Mutual Entity Authentication Patents (Class 713/169)
  • Patent number: 8903094
    Abstract: The invention concerns a cryptographic key distribution system comprising a server node, a repeater network connected to the server node through a quantum channel, and a client node connected to the repeater network through a quantum channel; wherein in use: the repeater network and the client node cooperatively generate a transfer quantum key which is supplied to a system subscriber by the client node; the server node and the repeater network cooperatively generate a link quantum key; the repeater network encrypts the link quantum key based on the transfer quantum key and sends the encrypted link quantum key to the system subscriber through a public communication channel; the server node encrypts a traffic cryptographic key based on the link quantum key and a service authentication key and sends the encrypted traffic cryptographic key to the system subscriber through a public communication channel.
    Type: Grant
    Filed: August 3, 2012
    Date of Patent: December 2, 2014
    Assignee: Selex Sistemi Integrati S.p.A.
    Inventor: Fabio Antonio Bovino
  • Patent number: 8904179
    Abstract: A communication system exchanges key generation parameters for secure communications. An internet service and communications device of a user are in communication with each other. The internet service includes an account authentication mechanism for a user and includes a database having stored cryptographic keys and key generation parameters. A device client operates on the communications device and initiates a request to the internet service that authenticates the user and establishes a secure communications channel between the internet service and communications device and determines key generation parameters based on an authenticated user identifier and transmits the key generation parameters for initiating key generation and securely establishing a cryptographic key between the internet service and communications device.
    Type: Grant
    Filed: September 7, 2012
    Date of Patent: December 2, 2014
    Assignee: BlackBerry Limited
    Inventors: Edward Dean, Roberto Diaz, James Godfrey
  • Publication number: 20140351595
    Abstract: A method and apparatus for key management in a communication network. A Key Management Server (KMS) receives from a first device a request for a token associated with a user identity, the user identity being associated with a second device. The KMS then sends the requested token and a user key associated with the user to the first device. The KMS subsequently receives the token from the second device. A second device key is generated using the user key and a modifying parameter associated with the second device. The modifying parameter is available to the first device for generating the second device key. The second device key is then sent from the KMS to the second device. The second device key can be used by the second device to authenticate itself to the first device, or for the first device to secure communications to the second device.
    Type: Application
    Filed: August 8, 2014
    Publication date: November 27, 2014
    Inventors: Rolf Blom, Fredrik Lindholm, Mats Näslund, Karl Norrman
  • Patent number: 8898468
    Abstract: In some embodiments, authentication, confidentiality, and privacy are enhanced for a wireless network of cognitive radios by encryption of network management and control messages as well as data traffic, thereby protecting information pertaining to node identification, node location, node-sensed incumbent transmissions, CRN frequency channel selections, and such like. During initial network registration, a temporary ID can be issued to a node, and then replaced once encrypted communication has been established. This prevents association of initial, clear-text messages with later encrypted transmissions. Elliptic curve cryptography can be used for mutual authentication between subscribers and the base station. ECC-based implicit digital certificates can be embedded in co-existence beacons used by CRN nodes to coordinate use of frequency channels, thereby preventing denial of service attacks due to transmitting of falsified beacons.
    Type: Grant
    Filed: December 3, 2010
    Date of Patent: November 25, 2014
    Assignee: BAE Systems Information and Electronic Systems Integration Inc.
    Inventors: Ranga Reddy, Thomas Kiernan, Apurva N. Mody
  • Patent number: 8898453
    Abstract: An authentication server and method are provided for generating tokens for use by a mobile electronic device for accessing a service. Communications between the device and the authentication server are through a relay. A memory stores a secret shared with a service server from which the service is provided. A processor is configured to generate the token using the shared secret and based on a reliance on the relay to ensure that the device has authorization to access the service. One or more computer readable medium having computer readable instructions stored thereon that cause the device to obtain proof of authorization to access the service is also provided. The instructions implement a method comprising: outputting via a wireless connection to a relay a request addressed to an authentication server for a token and receiving the token from the authentication server via the relay.
    Type: Grant
    Filed: April 29, 2010
    Date of Patent: November 25, 2014
    Assignee: BlackBerry Limited
    Inventors: Bruno Richard Preiss, Andreea Manolesco
  • Patent number: 8898742
    Abstract: A computer-implemented method is provided for controlling use of a file on a user device. The method includes transmitting authentication information to a system and downloading the file from the system over the network upon successful authentication by the system. The method also includes limiting access of the file to a client application of the user device and preventing altering of the file, printing of the file and opening of the file outside of the client application. Notes corresponding to the file can be stored in a local storage area.
