Patents by Inventor Mark A. Bortz

Mark A. Bortz has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 10523688
    Abstract: A system for confirming a computing environment includes a remote computing device connected by a communication network to a computing device. The remote computing device generates a nonce, or number used once, and executes an attestation function to determine an attestation measurement value based on the contents of the memory of the remote computing device. The nonce is transmitted by the network to the computing device, which uses the nonce to execute the attestation function based on the contents of the memory of the computing device and determine an attestation measurement value. This attestation measurement value is transmitted to the remote computing device. If the attestation measurement values match, the computing device is designated as trusted. If the attestation measurement values mismatch, the computing device is designated as untrusted.
    Type: Grant
    Filed: April 12, 2017
    Date of Patent: December 31, 2019
    Assignee: Rockwell Collins, Inc.
    Inventors: Luke E. Ryon, Gregory W. Rice, James N. Potts, Mark A. Bortz
  • Patent number: 10454968
    Abstract: Testing a system against fuzzing attacks includes negating all regular expressions used in the corresponding language, and applying those negated regular expressions to a system interface. Only expressions definitively outside the scope of protocol specification implicate vulnerabilities to fuzzing attacks. The system detects fuzzing attacks by continuously monitoring packets of data and only passing through packets that conform to regular expressions of the language.
    Type: Grant
    Filed: September 12, 2016
    Date of Patent: October 22, 2019
    Assignee: Rockwell Collins, Inc.
    Inventors: Mark A. Bortz, David S. Hardin, James N. Potts, Konrad L. Slind
  • Patent number: 10031229
    Abstract: An object designator system has a laser light source, an image sensor, a display, and a processor coupled with a non-transitory processor-readable medium storing processor-executable code. The image sensor captures an external scene image. The processor determines a range to an object of interest in the external scene and an exposure delay based on the range. The laser light source emits a laser light pulse into the external scene. The image sensor, based on the exposure delay, captures a laser spot image including laser light pulse reflections, and a spot baseline image of the external scene. The processor determines, based on the laser spot image and the spot baseline image, a location of the laser spot in the external scene and generates a symbol indicative of the location of the laser spot. The processor renders the symbol onto the external scene image to display an integrated image to a user.
    Type: Grant
    Filed: December 15, 2014
    Date of Patent: July 24, 2018
    Assignee: Rockwell Collins, Inc.
    Inventors: Steven E. Koenck, Mark A. Bortz, T. Douglas Hiratzka, Michael C. Gokay
  • Patent number: 9590964
    Abstract: A method for routing of information between networks of differing security levels may include, but is not limited to: receiving a data packet from a first network having a security classification at a first network node; determining a geographic location of the first network node; applying one or more geographic location-dependent access control rules for the data packet according to the geographic location of the first network node with a guard engine; transferring the data packet to a second network according to compliance of the data packet with the one or more geographic location-dependent access control rules.
    Type: Grant
    Filed: September 13, 2010
    Date of Patent: March 7, 2017
    Assignee: Rockwell Collins, Inc.
    Inventors: Mark A. Bortz, Sung J. Kim, T. Douglas Hiratzka, Andrew J. LeVake
  • Patent number: 9509394
    Abstract: A system and method are provided for implementing a security construct for downloading, delivering and protecting large amounts of data for transfer to an aircraft upload capability in a short period of time, including between individual legs of a flight for a particular aircraft or fleet of aircraft. Large data packages include In Flight Entertainment and Electronic Flight Bag data. The data is downloaded at an available rate using wired communication paths communicating with various data sources via communication networks to a mobile communication device. The data is secured in the mobile communication device according to particular encryption schemes acceptable to data content providers. The mobile communication device securely holds the data for carriage to the aircraft where wired communication is established to upload the data in available abbreviated amounts of time in a manner that is not dependent on the availability of wireless communicating bandwidth.
    Type: Grant
    Filed: October 7, 2015
    Date of Patent: November 29, 2016
    Assignee: Rockwell Collins, Inc.
    Inventors: James P. Mitchell, Mark Bortz, Robert L. Lentz, Scott J. Zogg, Fraser R. Chisholm, Kevin Delaney, Diane McClatchy, Rolf R. Stefani
  • Patent number: 9059853
    Abstract: A system for preventing a computing device from obtaining unauthorized access to a secure network includes a client agent operably connected to the computing device configured to intercept network traffic information from applications running on the computing device and transmit a network request including application information and the network traffic information. A network token broker operably connected to the network client agent contains a database of application information. The network token broker is configured to cooperate with the network client agent for i) verifying whether the network request should be granted access to the secure network, and ii) cryptographically signing the intercepted network traffic information with a network authorization token, to authorize network access for the intercepted network traffic information.
    Type: Grant
    Filed: February 22, 2012
    Date of Patent: June 16, 2015
    Assignee: Rockwell Collins, Inc.
    Inventors: Mark A. Bortz, James N. Potts, Gregory W. Rice, Karl F. Hoech
  • Patent number: 9020146
    Abstract: A communication device includes at least one receiver and at least one transmitter. The communication device also includes a cryptographic processor coupled to at least one of the at least one receiver and the at least one transmitter. The communication device further includes the cryptographic processor enabling high speed cryptographic modes. The cryptographic processor includes a resource virtualization subsystem having an address offset register bank and an offset adder coupled to a microaddress calculation logic on a bank virtualization subsystem.
