Patents Examined by Norman M. Wright
  • Patent number: 7114179
    Abstract: A method and system for ordering, loading, and using admission tickets for access to access-controlled service devices, in which admission tickets are ordered from a reservation center through transmission of order data by an order channel. The order data includes the call number of a mobile communications terminal to which the ordered admission tickets are transmitted by a mobile network and are stored there in a memory module. The data exchange between this memory module and a reading device of the service device takes place over a contactless interface. Decisions about the access authorization of the user of the communications terminal are made, for example, in the reading device or in the communications terminal, taking into account the ticket information contained in the admission ticket, for example, limited to a digitally signed ticket number or with indications about the respective service device.
    Type: Grant
    Filed: April 7, 1999
    Date of Patent: September 26, 2006
    Assignee: Swisscom Mobile AG
    Inventors: Rudolf Ritter, Eric Lauper
  • Patent number: 7111322
    Abstract: A device (such as a printer or a network device that may be connected to the printer) that is connected to a network and which performs secure operations using an existing encryption keypair maintained within the device, generates a new encryption keypair within the device by receiving a request from another device on the network to provide an encryption key of the existing encryption keypair to the another device. In response to the request, the device determines whether an encryption key of the existing encryption keypair within the device is valid. In a case where it is determined that the encryption key of the existing encryption keypair is invalid, the device automatically deletes each key of the existing encryption keypair from the device, generates a new encryption keypair within the device and stores the new encryption keypair in the device. The device then provides a new encryption key corresponding to the requested encryption key of the new encryption keypair to another device.
    Type: Grant
    Filed: December 5, 2002
    Date of Patent: September 19, 2006
    Assignee: Canon Kabushiki Kaisha
    Inventors: Royce E. Slick, Joseph Yang, William Zhang
  • Patent number: 7107612
    Abstract: An improved firewall for providing network security is described. The improved firewall provides for dynamic rule generation, as well as using conventional fixed rules. This improvement is provided without significant increase in the processing time required for most packets. Additionally, the improved firewall provides for translation of IP addresses between the firewall and the internal network.
    Type: Grant
    Filed: July 19, 2004
    Date of Patent: September 12, 2006
    Assignee: Juniper Networks, Inc.
    Inventors: Ken Xie, Yan Ke, Yuming Mao
  • Patent number: 7103912
    Abstract: A user authentication information management method receives a meta-password from a user. A repository (34) lists network addresses (36) and associated handles (38), each handle having an associated encoded password. An authentication response from the user is intercepted. A modified authentication response is generated by identifying a network address to which the response is directed (208), searching for the identified network address (210) in the repository (34), identifying a handle (212) corresponding to the address based on the searching (210), decoding the password associated with the handle using the meta-password as a decoding key (214), and substituting the decoded password for the meta-password in the authentication response (216). The method also generates pseudo-random passwords (124) consistent with password rules (128). The repository (34) can reside on a client device (14), a proxy server, a local area network, or a security server having an Internet protocol (IP) address.
    Type: Grant
    Filed: June 29, 2001
    Date of Patent: September 5, 2006
    Assignee: International Business Machines Corporation
    Inventors: Chenhong Xia, William Earl Malloy
  • Patent number: 7100207
    Abstract: A method for providing a user with access to a plurality of computer resources, at least some of which utilize distinct protocols for receiving security information and for providing access to outside systems based on received security information. A request is received from the user identifying one of the plurality of computer resources. From a set of previously stored records each of which identifies one of the plurality of computer resources and contains security information for allowing access to the computer resource identified in the record, one of the records of the set is selected whose identification of one of the plurality of computer resources best matches the request's identification of one of the plurality of computer resources. The security information in the selected record is used to provide access to the computer resource identified in the request according to the distinct protocol utilized by that resource.
    Type: Grant
    Filed: June 14, 2001
    Date of Patent: August 29, 2006
    Assignee: International Business Machines Corporation
    Inventor: Scott Howard Prager
  • Patent number: 7100200
    Abstract: The invention relates to an apparatus and method for facilitating the reauthentication of a user using a client computer to a server computer. In one embodiment, the method includes the steps of receiving, by the server, confidential information during a first communication session between the server and a client, encrypting the confidential information with a key to create encrypted confidential information, and storing the encrypted confidential information in the server's memory. The method also includes the steps of transmitting, by the server, the key to the client and deleting, by the server, the key from the server's memory. When the server receives the key from the client during a second communication session, the server uses the key to decrypt the encrypted confidential information.
    Type: Grant
    Filed: June 13, 2001
    Date of Patent: August 29, 2006
    Assignee: Citrix Systems, Inc.
    Inventors: David E. Pope, Terry N. Treder, Bradley J. Pedersen
  • Patent number: 7096505
    Abstract: A technique for cryptographic strength selection for at least one application is provided, in accordance with a framework for providing cryptographic support of the at least one application. Data encryption is performed at a first cryptographic strength when the at least one application is privileged to perform encryption at a first cryptographic strength. Data encryption is performed at a second cryptographic strength when the at least one application is not privileged to perform encryption at the first cryptographic strength. The first cryptographic strength is stronger than the second cryptographic strength.
