Data Authentication Patents (Class 713/161)
  • Publication number: 20110082799
    Abstract: A system and method for securely transferring sensitive payment data across a system landscape. The system and method may utilize machine-readable media including program code stored therein executable by one or more processors to perform the transferring of payment data. The transferring of data includes generating and encrypting a data container to combine all sensitive payment data.
    Type: Application
    Filed: October 5, 2009
    Publication date: April 7, 2011
    Inventors: Hayo Parduhn, Mark Michaud, Markus Becker, Ingo Braeuninger, Stefan Leonhardt, Jean Berberian, Bernd Lehnert, Bernd Sieren
  • Patent number: 7921453
    Abstract: Embodiments of the present invention provide apparatuses, methods, and systems for authenticated distributed detection and inference. In various embodiments, an apparatus comprises an interface configured to communicatively couple a node hosting the apparatus to a network, and a distributed detection and inference (DDI) agent coupled to the interface and configured to receive, via the interface, DDI collaboration parameters from an authentication node is disclosed. Other embodiments may be described and claimed.
    Type: Grant
    Filed: December 22, 2006
    Date of Patent: April 5, 2011
    Assignee: Intel Corporation
    Inventors: John Mark Agosta, Hormuzd Khosravi
  • Patent number: 7917746
    Abstract: A method of authenticating data transmitted in a digital transmission system, in which the method comprises the steps, prior to transmission, of determining at least two encrypted values for at least some of the data, each encrypted value being determined using a key of a respective encryption algorithm, and outputting said at least two encrypted values with said data.
    Type: Grant
    Filed: July 19, 2006
    Date of Patent: March 29, 2011
    Assignee: THOMSON Licensing S.A.
    Inventors: Jean-Bernard G. M. Beuque, Philippe Poulain
  • Patent number: 7917747
    Abstract: A cryptographic communication system and method having a first plurality of stations, each of the first plurality of stations having at least one encryption key Kj, where j is a number greater than 2, a data packet D to be viewed by each of the first plurality of stations, means for encrypting the data packet by each of the first plurality of stations to form an encrypted data packet Ej for transmission to a central processor, and means for combining each of the encrypted data packets, wherein the means for encrypting is applied in parallel to allow each of the first plurality of stations to view the contents of the data packet D prior to encrypting the data packet D.
    Type: Grant
    Filed: March 22, 2007
    Date of Patent: March 29, 2011
    Assignee: IGT
    Inventor: Bryan Wolf
  • Patent number: 7913292
    Abstract: A unique system and method that facilitates visually identifying authentic UI objects, bundles, or windows is provided. A detection component can detect when user-based input has activated a verification mode with respect to one or more trusted UI objects rendered on-screen. A verification component can verify at least one of a source and identity associated with one or more UI objects in order to ensure the integrity related therewith. A verification rendering engine can re-render the one or more trusted UI objects in a manner that is based at least upon whether the one or more trusted UI objects are verified, thus improving visual recognition of verified trusted UI objects over non-verified UI objects.
    Type: Grant
    Filed: October 18, 2006
    Date of Patent: March 22, 2011
    Assignee: Microsoft Corporation
    Inventors: Gregory D. Hartrell, David J. Steeves
  • Patent number: 7913094
    Abstract: In an information reproducing apparatus having an open architecture, a secure module stores first information, and has a structure which does not allow access to the first information from outside, and a memory has a structure which can be accessed from outside. A decryption unit loaded in the memory decrypts an encryption applied to the first information by using a predetermined key. A key supply unit implemented in the secure module supplies the predetermined key to the decryption unit. An authentication unit implemented in the secure module supplies second information to the decryption unit, refers to third information returned in response to the second information, and checks for authenticity of the decryption unit. A key-supply stop unit implemented in the secure module stops supply of the predetermined key by the key supply unit when the authentication unit does not authenticate the decryption unit.
    Type: Grant
    Filed: November 27, 2002
    Date of Patent: March 22, 2011
    Assignee: Fujitsu Limited
    Inventors: Kiyoshi Kohiyama, Takayuki Hasebe
  • Patent number: 7913091
    Abstract: Upon receiving server side entity information and a principal confirmation profile request data from a server side entity device, a consolidation apparatus transmits an entity information transmission request to each of a plurality of client side entity devices and receives client side entity information from each of the client side entity devices. Then, it determines the principal confirmation profile ID in each piece of client side entity information and the principal confirmation profile ID in the server side entity information according to the principal confirmation profile ID request information having the highest priority in the principal confirmation profile request data and prepares a routing table information associating the processing capability IDs and the entity IDs corresponding to the determined principal confirmation profile ID, which routing table information is then stored in a memory.
