Patents Examined by Bryan Wright
  • Patent number: 8729922
    Abstract: Methods and apparatuses for enforcing terms of a licensing agreement between a plurality of parties involved in a particular hardware design through the use of hardware technologies. According to one embodiment, a hardware sub-design includes a license verification sub-design that is protected from user modification by encryption. In one embodiment, a license is generated based on a trusted host identifier within an external hardware device. In one embodiment, each trusted host identifier is unique, and no two integrated circuits share the same trusted host identifier. In another embodiment, the integrated circuit is a field programmable gate array or an application specific integrated circuit. In one embodiment, a license determines how long the hardware sub-design will operate when the hardware sub-design is implemented within an integrated circuit having a trusted host identifier.
    Type: Grant
    Filed: July 11, 2011
    Date of Patent: May 20, 2014
    Assignee: Synopsys, Inc.
    Inventor: Kenneth S. McElvain
  • Patent number: 8725649
    Abstract: A system and method encrypt a license file associated with computer software using a private key. The license file includes one or more license keys, and each license key is associated with a feature of the computer software. The license file associated with the computer software is decrypted at runtime using a public key. A module determines whether a user is permitted to execute the computer software. The module is authenticated by one or more of a determination of whether a hash code included within the module matches a hash code generated by a user of the computer software at run time of the computer software, and an encryption of the module prior to run time of the computer software using the private key and a decryption of the module at run time of the computer software using the public key.
    Type: Grant
    Filed: December 8, 2011
    Date of Patent: May 13, 2014
    Assignee: Raytheon Company
    Inventor: Zhen-Qi Gan
  • Patent number: 8724804
    Abstract: According to an embodiment, a first linear transformation unit performs a linear transformation from mask data to first mask data. A second linear transformation unit performs a linear transformation from mask data to second mask data. A first calculator calculates first data based upon data to be processed and the first mask data. A selecting unit selects the first data or the second mask data. A non-linear transformation unit performs a non-linear transformation on the selected first data or second mask data. A second calculator calculates second data based upon the first data after the non-linear transformation and the mask data. A third linear transformation unit performs a linear transformation on the second data. The second data after the linear transformation by the third linear transformation unit is retained as new data to be processed, and the second mask data after the non-linear transformation is retained as new mask data.
    Type: Grant
    Filed: September 12, 2012
    Date of Patent: May 13, 2014
    Assignee: Kabushiki Kaisha Toshiba
    Inventor: Takeshi Kawabata
  • Patent number: 8719952
    Abstract: The public key of an RSA (asymmetric) software key pair is maintained confidentially on an authentication server, while the corresponding private key is maintained in encrypted, unstructured form on a mobile communication device (e.g. smartphone). The mobile device cannot verify locally whether a decrypted private key is correct, and a brute force, dictionary, or other attack that yields the correct private key among many decrypted keys does not allow determining which private key is correct without access to the authentication server. A relatively-long (128+ bit, e.g. 512-bit) public key exponent is used to make brute-force local verification of the private key impractical. The unstructured private key can secure other resources such as RSA keys used for digital signing. The enhanced security provided for the private key adds computational and logistical cost, but is of particular use if the mobile device controls access to external resources such as secure websites.
    Type: Grant
    Filed: March 26, 2012
    Date of Patent: May 6, 2014
    Assignee: Secsign Technologies Inc.
    Inventor: Andre Damm-Goossens
  • Patent number: 8713319
    Abstract: Method for verifying that an item of information relating to an issuer has been registered correctly by a receiving entity while preserving the issuer's privacy, which method includes the following steps: a) the information relating to the issuer is coded in an issuing entity and said coding is sent to the receiving entity; b) the receiving entity generates a content test on the basis of the information coded in step a), and the content test is subsequently sent to the issuing entity; and c) the issuer verifies that the content test corresponds to the information which has been coded.