    Type: Grant
    Filed: October 11, 2011
    Date of Patent: November 25, 2014
    Assignee: Paramount Pictures Corporation
    Inventors: Raymond G. Joyce, Damon Garrett, Frederick Huntsberry, Randy Tunila
  • Patent number: 8898469
    Abstract: A method enables selected features of a software product residing on an end user electronic device with a license delivered from a licensing provider to a service provider of the end user electronic device. The method includes requesting at least one license to authorize a first service provider. An encrypted installation key uniquely associated with the first service provider is received as well as an authorization agent module for installation on one or more authorization agent devices associated with the first service provider. The encrypted installation key and the authorization agent module are installed on the authorization agent devices. A device-unique identifier (DUID) is generated for each authorization agent device based on hardware characteristics of the respective authorization agent devices. The DUID and the encrypted installation key are sent from the authorization agent device to a licensing provider to obtain the requested license.
    Type: Grant
    Filed: February 4, 2011
    Date of Patent: November 25, 2014
    Assignee: Motorola Mobility LLC
    Inventors: Tat Keung Chan, Paul D. Baker, Christopher P. Gardner, Mark E. Gregotski, Ted R. Michaud, Xin Qiu, Jinsong Zheng
  • Patent number: 8898729
    Abstract: Embodiments of the present invention disclose a method and an apparatus for security algorithm selection processing, a network entity, and a communication system. The method includes: receiving a service request message sent by user equipment; and according to a security protection requirement of the service request message, selecting a security algorithm from a security algorithm list supported by both the user equipment and a network entity, where security algorithm lists supported by the user equipment and/or the network entity are set separately based on different security protection requirements, or security algorithm lists supported by the user equipment and the network entity are used for indicating security capability of the user equipment and the network entity respectively.
    Type: Grant
    Filed: October 3, 2011
    Date of Patent: November 25, 2014
    Assignee: Huawei Technologies Co., Ltd.
    Inventors: Aiqin Zhang, Jing Chen, Yi Yang
  • Patent number: 8893227
    Abstract: Privacy-preserving smart metering for a smart grid. Issuing a privacy-enhanced credential to a consumer node having a smart meter. Operating the consumer node to associate an id with the credential and to use the id to report usage. Other systems and methods are disclosed.
    Type: Grant
    Filed: February 6, 2013
    Date of Patent: November 18, 2014
    Assignee: Gemalto SA
    Inventors: HongQian Karen Lu, Aline Gouget
  • Patent number: 8892880
    Abstract: A system and method for obtaining an authorization key to use a product utilizes a secured product identification code, which includes a serial number and at least one code that is generated based on a cryptographic algorithm.
    Type: Grant
    Filed: October 28, 2010
    Date of Patent: November 18, 2014
    Assignee: NXP B.V.
    Inventors: Ralf Malzahn, Hauke Meyn
  • Patent number: 8892887
    Abstract: Disclosed is a method for mutual authentication between a station, having a digital rights agent, and a secure removable media device. The digital rights agent initiates mutual authentication by sending a message to the secure removable media device. The secure removable media device encrypts a first random number using a public key associated with the digital rights agent. The digital rights agent decrypts the encrypted first random number, and encrypts a second random number and a first hash based on at least the first random number. The secure removable media device decrypts the encrypted second random number and the first hash, verifies the first hash to authenticate the digital rights agent, and generates a second hash based on at least the second random number. The digital rights agent verifies the second hash to authenticate the secure removable media device.
    Type: Grant
    Filed: October 3, 2007
    Date of Patent: November 18, 2014
    Assignee: QUALCOMM Incorporated
    Inventors: Aram Perez, Lakshminath Reddy Dondeti
  • Patent number: 8891766
    Abstract: Secure function evaluation (SFE) with input consistency verification is performed by two parties to evaluate a function. For each execution, the first party computes a garbled circuit corresponding to the function and uses an Oblivious Transfer protocol to provide wire secrets that are an encrypted version ki of the input xi of the second party. The second party stores the encrypted version ki of the input xi of the second party for the plurality of executions. The second party receives the garbled circuit for computation of an output, which is sent to the first party. To verify the inputs of the second party for two executions, the first party computes a check garbled circuit corresponding to a verification function based on the input keys of the garbled circuits being verified; and sends the check garbled circuit to the second party for computation of a verification output. The verification output is computed by applying the stored encrypted versions ki for the two executions to the check garbled circuit.
