Multicast Patents (Class 713/163)
  • Publication number: 20090150668
    Abstract: A system and method for implementing security of multi-party communication is disclosed in the disclosure. The system mainly includes a group key management unit and a record protocol unit. The method mainly includes: when the system runs in the centralized group key management mode, the Group Controller and Key Server (GCKS) establishes and stores a Group Security Association; the GCKS negotiates with the group members to establish an Initiation Security Association; and, under the protection of the Initiation Security Association, the group members obtain the Group Security Association from the GCKS. When the system runs in the distributed group key management mode, a Group Security Association is established by all the group members together at the beginning of the group communication.
    Type: Application
    Filed: January 9, 2009
    Publication date: June 11, 2009
    Inventors: Ya LIU, Fuyou MIAO
  • Publication number: 20090144544
    Abstract: A security control method in a cable network dynamic multicast session, and more particularly, a method of controlling forward secrecy and backward secrecy in a Data Over Cable Service Interface Specifications (DOCSIS) 3.0 network dynamic multicast session is provided. A security control method in a cable network dynamic multicast session, includes: maintaining a multicast group that is allocated with a first Downstream Service Identifier (DSID) and a first Security Association Identifier (SAID) and that is joined by a first cable modem and a second cable modem; receiving a LeaveMulticastSession message from the second cable modem; exchanging, corresponding to the LeaveMulticastSession message, a Dynamic Bonding Change (DBC) message for changing a multicast parameter with the second cable modem; and updating a first Traffic Encryption Key (TEK) corresponding to the first DSID with a second TEK.
    Type: Application
    Filed: August 13, 2008
    Publication date: June 4, 2009
    Inventors: Han Seung KOO, O Hyung KWON, Yun Jeong SONG, Soo In LEE
  • Patent number: 7543143
    Abstract: In a mobile communication system, upon multicasting service data through a common channel in a radio communication area, a user not subscribing is disabled from receiving the multicasted service data, and a charge can be applied only for the subscribing user. As a method of generating a security key for applying security to the multicasted service data, in the SGSN the security key is generated corresponding to the multicasting service for the security process. The multicasted service data to which the security process is applied can be transmitted through the common channel in the radio communication area between the RAN and the UE (terminal), and the service data cannot be decoded by a user who is not subscribing.
    Type: Grant
    Filed: April 29, 2003
    Date of Patent: June 2, 2009
    Assignee: NEC Corporation
    Inventor: Sadafuku Hayashi
  • Patent number: 7539313
    Abstract: A method for managing encryption keys in a communication system having a plurality of communication devices includes establishing a set of cryptographic keys for secure communication. Each of the cryptographic keys is associated with a geographic region. A geographic region is determined for a communication device and at least one cryptographic key is distributed to the communication device based on the geographic region of the communication device. At least one cryptographic key may be used to derive further cryptographic keys associated with a set of sub-regions of the geographic region associated with the communication device.
    Type: Grant
    Filed: September 13, 2001
    Date of Patent: May 26, 2009
    Assignee: Nortel Networks Limited
    Inventors: Thomas P. Hardjono, Lakshminath Dondeti
  • Patent number: 7536011
    Abstract: An encryption device performs elliptic curve encryption using a secret key. The encryption device includes an operation unit for performing scalar multiplication of a point on an elliptic curve, a storage unit having a plurality of data storing areas, and a determiner unit for determining, in accordance with a bit sequence of a given value (d) and with a random value (RNG), an address of one of the plurality of data storage areas that is to be coupled to the operation means for each scalar multiplication.
    Type: Grant
    Filed: January 31, 2005
    Date of Patent: May 19, 2009
    Assignee: Fujitsu Limited
    Inventors: Masahiko Takenaka, Tetsuya Izu, Kouichi Itoh, Naoya Torii
  • Patent number: 7530112
    Abstract: A method and apparatus for providing network security using role-based access control is disclosed. A network device implementing such a method can include, for example, an access control list. Such an access control list includes an access control list entry, which, in turn, includes a user group field. Alternatively, a network device implementing such a method can include, for example, a forwarding table that includes a plurality of forwarding table entries. In such a case, at least one of the forwarding table entries includes a user group field.
    Type: Grant
    Filed: September 10, 2003
    Date of Patent: May 5, 2009
    Assignee: Cisco Technology, Inc.
    Inventor: Michael R. Smith
  • Patent number: 7526647
    Abstract: A network publishing authorization protocol, for use in a network connected to a printer, a server and a publisher of network publications. The protocol authorizes the printing of a publication at the printer. It includes the steps of: addressing the publication to a user; signing the publication using a private key; sending the publication to the printer; and confirming that the publication may be printed at the printer, by verifying the private key signature. Confirmation may take place at the printer or at the server.
