Patents Examined by David Y. Jung
  • Patent number: 7840532
    Abstract: A large message can be stored by separating the message into an envelope portion containing information such as headers, protocols, and addresses, and a payload portion containing items such as file attachments. The envelope portion can be stored in local storage, while the payload can be stored to a persistent store. The message can be processed incrementally, such that the entire message is never in system memory. Once the envelope portion is processed, the payload portion can be read in increments without being processed, and those increments written directly to the persistent store. Alternatively, the payload can be streamed to the persistent store. A pointer in the envelope can then be used to locate and retrieve attachments from persistent storage. This description is not intended to be a complete description of, or limit the scope of, the invention. Other features, aspects, and objects of the invention can be obtained from a review of the specification, the figures, and the claims.
    Type: Grant
    Filed: April 25, 2007
    Date of Patent: November 23, 2010
    Assignee: Oracle International Corporation
    Inventors: David Wiser, Sanjay Dalal, Pascal Hoebanx
  • Patent number: 7835528
    Abstract: An approach is provided for refreshing keys in a communication system. An application request is transmitted to a network element configured to provide secure services. A message is received, in response to the application request, indicating refreshment of a key that is used to provide secure communications with the network element. A refreshed key is derived based on the received message.
    Type: Grant
    Filed: April 4, 2006
    Date of Patent: November 16, 2010
    Assignee: Nokia Corporation
    Inventors: Gabor Bajko, Tat Keung Chan
  • Patent number: 7831829
    Abstract: A system is provided that uses identity-based encryption to support secure communications. Messages from a sender to a receiver may be encrypted using the receiver's identity and public parameters that have been generated by a private key generator associated with the receiver. The private key generator associated with the receiver generates a private key for the receiver. The encrypted message may be decrypted by the receiver using the receiver's private key. The system may have multiple private key generators, each with a separate set of public parameters. Directory services may be used to provide a sender that is associated with one private key generator with appropriate public parameters to use when encrypting messages for a receiver that is associated with a different private key generator. A certification authority may be used to sign directory entries for the directory service. A clearinghouse may be used to avoid duplicative directory entries.
    Type: Grant
    Filed: July 28, 2008
    Date of Patent: November 9, 2010
    Assignee: Voltage Security, Inc.
    Inventors: Guido Appenzeller, Matthew J. Pauker, Rishi R. Kacker
  • Patent number: 7826620
    Abstract: An information processor includes a data processing section that executes a processing of storing subsequently generated data, which is subsequently generated or acquired using information read from an information recording medium, onto a storage unit. The data processing section is configured to execute a processing of storing onto the storage unit encrypted subsequently generated data as encrypted data that is encrypted with a unit key as an encryption key corresponding to a content management unit to which the subsequently generated data belongs, and execute a processing of acquiring an encrypted bind unit key and storing the encrypted bind unit key onto the storage unit, the encrypted bind unit key being encrypted data of a bind unit key including as its constituent data the unit key and one of key information acquired from the information processor and identification information acquired from the information recording medium.
    Type: Grant
    Filed: April 5, 2006
    Date of Patent: November 2, 2010
    Assignee: Sony Corporation
    Inventors: Kenjiro Ueda, Tateo Oishi, Katsumi Muramatsu, Yoshikazu Takashima
  • Patent number: 7827614
    Abstract: The present invention provides a system and method for automatically hiding sensitive information, obtainable from a process table, from other processes that should not access the sensitive information. The system and method include a sensitive command attribute table that is used by a system administrator to designate the commands and command attributes that will typically be associated with sensitive information. The sensitive command attribute table is used when a command is entered that requests information from the process table to be displayed or output. In response, a search of the process table entries is made to determine if a command and/or its attribute in the process table matches an entry in the sensitive command attribute table. If so, the command, its attributes, and/or its attribute values are blanked from the output of the process table information.
