Multicast Patents (Class 713/163)
  • Patent number: 7702897
    Abstract: The present invention provides a system and method to quarantine in the storage operating system and configuration information in which the storage operating system is stored in a designated partition on a removable nonvolatile memory device, such as a compact flash or a personal computer (PC) card that is interfaced with a motherboard of a filer system server. By providing for separate partitions, a failure or error arising during an upgrade to the storage operating system will not corrupt the other partitions.
    Type: Grant
    Filed: June 15, 2007
    Date of Patent: April 20, 2010
    Assignee: NetApp, Inc.
    Inventors: John Marshal Reed, R. Guy Lauterbach, Michael J. Tuciarone
  • Patent number: 7702905
    Abstract: In a method for distributing keys for encrypted data transmission in a sensor network, nodes store a subset of keys from a set of keys. A sink node triggers the key election procedure and sensor nodes choose from a locally broadcasted keyID list, with one key to be stored on each node. All other initially stored keys are subsequently deleted. The process is repeated until the edge of the network is reached. Such key predistribution is suitable for the encryption of reverse multicast traffic to the sink node which is the predominant traffic pattern in wireless sensor networks.
    Type: Grant
    Filed: November 14, 2005
    Date of Patent: April 20, 2010
    Assignee: NEC Corporation
    Inventors: Joao Girao, Dirk Westhoff, Mithun Puthige Acharya
  • Patent number: 7702904
    Abstract: In a multicast delivery system, a delivery server enciphers delivery data by using a current use cipher key to generate enciphered data and transmits a multicast packet containing the enciphered data and a current use key identifier indicative of a pair of the current use cipher key and a current use decipher key as current use keys. A key management server holds as a current use key data, a set of the current use decipher key and the current use key identifier, and transmits a set of the current use decipher key and the current use key identifier as a current use decipherment key data in response to a current use key data request.
    Type: Grant
    Filed: November 17, 2003
    Date of Patent: April 20, 2010
    Assignee: NEC Corporation
    Inventors: Kazuya Suzuki, Masahiro Jibiki, Hideyuki Magoshi
  • Patent number: 7698551
    Abstract: A tree is used to partition stateless receivers in a broadcast content encryption system into subsets. Two different methods of partitioning are disclosed. When a set of revoked receivers is identified, the revoked receivers define a relatively small cover of the non-revoked receivers by disjoint subsets. Subset keys associated with the subsets are then used to encrypt a session key that in turn is used to encrypt the broadcast content. Only non-revoked receivers can decrypt the session key and, hence, the content.
    Type: Grant
    Filed: April 28, 2005
    Date of Patent: April 13, 2010
    Assignee: International Business Machines Corporation
    Inventors: Jeffrey Bruce Lotspiech, Dalit Naor, Simeon Naor
  • Patent number: 7688981
    Abstract: In an example embodiment, a system for providing a Virtual Local Area Network (VLAN) by use of encryption states or encryption keys for identifying a VLAN. A table of data including a VLAN and an associated encryption state or key is provided for assignment of encryption states or keys, for devices in a wireless local area network.
    Type: Grant
    Filed: January 31, 2007
    Date of Patent: March 30, 2010
    Assignee: Cisco Technology, Inc.
    Inventors: David E. Halasz, Victor J. Griswold, Robert C. Meier, Merwyn B. Andrade, Richard D. Rebo
  • Patent number: 7689822
    Abstract: A method and apparatus for providing security in a group communication network provides for receiving an encryption key, encrypting media for transmission to a controller using the received encryption key, the encrypted media being directed to another communication device, and communicating the encrypted media to the controller. In one embodiment, the communicating includes wireless communication. The method and apparatus further provides for receiving encrypted media from a controller and blocking the encrypted media if the communication device is not enabled to receive encrypted-media transmission, or if the media is not encrypted based on an encryption key previously specified by the communication device. In another aspect, the communication device is a push-to-talk (PTT) device.
    Type: Grant
    Filed: March 23, 2004
    Date of Patent: March 30, 2010
    Assignee: QUALCOMM Incorporated
    Inventors: Mark Maggenti, Douglas M. Crockett, Eric Rosen
  • Patent number: 7676688
    Abstract: Mechanisms for data source computing system(s) to provide data to data targets. The data source(s) access an identification of common groups of blocks, each group being common amongst all or a subset of the data target(s). The common groups of blocks may have different scope such that one common group of blocks is to be provided to a different set of the data targets than another common group of blocks. Optionally, a selection mechanism may be used to assign priority in initiating multicasting of the identified common groups of blocks. The data source(s) then initiate multicasting of the common groups of blocks in the appropriate order to the appropriate data targets. Since the common groups of blocks are provided in a single multicast, rather than separately, the data is provided in a more efficient manner to the data targets.
