Upgrade/install Encryption Patents (Class 713/191)
  • Patent number: 7373521
    Abstract: A program supplied from a personal computer via an interface 31 is processed according to a program stored in a ROM 36, developed in a RAM 33, and executed by a CPU 32. Data resulting from the program execution is stored into a nonvolatile memory 34. The interface 31, CPU 32, RAM 33, nonvolatile memory 34 and ROM 36 are housed in an adaptor 26 formed integrally as a semiconductor IC.
    Type: Grant
    Filed: February 17, 2000
    Date of Patent: May 13, 2008
    Assignee: Sony Corporation
    Inventor: Hirokazu Kawahara
  • Patent number: 7373668
    Abstract: Described are methods and systems for encrypting and decrypting configuration data for programmable logic devices. An encrypted bitstream of configuration data includes two or more portions, each of which may be encrypted using a different key. Prior to loading, the author of each portion calculates the byte count for his or her portion and loads the required decryption key and byte count into a key and count memory. The designs are then loaded together as a single bitstream. The PLD decrypts the first portions using the first password. At the start of the partial bitstream, configuration logic loads the count associated with the decryption key for the first portions into a decrementing counter. The counter then decrements for each byte decrypted, reaching a count of zero when the first portion is fully decrypted. The configuration logic then selects the subsequent decryption key and associated count for the next portion of the bitstream.
    Type: Grant
    Filed: May 17, 2002
    Date of Patent: May 13, 2008
    Assignee: XILINX, Inc.
    Inventor: Stephen M. Trimberger
  • Publication number: 20080109661
    Abstract: A computer security system may include a removable security device adapted to connect to the input/output port of a computer. The security device may include: a random access memory (RAM) cell; and a processor. The security system may further include: at least one encrypted update packet stored remotely from the security device and adapted to modify the contents of the RAM cell; and a private key located on the security device and adapted to decrypt the update packet; and at least one of a device driver, a software application, and/or a library stored remotely from, and in communication with, the security device and adapted to cause the contents of the at least one cell to be switched out of the cell, stored remotely from the cell, and loaded back into the cell.
    Type: Application
    Filed: November 6, 2006
    Publication date: May 8, 2008
    Applicant: SafeNet, Inc.
    Inventor: Mehdi Sotoodeh
  • Patent number: 7370211
    Abstract: The present invention relates to systems (1) and a method for executing code. According to the method a non-critical code portion is executed on a computer (3). When an application (5) on the computer detects a critical code portion to be executed, the application sends a request to a secure execution unit (4) connected to the computer to execute the critical code portion. The secure execution unit (4) executes the critical code portion in response to the request. Thereafter the secure execution unit authenticates the result of the execution of the critical code portion using a secret key (7). The authentication allows for another party (2) to verify that the execution was carried out in a trusted way. An advantage of the present invention is that it provides a reliable execution environment that can be trusted to execute critical code.
    Type: Grant
    Filed: September 21, 2001
    Date of Patent: May 6, 2008
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Tom Rindborg, Joacim Halén
  • Patent number: 7366917
    Abstract: A method for accessing discrete data includes transmitting a write command to a memory, determining whether each data following a header of the file needs to be encrypted according to a data format of a file that is to be written into the memory, transmitting the file header and each data following the file header to a logic unit, turning on the logic unit for encrypting the data determined to be encrypted and writing the encrypted data into the memory, turning off the logic unit for writing the data determined not to be encrypted into the memory directly, and sending a first response signal from the memory when the writing of the file is finished.
    Type: Grant
    Filed: September 17, 2004
    Date of Patent: April 29, 2008
    Assignee: Faraday Technology Corp.
    Inventor: Yung-Cheng Shih
  • Patent number: 7366906
    Abstract: A digital certificate management apparatus updates a proof key used for proving validity of a digital certificate used for authentication for establishing communication between a client and a server. The apparatus acquires a new proof key for updating, acquires a new digital certificate used for the authentication for which validity can be proved with the use of said new proof key, transmits the new proof key to the client and transmits a new server certificate which is a new digital certificate for the server to the server. The apparatus transmits the new server certificate to the server after receiving, from the client, information indicating that the client has received the new proof key.
    Type: Grant
    Filed: March 19, 2004
    Date of Patent: April 29, 2008
    Assignee: Ricoh Company, Ltd.
    Inventor: Tomoaki Enokida
  • Publication number: 20080082833
    Abstract: A method for providing a secure firmware operating environment includes detecting the presence of a new component, for example, a peripheral device. Next, a determination is made as to whether the peripheral device includes an option read-only memory. Next, a determination is made as to whether the option read-only memory is authorized to be executed on the corresponding device. If the option read-only memory is authorized, the code contained within the option read-only memory is executed. By only allowing execution of peripheral devices or components including authorized option read-only memories, security related breaches are substantially reduced or eliminated; thereby, enhancing device integrity.
