Patents Examined by T. B. Truong
  • Patent number: 7328337
    Abstract: A method and apparatus is provided that allows code signed by a master key to grant trust to an arbitrary second key, and also allows code, referred to as an antidote and also signed by the master key, to revoke permanently the trust given to the second key.
    Type: Grant
    Filed: May 25, 2001
    Date of Patent: February 5, 2008
    Assignee: America Online, Incorporated
    Inventor: James A. Roskind
  • Patent number: 7327845
    Abstract: An apparatus and method is disclosed for establishing a one-time cryptographic pad between a communicating pair, a communicating pair comprising a pair of transmitter-receivers, each of the pair having a plurality of cryptographic devices in common. The communicating pair also store previously exchanged messages and transmissions, a transmission comprising secure data exchanged by the pair that is independent of message content. The first transmitter-receiver randomly selects a cryptographic device and a previous transmission or message that has been sent to the second transmitter-receiver. The first transmitter-receiver also randomly selects a reference to a message or transmission previously sent by the second transmitter-receiver. The first transmitter-receiver encrypts the previously sent transmission or message and the reference to the message or transmission previously sent by the second transmitter-receiver and sends to the second transmitter-receiver.
    Type: Grant
    Filed: November 18, 2003
    Date of Patent: February 5, 2008
    Assignee: Xtendwave, Inc.
    Inventor: David E. Orr
  • Patent number: 7325140
    Abstract: A computer network management system for remotely managing a network device. The system includes a secure management access controller which is in direct communication with the network device. The secure management access controller provides access for remotely and securely managing a network. The secure management access controller further separates management communications from user communications to ensure the security of the management communications. The system further includes network and power monitoring and notification systems. The system further provides authentication and authorization capabilities for security purposes.
    Type: Grant
    Filed: October 20, 2004
    Date of Patent: January 29, 2008
    Assignee: Engedi Technologies, Inc.
    Inventor: Jeffrey Alan Carley
  • Patent number: 7319751
    Abstract: A method of encrypting a data unit, the method comprising the steps of dividing the data unit into a series of data blocks, and for each data block, applying a block cipher function to a data block counter value to generate an encrypted block counter value, performing a logical operation to combine the encrypted block counter with the data block, and applying a block cipher function to the combined data.
    Type: Grant
    Filed: October 11, 2002
    Date of Patent: January 15, 2008
    Assignee: F-Secure Oyj
    Inventor: Alexey Kirichenko
  • Patent number: 7317795
    Abstract: An apparatus is equipped with a deciphering round key generator to successively generate in real time at least a first and a second deciphering round key based on a deciphering key, and a deciphering unit coupled to the deciphering round key generator to successively employ the real time successively generated deciphering round keys to incrementally decipher a ciphered text. The deciphering round key generator at least generates the second deciphering round key in real time while the deciphering unit deciphers the ciphered text employing the real time generated first deciphering round key. As a result, deciphering round keys may be generated in a much more efficient manner on an as needed basis.
    Type: Grant
    Filed: April 17, 2001
    Date of Patent: January 8, 2008
    Inventors: Alfred C. She, James L. Gimlett
  • Patent number: 7318159
    Abstract: The invention relates to a mobile system and especially to detecting, in the mobile system in question, the use of terminal equipment having a copied mobile equipment identity. In the invention, a database containing records is created, each record containing an international mobile equipment identity associated with a mobile station and an international mobile subscriber identity, a check is made to see whether the database contains a record which contains a mobile equipment identity corresponding to the mobile equipment identity transmitted by the mobile station, but whose mobile subscriber identity does not correspond to that transmitted by the mobile station, and if yes, at least a signal is produced, indicating that the mobile equipment identity is possibly a copied one.
    Type: Grant
    Filed: December 14, 2001
    Date of Patent: January 8, 2008
    Assignee: Nokia Siemens Networks Oy
    Inventor: Mika Salmivalli
  • Patent number: 7313702
    Abstract: A management server receives first user identification information and designation information for designating a service which are sent from a user terminal; detects specific information corresponding to a service provider which provides the desired service from a database containing specific information uniquely assigned to each service provider; generates second user identification information based on the detected specific information and the first user identification information; and then transmits the second user identification information to the user terminal. Using the second user identification information, the user terminal accesses the server of the service provider providing the desired service. This prevents important information such as device IDs from being used when a user receives a service through a network from a service provider other than device manufacturers, and relieves the burden on such service provider upon providing a service.
    Type: Grant
    Filed: September 13, 2002
    Date of Patent: December 25, 2007
    Assignee: Sony Computer Entertainment Inc.