    Type: Grant
    Filed: March 16, 2005
    Date of Patent: March 9, 2010
    Assignee: Symantec Corporation
    Inventor: Daniel H. Hardman
  • Patent number: 7673148
    Abstract: An application for updating, distributing, and rendering an application feature set and application versions is disclosed. The application component allows multiple versions of similar applications to be installed and upgraded on the same computer. Meanwhile, allowing new product levels downloads to transform an existing product into a different product.
    Type: Grant
    Filed: October 15, 2004
    Date of Patent: March 2, 2010
    Assignee: Microsoft Corporation
    Inventors: Song Zou, Rick Molloy, Robert Hernon, Jared Reisinger
  • Patent number: 7673136
    Abstract: A system and method for sending a secure multicast transmission. The system includes a computer system coupled to a public network and configured to generate a multicast broadcast, and encrypt the generated multicast broadcast. The system also includes a router coupled to the public network, and a user system configured to request to join a multicast broadcast, wherein the user system is associated with the router. The router is configured to retrieve the encrypted multicast broadcast from the computer system over the public network, decrypt the sent multicast broadcast, and send the decrypted multicast broadcast to the user system requesting to join.
    Type: Grant
    Filed: February 26, 2002
    Date of Patent: March 2, 2010
    Inventor: Ian A. Stewart
  • Publication number: 20100049973
    Abstract: A method, apparatus, and system for sending and receiving a security policy of multicast sessions are provided. The method for sending the security policy of multicast sessions includes: after a Datagram Transport Layer Security (DTLS) session is set up between a sender and a receiver, receiving a security policy request from the receiver, constructing a security policy response according to a security policy, multiplexing the security policy response and Secure Real-Time Transport Protocol (SRTP) multicast session data, and sending the multiplexed data to the receiver.
    Type: Application
    Filed: October 30, 2009
    Publication date: February 25, 2010
    Inventor: Xu CHEN
  • Patent number: 7665134
    Abstract: Profiling a user is disclosed. The user's behavior with respect to specially designed content comprised of one or more units of content is monitored. The specially designed content is designed such that one or more characteristics of the user may be inferred based at least in part on the user's behavior with respect to the content. One or more characteristics of the user is/are inferred based at least in part on the user's behavior with respect to the specially designed content.
    Type: Grant
    Filed: January 26, 2005
    Date of Patent: February 16, 2010
    Assignee: Symantec Corporation
    Inventors: Brian Hernacki, John Harrison
  • Publication number: 20100034388
    Abstract: A data protection system is provided that reduces, to a degree, the amount of encrypted data that is distributed to a plurality of terminals. In the data protection system a terminal whose decryption keys are exposed by a dishonest party is made to be unable to decrypt the data correctly, while other terminals are able to decrypt the data correctly. The data protection system includes a plurality of terminals, and an encryption device that encrypts distribution data distributed to each terminal. Each terminal is corresponded with one node on a lowest level of a 4-ary tree structure or the like having a plurality of hierarchies.
    Type: Application
    Filed: April 16, 2008
    Publication date: February 11, 2010
    Inventors: Toshihisa NAKANO, Motoji Ohmori, Natsume Matsuzaki, Makoto Tatebayashi
  • Patent number: 7660982
    Abstract: A subscription broadcast security system for preventing theft of an encrypted program datastream utilizes an encryption protocol with steganographic supplementation. A decoder includes a decryption chip containing numerous decryption codes and an ID chip having a continually changing unique identification code for authenticating subscriber access. The ID chip and the decryption chip each receive decoding instructions through a combination of hidden data in the audio signal and from service provider communication directly with the ID chip.
    Type: Grant
    Filed: November 7, 2003
    Date of Patent: February 9, 2010
    Inventor: Lee S. Weinblatt
  • Patent number: 7660983
    Abstract: An approach for establishing secure multicast communication among multiple event service nodes is disclosed. The event service nodes, which can be distributed throughout an enterprise domain, are organized in a logical tree that mimics the logical tree arrangement of domains in a directory server system. The attributes of the event service nodes include the group session key and the private keys of the event service nodes that are members of the multicast or broadcast groups. The private keys provide unique identification values for the event service nodes, thereby facilitating distribution of such keys. Because keys as well as key version information are housed in the directory, multicast security can readily be achieved over any number of network domains across the entire enterprise. Key information is stored in, and the logical tree is supported by, a directory service.
