Patents Examined by Carolyn B Kosowski
  • Patent number: 8528108
    Abstract: A way for securely protecting secret information—for example, a secret key—in a programmed electronic device is provided. A technique is disclosed for protecting secret information in a programmed electronic device that includes a non-trusted memory containing software, a data memory containing the secret information, and an access restriction logic unit that is adapted to allow or block access to the secret information wherein the secret information is adapted to be used for verifying the integrity of the software. In one embodiment, when starting up the programmed electronic device, the access restriction logic unit allows access to the secret information. Then the secret information is accessed for use in verifying the integrity of the software, and subsequently the access restriction logic unit blocks further access to the secret information. Embodiments of a semiconductor device and a programmed electronic device comprising similar features are also disclosed.
    Type: Grant
    Filed: October 6, 2006
    Date of Patent: September 3, 2013
    Assignee: Agere Systems LLC
    Inventors: Gerhard Ammer, Michael Chambers, Hai Wang, Paul Renshaw, Michael Kiessling
  • Patent number: 8516566
    Abstract: Systems and methods for providing Kerberos pre-authentication are presented. According to a method embodiment, a request for authentication is received from a principal of an authentication service. The principal in the authentication service is authenticated. A key associated with the authenticated principal in the authentication service is provided to a Kerberos Key Distribution Center (KDC).
    Type: Grant
    Filed: January 18, 2008
    Date of Patent: August 20, 2013
    Assignee: Apple Inc.
    Inventor: Rahul Srinivas
  • Patent number: 8505076
    Abstract: A system for proactively authenticating includes a server having media independent access functions including media independent authentication functions that authenticates other entities attached via an interface to an end of a link specific to a media. A plurality of heterogeneous networks each having media specific access functions including authentication functions corresponding to the other entities attached via the interface to the end of the link specific to the media and mobile devices connected to the plurality of heterogeneous networks, and the server having predefined media independent handover protocols and media independent handover identities based on the media independent functions related to handover, in which the server authenticates candidate access networks prior to the handover of the mobile devices from serving access networks to the candidate access networks each of which belonging to the plurality of heterogeneous access networks having the link specific to the media.
    Type: Grant
    Filed: May 3, 2010
    Date of Patent: August 6, 2013
    Assignees: Kabushiki Kaisha Toshiba, Telcordia Technologies, Inc.
    Inventors: Subir Das, Yoshihiro Oba, Ashutosh Dutta
  • Patent number: 8490196
    Abstract: A system and method for extending automated penetration testing of a target network is provided. The method comprises: computing a scenario, comprises the steps of: translating a workspace having at least one target computer in the target network, to a planning definition language, translating penetration modules available in a penetration testing framework to a planning definition language, and defining a goal in the target network and translating the goal into a planning definition language; building a knowledge database with information regarding the target network, properties of hosts in the network, parameters and running history of modules in the penetration testing framework; and running an attack plan solver module, comprising: running an attack planner using the scenario as input, to produce at least one attack plan that achieves the goal, and executing actions defined in the at least one attack plan against the target network from the penetration testing framework.
    Type: Grant
    Filed: August 5, 2010
    Date of Patent: July 16, 2013
    Assignee: Core Security Technologies
    Inventors: Jorge Lucangeli Obes, Carlos Emilio Sarraute Yamada, Gerardo Gabriel Richarte
  • Patent number: 8484739
    Abstract: Techniques for securely performing reputation based analysis using virtualization are disclosed. In one particular exemplary embodiment, the techniques may be realized as a computer implemented method for performing reputation based analysis comprising detecting a specified activity associated with a virtual client, determining a reputation associated with the specified activity, and performing an action associated with the determined reputation.
