Having Particular Address Related Cryptography Patents (Class 713/162)
-
Publication number: 20140019754
Abstract: A distributed communication and data sharing system that provides anonymity and unlinkability. A group comprising a number of structures, each having a public/private key pair, is stored on a plurality of nodes in a Distributed Hash Table. Advantageous features of the group management system are provided through the use of Cryptographically Generated Addresses (CGA) for the structures, a secure capture method that enables a user to capture an address and be the only one authorized to request certain operations for the address, and an anonymous get/set mechanism in which a user signs messages, encloses the public key in the message and encrypts the message and public key using the public key of the receiver. The distributed communication and data sharing system of the invention can advantageously be used for group management of social networks.
Type: Application
Filed: March 13, 2012
Publication date: January 16, 2014
Applicant: THOMSON LICENSING
Inventors: Olivier Heen, Christoph Neumann, Stephane Onno, Erwan Le Merrer
-
Patent number: 8630420
Abstract: A method for generating a network address in a communication network includes at least one user equipment and a network equipment. The method includes: a) providing a same shared secret key both at the at least one user equipment and at the network equipment; and b) generating at least a portion of the network address at the at least one user equipment and at the network equipment based upon at least the shared secret key.
Type: Grant
Filed: May 31, 2005
Date of Patent: January 14, 2014
Assignee: Telecom Italia S.p.A.
Inventors: Maria Pia Galante, Luca Dell'Uomo, Andrea Calvi
-
Patent number: 8631234
Abstract: An apparatus includes a plurality of connection-source terminating units. Each of the plurality of connection-source terminating units constitutes an independent communication path coupled to a corresponding one of a plurality of connection-destination terminating units provided for a connection-destination apparatus. The apparatus establishes encryption information including first information used for encryption processing on communication performed via a plurality of the independent communication paths established between the apparatus and the connection-destination apparatus. The first information is used in common for all the plurality of the independent communication paths when packets are transmitted through the plurality of the independent communication paths established between the communication apparatus and the connection-destination apparatus.
Type: Grant
Filed: March 11, 2011
Date of Patent: January 14, 2014
Assignee: Fujitsu Limited
Inventor: Yoshiaki Kukunaga
-
Patent number: 8619974
Abstract: A spread scrambled multiple access (SSCMA) scheme is described. A first encoded bit stream of a first terminal is scrambled according to a first scrambling signature. A second encoded bit stream of a second terminal is scrambled according to a second scrambling signature. The first scrambled bit stream is spread to match a communication channel bandwidth. The second scrambled bit stream is spread to match the communication channel bandwidth.
Type: Grant
Filed: December 24, 2009
Date of Patent: December 31, 2013
Assignee: Hughes Network Systems, LLC
Inventors: Russell Fang, Mustafa Eroz, Neal Becker
-
Patent number: 8621552
Abstract: A method for evaluating a deployment of a network access change request, the method includes: (a) formatting a network access change request to provide a formatted network access change request; wherein the formatted network access change request includes multiple formatted request items; wherein the multiple formatted request items includes a requested access type, an address of an access source, an address of an access destination; (b) determining multiple relationships between the multiple formatted request items and corresponding items of at least one entity out of a network model and a current network policy; and (c) responding to the network access change request in response to the multiple determined relationships.
Type: Grant
Filed: May 21, 2008
Date of Patent: December 31, 2013
Assignee: Skybox Security Inc.
Inventors: Amnon Lotem, Alexander Haiut, Ravid Circus, Moshe Raab, Amos Arev, Gideon Cohen, Tal Sheffer
-
Patent number: 8615655
Abstract: Methods including the steps of: upon sending an IP packet, obtaining, by a sender, a sender identity for a sender of the packet; securely tagging, by a sender, the packet with the sender identity, the packet having a plurality of fixed-length fields concatenated into a single fixed-length virtual field shared between a cryptographic hash and an identity index for supporting multiple distinct identities residing on an IP endpoint; determining, by a receiver, the sender identity by extracting it from the packet; checking, by the receiver, the packet to ensure the packet has been appropriately tagged; and enforcing a security policy, by the receiver, according to the sender identity. Preferably, the step of obtaining includes: accessing, by the sender, a server for obtaining the sender identity; and associating, by the server, the sender identity with the endpoint. Most preferably, the associating is performed using a prefix code for encoding the identities.
Type: Grant
Filed: January 22, 2009
Date of Patent: December 24, 2013
Assignee: Check Point Software Technologies, Ltd.