    Type: Grant
    Filed: May 29, 2007
    Date of Patent: March 22, 2011
    Assignees: Kabushiki Kaisha Toshiba, Toshiba Solutions Corporation
    Inventors: Minoru Nishizawa, Hidehisa Takamizawa, Yoshihiro Fujii, Koji Okada
  • Patent number: 7907948
    Abstract: A method, a correspondent node and a mobile node provide anonymity and unlinkability to a mobile node in a session with a correspondent node. Sequence values, calculated based on secret data, are added to updates sent from the mobile node towards the correspondent node and are used by the correspondent node to authenticate updates from the mobile node. A home address of the mobile node is not explicitly disclosed. An expected care-of address is calculated at the correspondent node and used by the correspondent node to send data packets to the mobile node.
    Type: Grant
    Filed: April 4, 2006
    Date of Patent: March 15, 2011
    Assignee: Telefonaktiebolaget L M Ericsson (Publ)
    Inventors: Wassim Haddad, Suresh Krishnan
  • Patent number: 7908642
    Abstract: A method for obtaining resource restriction information of a client application's resource includes: receiving authentication information from one of a plurality of authentication modules; identifying a client application's resource and authentication module based on the received authentication information; locating a policy store that is associated with the identified client application's resource, the policy store containing resource restriction information for each of the plurality of authentication modules; and obtaining the resource restriction information associated with the identified authentication module from the policy store.
    Type: Grant
    Filed: April 18, 2007
    Date of Patent: March 15, 2011
    Assignee: Canon Kabushiki Kaisha
    Inventors: Ramon Rubio, Allison Kowell B. Bajo, Yeongtau Louis Tsao
  • Patent number: 7904716
    Abstract: A digital MFP carries out an authentication of an operator by a user ID and a password prior to usage of the digital MFP. The digital MFP requests from the operator an instruction as to whether or not to store the successfully authenticated user ID and password in a flash memory along with a generated abbreviated code. When the operator instructs to store, the successfully authenticated user ID and the password are stored in the flash memory along with the generated abbreviated code. The digital MFP retrieves from the flash memory the user ID and the password that form a pair with the abbreviated code entered by the operator using the operation unit, and acquires authentication success or failure information with respect to the retrieved user ID and the password from an authentication server.
    Type: Grant
    Filed: August 16, 2006
    Date of Patent: March 8, 2011
    Assignee: Murata Kikai Kabushiki Kaisha
    Inventor: Kenji Dokuni
  • Patent number: 7904531
    Abstract: The invention provides a method for flexibly, safely, robustly, and efficiently serving user interface pages composed of foreign content supplied by a third-party as well as local content supplied by the first party by allowing the cobrander to serve cobranded page templates. The cobrandee server retrieves the cobranded page templates from cobrander server and inserts the cobrandee contents into the cobranded page templates to generate cobranded Web content pages.
    Type: Grant
    Filed: October 10, 2008
    Date of Patent: March 8, 2011
    Assignee: AOL Inc.
    Inventor: Christopher Newell Toomey
  • Patent number: 7900249
    Abstract: A system, method and apparatus for securing communications between a trusted network and an untrusted network are disclosed. A perimeter client is deployed within the trusted network and communicates over a session multiplexing enabled protocol with a perimeter server deployed within a demilitarized zone network. The perimeter client presents requests to make available and communication initiation requests to the perimeter server which presents corresponding sockets to the untrusted network. The session multiplexing capabilities of the protocol used between the perimeter server and perimeter client permit a single communication session therebetween to support a plurality of communication sessions between the perimeter server and untrusted network. In the event data flows across the communication sessions are encrypted, decryption of the data flows is left to the components at the end points of the communication session, thereby restricting exposure of privileged information to areas within trusted networks.
    Type: Grant
    Filed: October 23, 2008
    Date of Patent: March 1, 2011
    Assignee: Sterling Commerce, Inc.
    Inventors: Bill Burcham, Sanjay Cherian, Darron Shaffer
  • Publication number: 20110047375
    Abstract: The invention relates to a P2P communication method for multi-subscriber networks, which is protected from deception, eavesdropping and hacking, and wherein the communication carried out in an interval is predominantly carried out in separate rooms, allocated to the P2P communication, and with separate reference data allocated to the P2P communication. At least part of the separate random reference data and/or random data is generated in at least one unit that participates in the P2P communication and is exchanged within the P2P communication in the form of relative data. The separate P2P communication is initiated with respect to at least one global random reference date valid for the time of the P2P communication, the random reference date being valid for a randomly determined time range and being stored in all units that carry out the P2P communications in a secret and non-deceivable manner.
