Multicast Patents (Class 713/163)
  • Patent number: 7743427
    Abstract: A data distribution system is provided which supplies customers with an executable for requested secured data files to provide the customer with fulfillment software, obviating the need for the customer to download fulfillment software prior to requesting secure data. The data distribution system is characterized by server technology which can dynamically encrypt secured data files just prior to a customer request to download the data file. A framework for building a universal data distribution infrastructure is provided which employs Requesters.
    Type: Grant
    Filed: June 15, 2006
    Date of Patent: June 22, 2010
    Assignee: Arvato Digital Services Canada, Inc.
    Inventors: Shannon Lee Byrne, Innes Muecke, Andrew Patterson, David Slik
  • Patent number: 7733366
    Abstract: A system and process for network-based, interactive, multi-media learning is presented. The learning system and process employs high quality, low latency audio/video links over a multicast network (such as Internet2), as well as an interactive slideshow that allows annotations to be added by both the presenter and lecture participants, a question management feature that allows participants to submit questions and receive answers during the lecture or afterwards, and a complete archiving of the data streams and metadata associated with the foregoing features.
    Type: Grant
    Filed: February 21, 2003
    Date of Patent: June 8, 2010
    Assignee: Microsoft Corporation
    Inventors: Jay Beavers, Randy Hinrichs, Sarah Papp, Richard Anderson, Jeff Baxter
  • Patent number: 7730122
    Abstract: Provided are a method, system, and program for authenticating a node requesting another node to perform work on behalf of yet another node. A plurality of agent nodes in the network are associated with a multi-node, wherein the agent nodes are associated with machines in the network capable of performing operations on behalf of the multi-node. A target node receives a request from a calling node for the target node to perform operations on behalf of the multi-node, wherein the target node is one of the agent nodes associated with the multi-node. The target node determines whether the calling node is one of the agent nodes associated with the multi-node and determines whether the calling node is capable of authenticating with a server. The target node performs the operations requested by the calling node in response to determining that the calling node is associated with the multi-node and is capable of authenticating with the server.
    Type: Grant
    Filed: December 9, 2004
    Date of Patent: June 1, 2010
    Assignee: International Business Machines Corporation
    Inventors: Robert Clair Edwards, Jr., Glen Hattrup, Avishai Haim Hochberg, Neil Gregory Rasmussen, James Patrick Smith
  • Patent number: 7730294
    Abstract: A system for managing a distributed MetaHop that is administered, managed, and monitored as a single entity. If a new gateway is added to a MetaHop, the gateway can be provisioned with membership credentials by an administrator who indicates relatively basic information for the new gateway to join the MetaHop. Once provisioned with relatively basic information, the new gateway can be shipped to a relatively remote site where it automatically seeks out an entry point to the MetaHop. After connecting to an entry point (or entry points), the new gateway is automatically provisioned with any other information used to join the MetaHop. In one embodiment, the joined gateway is automatically enabled to forward traffic. In another embodiment, a new gateway is disabled for traffic forwarding until the administrator enables it for such forwarding on the MetaHop.
    Type: Grant
    Filed: June 4, 2004
    Date of Patent: June 1, 2010
    Assignee: Nokia Corporation
    Inventor: James David Asnis
  • Patent number: 7725939
    Abstract: A routing system, method, and apparatus for determining the best path for a router to transmit traffic to a specific destination on a network. As desired, the routing determination can be based, at least in part, on an analysis of the network load and an analysis of the availability of links between the autonomous systems. The routing system can be used in conjunction with a detection system that identifies and eradicates fraudulent requests on the network. The detection system can include at least one router and an activity monitoring system, comprising a route arbiter and a traffic analyzer. The route arbiter continuously monitors activity on the router to determine if abnormal activity or traffic patterns are emerging. If a determination is made that abnormal activity or abnormal traffic patterns exist, the activity monitoring system responds by blocking the activity or redirecting the traffic.
    Type: Grant
    Filed: August 30, 2006
    Date of Patent: May 25, 2010
    Assignee: BayTSP.com, Inc.
    Inventor: Mark M. Ishikawa
  • Patent number: 7724906
    Abstract: A decryption apparatus stores secret keys, each of which is specified by two nodes in tree structure in first memory, one of the two nodes indicated by ciphertext index information item of the decryptable ciphertext being an ancestor node of leaf and the other of the two nodes being a node which is not an ancestor node of leaf, and stores an identifier of decryption apparatus corresponding to a leaf in a tree structure in a second memory. The decryption apparatus acquires a plurality of ciphertexts, each ciphertext including a ciphertext index information item indicating two nodes in the tree structure which correspond to a decryption key for decrypting the respective ciphertext, and acquires a decryptable ciphertext from the plurality of ciphertexts. Further, the decryption apparatus selects, from the stored secret keys, a secret key corresponding to the respective ciphertext, and derives a decryption key from the selected secret key to decrypt the decryptable ciphertext by using the derived decryption key.
