1605 results about "Key generation" patented technology

A method of authenticating a user to use a system includes using a provider token to generate a random value. The token generates a derived key based at least in part on a token-provided salt value and a user-provided password. The provider generates a token unlock key based at least in part on the derived key and sends it to the token. First and second challenge data instances are generated by the provider and the token, respectively, and the process is terminated if the challenge data instances are determined not to match. If the challenge data instances are determined to match, then an encrypted data transfer system is established between the token and the provider, and the token unlocks locked private data stored on the token. The user is authenticated for secured use of the system based at least in part on the unlocked private data.

A secure method of conducting an electronic transaction over a public communications network is provided which utilizes a pseudo-expiration date in the expiration date field of an authorization request. One of the preferred methods comprises:

• • generating a per-card key associated with an account number;
  • generating a message authentication code using the per-card key;
  • converting the message authentication code into a pseudo expiration date;
  • generating an authorization request for the transaction, the request having an expiration date field containing the pseudo expiration date; and
  • verifying the message authentication code based on the pseudo expiration date.
  • Another embodiment of the invention includes a method of conducting an electronic transaction over a public communications network, with a payment account number having an associated pseudo account number, comprising:
  • (a) providing the pseudo account number with a control field indicating one of a plurality of key-generation processes to be used to generate an authentication key;
  • (b) generating an authentication key associated with the pseudo account number using one of the plurality of key-generation processes indicated in the control field of the pseudo account number;
  • (c) using the authentication key to generate a message authentication code specific to the transaction;
  • (d) generating an authorization request message including the message authentication code and the pseudo account number; and
  • (e) verifying the message authentication code using the indicated key-generation process and the authentication key.

A secure disk drive is disclosed comprising a disk for storing data, and an input for receiving an encrypted message from a client disk drive, the encrypted message comprising ciphertext data and a client drive ID identifying the client disk drive. The secure disk drive comprises a secure drive key and an internal drive ID. A key generator within the secure disk drive generates a client drive key based on the client drive ID and the secure drive key, and an internal drive key based on the internal drive ID and the secure drive key. The secure disk drive further comprises an authenticator for verifying the authenticity of the encrypted message and generating an enable signal, the authenticator is responsive to the encrypted message and the client drive key. The secure disk drive further comprises a data processor comprising a message input for receiving the encrypted message from the client disk drive, and a data output for outputting the ciphertext data to be written to the disk. The data processor further comprises an enable input for receiving the enable signal for enabling the data processor, and a key input for receiving the internal drive key, the internal drive key for use in generating a message authentication code. The data processor outputs reply data comprising the message authentication code. The secure disk drive outputs a reply to the client disk drive, the reply comprising the reply data and the internal drive ID.

A system for securing an integrated circuit chip used for biometric sensors, or other electronic devices, by utilizing a physically unclonable function (PUF) circuit. These PUF functions are in turn used to generate security words and keys, such as an RSA public or private key. Such a system can be used to protect biometric security sensors and IC chips, such as fingerprint sensors and sensor driver chips, from attack or spoofing. The system may also be used in an efficient method to produce unique device set-up or power-up authentication security keys. These keys can be generated on a low frequency basis, and then frequently reused for later security verification purposes. In operation, the stored keys can be used to efficiently authenticate the device without the need to frequently run burdensome security key generation processes each time, while maintaining good device security.

In one embodiment, the invention provides a portable wireless personal communication system for cooperating with a remote certification authority to employ time variable secure key information pursuant to a predetermined encryption algorithm to facilitate convenient, secure encrypted communication. The disclosed system includes a wireless handset, such as PDA, smartphone, cellular telephone or the like, characterized by a relatively robust data processing capability and a body mounted key generating component which is adapted to be mounted on an individual's body, in a permanent or semi-permanent manner, for wirelessly broadcasting, within the immediate proximity of the individual, a secret or private key identifying signal corresponding to a time variable secure key information under the control of the certification authority. The key identifying signal is generated in a format that facilitates secure wireless communication with the individual in accordance with a predetermined encryption algorithm including a PKI encryption algorithm. The disclosed system may be used with a console for coordinating access to a variety of different communication system and networks.

Provided is a communication device which securely registers a slave unit. A secret address generation and setup section generates a secret address generator, and a secret address of the slave unit used temporarily instead of a unique address of the slave unit based on the secret address generator and identification information of the slave unit. A second communication section transmits to the slave unit a registration start notice containing the secret address generator by broadcast. A registration process section generates a registration authentication key; generates a unique key of the slave unit by transmitting/receiving, to/from the slave unit, unique key generation information encrypted using the registration authentication key; receives, from the slave unit, the unique address of the slave unit encrypted using the registration authentication key; and stores the identification information in association with the unique address and the unique key of the slave unit in the registration information storing section.

