Patents Examined by Michael J. Simitoski
  • Patent number: 7676835
    Abstract: A content management system integrated with a web caching proxy that delivers content according to access control rules. An access control token is generated using a secret key when a user selects a desired object (to be provided only upon token validation, thus the object retrieval and delivery task can be delegated). However, tokens for other content and/or for other users could be generated by a rogue resource manager. If the desired object is already cached, the proxy asks the resource manager to validate the token and then selectively provides the desired object without contacting a library server. Alternately, the proxy itself performs the token validation, but must coordinate with the library server to ensure it has the latest secret key. Finally, the tokens may contain digital signatures generated with a private key and validated with a corresponding public key, so that private keys need not be distributed.
    Type: Grant
    Filed: August 31, 2004
    Date of Patent: March 9, 2010
    Assignee: International Business Machines Corporation
    Inventors: Karen W. Brannon, Hui-I Hsiao, Huong T. Morris
  • Patent number: 7676040
    Abstract: A method, a system and a computer program for changing an encryption key of data encrypted by a first key and stored on an archive server (40), wherein a conversion is applied to the data, generating recrypted data decryptable by means of a second key, the conversion being generated on a second server (30) and associated with the first key and the second key via a functional operation and transferred from the second server (30) to the archive server (40) via a transfer channel (38).
    Type: Grant
    Filed: November 29, 2005
    Date of Patent: March 9, 2010
    Assignee: International Business Machines Corporation
    Inventors: Oliver Augenstein, Jan Camenisch
  • Patent number: 7664962
    Abstract: Automatic recognition apparatus (100, 700) includes multiple automatic recognition subsystems (102, 104, 106) that are capable of producing estimates of the probability that a subject matches a particular identity, a probability estimate combiner (108) that receives estimates from the multiple automatic recognition subsystems (102, 104, 106) and produces a combined estimate, and a decayer (111) that decreases the certainty of the combined estimate over time while avoiding changing estimates to values that would suggest strong information contrary to the initial values of the combined estimates.
    Type: Grant
    Filed: March 13, 2006
    Date of Patent: February 16, 2010
    Assignee: Motorola, Inc.
    Inventor: Douglas Kuhlman
  • Patent number: 7653813
    Abstract: All nodes within a communication system (100) will create an IP address based on a shared-secret key. The shared-secret key is unique for every node within the communication system and is known only to the node (102) and a server (103). The router (101) can validate that the node (102) owns the IP address.
    Type: Grant
    Filed: February 8, 2006
    Date of Patent: January 26, 2010
    Assignee: Motorola, Inc.
    Inventors: Narayanan Venkitaraman, Vidya Narayanan
  • Patent number: 7653935
    Abstract: Upon integration of a file system, a user identifier recorded in a storage as management data is translated. A file server connected to a storage storing the data of a file system therein has a file system operation unit for managing the file system, a file server operation unit for receiving the access request to the file, and a user identifier translation unit for carrying out translation between a first user identifier, which is used by the client, and a second user identifier, which is recorded in the storage as management data of the file system. Receiving the access request to the file from the client, the user identifier translation unit translates the second user identifier included in the management data of the file that is an access target of the access request into the first user identifier, and the file server operation unit transmits the management data to the client.
    Type: Grant
    Filed: April 21, 2005
    Date of Patent: January 26, 2010
    Assignee: Hitachi, Ltd.
    Inventors: Hitoshi Kamei, Masaaki Iwasaki, Takahiro Nakano, Yoji Nakatani
  • Patent number: 7650640
    Abstract: Data streams are scanned to detect malicious jump-call-pop shellcode constructs used in attacks against stack-based buffer overflow vulnerabilities on software executing in the IA32 architecture prior to execution. Upon a detection of a malicious jump-call-pop shellcode construct, protective action is taken, such as preventing the malicious shellcode from executing.
    Type: Grant
    Filed: October 18, 2004
    Date of Patent: January 19, 2010
    Assignee: Symantec Corporation
    Inventor: Elias Levy
  • Patent number: 7650508
    Abstract: A secure time stamping device uses multiple virtual clocks, each of which may be individually accessed and calibrated. A digital key is associated with each of the clocks. All of the virtual clocks use a common timer (130), with the actual clock output being generated by applying calibration information (124) for that clock to the timer (130) output. A user wishing to have a message time stamped presents that message along with information as to which virtual clock to be used at a device input (92). The appropriate calibration information (124) is then selected and the timer (130) output is compensated accordingly. The incoming message plus the resultant time are concatenated and automatically signed using the key (126) applicable to that particular virtual clock.
