Patents Examined by William R. Korzuch
  • Patent number: 7877598
    Abstract: A method for transmitting encrypted user data objects to a first telecommunications terminal includes the following steps: first, in a switching component of a telecommunications network, an encrypted user data object that is to be transmitted to the first telecommunications terminal is provided with a reference for acquiring the description of characteristics of the encrypted user data object; the switching component then determines a profile relating to the capacity of the first telecommunications terminal for processing a user data object; in addition, the switching component transmits a request, together with the profile that has been determined for the first telecommunications terminal, to a data provision component (in particular of the provider of the user data objects), in accordance with an address that is contained in the reference, in order to verify whether the user data object that is to be transmitted can be processed by the first telecommunications terminal; the data provision component then co
    Type: Grant
    Filed: September 2, 2004
    Date of Patent: January 25, 2011
    Assignee: Siemens Aktiengesellschaft
    Inventors: Andreas Schmidt, Markus Trauberg
  • Patent number: 7874010
    Abstract: One embodiment of the present invention provides a system that manages secret keys for messages. During operation, the system receives a desired expiration time T from an encrypter, and possibly a nonce N, at a server that manages keys. If N is not sent by the encrypter, it is generated by a key managing server. Next, the system chooses a secret ST, with an expiration time close to T, and an identifier IDS from a database for which secret ST can be retrieved using the identifier IDS. If such an ST is not already in the database, the server generates a new ST and IDS. The system then calculates a hash H=h(N,ST), and sends H and IDS from the server to the encrypter. The encrypter then encrypts M with H to form {M}H, and communicates ({M}H, N, IDS) to a message reader. The message reader then sends N and IDS to the server. The server then uses IDS to lookup ST, recalculates H=h(N,ST), and sends H to the message reader, thereby enabling the message reader to decrypt {M}H to obtain M.
    Type: Grant
    Filed: October 5, 2004
    Date of Patent: January 18, 2011
    Assignee: Oracle America, Inc.
    Inventor: Radia J. Perlman
  • Patent number: 7873825
    Abstract: A method of using the Host Identity Protocol (HIP) to at least partially secure communications between a first host operating in a first network environment and a second, HIP-enabled, host operating in a second network environment, with a gateway node forming a gateway between the two environments. An identifier is associated with the first host, stored at the gateway node, and sent to the first host. The identifier is then used as a source address in a subsequent session initiation message sent from the first host to the gateway node, having an indication that the destination of the message is the second host. The stored identifier at the gateway node is then used to negotiate a secure HIP connection to the second host. The first network environment may be a UMTS or GPRS environment, in which case the gateway node may be a Gateway GPRS Support Node (GGSN).
    Type: Grant
    Filed: April 15, 2004
    Date of Patent: January 18, 2011
    Assignee: Telefonaktiebolaget L M Ericsson (Publ)
    Inventors: Petri Jokela, Pekka Nikander, Patrik Mikael Salmela, Jari Arkko, Jukka Ylitalo
  • Patent number: 7873046
    Abstract: Detecting anomalous network activity through transformation of a terrain is disclosed. A set of network properties is mapped into a multidimensional terrain. The terrain is transformed into an observation domain in which data events of interest are amplified relative to other data comprising the terrain. The transformed terrain is evaluated for anomalous network activity.
    Type: Grant
    Filed: February 24, 2005
    Date of Patent: January 18, 2011
    Assignee: Symantec Corporation
    Inventor: Vijay A. Seshadri
  • Patent number: 7869599
    Abstract: A quantum cryptography key distributing system includes an optical fiber, a transmission unit and a reception unit. The transmission unit is connected with the optical fiber, generates a transmission optical pulse signal from an optical pulse signal based on a first data in synchronism with an optical clock signal and transmits the transmission optical pulse signal to the reception unit via the optical fiber. Polarization of the transmission optical pulse signal is different from that of the optical pulse signal. The reception unit is connected with the optical fiber, transmits the optical pulse signal to the transmission unit via the optical fiber, phase-modulates a part of the transmission optical pulse signal based on a second data in synchronism with the optical clock signal, and detects a reception data corresponding to the first data based on the transmission optical pulse signal in synchronism with the optical clock signal.