    Type: Application
    Filed: September 28, 2006
    Publication date: April 3, 2008
    Inventors: Timothy Andrew Lewis, Timothy Joseph Markey
  • Patent number: 7353281
    Abstract: A method and computer system for providing access to computer resources on a computer system and includes generating a token containing encrypted user information including credit, authorization, and authentication information. A request is initiated to open an encrypted computer resource stored on the computer system, and execution of a remote application manager component on the computer system is also initiated. The remote application manager component decrypts the token and authenticates a user using authentication information stored in the token. Whether the user is authorized and has sufficient credit are then verified. When the user is approved, the requested computer resource is decrypted and opened. Use of the computer resource is monitored to determine whether the user has sufficient credit to continue using the computer resource. A notification is provided when the monitored usage of the opened computer resource has exceeded the credit.
    Type: Grant
    Filed: August 6, 2001
    Date of Patent: April 1, 2008
    Assignee: Micron Technology, Inc.
    Inventors: John C. New, Jr., Mark T. Price
  • Patent number: 7350082
    Abstract: A method of upgrading an encryption process for encryption of video information from an old encryption process to a new encryption process, consistent with certain embodiments involves selecting a portion of video content for selective encryption. The selected portion is duplicated to produce first and second copies of the selected portion. The first copy is encrypted using the old encryption process and the second copy is encrypted using the new encryption process to produce a dual partially encrypted segment of video information that can either be broadcast over a cable or satellite system or stored in a package medium as two program chains.
    Type: Grant
    Filed: November 13, 2002
    Date of Patent: March 25, 2008
    Assignees: Sony Corporation, Sony Electronics Inc.
    Inventors: Brant L. Candelore, Henry Derovanessian
  • Publication number: 20080072068
    Abstract: A method for obtaining a firmware image from a second encrypted data having an encrypted firmware image. The encrypted firmware image is generated from the firmware image sequentially encrypted utilizing a first encryption key and a second encryption key. The first encryption key is specified for securing the firmware image. The second encryption key is specified for securing a distribution of the firmware image. The method includes: providing a second decryption key specified for decrypting the second encrypted data; decrypting at least the encrypted firmware image utilizing the second decryption key to generate a first encrypted data; providing a first decryption key specified for decrypting the first encrypted data; and decrypting the first encrypted data utilizing the first decryption key to obtain the firmware image.
    Type: Application
    Filed: September 19, 2006
    Publication date: March 20, 2008
    Inventors: Liang-Yun Wang, Kuo-Chang Li, Tau-Li Huang
  • Publication number: 20080072327
    Abstract: Software updates remedy vulnerabilities in a computer program that has been distributed and installed on a plurality of computers. The software updates are distributed in encrypted form, and then, after the encrypted update has been delivered to a sufficient number of machines, the decryption key for the update is delivered. Since the key is relatively small, it can be distributed to a large number of machines very quickly, thereby reducing the amount of time between when the update is first known to the public, and the time at which all or most machines have installed the update to protect against the vulnerability.
    Type: Application
    Filed: August 31, 2006
    Publication date: March 20, 2008
    Applicant: Microsoft Corporation
    Inventors: Matthew W. Thomlinson, Christian E. Walker
  • Patent number: 7346781
    Abstract: When a user commands execution of a computer program to commence, a loader program 2 is first started. This loader program 2 reads an encrypted version of the computer program 6 and decrypts it using a public key. This generates an executable version of the computer program 9 which is written directly to the computer memory 8. When the loader program 2 has decrypted the whole of the computer program 9 it starts execution of the computer program 9 it has written into the computer memory 8 and terminates itself or is terminated by the computer program it started. The computer program 9 written into the computer memory 8 will be written into its own memory space and will have its own execution thread. The encryption used may be public key/private key encryption.
    Type: Grant
    Filed: December 6, 2001
    Date of Patent: March 18, 2008
    Assignee: McAfee, Inc.
    Inventors: Neil Andrew Cowie, Igor Garrievich Muttik, Daniel Joseph Wolff
  • Patent number: 7346931
    Abstract: A method for transferring at least one data record from an external data source into a processor unit, e.g., and a suitably designed processor unit are described. In such a method for transcribing at least one data record from the external data source to a processor unit, the at least one data record is transmitted from the external data source together with additional information to a buffer memory of the processor unit. A check of the admissibility of using the at least one data record is performed on the basis of the additional information. A blocking signal is generated when the check reveals that use of the at least one data record is not allowed. The at least one data record is then deleted from the buffer memory. An enable signal is generated when the use of the at least one data record is allowed. The additional information includes an identifier assigned individually to the processor unit, with the validity check being performed in the processor unit.
