908 results about "Secure channel" patented technology

Methods of creating a secure channel over which credit card personalization data can be transmitted over the air (OTA) are provided. In particular, Generic Authentication Architecture (GAA) may be used to establish a secure communication channel between the user equipment (UE) and a personalization application server or bureau acting as a network application function (NAF) server. An user equipment, personalization application service (e.g., a NAF server), a system embodying a personalization application server and an user equipment, and a computer program product are also provided for creating a secure channel, such as via GAA, over which credit card personalization data can be transmitted OTA.

A method and system for enabling wireless devices distributed throughout an enterprise to be efficiently initialized for secure communications. The method and system utilize well known public key cryptography and machine unique identifiers to establish a secure channel and initialize the wireless devices.

Embodiments relate to systems and methods for automatically generating a system restoration order for network recovery. A set of managed machines, such as personal computers or servers, can be managed by a network management platform communicating with the machines via a secure channel. The network management platform can access a dependency map indicating a required order for restoration of machines or nodes on a network. The network management platform likewise access a reverse kickstart file for each machine to be automatically restored in order to ensure proper functioning of the network, and extract a current configuration of that machine for purposes of restoring the overall network.

The present invention provides systems and methods for supporting encrypted communications with a medical device, such as an implantable device, through a relay device to a remote server, and may employ cloud computing technologies. An implantable medical device is generally constrained to employ a low power transceiver, which supports short distance digital communications. A relay device, such as a smartphone or WiFi access point, acts as a conduit for the communications to the internet or other network, which need not be private or secure. The medical device supports encrypted secure communications, such as a virtual private network technology. The medical device negotiates a secure channel through a smartphone or router, for example, which provides application support for the communication, but may be isolated from the content.

Embodiments of the present invention provide a secure remote password reset capability. In some embodiments, an exemplary method provides a remote reset of a password associated with a token in a computer system having a security server. A token-based authentication process is activated by connecting the token to the security server. A server-based authentication process is initiated in the security server by activating a password reset process in a security client. The server-based authentication process communicates with the token-based authentication process over a secure channel. An authentication credential is managed by a third party agent that supplies a query and the authentication credential as a correct response to the query to the security server. A prompt provided by the password reset process collects the authentication credential and a new password. After the authentication credential is validated mutually authentication is performed between the security server and the token. The token is updated with the new password based on a successful result of the mutual authentication.

Problem The combination of a tendency towards permissivity when verifying certificate authenticity and the use of in-band client authentication opens up an opportunity for attackers to mount man-in-the-middle attacks on SSL connections.

Solution The invention exposes any discrepancy between the intended recipient of the client credential and the actual recipient of the client credential by cryptographically including parameters that are uniquely linked to the channel (i.e., the communication session, as characterized by the parameters of the protocols that are being used), preferably the channel end points, in the calculation of the client credential. This links the process that provides the secure channel (e.g., the SSL protocol session) to the process that provides the authentication credential (e.g., the OTP token operation), thus exposing any attack that would break up the client-server channel. This is achieved without the requirement for an additional encrypted tunnel and allowing the continued use of existing components such as existing browsers.

A block encryption method and schemes (modes of operation) that provide both data confidentiality and integrity with a single cryptographic primitive and a single processing pass over the input plaintext string by using a non-cryptographic Manipulation Detection Code function for secure data communication over insecure channels and for secure data storage on insecure media. The present invention allows, in a further aspect, software and hardware implementations, and use in high-performance and low-power applications, and low-power, low-cost hardware devices. The block encryption method and schemes of this invention allow, in yet a further aspect, encryption and decryption in parallel or pipelined manners in addition to sequential operation. In a yet further aspect, the block encryption method and schemes of this invention are suitable for real-time applications.

Systems, devices, and methods for establishing a secure session for the transmission of data from an input device to a remote server device is disclosed. The input device may be an electronic check scanner attached to a banking customer's home personal computer. The customer may visit a bank's Internet website using the web browser or other application on their personal computer, and then submit scanned images of check to the bank. The bank, however, to ensure security and prevent fraud, may wish to establish a secure session between the devices and components in the system before the image data may be scanned and transmitted.

A method for conveying e-mail traffic between an e-mail server (108) and a mobile terminal (102) which has an e-mail address (122A) under the e-mail server and permanent terminal identity (122B) and a temporary identity (122D) in an access network (114). A connectivity function (600) is operationally coupled to the e-mail server (108) and the access network (114). The connectivity function (120) encrypts e-mail traffic to the mobile terminal and decrypt e-mail traffic from the mobile terminal, by using encryption information (122C). The mobile terminal generates (2-1) a service activation code which comprises an identifier (124D) of the mobile terminal, encryption information (122C) and checksum information. The service activation code is conveyed (2-3, 2-4) via a secure channel (2-3) to an authenticating terminal (100), from which the identifier (124D) of the mobile terminal and the encryption information (122C) are conveyed to the connectivity function (600).

