Patents Examined by April Shan
  • Patent number: 8392700
    Abstract: An apparatus and system are disclosed for asymmetric security in data communications between two or more nodes. Asymmetric security within data communications refers to sending and receiving messages at different security levels. The apparatus includes a receiving module, a transmission module, and a communication module. The receiving module receives a first message at a first security level from a first node. A security level may be defined by implementation of one or more security features, including encryption, digital signatures, and/or other security features. The transmission module transmits a second message at a second security level to the first node in response to receiving the first message. The first and second messages may be communicated during a single communication session. The communication module communicates the second security level to the first node. The communication may be directly between two nodes or may occur via a broker or other intermediate node.
    Type: Grant
    Filed: July 2, 2008
    Date of Patent: March 5, 2013
    Assignee: International Business Machines Corporation
    Inventors: Pratima Ahuja, Manoj Khangaonkar, Kai Mike Zhang
  • Patent number: 8375082
    Abstract: Collaboration session communications methods, methods of configuring a plurality of collaboration sessions, communications methods, collaboration infrastructures, and communications systems are described.
    Type: Grant
    Filed: April 17, 2003
    Date of Patent: February 12, 2013
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventor: Debargha Mukherjee
  • Patent number: 8365285
    Abstract: The invention discloses a method and a system for deleting or isolating computer viruses. The method of deleting or isolating computer viruses comprises steps of: selecting a first operating system configured with a virus killing module from a plurality of operating systems in a computer, during the computer being in starting process; loading the first operating system; scanning, by the virus killing module, the storage area of at least one operating system of the plurality of operating systems, wherein the at least one operating system doesn't include the first operating system; and deleting or isolating virus found during scanning. According to the present invention, a problem that the basic operating system could not be started due to viruses may be solved, and thus the system stability is greatly improved.
    Type: Grant
    Filed: July 30, 2008
    Date of Patent: January 29, 2013
    Assignee: Lenovo (Beijing) Limited
    Inventors: Hongjiang Bi, Yuhong Liu
  • Patent number: 8365301
    Abstract: In a typical peer-to-peer network, any user of the peer-to-peer network may request a lookup of a key and its associated value. To limit access to a stored key-value pair, a user node may generate a registration message for a key-value pair. The value may include the payload to be stored at the storage node, and an access list containing one or more retrieval identifiers indicating one or more users authorized to access the payload. In some cases, the registration message may also include an encrypted payload which is encrypted with a group key. The group key may be included in the registration message, and may be encrypted with an encryption key which is known by the authorized user.
    Type: Grant
    Filed: February 22, 2005
    Date of Patent: January 29, 2013
    Assignee: Microsoft Corporation
    Inventor: John L. Miller
  • Patent number: 8365270
    Abstract: A proxy server for downloading a data file for a client, such as an email client or web browser, including: an external proxy for downloading the data file for the client from an external server over a network, based on profile data associated with the client stored on the proxy server; a memory module for storing the data file; and an internal proxy for transferring the data file to the client when requested by the client. The external proxy operates asynchronously to the internal proxy, and the proxy server operates transparently with respect to the client.
    Type: Grant
    Filed: December 22, 2008
    Date of Patent: January 29, 2013
    Assignee: Network Box Corporation Limited
    Inventor: Mark Crispin Webb-Johnson
  • Patent number: 8355505
    Abstract: The camera includes a sensor for sensing the photographer's iris image and registering the image in advance. The iris image is recorded in the image of a subject by a digital MCU at a timing different from that at which the image of the subject is captured. The recording timing is that at which the camera power supply is turned off, that at which a recording medium is ejected from the camera or that at which the iris image to be recorded is changed to the registered iris image of another photographer. The recording of the iris image is achieved by embedding it as a watermark or by appending it to metadata.
    Type: Grant
    Filed: October 1, 2007
    Date of Patent: January 15, 2013
    Assignee: Canon Kabushiki Kaisha
    Inventors: Goichi Morikawa, Go Tokura
  • Patent number: 8341714
    Abstract: A security token includes (a) a personal data memory configured to store digital identity credentials related to personal data of a user; (b) an input appliance configured to check said personal data; (c) a key record data memory configured to store at least one identity credential of an authentication server or of an application operator; (d) a transmitter and receiver unit configured to create a secure channel directly or indirectly to said authentication server or application operator to handle said key record relating to said authentication server or application operator, respectively; (e) a control unit configured to control the transmitter and receiver unit and the key record data memory in view of said handling, wherein the control unit is configured to perform one of: interpreting, deciphering, creating, checking, renewing, withdrawing and further key record handling actions. A method for authentication of a user using the security token is also disclosed.
