Abstract: An encryption apparatus capable of effectively preventing encryption data from being illegally generated is provided. Based on apparatus identification data of an integrated circuit (IC), which is input from a computer, a secure application module (SAM) selects an encryption method from among a plurality of different encryption methods. Based on the code of the IC, the SAM selects plaintext data to be encrypted from among the plurality of different pieces of plaintext data. The SAM outputs encryption data such that the selected plaintext data is encrypted by the selected encryption method.

Abstract: Recording network traffic is disclosed. Data associated with a network flow are monitored. If it is determined that the data associated with the network flow satisfy a first criterion based at least in part on a prediction value that reflects a likelihood that the network flow will result in a security event, the data associated with the network flow are begun to be recorded even though a second criterion corresponding to the security event has not been satisfied.

Abstract: Apparatus for certifying electronic data supplied by a user receives data to be signed, supplied by the user from a source device, at a certifying apparatus including at least a signature server providing a signing function. An encrypted password is received at that server from the source device via a first communication path, the password being generated by an authentication system providing an authentication function separate from the signing function and the password being transmitted to the source device via a second communication path, the signature server and the authentication system have different communication paths with the source device. A version of the encrypted password is communicated between the signature server and the authentication system via a third communication path, different to the first and second paths, for authenticating the user.

Abstract: Techniques for use in enterprise and similar computing systems securely protect data during software application use by generating private table seeds as a function of a predetermined parameters and private tables as a function of the private table seeds. Each of the private tables associates with a distinct one of the private table seeds, each of the private tables associates with a site. An enterprise table seed is formed using other parameters and an enterprise table is derived from the enterprise table seed. The enterprise table permits data communication throughout an enterprise. A string of characters allows accessing a global private information protection system which includes global tables for integrating the private tables, the enterprise tables, and the global tables into a runtime application program at a remote location and coordinating the user's use to control assure only secure use and prevent inadvertent disclosure of the protected information.

Abstract: Techniques are described for establishing network tunnels that allow communication according to one or more routing protocols. The techniques allow for the automated configuration of a selector or other filter associated with the network tunnel. A network device, for example, includes a control unit, and an interface for coupling the network device to a computer network. The control unit receives a communication to establish a network tunnel with a remote network device. The communication includes information that specifies a routing protocol supported by the remote network device. The control unit automatically configures the network tunnel to permit communication through the network tunnel in accordance with the specified routing protocol. The control unit may receive the communication in accordance with a conventional network protocol, such as the Internet Key Exchange protocol. The information may be conveyed using a data field redefined to specify the supported routing protocol.

Abstract: To provide an authentication technology making it compatible to facilitate inputting of authentication information and to ensure the security. An authentication device connected to a transmitting terminal and a receiving terminal via a communication line, receives a message from the transmitting terminal, receives authentication information from the transmitting terminal, registers the message in association with the authentication information, receives a request with a purport of acquiring the message from the receiving terminal, determines, based on the authentication information received from the receiving terminal and the registered authentication information, whether to authenticate or not, and, if authenticated, transmits the message to the receiving terminal.

Abstract: A method to grant a supplicant access to a data communication network and related devices is claimed. The supplicant is associated to a Medium Access Control address and is coupled to a port of an authenticator of the data communication network. The method includes: transmitting an authentication request by the authenticator to an authentication server being coupled thereto; making by the authentication server an authentication decision based upon predefined rules and conditions; and transmitting by the authentication server to the authenticator an authentication reply that comprises a result of the authentication decision.

Abstract: A sensor system includes a controller and sensors, the system configured to ensure unique identity for each device. Methods are provided to generate new identities for those devices having duplicate addresses, and to transmit the new identity information to those devices.

Abstract: In order to provide a communication protocol for cryptographic authentication on the basis of at least one cryptographic algorithm, in particular according to the A[dvanced]E[ncryption]S[tandard], by providing at least one random number (PRN?) for at least one first, in particular present, authentication sequence or authentication session (n), and providing at least one further random number (PRN2, PRN3) for at least one further, in particular second or next, authentication sequence or authentication session (n+1), wherein the relevant time for cryptographic authentication is shortened, it is proposed that providing the further random number (PRN2, PRN3) is initialized (p) when, in particular immediately after, successfully performing the authentication in the first authentication sequence or authentication session (n).

Abstract: Proposed is an apparatus and method of preventing the leakage of information from an external storage apparatus even when such external storage apparatus is stolen or accessed from an unauthorized host computer. This external storage apparatus accessible from a host computer or another external storage apparatus via a network encrypts or decrypts data written from a host computer to be stored in the storage area, sends a request for existence confirmation to the host computer or the other external storage apparatus every predetermined period of time, and zeroizes an encryption key to be used in the encryption calculation for encrypting or decrypting data to be performed by the encryption calculation unit based on the result of a response from the host computer or the other external storage apparatus in reply to the request.