    Type: Grant
    Filed: November 8, 2004
    Date of Patent: April 28, 2009
    Assignee: Silverbrook Research Pty Ltd
    Inventors: Paul Lapstun, Kia Silverbrook
  • Patent number: 7526091
    Abstract: A method for minimizing overhead caused by control information for encryption performed to protect MBMS data for an MBMS service in a mobile communication system. This method is implemented by distinguishing a case in which the control information used for encryption is updated from another case in which the control information used for encryption is not updated, and transmitting different control information according to the result of this distinction. That is, when the control information used for encryption is not updated, only minimized control information is transmitted, and when the control information for encryption is updated, the entire updated control information is transmitted. Accordingly, the amount of control information transmitted along with MBMS data is minimized, contributing to an increase in the amount of MBMS data transmitted per unit time.
    Type: Grant
    Filed: January 19, 2005
    Date of Patent: April 28, 2009
    Assignee: Samsung Electronics Co., Ltd
    Inventors: Kyeong-In Jeong, Kook-Heui Lee, Sung-Ho Choi
  • Patent number: 7522727
    Abstract: A method includes receiving an authentication request from a mobile station (401) and determining whether to forward the request to an authentication agent. When it is determined to forward the request, the request is forwarded to the authentication agent (107). A random number and a random seed are received from the authentication agent (107). The random number and the random seed are forwarded to the mobile station (401). A response to the random number and the random seed from the mobile station (401) is received and forwarded to the authentication agent (107). The authentication agent (107) compares the response with an expected response. When the authentication agent (107) authenticates the mobile station (401), a derived cipher key is received from the authentication agent (107).
    Type: Grant
    Filed: August 31, 2006
    Date of Patent: April 21, 2009
    Assignee: Motorola, Inc.
    Inventors: Hans Christopher Sowa, Daniel J. McDonald, David J. Chater-Lea, Scott J. Pappas, Jason Johur, Dennis Newkirk, Randy Kremske, Walter F. Anderson
  • Patent number: 7522731
    Abstract: System, apparatus, and methods are disclosed wherewith a group of independent wireless routing devices known as Service Points work cooperatively to form an ad hoc mesh communication network. The resulting Service Point Network is used to provide reliable address-directed communication services between devices attached by conventional means (wired or wireless) to respective Service Ports on any of the Service Points. Attached Utilizing Devices are not considered a part of the Service Point Network and need not contain any custom software or hardware related to the operations of the Service Point Network. To protect the security of network communications and the integrity of the network, the Service Points are assigned internal IP addresses and unique identifiers that need not be disclosed to the Utilizing Devices. The unique identifiers in turn are used to derive public and private encryption key pairs for each Service Point.
    Type: Grant
    Filed: April 28, 2003
    Date of Patent: April 21, 2009
    Assignee: Firetide, Inc.
    Inventors: Keith Stuart Klemba, Isaac Robert Nassi, David Neil Cornejo, Lawrence Alan Rosenthal
  • Patent number: 7522599
    Abstract: Principles of the invention are described for providing multicast virtual private networks (MVPNs) across a public network that are capable of carrying high-bandwidth multicast traffic with increased scalability. In particular, the MVPNs may transport layer three (L3) multicast traffic, such as Internet Protocol (IP) packets, between remote sites via the public network. The principles described herein may reduce the overhead of protocol independent multicast (PIM) neighbor adjacencies and customer control information maintained for MVPNs. The principles may also reduce the state and the overhead of maintaining the state in the network by removing the need to maintain at least one dedicated multicast tree per each MVPN.
    Type: Grant
    Filed: August 26, 2005
    Date of Patent: April 21, 2009
    Assignee: Juniper Networks, Inc.
    Inventors: Rahul Aggarwal, Yakov Rekhter, Anil Lohiya
  • Patent number: 7523307
    Abstract: A method for enforcing compliance in both the copy protect domain and service subscription domain for streamed multicast data. Each content is encrypted with a title key that itself is encrypted with a channel unique key which is a hash of a session key and a channel key. A compliant player is given the channel key upon registration for a subscription service (representing subscription protection) and is also given device keys upon activation (representing copy protection) for decrypting the session key. Consequently, the channel unique key can be obtained (and, hence, the content decrypted) only by a player that is compliant with both copy protection rules and subscription rules. The channel key can be refreshed periodically as subscriptions change or expire.
    Type: Grant
    Filed: January 8, 2002
    Date of Patent: April 21, 2009
    Assignee: International Business Machines Corporation
    Inventors: Jeffrey Bruce Lotspiech, Dalit Naor, Sigfredo Ismael Nin, Florian Pestoni
  • Patent number: 7519184
    Abstract: A small-scale wireless communication system offering advanced security level. An encryption key memory of an access point stores an encryption key list of a plurality of different encryption keys. A change information transmitter periodically transmits change information to a terminal by radio, the change information requesting the change of encryption key. An encryption key selector selects an encryption key from the encryption key list under a rule when the change information transmitter transmits the change information. A terminal-side encryption key memory of the terminal stores a terminal-side encryption key list which is the same as the encryption key list. A change information receiver receives the change information from the access point. Upon reception of the change information, a terminal-side encryption key selector selects an encryption key from the terminal-side encryption key list under a rule which is the same as the rule which the encryption key selector used to select the encryption key.
