Patents Examined by Andrew L Nalven
  • Patent number: 7540032
    Abstract: An electronic data processing facility is for the processing of electronic data by changing users. The data processing facility runs an operating system for configuring the data processing facility and an application program for editing the data. It includes a data store for storing the data and a documentation memory for storing documentation data for documenting access to the data. It also includes a user object memory for storing user objects for authentication and documentation. The user object memory contains documentation user objects which can be stored in the documentation memory at the level of the application program for the purpose of documenting access to the data, and an authentication user object which can be assigned a right to access the data at the level of the operating system and which can be assigned a plurality of documentation user objects which are authenticated for this right as a result.
    Type: Grant
    Filed: March 12, 2004
    Date of Patent: May 26, 2009
    Assignee: Siemens Aktiengesellschaft
    Inventors: Thomas Birkhoelzer, Frank Krickhahn, Juergen Vaupel
  • Patent number: 7536564
    Abstract: The invention concerns a method for encrypting, with a random quantity (r), a calculation using at least a modular operation (3), the method consisting in multiplying a first modulo (n) by said random quantity, in taking as modulo of the operation, the result (m) of said multiplication and in carrying out a modular reduction of the result of the operation, on the basis of the first modulo (n).
    Type: Grant
    Filed: April 29, 2002
    Date of Patent: May 19, 2009
    Assignee: STMicroelectronics S.A.
    Inventors: Pierre-Yvan Liardet, Fabrice Romain
  • Patent number: 7536720
    Abstract: The present invention generally relates to the acceleration of customer premises equipment based virtual private networks (CPE-VPN). To provide virtual private network service from an enterprise network to a mobile client in a secure manner, an apparatus and method are provided whereby VPN service is provided which allows the wireless network to use data acceleration techniques. This is accomplished by providing a VPN acceleration server that terminates the VPN tunnel from the enterprise network, accelerates the data for wireless transmission, then encrypts the data for transmission to the mobile client (VPN acceleration client) over an encrypted acceleration tunnel. The encrypted acceleration tunnel may use PKI encryption.
    Type: Grant
    Filed: July 2, 2002
    Date of Patent: May 19, 2009
    Assignee: Nortel Networks Limited
    Inventors: Gregory Burdett, Nalin Mistry, Bryant Fung
  • Patent number: 7533266
    Abstract: A method of controlling access to a resource using a verifying device uses a watermarking device that embeds an authorization code in a signal using watermarking technology. The watermarked signal is then transmitted to a verifying device, e.g. as a television or radio program or as a commercial related to the resource. In the verifying device, the authorization code is extracted from the watermarked signal and an operation to be performed on the resource is authorized in dependence on the extracted authorization code. Preferably the authorization includes permission for executing a program, rendering and/or copying a multimedia object or for activating a cheat function in an electronic game.
    Type: Grant
    Filed: January 20, 2003
    Date of Patent: May 12, 2009
    Assignee: Civolution B.V.
    Inventors: Alphons Antonius Maria Lambertus Bruekers, Arnoldus Johannes Lucas Maria Maandonks, Peter-Paul Mittertreiner, Johannes Francicus Echbertus Maria Verbruggen
  • Patent number: 7533270
    Abstract: Methods and systems are provided for generating and verifying signatures of digital messages communicated between signers and verifiers. Using bilinear mappings, such as Weil or Tate pairings, these methods and systems enable generation and verification of efficient multisignatures, identity-based ring signatures, hierarchical proxy signatures, and hierarchical online/offline signatures.
    Type: Grant
    Filed: April 15, 2003
    Date of Patent: May 12, 2009
    Assignee: NTT DoCoMo, Inc.
    Inventor: Craig B. Gentry
  • Patent number: 7523317
    Abstract: An apparatus, program product and method for managing access to a remote computing grid that is not normally accessible to a client. A client computer may communicate with the computing grid via a dropbox configured to receive and distribute data between the client computer and the grid. The connection may remain open while multiple commands are thus communicated to the computing grid, and the identity of the client submitting the commands may be authenticated.
    Type: Grant
    Filed: April 29, 2004
    Date of Patent: April 21, 2009
    Assignee: International Business Machines Corporation
    Inventors: William Andrew Oswald, Janice Lynn Pascoe, Paul Emery Schardt, Lance Gordon Thompson
  • Patent number: 7519997
    Abstract: A method of scanning a computer file for virus infection attempts to identify whether the file contains program code and if it does, it then attempts to identify the compiler used to generate the code and performs a frequency distribution analysis of instructions found in the code to see whether it corresponds with an expected distribution for a program created with that compiler; if it does not, then the file is flagged as possibly having a viral infection.