Abstract: A data blob has an operator's certificate that specifies a network. The data blob is encrypted by the network using a private key that authenticates that a user device owns a MAC address. The network sends the encrypted data blob to the user device, which decrypts it using a private key that is locally stored in the user device. From that the user device obtains the operator's certificate, locks the user device to a network specified by the operator's certificate, and sends a response message signed with the private key. The network grants access to the user device based on the signed response message. Various embodiments and further details are detailed. This technique is particularly useful for a WiMAX or WLAN/WiFi network in which there is no SIM card to lock the device to the network.

Abstract: An apparatus and method for performing cryptographic operations within microprocessor. The apparatus includes an instruction register having a cryptographic instruction disposed therein, a keygen unit, and an execution unit. The cryptographic instruction is received by a microprocessor as part of an instruction flow executing on the microprocessor. The cryptographic instruction prescribes one of the cryptographic operations, and also prescribes that a user-generated key schedule be employed when executing the one of the cryptographic operations. The keygen unit is operatively coupled to the instruction register. The keygen unit directs the microprocessor to load the user-generated key schedule. The execution unit is operatively coupled to the keygen unit. The execution unit employs the user-generated key schedule to execute the one of the cryptographic operations. The execution unit includes a cryptography unit.

Abstract: According to a conventional technique, in the case where a program is stored into a non-volatile memory once and then activated, authentication of the program is performed immediately before such activation. However, calculations such as decryption of encrypted values are required before the activation of the program starts, which causes the problem that responsiveness is decreased in proportion to the time required for calculations. In order to solve this problem, authentication of a program is performed immediately before such program is stored, so that no authentication is performed or only a part of the authentication is performed to verify the validity of certificates at program activation time.

Abstract: Method for providing a single level secure (SLS) user processor (402, 502) with access to a multi-level secure (MLS) file system (300). The method begins by authenticating a user to a cryptographic processor (302) by communicating one or more types of user authentication information to the cryptographic processor. Based on such authentication, the MLS file system services are provided such that the SLS user processor (402, 502) has access to files (306, 308, 310, 312, 314) at only one defined security classification level at a time. The method also includes zeroizing one or more data stores used by the SLS user processor each time the SLS user processor transitions between accessing classified data files at a first security classification level and a second security classification level.

Abstract: A method of allowing a user to authenticate to an authentication service while isolating information associated with the user from the authentication service includes generating a service user identifier (SUID) associated with an authentication code source, a subscribing site and an authentication service. The method includes creating an association of the SUID with the information associated with the user, and isolating the association within the subscribing site. The method includes providing an authentication code generated by the authentication code-generating device from the user to the subscribing site, and providing the authentication code along with the SUID and information identifying the subscribing site to the authentication service.

Abstract: Sampling and transforming (“twisting”) of biometric data are performed at client based on information known at client only. Twisting includes shuffling the arrays of biometric data and may include changing of values in these arrays. Twisted biometric data are submitted to server. Amount of information contained in twisted data is enough to verify and/or identify the client using proposed correlation procedure, however, is not enough to restore the client's real biometrical data in case of interception of submitted data and in case of compromising security of server. As a result the privacy of the client is guaranteed in the highest degree.

Abstract: Protecting content. A recipient receives content from a publisher. Some content is managed by an access server. The access server controls the recipient's use of managed content through interaction with a trusted agent at the recipient. The content is encrypted to a content key, and the content is associated with policy information. The policy information includes the content key for decrypting the content. The policy information is encrypted to an access server key allowing the policy information to be decrypted by the access server. The content key is received from the access server. The content key is encrypted to a trusted agent key. The content key is further encrypted to additional factor(s) defining additional content protection beyond that provided by trusted agent. The content key is decrypted using the trusted agent key and the at least one additional factor. The content is decrypted using the content key.

Abstract: An encryption part or a decryption part of an encryption/decryption apparatus or a part common to both parts is used both for encryption and decryption of a datum to be stored and the encrypted memory content and for the generation of the address-individual key and the address-dependent key, respectively.

Abstract: A method and system for creating security policies for firewall and connection policies in an integrated manner is provided. The security system provides a user interface through which a user can define a security rule that specifies both a firewall policy and a connection policy. After the security rule is specified, the security system automatically generates a firewall rule and a connection rule to implement the security rule. The security system provides the firewall rule to a firewall engine that is responsible for enforcing the firewall rules and provides the connection rule to an IPsec engine that is responsible for enforcing the connection rules.

Abstract: A method and a system for managing a key of a home device in a broadcast encryption system are provided. A hierarchical structure of a group set comprising a plurality of nodes corresponding to the home server and a plurality of nodes corresponding to the home device is formed. A key set to be allotted to the node set is generated. The node group is allowed to correspond to the key set to generate key-node corresponding information according to a request of the home server.