Patents Examined by Abdulhakim Nobahar
  • Patent number: 8045708
    Abstract: A computer enabled secure method and apparatus for generating a cryptographic key, to be used in a subsequent cryptographic process, where the key is to be valid only for example during a specified time period. The method uses a polynomial function which is a function of an input variable such as time, and dynamically computes the key from the polynomial. This is useful for generating decryption keys used for distribution of encrypted content, where the decryption is to be allowed only during a specified time period.
    Type: Grant
    Filed: May 21, 2008
    Date of Patent: October 25, 2011
    Assignee: Apple Inc.
    Inventors: Pierre Betouin, Mathieu Ciet, Augustin J. Farrugia
  • Patent number: 8032757
    Abstract: Processes for fingerprinting a document and for preventing information leakage at a deployment point are disclosed. For fingerprinting a document, a sequence of hash values for a document is generated, a portion of said hash values to be selected as fingerprints for the document. A current window is positioned over a portion of the sequence of hash values. The hash values are examined starting from one end of the current window, and a first-encountered hash value that is 0 modulo P is selected to be a fingerprint for the current window. For information leakage prevention at a deployment point, a rolling hash calculation is performed on a target document, and a determination is made if a hash value is 0 modulo P. A first filter is applied if the hash value is 0 modulo P, and a second filter is otherwise applied. Other embodiments, aspects and features are also disclosed.
    Type: Grant
    Filed: May 16, 2008
    Date of Patent: October 4, 2011
    Assignee: Trend Micro Incorporated
    Inventors: Xiaoming Zhao, Gang Chen, Kan Dong
  • Patent number: 8024777
    Abstract: In one example, a system for authenticating domains operates by authenticating a first domain and the extensions that make up the URI of an initial or primary Internet network call. Thereafter, the system can enable the owner of the first domain to make assertions or statements about additional domains and URIs that make up the rest of the web page, session or application.
    Type: Grant
    Filed: November 20, 2009
    Date of Patent: September 20, 2011
    Inventors: Mark Kevin Shull, John Francis Mergen
  • Patent number: 8020204
    Abstract: A migration scheme for virtualized Trusted Platform Modules is presented. The procedure is capable of securely migrating an instance of a virtual Trusted Platform Module from one physical platform to another. A virtual Trusted Platform Module instance's state is downloaded from a source virtual Trusted Platform Module and all its state information is encrypted using a hybrid of public and symmetric key cryptography. The encrypted state is transferred to the target physical platform, decrypted and the state of the virtual Trusted Platform Module instance is rebuilt.
    Type: Grant
    Filed: May 2, 2008
    Date of Patent: September 13, 2011
    Assignee: International Business Machines Corporation
    Inventors: Stefan Berger, Kenneth A. Goldman, Reiner Sailer
  • Patent number: 8014526
    Abstract: A secure wireless local or metropolitan area network and data communications device therefor are provided, where the device transmits plain text in an encrypted message including cipher text and an initialization vector. The device may include a seed generator for performing a one-way algorithm using a secret key, a device address, and a changing reference value for generating a seed. Further, a random initialization vector (IV) generator may be included for generating a random IV, and a key encrypter may generate a key sequence based upon the seed and the random IV. Additionally, a logic circuit may be included for generating cipher text based upon the key sequence and plain text, and a wireless communications device may be connected to the logic circuit and the random IV generator for wirelessly transmitting the encrypted message.
    Type: Grant
    Filed: March 1, 2005
    Date of Patent: September 6, 2011
    Assignee: Harris Corporation
    Inventors: Thomas Jay Billhartz, Frank Joseph Fleming
  • Patent number: 8000477
    Abstract: A data security system for a high bandwidth bus comprises a circular shift register operable to load a variable key value, and a scrambler coupled to the circular shift register operable to receive the variable key value from the circular shift register and serially scramble a serial data input in response to the variable key value.
    Type: Grant
    Filed: June 1, 2006
    Date of Patent: August 16, 2011
    Assignee: Dell Products L.P.
    Inventor: Gary J. Verdun
  • Patent number: 8001391
    Abstract: A method of encrypting data is provided that uses a medium key retrieved from a storage medium. The medium key is combined with another key to generate a combination key. Content is encrypted according to the combination key and written to the storage medium.
    Type: Grant
    Filed: April 17, 2008
    Date of Patent: August 16, 2011
    Assignee: DPHI, Inc.
    Inventors: Daniel R. Zaharris, Lane W. Lee
  • Patent number: 7992196
    Abstract: Apparatus, methods, and machine-readable articles of manufacture enable a means of performing vocal tract based authentication and vocal tract based enrollment via the Internet or similar computing network as a communication medium. A protocol and process is outlined which enables Internet or similar network based authentication among three parties; a party wishing to prove a claimed identity, a party requesting to authenticate the claimed identity, and a party performing the authentication or enrollment process. Further, the party requesting authentication is a separate entity from the party performing authentication or enrollment. In such an arrangement, the party performing the authentication or enrollment is termed “hosted” or “software as a service”. The protocol and process is suitable for execution by distinct software components installed and running on computers located at the location of each of the three parties.
