Patents Examined by Andrew L Nalven
  • Patent number: 7290288
    Abstract: A method and system for controlling access, by an authentication server, to protected computer resources provided via an Internet Protocol network that includes storing (i) a digital identification associated with at least one client computer device, and (ii) data associated with the protected computer resources in at least one database associated with the authentication server; authenticating, by the authentication server, the digital identification forwarded by at least one access server; authorizing, by the authentication server, the at least one client computer device to receive at least a portion of the protected computer resources requested by the at least one client computer device, based on the stored data associated with the requested protected computer resources; and permitting access, by the authentication server, to the at least the portion of the protected computer resources upon successfully authenticating the digital identification and upon successfully authorizing the at least one client comp
    Type: Grant
    Filed: August 29, 2002
    Date of Patent: October 30, 2007
    Assignee: Prism Technologies, L.L.C.
    Inventors: Richard L. Gregg, Sandeep Giri, Timothy C. Goeke
  • Patent number: 7290138
    Abstract: Object management is facilitated by signing objects with credentials and through noting and/or using an association between the signed objects and the signing credentials. In an exemplary method implementation, actions include: signing an object with a credential to produce a signed object and noting an association between an object identifier that represents the signed object and the credential. In another exemplary method implementation, actions include: receiving a revocation request for a signed object; accessing a database at an entry for the signed object to retrieve an associated credential, the associated credential having been used to sign an object to produce the signed object; and causing the associated credential to be revoked. In an exemplary electronically-accessible media implementation, a data structure thereof includes: at least one entry that associates a credential with an object identifier, the object identifier representing a signed object that was signed by the credential.
    Type: Grant
    Filed: February 19, 2003
    Date of Patent: October 30, 2007
    Assignee: Microsoft Corporation
    Inventors: Trevor W. Freeman, John J. Lambert
  • Patent number: 7280658
    Abstract: A system, method, and computer product that accelerates encryption and decryption of data while using both a static key and a dynamic key. The present invention eliminates intermediate decryption of data that is transmitted between computer systems. More particularly, encryption efficiency is improved by eliminating decryption of the statically encrypted data while incorporating the advantages of a dynamic key such as enabling rapid change of the dynamic key. The efficiency improvements reduce the computer resources required to protect the data and therefore stronger data encryption may be enabled with the saved computer resources. End-to-end security of the data is maintained without the need for trusted data servers.
    Type: Grant
    Filed: June 1, 2001
    Date of Patent: October 9, 2007
    Assignee: International Business Machines Corporation
    Inventors: Lisa Amini, William R. Belknap
  • Patent number: 7278161
    Abstract: Method and apparatus for protecting a data processing system such as an Internet server from attack by a vandal who uses an offensive vulnerability scanner to find an externally visible vulnerability of the data processing system. The method includes determining an externally visible vulnerability using a defensive vulnerability scanner, configuring an intrusion detection system to detect a network flow associated with the vulnerability, and blocking that flow by a firewall or a router. The apparatus includes a defensive vulnerability scanner that finds an externally visible vulnerability and provides a description of the vulnerability, an intrusion detection system that detects a network flow that satisfies the description, and a firewall or a router that blocks the flow responsive to detection of the flow by the intrusion detection system.
    Type: Grant
    Filed: October 1, 2001
    Date of Patent: October 2, 2007
    Assignee: International Business Machines Corporation
    Inventors: Charles Steven Lingafelt, Nigel Birkbeck Yell
  • Patent number: 7275160
    Abstract: A method for allowing a financial transaction to be performed using an electronic system, the method comprising interrogating an electronic transaction terminal with an electronic security device to obtain an integrity metric for the electronic financial transaction terminal; determining if the transaction terminal is a trusted terminal based upon the integrity metric; and allowing financial transaction data to be input into the transaction terminal if the transaction terminal is identified as a trusted terminal.
    Type: Grant
    Filed: August 17, 2001
    Date of Patent: September 25, 2007
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Siani Lynne Pearson, Liqun Chen
  • Patent number: 7266848
    Abstract: The invention relates to an integrated circuit (IC), and more particularly to security to protect an IC (10) against unauthorized accesses. In one embodiment, an identifier is provided external to IC 10. A corresponding input IC security key (52) is then provided to IC 10 and compared to a stored IC security key (30). If the input IC security key (52) and the stored IC security key (30) do not match, access to protected functional circuitry (12) is prohibited. The present invention may use any debug interface, including standard debug interfaces using the JTAG 1149.1 interface defined by the IEEE.
    Type: Grant
    Filed: March 18, 2002
    Date of Patent: September 4, 2007
    Assignee: Freescale Semiconductor, Inc.
