Patents Examined by Gregory A. Morse
  • Patent number: 6971025
    Abstract: A method of initializing and personalizing a chip card (100) and to a chip card (100) for this purpose. In accordance with the present invention, there are created in the data memory (102) of the chip card (100) data structures (200, 210, 300) which enable the personalizing data which is to be transmitted to the chip card (100) at the time of personalization to be unambiguously assigned to the various chip card applications and thus to the providers of these applications. As a result, the chip card applications are securely isolated from one another at the time of personalization.
    Type: Grant
    Filed: July 20, 2000
    Date of Patent: November 29, 2005
    Assignee: International Business Machines Corporation
    Inventors: Harmut Droege, Volker Gottschalk, Juergen Haardoerfer, Albert Schaal, Markus Weinlaender, Martin Witzel, Rainer Woerz
  • Patent number: 6971011
    Abstract: Method of detecting a watermark embedded in a signal (S), in which a plurality of frames of the signal (S) is combined to a detection set (Dj) for one detection event. According to the invention, the reliability of watermark detection is enhanced by using non-consecutive frames to form the detection set (Dj). The invention also relates to an apparatus (2) for recording and/or playback of a signal, and to a system for broadcast monitoring, comprising such a watermark detector (24).
    Type: Grant
    Filed: February 18, 1999
    Date of Patent: November 29, 2005
    Assignee: Koninklijke Philips Electronics N.V.
    Inventor: Maurice J. J. J-B. Maes
  • Patent number: 6970853
    Abstract: A method and system for strong, convenient authentication of a web user makes use, for example, of a computing device, such as a user's personal computer (PC), coupled over a network, such as the Internet, to one or more servers, such as the host server of an authenticating authority, as well as one or more databases of the authenticating authority. The authentication process is broken into three phases, namely a registration phase, an enrollment phase, and a transaction authentication phase, with each phase being less intrusive and less secure than the preceding phase. In the registration phase, an authenticating authority registers the user based upon identification of the user using a strong authentication technique and provides an authenticating token to the user, which can be used in the enrollment phase to enroll one or more user devices for the user.
    Type: Grant
    Filed: June 6, 2001
    Date of Patent: November 29, 2005
    Assignee: Citibank, N.A.
    Inventor: Daniel Schutzer
  • Patent number: 6968455
    Abstract: A browser 21 of a mark user client 3 obtains Web page 11 from a mark provider server 2 and displays it. Then control is transferred to a mark reference program 22 when a mark is detected, and the program extracts digital watermark information from a mark image. This digital watermark information comprises referred data, and an action definition that includes an action class and an index of the referred data as a parameter. The mark reference program 22 refers to this action definition, refers to required data through the index included in the action definition, and then performs processing defined by the action class.
    Type: Grant
    Filed: February 9, 2001
    Date of Patent: November 22, 2005
    Assignee: Hitachi, Ltd.
    Inventors: Satoe Okayasu, Takashi Shinoda, Hiroshi Asakai
  • Patent number: 6966001
    Abstract: A computing system and encryption/decryption method realizes assurance of security and improvement of throughput in a remote system. For this purpose, encrypted data is written to a storage system, it is determined whether data in the storage system is ciphertext or plaintext, and encrypted data is read, decrypted and re-written in storage asynchronously with writing encrypted data to storage.
    Type: Grant
    Filed: March 19, 2001
    Date of Patent: November 15, 2005
    Assignee: Hitachi, Ltd.
    Inventors: Kiyohiro Obara, Hisashi Takamatsu, Masafumi Nozawa, Takashi Oeda, Noboru Morishita
  • Patent number: 6965994
    Abstract: To provide improved security in adjunct program modules such as plug-ins and dynamic link libraries, a requesting module provides an authorization interface to the invoked module such that the invoked module can require a certificate of the requesting module and can also challenge the authority of the requesting module. The certificate can include one or more permissions which are prerequisites for processing by the invoked module. The invoked module can challenge the authority of the requesting module by sending random test data to the requesting module and receiving in response a cryptographic signature of the test data. By verifying the signature of the requesting module using the received certificate, the invoked module confirms that the requesting module is, in fact, the owner of the received certificate.
    Type: Grant
    Filed: January 30, 2001
    Date of Patent: November 15, 2005
    Assignee: Microsoft Corporation
    Inventors: Jason S. Brownell, Steven T. Ansell, Perry T. Devine, Earl Levine
  • Patent number: 6963982
    Abstract: Clients that are connected on a private network and which are assigned a private IP address that is not routable on the Internet can connect to the Internet through a router/server that includes a network address translator (NAT). For outgoing packets, the NAT translates the client's private source IP address and generalized port number (GPN) to the NAT's global IP address and GPN. For incoming packets sent to the NAT's global IP address and GPN, the NAT translates the global destination IP address and GPN to the client's private IP address and GPN. For protocols which cannot be directly supported by the NAT, such as those in the IPSec security protocol suite, the NAT is extended by creating in the NAT's translation table an entry that associates, for a specific unsupported protocol, a client's private IP address and GPN, the NAT's global IP address and GPN, and a foreign address on the Internet, that is valid until a specified or default expiration time.
