Data Authentication Patents (Class 713/161)
  • Patent number: 8296763
    Abstract: A system and method for providing Personal Cloud computing and for hosting applications and/or content may employ a network attached storage device on which virtual machine monitors (T-cups) and logical devices (Ts) are instantiated in memory. Each T may include hosted content, application modules, a server module configured to host the modules and/or content, and an interface module configured to provide access to the modules and/or content in response to detecting an authorized key. Detecting an authorized key may include communicating with a name server to determine if a T instantiated on a storage device coupled to the system is associated with a device identifier on a list of device identifiers authorized to access the module(s). The storage device may be a computer, camera, frame, phone, audio/video player, or portable storage device. The name server may be configured to authenticate Ts, define T ownership, and/or establish friend-to-friend networks between Ts.
    Type: Grant
    Filed: May 29, 2009
    Date of Patent: October 23, 2012
    Assignee: Adobe Systems Incorporated
    Inventors: Mark S. Peercy, Danny D. Loh
  • Patent number: 8295486
    Abstract: Systems, devices, and methods for outputting an alert on a mobile device to indicate the use of a weak hash function are disclosed herein. In one example embodiment, the method comprises receiving data (e.g. from a server) that identifies at least one first hash function, identifying a hash digest generated using a second hash function, determining if the second hash function is weak using the received data, and outputting an alert indicating that the second hash function is weak if it is determined that the second hash function is weak.
    Type: Grant
    Filed: September 28, 2007
    Date of Patent: October 23, 2012
    Assignee: Research In Motion Limited
    Inventors: Christopher L. Bender, Michael K. Brown, Michael S. Brown
  • Patent number: 8289970
    Abstract: Described are embodiments directed to negotiating an encapsulation mode between an initiator and a responder. As part of the negotiation of the security association, an encapsulation mode is negotiated that allows packets to be sent between the initiator and responder without encapsulation. The ability to send packets without encapsulation allows intermediaries, such as a firewall, at the responder to easily inspect the packets and implement additional features such as security filtering.
    Type: Grant
    Filed: July 17, 2009
    Date of Patent: October 16, 2012
    Assignee: Microsoft Corporation
    Inventors: Brian D. Swander, Daniel R. Simon
  • Patent number: 8291235
    Abstract: A method of controlling use of a printer on a network includes providing a key to a client on the network. The key is then used to submit a print job from the client to a printer on the network.
    Type: Grant
    Filed: August 29, 2003
    Date of Patent: October 16, 2012
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Art H. Burget, Brennen W. Stollfus, Steven D. Thorne
  • Patent number: 8281149
    Abstract: Systems and methods are disclosed for privacy-preserving flexible user-selected anonymous and pseudonymous access at a relying party (RP), mediated by an identity provider (IdP). Anonymous access is unlinkable to any previous or future accesses of the user at the RP. Pseudonymous access allows the user to associate the access to a pseudonym previously registered at the RP. A pseudonym system is disclosed. The pseudonym system allows a large number of different and unlinkable pseudonyms to be generated using only a small number of secrets held by the user. The pseudonym system can generate tokens capable of including rich semantics in both a fixed format and a free format. The tokens can be used in obtaining from the IdP, confirmation of access privilege and/or of selective partial disclosure of user characteristics required for access at the RPs. The pseudonym system and associated protocols also support user-enabled linkability between pseudonyms.
    Type: Grant
    Filed: June 23, 2009
    Date of Patent: October 2, 2012
    Assignee: Google Inc.
    Inventors: Bennet Laurie, Marcel M. Moti Yung
  • Patent number: 8278870
    Abstract: Various embodiments are described herein for a mobile communication device that authenticates a smart battery prior to use. The mobile device includes a main processor and a device memory. The device memory stores first and second portions of security information used for authentication. The smart battery includes a battery processor and a battery memory. The battery memory stores a third portion of security information used for authentication. The main processor sends an authentication request including the first portion of security information to the battery processor, and the battery processor generates a response based on the first and third portions of security information and sends the generated response to the main processor. The smart battery is authenticated if the generated response matches the second portion of security information.
    Type: Grant
    Filed: February 22, 2010
    Date of Patent: October 2, 2012
    Assignee: Research In Motion Limited
    Inventor: Herbert A. Little
  • Patent number: 8276187
    Abstract: An information processing system includes a client device and a server system. The client device executes an application program as a confidential process for performing processing based on confidential information. When a transmission request asking for transmission of confidential information is generated by the application program being executed, the client device transmits, to the server system, the transmission request and confidential process information indicating that the process in which the transmission request was generated is a confidential process. When the server system receives the transmission request and the confidential process information from the client device, the server system transmits stored confidential information in accordance with the received transmission request.
