Mutual Entity Authentication Patents (Class 713/169)
-
Patent number: 8724135
Abstract: A first memory section stores secret keys that are identical to secret keys stored in a cartridge. A second memory section stores history information relating to a history of usage. A secret-key selecting section performs a secret-key selecting operation of selecting, based on the history information, a specific secret key from among the secret keys. A first-authentication-information generating section encrypts a random number based on the specific secret key, thereby generating first authentication information, which is stored in a third memory section. A transmitting section transmits first identification information for identifying the specific secret key and the random number to the cartridge. A receiving section receives second authentication information generated at the cartridge by encrypting the random number based on a secret key identified by the first identification information.
Type: Grant
Filed: March 14, 2012
Date of Patent: May 13, 2014
Assignee: Brother Kogyo Kabushiki Kaisha
Inventor: Kazuhito Misumi
-
Patent number: 8719948
Abstract: A method, apparatus and computer program product for controlling access to host access credentials required to access a host computer system by a client application is provided. The host access credentials are stored in a restricted access directory. The method comprises authenticating directory access credentials received from a client application. The authenticated client application then requests the host access credentials and a determination as to whether the authenticated client process is authorized to access the requested host access credentials, and, if authorized, these are provided to the client application.
Type: Grant
Filed: April 30, 2007
Date of Patent: May 6, 2014
Assignee: International Business Machines Corporation
Inventor: Peter Edward Havercan
-
Patent number: 8719901
Abstract: A secure consultation system is disclosed that enables an owner entity to securely store its most secure and private data such that designated entities of the owner entity and a consultant entity can execute application programs on that data and thus, to consult on the operation and correctness of the application programs and the data.
Type: Grant
Filed: October 24, 2008
Date of Patent: May 6, 2014
Assignee: Synopsys, Inc.
Inventor: Van Q. Nguyen
-
Patent number: 8719906
Abstract: Systems and methods for reactively authorizing publication of information by a third party are coordinated through the use of a presence server. The presence server communicates with other communication nodes/devices to determine and relay publication information. Publication requests that are initially unauthorized, from the perspective of the presence server, are resolved.
Type: Grant
Filed: May 28, 2009
Date of Patent: May 6, 2014
Assignee: Optis Wireless Technology, LLC
Inventors: Christer Boberg, David Cox, Mikael Klein, Sofie Lassborn, Anders Lindgren
-
Patent number: 8719571
Abstract: Systems and methods which facilitate secure multicast communications between any valid node of a cluster using authentication between a node joining the cluster and any single node which is validly part of the cluster are disclosed. In accordance with embodiments, a cluster key is utilized to provide security with respect to intra-cluster communications. The cluster key of embodiments is shared by a node which is already part of the cluster with a node joining the cluster only after these two nodes mutually authenticate one another. The mutual authentication handshake of embodiments implements a protocol in which a session key is calculated by both nodes, thereby providing a secure means by which a cluster key may be shared. Having the cluster key, each node of the cluster is enabled to securely communicate with any other node of the cluster, whether individually (e.g., unicast) or collectively (e.g., multicast), according to embodiments.
Type: Grant
Filed: August 25, 2011
Date of Patent: May 6, 2014
Assignee: NetApp, Inc.
Inventor: Philip Bryan Clay
-
Patent number: 8719570
Abstract: The present invention relates to a roaming electronic transaction terminal. It also relates to a secure system for electronic transactions comprising one or more roaming terminals. The terminal (1) has an application package support (2) and a coupler (3) for carrying out the read and write operations on a medium that are required for the electronic transactions in conjunction with the application package. The coupler (3) comprises means for creating a write time window and a read time window on the basis of a secure input signal, all writing and all reading being disabled outside of the corresponding windows. The invention applies notably for the securing of terminals carrying out checks and contractual transactions on supports equipped with processors and memories, it being possible for these supports to be through contactless read and write cards comprising for example transport entitlements, payment means or any other entitlements to be turned to account.
Type: Grant
Filed: April 28, 2006
Date of Patent: May 6, 2014
Assignee: Thales
Inventors: Thierry D'Athis, Philippe Dailly, Pascal Morin, Denis Ratier
-
Publication number: 20140122881
Abstract: A system and method for controlling a device. Data that was encrypted using a first encryption scheme is decrypted, then re-encrypted using a second encryption scheme. The re-encrypted data is then decrypted.