    Type: Grant
    Filed: April 18, 2005
    Date of Patent: February 9, 2010
    Assignee: Cisco Technology, Inc.
    Inventors: Sunil K. Srivastava, Jonathan Trostle, Raymond Bell, Ramprasad Golla
  • Publication number: 20100031033
    Abstract: An apparatus and method of sharing content is provided. An apparatus for sharing content according to an aspect of the invention includes a search module which extracts specific information from encrypted content, and requests a host apparatus for an execution code, and a client DRM agent module which is installed with the execution code received from the host apparatus according to the request and outputs the encrypted content using the execution code.
    Type: Application
    Filed: December 27, 2007
    Publication date: February 4, 2010
    Applicant: Samsung Electronics Co., Ltd.
    Inventors: Hyoung-Shick KIM, Sang-Hyeon Kim
  • Publication number: 20100017600
    Abstract: The present invention relates to methods, apparatus, and systems for implementing a secure neighbor cache preload. The method includes initiating a data transfer request. The data transfer request is associated with a sequence of bytes. Further, receiving bytes associated with the data transfer request. Further, the method includes storing the bytes in the client system's personal cache, and processing the data transfer request through a filtering system. The filtering system is configured to determine whether the sequence of bytes is to be relayed to the plurality of clients. Then, based on the data transfer request passing through the filtering system, echoing the sequence of bytes to the plurality of client systems within the LAN using an Internet protocol (IP) broadcast operation, and storing within each of the plurality of client systems' public caches at least a portion of the relayed sequence of bytes associated with the data transfer request.
    Type: Application
    Filed: July 15, 2009
    Publication date: January 21, 2010
    Applicant: ViaSat, Inc.
    Inventors: Peter Lepeska, William B. Sebastian, Gary Price
  • Patent number: 7650382
    Abstract: A domain (101) has a primary e-mail server (103) with an e-mail delivery address (109), and at least one backup e-mail server (105) with an e-mail delivery address (111). A trap manager (115) adds at least one trap e-mail delivery address (113) to an e-mail delivery address list (107) associated with the domain (101), the trap e-mail delivery address (113) resembling a backup e-mail server delivery address (111) and pointing to the trap manager (115). The trap manager (115) receives (201) e-mail sent to the trap address (113), and determines whether received e-mail comprises spam (119).
    Type: Grant
    Filed: April 24, 2003
    Date of Patent: January 19, 2010
    Assignee: Symantec Corporation
    Inventors: William E Sobel, Bruce McCorkendale
  • Patent number: 7650500
    Abstract: An encryption communication system, comprising a communication relay device that connects a first network and a second network, for encrypting a communication within the first network and a communication within the second network in a network system configured so that communications are performed between a client in the first network and a server in the second network via the communication relay device, wherein the communication relay device comprises key generation unit generating an encryption key and a decryption key with respect to the client, and key transfer unit transmitting the encryption key and the decryption key to the server, and the server comprises frame receiving unit decrypting a receipt frame by use of the decryption key, and frame transmitting unit encrypting the frame by use of the encryption key and thus transmitting the frame.
    Type: Grant
    Filed: February 3, 2005
    Date of Patent: January 19, 2010
    Assignee: Fujitsu Limited
    Inventor: Kazumine Matoba
  • Patent number: 7636841
    Abstract: A collaborative communication system that includes a plurality of endpoints and interconnecting nodes configured to communicate via messages over interconnecting channels. Each of the plurality of endpoints and/or interconnecting nodes can determine whether to apply protection to the messages on a per message basis and/or based on the interconnecting channel being used. Thus, a balance between adequate protection and use of system resources and bandwidth can be maintained.
    Type: Grant
    Filed: July 26, 2004
    Date of Patent: December 22, 2009
    Assignee: InterCall, Inc.
    Inventors: Charles Wanek, Dan Jones, Todd Vernon
  • Patent number: 7634223
    Abstract: A communication system provides separate subscription keys for a non-subscriber version of a broadcast-multicast flow and a subscriber-only version of the flow, thereby controlling who may store or render the flow. In one embodiment, separate subscription keys may be assigned to a same broadcast-multicast flow. The communication system may then switch the keys used to encrypt the flow, or may use different keys to encrypt different copies of the flow, in order to allow at least non-subscribers to view one version of the flow and only subscribers to view another version of the flow. In another embodiment, the communication system may assign a group subscription key to a group of broadcast-multicast flows that is separate from the keys assigned to each individual flow. The group subscription key may then be used to encrypt a non-subscriber version of any broadcast-multicast flow in the group of broadcast-multicast flows.