    Type: Grant
    Filed: September 28, 2012
    Date of Patent: November 18, 2014
    Assignee: Alcatel Lucent
    Inventor: Vladimir Y. Kolesnikov
  • Patent number: 8892888
    Abstract: A method for setting the bandwidth of a multiple stream decrypting and decoding system includes at least the following steps: authenticating a multiple transport stream decryption card; sending a transport stream through the system; extracting program information from the transport stream; utilizing the program information to set a bandwidth limit to the system; and enabling the multiple transport stream decryption card.
    Type: Grant
    Filed: June 4, 2012
    Date of Patent: November 18, 2014
    Assignee: Mediatek Inc.
    Inventor: You-Min Yeh
  • Publication number: 20140337626
    Abstract: According to one embodiment, a content reproducing device is provided with connection unit and reproducing unit. The connection unit connects a license server and removable medium to each other in such a manner that mutual authentication can be carried out between the license server and removable medium, and rights information can be downloaded from the license server to the removable medium. The reproducing unit carries out mutual authentication between itself and the removable medium and, when the authentication is successful, acquires rights information recorded on the removable medium to thereby decrypt the encrypted content item delivered by the content server on the basis of the rights information, and subject the decrypted content item to streaming reproduction.
    Type: Application
    Filed: April 2, 2014
    Publication date: November 13, 2014
    Applicant: KABUSHIKI KAISHA TOSHIBA
    Inventor: Jun Sato
  • Patent number: 8887307
    Abstract: Secure functions may be accessed via an authentication process utilizing a password that may be generated within a chip integrated on a device. The password may be unique per chip location, per challenge and/or per chip. The location of the chip may be determined based on GPS information and securely stored and securely communicated to an external entity. Two or more of the chip location, a generated random number sample and a key from a table of keys may be passed to a hash function that may generate a password. An external entity attempting access may be challenged to respond with a password that matches the password generated by the hash function. The response may be compared with the password generated by the hash function and access to one or more secure functions may be granted based on the comparison.
    Type: Grant
    Filed: October 12, 2007
    Date of Patent: November 11, 2014
    Assignee: Broadcom Corporation
    Inventor: Xuemin (Sherman) Chen
  • Patent number: 8887300
    Abstract: Methods for preventing the transmission of sensitive information to locations outside of a secure network by a person who has legitimate access to the sensitive information are described. In some embodiments, in order for an end user of a computing device to establish a secure connection with a secure network and access data stored on the secure network, a client application running on the computing device may be required by the secure network. The client application may monitor visual cues (e.g., facial expressions and gestures) associated with the end user, detect suspicious activity performed by the end user based on the visual cues, and in response to detecting suspicious activity may perform mitigating actions to prevent the transmission of sensitive information such as alerting human resources personnel or requiring authorization prior to sending information to locations outside of the secure network.
    Type: Grant
    Filed: March 14, 2013
    Date of Patent: November 11, 2014
    Assignee: CA, Inc.
    Inventors: Carrie E. Gates, Gabriel M. Silberman, Maria C. Velez-Rojas, Serguei Mankovskii, Steven L. Greenspan
  • Patent number: 8880885
    Abstract: Implementations of the present disclosure are directed to web-based authentication. Implementations include receiving user credentials at a browser, transmitting a first request to an application, the first request including a first user credential, receiving a first response, the first response including an encrypted server public key (SPK) and a user-specific salt value, decrypting the encrypted SPK to provide a SPK, the encrypted SPK being decrypted based on the user-specific salt value and a second user credential, determining a browser public key (BPK) and a client-side session signing key (SSK), encrypting the BPK to provide an encrypted BPK, transmitting a second request to the application, the second request including the encrypted BPK and a request signature, the request signature having been provided based on the client-side SSK, and receiving a second response, the second response including a response signature and indicating that a user has been authenticated by the application.
    Type: Grant
    Filed: October 9, 2012
    Date of Patent: November 4, 2014
    Assignee: SAP SE
    Inventors: Sebastian Lekies, Martin Johns
  • Patent number: 8880888
    Abstract: A passport authentication protocol provides for encryption of sensitive data such as biometric data and transfer of the encryption key from the passport to the authentication authority to permit comparison to a reference value.
    Type: Grant
    Filed: May 10, 2010
    Date of Patent: November 4, 2014
    Assignee: Certicom Corp.