Type: Application
Filed: January 7, 2014
Publication date: May 1, 2014
Applicant: Infineon Technologies AG
Inventors: Jurijus Cizas, Shrinath Eswarahally, Peter Laackmann, Berndt Gammel, Mark Stafford, Joerg Borchet
-
Patent number: 8713317
Abstract: A method and system for encrypting data in a wireless communication system are provided. The system includes a first node for generating a first encryption key using a plurality of encryption key parameters when performing authentication with a second node, for changing a second parameter among the plurality of encryption key parameters to generate a second encryption key being identical to the first encryption key, if a first parameter among the plurality of encryption key parameters is changed during re-authentication between the first node and the second node, for generating the second encryption key using the changed first parameter and the changed second parameter, and for encrypting data to be transmitted to the second node using the second encryption key.
Type: Grant
Filed: October 15, 2010
Date of Patent: April 29, 2014
Assignee: Samsung Electronics Co., Ltd.
Inventors: Kyeong-Tae Do, Jung-Hun Park, Tae-Jin Kim, Jeong-Eun Park
-
Patent number: 8713329
Abstract: A method and system distributes N shares of a secret among cooperating entities by forming a mathematical construct that has an embedded internal structure to allow authentication of a reconstructed secret. The mathematical construct can be a splitting polynomial constructed using the secret, a key and a message authentication code (MAC) as coefficients. The splitting polynomial is evaluated at N random evaluation points to obtain N result values. N shares of the secret are generated and distributed among the cooperating entities for storage. A reconstructed secret can be authenticated by computing the MAC of the reconstructed secret and verifying a relationship among the coefficients of a reconstructed splitting polynomial using the MAC. If the coefficients do not satisfy the relationship, one or more additional shares of the secret can be used to reconstruct the splitting polynomial and the secret.
Type: Grant
Filed: February 26, 2009
Date of Patent: April 29, 2014
Assignee: Red Hat, Inc.
Inventor: James P. Schneider
-
Publication number: 20140115335
Abstract: A task list server supports secure asynchronous communications between both a workstation and one or more machines. The task list server stores requests and responses initiated by either side and establishes secure communication channels used to forward the data between parties. The communication between workstation and machine may be delayed by hours or even days, depending on the work schedule and network access of both the workstation operator and machine. The machine may process requests in order from highest priority to lowest priority and from oldest to newest. Public key encryption may be used to establish secure channels between the task list server and the workstation or the one or more machines using a combination of certificate authorities including both manufacturers and owner/operators.
Type: Application
Filed: October 19, 2012
Publication date: April 24, 2014
Applicant: CATERPILLAR INC.
Inventors: Caleb M. Jorden, Robert F. Schulz
-
Patent number: 8707046
Abstract: Methods for anonymous authentication and key exchange are presented. In one embodiment, a method includes initiating a two-way mutual authentication between a first entity and a second entity. The first entity remains anonymous to the second entity after performing the authentication. The method also includes establishing a mutually shared session key for use in secure communication between the entities, wherein the initiating and the establishing are in conjunction with direct anonymous attestation (DAA).
Type: Grant
Filed: May 3, 2011
Date of Patent: April 22, 2014
Assignee: Intel Corporation
Inventors: Jesse Walker, Jiangtao Li
-
Patent number: 8705732
Abstract: A device for generating a session key which is known to a first communication partner and a second communication partner, for the first communication partner, from secret information which may be determined by the first and second communication partners, includes a first module operable to calculate the session key using a concatenation of at least a part of a random number and a part of the secret information. The device also includes a second module operable to use the session key for communication with the second communication partner.
Type: Grant
Filed: June 10, 2010
Date of Patent: April 22, 2014
Assignee: Infineon Technologies AG
Inventors: Berndt Gammel, Wieland Fischer, Stefan Mangard
-
Patent number: 8707041
Abstract: A method, system and apparatus for protecting a bootstrapping service function (BSF) entity from attack includes: a first temporary identity and a second temporary identity are generated after a BSF entity performs a mutual authentication with a user equipment (UE) by using an initial temporary identity sent from the UE; the BSF entity receives a re-authentication request carrying the first temporary identity from the UE; and the UE sends a service request carrying the second temporary identity to a network application function (NAF) entity. The present disclosure prevents attackers from intercepting the temporary identity at the Ua interface and using the temporary identity to originate a re-authentication request at the Ub interface, thus protecting the BSF entity from attack and avoiding unnecessary load on the BSF entity and saving resources.