    Type: Grant
    Filed: October 5, 2009
    Date of Patent: September 25, 2012
    Assignee: NEC Corporation
    Inventor: Jun Gotou
  • Patent number: 8271388
    Abstract: An image commercial transactions system and method, an image transfer system and method, an image distribution system and method, and a display device and method are disclosed. A reception dealer accepts the transfer of an image recorded on a recording medium in a predetermined format with a handling condition intrinsic to the image, and transfers the image with the handling condition, and an advertisement, in digital data format, and a charge accounting dealer effects an electronic charge accounting transaction for the transfer of data of the image with the handling condition and the advertisement. Accordingly, a forwarding request user is helpful in making public the advertisement by having the data of the advertisement along with the data of the image forwarded, instead of the reception dealer, whereby a transfer fee for the data of image can be made lower. Consequently, it is possible to enhance the usability for the transfer significantly.
    Type: Grant
    Filed: August 29, 2006
    Date of Patent: September 18, 2012
    Assignee: Sony Corporation
    Inventors: Hideki Toshikage, Shigeyuki Yoneyama
  • Patent number: 8271804
    Abstract: An information processing device creates a hash value from an event log every time the event occurs. The information processing device generates a digital signature by encrypting the hash value with its own private key. The device transmits the signature-bound event log obtained by binding the digital signature with the event log to a log management apparatus. The log management apparatus decrypts the hash value from the event log of the received signature-bound log information using a device public key. The apparatus also generates a new hash value from the event log, verifies the coincidence of the decrypted hash value and the new hash value, and authenticates signature-bound event logs for which this coincidence has been verified. The apparatus stores signature-bound event logs that have been authenticated. Every time an event occurs, the device transmits an event log bound with a digital signature that is created using its private key.
    Type: Grant
    Filed: September 17, 2008
    Date of Patent: September 18, 2012
    Assignee: Brother Kogyo Kabushiki Kaisha
    Inventor: Yasuhiro Kudo
  • Patent number: 8265509
    Abstract: A multifunctional apparatus control system includes a multifunctional apparatus, an authentication information input device, an I/F converter, and a control server.
    Type: Grant
    Filed: April 9, 2008
    Date of Patent: September 11, 2012
    Assignee: Sharp Kabushiki Kaisha
    Inventor: Makoto Sekiya
  • Patent number: 8266676
    Abstract: A client platform can be verified prior to being granted access to a resource or service on a network by validating individual hardware and software components of the client platform. Digests are generated for the components of the client platform. The digests can be collected into an integrity report. An authenticator entity receives the integrity report and compares the digests with digests stored in either a local signature database, a global signature database in an integrity authority, or both. Alternatively, the digests can be collected and stored on a portable digest-collector dongle. Once digests are either validated or invalidated, an overall integrity/trust score can be generated. The overall integrity/trust score can be used to determine whether the client platform should be granted access to the resource on the network using a policy.
    Type: Grant
    Filed: December 8, 2006
    Date of Patent: September 11, 2012
    Assignee: Harris Corporation
    Inventors: Thomas Parasu Hardjono, David Maurits Bleckmann, William Wyatt Starnes, Bradley Douglas Andersen
  • Patent number: 8266421
    Abstract: Methods and apparatuses for private electronic information exchange are described herein. In one embodiment, when electronic information is received to be delivered to a recipient, the electronic information is transmitted over an electronic network with a private routing address. The private routing address is routable within a private domain, which is a subset of the electronic network. Other methods and apparatuses are also described.
    Type: Grant
    Filed: April 22, 2004
    Date of Patent: September 11, 2012
    Assignee: Privato Security, LLC
    Inventor: George C. Sidman
  • Patent number: 8266680
    Abstract: A client system and a server system use a Hypertext Transfer Protocol (HTTP) authentication mode preference header to negotiate an HTTP authentication mode. The client system sends an HTTP request to the server system. In response to the HTTP request, the server system sends an HTTP response to the client system. The HTTP response includes an HTTP authentication mode preference header. The HTTP authentication mode preference header indicates whether a preferred HTTP authentication mode is connection-based HTTP authentication or request-based HTTP authentication. In subsequent HTTP requests to the server system, the client system uses the HTTP authentication mode indicated by the HTTP authentication mode preference header.
