing one or more secrets distribution factors used to control the distribution of the secrets. When a requesting virtual asset submits secrets request data, virtual asset profile data associated with the requesting virtual asset is obtained. The requesting virtual asset profile data is then analyzed using at least one of the secrets distribution factors to authenticate the requesting virtual asset. The requesting virtual asset profile data is then analyzed using one or more of the secrets distribution factors to determine what secrets the requesting virtual asset legitimately needs. Authorized secrets data for the requesting virtual asset representing one or more authorized secrets is then generated. The requesting virtual asset is then provided access to the authorized secrets data.
Type: Grant
Filed: October 14, 2013
Date of Patent: July 5, 2016
Assignee: Intuit Inc.
Inventors: Luis Felipe Cabrera, M. Shannon Lietz, James Armitage, Oleg Gryb, Elangovan Shanmugam, Sabu Kuruvila Philip, Brett Weaver, Thomas Bishop, Troy Otillio, Jinglei Whitehouse, Jeffrey M. Wolfe, Ankur Jain
-
Patent number: 9356718
Abstract: A terminal and method for receiving a broadcast service by the terminal in a broadcast system are provided. The method includes performing a registration procedure for subscription and reception of the broadcast service through a Browser And Content Mobile Broadcast (BSCAST) Subscription Management (BSM) responsible for managing subscription information; receiving a Long Term Key Message (LTKM), including key information for encryption of the broadcast service, generated from the BSM; receiving a completed Short Term Key Message (STKM), the completed STKM being generated by performing Message Authentication Code (MAC) processing on a partially created STKM; receiving, from a Broadcast Service Distribution/Adaptation (BSD/A) which is responsible for transmitting the broadcast service, an encrypted broadcast service which is encrypted by a Traffic Encryption Key (TEK) for deciphering the broadcast service; and deciphering the encrypted broadcast service by the TEK obtained using the LTKM and the completed STKM.
Type: Grant
Filed: March 16, 2012
Date of Patent: May 31, 2016
Assignee: Samsung Electronics Co., Ltd
Inventors: Byung-Rae Lee, Sung-Oh Hwang, Kook-Heui Lee
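The key hierarchy the abstract above walks through (LTKM carrying the long-term service key, an STKM that wraps the TEK under it and is completed with a MAC, and broadcast segments encrypted under the TEK) is easier to follow as a three-party exchange. The following is an added illustration, not Samsung's code and not the OMA BCAST wire format: the message layouts, the BSM/Terminal class names, the SHAKE256 keystream standing in for the stream cipher, and HMAC-SHA-256 as the MAC are all assumptions made here. The point it shows is the order of operations on the terminal: verify the STKM's MAC before unwrapping anything, so that a tampered STKM or one issued under a different LTKM never yields a usable TEK.

```python
"""BSM -> terminal -> BSD/A key hierarchy sketch (added example, constructed layouts)."""
import hashlib
import hmac
import secrets


def _stream_xor(key, label, data):
    """Toy stream cipher stand-in: SHAKE256(key || label) keystream XORed over data."""
    ks = hashlib.shake_256(key + label).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


def _mac_key(service_key):
    """Separate MAC key derived from the service key (assumed derivation)."""
    return hashlib.sha256(b"stkm-mac" + service_key).digest()


class BSM:
    """Subscription manager: owns the long-term service key, issues LTKM and STKMs."""

    def __init__(self):
        self.service_key = secrets.token_bytes(32)

    def ltkm(self):
        """Registration step: the LTKM hands the service key to a subscribed terminal."""
        return self.service_key

    def stkm(self, tek, tek_id):
        """Partial STKM = tek_id || TEK wrapped under the service key; completed by appending a MAC."""
        tid = tek_id.to_bytes(4, "big")
        partial = tid + _stream_xor(self.service_key, b"wrap" + tid, tek)
        return partial + hmac.new(_mac_key(self.service_key), partial, hashlib.sha256).digest()


def bsda_encrypt(tek, seq, plaintext):
    """BSD/A side: one broadcast segment (sequence number || body encrypted under the TEK)."""
    s = seq.to_bytes(4, "big")
    return s + _stream_xor(tek, b"traffic" + s, plaintext)


class Terminal:
    def __init__(self, ltkm):
        self.service_key = ltkm

    def tek_from_stkm(self, stkm):
        """Check the MAC first, then unwrap the TEK; a wrong LTKM or a tampered STKM is rejected."""
        partial, tag = stkm[:-32], stkm[-32:]
        expected = hmac.new(_mac_key(self.service_key), partial, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            raise ValueError("STKM MAC verification failed")
        tid, wrapped = partial[:4], partial[4:]
        return _stream_xor(self.service_key, b"wrap" + tid, wrapped)

    def decipher(self, tek, segment):
        """Decrypt a broadcast segment with the TEK recovered from the STKM."""
        s, body = segment[:4], segment[4:]
        return _stream_xor(tek, b"traffic" + s, body)
```

Because the MAC key is bound to the service key, a terminal that was never issued the LTKM fails the MAC check rather than decrypting the wrapped TEK into garbage and then silently producing unusable content.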
-
Patent number: 9338135
Abstract: Some demonstrative embodiments include devices, systems and/or methods of maintaining connectivity over a Virtual-Private-Network (VPN). For example, a system may include a server to communicate with at least one computing device via a VPN tunnel, to receive from the computing device a mode indication indicating that the computing device is in a standby mode, to receive from at least one application server one or more packets intended for the computing device when the computing device is in the standby mode, based on at least one filtering criterion, to detect at least one targeted packet to be provided to the computing device, and to transfer the targeted packet to the computing device via the VPN tunnel.
Type: Grant
Filed: September 30, 2011
Date of Patent: May 10, 2016
Assignee: INTEL CORPORATION
Inventors: Gideon Prat, Uri Kahana
-
Patent number: 9300766
Abstract: Methods for re-anchoring a transport layer session in a communication network are disclosed. For example, a method receives a request to re-anchor a transport layer session and sends a packet notifying of a transport layer session re-anchor to a peer. The packet includes a header with a session identifier field, and a record type field that indicates that a payload of the packet comprises transport layer session re-anchor information. The method then receives a confirmation of the transport layer session re-anchor notification. Another method receives a packet comprising a notification of a transport layer session re-anchor from a peer. The packet includes a header with a session identifier field, and a record type field that indicates that a payload of the packet comprises transport layer session re-anchor information. The method then updates a session management table and transmits packets to the peer using an updated address received in the notification of the transport layer session re-anchor.
Type: Grant
Filed: July 31, 2012
Date of Patent: March 29, 2016
Assignee: AT&T Intellectual Property I, L.P.
Inventors: David B. Small, Thomas Spencer, IV
-
Patent number: 9294506
Abstract: A method and corresponding apparatus are provided to security encapsulate an original IP datagram received from a network. It is first determined whether an IP payload of the original IP datagram is a TCP segment, UDP datagram or packet of another type of network protocol. Based on this determination, a portion of the IP payload is encrypted resulting in an encrypted payload. A security encapsulated IP packet is then formed with source IP address, destination IP address, and IP protocol field from the original IP datagram, and the encrypted payload. The security encapsulated IP packet is then provided to the network.
Type: Grant
Filed: May 17, 2011
Date of Patent: March 22, 2016
Assignee: Certes Networks, Inc.
Inventor: Troy Swartz
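The abstract above describes an encapsulation that keeps the IP header (and, by implication, the transport header that identifies the flow) in the clear and encrypts only the rest of the payload, choosing the cut point by protocol. The following is an added illustration, not Certes Networks' implementation: the IPv4, TCP and UDP header parsing is standard, but the cipher (a SHAKE256 keystream keyed by a per-flow key and the IP identification field), the function names, and the sample datagrams are all constructed here. For protocols other than TCP and UDP the whole IP payload is encrypted, as the abstract's "packet of another type" branch implies.

```python
"""Protocol-aware partial payload encryption for IPv4 datagrams (added example)."""
import hashlib
import struct

TCP, UDP = 6, 17


def transport_header_len(proto, payload):
    """Bytes of transport header to leave in the clear; 0 means the whole payload is encrypted."""
    if proto == TCP and len(payload) >= 20:
        return (payload[12] >> 4) * 4   # TCP data offset, in 32-bit words
    if proto == UDP and len(payload) >= 8:
        return 8                        # UDP header is fixed size
    return 0


def security_encapsulate(key, datagram):
    """Return a datagram of identical length: IP header, transport header and any trailing bytes verbatim."""
    if len(datagram) < 20 or datagram[0] >> 4 != 4:
        raise ValueError("not an IPv4 datagram")
    ihl = (datagram[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", datagram, 2)[0]
    proto = datagram[9]
    if ihl < 20 or total_len < ihl or total_len > len(datagram):
        raise ValueError("inconsistent IPv4 length fields")
    payload = datagram[ihl:total_len]
    clear = transport_header_len(proto, payload)
    # Stand-in cipher (assumption): keystream from the flow key and the 16-bit IP identification.
    ks = hashlib.shake_256(key + datagram[4:6]).digest(len(payload) - clear)
    enc = bytes(a ^ b for a, b in zip(payload[clear:], ks))
    # The transport checksum still covers the plaintext, so it only validates after decapsulation.
    return datagram[:ihl] + payload[:clear] + enc + datagram[total_len:]


security_decapsulate = security_encapsulate   # XOR with the same keystream undoes it


def build_ipv4(src, dst, proto, payload, ip_id=0x1234):
    """Constructed sample datagram: minimal 20-byte IPv4 header, checksum left zero."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ip_id, 0, 64, proto, 0, src, dst)
    return hdr + payload


def tcp_header(sport, dport):
    """Constructed minimal 20-byte TCP header: data offset 5, PSH|ACK, checksum zero."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
```

Two caveats a practitioner would check before using this shape in anger: the keystream here is derived from the 16-bit IP identification field, which wraps quickly, so a real design needs a per-packet value that never repeats under one key; and nothing above authenticates the packet, so the encrypted portion must additionally carry a MAC or be moved to an AEAD construction.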
-
Patent number: 9294454
Abstract: To make a trusted web service call, a client application sends a series of messages to obtain tokens that allow service requests to pass through a service relay. The user obtains a first security token by providing the user's credentials. A second token is obtained from a trust broker that validates the first token. Both tokens are then sent with a service request to a service relay. The service relay validates the second token and then passes the first token and the service request to a connector service. The connector service validates the first token and passes the service request to a target back end service. The connector service acts as the user when communicating with the back end service. Service responses are routed back to the user through the connector service and the service relay.
Type: Grant
Filed: May 13, 2013
Date of Patent: March 22, 2016
Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
Inventors: Kyle Stapley Young, Robert Aron Drollinger, Robert O'Brien, David J. Runde, Jagruti Dushyant Pandya, Georges El Khoury
-
Patent number: 9286487
Abstract: This method comprises the steps of:
- choosing (1) a security parameter n,
- segmenting (2) the file in n chunks S1, . . . , Sn,
- randomly choosing (3) n² coefficients aij for i=1, . . . , n and j=1, . . . , n,
- verifying (3) that the vectors ai1, . . . , ain, for i=1, . . . , n, are linearly independent, otherwise generating the coefficients again,
- computing (4) n linear combinations Ci = ai1·S1 + . . . + aij·Sj + . . . + ain·Sn, for i=1, . . . , n,
- choosing (5) n storage service providers O1, . . . , On among said plurality of storage service providers,
- generating (6a; 6b; 6c) n file identifiers ID′1, . . . , ID′n designating said file (F),
- storing (6a; 6b; 6c) the combination Ci at the storage service provider Oi in association with the file identifier ID′i, for i=1, . . . , n,
- storing the file identifier ID′i and the provider identifier Oi, for i=1, . . . , n, in a file descriptor corresponding to the file (F), this file descriptor being stored in a local memory (LM),
- storing the set of coefficients ai,1, . . .
Type: Grant
Filed: April 18, 2013
Date of Patent: March 15, 2016
Assignee: Alcatel Lucent
Inventors: Abdullatif Shikfa, Serge Papillon
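Steps (1) to (4) above, and the reconstruction they imply, worked through over a concrete field. This is an added illustration, not Alcatel Lucent's code: the abstract does not say which field the coefficients live in, so the example assumes the prime field GF(257) (every byte is a field element; each combined symbol is stored as two bytes), and the function names, the Gauss-Jordan routine used both for the linear-independence check of step (3) and for inversion, and the sample input are all constructed here.

```python
"""Dispersal of a file as n random linear combinations of its n chunks (added example)."""
import secrets

P = 257  # prime modulus: every byte 0..255 is a field element; stored symbols need two bytes


def _gauss_jordan(matrix):
    """Reduce [A | I] over GF(P). Returns A^-1, or None if the rows are linearly dependent."""
    n = len(matrix)
    aug = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(matrix)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if aug[r][col]), None)
        if pivot is None:
            return None
        aug[col], aug[pivot] = aug[pivot], aug[col]
        inv = pow(aug[col][col], P - 2, P)
        aug[col] = [(x * inv) % P for x in aug[col]]
        for r in range(n):
            if r != col and aug[r][col]:
                f = aug[r][col]
                aug[r] = [(x - f * y) % P for x, y in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]


def random_invertible_matrix(n):
    """Step (3): draw n*n random coefficients and retry until the n row vectors are independent."""
    while True:
        a = [[secrets.randbelow(P) for _ in range(n)] for _ in range(n)]
        if _gauss_jordan(a) is not None:
            return a


def disperse(data, n):
    """Steps (1)-(4): pad, split into S_1..S_n, compute C_i = sum_j a_ij * S_j over GF(P).
    C_i is what provider O_i receives; the coefficients stay in the local file descriptor."""
    chunk_len = -(-len(data) // n)                      # ceiling division
    padded = data.ljust(chunk_len * n, b"\0")
    chunks = [padded[i * chunk_len:(i + 1) * chunk_len] for i in range(n)]
    a = random_invertible_matrix(n)
    combos = []
    for row in a:
        symbols = [sum(coef * chunk[k] for coef, chunk in zip(row, chunks)) % P
                   for k in range(chunk_len)]
        combos.append(b"".join(v.to_bytes(2, "big") for v in symbols))
    return a, combos, len(data)


def reassemble(a, combos, length):
    """S = A^-1 * C: needs all n combinations plus the locally held coefficients."""
    n = len(a)
    inv = _gauss_jordan(a)
    sym = [[int.from_bytes(c[k:k + 2], "big") for k in range(0, len(c), 2)] for c in combos]
    out = bytearray()
    for i in range(n):
        for k in range(len(sym[0])):
            out.append(sum(inv[i][j] * sym[j][k] for j in range(n)) % P)
    return bytes(out[:length])
```

Note what this construction is and is not: because the matrix is square and invertible, every one of the n providers must answer before the file can be rebuilt (there is no redundancy), and confidentiality against a provider rests entirely on the coefficients staying in the local descriptor. It is not a threshold secret-sharing scheme.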
-
Patent number: 9282145
Abstract: This disclosure is directed to methods and systems for managing rendering of a web page in a browser. A client operated by a user may execute code within a first fragment of a web page as the first fragment is presented to the user. The code may be injected into the first fragment by an intermediary between the client and a server of the web page. The intermediary may have split the web page into the first fragment and a plurality of fragments, and may have modified a default rendering characteristic for each of the plurality of fragments. Each of the modified rendering characteristics may include a trigger and an action for rendering of a corresponding fragment. The executing code may dynamically detect a trigger for rendering of a second fragment from the plurality of fragments. The executing code may initiate a corresponding action for rendering of the second fragment.
Type: Grant
Filed: January 24, 2014
Date of Patent: March 8, 2016
Assignee: Yottaa Inc.
Inventors: Coach K. Wei, Robert Buffone
-
Patent number: 9258275
Abstract: A method and apparatus for dynamic security insertion into virtualized networks is described. The method may include receiving, at a network device from a second network device, a data packet and application data extracted from the data packet. The method may also include generating a routing decision for a network connection associated with the data packet based, at least in part, on the application data. Furthermore, the method may include transmitting the routing decision for the data packet to the second device for the second device to route the data based on the routing decision.
Type: Grant
Filed: April 11, 2013
Date of Patent: February 9, 2016
Assignee: VARMOUR NETWORKS, INC.
Inventors: Yi Sun, Meng Xu, Jia-Jyi Roger Lian, Choung-Yaw Michael Shieh
-
Patent number: 9231759
Abstract: The invention relates to a method of authenticating a user equipment in a communications network. The method involves sending a message from a network entity to the user equipment. This message includes a set of options for an authentication procedure for authenticating an internet protocol communication over a first interface between the user equipment and the network entity; said options including a "shared key"-based authentication procedure. The method also involves selecting an option from the set. In the event that the "shared-key"-based authentication procedure is selected, a shared secret from a security key established in a generic bootstrapping architecture (GBA) is generated over a second interface between the user equipment and a bootstrapping service function. The shared secret is then used to compute and verify authentication payloads in the key-based authentication procedure for the communication over the first interface.
Type: Grant
Filed: July 2, 2013
Date of Patent: January 5, 2016
Assignee: Core Wireless Licensing S.a.r.l.
Inventors: Tat Keung Chan, Gabor Bajko
-
Patent number: 9191373
Abstract: A premises based multimedia communication system includes a source device that produces multimedia content, a rendering device that presents the multimedia content, and a premises communication network coupling the source device to the rendering device. The system determines a bit error rate of the premises communication network, transfers the multimedia content from the source device to the rendering device, and when the bit error rate exceeds a bit error rate threshold, the system at least partially disables link layer encryption of video frames of the multimedia content transfer. With the link layer operations at least partially disabled, the system can enable, at least partially, content layer encryption operations for the transfer of the multimedia content from the source device to the rendering device.
Type: Grant
Filed: June 26, 2012
Date of Patent: November 17, 2015
Assignee: BROADCOM CORPORATION
Inventors: Sherman (Xuemin) Chen, Stephen Palm, Jeyhan Karaoguz
-
Patent number: 9183413
Abstract: A system and method for controlling a device. Data that was encrypted using a first encryption scheme is decrypted, then re-encrypted using a second encryption scheme. The re-encrypted data is then decrypted.
Type: Grant
Filed: January 7, 2014
Date of Patent: November 10, 2015
Assignee: Infineon Technologies AG
Inventors: Jurijus Cizas, Shrinath Eswarahally, Peter Laackmann, Berndt Gammel, Mark Stafford, Joerg Borchet
-
Patent number: 9161332
Abstract: A wireless communication network system includes a location estimation device comprising a processor and a memory that stores a plurality of instructions which, when executed by the processor, cause the processor to execute: collecting information, for each wireless device in a pair of wireless devices communicating with each other in the wireless communication network, as to the number of occurrences of duplicate reception caused by the data retransmission performed when the reception acknowledgement does not reach the transmitting wireless device; and estimating the location of an interference source of radio waves in the wireless communication network based on the collected information as to the number of occurrences of duplicate reception, such that the interference source is estimated to be closer to the wireless device in the pair with the smaller number of occurrences of duplicate reception than to the other wireless device in the pair.
Type: Grant
Filed: August 18, 2014
Date of Patent: October 13, 2015
Assignee: FUJITSU LIMITED
Inventor: Nami Nagata
-
Patent number: 9154484
Abstract: In one implementation, identity based security features and policies are applied to endpoint devices behind an intermediary device, such as a network address translation device. The access network switch authenticates an endpoint based on a user identity and a credential. A hypertext transfer protocol (HTTP) packet is generated or modified to include the user identity in an inline header. The HTTP packet including the user identity is sent to a policy enforcement device to look up one or more policies for the endpoint. The access switch receives traffic from the policy enforcement device that is filtered according to the user identity. Subsequent TCP connections may also include identity information within the TCP USER_HINT option in a synchronization packet, thus allowing identity propagation for other applications and protocols.
Type: Grant
Filed: February 21, 2013
Date of Patent: October 6, 2015
Assignee: Cisco Technology, Inc.
Inventors: Daniel G. Wing, Srinivas Chivukula, Tirumaleswar Reddy, Prashanth Patil
-
Patent number: 9130992
Abstract: Disclosed is a method for efficient transport of packets between a mobile station and a secure gateway over a wireless local area network for accessing home services. In the method, a first encryption security association is established for transporting first-type packets from the secure gateway to the mobile station, and a second encryption security association is established for transporting first-type packets from the mobile station to the secure gateway. Next, a first null-encryption security association is established for transporting second-type packets from the secure gateway to the mobile station, and a second null-encryption security association is established for transporting second-type packets from the mobile station to the secure gateway. Second-type packets are selected for transport using the second null-encryption security association based on a traffic selector.
Type: Grant
Filed: September 9, 2013
Date of Patent: September 8, 2015
Assignee: QUALCOMM Incorporated
Inventors: Raymond Tah-Sheng Hsu, Arungundram Chandrasekaran Mahendran
-
Patent number: 9124773
Abstract: Systems and methods for providing multimedia content from one process or component to another process or component over an unsecured connection are provided. One embodiment includes obtaining the cryptographic information, extracting the at least partially encrypted video data from the container file to create an elementary bitstream, enciphering the cryptographic information, inserting the cryptographic information in the elementary bitstream, providing the elementary bitstream to a video decoder, extracting the cryptographic information from the elementary bitstream at the video decoder, deciphering the cryptographic information, decrypting the elementary bitstream with the cryptographic information and decoding the elementary bitstream for rendering on a display device using the video decoder.
Type: Grant
Filed: June 16, 2014
Date of Patent: September 1, 2015
Assignee: Sonic IP, Inc.
Inventors: Francis Yee-Dug Chan, Kourosh Soroushian, Andrew Jeffrey Wood
-
Patent number: 9118578
Abstract: An embodiment is a method of managing bandwidth, performed by a computing system. The system receives user-selected connection parameters associated with a subscriber device. The system associates a network identifier of the subscriber device with a group bandwidth policy, based on the user-selected connection parameters. The system stores, in computer-readable storage media, parameters associated with the group bandwidth policy, in association with the network identifier of the subscriber device. The system receives, at a gateway device, network communication data from the subscriber device. The system limits, at the gateway device, bandwidth available to the network communication data, based on the stored parameters associated with the group bandwidth policy.
Type: Grant
Filed: January 17, 2012
Date of Patent: August 25, 2015
Assignee: NOMADIX, INC.
Inventor: Vadim Olshansky
-
Patent number: 9106622
Abstract: A network is disclosed that includes a message originator computer and a message recipient computer, for secure electronic mail delivery. In accordance with the invention, the network includes a message delivery server that can distinguish between real and phantom messages. In operation, the message originator computer waits a random time and then transmits a first encrypted phantom message to the message delivery server. This message is to spoof an eavesdropper into believing that there is a steady stream of messages being sent from the originator computer. However, the message delivery server recognizes the message as a phantom message and discards it. When the message originator computer receives a user request to transmit a real message to the recipient computer, it waits a random time and then encrypts and transmits the real message to the message delivery server. The message delivery server recognizes the message as a real message and forwards the real message to the recipient computer.
Type: Grant
Filed: January 29, 2014
Date of Patent: August 11, 2015
Assignee: AT&T Intellectual Property II, L.P.
Inventors: Joseph Thomas O'Neil, Kenneth H. Rosen
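For the phantom-message scheme above to fool an eavesdropper, real and phantom frames have to be indistinguishable on the wire, which means the real/phantom marker must sit under the encryption, every frame must be the same size, and the timing must not depend on whether there is mail. The following is an added illustration, not AT&T's code: the frame layout (flag, length, body, random fill), the SHAKE256 keystream standing in for the cipher, the HMAC-SHA-256 tag, the DeliveryServer class and the exponential send schedule are all assumptions made here.

```python
"""Fixed-size, authenticated phantom/real frames and the server that sorts them (added example)."""
import hashlib
import hmac
import random
import secrets

FRAME = 1024      # every frame carries exactly this much ciphertext
TAG = 32          # HMAC-SHA-256 tag length
NONCE = 16


def seal(key, real, body=b""):
    """One wire frame: nonce || Enc(flag || len || body || random fill) || MAC."""
    if len(body) > FRAME - 3:
        raise ValueError("message too long for one frame")
    plain = bytes([int(real)]) + len(body).to_bytes(2, "big") + body
    plain += secrets.token_bytes(FRAME - len(plain))     # random fill, never zeros
    nonce = secrets.token_bytes(NONCE)
    ks = hashlib.shake_256(key + nonce).digest(FRAME)     # stand-in stream cipher (assumption)
    ct = bytes(a ^ b for a, b in zip(plain, ks))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key, frame):
    """Verify the tag, decrypt, and return (is_real, body)."""
    nonce, ct, tag = frame[:NONCE], frame[NONCE:-TAG], frame[-TAG:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if len(ct) != FRAME or not hmac.compare_digest(expected, tag):
        raise ValueError("frame rejected")
    ks = hashlib.shake_256(key + nonce).digest(FRAME)
    plain = bytes(a ^ b for a, b in zip(ct, ks))
    n = int.from_bytes(plain[1:3], "big")
    return plain[0] == 1, plain[3:3 + n]


class DeliveryServer:
    """Only the server can open frames; phantoms are dropped, real mail is forwarded."""

    def __init__(self, key):
        self.key = key
        self.forwarded = []      # stands in for delivery to the recipient computer

    def receive(self, frame):
        real, body = unseal(self.key, frame)
        if real:
            self.forwarded.append(body)
        return real


def next_send_delay(rng=random.SystemRandom(), mean_seconds=30.0):
    """Random wait before the next frame, real or phantom; exponential gaps are memoryless."""
    return rng.expovariate(1.0 / mean_seconds)
```

The originator calls next_send_delay() before every frame and, when the delay expires, sends seal(key, True, mail) if a message is queued and seal(key, False) otherwise; because the schedule is drawn the same way in both cases, neither size nor timing leaks which frames carry mail.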
-
Patent number: 9076015
Abstract: Method for accessing a resource in a data-processing environment. The resource includes a set of objects. The data-processing environment is capable of storing in association with at least one object of the resource at least one modified object. The data-processing environment is capable of storing in association with such an object information of degree of elaboration. The method performs the steps of identifying, for each object of the resource to which corresponds at least a modified object, by using the information of degree of elaboration, at least a most elaborate version of said object, and assembling the objects thus identified for them to be displayed in the resource.
Type: Grant
Filed: May 13, 2013
Date of Patent: July 7, 2015
Inventor: Enrico Maim
-
Patent number: 9055039
Abstract: An apparatus for transmitting N packets including a key mixing circuit to generate N groups of encryption seeds, each based upon a predetermined key, a transmitter address, and a predetermined start value for a packet number. A packet number circuit inserts a different one of N values for the packet number into each of the N packets. Each of the N values for the packet number is greater than, or equal to, the predetermined start value for the packet number. An encryption circuit encrypts each of the N packets using the one of the N groups of encryption seeds that was generated based on the value for the packet number in the respective one of the N packets. An output circuit sends the N packets. The encryption circuit generates each of the N groups of encryption seeds before an input circuit receives the respective one of the N packets.
Type: Grant
Filed: January 14, 2014
Date of Patent: June 9, 2015
Assignee: Marvell International LTD.
Inventors: Peter Loc, Rahul Kopikare
-
Publication number: 20150143109
Abstract: A data decryption circuit for decrypting a current encrypted data packet is provided. The current encrypted data packet includes a header and a payload. The data decryption circuit includes an operation unit and a decryption calculation unit. The operation unit generates first data according to the header and a pseudo-random number, second data according to a session key and a constant, and length information and start position information of the payload according to the header. The operation unit generates the first data, the second data, the length information and the start position information by executing a program code. The decryption calculation unit, coupled to the operation unit, generates a decryption key according to the first and second data, retrieves the payload from the current encrypted data packet according to the start position information and the length information, and decrypts the payload by the decryption key.
Type: Application
Filed: November 20, 2014
Publication date: May 21, 2015
Inventors: Yii-Kai Wang, Te-Chuan Wang
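The two entries above (9055039 and 20150143109) are the two halves of one idea: the transmitter mixes a per-packet encryption seed from a key, its address and a packet number it has chosen in advance, so all N seeds exist before the N packets arrive; the receiver re-derives the key from the header alone and uses the header's length field to locate the payload. The following is an added illustration of both sides, not Marvell's or the applicants' design: the 14-byte header layout, HMAC-SHA-256 as the key-mixing function, the SHAKE256 keystream standing in for the cipher, and the Transmitter/Receiver class names are all assumptions made here. It also adds the check the receiver must make for this to be safe, which the abstracts leave implicit: a packet number that does not increase is rejected, since reusing a seed with a stream cipher reuses keystream.

```python
"""Packet-number-keyed seed mixing, precomputed on transmit and re-derived on receive (added example)."""
import hashlib
import hmac
import struct

HDR = struct.Struct("!6s6sH")   # assumed header: transmitter address, 48-bit packet number, payload length


def mix_seed(key, ta, pn):
    """Per-packet encryption seed from (key, TA, PN); HMAC stands in for the key mixing circuit."""
    return hmac.new(key, ta + pn.to_bytes(6, "big"), hashlib.sha256).digest()


def precompute_seeds(key, ta, pn_start, n):
    """Generate the N seeds for PN = start .. start+N-1 before any of the N packets arrive."""
    return [mix_seed(key, ta, pn_start + i) for i in range(n)]


def _crypt(seed, data):
    """Stand-in stream cipher: SHAKE256(seed) keystream XORed over data (same call encrypts and decrypts)."""
    return bytes(a ^ b for a, b in zip(data, hashlib.shake_256(seed).digest(len(data))))


class Transmitter:
    def __init__(self, key, ta, pn_start, n):
        self.ta, self.pn_start = ta, pn_start
        self.seeds = precompute_seeds(key, ta, pn_start, n)   # all N seeds ready up front
        self.next = 0

    def send(self, body):
        """Insert PN = start + i into the header and encrypt with the i-th precomputed seed."""
        i = self.next
        if i >= len(self.seeds):
            raise RuntimeError("seed window exhausted; rekey or precompute a new window")
        self.next += 1
        pn = self.pn_start + i
        return HDR.pack(self.ta, pn.to_bytes(6, "big"), len(body)) + _crypt(self.seeds[i], body)


class Receiver:
    def __init__(self, key, pn_start):
        self.key, self.last_pn = key, pn_start - 1

    def receive(self, packet):
        """Derive the key from the header, locate the payload by the length field, reject stale PNs."""
        if len(packet) < HDR.size:
            raise ValueError("short packet")
        ta, pn_bytes, length = HDR.unpack_from(packet)
        pn = int.from_bytes(pn_bytes, "big")
        if pn <= self.last_pn:
            raise ValueError(f"PN {pn} replayed or out of order")
        if len(packet) < HDR.size + length:
            raise ValueError("truncated payload")
        body = _crypt(mix_seed(self.key, ta, pn), packet[HDR.size:HDR.size + length])
        self.last_pn = pn
        return body
```

As in the abstracts, nothing here authenticates the packet; a deployment would pair the per-packet seed with a MIC or use it to key an AEAD, and the strictly increasing PN check is what turns the packet number from a mere key-mixing input into replay protection.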
-
Patent number: 9038145
Abstract: A user's set top box (STB), or other client, executes a shell and has an application program interface (API) by which certain features of the client can be controlled. The client is in communication with a walled garden proxy server (WGPS). The client sends a request to the WGPS to access a service provided by a site in the garden. The site sends the client a message containing code calling a function in the API. The WGPS traps the message from the site and looks up the site in a table to determine the access control list (ACL) for the site. The WGPS includes the ACL in the header of the hypertext transport protocol (HTTP) message to the client. The shell receives the message and extracts the ACL. If the code lacks permission, the shell stops execution.
Type: Grant
Filed: December 20, 2013
Date of Patent: May 19, 2015
Assignee: At Home BondHolders' Liquidating Trust
Inventors: Ralph William Brown, Milo S. Medin, Robert Keller, David Temkin
-
Patent number: 9037852
Abstract: A computer system storing parameters pertaining to the regulatory restrictions placed on a for-hire vehicle compares the parameters to a current operating environment of the for-hire vehicle. In some embodiments, the computer system acts as the meter (such as a taximeter) of the for-hire vehicle. The operating parameters may include expiration or exclusion parameters that define the scope of operation of the for-hire vehicle stemming from the for-hire vehicle's medallion or certificate of public convenience and necessity. The expiration or exclusion parameters may also correspond to a driver's permit or any general regulation enacted by the regulatory agency. If the current operating environment does not comply with the expiration or exclusion parameters, the computer system shuts down, or enters a standby mode, and may not accept additional passenger fares until the current operating environment complies with the expiration and exclusion parameters.
Type: Grant
Filed: September 2, 2011
Date of Patent: May 19, 2015
Assignee: IVSC IP LLC
Inventors: Michael Collins Pinkus, Mark A. James, James Alan Wisniewski
-
Patent number: 9027110
Abstract: The present invention relates to the field of information security. Disclosed are a system and method for communication between a dynamic token and a tool, the system comprising a tool part and a dynamic token part; the tool part comprises a control module and a tool radio frequency communication module; the dynamic token part comprises an MCU and liquid crystal module and an OTP radio frequency communication module. The method comprises: the tool part transmits a modulated wake-up command signal to the dynamic token part in the form of an electromagnetic wave; when a wake-up response command signal returned by the dynamic token part is correctly received, the tool part transmits the modulated command signal to the dynamic token part in the form of an electromagnetic wave; and the tool part detects the amplitude variation of the generated carrier signal, judges whether the response signal is correctly received, and operates correspondingly.
Type: Grant
Filed: August 28, 2012
Date of Patent: May 5, 2015
Assignee: Feitian Technologies Co., Ltd.
Inventors: Zhou Lu, Huazhang Yu
-
Patent number: 9026790
Abstract: A system for processing packet streams includes a first packet queuing circuitry connected between a first processor and a second processor and operable to queue packets for transfer from the first processor to the second processor. The system includes a second packet queuing circuitry connected between the first processor and the second processor and operable to queue packets for transfer from the second processor to the first processor. The first processor is programmed to transfer secure packets to the second processor via the first queuing circuitry for security processing and the second processor is programmed to return the security-processed packets to the first processor via the second queuing circuitry.
Type: Grant
Filed: December 30, 2009
Date of Patent: May 5, 2015
Assignee: STMicroelectronics (Research & Development) Limited
Inventors: Martin Bolton, Paul Pearson, Diarmuid Emslie
-
Patent number: 9021272
Abstract: The present invention relates to key management in a secure microcontroller, and more particularly, to systems, devices and methods of automatically and transparently employing logic or physical address based keys that may also be transferred using dedicated buses. A cryptographic engine translates a logic address to at least one physical address, and processes a corresponding data word based on at least one target key. The target key is selected from a plurality of keys based on the logic or physical address. A universal memory controller stores each processed data word in the corresponding physical address within a memory. Each key is associated with a memory region within the memory, and therefore, the logic or physical address associated with a memory region may be used to automatically identify the corresponding target key. A dedicated secure link may be used to transport key request commands and the plurality of keys.
Type: Grant
Filed: August 28, 2012
Date of Patent: April 28, 2015
Assignee: Maxim Integrated Products, Inc.
Inventors: Vincent Debout, Frank Lhermet, Yann Yves René Loisel, Grégory Rome, Christophe Tremlet
-
Publication number: 20150113268
Abstract: A computational engine may include an input configured to receive a first data packet and a second data packet, a context memory configured to store one or more contexts, and a set of computational elements coupled with the input and coupled with the context memory. The set of computational elements may be configured to generate a first output data packet by executing a first sequence of cryptographic operations on the first data packet, and generate a second output data packet by executing a second sequence of cryptographic operations on the second data packet and on a selected one of the one or more contexts. The selected context may be associated with the second data packet and may be stored in the context memory prior to the execution of the first sequence of cryptographic operations.
Type: Application
Filed: October 18, 2013
Publication date: April 23, 2015
Applicant: Advanced Micro Devices, Inc.
Inventor: Winthrop J. Wu
-
Patent number: 9015478
Abstract: Preventing web crawler access includes receiving a request for a webpage that includes web content that is to be protected from a web crawler, encrypting the web content to be protected to generate encrypted content and responding to the request, including sending the encrypted content and a decryption instruction. The decryption instruction is configured to allow a web browser to decrypt the encrypted content.
Type: Grant
Filed: February 27, 2014
Date of Patent: April 21, 2015
Assignee: Alibaba Group Holding Limited
Inventor: Ling He
-
Patent number: 9015477
Abstract: System and method embodiments are provided for asynchronous event notification and message handling in dynamic adaptive streaming over hypertext transfer protocol (DASH). The embodiments include sending in a segment file, from a network server to a client, a message box that is configurable for encryption, for scheduling a callback from the client, and with one or more arguments according to a messaging scheme of the message box. The network server further sends a message handling descriptor to the client for reloading a media presentation description (MPD) for obtaining a DASH event. The client then configures a universal resource locator (URL) for the MPD using the message box and the message handling descriptor, and sends the URL back to the network server. After receiving the URL, the network server sends the MPD to the client, which then uses the MPD to request segments of an asynchronous event.
Type: Grant
Filed: April 5, 2013
Date of Patent: April 21, 2015
Assignee: FutureWei Technologies, Inc.
Inventor: Alexander Giladi
-
Patent number: 9015467
Abstract: Methods and associated systems are disclosed for providing secured data transmission over a data network. Data to be encrypted and encryption information may be sent to a security processor via a packet network so that the security processor may extract the encryption information and use it to encrypt the data. The encryption information may include flow information, security association and/or other cryptographic information, and/or one or more addresses associated with such information. The encryption information may consist of a tag in a header that is appended to packets to be encrypted before the packets are sent to the security processor. The packet and tag header may be encapsulated into an Ethernet packet and routed via an Ethernet connection to the security processor.
Type: Grant
Filed: December 4, 2003
Date of Patent: April 21, 2015
Assignee: Broadcom Corporation
Inventors: Mark L. Buer, Scott S. McDaniel
-
Patent number: 9009813
Abstract: The present disclosure presents methods, systems and intermediaries which determine an encoding scheme of a uniform resource locator (URL) from a plurality of encoding schemes for a clientless secure socket layer virtual private network (SSL VPN) via a proxy. An intermediary may receive a response from a server comprising a URL. The response from the server may be directed to a client via a SSL VPN session and via the intermediary. The intermediary may determine, responsive to an encoding policy, one of a transparent, opaque or encrypted encoding scheme for encoding the URL. The intermediary may rewrite the URL for transmission to the client in accordance with the determined encoding scheme.
Type: Grant
Filed: February 4, 2014
Date of Patent: April 14, 2015
Assignee: Citrix Systems, Inc.
Inventors: Puneet Agarwal, Ravindra Nath Thakur, Anil Kumar Gavini
-
Patent number: 9009474
Abstract: A method and apparatus for detecting data modification in a layered operating system is disclosed. Outbound content indicators at different layers are compared to detect potential outbound data modifications. Likewise, inbound content indicators at different layers are compared to detect potential inbound data modifications. Content indicators include checksum, cryptographic hash, signature, and fingerprint indicators. Embodiments of the present invention enable detection of data modifications across an operating system's kernel and user mode spaces, prevention of modified outbound data from reaching a network, prevention of modified input data from reaching a user application, and detection of malware and faults within an operating system.
Type: Grant
Filed: April 28, 2014
Date of Patent: April 14, 2015
Assignee: Trend Micro Incorporated
Inventor: Blake Stanton Sutherland
-
Patent number: 9009466
Abstract: A terminal device capable of link layer encryption and decryption, and a data processing method thereof, are provided. The terminal device includes a link layer processing module comprising a control module, a data frame encryption module, a data frame decryption module, a key management module, an algorithm module, a transmission port and a reception port. The control module is connected with the transmission port through the data frame encryption module, the reception port is connected with the control module through the data frame decryption module, the control module is connected with the key management module, the data frame encryption module is connected with the data frame decryption module through the key management module, and the data frame encryption module is connected with the data frame decryption module through the algorithm module.
Type: Grant
Filed: June 17, 2011
Date of Patent: April 14, 2015
Assignee: China IWNCOMM Co., Ltd.
Inventors: Qin Li, Jun Cao, Manxia Tie
-
Patent number: 9002016
Abstract: In one embodiment, apparatus and methods for a rekey process are disclosed. In certain rekey embodiments, when a key-generation protocol exchange is executed, instead of generating a single new security relationship, such as a Security Association or SA, a multiple set (e.g., 10) of new security relationships (e.g., SAs) are generated. An authorized device can then individually use these security relationships (e.g., SAs) as needed to securely communicate with each other. For example, a set of SAs can be efficiently programmed into an 802.1ae protocol ASIC for handling transmitted and received data packets. In the description herein, embodiments of the invention are described with respect to SAs, and this “SA” term is generally defined as any type of security relation that can be formed to allow a particular node to securely transmit packets or frames to another receiving node.
Type: Grant
Filed: March 30, 2014
Date of Patent: April 7, 2015
Assignee: Cisco Technology, Inc.
Inventor: Chandan Mishra
-
Patent number: 9003182
Abstract: A wireless communication system includes a pager or similar device that communicates to a home terminal. The home terminal confirms the identity of the pager and attaches a certificate to the message for ongoing transmission. Where the recipient is also a pager, an associated home terminal verifies the transmission and forwards it in a trusted manner without the certificate to the recipient.
Type: Grant
Filed: July 13, 2012
Date of Patent: April 7, 2015
Assignees: Certicom Corp., Motorola, Inc.
Inventors: Walter Lee Davis, Douglas I. Ayerst, Scott Alexander Vanstone
-
Patent number: 8996858
Abstract: Aspects of the present invention provide a mechanism to utilize IMS media security mechanisms in a CS network and, thereby, provide end-to-end media security in the case where the media traffic travels across both a CS network and a PS network.
Type: Grant
Filed: November 5, 2008
Date of Patent: March 31, 2015
Assignee: Telefonaktiebolaget L M Ericsson (publ)
Inventors: Fredrik Lindholm, Rolf Blom
-
Patent number: 8989376
Abstract: A method for authenticating video content includes: receiving a digital signature, an unsecured video fingerprint, and an unsecured video content from a transmitting node at a receiving node in a communication network; determining if the digital signature is consistent with the unsecured video fingerprint at the receiving node to verify the unsecured video fingerprint; and determining if the unsecured video fingerprint is consistent with the unsecured video content at the receiving node to verify the unsecured video content in a manner that tolerates a predetermined measure of loss in the unsecured video content. If the unsecured video fingerprint and the unsecured video content are verified, the unsecured video content is authenticated for subsequent use at the receiving node. A receiving node associated with the method includes an input module, a fingerprint verification module, a content verification module, and a controller module.
Type: Grant
Filed: March 29, 2012
Date of Patent: March 24, 2015
Assignee: Alcatel Lucent
Inventors: Yansong Ren, Lawrence O'Gorman, John R. Zhang, Thomas L. Wood
-
Patent number: 8983065
Abstract: Method and apparatus for secure transmissions. Each user is provided a registration key. A long-time updated broadcast key is encrypted using the registration key and provided periodically to a user. A short-time updated key is encrypted using the broadcast key. The short-time key is available with each broadcast message, wherein sufficient information to calculate the short-time key is provided in an Internet protocol header preceding the broadcast content. Broadcasts are then encrypted using the short-time key, wherein the user decrypts the broadcast message using the short-time key.
Type: Grant
Filed: February 28, 2008
Date of Patent: March 17, 2015
Assignee: QUALCOMM Incorporated
Inventors: Nikolai Konrad Leung, Philip Michael Hawkes, Gregory Gordon Rose
-
Patent number: 8984284
Abstract: Aspects include a mechanism of entitling users to transacted-for digital content access, indicating download authorization with discrete authentication URLs, and validating download attempts using each such URL. The authentication mechanism comprises producing an encrypted string included in a URL provided to a user. The encrypted string comprises transaction identifier information, and information about the transacted-for entitlement. When a user wishes to exercise the transacted-for entitlement, the user activates the URL, which is resolved to a location that has/can obtain access to the key(s) used in producing the encrypted string, decrypt the string, and use the information in it to validate the URL and the entitlement. The validation can use data retrieved from a database, using the transaction identifier as a key. The entitlement information included in the now-decrypted string can be compared with the prior download information.
Type: Grant
Filed: May 10, 2013
Date of Patent: March 17, 2015
Assignee: Apple Inc.
Inventors: Gregor N. Purdy, Sr., Tony F. Kinnis
-
Patent number: 8977843
Abstract: A system and method for verifying and/or geolocating network nodes in attenuated environments for cyber and network security applications are disclosed. The system involves an origination network node, a destination network node, and at least one router network node. The origination network node is configured for transmitting a data packet to the destination network node through at least one router network node. The data packet contains a security signature portion, a routing data portion, and a payload data portion. The security signature portion comprises a listing of at least one network node that the data packet travelled through from the origination network node to the destination network node. In addition, the security signature portion comprises geolocation information, identifier information, and timing information for at least one network node in the listing.
Type: Grant
Filed: May 23, 2011
Date of Patent: March 10, 2015
Assignee: The Boeing Company
Inventors: Gregory M. Gutt, Arun Ayyagari, David A. Whelan, David G. Lawrence
-
Publication number: 20150058622
Abstract: Techniques related to data stream traffic control are disclosed herein. A bit equivalent entropy of an anonymized data stream is computed. Traffic of the data stream is controlled based on the value of the bit equivalent entropy.
Type: Application
Filed: August 20, 2013
Publication date: February 26, 2015
Applicant: HEWLETT-PACKARD DEVELOPMENT COMPANY, L.P.
Inventors: Malgorzata M STURGILL, Steven J SIMSKE
-
Patent number: 8966240
Abstract: Techniques are provided to append packet handling information “in the clear” ahead of security related information in a packet to be routed over a network to optimize wide area network deployments of security-configured equipment. In one form, at a network device that performs connectionless secure communication and network routing of packets, data is received from a source device to be sent through a network to a destination device. Packet handling information is inserted in a packet that is to be used to transport the data. The packet handling information is configured to enable controlled handling of the packet in the network and is inserted in an unprotected portion of the packet. Encrypted payload data is generated from the data received from the source device. The encrypted payload data and security information are inserted in a protected portion of the packet and the packet is sent to the network.
Type: Grant
Filed: October 5, 2011
Date of Patent: February 24, 2015
Assignee: Cisco Technology, Inc.
Inventor: Rakesh Chopra
-
Patent number: 8964974
Abstract: Techniques for injecting encryption keys into a meter as a part of a manufacturing process are discussed. Since various encryption keys injected into meters may be specific to each individual meter, a utility company customer may require a copy of the injected encryption keys associated with each individual meter. The techniques may include providing a copy of keys injected into each meter to a utility company customer. In some instances, the meter manufacturer may not store or persist various encryption keys that are injected into the meters during the manufacturing process.
Type: Grant
Filed: March 15, 2013
Date of Patent: February 24, 2015
Assignee: Itron, Inc.
Inventor: Bret Gregory Holmdahl
-
Publication number: 20150046702
Abstract: In an embodiment, a peripheral interface controller may include an inline cryptographic engine which may encrypt data being sent over a peripheral interface and decrypt data received from the peripheral interface. The encryption may be transparent to the device connected to the peripheral interface that is receiving/supplying the data. In an embodiment, the peripheral interface controller is included in a system on a chip (SOC) that also includes a memory controller configured to couple to a memory. The memory may be mounted on the SOC in a chip-on-chip or package-on-package configuration. The unencrypted data may be stored in the memory for use by other parts of the SOC (e.g. processors, on-chip peripherals, etc.). The keys used for the encryption/decryption of data may remain within the SOC.
Type: Application
Filed: August 9, 2013
Publication date: February 12, 2015
Applicant: Apple Inc.
Inventors: Timothy R. Paaske, David S. Warren, Michael J. Smith, Diarmuid P. Ross, Weihua Mao
-
Patent number: 8953801
Abstract: A system and method are provided which allow multicast communications encrypted using the IPSec protocol to be received by receivers in a network. In order to allow the receivers to receive the encrypted multicast communication, the address information of the received multicast communication is modified to appear as a unicast communication being transmitted directly to the address of the receiver, such that the receiver may then decrypt the received multicast communication using IPSec decryption capabilities or may, alternatively, forward the received multicast communication in its encrypted state to other devices. The system and method further provide IPSec encryption key delivery to the receiver using an encrypted markup language file. Multiple keys may also be generated for a given IP address of a receiver, with each key being generated for a particular multicasting hierarchical classification.
Type: Grant
Filed: April 18, 2012
Date of Patent: February 10, 2015
Assignee: Hughes Networks Systems, LLC
Inventors: John K. Thomasson, Neil R. Terry, Matthew M. Davis, Myron L. Mosbarger
-
Patent number: 8954734
Abstract: A DRM technique interoperability system includes an exporter and an importer. The exporter cancels the DRM technique from the contents to which the DRM technique of a DRM device is applied to generate a contents stream, generates a plurality of packets from the contents stream, and transmits the packets to the importer. The importer receives a plurality of packets from the exporter, generates a contents stream from the plurality of packets, applies a DRM technique of a second DRM device to the contents stream, and provides it to the second DRM device.
Type: Grant
Filed: December 20, 2007
Date of Patent: February 10, 2015
Assignee: Electronics and Telecommunications Research Institute
Inventors: Do-Won Nam, Yeon-Jeong Jeong, Ki-Song Yoon, Jung-Hyun Kim, Jee-Hyun Park, Jung-Soo Lee
-
Publication number: 20150026459
Abstract: A method and system for encrypting data packets in a multimedia stream are disclosed. Each data packet includes a header portion and a payload portion. In one embodiment, one or more data packets are selected from an incoming multimedia stream. Further, one or more of a header portion and a payload portion are selected within the one or more data packets. Furthermore, one or more regions in the selected one or more of the header portion and the payload portion are encrypted using an encryption algorithm.
Type: Application
Filed: July 19, 2014
Publication date: January 22, 2015
Inventors: PAVAN DIVAKAR, RAKSHITH SHANTHARAJU, SHASHANK HEGDE, BHAVANI GOPALAKRISHNA RAO, ABHINANDAN KEDLAYA, PUNEET GUPTA
-
Patent number: 8938619
Abstract: Embodiments may be configured to receive a protected version of content that includes multiple encrypted content samples. In various embodiments, each encrypted content sample includes multiple encrypted blocks. For a given encrypted content sample, different sets of encrypted blocks in that sample may form different encryption chains. The protected version of the content may further include decryption information for decrypting the encrypted content samples. The decryption information may include at least some initialization vectors generated dependent upon non-content information that is not included in the protected version of the content. The non-content information may be from a different protected version of the content. Embodiments may be configured to use the decryption information to decrypt one or more of the encrypted content samples.
Type: Grant
Filed: December 29, 2010
Date of Patent: January 20, 2015
Assignee: Adobe Systems Incorporated
Inventor: Viswanathan Swaminathan