    Type: Grant
    Filed: September 7, 2005
    Date of Patent: May 25, 2010
    Assignee: Kabushiki Kaisha Toshiba
    Inventor: Tatsuyuki Matsushita
  • Patent number: 7721089
    Abstract: Methods, components and systems for implementing secure and efficient broadcast encryption schemes with configurable and practical tradeoffs among a pre-broadcast transmission bandwidth t, a key storage cost k, and a key derivation cost c, in which the schemes use subtree difference and key decomposition to generate secondary keys, use the secondary keys to encrypt the broadcast and generate ciphertexts, and use the RSA encryption scheme to implement derivability between the primary keys and the secondary keys. To decrypt the broadcast, a privileged user uses one of its primary keys to derive a secondary key, which is used to decrypt the broadcast. The product of key derivation cost c and the key storage cost k is at most $(2a - \log a - 2)\log_a n$, when n is the number of users, $1 \le b \le \log n$, $a = 2^b$, and revoked users $r < n/3$.
    Type: Grant
    Filed: May 21, 2004
    Date of Patent: May 18, 2010
    Assignee: NTT DoCoMo, Inc.
    Inventors: Craig B. Gentry, Zulfikar Amin Ramzan
  • Publication number: 20100122084
    Abstract: A method for registering a new member in group key management is disclosed. An agent is deployed on the local network that requires the automatic group key management service; the agent receives an original registration request message sent by a new member in the local network, encapsulates the original registration request message and an information indicating the new member into a first request message, and sends the first request message to a Group Controller Key Server (GCKS); and the agent receives a first response message returned by the GCKS, extracts the information indicating the new member and the original response message carrying the processing result of request from the first response message, and sends the original response message to the new member according to the information indicating the new member. Apparatuses and system for registering a new member in group key management are also disclosed.
    Type: Application
    Filed: January 19, 2010
    Publication date: May 13, 2010
    Applicant: HUAWEI TECHNOLOGIES CO., LTD.
    Inventor: Ya LIU
  • Publication number: 20100106648
    Abstract: A mobile terminal is configured to acquire an encryption key to decrypt a pay channel encrypted with a smartcard profile by the mobile terminal in a Multimedia Broadcast/Multicast Service (MBMS) mobile broadcast system. The mobile terminal is configured to purchase a specific pay channel, determine validity of an encryption key, store a range of a valid encryption key identification value, and initialize a reference Time Stamp (TS) value. The mobile terminal also extracts an encryption key identification value and a TS value from a last received Short Term Key Message (STKM), when a view request for the specific pay channel is created; and determines that an encryption key is valid, when the extracted TS value satisfies the reference TS and the extracted encryption key identification value falls within a range of the valid encryption key identification value, and extracts and acquires an encryption key from the STKM.
    Type: Application
    Filed: October 27, 2009
    Publication date: April 29, 2010
    Applicant: Samsung Electronics Co., Ltd.
    Inventors: Young-Jin Choi, Jeong-Sik Cho, Young-Jip Kim, Joon-Ho Park, Byoung-Dai Lee, Tae-Soo Lee
  • Patent number: 7707410
    Abstract: An enabling key block (EKB) used in an encrypted key distributing tree structure is generated by forming a simplified 2-branch or multi-branch type tree with a terminal node or leaf which is capable of decrypting on the basis of a key corresponding to a node or a leaf of the simplified tree. Further, the EKB includes a tag for indicating a position of an encrypted key in the tree. The tag not only discriminates position but also stores data for judging the presence of encrypted key data within the EKB. As such, a considerable reduction in data quantity is realized, and the decrypting process in a device is also simplified.
    Type: Grant
    Filed: January 27, 2006
    Date of Patent: April 27, 2010
    Assignee: Sony Corporation
    Inventors: Ryuji Ishiguro, Yoshitomo Osawa, Tateo Oishi, Tomoyuki Asano, Atsushi Mitsuzawa
  • Patent number: 7702905
    Abstract: In a method for distributing keys for encrypted data transmission in a sensor network, nodes store a subset of keys from a set of keys. A sink node triggers the key election procedure and sensor nodes choose from a locally broadcasted keyID list, with one key to be stored on each node. All other initially stored keys are subsequently deleted. The process is repeated until the edge of the network is reached. Such key predistribution is suitable for the encryption of reverse multicast traffic to the sink node which is the predominant traffic pattern in wireless sensor networks.
