Multicast Patents (Class 713/163)
  • Patent number: 6512829
    Abstract: A key distribution method and system are disclosed in which a sender and receivers share a common key information for performing a secure broadcast communication. By use of a center side apparatus, a center generates key information of a receiver in association with a subset inclusive of two or more elements of a proper finite set S1 on the basis of a space determined by a subset inclusive of two or more elements of another finite set S2. By use of a sender side apparatus, a sender makes the multi-address transmission of key distribution data W inclusive of data generated corresponding to each element of the finite set S1 and data generated corresponding to a set of plural receivers through a communication network. By use of a receiver side apparatus, a receiver generates common key information between the sender and the receiver from the key distribution data W and the key information of the receiver.
    Type: Grant
    Filed: March 7, 2000
    Date of Patent: January 28, 2003
    Assignee: Hitachi, Ltd.
    Inventors: Mototsugu Nishioka, Hisashi Umeki, Susumu Matsui
  • Patent number: 6510515
    Abstract: Techniques and systems for controlling access to information broadcast over point-to-multipoint resources in radiocommunication systems are described. These techniques can be used to provide controllable access to broadcast information services, e.g., security quote services, sports information services, etc., which broadcast services can be provided in conjunction with more conventional cellular radiocommunication services, e.g., voice calls. Exemplary embodiments of the present invention enable subscribing users' equipment to output broadcast information using, for example, either a status variable within the remote equipment or encryption for which subscribing devices have a corresponding decryption key.
    Type: Grant
    Filed: August 11, 1998
    Date of Patent: January 21, 2003
    Assignee: Telefonaktiebolaget LM Ericsson
    Inventor: Alex Krister Raith
  • Publication number: 20030005293
    Abstract: In an information transceiver system for transmitting/receiving specific information, an information transmission device transmits a key message in which a specific information cipher key is ciphered with a usual key, and transmits to a destination information reception device a cipher message in which specific information is ciphered with the specific information cipher key. The information reception device deciphers a specific information cipher key included in a key message with a usual key, and deciphers with the specific information cipher key the cipher message following the key message. Also, in the presence of a plurality of destination information reception devices, the information transmission device provides to the information reception devices setting information of broadcast setting information of a unicast, a broadcast, or the like, cipher setting information, vendor setting information, group setting information, or the like.
    Type: Application
    Filed: July 3, 2002
    Publication date: January 2, 2003
    Inventors: Masanobu Edasawa, Hisayoshi Kuraya
  • Publication number: 20020194472
    Abstract: A method is described that provides efficient, secure web-based recognition services. More particularly, an embodiment of the method relates to confidential encoding by dissociating image information into individual word segments, or snippets, at a distribution point and distributing the snippets over a network to users who subscribe to provide their services. Users could include college students, housewives, or any individual with Internet access. The users view the snippets, enter equivalent ASCII information for the snippets, and send the ASCII information back over the network to the distribution point for reassembly.
    Type: Application
    Filed: May 28, 2002
    Publication date: December 19, 2002
    Inventor: Alfred D. Lawson
  • Publication number: 20020188844
    Abstract: A joint subscriber management system includes a joint subscriber management unit for acting as a surrogate in performing a registration activity for enabling a receiver to receive a broadcast and/or an electronic commerce transaction. A reception unit receives a reception-limiting identification number of the receiver for receiving a specific broadcast, a broadcaster identification number of at least one broadcaster of a plurality of broadcasters, and registrant information concerning registration of a user allocated to the reception-limiting identification number. A generation unit generates a joint management identification number corresponding to the received reception-limiting identification number. A recording unit records the reception-limiting identification number, the joint management identification number, and the registrant information in a registrant information table in correspondence with one another.
    Type: Application
    Filed: May 9, 2002
    Publication date: December 12, 2002
    Inventor: Hitoshi Yoshinobu
  • Publication number: 20020172368
    Abstract: According to one embodiment of the invention, a free preview of a program can be provided to client computers in a multicasting system. This can allow viewers in the multicasting system to view a first portion of the program before deciding whether to order the program content. According to another embodiment, various distribution methods can be accomplished using encryption keys to distribute program content. According to yet another embodiment, an initial viewing period can be provided to allow negotiation of the encryption keys. According to another embodiment, rules and conditions for providing content in a multicasting environment can be utilized.
