Signature Tree Patents (Class 713/177)
  • Patent number: 7454385
    Abstract: The present invention provides systems and methods for protecting transaction information stored in a database of a gaming network. To accomplish this, a transaction signature is generated each time the user completes a transaction on a gaming machine. The transaction signature is generated using transaction information from a particular transaction. The transaction signature and transaction information are stored together in a network database. Upon subsequent access to the transaction information in the database, the transaction signature for the transaction information is recalculated based on the transaction information at that time. The new transaction signature is then compared to the transaction signature previously stored. Any differences between the two transaction signatures may be used to signal unauthorized alteration in the database transaction information.
    Type: Grant
    Filed: December 13, 2005
    Date of Patent: November 18, 2008
    Assignee: IGT
    Inventors: Bhavani Prasad, Marc Espin, Richard E. Rowe
  • Patent number: 7451321
    Abstract: An apparatus for creating a framework for the creation, editing, signing and signature verification of multiple documents includes a master, or cover, document as a holder and display source for the subdocuments created within the cover document. The cover document is protected against direct modification with the possible exception of the addition of comments that do not affect digital signatures in the cover document. Access to the subdocuments for editing, signature generation and signature verification is through a menu associated with the cover document. A method of creating a hierarchy of approval signatures on the cover document encompassing subdocuments and nested approval signatures is described.
    Type: Grant
    Filed: October 7, 2003
    Date of Patent: November 11, 2008
    Inventor: Joseph Ernest Dryer
  • Patent number: 7434058
    Abstract: A document accessible over a network can be registered. A registered document, and the content contained therein, cannot be transmitted undetected over and off of the network. In one embodiment, the invention includes maintaining a plurality of stored signatures over a registered document. In one embodiment, the plurality of stored signatures are generated by extracting content from the document, normalizing the extracted content, and generating the plurality of signatures using the normalized content.
    Type: Grant
    Filed: June 7, 2004
    Date of Patent: October 7, 2008
    Assignee: Reconnex Corporation
    Inventors: Ratinder Paul Singh Ahuja, Erik de la Iglesia, Rick Lowe, Matthew Howard, William Deninger
  • Patent number: 7424706
    Abstract: Systems and methods are described that enable patching of security vulnerabilities in binary files. The detection and patching of vulnerable binary files is automatic, reliable, regression free, and comprehensive across networks on an unlimited scale. These advantages can be realized in various ways including, for example, by leveraging current anti-virus infrastructure that is widely deployed across the Internet. Reliable discovery of vulnerable binary files (e.g., in operating systems, application programs, etc.) is achieved through the use of binary signatures that have been associated with discovered security vulnerabilities. A divergence of security patches away from conventional service packs provides for the possibility of production of regression-free fixes for security vulnerabilities in binary files.
    Type: Grant
    Filed: July 16, 2003
    Date of Patent: September 9, 2008
    Assignee: Microsoft Corporation
    Inventors: Oleg Ivanov, Sergei Ivanov
  • Patent number: 7415612
    Abstract: An image decrypting apparatus derives spectral reflectance of the face of an original on the basis of obtained original image data, built-in light source data and basis function data, and obtains weighted coefficients of each pixel as object color component data. The apparatus stores a file including the basis function data used at the time of obtaining the spectral reflectance as a key file, and stores a file including the object color component data as an encrypted file. From each of the key file and the encrypted file, the original image data cannot be reproduced. By using the key file and the encrypted file in a correct combination, the original image data can be reproduced. In such a manner, the original image data can be protected.
    Type: Grant
    Filed: May 1, 2003
    Date of Patent: August 19, 2008
    Assignee: Minolta Co., Ltd.
    Inventor: Fumiko Uchino
  • Patent number: 7412599
    Abstract: Apparatus and method are provided for performing remote notification of records, each having a respective record identifier. A record-user mapping associates with each record identifier a respective one or more user names. For each record upon which remote notification is to be performed the respective one or more user names is obtained from the record-user mapping, and for each obtained user name a respective addressable entity is obtained from a user name-addressable entity mapping. A notification of the record is sent to the addressable entity. Target record processing may also be provided. For each record identifier for which target record processing is to be performed, a target user name is read from the associated record, a respective addressable entity is obtained from the user name-addressable entity mapping, and a notification of the record is sent to the addressable entity.
    Type: Grant
    Filed: December 7, 2000
    Date of Patent: August 12, 2008
    Assignee: Entrust Technologies Limited
    Inventors: Karim Nathoo, Tim Bramble, Shan Syed
  • Patent number: 7409556
    Abstract: A hybrid digital watermarking system for video authentication includes an authenticated acquisition subsystem for digitally watermarking video data and a video management subsystem in signal communication with the authenticated acquisition subsystem for verifying the digitally watermarked video data, where the authenticated acquisition subsystem may include a watermarking device for applying each of an identity signature and a control signature to the video data within a hybrid digital watermark, and the hybrid digital watermark may achieve progressively varying robustness by means of error-correcting signature coding and/or rate-distortion guided bit embedding.