    Inventors: Muneki Shimada, Toyoshi Okada, Kenjiro Komaki, Yosuke Kimoto, Kazuhiro Kanee
  • Patent number: 7313692
    Abstract: The present invention provides systems and methods for making efficient trust management decisions. A trust management engine is provided that processes requests for system resources, authorizations or certificates, and the identity of one or more root authorities that are ultimately responsible for granting or denying the requests. To determine whether a request should be granted, the trust management engine identifies a set of principals from whom authorization may flow, and interprets each of the certificates as a function of the state of one or more of the principals. The processing logic iteratively evaluates the functions represented by the certificates, updates the states of the principals, and repeats this process until a reliable determination can be made as to whether the request should be granted or denied.
    Type: Grant
    Filed: May 21, 2001
    Date of Patent: December 25, 2007
    Assignee: Intertrust Technologies Corp.
    Inventors: Stephen P. Weeks, Xavier Serret-Avila
  • Patent number: 7308707
    Abstract: A method of communication is such that a first party (30) communicates a composite credential (54) across a distributed electronic network (44) to a second party (32). The composite credential (54) includes a plurality of credentials (46-52).
    Type: Grant
    Filed: December 21, 2001
    Date of Patent: December 11, 2007
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Keith Alexander Harrison, Brian Quentin Monahan, Marco Casassa Mont, Richard Brown
  • Patent number: 7305548
    Abstract: A client sends a request to an authentication server requesting access to a service at an application server. The authentication server returns a token containing an encrypted version of a session key that was encrypted using a secret shared between the authentication server and the application server. The client encrypts application data using a corresponding unencrypted version of the session key and text-encodes both the encrypted application data and the encrypted version of the session key. The text-encoded application and text-encoded encrypted version of the session key are both included in a message and sent to the application server. The application server decrypts the encrypted version of the session key using the shared secret so as to reveal the unencrypted version of the session key. The application server then decrypts the encrypted application data using the revealed unencrypted version of the session key.
    Type: Grant
    Filed: October 22, 2002
    Date of Patent: December 4, 2007
    Assignee: Microsoft Corporation
    Inventors: Shaun D. Pierce, Mark H. Lucovsky, Shaun D. Cox, Richard B. Ward, Paul J. Leach
  • Patent number: 7299354
    Abstract: A method for authenticating clients and boot server hosts to provide a secure network boot environment. Messages are exchanged between a client and a boot server or authentication server proxy for the boot server during pre-boot operations of the client to authenticate the boot server and the client. In one embodiment, authentication is performed by comparing shared secrets stored on each of the client and the boot server or authentication proxy. The shared secret comprises authentication credentials that may be provisioned by an administrator, user, or by the client itself via a trusted platform module. Authentication provisioning schemes include an Extensible Authentication Protocol (EAP) exchange. In one embodiment, authentication is performed during the pre-boot via an authenticated Dynamic Host Configuration Protocol (DHCP) process.
    Type: Grant
    Filed: September 30, 2003
    Date of Patent: November 20, 2007
    Assignee: Intel Corporation
    Inventors: Rahul Khanna, Vincent J. Zimmer
  • Patent number: 7293174
    Abstract: The present invention discloses a software method for creating a multilevel customer database that provides consumer data privacy via a smart card or other personal storage device. The method allows the merchant or business to access specific information that the consumer is willing to share. Each individual consumer maintains control of information that he or she considers to be personal, private, and only divulges the level or type of data that he or she feels is appropriate.
    Type: Grant
    Filed: May 8, 2000
    Date of Patent: November 6, 2007
    Assignee: NCR Corporation
    Inventors: Don Charles Finfrock, Lynn Lester Kerchner
  • Patent number: 7287169
    Abstract: An electronic timer may include a clock reference signal generator and a real time clock (RTC) circuit for generating real time data based upon the clock reference signal. The RTC circuit may include a plurality of registers each for storing a respective bit of the real time data. Further, each register may include a master latch for initially storing the real time data bit, a slave latch for subsequently storing the real time data bit, and a user latch for storing the real time data bit from the slave latch. The RTC circuit may further include a controller for causing at least some of the registers to increment based upon the clock reference signal. Additionally, the electronic timer may also advantageously include a tamper circuit for receiving a tamper event signal and causing each of the user latches to hold a time stamp therein.
    Type: Grant
    Filed: October 10, 2002
    Date of Patent: October 23, 2007
    Assignee: STMicroelectronics, Inc.
    Inventor: Tom Youssef
  • Patent number: 7287163
    Abstract: A digital watermark embedding apparatus divides data to be watermarked into a plurality of data areas on the basis of data characteristics, in time series, or on the basis of user selection and performs digital watermark embedding in which different algorithms are applied to the separate data areas. Unlike schemes that embed digital watermarks using an algorithm that is uniform with all data areas, a digital watermark can be embedded in accordance with each data area of an image. When the algorithm is selected in accordance with user input, the embedding algorithm can be selected in accordance with the characteristics of the human vision or auditory sense. Image/audio quality control and detection performance improvement are thus made possible, and deterioration in data quality can be prevented.