    Type: Grant
    Filed: October 12, 2004
    Date of Patent: January 11, 2011
    Assignee: NEC Corporation
    Inventor: Akio Tajima
  • Patent number: 7870260
    Abstract: A system for, and method of, generating a plurality of proxy identities to a given originator identity as a means of providing controlled access to the originator identity in electronic communications media such as e-mail and instant messaging.
    Type: Grant
    Filed: August 11, 2003
    Date of Patent: January 11, 2011
    Assignee: Reflexion Networks, Inc.
    Inventors: Joseph E. McIsaac, Marcus Dahllof, Bruce L. Tatarsky, Richard K. Vallett
  • Patent number: 7865726
    Abstract: A method, system, apparatus, or computer program product is presented for securing computational resources in a data processing system. A first user uses a first computational device, and a user security level is associated with the first user. Likewise, a second user uses a second computational device, and a user security level is associated with the second user. The computational resources on the first computational device are automatically reconfigured based on the second user security level of the second user. A computational security level may be assigned to a computational resource on the first computational device, and the computational security level is dynamically adjusted in response to detected network activity by the second computational device that is being used by the second user. Modified security-related parameters for reconfiguring computational resources on the first computational device are reconfigured based on the adjusted computational security level.
    Type: Grant
    Filed: June 3, 2008
    Date of Patent: January 4, 2011
    Assignee: International Business Machines Corporation
    Inventors: Carole R. Corley, Janani Janakiraman, Lorin E. Ullman
  • Patent number: 7864957
    Abstract: Methods and apparatus in accordance with the present invention are operable to carry out certain functions including: receiving an encrypted program at a processing apparatus; transmitting a machine ID over a network to an administrator; receiving registration data over the network from the administrator in response to the machine ID; transmitting the registration data over the network to a distributor; receiving an encrypted decryption key and an encrypted virtual ID at the processing apparatus over the network from the distributor in response to the registration data; decrypting the encrypted decryption key using the virtual ID, and decrypting the encrypted program using the decryption key; re-encrypting the program using the virtual ID; and storing the encrypted virtual ID and the re-encrypted program in a first storage device.
    Type: Grant
    Filed: December 11, 2002
    Date of Patent: January 4, 2011
    Assignee: Sony Computer Entertainment Inc.
    Inventors: Muneki Shimada, Toyoshi Okada, Yousuke Kimoto, Kazuhiro Kanee, Kenjiro Komaki
  • Patent number: 7861288
    Abstract: An address allocated to a user by an authentication server is used as an IP address of a packet which is transmitted from a user terminal, preventing an illicit use if the IP address were eavesdropped. An authentication server 100 performs an authentication of a user based on a user authentication information which is transmitted from the user terminal, and upon a successful authentication, allocates an address to the user terminal, and issues a ticket containing the address to be returned to the user terminal. The user terminal sets up the address contained in the ticket as a source address, and transmits the ticket to the application server 300, requesting a session to be established. After verifying that the ticket is authentic, the server 300 stores the ticket and establishes a session with the user terminal. The user terminal transmits a service request packet containing the source address to the server 300 utilizing the session.
    Type: Grant
    Filed: July 12, 2004
    Date of Patent: December 28, 2010
    Assignee: Nippon Telegraph and Telephone Corporation
    Inventors: Yukio Tsuruoka, Yoshinao Kikuchi, Shintaro Mizuno, Kenji Takahashi, Kei Karasawa
  • Patent number: 7861305
    Abstract: A method for malware detection, wherein the method includes: utilizing a hardware based program flow monitor (PFM) for embedded software that employs a static analysis of program code; marrying the program code to addresses, while considering which central processing unit (CPU) is executing the program code; capturing an expected control flow of the program code, and storing the control flow as physical address pairs of leaders and followers (LEAD-FOLL pair) in a Metadata Store (MDS) within the PFM; monitoring control flow at runtime by the PFM; and comparing runtime control flow with the expected control flow.
