Patents Examined by Nasser Moazzami
  • Patent number: 8037520
    Abstract: Methods, apparatus, programs and signals for providing communications network security. The approach is based on using established “standard” protocols, but packets (or cells or frames) are deliberately malformed by the sender, optionally according to a predetermined rule (for example by inverting a packet check digit). A filter forwards only packets identified as being invalid, optionally in accordance with the rule; packets which are valid with respect to the “standard” protocol are dropped. The filter is preferably implemented in hardware to mitigate the risk of its being compromised by a malicious attack.
    Type: Grant
    Filed: September 12, 2006
    Date of Patent: October 11, 2011
    Assignee: Qinetiq Limited
    Inventors: Simon Robert Wiseman, Christopher James Cant
  • Patent number: 8037514
    Abstract: Various systems and methods are disclosed for disseminating security server contact information in a network. For example, one method (e.g., performed by a security server) involves determining that a network device is a secure network device, in response to participating in a security exchange with the network device; and then sending a server list to the network device. The server list includes the network address of at least one security server. Another method (e.g., performed by a network device) involves initiating an authentication exchange; receiving a server list, which includes the network address of a security server, as part of the authentication exchange; and communicating with the security server by sending a packet to the network address included in the server list.
    Type: Grant
    Filed: March 1, 2005
    Date of Patent: October 11, 2011
    Assignee: Cisco Technology, Inc.
    Inventors: Irene H. Kuffel, Wilson Kok, Michael Fine, Fabio R. Maino, Jed Lin Lau
  • Patent number: 8037311
    Abstract: A digital watermark is added to audio or visual content. An illustrative embodiment segments the content, permutes the segments, and transforms such data into another domain. The transformed data is altered slightly to encode a watermark. The altered data can then be inverse-transformed, and inverse-permuted, to return same to substantially its original form. Related watermark decoding methods are also detailed, as are ancillary features and techniques.
    Type: Grant
    Filed: April 2, 2007
    Date of Patent: October 11, 2011
    Assignee: Digimarc Corporation
    Inventors: Andrew Johnson, Michael Biggar
  • Patent number: 8037541
    Abstract: A system, device and method for allowing protected content to be transferred to end user communication devices that support different digital rights management (DRM) formats or schemes than the DRM format of the content provider. The method includes providing a Limited Rights Issuer (LRI) that issues content and associated digital rights to one or more of the end user devices within a domain defined by a Domain Authority with which the LRI has registered. The Limited Rights Issuer also translates content and associated digital rights information from the DRM format of an upstream DRM system to the DRM format of a downstream DRM system, which includes the end user devices within the defined domain. The system allows select end user devices to enjoy interoperability of content protected under different DRM schemes, while allowing content providers to still maintain a suitable level of DRM protection for their content.
    Type: Grant
    Filed: April 6, 2007
    Date of Patent: October 11, 2011
    Assignee: General Instrument Corporation
    Inventors: Paul Montague, Brenton Cooper
  • Patent number: 8036377
    Abstract: The disclosure provides a hardware architecture for an encryption and decryption device. The hardware architecture can improve the encryption and decryption data rate by using parallel processing and pipeline operation. Further, the hardware architecture can save footprint by sharing hardware components. Additionally, the hardware architecture can be associated with a memory to protect the information stored at the memory.
    Type: Grant
    Filed: December 12, 2007
    Date of Patent: October 11, 2011
    Assignee: Marvell International Ltd.
    Inventors: Tze Lei Poo, Siu-Hung Fred Au, Gregory Burd, David Geddes, Heng Tang
  • Patent number: 8037540
    Abstract: There is provided a method of protecting a virtual community visitor from unauthorized social interaction comprising receiving a request from the virtual community visitor seeking access to a virtual community content, determining whether the virtual community content includes at least one social interaction opportunity, prompting the virtual community visitor to provide a visitor identity if the virtual community content includes at least one social interaction opportunity, associating the visitor identity with a socialization level, and utilizing the socialization level in one or more permission databases to regulate social interaction.
    Type: Grant
    Filed: January 17, 2008
    Date of Patent: October 11, 2011
    Assignee: Disney Enterprises, Inc.
    Inventors: Andrew Rapo, Christopher Thomes, Allan Jones, Steven Parkis, Paul Yanover
  • Patent number: 8031865
    Abstract: A multiple level security system and method for encrypting data within documents is disclosed. The method includes one or more different encryption algorithms, and can employ the one or more different encryption algorithms to achieve the multiple levels of encryption. More particularly, a first encryption algorithm is based upon multiple rearrangements of bits representing data to obtain encoded data. A second encryption algorithm is based upon performing multiple XOR operations on bits representing data so that each data word is at least encoded with previous data words. Either encryption method or a combination of both encryption methods can be repeatedly applied to portions of data within a document to selectively encrypt each data portion within the document in accordance with the authorization level associated with the data portion.