    Type: Grant
    Filed: November 6, 2007
    Date of Patent: August 2, 2011
    Assignee: Voice Identity, Inc.
    Inventor: Karl D. Gierach
  • Patent number: 7984510
    Abstract: It is an object of the present invention to prevent illegal use of a terminal device, and to enhance security of the terminal device itself. Features of the present invention are: to store identification information for collation; to receive identification information for identifying an external communication terminal, which is transmitted from the external communication terminal; to collate the received identification with the stored identification information for collation so as to judge whether or not the received identification information is transmitted from an authorized communication terminal; to set a predetermined function from an execution-disabled state to an execution-enabled state when it is judged by the judgment that the received identification information is transmitted from the authorized communication terminal; and to allow the terminal device to execute the predetermined function.
    Type: Grant
    Filed: June 15, 2007
    Date of Patent: July 19, 2011
    Assignee: Casio Computer Co., Ltd.
    Inventor: Shigenori Morikawa
  • Patent number: 7979907
    Abstract: A system and methods for detecting malicious executable attachments at an email processing application of a computer system using data mining techniques. The email processing application may be located at the server or at the client or host. The executable attachments are filtered from said email, and byte sequence features are extracted from the executable attachment. The executable attachments are classified by comparing the byte sequence feature of the executable attachment to a classification rule set derived from byte sequence features of a data set of known executables having a predetermined class in a set of classes, e.g., malicious or benign. The system is also able to classify executable attachments as borderline when the difference between the probability that the executable is malicious and the probability that the executable is benign is within a predetermined threshold.
    Type: Grant
    Filed: December 18, 2008
    Date of Patent: July 12, 2011
    Assignee: The Trustees of Columbia University in the City of New York
    Inventors: Matthew G. Schultz, Eleazar Eskin, Erez Zadok, Manasi Bhattacharyya, Stolfo Salvatore J.
  • Patent number: 7975290
    Abstract: A certificate registry system is configured to issue authentication certificates to each one of a plurality of information providers and to maintain a root certificate corresponding to all of the authentication certificates. Each one of the authentication certificates links respective authentication information thereof to identification information of a corresponding one of the information providers. Each one of the authentication certificates includes a respective Instant Messaging (IM) screen name information of the information provider. The authentication certificates of the certificate registry are associated in a manner at least partially dependent upon at least one of a particular type of information that the information providers provide, a particular organization that the information providers are associated with, a particular type of profession in which the information providers are engaged and a particular geographical region in which the information providers are located.
    Type: Grant
    Filed: June 7, 2007
    Date of Patent: July 5, 2011
    Assignee: Alcatel Lucent
    Inventors: Stanley Chow, Jeff Smith, Christophe Gustave
  • Patent number: 7958361
    Abstract: An information processing method enables verification of validity of signed data using received partial signed data parts, even when all the signed data is not received. According to the information processing method, signature data including a signature value and digests of a plurality of partial signed data parts is received. Then, the signature data is verified by using the signature value and the digests of a plurality of partial signed data parts. Subsequently, the partial signed data is received according to a result of verifying the signature data. Then, the partial signed data is verified using the partial signed data and the digest of the partial signed data.
    Type: Grant
    Filed: July 18, 2006
    Date of Patent: June 7, 2011
    Assignee: Canon Kabushiki Kaisha
    Inventors: Junichi Hayashi, Yuji Suga
  • Patent number: 7958367
    Abstract: When a document creation unit 1 is started, it calculates a hash value of each software piece therein and stores the hash value in a hash value holder 71 and a measurement log document holder 44. The document creation unit 1 accesses a time distribution unit plural times to receive time information therefrom, and records the time information in a log document and a measurement log document. The document creation unit 1 transmits the log document, the measurement log document, and digital signature-embedded hash value information (measurement auxiliary document) in a tamper-resistant device 63 to a document reception device. The document reception device verifies matching of the hash values or digital signature in the document group, confirms software operating environments in the document creation unit 1 from the hash values, and determines whether the time information is correctly managed within the unit 1.
    Type: Grant
    Filed: April 25, 2008
    Date of Patent: June 7, 2011
    Assignee: Hitachi, Ltd.
    Inventors: Tadaoki Uesugi, Takahiro Fujishiro, Takeshi Akutsu, Hisanori Mishima
  • Patent number: 7958374
    Abstract: A method for protecting digital information includes: converting a protected address range into a plurality of address blocks based on a preset conversion unit, and generating an address block rearranging rule using the address blocks as a parameter; when it is desired to load data into an address batch of the protected address range, converting the address batch into a plurality of address blocks based on the conversion unit; and locating rearranged addresses of the address blocks in the protected address range according to the address block rearranging rule, and loading the data into the rearranged addresses. Thus, the data can be stored in the address batch scatteredly, and the protected data cannot be recomposed into the original correct data when stolen.
