Patents Examined by David Y. Jung
  • Patent number: 8032742
    Abstract: This application generally describes techniques for dynamically updating trusted certificates and CRLs, generally referred to herein as certificate information. That is, techniques are described for updating trusted certificates and CRLs without terminating existing communication sessions. An exemplary method includes the steps of receiving an initial configuration that includes a trusted certificate authority, receiving certificate information that includes a certificate revocation list (CRL) and a first certificate from the trusted certificate authority, storing the certificate information in the configuration, initiating a communication session for an application, receiving an update to the certificate information, and updating the configuration to reflect the update to the certificate information without terminating the communication session.
    Type: Grant
    Filed: December 5, 2008
    Date of Patent: October 4, 2011
    Assignee: Unisys Corporation
    Inventors: Robert L. Bergerson, James R. Heit, Jason C. Schultz
  • Patent number: 8028341
    Abstract: In one embodiment, the present invention provides for extended memory protection for memory of a system. The embodiment includes a method for associating a protection indicator of a protection record maintained outside of an application's data space with a memory location, and preventing access to the memory location based on the status of the protection indicator. In such manner, more secure operation is provided, as malicious code or other malware is prevented from accessing protected memory locations. Other embodiments are described and claimed.
    Type: Grant
    Filed: October 27, 2009
    Date of Patent: September 27, 2011
    Assignee: Intel Corporation
    Inventors: Antonio S. Cheng, Francis X. McKeen
  • Patent number: 8028326
    Abstract: A check of a processing device is performed. A device may receive a network access request to access a network from a first processing device. A security check may be caused to be performed on the first processing device. Whether to grant the network access request to the first processing device is based on a result of the security check.
    Type: Grant
    Filed: July 22, 2009
    Date of Patent: September 27, 2011
    Assignee: Juniper Networks, Inc.
    Inventors: Matthew A. Palmer, Andrew Richard Harding, Jason P. Poirier, Theron Tock
  • Patent number: 8024803
    Abstract: A computer-implemented method for filtering electronic messages. The method may include identifying a first time period during which a user accesses electronic messages less than during a second time period. The method may also include associating a first filtering level with the first time period and associating a second filtering level with a second time period. The method may further include, during the first time period, setting a spam filter to the first filtering level. The first filtering level may cause the spam filter to perform stronger filtering than the second filtering level. The method may include, during the second time period, setting the spam filter to the second filtering level. Corresponding systems and computer-readable media are also disclosed.
    Type: Grant
    Filed: December 8, 2008
    Date of Patent: September 20, 2011
    Assignee: Symantec Corporation
    Inventors: Shaun Cooley, Brian Hernacki
  • Patent number: 8024779
    Abstract: A solution for transparently verifying the authentication of a real user includes a monitor that receives network packets and a collector. The monitor identifies an authentication exchange packet from network traffic, extracts information from the packet and sends it to the collector, which obtains objects from a directory service and determines if the information includes a user name equivalent to a name attribute in an object. If so, authentication is deemed verified. For additional verification, the monitor extracts from the packet a destination address if it is a response packet, or a source address if it is a request packet. The monitor sends the extracted address to the collector, which uses the extracted address to obtain a hostname and determines whether a user account associated with the name attribute is active on a computing device having the hostname. If so, the authentication of the real user is deemed further verified.
    Type: Grant
    Filed: April 4, 2006
    Date of Patent: September 20, 2011
    Assignee: PacketMotion, Inc.
    Inventors: Pramod John, Ramachandran V. Marti, Yingxian Wang, Maxine R. Erlund
  • Patent number: 8015398
    Abstract: A method and apparatus for proving and a method and apparatus for verifying that a secret value is a member of a predetermined set of values. The proving mechanism receives a set of signatures which has respective values in the predetermined set signed using a private key. The proving mechanism sends to the verifying mechanism a commitment on the secret value of the proving mechanism. The proving mechanism and verifying mechanism then communicate to implement a proof of knowledge protocol demonstrating knowledge by the proving mechanism of a signature on the secret value committed to in the commitment, thus proving that the secret value is a member of the predetermined set.
    Type: Grant
    Filed: December 5, 2008
    Date of Patent: September 6, 2011
    Assignee: International Business Machines Corporation
    Inventors: Jan Leonhard Camenisch, Rafik Chaabouni, Abhi A. Shelat
  • Patent number: 8011008
    Abstract: Performing security sensitive operations with an application security model. Security agnostic code is executed. The security agnostic code is identified as not having authorization to perform a security sensitive operation. Executing the security agnostic code includes calling code identified as security safe critical code. In response to the security agnostic code calling the security safe critical code, the security safe critical code is executed. The security safe critical code includes functionality for performing validity checks. Executing the security safe critical code includes performing a validity check for the security agnostic code. When the security agnostic code passes the validity check, code identified as security critical code is called. In response to the security safe critical code calling the security critical code, the security critical code is executed. The security critical code is authorized to perform the security sensitive operation.