Inventor: Avi Shua
-
Patent number: 8612750
Abstract: A system and method provides secure channels for communication in a virtual universe by employing a packet interception layer for incoming and outgoing data packets. A data path is defined and is sequentially encrypted with the public keys of servers in the path. Decryption and identification of the next server occurs in a sequential manner in which the path is known only to the sender.
Type: Grant
Filed: August 15, 2012
Date of Patent: December 17, 2013
Assignee: International Business Machines Corporation
Inventors: Kelley K. Garcia, Rick A. Hamilton, II, Richard J. Newhook, Martin S. Ramsey, Raull Rangel, James W. Seaman
-
Communicating a packet from a mesh-enabled access point to a mesh portal in a multi-hop mesh network
Patent number: 8612752
Abstract: Methods are provided for processing a packet received by a mesh-enabled access point (MAP). When a first MAP receives a packet it can determine whether the packet is destined for a mesh portal based on the destination address. If so, the first MAP can retrieve an encryption key corresponding to the mesh portal, use the encryption key to encrypt the packet and set a mesh forwarding flag in the packet to indicate that the packet is destined for a mesh portal, and is encrypted with an encryption key corresponding to the mesh portal, and then forward the packet to the next hop MAP towards the mesh portal. The mesh forwarding flag indicates that the packet is destined for a mesh portal, is encrypted with an encryption key corresponding to the mesh portal, and is to be forwarded to the next hop MAP without performing decryption/re-encryption processing on the packet. When a MAP receives a packet, it determines whether a mesh forwarding flag is set in the packet.
Type: Grant
Filed: October 30, 2008
Date of Patent: December 17, 2013
Assignee: Symbol Technologies, Inc.
Inventor: Puneet Batta
-
Patent number: 8601262
Abstract: In a network, a router uses some secret information combined with a cryptographic process in determination of a subnet's routing prefix. Several methods are disclosed, including using an IP suffix for prefix generation and for decryption, maintaining a pool of pseudo prefixes at the router, using public key encryption and symmetric key encryption.
Type: Grant
Filed: January 2, 2007
Date of Patent: December 3, 2013
Assignee: NTT DoCoMo Inc.
Inventors: Muhammad Mukarram Bin Tariq, Craig B. Gentry, James Kempf, Ravi Jain, Toshiro Kawahara
-
Patent number: 8595832
Abstract: This disclosure presents a system that uses masking to safely execute native code. This system includes a processing element that executes the native code and a memory which stores code and data for the processing element. The processing element includes a masking mechanism that masks one or more bits of a target address during a control flow transfer to transfer control to a restricted set of aligned byte boundaries in the native code.
Type: Grant
Filed: February 23, 2012
Date of Patent: November 26, 2013
Assignee: Google Inc.
Inventors: Bennet S. Yee, J. Bradley Chen, David C. Sehr
-
Publication number: 20130311774
Abstract: A system and method connect a first network device and a second network device by initiating a secure communication link. The system includes one or more servers configured to: receive, from the first network device, a request to look up a network address of the second network device based on an identifier associated with the second network device; determine, in response to the request, whether the second network device is available for a secure communications service; and initiate a secure communication link between the first network device and the second network device based on a determination that the second network device is available for the secure communications service; wherein the secure communications service uses the secure communication link to communicate at least one of video data and audio data between the first network device and the second network device.
Type: Application
Filed: July 25, 2013
Publication date: November 21, 2013
Applicant: VIRNETX, INC.
Inventors: Victor Larson, Robert Dunham Short, III, Edmund Colby Munger, Michael Williamson
-
Patent number: 8588417
Abstract: Systems and methods for broadcast and multicast retransmissions within a protected wireless communications system are described. Retransmitted broadcast or multicast frames are designated by modification of fields or subfields in the MAC header of the frame which are constituent parts of the additional authentication data used to generate encryption keys. Such modifications cause legacy receivers to disregard the retransmitted frames or render legacy receivers to be unable to decrypt the retransmitted frame, avoiding the generation of duplicate frames. Non-legacy receivers recognizing the modification conventions can restore the MAC header to the original state and can reconstruct the original encryption keys and decrypt the retransmitted frames. A non-legacy transmitter can retransmit a frame without the need to re-encrypt the frame.
Type: Grant
Filed: April 18, 2008
Date of Patent: November 19, 2013
Assignee: Conexant Systems, Inc.
Inventor: Maarten Menzo Wentink
-
Patent number: 8590055
Abstract: A digital content protection apparatus and method for digital rights management (DRM) are provided in which a content file including a plurality of content parts is imported such that a header is included which stores location information required for decoding each of the content parts. Therefore, the number of content parts constituting the content file can be recognized, and a license that is required for the use of each of the content parts can be acquired by analyzing header information without necessitating the parsing of the transport packets of the content file. Accordingly, preparation time for using content can be reduced.