    Type: Grant
    Filed: November 19, 2003
    Date of Patent: August 5, 2008
    Assignee: MY EZ Communications, LLC
    Inventors: Zhenyu Wu, Xiao-Hong Yan
  • Patent number: 7398395
    Abstract: Content material is protected with a variety of watermarking processes. Different subsets of the protected content material are submitted to different watermarking processes. At the rendering device, a watermark detector is configured to detect one or more different watermarks. Only if the particular watermark(s) that the rendering device is configured to detect is removed from the protected content material will the rendering device permit the rendering of the protected material. If the particular watermark(s) that the rendering device is configured to detect is unpredictable, or if the particular segment that is protected by a particular watermark is undetectable, a wholesale removal of specific watermarks from the watermarked material will neither be efficient nor economically viable.
    Type: Grant
    Filed: September 20, 2001
    Date of Patent: July 8, 2008
    Assignee: Koninklijke Philips Electronics N.V.
    Inventor: Michael Epstein
  • Publication number: 20080155264
    Abstract: A computer anti-virus system is disclosed. The computer anti-virus system can have multiple detection layers and can include a first memory and a second memory. The computer anti-virus system can have a reduced first memory size requirement for a fingerprint signature based anti-virus application program by putting off to the second memory those signatures that are redundantly detected on other layers. Thus, performance can be enhanced and/or costs can be reduced.
    Type: Application
    Filed: December 18, 2007
    Publication date: June 26, 2008
    Inventors: Ross Brown, Drew Copley
  • Patent number: 7362870
    Abstract: A data processing apparatus extracts a root key by decrypting an enabling key block. The data processing apparatus then produces a content key on the basis of a random number and encrypts the content key using the root key. Furthermore, the data processing apparatus encrypts an ID of the data processing apparatus using the produced content key thereby producing a storage key. The data processing apparatus then produces encrypted content by encrypting a content using the storage key. Furthermore, the data processing apparatus stores the encrypted content together with the data produced by encrypting the content by the root key into a removable storage medium. The content, stored into the removable storage medium in the above-described manner, can be played back only by a specific limited device.
    Type: Grant
    Filed: April 17, 2002
    Date of Patent: April 22, 2008
    Assignee: Sony Corporation
    Inventor: Takumi Okaue
  • Publication number: 20080091945
    Abstract: A technique for security and authentication on block-based media involves the use of protected keys, providing authentication and encryption primitives. A system according to the technique may include a secure device having a security kernel with protected keys. A disk drive security mechanism may support authentication of data, secrecy, and ticket validation using the security kernel and, for example, a ticket services module (e.g., a shared service that may or may not be used by other storage devices like flash).
    Type: Application
    Filed: October 24, 2006
    Publication date: April 17, 2008
    Inventors: John Princen, Pramila Srinivasan, Craig Steven Anderson
  • Publication number: 20080082830
    Abstract: A method and system for displaying trust level on a wireless communication device (100) is provided. The method includes receiving (204) a list of trusted root authority certificates. The method further includes calculating the trust level of a local wireless communication network by determining (206) how at least one verifying root authority certificate was stored on the wireless communication device and if the at least one verifying root authority certificate is included in the list of trusted root authority certificates. Further, the method includes displaying (208) the trust level of the local wireless communication network at the wireless communication device.
    Type: Application
    Filed: September 29, 2006
    Publication date: April 3, 2008
    Applicant: MOTOROLA, INC.
    Inventor: Walter P. Goulet
  • Patent number: 7346779
    Abstract: A method for securing an electronic document (22) comprising attaching a biometric characteristic (20) and the electronic document (22) to form a biometric characteristic-document combination and encrypting the biometric characteristic-document combination to form an encrypted data package (24).
    Type: Grant
    Filed: February 23, 2001
    Date of Patent: March 18, 2008
    Assignee: Birmingham Systems Limited
    Inventor: Kim Leeper
  • Patent number: 7346170
    Abstract: An information processing system and method are disclosed in which information processing is performed using an enabling key block (EKB) in association with a tree structure including category subtrees. A key tree is produced, which includes subtrees that are grouped in accordance with categories and are managed by category entities. The EKB includes data produced by selecting a path in the key tree and encrypting a higher-level key in the selected path using a lower-level key in the selected path. The EKB is then provided to a device. A requester, which requests production of the EKB, may produce a root key or may request a key distribution center (KDC) to produce a root key. If the KDC produces the EKB, it may also request a category entity to produce a sub-EKB.