    Type: Grant
    Filed: November 14, 2005
    Date of Patent: April 20, 2010
    Assignee: NEC Corporation
    Inventors: Joao Girao, Dirk Westhoff, Mithun Puthige Acharya
  • Patent number: 7702897
    Abstract: The present invention provides a system and method to quarantine in the storage operating system and configuration information in which the storage operating system is stored in a designated partition on a removable nonvolatile memory device, such as a compact flash or a personal computer (PC) card that is interfaced with a motherboard of a filer system server. By providing for separate partitions, a failure or error arising during an upgrade to the storage operating system will not corrupt the other partitions.
    Type: Grant
    Filed: June 15, 2007
    Date of Patent: April 20, 2010
    Assignee: NetApp, Inc.
    Inventors: John Marshal Reed, R. Guy Lauterbach, Michael J. Tuciarone
  • Patent number: 7702904
    Abstract: In a multicast delivery system, a delivery server enciphers delivery data by using a current use cipher key to generate enciphered data and transmits a multicast packet containing the enciphered data and a current use key identifier indicative of a pair of the current use cipher key and a current use decipher key as current use keys. A key management server holds as a current use key data, a set of the current use decipher key and the current use key identifier, and transmits a set of the current use decipher key and the current use key identifier as a current use decipherment key data in response to a current use key data request.
    Type: Grant
    Filed: November 17, 2003
    Date of Patent: April 20, 2010
    Assignee: NEC Corporation
    Inventors: Kazuya Suzuki, Masahiro Jibiki, Hideyuki Magoshi
  • Patent number: 7698551
    Abstract: A tree is used to partition stateless receivers in a broadcast content encryption system into subsets. Two different methods of partitioning are disclosed. When a set of revoked receivers is identified, the revoked receivers define a relatively small cover of the non-revoked receivers by disjoint subsets. Subset keys associated with the subsets are then used to encrypt a session key that in turn is used to encrypt the broadcast content. Only non-revoked receivers can decrypt the session key and, hence, the content.
    Type: Grant
    Filed: April 28, 2005
    Date of Patent: April 13, 2010
    Assignee: International Business Machines Corporation
    Inventors: Jeffrey Bruce Lotspiech, Dalit Naor, Simeon Naor
  • Patent number: 7688981
    Abstract: In an example embodiment, a system for providing a Virtual Local Area Network (VLAN) by use of encryption states or encryption keys for identifying a VLAN. A table of data including a VLAN and an associated encryption state or key is provided for assignment of encryption states or keys, for devices in a wireless local area network.
    Type: Grant
    Filed: January 31, 2007
    Date of Patent: March 30, 2010
    Assignee: Cisco Technology, Inc.
    Inventors: David E. Halasz, Victor J. Griswold, Robert C. Meier, Merwyn B. Andrade, Richard D. Rebo
  • Patent number: 7689822
    Abstract: A method and apparatus for providing security in a group communication network provides for receiving an encryption key, encrypting media for transmission to a controller using the received encryption key, the encrypted media being directed to another communication device, and communicating the encrypted media to the controller. In one embodiment, the communicating includes wireless communication. The method and apparatus further provides for receiving encrypted media from a controller and blocking the encrypted media if the communication device is not enabled to receive encrypted-media transmission, or if the media is not encrypted based on an encryption key previously specified by the communication device. In another aspect, the communication device is a push-to-talk (PTT) device.
    Type: Grant
    Filed: March 23, 2004
    Date of Patent: March 30, 2010
    Assignee: QUALCOMM Incorporated
    Inventors: Mark Maggenti, Douglas M. Crockett, Eric Rosen
  • Patent number: 7676688
    Abstract: Mechanisms for data source computing system(s) to provide data to data targets. The data source(s) access an identification of common groups of blocks, each group being common amongst all or a subset of the data target(s). The common groups of blocks may have different scope such that one common group of blocks is to be provided to a different set of the data targets than another common group of blocks. Optionally, a selection mechanism may be used to assign priority in initiating multicasting of the identified common groups of blocks. The data source(s) then initiate multicasting of the common groups of blocks in the appropriate order to the appropriate data targets. Since the common groups of blocks are provided in a single multicast, rather than separately, the data is provided in a more efficient manner to the data targets.
    Type: Grant
    Filed: March 16, 2005
    Date of Patent: March 9, 2010
    Assignee: Symantec Corporation
    Inventor: Daniel H. Hardman
  • Patent number: 7673148
    Abstract: An application for updating, distributing, and rendering an application feature set and application versions is disclosed. The application component allows multiple versions of similar applications to be installed and upgraded on the same computer. Meanwhile, allowing new product levels downloads to transform an existing product into a different product.