A method and system to support secure booting and configuration. The mechanism employs an optical link comprising a quantum channel that is used to send data encoded as quantum bits (qubits) via respective photons. Qubits encoded using a first random basis at the client and are sent to the boot server, which processes the qubits using a second random basis to extract the encoded data. A public channel is used to send data indicative of the second random basis to the client. A symmetric quantum key is then derived a both the client and the boot server using a comparison of the random basis' and the original and extracted data. The scheme enables the presence of an eavesdropper to be detected on the quantum channel. A DHCP message exchange is employed to obtain a network address, and, optionally, be provided with a network address for one or more boot servers. A boot image request is made to the boot server by the client, and a subsequent boot image is downloaded via a secure channel facilitated by the symmetric quantum key.

An optimized approach for arriving at a shared secret key in a dynamically changing multicast or broadcast group environment is disclosed. In one aspect of the invention, a method is provided for communicating through a secure channel between members of a dynamically changing multicast group connected over an insecure network. The method provides that a first shared secret key for establishing a first multicast group is computed that includes a set of one or more first members. Based on the first shared secret key, a first multicast group exchange key is also generated. Upon receiving a first user exchange key from a first user requesting entry into the first multicast group, a second secret key, based on the first user exchange key and the first shared secret key is computed. The first multicast group exchange key is sent to the first user and used by the first user to generate the same second shared secret key. Through the use of the second shared secret key a second multicast group is established whose members include the first user and the set of one or more first members of the first multicast group as the second shared secret key provides a first secure channel for communicating between members of the second multicast group over the insecure network.

A system for providing a secure channel for communication comprises a client comprising a browser, a secure server and a browser component installed on the client that enables a user to establish a connection with the secure server, the browser component configured to generate a first token. The secure server is configured to generate a second token, and wherein the client is provided with access to the secure server upon verification of the first token and the second token.

A key management technique establishes a secure channel through an indeterminate number of nodes in a network. The technique comprises enrolling a smart card with a unique key per smart card. The unique key is derived from a private key that is assigned and distinctive to systems and a card base of a card issuer. An enrolled smart card contains a stored public entity-identifier and the secret unique key. The technique further comprises transacting at a point of entry to the network. The transaction creates a PIN encryption key derived from the smart card unique key and a transaction identifier that uniquely identifies the point of entry and transaction sequence number. The technique also comprises communicating the PIN encryption key point-to-point in encrypted form through a plurality of nodes in the network, and recovering the PIN at a card issuer server from the PIN encryption key using the card issuer private key.

This patent presents a method, apparatus and system for content protection and copyright management in digital video distribution over packet-based networks. The system consists of a distribution server and its agents. The distribution server first divides a digital video into parts and then processes them into public and control portions. The public and control portions are constructed in such a way that the public portion consists of the majority of the digital video while the control portion consists of only a small fraction of the video and other crucial information for restoring the video to its original format. The public portion is freely distributed without much restriction. In the absence of the control portion, the public portion cannot be decoded for video displaying. Thus, the control portion is delivered to an agent at a premise of authorized subscribers or viewers via a packet-based interactive secured channel at the time of restoring the full-length video content for displaying. An agent, which maintains the interactive secured channel with the distribution server, combines both public and control portions of a digital video back into its original format for displaying.

A mobile retail store structure transportable to a plurality of different locations includes a trailer construction configured both exteriorly and interiorly for housing a plurality of storage bins wherein products and/or parts can be stored. Each trailer is a self-sufficient module which includes doors at one end of the trailer unit for entry and exit thereto, portable stairs for providing access to the entry doors, opposed side doors and associated walkways for allowing coupling to additional similarly constructed trailers, extendable canopies for providing a secure passageway between the respective coupled trailers, and a generator/HVAC system for providing heating, cooling and electrical power to each trailer unit. In one embodiment, a terminal is provided to allow a user to either browse electronically various items for selection and/or sale, or access a self-service check-out station to complete a transaction. A plurality of terminals can be coupled to communicate with a master server terminal over a wired/wireless network.

Embodiments relate to systems and methods for interrogating one or more diagnostic targets using a remotely loaded image. A set of managed machines, such as personal computers or servers, can be managed by a network management engine communicating with the machines via a secure channel. The network management engine can access a selected diagnostic target to temporarily deactivate the installed native operating system on that target, insert a substitute operating environment, and remotely interrogate the target to perform hardware, software, security, or other diagnostics or installs. The network management engine can connect to the diagnostic target, extract security keys from the native operating environment, remotely load the substitute environment, and then perform diagnostic or provisioning activities while the native environment is deactivate and the diagnostic target is effectively off-network. Installations, diagnostics, or other activities that require the diagnostic target to be isolated from other machines can therefore be safely conducted.