    Type: Grant
    Filed: October 24, 2002
    Date of Patent: October 23, 2007
    Assignee: Sony Corporation
    Inventor: Akira Ogino
  • Patent number: 7287279
    Abstract: A system and method for managing malware is described. One embodiment is designed to receive an initial URL associated with a Web site; download content from that Web site; identify any obfuscation techniques used to hide malware or pointers to malware; interpret those obfuscation techniques; identify a new URL as a result of interpreting the obfuscation techniques; and add the new URL to a URL database.
    Type: Grant
    Filed: October 1, 2004
    Date of Patent: October 23, 2007
    Assignee: Webroot Software, Inc.
    Inventors: Justin R. Bertman, Bryan M. Liston, Matthew L. Boney
  • Patent number: 7287271
    Abstract: A global server includes a communications engine for establishing a communications link with a client; security means coupled to the communications engine for determining client privileges; a servlet host engine coupled to the security means for providing to the client, based on the client privileges, an applet which enables I/O with a secured service; and a keysafe for storing a key which enables access to the secured service. The global server may be coupled to multiple sites, wherein each site provides multiple services. Each site may be protected by a firewall. Accordingly, the global server stores the keys for enabling communication via the firewalls with the services.
    Type: Grant
    Filed: April 8, 1997
    Date of Patent: October 23, 2007
    Assignee: Visto Corporation
    Inventor: Mark D. Riggins
  • Patent number: 7277549
    Abstract: A key server (320) based communication system (310) wherewith communicating parties, originators (312) and recipients (314), exchange encrypted communications (324). An originator requests or provides a key (330) to the key server, optionally with an assertion (322) from an authentication authority (318). Based on attributes (326) from the originator or elsewhere, the key server sets controlling events (340) for the communication. The originator encrypts and sends the communication to one or more recipients. A recipient may or may not request the key to decrypt the message. Positive events (342) are determined based on the controlling events and when and how many such requests occur. Negative events (344) are determined based on the absence of any requests or all requests being untimely.
    Type: Grant
    Filed: November 25, 2003
    Date of Patent: October 2, 2007
    Assignee: Secure Data In Motion, Inc.
    Inventors: Terry M. Olkin, Jahanshah Moreh
  • Patent number: 7272229
    Abstract: In a system composed of a recording apparatus that records digitized content such as a movie, or a reproduction apparatus that reproduces the digitized content, and a recording medium, a media key for use in recording or reproduction is encrypted by a plurality of device keys and recorded on the recording medium. Here, the recording apparatus or the reproduction apparatus specifies the encrypted media key that it is to decrypt, from amongst the plurality of encrypted media keys. A key management apparatus records node revocation patterns assigned to nodes in a tree structure to the recording medium in a particular order, as header information of key information, together with the encrypted media keys. The recording apparatus or the reproduction apparatus specifies the encrypted media key to be decrypted, by analyzing the node revocation patterns sequentially.
    Type: Grant
    Filed: October 23, 2002
    Date of Patent: September 18, 2007
    Assignee: Matsushita Electric Industrial Co., Ltd.
    Inventors: Toshihisa Nakano, Natsume Matsuzaki, Makoto Tatebayashi
  • Patent number: 7270193
    Abstract: A scheme for distributing executable programs through a network from a program distribution device to a client device having a tamper resistant processor which is provided with a unique secret key and a unique public key corresponding to the unique secret key in advance is disclosed. In this scheme, a first communication path is set up between the program distribution device and the client device, and a second communication path directly connecting the program distribution device and the tamper resistant processor is set up on the first communication path. Then, the encrypted program is transmitted from the program distribution device to the tamper resistant processor through the second communication path.
    Type: Grant
    Filed: February 13, 2001
    Date of Patent: September 18, 2007
    Assignee: Kabushiki Kaisha Toshiba
    Inventors: Mikio Hashimoto, Kensaku Fujimoto, Kenji Shirakawa, Keiichi Teramoto, Takeshi Saito
  • Patent number: 7272848
    Abstract: An automated, policy-based system and method provides information security at various levels in the network, including at the baseline inventory, device, network frame, and command level. This approach improves over the conventional distributed security model by centralizing security in one multi-level management structure. Embodiments of the present invention may also provide a scheme for mapping vendor-unique opcodes to access rights.
    Type: Grant
    Filed: February 13, 2002
    Date of Patent: September 18, 2007
    Assignee: Network Appliance, Inc.
    Inventors: Richard Meyer, Kumar Gajjar, Rahim Ibrahim, Nghiep Tran, Chandra Prasad