    Type: Grant
    Filed: May 22, 2008
    Date of Patent: November 2, 2010
    Assignee: International Business Machines Corporation
    Inventors: Denise Marie Genty, Shawn Patrick Mullen, James Stanley Tesauro
  • Patent number: 7822973
    Abstract: An arrangement is provided in which an authentication key with media content and storage capabilities is configured as a removable module that interoperates with a set top box (“STB”) to enable two-factor authentication to be implemented when authenticating a user to unblock media content recorded by a digital video recorder that is restricted using, for example, parental control or blocking features provided by the STB. The authentication key is also arranged with a memory to store recorded media content that is accessed from the STB which functions as an intermediary, or “proxy” device, to facilitate selecting, receiving, and recording media content from a distribution network. The authentication key is also configured with an onboard video processor that enables the authentication key to perform as a portable media player that can drive, in various illustrative examples, a built-in display device or external presentation devices such as television or monitor.
    Type: Grant
    Filed: December 28, 2006
    Date of Patent: October 26, 2010
    Assignee: Motorola Mobility, Inc.
    Inventor: Ken P. Okaya
  • Patent number: 7817800
    Abstract: A cryptographic key split binder includes key split generators that generate cryptographic key splits from seed data and a key split randomizer for randomizing cryptographic key splits to produce a cryptographic key, and a process for forming cryptographic keys. Key split generators can include a random split generator for generating a random key split based on reference data, a token split generator for generating a token key split based on label data, a console split generator for generating a console key split based on maintenance data or a biometric split generator for generating a biometric key split based on biometric data. Any key split can further be based on static data, which can be updated. Label data can be read from a storage medium, and can include user authorization data. A cryptographic key can be, for example, a stream of symbols, at least one symbol block, or a key matrix.
    Type: Grant
    Filed: June 22, 2006
    Date of Patent: October 19, 2010
    Assignee: TecSec, Inc.
    Inventors: C. Jay Wack, Edward M. Scheidt, James L. Kolouch
  • Patent number: 7818791
    Abstract: This invention provides a fingerprint authentication mechanism for accessing the wireless network system that is applicable to a wireless network communications apparatus, the mechanism including the steps of inputting data of users' fingerprints and converting the same into matrix data compliant with wireless network authentication bit ciphers; setting thresholds for pattern identification with respect to the matrix data as an authentication basis for determining if the user has access rights to the network system upon receipt of a request signal for network connection sent from a user end; and analyzing if the captured fingerprint of the user matches with the preset authentication data to determine if the wireless network communications apparatus is to be started for network connection, thereby increasing the quality, usability and safety of the wireless network connection to achieve an easier scheme of information security management.
    Type: Grant
    Filed: December 28, 2006
    Date of Patent: October 19, 2010
    Assignee: Mitac International Corporation
    Inventor: Sean I-Hsiang Cheng
  • Patent number: 7813503
    Abstract: A method and deterministic random bit generator system operating in accordance with the method, for generating cryptographic keys and similar secret cryptographic inputs which are hard to guess. An entropy is input from an entropy source; and an initial seed is generated as a function of the entropy input. When a request to generate a cryptographic key is received, a temporary seed is generated by applying the function to the seed. The requested cryptographic key is generated by applying a second function to the temporary seed; and output. A new seed is then generated by applying a third function to the temporary seed. In one embodiment of the subject invention all three functions are carried out by applying the same operator to appropriate inputs. In another embodiment of the subject invention new entropy is incorporated into the seed from time to time.
    Type: Grant
    Filed: September 13, 2006
    Date of Patent: October 12, 2010
    Assignee: Pitney Bowes Inc.
    Inventors: Matthew J. Campagna, Yiqun Yin
  • Patent number: 7814536
    Abstract: The present invention authenticates a user for multiple resources distributed across multiple domains through the performance of a single authentication. User access requests for a protected resource in a first domain are received and redirected to a second domain. User authentication is performed at the second domain. In one embodiment, the system transmits an authentication cookie for the second domain to the user after authentication at the second domain. In another embodiment, the system further redirects subsequent resource requests for resources in the first domain or a third domain to the second domain. The second domain confirms the user's authentication for applicable portions of the first, second, and third domains using the cookie.