    Type: Application
    Filed: October 26, 2001
    Publication date: November 21, 2002
    Applicant: General Instrument, Inc.
    Inventor: Petr Peterka
  • Patent number: 6463533
    Abstract: A system for allowing a computer network site to recognize an anonymous user without revealing the identity of the user. The system involves generating a user alias based on the user's identity and the computer network site such that it is computationally difficult to determine the user's identity from the alias alone. The system further involves informing the computer network site of the alias upon access of the site by the user. The computer network site may then block access to the site's contents whenever it receives an alias associated with a disruptive user.
    Type: Grant
    Filed: April 15, 1999
    Date of Patent: October 8, 2002
    Assignee: WebTV Networks, Inc.
    Inventors: Pablo M. Calamera, Jay D. Logue, Joseph D. Ternasky
  • Publication number: 20020144112
    Abstract: A method for data communication in a cryptographic system containing a plurality of entities is specified, in which the entities are arranged in a hierarchical structure. If a current entity in the structure is altered, those entities which are connected directly to the current entity's hierarchically superordinate entity are notified of the alteration.
    Type: Application
    Filed: March 29, 2002
    Publication date: October 3, 2002
    Inventors: Steffen Fries, Wolfgang Klasen, Gerald Volkmann
  • Publication number: 20020133702
    Abstract: Methods for granting access to a protected area, such as a PARTIES area of a storage device of a computer, after the computer has been booted. A calling process desiring access to the protected area is caused to locate an interface that interfaces between the calling process and system firmware. The calling process is caused to use the interface to create a trusted relationship between the calling process and the system firmware. Various operations may then be performed. In one embodiment, once the trusted relationship is established, access is allowed to a specific service area in the protected area. Data contained within the service area may then be processed. In another embodiment, once the trusted relationship is established, the service areas found in the protected area may be manipulated. In another embodiment, once the trusted relationship is established, the calling process is allowed access to retrieve a directory of service areas in the protected area.
    Type: Application
    Filed: March 16, 2001
    Publication date: September 19, 2002
    Inventor: Curtis E. Stevens
  • Publication number: 20020133701
    Abstract: A method for tracing traitor receivers in a broadcast encryption system. The method includes using a false key to encode plural subsets representing receivers in the system. The subsets are derived from a tree using a Subset-Cover system, and the traitor receiver is associated with one or more compromised keys that have been obtained by a potentially cloned pirate receiver. Using a clone of the pirate receiver, the identity of the traitor receiver is determined, or the pirate receiver clones are rendered useless for decrypting data using the compromised key by generating an appropriate set of subsets.
    Type: Application
    Filed: January 26, 2001
    Publication date: September 19, 2002
    Applicant: International Business Machines Corporation
    Inventors: Jeffrey Bruce Lotspiech, Dalit Naor, Simeon Naor
  • Publication number: 20020104001
    Abstract: A method for enforcing compliance in both the copy protect domain and service subscription domain for streamed multicast data. Each content is encrypted with a title key that itself is encrypted with a channel unique key which is a hash of a session key and a channel key. A compliant player is given the channel key upon registration for a subscription service (representing subscription protection) and is also given device keys upon activation (representing copy protection) for decrypting the session key. Consequently, the channel unique key can be obtained (and, hence, the content decrypted) only by a player that is compliant with both copy protection rules and subscription rules. The channel key can be refreshed periodically as subscriptions change or expire.
    Type: Application
    Filed: January 8, 2002
    Publication date: August 1, 2002
    Applicant: International Business Machines Corporation
    Inventors: Jeffrey Bruce Lotspiech, Dalit Naor, Sigfredo Ismael Nin, Florian Pestoni
  • Publication number: 20020099937
    Abstract: Methods and systems are provided for enabling a network between a first and a second processor using at least one additional processor separate from the first and the second processors. In one embodiment, the additional processor may receive on behalf of the first processor information that includes the name of the second processor and receives on behalf of the second processor information that includes the name of the first processor. The additional processor may determine a first virtual address for the first processor based on the received name of the first processor and a second virtual address for the second processor based on the received name of the second processor such that the first and second virtual addresses uniquely identify the first and second processors, respectively, and are routable through the network. The additional processor may provide to each of the first and second processors the first and second virtual addresses to enable one or more tunnels between the first and the second processors.
