Patents Examined by Shaun Gregory
  • Patent number: 8474043
    Abstract: In an intrusion detection/prevention system, network traffic is received and checked for a matching pattern. Upon identifying the matching pattern, the network traffic with the matching pattern is evaluated against rules that are represented by a rule tree. References to rule options are represented in the rule tree and are stored separately from the rule tree. The rule tree represents unique rules by unique paths from a root of the tree to the leaf nodes, and represents rule options as non-leaf nodes of the rule tree. Evaluating the network traffic includes processing, against the network traffic, the rule options in the rule tree beginning at the root. Processing of the rules represented by subtrees of nodes with rule options that do not match is eliminated. The network traffic is evaluated against rules terminating in leaf nodes only for combinations of rule options that match the network traffic.
    Type: Grant
    Filed: August 28, 2008
    Date of Patent: June 25, 2013
    Assignee: Sourcefire, Inc.
    Inventors: Steven Sturges, Marc Norton
  • Patent number: 8443203
    Abstract: A semiconductor memory system includes an external memory, an internal memory, and a one-time programmable (OTP) memory. The external memory includes a kernel, a public key, first boot information used to authenticate the public key and generate a test secret key, and a second boot loader verifying integrity of the kernel. The internal memory includes a first boot loader that verifies integrity of the second boot loader and generates the test secret key. The OTP memory includes second boot information generated using the public key and a secret key. Since the secure boot method and the semiconductor memory system using the method do not need an additional OTP memory to store a secret key unlike conventional technology, the capacity and recording time of the OTP memory can be reduced to about half compared to the conventional technology.
    Type: Grant
    Filed: June 24, 2008
    Date of Patent: May 14, 2013
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Dong-Jin Park, Hyo-Sun Hwang, Myung-Hee Kang, Won-Il Lee
  • Patent number: 8438609
    Abstract: A system, method, computer program product, and carrier are described for obtaining a resource authorization dependent upon apparent compliance with a policy of causing an emulation environment to isolate a first software object type from a second software object type; and signaling a decision whether to comply with the policy of causing the emulation environment to isolate the first software object type from the second software object type.
    Type: Grant
    Filed: June 28, 2007
    Date of Patent: May 7, 2013
    Assignee: The Invention Science Fund I, LLC
    Inventors: Alexander J. Cohen, Edward K. Y. Jung, Royce A. Levien, Robert W. Lord, Mark A. Malamud, John D. Rinaldo, Jr., Lowell L. Wood, Jr.
  • Patent number: 8411862
    Abstract: According to certain embodiments of the present invention, cryptosynchronization values are calculated on an initiating and/or responding device in a communications system such that cryptosynchronization-based procedures might succeed even when the discrepancy between the system times of the initiating and responding devices exceeds the cryptosync constraints imposed by the communications system. In one embodiment, the initiating device adds/subtracts a cryptosynchronization adjustment value x to/from the initiating device's system time to yield an adjusted initiator cryptosynchronization value. In another embodiment, the receiving device adjusts the receiving device's system time to yield an adjusted receiver cryptosynchronization value.
    Type: Grant
    Filed: January 22, 2009
    Date of Patent: April 2, 2013
    Assignee: Alcatel Lucent
    Inventor: Bulin Zhang
  • Patent number: 8402287
    Abstract: The invention relates to a cryptographic mechanism and to a cryptographic device incorporating such cryptographic mechanism. The cryptographic mechanism offers a better resistance to side channel attacks than that of known cryptographic mechanisms by incorporating a new type of masking mechanism.
    Type: Grant
    Filed: March 23, 2007
    Date of Patent: March 19, 2013
    Assignee: Gemalto SA
    Inventors: David Vigilant, Guillaume Fumaroli
  • Patent number: 8341417
    Abstract: Data storage and message processing using an encoded hash message authentication code is described. In one embodiment, a data processing apparatus comprises one or more processors; logic coupled to the one or more processors for execution and which, when executed by the one or more processors, causes receiving a data set at the one or more processors; creating and storing a hash output value by applying the data set to a collision-resistant hash operation that provides the hash output value as output; encoding the hash output value using a uniquely invertible keyed pseudo-random permutation operation based on a first shared key, to result in creating an encoded authentication code; and associating the encoded authentication code with the data set.
    Type: Grant
    Filed: December 12, 2006
    Date of Patent: December 25, 2012
    Assignee: Cisco Technology, Inc.
    Inventor: David McGrew
  • Patent number: 8335313
    Abstract: When processing a data conversion function of a MISTY structure, such as the FO function of MISTY1, the logical calculation result t3 of the exclusive OR 614 of the process result of the FI function 602 of the MISTY structure in the second stage and a logical calculation result t1 of an exclusive OR 612 of the MISTY structure in the first stage is not stored in a register. The logical calculation result t3 and the logical calculation result of respective exclusive OR 642 and 643 are subject to a direct exclusive OR with the respective exclusive OR 642 and 643.