Type: Grant
Filed: June 7, 2012
Date of Patent: April 22, 2014
Assignee: Huawei Technologies Co., Ltd.
Inventor: Yanmei Yang
-
Patent number: 8707040
Abstract: Establishing secure communication between an implantable medical device and an external device includes: accessing, at the implantable medical device, biological data; utilizing the biological data, at the implantable medical device, to generate a public cryptographic key; and utilizing the public cryptographic key, at the implantable medical device, to generate a private cryptographic key.
Type: Grant
Filed: October 31, 2011
Date of Patent: April 22, 2014
Assignee: NeuroPace, Inc.
Inventor: Dean P. Andersen
-
Patent number: 8707038
Abstract: The embodiments relate to a method for the encrypted data exchange between subscribers of a communication system using cryptography based on elliptical curves, wherein upon a query by a first subscriber a scalar multiplication is calculated by the second subscriber, wherein merely part of the result of the scalar multiplication is returned to the first subscriber as a response. The invention relates to a communication system.
Type: Grant
Filed: September 24, 2007
Date of Patent: April 22, 2014
Assignee: Siemens Aktiengesellschaft
Inventors: Michael Braun, Anton Kargl, Bernd Meyer
-
Patent number: 8707415
Abstract: A method includes: establishing a first connection between a first ID token and a first computer system via a second computer system for reading at least one first attribute from the first ID token, establishing a second connection between a second ID token and the first computer system via the second computer system for reading at least one second attribute from the second ID token, sending the first and second attributes from the first computer system to a third computer system, receiving the data from the third computer system by the first computer system, writing the data into the second ID token via the second connection by the first computer system thereby storing the data in the second ID token, where the first connection still exists, wherein the first and the second connection are respectively connection with end-to-end encryption and a connection oriented protocol.
Type: Grant
Filed: September 4, 2009
Date of Patent: April 22, 2014
Assignee: Bundesdruckerei GmbH
Inventors: Jörg Fischer, Frank Dietrich, Manfred Paeschke
-
Patent number: 8707032
Abstract: A system includes a controller and a certificate authority. The controller is configured to control a process. The certificate authority (CA) is configured to issue and to revoke certificates, wherein the controller is configured to use the CA to mutually authenticate a user to enter into a secure mode of operation.
Type: Grant
Filed: April 30, 2012
Date of Patent: April 22, 2014
Assignee: General Electric Company
Inventors: David Richard Socky, Robert James Boring, Roy Leguire Jackson, Timothy David Rian, William Robert Pettigrew
-
Patent number: 8700901
Abstract: A method and system for mutually authenticating an identity and a server is provided in accordance with an aspect of the present invention. The method commences with transmitting a token from the server. Thereafter, the method continues with establishing a secure data transfer link. A server certificate is transmitted during the establishment of the secure data transfer link. The method continues with transmitting a response packet to the server, which is validated thereby upon receipt. The system includes an authentication module that initiates the secure data transfer link and transmits the response packet, and a server authentication module that transmits the token and validates the response packet.
Type: Grant
Filed: December 3, 2012
Date of Patent: April 15, 2014
Assignee: SecureAuth Corporation
Inventors: Craig Lund, Garret F. Grajek, Stephen Moore, Mark V. Lambiase
-
Patent number: 8701158
Abstract: An information processing system includes a plurality of information processing apparatuses, each apparatus including a transmission unit and a verification unit, and a plurality of authentication servers connectable to the plurality of information processing apparatuses via one or more networks.
Type: Grant
Filed: January 20, 2012
Date of Patent: April 15, 2014
Assignee: Ricoh Company, Ltd.
Inventors: Shingo Ohta, Takuya Inoue
-
Publication number: 20140101447
Abstract: Implementations of the present disclosure are directed to web-based authentication. Implementations include receiving user credentials at a browser, transmitting a first request to an application, the first request including a first user credential, receiving a first response, the first response including an encrypted server public key (SPK) and a user-specific salt value, decrypting the encrypted SPK to provide a SPK, the encrypted SPK being decrypted based on the user-specific salt value and a second user credential, determining a browser public key (BPK) and a client-side session signing key (SSK), encrypting the BPK to provide an encrypted BPK, transmitting a second request to the application, the second request including the encrypted BPK and a request signature, the request signature having been provided based on the client-side SSK, and receiving a second response, the second response including a response signature and indicating that a user has been authenticated by the application.
