Patents Examined by Chi Nguy
  • Patent number: 8848909
    Abstract: Systems (100) and methods for selectively controlling access to data streams communicated from a first communication device (FCD) using a timeslotted shared frequency spectrum and shared spreading codes. Protected data signals (130_1, . . . , 130_S) are modulated to form first modulated signals (132_1, . . . , 132_S). The first modulated signals are combined with first chaotic spreading codes to form digital chaotic signals. The digital chaotic signals are additively combined to form a protected data communication signal (PDCS). The PDCS (136) and a global data communication signal (GDCS) are time division multiplexed to form an output communication signal (OCS). The OCS (140) is transmitted from FCD (102) to a second communication device (SCD) over a communications channel. The SCD (106, 108, 110) is configured to recover (a) only global data from the OCS, or (b) global data and at least some protected data from the OCS.
    Type: Grant
    Filed: July 22, 2009
    Date of Patent: September 30, 2014
    Assignee: Harris Corporation
    Inventors: Alan J. Michaels, David B. Chester
  • Patent number: 8844029
    Abstract: A risk value is calculated to suit a state and environment of an analysis target system, by presenting data for determining whether or not a calculated risk is correct, and presenting portions for parameters to be changed such as weights related to a threat, a vulnerability and a measure contained in the risk model.
    Type: Grant
    Filed: April 22, 2008
    Date of Patent: September 23, 2014
    Assignee: NEC Corporation
    Inventor: Hiroshi Sakaki
  • Patent number: 8839426
    Abstract: A server system receives messages from client computing devices. Each of the messages corresponds to a transaction. The server system assigns each respective transaction to a respective fresh virtual machine. Furthermore, the server system performs, as part of a respective virtual machine processing a respective transaction, a modification associated with the respective transaction to a shared database. The shared database is persisted independently of the plurality of virtual machines. In response to determining that processing of the respective transaction is complete, the server system discards the respective virtual machine. In response to determining that the respective transaction is associated with a cyber-attack, the server system uses checkpoint data associated with the respective transaction to roll back the modifications associated with the respective transaction to the shared database.
    Type: Grant
    Filed: August 29, 2013
    Date of Patent: September 16, 2014
    Assignee: Architecture Technology Corporation
    Inventors: Stephen K. Brueckner, Robert A. Joyce, Carl Manson, Hajime Inoue, Kenneth J. Thurber
  • Patent number: 8826445
    Abstract: In one embodiment, the present invention pertains to a method and system for deterring unauthorized use of media content in a computing system and network. In one embodiment, the invention comprises detecting an unauthorized use of the media content in a computing system or network, the media content having a characteristic digital waveform format and an associated indicator for indicating to a compliance mechanism an unauthorized use of the media content. On detecting an unauthorized use of the media content, the media content characteristic digital waveform format is degraded. In this embodiment of the invention, unauthorized use is non-compliance with a use restriction applicable to the presentation of the media content in the computing system or network. In accordance with this embodiment of the invention, the media content is rendered incomprehensible to an unauthorized user experiencing the media content, thereby likely deterring further unauthorized use of the media.
    Type: Grant
    Filed: August 5, 2010
    Date of Patent: September 2, 2014
    Assignee: Media Rights Technologies, Inc.
    Inventor: Hank Risan
  • Patent number: 8789195
    Abstract: A digital memory such as a memory card for mobile communication equipment, is adapted to be accessed by a plurality of users and have protected data stored therein. The memory is dynamically partitionable in private memory areas for storing data therein and has associated therewith a secrecy tool for securely allocating to the users respective private areas and permitting the users to access the respective private areas via a secure session channel to perform read/write commands in the respective private areas. Typically, the memory/card includes: a card interface controller for managing a physical communication layer between the digital memory and external host equipment, an internal memory having associated therewith a hardware lock to control access to the internal memory, a set of cryptographic modules to manage the secure session channel between the users and the digital memory, and a memory certificate for certifying a public key associated with the digital memory.
    Type: Grant
    Filed: December 22, 2004
    Date of Patent: July 22, 2014
    Assignee: Telecom Italia S.p.A.
    Inventors: Alberto Bianco, Laura Colazzo, Fabio Ricciato, Maura Turolla, Antonio Varriale
  • Patent number: 8788802
    Abstract: A constrained proxy key is used to secure communications between two devices via an intermediary device. A first proxy key is generated at a host device (key generator device) based on a shared secret key, one or more constraints on the first proxy key, and a key derivation function. At least the shared secret key and key derivation function are known to the host device and a client device (authentication device). The first proxy key is sent to a proxy device to use in authenticating communications with the client device. An authenticated message is generated by the proxy device using the first proxy key and sent to the client device. The client device locally generates a second proxy key using the key derivation function, one or more constraints, and the shared secret key for authenticating the proxy device. The proxy device is authenticated if the client device successfully accesses the authenticated message from the proxy device using the second proxy key.