Type: Grant
Filed: April 24, 2007
Date of Patent: November 19, 2013
Assignee: Samsung Electronics Co., Ltd.
Inventors: Young-sun Yoon, Bong-seon Kim
-
Patent number: 8582767
Abstract: A self-synchronizing cryptographic device can be shared among a plurality of communications links. Blocks of data can be transferred to the cryptographic device, wherein each block of data includes a head portion which is the tail portion of a previous block of data for the same communication link. The head/tail portion is sufficient to reestablish cryptographic synchronization of the cryptographic device.
Type: Grant
Filed: September 27, 2010
Date of Patent: November 12, 2013
Inventors: Charles C. Hardy, Thomas R. Giallorenzi, Jami R. Smith, Ralph E. Carson, Scott A. Jansa
-
Patent number: 8582779
Abstract: A system and method for secure communications in a communication system, wherein the system programs a computer to perform the method, which includes: receiving at least one authentication key, without an encryption key, from a key-management server; receiving a packet, which is encrypted, from a source device; authenticating the packet, using the at least one authentication key, without cryptographically altering the packet; and forwarding the authenticated packet to a destination device of the packet.
Type: Grant
Filed: December 19, 2010
Date of Patent: November 12, 2013
Assignee: Motorola Solutions, Inc.
Inventors: Thomas S. Messerges, Adam C. Lewis
-
Patent number: 8578155
Abstract: A broadcast receiving apparatus comprises a broadcast receiving unit (1, 4˜13) for receiving a digital broadcast; a communication unit (1˜3) for performing two-way communication through a network; an operation unit 15 for performing an acquisition operation of a key for decrypting an encrypted broadcast program received by the broadcast receiving unit; and an address generating unit 16 for generating an address of an acquisition location of the key which is accessible with the communication unit, by using program arrangement information corresponding to the broadcast program based on the acquisition operation of a key by the operation unit.
Type: Grant
Filed: May 15, 2007
Date of Patent: November 5, 2013
Assignees: Kyocera Corporation, KDDI Corporation
Inventors: Masaru Fukushima, Shuichi Sugie, Shinsaku Kiyomoto, Tatsuo Shibata
-
Patent number: 8578156
Abstract: A device is provided which includes: a processor that outputs a command signal or an address signal and includes a bus module which inputs or outputs a data signal; and an encryption circuit that encrypts or decrypts the data signal in an encryption method using a common key and the address signal, wherein the processor and the encryption circuit are provided in a chip.
Type: Grant
Filed: January 13, 2010
Date of Patent: November 5, 2013
Assignee: Fujitsu Semiconductor Limited
Inventor: Seiji Goto
-
Patent number: 8572366
Abstract: This disclosure provides a system and method for client authentication that allows a service provider to implement multiple authentication challenges to verify a user/client. The system includes an extractor, a comparer, and an attributer. The extractor receives an Internet protocol source address from a client and extracts a media access control address. The extractor also determines a source identifier of the client from the media access control address. The comparer compares the extracted media access control address with a client media access control address associated with the client, and signals execution of one or more client authentication challenges when the extracted media access control address fails to match the at least one client media access control address associated with the client. The attributer associates the source identifier with the client after successful execution of a client authentication challenge.
Type: Grant
Filed: May 18, 2012
Date of Patent: October 29, 2013
Inventor: Navindra Yadav
-
Patent number: 8572374
Abstract: A measurement and authentication engine in a nonvolatile memory computes an original hash value on data read from the nonvolatile memory. A measurement and authentication engine in a host processor recomputes the hash value on the data received from nonvolatile memory and checks that the computed hash value matches the hash value generated and transferred from the nonvolatile memory.
Type: Grant
Filed: May 3, 2007
Date of Patent: October 29, 2013
Assignee: Intel Corporation
Inventor: Brent M. Ahlquist
-
Patent number: 8572370
Abstract: A method, system and computer program product for providing a secure connection between a client and a remote server to run a Virtual Environment (VE), including (a) establishing a repository for VE content on the remote server; (b) creating a data necessary for the VE to function; (c) generating two key pairs that include a VE key pair and a client key pair, wherein the VE key pair includes encryption and decryption keys, the client key pair includes decryption and encryption keys corresponding to encryption and decryption keys of the corresponding VE key pair and the two key pairs are used to provide a full duplex secure network channel between the client and the repository; (d) storing the data necessary for the VE to function as the VE content using data from the VE key pair in the repository; (e) receiving the address for accessing the stored data; and (f) from the client side, using the VE address and the client key pair to start the VE from the data necessary for the VE to function.