    Type: Grant
    Filed: June 14, 2005
    Date of Patent: December 15, 2009
    Assignee: Motorola Inc.
    Inventors: Sean S. Kelley, Valentin Oprescu-Surcobe, Senaka Balasuriya
  • Patent number: 7634652
    Abstract: Embodiments of streaming content management are described herein. For example, techniques may be employed to manage streams received by client devices such that the client devices may receive content and share functionality.
    Type: Grant
    Filed: January 12, 2006
    Date of Patent: December 15, 2009
    Assignee: Microsoft Corporation
    Inventors: Elizabeth Rose McEnroe, Mark Wagner, Peter J. Potrebic, Thomas H. Taylor
  • Publication number: 20090296939
    Abstract: A method and system for distributed security for a plurality of devices in a communication network, each of the devices being responsible for generating, distributing and controlling its own keys for access to the communication network and using the keys to establish a trusted network, each device's membership to the communication network being checked periodically by other devices by using a challenge response protocol to establish which devices are allowed access to the communication network and the trusted network.
    Type: Application
    Filed: February 20, 2009
    Publication date: December 3, 2009
    Inventors: Marinus Struik, Scott Alexander Vanstone
  • Patent number: 7627755
    Abstract: A method of authenticating candidate members 1 wishing to participate in an IP multicast via a communication network, where data sent as part of the multicast is to be encrypted using a Logical Key Hierarchy based scheme requiring that each candidate member submit a public key to a group controller. The method comprises, at the group controller 1, verifying that the public key received from each candidate member 1 is owned by that member and that it is associated with the IP address of that candidate member 1 by inspecting an interface ID part of the IP address.
    Type: Grant
    Filed: September 13, 2002
    Date of Patent: December 1, 2009
    Assignee: Telefonaktiebolaget L M Ericsson (Publ)
    Inventors: Pasi Ahonen, Uusitalo Iikka, Mantyla Vesa-Matti
  • Patent number: 7624432
    Abstract: Provided are a method, a system, an article of manufacture, and a computer program product, wherein a first indicator is stored for a first entity, and wherein the first indicator identifies groups to which the first entity belongs and operations associated with the groups. The first entity receives a second indicator from a second entity, wherein the second indicator indicates privileges granted to the second entity for at least one operation on at least one group. A determination is made locally by the first entity, whether an operation requested by the second entity is to be executed by the first entity, based on a comparison of the second indicator to the first indicator.
    Type: Grant
    Filed: June 28, 2005
    Date of Patent: November 24, 2009
    Assignee: International Business Machines Corporation
    Inventor: Douglas Andrew Wood
  • Patent number: 7624264
    Abstract: An extensible cryptographically generated network address may be generated by forming at least a portion of the network address as a portion of a first hash value. The first hash value may be formed by generating a plurality of hash values by hashing a concatenation of a public key and a modifier using a second hash function until a stop condition. The stop condition may include computing the plurality of hash values for a period of time specified by a time parameter. A second hash value may be selected from the plurality of hash values, and the modifier used to compute that hash value may be stored. A hash indicator may be generated which indicates the selected second hash value. The first hash value may be generated as a hash of a concatenation of at least the public key and the modifier. At least a portion of the node-selectable portion of the network address may include at least a portion of the first hash value.
    Type: Grant
    Filed: June 22, 2005
    Date of Patent: November 24, 2009
    Assignee: Microsoft Corporation
    Inventors: Tuomas Aura, Michael Roe
  • Patent number: 7620185
    Abstract: Content items or portions of content items are made available for previewing according to various techniques. In some techniques, designated portions of content items are transmitted in plaintext, while the remaining portions are transmitted in encrypted form. In other techniques, an entire content item is transmitted in encrypted form. However, content keys for decrypting the content item may be transmitted in plaintext form for certain portions designated for previewing and in encrypted form for the remaining portions. Also, an entire content item may be transmitted in encrypted form. Similarly, the content keys for decrypting the content item are transmitted in encrypted form. However, preview rights keys for decrypting the content keys may be transmitted. These rights keys have associated usage rules that limit their use.