    Type: Grant
    Filed: October 15, 2004
    Date of Patent: March 2, 2010
    Assignee: Microsoft Corporation
    Inventors: Song Zou, Rick Molloy, Robert Hernon, Jared Reisinger
  • Patent number: 7673136
    Abstract: A system and method for sending a secure multicast transmission. The system includes a computer system coupled to a public network and configured to generate a multicast broadcast, and encrypt the generated multicast broadcast. The system also includes a router coupled to the public network, and a user system configured to request to join a multicast broadcast, wherein the user system is associated with the router. The router is configured to retrieve the encrypted multicast broadcast from the computer system over the public network, decrypt the sent multicast broadcast, and send the decrypted multicast broadcast to the user system requesting to join.
    Type: Grant
    Filed: February 26, 2002
    Date of Patent: March 2, 2010
    Inventor: Ian A. Stewart
  • Publication number: 20100049973
    Abstract: A method, apparatus, and system for sending and receiving a security policy of multicast sessions are provided. The method for sending the security policy of multicast sessions includes: after a Datagram Transport Layer Security (DTLS) session is set up between a sender and a receiver, receiving a security policy request from the receiver, constructing a security policy response according to a security policy, multiplexing the security policy response and Secure Real-Time Transport Protocol (SRTP) multicast session data, and sending the multiplexed data to the receiver.
    Type: Application
    Filed: October 30, 2009
    Publication date: February 25, 2010
    Inventor: Xu CHEN
  • Patent number: 7665134
    Abstract: Profiling a user is disclosed. The user's behavior with respect to specially designed content comprised of one or more units of content is monitored. The specially designed content is designed such that one or more characteristics of the user may be inferred based at least in part on the user's behavior with respect to the content. One or more characteristics of the user is/are inferred based at least in part on the user's behavior with respect to the specially designed content.
    Type: Grant
    Filed: January 26, 2005
    Date of Patent: February 16, 2010
    Assignee: Symantec Corporation
    Inventors: Brian Hernacki, John Harrison
  • Publication number: 20100034388
    Abstract: A data protection system is provided that reduces, to a degree, the amount of encrypted data that is distributed to a plurality of terminals. In the data protection system a terminal whose decryption keys are exposed by a dishonest party is made to be unable to decrypt the data correctly, while other terminals are able to decrypt the data correctly. The data protection system includes a plurality of terminals, and an encryption device that encrypts distribution data distributed to each terminal. Each terminal is corresponded with one node on a lowest level of a 4-ary tree structure or the like having a plurality of hierarchies.
    Type: Application
    Filed: April 16, 2008
    Publication date: February 11, 2010
    Inventors: Toshihisa NAKANO, Motoji Ohmori, Natsume Matsuzaki, Makoto Tatebayashi
  • Patent number: 7660983
    Abstract: An approach for establishing secure multicast communication among multiple event service nodes is disclosed. The event service nodes, which can be distributed throughout an enterprise domain, are organized in a logical tree that mimics the logical tree arrangement of domains in a directory server system. The attributes of the event service nodes include the group session key and the private keys of the event service nodes that are members of the multicast or broadcast groups. The private keys provide unique identification values for the event service nodes, thereby facilitating distribution of such keys. Because keys as well as key version information are housed in the directory, multicast security can readily be achieved over any number of network domains across the entire enterprise. Key information is stored in, and the logical tree is supported by, a directory service.
    Type: Grant
    Filed: April 18, 2005
    Date of Patent: February 9, 2010
    Assignee: Cisco Technology, Inc.
    Inventors: Sunil K. Srivastava, Jonathan Trostle, Raymond Bell, Ramprasad Golla
  • Patent number: 7660982
    Abstract: A subscription broadcast security system for preventing theft of an encrypted program datastream utilizes an encryption protocol with steganographic supplementation. A decoder includes a decryption chip containing numerous decryption codes and an ID chip having a continually changing unique identification code for authenticating subscriber access. The ID chip and the decryption chip each receive decoding instructions through a combination of hidden data in the audio signal and from service provider communication directly with the ID chip.
    Type: Grant
    Filed: November 7, 2003
    Date of Patent: February 9, 2010
    Inventor: Lee S. Weinblatt
  • Publication number: 20100031033
    Abstract: An apparatus and method of sharing content is provided. An apparatus for sharing content according to an aspect of the invention includes a search module which extracts specific information from encrypted content, and requests a host apparatus for an execution code, and a client DRM agent module which is installed with the execution code received from the host apparatus according to the request and outputs the encrypted content using the execution code.
