207 results about "Key server" patented technology

Encryption-based data access management may include a variety of processes. In one example, a device may transmit a user authentication request for decrypting encrypted data to a data storage server storing the encrypted data. The computing device may then receive a validation token associated with the user's authentication request, the validation token indicating that the user is authenticated to a domain. Subsequently, the computing device may transmit the validation token to a first key server different from the data storage server. Then, in response to transmitting the validation token the computing device may receive, from the first key server, a key required for decrypting the encrypted data. The device may then decrypt at least a portion of the encrypted data using the key.

A packet-switched communications device in an enterprise network is provided. The packet-switched communications device has a corresponding unique identifier, such as an address or extension. The device includes a processor operable to (a) establish a secure communications session with a key generating agent in the enterprise network; (b) provide, to the key generating agent through the session, the unique identifier of the communications device; and (c) receive, from the key generating agent through the session, a secret key and a key identifier. An application server authenticates the packet switched device using the secret key. After authentication is successful, secure communications is established between the packet switched device and the application server.

Methods, apparatuses, media and signals for facilitating secure communication between a first device and a second device are disclosed. One method includes automatically identifying a common key server potentially accessible by both the first and second devices, and obtaining a secure private key from the common key server, for use in encrypting communications between the first and second devices. Identifying may include identifying as the common key server, a key server at an intersection of a first communication path defined between a first key server having a previously established relationship with the first device and a master key server, and a second communication path defined between a second key server having a previously established relationship with the second device and the master key server. Obtaining may include obtaining a plurality of private keys and blending the keys to produce a final private session key.

A system for maintaining a secure content library includes a server, which manages requests for copyrighted content and encrypts the content using a key server, which generates unique keys and associates the keys with the copyrighted content to create a token. A gateway receives the token and interacts with the server over a network. A client storage box interacts with the gateway to decode the token in accordance with a security protocol and sends a content key back to the server to enable the content to be downloaded and decoded, the storage box including memory for storing downloaded content. The client storage box has a use key that is updated by the server after a predetermined number of accesses to the content to enable further accessing of the content.

A security server system and method permitting participants acting as the source or destinations for a message or a conversation with multiple messages to securely communicate the messages. The messages have a message header and a message content. A message router connects the participants via a network and delivers the message between the participants based on the message header. A key server creates, stores, and releases conversation keys that the participants use to protect the message content of the message.

A method and system for transmission of digital content via e-mail with point of use digital rights management is disclosed. The secured access rights to the digital content may be customized for individual recipients by the sender, and may evolve over time. The access rights are enforced according to a time-dependent scheme. A key server is used to arbitrate session keys for the encrypted content, eliminating the requirement to exchange public keys prior to transmission of the digital content. During the entire process of transmitting and receiving e-mail messages and documents, the exchange of cryptographic keys remains totally transparent to the users of the system. Additionally, electronic documents may be digitally signed with authentication of the signature.

A system (100) for authentication in a wireless local area network (WLAN) includes a CDMA2000 authentication center (190) for authenticating CDMA2000 credentials (110), a WLAN authentication server (150) for using the CDMA2000 credentials to authenticate WLAN devices holding CDMA2000 credentials, and at least one WLAN device (130) holding CDMA2000 credentials. The WLAN server (150) performs a CDMA2000 global challenge and response (213) and a CDMA2000 unique challenge and response (223) with a WLAN device to obtain a CDMA2000 encryption key (233). The WLAN server (150) derives a master key from the CDMA2000 encryption key (234) and uses the master key to perform a WLAN challenge and response (237) with the WLAN device (130) and then derives session keys from the master key (240). The session keys protect communications between the WLAN access point (140) and the WLAN device (130).

In an automated data storage library, selective encryption for data stored or to be stored on removable media is provided. One or more encryption policies are established, each policy including a level of encryption one or more encryption keys and the identity of one or more data cartridges. The encryption policies are stored in a policy table and the encryption keys are stored in a secure key server. A host requests access to a specified data cartridge and the cartridge is transported from a storage shelf in the library to a storage drive. Based on the identity of the specified cartridge the corresponding encryption policy is selected from the table and the appropriate encryption key is obtained from the key server. The storage drive encrypts data in accordance with the key and stores the data on the media within the specified data cartridge.

A method for providing authenticated access to an encrypted file system includes generating a first seed; providing a request for a key to a key server, the request including at least a first seed block having a first encryption, a message block having a second encryption, and an encryption encapsulation block having a third encryption, the encryption encapsulation block including information for decrypting the message block; at the key server, decrypting the encryption encapsulation block and using the information therein to decrypt the at least a first seed block and the message block; and authenticating the message if the first seed in the at least a first seed block matches a first predetermined seed.