    Type: Grant
    Filed: September 15, 2004
    Date of Patent: November 17, 2009
    Assignee: Nokia Corporation
    Inventors: Pekka Lahtinen, Karina Terekhova
  • Patent number: 7610485
    Abstract: A system for providing secure multi-cast broadcasts. The system includes a broadcasting processing system, a security server processing system, and at least one receiving processing system. The security server provides an encryption key to the broadcasting processing system and the at least one receiving processing system. The broadcasting processing system then encrypts broadcast data with the encryption data and transmits the encrypted data over the network. The at least one receiving processing systems then receive the encrypted data and decrypt the data using the encryption key.
    Type: Grant
    Filed: August 6, 2003
    Date of Patent: October 27, 2009
    Assignee: Cisco Technology, Inc.
    Inventor: Navindra Yadav
  • Publication number: 20090265548
    Abstract: Different targets (c0, N1) of a digital certificate are mapped into a “super-target” using methods allowing a certificate validity verifier (110) to compute the super-target. The certificate includes the super-target instead of the targets. Also, a certificate with multiple targets can be signed with a redactable signature by the certification authority (CA 120). When the certificate's owner provides the certificate to a verifier together with a validity proof, the owner redacts the certificate to delete unnecessary targets. A single validity proof (ci(F)) may be provided to certificate owners for a set (F) of the certificates via a multicast transmission if a multicasting group (2010) is formed to correspond to the set. A verifier (110) may decide to cache the validity proof for a set and provide the cached proof to other parties. The caching decision is based on the caching priority of the set F.
    Type: Application
    Filed: June 26, 2009
    Publication date: October 22, 2009
    Inventors: Craig B. Gentry, Zulfikar Amin Ramzan, Bernhard Bruhn
  • Patent number: 7606370
    Abstract: A system, method and computer program product are provided. In use, a key is distributed to a plurality of nodes of a wireless network for use in securing the nodes during use of the wireless network. Further, the key is automatically updated at the nodes in the wireless network based on predetermined criteria.
    Type: Grant
    Filed: February 21, 2006
    Date of Patent: October 20, 2009
    Assignee: McAfee, Inc.
    Inventors: Terrance L. Lillie, Christian Wiedmann, Robert Zeljko, Richard P. Sneiderman, Ulrich Wiedmann, Gigi C. Chu, Sean R. Lynch
  • Patent number: 7600120
    Abstract: The system delivers a continuous sequence of individual pieces of media information over a communications network to a group of users that selected said media information. The system includes at least one server that transmits the continuous sequence of individual pieces of media information at approximately the same time to each user in the group. The system also includes an application configured to generate a user interface screen. The user interface screen includes a list of available media information, a program guide containing information relating to the media information selected by a user, and an object configured to allow a user to initiate a purchase of a product. Finally, the system includes at least one server configured to maintain an audit log that records data.
    Type: Grant
    Filed: July 10, 2006
    Date of Patent: October 6, 2009
    Assignee: Two-Way Media LLC
    Inventors: Antonio M Monteiro, James F Butterworth
  • Patent number: 7590247
    Abstract: A system and method for reusable efficient key distribution is disclosed. Key distribution is effected through the application of self-repairing groups that obviate the need for key distribution messages in portions of a hierarchical tree. In one embodiment, the self-repairing group is based on a reusable power set.
    Type: Grant
    Filed: April 18, 2001
    Date of Patent: September 15, 2009
    Assignee: McAfee, Inc.
    Inventors: Peter T Dinsmore, Michael Heyman, Peter Kruus, Alan T Sherman
  • Patent number: 7587591
    Abstract: Secure tunneled multicast transmission and reception through a network is provided. A join request may be received from a second tunnel endpoint, the join request indicating a multicast group to be joined. Group keys may be transmitted to the second tunnel endpoint, where the group keys are based at least on the multicast group. A packet received at the first tunnel endpoint may be cryptographically processed to generate an encapsulated payload. A header may be appended to the encapsulated payload to form an encapsulated packet, wherein the header includes information associated with the second tunnel endpoint. A tunnel may be established between the first tunnel endpoint and the second tunnel endpoint based on the appended header. The encapsulated packet may be transmitted through the tunnel to the second tunnel endpoint. The second tunnel endpoint may receive the encapsulated packet. Cryptographic processing of the encapsulated packet may reveal the packet having a second header.
    Type: Grant
    Filed: October 29, 2004
    Date of Patent: September 8, 2009
    Assignee: Juniper Networks, Inc.