    Type: Grant
    Filed: February 7, 2007
    Date of Patent: December 28, 2010
    Assignee: International Business Machines Corporation
    Inventors: Suzanne McIntosh, Daniel Brand, Matthew Kaplan, Paul A. Karger, Michael G. McIntosh, Elaine R. Palmer, Amitkumar M. Paradkar, David Toll, Samuel M. Weber
  • Patent number: 7860239
    Abstract: A method and a corresponding apparatus for metering usage of software products on a computer are proposed. The solution of the invention is based on the idea of associating each product with an installation signature (indicative of the installation of the product on the computer) and with a running signature (indicative of the running of the product on the computer). The products that are installed on the computer are asynchronously determined according to their installation signatures; in this way, any ambiguities (for example, caused by different versions and/or configurations of a product sharing the same executable modules) can be resolved in advance. Therefore, when at run-time the invocation of an executable module is detected it is possible to use only the running signatures to identify the corresponding product uniquely (without the need of additional information about the executable module, such as its size).
    Type: Grant
    Filed: June 28, 2005
    Date of Patent: December 28, 2010
    Assignee: International Business Machines Corporation
    Inventors: Fabio Cerri, Bernardo Pastorelli, Giancarlo Carbone, Francesco Censi, Calogero Bufalino Marinella
  • Patent number: 7856559
    Abstract: A module type node apparatus for packet communication of this invention includes an extension module for executing predetermined processing and a node apparatus main body for forwarding packet data to the extension module, the extension module including a memory for storing connectivity authentication data, and a module controller for transmitting the connectivity authentication data stored in the memory to the node apparatus main body for packet communication when the connectivity authentication data is requested from the node apparatus main body for packet communication, the node apparatus main body for packet communication being characterized by further including a connectivity authentication unit for authenticating permission of connection of the extension module based on the connectivity authentication data received from the extension module, and a connection controller for receiving the packet data from the extension module when the connectivity authentication unit permits the connection.
    Type: Grant
    Filed: October 13, 2005
    Date of Patent: December 21, 2010
    Assignee: Hitachi, Ltd.
    Inventors: Toshiaki Suzuki, Hideki Okita, Kunihiko Toumura
  • Patent number: 7856655
    Abstract: A system is provided for establishing a secure link among multiple users on a single machine with a remote machine. The system includes a subsystem to filter traffic so that traffic from each user is separate. The subsystem generates and associates a Security Association (SA) with at least one filter corresponding to the user and the traffic, and employs the SA to establish the secure link. An Internet Key Exchange module and a policy module may be included to generate and associate the security association, wherein the policy module is configured via Internet Protocol Security (IPSEC).
    Type: Grant
    Filed: June 30, 2004
    Date of Patent: December 21, 2010
    Assignee: Microsoft Corporation
    Inventors: Brian D. Swander, Bernard D. Aboba
  • Patent number: 7853011
    Abstract: A transmitter classifies quantum pulses into supervisory pulses and message pulses, and assigns each message pulse to a message bit. Each message pulse is then encoded using a coding base randomly selected from a set of coding bases, and with a polarity relative to the coding base that depends on the value of the corresponding message bit. Supervisory pulses are encoded using a coding base different from the coding bases in the aforementioned set. The encoded pulses are sent to a recipient over a quantum channel. The transmitter also informs the recipient of the positions of the supervisory pulses. The recipient detects the pulses relative to a locally selected coding base, producing a zero-click, a one-click or a two-click.
    Type: Grant
    Filed: September 27, 2005
    Date of Patent: December 14, 2010
    Assignee: Ciena Corporation
    Inventors: Randy Kuang, Guo Qiang Wang
  • Patent number: 7848518
    Abstract: A method for generating a root key is described. Stable bits of a plurality of comparator outputs are identified. The root key is selected from a number of the identified stable bits. A statistically unique value is calculated from the root key using a cryptographically secure function. An identifier of the identified stable bits and the statistically unique value are stored in a memory.