    Type: Grant
    Filed: September 10, 2002
    Date of Patent: January 19, 2010
    Assignee: Ncipher Corporation Limited
    Inventor: Ian Nigel Harvey
  • Patent number: 7650500
    Abstract: An encryption communication system, comprising a communication relay device that connects a first network and a second network, for encrypting a communication within the first network and a communication within the second network in a network system configured so that communications are performed between a client in the first network and a server in the second network via the communication relay device, wherein the communication relay device comprises key generation unit generating an encryption key and a decryption key with respect to the client, and key transfer unit transmitting the encryption key and the decryption key to the server, and the server comprises frame receiving unit decrypting a receipt frame by use of the decryption key, and frame transmitting unit encrypting the frame by use of the encryption key and thus transmitting the frame.
    Type: Grant
    Filed: February 3, 2005
    Date of Patent: January 19, 2010
    Assignee: Fujitsu Limited
    Inventor: Kazumine Matoba
  • Patent number: 7650632
    Abstract: A password management solution which provides a user with convenient access to multiple resources (e.g. systems and services), and also provides the flexibility to establish varying password security requirements for each resource is disclosed. In an embodiment, there is provided a password registry for registering resources and securely storing user ID and encrypted password information. An unencrypted user-provided password may be encrypted by a process associated with each resource, using an encryption algorithm specific to that resource, before storage of the encrypted password in the password registry. An encrypted password retrieved from the password registry may be decrypted by a process associated with each resource using a decryption algorithm specific to that resource.
    Type: Grant
    Filed: March 25, 2004
    Date of Patent: January 19, 2010
    Assignee: International Business Machines Corporation
    Inventor: Donald J. Yantzi
  • Patent number: 7647647
    Abstract: A system, method and program product that allows a set of actions being executed on a computer system to be temporally authorized for execution for a short duration. A computer system is provided comprising: an execution platform for executing program code; and an execution control system that can interrupt execution of actions encountered in the program code, wherein the execution control system includes a system for temporally authorizing execution of an encountered action.
    Type: Grant
    Filed: August 5, 2004
    Date of Patent: January 12, 2010
    Assignee: International Business Machines Corporation
    Inventor: Dale M. Schultz
  • Patent number: 7647501
    Abstract: An apparatus for communicating, including a communicating unit that enables the apparatus to communicate with a communications counterparty via the communicating unit. The communicating unit includes a unit for providing an individual certificate that is a digital certificate being provided with information identifying the apparatus for communicating in order to receive an authentication by the communications counterparty when communicating, and a unit for communicating when having been authenticated with the individual certificate by the communications counterparty. The apparatus further includes at least one storage area for storing the individual certificate and a common certificate that is a digital certificate not being provided with apparatus identifying information, in a replacement component as a minimum unit enabled for replacement.
    Type: Grant
    Filed: September 10, 2004
    Date of Patent: January 12, 2010
    Assignee: Ricoh Company, Ltd.
    Inventor: Tatsuya Imai
  • Patent number: 7644271
    Abstract: A method and computer program product for providing enforcement of security policies for kernel module loading is presented. File paths for shared library executable files opened by user processes are cached. When a request to load a kernel loadable module (KLM) is received, a previously cached file path for said KLM is retrieved, said file path mapping a location of an executable file from which said KLM was produced. A security policy is applied to said file path, wherein when said file path triggers a security policy rule then an action associated with a triggered rule is taken, and wherein when said file path does not trigger a security policy rule then said KLM request is allowed to proceed.
    Type: Grant
    Filed: November 7, 2005
    Date of Patent: January 5, 2010
    Assignee: Cisco Technology, Inc.
    Inventors: Mikhail Cherepov, Yan Chen
  • Patent number: 7644440
    Abstract: An implementation of a technology, described herein, for facilitating the protection of computer-executable instructions, such as software. At least one implementation, described herein, may generate integrity signatures of one or more program modules (which are sets of computer-executable instructions) based upon a trace of activity during execution of such modules and/or near-replicas of such modules. With at least one implementation, described herein, the execution context of an execution instance of a program module is considered when generating the integrity signatures. With at least one implementation, described herein, a determination may be made about whether a module is unaltered by comparing integrity signatures. This abstract itself is not intended to limit the scope of this patent. The scope of the present invention is pointed out in the appended claims.
    Type: Grant
    Filed: December 6, 2005
    Date of Patent: January 5, 2010
    Assignee: Microsoft Corporation
    Inventors: Saurabh Sinha, Mariusz H. Jakubowski, Ramarathnam Venkatesan, Yuqun Chen, Matthew Cary, Ruoming Pang
  • Patent number: 7644441
    Abstract: Malicious software is identified in an executable file by identifying malicious structural features, decryption code, and cryptographic functions. A malicious structural feature is identified by comparing a known malicious structural feature to one or more instructions of the executable file. A malicious structural feature is also identified by graphically and statistically comparing windows of bytes or instructions in a section of the executable file. Cryptography is an indicator of malicious software. Decryption code is identified in an executable file by identifying a tight loop around a reversible instruction that writes to random access memory. Cryptographic functions are identified in an executable file by obtaining a known cryptographic function and performing a string comparison of the numeric constants of the known cryptographic function with the executable file.
