Patents by Inventor Charles W. Kaufman

Charles W. Kaufman has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 5540860
    Abstract: The present invention relates to a process for producing a gel-free dispersion or solution of copper pyrithione employing at least one surfactant. Also claimed is the dispersion or solution itself, as well as a solid particulate copper pyrithione composition comprising copper pyrithione particles having a particle shape selected from the group consisting of rods, spheres, needles, platelets and combinations thereof, and optionally containing at least a trace amount of a surfactant on the outer surface of at least a portion of said particles.
    Type: Grant
    Filed: February 28, 1994
    Date of Patent: July 30, 1996
    Assignee: Olin Corporation
    Inventors: Saeed M. Hosseini, Charles W. Kaufman, Patrick Hobbs, John J. Jardas, Murray A. Ruggiero, Shoaib Arif
  • Patent number: 5500860
    Abstract: An apparatus for forwarding a data packet from a first link to a second link is disclosed. The apparatus is coupled with a plurality of computer networks through ports on the apparatus. The apparatus maintains a spanning tree list indicating which of the apparatus ports are active. The apparatus receives a packet, and determines if the packet was received from a port that is active. If the packet was received from a port that is not active, the packet is discarded. If the packet is not discarded, the data link source address of the packet is stored in a database within the apparatus for the computer network coupled with the port from which the packet was received. The apparatus then decides, responsive to the contents of a data link destination address field in the packet, whether to forward the packet as a bridge or to forward the packet as a router.
    Type: Grant
    Filed: June 14, 1991
    Date of Patent: March 19, 1996
    Assignee: Digital Equipment Corporation
    Inventors: Radia J. Perlman, Alan J. Kirby, Floyd J. Backes, Charles W. Kaufman
  • Patent number: 5497421
    Abstract: Apparatus for protecting the confidentiality of a user's password during a remote login authentication exchange between a user node and a directory service node of a distributed, public key cryptography system includes a specialized server application functioning as an intermediary agent for the login procedure. The login agent has responsibility for approving the user's login attempt and distributing a private key to the user. However, the login agent is not trusted with the user's password and is therefore a "semi-trusted" node. In another aspect of the invention, a login protocol enables remote authentication of the user password without transmitting the password over the network.
    Type: Grant
    Filed: September 28, 1994
    Date of Patent: March 5, 1996
    Assignee: Digital Equipment Corporation
    Inventors: Charles W. Kaufman, Morrie Gasser, Butler W. Lampson, Joseph J. Tardo, Kannan Alagappan
  • Patent number: 5491752
    Abstract: An improved security system inhibits eavesdropping, dictionary attacks, and intrusion into stored password lists. In one implementation, the user provides a workstation with a "password", and a "token" obtained from a passive authentication token generator. The workstation calculates a "transmission code" by performing a first hashing algorithm upon the password and token. The workstation sends the transmission code to the server. Then, the server attempts to reproduce the transmission code by combining passwords from a stored list with tokens generated by a second identical passive authentication token generator just prior to receipt of the transmission code. If any password/token combination yields the transmission code, the workstation is provided with a message useful in communicating with a desired computing system; the message is encrypted with a session code calculated by applying a different hashing algorithm to the password and token.
    Type: Grant
    Filed: September 2, 1994
    Date of Patent: February 13, 1996
    Assignee: Digital Equipment Corporation, Patent Law Group
    Inventors: Charles W. Kaufman, Radia J. Perlman, Morrie Gasser
  • Patent number: 5483598
    Abstract: An encryption system employing a one-time key-pad uses a shared secret number and a one-way hash function with which both the originator and recipient of a message generate successive segments of a key-pad to encrypt and decrypt the message respectively. In one arrangement each key-pad segment is generated by applying the hash function to a combination of the secret number and the previous key-pad segment. In the other embodiment of the invention, each key-pad section is generated by applying the one-way hash function to a combination of the secret number and a corresponding segment of the ciphertext version of the message.
