Abstract: A method of generating or entering a password or passphrase on a computer system 1. The method comprises storing a plurality of sets of values in a memory 5 of the system 1, the values of each set defining respective elements which belong to a common domain, the domains of respective sets being distinct from one another, selecting at least one value from each stored set or from each of a plurality of the stored sets, and combining the selected values or elements thereof to form a password or passphrase.

Abstract: A test method for Internet-Protocol packet networks that verifies the proper functioning of a dynamic pinhole filtering implementation as well as quantifying network vulnerability statistically, as pinholes are opened and closed is described.

Abstract: A system and method for assessing the risk to information resources that may include the generation and/or use of a security risk index. The security risk index may represent the security of information resources. The security risk index may be based on at least one factor. The at least one factor may be individually quantified. The at least one factor may include a threat factor associated with a rate or frequency of security events that threaten the security of the information resources, a vulnerability factor associated with a likelihood of a security event breaching the security of the information resources, an impact factor associated with an expected cost of a breach of the security of the information resources, or another type of factor. The security risk index of a subset of information resources including at least one resource may enable various comparisons and observations with respect to the security of the subset of information resources.

Abstract: A data transfer device for transferring data to a removable data storage item. The data transfer device encrypts data to be stored using an encryption key, and additionally encrypts a copy of the encryption key using the encryption key. The data transfer device then stores the encrypted data and the encrypted encryption key to the removable data storage item.

Abstract: An integrity hash is obtained of rights information stored at a client device. The rights information is associated with content stored at the client device. The integrity hash is encrypted using a client device key to generate an encrypted hash. The client device key is externally inaccessible from the client device. The encrypted hash is stored on the client device.

Abstract: A centralized process is provided for elevating portions of an application running under a user account to administrator privilege. A service security identifier is temporarily associated with the user and the portions of the application to be elevated to administrator privileges. The service security identifier is registered in the access control list to be accessed by the operating system. The centralized process may be used in the activation of software products.

Abstract: A test method for Internet-Protocol packet networks that verifies the proper functioning of a dynamic pinhole filtering implementation as well as quantifying network vulnerability statistically, as pinholes are opened and closed is described.

Abstract: A method and system for determining whether resources of a computer system are being hidden is provided. The security system invokes a high-level function of user mode that is intercepted and filtered by the malware to identify resources. The security system also directly invokes a low-level function of kernel mode that is not intercepted and filtered by the malware to identify resources. After invoking the high-level function and the low-level function, the security system compares the identified resources. If the low-level function identified a resource that was not identified by the high-level function, then the security system may consider the resource to be hidden.

Abstract: To establish trust between first and second entities, the first entity sends an attestation message to the second entity, including a code ID, relevant data, a digital signature based on the code ID and data, and a certificate chain. The second entity verifies the signature and decides whether to in fact enter into a trust-based relationship with the first entity based on the code ID and the data in the attestation message. Upon so deciding, the second entity sends a trust message to the first entity, including a secret to be shared between the first and second entities. The first entity obtains the shared secret in the trust message and employs the shared secret to exchange information with the second entity.

Abstract: A system produces certified content by receiving original content acquired from a content acquisition device and receiving a device identity associated with the content acquisition device. The system produces a certification value indicating the original content was acquired from the content acquisition device having the device identity. The system associates the certification value to the original content to produce certified content that can be verified to represent the original content that was acquired from a content acquisition device having the associated device identity while preventing modification to the original content by processing not associated with certification processing. This process is performed in an uninterrupted manner to ensure certified content reflects an accurate device identity. The system can be implemented entirely within a content acquisition device itself, or in a computer system coupled to a content acquisition device.

Abstract: A method and apparatus for verifying configuration changes for network devices using digital signatures are disclosed. In one approach, a method comprises the computer-implemented steps of receiving trust information defining one or more trusted signatories; receiving configuration information comprising a hostname, one or more configuration directives for a host associated with the hostname, and one or more digital signatures of the hostname and configuration directives; attempting to verify the one or more digital signatures based on the trust information; and applying the configuration directives to a network element only when the one or more digital signatures are verified successfully.

