Abstract: An access request is transmitted from a first device to a second device causing one or more security functions to be executed on the first device. Whether to grant the access request is based on a result of the executed one or more security functions.

Abstract: An occupancy state of access to a predetermined device when lock processing is to be executed is detected, and whether the lock processing is to be stopped is decided based on the result of the detection.

Abstract: A two-way actively stabilized QKD system that utilizes control signals and quantum signals is disclosed. Because the quantum signals do not traverse the same optical path through the system, signal collisions in the phase modulator are avoided. This allows the system to have a higher transmission rate than a two-way system in which the quantum signals traverse the same optical path. Also, the active stabilization process, which is based on maintaining a fixed relationship between an intensity ratio of interfered control signals, is greatly simplified by having the interferometer loops located all in one QKD station.

Abstract: Methods of securing a programmable logic device (PLD) when an intrusion attempt is detected, e.g., methods of erasing sensitive data from the PLD or disabling configuration of the PLD in response to an attack. For example, when an attempt is made to configure the PLD with an unauthorized bitstream, a decryption key stored on the PLD can be erased, or decryption logic in the PLD can be otherwise disabled. The criteria for assuming that an attack is in progress can include, for example, the lack of a cyclic redundancy check (CRC) value included with a configuration bitstream, an attempt to operate the PLD outside normal operating ranges, receipt of an incorrect CRC value, or receipt of a predetermined number of bitstreams including incorrect CRC values. In some embodiments, an error correction procedure is performed on the bitstream, thereby preventing most transmission errors from being incorrectly interpreted as an attack.

Abstract: A method and apparatus for device discovery and multi-mode security in a wired and/or wireless control network are described. A controlled device is configured with discovery-level instructions and application-level control instructions. The controlled device includes a user-configurable parameter for selecting between multiple security modes. In one or more security modes, the controlled device may ignore application-level messages until encrypted communications are established with a controller. In one mode, the encrypted communication is established with an encryption key exchange using a predetermined security key. In another mode, a specific key is manually entered into the controller by the user/administrator to facilitate the encryption key exchange. Additionally, for control applications where security is not important, an unencrypted security mode may be implemented. A driver ID provided by the controlled device facilitates loading of a preferred device driver by the controller.

Abstract: A management unit (110) which issues a digital certificate to a new transmission unit (410) includes a wireless communication section for performing communication in a network (300) and a wire communication section to which the new transmission unit (410) can be connected; when the new transmission unit (410) is wire-connected to the management unit (110), it is judged in accordance with the received device type information of the new transmission unit (410), whether or not the new transmission unit (410) is a device having a communication means that can communicate in the network (300); and if the new transmission unit is judged as a device having that type of means, the management unit creates a digital certificate by using a device identifier specific to the new transmission unit (410), and sends the digital certificate to the new transmission unit (410).

Abstract: A method processes an input image securely. An input image I is acquired in a client. A set of m random images, H1, . . . , Hm, and a coefficient vector, a=[a1, . . . , am], are generated such that the input image I is I=?i=1m?iHj. The set of the random images is transferred to a server including a weak classifier. In the server, a set of m convolved random images H? are determined, such that {H1?=?1(H1*y}i,1m, where * is a convolution operator and ?1 is a first random pixel permutation. The set of convolved images is transferred to the client. In the client, a set of m permuted images I? is determined, such that I?=?2(?i=1m?iH1?), where ?2 is a second random pixel permutation. The set of permuted image is transferred to the server.

Abstract: A validation authority for certificates searches for and verifies paths and certificate revocation lists periodically, and classifies the paths into valid paths and invalid paths in accordance with the results of the validations, so as to register the paths in databases beforehand. Besides, in a case where a request for authenticating the validity of a certificate has been received from an end entity, the validation authority judges the validity of the public key certificate by checking in which of the valid-path database and the invalid-path database a path corresponding to the request is registered. On the other hand, in a case where the path corresponding to the validity authentication request is not registered in either of the databases, the validity of the public key certificate is authenticated by performing path search and validation anew.

Abstract: A method, system, and program defeating unauthorized keystroke logging during password entry are provided. Secure password entry is facilitated by displaying a password prompt comprising a changing stream of random characters, where a particular character within the stream of random characters is displayed at a visibly detectable higher frequency. A user selects a password character by entering input to increment or decrement the particular high frequency character to reach the password character, such that any unauthorized keystroke logging to detect said password is ineffective. Once the user reaches the password character, the user provides another input indicating a selection of the current high frequency character as the password character. Once the user has selected all the characters of the password, the user enters an input indicating the password is complete and the password entry controller then passes the password to the calling layer.

Abstract: A method and system is provided so that requests to a first application (e.g., an LDAP directory) are routed to a second application, the second application being trusted by the first application. The second application validates the requests and sends the request to the first software application when the first application is available. Requests may be queued for processing until the first application is available so that the requests remain pending. A reply may be sent to the requester indicating the results of the request. The second software application processes authentication and validation of the request thereby relieving the first application of this function. Since the second application is a trusted application, the request to the first application may be applied with improved efficiencies increasing the overall performance of the first software application.

Abstract: An apparatus, a method, and a computer program are provided for securing transmitted text. Once text has been produced by an application, the potential exists for an unintended third party to obtain sensitive data transmitted over computer networks. However, a parsing function can then operate either on an individual computer or on a network to scan text at an Open Systems Interconnection (OSI) Layer 1 to assist in the prevention of sensitive data transmission. By utilizing the parsing function, text can be scanned for potentially sensitive data by using a variety of techniques, such as a learning algorithm. The sensitive data can then be verified by a user, bypassed, or autostripped.

Abstract: A computing environment security agent is provided for automatically determining whether to grant access to an asset, deny access to the asset, or grant access to a transformed asset responsive to an asset request by a user of the computing environment. The security agent includes logic for authenticating a user for computing environment access, for receiving a request from the authenticated user to access an asset, and for determining whether the authenticated user is authorized to access the asset, and if so, for determining whether to transform the asset responsive to the request to access the asset by the authenticated user. The security agent can further include logic for transparently transforming the requested asset or for defining at least one transformation rule for the requested asset and saving the at least one transformation rule in a transformation list accessible by the authenticated user.

Abstract: The present invention provides an application authentication system capable of authenticating an application on a terminal device, which does not have a secure information concealing area, by a secure device. In an application authentication system in which a secure device 10 fitted to a terminal device 30 that has no secure information concealing area authenticates an application 31 stored in the terminal device, the secure device 10 authenticates an application running means 33 stored in an unwritable area 302 of the terminal device, and also authenticates the application based on a process applied to the application 31 by the application running means to request an access to the secure device. Since the terminal authentication by the secure device and the application authentication executed within the terminal device are coupled in combination, the secure device can authenticate the application operated on the terminal device without the secure information concealing area.

Abstract: One embodiment of the invention relates to a management method for conditional access data processing by at least three decoders associated to a subscriber. These decoders include activation/deactivation means for conditional access data processing and local communication means structured to allow communication between the subscribers' decoders. This method comprises a reception step, a determination step, and a comparison step. In addition conditional access data processing by said first decoder (STB) is deactivated if the latter has not received messages from the required number of different decoders. Another embodiment of the invention relates to a decoder that allows the implementation of the method according to the invention and characterized in that it includes local communication means (10) structured to transmit messages to other decoders and to receive messages originating from said other decoders, and processing means for messages received by said local communication means (10).

Abstract: Systems and methods for metering execution of code at runtime are described. According to one implementation, a call is received requesting execution of a protected service. In response, permission is requested for the execution. The request for permission is analyzed. A grant of permission is based on the analysis.