    Type: Grant
    Filed: July 1, 1993
    Date of Patent: January 9, 1996
    Assignee: Digital Equipment Corp., Patent Law Group
    Inventors: Charles W. Kaufman, Radia J. Perlman
  • Patent number: 5475763
    Abstract: A signature system, such as an El Gamal or DSS system, involving the use of a long-term secret number and a per-message secret number generates the per-message secret number without the use of a random number generator or non-volatile storage. The per-message secret number is generated by applying a one-way hash function to a combination of the long-term secret number and the message itself.
    Type: Grant
    Filed: February 28, 1994
    Date of Patent: December 12, 1995
    Assignee: Digital Equipment Corp., Patent Law Group
    Inventors: Charles W. Kaufman, Radia J. Perlman
  • Patent number: 5434855
    Abstract: A novel mechanism prevents interleaving of packet cells from different source nodes on the same multicast port group at switches of a multicast virtual circuit in a cell-switched network; however, different cells bound for different multicast port groups may be interleaved. The mechanism comprises specific routing information that is stored in each multicast group port entry of a forwarding table located within each switch of the multicast virtual circuit. The forwarding table also stores information relating to each multicast port group including a virtual circuit value for each port of the multicast group. The specific routing information is provided for each multicast port group entry to notify the switch when data traffic for a particular packet is pending through a port of the multicast group and when that data traffic ceases, i.e., when the "end-of-packet" is reached. This ensures that the packets may be correctly reassembled at the destination nodes.
    Type: Grant
    Filed: October 28, 1994
    Date of Patent: July 18, 1995
    Assignee: Digital Equipment Corporation, Patent Law Group
    Inventors: Radia J. Perlman, Charles W. Kaufman, Robert E. Thomas, William R. Hawe
  • Patent number: 5418854
    Abstract: Apparatus for protecting the confidentiality of a user's password during a remote login authentication exchange between a user node and a directory service node of a distributed, public key cryptography system includes a specialized server application functioning as an intermediary agent for the login procedure. The login agent has responsibility for approving the user's login attempt and distributing a private key to the user. However, the login agent is not trusted with the user's password and is therefore a "semi-trusted" node. In another aspect of the invention, a login protocol enables remote authentication of the user password without transmitting the password over the network.
    Type: Grant
    Filed: April 28, 1992
    Date of Patent: May 23, 1995
    Assignee: Digital Equipment Corporation
    Inventors: Charles W. Kaufman, Morrie Gasser, Butler W. Lampson, Joseph J. Tardo, Kannan Alagappan
  • Patent number: 5418781
    Abstract: A novel switch architecture maintains the sequence of packet cells, received at one port of a multicast port group, during subsequent transfer of the cells to the remaining ports of the group. The novel architecture includes a 2-stage buffering arrangement whereby the first stage comprises a plurality of local buffers, each associated with a port of the switch, and the second stage comprises a single, global buffer. Each local buffer services its associated port of the multicast port group by temporarily storing incoming packet cells until a complete packet is received at that port, at which time the packet cells may be passed to the global buffer as outgoing cells. The global buffer services the remaining ports of the multicast port group by forwarding copies of the outgoing cells, in sequence, to those ports.
    Type: Grant
    Filed: August 2, 1994
    Date of Patent: May 23, 1995
    Assignee: Digital Equipment Corporation
    Inventors: Charles W. Kaufman, Radia J. Perlman
  • Patent number: 5373559
    Abstract: An improved security system inhibits eavesdropping, dictionary attacks, and intrusion into stored password lists. In one implementation, the user provides a workstation with a "password", and a "token" obtained from a passive authentication token generator. The workstation calculates a "transmission code" by performing a first hashing algorithm upon the password and token. The workstation sends the transmission code to the server. Then, the server attempts to reproduce the transmission code by combining passwords from a stored list with tokens generated by a second identical passive authentication token generator just prior to receipt of the transmission code. If any password/token combination yields the transmission code, the workstation is provided with a message useful in communicating with a desired computing system; the message is encrypted with a session code calculated by applying a different hashing algorithm to the password and token.
