Patents by Inventor Germano Caronni

Germano Caronni has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 7107459
    Abstract: Methods and systems for accessing information in and loading encrypted information to memory. A processor provides virtual address information to a memory management unit. In response, the memory management unit retrieves a key tag and physical address information corresponding to the virtual address information. The memory management unit then sends the key tag and physical address information to the processor. The processor then determines whether a memory location corresponding to the physical address information is encrypted based on the key tag, and retrieves a secret key using the key tag based on the determining. Thereafter, information read from the memory location is decrypted using the secret key.
    Type: Grant
    Filed: January 16, 2002
    Date of Patent: September 12, 2006
    Assignee: Sun Microsystems, Inc.
    Inventors: Germano Caronni, Glenn Scott
  • Publication number: 20060077977
    Abstract: Methods and systems consistent with the present invention establish a virtual network on top of current IP network naming schemes. The virtual network uses a separate layer to create a modification to the IP packet format that is used to separate network behavior from addressing. As a result of the modification to the packet format, any type of delivery method may be assigned to any address or group of addresses. The virtual network also maintains secure communications between nodes, while providing the flexibility of assigning delivery methods independent of the delivery addresses.
    Type: Application
    Filed: August 11, 2005
    Publication date: April 13, 2006
    Inventors: Germano Caronni, Amit Gupta, Sandeep Kumar, Tom Markson, Christoph Schuba, Glenn Scott
  • Patent number: 6977929
    Abstract: Methods and systems consistent with the present invention provide a Supernet, a private network constructed out of components from a public-network infrastructure. The Supernet provides flexible and dynamic mobility support. When a destination node moves to a new location, it automatically updates the sending nodes with its new IP address. The destination node can choose among a number of ways to update the sending nodes, providing flexibility not found in conventional networks. Thus, a node can change locations repeatedly and continue to communicate directly with other nodes without the use of a proxy or other middleman.
    Type: Grant
    Filed: December 10, 1999
    Date of Patent: December 20, 2005
    Assignee: Sun Microsystems, Inc.
    Inventors: Germano Caronni, Amit Gupta, Tom R. Markson, Sandeep Kumar, Christoph L. Schuba, Glenn C. Scott
  • Patent number: 6970941
    Abstract: Methods and systems consistent with the present invention establish a virtual network on top of current IP network naming schemes. The virtual network uses a separate layer to create a modification to the IP packet format that is used to separate network behavior from addressing. As a result of the modification to the packet format, any type of delivery method may be assigned to any address or group of addresses. The virtual network also maintains secure communications between nodes, while providing the flexibility of assigning delivery methods independent of the delivery addresses.
    Type: Grant
    Filed: December 10, 1999
    Date of Patent: November 29, 2005
    Assignee: Sun Microsystems, Inc.
    Inventors: Germano Caronni, Amit Gupta, Sandeep Kumar, Tom R. Markson, Christoph L. Schuba, Glenn C. Scott
  • Publication number: 20050204161
    Abstract: A system for group key management including a keying material infrastructure including a root portion configured to store a root public key, a key encryption key portion operatively connected to the root portion configured to store a traffic encryption key encrypted using a symmetric key encryption key, and a public key encryption key, and a first client operatively connected to the key encryption key portion configured to store the symmetric key encryption key encrypted using a first client symmetric key, and a first group member configured to access the traffic encryption key using the first client symmetric key.
    Type: Application
    Filed: March 10, 2004
    Publication date: September 15, 2005
    Inventor: Germano Caronni
  • Patent number: 6938169
    Abstract: Methods and systems consistent with the present invention provide a Supernet, a private network constructed out of components from a public-network infrastructure. The Supernet provides channel-specific file system views such that the file system of the Supernet is partitioned on a per-channel basis so that nodes on one channel see a different view of the network file system than the nodes on a different channel.
    Type: Grant
    Filed: December 10, 1999
    Date of Patent: August 30, 2005
    Assignee: Sun Microsystems, Inc.