    Type: Grant
    Filed: September 28, 2004
    Date of Patent: April 14, 2009
    Assignee: Fujitsu Limited
    Inventors: Naoshi Kayashima, Yuuji Nagano, Yuji Nomura
  • Patent number: 7519811
    Abstract: Disclosed herein is a data transmission system permitting secure and more reliable transmission of data from a data transmitter to a data receiver or receivers. The system comprises: a data transmitter for encrypting data and transmitting the encrypted data; data receivers for receiving the encrypted data from the data transmitter; satellite links used for data transmission from the data transmitter to the data receivers; and bidirectional communication channels which are also used for transmitting data from the data receivers to the data transmitter and which have a smaller capacity of data transmission than the satellite links. The satellite links are used to transmit encrypted data from the data transmitter to the data receivers. At least the bidirectional communication channels are used to communicate restrictive data transmission control information between the data transmitter and the data receivers.
    Type: Grant
    Filed: May 10, 1999
    Date of Patent: April 14, 2009
    Assignee: Sony Corporation
    Inventor: Kazuhiro Hara
  • Patent number: 7512789
    Abstract: A mailing list server sends mail encrypted by an encryption method compatible with the mail user agent device likely to receive the mail. A mailing list server 20 receives a signed mail from a member and registers and manages the SMIMECapabilities of that mail in a members' encryption function map 212. A mail-receiving part 201 verifies the signature on a mail received from a member using the member's certificate and decrypts the mail. A mail-distributing part 202 signs and encrypts mail for distribution and distributes it to members' mail addresses. A symmetric encryption key to be used for the encryption is determined for each member with reference to the members' encryption function map 212.
    Type: Grant
    Filed: January 28, 2003
    Date of Patent: March 31, 2009
    Assignee: Fuji Xerox Co., Ltd.
    Inventors: Mitsuru Sato, Naoyasu Terao
  • Patent number: 7512788
    Abstract: A group messaging system enabling anonymous collective communications in a group which is locally defined in association with a group owner's messaging account, wherein messaging software at the group owner converts a group message into multiple one-to-one group messages destined to each group member in collaboration with the said group membership resolution process. The invention further includes a group message reply process wherein the messaging software at a recipient's side composes a reply message and transmits it to the group owner messaging software which then forwards it to the group members in collaboration with said group membership resolution process, thereby providing a means of designating the identity of a group in the group owner messaging account, sending a group message, and hiding the identities of individual recipients during the lifetime of the group message. The group owner side can additionally perform access control for group communications.
    Type: Grant
    Filed: December 10, 2002
    Date of Patent: March 31, 2009
    Assignee: International Business Machines Corporation
    Inventors: Jong Hyuk Choi, Hubertus Franke, Shailabh Nagar, Rajan Ravindran
  • Patent number: 7509491
    Abstract: Conventional mechanisms exist for denoting such a communications group (group) and for establishing point-to-point, or unicast, secure connections between members of the communications group. In a particular arrangement, group members employ a group key operable for multicast security for unicast communication, thus avoiding establishing additional unicast keys for each communication between group members. Since the recipient of such a unicast message may not know the source, however, the use of the group key assures the recipient that the sender is a member of the same group. Accordingly, a system which enumerates a set of subranges (subnets) included in a particular group, such as a VPN, and establishes a group key corresponding to the group applies the group key to communications from the group members in the subnet.
    Type: Grant
    Filed: June 14, 2004
    Date of Patent: March 24, 2009
    Assignee: Cisco Technology, Inc.
    Inventors: W. Scott Wainner, James N. Guichard, Brian E. Weis, David A. McGrew
  • Patent number: 7506164
    Abstract: A system and method for automatic key and certificate management is disclosed. In particular, a key store in a base computer contains both new and previously viewed cryptographic keys. When a mobile communications device is to be updated with the new keys, the new keys are automatically identified by comparing the keys stored in the base computer with a list of previously viewed keys to determine which new keys are to be marked for download. Upon marking the new keys, the user may be prompted to download the newly identified keys, or they may be downloaded automatically. Once the new keys have been marked, the list of previously viewed keys is updated to include those marked, so that the next time updating occurs, the previously viewed key list will be correct.