    Inventors: Daniel R. L. Brown, Scott A. Vanstone
  • Patent number: 8881305
    Abstract: In one illustrative example, a method in a mobile communication device operating in a wireless local area network (WLAN) involves performing, via a wireless AP of the WLAN, a first authentication procedure with an authentication server for obtaining a first session key and a key lifetime value associated with the first session key; establishing a first secure connection with the wireless AP based on the first session key; setting a timer with an initial value that is less than or equal to the key lifetime value, and running the timer; communicating in a media session over the first secure connection with the wireless AP; and in response to an expiration of the timer during the media session: performing, during the media session, a second authentication procedure with the authentication server for obtaining a second session key; and establishing, during the media session, a second secure connection with the wireless AP using the second session key; and communicating in the media session over the second secure
    Type: Grant
    Filed: July 13, 2009
    Date of Patent: November 4, 2014
    Assignee: BlackBerry Limited
    Inventor: Leonardo Jose Silva Salomone
  • Patent number: 8880884
    Abstract: An information handling system includes a memory and a processor to execute instructions stored in the memory, which causes the processor to at least: send identification information to a second information handling system in response to an identification request broadcast from the second information handling system via a short-range communication; receive first authentication information for a local application and a remote service from the second information handling system; receive a copy of the local application; authenticate a user for the copy of the local application and for the remote service prior to the user logging on to the information handling system; receive second authentication information from the user to access the information handling system; authenticate the user to the information handling system; and automatically initiate a secure session between the copy of the local application and the remote service when the user is authenticated to the information handling system.
    Type: Grant
    Filed: July 15, 2013
    Date of Patent: November 4, 2014
    Assignee: Dell Products, LP
    Inventors: Philip M. Seibert, Abu Sanaullah, Charles D. Robison, Jr., Claude L. Cox, Jason A. Shepherd
  • Patent number: 8880881
    Abstract: A method of establishing secure communication between a first mobile computing device and a second mobile computing device includes generating a first self-signed key at the first mobile computing device, pairing the first device with a second device, the pairing including receiving user input of a passcode and after receiving the user input sending the first public key to the second mobile computing device and receiving a second public key from the second mobile computing device, storing the second public key in a database of trusted devices, the database of trusted devices being stored in the first mobile computing device, receiving in the first mobile computing device a list of mobile computing devices connected to a mobile network, matching the list of mobile computing device against the database of trusted devices, and establishing secure communication between the first mobile computing device and the second mobile computing device.
    Type: Grant
    Filed: January 18, 2012
    Date of Patent: November 4, 2014
    Assignee: Square, Inc.
    Inventors: Shawn Morel, Diogo Monica, Eric Monti, Sam Wen, Nathan McCauley
  • Patent number: 8875236
    Abstract: Disclosed is a method including allowing an application server to request setup of a session on behalf of a user terminal, and using mechanisms of a generic peer authentication procedure for enabling authentication of the application server to an interrogating server, the interrogating server being a network element that is configured to process said request to set up a session on behalf of a user terminal. Also disclosed are related devices, systems and computer programs.
    Type: Grant
    Filed: June 11, 2007
    Date of Patent: October 28, 2014
    Assignee: Nokia Corporation
    Inventors: Silke Holtmanns, Tiina S. Koskinen
  • Patent number: 8874919
    Abstract: Provided is an apparatus and method of a portable terminal authenticating another portable terminal. The portable terminal may receive a seed generated by the other portable terminal, issue an authentication certificate generated using the seed to the other portable terminal, authenticate the other portable terminal based on the authentication certificate, and provide a secure communication.
    Type: Grant
    Filed: January 14, 2011
    Date of Patent: October 28, 2014
    Assignee: Samsung Electronics Co., Ltd.
    Inventor: Dae Youb Kim
  • Patent number: 8868909
    Abstract: A method for authenticating a communication channel between a client and server has been disclosed. The method employs a mutual authentication payload (MAP) protocol that enables mutual authentication between a client and server system in a convenient user-friendly manner while providing seamless and automated portability to the clients. In the process of mutual authentication, the client verifies that the server entity is indeed the intended entity and is trusted. Likewise, the server verifies if the client entity initiating the exchange is indeed the intended entity and is trusted. Accordingly, this verification process involves multi-factor authentication factors contained within the MAP protocol.
    Type: Grant
    Filed: December 19, 2008
    Date of Patent: October 21, 2014
    Assignee: Ezmcom, Inc.
    Inventors: Pravat K Mishra, Anupam Ratha, Vikram Sareen
  • Patent number: 8869251
    Abstract: Consistent one-time password (OTP) functionality is provided from a presentation server to secure various on-line resources. A seed file can be provided to or created by a service provider for execution as part of a hosted page displayed at a client to a user. A presentation server receives a call from the seed file. A user interface widget can be initialized at the presentation server in response to the call from the seed file. The widget can be displayed as part of the remotely hosted Web page so that the user perceives the UI widget to be embedded in the page as viewed on the client computer system. Security for the interaction between the servers can be provided through use of security assertion markup language (SAML).