    Type: Grant
    Filed: December 15, 2008
    Date of Patent: July 9, 2013
    Assignee: Symantec Corporation
    Inventor: Vijay Anand Seshadri
  • Patent number: 8484738
    Abstract: A system and method provide application penetration testing. The system contains logic configured to find at least one vulnerability in the application so as to gain access to data associated with the application, logic configured to confirm the vulnerability and determine if the application can be compromised, and logic configured to compromise and analyze the application by extracting or manipulating data from a database associated with the application. In addition, the method provides for penetration testing of a target by: receiving at least one confirmed vulnerability of the target; receiving a method for compromising the confirmed vulnerability of the target; installing a network agent on the target in accordance with the method, wherein the network agent allows a penetration tester to execute arbitrary operating system commands on the target; and executing the arbitrary operating system commands on the target to analyze risk to which the target may be exposed.
    Type: Grant
    Filed: March 6, 2008
    Date of Patent: July 9, 2013
    Assignee: Core SDI Incorporated
    Inventors: Alberto Gustavo Soliño Testa, Gerardo Gabriel Richarte, Fernando Federico Russ, Diego Martin Kelyacoubian, Ariel Futoransky, Diego Bartolome Tiscornia, Ariel Waissbein, Hector Adrian Manrique, Javier Ricardo De Acha Campos, Eduardo Arias, Sebastian Pablo Cufre, Axel Elián Brzostowski
  • Patent number: 8473737
    Abstract: This authentication device includes: a volatile memory; a non-volatile memory which stores a plurality of electronic certificate files; a unit which refers to the non-volatile memory upon start-up, and which stores a hierarchical relationship between the plurality of electronic certificate files in the volatile memory; a unit for searching for a desired electronic certificate file based upon the hierarchical relationship between the plurality of electronic certificate files in the volatile memory; and an authentication unit which performs authentication using the electronic certificate file which has been found by the search unit.
    Type: Grant
    Filed: January 18, 2008
    Date of Patent: June 25, 2013
    Assignee: Seiko Epson Corporation
    Inventor: Yusaku Kikuchi
  • Patent number: 8452978
    Abstract: A system and related method are provided for user authentication and dynamic usability of touch-screen devices. The system utilizes probability distribution representations including an authorized user probability distribution representation and a global or wide population probability distribution representation, to associate the purported authorized user to the authorized user. Touch dynamics or data, or other data from similar measurable characteristics, can be utilized to associate the purported authorized user and the authorized user and to determine optimal positions and sizes for user interface components.
    Type: Grant
    Filed: September 17, 2007
    Date of Patent: May 28, 2013
    Assignee: Identity Metrics, LLC
    Inventors: Herbert Lewis Alward, Timothy Erickson Meehan, James Joseph Straub, III, Norman Carr, Robert Michael Hust
  • Patent number: 8448250
    Abstract: A method and a system for transmitting confidential and non-confidential data blocks between intake units (1, 1′) and output units (3, 3′) of a communication system. The communication system has intake units (1) for confidential data blocks, intake units (1′) for non-confidential data blocks, output units (3) for confidential data blocks, and output units (3′) for non-confidential data blocks. A data distribution unit (2) transmits data blocks with confidential information from the intake units (1) for confidential information to the output units (3) for confidential information and data blocks with non-confidential information from the intake units (1′) for non-confidential information to the output units (3′) for non-confidential information.
    Type: Grant
    Filed: September 13, 2007
    Date of Patent: May 21, 2013
    Assignee: Frequentis Nachrichtentechnik GmbH
    Inventors: Gerald Mohnl, Rupert Fuchsgruber
  • Patent number: 8443426
    Abstract: A system and method for preventing an administrator impersonating a user from accessing sensitive resources on a target system is provided. The method comprises receiving a first request from a user to change the user's password on a target system to be changed, sending a “change password” request for the user to the target system, storing the user's new password, receiving a second request from the target system on behalf of the user for access to a sensitive resource, wherein the second request contains information about the user's password, and denying the second request if the information about the user's password is not consistent with the user's stored new password.