    Type: Grant
    Filed: December 8, 2003
    Date of Patent: April 14, 2009
    Assignee: Messagelabs Limited
    Inventor: Alexander Shipp
  • Patent number: 7516485
    Abstract: A technique for enabling a firewall device to allow encrypted data to securely pass between networks, and at the same time allow the firewall to selectively monitor the encrypted traffic that is allowed to pass is disclosed. In one embodiment, the technique is realized by detecting an exchange of a first encryption key between a host device and a remote device, and the first encryption key supports confidentiality protection of a first security policy between the host device and the remote device. Next, a second encryption key is exchanged with the host device when the exchange of the first encryption key is detected, and the exchange of the second encryption key supports confidentiality protection of a second security policy between the firewall and the host device. Next, based at least in part upon the second security policy, the first encryption key is requested and the first encryption key is sent under the protection of the second security key and in accordance with the second security policy.
    Type: Grant
    Filed: May 29, 2001
    Date of Patent: April 7, 2009
    Assignee: Nortel Networks Limited
    Inventors: Michael G. Lee, Leslie D. Owens
  • Patent number: 7516330
    Abstract: In one embodiment, a method for utilizing a pseudonym to protect the identity of a platform and its user is described. The method comprises producing a pseudonym that includes a public pseudonym key. The public pseudonym key is placed in a certificate template. Hash operations are performed on the certificate template to produce a certificate hash value, which is transformed from the platform. Thereafter, a signed result is returned to the platform. The signed result is a digital signature for the transformed certificate hash value. Upon performing an inverse transformation of the signed result, a digital signature of the certificate hash value is recovered. This digital signature may be used for data integrity checks for subsequent communications using the pseudonym.
    Type: Grant
    Filed: November 29, 2005
    Date of Patent: April 7, 2009
    Assignee: Intel Corporation
    Inventors: Carl M. Ellison, James A. Sutton
  • Patent number: 7515718
    Abstract: A disclosed gaming machine may securely communicate with devices over a public network such as the Internet. The gaming machine utilizes a combination of symmetric and asymmetric encryption that allows a single gaming machine to securely communicate with a remote server using a public network. The secure communication methods may be used to transfer gaming software and gaming information between two gaming devices, such as between a game server and a gaming machine. For regulatory and tracking purposes, the transfer of gaming software between the two gaming devices may be authorized and monitored by a software authorization agent.
    Type: Grant
    Filed: March 10, 2005
    Date of Patent: April 7, 2009
    Assignee: IGT
    Inventors: Binh T. Nguyen, Michael M. Oberberger, Greg Parrott, Bryan D. Wolf
  • Patent number: 7512230
    Abstract: Methods and apparatus reduce the computational load for computing r=x mod n, given two numbers x and n, where x is 2t bits long and n is t bits long. Such reduced computational loading in modular reduction schemes is useful for, at least, network communication systems that include modular reduction in cryptography, particularly, public key encryption algorithms such as RSA, El Gamal, Rabin, and Diffie-Hellman.
    Type: Grant
    Filed: April 30, 2002
    Date of Patent: March 31, 2009
    Inventor: Alfred C. She
  • Patent number: 7512981
    Abstract: Methods and systems for remotely configuring and monitoring a communication device are provided, especially useful in a computer network environment such as the Internet. A communication device or network appliance compares communications entering the communication device to a list of communication types established as known security risks, for example hacker attacks, unauthorized attempted access to network resources, or similar network security threats. If the received communication corresponds to a known security risk, the communication is classified as either a high security risk or low security risk, and an alert signal is transmitted to a remote monitoring center. Upon receiving the alert signal, the remote monitoring center assigns a priority to the alert signal based upon the type of the communication that triggered the transmission of the alert signal. Based on the assigned priority, the prioritized alert signal is then forwarded to a remote monitoring agent for resolution.
    Type: Grant
    Filed: March 17, 2005
    Date of Patent: March 31, 2009
    Assignee: Secureworks, Inc.
    Inventor: Sterling Michael Pearson
  • Patent number: 7512798
    Abstract: A method is employed to propagate rights management (RM) protection to an email and to an attachment thereof comprising an RM-protectable document. The email with the RM-protectable attachment is authored, and a content key (KD) and a bind ID are generated. RM protection is first applied to the RM-protectable attachment of the email based on the generated (KD) and the generated bind ID, and the RM-protected attachment is attached to the email. RM protection is then applied to the email with the attached RM-protected attachment based on the generated (KD) and the generated bind ID. The RM-protected email and the RM-protected attachment thereof thus share the generated (KD) and the generated bind ID such that a license obtained for the RM-protected email and having therein the generated bind ID and the generated (KD) can be applied to render the RM-protected email and also the RM-protected attachment thereof.
    Type: Grant
    Filed: June 27, 2003
    Date of Patent: March 31, 2009
    Assignee: Microsoft Corporation
    Inventors: Jason Cahill, Chris Graham, Lauren Antonoff, Kevin Brown, Pavel Kouznetsov
  • Patent number: 7512238
    Abstract: Detecting loss of stream cipher synchronization between a transmitter and a receiver in a video processing system may be achieved by receiving, by the receiver, an encrypted video frame from the transmitter, obtaining an encrypted value for a selected pixel in the encrypted video frame, decrypting the encrypted pixel value using a first portion of the receiver's current key stream, re-encrypting the pixel value using a second portion of the receiver's current key stream, sending the re-encrypted pixel value from the receiver to the transmitter, obtaining, by the transmitter, a plaintext value for the selected pixel from a corresponding original video frame and encrypting the plaintext pixel value using a second portion of the transmitter's current key stream, and comparing the re-encrypted pixel value received from the receiver with the encrypted pixel value generated by the transmitter and detecting a loss of cipher synchronization when the values do not match.