    Type: Application
    Filed: November 17, 2008
    Publication date: February 24, 2011
    Applicant: FACHHOCHSCHULE SCHMALKALDEN
    Inventors: Werner Rozek, Thomas Rozek, Jan Rozek
  • Publication number: 20110040967
    Abstract: A system and method for secure transport of data, the method comprising: sharing of key information with a key distributor, wherein the key information is for enabling decryption of first and second encrypted data, the key distributor being for making one or more decryption keys available to an authorised user; creating a container object, the container object comprising: first encrypted data having a first encryption based on at least a part of said key information; second encrypted data having a second encryption based on at least a part of said key information, wherein the first encryption is different to the second encryption; and metadata relating to the first encrypted data and the second encrypted data; and sending the container object to a data store or otherwise making the container object available, to allow user access to said data container object.
    Type: Application
    Filed: February 5, 2010
    Publication date: February 17, 2011
    Applicant: THALES HOLDINGS UK PLC
    Inventors: Adrian Waller, Glyn Jones
  • Publication number: 20110040966
    Abstract: The invention relates to a method for transmitting user data, particularly user data realizing real-time applications, between at least one first communication device and at least one second communication device, the user data being transmitted as data packets during a communication connection, wherein during the communication connection at least from the first communication device at least one packet enabling an authentication of the first communication device is embedded in at least one of the data packets transmitting the user data and directed at the second communication device. The invention furthermore relates to an arrangement for carrying out the method.
    Type: Application
    Filed: September 6, 2007
    Publication date: February 17, 2011
    Applicant: SIEMENS ENTERPRISE COMMUNICATIONS GMBH & CO. KG
    Inventors: Bruno Bozionek, Kari Klaghofer, Holger Prange, Werner Schneider, Michael Tietsch
  • Patent number: 7890759
    Abstract: A connection assistance apparatus avoids unauthorized access and DoS attacks, prevents a performance degradation from occurring, and does not need to recognize different connections to gateway apparatus. An authenticating unit authenticates the validity of a terminal by checking if the terminal is a valid terminal capable of communicating with a gateway apparatus according to IPSec in response to a request from a user who owns the terminal. If it is judged that the terminal is a valid terminal, then a preshared key generating unit generates a preshared key for the terminal and the gateway apparatus, and a firewall opening instruction information generating unit generates firewall opening instruction information to open a firewall of the gateway apparatus. A transmitting unit sends the preshared key to the terminal and the gateway apparatus and sends the firewall opening instruction information to the gateway apparatus.
    Type: Grant
    Filed: February 22, 2006
    Date of Patent: February 15, 2011
    Assignee: Fujitsu Limited
    Inventors: Haruyuki Takeyoshi, Naoki Matsuoka
  • Patent number: 7889366
    Abstract: A printer as an image forming device establishes the same password for multiple confidential printing jobs received within a specified time period from the same user and sends them back to the source of the transmission. The printer approves the execution of the particular confidential printing job when the entered password matches with the password established for the confidential printing job.
    Type: Grant
    Filed: February 2, 2005
    Date of Patent: February 15, 2011
    Assignee: Konica Minolta Business Technologies, Inc.
    Inventor: Junichi Nishiyama
  • Patent number: 7891004
    Abstract: Vehicle internetworks provide for communications among diverse electronic devices within a vehicle, and for communications among these devices and networks external to the vehicle. The vehicle internetwork comprises specific devices, software, and protocols, and provides for security for essential vehicle functions and data communications, ease of integration of new devices and services to the vehicle internetwork, and ease of addition of services linking the vehicle to external networks such as the Internet.
    Type: Grant
    Filed: October 4, 2000
    Date of Patent: February 15, 2011
    Inventors: David C. Gelvin, Lewis D. Girod, William J. Kaiser, Fredric Newberg, Gregory J. Pottie
  • Patent number: 7886162
    Abstract: A method, computer program product, and data processing system for executing larger-than-physical-memory applications while protecting sensitive program code (and also data) from unauthorized access in a memory space not subject to protection fault or page fault detection are disclosed. Large applications are accommodated by providing a mechanism for secure program overlays, in which a single large application is broken into two or more smaller applications (overlays) that can be executed from the same memory space by overwriting one of the smaller applications with another of the smaller applications when the latter needs to be executed. So that the data may be shared among these smaller applications, each of the applications contains embedded cryptographic keys, which may be used to encrypt or decrypt information to be stored persistently while control is transferred from one application to the other.
    Type: Grant
    Filed: May 29, 2007
    Date of Patent: February 8, 2011
    Assignee: International Business Machines Corporation
    Inventors: Masana Murase, Wilfred E. Plouffe, Jr., Kanna Shimizu, Masaharu Sakamoto, Vladimir Zbarsky
  • Patent number: 7886149
    Abstract: Techniques for assigning a network address to a host are based on authentication for a physical connection between the host and an intermediate device. One approach involves receiving first data at the intermediate device from an authentication and authorization server in response to a request for authentication for the physical connection. The first data indicates at least some of authentication and authorization information. A configuration request message from the host is also received at the intermediate device. The configuration request message is for discovering a logical network address for the host. A second message is generated based on the configuration request message and the first data. The second message is sent to a configuration server that provides the logical network address for the host. The configuration server is then able to provide the logical network address based on authorization and authentication information.