Type: Application
Filed: October 9, 2012
Publication date: April 10, 2014
Inventors: Sebastian Lekies, Martin Johns
-
Publication number: 20140101446
Abstract: Implementations of the present disclosure include methods, systems, and computer-readable storage mediums for secure client-side key storage for authentication tracking. Implementations include actions of determining, at a browser executed on a client-side computing device, that an application is authentic, the application being executed on a server-side computing device, in response to determining that the application is authentic, receiving a session signing key (SSK) at a sub-domain of an application domain, the sub-domain including a static script that handles the SSK and that selectively provides request signatures, receiving, at the sub-domain, a message requesting a request signature, determining that the message originated from an authentic origin, and in response to determining that the message originated from an authentic origin, providing a request signature to a source of the message, the request signature being based on the SSK.
Type: Application
Filed: October 9, 2012
Publication date: April 10, 2014
Inventors: Sebastian Lekies, Martin Johns
-
Patent number: 8694783
Abstract: A secure authentication channel (SAC) between two nodes in a communication network is created by the nodes themselves using mutual authentication. The network has two nodes, a coordinating entity, two PKI-based SACs, and one non-PKI SAC which is created by the two nodes and is for use by the nodes. The coordinating entity generates a master key which is transmitted to two nodes via a PKI-based SAC established between the coordinating entity and each of the two nodes. One node uses the master key to generate a first random number and the second node uses the key to generate a second random number. The second node also has an encrypted third random number. The network also has a third SAC, which is not solely based on PKI, between the first node and the second node and is created when the two nodes have authenticated each other. The mutual authentication process occurs without the intervention of the coordinating entity.
Type: Grant
Filed: October 5, 2007
Date of Patent: April 8, 2014
Assignee: Samsung Electronics Co., Ltd.
Inventors: Paul Fahn, Sanjeev Verma
-
Patent number: 8694784
Abstract: Implementations of the present disclosure include methods, systems, and computer-readable storage mediums for secure client-side key storage for authentication tracking. Implementations include actions of determining, at a browser executed on a client-side computing device, that an application is authentic, the application being executed on a server-side computing device, in response to determining that the application is authentic, receiving a session signing key (SSK) at a sub-domain of an application domain, the sub-domain including a static script that handles the SSK and that selectively provides request signatures, receiving, at the sub-domain, a message requesting a request signature, determining that the message originated from an authentic origin, and in response to determining that the message originated from an authentic origin, providing a request signature to a source of the message, the request signature being based on the SSK.
Type: Grant
Filed: October 9, 2012
Date of Patent: April 8, 2014
Assignee: SAP AG
Inventors: Sebastian Lekies, Martin Johns
-
Patent number: 8693684
Abstract: A method of generating a key by a first correspondent. The key is computable by a second correspondent. The method comprises the steps of: a) making available to the second correspondent a first short term public key; b) obtaining a second short term public key from the second correspondent; c) computing a first exponent derived from the first short term private key, the first short term public key, and the first long term private key; d) computing a second exponent derived from the first short term private key, the first short term public key, the second short term public key and the first long term private key; e) computing a simultaneous exponentiation of the first exponent with the second short term public key and the second exponent with the second long term public key.
Type: Grant
Filed: September 14, 2012
Date of Patent: April 8, 2014
Assignee: Certicom Corp.
Inventors: Robert Lambert, Ashok Vadekar
-
Patent number: 8693683
Abstract: An electronic device generates identifying values which are used in authenticating the electronic device. The device comprises an interface, a private key generator for generating a private key, a non-volatile memory for storing at least the private key, an index source, a hash engine, and a logical interconnection between the private key generator, the non-volatile memory, the index source, the hash engine and the interface. The hash engine generates identifying values provided to the interface via the logical interconnection. The identifying values are provided to a verifying device for use in authenticating the electronic device. Alternatively or in addition, devices may be paired to share a root key to cryptographically communicate between each other and/or to authenticate each other.