    Type: Grant
    Filed: September 18, 2007
    Date of Patent: April 28, 2015
    Assignee: Rockwell Collins, Inc.
    Inventors: Philippe M. Limondin, Mark A. Bortz
  • Patent number: 8661246
    Abstract: A system for preventing computer software from communicating from a user computer in a network to untrusted remote computers. A host-based credential management agent is operably connected to a user computer for intercepting network traffic information from the user computer and transmitting a network request including credentials of the remote computer and the network traffic information. A trusted credential database contains information identifying trusted entities and corresponding cryptographic certificates. A server cooperates with the management agent for i) verifying whether the user computer in the network request should have network access, and ii) cryptographically signing the intercepted network traffic information with an authorization server key, to authorize network access for the intercepted information. A firewall is operably connected to the user computer and the authorization server.
    Type: Grant
    Filed: April 9, 2012
    Date of Patent: February 25, 2014
    Assignee: Rockwell Collins, Inc.
    Inventors: Karl F. Hoech, James N. Potts, Gregory W. Rice, Mark A. Bortz
  • Patent number: 8320556
    Abstract: An improved architecture is disclosed of a crypto engine, such as a Janus Crypto Engine (JCE) having a Programmable Cryptographic Channel (PCC) using a Programmable Cryptographic Processor (PCP). The architecture of the crypto engine does not require zeroizing between messages received by the PCC. Consequently, using the new architecture of the present invention, the crypto engine can allocate PCC resources based on throughput and algorithm needs, reducing latency, and employing fewer PCCs.
    Type: Grant
    Filed: September 28, 2006
    Date of Patent: November 27, 2012
    Assignee: Rockwell Collins, Inc.
    Inventors: Mark A. Bortz, David W. Jensen
  • Patent number: 8161529
    Abstract: The present invention is directed to routing information between networks of differing security levels. Communication to/from each network is handled by a dedicated Offload Engine (OE). Each OE interfaces to a Guard Engine through a Guard Data Mover (GDM) and includes an interface for connecting to an external network. A first OE receives a data packet from a first network intended to be transmitted to a second network. The Guard Engine analyzes the data packet. The Guard Engine includes an ACL (Access Control List), a set of rules that data packets must meet before being passed on to a destination network. If allowed, the Guard Engine delivers the data packet to the second network via a second OE utilizing a GDM associated with the first OE and a GDM associated with the second OE. The architecture of the present invention reduces the time and effort needed to attain high-assurance certification.
    Type: Grant
    Filed: June 19, 2007
    Date of Patent: April 17, 2012
    Assignee: Rockwell Collins, Inc.
    Inventors: Mark A. Bortz, Matthew M. Wilding, James A. Marek, David S. Hardin, T. Douglas Hiratzka, Philippe M. T. Limondin
  • Patent number: 8094819
    Abstract: A method and apparatus for improved algorithm and key agility for a cryptosystem, comprising a CAM-type key manager. The key manager uses two memories, an index RAM and a key RAM, to virtualize each algorithm or key using pointers from the index RAM to the key RAM, allowing simple reference to algorithm/key pairs, and to dynamically allocate storage for keys. An autonomous free memory management design improves latency in future key write operations by transforming the search for free location addresses in the key RAM memory into a background task, and employing a free address stack. The index RAM is resizable so that data for a plurality of cryptographic algorithms may be stored dynamically.
    Type: Grant
    Filed: July 28, 2006
    Date of Patent: January 10, 2012
    Assignee: Rockwell Collins, Inc.
    Inventors: Philippe M. T. Limondin, T. Douglas Hiratzka, Mark A. Bortz
  • Patent number: 7639798
    Abstract: The present invention provides a high speed data encryption architecture in which fabric elements are communicatively coupled to one another via a hardwired interconnect. Each of the fabric elements includes a plurality of wide field programmable gate array (FPGA) blocks used for wide datapaths and a plurality of narrow FPGA blocks used for narrow datapaths. Each of the plurality of wide FPGA blocks and each of the plurality of narrow FPGA blocks are communicatively coupled to each other. A control block is communicatively coupled to each of the fabric elements via the hardwired interconnect to provide control signals to each of the fabric elements. The fabric elements are used to implement cryptographic algorithms.
    Type: Grant
    Filed: September 15, 2005
    Date of Patent: December 29, 2009
    Assignee: Rockwell Collins, Inc.
    Inventors: Mark A. Bortz, Philippe M. T. Limondin, T. Douglas Hiratzka
  • Patent number: 7451258
    Abstract: The present invention is a rotating priority queue manager. A rotating priority queue manager in accordance with the present invention may include a plurality of source data channels, a corresponding plurality of processing resources, and an arbitrating interface directing the flow of data from the source channels to the processing resources where the data must flow over a shared data path. The plurality of processing resources may comprise any system of parallel processors where the servicing of input data must be carried out in a manner where the maximum latency for processing a given data channel is determinable, the arbitration between channels is equal, no input channel may prevent another channel from being serviced, and lower priority processing resources are not prohibited from receiving input data if higher priority processing resources are not currently available or if higher priority data is not currently available.
    Type: Grant
    Filed: August 23, 2006
    Date of Patent: November 11, 2008
    Assignee: Rockwell Collins, Inc.
    Inventors: T. Douglas Hiratzka, Philippe M. Limondin, Mark A. Bortz