Patents Assigned to SafeNet, Inc.
  • Publication number: 20100095115
    Abstract: A technique for encrypting a file without changing file size may involve encrypting a first set of a plurality of blocks of a file in a first encryption mode using the first set of encryption keys and/or the first set of configuration rules, and a second set of the plurality of blocks of the file in a second encryption mode using a second set of the encryption keys and/or a second set of the configuration rules without causing the file to increase in size before and after the encryption. Here, the first and the second encryption modes are chosen to be different, so are the first and the second sets of the encryption keys and/or the configuration rules to reduce security risk of the file being encrypted.
    Type: Application
    Filed: January 28, 2008
    Publication date: April 15, 2010
    Applicant: SafeNet, Inc.
    Inventor: Eric Murray
  • Publication number: 20100070778
    Abstract: A technique for secure file encryption first chooses a file encryption key randomly among a set of file encryption keys and encrypts a file using the chosen file encryption key based on a set of encryption rules. The file encryption key can then be encrypted via a directory master secret (DMS) key for an extra layer of security so that an intruder cannot decrypt the encrypted file even if the intruder gains access to the DMS-encrypted file encryption key. Finally, the DMS-encrypted file encryption key can be stored in a metadata associated with the file.
    Type: Application
    Filed: January 28, 2008
    Publication date: March 18, 2010
    Applicant: SafeNet, Inc.
    Inventor: Eric Murray
  • Publication number: 20100024026
    Abstract: A method and apparatuses are disclosed for handling digital data packets at a logical borderline that separates an untrusted packet-switched information network from a protected domain. A packet processor part intercepts a packet that is in transit between the untrusted packet-switched information network and the protected domain. The packet is examined at the packet processor part in order to determine whether the packet contains digital data that pertains to a certain protocol. If the packet is not found to contain such digital data, it is processed at the packet processor part. If the packet is found to contain digital data that pertains to said certain protocol, it gets redirected to an application gateway part that processes the packet according to a set of processing rules based on obedience to said certain protocol. The packet processor part is a kernel mode process running in a computer device and the application gateway part is a user mode process running in a computer device.
    Type: Application
    Filed: September 30, 2009
    Publication date: January 28, 2010
    Applicant: SafeNet, Inc.
    Inventors: Tatu Ylonen, Tero Kivinen, Markus Levlin
  • Publication number: 20100011375
    Abstract: In an embodiment of a method of and system for secure communication, a computer system comprises a primary system protocol stack operative in kernel space and interfacing with an external network. A secondary system protocol stack, security software, and at least one application program operate in user space, and may be provided on a portable storage medium by a user who does not have privileges to install programs in kernel space. The application program interfaces with the secondary system protocol stack. The secondary system protocol stack interfaces with the primary system protocol stack. The security software operates on communications through the secondary system protocol stack.
    Type: Application
    Filed: June 11, 2009
    Publication date: January 14, 2010
    Applicant: SafeNet, Inc.
    Inventor: Tero Kivinen
  • Publication number: 20090265348
    Abstract: In an embodiment of a method of and system for detecting rollback of usage data, the usage data is recorded in a database. A sequence value in the database is repeatedly advanced. A copy of the sequence value is repeatedly saved to protected storage. The copy of the sequence value in the protected storage is compared with the sequence value in the database, and it is determined whether the result of the comparison is consistent with normal operation of the database since the previous save to protected storage.
    Type: Application
    Filed: April 16, 2008
    Publication date: October 22, 2009
    Applicant: SafeNet, Inc.
    Inventor: Laszlo Elteto
  • Publication number: 20090240937
    Abstract: A novel approach introduces an extra layer of data security by storing files and the keys required to access the files separately. When the files are being accessed, the host of the files sends a request to an access device that stores the keys to access the files. The key will be provided to the host only if at least one of the following conditions is met: the host is within close proximity of the access device, the identity of the person attempting to access the files is authenticated, or the security status of the host is verified.
    Type: Application
    Filed: March 19, 2008
    Publication date: September 24, 2009
    Applicant: SafeNet, Inc.
    Inventors: Brian Metzger, Venkitachalam Gopalakrishnan
  • Publication number: 20090240953
    Abstract: A technique is introduced to support on-disk software image encryption. Image of a software component deployed to a host is encrypted when the image is created and/or its content is changed, before such image of the software component is being saved to a non-volatile storage of the host. The encrypted image of the software component is decrypted only at startup and/or resume time of the software component. Once decrypted, the image of the software component is loaded into a volatile storage of the host so that the software component can be up and running.
    Type: Application
    Filed: March 19, 2008
    Publication date: September 24, 2009
    Applicant: SafeNet, Inc.