    Type: Grant
    Filed: March 18, 1993
    Date of Patent: December 13, 1994
    Inventors: Charles W. Kaufman, Radia J. Perlman, Morrie Gasser
  • Patent number: 5351295
    Abstract: A secure arrangement in which stations in a communications network are informed of the addresses of their neighbors by means of identifying messages transmitted by the stations. To prevent the insertion of illegitimate stations into the network, the system makes use of passwords included in the station-identifying messages. In networks where eavesdropping is possible, the passwords are encrypted versions of the identities of the stations transmitting the messages and in systems where stations can also be impersonated, the encrypted passwords also include time stamps.
    Type: Grant
    Filed: July 1, 1993
    Date of Patent: September 27, 1994
    Assignee: Digital Equipment Corporation
    Inventors: Radia J. Perlman, Charles W. Kaufman
  • Patent number: 5261002
    Abstract: A technique for issuing and revoking user certificates of authenticity in a public key cryptography system, wherein certificates do not need expiration dates, and the inconvenience and overhead associated with routine certificate renewals are minimized or avoided entirely. A Certification Authority issues certificates as required, and issues a blacklist having a start date, an expiration date, and an entry for every invalid certificate issued after the start date. Users assume that every certificate issued prior to the blacklist start date is invalid, and that invalid certificates issued after the start date will be included in the current blacklist. A new blacklist is issued prior to expiration of the current one, and the blacklist start date is changed only when the blacklist becomes unmanageably long.
    Type: Grant
    Filed: March 13, 1992
    Date of Patent: November 9, 1993
    Assignee: Digital Equipment Corporation
    Inventors: Radia J. Perlman, Charles W. Kaufman
  • Patent number: 5235644
    Abstract: A decryption method, and associated cryptographic processor, for performing in-line decryption of information frames received from a communication network through a first in-line processing stage. As an information packet is streamed into the cryptographic processor, a determination is made to an acceptable level of probability whether the packet contains data that should be decrypted. The decision whether or not to decrypt is made by analyzing the incoming packet header, recognizing a limited number of packet formats, and further parsing the packet to locate any encrypted data and to make sure that the packet is not a segment of a larger message. Falsely decrypted packets are looped back through the cryptographic processor, to regenerate the data that was falsely decrypted. Decryption and encryption are performed in such a manner that a false decryption is completely reversible without loss of data.
    Type: Grant
    Filed: June 29, 1990
    Date of Patent: August 10, 1993
    Assignee: Digital Equipment Corporation
    Inventors: Amar Gupta, Butler W. Lampson, William R. Hawe, Joseph J. Tardo, Charles W. Kaufman, Mark F. Kempf, Morrie Gasser, B. J. Herbison
  • Patent number: 5224163
    Abstract: A method for delegating authorization from one entity in a distributed computing system to another for a computing session is disclosed wherein a session public/private encryption key pair is utilized for each computing session. The private encryption key is erased to terminate the computing session.
    Type: Grant
    Filed: September 28, 1990
    Date of Patent: June 29, 1993
    Assignee: Digital Equipment Corporation
    Inventors: Morrie Gasser, Andrew C. Goldstein, Charles W. Kaufman, Butler W. Lampson
  • Patent number: 5220604
    Abstract: A method for denying a first group access to a system resource wherein a second group is selected such that the first group is a subgroup of the second group. Access is granted only to those members of the second group who do not derive their membership in the second group through their membership in the first group.
    Type: Grant
    Filed: September 28, 1990
    Date of Patent: June 15, 1993
    Assignee: Digital Equipment Corporation
    Inventors: Morrie Gasser, Andrew C. Goldstein, Charles W. Kaufman
  • Patent number: 5128926
    Abstract: Stored information used for routing packets of a network of nodes interconnected by links. A link state packet is sent to the first node indicating the states of links connected to some given node in the network. At the first node, an attempt is made to derive from the link state packet sent in step (a), the states of the links. If the states of fewer than all of the links connected to the given node are derived in step (b), the stored information used for routing packets is updated using the derived link states without regard to other link state packets sent to the first node. Another aspect features organizing, at a node in a network of nodes interconnected by links, a database of entries concerning respective links, by (a) providing indicators associated with the entries, (b) when a link becomes inoperable, setting or clearing the indicator associated with the entry related to the link, and (c) when the link becomes operable, clearing or setting the indicator.