A method of inter-area rekeying of encryption keys in secure mobile muiticast communications, in which a Domain Group Controller Key Server (Domain GCKS) distributes Traffic Encryption Keys (TEK) to a plurality of local Group Controller Key Servers (local GCKS), and said local Group Controller Key Servers forward said Traffic Encryption Keys, encrypted using Key Encryption Keys (KEK_i, KEK_j) that are specific to the respective local Group Controller Key Server (local GCKS_i, GCKS_j), to group members, said local Group Controller Key Servers (GCKS_i, GCKS_j) constituting Extra Key Owner Lists (EKOL_i, EKOL_j) for group key management areas (area_i, area_j) that distinguish group members (MM_i, MM_j) possessing Key Encryption Keys (KEK_i, KEK_j) and situated in the corresponding group key management area (area_i, area_j) from group members (MM_ij) possessing Key Encryption Keys (KEK_i) that were situated in the corresponding group key management area (area_i) but are visiting another area (area_j).

A method is disclosed for enabling stateless server-based pre-shared secrets. Based on a local key that is not known to a client, a server encrypts the client's state information. The client's state information may include, for example, the client's authentication credentials, the client's authorization characteristics, and a shared secret key that the client uses to derive session keys. By any of a variety of mechanisms, the encrypted client state information is provided to the client. The server may free memory that stored the client's state information. When the server needs the client's state information, the client sends, to the server, the encrypted state information that the client stored. The server decrypts the client state information using the local key. Because each client stores that client's own state information in encrypted form, the server does not need to store any client's state information permanently.

A method for establishing a security association between a client and a service node for the purpose of pushing information from the service node to the client, where the client and a key server share a base secret. The method comprises sending a request for generation and provision of a service key from the service node to a key server, the request identifying the client and the service node, generating a service key at the key server using the identities of the client and the service node, the base secret, and additional information, and sending the service key to the service node together with said additional information, forwarding said additional information from the service node to the client, and at the client, generating said service key using the received additional information and the base key. A similar approach may be used to provide p2p key management.

Provided are a computer program product, system and method for a redundant key server encryption environment. A key server transmits public keys associated with the key server and at least one device to at least one remote key server. The key server receives from the at least one remote key server public keys associated with the at least one remote key server. The key server receives a request for an encryption key from a requesting device comprising one of the at least one device and generates the encryption key for use by the requesting device to unlock a storage. The key server generates a first wrapped encryption key by encrypting the encryption key with a requesting device public key associated with the requesting device. The key server generates a second wrapped encryption key by encrypting the encryption key with a public key associated with the key server. At least one additional wrapped encryption key is generated for each of the at least one remote key server by encrypting the encryption key with the at least one public key provided by the at least one remote key server. The key server transmits the first, second and the at least one additional wrapped encryption key to the requesting device.

A data processing system stores encrypted data. Object identifiers are assigned to storage objects, and data encryption keys are assigned to the storage objects. When performing an operation upon a storage object, data encryption key failure may occur due to a corrupt or incorrect key. In this case, a copy of the data encryption key is fetched from a key server. It is possible for the association of the object identifiers with the data encryption keys to become lost or confused, so that the key server may fail to provide the correct key for a specified object identifier. Therefore, an absolute key identifier that is unique across the key server namespace also is stored in association with the object identifier in the storage system and in the key store of the key server, and the absolute key identifier is used as a failsafe for recovery of encrypted data.

A system is provided that uses identity-based encryption to support secure communications between senders and recipients over a communications network. Private key generators are used to provide public parameter information. Senders encrypt messages for recipients using public keys based on recipient identities and using the public parameter information as inputs to an identity-based encryption algorithm. Recipients use private keys to decrypt the messages. There may be multiple private key generators in the system and a given recipient may have multiple private keys. Senders can include private key identifying information in the messages they send to recipients. The private key identifying information may be used by the recipients to determine which of their private keys to use in decrypting a message. Recipients may obtain the correct private key to use to decrypt a message from a local database of private keys or from an appropriate private key server.

The present invention includes one or more clients in communication with a server. The client desires to send a storage construct to the server for storage. The client negotiates a transmission key with the server. The client generates a storage key associated specifically with the storage construct. The client encrypts the storage construct using the storage key and encrypts the storage key using the transmission key. The encrypted storage construct and encrypted storage key are sent to the server. The server decrypts the storage key using the transmission key. The server stores the storage construct on a storage device separate from a storage device storing the storage key. Preferably, any changes to the storage construct location, the storage key location, or the storage construct name are tracked and proper modifications are made to an association relating the location of the storage construct and the location for the corresponding storage key.

Disclosed is a key download and management method, comprising: a device end authenticating the validity of an RKS server by checking the digital signature of a public key of an operating certificate of the RKS server; the RKS server generating an authentication token (AT); after being encrypted with a device identity authentication public key of the device end, returning a ciphertext to the device end; after being decrypted by the device end with a device identity authentication private key thereof, encrypting the ciphertext with the public key of the operating certificate and then returning same to a key server; after being decrypted with a private key of the operating certificate, the key server contrasting whether the decrypted authentication token (AT) is the same as the generated authentication token (AT); and if so, indicating that the POS terminal of a device is valid, thereby realizing bidirectional identity authentication.