    Type: Grant
    Filed: December 20, 2006
    Date of Patent: December 25, 2012
    Assignee: AXSionics AG
    Inventors: Lorenz Müller, Marcel Jacomet, Roger Cattin-Liebl, Alain Rollier
  • Patent number: 8335915
    Abstract: The presently preferred embodiment of the invention provides an encryption based security system for network storage that separates the ability to access storage from the ability to access the stored data. This is achieved by keeping all the data encrypted on the storage devices. Logically, the invention comprises a device that has two network interfaces: one is a clear text network interface that connects to one or more clients, and the other is a secure network interface that is connected to one or more persistent storage servers. Functionally, each network interface supports multiple network nodes. That is, the clear text network interface supports multiple client machines, and the secure network interface supports one or more storage servers.
    Type: Grant
    Filed: May 14, 2002
    Date of Patent: December 18, 2012
    Assignee: NetApp, Inc.
    Inventors: Serge Plotkin, Dan Avida
  • Patent number: 8331569
    Abstract: The present invention relates to a method for generating a downlink frame, which includes: generating a first short sequence and a second short sequence indicating cell group information; generating a first scrambling sequence determined by a first synchronization signal; generating a second scrambling sequence determined by a group to which the first short sequence belongs, the wireless communication system using a plurality of short sequences and the plurality of short sequences being divided into a plurality of groups; scrambling the first short sequence with the first scrambling sequence; scrambling the second short sequence with at least the second scrambling sequence; and mapping a second synchronization signal including the scrambled first short sequence and the scrambled second short sequence in the frequency domain.
    Type: Grant
    Filed: June 19, 2009
    Date of Patent: December 11, 2012
    Assignee: Electronics and Telecommunications Research Institute
    Inventors: Kap Seok Chang, Il Gyu Kim, Hyeong Geun Park, Young Jo Ko, Hyo Seok Yi, Moon Sik Lee, Young Hoon Kim, Seung Chan Bang
  • Patent number: 8325914
    Abstract: Described herein, in an example embodiment, is a mechanism to distribute and implement secure credentials on a WLAN (wireless local area network) employing radio frequency identification (RFID) tags. Symmetric keys are provisioned to the tag in a manner that allows for optimized re-association and secure announcements. The provisioned keys are derived in a way that enables the controller to operate without having to maintain the key state for every tag. In an example embodiment, the controller generates keys for the RFID tags that are derived from a master key associated with the controller, an identifier assigned to the RFID tag and an address associated with the RFID tag.
    Type: Grant
    Filed: November 27, 2007
    Date of Patent: December 4, 2012
    Assignee: Cisco Technology, Inc.
    Inventors: Joseph Salowey, Allan Thomson
  • Patent number: 8327431
    Abstract: A method for processing packets in a computer undergoing transitioning from a first configuration of a firewall to a second configuration of the firewall is disclosed. Packets arriving in the computer are associated with the first configuration of the firewall existing in the computer, and after a second configuration of the firewall becomes available, the computer starts associating packets arriving in the computer with the second configuration of the firewall, and processing packets associated with the second configuration according to the second configuration of the firewall, while continuing processing the packets associated with the first configuration according to the first configuration of the firewall until all packets associated with the first configuration are processed. Packets are processed by a plurality of firewall processing modules asynchronously. First and second reference counts, counting numbers of packets processed according to respective firewall configuration are conveniently introduced.
    Type: Grant
    Filed: October 28, 2011
    Date of Patent: December 4, 2012
    Assignee: Trend Micro Incorporated
    Inventor: Bart Trojanowski
  • Patent number: 8321908
    Abstract: This document discusses, among other things, applying network policy at a network device. In an example embodiment fiber channel hard zoning information may be received that indicates whether a fiber channel frame is permitted to be communicated between two fiber channel ports. Some example embodiments include identifying a media access control address associated with the fiber channel ports. An example embodiment may include generating one or more access control entries based on the fiber channel identifications of the fiber channel ports and the zoning information. The access control entries may be distributed to an Ethernet port to be inserted into an existing access control list and used to enforce a zoning policy upon fiber channel over Ethernet frames.
    Type: Grant
    Filed: June 16, 2008
    Date of Patent: November 27, 2012
    Assignee: Cisco Technology, Inc.
    Inventors: Silvano Gai, Claudio DeSanti, James Paul Rivers
  • Patent number: 8320571
    Abstract: The present invention relates to a method of generating a downlink frame.
    Type: Grant
    Filed: June 19, 2009
    Date of Patent: November 27, 2012
    Assignee: Electronics and Telecommunications Research Institute
    Inventors: Kap Seok Chang, Il Gyu Kim, Hyeong Geun Park, Young Jo Ko, Hyo Seok Yi, Chan Bok Jeong, Young Hoon Kim, Seung Chan Bang
  • Patent number: 8321669
    Abstract: There is described an electronic data communication system in which encrypted mail messages for a recipient are sent in two parts: message data encrypted by a symmetric encryption algorithm using a session key and session key data encrypted by an asymmetric encryption algorithm using a public key associated with the recipient. If the recipient uses a webmail service to access the encrypted electronic mail message, the encrypted session key data is sent to a trusted third party server which has access to the private key of the user. The trusted third party server decrypts the encrypted session key using the private key of the user, and then sends the decrypted session key to a remote network device for decryption of the encrypted message. In this way, although the trusted third party has access to the private key of the user, the trusted third party does not have access to any decrypted message.