    Type: Grant
    Filed: December 1, 2010
    Date of Patent: April 29, 2014
    Assignee: Scytl Secure Electronic Voting, SA
    Inventors: Jorge Puiggalí Allepuz, Sandra Guasch Castelló
  • Patent number: 8712048
    Abstract: There are provided an information recording medium, an information processing apparatus, an information processing method, and a computer program, which can realize users' convenience for using content in accordance with a license and copyright protection. An information recording medium stores an encrypted content file including encrypted content, usage right information of the encrypted content, and encryption key information necessary for a decrypting process for the encrypted content. Thus, a user can acquire a license (usage right information) and key information necessary for decryption of the content, together with the content, from the information recording medium, without acquiring the license (usage rights) by connection to a license provider.
    Type: Grant
    Filed: May 21, 2010
    Date of Patent: April 29, 2014
    Assignee: Sony Corporation
    Inventors: Tsuyoshi Nakayama, Chikako Mori, Yoshimichi Kitaya, Yoshikazu Kouno
  • Patent number: 8701175
    Abstract: Methods, devices, systems and computer program products for providing secure communications between managed devices in a firewall protected area defined by a firewall and a network management station (NMS) in a network segregated from the firewall protected area are provided. Management information associated with managed devices in the firewall protected area is obtained from the managed devices by a de-militarized zone (DMZ) controller. The obtained management information is transmitted from the DMZ controller through the firewall to a gateway module associated with the NMS. Communications between the DMZ controller and the gateway module are enabled by a single firewall rule.
    Type: Grant
    Filed: March 1, 2005
    Date of Patent: April 15, 2014
    Assignee: Tavve Software Company
    Inventors: Anthony Van Vechten Edwards, James Talmage Doble, Steven Harry Roberts
  • Patent number: 8667560
    Abstract: Systems and methods for authenticating a user of a service are disclosed. A host of a service provides a user interface that can be accessed via a display of a terminal. Upon successfully transmitting a first set of credentials, the host requests a random image to be generated by an authentication server. The authentication server transmits the random image to the host, as well as to a mobile device that is associated with the user of the service. The mobile device receives a picture message including the image. The user interface displays a list of images on the display. The user matches the received image with an image among the list of images, wherein a successful match follows in the user being granted access to the service. Consequently, an additional layer of security using a visual identification of a user is provided.
    Type: Grant
    Filed: August 31, 2010
    Date of Patent: March 4, 2014
    Assignee: AT&T Intellectual Property I, L.P.
    Inventor: Luis F. Albisu
  • Patent number: 8656155
    Abstract: Digital certificate public information is extracted using a processor from at least one digital certificate stored within at least one digital certificate storage repository. The extracted digital certificate public information is stored to at least one dynamically-created certificate public information directory. At least a portion of the digital certificate public information stored within the at least one dynamically-created certificate public information directory is provided in response to a digital certificate public information request.
    Type: Grant
    Filed: February 10, 2012
    Date of Patent: February 18, 2014
    Assignee: International Business Machines Corporation
    Inventors: Bret W. Dixon, Scot W. Dixon
  • Patent number: 8656166
    Abstract: Data is transmitted between a first user and a second user via an information technology communications network, in a method comprising the steps of: generating a first hash value for a selected one of the data items; digitally signing and encrypting the first hash value with a secret identifier associated with the first user; transmitting to a second user the encrypted first hash value; receiving and storing the transmitted encrypted first hash value for audit purposes and generating a second hash value for the received encrypted first hash value; encrypting the second hash value with a private identifier associated with a second user and a public identifier associated with the first user; and returning the encrypted second hash value to the first user.
    Type: Grant
    Filed: June 12, 2012
    Date of Patent: February 18, 2014
    Assignee: The Ascent Group Ltd.