The present invention Includes using an embedded SIM (eSIM) associated with a newly-opened mobile network operator (MNO) system and a receiving MNO system, the method performs the steps of: generating a security domain (SD) for a receiving MNO on the basis of a request from the newly-opened MNO system; injecting a prior SD key value; installing a secure applet for key generation and secure arithmetic operations, injecting a new SD key value on the basis of a request from the receiving MNO, and transmitting only a public key to the receiving MNO system after generating key pairs for the receiving MNO; and decoding a receiving MNO profile with a private key corresponding to the public key after receiving the receiving MNO profile from the receiving MNO system or the newly-opened MNO system.

A content management system integrated with a web caching proxy that delivers content according to access control rules. An access control token is generated using a secret key when a user selects a desired object (to be provided only upon token validation, thus the object retrieval and delivery task can be delegated). However, tokens for other content and/or for other users could be generated by a rogue resource manager. If the desired object is already cached, the proxy asks the resource manager to validate the token and then selectively provides the desired object without contacting a library server. Alternately, the proxy itself performs the token validation, but must coordinate with the library server to ensure it has the latest secret key. Finally, the tokens may contain digital signatures generated with a private key and validated with a corresponding public key, so that private keys need not be distributed.

The present invention relates to a method to manage a One Time Password key, referenced OTP key, used in an OTP algorithm in a user device having access to an unsafe storage including the steps of retrieving a Personal Identification Number, named PIN, of a user of the user device, deriving a symmetric key from the PIN, encrypting the OTP key using the derived symmetric key, storing the encrypted OTP key in the unsafe storage, decrypting the OTP key using the derived symmetric key, and generating a next OTP key using an incremental parameter, wherein the start value of the incremental parameter of the OTP key generation is random.

System and techniques for protecting wireless communication systems from blended electronic attacks that may combine wireless and computer attacks. One embodiment is an integrated hardware and software firewall/protection system that provides a protection scheme that may include an additional functional processing layer between the hardware firewall and a mobile terminal. This additional functional processing layer performs an extra layer of communications and security processing, including such features as management of Internet Connection Firewall (ICF) functions, key generation for firewall and virtual private network (VPN) functions, and packet inspection and filtering.

As various applications of wireless ad hoc network have been proposed, security has become one of the big research challenges and is receiving increasing attention. The present invention provides for a distributed key management and authentication approach by deploying the recently developed concepts of identity-based cryptography and threshold secret sharing. Without any assumption of pre-fixed trust relationship between nodes, the ad hoc network works in a self-organizing way to provide the key generation and key management service, which effectively solves the problem of single point of failure in the traditional public key infrastructure (PKI)-supported system. The identity-based cryptography mechanism provided not only to provide end-to-end authenticity and confidentiality, but also saves network bandwidth and computational power of wireless nodes.

A digital cryptograph and encryption process encrypts and transmits in a digital format specific items of information requested by a user of a digital content transmission system by using key information, a user's key and a temporary validation key, to decrypt and replay the encrypted digital information at the user's terminal by using the key information and the user's authorization information. Each registered subscribing user is provided with unique key information. The user key is generated by applying the key information to a key generation algorithm. The temporary validation key that is created when the registered user accesses the server, is encrypted with the user key. The digital information is encrypted by using the temporary validation key in an encryption algorithm. The decryption algorithm allows the user to decrypt and replay the encrypted digital information upon receipt of the key information that has a one-to-one correspondence to the identity characters of the registered subscribing user.

Apparatus, methods and computer program products incorporate improvements that provide enhanced security during handovers in a cellular wireless communications network. In one aspect, user equipment performs additional operations during handover to improve security. During such operations, user equipment begins key generation based on a predicted target base station before it is notified of the handover decision. User equipment also signs certain communications generated during handover operations to prevent hijacked base stations from generating false location updates. Separate keys are used to authenticate communications made by base stations during handover proceedings defeating, for example, logical theft of service attacks since a target base station's signature and encrypted content is required to be sent to the user equipment before the user equipment can switch to the target base station. In other aspects, user equipment assigns location updates sequence numbers and the active gateway keeps track of them defeating attacks based on replay of intercepted location update messages.

A method and architecture for secure transmission of data within optical-switched networks. In one embodiment, the optical switched network comprises a photonic burst-switched (PBS) network. Under various schemes, security keys including encryption and decryption keys are generated by edge nodes and the decryption keys are distributed to other edge nodes in a PBS network. In one embodiment, the security keys are dynamically generated by a trusted platform module (TPM). A source edge node uses its encryption key to encrypt selected data bursts to be sent to a destination edge node via a virtual lightpath coupling the source and destination edge nodes. Security data are embedded in a control burst header indicates to the destination node whether corresponding data bursts sent via the virtual lightpath are encrypted. The security data also includes the decryption key and may also identify an encryption/decryption algorithm to be used. In some embodiments, public key infrastructure facilities are used in conjunction with employment of private and public keys and digital certificates.

