135 results about "Key distribution center" patented technology

In accordance with an embodiment of the present invention, a security module may be configured to provide an owner the capability to differentiate between users. In particular, the security module may be configured to generate an asymmetric read/write key pair for respectively decrypting/encrypting data for storage on a disk. The owner of the file may distribute the read key of the asymmetric key pair to a group of users that the owner has assigned read-permission for the encrypted data, i.e., a group that has read-only access. Moreover, the owner of the file may distribute the write key of the asymmetric pair to another group of users that the owner has assigned write-permission for the encrypted data, i.e., users in the write-permission group may modify the data. Alternatively, the security module may be configured to throw away the write key and not allow further re-use of the key. The security modules may also be configured to encrypt the read key for with a further key for additional protection while stored. The security module may be also configured to generate a first set of read/write key pairs for fragments of a file. Each file fragment is encrypted with a different write key from the set of read/write key pairs. The respective read keys may then be encrypted with a second long-lived key pair chosen by the owner of the file. The security module may then configured to store the encrypted file fragment and the associated encrypted read key in a storage area of a shared computer system accessible to the users of the shared computer system. The security module may also be configured to provide distribution of the required keys-either the read/write keys for direct use, or the long-lived keys for indirect use-either by means of the data owners themselves, or through use of a key distribution center.

Methods and systems are provided for distributing key information by securely transmitting light information in a network along a path comprised of a plurality of network devices and by using a key distribution center (KDC) connected with the network. Three or more user devices connected with the network are specified as constituting a secure communication group. Each user device sets up an end-to-end path to the KDC by configuring at least one of the network devices to direct light information along the path. Thereafter, a user key is established between each user device and the KDC, by sending light information using randomly selected quantum bases through the path. The KDC determines a shared secret key, and notifies each user device of the shared secret key by sending the result of a calculation based on the shared secret key and each user key through the network.

A secure Internet Protocol (IP) telephony system, apparatus, and methods are disclosed. Communications over an IP telephony system can be secured by securing communications to and from a Cable Telephony Adapter (CTA). The system can include one or more CTAs, network servers, servers configured as signaling controllers, key distribution centers (KDC), and can include gateways that couple the IP telephony system to a Public Switched Telephone Network (PSTN). Each CTA can be configured as secure hardware and can be configured with multiple encryption keys that are used to communicate signaling or bearer channel communications. The KDC can be configured to periodically distribute symmetric encryption keys to secure communications between devices that have been provisioned to operate in the system and signaling controllers. The secure devices, such as the CTA, can communicate with other secure devices by establishing signaling and bearer channels that are encrypted with session specific symmetric keys derived from a symmetric key distributed by a signaling controller.

An approach for managing addition or deletion of nodes in a multicast or broadcast group, which avoids introducing a single point of failure at a group controller, certificate authority, or key distribution center, is disclosed. A central group controller utilizes a binary tree structure to generate and distribute session keys for the establishment of a secure multicast group among multiple user nodes. The central group controller is replicated in a plurality of other group controllers, interconnected in a network having a secure communication channel and connected to a load balancer. The secure communication channel is established using a public key exchange protocol. The load balancer distributes incoming join/leave requests to a master group controller. The master group controller processes the join or leave, generates a new group session key, and distributes the new group session key to all other group controller replicas. Each group controller is successively designated as master group controller in real time when a former master group controller crashes or relinquishes its master authority.

One embodiment of the present invention provides a system for operating a key distribution center (KDC) that provides keys to facilitate secure communications between clients and servers across a computer network, wherein the system operates without having to store long-term server secrets. The system operates by receiving a communication from a server at the KDC. This communication includes an identifier for the server, as well as a temporary secret key to be used in communications between a client and the server for a limited time period. In response the communication, the system attempts to authenticate the server. If the server is successfully authenticated, the system stores the temporary secret key at the KDC, so that the temporary secret key can be subsequently used to facilitate communications with the server. Upon subsequently receiving a request at the KDC from a client that desires to communicate with the server, the system produces a session key to be used in communications between the client and server, and then creates a ticket to the server by encrypting an identifier for the client and the session key with the temporary secret key for the server. Next, the system assembles a message that includes the identifier for the server, the session key and the ticket to the server, and sends the message to the client in a secure manner. The system subsequently allows the client to forward the ticket to the server in order to initiate communications between the client and the server.

An approach for establishing secure multicast communication among multiple members that participate in a multicast group is disclosed. In one feature, multiple multicast proxy service nodes (MPSNs) are defined and control when members join or leave the multicast group. The MPSNs are logically represented by a first binary tree in which each node of the first binary tree is associated with a domain of a directory service and one or more of the MPSNs. A second binary tree is created that has leaf nodes representing each member. The second binary tree is stored in a domain of the directory service with a root node that represents one or more of the MPSNs. The members can each establish multicast communication and serve as a key distribution center. When a member joins the multicast group, a new group session key is determined by replicating a branch of the second binary tree.

