Patents Examined by Brian Shaw
  • Patent number: 8788848
    Abstract: The claimed subject matter relates to architectures and/or mechanisms that can facilitate issuing, embedding and verification of an optical DNA (o-DNA) signature. A first mechanism is provided for obtaining a set of manufacturing errors inherent in an optical media instance. These errors can be encoded into the o-DNA that can be cryptographically signed with a private key, then embedded into the source optical media instance. A second mechanism is provided that can decrypt the o-DNA with a public key and compare the authenticated errors to the observed errors to ascertain whether the optical media instance is authentic as opposed to a forgery or counterfeit.
    Type: Grant
    Filed: March 22, 2007
    Date of Patent: July 22, 2014
    Assignee: Microsoft Corporation
    Inventors: Darko Kirovski, Estrada T. Colon, David L. Lewis, Thomas Patrick Powell, Deepak Vijaywargiay
  • Patent number: 8788807
    Abstract: Methods and apparatus for protecting user privacy in a shared key system. According to one aspect, a user generates a derived identity based on a key and a session variable, and sends the derived identity to an application. In one embodiment, a key server may be used to receive the derived identity from the application, and return a sub-key to the application to use for encrypting communications with the user.
    Type: Grant
    Filed: January 10, 2007
    Date of Patent: July 22, 2014
    Assignee: QUALCOMM Incorporated
    Inventors: Adrian Escott, James Semple
  • Patent number: 8782408
    Abstract: A method for securing communication among members of a group. The method includes a first member obtaining a first secret. An n-bit generator executing on the first member generates a first message digest using the first secret. The first member extracts a first encryption solution and a second encryption solution, at least in part, from the first message digest, encrypts a first communication using the first encryption solution to obtain a first encrypted communication, and sends, to a second member of the group, the first encrypted communication. The first member further receives, from the second member, a second encrypted communication, and decrypts the second encrypted communication using the second encryption solution to obtain a second communication.
    Type: Grant
    Filed: March 25, 2010
    Date of Patent: July 15, 2014
    Assignee: PACid Technologies, LLC
    Inventor: Guy Fielder
  • Patent number: 8756664
    Abstract: A method and system for managing user authentication. First authentication data associated with a user is received from a first authentication mechanism. The first authentication data is generated in response to the first authentication mechanism successfully authenticating the user. In response to receipt of the first authentication data, a first identifier associated with the user is registered. The first authentication data is associated with the first identifier. In response to associating the first authentication data with the first identifier, second authentication data associated with the user is received from a second authentication mechanism. The second authentication data is generated in response to the second authentication mechanism successfully authenticating the user. The second authentication data is associated with the first authentication data and the first identifier.
    Type: Grant
    Filed: September 26, 2008
    Date of Patent: June 17, 2014
    Assignee: International Business Machines Corporation
    Inventor: Gareth Edward Jones
  • Patent number: 8752140
    Abstract: A method of performing a trusted dynamic host configuration protocol (DHCPT). The method comprises receiving a trusted dynamic host configuration protocol request message, wherein the request message was created in and transmitted from a trusted security zone of a computing device, and wherein the request message requests an internet protocol (IP) address and routing information for the computing device, allocating an internet protocol address and determining routing information for the computing device, wherein the allocating and determining are performed by a dynamic host configuration protocol server while executing in a trusted security zone of the server, and transmitting the internet protocol address and routing information to the computing device over a trusted end-to-end communication link.
    Type: Grant
    Filed: September 11, 2012
    Date of Patent: June 10, 2014
    Assignee: Sprint Communications Company L.P.
    Inventors: Lyle W. Paczkowski, William M. Parsel, Carl J. Persson, Matthew C. Schlesener
  • Patent number: 8745716
    Abstract: A system for providing an application associated with a portable communication device the ability to communicate via a secure element. The system has a digital identifier and digital token operably associated with the application; a card services module that provides an application programming interface to the secure element; and a secure data table associated with the card services module. The secure data table includes a list of trusted applications each identifiable by paired digital identifier and token. The card services module compares the identifier and the token with each of the identifier-token pairs in the table until a match indicates the application is trusted. The card services module issues commands to the secure element based on an action requested by a trusted application in conjunction with the presentation of the digital token. A method of providing an application with the ability to communicate via secure element is also disclosed.
    Type: Grant
    Filed: October 21, 2011
    Date of Patent: June 3, 2014
    Assignee: Sequent Software Inc.
    Inventors: David Brudnicki, Michael Craft, Hans Reisgies, Andrew Weinstein
  • Patent number: 8744076
    Abstract: One embodiment of the present invention provides a system that facilitates encrypting data. During operation, the system receives unencrypted data to be encrypted. Next, the system preprocesses the unencrypted data to create preprocessed unencrypted data, wherein preprocessing the unencrypted data involves generating a salt (wherein the salt facilitates in determining if the subsequently encrypted data has been altered) and concatenating the salt and the unencrypted data to create the preprocessed unencrypted data. Next, the system encrypts the preprocessed unencrypted data to create the encrypted data. Because the salt has already been applied to the plaintext data, it does not need to be reapplied during the encryption phase as is typically done in encryption. Finally, the system stores a copy of the salt with the encrypted data.