    Type: Grant
    Filed: January 30, 2009
    Date of Patent: February 8, 2011
    Assignee: Cisco Technology, Inc.
    Inventors: John M. Schnizlein, Ralph Droms
  • Patent number: 7882351
    Abstract: Systems and methods are disclosed for enabling a recipient of a cryptographically-signed electronic communication to verify the authenticity of the communication on-the-fly using a signed chain of check values, the chain being constructed from the original content of the communication, and each check value in the chain being at least partially dependent on the signed root of the chain and a portion of the communication. Fault tolerance can be provided by including error-check values in the communication that enable a decoding device to maintain the chain's security in the face of communication errors. In one embodiment, systems and methods are provided for enabling secure quasi-random access to a content file by constructing a hierarchy of hash values from the file, the hierarchy deriving its security in a manner similar to that used by the above-described chain.
    Type: Grant
    Filed: February 27, 2008
    Date of Patent: February 1, 2011
    Assignee: Intertrust Technologies Corp.
    Inventor: Xavier Serret-Avila
  • Patent number: 7877793
    Abstract: A method and apparatus for digital content access control comprises receiving an authenticated digital content request based at least in part on a digital content request comprising a request for digital content, validating the authenticated digital content request and providing the digital content if the authenticated digital content request is valid. The validating comprises indicating the authenticated digital content request is valid if the authenticated digital content request is validly associated with the digital content and if the authenticated digital content request authenticates the digital content request, and indicating the authenticated digital content request is invalid if the authenticated digital content request is not validly associated with the digital content.
    Type: Grant
    Filed: March 12, 2007
    Date of Patent: January 25, 2011
    Assignee: Oracle America, Inc.
    Inventors: Eduard de Jong, Aaron Cooley, Jon Bostrom
  • Patent number: 7874005
    Abstract: The present invention relates to a method and a system by which non-law enforcement operator(s) can conduct checks (requests, queries or searches) against CJIS (Criminal Justice Information System), NCIC (National Criminal Information Center) and other law enforcement only secure databases and comply with the rules and regulations for disseminating such data. In doing so, the invention provides for a system and process by which the checks (request, queries or searches) of individuals and/or articles are made against the CJIS/NCIC and/or other “law enforcement only” restricted databases, such that the indicia relating to persons and/or articles is compared with said databases. The resulting information regarding matches (and, in certain embodiments, non-matching results) flows to law enforcement officials so that they may use any results deemed relevant for response thereto.
    Type: Grant
    Filed: April 11, 2006
    Date of Patent: January 18, 2011
    Assignee: Gold Type Business Machines
    Inventor: Richard Picolli
  • Patent number: 7868899
    Abstract: A texturing system for use in a three-dimensional graphics system has an input for receiving object data for an object to be textured. Encrypted texture data is obtained from a store and decrypted in a decryption unit. The decrypted texture data generates texture image data for a frame buffer from which the texture image data can be outputted for display. A method for producing a software application for using in a three-dimensional graphics system which creates instructions for a software application and static texture data for using in conjunction with the instructions is also provided. The static texture data is encrypted and provided as encrypted texture data with the software instructions.
    Type: Grant
    Filed: December 22, 2006
    Date of Patent: January 11, 2011
    Assignee: Imagination Technologies Limited
    Inventors: Simon Fenney, Martin Ashton
  • Patent number: 7865722
    Abstract: A method of identifying an object having identification information, said identification information being used to verify the object's identity, said method comprising: determining at least one characteristic of a magnetic field of at least a portion of a tag, thereby obtaining a first specific magnetic signal, wherein the tag comprises a substantially non-magnetic host material having pores, wherein at least some of the pores contain a magnetic material, and storing signal information relating to said first specific magnetic signal, said stored signal information forming the identification information of the object.
    Type: Grant
    Filed: July 22, 2003
    Date of Patent: January 4, 2011
    Assignee: Agency for Science, Technology and Research
    Inventors: Peter Malcolm Moran, Adrian Paul Burden
  • Patent number: 7861312
    Abstract: A portable media player receives encrypted audio files and an encrypted content key from a central license server on the Internet. The media player supports digital rights management (DRM) by storing the encrypted audio file in its flash memory and disabling copying or playing of the audio file after a copy limit has been reached. The copy limit is a rule that is combined with the content key in a transfer key that can be encrypted together by the license server. The license server can detect cloning of the media player by reading a unique player ID from the player and detecting when too many accounts use the same unique player ID. The content key can be generated from polar coordinates of the unique player ID, player manufacturer, and song genre. A fingerprint sensor on the player can scan and compare the user's fingerprints to further detect cloning.
