Abstract: Aspects for achieving individualized protected space in an operating system are provided. The aspects include performing on demand hardware instantiation via an ACE (an adaptive computing engine), and utilizing the hardware for monitoring predetermined software programming to protect an operating system.
Abstract: Techniques are provided for determining an updated session encryption key. According to one embodiment, a packet index can be computed using a sequence number received in a session data packet during an SRTP session and a predetermined value. The predetermined value can be, for example, a non-zero value from a roll-over-counter that has been set to the non-zero value. The updated session encryption key can then be determined using a master key received from a BCMCS controller and the packet index. The determined updated session key is used to encrypt or decrypt content provided by a content server.
Abstract: A monitoring device is disposed to thwart denial of service attacks on a data center. The monitoring device is a device that collects statistical information on packets that are sent between a network and the data center for a plurality of customers by examining traffic as if the device was disposed on links that are downstream from links that the provisioned monitor is disposed on.
Type: Grant
Filed: January 31, 2002
Date of Patent: February 2, 2010
Assignee: Riverbed Technology, Inc.
Inventors: Massimiliano Antonio Poletto, Anne Elizabeth Dudfield
Abstract: Methods and systems are provided for generating and verifying signatures of digital messages communicated between signers and verifiers. Using bilinear mappings, such as Weil or Tate pairings, these methods and systems enable generation and verification of efficient multisignatures, identity-based ring signatures, hierarchical proxy signatures, and hierarchical online/offline signatures.
Abstract: The subject matter disclosed herein relates to authenticating an identity of users desiring access to an application program and determining whether an authenticated user is authorized to access one or more aspects of the application program.
Abstract: An engine, register in a memory, and methods for the same are provided. The engine may include a data encryptor, a key encryptor, a data decryptor, a key decryptor, a register, and a control circuit. The data encryptor may encrypt data using a key. The key encryptor may encrypt the key used by the data encryptor. The data decryptor may receive encrypted data from a storage medium and may decrypt the encrypted data. The key decryptor may receive an encrypted key from the storage medium and may decrypt the encrypted key. The register may indicate the status of the key and/or the encrypted key. The control circuit may control the data encryptor, the data decryptor, the key encryptor, the key decryptor, and the register.
Abstract: A communication method and a communication system providing services for subscribers having private identities is disclosed. The method includes receiving at a network element (S-CSCF) a communication from user equipment (UE) including a private identity of the subscriber and assigning a random string to the private identity.
Abstract: The present invention communication network system and method facilitates authentication and registration in a communication network as mobile nodes move from one geographical region to another. Multiple wireless domain services (WDSs) share client authentication information permitting relatively seamless roaming between subnets with minimal interruptions and delays. In one embodiment, a wireless domain service network communication method is performed utilizing partial authentication processes. A mobile node engages in an authentication protocol with a first wireless domain service (WDS) access point in a first subnet. The authentication credentials are forwarded to a second wireless domain service in a second subnet if the authentication protocol is successfully completed. The forwarded authentication credentials are utilized to authenticate the client entering the service area of the second wireless domain service in the second subnet.
Type: Grant
Filed: February 18, 2005
Date of Patent: November 24, 2009
Assignee: Cisco Technology, Inc.
Inventors: Arnavkumar M. Pathan, Patrick Pak-Chiu Leung, John F. Wakerly, Nancy Cam Winget, Robert Charles Meier
Abstract: A system and method of configuring an embedded system from removable media. The removable media is connected to the embedded system and the embedded system determines if the removable media includes a configuration key. If the removable media includes a configuration key, the embedded system determines if the configuration key includes configuration data applicable to the embedded system and, if the removable media includes a configuration key and the configuration key includes configuration data applicable to the embedded system, the embedded system applies the configuration data to the embedded system.
Abstract: A token generator such as a keyfob is used to access the computer of an authentication entity different from the authentication entity that issued the token generator. The token generator stores authentication entity identification information identifying the authentication entity that issued the token generator. The token generator causes a user computer to transmit an authentication request including such authentication entity identification information together with a token generated in synchronization with the authentication entity issuing the token generator, so that the authentication request can be routed to the appropriate authentication entity that issued the keyfob for validation. The authentication request can be sent directly to the authentication entity that issued the token generator. The authentication request can also be sent to the authentication entity that issued the token generator via another authentication entity that the user computer attempts to access.
Abstract: A Voice over IP (VoIP) or Real Time Messaging (RTM) firewall device is claimed that protects VoIP or RTM network traffic by identifying and controlling the delivery of such network traffic that is unsolicited and undesired by the recipient (i.e. VoIP or RTM spam). The system involves applying a unique marking to RTM messages close to a point of message origination and then at a point close to message termination for the intended recipient examining a reputation store for information on the unique marking and using that information in conjunction with a set of policy rules to decide whether to pass, reject, pass on to an RTM store or otherwise filter the RTM message. The unique marking serves to identify a source characteristic of the message such as the message originator, a corporate affiliation for the originator, or an RTM network characteristic of the originator such as a transmission gateway.
Type: Grant
Filed: February 25, 2005
Date of Patent: November 3, 2009
Assignee: WatchGuard Technologies, Inc.
Inventors: Rod Gilchrist, Richard Fogel, John Alsop
Abstract: An intermediary isolation server receives e-mails and isolates any viral behavior from harming its intended destination. After the intermediary receives an e-mail, it determines that the e-mail has associated executable code, and then identifies the environment in which the e-mail code would be executed if delivered. The intermediary then executes the code by emulating how it would be executed in its ultimate environment. If a viral-like behavior is detected, appropriate action is taken to prevent the execution of the code at its intended destination. The attachment is executed in a contained environment that allows for the contained environment to be easily restarted in a clean state.