    Type: Grant
    Filed: January 30, 2007
    Date of Patent: November 27, 2012
    Assignee: Trend Micro Incorporated
    Inventor: Andrew Dancer
  • Patent number: 8316446
    Abstract: Methods and systems for blocking unwanted software downloads within a network. Such methods may thereby prevent (i) downloads of spyware from one or more identified locations, and/or (ii) certain outbound communications from the network and/or may also permit software downloads only from specified locations. In general, the policies are defined by rules specified by a network administrator or other user.
    Type: Grant
    Filed: April 22, 2005
    Date of Patent: November 20, 2012
    Assignee: Blue Coat Systems, Inc.
    Inventors: Alexander Wade Campbell, Lee Thomas Dolsen, Vilis Ositis, Cameron Charles Smith
  • Patent number: 8316456
    Abstract: A system and method for providing modified rights information to an application on an electronic device. A centralized component monitors both a system clock and a secure clock. The centralized component calculates the difference between the time of the system clock and the time of the secure clock and thereafter modifies the access rights information for the application by the difference between the times. The modified access rights information is then presented to the application for use.
    Type: Grant
    Filed: December 30, 2004
    Date of Patent: November 20, 2012
    Assignee: Nokia Corporation
    Inventor: Juha Siukonen
  • Patent number: 8312533
    Abstract: A virtual local area network switching device and an associated computer system and method are provided to permit operation in accordance with a plurality of different security classifications. The computer system includes a computer, a virtual local area network switching device and a plurality of peripheral units having different security classifications. The virtual local area network switching device may include a computing device that includes the plurality of ports and that is configured to control communications with the peripheral units in accordance with the respective security classifications. The virtual local area network switching device may also include a memory device configured to store information associating the plurality of the ports with the security classification of the respective peripheral unit. The memory device may also store information associating each port with both a logical address and a physical address of the respective peripheral units.
    Type: Grant
    Filed: October 29, 2007
    Date of Patent: November 13, 2012
    Assignee: The Boeing Company
    Inventor: Darrel J. Price
  • Patent number: 8312534
    Abstract: A system, method, and program product is provided that initializes a counter maintained in a nonvolatile memory of a security module to an initialization value. The security module receives requests for a secret from requesters. The security module releases the secret to the requesters and the released secrets are stored in memory areas allocated to the requesters. A counter is incremented when the secret is released. Requestors send notifications to the security module indicating that the requestor has removed the secret from the requestor's memory area. The security module decrements the counter each time a notification is received. When the computer system is rebooted, if the counter is not at the initialization value, the system memory is scrubbed erasing any secrets that remain in memory.
    Type: Grant
    Filed: March 3, 2008
    Date of Patent: November 13, 2012
    Assignee: Lenovo (Singapore) Pte. Ltd.
    Inventors: David Carroll Challener, Daryl Carvis Cromer, Howard Jeffrey Locker, Randall Scott Springfield
  • Patent number: 8312536
    Abstract: A reputation server is coupled to multiple clients via a network. Each client has a security module that detects malware at the client. The security module computes a hygiene score based on detected malware and provides it to the reputation server. The security module monitors client encounters with entities such as files, programs, and websites. When a client encounters an entity, the security module obtains a reputation score for the entity from the reputation server. The security module evaluates the reputation score and optionally cancels an activity involving the entity. The reputation server computes reputation scores for the entities based on the clients' hygiene scores and operations performed in response to the evaluations. The reputation server prioritizes malware submissions from the client security modules based on the reputation scores.
    Type: Grant
    Filed: December 29, 2006
    Date of Patent: November 13, 2012
    Assignee: Symantec Corporation
    Inventors: Carey S. Nachenberg, Kent E. Griffin
  • Patent number: 8306228
    Abstract: An anonymous secure messaging method and system for securely exchanging information between a host computer system and a functionally connected cryptographic module. The invention comprises a Host Security Manager application in processing communications with a security executive program installed inside the cryptographic module. An SSL-like communications pathway is established between the host computer system and the cryptographic module. The initial session keys are generated by the host and securely exchanged using a PKI key pair associated with the cryptographic module. The secure communications pathway allows presentation of critical security parameter (CSP) without clear text disclosure of the CSP and further allows use of the generated session keys as temporary substitutes of the CSP for the session in which the session keys were created.
    Type: Grant
    Filed: September 7, 2007
    Date of Patent: November 6, 2012
    Assignee: Activcard Ireland, Limited
    Inventors: Eric Le Saint, Wu Wen