    Type: Grant
    Filed: October 27, 2000
    Date of Patent: November 8, 2005
    Assignee: Lucent Technologies Inc.
    Inventors: José C. Brustoloni, Juan Alberto Garay
  • Patent number: 6961429
    Abstract: Method and a device for guaranteeing the integrity and authenticity of data transmitted between a management center and one or several receiver units, wherein each receiver unit comprises a decoder (IRD) and a security unit (SC) and means for communicating (NET, REC) with the management center. The method consists in calculating a check information (Hx) representative of the result of a unidirectional and collision-free function, performed on all or part of the transmitted data and in transmitting the result to the management center for verification. The center will be able to inform the decoder concerning the authenticity of the data through return channels or through the main channel.
    Type: Grant
    Filed: June 23, 2000
    Date of Patent: November 1, 2005
    Assignee: Nagravision S.A.
    Inventors: Michael John Hill, Marco Sasselli, Christophe Nicolas
  • Patent number: 6961849
    Abstract: A method, system, and computer program product for selectively encrypting one or more elements of a document using style sheet processing. Disclosed is a policy-driven augmented style sheet processor (e.g. an Extensible Stylesheet Language, or “XSL”, processor) that creates a selectively-encrypted document (e.g. an Extensible Markup Language, or “XML”, document) carrying key-distribution material, such that by using an augmented document processor (e.g., an augmented XML processing engine), an agent can recover only the information elements for which it is authorized. The Document Type Definition (DTD) or schema associated with a document is modified, such that the DTD or schema specifies a reference to stored security policy to be applied to document elements. Each document element may specify a different security policy, such that the different elements of a single document can be encrypted differently (and, some elements may remain unencrypted).
    Type: Grant
    Filed: October 21, 1999
    Date of Patent: November 1, 2005
    Assignee: International Business Machines Corporation
    Inventors: Mark C. Davis, John R. Hind, Marcia L. Peters, Brad B. Topol
  • Patent number: 6961857
    Abstract: A method and apparatus for securely establishing voice over Internet Protocol calls are disclosed. In a Registration Security approach, a Gatekeeper sends an Access Token in all Registration Request messages. The Access Token contains information that authenticates the Gateway to the Gatekeeper. The Gatekeeper formats a message to an authentication server that will authenticate the information contained in the token, and the server responds with either an Access-Accept or Access-Reject message. The Gatekeeper responds to the Gateway with either a Registration Confirm message or a Registration Reject message. If a call is then placed from a successfully authenticated Gateway, that Gateway generates a new Access Token that is identical to the one generated during registration, except for the timestamp. The Gatekeeper uses the authentication server to authenticate the originating gateway, before sending the designation side Access Confirm message.
    Type: Grant
    Filed: September 28, 2000
    Date of Patent: November 1, 2005
    Assignee: Cisco Technology, Inc.
    Inventor: Tyrone Floryanzia
  • Patent number: 6961427
    Abstract: Methods and apparatus for the generation of a cryptographic one way function (a key or keystream generator) for use in encrypting or decrypting binary data. A non-linear key or keystream generation algorithm using multiple feedback shift registers is provided. The feedback shift registers may be constructed utilizing an advanced mathematical construct called an extended Galois Field GF(2^m). The key or keystream is generated as a non-linear function of the outputs of the multiple feedback shift registers, which may be a combination of static feedback shift registers and dynamic feedback shift registers. Dense primitive polynomials with many coefficients may be used to produce a cryptographically robust keystream for use as an encryption or decryption key.
    Type: Grant
    Filed: November 21, 2000
    Date of Patent: November 1, 2005
    Assignee: General Instrument Corporation
    Inventors: Xin Qiu, Eric J. Sprunk
  • Patent number: 6959089
    Abstract: An apparatus and method are utilized for transmitting data across an interface between a sender and a receiver. The sender and receiver can be provided with a shared key, a receiver-key and a sender-key. A payload message can be combined with the keys to generate a unique message for transmission across the interface. The payload message can be authenticated utilizing the same input and the same algorithm on the receiving end of the transmission. The resulting confirmatory payload message can be utilized with the authenticating payload message to authenticate the payload message.
    Type: Grant
    Filed: October 26, 2000
    Date of Patent: October 25, 2005
    Assignee: General Instrument Corporation
    Inventor: Eric J. Sprunk
  • Patent number: 6959384
    Abstract: Systems and methods are disclosed for enabling a recipient of a cryptographically-signed electronic communication to verify the authenticity of the communication on-the-fly using a signed chain of check values, the chain being constructed from the original content of the communication, and each check value in the chain being at least partially dependent on the signed root of the chain and a portion of the communication. Fault tolerance can be provided by including error-check values in the communication that enable a decoding device to maintain the chain's security in the face of communication errors. In one embodiment, systems and methods are provided for enabling secure quasi-random access to a content file by constructing a hierarchy of hash values from the file, the hierarchy deriving its security in a manner similar to that used by the above-described chain.