    Type: Grant
    Filed: March 31, 2009
    Date of Patent: September 11, 2012
    Assignee: Microsoft Corporation
    Inventors: Rick James, Jonathan Silvera, Matthew Cox, Paul J. Leach, Anil K. Ruia, Anish V. Desai
  • Patent number: 8261343
    Abstract: A mobile terminal apparatus is provided to process a copyright-protected content based on rights that permit the processing of the content. The mobile terminal apparatus includes a priority information selecting unit selecting a piece of priority information associated with one of many processing conditions for the content to be processed, from among pieces of priority information for determining a priority for each of the rights. The mobile terminal apparatus also includes a right selecting unit determining a priority of each of the rights based on the selected piece of priority information, and selecting a right having a highest priority among the rights, according to the determined priority. The mobile terminal apparatus also includes a content processing unit processing the content based on the selected right.
    Type: Grant
    Filed: April 11, 2008
    Date of Patent: September 4, 2012
    Assignee: Panasonic Corporation
    Inventors: Mami Kuramitsu, Hideki Fujimori, Futoshi Nakabe
  • Patent number: 8261055
    Abstract: A first information processing apparatus encrypts data that it receives from a second information processing apparatus, and transmits the data thus encrypted to an external device. The second information processing apparatus transmits the data to the first information processing apparatus according to a data size that results after a data size being necessary for communication of the encrypted data is subtracted from a specified data size.
    Type: Grant
    Filed: June 27, 2007
    Date of Patent: September 4, 2012
    Assignee: Canon Kabushiki Kaisha
    Inventor: Masahiko Sakai
  • Patent number: 8259940
    Abstract: This invention relates to a method for broadcasting digital data to a targeted set of reception terminals in which said data are previously scrambled by a series of control words transmitted in a conditional access control message. This method comprises the following steps: on transmission, particularise said access control message using a reversible function F for which the inverse function F⁻¹ is executable only in terminals in the targeted set, and on reception, redetermine the original access control message in each terminal in the targeted set using said inverse function.
    Type: Grant
    Filed: May 24, 2005
    Date of Patent: September 4, 2012
    Assignee: Viaccess
    Inventors: Frédéric Beun, Laurence Boudier, Pierre Roque, Bruno Tronel
  • Patent number: 8250665
    Abstract: A method for controlling a digital television (DTV) includes receiving independent space identification information recorded in a storage area of a compact wireless device and a wired equivalent privacy (WEP) key value of an access point (AP) card, receiving the WEP key value corresponding to the AP card of the DTV from a management server, and comparing the WEP key value received from the compact wireless device with the WEP key value received from the management server. If the WEP key values are identical to each other, receiving first checklist information associated with the use of the independent space from the management server, displaying the received first checklist information, and transmitting second checklist information, in which one or more elements of the displayed first checklist information is marked, to the management server.
    Type: Grant
    Filed: October 26, 2009
    Date of Patent: August 21, 2012
    Assignee: LG Electronics Inc.
    Inventors: Sang Rea Woo, Dae Jin Lim, Hak Joo Lee
  • Patent number: 8250659
    Abstract: By arranging a redundancy means and a control means upstream from an encryption means which encrypts and decrypts the data to be stored in an external memory, the integrity of data may be ensured when the generation of redundancy information is realized by the redundancy means, and when the generation of a syndrome bit vector indicating any alteration of the data is implemented by the control means. What is preferred is a control matrix constructed from idempotent, thinly populated, circulant square sub-matrices only. By arranging redundancy and control means upstream from the encryption/decryption means, what is achieved is that both errors in the encrypted data and errors of the non-encrypted data may be proven, provided that they have occurred in the data path between the redundancy/control means and the encryption/decryption means.
    Type: Grant
    Filed: June 19, 2006
    Date of Patent: August 21, 2012
    Assignee: Infineon Technologies AG
    Inventors: Berndt Gammel, Rainer Goettfert
  • Patent number: 8250369
    Abstract: The invention relates to methods and apparatuses for acquiring a physical measurement, and for creating a cryptographic certification of that measurement, such that its value and time can be verified by a party that was not necessarily present at the measurement. The certified measurement may also include corroborative information for associating the actual physical measurement process with the certified measurement. Such corroborative information may reflect the internal or external state of the measurement certification device, as well as witness identifiers of any persons that may have been present at the measurement acquisition and certification. The certification may include a signal receiver to receive timing signals from a satellite or other external source. The external timing signals may be used to generate the time included in the certified measurement, or could be used to determine the location of the measurement certification device for inclusion in the certified measurement.
    Type: Grant
    Filed: June 24, 2009
    Date of Patent: August 21, 2012
    Assignee: Walker Digital, LLC
    Inventors: Jay S. Walker, Bruce Schneier, James A. Jorasch
  • Publication number: 20120210125
    Abstract: An encrypted traffic test system is disclosed which tests whether or not traffic involving packets over a network is encrypted, the encrypted traffic test system including: a test data acquisition portion configured to receive each of the packets on the network so as to acquire test data from the received packet; an encrypted traffic test portion configured to evaluate the test data acquired by the test data acquisition portion for randomness using a random number testing scheme and, if the test data is evaluated to have randomness, to further determine that the traffic involving the packets including the test data is encrypted traffic; and a test result display portion configured to display a test result from the encrypted traffic test portion on a test result display screen.