    Type: Grant
    Filed: December 21, 2001
    Date of Patent: March 18, 2008
    Assignee: Sony Corporation
    Inventors: Tomoyuki Asano, Yoshitomo Osawa, Tateo Oishi, Ryuji Ishiguro, Ryuta Taki
  • Patent number: 7328347
    Abstract: A method and an apparatus distinguish the origin of operator inputs in electronic control systems having at least one first operating element and at least one second operating element. A first signal is processed in the electronic control system when the at least one first operating element is operated. The first signal differs from a second signal emitted by the at least one second operating element when the latter is operated, by virtue of an electronic identifier assigned to the at least one first operating element. A printing machine having the apparatus is also provided.
    Type: Grant
    Filed: November 15, 2005
    Date of Patent: February 5, 2008
    Assignee: Heidelberger Druckmaschinen AG
    Inventors: Reiner Keim, George Rößler, Mario Rottloff
  • Patent number: 7305086
    Abstract: Detection of watermarks in digital content by a system having a recording device and a playback device may be accomplished in such a way as to improve the interoperability of the recording and playback devices. In one embodiment, a recording device having a first watermark detection component of a first sensitivity for detecting the watermark in digital content, interoperates with a playback device having a second watermark detection component of a second sensitivity for detecting the watermark in a digital content recording made by the recording device; such that the first sensitivity is more sensitive than the second sensitivity.
    Type: Grant
    Filed: September 4, 2003
    Date of Patent: December 4, 2007
    Assignee: Intel Corporation
    Inventor: Michael S. Ripley
  • Patent number: 7305555
    Abstract: A system is described for uniquely mating components of a communication network such as a smartcard and a set-top box. When mated, the smartcard and set-top box are tied together and have a single identity. Further, the smartcard operates properly only when inserted into an authorized set-top box. Exchanges of information between both components are secured by encryption and authentication to guard against piracy of the exchanged information. The system provides the same authentication key to the set-top box and the smartcard. This key is used for authenticating communication between the set-top box and the smartcard. First, the authentication key is encrypted by a set-top box mating key. The set-top box employs this mating key to decrypt the authentication key. After it is derived, the authentication key is stored in the set-top box's memory. Further, the same authentication key is encrypted by a smartcard mating key.
    Type: Grant
    Filed: March 27, 2002
    Date of Patent: December 4, 2007
    Assignee: General Instrument Corporation
    Inventors: John I. Okimoto, Eric J. Sprunk, Lawrence W. Tang, Annie On-yee Chen, Bridget Kimball, Douglas Petty
  • Patent number: 7302589
    Abstract: According to one embodiment, a method is disclosed. The method includes storing a first list of hardware registers, receiving video data at an application program, receiving a second list of hardware registers from a device driver, determining whether the first list of hardware registers matches the second list of hardware registers, and if so, streaming the video data to a video decoder.
    Type: Grant
    Filed: February 20, 2002
    Date of Patent: November 27, 2007
    Assignee: Intel Corporation
    Inventors: Richard P. Mangold, Keith Shippy
  • Patent number: 7302703
    Abstract: Intelligent hardware token processors (5) are capable of sending and receiving encrypted messages. Generic initialization with non-user-specific certificates comprising public and private keys allows a certificate authority (210) to securely communicate with the hardware token. New users enrolling with the certificate server (210) have their hardware tokens securely reprogrammed with user specific certificates.
    Type: Grant
    Filed: December 20, 2000
    Date of Patent: November 27, 2007
    Assignee: AOL, LLC a Delaware limited liability company
    Inventor: William Burns
  • Patent number: 7225219
    Abstract: A distributed caching technique for use in computer networks is disclosed. The illustrative embodiment is particularly advantageous in computer networks that comprise a hierarchical topology because it removes some of the computational tasks associated with caching away from the network nodes that act as caches to other network nodes that are less burdened with computational tasks. Furthermore, some embodiments of the present invention use hash tables to facilitate the storage and retrieval of cached resources.
    Type: Grant
    Filed: November 29, 2000
    Date of Patent: May 29, 2007
    Assignee: Broadspider Networks, Inc.
    Inventors: Peter Joseph Giacomini, Walter Michael Pitio, Hector Francisco Rodriguez, Donald David Shugard
  • Patent number: 7225256
    Abstract: The present invention pertains to a system for managing network access to resources that allows a first entity to impersonate a second entity. In one embodiment, the first entity can impersonate the second entity without knowing the second entity's password and/or without altering anything in the entity's set of personal information. This invention provides the first entity with the ability to troubleshoot in a live production system without disrupting the users or the system. In one embodiment, the first entity authenticates as itself. Access to resources is provided in response to an authorization process based on the identity of the entity being impersonated.