    Inventors: Gregory M. Lebovitz, Changming Liu, Choung-Yaw Shieh
  • Patent number: 7587764
    Abstract: An invention was developed to improve the performance and survivability of units in a competitive environment. Cryptic Command, Control, and Planning, and Management increases the apparent randomness of a plan from an opponent's perspective without increasing the randomness that is apparent to friendly parties. Friendly systems each carry a keyed pseudo-random or chaotic number generating process and a known method for mapping the numbers to behavioral modifications. Since the opponent does not know the key, the sequence, or the mapping, the result from his point of view is increased randomness and degraded predictive capability. Since friendly systems know each other's key, sequence, and mapping, they can predict each other's behavior or generate compatible controls or plans. This improves coordination of friendly units while forcing the opponent to revert to reactive responses rather than maintaining predictive responses.
    Type: Grant
    Filed: February 28, 2005
    Date of Patent: September 8, 2009
    Inventor: Chadwick James Cox
  • Publication number: 20090217032
    Abstract: A method for generating a secure association key (SAK), a method for realizing medium access control security (MACsec) and a network device are provided. The method for generating an SAK includes the following steps. A sending key selection protocol (KSP) instance sends a key selection protocol data unit (KSPDU) to the other KSP instances in the same secure connectivity association (CA). The KSPDU includes a secure connectivity association key identifier (CKI) of the instance and information about a MACsec level that the sending KSP instance belongs to. If the receiving KSP instance and the sending KSP instance belong to the CA with the same MACsec level, an SAK is generated based on the KSPDU. The MACsec of multiple levels in a communication network and the secure MACsec network communication with multiple levels are realized, thus ensuring the confidentiality of the network communication.
    Type: Application
    Filed: March 5, 2009
    Publication date: August 27, 2009
    Inventor: Hongguang GUAN
  • Patent number: 7577837
    Abstract: A process for managing encrypted group communication according to a single security association (SA) for network traffic from a sender includes receiving a request for an encrypted communication among a plurality of network devices. A common decryption key and a common security parameters index (SPI) are provided to each of the network devices participating in the communication. The common security parameters index facilitates locating, in respective databases associated with each of the network devices, security association information that is associated with the common security association. Information is encrypted based on the common security association, and unicasted to each of the network devices. In an embodiment, the common security parameters index provided to each network device is established by the sender. For example, the SPI is established by a conference server and sent to each device participating in a voice conference.
    Type: Grant
    Filed: April 17, 2003
    Date of Patent: August 18, 2009
    Assignee: Cisco Technology, Inc.
    Inventors: Ravishankar Ganesh Ithal, Ravi Gadde
  • Patent number: 7571313
    Abstract: A device (110) performs a method 200 for authentication and Ad Hoc network setup. The device (110) receives (210) a first security configuration; receives (220) a second security configuration based on location; authenticates (230) at least a second node (110) having the first security configuration and the second security configuration; and forms (240) a network with the at least a second node (110).
    Type: Grant
    Filed: December 28, 2004
    Date of Patent: August 4, 2009
    Assignee: Motorola, Inc.
    Inventors: Thomas S. Messerges, Larry C. Puhl
  • Patent number: 7571324
    Abstract: A cryptographic method and apparatus for anonymously signing a message. Added to the anonymous signature is another signature which is calculated (operation 13) using a private key common to all the members of a group authorized to sign and unknown to all revoked members. The private key is updated (operations 8, 11) at group level on each revocation within the group and at member level only on anonymous signing of a message by the member.
    Type: Grant
    Filed: December 13, 2002
    Date of Patent: August 4, 2009
    Assignee: France Telecom
    Inventors: Sébastien Canard, Marc Girault, Jacques Traore
  • Patent number: 7555123
    Abstract: Processing an MPEG elementary stream contained in multiple PID streams in a conditional access overlay environment. A multi-program transport stream contains numerous video and audio elementary streams. Critical packets in the elementary streams are encrypted with two different encryption schemes creating a stream having multiple PID values. The streams are then sent from the headend to individual set-top boxes. One encryption scheme can be decoded by the incumbent set-top box and the second encryption scheme can be decoded by the overlay set-top box. The overlay set-top box uses a dual filter system to filter and decode the PIDs for each video and audio stream of the desired program.
    Type: Grant
    Filed: April 29, 2005
    Date of Patent: June 30, 2009
    Assignee: Scientific-Atlanta, Inc.