    Type: Grant
    Filed: March 21, 1990
    Date of Patent: July 7, 1992
    Assignee: Digital Equipment Corporation
    Inventors: Radia J. Perlman, Ross Callon, Charles W. Kaufman
  • Patent number: 5086469
    Abstract: A method for selective disclosure of the identity of a communication protocol under which an information packet originated, but without incorrectly identifying the protocol in a header accompanying the packet. If there is a need to conceal the identity of the underlying source protocol, a special anonymous protocol identifier is used, instead of the real protocol identifier, in the header of an encrypted information packet. Network monitors can then still provide accurate information concerning traffic on the network, without having this information distorted by the use of incorrect communication protocols. If there is a desire to reveal the underlying protocol, a subnetwork protocol frame format is used to store the protocol identity and signify whether the packet is encrypted. A packet that is of a non-subnetwork protocol can be encapsulated with a subnetwork header containing a special code signifying that there is an encapsulated packet and containing the original protocol identifier.
    Type: Grant
    Filed: June 29, 1990
    Date of Patent: February 4, 1992
    Assignee: Digital Equipment Corporation
    Inventors: Amar Gupta, Charles W. Kaufman, Mark F. Kempf, G. Paul Koning
  • Patent number: 5081678
    Abstract: The nodes in a computer network utilize an encrypted key as a key identifier in data packets transferred between nodes, which eliminates the need for a receiving node to perform a memory look-up operation to ascertain the key used to encrypt the data. Each node is provided with a master key that is unique to that node. When two nodes want to establish communications, they first negotiate a shared key. This shared key is then encrypted under each node's master key. The nodes then exchange their respective encrypted keys. The encrypted key of the receiving node is placed in the data packet to be sent by the transmitting node. Upon receiving a data packet, the receiving node decrypts the encrypted key to determine the shared key. This shared key is then used to decrypt encrypted data in the data packet.
    Type: Grant
    Filed: June 28, 1989
    Date of Patent: January 14, 1992
    Assignee: Digital Equipment Corporation
    Inventors: Charles W. Kaufman, B. J. Herbison
  • Patent number: 5070528
    Abstract: A method and related cryptographic processing apparatus for handling information packets that are to be cryptographically processed prior to transmission onto a communication network, or that are to be locally cryptographically processed and looped back to a node processor. A special cryptographic preamble is included in each information packet that is to be subject to cryptographic processing. The cryptographic preamble contains an offset value pointing to the starting location of information that is to be processed, and completely defines the type of cryptographic processing to be performed. The cryptographic processor can then perform the processing as specified in the preamble without regard to a specific protocol. If the packet is to be transmitted onto the network, the preamble is stripped from the packet after cryptographic processing, so that the formats of packets transmitted onto the network will be unaffected by the preamble.
    Type: Grant
    Filed: June 29, 1990
    Date of Patent: December 3, 1991
    Assignee: Digital Equipment Corporation
    Inventors: William R. Hawe, Joseph J. Tardo, Charles W. Kaufman, Amar Gupta, Barry A. Spinney, Gregory M. Waters
  • Patent number: 5018137
    Abstract: A method for improving communications in a bridge network between end nodes involving sensing trunking configurations and executing binding schemes to make certain daughter bridges involved in the trunking conditions behave as a plurality of bridges and forward messages in the correct time sequence. This can be done by creating "forwarding groups" associating different groups of networks connected to those daughter bridges.
    Type: Grant
    Filed: October 16, 1990
    Date of Patent: May 21, 1991
    Assignee: Digital Equipment Corporation
    Inventors: Floyd J. Backes, George Varghese, Charles W. Kaufman