    Type: Application
    Filed: December 27, 2007
    Publication date: February 4, 2010
    Applicant: Samsung Electronics Co., Ltd.
    Inventors: Hyoung-Shick KIM, Sang-Hyeon Kim
  • Publication number: 20100017600
    Abstract: The present invention relates to methods, apparatus, and systems for implementing a secure neighbor cache preload. The method includes initiating a data transfer request. The data transfer request is associated with a sequence of bytes. Further, receiving bytes associated with the data transfer request. Further, the method includes storing the bytes in the client system's personal cache, and processing the data transfer request through a filtering system. The filtering system is configured to determine whether the sequence of bytes is to be relayed to the plurality of clients. Then, based on the data transfer request passing through the filtering system, echoing the sequence of bytes to the plurality of client systems within the LAN using an Internet protocol (IP) broadcast operation, and storing within each of the plurality of client systems' public caches at least a portion of the relayed sequence of bytes associated with the data transfer request.
    Type: Application
    Filed: July 15, 2009
    Publication date: January 21, 2010
    Applicant: ViaSat, Inc.
    Inventors: Peter Lepeska, William B. Sebastian, Gary Price
  • Patent number: 7650382
    Abstract: A domain (101) has a primary e-mail server (103) with an e-mail delivery address (109), and at least one backup e-mail server (105) with an e-mail delivery address (111). A trap manager (115) adds at least one trap e-mail delivery address (113) to an e-mail delivery address list (107) associated with the domain (101), the trap e-mail delivery address (113) resembling a backup e-mail server delivery address (111) and pointing to the trap manager (115). The trap manager (115) receives (201) e-mail sent to the trap address (113), and determines whether received e-mail comprises spam (119).
    Type: Grant
    Filed: April 24, 2003
    Date of Patent: January 19, 2010
    Assignee: Symantec Corporation
    Inventors: William E Sobel, Bruce McCorkendale
  • Patent number: 7650500
    Abstract: An encryption communication system, comprising a communication relay device that connects a first network and a second network, for encrypting a communication within the first network and a communication within the second network in a network system configured so that communications are performed between a client in the first network and a server in the second network via the communication relay device, wherein the communication relay device comprises key generation unit generating an encryption key and a decryption key with respect to the client, and key transfer unit transmitting the encryption key and the decryption key to the server, and the server comprises frame receiving unit decrypting a receipt frame by use of the decryption key, and frame transmitting unit encrypting the frame by use of the encryption key and thus transmitting the frame.
    Type: Grant
    Filed: February 3, 2005
    Date of Patent: January 19, 2010
    Assignee: Fujitsu Limited
    Inventor: Kazumine Matoba
  • Patent number: 7636841
    Abstract: A collaborative communication system that includes a plurality of endpoints and interconnecting nodes configured to communicate via messages over interconnecting channels. Each of the plurality of endpoints and/or interconnecting nodes can determine whether to apply protection to the messages on a per message basis and/or based on the interconnecting channel being used. Thus, a balance between adequate protection and use of system resources and bandwidth can be maintained.
    Type: Grant
    Filed: July 26, 2004
    Date of Patent: December 22, 2009
    Assignee: InterCall, Inc.
    Inventors: Charles Wanek, Dan Jones, Todd Vernon
  • Patent number: 7634223
    Abstract: A communication system provides separate subscription keys for a non-subscriber version of a broadcast-multicast flow and a subscriber-only version of the flow, thereby controlling who may store or render the flow. In one embodiment, separate subscription keys may be assigned to a same broadcast-multicast flow. The communication system may then switch the keys used to encrypt the flow, or may use different keys to encrypt different copies of the flow, in order to allow at least non-subscribers to view one version of the flow and only subscribers to view another version of the flow. In another embodiment, the communication system may assign a group subscription key to a group of broadcast-multicast flows that is separate from the keys assigned to each individual flow. The group subscription key may then be used to encrypt a non-subscriber version of any broadcast-multicast flow in the group of broadcast-multicast flows.
    Type: Grant
    Filed: June 14, 2005
    Date of Patent: December 15, 2009
    Assignee: Motorola Inc.
    Inventors: Sean S. Kelley, Valentin Oprescu-Surcobe, Senaka Balasuriya
  • Patent number: 7634652
    Abstract: Embodiments of streaming content management are described herein. For example, techniques may be employed to manage streams received by client devices such that the client devices may receive content and share functionality.