    Inventor: Michael Jacobs
  • Patent number: 8649520
    Abstract: An authentication method sends an open request to a common directory server for a first key, the first key being a trusted embedded authentication common directory service key wrapped in a public key of a public-private key pair. The open request includes an authentication request value that identifies the open request as a verified setup directory service, the public key, an email address and a specified third additional out-of-band communication channel. The common directory server sends a first reply directly back to the directory server with a first half of the first key offset by a unique value and wrapped using the public key. A second reply is sent to the email address, which includes a second half of the first key offset by the first half of the first key. A third reply is sent to the specified third additional out-of-band channel, which includes the unique value.
    Type: Grant
    Filed: March 26, 2012
    Date of Patent: February 11, 2014
    Inventor: R. Paul McGough
  • Patent number: 8650647
    Abstract: A reputation server is coupled to multiple clients via a network. Each client has a security module that detects malware at the client. The security module computes a hygiene score based on detected malware. The security module provides the hygiene score and an identifier of a visited web site to a reputation server. The security module also provides identifiers of files encountered at specified web sites to the reputation server. The reputation server computes secondary hygiene scores for web sites based on the hygiene scores of the clients that visit the web sites. The reputation server further computes reputation scores for files based on the secondary hygiene scores of sites that host the files. The reputation server provides the reputation scores to the clients. A reputation score represents an assessment of whether the associated file is malicious.
    Type: Grant
    Filed: July 24, 2012
    Date of Patent: February 11, 2014
    Assignee: Symantec Corporation
    Inventors: Carey S. Nachenberg, Michael P. Spertus
  • Patent number: 8650387
    Abstract: An IC chip, an information processing apparatus, a software module control method, an information processing system, an information processing method, and a program for ensuring security before booting a software module reliably are provided. A reader/writer and a mobile phone terminal to be accessed by the reader/writer through proximity communication are provided. In the mobile phone terminal, a first software module transmits commands to second and third software modules. The first software module manages states of the second and third software modules. If during boot-up of the third software module, the processing of the second software module is started and completed, then the first software module resumes the boot-up of the third software module.
    Type: Grant
    Filed: September 11, 2009
    Date of Patent: February 11, 2014
    Assignee: Sony Corporation
    Inventor: Hirokazu Sugiyama
  • Patent number: 8645422
    Abstract: The described embodiments of the invention comprise a method and an apparatus for regulating access to objects by authorized entities. Authorized entities are entities authorized for access by either an owner entity of the regulated object or an entity authorized to authorize access to the regulated object. Each user, which may be a physical person or another information system, is identified using standard user validation techniques. When an object is first created or introduced to the system, that information is associated with an owner, who is one user on the system. The present embodiment allows the owner to define relationships with other users, either generally or regarding a particular object. The owner may or may not have trusted relationships with other users. A second user that has a trusted relationship with the owner automatically has access to the object without additional intervention by the owner. In addition, the second user may have a trusted relationship with another user.
    Type: Grant
    Filed: August 12, 2003
    Date of Patent: February 4, 2014
    Inventor: Kenneth D. Pool
  • Patent number: 8634717
    Abstract: A Distributed Denial of Service (DDoS) attack detection and defense apparatus and method are provided. The Distributed Denial of Service (DDoS) attack detection and defense apparatus includes: a flow information collection unit to collect, from one or more input packets with an IP address of an attack target system as a destination IP address, flow information including source IP addresses of the input packets and packet counts of one or more flows that are classified for each of the source IP addresses and each of different protocol types; an inspection unit to calculate packets per second (PPS) values of the flows based on the packet counts; and a response unit to determine a DDoS attack response method for each of the flows based on the PPS value and the protocol type of a corresponding flow and to process the corresponding flow using the determined DDoS attack response method.