    Type: Grant
    Filed: November 13, 2007
    Date of Patent: August 30, 2011
    Assignee: Microsoft Corporation
    Inventors: Michael D. Downen, Raja Krishnaswamy, Arun Moorthy, Charles W. Kaufman
  • Patent number: 8006083
    Abstract: An image forming apparatus is configured to receive user authentication information and perform image formation based on an image formation request and is connected to an external authentication server which performs authentication based on the user authentication information. The image forming apparatus comprises an authentication querying unit that queries the external authentication server for the authentication based on the user authentication information; an authentication result receiving unit that receives a result of the authentication performed by the external authentication server; an authentication result storage unit that stores the result of the authentication received by the authentication result receiving unit; and a control unit that controls the authentication querying unit, the authentication result receiving unit, and the authentication result storage unit.
    Type: Grant
    Filed: July 18, 2007
    Date of Patent: August 23, 2011
    Assignee: Ricoh Company, Inc.
    Inventor: Akiyoshi Sakakibara
  • Patent number: 7994898
    Abstract: Portable devices, methods, and systems for controlling access to computers and other secure systems such as systems protecting secure premises, by processing data supplied by the individual seeking access to the system and data supplied by the system to which the prospective user seeks access, to determine whether access by the individual is to be authorized or enabled. In one embodiment the invention provides a device for providing a code that may be used to access a system such as a computer or security system. The device comprises an output device and at least one processor. The processor processes data representing a biometric characteristic of a prospective user of the system and a signal provided by the system, and, depending upon a result of the processing, provides to the output device a code that may be used to access the system.
    Type: Grant
    Filed: June 16, 2009
    Date of Patent: August 9, 2011
    Inventor: Helmars E. Ozolins
  • Patent number: 7992201
    Abstract: Dynamically selecting an endpoint for a tunnel into an enterprise computing infrastructure. A client dynamically selects a gateway (which may alternatively be referred to as a boundary device or server) as a tunnel endpoint for connecting over a public network (or, more generally, an untrusted network) into an enterprise computing infrastructure. The selection is made, in preferred embodiments, according to least-cost routing metrics pertaining to paths through the enterprise network from the selected gateway to a destination host. The least-cost routing metrics may be computed using factors such as the proximity of selectable tunnel endpoints to the destination host; stability or redundancy of network resources for this gateway; monetary costs of transmitting data over a path between the selectable tunnel endpoints and destination host; congestion on that path; hop count for that path; and/or latency or transmit time for data on that path.
    Type: Grant
    Filed: July 26, 2007
    Date of Patent: August 2, 2011
    Assignee: International Business Machines Corporation
    Inventors: M. Lynn Aldridge, Peter C. Dill, Ivan M. Heninger, John D. Kari, Clifford D. Marano, David M. Urgo
  • Patent number: 7984490
    Abstract: A method and apparatus for issuing an attribute certificate for attributes of a Light Weight Directory Access Protocol (LDAP) entry stored in an LDAP repository. In one embodiment, the method includes receiving a request for an attribute of an LDAP entry. The method further includes, in response to the request, sending a reply that includes an attribute value of the requested attribute and a digital signature to authenticate the attribute value.
    Type: Grant
    Filed: May 31, 2007
    Date of Patent: July 19, 2011
    Assignee: Red Hat, Inc.
    Inventor: Steven W. Parkinson
  • Patent number: 7984486
    Abstract: A Generic Authentication Architecture bootstrapping procedure is performed between a mobile terminal and a bootstrapping server function resulting in the mobile terminal and the bootstrapping server function each acquiring at least a bootstrapping transaction identifier associated with the mobile terminal and a corresponding shared key. The mobile terminal derives a network application function specific key based on at least the acquired shared key and an identifier of said network application function. The bootstrapping transaction identifier and the network application function specific key are sent from the mobile terminal to the proxy mobile node. A request message for Mobile Internet Protocol registration is sent from the proxy mobile node to a home agent on behalf of the mobile terminal, the request message including the bootstrapping transaction identifier and an identifier of the proxy mobile node.
    Type: Grant
    Filed: November 28, 2007
    Date of Patent: July 19, 2011
    Assignee: Nokia Corporation
    Inventor: Preetida Vinayakray-Jani
  • Patent number: 7979893
    Abstract: Processes and techniques for tailoring operations management in a system are described. The processes and techniques allow a user to customize operations management based on the user's function within a system and the particular tasks that the user wishes to accomplish. Simplified user interfaces can be created by scoping the interfaces based on user profiles, preferences and system components.
    Type: Grant
    Filed: May 31, 2007
    Date of Patent: July 12, 2011
    Assignee: Microsoft Corporation
    Inventors: Marisol Ontaneda, Thomas W. Keane, Baelson B. Duque, Chandika Bhandari, Travis Wright, Vitaly Voloshin, Casey McKinnon
  • Patent number: 7978858
    Abstract: A network communication system has terminal devices belonging to a group, the terminal devices generating, if there is a leaving terminal device leaving from the group, an updated group encryption key corresponding to a new group encryption key, from a deletion key corresponding to the leaving terminal device and a group encryption key, and, after the leaving terminal device leaves the group, communicating by using the updated group encryption key; and a group management server generating the updated group encryption key corresponding to the new group encryption key from the deletion key corresponding to the leaving terminal device and the group encryption key, and, after the leaving terminal device leaves the group, communicating by using the updated group encryption key.