    Type: Grant
    Filed: April 4, 2007
    Date of Patent: June 3, 2014
    Assignee: Oracle International Corporation
    Inventor: Paul Youn
  • Patent number: 8737618
    Abstract: An optical communications network incorporating photonic layer security, with secure key exchange without loss of data, and a method of operating the network are disclosed. The network comprises a transmit side and a receive side. The transmit side includes first and second scramblers and a transmit side switch; and the receive side includes first and second descramblers and a receive side switch. The scramblers use encryption keys to encrypt optical signals, and the descramblers use the encryption keys to decrypt the encrypted optical signals. The encryption keys can be updated randomly and at will by installing new encryption keys on the scramblers and descramblers, and the transmit side and receive side switches are synchronized so that all of the optical signals that are encrypted using a new or updated encryption key are decrypted using the same new or updated encryption key.
    Type: Grant
    Filed: June 28, 2010
    Date of Patent: May 27, 2014
    Assignee: Telcordia Technologies, Inc.
    Inventors: Shahab Etemad, Paul Toliver
  • Patent number: 8731192
    Abstract: A data generating device is capable of preventing unauthorized extraction of plaintext content between decryption processing and digital watermark embedment processing. A content reproducing device obtains restoration information and, in accordance with the restoration information, selectively performs predetermined restoration processing and processing of embedding device unique information, on content data at a position shown by the restoration information.
    Type: Grant
    Filed: October 25, 2012
    Date of Patent: May 20, 2014
    Assignee: Panasonic Corporation
    Inventors: Masaya Yamamoto, Senichi Onoda, Minehisa Nagata, Kaoru Murase
  • Patent number: 8726032
    Abstract: A method for protecting a first secrets file. The method includes an n-bit generator generating a secrets file name for the secrets file and generating decoy file names for decoy files. The secrets file includes a secret. Each of the decoy files includes decoy file contents, is the same size as the secrets file, and is associated with a modification time within a range of modification times. The modification time of the secrets file is within the range of modification times. The secrets file and decoy files are stored in a secrets directory.
    Type: Grant
    Filed: March 25, 2010
    Date of Patent: May 13, 2014
    Assignee: PACid Technologies, LLC
    Inventor: Guy Fielder
  • Patent number: 8700914
    Abstract: A system and method for changing safety-relevant data for a control device is provided wherein an authorized user inputs new or altered safety-relevant data, which is received on a data processing installation. A first checksum for the safety-relevant data is established and stored along with the safety-relevant data in at least one data record on the data processing installation. An enable code may also be stored in the at least one data record. This enable code may be produced by a code generator and encrypted by a key module. The data processing installation then reads back the safety-relevant data from a memory in the data processing installation, thereby allowing a comparison of the received safety-relevant data and the read back safety-relevant data. A second checksum is generated in a case where the comparison resulted in no differences. The second checksum may also be stored in the at least one data record.
    Type: Grant
    Filed: April 26, 2007
    Date of Patent: April 15, 2014
    Assignee: ABB AG
    Inventors: Soenke Kock, Peter Eriksson, Jan Bredahl, Michael Niehaus
  • Patent number: 8689003
    Abstract: Various embodiments of a system and method for secure password-based authentication are described. The system and method for secure password-based authentication may include an authentication component configured to request and receive authentication from an authenticating system according to a secure password-based authentication protocol. The authentication component may be configured to participate in an attack-resistant password-based authentication protocol such that an attacker who has compromised the authorizing system and/or a communication channel between the authentication component and the authenticating system may not determine a user's password and/or impersonate the user. In one embodiment, the authentication component may be configured to provide its attack-resistant password-based authentication functionality to an application (e.g., through a stand-alone application, plugin, or application extension).
    Type: Grant
    Filed: June 1, 2007
    Date of Patent: April 1, 2014
    Assignee: Adobe Systems Incorporated
    Inventor: Sunil Agrawal
  • Patent number: 8687942
    Abstract: A data processing apparatus which divides stream data into portions is disclosed. An evaluation value calculating section calculates an evaluation value at a dividing candidate position of the stream data based on an evaluation function. A comparing section compares the evaluation value calculated by the evaluation value calculating section with a predetermined threshold value. A dividing candidate position obtaining section obtains the dividing candidate position of the stream data in each predetermined unit. A controlling section decides a dividing position of the stream data based on a compared result of the comparing section. A controlling section causes the dividing candidate position obtaining section to obtain a second dividing candidate position when the compared result of the comparing section denotes that the evaluation value at the first dividing candidate position does not exceed the threshold value.
    Type: Grant
    Filed: March 18, 2008
    Date of Patent: April 1, 2014
    Assignee: Sony Corporation
    Inventors: Atsushi Mae, Kenichiro Aridome, Yukio Isobe
  • Patent number: 8688991
    Abstract: A system identifies a playlist comprising at least one reference to content. The system provides a digital signature to the playlist. The digital signature links the playlist to a creator of the playlist. The system authenticates an application rendering the content using the digital signature. The system receives a command to render the playlist using the application.