    Type: Grant
    Filed: November 30, 2001
    Date of Patent: May 29, 2007
    Assignee: Oracle International Corporation
    Inventor: Francisco J. Villavicencio
  • Patent number: 7222229
    Abstract: A system allowing a target machine to be booted up from a disk image stored in memory. Instead of reading the boot-up information from a disk drive or other physical device the data is read from memory. No modification is necessary to native operating system, input/output subsystem, bootstrap code, etc., since the invention modifies characteristics, such as vectors used by the operating system, to make the disk image in memory appear to be the same as a standard external device.
    Type: Grant
    Filed: December 2, 2005
    Date of Patent: May 22, 2007
    Assignee: VERITAS Operating Corporation
    Inventors: Carleton Miyamoto, Jagadish Bandhole, Sekaran Nanja
  • Patent number: 7222238
    Abstract: In a method for real-time registration having high protection against tampering by means of a security module, an encrypted initial security value for translog file analyzers is made available, and an unencrypted real-time message is secured by appending an authentication code that the security module generates by inserting a current security value into an algorithm for authentication code for each real-time message that is likewise employed by each translog file analyzer. The first security value is formed according to a first mathematical function known to the translog file analyzer that allows a derivation of following security values. The authentication code is formed according to a second mathematical function known to the translog analyzer that is applied to the real-time message and to the current security value and that serves for the verification of the real-time message.
    Type: Grant
    Filed: July 11, 2002
    Date of Patent: May 22, 2007
    Assignee: Francotyp Postalia AG & Co, KG
    Inventors: Gerrit Bleumer, Glemens Heinrich
  • Patent number: 7194762
    Abstract: A method for providing security in password-based access to computer networks, the network including a server and a remote user, includes: signing a phrase by a security chip of the server using an encryption key; associating the signed phrase with the remote user; signing the phrase with an encryption key obtained by the security chip when a request for access to the computer network is received from the remote user; comparing the phrase signed with the obtained encryption key with the signed phrase associated with the remote user; and granting access to the remote user if the phrase signed with the obtained encryption key is the same as the stored signed phrase associated with the remote user. The use of the encryption key protects against “dictionary attacks”. Use of the security chip protects against offline attacks. These provide greater security for the computer network.
    Type: Grant
    Filed: November 30, 2001
    Date of Patent: March 20, 2007
    Assignee: Lenovo (Singapore) Pte. Ltd.
    Inventors: David Carroll Challener, Steven Dale Goodman
  • Patent number: 7191468
    Abstract: A computer-based method and system for performing header filtering of data is presented. The method comprises compressing the header of a data packet to obtain a header signature and determining if the header signature matches a known header signature. If the header signature is determined to have a match, then the header signature is identified as a known header signature. A header signature may be generated using a multidimensional data compression algorithm. A compression algorithm comprises obtaining the data bits contained in each field of a typical header. Then, a header-field group that corresponds uniquely to each field is determined. Each field is replaced with the header-field group of the corresponding data bits of the field and concatenated to create a header signature.
    Type: Grant
    Filed: July 15, 2002
    Date of Patent: March 13, 2007
    Assignee: The Boeing Company
    Inventor: Brian D. Hanner
  • Patent number: 7178024
    Abstract: A security service for an electronic marketplace that permits members of the marketplace to use any signing service to attach electronic signatures to documents resident on the marketplace regardless of format differences between the member's internal computer system and the electronic marketplace.
    Type: Grant
    Filed: April 5, 2001
    Date of Patent: February 13, 2007
    Assignee: SAP AG
    Inventors: Steven Thomas Winkler, Michael Andreas Friedrich, Armin Risch
  • Patent number: 7165179
    Abstract: The invention includes a proxy server that constitutes means for providing, verifying and logging a digital signature for a message that is to be exchanged via a network, so that a security function for a digital signature can be implemented without changing an application program. In an example embodiment, a digital signature system comprises: applications for performing data processing; and a signature server connected to the applications via a LAN, wherein the signature server intercepts the message communication from the application to a destination device outside the LAN, provides a digital signature for a message document to be exchanged through communication, and transmits the obtained message document to the destination device.
    Type: Grant
    Filed: October 29, 2001
    Date of Patent: January 16, 2007
    Assignee: International Business Machines Corporation
    Inventors: Hiroshi Maruyama, Naohiko Uramoto
  • Patent number: 7165051
    Abstract: An electronic commerce system having a server and an end user machine interacting through a network during an electronic commerce transaction is disclosed. The server includes a software module configured to receive user-entered information via the network including an electronic purchase order for a product within the electronic commerce system. In addition, the server includes a fraud detection mechanism active during electronic commerce transactions. The fraud detection mechanism determines a likelihood that the electronic purchase order is attempted fraud based upon (i) information associated with the user-entered information and (ii) factors relating to a user's real-time interaction with the server during a transaction to process the electronic purchase order. A method performed by an electronic commerce system for determining a likelihood that the electronic purchase order is attempted fraud is also provided.