    Type: Application
    Filed: February 8, 2012
    Publication date: August 16, 2012
    Applicant: HITACHI, LTD.
    Inventors: Tomohiro Shigemoto, Hirofumi Nakakoji, Tetsuro Kito, Hisashi Umeki, Satoshi Takemoto, Tadashi Kaji, Satoshi Kai
  • Patent number: 8245032
    Abstract: An architecture for authenticating packets is provided that includes: an input 322 operable to receive a packet, the packet comprising at least one of a transport, session and presentation header portion and a transport agent 312 operable to compute a first message authentication code based on at least some of the contents of the packet and compare the first message authentication code with a second message authentication code in the at least one of a transport, session, and presentation header portion to authenticate the packet.
    Type: Grant
    Filed: March 27, 2003
    Date of Patent: August 14, 2012
    Assignee: Avaya Inc.
    Inventors: Christopher J. Donley, Robert R. Gilman, Kurt H. Haserodt, John M. Walton
  • Patent number: 8245034
    Abstract: The present invention is intended to allow distribution of personal information to be managed on the basis of not only a personal information management policy defined by a personal information producer but also management policies of all apparatuses which handle personal information when the distribution of personal information is managed between apparatuses. In its configuration, personal information generation apparatus 1 encapsulates personal information together with a transmission policy to generate a personal information capsule which is transmitted to personal information utilization apparatus 2. Personal information utilization apparatus 2 receives and holds the personal information capsule for utilization. In this event, personal information generation apparatus 1 transmits a transmission policy defined by the personal information producer. Personal information utilization apparatus 2 in turn transmits a reception policy defined by a personal information user.
    Type: Grant
    Filed: December 28, 2009
    Date of Patent: August 14, 2012
    Assignee: NEC Corporation
    Inventors: Makoto Hatakeyama, Hidehito Gomi, Shigeru Hosono, Satoru Fujita
  • Patent number: 8239939
    Abstract: An exemplary computer-implementable method (300) transforms information to reduce or eliminate risk of exploitation of a software service and includes receiving information (304) in response to a request, transforming the information (308) to produce transformed information and sending the transformed information (312). An exemplary firewall server (112) includes server software (144, 148) that allows the firewall server (112) to receive information from a resource (104, 108) via a network and to send information to a client computer (114) and a browser protection component (264, 268) for transforming the information to prevent exploitation of a vulnerability of browser software (154) on the client computer (114). Various other exemplary methods, devices, systems, etc., are also disclosed.
    Type: Grant
    Filed: June 27, 2006
    Date of Patent: August 7, 2012
    Assignee: Microsoft Corporation
    Inventors: John Dunagan, Opher Dubrovsky, Saher Esmeir, Charles S Reis, Jiahe Helen Wang
  • Patent number: 8234496
    Abstract: Unique digital signatures of sensitive or restricted image files are calculated and stored in a database. A hook routine hooks an open or read command when an application opens an image file in order to check for a restricted digital signature of that image file. If present, a digital watermark is added to the image before the application edits that image. A user may then modify the image. A hook routine also hooks a close or write command in order to check for a digital watermark. If present, the digital watermark is removed and a new digital signature for the revised image is calculated. The digital signature for the revised image is then uploaded to a database associated with a DLP server software product, and then pushed periodically down to endpoint DLP client products.
    Type: Grant
    Filed: March 6, 2009
    Date of Patent: July 31, 2012
    Assignee: Trend Micro, Inc.
    Inventors: Changer Ding, John Yang
  • Patent number: 8230007
    Abstract: The present invention is related to a technology for grasping the number of a plurality of terminals of a client using a Cookie in a private network in which plural terminals are shared by redirecting a session which is to be connected to a Web by analyzing a TCP/IP packet, detecting the accurate number of a plurality of terminals of a client using an Internet, and making the accurate number as a DB, and selectively permitting or blocking a connection to Internet according to TCP/IP by using the Cookie pool information of a DB type and JOB when the users configuring and using a private network connect to the Internet at the same time.
    Type: Grant
    Filed: October 8, 2008
    Date of Patent: July 24, 2012
    Assignee: Plustech Inc.