One embodiment of the present invention provides a system for establishing a shared cryptographic key between participating nodes in a network. The system operates by sending a first message from the first node to the second node requesting establishment of a shared key. The second node sends a second message containing identifiers and a message authentication code to a key distribution center (KDC). The authentication code is generated using a second node key belonging to the second node. The KDC recreates the previously created second node key using the second node identifier and a secret key known only to the key distribution center. The KDC then verifies the message authentication code using the second node key. If the message authentication code is verified, the KDC creates a shared key for the nodes to use while communicating with each other. The KDC securely communicates this shared key to the participating nodes

Embodiments authenticate a user in response to receiving from a Kerberos key distribution center (“KDC”) a request to authenticate the user that includes a user identification (“ID”). Embodiments retrieve a user record corresponding to the user ID, the user record including a principal key. Embodiments decrypt the principal key using a tenant-specific encryption key and encrypt the decrypted principal key using a Kerberos master key to generate an encrypted principal key. Embodiments retrieve a password policy corresponding to the user ID. Based on the retrieved password policies, embodiments construct password state attributes and return to the KDC the encrypted principal key, the password policy and the password state attributes.

A key distributing method, a public key of key distribution centre online updating method, a key distribution centre, a communication entity and a key management system. The system includes: communication entities, a carrying device, a key distribution centre and a database, wherein the carrying device carries or transports the information during the key distributing course and the public key online updating course, the database stores whether each communication entity registered secret service; the database connects with the key distribution centre, the key distribution centre connects with the carrying device, and the carrying device connects with each communication entity. Using the cipher technology of public key, a key distribution system is provided based on principle of three-element peer authentication (TePA). The system safely distributes the communication key to each pair entities to enable keys have PFS attribute, reduces the key management complexity of the system, and realizes online updating of the public key of the trusted third party i.e. key distribution centre.

The invention discloses an attribute-based searchable encrypted electronic medical record system and an encryption method. The system comprises a key distribution center and a cloud storage center, wherein the key distribution center generates public parameters and a master key to initialize the system; the key distribution center generates and distributes keys containing user attributes to users;a data owner sets an access strategy before uploading medical record data, encrypts the data, and then uploads the data to the cloud storage center; a data visitor generates a trap door according tokeywords and the keys, and provides a query request to the cloud storage center; and after receiving the query request, the cloud storage center determines to return corresponding encrypted data to the data visitor according to the trap door and keyword ciphertexts. According to the scheme of the invention, the difficulty of key management in a multi-user environment can be reduced, data users canbe supported to accurately query the keywords of the ciphertexts, guessing attacks of the keywords can be resisted, and the leakage of privacy data can be effectively prevented.

The invention relates to a method for the distribution of an encryption key and the online innovation of a public key, which comprises the steps that: (1) a first entity produces a temporary public and private key pair; (2) a communication conversation encryption key exists between the first entity and a second entity; (3) an encryption key distribution center locally stored is utilized to carry out the signature verification of the public key; (4) the second entity produces a temporary public and private key pair; (5) a encryption key response message is formed and returned to the second entity; (6) the encryption key distribution center locally stored is utilized to carry out the signature verification of the public key; (7) the communication conversation encryption key is utilized by the first entity and the second entity to serve as a conversation encryption key to carry out secret communication. The method proposes a method that safely distributes communication encryption key to each pair of entity, causes the encryption key to have PFS property and lowers the complexity of the encryption key management of the system, and also supports the online innovation function of a public key of the encryption key distribution center which is the trusted third party.

The method includes steps: after receiving request for building encrypted call from calling terminal, switchboard sends request for applying encryption key to key distribution center (KDC); receiving the request, and passing through authentication of encrypting qualification, KDC generates calling and called encryption keys, which are returned back to switchboard; switchboard sends the calling and called encryption keys to calling party and called party respectively, and switchboard the mobile terminal locates on informs converter TC in bypass speech encoding format of base station controller; using the received encryption keys, the calling terminal and called terminal carry out encrypted speech communication. Based on network control being as center, the invention realizes point-to-point encrypted speech communication. Powerful function on network side provides advantages are: safety, reliable, flexible and enhanced extensibility.