    Type: Grant
    Filed: February 22, 2005
    Date of Patent: January 16, 2007
    Assignee: Digital River, Inc.
    Inventors: Joel A. Ronning, Kelly J. Wical
  • Patent number: 7149901
    Abstract: A method and system for maintaining integrity and confidentiality of pages paged to an external storage unit from a physically secure environment. An outgoing page is selected to be exported from a physically secure environment to an insecure environment. An integrity check value is generated and stored for the outgoing page. In one embodiment, this takes the form of taking a one-way hash of the page using a well-known one-way hash function. The outgoing page is then encrypted using a cryptographically strong encryption algorithm. Among the algorithms that might be used in one embodiment of the invention are IDEA and DES. The encrypted outgoing page is then exported to the external storage. By virtue of the encryption and integrity check, the security of the data on the outgoing page is maintained in the insecure environment.
    Type: Grant
    Filed: January 29, 2004
    Date of Patent: December 12, 2006
    Assignee: Intel Corporation
    Inventors: Howard C. Herbert, Derek L. Davis
  • Patent number: 7111171
    Abstract: Distributing information, including the steps of watermarking the digital content, distributing the digital content using a multi-source system, and partially fingerprinting digital content at each stage of moving information from a point of origin to the viewer. “Adaptation” of the digital content to the recipient includes maintaining the digital content in encrypted form at each such intermediate device, including decrypting the digital content with a key unique to both the device and the specific movie, selecting a portion of the watermark locations into which to embed information, embedding fingerprinting information into those locations sufficient to identify the recipient, and encrypting the fingerprinted digital content with a new such key.
    Type: Grant
    Filed: January 31, 2003
    Date of Patent: September 19, 2006
    Assignee: Kaleidescope, Inc.
    Inventors: Daniel A. Collens, Stephen Watson, Michael A. Malcolm
  • Patent number: 7058811
    Abstract: A hardware authenticity verification system includes a hardware element having a hardware address. A digital signature generator is included to create a digital signature of the hardware address of the hardware element. A memory element stores the digital signature of the hardware element. A software program is included to compare the digital signature of the hardware element to a known value. If the digital signature of the hardware element matches the known value, the user may be granted read and write access to all memory locations within the memory element, including a location in which the hardware address is stored. On the other hand, if the hardware address of the hardware element does not match the known value, the hardware element will not properly function, because the manufacturer's software program is configured to not load on the hardware element if the hardware address of the hardware element does not match the known value.
    Type: Grant
    Filed: October 31, 2001
    Date of Patent: June 6, 2006
    Assignee: Intel Corporation
    Inventors: John R. Spain, Scott P. Dubal
  • Patent number: 7058820
    Abstract: Copyright information embedded in a digital content can always be sampled and the copyright of the digital content can be protected reliably, by using a sampling program which is automatically activated and samples the copyright information from the digital content. For example, the digital content added with the sampling program is distributed or an application program added with the sampling program for utilizing the digital content is distributed so that the copyright information can be reliably sampled from the digital content and the utilization of the digital content can be controlled in accordance with the copyright information. If a file containing a plurality of digital contents is used, copyright information is embedded in each digital content and the copyright information is sampled from each digital content. It is possible to control the utilization of each digital content in accordance with the sampled copyright information.
    Type: Grant
    Filed: February 15, 2002
    Date of Patent: June 6, 2006
    Assignee: Canon Kabushiki Kaisha
    Inventors: Nobuhiro Tagashira, Keiichi Iwamura
  • Patent number: 7047414
    Abstract: A database for reliably identifying a Security Profile of a device that generates digital signatures is managed by (a) maintaining the database in a secure environment, (b) recording in the database for each one of a plurality of devices manufactured in the secure environment, (i) a public key of a public-private key pair of the manufactured device, and in association therewith, (ii) a Security Profile of the manufactured device, the public key and Security Profile thereby being securely linked together, and (c) thereafter, when a linked public key successfully authenticates a digitally signed message, identifying the Security Profile associated with the linked public key as pertaining to the manufactured device to which belongs the private key utilized in digitally signing the message. Furthermore, a reference is communicated in a secure manner, the reference including the public key and Security Profile linked therewith for at least one of the manufactured devices.