Type: Grant
Filed: November 17, 2010
Date of Patent: April 8, 2014
Assignee: Aclara Technologies LLC
Inventor: Glenn A. Emelko
-
Patent number: 8688981
Abstract: A method of logging in a health information tele-monitoring device by using a personal portable device. The method includes issuing a security key embedded in a health information tele-monitoring device to a personal portable device, storing the security key issued by the health information tele-monitoring device in the user's personal portable device; requesting the user's personal portable device to authenticate the health information tele-monitoring device in order to connect the health information tele-monitoring device to a healthcare server; and authorizing access of the health information tele-monitoring device to the healthcare server.
Type: Grant
Filed: September 3, 2009
Date of Patent: April 1, 2014
Assignee: Samsung Electronics Co., Ltd.
Inventors: Byung-soo Gim, Kyu-tae Yoo, Kwang-hyeon Lee
-
Patent number: 8689305
Abstract: When a first MFP that manages first and second conversion values of user authentication information accesses a second MFP, the first MFP queries about which conversion value is used by the second MFP to execute user authentication processing. The first MFP transmits information based on a conversion value in accordance with the query result to the second MFP. Then, the second MFP executes user authentication processing using information based on a conversion value in accordance with the query result and a conversion value managed by the second MFP.
Type: Grant
Filed: May 13, 2011
Date of Patent: April 1, 2014
Assignee: Canon Kabushiki Kaisha
Inventor: Hiroshi Yasuhara
-
Patent number: 8688976
Abstract: In a method for issuing a digital certificate by a certification authority (B), a device (A) sends a request message to the certification authority (B) for issuing the certificate, the certification authority (B) receives the request message and sends a request for authenticating the device (A) to the device (A), the device (A) sends a response to the certification authority (B) in response to the received request, and the certification authority (B) checks the received response and generates the certificate and sends the certificate to the device (A), if the response was identified as correct.
Type: Grant
Filed: July 6, 2010
Date of Patent: April 1, 2014
Assignee: Siemens Aktiengesellschaft
Inventors: Jens-Uwe Busser, Steffen Fries
-
Patent number: 8689291
Abstract: The disclosure discloses a wireless access device (2), which includes: a wireless module (204) which establishes a wireless connection with a network, a solid state memory (203) partitioned into different storage volumes, a driver management module (202) and an enumeration management module (201). In the solid state memory, the fourth storage volume stores a bootstrap, the first storage volume stores an operating system and system management software, and the third storage volume stores encryption driver management software, device drive software and device management software. The driver management module (202) stores storage volume information.
Type: Grant
Filed: October 29, 2010
Date of Patent: April 1, 2014
Assignee: ZTE Corporation
Inventor: Jian Cui
-
Patent number: 8688986
Abstract: A method for exchanging strong encryption keys between devices using alternate input methods. At least two devices that want to communicate with one another are set in key exchange mode. The at least two devices are to communicate with one another using a short range radio or personal area network. The at least two devices negotiate with one another to determine which of the at least two devices will generate an encryption key, wherein device A represents the negotiated device and device B represents the non-negotiated device. Device A generates the encryption key and transmits the encryption key to device B using an out-of-band transmission channel. The out-of-band transmission channel may be transmitting the encryption key via audio tones. A validation process determines whether the transmission of the encryption key via the out-of-band transmission channel was successful.
Type: Grant
Filed: December 27, 2006
Date of Patent: April 1, 2014
Assignee: Intel Corporation
Inventors: Tobias Max Kohlenberg, Selim Aissi
-
Patent number: 8689353
Abstract: A system for management of access rights to operating data and/or control data of buildings or building complexes can include a communications release service running on a first server. This release service releases a communication of a user, who is registered with an identity, with the buildings or building complexes filed for him or her in a list when his or her identity corresponds with an identity filed in the list. Also, after release of the communication has taken place by the communications release service, a building authorization service running on a second server releases specific access rights for the user to operating data and/or control data of the building or building complex on the basis of access rights filed in an authorization databank.
Type: Grant
Filed: March 28, 2012
Date of Patent: April 1, 2014
Assignee: Inventio AG
Inventor: Adrian Bünter
-
Patent number: 8683205
Abstract: A method begins by a processing module determining whether a data access request is requesting access to data stored in a plurality of dispersed storage networks (DSNs). The method continues with the processing module determining whether one of the plurality of DSNs is a home DSN to a requesting entity when the data access request is requesting access to data stored in the plurality of DSNs. The method continues with the processing module utilizing a local signed certificate to access one or more dispersed storage (DS) units of the home DSN, validating a global signed certificate with one or more DS units of a non-home DSN of the plurality of DSNs to produce a valid global signed certificate, and utilizing the valid signed certificate to access the one or more DS units of the non-home DSN when the plurality of DSNs includes the home DSN.