    Inventors: William C. Moyer, Michael D. Fitzsimmons
  • Patent number: 7260839
    Abstract: A security wall, such as a firewall and a viruswall, is easily built without requiring firewall-dedicated hardware, viruswall-dedicated hardware or, in a mobile information processing device, mobile terminal-dedicated hardware. For this purpose, on a single information processing device, a plurality of separate LAN segments are realized and data from an external network such as the Internet is forced to pass through the multiple LAN segments before it reaches a user system in order to reinforce the system against external attacks. The security wall system is made portable so that the firewall and the viruswall can be executed at the same time, strengthening the security of the mobile information processing device.
    Type: Grant
    Filed: July 2, 2003
    Date of Patent: August 21, 2007
    Assignee: Hitachi, Ltd.
    Inventor: Teiji Karasaki
  • Patent number: 7260849
    Abstract: A method and apparatus to provide security for data in a database system includes providing a secure user-defined data type (UDT) that has security features. The secure UDT defines security information, which in one arrangement is in the form of a list of identifiers of authorized users or other entities. Each data instance according to the secure UDT stored in tables of the database system is associated with such an access list. Thus, in response to a query, the security information is accessed to determine whether the user or other entity that issued the query has rights to access the data. Access is then allowed or denied based on the security information.
    Type: Grant
    Filed: July 2, 2001
    Date of Patent: August 21, 2007
    Assignee: NCR Corporation
    Inventors: John D. Frazier, Michael L. Reed
  • Patent number: 7254706
    Abstract: Protection of private keys used to digitally sign files to be downloaded to a terminal is accomplished by storing the private keys in smartcards, and arranging a secure processor unit embedded in the smartcard to perform all signing operations requiring access to the keys so that the keys never leave the card. In addition, access to the signing operations is protected by multiple PINs, which may be distributed to multiple individuals and/or used to establish different signing authorization levels associated with different types of files.
    Type: Grant
    Filed: June 29, 2001
    Date of Patent: August 7, 2007
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Dominique Gougeon, Serge Le Crom, John F. Sheets
  • Patent number: 7254232
    Abstract: A method and system of alternatively selecting an encryption key used to transmit a known number of data bits and providing sufficient information to inform the receiving party of the selected encryption key is presented. In one embodiment of the invention, a plurality of encryption keys are available to the parties of the communication network. The transmitting party selects an encryption key used to encrypt a message block based on the data content of a previously transmitted message block. The receiving party, having received and decrypted a previously transmitted message block, has sufficient information to determine the encryption key used to encrypt a subsequent data block and is able to decrypt the subsequently transmitted message.
    Type: Grant
    Filed: February 14, 2001
    Date of Patent: August 7, 2007
    Assignee: Copytele, Inc.
    Inventors: Frank J. DiSanto, Denis A. Krusos
  • Patent number: 7240192
    Abstract: Combining a browser cache and cookies to improve the security of token-based authentication protocols. A client stores a first portion of an authentication token as information (e.g., a cookie) in a first memory area. The client stores a second portion of the authentication token as server-inaccessible information (e.g., cached web content) in a second memory area. A server obtains the first and second portions from the client to recreate the authentication token to authenticate the client.
    Type: Grant
    Filed: March 12, 2003
    Date of Patent: July 3, 2007
    Assignee: Microsoft Corporation
    Inventors: Ismail Cem Paya, Trevin Chow
  • Patent number: 7240202
    Abstract: Networked computing entities which are members of a trusted group share knowledge of a secret value K that is unknown outside the trusted group. When an entity within the trusted group establishes a secure connection, it encodes its name along with the secret value K and an optional random number into a connection identifier. Encoding may use a hash function and/or encryption. By using this connection identifier and the secret value K, other members of the trusted group can decode the connection identifier and gain access to the specific secure connection by using the original cryptographic information for the connection. The connection identifier can be freely transmitted, with little risk that non-trusted entities will be able to use it to gain access to the secure connection.
    Type: Grant
    Filed: January 29, 2001
    Date of Patent: July 3, 2007
    Assignee: Novell, Inc.
    Inventor: Hilarie K. Orman
  • Patent number: 7239708
    Abstract: Encrypted compressed content is produced by encrypting content based at least in part on a content key, and compressing the content based at least in part on the content key. Thus, the content key is employed to encrypt the content and also to compress the content. Similarly, decrypted decompressed content is produced from the encrypted compressed content by decrypting the content based at least in part on a content key, and decompressing the content based at least in part on the content key. Thus, the content key is employed to decrypt the content and also to decompress the content.
    Type: Grant
    Filed: June 27, 2001
    Date of Patent: July 3, 2007
    Assignee: Microsoft Corporation
    Inventors: Paul England, Marcus Peinado, Mukund Sankaranarayan
  • Patent number: 7240196
    Abstract: A system and method for providing protection of ownership rights of digital content files while also providing distribution of the content files to consumers that are authorized to receive the digital content files. A system and method for preventing or deterring the unauthorized distribution of digital content files. Several possible protection schemes include, for example, proactive protections such as encryption, SSL or VPN technologies, and reactive protections such as watermarking, PKI, piracy watch systems, or legal action management.