    Type: Grant
    Filed: January 29, 2007
    Date of Patent: December 28, 2010
    Assignee: Super Talent Electronics, Inc.
    Inventors: Charles C. Lee, I-Kang Yu, Abraham C. Ma, Ming-Shiang Shen
  • Patent number: 7861077
    Abstract: A secure user authentication system, operable over a client-server communications network to authenticate a system user. The system includes an application server which includes a site which is able to be enabled, and an authentication server, which is able to enable the application server site. The authentication server includes a core database, and receives and stores user authentication-enabling data in the core database. The system further includes a client, and a client program which is able to be actuated in the client. The client program includes the user authentication-enabling data. Upon actuation, the client program automatically directly connects to the authentication server, and sends the client authentication-enabling data to the authentication server, for secure user authentication by the authentication server.
    Type: Grant
    Filed: October 6, 2006
    Date of Patent: December 28, 2010
    Assignee: Multiple Shift Key, Inc.
    Inventor: Raymond J. Gallagher, III
  • Patent number: 7856557
    Abstract: A method of authentication of data to be sent in a digital transmission system, the data being organized in a series of at least three files, involving generating a first authentication value for at least one first file, storing said first authentication value in a second file, generating a second authentication value for said second file, storing said second authentication value in a third file, and transmitting said first, second, and third files to a receiver.
    Type: Grant
    Filed: January 26, 2007
    Date of Patent: December 21, 2010
    Assignee: THOMSON Licensing S.A.
    Inventor: Jean-Bernard G. M. Beuque
  • Patent number: 7853796
    Abstract: Computer software or integrated circuit for performing a secure hashing method including one or more of the following: representing an initial sequence of bits as a specially constructed set of polynomials; transformation of this set by masking; partitioning the transformed set of polynomials into a plurality of classes; forming the bit string during the (separated) partitioning; for each of the plurality of classes, factoring each of the polynomials and so as to define a set of irreducible polynomials and collecting these factors in registers defined for each of the plurality of classes; wrapping the values of the registers from the plurality of classes by means of an enumeration; organizing the enumerations and the bit strings into a knapsack; and performing an exponentiation in a group to obtain the hash value or the MAC value.
    Type: Grant
    Filed: May 9, 2007
    Date of Patent: December 14, 2010
    Inventors: Nikolajs Volkovs, Vijaya Kumar Murty
  • Patent number: 7836310
    Abstract: An improved system and approaches for protecting passwords are disclosed. A file security system for an organization operates to protect the files of the organization and thus prevents or limits users from accessing some or all of the files (e.g., documents) associated with the organization. According to one aspect, a password entered by a user is used, provided it is authenticated, to obtain a respective authentication string (a relatively longer string of numbers or characters). The retrieved authentication string is then used to enable the user to enter the file security system and/or to access secured files therein. According to another aspect, user passwords are not stored in the file security system to avoid security breaches due to unauthorized capture of user passwords.
    Type: Grant
    Filed: November 1, 2002
    Date of Patent: November 16, 2010
    Inventor: Yevgeniy Gutnik
  • Patent number: 7831822
    Abstract: A real-time stateful packet inspection method and apparatus is provided, which uses a session table processing method that can efficiently generate state information. In the apparatus, a session table stores session data of a packet received from an external network. A hash key generator hashes a parameter extracted from the received packet and generates a hash pointer of the session table corresponding to the packet. A session detection module searches the session table for a session corresponding to the received packet. A session management module performs management of the session table such as addition, deletion, and change of sessions of the session table. A packet inspection module generates state information corresponding to the received packet from both directionality information of the packet and entry header information of the packet stored in the session table and then inspects the packet based on the generated state information.
    Type: Grant
    Filed: December 4, 2006
    Date of Patent: November 9, 2010
    Assignee: Electronics and Telecommunications Research Institute
    Inventors: Seung Yong Yoon, Jin Tae Oh, Jong Soo Jang
  • Publication number: 20100281251
    Abstract: An apparatus for establishing a virtual private network with an internet protocol multimedia subsystem (IMS) device that includes a key derivation module, a tunneling protocol module, a tunnel management module, and a security policies module. The apparatus includes a non-volatile memory configured to store a first routing table that maps host addresses and IMS addresses of security devices allowing access to those hosts, such that when an application running in the IMS device requests communication to a host address, the apparatus initiates a session with the IMS address to which the host address is mapped. The session is initiated by a message that includes a body that contains, for each tunneling protocol supported by the tunneling protocol module, data about the local tunnel endpoint (e.g.