    Type: Grant
    Filed: January 12, 2006
    Date of Patent: December 15, 2009
    Assignee: Microsoft Corporation
    Inventors: Elizabeth Rose McEnroe, Mark Wagner, Peter J. Potrebic, Thomas H. Taylor
  • Publication number: 20090296939
    Abstract: A method and system for distributed security for a plurality of devices in a communication network, each of the devices being responsible for generating, distributing and controlling its own keys for access to the communication network and using the keys to establish a trusted network, each device's membership to the communication network being checked periodically by other devices by using a challenge response protocol to establish which devices are allowed access to the communication network and the trusted network.
    Type: Application
    Filed: February 20, 2009
    Publication date: December 3, 2009
    Inventors: Marinus Struik, Scott Alexander Vanstone
  • Patent number: 7627755
    Abstract: A method of authenticating candidate members 1 wishing to participate in an IP multicast via a communication network, where data sent as part of the multicast is to be encrypted using a Logical Key Hierarchy based scheme requiring that each candidate member submit a public key to a group controller. The method comprises, at the group controller 1, verifying that the public key received from each candidate member 1 is owned by that member and that it is associated with the IP address of that candidate member 1 by inspecting an interface ID part of the IP address.
    Type: Grant
    Filed: September 13, 2002
    Date of Patent: December 1, 2009
    Assignee: Telefonaktiebolaget L M Ericsson (Publ)
    Inventors: Pasi Ahonen, Uusitalo Iikka, Mantyla Vesa-Matti
  • Patent number: 7624432
    Abstract: Provided are a method, a system, an article of manufacture, and a computer program product, wherein a first indicator is stored for a first entity, and wherein the first indicator identifies groups to which the first entity belongs and operations associated with the groups. The first entity receives a second indicator from a second entity, wherein the second indicator indicates privileges granted to the second entity for at least one operation on at least one group. A determination is made locally by the first entity, whether an operation requested by the second entity is to be executed by the first entity, based on a comparison of the second indicator to the first indicator.
    Type: Grant
    Filed: June 28, 2005
    Date of Patent: November 24, 2009
    Assignee: International Business Machines Corporation
    Inventor: Douglas Andrew Wood
  • Patent number: 7624264
    Abstract: An extensible cryptographically generated network address may be generated by forming at least a portion of the network address as a portion of a first hash value. The first hash value may be formed by generating a plurality of hash values by hashing a concatenation of a public key and a modifier using a second hash function until a stop condition. The stop condition may include computing the plurality of hash values for a period of time specified by a time parameter. A second hash value may be selected from the plurality of hash values, and the modifier used to compute that hash value may be stored. A hash indicator may be generated which indicates the selected second hash value. The first hash value may be generated as a hash of a concatenation of at least the public key and the modifier. At least a portion of the node-selectable portion of the network address may include at least a portion of the first hash value.
    Type: Grant
    Filed: June 22, 2005
    Date of Patent: November 24, 2009
    Assignee: Microsoft Corporation
    Inventors: Tuomas Aura, Michael Roe
  • Patent number: 7620185
    Abstract: Content items or portions of content items are made available for previewing according to various techniques. In some techniques, designated portions of content items are transmitted in plaintext, while the remaining portions are transmitted in encrypted form. In other techniques, an entire content item is transmitted in encrypted form. However, content keys for decrypting the content item may be transmitted in plaintext form for certain portions designated for previewing and in encrypted form for the remaining portions. Also, an entire content item may be transmitted in encrypted form. Similarly, the content keys for decrypting the content item are transmitted in encrypted form. However, preview rights keys for decrypting the content keys may be transmitted. These rights keys have associated usage rules that limit their use.
    Type: Grant
    Filed: September 15, 2004
    Date of Patent: November 17, 2009
    Assignee: Nokia Corporation
    Inventors: Pekka Lahtinen, Karina Terekhova
  • Patent number: 7610485
    Abstract: A system for providing secure multi-cast broadcasts. The system includes a broadcasting processing system, a security server processing system, and at least one receiving processing system. The security server provides an encryption key to the broadcasting processing system and the at least one receiving processing system. The broadcasting processing system then encrypts broadcast data with the encryption data and transmits the encrypted data over the network. The at least one receiving processing systems then receive the encrypted data and decrypt the data using the encryption key.
    Type: Grant
    Filed: August 6, 2003
    Date of Patent: October 27, 2009
    Assignee: Cisco Technology, Inc.
