Abstract: A compact, self-contained, personal key is disclosed. The personal key comprises a USB-compliant interface releaseably coupleable to a host processing device; a memory; and a processor. The processor provides the host processing device conditional access to data storable in the memory as well as the functionality required to manage files stored in the personal key and for performing computations based on the data in the files. In one embodiment, the personal key also comprises an integral user input device and an integral user output device. The input and output devices communicate with the processor by communication paths which are independent from the USB-compliant interface, and thus allow the user to communicate with the processor without manifesting any private information external to the personal key.

Abstract: A device that secures a token from unauthorized use is disclosed. The device comprises a user interface for accepting a personal identifier, a processor, communicatively coupled to the user interface device, and a token interface. The token interface includes a token interface IR emitter that produces an IR signal having information included in the PIN. The token IR emitter is coupled to the processor and is further communicatively coupled to a token IR sensor when the token is physically coupled with the token interface. The token interface also includes a shield, substantially opaque to the IR signal, for substantially confining the reception of the IR signal to the token IR sensor. In one embodiment, the shield substantially circumscribes the IR emitter. In another embodiment, the interface also comprises a token interface IR sensor, which allows communications from the token to the device as well.

Abstract: A computer-implemented method of generating an elliptic curve cryptosystem (ECC) signature includes the steps of: generating a first random key (k1) having n bits, where n is a natural number; calculating a first ECC point (V) from k1 and a base point; and storing k1 and V securely in a computer-readable medium. To digitally sign electronic data, the method further includes the steps of generating a second random key (k2), where k2 has fewer than n bits; calculating a second ECC point (Q) from V and k2; and digitally signing electronic data using Q.

Abstract: A method, apparatus, and article of manufacture for protecting a shelled computer program with a startup code featuring multiple-route execution. In one embodiment, the startup code comprises a sequence of tasks, collectively executing a startup code, wherein one or more of the tasks is selectably performed by one of a plurality of task code variations as selected by a selection code associated with the task.

Abstract: A method for preventing unauthorized use of a software program on a computing device includes updating a state of a software program on a computing device to an updated state. Transmitting an update signal from the software program to a hardware token coupled to the computing device and updating a state of the hardware token to an updated state in response to the received update signal. Performing a first cryptographic check using the updated state of the software program and the updated state of the hardware token with the hardware token. Transmitting the first cryptographic check from the hardware token to the software program and performing a second cryptographic check using the state of the hardware token and the state of the software program with the computing device.

Abstract: A system and method for binding a protected application to a shell module. The shell module is appended to the application. The shell module executes prior to the execution of the application, and first creates a resource. After the shell module finishes execution, the application tries to access the created resource. If the access is successful, the application is allowed to proceed. Otherwise, the application terminates. The inability of the application to access the resource is an indication that the shell module never actually created the resource. This suggests that the shell module never executed; the shell module may have been either removed or functionally disconnected from the application. This further implies that the security functionality of the shell module has not executed. The application is therefore not permitted to execute, since the shell's security checks have probably not been performed.

Abstract: A method for generating look-up tables for a high speed multi-bit Real-time Deterministic Finite state Automaton (hereinafter RDFA). The method begins with a DFA generated in accordance with the prior art. For each state in the DFA, and for each of the bytes recognized in parallel the following occurs. First an n-closure list is generated. An n-closure list is a list of states reachable in n-transitions from the current state. Next an alphabet transition list is generated for each state. An “alphabet transition list” is a list of the transitions out of a particular state for each of the characters in an alphabet. Finally, the transitions are grouped into classes. That is, the transitions that go to the same state are grouped into the same class. Each class is used to identify the next state. The result is a state machine that has less states than the original DFA.

Abstract: A method, apparatus, and article of manufacture provide the ability to rapidly generate a large prime number to be utilized in a cryptographic key of a cryptographic system. A candidate prime number is determined and a mod remainder table is initialized for the candidate prime number using conventional mod operations. If all mod remainder entries in the table are non-zero, the candidate number is tested for primality. If the candidate prime number tests positive for primality, the candidate number is utilized in a cryptographic key of a cryptographic system. If any of the table entries is zero, the candidate number and each mod remainder entry are decremented/incremented. If any mod remainder entry is less than zero or greater than the corresponding prime number, the corresponding prime number is added/subtracted to/from the mod remainder. The process then repeats until a satisfactory number is obtained.

Abstract: A “dual” personal key/token is disclosed. The “dual” personal key is useful for installing drivers and other command interfaces which allow the personal key to be coupled to and used with a host computer. In a first embodiment, the personal key operates as a USB hub, and reports two devices, a storage device and a personal key, to the host computer. In a second embodiment presents a single device, and different portions of the personal key are activated as required.