    Type: Grant
    Filed: October 4, 2006
    Date of Patent: October 12, 2010
    Assignee: Oracle International Corporation
    Inventors: Robin E. Martherus, Srinivasagopalan Ramamurthy
  • Patent number: 7805604
    Abstract: A network interface and storage medium that, in an embodiment, filter packets received from a network based on rules. The filtering discards a subset of the packets based on the rules and keeps a remaining subset of the packets. The remaining subset is copied to a destination. The rules are created offline in a lower priority process from the filtering and copying by detecting whether symptoms exist in a sample of the remaining subset. In an embodiment, the order that the symptoms are detected is changed based on the frequency of the existence of the symptoms in the sample. In various embodiments, the symptoms may include receiving a threshold number of ping packets within a time period, receiving a threshold number of broadcast packets within a time period, receiving a packet with an invalid source address, and receiving a packet with an invalid header flag.
    Type: Grant
    Filed: January 6, 2009
    Date of Patent: September 28, 2010
    Assignee: International Business Machines Corporation
    Inventors: Foaad Khosmood, Ognjen Petrovic, Jeremy Matthew Savoy, Duncan Allen Woods
  • Patent number: 7802293
    Abstract: A secure and transparent digital credential sharing arrangement which utilizes one or more cryptographic levels of indirection to obfuscate a sharing entity's credentials from those entities authorized to share the credentials. A security policy table is provided which allows the sharing entity to selectively authorize or revoke digital credential sharing among a plurality of entities. Various embodiments of the invention provide for secure storage and retrieval of digital credentials from security tokens such as smart cards. The secure sharing arrangement may be implemented in hierarchical or non-hierarchical embodiments as desired.
    Type: Grant
    Filed: April 5, 2006
    Date of Patent: September 21, 2010
    Assignee: ActivIdentity, Inc.
    Inventors: John Jules Alexander Boyer, Eric Fernand Le Saint
  • Patent number: 7802307
    Abstract: A communications apparatus and method is provided to reliably protect communication systems, such as mobile phone systems, from unauthorized use, as well as to make the interception of wireless communication more difficult. Specifically, the static wireless phone number or other similar identifiers are not used for identification and authorization during communication between the mobile unit and a base station. Instead, a set of private identifiers is determined and is known only to the phone company and the base stations controlling the mobile phone calls. These private identifiers allow dynamic and continual updating of the mobile phone and base station directories with current valid identifiers that are used for communication between the devices.
    Type: Grant
    Filed: June 22, 2007
    Date of Patent: September 21, 2010
    Assignee: Invicta Networks, Inc.
    Inventors: Victor I Sheymov, Roger B Turner
  • Patent number: 7797753
    Abstract: A method for providing a menu for a device, by providing a GUI for an administrator to select and lock-down device driver setting profiles, and providing a GUI for displaying to a user the locked-down profiles and permitting the user to select only from the listed profiles. Allowing a user to choose only from the pre-defined profiles makes for convenience and avoids waste from setting errors by novice users. The computer system detects the current system and job information (time, date, printer status, application, user information, etc.) using WMI and SNMP, applies mapping rules defined by an administrator, and displays only those profiles that are applicable to the current system and job status. Methods also include defining new profiles; alerting the user when no profiles are available, with mapping explanation and suggestion; profile detail display; and printer support.
    Type: Grant
    Filed: June 9, 2005
    Date of Patent: September 14, 2010
    Assignees: Kyocera Mita Corporation, Kyocera Technology Development, Inc.