    Type: Grant
    Filed: February 1, 2003
    Date of Patent: May 16, 2006
    Assignee: First Data Corporation
    Inventors: Anne M. Wheeler, Lynn Henry Wheeler
  • Patent number: 7036014
    Abstract: An RSA-based signing scheme that combines essentially optimal efficiency with attractive security properties. One preferred signing routine requires one RSA decryption plus some hashing, verification requires one RSA encryption plus some hashing, and the size of the signature preferably is the size of the modulus. Given an ideal underlying hash function, the scheme is not only provably secure, but has security tightly related to the security of RSA. An alternative embodiment maintains all of the above features and, in addition, provides message recovery. The techniques can be extended to provide schemes for Rabin-based signatures or signatures using other trapdoor functions.
    Type: Grant
    Filed: June 11, 2001
    Date of Patent: April 25, 2006
    Assignee: The Regents of the University of California
    Inventors: Mihir Bellare, Phillip Rogaway
  • Patent number: 7010569
    Abstract: A communication system includes a community management server used by a communication manager and a participant's terminal used by a community participant participating in communication. The community management server manages multimedia data that has data about the community participant embedded therein, an element symbolizing the community participant, a data content display control part and a participant personal identification authentication part. The participant's terminal includes a generation part for generating card-like information as a communication unit. When a plurality of community participants executes communication by using the cards to which the multimedia data are put, they can execute information display of personal information of the community participants, authentication of personal identification, and retrieval/edition of a speech content by using information embedded in the multimedia data.
    Type: Grant
    Filed: April 19, 2001
    Date of Patent: March 7, 2006
    Assignee: Hitachi, Ltd.
    Inventors: Satoe Okayasu, Hisashi Toyoshima, Chikako Tsuchiyama
  • Patent number: 6993138
    Abstract: A system, method, and program code are given for secure communication. Multiple geographic cells are arranged in a hierarchical tree having a root node and internal nodes. The root node and each internal node in the tree have an associated node cryptographic key for secure communication with lower nodes in the tree. Each cell is associated with a leaf node of the tree and a cell cryptographic key for secure communications with devices located within the cell. A key management center is at the root node for determining an anticipated cell path of a mobile device from a current cell to a destination cell. The key management center distributes to the mobile device a set of cryptographic keys from the tree. This set contains a minimum number of cryptographic keys necessary to permit secure communications for the mobile device within each cell along the anticipated cell path, but no other cells.
    Type: Grant
    Filed: June 8, 2001
    Date of Patent: January 31, 2006
    Assignee: Nortel Networks Limited
    Inventor: Thomas Hardjono
  • Patent number: 6990584
    Abstract: An apparatus for restricting a copy of digital information is provided with a detecting device for detecting a first watermark, which is buried in the digital information and comprises a first signal generated on the basis of a first rule. A burying device buries a second watermark, which comprises a second signal generated on the basis of a second rule and having a structure different from that of the first signal, into the digital information if the first watermark is detected by the detecting device. A recording apparatus is provided with: an inputting device for inputting the digital information; the above mentioned copy restricting apparatus; and a recording device for recording the digital information in which the second watermark is buried by the burying device.
    Type: Grant
    Filed: December 3, 1999
    Date of Patent: January 24, 2006
    Assignees: Pioneer Corporation, Hitachi, LTD, Sony Corporation
    Inventors: Hiroshi Yoshiura, Hiroyuki Kimura, Akira Ogino, Yoshiaki Moriyama, Kazumi Sugaya
  • Patent number: 6957336
    Abstract: An initial PuK-linked account database is established by (a) maintaining the database in a secure environment, (b) recording in the database for each one of a plurality of devices manufactured in the secure environment, (i) a public key of a public-private key pair of the manufactured device, and in association therewith, (ii) a Security Profile of the manufactured device, the public key and Security Profile thereby being linked together, (c) distributing the manufactured devices from the secure environment to a plurality of users, and (d) identifying the database records of said distributed devices as the initial PuK-linked account database of the users. An initial PuK-linked account database record of a user is established with each one of a plurality of third-parties in similar manner.
    Type: Grant
    Filed: February 1, 2003
    Date of Patent: October 18, 2005
    Assignee: First Data Corporation
    Inventors: Anne M. Wheeler, Lynn Henry Wheeler
  • Patent number: 6952822
    Abstract: The installation method makes possible the installation of new programs, while maintaining security, in a system LSI device. The installation method comprises a step for receiving the signature data 7 of a program 6, a step for checking for interference with other already installed programs on the basis of said signature data 7, and a step for authorizing the installation of programs with which there is no interference. A declaration of signature data is elicited from a program being installed; a check for interference among programs is performed based on this, authentication is performed, and the installation of interfering programs is prevented or the installation of programs with which there is no interference is executed. It therefore becomes possible to install new programs while protecting high-security programs.