    Type: Grant
    Filed: September 24, 2004
    Date of Patent: January 5, 2010
    Assignee: Cigital, Inc.
    Inventors: Matthew N. Schmid, Michael Weber, Michael Haddox-Schatz, David Geyer
  • Patent number: 7644439
    Abstract: In a first aspect of the invention, a method for classifying characters within a character string entered via a keyboard device includes logging interrupts, checking a time between interrupts, checking an interrupt duration and classifying the characters within the character string based upon the time between interrupts and the interrupt duration. In a second aspect of the invention, a method for protecting against timing attacks against a trusted path mechanism includes employing a multithreaded process with a first thread to prevent any timing Trojan horses from running, running the first thread in a loop at a first priority and preventing unprivileged processes from obtaining a priority higher than the first priority.
    Type: Grant
    Filed: September 8, 2004
    Date of Patent: January 5, 2010
    Assignee: Cisco Technology, Inc.
    Inventor: Jonathan T. Trostle
  • Patent number: 7639803
    Abstract: An optical disk player to reproduce information recorded on an optical disk, being operable by a remote controller, includes a system controller. The system controller displays an image of the remote controller on a display device by set-up. The system controller stores different items of color information for discriminating, from one another, inhibit key information indicating a key by which key entry is inhibited during playing, the key being other than keys for which inhibition setting of a key operation is previously disabled on a side of the player or the optical disk, user-designated inhibit key information indicating a user-designated key for which inhibition of the key entry is desired during playing of the optical disk, and inhibition-setting disabled key information. The system controller displays color marks according to the different items of color information at segments of corresponding keys on the remote controller image displayed on the display device.
    Type: Grant
    Filed: April 25, 2005
    Date of Patent: December 29, 2009
    Assignee: Funai Electric Co., Ltd.
    Inventor: Hironori Tani
  • Patent number: 7640438
    Abstract: The use of a variety of devices to render multimedia content is on the increase. It is important to ensure that the content owners/providers get their share of return on investment in order to achieve the unlimited global distribution of content. However, illegal use of the delivered content could affect such a return on investment. One of the important requirements is to protect content and allow for rendering of the protected content in an efficient manner on target devices. A system for protected content rendering involves ensuring that the unprotected content is not available for misuse.
    Type: Grant
    Filed: February 15, 2005
    Date of Patent: December 29, 2009
    Assignee: Satyam Computer Services Ltd.
    Inventors: Sridhar Varadarajan, Korrapati Kalyana Rao
  • Patent number: 7639819
    Abstract: One embodiment of the present invention provides a system that facilitates using an external security device to secure data in a database without having to modify database applications. The system operates by receiving a request at the database to perform an encryption/decryption operation, wherein the encryption/decryption operation is performed with the assistance of the external security module in a manner that is transparent to database applications. In response to the request, the system passes a wrapped (encrypted) column key (a key used to encrypt data within the database) to an external security module, wherein the wrapped column key is a column key encrypted with a master key that exists only within the external security module. The system then unwraps (decrypts) the wrapped column key in the external security module to retrieve the column key. Next, the system returns the column key to the database.
    Type: Grant
    Filed: June 16, 2005
    Date of Patent: December 29, 2009
    Assignee: Oracle International Corporation
    Inventors: Min-Hank Ho, Paul Youn, Daniel ManHung Wong, Chon Lei
  • Patent number: 7636936
    Abstract: The administration of protection of data on a client mobile computing device by a server computer system such as within an enterprise network or on a separate mobile computing device is described. Security tools are described that provide different security policies to be enforced based on a location associated with a network environment in which a mobile device is operating. Methods for detecting the location of the mobile device are described. Additionally, the security tools may also provide for enforcing different policies based on security features. Examples of security features include the type of connection, wired or wireless, over which data is being transferred, the operation of anti-virus software, or the type of network adapter card. The different security policies provide enforcement mechanisms that may be tailored based upon the detected location and/or active security features associated with the mobile device.
    Type: Grant
    Filed: October 29, 2007
    Date of Patent: December 22, 2009
    Assignee: Novell, Inc.
    Inventors: Michael Wright, Peter Boucher, Gabe Nault, Merrill Smith, Sterling K Jacobson, Jonathan Wood, Robert Mims
  • Patent number: 7636859
    Abstract: A method of authorizing transfer of software into an embedded system, comprising the steps of obtaining a hardware identification code (HWID) relating to one of a service/recalibration tool and an embedded system, obtaining a software identification code (SWID) relating to at least a portion of software information that is not resident in the embedded system but is to be downloaded into the embedded system, creating a password as a function of the HWID and the SWID, and downloading a password-protected portion of the software information from the service/recalibration tool into the embedded system based on the password.
    Type: Grant
    Filed: August 30, 2005
    Date of Patent: December 22, 2009
    Assignee: Cummins Inc.
    Inventors: Lincoln M. Little, Mark P. McNulty