    Type: Grant
    Filed: July 10, 2003
    Date of Patent: March 18, 2008
    Assignee: Robert Bosch GmbH
    Inventor: Christian Kornblum
  • Patent number: 7337330
    Abstract: A universal method and system for downloading game software to legacy gaming machines. A gaming machine includes a locked enclosure; a first computing device disposed within the locked enclosure, the first computing device being programmed to enable game play of the gaming machine; a second computing device disposed within the locked enclosure of the gaming machine, the second computing device being configured for network access, and an interface between the first and the second computing devices. The second computing device is configured to receive game software components over the network that are compatible with (e.g., executable by) the first computing device but not compatible with (e.g., not executable by) the second computing device and to transfer the received game software components to the first computing device over the interface. The second computing device may include, for example, a PC.
    Type: Grant
    Filed: May 25, 2005
    Date of Patent: February 26, 2008
    Assignee: Cyberview Technology, Inc.
    Inventors: Jean-Marie Gatto, Thierry Brunet de Courssou
  • Patent number: 7336788
    Abstract: The invention, an electronic book selection and delivery system, is a new way to distribute books and other textual information to bookstores, libraries and consumers. The primary components of the system are a subsystem for placing text in a video signal format and a subsystem for receiving and selecting text that is placed in the video signal format. The system configuration for consumer use contains additional components and optional features that enhance the system, namely: (1) an operation center, (2) a video distribution system, (3) a home subsystem, including reception, selection, viewing, transacting and transmission capabilities, and (4) a billing and collection system. The operation center and/or video distribution points perform the functions of manipulation of text data, security and coding of text, cataloging of books, messaging center, and uplink functions.
    Type: Grant
    Filed: November 28, 2000
    Date of Patent: February 26, 2008
    Assignee: Discovery Communications Inc.
    Inventor: John S. Hendricks
  • Patent number: 7330978
    Abstract: An installation mechanism that securely installs encrypted software modules on a computer is described. The mechanism allows restricted software, such as domestic strength cryptography software, to be shipped directly to a user. The mechanism decrypts the software modules and installs the software modules on the computer only when at least one of a set of trigger files is present on the computer, thereby requiring that the computer be authorized for the restricted software. A setup program invokes each of a plurality of installation modules in order to install the software modules. Each installation module securely encapsulates an encrypted version of the software module and is programmed to decrypt the corresponding software module only when a genuine trigger file is detected.
    Type: Grant
    Filed: April 8, 1999
    Date of Patent: February 12, 2008
    Assignee: Microsoft Corporation
    Inventors: Richard Alexander Harrington, Rama I. Srinivasan, Terence R. Spies
  • Patent number: 7330977
    Abstract: An apparatus for securely backing up data using a cryptographic module includes a mass storage device having a first accessible portion and a second encrypted portion. The mass storage device is initialized to only decrypt the encrypted portion on the system that first created the encrypted portion. The cryptographic module may be a Trusted Platform Module (TPM) based on specifications from the Trusted Computer Group. The mass storage device comprises a trusted platform interface module configured to communicate with the TPM. The system may include a motherboard having a TPM, and the mass storage device. The method in one embodiment comprises providing a computer readable mass storage device, initializing a password module, transmitting an encrypted password to the cryptographic module, authenticating the encrypted password, decrypting the encrypted password, transmitting the decrypted password to the computer readable medium, and decrypting the second encrypted portion using the decrypted password.
    Type: Grant
    Filed: December 30, 2003
    Date of Patent: February 12, 2008
    Assignee: Lenovo Pte Ltd
    Inventors: Daryl Carvis Cromer, Howard Jeffrey Locker, Randall Scott Springfield
  • Patent number: 7320075
    Abstract: A system and method in which the operating system of the user computer loads the software application and a DLL having a portion of the application execution code stored therein into memory is disclosed. At selected points during its execution, the software application calls the DLL to execute a portion of the application code that was saved into the DLL before delivery to the end user. Since this code is encrypted and the encryption key is stored in a hardware security device and not in the DLL or the software application, the application code portion cannot be executed without recovering the key.
    Type: Grant
    Filed: November 18, 2002
    Date of Patent: January 15, 2008
    Assignee: SafeNet, Inc.