    Type: Grant
    Filed: September 12, 2007
    Date of Patent: October 21, 2014
    Assignee: Bank of America Corporation
    Inventors: Eric W. Miller, Clay D. Newton
  • Patent number: 8868911
    Abstract: The present invention provides a method for key generation, member authentication and communication security in a dynamic group, which comprises steps: assigning each member an identification vector containing common group identification vector elements and an individual identification vector element, and generating an authentication vector and an access control vector for each member according to the identification vector; using the identification vector elements to generate public key elements and establish an authentication public key and an access control public key; and using a polynomial and the identification vector to generate a private key. The present invention uses these public keys and private keys, which are generated from the identification vectors, to implement serverless member authentication and data access control, whereby the privacy of members is protected and the security of communication is promoted.
    Type: Grant
    Filed: May 15, 2012
    Date of Patent: October 21, 2014
    Assignee: National Chiao Tung University
    Inventors: Chien-Chao Tseng, Tzu-Hsin Ho
  • Patent number: 8863225
    Abstract: Provided are techniques for providing security in a computing system with identity mediation policies that are enterprise service bus (ESB) independent. A mediator component performs service-level operations such as message brokering, identity mediation, and transformation to enhance interoperability among service consumers and service providers. A mediator component may also delegate identity related operations to a token service or handler. Identity mediation may include such operations as identity determination, or “identification,” authentication, authorization, identity transformation and security audit.
    Type: Grant
    Filed: June 29, 2010
    Date of Patent: October 14, 2014
    Assignee: International Business Machines Corporation
    Inventors: Ivan M. Milman, Martin Oberhofer, Dmitriy Fot
  • Patent number: 8863238
    Abstract: A control unit for controlling a card reader. The control unit includes an authentication management unit for transmitting/receiving information to/from a host and each of a first encryption magnetic head device and a second encryption magnetic head device to mutually authenticate each other. The authentication management unit includes (1) a commanding means for commanding one of the first encryption magnetic head device and the second encryption magnetic head device to create lower-level information for authentication, according to a request on authentication from the host, (2) a sharing means for transmitting the lower-level information for authentication received from the above-mentioned one device to the other device for the purpose of sharing it and (3) a transmission means for transmitting the lower-level information for authentication, having been shared in all of the first encryption magnetic head device and the second encryption magnetic head device, to the host.
    Type: Grant
    Filed: November 15, 2012
    Date of Patent: October 14, 2014
    Assignee: Nidec Sankyo Corporation
    Inventor: Tsutomu Baba
  • Patent number: 8861722
    Abstract: A device for generating a session key which is known to a first communication partner and a second communication partner, for the first communication partner, from secret information which may be determined by the first and second communication partners, includes a first module operable to calculate the session key using a concatenation of at least a part of a random number and a part of the secret information. The device also includes a second module operable to use the session key for communication with the second communication partner.
    Type: Grant
    Filed: June 10, 2010
    Date of Patent: October 14, 2014
    Assignee: Infineon Technologies AG
    Inventors: Berndt Gammel, Wieland Fischer, Stefan Mangard
  • Patent number: 8863246
    Abstract: Apparatus and methods are described for searching and replacing user credentials in a multiple disparate credential store environment. Upon authentication of a user to change credentials, credential information of multiple disparate credential stores is searched. Upon population of search results, users indicate which of the credentials they desire to change and results are committed upon affirmative execution in a user interface dialog. In this manner, users locate their credential information, from whatever store, and change it in quantity or singularly from a single point of control. They can also fully understand how many passwords, secrets, keys, etc., they have over the many disparate stores available to them and affirmatively control their relationship to other credential information. Reversion of credential information to an earlier time is still another feature as is retrofitting existing SSO services. Computer program products and computing network interaction are also disclosed.
    Type: Grant
    Filed: August 31, 2007
    Date of Patent: October 14, 2014
    Assignee: Apple Inc.
    Inventors: James M. Norman, Cameron Mashayekhi, Karl E. Ford
  • Patent number: 8863268
    Abstract: A security module and method within an information handling system are disclosed. In a particular form, a processing module can include a local processor configurable to initiate access to resources of a host processing system. The processing module can also include a security module configured to enable use of the resources of the host processing system using a security metric. According to an aspect, the security module can be further configured to detect the security metric, and enable access to a resource of the host processing system in response to the security metric. The security module can further be configured to disable access to another resource of the host processing system in response to the security metric.