Type: Grant
Filed: May 11, 2011
Date of Patent: March 25, 2014
Assignee: Cleversafe, Inc.
Inventors: Jason K. Resch, Gary W. Grube, Timothy W. Markison
-
Patent number: 8681987
Abstract: A method for mutual authentication in an RFID system comprising an RFID reader and an RFID tag, the method comprising requesting an identification from the tag, receiving the identification, using the received identification to select a password associated with the identification, generating a password key based on the selected password, encrypting the selected password using the password key, and transmitting the encrypted password to the tag.
Type: Grant
Filed: January 30, 2009
Date of Patent: March 25, 2014
Assignee: Neology, Inc.
Inventors: John Fairbanks, Douglas Moran, Jun Liu
-
Patent number: 8683610
Abstract: A terminal for managing digital rights of a memory card inserted into the terminal and has a processor and a memory, the digital rights allowing the terminal to access digital contents. The terminal includes a processor configured to manage a digital rights and to exchange information with the memory card, the information including a terminal ID and a memory card ID; perform a mutual authentication procedure with the memory card; receive, from a contents provider, a trigger message which indicates to the terminal that a digital rights for the memory card is prepared in the contents provider; if a parameter included in the trigger message does not indicate the memory card, perform a procedure for obtaining a digital rights for the terminal; and if a parameter included in the trigger message indicates the memory card, perform a procedure for requesting a digital rights for the memory card.
Type: Grant
Filed: August 3, 2012
Date of Patent: March 25, 2014
Assignee: LG Electronics Inc.
Inventors: Seung-Jae Lee, Te-Hyun Kim
-
Publication number: 20140082362
Abstract: Methods for anonymous authentication and key exchange are presented. In one embodiment, a method includes initiating a two-way mutual authentication between a first entity and a second entity. The first entity remains anonymous to the second entity after performing the authentication. The method also includes establishing a mutually shared session key for use in secure communication between the entities, wherein the initiating and the establishing are in conjunction with direct anonymous attestation (DAA).
Type: Application
Filed: November 12, 2013
Publication date: March 20, 2014
Inventors: Jesse Walker, Jiangtao Li
-
Patent number: 8677124
Abstract: The method of securing data transfer comprises: a step of attempting to transmit a document from a document sender to at least one document recipient, by implementing at least one transmission attribute and for at least one step of attempted transmission, a step of evaluating the value of at least one transmission attribute and a step of making the evaluation of the value of the transmission attribute available to the sender. Preferably, in the course of the evaluating step, the evaluation is dependent on the anomalies of correspondence that are observed for each attempted transmission. Preferably, in the course of the evaluating step, the evaluation is, moreover, dependent on the elements provided by the recipient in the course of a step of registering with an electronic document transmission service.
Type: Grant
Filed: April 18, 2007
Date of Patent: March 18, 2014
Assignee: Trustseed SAS
Inventors: Martin Lafon, Eric Blot-Lefevre
-
Patent number: 8677125
Abstract: The present invention provides a method and an apparatus for automating authentication of a user. In one embodiment, a method calls for detecting an authentication event at a wireless communication device to gain access to a first wireless network through an access point associated with the first wireless network, automatically obtaining a credential from a second wireless network in response to the authentication event, and authenticating the user based on the credential to establish a connection between the wireless communication device and the first wireless network. A client-server based communication system includes a client module at a wireless communication device for user authentication of a Wi-Fi device to a Wi-Fi network through an access point associated therewith. For the purposes of authentication, the client-server based communication system further includes a server module with which the client module may automatically exchange short message service messages over a wide area network.
Type: Grant
Filed: March 31, 2005
Date of Patent: March 18, 2014
Assignee: Alcatel Lucent
Inventors: Jacco Brok, Jeroen Van Bemmel
-
Patent number: 8676998
Abstract: A client-server communication protocol permits the server to authenticate the client without requiring the client to authenticate the server. After establishing the half-authenticated connection, the client transmits a request and the server performs or responds accordingly. A network management system and environment where this protocol can be used is also described and claimed.
Type: Grant
Filed: November 29, 2007
Date of Patent: March 18, 2014
Assignee: Red Hat, Inc.