    Type: Grant
    Filed: February 1, 2001
    Date of Patent: October 4, 2005
    Assignee: Fujitsu Limited
    Inventors: Tomomi Shiobara, Yusuke Kawasaki, Shigeru Hashimoto
  • Patent number: 6950937
    Abstract: An exponentiation operation or other computational task associated with a cryptographic protocol is performed in a secure distributed manner using multiple machines, e.g., a client device and multiple servers of a computer network. The computational task is transformed by an originator machine before being sent to one or more external servers for execution. The transformation may include replication and dependency operations to provide robustness to errors in the computations performed by the external servers, and blinding and permutation operations to provide privacy for secret information associated with the computational task. The transformed computational task is executed by the one or more external servers, and the results of the transformed computational task are transmitted back to the originator machine. The originator machine transforms the results of the transformed computational task in a manner which permits verification that the one or more results are appropriate results for a given input.
    Type: Grant
    Filed: May 30, 2001
    Date of Patent: September 27, 2005
    Assignee: Lucent Technologies Inc.
    Inventors: Bjorn Markus Jakobsson, Susanne Gudrun Wetzel
  • Patent number: 6922776
    Abstract: A scalable system for notification of a change in condition of an electronic certificate is provided. The system includes a network of servers capable of providing notification of changes in conditions of electronic certificates to an unlimited number of users. The system includes a first server comprising a detection module and a notification module. The system having at least one server capable of actively monitoring and detecting changes in conditions of a certificate. Other CAP servers in the system may and/or may not actively monitor electronic certificates at the same time. That is, these CAP servers may actively monitor conditions of electronic certificates at the same time they play passive roles (e.g., not monitoring the electronic certificates for which they will be notified of changes from another CAP server).
    Type: Grant
    Filed: January 30, 2001
    Date of Patent: July 26, 2005
    Assignee: Networks Associates Technology, Inc.
    Inventors: Jeffrey V. Cook, Michael Heyman, Peter Dinsmore
  • Patent number: 6880086
    Abstract: The present invention provides a method and apparatus for facilitating hot upgrades of software components within a telecommunications network device through the use of “signatures” generated by a signature generating program. After installation of a new software release within the network device, only those software components whose signatures do not match the signatures of corresponding and currently executing software components are upgraded. Signatures promote hot upgrades by identifying only those software components that need to be upgraded. Since signatures are automatically generated for each software component as part of putting together a new release, a quick comparison of two signatures provides an accurate assurance that either the software component has changed or has not. Thus, signatures provide a quick, easy way to accurately determine the upgrade status of each software component.
    Type: Grant
    Filed: February 5, 2001
    Date of Patent: April 12, 2005
    Assignee: CIENA Corporation
    Inventors: Joseph D. Kidder, Michael B. Mahler, Edward L. Perreault, Margaret Stearns, Jim Hurley
  • Patent number: 6868497
    Abstract: To stop illegal digital content distribution, IDs will be included in the content. However, current ideas of how to use the IDs are unacceptable. The automatic ID management process and apparatus increases the ease of access to protected content for the consumer, with desired content protection and minimal implementation costs. The process includes tracking the IDs of the previously accessed content of a rendering device, reviewing rules contained within the new content and rendering device, and restricting access if the new content does not meet the rules. For example, devices may be limited to accessing content with N different IDs over a specific time period, where the time period is influenced by the number of times content with a specific ID is accessed. The apparatus includes a logic processor and memory that implements the automatic ID management process.
    Type: Grant
    Filed: March 9, 2000
    Date of Patent: March 15, 2005
    Assignee: Digimarc Corporation
    Inventor: Kenneth L. Levy
  • Patent number: 6826687
    Abstract: The present invention provides methods and apparatus for generating a TCR-commitment having properties differing from the properties of a regular commitment. It provides solutions to the problem of packet authentication for multicast and other scenarios requiring fast, compact digital signature/commitment for E-commerce protocols. It also provides a relatively high level of security guarantees required for packet authentication in a way that can handle multiple independent flows, produces authentication fields of fixed size, works in the fully unreliable setting, does not require any packet delays and has the additional property of being able to withstand and smooth over irregular processor loading and bursty packet output rate. In an embodiment, it uses a hybrid approach consisting of the committer/signer/bidder creating a certificate for the public key of an efficient k-time signature scheme using a regular signature key.