Abstract: Circuits, methods, and apparatus that prevent detection and erasure of a configuration bitstream or other data for an FPGA or other device. An exemplary embodiment of the present invention masks a user key in order to prevent its detection. In a specific embodiment, the user key is masked by software that performs a function on it a first number of times. The result is used to encrypt a configuration bitstream. The user key is also provided to an FPGA or other device, where the function is performed a second number of times and the result stored. When the device is configured, the result is retrieved, the function is performed on it the first number of times less the second number of times and then it is used to decrypt the configuration bitstream. A further embodiment uses a one-time programmable fuse (OTP) array to prevent erasure or modification.
Type: Grant
Filed: January 25, 2005
Date of Patent: October 20, 2009
Assignee: Altera Corporation
Inventors: Keone Streicher, David Jefferson, Juju Joyce, Martin Langhammer
Abstract: Content such as computer software, data representing audiovisual works, and electronic documents can be converted from a machine-bound state to user-bound state without modification to the content data itself. Instead, keys used to access the content are converted from the machine-bound state to the user-bound state. In particular, the keys are kept in a passport data structure which can represent either a machine-binding or a user-binding. A machine-bound passport can be upgraded to a user-bound passport without modifying the bound content. The private key of the machine-bound passport, in cleartext form, is included in the user-bound passport and encrypted using a user-supplied password to bind the private key to the user. In addition, private user information is collected and verified and included in the user-bound passport.
Type: Grant
Filed: September 14, 2004
Date of Patent: October 13, 2009
Assignee: Microsoft Corporation
Inventors: Steven T. Ansell, Andrew R. Cherenson, Leon Rishniw, Susan A. Cannon, Edward J. Allard, Jason S. Brownell, Micah Stroud
Abstract: A system and method are provided which are necessary for exchanging information among a sales agent a1, user a2 and manufacturer A, for preparing a parts check list on an on-line basis, and for storing information to be provided. If, for example, the sales agent a1 or user a2 wants to acquire information from the manufacturer A, manufacturer A will directly confer a password to sales agent a1 with whom manufacturer A directly deals, while sales agent a1 will directly confer a password to user a2 with whom sales agent a1 directly deals, on behalf of manufacturer A. This arrangement makes it possible to easily and securely provide, to a specified information seeker, information required by that information seeker.
Abstract: A method for distributing encryption keys for use in communication systems such as trunked radio communication systems. Group traffic keys are encrypted at a key administrator and passed to a distribution facility for storage and distribution. The distribution facility passes the encrypted group traffic key to communication devices where the group traffic keys are decrypted and used to encrypt/decrypt traffic.
Type: Grant
Filed: August 27, 2002
Date of Patent: October 6, 2009
Assignee: Pine Valley Investments, Inc.
Inventors: Thomas Andrew Hengeveld, Dennis Michael Martinez
Abstract: In a networked computing environment, a server is equipped to assure the integrity of the service components of a service, including the direct service providing component and one or more supporting components as requested, and a client is equipped to request on behalf of an application in need of the service the integrity assurance. The client is further equipped to either request or accept the service, only upon receiving the integrity assurance. In one embodiment, the request for integrity assurance, and the subsequent conditional request or acceptance of the service is performed in real time.
Abstract: One embodiment of the present invention provides a system that uses digital certificates to facilitate enforcing licensing terms for applications that manipulate documents. During operation, the system obtains a credential, wherein the credential includes a private key and a digital certificate containing a corresponding public key. This digital certificate also contains a profile specifying allowed operations which can be performed on documents signed with the credential. Next, the system digitally signs a document using the credential, so that the resulting signed document is signed with the private key and includes a copy of the digital certificate with the profile specifying the allowed operations. The certificate issuer can subsequently revoke the digital certificate (which effectively revokes the license) if terms of a license agreement associated with the digital certificate are violated.
Type: Grant
Filed: April 20, 2005
Date of Patent: August 25, 2009
Assignee: Adobe Systems Incorporated
Inventors: Sujata Das, Sunil C. Agrawal, Charles R. Myers, IV
Abstract: A keyed-build system for controlling the distribution of software. The system and method of the present invention control distribution of software by keying computer-executable programs with device identifications. Each of the computing devices of the keyed-build system contains a device identification that is uniquely associated with and is embedded in the device. A computer-executable program for use in a particular computing device is keyed with the device's unique device identification during the build process of the program. When the computer-executable program is launched on a computing device, the device identification in the program is compared with the device identification embedded in the computing device. If the two device identifications do not match, the computer-executable program is disabled.
Type: Grant
Filed: April 2, 2003
Date of Patent: August 18, 2009
Assignee: Microsoft Corporation
Inventors: Chee Chew, Michael P. Calligaro, Dominique Fortier, Igor Borisov Peev
Abstract: A location stamp automatically attached to messages indicates location information such as longitude and latitude information from a GPS device. The location stamp helps a receiver to identify the location of the sender or a transaction, identify the sender, and provides context to the message that further indicates the message's meaning. Applications of the location stamp include authentication of the location of a sender or a transaction and identifying the location of a sender for a search and rescue.
Type: Grant
Filed: October 24, 2000
Date of Patent: August 11, 2009
Assignee: Trimble Navigation Limited
Inventors: Carey B. Fan, Kulbir S. Sandhu, Kenny Man D Nguyen