Type: Grant
Filed: December 22, 2008
Date of Patent: October 29, 2013
Assignee: Parallels IP Holdings GmbH
Inventor: Alexander G. Tormasov
-
Publication number: 20130283046
Abstract: Multiple service servers can store identification tags, which identify each user, after associating the identification tags with the identification tags of other users; and can also store identification data, which uniquely identifies users across multiple service servers, after associating the identification data with an encryption key for each identification datum. A management server device stores as identification data the user address data encrypted by means of an encryption key that has been generated for each identification datum. A gateway server device receives the identification tags from a first service server, receives the other identification tags associated with the first identification tags, receives the encryption keys associated with the other identification tags, and obtains the encrypted data from the management server. The gateway server device then decodes the encrypted information, and commands delivery that uses the obtained address data.
Type: Application
Filed: June 14, 2013
Publication date: October 24, 2013
Inventors: Norihiko NAONO, Kunihiko OHNAKA, Mitsutaka OKAZAKI
-
Patent number: 8566584
Abstract: A method, apparatus, and system for processing a Dynamic Host Configuration Protocol (DHCP) message are disclosed. The method includes: receiving a DHCP message, where the source address of the DHCP message is a Cryptographically Generated Address (CGA) and a signature of a DHCP message sender is carried in the DHCP message; verifying the CGA and the signature; and processing a payload of the DHCP message after the verification of the CGA and the signature succeeds. The CGA and the signature are verified in the embodiment of the present invention, thus improving the security of DHCPv6, and bringing convenience for key management due to publicity of the public key. In addition, because the life of the public key is long, configuration on the DHCP server and/or the network client is convenient.
Type: Grant
Filed: November 30, 2010
Date of Patent: October 22, 2013
Assignee: Huawei Technologies Co., Ltd
Inventors: Shuo Shen, Sheng Jiang
-
Publication number: 20130275751
Abstract: A translator is provided for translating predetermined portions of packet header information including an address of a data packet according to a cipher algorithm keyed by a cipher key derived by a key exchanger. A mapping device is also provided for mapping the address to a host table stored in memory. If the address does not match an entry in the host table, a security device is triggered.
Type: Application
Filed: June 6, 2013
Publication date: October 17, 2013
Inventors: Russell A. Fink, Matthew Aloysius Brannigan, Shelby Alana Evans, Aswin Morgan Almeida
-
Patent number: 8560843
Abstract: A method and apparatus for encrypted universal resource identifier (URI) based messaging is described. In one embodiment of the method, a computing system receives an encrypted message from a first client computing system over a network, stores the received message in a message data store, generates a shortened uniform resource locator (URL) for subsequent retrieval of the stored message, and sends the shortened URL to the first client computing system. Subsequently, the computing system receives a request, including the shortened URL, from a second client computing system to retrieve the stored message. The computing system encrypts the stored message in a URI and sends the URI to the second client computing system.
Type: Grant
Filed: September 24, 2010
Date of Patent: October 15, 2013
Assignee: Symantec Corporation
Inventors: Vincent E. Moscaritolo, Damon Cokenias
-
Patent number: 8560842
Abstract: A communication apparatus includes: a first storage unit registering a plurality of addresses of a plurality of communication apparatuses; a command sending unit sending a first command for requesting a first public key, which corresponds to a first secret key of the first communication apparatus, to the address of the first communication apparatus; a response receiving unit receiving from the first communication apparatus a first response including the first public key; a storage control unit associating the first public key with the address of the first communication apparatus and registering the first public key; an encrypted data generating unit encrypting first data, which is to be sent to the first communication apparatus, using the first public key registered in association with the address of the first communication apparatus to generate first encrypted data; and a data sending unit sending the first encrypted data to the address of the first communication apparatus.
Type: Grant
Filed: March 26, 2010
Date of Patent: October 15, 2013
Assignee: Brother Kogyo Kabushiki Kaisha
Inventor: Shohei Tsujimoto
-
Patent number: 8559634
Abstract: An encoding/decoding operation portion includes an encoding/decoding operation circuit and an avoiding path for detouring the encoding/decoding operation circuit and can select between encoding or decoding input data in the encoding/decoding operation circuit and detouring the encoding/decoding operation circuit to output the input data without change. Only one wire has to be provided from a selector to a key storage portion and an initialization-vector storage portion. With this construction, it is possible to realize an encoding/decoding circuit which can suppress an increase in the number of wires used to transmit a content of key data to the key storage portion and the initialization-vector storage portion and does not cause complication of circuit layout.