    Type: Application
    Filed: April 11, 2001
    Publication date: July 25, 2002
    Inventor: Mark Tuomenoksa
  • Patent number: 6347338
    Abstract: In a data communication network, a system for protecting parts of the network. The system comprises a plurality of user nodes linked together within the network. Each user node comprises means for transmitting a list indicating to other nodes in the network the identification of allowed senders and receivers; and two or more security nodes within the network; each security node detects transmission and relays each signal only to the recipients specified in the list.
    Type: Grant
    Filed: November 26, 1997
    Date of Patent: February 12, 2002
    Assignee: International Business Machines Corporation
    Inventor: Edward Robert Segal
  • Patent number: 6345299
    Abstract: In a data communication network, a system for protecting parts of the network. The system comprises a plurality of user nodes linked together within the network. Each user node comprises means for transmitting a list indicating to other nodes in the network the identification of allowed senders and receivers; and two or more security nodes within the network; each security node detects transmission and relays each signal only to the recipients specified in the list.
    Type: Grant
    Filed: November 26, 1997
    Date of Patent: February 5, 2002
    Assignee: International Business Machines Corporation
    Inventor: Edward Robert Segal
  • Patent number: 6337911
    Abstract: An electronic document delivery system and method in which a broadcast center periodically sends a “catalog” of available documents to a receiving computer, thereby allowing a user to browse through the available documents without having to access the broadcast center. The documents are transmitted as packets, and the packets are decrypted as soon as they are received, eliminating the need to store both an encrypted and a decrypted version of the documents at the receiving computer. The receiving computer periodically receives information allowing it to decrypt received documents and to encrypt billing information for the receiving computer. The invention is not limited to text-only documents and can receive all types of documents, such as software, images, text, and full-motion video.
    Type: Grant
    Filed: March 9, 1998
    Date of Patent: January 8, 2002
    Assignee: Hughes Electronics Corporation
    Inventor: Douglas M. Dillon
  • Patent number: 6330671
    Abstract: A method and apparatus for secure and scalable key management in a multicast network environment is provided. In a first portion, one or more seed nodes on the network receive a multicast transmission request for a cryptographic key from a requesting node. The seed node compares the identity of the requesting node with an authenticated predetermined list of nodes having permission to receive the cryptographic key. If the comparison indicates the requesting node is not a member of the authenticated predetermined list, the seed node denies the multicast request. However, if the comparison indicates that the requesting node is a member of the predetermined list of nodes, the cryptographic key is transmitted using a secure unicast key distribution technique such as SKIP. A second portion concerns the requesting node which generates a multicast request to obtain the cryptographic key from one or more seed nodes and one or more keyed nodes on the internetwork.
    Type: Grant
    Filed: June 23, 1997
    Date of Patent: December 11, 2001
    Assignee: Sun Microsystems, Inc.
    Inventor: Ashar Aziz
  • Publication number: 20010049787
    Abstract: A system of distributed group management for generating authentication information relating to a group to which users belong at a high speed on a client side and, at the same time, wherein a server side can verify this at a high speed. This system provides a group certificate issuing apparatus for issuing a group certificate on a client side based on original group information including the name of the group to which the users belong and a group certificate verification unit for verifying a legitimacy of the certificate transmitted from the client side in a server.
    Type: Application
    Filed: May 16, 2001
    Publication date: December 6, 2001
    Inventors: Ikuya Morikawa, Makoto Minoura, Kenichi Fukuda
  • Publication number: 20010046297
    Abstract: A sender station sends a verification signal to itself after having sent data to be distributed. In the event that any one of receiver stations has failed to receive any one of data sets, the receiver station sends a predetermined jamming signal, to thereby hinder the sender station from receiving the verification signal transmitted to the sender station. When having failed to receive the verification signal, the sender station determines that any one of the receiver stations has failed to receive the data. In contrast, when having received the verification signal, the sender station determines that all the receiver stations have successfully received the data.