    Type: Grant
    Filed: August 9, 2004
    Date of Patent: March 17, 2009
    Assignee: Research In Motion Limited
    Inventors: Neil P. Adams, Michael S. Brown, Herbert A. Little
  • Patent number: 7502926
    Abstract: The present invention discloses an 802.1X protocol-based multicasting control method. According to the method, an authenticated subscriber intercepts the message while sending a request message for joining in a multicasting group, then obtains the port and MAC address information from the intercepted message, searches corresponding subscriber account information from the authenticated data according to said port and MAC address, then authenticates the subscriber's account number and multicasting IP address, and adds the subscriber to the multicasting group after successful authentication; therefore, controlled multicasting, authentication of the legality of adding to multicasting, and accounting can be achieved according to the method, which can also protect existing investment and compatibility with existing software of the subscriber.
    Type: Grant
    Filed: November 25, 2003
    Date of Patent: March 10, 2009
    Assignee: Huawei Technologies Co., Ltd.
    Inventors: Hanjun Luo, Ruixin Lu
  • Patent number: 7502927
    Abstract: An approach for establishing secure communication among multiple multicast groups using a multi-master directory is disclosed. The multi-master directory is on a per-object and per-attribute access control basis. The event service nodes, which can be implemented as event servers, are distributed throughout an enterprise domain. The attributes of the event service nodes include the group session key and the private keys of the event service nodes. A standardized authentication service is used to register publishers and subscribers. These publishers and subscribers can individually belong to multiple multicast groups under a readily scalable, secure network architecture.
    Type: Grant
    Filed: November 9, 2004
    Date of Patent: March 10, 2009
    Assignee: Cisco Technology, Inc.
    Inventors: Jonathan Trostle, Raymond Bell, Ramprasad Golla, Sunil Srivastava
  • Patent number: 7489783
    Abstract: In a digital certificate management system, a client/server system is connected to a digital certificate management apparatus capable of communicating with clients and servers. Mutual authentication is performed between the clients and the servers by using digital certificates and communications are performed over a communication channel established based on mutual authentication. The digital certificate management apparatus includes a certification key update part updating a server certification key used for mutual authentication and stored in each of the clients that become communication parties of one of the servers. The certification key updating part includes a key obtaining part, a certificate obtaining part, and first and second transmission parts.
    Type: Grant
    Filed: October 25, 2005
    Date of Patent: February 10, 2009
    Assignee: Ricoh Company, Ltd.
    Inventor: Tomoaki Enokida
  • Patent number: 7487349
    Abstract: A method is for protecting an encrypted content, by use of at least one encryption key. The method includes generation of a temporary encryption key, encryption by the temporary key of a value allowing the determination of the encryption keys of the content, transmission of the encrypted value to a multimedia unit, and encryption and transmission of at least two cryptograms including the temporary key encrypted by an authorization key. The first cryptogram is encrypted by a first authorization key pertaining to a first security module and the second cryptogram is encrypted by a second authorization key pertaining to a group of security modules whose first security module is excluded.
    Type: Grant
    Filed: April 23, 2004
    Date of Patent: February 3, 2009
    Assignee: NagraCard S.A.
    Inventors: Rached Ksontini, Henri Kudelski, Cédric Groux
  • Patent number: 7484105
    Abstract: An update utility requests a signature verification of the utility's signature along with a request to unlock the flash memory stored in the utility. A trusted platform module (“TPM”) performs a signature verification of the utility using a previously stored public key. Upon verification of the signature, the TPM unlocks the flash memory to permit update of the utility. Upon completion of the update, the flash utility issues a lock request to the TPM to relock the flash memory.
    Type: Grant
    Filed: August 16, 2001
    Date of Patent: January 27, 2009
    Assignee: Lenovo (Singapore) Pte. Ltd.
    Inventors: Steven Dale Goodman, James Patrick Hoff, Randall Scott Springfield, James Peter Ward
  • Publication number: 20080320303
    Abstract: In one embodiment, a method can include: (i) sending a request to join a group to a service broker; (ii) receiving from the service broker a list of key servers servicing the group; and (iii) sending registration information to a selected one of the key servers in the list.
    Type: Application
    Filed: June 21, 2007
    Publication date: December 25, 2008
    Applicant: CISCO TECHNOLOGY, INC.
    Inventors: Mohamed Khalid, Warren S. Wainner, Aamer Akhter, Paul Quinn
  • Patent number: 7467416
    Abstract: A network connected to a plurality of printers associated with a plurality of users and to a publisher of network publications, the publisher adapted to authorize the printing of a document at the printers by obtaining a document identity and page descriptions for the document to be printed from an identity server; the publisher then sending the document, including its identity and page descriptions to a page server responsible for that document identity; the publisher creating a message that includes the publisher's own identity, alias identities of the plurality of users, a set of multicast channel names, and a private electronic signature of the publisher; the publisher addressing the document to the plurality of users; and the publisher sending the document to the plurality of printers associated with the plurality of users.