    Inventors: Mehdi Sotoodeh, Brian Douglas Grove, Laszlo Elteto
  • Patent number: 7313704
    Abstract: A control system having a download function includes a first storage area for storing execution program data for executing a control function in a rewritable status, a second storage area for storing a download module containing fresh pieces of update target execution program data and module identifying information, a first control unit for receiving the download module encrypted by an encryption key generated from the same program data as the execution program data stored in the first storage element and from the module identifying information, and storing the received download module in the second storage element, and a second control unit for decrypting the download module by an encryption key generated from data in the execution program data in the first storage area and from data of the download module in the second storage area and replacing, when a storage start address, a data length and a check digit that are encrypted in the download module are decrypted into valid values in a plain text, the execut
    Type: Grant
    Filed: July 21, 2003
    Date of Patent: December 25, 2007
    Assignee: Fujitsu Limited
    Inventor: Takeshi Kashiwada
  • Patent number: 7310735
    Abstract: Disclosed is a system, method, and program for distributing computer software from a first computer system. The first computer system receives a request for software from a second computer system. In response, the first computer system generates a message, encrypts the generated message, and transmits the encrypted message to the second computer system. The first computer system later receives an encrypted response from the second computer system and processes the encrypted response to determine whether the second computer system is authorized to access the software. The second computer system is permitted access to the software after determining that the second computer system is authorized to access the software. To access the computer software with the second computer system, the second computer system transmits a request for the software to the first computer system.
    Type: Grant
    Filed: October 1, 1999
    Date of Patent: December 18, 2007
    Assignee: International Business Machines Corporation
    Inventor: David Michael Shackelford
  • Patent number: 7302415
    Abstract: A data copyright management system comprises a database for storing original data, a key control center for managing crypt keys, a copyright management center for managing data copyrights, and a communication network for connecting these sections. Data supplied from the database to users is encrypted and distributed. The users decrypt the encrypted data by crypt keys obtained from the key control center or copyright management center. To supply data to users, there are the following two methods: a one-way supplying of encrypted data to users by means of broadcasting or the like; and two-way supplying of encrypted data to users corresponding to users' requests. A crypt key system used for encrypting data uses a secret-key cryptosystem, a public-key cryptosystem or a cryptosystem combining a secret-key and a public-key and further uses a copyright control program to control data copyrights.
    Type: Grant
    Filed: January 3, 2000
    Date of Patent: November 27, 2007
    Assignee: Intarsia LLC
    Inventor: Makoto Saito
  • Patent number: 7302707
    Abstract: Embodiments of the present invention relate to systems and methods for detecting software buffer security vulnerabilities. According to an embodiment, a computer-readable medium stores a plurality of instructions to be executed by a processor for detecting software buffer security vulnerabilities. The plurality of instructions comprise instructions to receive software code associated with a potential buffer vulnerability, generate constraints related to the software code associated with the potential buffer vulnerability, partition the software code into one or more procedures, and generate for each procedure a set of constraints that summarizes the impact of a procedure on buffer variables.
    Type: Grant
    Filed: January 15, 2003
    Date of Patent: November 27, 2007
    Assignee: Cigital, Inc.
    Inventors: Michael D. Weber, Viren R. Shah, Chuangang Ren
  • Patent number: 7298850
    Abstract: An encrypting keypad module (30) comprising a keypad (40) and an encryption unit (42) is described. The encryption unit (42) includes an interpreter (56) for receiving a file (150) containing data and instructions for processing the data. The encryption unit (42) is operable to process the data in the file (150) by interpreting the instructions in the file (150). This enables a file (150) to be used to instruct the encryption unit (42) about the data that is to be operated on and the type of operations to be performed on the data.
    Type: Grant
    Filed: October 23, 2001
    Date of Patent: November 20, 2007
    Assignee: NCR Corporation
    Inventor: Alexander W. Whytock
  • Patent number: 7293117
    Abstract: A self-installing peripheral device is provided. The device includes an onboard memory that stores a device driver that enables the device to communicate with a computer operating system. When the device is connected to a computer, the device automatically downloads the device driver to the computer and installs the device driver. In some embodiments, the device is a USB device that may include an internal USB hub. The onboard memory is connected to the USB hub and the primary functionality of the USB device also connects to the computer via a single USB connection through the USB hub. In other embodiments, the device connects to the computer via a wireless connection protocol. Such a device may be a Bluetooth-enabled device.
    Type: Grant
    Filed: June 10, 2004
    Date of Patent: November 6, 2007
    Assignee: Microsoft Corporation
    Inventor: Seiya Ohta
  • Patent number: 7290143
    Abstract: A method of certifying transmission, reception and authenticity of electronic documents between a sender user (2) and addressee user (3) belonging to a telecommunication network (4) is disclosed, wherein the sender (2) carries out the following steps: drafting the document to be sent putting the electronic address of addressee (3), sending to a mailbox belonging to the telecommunication network associated to the addressee (3) a message comprising the drafted documents and wherein the addressee (3) carries out the step of downloading the message from the mailbox associated to him. The method provides for the automatic generation of a certificate of transmittal of the message that is being automatically sent to the mailbox of the sender (2) by a certification entity connected to the network when the message reaches the mailbox of the addressee (3).