    Inventors: Howard G. Pinder, Jeffrey C. Hopper
  • Patent number: 7555584
    Abstract: Method and apparatus relating to defining additional channels in an interprocessor communication system having broadcast and non-broadcast channels. A broadcast identifier may be sent on a channel defined to be non-broadcast, generating an additional broadcast channel outside the interprocessor communication protocol definition. Likewise a device-specific identifier may be sent on a channel defined to be a broadcast channel, generating an additional non-broadcast channel outside the interprocessor communication protocol definition.
    Type: Grant
    Filed: September 29, 2004
    Date of Patent: June 30, 2009
    Assignee: Intel Corporation
    Inventor: Peter D. Mueller
  • Publication number: 20090158273
    Abstract: A content distribution system employs IP multicast techniques to facilitate in identifying software dynamically, and to facilitate in downloading the software from the appropriate server to diverse client receivers. The clients monitor multicasts from a server and utilize a master/slave hierarchy technique to assist in requesting desired software blocks. The server sends out multicasts with payloads that identify, for example, manufacturers and model numbers of client receivers. The client receivers can then listen and download the payloads that pertain to their specific models. The master/slave technique allows only a master client receiver to request software blocks. Once fulfilled, the master status can be passed to another client receiver to request software blocks.
    Type: Application
    Filed: December 18, 2007
    Publication date: June 18, 2009
    Inventors: Thanabalan Thavittupitchai Paul, Gary Robert Gutknecht, Barry Weber
  • Publication number: 20090150668
    Abstract: A system and method for implementing security of multi-party communication is disclosed. The system mainly includes a group key management unit and a record protocol unit. In the method, when the system runs in the centralized group key management mode, the Group Controller and Key Server (GCKS) establishes and stores a Group Security Association, the GCKS negotiates with the group members to establish an Initiation Security Association, and, under the protection of the Initiation Security Association, the group members obtain the Group Security Association from the GCKS. When the system runs in the distributed group key management mode, a Group Security Association is established by all the group members together at the beginning of the group communication.
    Type: Application
    Filed: January 9, 2009
    Publication date: June 11, 2009
    Inventors: Ya LIU, Fuyou MIAO
  • Publication number: 20090144544
    Abstract: A security control method in a cable network dynamic multicast session, and more particularly, a method of controlling forward secrecy and backward secrecy in a Data Over Cable Service Interface Specifications (DOCSIS) 3.0 network dynamic multicast session is provided. A security control method in a cable network dynamic multicast session includes: maintaining a multicast group that is allocated with a first Downstream Service Identifier (DSID) and a first Security Association Identifier (SAID) and that is joined by a first cable modem and a second cable modem; receiving a LeaveMulticastSession message from the second cable modem; exchanging, corresponding to the LeaveMulticastSession message, a Dynamic Bonding Change (DBC) message for changing a multicast parameter with the second cable modem; and updating a first Traffic Encryption Key (TEK) corresponding to the first DSID with a second TEK.
    Type: Application
    Filed: August 13, 2008
    Publication date: June 4, 2009
    Inventors: Han Seung KOO, O Hyung KWON, Yun Jeong SONG, Soo In LEE
  • Patent number: 7543143
    Abstract: In a mobile communication system, when service data is multicast through a common channel in a radio communication area, a non-subscribing user is unable to use the multicasted service data, and a charge can be applied only to the subscribing user. As a method of generating a security key for applying security to the multicasted service data, the security key is generated in the SGSN corresponding to the multicasting service for the security process. The multicasted service data to which the security process has been applied can be transmitted through the common channel in the radio communication area between the RAN and the UE (terminal), and the service data cannot be decoded by a user who is not subscribing.
    Type: Grant
    Filed: April 29, 2003
    Date of Patent: June 2, 2009
    Assignee: NEC Corporation
    Inventor: Sadafuku Hayashi
  • Patent number: 7539313
    Abstract: A method for managing encryption keys in a communication system having a plurality of communication devices includes establishing a set of cryptographic keys for secure communication. Each of the cryptographic keys is associated with a geographic region. A geographic region is determined for a communication device and at least one cryptographic key is distributed to the communication device based on the geographic region of the communication device. At least one cryptographic key may be used to derive further cryptographic keys associated with a set of sub-regions of the geographic region associated with the communication device.