    Type: Application
    Filed: June 20, 2001
    Publication date: November 29, 2001
    Applicant: Mitsubishi Denki Kabushiki Kaisha
    Inventors: Norimitsu Kasai, Tomoko Okumoto
  • Patent number: 6295361
    Abstract: A method and apparatus to allow a key manager node in a network to initiate the process of changing a group key for all nodes in a multicasting group. In the described embodiment, the key manager node initiates changing the group key by setting an indicator in a multicast packet. The indicator indicates that each of the nodes in the multicast group should obtain a new group key from the key manager node. The key manager node sets the indicator whenever the key manager node determines that the nodes in the group need to change their key. The nodes in the multicast group then obtain a key from the key manager node. In one embodiment of the present invention, the key manager node sends the group key to the members of the group and, once all nodes in the group have received their key, sends an indicator that the group members should start using the new keys. In another embodiment, the key manager node sends the new key to the group, along with instructions specifying when the new key is to take effect.
    Type: Grant
    Filed: June 30, 1998
    Date of Patent: September 25, 2001
    Assignee: Sun Microsystems, Inc.
    Inventors: Miriam C. Kadansky, Stephen R. Hanna
  • Patent number: 6275859
    Abstract: To authenticate and authorize prospective members in a reliable multicast data distribution setup, the prospective members contact a central authority to obtain a “participation certificate” for the multicast session. The central authority authenticates each node and issues a digitally signed certificate to the node. Each certificate contains information specifying the manner in which the respective node is authorized to participate in the multicast session in addition to the respective node's public key. The nodes exchange their participation certificates with each other during session-establishment dialog to prove their identities and their authorization to participate. Each node verifies the rights of other nodes based on authorization information contained in the participation certificate received from the other node. Thus, a node is allowed to participate as a repair node only if it presents a participation certificate authorizing it to do so.
    Type: Grant
    Filed: October 28, 1999
    Date of Patent: August 14, 2001
    Assignee: Sun Microsystems, Inc.
    Inventors: Joseph S. Wesley, Dah Ming Chiu, Miriam C. Kadansky, Stephen A. Hurst, Radia J. Perlman, Joseph E. Provino, Philip M. Rosenzweig
  • Patent number: 6263435
    Abstract: A logical tree structure and method for managing membership in a multicast group provides scalability and security from internal attacks. The structure defines key groups and subgroups, with each subgroup having a subgroup manager. Dual encryption allows the sender of the multicast data to manage distribution of a first set of encryption keys whereas the individual subgroup managers manage the distribution of a second set of encryption keys. The two key sets allow the sender to delegate much of the group management responsibilities without compromising security because a key from each set is required to access the multicast data. Security is further maintained via a method in which subgroup managers can be either member subgroup managers or participant subgroup managers. Access to both keys is provided to member subgroup managers whereas access to only one key is provided to participant subgroup managers.
    Type: Grant
    Filed: September 22, 1999
    Date of Patent: July 17, 2001
    Assignee: Matsushita Electric Industrial Co., Ltd.
    Inventors: Lakshminath R. Dondeti, Sarit Mukherjee, Ashok Samal
  • Patent number: 6215877
    Abstract: A key management server is arranged at the same position as a terminal unit as viewed from a chat server. A channel secret key unique to each channel is generated by the key management server and distributed to a chat client so that the communication can be kept secret, even when a chat server low in reliability is used.
    Type: Grant
    Filed: September 23, 1998
    Date of Patent: April 10, 2001
    Assignee: Fujitsu Limited
    Inventor: Tatsuro Matsumoto
  • Patent number: 6195751
    Abstract: A system for secure multicast including a plurality of participants that can send and receive multicast messages. A traffic distribution component is coupled to the participating entities, where the traffic distribution component supports multiple receiver communication. A participant key management component operates within each participant entity where the participant key management component uses a first key that is shared with all of the other participants, and a second key that is shared with a subgroup of participants. A group key management component is implemented using a flat data structure having a size that is logarithmically proportional to the number of participants.
    Type: Grant
    Filed: April 24, 1998
    Date of Patent: February 27, 2001
    Assignee: Sun Microsystems, Inc.