A system for increasing transaction security across existing infrastructure is provided. A user bio-metric sensor device is integrated into a credit or debit card. A display unit provides a key, preferably encrypted, upon successful utilization of the sensor device. Included in the key generation mechanism is an indicator of the transaction number or other sequential count indicative of card use. An authorization service decrypts the key in a manner at least partially dependent upon a second sequential count maintained in sync with the first count to determine whether the use is authorized.

An approach for protecting digital contents includes a content delivery phase wherein a client stores digital contents or retrieves them in streaming, transmits to a user device the digital content in a protected format along with an enabling code for enabling the user device to access or read the protected digital content. The approach includes a key generation phase in a DRM (Digital Right Management) server which derives at least one key for encrypting the digital contents. A key transmission phase involves the derived key being transmitted from the DRM server to the client. For decrypting the digital content, the user device requests the key from the DRM server, with the request including a key identification defined by the enabling code transmitted by the client to the user device which is used by the DRM server to derive the key for the user device.

A digital measurement apparatus measures a physical measurement object, provides a digital signature of public-key cryptography to measured data of a thus-measured physical quantity, and manages the measured data. The apparatus generates at least a pair of a public key and a private key, to be used for the digital signature of the public-key cryptography, through a key generating algorithm.

A method and system for delegation of security procedures to a second domain. A first key is generated for a mobile node. The first key is stored at the mobile node and at a home domain of the mobile node. The mobile node is moved to the second domain. A request is sent from the second domain to the home domain to authenticate the mobile node. A second key is generated at the home domain using the first key and a random number. The random number and the second key are sent to the second domain. The random number is sent to the mobile node by the second domain. The mobile node generates the second key using the random number and the first key. The second key is used for authentication procedures and/or key derivation procedures between the mobile node and the second domain.

A secure embedded system that uses cryptographic and biometric signal processing acceleration is described. In one embodiment, the secure embedded system is configured as a wireless pay-point protocol for brick-and-mortar and e-commerce applications in which biometric information is localized and does not require transmission of biometric data for authentication. In one embodiment, a key-generation function uses a dynamic key generator and static biometric components. In one embodiment, an embedded system design methodology provides hardware and software acceleration transparency.

A method is provided for generating on-demand cryptographic keys in a vehicle-to-vehicle communication system. At least one unique identifier is obtained relating to a user of the vehicle. The host vehicle generates cryptographic keys for encrypting, decrypting, and authenticating secured messages between the host vehicle and at least one remote vehicle in the vehicle-to-vehicle communication system. The cryptographic keys are generated as a function of the at least one unique identifier. A respective cryptographic key used to decrypt or encrypt messages communicated between the host vehicle and the at least one remote entity is temporarily stored in a memory device of the host vehicle. The host vehicle utilizes the respective cryptographic key to decrypt or encrypt a secure message transmitted between the host vehicle and the remote vehicle. The respective cryptographic key temporarily stored in the memory device of the host vehicle is deleted after the vehicle-to-vehicle communications of the host vehicle is disabled.

An encryption communication system, comprising a communication relay device that connects a first network and a second network, for encrypting a communication within the first network and a communication within the second network in a network system configured so that communications are performed between a client in the first network and a server in the second network via the communication relay device, wherein the communication relay device comprises key generation unit generating an encryption key and a decryption key with respect to the client, and key transfer unit transmitting the encryption key and the decryption key to the server, and the server comprises frame receiving unit decrypting a receipt frame by use of the decryption key, and frame transmitting unit encrypting the frame by use of the encryption key and thus transmitting the frame.

A method and apparatus of transmitting data using authentication between a first device and a second device are provided. The method includes transmitting an encrypted certificate of the first device using a shared key shared by the first device and the second device, receiving authentication key generation information for generating an authentication key, which is received when it is determined that the certificate of the first device is valid and not revoked, generating a first random number and generating an authentication key based on the first random number and the authentication key generation information, and encrypting and transmitting data using the authentication key.

Cryptographic communication between communication terminals can be realized even when a plurality of cryptographic algorithms are present, and secure cryptographic communication for a longer time is realized without increasing a processing overhead at each of the communication terminals. A key management server manages cryptographic algorithms that can be used by each of the communication terminal, and searches for a cryptographic algorithm common to the communication terminals, and notifies each of the communication terminals of the cryptographic algorithm found by the search together with plural key generation informations, each piece containing a key to be used in the cryptographic algorithm or a key type for generating the key. Each of the communication terminals sequentially switches the plural key generation informations notified from the key management server, and performs the cryptographic communication with a communication counterpart in accordance with the cryptographic algorithm notified from the key management server.