    Inventor: Navindra Yadav
  • Publication number: 20090265548
    Abstract: Different targets (c0, N1) of a digital certificate are mapped into a “super-target” using methods allowing a certificate validity verifier (110) to compute the super-target. The certificate includes the super-target instead of the targets. Also, a certificate with multiple targets can be signed with a redactable signature by the certification authority (CA 120). When the certificate's owner provides the certificate to a verifier together with a validity proof, the owner redacts the certificate to delete unnecessary targets. A single validity proof (ci(F)) may be provided to certificate owners for a set (F) of the certificates via a multicast transmission if a multicasting group (2010) is formed to correspond to the set. A verifier (110) may decide to cache the validity proof for a set and provide the cached proof to other parties. The caching decision is based on the caching priority of the set F.
    Type: Application
    Filed: June 26, 2009
    Publication date: October 22, 2009
    Inventors: Craig B. Gentry, Zulfikar Amin Ramzan, Bernhard Bruhn
  • Patent number: 7606370
    Abstract: A system, method and computer program product are provided. In use, a key is distributed to a plurality of nodes of a wireless network for use in securing the nodes during use of the wireless network. Further, the key is automatically updated at the nodes in the wireless network based on predetermined criteria.
    Type: Grant
    Filed: February 21, 2006
    Date of Patent: October 20, 2009
    Assignee: McAfee, Inc.
    Inventors: Terrance L. Lillie, Christian Wiedmann, Robert Zeljko, Richard P. Sneiderman, Ulrich Wiedmann, Gigi C. Chu, Sean R. Lynch
  • Patent number: 7600120
    Abstract: The system delivers a continuous sequence of individual pieces of media information over a communications network to a group of users that selected said media information. The system includes at least one server that transmits the continuous sequence of individual pieces of media information at approximately the same time to each user in the group. The system also includes an application configured to generate a user interface screen. The user interface screen includes a list of available media information, a program guide containing information relating to the media information selected by a user, and an object configured to allow a user to initiate a purchase of a product. Finally, the system includes at least one server configured to maintain an audit log that records data.
    Type: Grant
    Filed: July 10, 2006
    Date of Patent: October 6, 2009
    Assignee: Two-Way Media LLC
    Inventors: Antonio M Monteiro, James F Butterworth
  • Patent number: 7590247
    Abstract: A system and method for reusable efficient key distribution is disclosed. Key distribution is effected through the application of self-repairing groups that obviate the need for key distribution messages in portions of a hierarchical tree. In one embodiment, the self-repairing group is based on a reusable power set.
    Type: Grant
    Filed: April 18, 2001
    Date of Patent: September 15, 2009
    Assignee: McAfee, Inc.
    Inventors: Peter T Dinsmore, Michael Heyman, Peter Kruus, Alan T Sherman
  • Patent number: 7587764
    Abstract: An invention was developed to improve the performance and survivability of units in a competitive environment. Cryptic Command, Control, and Planning, and Management increases the apparent randomness of a plan from an opponent's perspective without increasing the randomness that is apparent to friendly parties. Friendly systems each carry a keyed pseudo-random or chaotic number generating process and a known method for mapping the numbers to behavioral modifications. Since the opponent does not know the key, the sequence, or the mapping, the result from his point of view is increased randomness and degraded predictive capability. Since friendly systems know each other's key, sequence, and mapping, they can predict each other's behavior or generate compatible controls or plans. This improves coordination of friendly units while forcing the opponent to revert to reactive responses rather than maintaining predictive responses.
    Type: Grant
    Filed: February 28, 2005
    Date of Patent: September 8, 2009
    Inventor: Chadwick James Cox
  • Patent number: 7587591
    Abstract: Secure tunneled multicast transmission and reception through a network is provided. A join request may be received from a second tunnel endpoint, the join request indicating a multicast group to be joined. Group keys may be transmitted to the second tunnel endpoint, where the group keys are based at least on the multicast group. A packet received at the first tunnel endpoint may be cryptographically processed to generate an encapsulated payload. A header may be appended to the encapsulated payload to form an encapsulated packet, wherein the header includes information associated with the second tunnel endpoint. A tunnel may be established between the first tunnel endpoint and the second tunnel endpoint based on the appended header. The encapsulated packet may be transmitted through the tunnel to the second tunnel endpoint. The second tunnel endpoint may receive the encapsulated packet. Cryptographic processing of the encapsulated packet may reveal the packet having a second header.
    Type: Grant
    Filed: October 29, 2004
    Date of Patent: September 8, 2009
    Assignee: Juniper Networks, Inc.