    Inventors: David Chamberlin, Hans-Gerd Gersch
  • Patent number: 7797746
    Abstract: Systems and methods for an anti-virus detection module that can detect known undesired computer files in encrypted, compressed, password-protected and/or damaged archives are provided. According to one embodiment, an archive file is scanned without decrypting and without decompressing contents of the archive file. A type and associated structure of the archive file are identified. Then, based on the identified type and the associated structure, descriptive information from the archive file is obtained describing one or more contained files. The descriptive information for each of the contained files is evaluated to determine if any of the contained files are malicious or undesired computer files by comparing the descriptive information to signatures of known malicious or undesired computer files. Finally, an attempt is made to prevent any of the contained files determined to be a malicious or undesired computer file from being opened.
    Type: Grant
    Filed: July 26, 2007
    Date of Patent: September 14, 2010
    Assignee: Fortinet, Inc.
    Inventors: Steven Michael Fossen, Alexander Douglas MacDonald
  • Patent number: 7793106
    Abstract: Method and system for endorsing and verifying the authority of a digital signature is provided. The system includes a server that is operationally coupled to a user's computer via a network link, wherein the server receives a signed document; the server identifies the type of document submitted and the signer's authority to sign it; and if all conditions are met, the server provides a signed statement or endorsement stating the user was authorized to sign the electronic document.
    Type: Grant
    Filed: August 17, 2005
    Date of Patent: September 7, 2010
    Assignee: The Boeing Company
    Inventor: Larry Bugbee
  • Patent number: 7793096
    Abstract: A method is provided for use in a computer system including a client and a health registration authority. The health registration authority is configured to accept requests for assertions, and the client has a health state described by at least one health claim. The method may include an act of including an indication of the at least one health claim of the client in a request for an assertion. A second method is provided for use in a computer system comprising a client, an assertion authority, and a plurality of health policies. The method can include an act of including an indication of at least one health policy that the health claim of the client satisfies in an assertion.
    Type: Grant
    Filed: March 31, 2006
    Date of Patent: September 7, 2010
    Assignee: Microsoft Corporation
    Inventors: Ryan M. Hurst, Ekta H. Manaktala, Paul G. Mayfield, Vivek P. Kamath
  • Patent number: 7779451
    Abstract: In an embodiment, a method is provided. The method of this embodiment provides receiving a packet having a wake-up pattern, and waking up if the wake-up pattern corresponds to one of a number of dynamically modifiable passwords on a pattern wake list, each of the dynamically modifiable passwords being based, at least in part, on a seed value.
    Type: Grant
    Filed: March 30, 2006
    Date of Patent: August 17, 2010
    Assignee: Intel Corporation
    Inventor: Avigdor Eldar
  • Patent number: 7774854
    Abstract: Systems and methods for protecting information provided to an agent via a communication network are provided. In this regard, a representative method comprises: receiving a communication via a communication network, the communication including information that is to be protected; routing the communication to an agent; recording at least a portion of the communication; identifying the information that is to be protected from the communication; and preventing unauthorized access to the information during replay of the portion of the communication.
    Type: Grant
    Filed: March 31, 2006
    Date of Patent: August 10, 2010
    Assignee: Verint Americas Inc.
    Inventors: Joseph Watson, Damian Smith, Robert John Barnes
  • Patent number: 7765406
    Abstract: A method for protecting data of at least one password-protected account of a user in a system comprises the steps of: (a) creating, by the user, a password-protected account associated with a user identification and a password on the system; (b) hashing the password and storing the hashed password in a first password digest in a database; (c) receiving credential data from a user, including the user identification and password; (d) requesting, from the database, the first password digest based upon the received credential data; (e) receiving, into volatile memory, the first password digest from the database in response to the request; (f) hashing the received password as the credential data and creating a second password digest; (g) receiving, into volatile memory, the second password digest; (h) comparing, in volatile memory, the first password digest with the second password digest; and (i) authenticating the user based upon the comparison.
    Type: Grant
    Filed: April 4, 2006
    Date of Patent: July 27, 2010
    Inventor: Grant Friedline