    Type: Grant
    Filed: April 14, 2000
    Date of Patent: November 30, 2004
    Assignee: International Business Machines Corporation
    Inventor: Pankaj Rohatgi
  • Patent number: 6748533
    Abstract: A method, an apparatus and a computer program product are disclosed for protecting the legitimacy of an article (100), and in particular an electronic document, against forgery or fraud. Such articles include passports, credit cards, bank notes, lottery tickets, secure forms. The method includes the following steps: several watermarks (204, 224, 244) are generated independently (304, 306, 308) by different cryptographic watermarking mechanisms controlled utilising information permanently associated within the article or product (100); and each watermark is embedded in a linked cryptographic manner (160, 162, 164). Subsequently, the watermarks can be scanned and digitised (410). The authenticity of the article (100) can be determined by verifying the correctness of extracted watermarks and the encryption links (160, 162, 164) among them. Also disclosed is a method of embedding an invisible watermark (714) in an official seal (712) incorporated in an electronic article or document (700).
    Type: Grant
    Filed: December 2, 1999
    Date of Patent: June 8, 2004
    Assignee: Kent Ridge Digital Labs
    Inventors: Jiankang Wu, Qibin Sun, Huijie Robert Deng
  • Patent number: 6732274
    Abstract: An electronic apparatus has a protection device which includes a random number generator for producing a random number unique to the electronic apparatus. The random number is stored as a personality data in a memory when the electronic apparatus is switched on for the first time. Subsequently, a comparator compares the random number with the personality data stored in the memory and prevents operation of the electronic apparatus device and/or memory access when the comparison result indicates that the random number and personality data are different. The random number generator is formed by a voltage divider of resistors having large tolerances and/or being chosen randomly, where the voltage divider output is converted to a digital value.
    Type: Grant
    Filed: December 8, 1998
    Date of Patent: May 4, 2004
    Assignee: Koninklijke Philips Electronics N.V.
    Inventor: Didier Charron
  • Publication number: 20040054910
    Abstract: A computer network system includes a plurality of information provider computers, an information collector computer and a communication network for connecting these computers together. The information provider computers store therein a plurality of information sets in connection with respective generation number information including ID codes and version codes. The information collector computer stores therein the information sets in connection with the version codes, periodically or intermittently receives the generation number information, compares the same against corresponding information stored therein, and receives the information set if a corresponding version code is not stored therein.
    Type: Application
    Filed: September 12, 2003
    Publication date: March 18, 2004
    Applicant: NEC CORPORATION
    Inventor: Tomihiko Ichikawa
  • Patent number: 6708274
    Abstract: A method and system for maintaining integrity and confidentiality of pages paged to an external storage unit from a physically secure environment. An outgoing page is selected to be exported from a physically secure environment to an insecure environment. An integrity check value is generated and stored for the outgoing page. In one embodiment, this takes the form of taking a one-way hash of the page using a well-known one-way hash function. The outgoing page is then encrypted using a cryptographically strong encryption algorithm. Among the algorithms that might be used in one embodiment of the invention are IDEA and DES. The encrypted outgoing page is then exported to the external storage. By virtue of the encryption and integrity check, the security of the data on the outgoing page is maintained in the insecure environment.
    Type: Grant
    Filed: April 30, 1998
    Date of Patent: March 16, 2004
    Assignee: Intel Corporation
    Inventors: Howard C. Herbert, Derek L. Davis
  • Patent number: 6701434
    Abstract: Methods, apparatus and computer products provide solutions to the problem caused by the slow speed of public key signature algorithms. The solutions also solve problems of packet authentication for multicast and other scenarios requiring fast, compact digital signatures. Security guarantees required for packet authentication are provided in a way that can handle multiple independent flows, produces authentication fields of fixed size, works in the fully unreliable setting, does not require any packet delays and has the additional property of being able to withstand and smooth over irregular processor loading and bursty packet output rate. One aspect of the present invention uses a hybrid approach consisting of the signer creating a certificate for the public key of an efficient k-time signature scheme using a regular signature key. The signer then signs up to k messages with the private key corresponding to the k-time public key.
    Type: Grant
    Filed: May 7, 1999
    Date of Patent: March 2, 2004
    Assignee: International Business Machines Corporation
    Inventor: Pankaj Rohatgi
  • Publication number: 20040039916
    Abstract: A system and method are provided for the distribution of digital licenses through a multi-level distribution chain using one or more clearinghouses. The system supports content providers, distributors, and end users. Content providers create and provide licenses. Distributors acquire licenses from content providers and upstream distributors, and can modify them in accordance with the terms of the original licenses. Distributors digitally sign modified licenses before providing to other users. Distributors optionally extend licenses to create new licenses and distribute them. End users acquire, download and activate licenses. Content providers and distributors can obtain tracking reports from clearinghouses detailing transactions (e.g., purchases, acquisitions, activations, and license compliance) associated with licenses as they progress down the distribution chain and are finally activated.
    Type: Application
    Filed: May 9, 2003
    Publication date: February 26, 2004
    Inventors: David Aldis, Brian Kejser, Innes Muecke, Heinrich Henning Riebe