    Type: Grant
    Filed: April 3, 2007
    Date of Patent: October 4, 2011
    Assignee: Encryption Solutions, Inc.
    Inventor: Robert Allen Stedron
  • Patent number: 8032745
    Abstract: This invention enables authenticated communications (transactions) to take place on a standard I2C bus without requiring modification of existing I2C devices. Read and write transactions occurring on the bus are authenticated using an Authentication Agent and a shared secret key. In addition to allowing verification of the legitimacy of the transactions, the authentication of the I2C transactions enhances the reliability and serviceability of the bus and devices on the bus by allowing the Baseboard Management Controller (BMC) to quickly determine and pinpoint errors.
    Type: Grant
    Filed: December 20, 2005
    Date of Patent: October 4, 2011
    Assignee: International Business Machines Corporation
    Inventors: Justin Potok Bandholz, Ralph M. Begun, Andrew S. Heinzmann, Fernando A. Lopez
  • Patent number: 8028335
    Abstract: Various embodiments protect against undesirable activities, in at least some embodiments, by combining the protection of a data or message filter with the user's own knowledge and judgment. In at least some embodiments, data or a message that is suspected of being associated with an undesirable activity is identified and indicia is provided to a user that the message is suspect. The data or message is presented to the user in a protected environment that allows the user to access the data or message in full fidelity, but prevents them from interacting with the data or message in a manner which would expose them to the undesirable activity. After reviewing the data or message in the protected environment, the user can decide how the message should thereafter be treated.
    Type: Grant
    Filed: June 19, 2006
    Date of Patent: September 27, 2011
    Assignee: Microsoft Corporation
    Inventors: Ojiakonobi Udezue, Bryan T Starbuck, Daniel S Struthers, Geurt B De Raad, Anthony G Thane
  • Patent number: 8028174
    Abstract: To control update of content in a programmable read-only memory in a system, the security status associated with the system is determined, where the security status is one of a secure mode and non-secure mode. In response to detecting that the system is in secure mode, a write to the programmable read-only memory is enabled. In response to detecting that the system is in non-secure mode, a write to the programmable read-only memory is disabled.
    Type: Grant
    Filed: May 4, 2005
    Date of Patent: September 27, 2011
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Paul H. Bouchier, John R. Diamant, Gerald J. Kaufman
  • Patent number: 8028331
    Abstract: A method for authenticating an entity at a first data resource, the method comprising the steps of: sending a first request token from the entity (100) to a token distribution unit (20) to request a first one-way authentication token, the first request token being a function of authentication information provided by the entity (100); sending the first one-way authentication token from the token distribution unit (20) to the entity (100); sending the first one-way authentication token from the entity (100) to the first data resource (200) to authenticate the entity (100) at the first data resource (200); sending the first one-way authentication token from the first data resource (200) to the token distribution unit (20) to validate the first one-way token; and invalidating the first one-way token.
    Type: Grant
    Filed: October 19, 2005
    Date of Patent: September 27, 2011
    Assignee: Software AG
    Inventors: Eckehard Hermann, Dieter Hermann Kessler
  • Patent number: 8024563
    Abstract: A system for processing encrypted SSL sessions includes a web application, a secure sockets layer socket, a TCP/IP stack network layer device. The secure sockets layer socket is coupled between the web application and the TCP/IP stack network layer device. The system also includes an Ethernet device. The TCP/IP stack network layer device is coupled to the Ethernet device. The system also includes a SSL kernel, a kernel SSL interface coupled between the kernel SSL module and the TCP/IP stack network layer device and a crypto subsystem coupled to the kernel SSL module. A method for processing encrypted SSL sessions is also described.
    Type: Grant
    Filed: December 15, 2006
    Date of Patent: September 20, 2011
    Assignee: Oracle America, Inc.
    Inventors: Kais Belgaied, Aleksandr Guzovskiy, Bhargava K. Yenduri
  • Patent number: 8024565
    Abstract: Authorizing information flows between devices of a data processing system is provided. In one illustrative embodiment, an information flow request is received from a first device to authorize an information flow from the first device to a second device. The information flow request includes an identifier of the second device. Based on an identifier of the first device and the second device, security information identifying an authorization level of the first device and second device is retrieved. A sensitivity of an information object that is to be transferred in the information flow is determined and the information flow is authorized or denied based only on the sensitivity of the information object and the authorization level of the first and second devices irregardless of the particular action being performed on the information object as part of the information flow.