    Type: Application
    Filed: June 12, 2008
    Publication date: November 4, 2010
    Applicant: TELEFONAKTIEBOLAGET L M ERICSSON (PUBL)
    Inventor: Jesus Javier Arauz Rosado
  • Patent number: 7826614
    Abstract: A network interface system is presented for interfacing a host system with a network, including a bus interface system, a media access control system, a memory system, a security system, and a descriptor management system, wherein the descriptor management system obtains initialization vector information from the host system and provides the initialization vector information to the security system. A method of encrypting outgoing data in a network interface system is provided, comprising providing initialization vector information from a descriptor to a security system in a network interface system, selectively encrypting or authenticating outgoing data using the security system, and selectively employing an initialization vector from the outgoing data to perform CBC encryption of the outgoing data according to the initialization vector information.
    Type: Grant
    Filed: April 2, 2004
    Date of Patent: November 2, 2010
    Assignee: GlobalFoundries Inc.
    Inventors: Marufa Kaniz, Jeffrey Dwork
  • Patent number: 7827417
    Abstract: A storage device includes a storage unit that stores key information. The storage device also includes an input/output unit that inputs a converted command. Further, the storage device includes an extractor that extracts attached information from the converted command inputted, reads out, from an address according to the attached information, the key information from the storage unit, and performs an inverse data conversion corresponding to a data conversion on the converted command, using the key information, to extract command information and address information. In addition, the storage device includes an output controller that, only when the command information is equivalent to predetermined information, reads out and outputs storage data from an address of the storage unit through the input/output unit, the address of the storage data indicated by the address information extracted by the extractor.
    Type: Grant
    Filed: October 28, 2005
    Date of Patent: November 2, 2010
    Inventor: Ikuo Yamaguchi
  • Patent number: 7827398
    Abstract: A method for offloading encryption and decryption of a message received at a message server to one or more end devices that are remote from the message server. An encrypting end device remote from the message server encrypts a message using cryptographic context and transmits the cryptographic context and encrypted message to the message server for storage at the message server. The message server stores the encrypted message as received without decrypting the message. The message server sends the stored cryptographic context and the encrypted message to a decrypting end device in response to the decrypting end device sending a request for the message server to transmit the encrypted message to the decrypting end device. The decrypting end device uses the cryptographic context to decrypt the encrypted message and then presents the decrypted message to a user of the decrypting end device.
    Type: Grant
    Filed: October 27, 2005
    Date of Patent: November 2, 2010
    Assignee: Hewlett-Packard Company
    Inventors: Xiufen Liu, John Poplett, Arun Singh
  • Patent number: 7826611
    Abstract: A system and method for exchanging a transformed message with enhanced privacy is presented. A set of input messages is defined. A set of output messages is defined. A message is selected from the input messages set. One or more words in the selected message are efficiently transformed directly into a transformed message different from the selected message, wherein the transformed message belongs to the set of output messages, at least one component of the selected message is recoverable from the transformed message, and the cost of determining whether the transformed message belongs to the input messages set or the output messages set exceeds a defined threshold.
    Type: Grant
    Filed: October 17, 2005
    Date of Patent: November 2, 2010
    Assignee: Palo Alto Research Center Incorporated
    Inventors: Ayman Omar Farahat, Philippe Jean-Paul Golle, Aleksandra Korolova
  • Patent number: 7822407
    Abstract: The present invention discloses a method for a network to choose an authentication mode, wherein the key lies in that, according to the received authentication information in the authentication vector request message from S-CSCF as well as according to type of the requesting subscriber, HSS returns authentication information of the Early-IMS-based authentication vector to S-CSCF, or returns authentication information of the Full-IMS-based authentication mode to S-CSCF, or directly returns failure information to S-CSCF. If it is under the former two situations, the subscriber will be authenticated by adopting the corresponding authentication mode, and then S-CSCF will return access-allowed or access-rejected information to the subscriber according to authentication result. If it is in the latter situation, S-CSCF will directly send access-rejected information to the subscriber.
    Type: Grant
    Filed: June 23, 2006
    Date of Patent: October 26, 2010
    Assignee: Huawei Technologies Co., Ltd.
    Inventors: Yingxin Huang, Yajuan Wu, Wenlin Zhang
  • Patent number: 7823207
    Abstract: Privacy Preserving Data-Mining Protocol, between a secure “aggregator” and “sources” having respective access to privacy-sensitive micro-data, the protocol including: the “aggregator” accepting a user query and transmitting a parameter list for that query to the “sources” (often including privacy-problematic identifiable specifics to be analyzed); the “sources” then forming files of privacy-sensitive data-items according to the parameter list and privacy filtering out details particular to less than a predetermined quantity of micro-data-specific data-items; and the “aggregator” merging the privacy-filtered files into a data-warehouse to formulate a privacy-safe response to the user—even though the user may have included privacy-problematic identifiable specifics.