    Type: Grant
    Filed: December 10, 2001
    Date of Patent: October 30, 2007
    Assignee: KP Twelve SRL
    Inventors: Frederico Renier, Pierluigi Virgili
  • Patent number: 7290147
    Abstract: The present invention discloses a method, computer program product and system for adjusting roles in a computer system (100) that launch application services (301-307) by a first user who is assigned to at least one role. A first role (110) calls a second role (150) by reference (111). Both roles comprise representations of applications services (101, 102, 103) and (104, 105). When representations in the second role are modified, for example, application services are added (106, 107), a delta list (112) for the first reference is automatically created to conditionally prevent the first role (110) from referencing to at least some of the modified representations of the second role (150). This is achieved by using a rule database (118) containing rules about application services that are mutually exclusive and checking for conflicts between the representations of the first role and modified, second role. A second user, e.g.
    Type: Grant
    Filed: March 15, 2002
    Date of Patent: October 30, 2007
    Assignee: SAP AG
    Inventors: Peter Bittner, Bernhard Drittler, Jürgen Heymann, Sterfan Kusterer, Sven Schwerin-Wenzel, Thorsten Vieth
  • Patent number: 7287162
    Abstract: A platform discrimination indication register is stored in a wireless network card. This register holds a platform discrimination indication that indicates whether the wireless network card can be used to transfer data with notebook computers or whether the wireless network card is restricted to transferring data from a personal digital assistant or defined set of restricted devices. The platform discrimination indication can be upgraded using a key value obtained from an Internet site. This key value is limited to a specific wireless network card because of the use of a unique electronic I.D. An Internet site encrypts the electronic I.D. to produce the first key, such as a platform activation key (PAK). This first key is then decrypted at the personal data device in order to obtain a unique calculated I.D. value. If the calculated I.D. value matches the electronic I.D.
    Type: Grant
    Filed: December 13, 2001
    Date of Patent: October 23, 2007
    Assignee: Sierra Wireless, Inc.
    Inventors: Richard Wodzianek, Jody Pondick, Iulian Mocanu, Kirstin Gulbransen
  • Patent number: 7284134
    Abstract: In an LSI, a decoding section decodes an ID signal received externally and outputs the decoded signal. A fuse circuit writes the value represented by the decoded signal therein when an operation setting signal is active, and holds the written value when the operation setting signal is inactive. An ID RAM stores the value held in the fuse circuit as the ID. This enables installation of IDs of various values in LSIs only by changing the value of the ID signal.
    Type: Grant
    Filed: August 30, 2002
    Date of Patent: October 16, 2007
    Assignee: Matsushita Electric Industrial Co., Ltd.
    Inventors: Makoto Fujiwara, Akira Motohara
  • Patent number: 7278031
    Abstract: Game software for use in video game systems can be downloaded from Internet servers to game consoles in encrypted form to protect the software from being copied by software pirates. A small but essential part of the game software can be encrypted for use with a larger amount of software that is not encrypted. The encrypted portion is downloaded into a secure cryptoprocessor preferably in a memory cartridge that plugs into a game system. This cryptoprocessor decrypts the downloaded software, stores it in on-chip EEPROM and then executes it, all in the same cryptoprocessor. The non-encrypted software is processed in the game system by a conventional processor which depends on data generated by program instructions decrypted and executed in the secure cryptoprocessor.
    Type: Grant
    Filed: April 30, 2003
    Date of Patent: October 2, 2007
    Inventor: Robert M. Best
  • Publication number: 20070226782
    Abstract: A network system is disclosed that comprises an access point that relays communication between a client and a LAN; and an authenticating server that authenticates an access of the client through the access point, wherein the authenticating server comprises a judging unit that judges the application state of a security program in the client that tries to connect with the LAN through the access point and notifies the client of the result of the judgment; and a data providing unit that provides data necessary for updating the application state to the client according to the result of the judgment and in response to a request of the client.
    Type: Application
    Filed: August 23, 2006
    Publication date: September 27, 2007
    Inventors: Izuru Sato, Takeshi Ohnishi, Hiroyuki Taniguchi, Takao Ogura, Kouhei Iseda
  • Patent number: 7272832
    Abstract: A computer system includes at least one processor and a memory. A secure platform is stored in the memory for controlling the processor and the memory. An operating system image is stored in the memory for controlling the processor and the memory, and operates on top of the secure platform. An end user application is stored in the memory for controlling the processor and the memory, and operates on top of the operating system image. The secure platform is configured to provide a secure partition within the memory for storing secret data associated with and accessible by the end user application. The secure partition is inaccessible to the operating system and other tasks operating on top of the secure platform.