    Type: Grant
    Filed: June 29, 2004
    Date of Patent: December 7, 2010
    Assignee: Seagate Technology LLC
    Inventor: Laszlo Hars
  • Patent number: 7848521
    Abstract: A method for transmission and storing of scrambled content in which the scrambled content is transmitted together with encrypted control words, the control words being used for descrambling the scrambled content, transmitting to a receiver/decoder the scrambled content and encrypted control words, said control words being encrypted by an exploitation key (KG), decrypting said encrypted control words in a removable security module with an exploitation key (KG), said removable security module being received by the receiver/decoder, characterised in that it further includes transmitting usage rules message (URM) to the receiver/decoder (2000), which usage rules (URM) impose usage constraints on the playback of the content stored on a mass storage device encrypting the decrypted encrypted control words and usage rules messages by a local key (KL) to produce encrypted control management messages (CMM) storing said scrambled content and encrypted control management message on the mass storage device of the receiver
    Type: Grant
    Filed: August 24, 2001
    Date of Patent: December 7, 2010
    Assignee: Thomson Licensing S.A.
    Inventors: David Leporini, Frederic Dublanchet, Andre Surcouf, Nicolas Gaude, Eric Delaunay
  • Patent number: 7844828
    Abstract: A method for verifying execution of a program, wherein the program comprises a first code portion and a second code portion. The method includes entering the first code portion, where the first code portion includes a first plurality of instructions, executing the first code portion, calculating a first checksum during the execution of the first code portion, wherein the first checksum is calculated using information associated with at least one of the first plurality of instructions, comparing the first checksum to a first pre-calculated checksum prior to exiting the first code portion, and exiting the first code portion and entering the second code portion if the first checksum equals the first pre-calculated checksum.
    Type: Grant
    Filed: December 6, 2004
    Date of Patent: November 30, 2010
    Assignee: Axalto SA
    Inventors: Nicolas Giraud, Stéphane Rainsard
  • Patent number: 7844999
    Abstract: Device discovery can be made efficient using certain embodiments of the present invention. In one embodiment, the present invention includes accessing a message in a message log, wherein the message log associates a host identifier with the message, the host identifier being an identifier of a host that sent the message to the message log. Then a list of parsers associated with the host identifier associated with the message can be accessed and parsing the message using parsers from the list of parsers associated with the host identifier can be attempted. If the parsing is unsuccessful, a device type of an originator of the message can be discovered, and a parser associated with the discovered device type can be added to the list of parsers associated with the host identifier.
    Type: Grant
    Filed: March 1, 2005
    Date of Patent: November 30, 2010
    Assignee: ArcSight, Inc.
    Inventors: Hector Aguilar-Macias, Rajiv Subrahmanyam
  • Patent number: 7840803
    Abstract: A group of devices are fabricated based on a common design, each device having a corresponding plurality of measurable characteristics that is unique in the group to that device, each device having a measurement module for measuring the measurable characteristics. Authentication of one of the group of devices is enabled by selective measurement of one or more of the plurality of measurable characteristics of the device.
    Type: Grant
    Filed: April 4, 2003
    Date of Patent: November 23, 2010
    Assignees: Massachusetts Institute of Technology, Intrinsic ID B.V.
    Inventors: Dwaine Clarke, Blaise Gassend, Marten Van Dijk, Srinivas Devadas
  • Patent number: 7840813
    Abstract: The present invention relates to a method of access to a service consisting in i) identifying and registering a client (C), ii) authenticating the client to an anonymous certification authority, iii) authenticating the client by producing an anonymous signature and opening and maintaining an anonymous authentication session with a server (Se), and iv) selectively allowing contact between the server (Se) and the anonymous certification authority (ACA) to revoke the anonymity of the client (C) using the signature provided in step iii). The invention also relates to a system for opening and maintaining an authentication session guaranteeing non-repudiation.
    Type: Grant
    Filed: November 14, 2003
    Date of Patent: November 23, 2010
    Assignee: France Telecom
    Inventors: Sébastien Canard, Stéphane Guilloteau, Eric Malville, Jacques Traore