    Type: Grant
    Filed: September 18, 2007
    Date of Patent: March 31, 2009
    Assignee: Intel Corporation
    Inventor: Gary L. Graunke
  • Patent number: 7506168
    Abstract: A method of determining a counterfeit security document which includes a number of coded data portions indicative of an identity of the security document; and at least part of a digital signature of at least part of the identity. The method includes using a sensing device to sense at least one coded data portion and generate indicating data. The indicating data is used by a processor to obtain a determined identity and at least one determined signature part, which are then used to determine if the security document is a counterfeit document.
    Type: Grant
    Filed: January 25, 2005
    Date of Patent: March 17, 2009
    Assignee: Silverbrook Research Pty Ltd
    Inventors: Kia Silverbrook, Paul Lapstun
  • Patent number: 7506371
    Abstract: Typical conventional content based database security scheme mechanisms employ predefined criteria for identifying access attempts to sensitive or prohibited data. An operator identifies the criteria indicative of prohibited data, and the conventional content based approach scans or “sniffs” the transmissions for data items matching the predefined criteria. In many environments, however, database usage tends to follow repeated patterns of legitimate usage. Such usage patterns, if tracked, are deterministic of normal, allowable data access attempts. Similarly, deviant data access attempts may be suspect. Recording and tracking patterns of database usage allows learning of an expected baseline of normal DB activity, or application behavior. Identifying baseline divergent access attempts as deviant, unallowed behavior, allows automatic learning and implementation of behavior based access control. In this manner, data access attempts not matching previous behavior patterns are disallowed.
    Type: Grant
    Filed: January 22, 2004
    Date of Patent: March 17, 2009
    Assignee: Guardium, Inc.
    Inventor: Ron Ben-Natan
  • Patent number: 7505591
    Abstract: The present invention provides a personal video recorder and control method thereof, by which two scrambled transport streams can be descrambled to fit the open cable standard. The present invention includes storing a video stream of a recording channel in a storage means, determining whether a video stream of a displaying channel is transferred to the POD module, descrambling the stored video stream of the recording channel using the POD module if the video stream of the displaying channel is not transferred to the POD module, and storing the descrambled video stream in the storage means.
    Type: Grant
    Filed: August 27, 2004
    Date of Patent: March 17, 2009
    Assignee: LG Electronics Inc.
    Inventor: Hwa Young Yun
  • Patent number: 7506382
    Abstract: A method and system for activating and obtaining a license for a software product is disclosed. A local license is obtained from a storage medium of the software product and is stored with the software product on a user's computer. The local license allows for one of multiple license types to be activated from a single software product. The user enters a product key containing a channel ID. The compact disk or other storage medium is searched for the appropriate local license for the channel ID. The local license includes a MSIID, a channel ID range for each supported license type, a license type for each channel ID range, and an optional product expiration date for the license type. The license type is determined by looking up the product key's channel ID in the local license's channel ID range table. If activation is required based on the license type, then an installation ID including a product ID (PID) and a hardware ID (H/W ID) are transmitted to an activation authority.
    Type: Grant
    Filed: May 26, 2005
    Date of Patent: March 17, 2009
    Assignee: Microsoft Corporation
    Inventors: Arvind Padole, Eric Wong
  • Patent number: 7502923
    Abstract: Systems, devices and methods are presented for providing controlled use of information stored publicly within the domain name system (DNS). Controlled use is established by storing encrypted data at the DNS servers and establishing trust, in the form of transfer of keying material, with requisite parties. The invention provides backward compatibility with existing DNS servers, in that, it provides for storage of encrypted data in existing resource records. The invention benefits from allowing storage in the DNS to be divided into both public and private classification, such that a user can identify and store certain public information that is available to all parties that have access to the DNS, while other information that has been classified as private is only available to parties which have established a trust.
    Type: Grant
    Filed: September 16, 2004
    Date of Patent: March 10, 2009
    Assignee: Nokia Corporation
    Inventors: Petteri Pöyhönen, Hannu Flinck
  • Patent number: 7502922
    Abstract: An architecture for secure network communications includes a security layer sandwiched between an upper connection layer and a lower connection layer. An application program need not deal directly with the details of security handshakes, encryption, and decryption. Instead, the application sends plain text data to the upper connection layer, which passes it to the security layer. The security layer manages the necessary security handshakes, and encrypts the data. The security layer then passes the encrypted application data to the lower connection layer, which transports it using TCP or another transport protocol. The security layer need not manage the transport protocol, as this is done by the connection layers. Encrypted data received over the network at the lower connection layer is passed to the security layer for decryption, and then to the upper connection layer for transport to the application.
    Type: Grant
    Filed: July 20, 2000
    Date of Patent: March 10, 2009
    Assignee: Novell, Inc.
    Inventors: Baber Amin, Hashem Mohammad Ebrahimi