H04L9/0844

SUBSCRIBER IDENTITY PRIVACY PROTECTION AGAINST FAKE BASE STATIONS

Techniques to protect a subscriber identity, by encrypting a subscription permanent identifier (SUPI) to form one-time use subscription concealed identifiers (SUCIs) using a set of one-time ephemeral asymmetric keys, generated by a user equipment (UE), and network provided keys are disclosed. Encryption of the SUPI to form the SUCIs can mitigate snooping by rogue network entities, such as fake base stations. The UE is restricted from providing the unencrypted SUPI over an unauthenticated connection to a network entity. In some instances, the UE uses a trusted symmetric fallback encryption key K_FB or trusted asymmetric fallback public key PK_FB to verify messages from an unauthenticated network entity and/or to encrypt the SUPI to form a fallback SUCI_FB for communication of messages with the unauthenticated network entity.

Pairing method between a multimedia unit and at least one operator, multimedia unit, operator and personalization entity for the implementation of this method

The present invention relates in particular to a pairing method between a multimedia unit and one operator having an operator identifier, the multimedia unit having a multimedia unit identifier and receiving conditional access data from said operator, the method being characterized in that: the multimedia unit receives a multimedia unit key formed by applying a first cryptographic function to a personalization key and to the multimedia unit identifier; the operator receives an operator key formed by applying a second cryptographic function to said personalization key and to the operator identifier; said multimedia unit further has a function of the multimedia unit and said operator further has a function of the operator, these functions being such that the result of applying the function of the operator to said operator key and to said multimedia unit identifier is equal to the result of applying the function of the multimedia unit to said multimedia unit key and to said operator identifier, this result forming a pairing key between said multimedia unit and said operator.

TECHNOLOGIES FOR SECURE I/O WITH MEMORY ENCRYPTION ENGINES

Technologies for secure I/O data transfer include a computing device having a processor and an accelerator. Each of the processor and the accelerator includes a memory encryption engine. The computing device configures both memory encryption engines with a shared encryption key and transfers encrypted data from a source component to a destination component via an I/O link. The source may be the processor and the destination may be the accelerator, or vice versa. The computing device may perform a cryptographic operation with one of the memory encryption engines and bypass the other memory encryption engine. The computing device may read encrypted data from a memory of the source, bypass the source memory encryption engine, and transfer the encrypted data to the destination. The destination may receive encrypted data, bypass the destination memory encryption engine, and store the encrypted data in a memory of the destination. Other embodiments are described and claimed.

Device authentication in collaborative content screening

Content screening operations, which can include watermark extraction and the application of content usage enforcement actions, may be organized such that some or all of the operations can be conducted by different devices that are connected via connectors such as HDMI (High-Definition Multimedia Interface), analog composite video, DVI (Digital Visual Interface), SDI (Serial Digital Interface), DisplayPort, or networked via Ethernet or wireless. Authentication and encryption methods are disclosed that can be used to establish the trust and secure communication between devices that conduct collaborative content screening. Delegation architecture may be based on ascertained screening capabilities of the sink device, wherein the source device verifies that the sink device is capable and trusted to perform partial or whole screening operations delegated by the source. Alternatively, delegation architecture may be based on ascertained screening capabilities of the source device, wherein the sink device verifies that the source device is capable and trusted to provide the correct content credential and content use policy (“content credential”) that is needed for the sink device to determine whether content screening should be performed and, if so, which content screening operations should be performed.

Private exchange of encrypted data over a computer network

A handshake message includes a field containing random data that is filled with data used to derive keying material on the source and destination computers. The data may be elliptic curve data and may include a representation of the data used by the destination computer to verify that elliptic curve data is present. The data may additionally include data for deriving second keying material on a second destination computer that the first destination computer forwards to the second computer, receives a response, and returns data from the response as part of its own handshake message.

Wireless Universal Interface

Systems and techniques for accessing and controlling field devices to collect data and convert protocols are disclosed herein. An example system to access a field device includes one or more processors, a transmitter, a wireless network interface controller, and a memory storing instructions that, when executed, may cause the field communicator device to retrieve process parameter data encoded in a field device transmission protocol. The field communicator device may retrieve the process parameter data at a plurality of time intervals from a field device, and the process parameter data may correspond to a process parameter for the field device. The field communicator device may also store at least some of the process parameter data, analyze the process parameter data over the plurality of time intervals to identify a condition of the field device, and transmit an indication of the condition of the field device to a remote device.

SECURE CONNECTIONS ESTABLISHMENT
20230070104 · 2023-03-09

According to one aspect is provided a method for establishing a secure connection between a client device and a network gateway. The method is performed by an access point. The method comprises establishing a first secure connection between the access point and the network gateway. The method comprises establishing a second secure connection serving as a virtual private network tunnel between the client device and the network gateway. There is also provided corresponding methods as performed by the client device and the network gateway.

Derived keys for connectionless network protocols
11469890 · 2022-10-11

Aspects of the disclosure relate to providing derived keys for connectionless network protocols. The derived key may be provided by receiving, at a host, a remote procedure call (RPC) sent by a remote host in response to a request by an application executing on the remote host. The host may generate a derived key from a region key, the region key being associated with an application-specific memory region on the host. The host may transmit the derived key to the remote host.

Authentication using key agreement
11626980 · 2023-04-11

A client may transmit an authentication request to a server. The server may initiate a key agreement process using a short-lived private key generated at the server and a public key of the device, generate a shared secret, and derive a symmetric key. The symmetric key may be used to encrypt a random challenge. Further, the server initiates a key agreement process for the client using the partial private key that was generated for the client and the short-lived public key generated at the server. A partial key agreement result and the encrypted random challenge may be transmitted to the client. The client may complete the key agreement process using the partial key agreement result and a respective portion of the private key. The client may derive the encryption key and decrypt the random challenge. An indication of the random challenge may be transmitted to the server, which authenticates the client.

Authentication method, authentication system, and controller

In an authentication method, a first controller generates a first group key, executes first mutual authentication with devices within a group, and shares the first group key with devices that have succeeded in the first mutual authentication. When a second controller joins the group, the first controller decides which coordinator manages a group key used in common. The first controller executes second mutual authentication with the coordinator, and shares the first group key with the coordinator when the second mutual authentication is successful. The coordinator performs encrypted communication within the group using the first group key, generates a second group key when the first group key's validity period runs out and before updating the first group key, executes third mutual authentication with the devices and a third controller, and updates the first group key of the devices and the third controller that have succeeded in the third mutual authentication.