    Type: Grant
    Filed: September 13, 2001
    Date of Patent: May 26, 2009
    Assignee: Nortel Networks Limited
    Inventors: Thomas P. Hardjono, Lakshminath Dondeti
  • Patent number: 7536011
    Abstract: An encryption device performs elliptic curve encryption using a secret key. The encryption device includes an operation unit for performing scalar multiplication of a point on an elliptic curve, a storage unit having a plurality of data storing areas, and a determiner unit for determining, in accordance with a bit sequence of a given value (d) and with a random value (RNG), an address of one of the plurality of data storage areas that is to be coupled to the operation means for each scalar multiplication.
    Type: Grant
    Filed: January 31, 2005
    Date of Patent: May 19, 2009
    Assignee: Fujitsu Limited
    Inventors: Masahiko Takenaka, Tetsuya Izu, Kouichi Itoh, Naoya Torii
  • Patent number: 7530112
    Abstract: A method and apparatus for providing network security using role-based access control is disclosed. A network device implementing such a method can include, for example, an access control list. Such an access control list includes an access control list entry, which, in turn, includes a user group field. Alternatively, a network device implementing such a method can include, for example, a forwarding table that includes a plurality of forwarding table entries. In such a case, at least one of the forwarding table entries includes a user group field.
    Type: Grant
    Filed: September 10, 2003
    Date of Patent: May 5, 2009
    Assignee: Cisco Technology, Inc.
    Inventor: Michael R. Smith
  • Patent number: 7526647
    Abstract: A network publishing authorization protocol, for use in a network connected to a printer, a server and a publisher of network publications. The protocol authorizes the printing of a publication at the printer. It includes the steps of: addressing the publication to a user; signing the publication using a private key; sending the publication to the printer; and confirming that the publication may be printed at the printer, by verifying the private key signature. Confirmation may take place at the printer or at the server.
    Type: Grant
    Filed: November 8, 2004
    Date of Patent: April 28, 2009
    Assignee: Silverbrook Research Pty Ltd
    Inventors: Paul Lapstun, Kia Silverbrook
  • Patent number: 7526091
    Abstract: A method for minimizing overhead caused by control information for encryption performed to protect MBMS data for an MBMS service in a mobile communication system. This method is implemented by distinguishing a case in which control information used for encryption is updated from another case in which the control information used for encryption is not updated, and transmitting different control information according to the result of the distinction. That is, when the control information used for encryption is not updated, only minimized control information is transmitted, and when the control information for encryption is updated, the entire updated control information is transmitted. Accordingly, the amount of control information transmitted along with MBMS data is minimized, contributing to an increase in the amount of MBMS data transmitted per unit time.
    Type: Grant
    Filed: January 19, 2005
    Date of Patent: April 28, 2009
    Assignee: Samsung Electronics Co., Ltd
    Inventors: Kyeong-In Jeong, Kook-Heui Lee, Sung-Ho Choi
  • Patent number: 7523307
    Abstract: A method for enforcing compliance in both the copy protect domain and service subscription domain for streamed multicast data. Each content is encrypted with a title key that itself is encrypted with a channel unique key which is a hash of a session key and a channel key. A compliant player is given the channel key upon registration for a subscription service (representing subscription protection) and is also given device keys upon activation (representing copy protection) for decrypting the session key. Consequently, the channel unique key can be obtained (and, hence, the content decrypted) only by a player that is compliant with both copy protection rules and subscription rules. The channel key can be refreshed periodically as subscriptions change or expire.
    Type: Grant
    Filed: January 8, 2002
    Date of Patent: April 21, 2009
    Assignee: International Business Machines Corporation
    Inventors: Jeffrey Bruce Lotspiech, Dalit Naor, Sigfredo Ismael Nin, Florian Pestoni
  • Patent number: RE40708
    Abstract: A logical tree structure and method for managing membership in a multicast group provides scalability and security from internal attacks. The structure defines key groups and subgroups, with each subgroup having a subgroup manager. Dual encryption allows the sender of the multicast data to manage distribution of a first set of encryption keys whereas the individual subgroup managers manage the distribution of a second set of encryption keys. The two key sets allow the sender to delegate much of the group management responsibilities without compromising security because a key from each set is required to access the multicast data. Security is further maintained via a method in which subgroup managers can be either member subgroup managers or participant subgroup managers. Access to both keys is provided to member subgroup managers whereas access to only one key is provided to participant subgroup managers.
    Type: Grant
    Filed: February 24, 2006
    Date of Patent: May 5, 2009
    Assignee: Panasonic Corporation
    Inventors: Lakshminath R. Dondeti, Sarit Mukherjee, Ashok Samal