    Type: Grant
    Filed: November 8, 2004
    Date of Patent: December 16, 2008
    Assignee: Silverbrook Research Pty Ltd
    Inventors: Paul Lapstun, Kia Silverbrook
  • Patent number: 7454518
    Abstract: A system, device, and method for receiver access control in a multicast communication network treats each subscriber location as a separate subnetwork having one and only one multicast receiver. An access device is situated at each subscriber location. Each access device connects to a separate port of a multicast distribution device. Each subscriber device accesses the multicast network through the access device that is situated at its subscriber location. Each access device acts as a proxy for its respective subscriber devices by joining and leaving multicast groups on behalf of the subscriber devices and acting as the sole multicast receiver for the subscriber location. The access devices run a multicast group management protocol for joining and leaving various multicast groups, and therefore the access devices appear to the multicast distribution device as the ultimate multicast receivers for multicast information.
    Type: Grant
    Filed: September 12, 2000
    Date of Patent: November 18, 2008
    Assignee: Nortel Networks Limited
    Inventors: Bradley Cain, Thomas P. Hardjono
  • Patent number: 7450722
    Abstract: An improved subset-difference method is provided. The improved method uses the value of a current content key to help generate the requisite difference keys. The requisite difference keys are then used to encrypt the next content key which will be delivered only to users who are supposed to remain in the group. Users who have the current content key are then able to generate the requisite difference keys which they can then use to decrypt the next content key. Using the decrypted next content key, the users are then able to continue to receive contents. Since previously revoked users do not have the current content key, they are unable to determine the next content key and thus are prevented from receiving future contents.
    Type: Grant
    Filed: December 13, 2002
    Date of Patent: November 11, 2008
    Assignee: General Instrument Corporation
    Inventor: Alexander Medvinsky
  • Patent number: 7441117
    Abstract: A group formation/management system rigidly sets a group range, allows contents to be used freely among member devices in the group, and includes one or more registered member devices for holding common secret information unique to the group, a new member device for transmitting a request for registration in the group and receiving and holding common secret information, and a group management device for receiving the registration request from the new member device and, when the number of registered member devices is less than the maximum number of registerable member devices, outputting the common secret information to the new member device. Furthermore, because member devices are authenticated using the common secret information when contents are to be used, and contents are only delivered if the authentication is successful, member devices that do not hold the common secret information (i.e. unregistered member devices) can be prevented from using contents.
    Type: Grant
    Filed: August 28, 2003
    Date of Patent: October 21, 2008
    Assignee: Matsushita Electric Industrial Co., Ltd.
    Inventors: Natsume Matsuzaki, Toshihisa Abe, Toshihisa Nakano, Yuichi Futa, Masaya Miyazaki
  • Patent number: 7434047
    Abstract: A system for multicasting a data packet in a multicast group includes a network entity, and a plurality of members of the multicast group. A member can notify the network entity of a rogue member of the group claiming an identity of a spoofed member of the group. In response to being notified, the network entity can distribute, to at least the members of the group other than the spoofed member, different versions of a symmetric key associated with the spoofed member. The member notifying the network entity of the rogue member can then receive a next data packet and a code for the next data packet, the code having been generated at the rogue member using a version of the symmetric key associated with the spoofed member such that the rogue member can be identified based upon the version of the symmetric key.
    Type: Grant
    Filed: December 30, 2004
    Date of Patent: October 7, 2008
    Assignee: Nokia, Inc.
    Inventor: Atul Sharma
  • Patent number: 7434046
    Abstract: An approach for establishing secure multicast communication among multiple members that participate in a multicast group is disclosed. In one feature, multiple multicast proxy service nodes (MPSNs) are defined and control when members join or leave the multicast group. The MPSNs are logically represented by a first binary tree in which each node of the first binary tree is associated with a domain of a directory service and one or more of the MPSNs. A second binary tree is created that has leaf nodes representing each member. The second binary tree is stored in a domain of the directory service with a root node that represents one or more of the MPSNs. The members can each establish multicast communication and serve as a key distribution center. When a member joins the multicast group, a new group session key is determined by replicating a branch of the second binary tree.
    Type: Grant
    Filed: November 30, 2000
    Date of Patent: October 7, 2008
    Assignee: Cisco Technology, Inc.
    Inventor: Sunil K. Srivastava
  • Patent number: 7426644
    Abstract: A host bridge is described including a memory controller and a security check unit. The memory controller is adapted for coupling to a memory storing data arranged within multiple memory pages. The memory controller receives memory access signals (e.g., during a memory access), and responds to the memory access signals by accessing the memory. The security check unit receives the memory access signals, wherein the memory access signals convey a physical address within a target memory page. The security check unit uses the physical address to access one or more security attribute data structures located in the memory to obtain a security attribute of the target memory page. The security check unit provides the memory access signals to the memory controller dependent upon the security attribute of the target memory page.