A method for establishing a security association between a client and a service node for the purpose of pushing information from the service node to the client, where the client and a key server share a base secret. The method comprises sending a request for generation and provision of a service key from the service node to a key server, the request identifying the client and the service node, generating a service key at the key server using the identities of the client and the service node, the base secret, and additional information, and sending the service key to the service node together with said additional information, forwarding said additional information from the service node to the client, and at the client, generating said service key using the received additional information and the base key.

There is provided a content data delivery system including a playback equipment that is adapted to be able to decrypt a content data encrypted with a content key data and to play back the decrypted content data and that holds an equipment ID to identify itself; a handheld device that is adapted to be able to communicate data with the playback equipment and holds a handheld device ID to identify itself; and a server that delivers the content key data to the playback equipment via the handheld device. The server generates a first random number and transmits the first random number to the playback equipment via the handheld device. The playback equipment generates a second random number. The handheld device transmits to the server the equipment ID, handheld device ID, and second random number to provide a request for delivery of the content key data. The server and playback equipment use the first random number and second random number as a basis to generate a session key. The server uses the session key to encrypt the content key data and transmits the encrypted content key data to the playback equipment via the handheld device.

A system for communicating a message securely between a sender and a receiver. The sender provides a key server with a string specifying the receiver. The key server obtains a message key and a particular envelope encryption key corresponding with a particular envelope decryption key, encrypts the message key with the envelope encryption key (creating the envelope), and provides the envelope to the sender-client. The sender-client encrypts the message with the message key and provides it and the envelope to the receiver. The receiver-client receives these and asks an authentication server for the envelope decryption key. The authentication server obtains the envelope decryption key and provides it to the receiver. The receiver then decrypts the envelope with the envelope decryption key, to get the message key, and decrypts the message.

The invention belongs to the technical field in which a protocol is taken as the characteristic, and discloses a high-efficiency data re-encryption method and system supporting data deduplication anda cloud storage system. Before a user uploads data, the user consults with a key server to generate an MLE key, and the MLE key enables the same clear-text data to always obtain the same key; in a mode of establishing one access control tree for one file, a file key is distributed to a valid user; after the user encrypts data to obtain ciphertext by using the MLE key, the user uses the ciphertextas an input of CAONT and a new data block is output; and after re-encrypting one part of the newly generated data block, the user uploads the data block and stores the data block at a cloud service provider. According to the invention, a rescinding user can be prevented from continuously accessing sensitive data of a data owner; and computation cost when the data owner carries out re-encryption can be greatly reduced. Experiments show that by adopting the high-efficiency data re-encryption method and system supporting data deduplication and the cloud storage system which are disclosed by the invention, computation cost when the data owner carries out re-encryption is greatly reduced.

Systems and methods in which multiple key servers operate cooperatively to securely provide authorization codes to requesting devices. In one embodiment, a server cloud receives a device authorization code request and selects an “A server”. The “A server” requests authorization from one or more “B servers” and authorizes the “B servers” to respond. The “B servers” provide authorization to the “A server”, and may provide threshold key inputs to enable decryption of device authorization codes. The “A server” cannot provide the requested device authorization code without authorization from the “B server(s)”, and the “B server(s)” cannot provide the requested server authorization code and threshold inputs without a valid request from the “A server”. After the “A server” receives authorization from the “B server(s)”, it can provide the initially requested device authorization code to the requesting device.

The invention provides an information interaction method and system and smart key equipment. The information interaction method comprises the steps that a terminal generates and displays transaction order data and generates and issues a transaction request; a server receives the transaction request and generates transaction data; the server and the smart key equipment conduct session key negotiation operation, and a first session key and a second session key are generated respectively; the server uses the first session key to encrypt the transaction data, generates the encrypted transaction data and sends the encrypted transaction data to the terminal; the terminal receives the encrypted transaction data and sends the encrypted transaction data to the smart key equipment; the smart key equipment uses the second session key for decryption to obtain the transaction data, processes the transaction data, obtains second transaction key information and sends the second transaction key information to the terminal; the terminal displays the second transaction key information, generates a confirmation information after obtaining confirmation instruction and sends the confirmation information to the smart key equipment; the smart key equipment sends encrypted signature data to the terminal, and the terminals receives the encrypted signature data and sends the encrypted signature data to the server; the server uses the first session key to decrypt the encrypted signature data, obtains the signature data and conducts attestation operation.

The present invention re-encrypts encrypted content on a Video-on Demand (VoD) system. A device on the VoD system, such as a server, obtains the encrypted version of the content on the VoD system and the key, the first key, that was used to encrypt that version. The server decrypts the encrypted content using that key, re-encrypts the decrypted content using a second key, and provides the re-encrypted content to the VoD system, which provides it to a user. The server then deletes from its files any other version of the content, including any unencrypted, decrypted and re-encrypted version, and all keys, including the first and second key.