    Type: Grant
    Filed: July 12, 2010
    Date of Patent: December 18, 2012
    Assignee: Fujitsu Limited
    Inventors: Jun Yajima, Dai Yamamoto, Kouichi Itoh
  • Patent number: 8332928
    Abstract: In one embodiment a computer system comprises a processor and a memory module coupled to the processor and comprising logic instructions stored in a computer readable medium. The logic instructions, when executed, configure the processor to initiate, in a client computing device, a service request, in response to the service request, initiate a request for a location attestation certificate, and complete the client service request when the location attestation certificate is granted.
    Type: Grant
    Filed: February 22, 2007
    Date of Patent: December 11, 2012
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Wael Ibrahim, Manuel Novoa
  • Patent number: 8331438
    Abstract: Techniques and tools for adaptive selection of picture quantization parameters (“QPs”) for predicted pictures are described. For example, a video encoder adaptively selects a delta QP for a B-picture based on spatial complexity, temporal complexity, whether differential quantization is active, whether the B-picture is available as a reference picture, or some combination or subset of these or other factors. The delta QP can then be used to adjust the picture QP for the B-picture (e.g., to reduce bit rate for the B-picture without appreciably reducing the perceived quality of a video sequence).
    Type: Grant
    Filed: June 5, 2007
    Date of Patent: December 11, 2012
    Assignee: Microsoft Corporation
    Inventors: Cheng Chang, Chih-Lung Lin
  • Patent number: 8316433
    Abstract: In a method and system for preventing IPv6 packet forgery in an Internet Protocol version 6 (IPv6)-Internet Protocol version 4 (IPv4) network of a dual stack transition mechanism (DSTM) environment, a DSTM server receives a request for assignment of an IPv4 address from a DSTM node. The DSTM server determines whether the request is reasonable using a previously stored dynamic address table, assigns the IPv4 address to the DSTM node when the request is reasonable, and updates the dynamic address table to have mapping information of the IPv4 address assigned to the DSTM node. The DSTM server then transmits the assigned IPv4 address to the DSTM node, and transmits the updated dynamic address table to a DSTM border router so as to synchronize its dynamic address table with a dynamic address table of the DSTM border router.
    Type: Grant
    Filed: February 16, 2007
    Date of Patent: November 20, 2012
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Wook Choi, Tae-Shik Shon
  • Patent number: 8295479
    Abstract: In a MISTY1 FI function, an exclusive OR to which a round key KIij2 is inputted is arranged between an exclusive OR arranged on a 9-bit critical path in a first MISTY structure and a zero-extend conversion connected to the branching point of a 7-bit right system data path. Then, a 9-bit round key KIij1 is truncate-converted to seven bits, the exclusive OR of the seven bits and the round key KIij1 is calculated by an exclusive OR and the calculation result is inputted to an exclusive OR arranged on the right system data path in the second stage MISTY structure.
    Type: Grant
    Filed: July 12, 2010
    Date of Patent: October 23, 2012
    Assignee: Fujitsu Limited
    Inventors: Dai Yamamoto, Jun Yajima, Kouichi Itoh
  • Patent number: 8296823
    Abstract: The present invention relates to a system for authentication of an end user of a user station arrangement (10) requesting access to protected information, comprising access server means (20) and authentication means (30), the user station arrangement (10) supporting communication with the authentication means (30) over a first communication channel of a radio network (40). It further supports communication with the authentication means (30) over a second communication channel. The authentication means (30) are adapted to, at reception of a request for access to protected information from a user station arrangement (10), establish if the user station arrangement (10) is reachable over the first communication channel.
    Type: Grant
    Filed: February 3, 2006
    Date of Patent: October 23, 2012
    Inventor: Ulf Schubert
  • Patent number: 8290162
    Abstract: Another feature provides an efficient encryption method that safeguards the security of encrypted symbols. Each plaintext symbol is encrypted by using a separate pseudorandomly selected translation table. Rather than pre-storing every possible permutation of symbols as translation tables, the translation tables may be efficiently generated on-the-fly based on a pseudorandom number and a symbol shuffling algorithm. A receiving device may similarly generate reverse translation tables on-the-fly to decrypt received encrypted symbols.
    Type: Grant
    Filed: December 15, 2006
    Date of Patent: October 16, 2012
    Assignee: QUALCOMM Incorporated
    Inventors: Alexander Gantman, Gregory G. Rose, Jae-Hee Choi, John W. Noerenberg, II
  • Patent number: 8266427
    Abstract: In one embodiment, a method comprises receiving by an agent a request from a network node for generation of a secure IPv6 address for use by the network node, the request including a selected subset of parameters selected by the network node and required for generation of the secure IPv6 address according to a prescribed secure address generation procedure, the selected subset including at least a public key owned by the network node; dynamically generating by the agent at least a second of the parameters required for generation of the secure IPv6 address; generating by the agent the secure IPv6 address based on the selected subset and the second of the parameters required for generation of the secure IPv6 address; and outputting, to the network node, an acknowledgment to the request and that includes the secure IPv6 address, and the parameters required for generation of the secure IPv6 address.