Inventor: James P. Schneider
-
Patent number: 8675878
Abstract: There is provided a system and method for distributors to use an interoperable key chest. There is provided a method for use by a distributor to obtain content access authorizations from a key chest or central key repository (CKR), the method comprising receiving a user request from a user device for access to an encrypted content identified by a content identification, transmitting a key request to the CKR including the content identification, receiving an encrypted first key from the CKR, decrypting the encrypted first key using a second key to retrieve the first key, and providing a DRM license for the encrypted content to the user device using the first key for use by the user device to decrypt the encrypted content using the first key. By generating such DRM licenses, distributors can unlock protected content even sourced from distributors using different DRM schemas.
Type: Grant
Filed: April 25, 2013
Date of Patent: March 18, 2014
Assignee: Disney Enterprises, Inc.
Inventors: Arnaud Robert, Scott F. Watson
-
Patent number: 8671446
Abstract: A method, a system, and a computer program product embodying computer readable code for configuring a rule file for a Web application firewall. The method includes: blocking a response created by a Web application; modifying the response by adding capturing code for capturing a regular expression and an associated parameter value embedded in the response while being executed; sending the modified response to the browser; receiving a request submitted by the browser and at least one regular expression and an associated parameter value captured by the capturing code; determining a parameter name and a regular expression associated with the same parameter value, and configuring the rule file of the firewall by use of the determined parameter name and regular expression associated with one another as a filtering rule.
Type: Grant
Filed: July 10, 2009
Date of Patent: March 11, 2014
Assignee: International Business Machines Corporation
Inventors: Da Ming Hao, Lin Luo, Ye Wang, Yu Zhang
-
Patent number: 8670563
Abstract: A system and method for facilitating secure client server communication using elliptical curve cryptography and certificateless public key infrastructure has been disclosed. The system includes a secret key generation means which generates a secret key of m-bits based on the elliptic curve Diffie-Hellman algorithm. The system further includes a session key generation means which makes use of said secret key and elliptic curve Diffie-Hellman algorithm to generate a session key. The session key is used to facilitate secured communication between the client and the server.
Type: Grant
Filed: December 8, 2010
Date of Patent: March 11, 2014
Assignee: Tata Consultancy Services Ltd.
Inventor: Vijayarangan Natarajan
-
Patent number: 8667564
Abstract: A method, system, and device are provided for bootstrapping a Session Initiation Protocol Proxy for a mobile device when the Home Agent is bootstrapped for the device. When an authentication server obtains a Home Agent address for the mobile device, it also obtains a Session Initiation Protocol Proxy address, associated with the Home Agent, for the mobile device. The Session Initiation Protocol Proxy address is sent to the mobile device along with the Home Agent address.
Type: Grant
Filed: September 24, 2008
Date of Patent: March 4, 2014
Assignee: Sprint Communications Company L.P.
Inventors: Jeremy R. Breau, Kent Delancy Mabee, Randall Allen Smischny
-
Patent number: 8666072
Abstract: This method of receiving a multimedia signal scrambled by means of a control word uses a first cryptographic entity that can be connected to any one of P second cryptographic entities to form part of a device for receiving the scrambled multimedia signal. Only second cryptographic entities of a group of N second cryptographic entities selected from a wider set of P second cryptographic entities use a session key obtained by diversifying a root key identical to the root key used to obtain the session key of the first cryptographic entity.
Type: Grant
Filed: February 14, 2006
Date of Patent: March 4, 2014
Assignee: Viaccess
Inventors: Bruno Tronel, Franck Baudot
-
Patent number: 8667609
Abstract: Various embodiments of the present invention generally relate to trademark searching and notification systems. More specifically, various embodiments of the present invention relate to systems and methods for informing requesters about trademarks similar to a provided input. Some embodiments of the present invention provide for a proactive system in which users are notified of similar trademarks before using specific term(s) and users proceed after understanding which trademarks actually exist and what areas those trademarks actually entail, and possibly being notified of newly applied trademarks and modified trademarks at later times that are similar to the specific term(s) being used.
Type: Grant
Filed: March 14, 2013
Date of Patent: March 4, 2014
Assignee: Sky Castle Global Limited
Inventors: Edwin Tan, Michael E St. John, Jr.
