Abstract: A method, system, and apparatus for performing computations. In a method, arguments X and K are loaded into session memory, and X mod P and X mod Q are computed to give, respectively, XP and XQ. XP and XQ are exponentiated to compute, respectively, CP and CQ. CP and CQ are merged to compute C, which is then retrieved from the session memory. A system includes a computing device and at least one computational apparatus, wherein the computing device is configured to use the computational apparatus to perform accelerated computations. An apparatus includes a chaining controller and a plurality of computational devices. A first chaining subset of the plurality of computational devices includes at least two of the plurality of computational devices, and the chaining controller is configured to instruct the first chaining subset to operate as a first computational chain.

Abstract: An information-processing method for application-specific processing of messages. A message is received. Whether the message is in a selected application format is ascertained. If not, the message is routed to a next location. If so, the message is routed to a selected application processor, processed by the processor, and routed to the next location.

Abstract: A computer system has a resource, a verification unit and an execution engine for running a body of program code having an associated signature. A cryptographic key is associated with the resource and when the code is to be loaded into the execution engine a verification operation is run on the signature using the cryptographic key associated with the resource. The execution engine is separate from the resource and when access to the resource is required by the code in the execution engine a further verification operation is conducted on the signature using the cryptographic key associated with the resource. Access to the resource by the code depends upon the result of the verification operation.

Abstract: A method, system, and device for encrypted packet inspection allowing an authorized third party device to monitor cryptographic handshaking information (full- duplex) between two other devices and together with the secret private key then transparently decrypt the bulk encrypted data stream. The scope of this invention encompasses many applications, three examples of which are firewalls, load balancers, and local network caches. Additionally, this invention achieves and contributes to the efficient handling of encrypted information in other ways, three examples of which are making switching, routing, and security decisions.

Abstract: A method is described herein for transmitting data from a first point (203) to a second point (205) on a network (201) via a proxy server (207). In accordance with the method, a first data packet is received from the first point at the proxy server without sending an acknowledgement packet to the first point. The first data packet is forwarded from the proxy server to the second point, and a second data packet is received from the second point at the proxy server. The second data packet is then forwarded to the first point along with an acknowledgement packet for receipt of the first data packet from the first point at the proxy server.

Abstract: A data encryption method performed with ring arithmetic operations using a residue number multiplication process wherein a first conversion to a first basis is done using a mixed radix system and a second conversion to a second basis is done using a mixed radix system. In some embodiments, a modulus C is be chosen of the form 2w?L, wherein C is a w-bit number and L is a low Hamming weight odd integer less than 2(w?1)/2. And in some of those embodiments, the residue mod C is calculated via several steps. P is split into 2 w-bit words H1 and L1. S1 is calculated as equal to L1+(H12x1)+(H12x2)+ . . . +(H12xk)+H1. S1 is split into two w-bit words H2 and L2. S2 is computed as being equal to L2+(H22x1)+(H22x2)+ . . . +(H22xk)+H2. S3 is computed as being equal to S2+(2x1+ . . . +2xk+1). And the residue is determined by comparing S3 to 2w. If S3<2w, then the residue equals S2. If S3?2w, then the residue equals S3?2w.

Abstract: A secure time stamping device uses multiple virtual clocks, each of which may be individually accessed and calibrated. A digital key is associated with each of the clocks. All of the virtual clocks use a common timer (130), with the actual clock output being generated by applying calibration information (124) for that clock to the timer (130) output. A user wishing to have a message time stamped presents that message along with information as to which virtual clock to be used at a device input (92). The appropriate calibration information (124) is then selected and the timer (130) output is compensated accordingly. The incoming message plus the resultant time are concatenated and automatically signed using the key (126) applicable to that particular virtual clock.

Abstract: A method and system for generating a cryptographically random number stream (100) is provided. A system includes a module (102) configured to provide at least two statistically random number streams (106) and (108) and an oscillator (104) operably coupled to the module (102). The oscillator (104) is configured to operate at a frequency which varies in response to physically unpredictable events and to select a current number from one of the at least two statistically random number streams (106) and (108) based on the oscillator's state. A process includes several steps. At least two statistically random number streams are provided (138). A current number is selected (140) from one of the at least two statistically random number streams based on the state of an oscillator operating at a frequency which varies in response to physically unpredictable events. The step of selecting (140) is repeated (142) to create the cryptographically random number stream.