    Type: Grant
    Filed: June 8, 2007
    Date of Patent: September 11, 2012
    Assignee: Cisco Technology, Inc.
    Inventors: Pascal Thubert, Eric Michel Levy-Abegnoli, Alpesh S. Patel
  • Patent number: 8259790
    Abstract: In an embodiment of a method for converting an input video sequence, comprising digital images organized in frames and operating at a variable frame-rate, into an output video sequence, operating at a pre-set constant frame-rate, it is envisaged to store the input video sequence temporarily and to control fetching of images of said temporarily stored input video sequence. The method moreover envisages: controlling fetching of images from the temporarily stored input video sequence by adjusting an emptying rate to form an intermediate video sequence; and carrying out an operation of motion-compensated interpolation on the intermediate video sequence to form the output video sequence operating at a pre-set constant frame-rate, the emptying rate being adjusted as a function of a number of images of the input video sequence with variable frame-rate temporarily stored.
    Type: Grant
    Filed: April 5, 2007
    Date of Patent: September 4, 2012
    Assignee: STMicroelectronics S.r.l.
    Inventors: Daniele Alfonso, Daniele Bagni, Fabrizio Rovati
  • Patent number: 8250631
    Abstract: According to an embodiment of the invention, a system for processing a plurality of service requests in a client-server system includes a challenge server for: presenting a cryptographic challenge to the client; initializing a trust cookie that encodes a client's initial priority level after the client correctly solves the cryptographic challenge; computing a trust level score for the client based on a service request wherein said trust level score is associated with an amount of resources expended by the server in handling the service request such that a higher trust level score is computed for service requests consuming less system resources; assigning the trust level score to the client based on the computation; and embedding the assigned trust level score in the trust cookie included in all responses sent from the server to the client. The system further includes an application server coupled with a firewall.
    Type: Grant
    Filed: April 9, 2010
    Date of Patent: August 21, 2012
    Assignee: International Business Machines Corporation
    Inventors: Arun K Iyengar, Mudhakar Srivatsa, Jian Yin
  • Patent number: 8245285
    Abstract: A system and method is provided to facilitate secure communications for a server-application executing on a resource-constrained device. A request, from a client application executing on a client device to access a server application executing on the resource-constrained device is received on an application-specific secure port of a resource-constrained device. The request is authenticated using a security token stored in an application context of the server application. The authentication is performed by a transport security layer protocol executing within the application context of the server application. The security token is specific for the server application. A secure connection is established directly between the secure port and the client application upon the authentication being successful.
    Type: Grant
    Filed: September 22, 2006
    Date of Patent: August 14, 2012
    Assignee: Oracle America, Inc.
    Inventors: Tanjore S. Ravishankar, Thierry Violleau, Matthew R. Hill
  • Patent number: 8245282
    Abstract: A test to identify fraudulent users of an online group is generated. Data associated with a control group is obtained. Data associated with a fraudulent group is obtained. A test to identify fraudulent users of the online group is generated by comparing the data associated with the control group and the data associated with the fraudulent group.
    Type: Grant
    Filed: August 19, 2008
    Date of Patent: August 14, 2012
    Assignee: eHarmony, Inc.
    Inventors: J. Galen Buckwalter, Erina Lee, Robert Scott Ackerman, Ella Ruth Grutman
  • Patent number: 8238436
    Abstract: Methods and systems for receiving, processing and/or decoding digital video transmissions are disclosed. In one embodiment, a method of processing a digital video signal includes the steps of applying an initial set of video transmission parameter values to one or more digital video signal processes, decoding video transmission parameter information from the digital video signal, and updating the initial set of video transmission parameter values with the decoded video transmission parameter information. Embodiments of the present invention can advantageously demodulate and decode a digital video signal before transmission parameters embedded in the signal are completely decoded. Thus, the time to acquire and/or scan a digital video channel is improved.
    Type: Grant
    Filed: March 30, 2007
    Date of Patent: August 7, 2012
    Assignee: MediaTek Inc.
    Inventor: Shun-An Yang
  • Patent number: 8229112
    Abstract: A method for encrypting/decrypting a message includes the initial step of generating keys by the sub-steps of generating a public key; generating a decryption key; and generating a derivation key. For a first entity, the message is encrypted using the public key and a cipher. For a second entity, the cipher is decrypted to find the message. A trapdoor associated with said message is generated. The trapdoor corresponds to a derivative of the derivation key specific to the message. A test cipher is tested, using the trapdoor associated with the message, to determine if the test cipher is an encryption of the message using the public key.
    Type: Grant
    Filed: March 8, 2007
    Date of Patent: July 24, 2012
    Assignee: Gemalto SA
    Inventors: Thomas Fuhr, Pascal Paillier