-
Patent number: 8667284
Abstract: A secure hash, such as a Hash-based Message Authentication Code (“HMAC”), is generated using a piece of secret information (e.g., a secret key) and a piece of public information specific to each escrow key (e.g., a certificate hash or public key). Using the secret key ensures that escrow key validation data can only be generated by knowing the secret key, which prevents an attacker from generating the appropriate escrow key validation data. Using the certificate hash as the public data ties each escrow key validation data to a particular certificate, thereby preventing the attacker from simply copying the validation data from another escrow key. Any escrow key that is found to be invalid may be removed from the file container and a system audit log may be generated so that a company, individual, or other entity can be aware of the possible attempt at a security breach.
Type: Grant
Filed: January 13, 2012
Date of Patent: March 4, 2014
Assignee: Microsoft Corporation
Inventors: Venkataramann Renganathan, Brian Thomas Carver, Daniel Browne Jump, David Charles LeBlanc, Samuel Ira Weiss
-
Patent number: 8665767
Abstract: An apparatus is disclosed having a receiver configured to receive a request to transmit data from a wireless node in a plurality of wireless nodes; and a transmitter configured to transmit a multi-cast message to a set of wireless nodes in the plurality of wireless nodes to permit data transmission. A method for wireless communications is also disclosed.
Type: Grant
Filed: October 28, 2009
Date of Patent: March 4, 2014
Assignee: QUALCOMM Incorporated
Inventors: Hemanth Sampath, Simone Merlin, Santosh P. Abraham, Maarten Menzo Wentink
-
Patent number: 8667270
Abstract: A method for securely altering a platform component is provided, comprising: assigning certificates for public encryption and signature verification keys for the device; assigning certificates for public encryption and signature verification keys for an upgrade server; mutually authenticating a device containing the platform component and the upgrade server; causing the device and the upgrade server to exchange a session key; and providing an alteration to be made to the platform component from the upgrade server to the device using the session key.
Type: Grant
Filed: February 10, 2012
Date of Patent: March 4, 2014
Assignee: Samsung Electronics Co., Ltd.
Inventors: Tasneem Brutch, Onur Aciicmez
-
Patent number: 8666062
Abstract: In general terms, the invention provides a finite field engine and methods for operating on elements in a finite field. The finite field engine provides finite field sub-engines suitable for any finite field size requiring a fixed number of machine words. The engine reuses these engines, along with some general purpose component or specific component providing modular reduction associated with the exact reduction (polynomial or prime) of a specific finite field. The engine has wordsized suitable code capable of adding, subtracting, multiplying, squaring, or inverting finite field elements, as long as the elements are representable in no more than the given number of words. The wordsized code produces unreduced values. Specific reduction is then applied to the unreduced value, as is suitable for the specific finite field. In this way, fast engines can be produced for many specific finite fields, without duplicating the bulk of the engine instructions (program).
Type: Grant
Filed: April 11, 2008
Date of Patent: March 4, 2014
Assignee: Certicom Corp.
Inventor: Robert J. Lambert
-
Patent number: 8666368
Abstract: Apparatus and methods for authenticating and granting a client device (e.g., cellular telephone) access to a network. In one embodiment, a network service provider such as a cellular telephone company may distribute user access (e.g., Universal Subscriber Identity Module or “USIM”) credentials to a services manager via a USIM vendor. The services manager may maintain a list of authorized users. A user at a client may authenticate to the services manager. Once authenticated, the services manager may provide the user with a set of USIM credentials. When the user desires to use wireless network services, the user equipment may establish a wireless link between the user equipment and the network service provider. During authentication operations, the user equipment may use the USIM credentials to authenticate to the network service provider. Following successful authentication, the network service provider may provide the user equipment with wireless services.
Type: Grant
Filed: November 22, 2010
Date of Patent: March 4, 2014
Assignee: Apple Inc.
Inventors: Stephan V. Schell, Mohit Narang, Ruben Caballero
-
Patent number: 8667282
Abstract: An information processing device including a receiving unit that receives a first random number from another information processing device; a generating unit that generates a second random number; a time-variant-key generating unit that generates a time variant key for encryption according to the second random number; an encrypting unit that encrypts the first random number with the time variant key; and a transmitting unit that transmits the first random number encrypted by the time variant key and the second random number to the other information processing device.
Type: Grant
Filed: October 8, 2012
Date of Patent: March 4, 2014
Assignee: Sony Corporation
Inventor: Hiroaki Hamada