Type: Grant
Filed: August 23, 2012
Date of Patent: October 15, 2013
Assignee: Renesas Electronics Corporation
Inventors: Shigenori Miyauchi, Atsuo Yamaguchi
-
Patent number: 8549286
Abstract: In the field of communications technology, a method and a system for forwarding data between private networks are provided, which can enable terminals in different private networks to securely communicate with each other by using private network addresses. The method includes the following steps. A Secure Socket Layer (SSL) tunnel to an SSL Virtual Private Network (VPN) device in another private network is established. Address allocation information of the another private network is received through the SSL tunnel. The address allocation information and a mapping relation between the address allocation information and a public network IP address of the SSL VPN device transmitting the address allocation information and a session ID of the SSL tunnel transmitting the address allocation information are saved.
Type: Grant
Filed: October 29, 2010
Date of Patent: October 1, 2013
Assignee: Chengdu Huawei Symantec Technologies Co., Ltd.
Inventors: Lifeng Liu, Min Huang, Shi Wan
-
Patent number: 8549290
Abstract: A secure secret sharing system is implemented. Shares SH(?, h(?)) are generated by secret sharing of secret information separately for each subset SUB(?); each of share management apparatuses PA(?, h(?)) generates a shared secret value DSH(?, h(?)) by performing a common operation to a corresponding share SH(?, h(?)) and common information containing a common value ?(?) shared in each subset SUB(?); and an acquisition apparatus generates a reconstructed secret value SUBSK(?) by reconstruction processing for each subset SUB(?), using a plurality of shared secret values DSH(?, h(?)) corresponding to the same subset SUB(?), and generates generation information SK by using the reconstructed secret values SUBSK(?).
Type: Grant
Filed: April 23, 2010
Date of Patent: October 1, 2013
Assignee: Nippon Telegraph and Telephone Corporation
Inventors: Ryo Nishimaki, Koutarou Suzuki
-
Patent number: 8549285
Abstract: Methods, apparatus, system and computer program are provided for concealing the identity of a network device transmitting a datagram having a network layer header. A unique local identifier and broadcast address are determined in accordance with a next-hop address. A partially encrypted network layer header is determined by encrypting a plurality of identifying portions of the network layer header, where one portion of the network layer header is the unique local identifier. The datagram is encapsulated with another network layer header whose address is set to the broadcast address. The encapsulated datagram can be received and detunneled, and an address of a recipient can be extracted from the network layer header. The datagram is then admitted into a network domain.
Type: Grant
Filed: June 14, 2010
Date of Patent: October 1, 2013
Assignees: Verizon Corporate Services Group Inc., Raytheon BBN Technologies Corp.
Inventors: Russell A. Fink, Edward A. Bubnis, Jr., Thomas E. Keller
-
Patent number: 8543471
Abstract: In one embodiment, a method includes sending by an endpoint a request for information about available services to a network device; receiving by the endpoint a message from the network device, the message including information associated with a first service provider; determining by the endpoint whether the first address is certified by a trusted third party as being associated with the first service provider; if the first address is certified by the trusted third party, communicating by the endpoint with the first service provider using the information; and, in response to communicating with the first service provider using the information, receiving by the endpoint access to a service from the first service provider through the network device.
Type: Grant
Filed: August 24, 2010
Date of Patent: September 24, 2013
Assignee: Cisco Technology, Inc.
Inventors: Joseph A. Salowey, David Sheldon Stephenson, Nancy Cam-Winget, Chetin Ersoy
-
Patent number: 8542593
Abstract: In one embodiment of the invention, a system and method for error tolerant delivery of data is provided. A data file is received for transmission which includes metadata and data. The metadata includes mandatory portions and optional portions, which are grouped together, respectively. The mandatory portions of the metadata include file control data. The file is parsed into packets and transmitted as a data stream to a plurality of receiver devices. In some cases this data stream may be transmitted multiple times for redundancy. Once the data stream is received, the receiver device may look for transmission errors in the control data of the data stream. If such an error is present the data stream is discarded; otherwise, the receiver device converts the data stream back into the native file format and stored for later playback or queued processing.
Type: Grant
Filed: October 20, 2010
Date of Patent: September 24, 2013
Assignee: Vucast Media, Inc.