    Type: Grant
    Filed: October 25, 2001
    Date of Patent: September 18, 2007
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventor: Robert D. Gardner
  • Patent number: 7269738
    Abstract: The present invention provides a device for securing data communication, said device being part of a system and comprising a dynamically reconfigurable logic array comprising separate blocks for algorithms needed for carrying out an application by the use of said device; a common memory means for storing configuration bitstreams, wherein each of said configuration bitstreams corresponds to a block; a configuration memory means for storing configuration bitstreams currently needed to configure said logic array; and a processing means for controlling a reconfiguration of said logic array and for configuring needed blocks into said logic array by use of said configuration bitstreams, said processing means being capable of communicating with other devices of said system.
    Type: Grant
    Filed: December 16, 1999
    Date of Patent: September 11, 2007
    Assignee: Nokia Corporation
    Inventor: Tommi Kivimäki
  • Patent number: 7260215
    Abstract: A method and apparatus for secure distribution of information over a network, comprising: encrypting payload information using a first encryption key in a first data processor; sending the payload information encrypted using the first encryption key to a second data processor; encrypting the payload information encrypted using the first encryption key using a second encryption key in the second data processor; and sending the payload information encrypted using the first encryption key and the second encryption key to a third data processor, and generating a decryption key based on the first encryption key and on the second encryption key, such that the decryption key is operable to compute the payload information by decrypting the payload information encrypted using the first encryption key and the second encryption key.
    Type: Grant
    Filed: September 4, 2002
    Date of Patent: August 21, 2007
    Assignee: PortAuthority Technologies Inc.
    Inventors: Lidror Troyansky, Ofir Carny
  • Publication number: 20070192627
    Abstract: While a semiconductor memory operates in a first operation mode with high security, an encrypted command is inputted and then decoded to acquire the first address information. After the semiconductor memory comes into a second operation mode where the level of security is lower than that of the first operation mode, a command is inputted. Then, the second address information is acquired from the command. A control circuit in the semiconductor memory generates an address of 10 bits by using the first address information as the high-order 4 bits and the second address information as the low-order 6 bits and outputs the address to a memory array. With this operation, it becomes possible to read/write data from/to the memory array.
    Type: Application
    Filed: January 30, 2007
    Publication date: August 16, 2007
    Applicant: MegaChips LSI Solutions Inc.
    Inventor: Takashi Oshikiri
  • Patent number: 7254631
    Abstract: A method (300) of distributing software features (particularly software products having a global portion and a user portion necessary for activating the software products) to client workstations of a network; each client workstation has a multi-user operating system, and may be accessed (327-328) with different user profiles each one associated with a corresponding operating context. A distribution package is received (312) in the client workstation; the distribution package includes instructions associated with global activities for the client workstation as a whole or with user activities specific for the single profiles. A distribution agent (running outside the context of a current profile) executes (309-329) only the global activity (even if the workstation is in a logoff condition) and schedules the user activities to be performed when a user next logs onto the workstation.
    Type: Grant
    Filed: January 8, 2002
    Date of Patent: August 7, 2007
    Assignee: International Business Machines Corporation
    Inventors: Michele Crudele, Luigi Pichetti
  • Patent number: 7240220
    Abstract: When data is encrypted and stored for a long time, encryption key(s) and/or algorithm(s) should be updated so as not to be compromised due to malicious attack. To that end, stored encrypted data is converted in the storage system with a new set of cryptographic criteria. During this process, read and write requests can be serviced.
    Type: Grant
    Filed: September 15, 2005
    Date of Patent: July 3, 2007
    Assignee: Hitachi, Ltd.
    Inventor: Nobuyuki Osaki
  • Patent number: 7237122
    Abstract: One embodiment of the present invention provides a system that facilitates software installation using embedded user credentials. The system receives a software installation package at a computer to be installed on the computer. The system then extracts an installation program from the software installation package. Next, the system determines if the current user has sufficient privileges to run the installation program. If not, the system recovers a set of user credentials from the software installation package that is associated with sufficient privileges to run the installation program. The system then authenticates to the computer using this set of user credentials. Finally, the system runs the installation program on the computer.
    Type: Grant
    Filed: October 19, 2001
    Date of Patent: June 26, 2007
    Assignee: McAfee, Inc.