    Inventor: Prabir Paul
  • Patent number: 7548992
    Abstract: The invention relates to methods for processing data packets according to a set of rules, and especially for preparing of decision trees for selecting the correct rule for processing of a data packet. In preparation of a decision tree, a splitting point within a dimension being studied is chosen as follows. The rules are sorted to allow monotonous iteration through all range end values specified in the rules in the dimension being studied. The range end values are then iterated through in a monotonous fashion, either increasing or decreasing. At each iteration, the number of range low end values and the number of range high end values being equal to the current iteration value is counted. From these counts and the accumulated results from the corresponding counts in previous iterations, the numbers of rules with ranges in different positions relative to the current iteration value are deduced, and from these values, the goodness of the iteration value is calculated.
    Type: Grant
    Filed: March 28, 2003
    Date of Patent: June 16, 2009
    Assignee: SafeNet, Inc.
    Inventor: Kenneth Oksanen
  • Patent number: 7519835
    Abstract: The present invention teaches a variety of methods for building and searching secure, indexed database tables. Sensitive portions of the database tables and database indexes are encrypted, ordered and searched according to Boolean functions arranged to work with encrypted data. Also disclosed is a database management system that allows authorized users to build and search encrypted tables.
    Type: Grant
    Filed: May 20, 2004
    Date of Patent: April 14, 2009
    Assignee: SafeNet, Inc.
    Inventor: Andrew Koyfman
  • Patent number: 7505473
    Abstract: A method and devices are provided for handling a broadcast packet in a computer (131, 132, 612, 622, 632, 711, 721, 731, 741, 1111, 1112, 1301) that has an IPsec-protected connection to a part (121, 122, 141, 732, 733, 742, 743, 1113, 1114) of a logical network segment (101, 601, 701, 1101) within which the broadcast packet should be distributed. The IPsec protection specifies what kinds of packets are acceptable for transmission over the IPsec-protected connection. The broadcast packet is encapsulated (204, 311, 508, 835, 838, 840, 842, 849, 852, 909) into a form that is acceptable for transmission over the IPsec-protected connection. It is then transmitted (205, 206, 312, 509, 836, 839, 841, 843, 850, 853, 910) to the part of the logical network segment through the IPsec-protected connection.
    Type: Grant
    Filed: June 30, 2003
    Date of Patent: March 17, 2009
    Assignee: SafeNet, Inc.
    Inventor: Santeri Paavolainen
  • Patent number: 7463739
    Abstract: Disclosed are a system and a method for transferring with improved security root keys from a key provider system to a customer system via an information network that is other than secure. The key provider provides a secure module having a super-root key stored therein within the customer system. The super-root key is accessible internally to the module only by program code executable on a processor internal to the module, and only in response to a request from a corresponding module of the key provider system. The super-root key is only for use in decrypting encrypted root keys that are provided from the key provider system, which decrypted root keys are stored internally to the secure module.
    Type: Grant
    Filed: August 2, 2001
    Date of Patent: December 9, 2008
    Assignee: SafeNet, Inc.
    Inventor: Bruno Couillard
  • Patent number: 7461370
    Abstract: A system for processing regular expressions containing one or more sub-expressions. Information regarding one or more regular expressions, each containing one or more sub-expressions, is stored. Data is compared to the stored information regarding expressions in only a single pass through the data. From the comparison, for any stored expression, the location within the data of the beginning and end of each sub-expression, and the end of the regular expression, are determined. From such determination, the presence within the data of any one or more stored regular expressions containing one or more sub-expressions is identified.
    Type: Grant
    Filed: February 7, 2003
    Date of Patent: December 2, 2008
    Assignee: SafeNet, Inc.
    Inventors: Daniel Wyschogrod, Leonid Leibman
  • Publication number: 20080109661
    Abstract: A computer security system may include a removable security device adapted to connect to the input/output port of a computer. The security device may include: a random access memory (RAM) cell; and a processor. The security system may further include: at least one encrypted update packet stored remotely from the security device and adapted to modify the contents of the RAM cell; and a private key located on the security device and adapted to decrypt the update packet; and at least one of a device driver, a software application, and/or a library stored remotely from, and in communication with, the security device and adapted to cause the contents of the at least one cell to be switched out of the cell, stored remotely from the cell, and loaded back into the cell.
    Type: Application
    Filed: November 6, 2006
    Publication date: May 8, 2008
    Applicant: SafeNet, Inc.
    Inventor: Mehdi Sotoodeh
  • Publication number: 20080064265
    Abstract: A portable computer device, comprising a circuit board; a connector in communication with the circuit board, the connector adapted for insertion into a computer port; a light source associated with the circuit board; and a housing encasing at least the circuit board and the light source, the housing comprising a substantially opaque body portion and a substantially transparent or translucent lens portion, the lens portion located proximate the light source.