    Type: Grant
    Filed: October 29, 2008
    Date of Patent: October 14, 2014
    Assignee: Dell Products, LP
    Inventors: Roy W. Stedman, Andrew T. Sultenfuss, David Loadman
  • Patent number: 8862884
    Abstract: The present invention concerns a method of generation of a secret key, shared between a first terminal and a second terminal. The key is generated from the impulse response of the transmission channel separating the two terminals. A first message representative of the impulse response estimated by the first terminal is transmitted to the second terminal. This message is encoded using a channel encoding and punctured at a rate which prevents any decoding if additional information is missing. The second terminal combines this first message with at least a part of a second message representative of the impulse response estimated by the second terminal in order to attempt to decode the first message. If the decoding is successful the secret key is generated by the second terminal from the first message thus decoded.
    Type: Grant
    Filed: May 29, 2012
    Date of Patent: October 14, 2014
    Assignee: Commissariat à l'énergie atomique et aux énergies alternatives
    Inventor: Christine Hennebert
  • Patent number: 8862314
    Abstract: A method and system for transmitting control data between a vehicle data recorder arranged in a motor vehicle and a test device arranged outside the motor vehicle. A random code is generated by the vehicle data recorder or by the test device as a connection code. The random code is detected and input into the device not generating the random code. After the random code has been input into the device, coupling is effected automatically via a short-distance radio link between the devices. Subsequently the control data is transmitted by the vehicle data recorder to the test device via the short-distance radio link. After the control data transmission has ended, the short-distance radio link between the vehicle data recorder and the test device is separated and the random code is deleted in the vehicle data recorder and in the test device.
    Type: Grant
    Filed: October 6, 2011
    Date of Patent: October 14, 2014
    Assignee: Continental Automotive GmbH
    Inventor: Gunnar Schmidt
  • Patent number: 8863308
    Abstract: A method of identity attribute validation at a computer server involves the computer server receiving an identity attribute validation request from a communication terminal. The computer server further receives a credential, and is configured with an attribute disclosure profile of attributes authorized for disclosure to the communication terminal. The computer server determines the validity of the credential, and provides the communication terminal with a response to the identity attribute validation request based on an outcome of the credential validity determination. The attribute validation response includes attributes data associated with the credential authorized for disclosure by the attribute disclosure profile but excludes attributes data associated with the credential not authorized for disclosure by the attribute disclosure profile.
    Type: Grant
    Filed: December 1, 2010
    Date of Patent: October 14, 2014
    Assignee: SecureKey Technologies Inc.
    Inventors: Andre Michel Boysen, Gregory Wolfond, Pierre Antoine Roberge, Patrick Hans Engel, Troy Jacob Ronda
  • Patent number: 8862881
    Abstract: A method and system for mutually authenticating a first node and a second node operating in a wireless communication network enables mutual authentication when the first node and the second node are unable to directly authenticate each other. The method includes identifying, at the first node, a third node that can authenticate both the first node and the second node (step 215). Authentication data for authenticating the first node with the third node is then transmitted from the first node to the third node (step 220). Keying material that is received from the third node is then processed at the first node (step 225). A shared secret mutual authentication protocol is then processed, whereby the first node and the second node are mutually authenticated by proving that they each have authenticated with the third node and each have the keying material (step 230).
    Type: Grant
    Filed: May 30, 2006
    Date of Patent: October 14, 2014
    Assignee: Motorola Solutions, Inc.
    Inventors: Anthony R. Metke, Donald E. Eastlake, III, Zhi Fu
  • Patent number: 8856510
    Abstract: A method for joining a user domain based on digital right management (DRM), a method for exchanging information between a user device and a domain enforcement agent, and a method for exchanging information between user devices belonging to the same user domain include sharing a domain session key between the user device and the domain enforcement agent or between the user devices belonging to the same user domain. Information is exchanged through a secure session set up between the user device and domain enforcement agent or between the user devices, and information exchange occurs through encryption/decryption using the domain session key.
    Type: Grant
    Filed: December 15, 2008
    Date of Patent: October 7, 2014
    Assignee: Pantech Co., Ltd.
    Inventor: Gun-wook Kim
  • Patent number: 8856531
    Abstract: Methods, computer program products, and systems are provided for using a single shared secured connection among all servers in a cluster by efficiently establishing and securely disseminating a shared key between the servers. In particular, this is done by using a Diffie-Hellman key agreement scheme among the servers using an ordered list of servers generated on-the-fly.