Inventors: Derek D. Kumar, Gregg Brian Levin
-
Patent number: 8543813
Abstract: Computer-implemented methods and apparatus to perform a valid transfer of an electronic mobile ticket on a mobile device by a ticketing application system of a ticket processing center. One method includes: receiving a first electronic message from a first user, where the first message includes an encrypted electronic mobile ticket and a mobile device number of a second user, and where the electronic mobile ticket is encrypted with a key shared between the first user and the ticketing application system; decrypting the encrypted electronic mobile ticket; generating an electronic mobile ticket encrypted with a key shared by the ticketing application system and the second user; and transmitting a second electronic message that includes the electronic mobile ticket encrypted with the key shared between the ticketing application system and the second user to a mobile device of the second user.
Type: Grant
Filed: September 29, 2010
Date of Patent: September 24, 2013
Assignee: International Business Machines Corporation
Inventors: Chen Hua Feng, He Yuan Huang, Xiao Xi Liu, Bin Wang
-
Patent number: 8544080
Abstract: An apparatus for establishing a virtual private network with an internet protocol multimedia subsystem (IMS) device that includes a key derivation module, a tunneling protocol module, a tunnel management module, and a security policies module. The apparatus includes a non-volatile memory configured to store a first routing table that maps host addresses and IMS addresses of security devices allowing access to those hosts, such that when an application running in the IMS device requests communication to a host address, the apparatus initiates a session with the IMS address to which the host address is mapped. The session is initiated by a message that includes a body that contains, for each tunneling protocol supported by the tunneling protocol module, data about the local tunnel endpoint (e.g.
Type: Grant
Filed: June 12, 2008
Date of Patent: September 24, 2013
Assignee: Telefonaktiebolaget L M Ericsson (publ)
Inventor: Jesus Javier Arauz Rosado
-
Patent number: 8543814
Abstract: A method and apparatus for authenticating to a third party service provider from a personal computer. The method includes authenticating, with a mobile terminal, to the service provider with a universal subscriber identity module associated with the mobile terminal to obtain credentials specific to the service provider, transferring the credentials specific to the service provider from the mobile terminal to the personal computer, and accessing the service provider with the personal computer using the credentials transferred from the mobile terminal. The apparatus includes a mobile terminal, a computing device, a bootstrapping security module, and a network application function that cooperatively work to allow the computing device to access the network application function using a security credential from the mobile terminal.
Type: Grant
Filed: January 10, 2006
Date of Patent: September 24, 2013
Assignee: RPX Corporation
Inventors: Pekka Laitinen, Shreekanth Lakshmeshwar
-
Patent number: 8537841
Abstract: A problem is to provide a connection support apparatus and a gateway apparatus in which management of information is easy and remote access from a user terminal to the gateway apparatus can be performed easily and securely, and the problem is solved by including a control unit configured to perform control on a gateway apparatus to which a user apparatus connects so as to permit connection from the user apparatus for which authentication succeeds; and a communication unit configured to provide the user terminal with connection information used for connecting to the gateway apparatus.
Type: Grant
Filed: August 9, 2007
Date of Patent: September 17, 2013
Assignee: Fujitsu Limited
Inventors: Haruyuki Takeyoshi, Naoki Matsuoka, Tomohiro Ishihara
-
Patent number: 8533465
Abstract: A method is provided for sending a data packet from a client through a network and to a server. The data packet is a data structure having an originating address portion and destination address portion. The network includes a first mix router and a second mix router. The client has a client address, whereas the first mix router has a first mix router address, the second mix router has a second mix router address and the server has a server address. The method includes encrypting the originating address portion of the data packet and encrypting the destination portion of the data packet, transmitting the encrypted data packet, decrypting the originating address portion of the encrypted data packet and the destination portion of the encrypted data packet, providing a first data packet and providing a second data packet.