    Type: Grant
    Filed: December 8, 2011
    Date of Patent: January 21, 2014
    Assignee: Electronics and Telecommunications Research Institute
    Inventors: Kyoung-Soon Kang, Hak-Suh Kim, Byung-Jun Ahn
  • Patent number: 8635700
    Abstract: In one embodiment, a method includes identifying a plurality of portions of a file and comparing the plurality of portions of the file to a plurality of stored patterns. The plurality of stored patterns include portions of known malware. The method also includes determining, from the plurality of portions of the file and based on the comparing of the plurality of portions of the file to the plurality of stored patterns, a set of matching portions. The set of matching portions include one or more of the plurality of portions of the file. In addition, the method includes determining a score for each portion in the set of matching portions and providing information regarding the set of matching portions. The information includes the scores determined for each portion of the set of matching portions.
    Type: Grant
    Filed: December 6, 2011
    Date of Patent: January 21, 2014
    Assignee: Raytheon Company
    Inventors: Matthew Richard, Jesse J. Lee, Monty D. McDougal, Randy S. Jennings, William E. Sterns
  • Patent number: 8626929
    Abstract: Scalable session management is achieved by generating a cookie that includes an encrypted session key and encrypted cookie data. The cookie data is encrypted using the session key. The session key is then signed and encrypted using one or more public/private key pairs. The encrypted session key can be decrypted and verified using the same private/public key pair(s). Once verified, the decrypted session key can then be used to decrypt and verify the encrypted cookie data. A first server having the private/public key pair(s) may generate the cookie using a randomly generated session key. A second server having the same private/public key pair(s) may decrypt and verify the cookie even if the session key is not initially installed on the second server. A session key cache may be used to provide session key lookup to save public/private key operations on the servers.
    Type: Grant
    Filed: February 14, 2011
    Date of Patent: January 7, 2014
    Assignee: Microsoft Corporation
    Inventors: Wei Jiang, Ismail Cem Paya, John D. Whited, Wei-Quiang Michael Guo, Yordan Rouskov, Adam Back
  • Patent number: 8621191
    Abstract: An apparatus for providing a secure predefined boot sequence may include a processor. The processor may be configured to verify a predefined boot sequence certificate that defines a boot sequence for a device, verify one or more software elements referenced by the predefined boot sequence certificate, and execute one or more software elements that have been verified in the sequence defined by the predefined boot sequence certificate. Corresponding methods, systems, and computer program products are also provided.
    Type: Grant
    Filed: December 26, 2007
    Date of Patent: December 31, 2013
    Assignee: Nokia Corporation
    Inventor: Antti Kiiveri
  • Patent number: 8583913
    Abstract: External network connectivity of an internal host can be measured by giving an external computer a payload identifying the internal host and instructions to deliver the payload to an external host. The external host may receive the payload and contact the internal host. The internal host's response and receipt of the payload may then determine the Internet connectivity of the internal host. The path from the computer through the trusted host to the internal server shows external network connectivity without exposing the internal host to the external network directly.
    Type: Grant
    Filed: September 14, 2011
    Date of Patent: November 12, 2013
    Assignee: Amazon Technologies, Inc.
    Inventor: Jacob Gabrielson
  • Patent number: 8571993
    Abstract: Technologies are disclosed to transfer responsibility and control over security from player makers to content authors by enabling integration of security logic and content. An exemplary optical disc carries an encrypted digital video title combined with data processing operations that implement the title's security policies and decryption processes. Player devices include a processing environment (e.g., a real-time virtual machine), which plays content by interpreting its processing operations. Players also provide procedure calls to enable content code to load data from media, perform network communications, determine playback environment configurations, access secure nonvolatile storage, submit data to CODECs for output, and/or perform cryptographic operations. Content can insert forensic watermarks in decoded output for tracing pirate copies.
    Type: Grant
    Filed: June 17, 2011
    Date of Patent: October 29, 2013
    Assignee: Irdeto USA, Inc.
    Inventors: Paul C. Kocher, Joshua M. Jaffe, Benjamin C. Jun, Carter C. Laren, Peter K. Pearson, Nathaniel J. Lawson