    Type: Application
    Filed: September 12, 2006
    Publication date: March 13, 2008
    Applicant: Safenet, Inc.
    Inventors: Brian Curtis Sterling, John Robert Cetrone
  • Patent number: 7337323
    Abstract: A method and apparatus for booting a computer. The method comprises the steps of emulating a floppy disk drive communicatively coupled to a computer in a token via a USB-compatible interface, and booting the computer using the token. The apparatus comprises means for performing these functions, including a token with a processor having one or more memories storing processor instructions and data for performing the method steps. The memory may also securely store sensitive data.
    Type: Grant
    Filed: September 17, 2003
    Date of Patent: February 26, 2008
    Assignee: SafeNet, Inc.
    Inventors: Michael Lloyd Cochran, Laszlo Elteto, Jenine Ann McQuaid, James W. Yip
  • Patent number: 7328348
    Abstract: A method and system for securely timestamping digital data is disclosed. A secure encryption key is provided within a timestamping module. The timestamping module comprises a processor for performing security functions with the secure encryption key. The processor is operable in a first mode wherein the secure encryption key is used for encryption operations and for test operations and in a second mode in which the secure encryption key is only used for timestamping operations. Once the processor performs a function with the secure encryption key in the second mode it is precluded from performing further functions in the first mode with the secure encryption key. After the processor has been placed in the second mode of operation a unique code for being embedded within timestamped digital data is generated. Data indicative of a real time a request for a timestamping operation has been received is then provided to the processor from a real time clock.
    Type: Grant
    Filed: August 2, 2001
    Date of Patent: February 5, 2008
    Assignee: SafeNet, Inc.
    Inventor: Bruno Couillard
  • Patent number: 7320075
    Abstract: A system and method in which the operating system of the user computer loads the software application and a DLL having a portion of the application execution code stored therein into memory is disclosed. At selected points during its execution, the software application calls the DLL to execute a portion of the application code that was saved into the DLL before delivery to the end user. Since this code is encrypted and the encryption key is stored in a hardware security device and not in the DLL or the software application, the application code portion cannot be executed without recovering the key.
    Type: Grant
    Filed: November 18, 2002
    Date of Patent: January 15, 2008
    Assignee: SafeNet, Inc.
    Inventors: Mehdi Sotoodeh, Brian Douglas Grove, Laszlo Elteto
  • Patent number: 7310800
    Abstract: A method and system for overriding selected ROM code functions or adding new ROM code functions within a processing system. A system designer determines an existing ROM address for the selected existing code function or a desired ROM address for the new code function. The system designer then programs a patch to replace the selected existing code function or programs a new code function. The patch or new code function is then loaded into a first memory. A loader module is also programmed and loaded into the first memory. Upon system boot-up, the loader module transfers any patches or new code functions within the first memory into a second memory that is memory-mapped to the ROM. This second memory can be accessed by the processor at a faster rate than the processor can access ROM. During a processor request cycle, the processor first examines the second memory for the presence of a desired ROM code function.
    Type: Grant
    Filed: February 28, 2001
    Date of Patent: December 18, 2007
    Assignee: SafeNet, Inc.
    Inventor: Roger J. Brouwer
  • Patent number: 7305391
    Abstract: A method for determining the start of a match of a regular expression using the special state table, the set of start state registers and the DFA next state table, includes the step of determining from the regular expression each start-of-match start state and each end-of-match terminal state. For each start state, a start state entry is loaded into the special state table. For each terminal state, a terminal state entry is loaded into each special state table. The next state table is used to return the next state from the current state and an input character. When a start state is encountered, the current offset from the beginning of the input character string is loaded into the start state register. When a terminal state is encountered, the terminal state entry is retrieved from the special state table, and the value of the start state register corresponding to the rule number of the terminal entry in the special state table is further retrieved.
    Type: Grant
    Filed: February 6, 2004
    Date of Patent: December 4, 2007
    Assignee: SafeNet, Inc.
    Inventors: Daniel Wyschogrod, Leonid Leibman
  • Patent number: 7302487
    Abstract: A method is presented for setting up communication parameters in a virtual private network node for connecting to at least one other node in the virtual private network. The method may include reading information from a hardware token for determining how to connect to a packet data network; reading information from the hardware token for determining how to obtain configuration information for the virtual private network node; connecting to a packet data network on the basis of information read from the hardware token; obtaining configuration information for the virtual private network node on the basis of information read from the hardware token; and using obtained configuration information for setting up the communication parameters.
    Type: Grant
    Filed: March 22, 2002
    Date of Patent: November 27, 2007
    Assignee: SafeNet, Inc.
    Inventors: Tatu Ylonen, Tero Kivinen, Marko Teiste