    Type: Grant
    Filed: June 27, 2011
    Date of Patent: October 7, 2014
    Assignee: EMC Corporation
    Inventors: Peter Alan Robinson, Kanchan Kaur, Sean Parkinson
  • Patent number: 8856308
    Abstract: Embodiments are directed towards cloud scale automatic identity management. A floating network may be established using agents operative on hosts across one or more networks. Each node of the floating network is resident on a host (computer or cloud instance) that includes an agent configured to perform one or more networking tasks that establish the floating network. Parent nodes may be nodes designated as points in the floating network for adding additional nodes. Accordingly, each parent node includes at least one parent agent that includes at least parent credentials. Agent installers provided to a host may generate a child agent for the host that includes child credentials generated based on its parent credentials. An unambiguous identity value for the new child node may be determined by tracing a trust relationship path from the child node to the root node of the floating network.
    Type: Grant
    Filed: March 20, 2014
    Date of Patent: October 7, 2014
    Assignee: Union Bay Networks, Inc.
    Inventors: Benn Sapin Bollay, Jonathan Mini Hawthorne
  • Patent number: 8850203
    Abstract: Principles of the invention provide one or more secure key management protocols for use in communication environments such as a media plane of a multimedia communication system. For example, a method for performing an authenticated key agreement protocol, in accordance with a multimedia communication system, between a first party and a second party comprises, at the first party, the following steps. Note that encryption/decryption is performed in accordance with an identity based encryption operation. At least one private key for the first party is obtained from a key service. A first message comprising an encrypted first random key component is sent from the first party to the second party, the first random key component having been computed at the first party, and the first message having been encrypted using a public key of the second party.
    Type: Grant
    Filed: August 28, 2009
    Date of Patent: September 30, 2014
    Assignee: Alcatel Lucent
    Inventors: Ganapathy S. Sundaram, Violeta Cakulev
  • Patent number: 8850544
    Abstract: The present invention provides a new method for user centered privacy which works across all 3rd party sites where users post content, or even for encryption of emails. Users have an identity with a Hyde-It Identity provider (HIP) which authenticates the user to a Hyde-It Service (HITS) which performs key distribution. The functionality can be invoked through a user toolbar, built into the browser or be downloaded on demand via a bookmarklet.
    Type: Grant
    Filed: April 23, 2009
    Date of Patent: September 30, 2014
    Inventor: Ravi Ganesan
  • Patent number: 8850150
    Abstract: A computing device and method for managing security of a memory or storage device without the need for administrator privileges. To access the secure memory, a host provides a data block containing a control command and authentication data to the memory device. The memory device includes a controller for controlling access to a secure memory in the memory device. The memory device identifies the control command in the data block, authenticates the control command based on the authentication data, and executes the control command to allow the host device to access the secure memory.
    Type: Grant
    Filed: July 20, 2012
    Date of Patent: September 30, 2014
    Assignee: STEC, Inc.
    Inventor: Mehran Ramezani
  • Patent number: 8848912
    Abstract: A terminal identification method is provided which enables two-way communications between terminals and a network while identifying terminal IDs and protecting privacy. Also, an authentication method and system are provided which require no complicated calculation, fewer steps, a smaller amount of wireless communication, and less power consumption. A server and terminal share a hash function and an initial value determined for each terminal, calculate the same temporary ID by hashing the initial value the same number of times with the hash function, and identify the terminal using the calculated temporary ID. The server and the terminal also hold a common hash function and authentication information, acquire an authenticating communication parameter from communication parameters temporarily common during communication, and generate an authentication key using the authentication information, the authenticating communication parameter, and the hash function.
    Type: Grant
    Filed: December 19, 2006
    Date of Patent: September 30, 2014
    Assignee: Nippon Telegraph and Telephone Corporation
    Inventors: Koichi Takasugi, Koki Mitani, Hiroshi Saito
  • Patent number: 8843915
    Abstract: A computing device determines whether to apply an update using a computer file by generating a file signature for that computer file based on its file header information and comparing the file signature against a collection of file signatures for updates already applied, looking for matches.
    Type: Grant
    Filed: July 28, 2011
    Date of Patent: September 23, 2014
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventor: Fletcher Liverance
  • Patent number: 8842839
    Abstract: A device is arranged to carry out security-related tasks using one-time pad data. The device has a memory for holding multiple one-time pads, each pad having a different security rating and being intended for use by the device in executing a task to that security rating. Provisioning of the pads with one-time pad data involves carrying out a process for obtaining new secret random data. This process has a security rating, the value of which varies according to the nature and parameters of the process concerned. The security rating of the process used to obtain the new secret random data is matched to that of the pad to be provisioned with one-time data, or the other way around, such that the security rating of the process is at least as good as that of the pad to be provisioned.