    Type: Grant
    Filed: December 5, 2001
    Date of Patent: September 16, 2008
    Assignee: Advanced Micro Devices, Inc.
    Inventors: Geoffrey S. Strongin, Brian C. Barnes, Rodney W. Schmidt
  • Patent number: 7424116
    Abstract: A method includes receiving an authentication request from a mobile station (401) and determining whether to forward the request to an authentication agent. When it is determined to forward the request, the request is forwarded to the authentication agent (107). A random number and a random seed are received from the authentication agent (107). The random number and the random seed are forwarded to the mobile station (401). A response to the random number and the random seed from the mobile station (401) is received and forwarded to the authentication agent (107). The authentication agent (107) compares the response with an expected response. When the authentication agent (107) authenticates the mobile station (401), a derived cipher key is received from the authentication agent (107).
    Type: Grant
    Filed: August 31, 2006
    Date of Patent: September 9, 2008
    Assignee: Motorola, Inc.
    Inventors: Hans Christopher Sowa, Daniel J. McDonald, David J. Chater-Lea, Scott J. Pappas, Jason Johur, Dennis Newkirk, Randy Kremske, Walter F. Anderson
  • Patent number: 7421578
    Abstract: A method performed by a first computer node for selecting a leader node to provide service to a plurality of other nodes in a multicast group, wherein each of the nodes communicates using multicast messages, comprises issuing a first election call message; receiving candidacy announcement messages from one or more leader candidate nodes in a specified time period; selecting a victor from among all leader candidate nodes from which candidacy announcement messages are received; receiving one or more victor announcement messages from one or more leader victor nodes for a second specified time period; resolving zero or more collisions among the victor announcement messages to result in selecting the leader node. One embodiment provides a dynamic secure protocol for electing a key server, such as a key server that is suited for use with a group key exchange protocol such as the Group Domain of Interpretation (GDOI).
    Type: Grant
    Filed: July 22, 2003
    Date of Patent: September 2, 2008
    Assignee: Cisco Technology, Inc.
    Inventors: Geoffrey Huang, Brian Weis
  • Patent number: 7421733
    Abstract: When a user successfully logs into an account, the user is provided with a first-class login token, which entitles the user to one or more unsuccessful login attempts without experiencing delays the user would otherwise experience. If attempts with a second-class login token or an expired first-class login token are impermissible, a subsequent login attempt is subject to delays the user would otherwise not experience. The delays minimize the effectiveness of dictionary attacks. Additionally, if the user attempts to log in without a login token or with an invalid login token, the login attempt is impermissible and the user is provided with a second-class login token for use in a delayed, subsequent login attempt.
    Type: Grant
    Filed: February 6, 2002
    Date of Patent: September 2, 2008
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Steven Charles Glassman, Mark Steven Manasse
  • Publication number: 20080192939
    Abstract: A tree is used to partition stateless receivers in a broadcast content encryption system into subsets. Two different methods of partitioning are disclosed. When a set of revoked receivers is identified, the revoked receivers define a relatively small cover of the non-revoked receivers by disjoint subsets. Subset keys associated with the subsets are then used to encrypt a session key that in turn is used to encrypt the broadcast content. Only non-revoked receivers can decrypt the session key and, hence, the content.
    Type: Application
    Filed: April 2, 2008
    Publication date: August 14, 2008
    Inventors: Jeffrey Bruce Lotspiech, Dalit Naor, Simeon Naor
  • Publication number: 20080175387
    Abstract: A method for rejoining a second group of nodes with a first group of nodes is described. A first state of a first group key associated with a first group of nodes is received. The first state of the first group key is multicast to a second group of nodes. The first group key is rekeyed to a second group key associated with the second group of nodes. A second state of the second group key is multicast to the second group of nodes. A third state of a third group key associated with the first group of nodes is received. A rekey command is multicast to the second group of nodes if the third state is different from the second state. The second group key is rekeyed to the third group key.
    Type: Application
    Filed: January 18, 2007
    Publication date: July 24, 2008
    Applicant: Matsushita Electric Works, Ltd.
    Inventor: W. Bryant Eastham
  • Patent number: 7398388
    Abstract: In a method for increasing peer privacy, a request for data is received from a data requester, and the data is stored at a data provider. A plurality of peers are selected to form a path, where the data provider and the data requester are the respective ends of the path. A mix is generated according to the path and the mix is transmitted to the data provider.
    Type: Grant
    Filed: February 28, 2002
    Date of Patent: July 8, 2008
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Zhichen Xu, Li Xiao
  • Patent number: 7395425
    Abstract: A data protection system is provided that reduces, to a degree, the amount of encrypted data that is distributed to a plurality of terminals. In the data protection system, a terminal whose decryption keys are exposed by a dishonest party is made unable to decrypt the data correctly, while other terminals are able to decrypt the data correctly. The data protection system includes a plurality of terminals, and an encryption device that encrypts distribution data distributed to each terminal. Each terminal corresponds to one node on the lowest level of a 4-ary tree structure or the like having a plurality of hierarchies.