    Inventors: Germano Caronni, Amit Gupta, Tom R. Markson, Sandeep Kumar, Christoph L. Schuba, Glenn C. Scott
  • Patent number: 6920330
    Abstract: Embodiments of the present invention are directed at gathering position information of mobile and stationary entities and using the position information in a wide variety of applications. Various embodiments use a plurality of signal transmitting devices and/or a plurality of signal gathering devices to gather position information. In one embodiment, the signal transmitting device is an existing mobile electronic device. In another embodiment, the signal transmitting device is a radio frequency identification (RFID) tag attached to an entity. In another embodiment, the signal gathering device is a collection of wall mounted antennas. The entity location is calculated by gathering the phase difference or other timing information of a signal generated by the signal transmitting device on the entity. This location information is then given to end user applications. One embodiment is a network security application using gathered location information of wireless Ethernet cards.
    Type: Grant
    Filed: March 26, 2002
    Date of Patent: July 19, 2005
    Assignee: Sun Microsystems, Inc.
    Inventors: Germano Caronni, Ann Sofie Nystrom
  • Patent number: 6870842
    Abstract: Methods and systems consistent with the present invention provide a Supernet, a private network constructed out of components from a public-network infrastructure. Supernet nodes can be located on virtually any device in the public network (e.g., the Internet), and both their communication and utilization of resources occur in a secure manner. The Supernet also uses multicast communication to create Ethernet-like communication between its nodes. In using multicasting, each communication of each node on a channel in the private network is sent to a multicast address which sends it to all of the nodes on the channel. Sending a copy of every communication to all of the other nodes on the channel makes system tasks, like debugging, easy for the nodes on the channel. The multicasting provided by the private network is dynamic in that multicast addresses can be assigned for use by a channel and reclaimed so as to allow sharing of the multicast addresses.
    Type: Grant
    Filed: December 10, 1999
    Date of Patent: March 22, 2005
    Assignee: Sun Microsystems, Inc.
    Inventors: Germano Caronni, Amit Gupta, Tom R. Markson, Sandeep Kumar, Christoph L. Schuba, Glenn C. Scott
  • Publication number: 20040203846
    Abstract: Embodiments of the present invention are directed at gathering position information of mobile and stationary entities and using the position information in a wide variety of applications. Various embodiments use a plurality of signal transmitting devices and/or a plurality of signal gathering devices to gather position information. In one embodiment, the signal transmitting device is an existing mobile electronic device. In another embodiment, the signal transmitting device is a radio frequency identification (RFID) tag attached to an entity. In another embodiment, the signal gathering device is a collection of wall mounted antennas. The entity location is calculated by gathering the phase difference or other timing information of a signal generated by the signal transmitting device on the entity. This location information is then given to end user applications. One embodiment is a network security application using gathered location information of wireless Ethernet cards.
    Type: Application
    Filed: March 26, 2002
    Publication date: October 14, 2004
    Inventors: Germano Caronni, Ann Sofie Nystrom
  • Patent number: 6798782
    Abstract: Methods and systems consistent with the present invention provide a Supernet, a private network constructed out of components from a public-network infrastructure. Supernet nodes can be located on virtually any device in the public network (e.g., the Internet), and both their communication and utilization of resources occur in a secure manner by providing for anonymous communications within the network through addressing. As a result, the users of a Supernet benefit from their network infrastructure being maintained for them as part of the public-network infrastructure, while the level of security they receive is similar to that of a private network. Additionally, the nodes of the Supernet are not geographically restricted in that they can be connected to the Supernet from virtually any portal to the Internet in the world.
    Type: Grant
    Filed: December 10, 1999
    Date of Patent: September 28, 2004
    Assignee: Sun Microsystems, Inc.