    Inventors: Yun-Seok Lee, Jeong-Ah Kim, Kyu-Min Choi, Se-Eun Cheon, Kyoung-Pil Kong
  • Patent number: 8225089
    Abstract: The method includes the steps of receiving at the PEAD first digital data representing the transaction request. The PEAD provides information to the user regarding an ability to approve the transaction request. When the transaction request is approved by the user, the PEAD receives second digital data representing the electronic service authorization token. A remote agent server may provide a bridge between the electronic transaction system and the PEAD. In another embodiment, the private key is stored on the portable device, encrypted. The decryption key is stored outside of the device, at a trusted 3rd party location. When the user attempts to make a signature the software sends a request for the decryption key, along with the user's password or pass phrase keyed in at the keyboard of the PDA, smart phone, or cell phone, to a server belonging to the trusted 3rd party.
    Type: Grant
    Filed: February 23, 2001
    Date of Patent: July 17, 2012
    Assignee: Otomaku Properties Ltd., L.L.C.
    Inventors: Ynjiun P. Wang, Joshua C. Ding, James A. Grizzard
  • Patent number: 8225090
    Abstract: Provided is a method of inserting authentication code into a data packet. The method includes determining whether to insert authentication code into a data packet based on at least one of an importance of the data packet and a type of the data packet, and inserting the authentication code into the data packet based on a result of the determining.
    Type: Grant
    Filed: October 17, 2007
    Date of Patent: July 17, 2012
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Yong-kuk You, Yao Jun, Choong-hoon Lee
  • Patent number: 8218763
    Abstract: A method for electronically storing and retrieving at a later date a true copy of a document stored on a remote storage device comprises: sending a document in electronic format from a document owner's computing device to a store entity for storing the document; generating a digest of the document while the document is at the store entity by applying a hash function to the document; signing the digest electronically with a key while said document is at the store entity; generating a receipt that includes the digest and the key; sending the receipt to the document owner; and verifying, at the document owner's computing device, that the received receipt corresponds to the document sent from the owner's computing device.
    Type: Grant
    Filed: April 22, 2009
    Date of Patent: July 10, 2012
    Assignee: International Business Machines Corporation
    Inventor: John G. Rooney
  • Patent number: 8218769
    Abstract: An encrypted communication system is provided, in which an encryption key for use in encrypted communication and settings information for the encrypted communication are distributed to each of a plurality of communication devices performing encrypted communication within a group, and in which traffic generated by distributing the encryption key and the like can be reduced. In the encrypted communication system according to the present invention, information including a key for use in the intra-group encrypted communication or a seed which generates the key is distributed to the communication devices belonging to the group that are participating (e.g., logged in) in the intra-group encrypted communication.
    Type: Grant
    Filed: February 28, 2007
    Date of Patent: July 10, 2012
    Assignee: Hitachi, Ltd.
    Inventors: Osamu Takata, Tadashi Kaji, Takahiro Fujishiro, Kazuyoshi Hoshino, Keisuke Takeuchi
  • Patent number: 8214646
    Abstract: Systems, devices, and methods for modifying a signed bundle and verifying the modified bundle are disclosed. A signed bundle may be modified by removing a file specified in a server file list from a plurality of files in the bundle. The signed bundle comprises a catalog of files in the signed bundle and their associated hashes. The modified bundle includes the remaining files of the signed bundle that are not specified in the server file list and the catalog file of the signed bundle, the catalog signature of the signed bundle. The modified bundle may be verified by verifying the catalog signature of the modified signed bundle, and checking that the files specified in the catalog are either in the modified signed bundle or specified in the server file list. The hashes of the files in the modified signed bundle may also be checked to verify the modified signed bundle.
    Type: Grant
    Filed: May 6, 2008
    Date of Patent: July 3, 2012
    Assignee: Research In Motion Limited
    Inventors: Alexander Sherkin, Michael Brown
  • Patent number: 8214876
    Abstract: Routing and connectivity in the Internet is largely governed by the dynamics and configuration of the Border Gateway Protocol (BGP). A configuration analysis toolkit enables network operators to discover, analyze and diagnose their BGP configuration, policies and peering relationships. Statistical variance analysis in such a toolkit exploits the recurrence of policies in large networks for analysis. In a large network, policies that have similar functions are examined, e.g. all inbound route maps associated with customer autonomous systems. For n occurrences of similar policy P, it is possible to flag k deviant configurations, and evaluate the probability that the deviant configurations are in error.
    Type: Grant
    Filed: November 30, 2006
    Date of Patent: July 3, 2012
    Assignee: Telcordia Technologies, Inc.