    Type: Grant
    Filed: February 27, 2004
    Date of Patent: August 22, 2006
    Assignee: International Business Machines Corporation
    Inventors: Narayanan Vasudevan, Sohail Malik
  • Patent number: 7093294
    Abstract: A system and method for detecting a drone implanted by a vandal in a network connected host device such as a computer, and controlling the output of the drone. The system includes an inbound intrusion detection system (IDS), an outbound IDS, a blocker such as a firewall, an inbound trace log for storing a trace of inbound traffic to the protected device, an outbound trace log for storing a trace of outbound traffic from the protected device, and a correlator. When the outbound IDS detects outbound distributed denial of service (DDoS) traffic, the outbound IDS instructs the blocker to block the outbound DDoS traffic. The correlator then recalls the outbound trace log and the inbound trace log, correlates the logs, and deduces the source ID of a message responsible for triggering the drone. The correlator then instructs the blocker to block incoming messages that bear the source ID.
    Type: Grant
    Filed: October 31, 2001
    Date of Patent: August 15, 2006
    Assignee: International Business Machines Corporation
    Inventors: Charles Steven Lingafelt, Nigel Birkbeck Yell
  • Patent number: 7086085
    Abstract: A level of trust is determined based on a combination of scores for one or more successful authentications. Scores indicate relative degrees of reliability for authentications, so that differing authentication methods may correspond to different scores. The determined level of trust can then be used to allow or deny access to a resource, and can be used to specify the type of access that is allowed, if applicable.
    Type: Grant
    Filed: June 20, 2001
    Date of Patent: August 1, 2006
    Inventors: Bruce E Brown, Aaron M Brown, Bruce-Eric Brown, II
  • Patent number: 7073197
    Abstract: System, methods and apparatus are applicable to enable owners and vendors of software to protect their intellectual property and other rights in that software. The system also enables vendors or distributors of software to charge per-use for an instance of software. The system produces a unique, unforgeable, tag for every vendor supplied instance (copy) of specific software. Each user device is equipped with a supervising program that ensures, by use of the tag and other information, that no software instance will be used on the device in a manner infringing on the vendor, distributor, or software owner's rights. When installing or using a vendor-supplied software instance, the supervising program verifies the associated tag and stores the tag. When installing or using untagged software, the supervising program fingerprints selected portions of the software and stores the fingerprints. Software is used on a user's device through the supervising program which ensures proper use of the software.
    Type: Grant
    Filed: December 16, 2003
    Date of Patent: July 4, 2006
    Assignee: ShieldIP, Inc.
    Inventors: Michael O. Rabin, Dennis E. Shasha
  • Patent number: 7073200
    Abstract: Providing secure content-based user experience enhancement in a player device for rendering digital content includes accepting encrypted digital content, decrypting the encrypted digital content into decrypted digital content, downsampling the decrypted digital content into downsampled digital content; and processing the downsampled digital content by an enhancement module to provide the user experience enhancement. The system protects content being rendered by a player application even when the content is also sent to an enhancement module such as a plug-in. The original content is protected by only transferring a version of the content to the enhancement module that is downsampled. That is, the original high fidelity, high value content is never transferred to the untrusted enhancement module.
    Type: Grant
    Filed: January 24, 2001
    Date of Patent: July 4, 2006
    Assignee: Intel Corporation
    Inventor: Richard L. Maliszewski
  • Patent number: 7069442
    Abstract: A method and apparatus for initiating secure operations in a microprocessor system is described. In one embodiment, one initiating logical processor initiates the process by halting the execution of the other logical processors, and then loading initialization and secure virtual machine monitor software into memory. The initiating processor then loads the initialization software into secure memory for authentication and execution. The initialization software then authenticates and registers the secure virtual machine monitor software prior to secure system operations.
    Type: Grant
    Filed: March 29, 2002
    Date of Patent: June 27, 2006
    Assignee: Intel Corporation
    Inventors: James A. Sutton, II, David W. Grawrock
  • Patent number: 7069591
    Abstract: A system for encrypting data files of application programs is provided. The system includes a security file for encrypting and decrypting data files and for launching software applications. The invention further operates automatically without user intervention and as an addition to existing applications, whereby said applications need not be modified. The invention further decrypts data files only in the computer's memory and is capable of backing up data files to a remote location and tracking changes made to files.
    Type: Grant
    Filed: March 22, 2000
    Date of Patent: June 27, 2006
    Inventor: Neil Weicher
  • Patent number: 7058979
    Abstract: A process for watermarking images that includes embedding into the images before their transmission a message by modifying the data characteristic of the images. Further, a co-watermarking is performed by periodic embedding of a binary matrix into the image to determine on reception the co-ordinates of the origin of the initial image and allow the registration of the images received relative to this origin so as to make it possible to read the embedded message. Such a process may find particular application to the transmission of stationary or video images.