    Inventors: Germano Caronni, Amit Gupta, Sandeep Kumar, Tom R. Markson, Christoph L. Schuba, Glenn C. Scott
  • Publication number: 20040175000
    Abstract: A method for generating a secure storage file system, including encrypting data using a symmetric key to obtain encrypted data, encrypting the symmetric key using a public key to obtain an encrypted symmetric key, storing the encrypted data and the encrypted symmetric key if the public key is associated with a user who only has read permission, generating an encrypted hashed data if the public key is associated with a user who has write permission, and storing the encrypted data, the encrypted symmetric key, and the encrypted hash data if the public key is associated with the user who has write permission.
    Type: Application
    Filed: March 5, 2003
    Publication date: September 9, 2004
    Inventor: Germano Caronni
  • Publication number: 20040162915
    Abstract: A method of extending the functionality of a virtual network is disclosed. Messages intended for a virtual destination address located on a network equipped with a device performing packet filtering, network address translation or a similar function on the edge of the network (an “edge device”), are encapsulated in higher level protocols prior to being sent to the edge device. The virtual destination address may be associated with a process on the edge device or a process on another device in the interior of the network. Higher level protocol designations, including transport protocol designations accompanied by a port number and application protocol designations, are retrieved from an extended virtual address registration. Messages arriving at the edge device are determined by the Network layer to contain a higher level protocol and are passed up the Internet Protocol model stack to a higher layer.
    Type: Application
    Filed: February 13, 2003
    Publication date: August 19, 2004
    Applicant: Sun Microsystems, Inc.
    Inventors: Germano Caronni, Robert P. St. Pierre
  • Publication number: 20040162914
    Abstract: A method of associating a range of destination IP addresses with a real IP address for use with the Virtual Address Resolution Protocol is disclosed. The destination addresses may be a range of virtual IP addresses in a virtual network or a range of real IP addresses in a physical network. A record of the association of the range of destination addresses with a single real IP address is stored in a Virtual Address Resolution Protocol lookup table which is utilized when sending messages from a virtual IP address. The ability to assign a range of destination addresses to a single real IP address represents an extension of the use of VARP. The association of multiple destination addresses to a single real IP address allows an electronic device to function as a router to a widely distributed real or virtual network. The virtual network of the present invention adds a layer of encryption to the originating virtual network by sending encrypted data packets between the origin and destination addresses.
    Type: Application
    Filed: February 13, 2003
    Publication date: August 19, 2004
    Applicant: Sun Microsystems, Inc.
    Inventors: Robert P. St. Pierre, Germano Caronni
  • Publication number: 20030206637
    Abstract: A method for updating a key in a secure group involves issuing an update request by a first member of the secure group, receiving the update request by a second member of the secure group, generating a first suggested revision number by the first member, generating a second suggested revision number by the second member in response to the update request, calculating a first send time by the first member using the first suggested revision number, calculating a second send time by the second member using the second suggested revision number, sending the first suggested revision number by the first member upon reaching the first send time if the first member is not blocked from sending, sending the second suggested revision number by the second member upon reaching the second send time if the second member is not blocked from sending, receiving the first suggested revision number by the second member, comparing the first suggested revision number to the second suggested revision number by the second member, bloc
    Type: Application
    Filed: May 3, 2002
    Publication date: November 6, 2003
    Inventors: Germano Caronni, Radia J. Perlman
  • Patent number: 6643701
    Abstract: Methods and systems of the present invention include providing a connection between a first computer and a second computer by receiving, at a third computer, information regarding one of the first and second computers to facilitate establishment of a secure connection between the first computer and the second computer, creating a first end-to-end security link between the first computer and third computer, and creating a second end-to-end security link between the second computer and the third computer to establish the secure connection. The first and second computers could be a client and a server on the Internet, and these methods and systems can, for example, increase the possible number of new secure connections to the server. The third computer also permits processing of information transmitted between the client and server in the third computer. For example, the information could be reformatted or used in testing a process of one of the first and second computers.
    Type: Grant
    Filed: November 17, 1999
    Date of Patent: November 4, 2003
    Assignee: Sun Microsystems, Inc.