    Type: Grant
    Filed: June 19, 2002
    Date of Patent: July 3, 2007
    Assignee: Verimatrix, Inc.
    Inventors: Robin Ross Cooper, Robert T. Kulakowski
  • Patent number: 7237264
    Abstract: A system and method for preventing misuse conditions on a data network are described. Embodiments of the system and method evaluate potential network misuse signatures by analyzing variables such as the state of the network and/or target, the context in which the potential misuse signatures are detected, the response/reaction of the target and/or the fingerprint of the target. These and other variables may be factored into the misuse determination, either alone or in combination.
    Type: Grant
    Filed: June 4, 2001
    Date of Patent: June 26, 2007
    Assignee: Internet Security Systems, Inc.
    Inventors: Robert David Graham, Peter Kavaler
  • Patent number: 7237126
    Abstract: A computer system includes various security measures to ensure that semi-permanent operating programs, such as boot blocks and firmware, are updated properly. For example, the system may include a security switch that can enable a host computer to load a replacement program into another computer, such as an appliance server for example, if the other computer fails. Also, if a replacement program is being loaded over a network connection that fails, the loading can resume automatically after re-establishment of the network connection. In addition, certain programs, such as boot blocks, may be verified in an execution memory, such as RAM, and loaded into a more permanent storage memory, such as ROM, only if verified.
    Type: Grant
    Filed: September 28, 2001
    Date of Patent: June 26, 2007
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventor: E. David Neufeld
  • Patent number: 7237107
    Abstract: A method is disclosed for discovering a trust chain that imparts a required attribute to a subject and is grounded in a trusted principal that is the issuer of a known trusted attribute delegation. The method involves setting as a primary goal to be proved an attribute delegation from a trusted principal to the subject and then seeking a backwards proof of the primary goal by a process of recursively taking a goal to be proved, starting with the primary goal, and decomposing it into subgoals one of which corresponds to an attribute delegation already proved by an available certificate. If it is not possible to decompose a subgoal that has not been proved, the process backtracks to a previous subgoal to seek a new decomposition of the latter. A trust chain is taken as found when the process produces a chain of subgoals proved by corresponding certificates, that grounds in a subgoal proved by a trusted attribute delegation. Name mappings are also permitted.
    Type: Grant
    Filed: December 7, 2000
    Date of Patent: June 26, 2007
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventor: Michael Wray
  • Patent number: 7236596
    Abstract: The Evidentiary Imaging System (EIS) provides secure storage or transmission of a digital image into which is encoded the date, time, and location at which the image was taken, along with the camera ID and frame number. The encoding is dispersed throughout the image so that the image cannot be modified without distorting the encoding. The image may be encrypted for additional security. Annotation can be superimposed on the encoded or encoded and encrypted image to classify or identify the image to human or automated scanning systems. The annotation can also be used to key the decoding and decryption tasks. The EIS produces imagery which may be authenticated as to originality, time and location of imaging. The imagery may be stored, duplicated, and transmitted while retaining its authenticity. However, any modifications to the image, including any local changes, are readily detected because the encoding will not decode correctly.
    Type: Grant
    Filed: February 7, 2001
    Date of Patent: June 26, 2007
    Assignee: Mikos, Ltd.
    Inventor: Francine J. Prokoski
  • Patent number: 7234162
    Abstract: A communication apparatus and a communication method capable of selecting desired sender-information in a short time from multiple items of registered sender-information are presented. Sender-default information of the communication apparatus is stored in a default information table of the memory section, and sender-information including a password is stored in a sender-information table. The apparatus collates the sender-information stored in the sender-information table by an input password, selects the sender-information whose password matches, and attaches the sender-information to transmitted data.
    Type: Grant
    Filed: December 11, 2000
    Date of Patent: June 19, 2007
    Assignee: Panasonic Communications Co., Ltd.
    Inventor: Hidehiko Ogawa
  • Patent number: 7234057
    Abstract: A method for processing an access-request message in an IMT-2000 system is described. A user password is encrypted by a temporary authenticator value and an authenticator value which is able to verify an access-request message itself is generated, so that when an AAA server receives the access-request message, it can directly verify the access-request message without analyzing the received access-request message. Thus, even if a malicious hacker transmits a large quantity of false access-request messages to the AAA server, the use of system resources and the message processing time are reduced, so that the system is prevented from crashing.
    Type: Grant
    Filed: August 23, 2001
    Date of Patent: June 19, 2007
    Assignee: LG-Nortel Co., Ltd.
    Inventor: Sung-Kyun Park