    Type: Grant
    Filed: May 30, 2008
    Date of Patent: September 20, 2011
    Assignee: International Business Machines Corporation
    Inventors: Diana J. Arroyo, George R. Blakley, III, Damir A. Jamsek, Sridhar R. Muppidi, Kimberly D. Simon, Ronald B. Williams
  • Patent number: 8020210
    Abstract: A system and method for assessing the risk to information resources that may include the generation and/or use of a security risk index. The security risk index may represent the security of information resources. The security risk index may be based on at least one factor. The at least one factor may be individually quantified. The at least one factor may include a threat factor associated with a rate or frequency of security events that threaten the security of the information resources, a vulnerability factor associated with a likelihood of a security event breaching the security of the information resources, an impact factor associated with an expected cost of a breach of the security of the information resources, or another type of factor. The security risk index of a subset of information resources including at least one resource may enable various comparisons and observations with respect to the security of the subset of information resources.
    Type: Grant
    Filed: June 9, 2004
    Date of Patent: September 13, 2011
    Assignee: Verizon Patent and Licensing Inc.
    Inventors: Peter S. Tippett, Samuel Migues, Paul David Robertson
  • Patent number: 8020195
    Abstract: Systems and methods for logging a user into a computing system are shown and described. The method can include receiving a request for an anonymous user login, creating an identifying tag responsive to the received request, creating a user account incorporating the identifying tag, and providing to the computing system the created user account to log into the computing system.
    Type: Grant
    Filed: March 30, 2007
    Date of Patent: September 13, 2011
    Assignee: Citrix Systems, Inc.
    Inventors: Simon Frost, David Williams
  • Patent number: 8019989
    Abstract: A method of granting a public-key certificate to a managed node in an IT network is provided. A request from the managed node to grant the certificate is received at a certification server. It is ascertained whether an initialization-to-request time interval between an initialization time of the managed node and a request time assigned to the request is within a maximum time interval for automatic certificate grant. The requested certificate is automatically granted if the initialization-to-request time interval is within the maximum time interval.
    Type: Grant
    Filed: June 6, 2003
    Date of Patent: September 13, 2011
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventor: Martin Bosler
  • Patent number: 8019079
    Abstract: Disclosed are multivariate paraunitary asymmetric cryptographic systems and methods based on paraunitary matrices. The cryptographic systems and methods are based on formulating a system of multivariate polynomial equations by paraunitary matrices. These matrices are a family of invertible polynomial matrices that can be completely parameterized and efficiently generated by primitive building blocks. Using a general formulation involving paraunitary matrices, a one-way function is designed that operates over the fields of characteristic two. Approximations made to a paraunitary matrix result in a trapdoor one-way function that is efficient to evaluate, but hard to invert without secret information about the trapdoor. An exemplary implementation operates on the finite field GF(256). In this example, the message block includes 16 to 32 symbols from GF(256), i.e., the block size is an integer between 16 and 32. The ciphertext block takes its elements from the same field and has at least 10 extra symbols.
    Type: Grant
    Filed: July 8, 2007
    Date of Patent: September 13, 2011
    Assignee: Georgia Tech Research Corporation
    Inventors: Farshid Delgosha, Faramarz Fekri
  • Patent number: 8015413
    Abstract: An efficient solution for secure implementation of indirect addressing (IA) is described. IA may be used, for example, in networks of which the routing algorithms are not capable of multicast but also contain very constrained devices that, although requiring multicast, are not capable of repeated unicast. This ID is useful in wireless networks containing low-power low-cost devices.
    Type: Grant
    Filed: June 30, 2004
    Date of Patent: September 6, 2011
    Assignee: Koninklijke Philips Electronics N.V.
    Inventor: Thomas Andreas Maria Kevenaar
  • Patent number: 8015605
    Abstract: A monitor of malicious network traffic attaches to unused addresses and monitors communications with an active responder that has constrained-state awareness to be highly scalable. In a preferred embodiment, the active responder provides a response based only on the previous statement from the malicious source, which in most cases is sufficient to promote additional communication with the malicious source, presenting a complete record of the transaction for analysis and possible signature extraction.
    Type: Grant
    Filed: August 29, 2005
    Date of Patent: September 6, 2011
    Assignee: Wisconsin Alumni Research Foundation
    Inventors: Vinod T. Yegneswaran, Paul R. Barford, David J. Plonka
  • Patent number: 8014525
    Abstract: Disclosed are a conditional access transmission system and method, and a receiving terminal and method. The transmission system transmits scrambled broadcasting signals including a network identification code (NIC) in the digital broadcasting service. A repeating system repeats the broadcasting signals transmitted by the transmission system to a subscriber station. In this instance, the NIC of the repeating system is different from that of a main broadcasting network. A receiving terminal descrambles the scrambled broadcasting signals by using the NIC and a descrambling key. According to the present invention, the charged subscriber can receive broadcasting signals or TPEG messages in the repeating network.
    Type: Grant
    Filed: October 23, 2006
    Date of Patent: September 6, 2011
    Assignee: KTFREETEL Co. Ltd.
    Inventor: Chung-Pyo Hong