    Type: Grant
    Filed: June 11, 2008
    Date of Patent: May 14, 2013
    Assignee: Protegrity Corporation
    Inventor: Ulf Mattsson
  • Patent number: 8438644
    Abstract: A security system is provided. The system comprises a computer system, a memory accessible to the computer system, a data store, and an application. The data store comprises a threat catalog, wherein the threat catalog comprises a plurality of threat vectors, each threat vector comprising a plurality of fields, wherein each field is constrained to carry a value selected from a predefined list of enumerated values. The application is stored in the memory and, when executed by the computer system receives a threat report, wherein the threat report comprises an identification of at least one threat vector, determines a correlation between the at least one threat vector received in the threat report with the threat vectors comprising the threat catalog, and, based on the correlation, sends a notification to a stakeholder in an organization under the protection of the security system.
    Type: Grant
    Filed: March 7, 2011
    Date of Patent: May 7, 2013
    Assignee: iSIGHT Partners, Inc.
    Inventors: John P. Watters, Matthew Keane
  • Patent number: 8424092
    Abstract: A battery pack includes at least one rechargeable battery configured to output power; a remaining battery capacity detection unit configured to detect a remaining battery capacity of the at least one rechargeable battery; and a cryptographic unit configured to output a response word in response to an external request word by encrypting the external request word based on a cryptographic algorithm with a common code key.
    Type: Grant
    Filed: September 8, 2011
    Date of Patent: April 16, 2013
    Assignees: Mitsumi Electric Co., Ltd., Sony Mobile Communications Japan, Inc.
    Inventors: Akira Ikeuchi, Itsuki Nakano, Kenichi Kasai, Katsuya Suzuki, Kuniharu Suzuki
  • Patent number: 8417965
    Abstract: An embodiment of the present invention provides a method and circuit for secure definition and integration of a core into a circuit design without exposing the core. In one embodiment, a core development package is obtained. The core development package includes an encrypted core and a decryption key of the encrypted core. The decryption key is encrypted with an asymmetric cipher. The encrypted core is transmitted from the design tool to a trusted platform module. The decryption key is decrypted with a private key of the asymmetric cipher. The encrypted core is decrypted within the trusted platform module. One or more design tool operations are performed using the decrypted core.
    Type: Grant
    Filed: April 7, 2010
    Date of Patent: April 9, 2013
    Assignee: Xilinx, Inc.
    Inventors: Arvind Sundararajan, Chi Bun Chan, Nabeel Shirazi
  • Patent number: 8417967
    Abstract: Embodiments include methods, apparatus, and systems for storage device data encryption. One method includes encrypting data on a storage device with a key and then transmitting the key to a cryptographic module that encrypts the key to form a Binary Large Object (BLOB). The BLOB is transmitted to an array controller that is coupled to the storage device which stores the BLOB.
    Type: Grant
    Filed: April 2, 2008
    Date of Patent: April 9, 2013
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Joseph E. Foster, Robert C. Elliott, Jeffrey A. Plank
  • Patent number: 8418241
    Abstract: Aspects of a method and system for traffic engineering in an IPSec secured network are provided. In this regard, a node in a network may be authenticated as a trusted third party and that trusted third party may be enabled to acquire security information shared between or among a plurality of network entities. In this manner, the trusted third party may parse, access and operate on IPSec encrypted traffic communicated between or among the plurality of network entities. Shared security information may comprise one or more session keys utilized for encrypting and/or decrypting the IPSec secured traffic. The node may parse IPSec traffic and identify a flow associated with the IPsec traffic. In this manner, the node may generate and/or communicate statistics pertaining to said IPSec secured traffic based on the flow with which the traffic is associated.
    Type: Grant
    Filed: November 14, 2007
    Date of Patent: April 9, 2013
    Assignee: Broadcom Corporation
    Inventor: Uri Elzur
  • Patent number: 8411866
    Abstract: In one embodiment, a Home Agent receives a Mobile IP registration request from a group member, where the group member is a Mobile Node. The Home Agent generates a mobility binding for the group member that associates the group member with a care-of address, wherein the group member is a member of one or more groups. The Home Agent generates a Mobile IP registration reply, where the Mobile IP registration reply identifies one or more key servers. Each of the one or more key servers serves at least one of the one or more groups and is adapted for distributing group cryptography material to members of each group that is served by the corresponding key server. The Home Agent sends the Mobile IP registration reply to the group member, thereby enabling the group member to obtain cryptography material for at least one of the one or more groups from at least one of the one or more key servers to enable the group member to use the cryptography group material to securely communicate with other group members.
