In a method for enabling support for backwards compatibility in a User Domain, in one of a Rights Issuer (RI) and a Local Rights Manager (LRM), a Rights Object Encryption Key (REK) and encrypted REK are received from an entity that generated a User Domain Authorization for the one of the RI and the LRM and the REK is used to generate a User Domain Rights Object (RO) that includes the User Domain Authorization and the encrypted REK.

A mobile device receives a shared access key corresponding to a work machine. An access code is generated from the shared access key, and from a changing value (such as a time-sensitive value). The access code is transmitted to the work machine which, itself, calculates an access code based on the shared access key and based on the changing value. If the access code provided to the work machine and the access code generated by the work machine match one another, then the work machine unlocks corresponding functionality so that the operator can use the work machine.

A technique controls access to a resource. The technique includes deriving, by processing circuitry, a password based on a phrase/thought provided by a user. The technique further includes confirming with the user that the password is to control access to the resource. The technique further includes, after confirming with the user that the password is to control access to the resource, imposing a requirement that the user provide the password before obtaining access to the resource. Such a password may be formed by concatenating multiple words (e.g., four words) that may be unrelated to each other. Such a password may be relatively strong since the resulting concatenation would not be found in any dictionary, and since it would be an extremely difficult and time consuming endeavor to predict such a password by attempting to combine words from a dictionary to form the concatenations.

Binding a security token to a client token binder, such as a trusted platform module, is provided. A bound security token can only be used on the client on which it was obtained. A secret binding key (k.sub.bind) is established between the client and an STS. The client derives a key (k.sub.mac) from k.sub.bind, signs a security token request with k.sub.mac, and instructs the STS to bind the requested security token to k.sub.bind. The STS validates the request by deriving k.sub.mac using a client-provided nonce and k.sub.bind to MAC the message and compare the MAC values. If the request is validated, the STS generates a response comprising the requested security token, derives two keys from k.sub.bind: one to sign the response and one to encrypt the response, and sends the response to the client. Only a device comprising k.sub.bind is enabled to use the bound security token, providing increased security.

A method for a distributed storage network (DSN) includes retrieving a slice of a chunk for execution of a partial task, identifying a record configuration of the slice, facilitating processing of a partial task on at least one record of the slice, and when the slice includes a partial record, identifying a slice location of another slice that includes a remaining partial record corresponding to the partial record, and when the slice location is favorable, retrieving the other slice from the slice location, and facilitating processing of the partial task on at least one record of the other slice.

A method and system is provided that simplifies the key management by allowing personalization data protected for one chip model to be used to provision device with another chip model with different global hardware root keys. The solution minimizes the changes needed to be performed on the device during provisioning and remains secure.

Systems and methods are disclosed for implementing an educational mode on a portable computing device, such as a tablet computer, that is a single-user system, used serially by multiple users. Each user can have a separate user storage that may be encrypted. The computing device boots as a system user to a login screen. A first student user enters user credentials into the login screen. The computing device can reboot the user-space processes, while leaving the kernel running, rebooting the computing device as the first student user. When the first student user logs out, data to be synchronized to, e.g., the cloud, can be synchronized for the first student user while a second student user is logged into the device.

A method in a User Equipment (UE) of an Evolved Packet System (EPS) establishes a security key (K_eNB) for protecting Radio Resource Control/User Plane (RRC/UP) traffic exchanged with a serving eNodeB. The method comprises sending a Non-Access Stratum (NAS) Service Request to a Mobility Management Entity (MME), the request indicating a NAS uplink sequence number (NAS_U_SEQ). The method further comprises receiving an indication of the NAS_U_SEQ of the NAS Service Request sent to the MME, back from the MME via the eNodeB. The method further comprises deriving the K_eNB from at least the received indication of the NAS_U_SEQ and from a stored Access Security Management Entity-key (K_ASME) shared with said MME.

A lightweight network protocol provides mutual authentication and encryption of a communication channel in environments where the amount of computing resources available to the networked devices is constrained. When a new device is added to a network, the device contacts a registration service and provides information that is published via a device directory. The network entity locates the device via information provided by the device directory, and establishes an encrypted network connection with the device. A shared secret is established between the device and the network entity using a key-exchange protocol. Consecutive messages that are sent or received are encrypted or decrypted with a sequence of cryptographic keys generated based at least in part on the shared secret. Key-exchange parameters are added to message exchanges between the device and the network entity to facilitate regenerating the shared secret.

A server establishes a secure session with a client device where a private key used in the handshake when establishing the secure session is stored in a different server. During the handshake procedure, the server receives a premaster secret that has been encrypted using a public key bound with a domain for which the client device is attempting to establish a secure session with. The server transmits the encrypted premaster secret to another server for decryption. The server receives the decrypted premaster secret and continues with the handshake procedure including generating a master secret from the decrypted premaster secret and generating one or more session keys that are used in the secure session for encrypting and decrypting communication between the client device and the server.