    Type: Grant
    Filed: April 5, 2000
    Date of Patent: October 25, 2005
    Assignee: Intertrust Technologies Corporation
    Inventor: Xavier Serret-Avila
  • Patent number: 6959391
    Abstract: A method is proposed for protecting the central processing unit of a computer, in particular a smart card. Individual security-related registers are logically combined to form a check sum after the CPU has executed an instruction. The check sum is stored and compared with an accordingly formed check sum before the onset of processing of the next instruction. If the compared check sums fail to match, this indicates manipulation of the register contents of the CPU in the time period between the execution of the two instructions. In such a case a corresponding error message is issued and the processor stopped or the card confiscated.
    Type: Grant
    Filed: April 19, 2000
    Date of Patent: October 25, 2005
    Assignee: Giesecke & Devrient GmbH
    Inventor: Michael Baldischweiler
  • Patent number: 6957344
    Abstract: The present invention discloses a method and apparatus for manufacturing trusted devices. A licensing authority provides keying information to a multitude of manufacturers that insert the keying information into trusted devices. The trusted devices generate final private and public keys using the keying information. The keys may then be certified by the manufacturer and verified by other devices.
    Type: Grant
    Filed: July 10, 2000
    Date of Patent: October 18, 2005
    Assignee: Digital Video Express, L.P.
    Inventors: David Moshe Goldshlag, David William Kravitz
  • Patent number: 6952770
    Abstract: A method and apparatus for enabling hardware platform identification while ensuring privacy protection. The apparatus comprises a computer-readable medium that stores computer-executable instructions. Those instructions, when executed by a microprocessor, cause an expected hash value, which is derived from a key and a first identifier for a computer system, to be compared with a hash value, which is derived from the key and a second identifier for a computer system. A microprocessor for executing those instructions may comprise an identifier that identifies the microprocessor, and embedded instructions for comparing a hash value, derived from the identifier and a key, to an expected hash value.
    Type: Grant
    Filed: March 14, 2000
    Date of Patent: October 4, 2005
    Assignee: Intel Corporation
    Inventors: Millind Mittal, James Mi
  • Patent number: 6952479
    Abstract: A method for copy protection includes receiving data in a recording module representing content to be recorded on a recording medium, the data including an indication that the content is to be protected from unauthorized copying. Responsive to the indication, the recording module signals a protection module to initiate a protection protocol in synchronization with the recording module. The protection module generates control information, so as to prevent the unauthorized copying of the content that is to be protected, and conveys the control information to the recording module, in accordance with the protocol. The recording module combines the control information with the data representing the content in the recording module, for recording on the recording medium.
    Type: Grant
    Filed: November 27, 2001
    Date of Patent: October 4, 2005
    Assignee: Macrovision Europe Limited
    Inventors: Eyal Shavit, Philippe Selve, Ran Alcalay
  • Patent number: 6952779
    Abstract: The present invention provides systems and methods for risk detection and analysis in a computer network. Computerized, automated systems and methods can be provided. Raw vulnerability information and network information can be utilized in determining actual vulnerability information associated with network nodes. Methods are provided in which computer networks are modeled, and the models utilized in performing attack simulations and determining risks associated with vulnerabilities. Risks can be evaluated and prioritized, and fix information can be provided.
    Type: Grant
    Filed: October 1, 2002
    Date of Patent: October 4, 2005
    Inventors: Gideon Cohen, Moshe Meiseles, Eran Reshef
  • Patent number: 6952775
    Abstract: An electronic authentication method for identifying a user who is going to use a recording medium into which the information for making use of any kind of computerized service has been stored, comprising a step to carry out authentication by comparing the authentication information input by the user who is going to use the recording medium into which the information for making use of any kind of computerized service has been stored with the authentication information recorded on the recording medium and a step to carry out authentication by comparing the authentication information input by the user or the authentication information recorded on the recording medium with the registered authentication information existing in the hub of the networking to provide the service.
    Type: Grant
    Filed: August 23, 2000
    Date of Patent: October 4, 2005
    Assignee: Hitachi, Ltd.
    Inventor: Junichi Miura
  • Patent number: 6950935
    Abstract: A system and method for authenticating users over a network. At least one pluggable authentication module (PAM) is used to authenticate users of network services. Each PAM includes a client-side authentication library and a server-side authentication library which may each be implemented in accordance with a specification expressed in an interface definition language (IDL), wherein the IDL is operable to define interfaces across a plurality of platforms and programming languages. The client-side authentication library is implemented for a particular client platform and deployed on the client computer system to provide a client-side interface to retrieve and encrypt a user profile. The server-side authentication library is implemented for a particular server platform and deployed on the server computer system to provide a server-side interface to receive the encrypted user profile from the client-side authentication library and decrypt the user profile to authenticate the user for network services.
    Type: Grant
    Filed: April 21, 2000
    Date of Patent: September 27, 2005
    Assignee: Sun Microsystems, Inc.
    Inventors: Sai V. Allavarpu, Anand J. Bhalerao