H04L63/0457

Obscured retrieval sequence for information centric networking (ICN) encoded video streams

A method is implemented by a network device operating as a content node for securely distributing a content object over an information centric networking (ICN) network. The method implements a unique obscured retrieval sequence. The method includes receiving an interest for a chunk of the content object from a client device, where the chunk is identified with an obscured chunk identifier, translating the obscured chunk identifier into a general chunk identifier for the content object, and sending the chunk of the content object to the client device.

System and method for signaling segment encryption and key derivation for adaptive streaming

An apparatus for decoding a media stream includes a memory module and a processor module coupled to the memory module, wherein the memory module contains instructions that, when executed by the processor, cause the apparatus to perform the following: receive a media stream including segment signaling information and a plurality of segments, wherein the plurality of segments includes encoded and unencoded segments, and wherein the segment signaling information includes identification of at least two segment groups each including at least one segment; identify at least one segment group using the segment signaling information in the media stream; identify at least one segment decoding algorithm for the at least one segment group; identify at least one decoding key for the at least one segment group; and decode each encoded segment within the at least one segment group using the at least one segment decoding algorithm and the at least one decoding key.

ENCRYPTED-BYPASS WEBRTC-BASED VOICE AND/OR VIDEO COMMUNICATION METHOD
20170331798 · 2017-11-16

An encrypted-bypass webRTC-based voice and/or video communication method provides dynamic use of the encryption algorithms in WebRTC communication.

NETWORK FILE TRANSFER INCLUDING FILE OBFUSCATION
20170289237 · 2017-10-05

A method and associated system. A server computer selects a re-ordering scheme from one or more re-ordering schemes for re-ordering chunks of an original file. The server computer divides the file into the chunks. After the file is divided into the chunks, the server computer re-orders the chunks according to the selected re-ordering scheme to form an obfuscated file that includes the re-ordered chunks. The server computer sends, to a client computer, the obfuscated file along with a scheme access reference that enables the client computer to access the selected re-ordering scheme.

Media distribution system with manifest-based entitlement enforcement
09781077 · 2017-10-03

A method for enforcing entitlements includes configuring a wide variety of entitlements at a server; determining the applicable combination of entitlements for a given client request; sending entitlements to the requesting client securely; handling entitlement information securely on a plurality of client devices at run time; storing entitlement information securely on a plurality of client devices for offline use; and enforcing entitlements on a plurality of client devices. The method employs manipulation of manifest files by a proxy that may be included in the client device or located in the network.

MULTIPATH DEMULTIPLEXED NETWORK ENCRYPTION
20170244685 · 2017-08-24

An encryption application splits a data payload into multiple segments. Each of the segments is encoded using one of multiple encryption keys. The encryption keys may be selected from a pool of encryption keys tied to a user account. The encrypted segments are transmitted to a network destination using multiple parallel network paths.

SYSTEM AND METHOD FOR SECURELY TRANSMITTING NON-PKI ENCRYPTED MESSAGES
20220311612 · 2022-09-29

An embodiment of an automatic key delivery system is described. An automatic key delivery system comprises the following operations. First, a first token is generated and provided to a first network device. Thereafter, a first key value pair, including the first token and a first key segment of a cryptographic key, is received by a first relay server, and a second key value pair, including the first token and a second key segment of the cryptographic key, is received by a second relay server. In response, a second token is provided to the first relay server and the second relay server. Thereafter, the first and second key segments are returned from the first and second relay servers based on usage of the second token as a lookup, in order to recover the cryptographic key for decryption of encrypted content from the first network device.

Mechanisms for detection of and recovery from ciphering parameter mismatch on communication networks

Disclosed are methods and apparatus for detecting mismatch of ciphering parameters, such as Count-C, in a wireless device, and for recovery therefrom. The methods and apparatus for detection include examining a predefined ciphered field, such as a Length Indicator field, in one or more received Radio Link Control (RLC) Protocol Data Units (PDUs). Next, a determination of whether the field is invalid over a predetermined sample number of PDUs is performed. Mismatch of ciphering parameters can then be determined when the number of samples of the field detected as invalid exceeds a predetermined threshold. Additionally, recovery of PDUs after mismatch detection is disclosed: a range of Hyper-Frame Numbers (HFNs) is used to decipher buffered PDUs, and then each HFN is checked for whether it eliminates the parameter mismatch by again determining whether parameter mismatch occurs using the methods and apparatus for detection.

Method, network element, and mobile station for negotiating encryption algorithms

A method, network element, and mobile station (MS) are disclosed. The method includes: obtaining information that a plug-in card of the MS does not support a first encryption algorithm; deleting the first encryption algorithm from an encryption algorithm list permitted by a core network element according to the information that the plug-in card of the MS does not support the first encryption algorithm; sending the encryption algorithm list excluding the first encryption algorithm to an access network element, so that the access network element selects an encryption algorithm according to the encryption algorithm list excluding the first encryption algorithm and the MS capability information sent from the MS and sends the selected encryption algorithm to the MS. By using the method, network element, and MS, errors due to the fact that the plug-in card of the MS does not support an encryption algorithm may be avoided during the encryption process.

Authenticated device-based storage operations

Data storage operation commands are digitally signed to enhance data security in a distributed system. A data storage client and a compute-enabled data storage device may share access to a cryptographic key. The data storage client uses the cryptographic key to digitally sign commands transmitted to the data storage device, which can use its copy to verify a digital signature of a command before fulfilling the command. The storage device can also determine whether to perform a transformation, such that requests authenticated to a first identity might receive cleartext while a request authenticated to a second identity might receive ciphertext. The compute-enabled storage device can also receive unauthenticated calls and attempt to retrieve the appropriate key from a key management service or other such source.