    Inventors: Ashar Aziz, Geoffrey Baehr, Germano Caronni, Amit Gupta, Vipul Gupta, Glenn C. Scott
  • Publication number: 20030154221
    Abstract: Methods and systems for accessing file system entities. A lookup routine receives a request from a node to access a file system entity. After determining that a file system view table does not have a first entry that corresponds to the file system entity, the lookup routine searches the file system view table for an alternate entry. The alternate entry comprises an entity name of the requested entity, extended by an uncommon string of characters including an expandable sequence. The lookup routine then expands the expandable sequence of the alternate entry by a value corresponding to the node, and retrieves information from the file system view table corresponding to the expanded alternate entry.
    Type: Application
    Filed: February 13, 2002
    Publication date: August 14, 2003
    Applicant: Sun Microsystems, Inc.
    Inventors: Germano Caronni, Sandeep Kumar
  • Publication number: 20030133574
    Abstract: Methods and systems for accessing information in and loading encrypted information to memory. A processor provides virtual address information to a memory management unit. In response, the memory management unit retrieves a key tag and physical address information corresponding to the virtual address information. The memory management unit then sends the key tag and physical address information to the processor. The processor then determines whether a memory location corresponding to the physical address information is encrypted based on the key tag, and retrieves a secret key using the key tag based on the determining. Thereafter, information read from the memory location is decrypted using the secret key.
    Type: Application
    Filed: January 16, 2002
    Publication date: July 17, 2003
    Applicant: Sun Microsystems, Inc.
    Inventors: Germano Caronni, Glenn Scott
  • Publication number: 20030131123
    Abstract: A method for conveying a security context, including creating and assigning a virtual address to a client process, issuing a first Internet Protocol version compliant packet wherein the first Internet Protocol version compliant packet comprises a security context, prepending an issued packet with a second Internet Protocol version header producing a second Internet Protocol version compliant packet, forwarding the second Internet Protocol version compliant packet to a recipient, stripping away the second Internet Protocol version compliant header from the second Internet Protocol version compliant packet producing a stripped packet at the recipient, decrypting and authenticating the stripped packet using a particular method as indicated by the security context producing a decrypted and authenticated packet, and routing the decrypted and authenticated packet to a recipient process using the virtual address.
    Type: Application
    Filed: January 4, 2002
    Publication date: July 10, 2003
    Inventors: Robert P. St. Pierre, Germano Caronni
  • Patent number: 6507908
    Abstract: A method for secure data communication with a mobile machine in which a data packet is received from the mobile machine having a particular network address. A pool of secure addresses is established and a data structure is created to hold address translation associations. Each association is between a particular network address and a particular one of the secure addresses. If the received data packet is a secure data packet, an association between the received data packet's network address and a secure address in the data structure is identified and the data packet's network address is translated to the associated secure address before forwarding the data packet on to higher network protocol layers. When the received data packet is not secure, it is passed on without address translation to the higher network protocol layers. For outgoing packets addressed to a secure address, the secure address is translated to a real network address (e.g.
    Type: Grant
    Filed: March 4, 1999
    Date of Patent: January 14, 2003
    Assignee: Sun Microsystems, Inc.
    Inventor: Germano Caronni
  • Publication number: 20020164987
    Abstract: The present invention provides a method and apparatus for device location sensitive data routing. In one embodiment of the present invention, a signal from a portable, electronic device identifies a user. In this embodiment, a sensor detects the signal and relays the identification information along with information about electronic communications devices available at the location to a routing device. The routing device reroutes electronic communications to the physical location of the user. In one embodiment, the signal is a radio emanation. In another embodiment, the signal is an infrared emanation. In yet another embodiment, the signal is transmitted over a connection line which couples the portable, electronic device to the sensor. In one embodiment, phone calls are rerouted to a phone located near the portable, electronic device. In another embodiment, e-mail messages are rerouted to a general purpose computer located near the portable, electronic device.
    Type: Application
    Filed: December 13, 2000
    Publication date: November 7, 2002
    Inventors: Germano Caronni, Geoffrey Baehr