    Inventors: Germano Caronni, Marcel Waldvogel
  • Patent number: 6182214
    Abstract: Threshold cryptography (secret sharing) is used for exchanging a secret between a server and a client over an unreliable network. Specifically, a secret is computationally divided into N shares using a threshold encryption scheme such that any M of the shares (M less than or equal to N) can be used to reconstruct the secret. The N shares are spread over a number of transmitted messages, with the assumption that some number of the messages including a total of at least M shares will be received by the client. Upon receiving at least M shares, the client uses the at least M shares to reconstruct the secret using the threshold encryption scheme.
    Type: Grant
    Filed: January 8, 1999
    Date of Patent: January 30, 2001
    Assignee: Bay Networks, Inc.
    Inventor: Thomas P. Hardjono
  • Patent number: 6073235
    Abstract: A private broadcasting system includes communication terminals which are coupled to both a broadcasting network and point-to-point network. A private broadcasting device included in the broadcasting system is coupled to a database that contains a pool of encryption keys and a pool of channel numbers. The encryption keys and channel numbers are assigned to a private broadcast request when the communicating partners of the private broadcast request are available for communication. The encryption key and channel number are issued to each of the participating terminals. Each of the participating terminals encrypts and de-encrypts the information transmitted on and received from the broadcasting channel at the assigned channel number. In this way, the terminals communicate with each other privately excluding all other terminals that are not part of the private broadcast communication.
    Type: Grant
    Filed: June 24, 1997
    Date of Patent: June 6, 2000
    Assignee: AT&T Corp.
    Inventors: Mark Jeffrey Foladare, Shelley B. Goldman
  • Patent number: 6049878
    Abstract: A system for secure multicast including at least one sending entity operating on a sending computer system, the sending entity with a sending multicast application running on the sending computer system. A number of receiving entities each running on a receiving computer system, the receiving entities having a receiving multicast application running. A traffic distribution component coupled to the sending entity and each of the receiving entities, where the traffic distribution component supports a connectionless datagram protocol. A participant key management component operates within each receiver entity where the participant key management component holds a first key that is shared with the sender and all of the receiving entities, and a second key that is shared with the sender and at least one but less than all of the receiving entities. A group key management component is coupled to the traffic distribution component and includes a data structure for storing all of the participant first and second keys.
    Type: Grant
    Filed: January 20, 1998
    Date of Patent: April 11, 2000
    Assignee: Sun Microsystems, Inc.
    Inventors: Germano Caronni, Marcel Waldvogel
  • Patent number: 6041408
    Abstract: A key distribution method and system are disclosed in which a sender and receivers share a common key information for performing a secure broadcast communication. By use of a center side apparatus, a center generates key information of a receiver in association with a subset inclusive of two or more elements of a proper finite set S1 on the basis of a space determined by a subset inclusive of two or more elements of another finite set S2. By use of a sender side apparatus, a sender makes the multi-address transmission of key distribution data W inclusive of data generated corresponding to each element of the finite set S1 and data generated corresponding to a set of plural receivers through a communication network. By use of a receiver side apparatus, a receiver generates common key information between the sender and the receiver from the key distribution data W and the key information of the receiver.
    Type: Grant
    Filed: June 25, 1997
    Date of Patent: March 21, 2000
    Assignee: Hitachi, Ltd.
    Inventors: Mototsugu Nishioka, Hisashi Umeki, Susumu Matsui
  • Patent number: 6038322
    Abstract: A method for distributing a secret key from a key holder H to intended group members M. The method assumes that during the distribution process each party, a group member M and the key holder H, can decrypt and encrypt exchanged information such that the encrypter knows that the decrypter will be the intended party. The method preferably uses a public key/private key encryption technique in which, for example, a trusted Certificate Authority in a public key infrastructure signs the certificates to provide the public keys involved in the encryption. Alternatively, the method, together with a symmetric cipher, uses a shared secret, established in an authenticated mechanism that is outside the information exchanges of the invention. Additionally, the method uses a strong mixing function that takes several items of data as input and produces a pseudo-random authentication (or digest). Inputs to the mixing function include identity stamps that are generated by each member M and key holder H.
    Type: Grant
    Filed: October 20, 1998
    Date of Patent: March 14, 2000
    Assignee: Cisco Technology, Inc.
    Inventor: Dan Harkins