    Type: Grant
    Filed: April 1, 2005
    Date of Patent: October 26, 2010
    Assignee: Crossix Solutions Inc.
    Inventor: Asaf Evenhaim
  • Publication number: 20100268945
    Abstract: A secure communication module is provided for securing communication between a client application and a network service. The secure communication module comprises an authentication identifier provider for providing the client application a pool of authentication identifiers for use in subsequent communication with the network service, and an authentication identifier validator for checking the validity of an authentication identifier from the pool of authentication identifiers sent with the subsequent communication.
    Type: Application
    Filed: June 28, 2010
    Publication date: October 21, 2010
    Inventors: Stephen Mereu, Matt Schnarr, Joseph Chin
  • Patent number: 7818783
    Abstract: The global access control system and method presents a solution to synchronizing the physical access devices that federal agencies must try to meet Federal Information Processing Standards (FIPS) 201 requirements. The method encompasses wire and wireless technology, IP Security (IPSec), the assignment of IPv6 addresses to every device, integrating with logical access control systems, and providing a homogeneous audit and control format. As part of FIPS 201, Government identification badges (Personal Identity Verification (PIV) cards) will include an IPv6 address that uniquely identifies every card holder. By assigning an IPv6 address to every access device and using the card holder's IPv6 address, every access device can be used for global access control. Moreover, common and interoperable audit records throughout an entire enterprise (logical and physical) are possible.
    Type: Grant
    Filed: March 8, 2006
    Date of Patent: October 19, 2010
    Inventor: Russell J. Davis
  • Patent number: 7814321
    Abstract: To unlock a HDD when a computer is in the suspend state, at both BIOS and the HDD a secret is combined with a password to render a new one-time password. BIOS sends its new one-time password to the HDD which unlocks itself only if a match is found. The new one-time password is then saved as an “old” password for subsequent combination with the secret when coming out of subsequent suspend states. In this way, if a computer is stolen the thief cannot sniff the bus between BIOS and the HDD to obtain a password that is of any use once the computer ever re-enters the suspend state.
    Type: Grant
    Filed: April 19, 2007
    Date of Patent: October 12, 2010
    Assignee: Lenovo (Singapore) Pte. Ltd.
    Inventors: David Carroll Challener, Howard Jeffrey Locker, Randall Scott Springfield
  • Patent number: 7810091
    Abstract: The installation of a computer program, such as a malware scanner, may be checked to determine whether or not it has been tampered with using an installation checking computer program to gather characteristics of the installation of the target computer program after the installation checking computer program has first been validated by a separate further computer. The installation characteristics may include operating system registry entries, installed files list, file sizes and file checksums.
    Type: Grant
    Filed: April 4, 2002
    Date of Patent: October 5, 2010
    Assignee: McAfee, Inc.
    Inventors: Paul Nicholas Gartside, Mark Harris
  • Patent number: 7805709
    Abstract: A system and a method for bypassing execution of an algorithm are provided. The method includes associating a first algorithm of a first computer with a second algorithm of a second computer, utilizing the first computer, wherein execution of the second algorithm by the second computer is to be bypassed. The method further includes determining when the second computer has a predetermined state. The method further includes stopping execution of the second algorithm on the second computer when the second computer has the predetermined state. The method further includes initiating execution of the first algorithm on the first computer when the second computer has the predetermined state.
    Type: Grant
    Filed: May 26, 2006
    Date of Patent: September 28, 2010
    Assignee: Delphi Technologies, Inc.
    Inventors: Bernard M. McFarland, Larry D. Burkholder, William James Allen, Richard J. Skertic
  • Patent number: 7800499
    Abstract: In various embodiments, a method for signing tags associated with objects includes receiving a first identifier associated with a tag. A first signature is generated for the tag based on the identifier and a public key. The first identifier and the first signature are then stored in the tag.
    Type: Grant
    Filed: June 5, 2007
    Date of Patent: September 21, 2010
    Assignee: Oracle International Corporation
    Inventor: Samuelson Rehman
  • Patent number: 7792791
    Abstract: Systems and/or methods for establishing and maintaining authenticity of a plurality of records and/or documentary materials to be persisted in an electronic archives system are provided. Each record and/or documentary material may be safeguarded throughout its entire lifecycle by monitoring and recording both intended changes to each said record and/or documentary material and its corresponding status, as well as unintended changes to each said record and/or documentary material. Context and structure associated with each said record and/or documentary material may be extracted and preserved. Substantially uninterrupted proof-of-custody including at least a source may be established and preserved for each said record and/or documentary material throughout its entire lifecycle. Essential characteristics of each said record and/or documentary material may be captured and preserved throughout its lifecycle in dependence on one or more changeable definitions of essential characteristic.