The invention discloses a data sharing method and system. The method comprises the following steps that: a plurality of secret key distribution center is constructed by using a unified common parameter; on the basis of the common parameter, each secret key distribution center generates an attribute public key corresponding to an attribute of a user; a corresponding secret key is generated based on a user attribute of a data visitor; a data sharer constructs an access strategy according to an access limit demand of shared data; encryption is carried out on the shared data by using an encryption secret key to generate a ciphertext; on the basis of the access strategy and the corresponding attribute public key, the encryption secret key is encrypted to generate a ciphertext public key; and the ciphertext is decrypted according to the ciphertext public key and a private key of the data visitor meeting the access strategy. Compared with the prior art, the safety performance of the system can be substantially improved with the method; and on the premise that safety is not reduced, the computational work of the method can be substantially reduced.

A security provider is presented that integrates a Java based application server with Kerberos security protocol. The security provider includes a login module, a JMX MBean, an MBean definition file and a security provider java class. The JMX MBeans can contain various options that contain configuration information for the login module. The login module is responsible for authenticating the users by obtaining the user name and password, creating encryption keys, sending requests to the Kerberos key distribution center and receiving a ticket granting ticket encrypted with the user's password. The login module can then create an authenticated principal and add it to the subject associated with the user. The ticket granting ticket can also be added to the subject's private credentials. The security provider also supports the persistence of Kerberos credentials into a file based credentials cache.

The disclosed method is applicable to soft switching system composed of switchboard, cipher key distribution center, controller of base station, public telephone switching network, and encrypted gateway when a call is built for both calling party and called party, and normal communication is carried out. The method also includes following steps: receiving switching request, switchboard determines current communication mode; if the current mode is plain mode, then switchboard at the party, who initiates switching request, applies to cipher key distribution center for cipher key, and switches plain mode to cipher mode; if the current mode is cipher mode, then switchboard at the party, who initiates switching request, sends message for closing cipher mode to another party, and switches current mode to plain mode, and closes cue tone. Plain mode and cipher mode can be switched by initiating switching request by calling party without interrupting normal communication in the invention.

The invention provides a quantum and classical integrated communication network system and a key distribution method thereof. The system adopts a three-layer mechanism, from the quantum key generationof a quantum layer to the storage and forwarding of a key management layer, and terminal application of an application layer, the functionality of each layer is clear, and the more appropriate QKD can be selected according to the application layer quantum group terminal, the communication distance, the key rate and like requirements; an engineering modularization system is more flexible and convenient to facilitate the industry standardization and the large-scale market application; the key distribution method provided by the invention adopts a dynamic distribution technology, namely, the request-distribution online distribution technology, a session mechanism is established according to a request and key distribution center of the terminal, and the key distribution can be efficiently accomplished in real time.

The invention discloses an identity authentication apparatus on a PaaS platform. The identity authentication apparatus is used for authenticating the identities of users who are to access applications on the PaaS platform; the identity authentication apparatus includes a key distribution center which is used for authenticating the users according to access strategies made by the developers of the applications, and distributing tickets; the key distribution center includes an authentication server; and the authentication server is configured to receive verification requests from the users, to determine protocols to which the identities of the users belong, to determine the verification modes of the users according to the protocols and transmit first granting tickets to the users after successful verification. The invention also discloses a PaaS platform-based identity authentication method.

The invention relates to an authentication method based on a public key encryption system, applied to an environment of instant message communication, network telephone and the like. The authentication method comprises identity authentication and shared session key generation. The authentication method mainly consists of three roles: a sender A, a receiver B, and a key distribution center. In a protocol execution process, the sender A and the receiver B complete the mutual identity authentication with the key distribution center and the mutual authentication between the sender A and the receiver B through the interaction with the secret key distribution center, in the period, the sender A and the receiver B respectively receive a shared session key generated by the secret key distributioncenter, and the authentication party also receives the shared session key so as to use the shared session key to encrypt and decrypt communication contents in the next stage of information interaction. By adoption of the authentication method provided by the invention, the security requirements of the authentication protocol are fully met, the old message playback can be prevented, and the identity impersonation attacks are defended.

The invention discloses an Internet of Things terminal card binding, network access authentication and service authentication method and device, which are used for solving the problems of a complex authentication process and a high cost of Internet of Things equipment in the prior art. The Internet of Things terminal card binding method comprises the following steps: receiving a card writing request sent by an Internet of Things terminal, wherein the card writing request carries an international mobile equipment identifier (IMEI) of the Internet of Things terminal, distributing the IMSI for the Internet of Things card, carrying the distributed IMSI in a key request, sending the key request to a key distribution center, receiving a private key which is sent by the key distribution center and is calculated and generated by utilizing a preset algorithm according to the IMSI, storing the corresponding relationship between the IMEI and the IMSI in an authentication server, sending the IMSIand the private key to the Internet of Things terminal, and enabling the Internet of Things terminal to write the IMSI, the IMEI and the private key into the Internet of Things card for machine-card binding.