    Type: Grant
    Filed: June 1, 2007
    Date of Patent: April 1, 2014
    Assignee: Adobe Systems Incorporated
    Inventor: Agrawal Sunil
  • Patent number: 8688994
    Abstract: Computerized methods, systems, and computer-readable media for promoting cooperation between a first and second virtual network overlay (“overlay”) are provided. The first overlay is governed by a first authority domain and includes members assigned virtual IP addresses from a first address range. The second overlay is governed by a second authority domain, which is associated with a second federation mechanism, for negotiating on behalf of the second overlay. The second federation mechanism is capable of negotiating with, or soliciting delegation of authority from, a first federation mechanism that is associated with the first authority domain. When negotiations are successful or authority is delegated, the second federation mechanism establishes a communication link between the second overlay and the first overlay or joins a member of the second overlay to the first overlay. Joining involves allocating a guest IP address from the first address range to the member.
    Type: Grant
    Filed: June 25, 2010
    Date of Patent: April 1, 2014
    Assignee: Microsoft Corporation
    Inventors: Hasan Alkhatib, Geoffrey Outhred, Deepak Bansal, Anatoliy Panasyuk, Dharshan Rangegowda, Anthony Chavez
  • Patent number: 8650399
    Abstract: Systems, devices and/or methods that facilitate mutual authentication for processor and memory pairing are presented. A processor and a suitably equipped memory can be provided with a shared secret to facilitate mutual authentication. In addition, the memory can be configured to verify that the system operating instructions have not been subjected to unauthorized alterations. System integrity can be ensured according to the disclosed subject matter by mutual authentication of the processor and memory and verification of the authenticity of system operating instructions at or near each system power up. As a result, the disclosed subject matter can facilitate relatively low complexity assurance of system integrity as a replacement or supplement to conventional techniques.
    Type: Grant
    Filed: February 29, 2008
    Date of Patent: February 11, 2014
    Assignee: Spansion LLC
    Inventors: Joël Le Bihan, Christophe Carvounas, Vincent Cedric Colnot, Elena Trichina, Helena Handschuh
  • Patent number: 8646089
    Abstract: A method is provided in one example embodiment that includes receiving a signal to enable a whitelist mode on a host in a network, terminating a process executing on the host if the process is not verified, and blocking execution of software objects on the host if the software objects are not represented on the whitelist. In more particular embodiments, the method also includes identifying the process on a process list that enumerates one or more processes executing on the host. Yet further embodiments include quarantining the host if a second process on the process list is a critical process and if the second process is not verified. More specific embodiments include identifying and restarting another process on the process list if process memory was modified.
    Type: Grant
    Filed: October 18, 2011
    Date of Patent: February 4, 2014
    Assignee: McAfee, Inc.
    Inventors: Sridhar Jayanthi, Praneet Khare, Gangadharasa Srinivasa
  • Patent number: 8635680
    Abstract: A method is provided for network identification based on high entropy data on a network which are not easily guessed or obtained outside the network, which can prevent an attacker from “spoofing” the network. A component in a client computer connected to a network may obtain over the network a network data block including device identification information of a device controlling the network. Upon parsing the network data block, such high entropy data as unique device identifiers may be obtained from the device identification information. Depending on availability of the unique device identifiers and authentication history of the client computer, different combinations of the unique device identifiers and/or other identification information may be used to generate a unique network identifier such as a network signature. The component may provide the network signature to applications within the client computer.
    Type: Grant
    Filed: April 19, 2007
    Date of Patent: January 21, 2014
    Assignee: Microsoft Corporation
    Inventors: Bill Begorre, Deon C. Brewis
  • Patent number: 8606085
    Abstract: A method for replacing audio data within a recorded audio/video stream is presented. In the method, a first audio/video stream including audio data, video data, and supplemental data is stored. Location information is received which references the supplemental data to identify a location within the first audio/video stream. The location information is received in a data file separately from the first audio/video stream. Also received is an audio data segment. At least a portion of the audio data of the first audio/video stream is replaced at the identified location with the audio data segment to produce a second audio/video stream. At least a portion of the second audio/video stream is then transferred for presentation.
    Type: Grant
    Filed: March 20, 2008
    Date of Patent: December 10, 2013
    Assignee: DISH Network L.L.C.
    Inventor: Max S. Gratton
  • Patent number: 8572379
    Abstract: A server and a client mutually exclusively execute server-side and client-side commutative cryptographic processes and server-side and client-side commutative permutation processes. The server has access to a hash table, while the client does not. The server and client perform a method including: encrypting and reordering the hash table using the server; communicating the encrypted and reordered hash table to the client; further encrypting and further reordering the hash table using the client; communicating the further encrypted and further reordered hash table back to the server; and partially decrypting and partially undoing the reordering using the server to generate a double-blind hash table. To read an entry, the client hashes and permutes an index key and communicates same to the server, which retrieves an item from the double-blind hash table using the hashed and permuted index key and sends it back to the client, which decrypts the retrieved item.
    Type: Grant
    Filed: August 8, 2011
    Date of Patent: October 29, 2013
    Assignee: Xerox Corporation
    Inventor: Nicola Cancedda