A cryptographic method and related implements the Rijndael—AES encryption standard. In one improvement, the decryption round keys are generated on a round by round basis from the final Nk round keys saved from a previous encryption key scheduling operation. Latency and memory requirements are thereby minimized. S-boxes for the AES key generation and cipher operation itself, may be implemented multiple times in different ways with different power signatures, with a pseudo-random selection of the pathway for the different bytes to be substituted. The premix operation occurs simultaneously with the generation of first round keys, and a dummy circuit with substantially identical timing as the real premix circuitry adds power consumption noise to the premix.

A technique for securing message traffic in a data network using a protocol such as IPsec, and more particularly various methods for distributing security keys where key generation, key distribution, policy generation and policy distribution are separated, with inner to outer header replication on packet traffic. The approach permits encrypted messages to travel seamlessly through various otherwise unsecured internetworking devices.

Software applications are provided for integrating individual multi-sourced patient healthcare transaction data records in a longitudinal database. The data records are processed in a manner which preserves patient privacy by encrypting patient-identifying attributes in the data records and thereby rendering sensitive personal information inaccessible. The applications, which may be organized as modules using common frame work components, are designed to process the multi-sourced data records at data supplier sites and at a common database assembly facility. The applications provide the data supplier sites and the database facility with methods for acquiring attributes, standardizing formats, encryption key generation, and encrypting and decrypting attributes in the data records. The encryption application provides methods for double encryption of the data records at data supplier sites using a key specific to a data supplier and a key specific to the database facility.

A system and method that grants a token to authenticate a user requesting access to an application in a domain is disclosed. The method includes receiving a response from an identity (ID) provider in a second domain responsive to a first request from a user to access an application provided by an application server in a first domain, the response indicating the authenticity of the user in the second domain, randomly selecting a first key and a second key from a key store, generating a secret by randomly permuting the first key and the second key, generating a signature by signing user information associated with the user using the secret, generating an authentication token including the signature, determining whether the authentication token is valid, and responsive to determining that the authentication token is valid, granting access to the first application to the user based on the authentication token.

The present invention defines a strong authentication token for generating different dynamic credentials for different application providers comprising an input interface providing an output representing an application provider indicator; a secret key storage for storing one or more secret keys; a variability source for providing a dynamic variable value; a key providing agent for providing an application provider specific key as a function of said application provider indicator using one or more keys stored in said secret key storage; a cryptographic agent for cryptographically combining said application provider specific key with said dynamic variable value using symmetric cryptography; a transformation agent coupled to said cryptographic agent for transforming an output of said cryptographic agent to produce a dynamic credential; and an output interface to output said dynamic credential.

The present invention defines furthermore a method to manage the secret keys of strong authentication tokens that can generate dynamic credentials for more than one supported application provider or application provider group using different secret keys for each supported application provider or application provider group comprising generating for each of a batch of strong authentication tokens a token specific master key; personalising each token of said batch with the token specific master key associated with said token; generating for each of a plurality of supported application providers or application provider groups a set of application provider specific token keys, one application provider specific token key for each token of said batch, whereby each application provider specific token key of each of said sets is derived from that token's token specific master key and a unique identifier or indicator of that application provider or application provider group; providing to each application provider or an entity that is responsible for the verification on behalf of said application provider of the dynamic credentials that are generated for said application provider, the corresponding set of application provider specific token keys.

A system and method for facilitating secure client server communication using elliptical curve cryptography and certificateless public key infrastructure has been disclosed. The system includes a secret key generation means which generates a secret key of m-bits based on the elliptic curve diffie hellman algorithm. The system further includes a session key generation means which makes use of said secret key and elliptic curve diffie hellman algorithm to generate a session key. The session key is used to facilitate secured communication between the client and the server.

Improved system and approaches for centralized storage of access restrictions which are associated with public keys are disclosed. The access restrictions serve to limit access to files secured by a security system. According to one aspect of the present invention, identifiers, or encoded versions thereof, are used as public keys to identify particular access restrictions. The identifiers to the access restrictions are used in a decentralized manner for public keys, while the access restrictions themselves are maintained in a centralized manner. As compared to the access restrictions, the public keys based on identifiers tend to be smaller and more uniform in size. The centralized storage of the access restrictions also facilitates subsequent changes to access restrictions for previously secured files. The improved system and approaches is particularly suitable in an enterprise environment.