Abstract: A security system including a token and a host system. The token includes volatile random access memory for storing security data for use during a step of secure authentication, an interface for providing communication with a host system when coupled thereto, and a processor. The processor performs the steps of authenticating a host system and the token, providing secure information to the host system upon authentication therewith, and re-authenticating the host system and the token in response to receipt of the secure information after a reset of the token has occurred.

Abstract: A system and method for the issuance of software licenses through a tiered structure, whereby a software license is issued from a software developer to an end user through one or more intermediate layers of distribution. The system and method for doing so enforces a predefined security policy. In an embodiment of the invention, the security policy is defined by the security developer. The security policy may, for example, address who may use the software package, how many users there may be, an expiration date for use of the software, and/or specific features that may or may not be used by a particular user. The software developer first issues a license template to the next intermediate layer of distribution. This may be a software distributor, who then specifies one or more restrictions on the use of the software. This is done be articulating these restrictions in the license template, effectively “filling in” some or all of the template.

Abstract: A method and apparatus for securing a token from unauthorized use is disclosed. The method comprises the steps of receiving a first message transmitted from a host processing device and addressed to a PIN entry device according to a universal serial bus (USB) protocol; accepting a PIN entered into the PIN entry device; and transmitting a second message comprising at least a portion of the first message and the PIN from the PIN entry device to the token along a secure communication path.

Abstract: A Synchronized-Download Version Manager (S-DVM) allows media creators to take advantage of the valuable attributes embedded in a media file because it provides the ability to not only download and identify the different media versions that pervade the Internet, but it also enables the analysis, investigation, and tracking of each of the attributes embedded in the file, attributes which can help in the tracing of distribution leaks, master file theft, and file propagation.

Abstract: A system and method for highly secure data communication. Embodiments of the invention may include encrypting data a first time, packetizing the data, encrypting the data a second time and transmitting the data. Encryption may occur at a data link layer and an Internet Protocol layer. Packetized, twice encrypted data may be transmitted over a network, such as, for example, the Internet. The system may include a first computer system containing data for transmission, a first interface device that receives data from the first computer system, a second interface device that receives data from the first interface device, and a second computer system that receives data from the second interface device.

Abstract: A system, method and apparatus for protecting circuit components from unauthorized access. The circuit components to be protected are disposed on a first layer of a substrate with a plurality of layers. A cover member composed of a plurality of layers is abutted to the substrate, defining an enclosure space for enclosing the circuit components to be protected. A three-dimensional resistive network sensor surrounds the protected circuit components. The sensor comprises at least one conduction path in at least one of the layers below the first layer of the substrate and at least one conduction path in at least one of the layers of the cover member and also comprises a plurality of vias transverse to and electrically connecting the conduction paths. A short or open in the sensor will be detected by a tamper detection circuit that is disposed on the first layer of a substrate.

Abstract: A method and apparatus for protecting computer software from unauthorized execution or duplication using a hardware key is disclosed. The apparatus comprises a means for communicating with the computer to receive command messages from the computer in the hardware key and to provide response messages to the computer, a memory for storing data for translating command messages into response messages enabling software execution, and a processor coupled to the communicating means for translating command messages into response messages using the data stored in the memory. The processor further comprises a memory manager, including means for logically segmenting the memory storing the data into at least one protected segment, and a means for controlling access to the protected segment.

Abstract: A method for synchronizing a timing device of a client station via a communications network is disclosed. A plurality of packets is sent from a time server to the client station via the communications network. Upon receipt of the plurality of packets at the client station a time indicative of a local time of receipt of the plurality of packets is determined and the plurality of packets are returned to the time server via the communications network. Upon receipt of the plurality of packets at the time server data in dependence upon round trip delay of the packets and variance in packet spacing are determined and compared to threshold values. If the determined data are within the threshold values data indicative of a time correction are determined and sent from the time server to the client station.

Abstract: A method, apparatus, and article of manufacture for a computer implemented packet processor. The packet processor processes packets in parallel. In particular, the packet processor performs a combination of encryption and authentication on data packets. The encryption and authentication processing of a second data packet may begin before the encryption and authorization processes of a first data packet have completed.

Abstract: A system for managing licenses for protected software on a communication network is disclosed. The system includes at least one client computer that is capable of being coupled to or decoupled from the communication network. While coupled to the communication network, a user of the client computer may request a commuter authorization to use the protected software. At least one license server is also coupled to the communication network. Each license server is programmed for managing a distribution of allocations to use the protected software. In addition, at least one of the license servers is programmed for granting a commuter authorization in response to a request for a commuter authorization from a client computer if there is an available authorization. After a commuter authorization is received by a client computer, the client computer stores a commuter authorization lifetime representing a time period for which the commuter authorization is valid.

Abstract: A key management scheme for managing encryption keys in a cryptographic co-processor includes the first step of selecting a key from one of a symmetrical key type and an asymmetrical key type. Then, the key bit length is selected. The key is then generated and, lastly, the key is represented in either an external form or an internal form.