Abstract: We present technology that allows layman computer users to simply create, provision, and maintain secured infrastructure—an instant PKI. This technology can be used in a wide variety of applications including enabling secure communications to components of a vehicle, and enabling secure communications between the vehicle and associated infrastructure.

Abstract: Network devices access a communications network and engage in secure associations with one or more network access points upon authenticating the access points and upon verifying the discovery information that is broadcast by the access point. Once a secure association is created, management frames that are subsequently transmitted between the network devices and the access points and that are used to control the secure association are verified to further enhance the security of the communications network.

Abstract: The present invention comprises fast new methods for computing high-precision solutions of Frobenius equations that arise in elliptic-curve cryptography. In particular, this invention may be used to accelerate the computation of the number of points on an elliptic curve over a finite field. The advantage over methods in prior art is that the invention is faster than previously known methods. The methods enable optimally fast canonical lifting of elliptic curves defined over finite fields, optimally fast pre-computations to determine an efficient representation of intermediate quantities, and optimally fast lifting of finite-field elements to compute multiplicative representatives. Furthermore the invention enables rapid computation of norms and traces amongst other applications.

Abstract: An apparatus for default encryption of content for distribution, consistent with certain embodiments, has a conditional access system. A conditional access management system communicates with and manages the conditional access system. A memory stores default encryption information for use by transmission equipment containing content encryption capability to encrypt certain content upon a communication failure between the content encryption system and the conditional access management system controlling it. This abstract is not to be considered limiting, since other embodiments may deviate from the features described in this abstract without departing from certain embodiments of the invention.

Abstract: Hijacking of an application is prevented by monitoring control flow transfers during program execution in order to enforce a security policy. At least three basic techniques are used. The first technique, Restricted Code Origins (RCO), can restrict execution privileges on the basis of the origins of instruction executed. This distinction can ensure that malicious code masquerading as data is never executed, thwarting a large class of security attacks. The second technique, Restricted Control Transfers (RCT), can restrict control transfers based on instruction type, source, and target. The third technique, Un-Circumventable Sandboxing (UCS), guarantees that sandboxing checks around any program operation will never be bypassed.

Abstract: Methods and systems thereof for controlling access to resources are described. When a user attempts to access a resource via a remote interface such as a Web server, the request is initially evaluated by a source of policy definitions such as a policy server. This source returns a policy decision to the remote interface. The policy decision is stored in memory by the remote interface. The remote interface can then evaluate subsequent requests from the user for the resource using the stored policy decision instead of having to communicate again with the source for the policy decision. Enhancements to this approach are also described. Accordingly, policy definitions and decisions are more efficiently implemented.

Abstract: A method for controlling access to a process to be executed on a data processing system is provided. An interface is provided for coupling a security device to the data processing system. The security device is a separate hardware device from the data processing system. User input of an identifier for accessing the security device is received, the identifier is verified, and the security device is accessed, in response to the identifier being verified, to obtain authentication data for the process to be executed on the data processing system. The authentication data is injected into a login process associated with the process to be executed to automatically authenticate a user to the process to be executed. The security device uses private-public key authentication to authenticate the user to the process to be executed without the user being aware that private-public key authentication is being performed.

Abstract: The present invention extends to methods, systems, and computer program products for securely inspecting electronic messages. A computer system receives a control message that is passed through one or more receiving path components, positioned in a message receiving path, to a security component. The security component authenticates the received control message and passes the received control message to an inspection control component. The inspection control component activates message inspection in accordance with instructions contained in the received control message. When message inspection is activated, the computer system passes accessed messages to corresponding inspection components positioned in message paths (either receiving or sending) of the accessed message. The inspection component generates an inspection report (e.g., including a portion of contents of the accessed message) in accordance with instructions contained in a previously authenticated control message.

Abstract: Methods and associated systems for providing secured data transmission over a data network are disclosed. Security association updates may be provided in a load-balanced system. Before encryption, the system may calculate values for header fields that need to be updated as a result of an encryption process. Encrypted packets may be decrypted by a parallel decryption system. After decryption, the system may calculates value for fields in the header information that need to be updated as a result of the decryption process.