    Type: Grant
    Filed: March 28, 2002
    Date of Patent: July 1, 2008
    Assignee: Matsushita Electric Industrial Co., Ltd.
    Inventors: Toshihisa Nakano, Motoji Ohmori, Natsume Matsuzaki, Makoto Tatebayashi
  • Patent number: 7392387
    Abstract: Authentication information is generated for a group whose members are able to communicate with each other, while a non-member is not able to participate in that communication. The authentication information enables the determination of whether a member belongs to the group.
    Type: Grant
    Filed: February 26, 2007
    Date of Patent: June 24, 2008
    Assignee: Xerox Corporation
    Inventors: Dirk Balfanz, Diana Smetters, Paul Stewart, Daniel C. Swinehart
  • Patent number: 7392382
    Abstract: A method of verifying data timeliness with time-based derived cryptographic keys is disclosed. A master key is received. Based on both the master key and a current time, an interval key is derived. Data, which was encrypted with the interval key, is decrypted with the interval key.
    Type: Grant
    Filed: April 21, 2003
    Date of Patent: June 24, 2008
    Assignee: Cisco Technology, Inc.
    Inventors: Brian Weis, David McGrew
  • Patent number: 7389416
    Abstract: In accordance with the present invention, there is provided a method for sharing a secret value x among n participating network devices via an asynchronous network. The n participating network devices comprise t faulty devices and k sub-devices capable of reconstructing the secret value x, wherein t<n/3 and k<n. The secret value x is provided by a distributor.
    Type: Grant
    Filed: February 15, 2002
    Date of Patent: June 17, 2008
    Assignee: International Business Machines Corporation
    Inventors: Christian Cachin, Klaus Kursawe, Anna Lysyanskaya, Reto Strobl
  • Patent number: 7386129
    Abstract: A computer-implemented method is described for processing multimedia channels comprising: encrypting a first group of multimedia channels using a first type of encryption to produce a first group of encrypted multimedia channels; encrypting the first group of multimedia channels using a second type of encryption to produce a second group of encrypted multimedia channels; concurrently transmitting the first group of encrypted multimedia channels with the second group of multimedia channels to a plurality of multimedia subscribers having multimedia receivers capable of decrypting the first group of encrypted multimedia channels and/or the second group of multimedia channels.
    Type: Grant
    Filed: May 30, 2001
    Date of Patent: June 10, 2008
    Assignee: Digeo, Inc.
    Inventor: Stephen G. Perlman
  • Patent number: 7386724
    Abstract: Assigning security levels to a shared component is presented. A workflow manager receives a workflow request that corresponds to a plurality of workflow steps. For each workflow step, the workflow manager determines whether the workflow step uses a shared component or an unshared component for execution. If the workflow step uses a shared component, the workflow manager invokes the step, and stores the step and its corresponding security level in a security tracking table. When the workflow manager encounters a shared component, the workflow manager uses the security tracking table entries in order to determine a security level to assign the shared component. The workflow manager assigns the determined security level to the shared component, and invokes the shared component to execute the corresponding process step.
    Type: Grant
    Filed: June 17, 2004
    Date of Patent: June 10, 2008
    Assignee: International Business Machines Corporation
    Inventors: Peter Alan Coldicott, George M. Galambos, Raman Harishankar, Kerrie Lamont Holley, Edward Emile Kelley
  • Patent number: 7383436
    Abstract: An approach for establishing secure multicast communication among multiple multicast proxy service nodes is disclosed. The multicast proxy service nodes, which can be distributed throughout an enterprise domain, are organized in a logical tree that mimics the logical tree arrangement of domains in a directory server system. The attributes of the multicast proxy service nodes include the group session keys of the secure multicast or broadcast groups of which those nodes are members. Because keys as well as key version information are housed in the directory, multicast security can be achieved over any number of network domains across the entire enterprise. Key information is stored in, and the logical tree is supported by, a directory service. Replication of the directory accomplishes distribution of keys. Multicast proxy service nodes may obtain current key information from a local copy of the replicated directory.
    Type: Grant
    Filed: September 29, 2004
    Date of Patent: June 3, 2008
    Assignee: Cisco Technology, Inc.