Type: Grant
Filed: March 5, 2009
Date of Patent: September 10, 2013
Assignee: The Johns Hopkins University
Inventor: Jonathan T. Trostle
-
Publication number: 20130232338 Abstract: Methods, devices, and systems that may be used to secure networked devices are provided. One method includes receiving, at a security device, encrypted configuration data from a management server connected to a data network, from packets addressed to a networked device. The method further includes managing, by the security device, packets between the networked device and other devices accessible through a network based upon the configuration data. The method further includes sending, by the security device, a plurality of encrypted heartbeat messages to the management server utilizing an address associated with the networked device as the originating address for packets in which the encrypted heartbeat messages are transmitted. Type: Application Filed: February 22, 2013 Publication date: September 5, 2013 Applicant: Byres Security Inventors: Eric Byres, Darren Lissimore, John Karsch, Khai Lee
-
Patent number: 8527426 Abstract: The present invention permits a user to conduct remote transactions without a network while using an untrusted computing device, such as a hand held personal digital assistant or a laptop computer. The computing device is augmented with a smartcard reader, and the user obtains a smartcard and connects it to the device. This design can be used by an untrusted user to perform financial transactions, such as placing bets on the outcome of a probabilistic computation. Protocols are presented for adding (purchasing) or removing (selling) value on the smartcard, again without requiring a network connection. Using the instant protocols, neither the user nor the entity issuing the smartcards can benefit from cheating. Type: Grant Filed: May 19, 2009 Date of Patent: September 3, 2013 Assignee: AT&T Intellectual Property II, L.P. Inventors: William A. Aiello, Aviel Q. Rubin, Martin J. Strauss
-
Patent number: 8515066 Abstract: A method for establishing an encrypted communication channel between a first apparatus and a second apparatus by using a session management apparatus. The method includes: establishing a first encrypted communication channel between the session management apparatus and the first apparatus by performing mutual authentication between the session management apparatus and the first apparatus; establishing a second encrypted communication channel between the session management apparatus and the second apparatus by performing mutual authentication between the session management apparatus and the second apparatus; and exchanging key information between the first apparatus and the second apparatus via the first encrypted communication channel and the second encrypted communication channel so as to establish an encrypted communication channel between the first apparatus and the second apparatus. Type: Grant Filed: November 4, 2004 Date of Patent: August 20, 2013 Assignee: NTT Communications Corporation Inventors: Makoto Saito, Osamu Tokunaga, Toshiyuki Yamasaki, Shin Miyakawa, Yasuhiro Shirasaki, Takamasa Uchiyama, Satoshi Fukada, Takashi Egashira, Toshiaki Suzuki
-
Patent number: 8516248 Abstract: A communication apparatus includes: a first storage unit configured to store a plurality of addresses of a plurality of first communication apparatuses; an acquiring unit configured to acquire a self-public key; a specifying unit configured to specify an address of at least one of the plurality of first communication apparatuses stored in the first storage unit when the self-public key is acquired; and a first public key sending unit configured to send the self-public key to the address of the at least one of the plurality of first communication apparatuses specified by the specifying unit. Type: Grant Filed: March 18, 2010 Date of Patent: August 20, 2013 Assignee: Brother Kogyo Kabushiki Kaisha Inventor: Satoru Yanagi
-
Patent number: 8516254 Abstract: A security panel includes a processor, memory, and a network interface having a unique MAC address, and is configured to communicate over a network with a server. A method for registering the security panel with the server includes contacting the server utilizing a network address stored in the memory. A dealer ID, a line number, and a unique account number are sent to the server. The dealer ID, the line number, and the unique account number are stored in the memory. An encryption key is received for encryption of additional communication between the security panel and the server. The unique MAC address is sent to the server in an encrypted session to verify the security panel to the server. Type: Grant Filed: December 20, 2011 Date of Patent: August 20, 2013 Assignee: UTC Fire & Security Americas Corporation, Inc. Inventors: Gerald B. Fisher, Theodore A. Nesse, Sunil Kumar Neckaraje, Uwe H. Thomanschefsky
-
Patent number: 8510555 Abstract: A streaming video server generates a virtual file system that includes virtual addresses of a plurality of encrypted segments of a plurality of video programs at each of a plurality of bitrates, without storing the plurality of encrypted segments in persistent storage. A request is received from a client device to access a selected one of the plurality of video programs via a request to access the virtual file system. The plurality of encrypted segments of the selected one of the plurality of video programs are generated at a selected bitrate, in response to the request. Type: Grant Filed: April 27, 2011 Date of Patent: August 13, 2013 Assignee: Morega Systems Inc Inventor: King Chiu Tam
-
Patent number: 8510551 Abstract: A device receives a unicast packet designating a unicast source and a unicast destination, and determines whether the received unicast packet is a Data Register message. The device extracts information relating to a multicast packet encapsulated within the unicast packet when the unicast packet is a Data Register message, and performs a security policy lookup based on the extracted multicast packet information to identify a security policy associated with the multicast packet. The device determines whether the identified security policy authorizes forwarding of the unicast packet, and establishes a multicast data session when the identified security policy authorizes forwarding of the unicast packet. The device establishes a multicast control session based on the multicast data session, where the multicast control session authorizes transmission of PIM-related control messages associated with the multicast packet. Type: Grant Filed: November 10, 2008 Date of Patent: August 13, 2013 Assignee: Juniper Networks, Inc. Inventors: Purvi Desai, Kannan Varadhan