    Inventors: Sunil S. Kadam, Tianying Fu, Michael P. Bacus
  • Patent number: 7227946
    Abstract: In a computing system, a method of operation comprises receiving a first permutation specification of a first permutation of a first plurality of inputs, receiving a first permutation modifier and receiving a first interaction specification of a first interaction between the first permutation and the first permutation modifier. A second permutation specification of a second permutation of the first plurality of inputs is generated, the second permutation being a composite permutation of the first permutation and the permutation modifier, reflective of the first specified interaction between the first permutation and the first permutation modifier.
    Type: Grant
    Filed: April 16, 2004
    Date of Patent: June 5, 2007
    Assignees: Oregon Health & Science University, National Security Agency
    Inventors: John Launchbury, Thomas Nordin, Mark Tullsen, William Bradley Martin
  • Patent number: 7222229
    Abstract: A system allowing a target machine to be booted up from a disk image stored in memory. Instead of reading the boot-up information from a disk drive or other physical device, the data is read from memory. No modification is necessary to the native operating system, input/output subsystem, bootstrap code, etc., since the invention modifies characteristics, such as vectors used by the operating system, to make the disk image in memory appear to be the same as a standard external device.
    Type: Grant
    Filed: December 2, 2005
    Date of Patent: May 22, 2007
    Assignee: VERITAS Operating Corporation
    Inventors: Carleton Miyamoto, Jagadish Bandhole, Sekaran Nanja
  • Patent number: 7213152
    Abstract: A modular BIOS update mechanism provides a standardized method to update option ROMs and to provide video and processor microcode upgrades in a computer system without requiring a complete replacement of the system BIOS. The MBU mechanism provides several advantages. First, new features and BIOS bugs from an earlier release may be delivered to an installed base of end-user systems even if direct OEM support cannot be identified. Also, BIOS components may be provided as a validated set of revisions. With resort to a validation matrix, BIOS updates may be managed easily. The modular BIOS update is particularly useful in systems having several independent BIOS's stored within unitary firmware.
    Type: Grant
    Filed: February 14, 2000
    Date of Patent: May 1, 2007
    Assignee: Intel Corporation
    Inventors: Andrew H. Gafken, Todd D. Wilson, Thomas Dodson, John V. Lovelace
  • Patent number: 7213268
    Abstract: A method is described for controlling customer installations of software or data by providing to the customer an encrypted list of authorized installation targets, whereby the installation program reads and decrypts the list, and only allows installation to proceed if the customer's installation target has a serial number that matches one of the vendor-provided serial numbers in the authorization list. Provision is also made for allowing customers to add serial numbers to the list, within constraints predetermined by the software vendor. Also provided is a method for a customer to perform a predetermined number of installations, whereby the software maintains and decrements a counter in an encrypted file on a storage medium, keeping track of how many remaining installations a customer may perform.
    Type: Grant
    Filed: July 25, 2003
    Date of Patent: May 1, 2007
    Assignee: Aviation Communication and Surveillance Systems, LLC
    Inventors: Desi Stelling, Timothy Schulze, Vance Walker
  • Patent number: 7188255
    Abstract: The present software delivery system includes a computer system and a CD-ROM. The computer system includes a central processing unit communicably coupled to a CD-ROM drive, a hard drive, and a non-volatile memory. The CD-ROM contains a control module and a plurality of software modules. Each of the software modules contains one or more software products which are the software to be delivered to the user of the computer system. Each of the software modules is assigned a unique identifier (ID) such as an identification number or code. In the non-volatile memory, addresses have been designated to contain an encrypted code key which comprises a list of identification numbers corresponding to the identification numbers of the software modules.
    Type: Grant
    Filed: January 14, 2000
    Date of Patent: March 6, 2007
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Ker Sze Toh, Lay Sie Lim, Chee Seng Poon, Dwight Allan DeBacker, John W. Lance
  • Patent number: 7181603
    Abstract: Redirecting function calls through a protected environment to effect secure linkage of program modules. In one embodiment, a program module, such as a player application for example, may make function calls to secure functions instead of to insecure operating system (OS) services, thereby deterring attacks on the player's calls to OS services. In one embodiment, the new secure functions provide similar functionality to the replaced OS services. Providing a securely loaded function for calling by a program module in place of calling an insecure OS function includes obtaining object code for the securely loaded function from a signed binary description file, performing signature and integrity verification of the program module using the signed binary description file, loading the object code for the securely loaded function into memory, and updating an address for calling the securely loaded function by the program module.
    Type: Grant
    Filed: March 12, 2002
    Date of Patent: February 20, 2007
    Assignee: Intel Corporation
    Inventors: Lewis V. Rothrock, Richard L. Maliszewski
  • Patent number: 7174465
    Abstract: A method is disclosed for securely updating system attributes of a client computer with a BIOS and includes signing a public key of a secure server with a private key of the BIOS prior to completion of manufacturing of the client computer to create an encrypted public key and embedded private key stored at the server. The method includes receiving at the server a request packet transmitted from the client computer requesting system attribute modification, encrypting the request packet to create an encrypted packet, and transmitting a return packet to the client computer comprising the encrypted packet, the server's public key, and server instructions. The client computer decrypts the request packet using the server's public key and compares it to the original request packet, and if identical, executes the server instructions to modify the client computer's boot block to update the client computer's system attributes.