    Type: Grant
    Filed: May 2, 2007
    Date of Patent: September 7, 2010
    Assignees: Lockheed Martin Corporation, Hunter Information Management Services, Inc., Fenestra Technologies Corporation, Tessella Inc., Electronic Data Systems Corporation
    Inventors: Richard Smolen, Fred Y. Robinson, Gregory S. Hunter, Roy S. Rogers, IV, Matthew J. McKennirey, Mark J. Evans, Ken Bedford
  • Patent number: 7788483
    Abstract: A method is disclosed for a certifying authority (CA) to establish a secure status and authenticity in an integrated circuit (IC). Cryptographic logic and certification logic are incorporated in the IC by an IC manufacturer. The cryptographic logic is operable to generate a cryptographic key intended to be communicated external to the IC. The certification logic includes a certification key intended for use in establishing a secure certification arrangement. The certification key is communicated securely to the CA and a secure certification arrangement is established between the CA and the IC using the certification key. During the secure certification arrangement, the cryptographic key is accessed by the CA to certify the cryptographic key associated with the IC and in response thereto the certification key is deleted and the secured certification arrangement is terminated.
    Type: Grant
    Filed: May 9, 2005
    Date of Patent: August 31, 2010
    Assignee: Winbond Electronics Corporation
    Inventors: Ohad Falik, Dan Morav
  • Patent number: 7783883
    Abstract: A system and method authenticates an e-mail message containing a code that may be sent as part of an advertising campaign. The code is a hashed hash result of a combination of the e-mail address to which the message was sent and a pass phrase for the campaign, along with an identifier of the campaign. To authenticate the message, the user supplies the user's e-mail address and the code and the system and method parses the code to identify the campaign identifier and hashed hash result, looks up the pass phrase using the campaign identifier, hashes the campaign identifier and e-mail address and hashes that hash result. If the hashed hash results match, the system and method indicates the message is authentic and otherwise, indicates the message is not authentic.
    Type: Grant
    Filed: June 24, 2005
    Date of Patent: August 24, 2010
    Assignee: EMC Corporation
    Inventors: Louis A Gasparini, William H Harris
  • Patent number: 7783040
    Abstract: The present invention provides an architecture and method for a gaming-specific platform that features secure storage and verification of game code and other data, provides the ability to securely exchange data with a computerized wagering gaming system, and does so in a manner that is straightforward and easy to manage. Some embodiments of the invention provide the ability to identify game program code as certified or approved, such as by the Nevada Gaming Regulations Commission or other regulatory agency. The invention provides these and other functions by use of encryption, including digital signatures and hash functions as well as other encryption methods.
    Type: Grant
    Filed: September 20, 2006
    Date of Patent: August 24, 2010
    Assignee: IGT
    Inventors: Mark D. Jackson, Michael G. Martinek
  • Patent number: 7779476
    Abstract: A wireless network security system including a system data store capable of storing network default and configuration data, a wireless transmitter and a system processor. The system processor performs a network security method. An active defense request signal is received, typically from an intrusion detection system. The received request signal includes an indicator of an access point within the wireless computer network that is potentially compromised. In response to the received request signal, an active defense of the wireless network is triggered. The triggered active defense may be one or more of transmitting a jamming signal, transmitting a signal to introduce CRC errors, transmitting a signal to increase the difficulty associated with breaking the network encryption (typically by including in the signal packets appearing legitimate but containing randomized payloads), or transmitting a channel change request to the potentially compromised access point.
    Type: Grant
    Filed: October 20, 2006
    Date of Patent: August 17, 2010
    Assignee: AirDefense, Inc.
    Inventors: Michael T. Lynn, Scott E. Hrastar
  • Patent number: 7775427
    Abstract: Systems and methods for binding a smartcard and a smartcard reader are provided. A smartcard is provisioned to store a first set of credentials for use in traditional transactions such as at a brick and mortar retail store and a second set of credentials for use when performing a transaction using a smartcard reader associated with a user such as an on-line transaction. The user smartcard reader registers with a smartcard issuer server by cryptographically authenticating a secure processor associated with the smartcard reader. As a result of the registration, the secure processor obtains a set of private keys associated with the second set of credentials. When a request for authorizing a transaction via the user's smartcard reader is received, the smartcard reader cryptographically authenticates itself to the smartcard using a private key associated with a credential to be used to authorize the transaction.
    Type: Grant
    Filed: January 3, 2007
    Date of Patent: August 17, 2010
    Assignee: Broadcom Corporation
    Inventor: Mark Buer