    Type: Grant
    Filed: March 31, 2008
    Date of Patent: July 12, 2011
    Assignee: Kabushiki Kaisha Toshiba
    Inventors: Ikuko Osajima, Nobuyuki Ikeda, Akira Suzuki, Shinji Ogishima
  • Patent number: 7979721
    Abstract: A pay-per-use computer, or other electronic device that uses local security, may use a security module or other circuit for monitoring and enforcement of a usage policy. To help prevent physical attacks on the security module, or the circuit board near the security module, a second circuit may be mounted over the security module to help prevent access to the security module. Both circuits may be mounted on an interposer and the interposer mounted to the circuit board, creating a stack including the first circuit, the interposer, the security module, and a main PC board. When the PC board includes dense signal traces under the security module, a three dimensional envelope is created around the security module. When the first circuit is a high value circuit, such as a Northbridge, the risk/reward of attacking the security module is increased substantially and may deter all but the most determined hackers.
    Type: Grant
    Filed: December 18, 2006
    Date of Patent: July 12, 2011
    Assignee: Microsoft Corporation
    Inventors: William J. Westerinen, Todd L. Carpenter, Alexander Frank, Shon Schmidt, Stephen Richard Drake, David James Foster, Tse-Ching James Yu
  • Patent number: 7975148
    Abstract: In an information recording medium reproducing method, an information recording medium, a reproducing apparatus and an information recording medium managing method, a predetermined server is accessed on the basis of an address recorded in an information recording medium to issue key data from the server, and encrypted data recorded in the information recording medium are decrypted with the key data thus issued.
    Type: Grant
    Filed: April 3, 2006
    Date of Patent: July 5, 2011
    Assignee: Sony Corporation
    Inventor: Michiaki Yoneda
  • Patent number: 7975297
    Abstract: Anti-Phishing protection assists in protecting against phishing attacks. Any links that are contained within a message that has been identified as a phishing message are disabled. A warning message is shown when the phishing message is accessed. The first time a disabled link within the phishing message is selected a dismissible dialog box is displayed containing information about how to enable links in the message. After the user dismisses the dialog, clicking on a disabled link causes the warning message to flash drawing the user's attention to the potential severity of the problem. The links may be enabled by the user by selecting the warning message and choosing the appropriate option. Once the user enables the links, future displays of the message show the links as enabled.
    Type: Grant
    Filed: August 16, 2005
    Date of Patent: July 5, 2011
    Assignee: Microsoft Corporation
    Inventors: Joseph Xavier, Aime M. Mitchell, Brian J. Tsang, George A. Herbert, Hernan I. Savastano, Lubdha Khandelwal, Robert C. J. Pengelly, Robert Novitskey, Stanley Grant, III
  • Patent number: 7962745
    Abstract: With each embodiment of the present invention, a content providing system comprises a content encrypting section which encrypts content by use of a session key and a header generating section which encrypts the session key by use of an encryption key in such a manner that the session key can be obtained by use of a decryption key assigned to a user system and generates header information including the encrypted session key and one or more values based on user identification information of each of the user systems that are permitted to obtain the session key. The content providing system transmits the encrypted content and the header information to each user system. Since the header information does not explicitly include user identification information of the user systems, information about whose decryption keys have been revoked is not leaked out in the black box tracing.
    Type: Grant
    Filed: June 18, 2009
    Date of Patent: June 14, 2011
    Assignee: Kabushiki Kaisha Toshiba
    Inventor: Tatsuyuki Matsushita
  • Patent number: 7962953
    Abstract: A system and method for transmitting protected real-time content from one user to another is described. In a first aspect, a user sends a Rights Object to another user. In a second aspect, a user sends a Rights Object to another user via an intermediate server for a multiparty communication. In this second aspect, the users may be able to switch between designated Rights Objects as needed.
    Type: Grant
    Filed: December 28, 2006
    Date of Patent: June 14, 2011
    Assignee: Nokia Corporation
    Inventors: Umesh Chandra, David Leon, Sanjeev Verma
  • Patent number: 7958350
    Abstract: A system for proactive forced renewal of content protection implementations in devices includes a key generation facility to generate and allocate keys for the devices, and to generate revocation data corresponding to revoked keys in response to at least one of a security compromise and on a periodic basis independent of a security compromise; and a device manufacturer to receive the keys from the key generation facility, to embed the keys in content protection implementations for the devices, to distribute the devices, and to renew the content protection implementations in devices after the devices are distributed, in response to at least one of a security compromise and on a periodic basis independent of a security compromise.
    Type: Grant
    Filed: May 14, 2008
    Date of Patent: June 7, 2011
    Assignee: Intel Corporation
    Inventors: C. Brendan S. Traw, Michael S. Ripley