    Type: Grant
    Filed: April 7, 2000
    Date of Patent: June 6, 2006
    Assignee: Thales
    Inventors: Séverine Baudry, Didier Nicholson, Catherine Simon, Philippe N'Guyen
  • Patent number: 7058798
    Abstract: The basic concept is that before a resource is accessed, the entity that has the burden of gathering the credentials, pro-actively refreshes the credentials and keeps them current. In one instance, a presenter of credentials, for example, a client, pro-actively refreshes the credentials such that at the time of presentation, the credentials meet the resource-specific constraints of a recipient of credentials, for example, a resource server. For each resource that it protects, a resource server typically establishes various constraints such as a recency requirement, which specifies how recently a credential has to have been issued to be accepted as an adequate credential. Other constraints may include maximum certificate chain length, trust level and so forth. In another instance, a recipient of credentials pro-actively gathers and refreshes credentials to prevent un-authorized access to the various resources it is protecting.
    Type: Grant
    Filed: April 11, 2000
    Date of Patent: June 6, 2006
    Assignee: Sun Microsystems, Inc.
    Inventors: Yassir K. Elley, Anne H. Anderson, Stephen R. Hanna, Sean J. Mullan, Radia Joy Perlman
  • Patent number: 7055041
    Abstract: A method for selectively controlling the operation of a device for authenticating a user. The user may have a multifunction smart card that is capable of downloading and executing programs, based upon personal and authentication account data, which is selectably stored on the smart card.
    Type: Grant
    Filed: September 21, 2000
    Date of Patent: May 30, 2006
    Assignee: International Business Machines Corporation
    Inventors: Uwe Hansmann, Lothar Merk, Thomas Stober
  • Patent number: 7051202
    Abstract: An encryption evaluation support system includes an evaluation executing unit and a point storing unit. The evaluation executing unit receives a figure representation of an encryption algorithm. The figure representation includes a plurality of unit figures. The point storing unit stores points allocated to the plurality of unit figures respectively. The evaluation executing unit gives the points to the plurality of unit figures of the figure representation, respectively, to output the points given to the plurality of unit figures of the figure representation.
    Type: Grant
    Filed: January 23, 2001
    Date of Patent: May 23, 2006
    Assignee: NEC Corporation
    Inventor: Yukiyasu Tsunoo
  • Patent number: 7043637
    Abstract: A file format for a serverless distributed file system is composed of two parts: a primary data stream and a metadata stream. The data stream contains a file that is divided into multiple blocks. Each block is encrypted using a hash of the block as the encryption key. The metadata stream contains a header, a structure for indexing the encrypted blocks in the primary data stream, and some user information. The indexing structure defines leaf nodes for each of the blocks. Each leaf node consists of an access value used for decryption of the associated block and a verification value used to verify the encrypted block independently of other blocks. In one implementation, the access value is formed by hashing the file block and encrypting the resultant hash value using a randomly generated key. The key is then encrypted using the user's key as the encryption key. The verification value is formed by hashing the associated encrypted block using a one-way hash function.
    Type: Grant
    Filed: March 21, 2001
    Date of Patent: May 9, 2006
    Assignee: Microsoft Corporation
    Inventors: William J. Bolosky, Gerald Cermak, Atul Adya, John R. Douceur
  • Patent number: 7043758
    Abstract: Scanning for computer viruses or E-mail and data content filtering is performed using a distributed programming approach. A master computer 4 serves to divide the scanning operation into a plurality of tasks that are allocated to further computers 8, 10, 12, 14, 20. These further computers then separately perform the tasks and return the results to the master computer 4. The master computer 4 can check the update status of the further computers prior to them starting operation in order to check that they have the latest data defining the scanning to be performed.
    Type: Grant
    Filed: June 15, 2001
    Date of Patent: May 9, 2006
    Assignee: McAfee, Inc.
    Inventor: Robert Grupe
  • Patent number: 7043751
    Abstract: A method and a subscriber station for allocating rights of access to a telecommunications channel of the telecommunications network to at least one subscriber station (5, 10, 15, 20) are proposed in which information signals are transmitted to the at least one subscriber station (5, 10, 15, 20). With the information signals, access authorization data (45, 50, 55) are transmitted to the at least one subscriber station (5, 10, 15, 20). Upon reception of the access authorization data (45, 50, 55) in an evaluation unit (6) of the at least one subscriber station (5, 10, 15, 20), the question is asked whether the access authorization data (45, 50, 55) include an access threshold value (S), and the access threshold value (S) is compared with a random number or a pseudo-random number (R), and the right of access to a telecommunications channel of the at least one subscriber station (5, 10, 15, 20) is granted as a function of the outcome of comparison.
    Type: Grant
    Filed: February 15, 2000
    Date of Patent: May 9, 2006
    Assignee: Robert Bosch GmbH
    Inventors: Ralf Fischer, Martin Hans, Frank Kowalewski, Josef Laumen, Gunnar Schmidt, Detlef Lechner