    Type: Grant
    Filed: July 21, 2006
    Date of Patent: September 23, 2014
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Keith Alexander Harrison, William John Munro, Christopher Tofts, Timothy Paul Spiller
  • Publication number: 20140281540
    Abstract: Some embodiments provide a non-transitory machine-readable medium that stores a program which, when executed by at least one processing unit of a device, synchronizes a set of keychains stored on the device with a set of other devices. The device and the set of other devices are communicatively coupled to one another through a peer-to-peer (P2P) network. The program receives a modification to a keychain in the set of keychains stored on the device. The program generates an update request for each device in the set of other devices in order to synchronize the set of keychains stored on the device with the set of other devices. The program transmits through the P2P network the set of update requests to the set of other devices over a set of separate, secure communication channels.
    Type: Application
    Filed: March 15, 2013
    Publication date: September 18, 2014
    Inventors: Michael Brouwer, Dallas B. De Atley, Mitchell D. Adler
  • Publication number: 20140281541
    Abstract: Techniques for providing enterprise mode security for relays are disclosed. For example, enterprise mode security based on IEEE 802.1x is provided for relays or other similar devices to extend the coverage of access point hotspots or other similar access point use cases. According to one aspect, a relay incorporates an authentication client associated with an authentication server. According to another aspect, a four address format is employed for tunneling messages via a relay between a station and an access point. According to another aspect, a cryptographic master key associated with an access point and a station is provided to a relay to enable the relay to be an authenticator for the station.
    Type: Application
    Filed: March 12, 2014
    Publication date: September 18, 2014
    Applicant: QUALCOMM Incorporated
    Inventors: George Cherian, Santosh Paul Abraham, Maarten Menzo Wentink, Simone Merlin
  • Patent number: 8838972
    Abstract: A communication network manages key material. A method generates and provides session keys from a security node to an access node for further propagation during handoff procedures, without requiring the security node to take part in the handoff procedures.
    Type: Grant
    Filed: September 13, 2012
    Date of Patent: September 16, 2014
    Assignee: Intellectual Ventures I LLC
    Inventors: Dan Forsberg, Lauri Tarkkala
  • Patent number: 8839415
    Abstract: A smart card issuance system and method are disclosed. In a first aspect, a method and system for issuing a smart card device (SC) is disclosed. The method and system comprise providing an initialization phase of the SC by a manufacturer and providing an authentication phase of the SC by the manufacturer. The method and system also include deploying the SC, providing a first time authentication phase for a specific customer by the issuer (IS) after the SC is deployed, and starting a first phase of the registration process of the SC for the specific customer by the issuer. The method and system further include providing another authentication phase of the SC by the IS after the first time authentication, and providing an authentication of the IS by the SC. When both the SC and IS are mutually authenticated, the IS and the specific customer are allowed to complete the registration process. In a second aspect, a data transmission process and system for a smart card device (SC) of an issuer (IS) is disclosed.
    Type: Grant
    Filed: February 1, 2011
    Date of Patent: September 16, 2014
    Assignee: Kingston Technology Corporation
    Inventor: Ben Wei Chen
  • Patent number: 8839358
    Abstract: Progressive authentication is generally employed to establish the authenticity of a user, such as a user of a computing device, or a user that wants to access a proprietary data item, software application or on-line service. This can entail inputting authentication factors, each of which corresponds to one or multiple attributes associated with the user, or historical patterns of one or more attributes associated with the user, or both, together with a confidence level that estimates the reliability of the factor. Sensor readings captured by one or more sensors are also input. Each sensor senses a user attribute, and the readings are used to quantify each authentication factor's confidence level. An overall confidence level is established based at least in part on a combination of the individual confidence levels. A user is then designated as being authentic whenever the established overall confidence level exceeds a prescribed authentication level.
    Type: Grant
    Filed: August 31, 2011
    Date of Patent: September 16, 2014
    Assignee: Microsoft Corporation
    Inventors: Karin Strauss, Oriana Riva, Douglas Burger, Jaron Lanier
  • Patent number: 8839403
    Abstract: A local proxy system includes a storage device having a local proxy and a physical port connection. The local proxy is part of a split proxy configuration having a local proxy and a remote proxy. The physical port connection is operative to receive commands from a host via an internet application protocol; and to transmit commands to the host via a modem control protocol, to thereby function as a gateway for conveying these commands to a remote proxy, via the host. Also provided is a method of optimizing communication over a network; and a local proxy system that includes a storage device having a local proxy. The storage device is in connection with a host via a physical port connection complying with a standard storage device interface.
    Type: Grant
    Filed: December 31, 2007
    Date of Patent: September 16, 2014
    Assignee: SanDisk IL Ltd.
    Inventors: Amir Mosek, Alain Nochimowski, Micha Rave