    Inventor: Ravichander Vaidyanathan
  • Patent number: 8205075
    Abstract: Provided is an authentication system capable of identifying a cause of a failure when authentication fails. A data structure of data to be authenticated has a header authentication data area (D2), and an authentication data area (D4) in addition to a header area (D1) and a data area (D3). The header authentication data area (D2) authenticates validity of the header area (D1), and the authentication data area (D4) authenticates the validity of the header authentication header area (D2) and the data area (D3). Since two kinds of authentication are carried out, the cause of the failure in authentication can be identified easily when authentication is failed.
    Type: Grant
    Filed: March 23, 2005
    Date of Patent: June 19, 2012
    Assignee: Sony Computer Entertainment Inc.
    Inventors: Shiho Moriai, Muneki Shimada, Kyoji Shibutani
  • Patent number: 8204216
    Abstract: A method for processing an application packet for transmission includes receiving a plurality of segments of the application packet in a byte stream, the byte stream including a plurality of blocks, creating a plurality of superblocks within the byte stream by grouping a number of the plurality of blocks within the byte stream, and creating first pseudorandom bits for the plurality of superblocks. The method also includes determining a block number and a superblock number for a beginning of each of the plurality of segments, determining a block number and a superblock number for an ending of each of the plurality of segments in the byte stream.
    Type: Grant
    Filed: November 16, 2007
    Date of Patent: June 19, 2012
    Assignee: Alcatel Lucent
    Inventor: Sarvar Patel
  • Patent number: 8200969
    Abstract: An embodiment of the invention provides an apparatus and method for data verification by challenge. The apparatus and method perform acts including: sending a hash value of a data piece in a sender; if the hash value matches a stored hash value in a receiver, then sending a challenge from the receiver to the sender; sending a sample data set from the data piece in the sender, wherein the sample data set is determined by a window that is identified by the challenge; comparing the sample data set with a data set that is overlapped by the window for a stored data piece in the receiver; and performing a response based on the comparison of the sample data set and the stored data set that is overlapped by the window for the stored data piece.
    Type: Grant
    Filed: January 31, 2008
    Date of Patent: June 12, 2012
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventor: Thomas Vachuska
  • Patent number: 8200962
    Abstract: According to one general aspect, a method of managing a web browser extension by an apparatus may include executing, by a processor included by the apparatus, a web browser. The method may include installing on the apparatus, via the web browser, a web browser extension. In one embodiment, the web browser extension may include at least one web page configured to alter the functionality of the web browser, and a substantially unique identifier (UID) based upon a public encryption key. The method may further include launching, via the web browser, the web browser extension based upon the substantially unique identifier.
    Type: Grant
    Filed: September 27, 2011
    Date of Patent: June 12, 2012
    Assignee: Google Inc.
    Inventors: Aaron Boodman, Erik Kay, Rafael Weinstein, Matthew Perry, Antony Sargent
  • Patent number: 8200973
    Abstract: A sink device including a first data processing unit and a second data processing unit authenticates the processing units, when turned on, to generate first authentication keys having the same data. When a data request is issued from the sink device to the source device, device authentication is made between the source device and the first data processing unit to generate second authentication keys having the same data. The source device encrypts an exchange key using the second authentication key, and sends the encrypted exchange key to the first data processing unit. The first data processing unit decrypts the encrypted exchange key using the second authentication key, encrypts the decrypted exchange key using the first authentication key, and sends the encrypted exchange key to the second data processing unit. The second data processing unit decrypts the encrypted exchange key using the first authentication key to obtain an exchange key.
    Type: Grant
    Filed: November 13, 2008
    Date of Patent: June 12, 2012
    Assignee: Alpine Electronics Inc.
    Inventors: Akihiro Kubota, Hideyuki Hatakeyama
  • Patent number: 8200961
    Abstract: A technique for securing a flash memory block in a secure device system involves cryptographic techniques including the generation of a Message Authentication Code (MAC). The MAC may be generated each time a file is saved to one or more data blocks of a flash memory device and stored with the file's metadata and to each of the data blocks. A technique for reading and storing versioned files may be employed when applications utilize versioning.
    Type: Grant
    Filed: February 26, 2007
    Date of Patent: June 12, 2012
    Assignee: iGware, Inc.
    Inventors: Pramila Srinivasan, John Princen, Andy Chan, Paul Mielke, Rob Wheeler
  • Patent number: 8196182
    Abstract: An apparatus and method for managing the distribution and expansion of public keys held by a group or array of systems in white lists. The addition of a new system to the array entails a manual input to authorize the introduction of the new system to one trusted system in the array. After the introduction the new system is trusted by the one member and the white list of the one member is loaded into the white list of the new system. The new system then requests joining each of the other systems in the array. For each system in the array asked by the new system, the systems in the array ask if any other systems in the array already trust the new member. In response, a system of the array that trusts the new system responds by sending its white list (containing the public key of the new system) to the requesting system. Eventually the public key of the new system is in the white lists of all the systems in the array.