    Type: Grant
    Filed: June 26, 2002
    Date of Patent: February 6, 2007
    Assignee: Lenovo Singapore Pte, Ltd
    Inventors: Joseph Wayne Freeman, Chad Lee Gettelfinger, Steven Dale Goodman, William Fred Keown, Jr., Eric Richard Kern, Randall Scott Springfield
  • Patent number: 7162647
    Abstract: When data is encrypted and stored for a long time, encryption key(s) and/or algorithm(s) should be updated so as not to be compromised due to malicious attack. To that end, stored encrypted data is converted in the storage system with a new set of cryptographic criteria. During this process, read and write requests can be serviced.
    Type: Grant
    Filed: March 11, 2004
    Date of Patent: January 9, 2007
    Assignee: Hitachi, Ltd.
    Inventor: Nobuyuki Osaki
  • Patent number: 7146339
    Abstract: An image processing apparatus which stores user information related to a seller or a buyer of the image processing apparatus. The user information is thereafter multiplexed to an output image formed by the image processing apparatus. If the output image were an unlawful image, the seller or the buyer could be identified from the user information multiplexed in the output image.
    Type: Grant
    Filed: February 13, 2001
    Date of Patent: December 5, 2006
    Assignee: Canon Kabushiki Kaisha
    Inventor: Keiichi Iwamura
  • Patent number: 7142503
    Abstract: A communication system (10) supports the provision of a plurality of dedicated communication resources (50–64), such as copper drops, RF links and optical fibers, to dedicated home-gateway devices (44–48) or distribution points (124). The communication resources (50–64) support broadband interconnection (104) between the dedicated home-gateway devices (44–48) or distribution points (124) and an access multiplexor (30) in a network (12). Each gateway device (44–48) or distribution point (124) generally includes a local RF transceiver (84) and associated control logic (80–82) that allows local communication (86) between gateway devices (44–48) and hence statistically multiplexed access (60–64, 89) to multiple communication resources, thereby providing increased bandwidth in uplink and/or downlink directions.
    Type: Grant
    Filed: February 11, 2000
    Date of Patent: November 28, 2006
    Assignee: Nortel Networks Limited
    Inventors: Michael F Grant, Igor K Czajkowski, Brian M Unitt
  • Patent number: 7143294
    Abstract: An apparatus and method for enabling functionality of a component, wherein the apparatus includes a random number generating module for generating a random number, and a hash function module in communication with the random number generating module. A host is provided in communication with the random number generating module, and at least one memory in communication with the host is included. An encryption module in communication with the at least one memory is provided, and a comparing device in communication with the encryption module and the hash function module is included. The comparing device of the apparatus compares a first bit string to a second bit string to generate a function enable output for the component.
    Type: Grant
    Filed: October 11, 2000
    Date of Patent: November 28, 2006
    Assignee: Broadcom Corporation
    Inventor: Anders Johnson
  • Patent number: 7136939
    Abstract: Configuration information settings for a storage device are made highly reliable and facilitated. The storage device includes a service processor for setting storage device configuration information, and a terminal device connected to the service processor via a private line to send a command group, received from an operator and related to the storage device configuration information, to the service processor. The service processor also includes a device for determining approval or denial of execution of the command group prior to execution of the command group received from the terminal device.
    Type: Grant
    Filed: August 5, 2003
    Date of Patent: November 14, 2006
    Assignee: Hitachi, Ltd.
    Inventors: Toshimichi Kishimoto, Yoshinori Igarashi, Shuichi Yagi
  • Patent number: 7136488
    Abstract: In a microprocessor that internally has a microprocessor specific secret key, a key management unit is provided to carry out a key registration for reading out from an external memory a distribution key that is obtained in advance by encrypting the instruction key by using a public key corresponding to the secret key, decrypting the distribution key by using the secret key to obtain the instruction key, and registering the instruction key in correspondence to a specific program identifier for identifying the program into a key table, and to notify a completion of the key registration to the processor core asynchronously by interruption when the key registration is completed.
    Type: Grant
    Filed: January 31, 2002
    Date of Patent: November 14, 2006
    Assignee: Kabushiki Kaisha Toshiba
    Inventors: Mikio Hashimoto, Kenji Shirakawa, Keiichi Teramoto, Kensaku Fujimoto, Satoshi Ozaki