Abstract: A system and method for processing server-to-client and client-to-server data communications using data processing devices (DPDs) in a small-area system, such as a local area network or smaller system. The DPDs act as proxies for the servers to which the transmissions are directed. The DPDs are connected to each other in a small-area system using interconnect devices, preferably forming a bidirectional ring network, so that received transmissions can be passed among the DPDs to the appropriate DPD. The resulting system allows the DPDs to perform processing on the incoming data communications, offloading this task from the destination servers. While the preferred embodiment is specifically drawn to DPDs that perform encryption/decryption, the disclosed system may implement any number of data processing applications on data that is being transmitted between clients and servers.

Abstract: A state decision subsystem (SDS) including an inload module, a simple programmable entity (SPE), at least one SPE memory, an unload module, and a coherency module. The inload module reads state information from a memory subsystem—the state information corresponding to TCP packets that are to be processed. In addition, the inload module writes contexts to the SPE memory. Each context includes both a TCP packet and its corresponding state information. The SPE reads each context from the SPE memory, processes the context, and writes the processed context to the SPE memory. The processed context includes both a processed TCP packet and its corresponding processed state information. Furthermore, the unload memory reads the processed context and writes the processed state information to the memory subsystem.

Abstract: A memory architecture design and strategy is provided using memory devices that would normally be considered disadvantageous, but by accommodating the data input, output, and other peripheral controller services, overall performance in this mode is optimized. The surprising result is that even though the choice of memory is inappropriate for the task based on the precepts of the prior art, the overall memory system is effective. Bank switching in DDR-SDRAM can be utilized to achieve technological feasibility without resorting to, for example, SRAM.

Abstract: A method for the secure transmission of data from a distributor to a client over a computer network. The method includes encrypting the data using an encryption confidentiality key known to the client, but not the distributor. The method also includes storing the encrypted data at the distributor and generating a message by further encrypting the encrypted data using an encryption transmission key. The corresponding transmission decryption key is also known by the client. Also, the method includes transmitting the generated message to the client.

Abstract: A cryptographic security module holds a cryptographic key having a private part and a public part. The private part is held within the module and is usable only to sign messages generated within the module. The public part can be extracted from the module and is usable by a warranting authority to generate a warrant for the module. The module may be used to generate a new key and the private part of the cryptographic key used to generate a key-generation certificate by signing a key-generation message containing information by which the new key can be identified.

Abstract: The invention relates to a method of storing items of data in a memory device. The memory device has an array of a storage locations, each identified by an address corresponding to a unique multi-bit index value. The data items consist of a multi-bit identifier value and an information value. The method includes generating a first index value corresponding to the address of a fist storage location as a first function of the identifier value of an item of data and a first number from a predetermined sequence of numbers. If the first storage location is unoccupied, the item of data is stored therein. Alternatively, if the first storage location is already occupied, a second index value corresponding to the address of a further storage location is generated as a function of the identifier value and a second number from the predetermined sequence of numbers. If the further storage location is unoccupied, the item of data is stored therein. The invention also relates to a memory device for storing items of data.

Abstract: A method and apparatus for the generation and use of a biometric cryptographic key to secure and retrieve data that involves combining a random key and the biometric information to generate a template, such that the cryptographic key needed to retrieve the data cannot be obtained from the combination unless the identical user submits his or her biometric information during a subsequent biometric scan at which time the cryptographic key is generated from a combination of the stored template and the scan, allowing the secured data to be released and/or decrypted. Thus, if the system containing the secured data were compromised it would be virtually impossible to decrypt the data because not enough information resides on the system to re-construct the cryptographic key.

Abstract: A method is described of managing memory in a microprocessor system comprising two or more processors (40, 42). Each processor (40, 42) has a cache memory (44, 46) and the system has a system memory (48) divided into pages subdivided into blocks. The method is concerned with managing the system memory (48) identifying areas thereof as being "cacheable", "non-cacheable" or "free". Safeguards are provided to ensure that blocks of system memory (48) cannot be cached by two different processors (40, 42) simultaneously.