    Type: Grant
    Filed: August 21, 2008
    Date of Patent: June 5, 2012
    Assignee: NetApp, Inc.
    Inventors: Robert J. Sussland, Joshua Oran Silberman, Ananthan Subramanian, Lawrence Wen-Hao Chang
  • Patent number: 8196200
    Abstract: A method includes determining whether a transaction request has occurred during a transaction session. Upon a determination that a transaction request has occurred, the method includes parsing critical values from the transaction request and determining whether the critical values are legitimate. If the critical values are found to be suspicious instead of legitimate, the method further includes seeking approval of the transaction request from the user of the host computer system. Upon approval of the transaction request, the transaction request is allowed. Conversely, upon denial of the transaction request, the transaction request is determined to be malicious, and protective action is taken including terminating the transaction request.
    Type: Grant
    Filed: September 28, 2006
    Date of Patent: June 5, 2012
    Assignee: Symantec Corporation
    Inventors: Matthew Yeo, Carey Nachenberg
  • Patent number: 8190881
    Abstract: Web-based authentication includes receiving a packet in a network switch having at least one associative store configured to forward packet traffic to a first one or more processors of the switch that are dedicated to cryptographic processing if a destination port of the packet indicates a secure transport protocol, and to a second one or more processors of the switch that are not dedicated to cryptographic processing if the destination port does not indicate a secure transport protocol. If a source of the packet is an authenticated user, the packet is forwarded via an output port of the switch, based on the associative store. If the source is an unauthenticated user, the packet is forwarded to the first one or more processors if the destination port indicates a secure transport protocol, and to the second one or more processors if the destination port does not indicate a secure transport protocol.
    Type: Grant
    Filed: October 15, 2007
    Date of Patent: May 29, 2012
    Assignee: Foundry Networks LLC
    Inventors: Yan-Zhe Wang, Sean Hou, Sridhar Devarapalli, Louis Yun
  • Patent number: 8191144
    Abstract: A detection-based defense to a wireless network. Elements of the infrastructure, e.g., access points or scanning-only access points, detect intruders by detecting spoofed frames, such as from rogue access points. Access points include a signature, such as a message integrity check, with their management frames in a manner that enables neighboring access points to be able to validate the management frames, and to detect spoofed frames. When a neighboring access point receives a management frame, it obtains a key for the access point sending the frame, and validates the management frame using the key.
    Type: Grant
    Filed: April 27, 2009
    Date of Patent: May 29, 2012
    Assignee: Cisco Technology, Inc.
    Inventors: Nancy Cam Winget, Mark Krishcer, Sheausong Yang, Ajit Sanzgiri, Timothy Olson, Pauline Shuen
  • Patent number: 8191128
    Abstract: To allow a user to access a public data network from a region of service operated by a visited access provider, the visited provider is supplied with an identity of a credit provider. The user is redirected to the credit provider, resulting in establishment of a temporary connection with the credit provider. During this temporary connection, the user supplies original user credentials and, in return, receives substitute user credentials if the original user credentials are valid. The substitute user credentials are supplied to the visited provider, which proceeds to have the user authenticated by the credit provider on the basis of the substitute user credentials. In this way, the visited provider authenticates the user with the credit provider before allowing the user to access the public data network, but a secure exchange of the original user credentials between the user and the credit provider prevents unauthorized access to this information by the visited provider.
    Type: Grant
    Filed: November 26, 2004
    Date of Patent: May 29, 2012
    Assignee: BCE Inc.
    Inventors: Nicolas Nedkov, Spencer Wong, Brian Norman Smith
  • Patent number: 8186026
    Abstract: A technique for maintaining secure network connections is disclosed. In one particular exemplary embodiment, the technique may be realized as a method for maintaining secure network connections. The method may comprise detecting a change of address associated with a first network element. The method may also comprise updating at least one first security configuration at the first network element. The method may further comprise transmitting at least one secure message from the first network element to a second network element, wherein the at least one secure message comprises information associated with the change of address. And the method may comprise updating at least one second security configuration at the second network element based at least in part on the at least one secure message.
    Type: Grant
    Filed: March 3, 2004
    Date of Patent: May 29, 2012
    Assignee: Rockstar Bidco, LP
    Inventors: Jing Xiang, Shreedhar Shirgurkar, Vladimir Senkov, Champak Das
  • Patent number: 8185751
    Abstract: A data storage architecture for networked access by clients includes a file server capable of communication with the clients via the network, physical storage organized as a plurality of logical volumes, and an encryption device in communication with both the file server and the physical storage. The encryption device is operable in response to signaling from the file server, including an indication of a range of blocks of data, to cause encryption of the range of blocks with an encryption key that is unique within the physical storage. The encryption device includes nested tables mapping block ranges to encryption keys. Consequently, undesirable key sharing across files, file systems, and other units can be avoided down to the block level.