-
Patent number: 8503672 Abstract: Provided is a method of protecting a content consumer's privacy. The method includes classifying contents into content groups, encrypting the contents using different encryption keys, generating a plurality of decryption keys each of which can decrypt all contents in each of the content groups, and providing the generated decryption keys to authorized clients, wherein each client is provided with a different decryption key. Type: Grant Filed: April 29, 2008 Date of Patent: August 6, 2013 Assignee: Samsung Electronics Co., Ltd. Inventors: Jun Yao, Choong-hoon Lee, Su-hyun Nam
-
Patent number: 8503369 Abstract: Disclosed are a cellular phone terminal, a cellular phone system and a privacy protection method therefor that make it possible to prevent leakage of private information from the communication data when conducting a search for wireless LAN base stations. The cellular phone terminal comprises, in addition to the cellular phone function section, a cellular phone network transmitter/receiver section, a wireless LAN transmitter/receiver section and a wireless LAN connection control section, an SSID•MAC address management section connected to the wireless LAN connection control section and the cellular phone network transmitter/receiver section. The SSID•MAC address management section is allocated by a MAC address management server one or more temporary MAC addresses together with their time limit by way of the cellular phone network transmitter/receiver section and a cellular phone base station and the temporary MAC addresses are used when conducting a search for wireless LAN base stations. Type: Grant Filed: May 2, 2012 Date of Patent: August 6, 2013 Assignee: NEC Corporation Inventor: Yasuhiro Mizukoshi
-
Patent number: 8503677 Abstract: A communication device receives secure communication frames on which a security transform has been performed to permit authentication. The communication device maintains an authentication history and a local time varying parameter. In multi-hop communication, the communication device provisionally verifies the freshness of a received secure communication frame by verifying that identifying information extracted from the frame is not already present in the authentication history and that a received time varying parameter extracted from the frame is not older than the local time varying parameter by more than a certain margin. If these freshness tests both pass, the frame is authenticated. If authentication succeeds, the frame is transmitted on the next hop without performance of a new security transform. Type: Grant Filed: November 18, 2010 Date of Patent: August 6, 2013 Assignee: Oki Electric Industry Co., Ltd. Inventors: Taketsugu Yao, Kiyoshi Fukui, Jun Nakashima
-
Publication number: 20130179683 Abstract: To check a secure registration to a service provided by a web server from a communication terminal (TC), the web server (SW) saves a dynamically generated code matching the terminal (TC)'s IP address and transmits a message containing the code (CodC) to an e-mail address. This address is provided by the user in response to the terminal's connection to the web server. The server transmits to the terminal an application (App) capable of generating an automated test in order to tell computers apart from humans. The answer provided by the user is encrypted with the terminal's IP address and the code contained in the message transmitted to the e-mail address, and is directly transmitted by the application to the server, which decrypts it and compares it with an expected answer in order to enable access to the Web server if the decrypted answer matches the expected answer. Type: Application Filed: September 14, 2011 Publication date: July 11, 2013 Inventors: Eric Joubert, Monique Lu
-
Patent number: 8484456 Abstract: An electronic messaging system, including: a first message transfer server for receiving a message for a party, mapping the destination address of the message to a trusted address for the party, and substituting the trusted address for the destination address; and a second message transfer server for establishing an authenticated transport session with the first message transfer server to receive the message and transfer the message to a location corresponding to the trusted address. Type: Grant Filed: December 8, 2005 Date of Patent: July 9, 2013 Assignee: Alien Camel Pty Ltd. Inventors: Sydney Gordon Low, Matthew Iain Walker
-
Patent number: 8478985 Abstract: An improved method, apparatus, and computer instructions for processing outbound traffic passing through a port. This port is for a server and receives a request from a client. The request includes a universal resource identifier to a destination. A determination is made as to whether the request requires encryption using the universal resource identifier in the request. The request is sent through the port to the destination in an encrypted form, in response to a determination that the request requires encryption. Type: Grant Filed: June 12, 2008 Date of Patent: July 2, 2013 Assignee: International Business Machines Corporation Inventors: Alexandre Polozoff, Kulvir Singh Bhogal
-
Patent number: RE44503 Abstract: In a memory system using a removable recording medium and data stored in the recording medium, identifying information for identifying each recording medium from others is held in the recording medium, and when data stored in the recording medium is used, the identifying information of the recording medium is required. As a result, when a flash memory card, etc. is used, a copyright is reliably protected. Type: Grant Filed: May 4, 2011 Date of Patent: September 17, 2013 Assignee: Kabushiki Kaisha Toshiba Inventors: Yoshiyuki Tanaka, Hiroshi Nakamura, Hiroshi Sukegawa, Mikito Nakabayashi, Kazuya Kawamoto