    Type: Grant
    Filed: November 14, 2007
    Date of Patent: April 2, 2013
    Assignee: Cisco Technology, Inc.
    Inventors: Mohamed Khalid, Ciprian Pompiliu Popoviciu, Kavitha Kamarthy, Aamer Saeed Akhter, Rajiv Asati
  • Patent number: 8413240
    Abstract: An example of a device comprises a storage which stores data which is input from outside and to which tracking information is added, a section which detects a first reading event of first data from the storage to which the tracking information is added, a section which detects, after the first reading event, a first writing event to part of character string data to the storage, a section which detects, after the first writing event, a second reading event of second data from the storage to which the tracking information is added, a section which detects, after the second reading event, a second writing event to part of the character string data to the storage, and a section which adds, when the first reading/writing event, second reading/writing event are detected, the tracking information to data to be written to the storage by the first and second writing event.
    Type: Grant
    Filed: March 26, 2009
    Date of Patent: April 2, 2013
    Assignee: Semiconductor Technology Academic Research Center
    Inventors: Satoshi Katsunuma, Masahiro Goshima, Hidetsugu Irie, Ryota Shioya, Shuichi Sakai
  • Patent number: 8411858
    Abstract: The present invention utilizes the AAA infrastructure to dynamically allocate the various parameters needed to establish the security association between the Foreign Agent and the Home Agent. The present invention uses the AAA server as a central entity to dynamically generate and distribute the chosen security association parameters needed to support the Foreign Agent and Home Agent security association based on a request from the Foreign Agent. The AAA server can also dynamically assign a unique SPI value to the Foreign Agent and Home Agent pairs. The various parameters that can be allocated in the present invention include a FA-HA shared secret key or a public/private key pair, an authentication algorithm and mode, a FA-HA secret key lifetime, and security parameter index or security index values. The present invention also can assist in making sure that the Foreign Agent and the Home Agent stay synchronized with respect to their security association.
    Type: Grant
    Filed: March 27, 2008
    Date of Patent: April 2, 2013
    Assignee: Apple Inc.
    Inventors: Ahmad Muhanna, Mohamed Khalil
  • Patent number: 8413222
    Abstract: A method and apparatus for synchronously changing authentication credentials of a plurality of domains comprising detecting an authentication credential change event for a particular domain, where the authentication credential is being changed from a first credential to a second credential, determining whether the particular domain is within a domain group, and, if the particular domain is within the domain group, changing the authentication credential of at least one other domain in the domain group from the first credential to the second credential.
    Type: Grant
    Filed: June 27, 2008
    Date of Patent: April 2, 2013
    Assignee: Symantec Corporation
    Inventors: Shaun Cooley, Brian Hernacki
  • Patent number: 8407481
    Abstract: Provided is a secure apparatus for protecting the integrity of a software system and a method thereof. The apparatus comprises: a template repository for storing templates required for generating an agent module; a template generator for randomly selecting one template from said template repository and generating a new agent module according to the selected template; and a transceiver for sending said new agent module to an external apparatus communicating with said secure apparatus to update a current agent module which is running in said external apparatus, wherein said current agent module is used to verify the integrity of said software system running in said external apparatus. The secure apparatus can protect software in an insecure environment with a high software protection level to prevent the software from being tampered with or bypassed.
    Type: Grant
    Filed: June 27, 2008
    Date of Patent: March 26, 2013
    Assignee: International Business Machines Corporation
    Inventors: Ya Bin Dang, Da Ming Hao, Shih-Gong Li, Lin Luo, Shun Xiang Yang