    Type: Grant
    Filed: June 18, 2007
    Date of Patent: June 7, 2011
    Assignee: Shansun Technology Company
    Inventors: Jing-Shiun Lai, Ling-Ying Nain, Po-Hsu Lin, Sheng-Kai Lin
  • Patent number: 7941853
    Abstract: The invention relates to a distributed system for detecting eThreats that propagate in a network, which comprises: (a) graphs database storing at least one propagation graph, each graph describing the typical propagation over time of one eThreat class or a legitimate executable class within the network; (b) plurality of agents that are distributed in corresponding plurality of hosts within the network, each of said agents continuously monitoring the corresponding host and reporting to a Central Decision Maker (CDM) the identity of any new suspected executable, and the time in which said suspected executable has been first detected by said agent; (c) a CDM for: (c.1) receiving all said reports from said plurality of agents; (c.2) creating from said reports for each suspected executable a corresponding propagation graph which reflects the propagation characteristics over time of said suspected executable within the network, and (c.
    Type: Grant
    Filed: May 22, 2008
    Date of Patent: May 10, 2011
    Assignee: Deutsche Telekom AG
    Inventors: Boris Rozenberg, Ehud Gudes, Yuval Elovici
  • Patent number: 7937583
    Abstract: The disclosure relates to the management of PKI digital certificates, including certificate discovery, installation, verification and replacement for endpoints over an insecure network. A database of certificates may be maintained through discovery, replacement and other activities. Certificate discovery identifies certificates and associated information including network locations, methods of access, applications of use and non-use, and may produce logs and reports. Automated requests to certificate authorities for new certificates, renewals or certificate signing requests may precede the installation of issued certificates to servers using installation scripts directed to a particular application or product, which may provide notification or require approval or intervention. An administrator may be notified of expiring certificates, using a database or scanning or server agents.
    Type: Grant
    Filed: June 17, 2009
    Date of Patent: May 3, 2011
    Assignee: Venafi, Inc.
    Inventors: Russell S. Thornton, Benjamin Hodson, Jayson Seegmiller
  • Patent number: 7930731
    Abstract: Multiple views and optimized communications pathways of personal descriptors are provided over a communications network for a globally accessible contact list of contacts in a database. User descriptors are automatically populated in a dynamic repository, and subsequently form personal descriptors. User queries and contact information are received anonymously and stored in a dynamic repository, based on adding the contact to an instant messaging roster state database, where the contact information is categorized, based on identifiable relationships between user descriptors and a group of user defined rules. Such user contact information is transmitted and/or received to and/or from contacts in the globally accessible contact list so as to share presence and access information, and where the user is an authorized user providing varying levels of access information.
    Type: Grant
    Filed: May 16, 2008
    Date of Patent: April 19, 2011
    Assignee: AT&T Intellectual Property I, L.P.
    Inventor: Jay Glasgow
  • Patent number: 7929698
    Abstract: Certain embodiments consistent with the present invention involve a method of selectively encrypting digital video content that involves receiving a plurality of packets containing the digital video content; identifying packets containing start of frame (SOF) headers; inserting padding into the packets containing SOF headers to move the content of the packets containing the SOF headers to a previous or subsequent packet and create padded packets containing the SOF headers; selecting certain of the packets for encryption according to a selection criterion, wherein the selected packets exclude the padded packets containing SOF headers; encrypting the selected packets; and retaining the padded packets containing the SOF headers unencrypted to form selectively encrypted digital video content. Corresponding decoding method as well as encoding and decoding apparatus are also taught. This abstract is not to be considered limiting, since other embodiments may deviate from the features described in this abstract.
    Type: Grant
    Filed: June 15, 2007
    Date of Patent: April 19, 2011
    Assignees: Sony Corporation, Sony Electronics Inc.
    Inventor: Brant L. Candelore
  • Patent number: 7895446
    Abstract: A data transfer method performed at a proxy server includes intercepting a data request from a client computer that is directed to a target server, encrypting profile information, augmenting the data request by adding the encrypted profile information to the data request, and sending the augmented data request to the target server. A data transfer method that is performed at an information server includes receiving a data request from a proxy server, extracting profile information added to the data request by the proxy server, using the extracted profile information to generate a response, and sending the response to the proxy server.
    Type: Grant
    Filed: September 25, 2006
    Date of Patent: February 22, 2011
    Assignee: AOL Inc.
    Inventors: Larry T. Harada, Mark A. Dolecki, Christopher S. Purdum, C. Hudson Hendren, III
  • Patent number: 7890770
    Abstract: This invention concerns a security module deactivation and reactivation method particularly intended for access control of conditional access data. These security modules include a plurality of registers (R1, R2, R3, Rn) containing values. The method includes the step of sending at least one management message (RUN-EMM) containing an executable code, this executable code being loaded into a memory of the security module and then executed. The execution of this code in particular can carry out the combination and/or the enciphering of the values of the registers, or render these values illegible. This method also allows the reactivation of the security modules that have been deactivated previously. In this case, the method includes the step of sending another message containing an executable code (RUN-EMM⁻¹) for the reactivation of the modules, this executable code having an inverted function to that of the executable code used for the deactivation of the security modules.
    Type: Grant
    Filed: August 29, 2005
    Date of Patent: February 15, 2011
    Assignee: Nagravision S.A.
    Inventors: Henri Kudelski, Olivier Brique, Christian Wirz, Patrick Hauert