    Inventors: Gregory M. Lebovitz, Changming Liu, Choung-Yaw Shieh
  • Publication number: 20090217032
    Abstract: A method for generating a secure association key (SAK), a method for realizing medium access control security (MACsec) and a network device are provided. The method for generating an SAK includes the following steps. A sending key selection protocol (KSP) instance sends a key selection protocol data unit (KSPDU) to the other KSP instances in the same secure connectivity association (CA). The KSPDU includes a secure connectivity association key identifier (CKI) of the instance and information about a MACsec level that the sending KSP instance belongs to. If the receiving KSP instance and the sending KSP instance belong to the CA with the same MACsec level, an SAK is generated based on the KSPDU. The MACsec of multiple levels in a communication network and the secure MACsec network communication with multiple levels are realized, thus ensuring the confidentiality of the network communication.
    Type: Application
    Filed: March 5, 2009
    Publication date: August 27, 2009
    Inventor: Hongguang GUAN
  • Patent number: 7577837
    Abstract: A process for managing encrypted group communication according to a single security association (SA) for network traffic from a sender includes receiving a request for an encrypted communication among a plurality of network devices. A common decryption key and a common security parameters index (SPI) are provided to each of the network devices participating in the communication. The common security parameters index facilitates locating, in respective databases associated with each of the network devices, security association information that is associated with the common security association. Information is encrypted based on the common security association, and unicasted to each of the network devices. In an embodiment, the common security parameters index provided to each network device is established by the sender. For example, the SPI is established by a conference server and sent to each device participating in a voice conference.
    Type: Grant
    Filed: April 17, 2003
    Date of Patent: August 18, 2009
    Assignee: Cisco Technology, Inc.
    Inventors: Ravishankar Ganesh Ithal, Ravi Gadde
  • Patent number: 7571324
    Abstract: A cryptographic method and apparatus for anonymously signing a message. Added to the anonymous signature is another signature which is calculated (operation 13) using a private key common to all the members of a group authorized to sign and unknown to all revoked members. The private key is updated (operations 8, 11) at group level on each revocation within the group and at member level only on anonymous signing of a message by the member.
    Type: Grant
    Filed: December 13, 2002
    Date of Patent: August 4, 2009
    Assignee: France Telecom
    Inventors: Sébastien Canard, Marc Girault, Jacques Traore
  • Patent number: 7571313
    Abstract: A device (110) performs a method 200 for authentication and Ad Hoc network setup. The device (110) receives (210) a first security configuration; receives (220) a second security configuration based on location; authenticates (230) at least a second node (110) having the first security configuration and the second security configuration; and forms (240) a network with the at least a second node (110).
    Type: Grant
    Filed: December 28, 2004
    Date of Patent: August 4, 2009
    Assignee: Motorola, Inc.
    Inventors: Thomas S. Messerges, Larry C. Puhl
  • Patent number: 7555123
    Abstract: Processing an MPEG elementary stream contained in multiple PID streams in a conditional access overlay environment. A multi-program transport stream contains numerous video and audio elementary streams. Critical packets in the elementary streams are encrypted with two different encryption schemes creating a stream having multiple PID values. The streams are then sent from the headend to individual set-top boxes. One encryption scheme can be decoded by the incumbent set-top box and the second encryption scheme can be decoded by the overlay set-top box. The overlay set-top box uses a dual filter system to filter and decode the PIDs for each video and audio stream of the desired program.
    Type: Grant
    Filed: April 29, 2005
    Date of Patent: June 30, 2009
    Assignee: Scientific-Atlanta, Inc.
    Inventors: Howard G. Pinder, Jeffrey C. Hopper
  • Patent number: 7555584
    Abstract: Method and apparatus relating to defining additional channels in an interprocessor communication system having broadcast and non-broadcast channels. A broadcast identifier may be sent on a channel defined to be non-broadcast, generating an additional broadcast channel outside the interprocessor communication protocol definition. Likewise a device-specific identifier may be sent on a channel defined to be a broadcast channel, generating an additional non-broadcast channel outside the interprocessor communication protocol definition.
    Type: Grant
    Filed: September 29, 2004
    Date of Patent: June 30, 2009
    Assignee: Intel Corporation
    Inventor: Peter D. Mueller
  • Publication number: 20090158273
    Abstract: A content distribution system employs IP multicast techniques to facilitate in identifying software dynamically, and to facilitate in downloading the software from the appropriate server to diverse client receivers. The clients monitor multicasts from a server and utilize a master/slave hierarchy technique to assist in requesting desired software blocks. The server sends out multicasts with payloads that identify, for example, manufacturers and model numbers of client receivers. The client receivers can then listen and download the payloads that pertain to their specific models. The master/slave technique allows only a master client receiver to request software blocks. Once fulfilled, the master status can be passed to another client receiver to request software blocks.
    Type: Application
    Filed: December 18, 2007
    Publication date: June 18, 2009
    Inventors: Thanabalan Thavittupitchai Paul, Gary Robert Gutknecht, Barry Weber