    Inventors: Sunil Srivastava, Jonathan Trostle, Raymond Bell, Ramprasad Golla
  • Publication number: 20080123856
    Abstract: The present invention relates to a method of managing a mobile multicast key using a foreign key. More specifically, the present invention relates to a method of managing a mobile multicast key using a foreign key for secure communication between a mobile terminal and a secure relay server in a region where the radio coverage of plural access points overlaps. A method of managing a mobile multicast key using a foreign key according to the present invention has the advantage that multicast secure relay servers perform delegated authentication in advance in a region where coverage overlaps, thus reducing the authentication delay experienced by a mobile terminal. It also has the advantage of minimizing the effect of group key changes caused by user movement, by using a primary group key and a foreign key. This results in a reduction of the overhead from group key updates while moving, and accordingly a reduction of delay time.
    Type: Application
    Filed: November 16, 2007
    Publication date: May 29, 2008
    Applicant: KOREA INFORMATION SECURITY AGENCY
    Inventors: Yoo Jae Won, Mi Youn Yoon, Seung Goo Ji, Kyu Cheol Oh
  • Patent number: 7380135
    Abstract: A method of transmitting contents, which are to be received at a reception side where a portion of the contents is previewed while the contents are not accessible for playing other than for a preview purpose, includes the steps of encrypting the contents by a first encryption key, generating information indicative of an elapsed time of the contents that indicates a relationship between positions on a time axis of the contents representing an amount of time that passes as the contents are played and a time count that accrues as a preview time when the contents are previewed, encrypting the first encryption key and the information indicative of an elapsed time of the contents by a second encryption key, thereby generating first encrypted information, encrypting the second encryption key and content-usage control information by a third encryption key, thereby generating second encrypted information, the content-usage control information indicating usage of the contents on the reception side, and transmitting the
    Type: Grant
    Filed: August 15, 2003
    Date of Patent: May 27, 2008
    Assignee: Nippon Hoso Kyokai
    Inventors: Yusei Nishimoto, Tatsuya Kurioka, Seiichi Namba
  • Publication number: 20080120501
    Abstract: A multicast media service is provided. The multicast media service may be implemented using a media server that multicasts media files to users at user computing equipment. The multicast media service maintains playlists of media files. Users that receive the same multicasted media files at the same time form a viewer group. The multicast media service displays media player screens for each user in the viewer group. The media player screens include a media player region in which a media file that is currently being multicasted is played. Each media player screen also includes a current playlist of media files. The users in the viewer group can communicate about a currently playing media file using real time chat. Users can also upload associated content such as tags, persistent comments, and ratings. The multicast media management service may automatically suggest playlist modifications and can support navigation options.
    Type: Application
    Filed: November 22, 2006
    Publication date: May 22, 2008
    Inventors: Jan F. Jannink, Timothy E. DeGraw, Jasson A. Schrock
  • Patent number: 7370210
    Abstract: The present invention provides a data processing apparatus and method for managing processor configuration data. The data processing apparatus comprises a processor operable in a plurality of modes and a plurality of domains, said plurality of domains comprising a secure domain and a non-secure domain, said plurality of modes including at least one non-secure mode being a mode in the non-secure domain, at least one secure mode being a mode in the secure domain, and a monitor mode. The processor is operable such that when executing a program in a secure mode the program has access to secure data which is not accessible when said processor is operating in a non-secure mode.
    Type: Grant
    Filed: November 17, 2003
    Date of Patent: May 6, 2008
    Assignee: Arm Limited
    Inventor: Dominic Hugo Symes
  • Patent number: 7360084
    Abstract: A system, device, and method for controlling access in a multicast communication network uses a centralized host authentication scheme to prevent unauthorized hosts from joining a shared multicast distribution tree. Each authorized host is allocated a unique authentication key, which is used by the designated router to encode the PIM join message and by the rendezvous point router to authenticate the PIM join message. If the PIM join message is authentic, then each PIM router from the rendezvous point router to the designated router establishes appropriate multicast routes to route multicast packets to the host. If the PIM join message is not authentic, then multicast packets are prevented from reaching the host.
    Type: Grant
    Filed: September 12, 2000
    Date of Patent: April 15, 2008
    Assignee: Nortel Networks Limited
    Inventor: Thomas P. Hardjono
  • Patent number: RE40708
    Abstract: A logical tree structure and method for managing membership in a multicast group provides scalability and security from internal attacks. The structure defines key groups and subgroups, with each subgroup having a subgroup manager. Dual encryption allows the sender of the multicast data to manage distribution of a first set of encryption keys whereas the individual subgroup managers manage the distribution of a second set of encryption keys. The two key sets allow the sender to delegate much of the group management responsibilities without compromising security because a key from each set is required to access the multicast data. Security is further maintained via a method in which subgroup managers can be either member subgroup managers or participant subgroup managers. Access to both keys is provided to member subgroup managers whereas access to only one key is provided to participant subgroup managers.
    Type: Grant
    Filed: February 24, 2006
    Date of Patent: May 5, 2009
    Assignee: Panasonic Corporation
    Inventors: Lakshminath R. Dondeti, Sarit Mukherjee, Ashok Samal