    Type: Grant
    Filed: June 27, 2006
    Date of Patent: May 22, 2012
    Assignee: EMC Corporation
    Inventors: Roger F. Osmond, Gil Goren
  • Patent number: 8185930
    Abstract: Methods and systems for adjusting control settings associated with filtering or classifying communications to a computer or a network. The adjustment of the control settings can include adjustment of policy and/or security settings associated with the computer or network. Ranges associated with the control settings can also be provided in some implementations.
    Type: Grant
    Filed: November 6, 2007
    Date of Patent: May 22, 2012
    Assignee: McAfee, Inc.
    Inventors: Dmitri Alperovitch, Paula Greve, Sven Krasser, Tomo Foote-Lennox
  • Patent number: 8185089
    Abstract: A WEP key is generated from predetermined binary data and stored in an access point. The binary data is converted into an SSID using a predetermined conversion algorithm. The access point transmits the SSID in a beacon. A mobile game apparatus receives the SSID and recovers the binary data from the SSID using the predetermined conversion algorithm. Using the same algorithm as used for generating the WEP key, a WEP key is generated from the recovered binary data. Encrypted communication is performed between the access point and the mobile game apparatus using the WEP key.
    Type: Grant
    Filed: June 14, 2006
    Date of Patent: May 22, 2012
    Assignee: Nintendo Co., Ltd.
    Inventors: Mikihiro Ishikawa, Taketoshi Akimaru, Takaki Takayama
  • Publication number: 20120124371
    Abstract: One embodiment of a method of authenticating data comprises: receiving, at a device, data in a plurality of indexed packets transmitted by a data server, the data of the indexed packets being at least a portion of a larger data stream; receiving, at the device, from a data authentication server connected to the device by a network, a server-computed authentication value based on a subset of the data transmitted by the data server, the data authentication server having access to the data that was transmitted from the data server to the device; and comparing a device-computed authentication value based on a subset of the received data, corresponding to the subset of the data transmitted by the data server, with the server-computed authentication value in order to determine whether the subset of the data received at the device is authentic.
    Type: Application
    Filed: November 18, 2011
    Publication date: May 17, 2012
    Applicant: RESEARCH IN MOTION LIMITED
    Inventors: Michael K. Brown, David F. Tapuska, Michael S. Brown
  • Patent number: 8181259
    Abstract: Secure access to a database of upgrade data is provided by storing an encryption key value in an adapter device used to interconnect a first device to be upgraded and a second device that is associated with the database of upgrade data. The second device allows access to the database of upgrade data via the adapter only once the adapter is positively authenticated by the second device through use of the encryption key value stored in the adapter device.
    Type: Grant
    Filed: March 30, 2007
    Date of Patent: May 15, 2012
    Assignee: Universal Electronics Inc.
    Inventors: Gerben Meijer, Jeremy Black, Patrick H. Hayes
  • Patent number: 8181234
    Abstract: The security of an authentication system using a one-time password is increased, a shift from an authentication system using a fixed password is simplified, and a range of use is increased. An authentication system wherein a one-time password is synchronized with time, or an authentication system wherein a one-time password is synchronized with the number of online service authentication requests, is provided. When a one-time password client 9 downloads a one-time password for online service authentication from a one-time password server 2, current time information or a current value of the number of online service authentication requests is made to coincide between the client and server, and an online service authentication request is authenticated as long as the downloaded one-time password for online service authentication is valid. The one-time password may also be synchronized with service usage details contained in the online service authentication request.
    Type: Grant
    Filed: November 28, 2006
    Date of Patent: May 15, 2012
    Assignee: Hitachi Software Engineering Co., Ltd.
    Inventor: Natsuki Ishida
  • Patent number: 8176534
    Abstract: A method and apparatus are provided for enabling a Universal Plug and Play (UPnP) device to be automatically provisioned to access services without the need for manual interaction. In accordance with the invention, when a UPnP device needs to be provisioned, it automatically obtains pre-provisioning information from a provisioning device on the home network, and uses the pre-provisioning information to interact with the provisioning device to cause the UPnP device to be provisioned. The provisioning enables the UPnP device to access services, including digital rights management (DRM) services, over a network.
    Type: Grant
    Filed: December 30, 2005
    Date of Patent: May 8, 2012
    Assignee: General Instrument Corporation
    Inventors: Geetha Mangalore, Petr Peterka