    Type: Grant
    Filed: September 27, 2006
    Date of Patent: July 22, 2014
    Assignee: QUALCOMM Incorporated
    Inventors: Alexander Gantman, Tolga Yalcinkaya, Gregory Gordon Rose, Lu Xiao
  • Patent number: 8782428
    Abstract: Even if failure, or the like, occurs during the encryption process, the encryption process is surely resumed. A flag changing unit changes an encryption flag of one disk to being encrypted after an encryption request is received and before the encryption of the data stored on the one disk is started. The flag changing unit changes the encryption flag of the one disk to having been encrypted and changes the encryption flag of the other disk to being encrypted before copying the encrypted data from the one disk to the other disk is started. The flag changing unit changes the encryption flag of the other disk to having been encrypted after copying to the other disk is completed.
    Type: Grant
    Filed: December 1, 2009
    Date of Patent: July 15, 2014
    Assignee: Fujitsu Limited
    Inventors: Mikio Ito, Hidejirou Daikokuya, Kazuhiko Ikeuchi
  • Patent number: 8776223
    Abstract: A method, apparatus, and/or system for execution prevention is provided. A state indicator for a first subset of a plurality of memory pages of executable code in a memory device is set to a non-executable state. A state indicator for a second subset of the plurality of memory pages is set to an executable state, where the second subset of the plurality of memory pages includes indirection stubs to functions in the first subset of the plurality of memory pages. Upon execution of an application, a function call is directed to a corresponding indirection stub in the second subset of the plurality of memory pages which modifies the state indicator for a corresponding function in the first subset of the plurality of memory pages prior to directing execution of the called function from the first subset of the plurality of memory pages.
    Type: Grant
    Filed: January 16, 2012
    Date of Patent: July 8, 2014
    Assignee: QUALCOMM Incorporated
    Inventors: Arun Balakrishnan, Alexander Gantman, Renwei Ge, Daniel Komaromy, Yinian Mao, Anand Palanigounder, Brian M. Rosenberg
  • Patent number: 8745695
    Abstract: A method and apparatus for providing a passphrase-based security setup for a hybrid network including multiple network interfaces configured for communicating over one or more communication media are provided. The method includes receiving a passphrase from a user at a network interface of the multiple network interfaces. The received passphrase is then used for authenticating the device for one or more network interfaces. The authentication can be performed irrespective of a communication medium used by the network interfaces.
    Type: Grant
    Filed: March 14, 2012
    Date of Patent: June 3, 2014
    Assignee: QUALCOMM Incorporated
    Inventors: Richard E. Newman, Sidney B. Schrum, Lawrence W. Yonge, III
  • Patent number: 8732793
    Abstract: The present invention provides a method and a system for improving security of a key device in the information security field. In order to solve the problem that the security performance of the key device is lower due to the possible tampering with the data needed for encryption and signature in prior art, the present invention provides the method, including steps in which the key device is connected to a computer, then is used to receive the data input by the user through a computer and display the same after a user makes a successful authentication; and to make digital signature or encryption of the data input after the user confirms the content displayed. The above-mentioned system comprises an authentication module, a data receiving module, a display module, a confirmation information receiving module, and a key module.
    Type: Grant
    Filed: November 13, 2007
    Date of Patent: May 20, 2014
    Assignee: Feitian Technologies Co., Ltd.
    Inventors: Zhou Lu, Huazhang Yu
  • Patent number: 8712050
    Abstract: A method of implementing dynamic pseudorandom keyboard remapping of a system including a keyboard in communication with an operating system of a computing device includes encrypting an original keyboard scan code corresponding to each of a plurality of keyboard keys, using a mapping algorithm, wherein the mapping algorithm encrypts the original keyboard scan code by using both the original keyboard scan code and a current one of a sequence of pseudorandom numbers generated using a pseudorandom number generator (PRNG) algorithm and an initial seed value; and decrypting the original keyboard scan code based on an encrypted scan code generated and transmitted from the keyboard to the operating system, responsive to a keystroke of the keyboard, wherein the operating system also uses the mapping algorithm, the PRNG algorithm, and the initial seed value.
    Type: Grant
    Filed: September 11, 2007
    Date of Patent: April 29, 2014
    Assignee: International Business Machines Corporation
    Inventors: Wayne M. Delia, Edward E. Kelley, Franco Motika
  • Patent number: 8712049
    Abstract: A system for implementing dynamic pseudorandom keyboard remapping includes a keyboard in communication with an operating system of a computing device; the keyboard configured to encrypt an original keyboard scan code corresponding to each of a plurality of keyboard keys, using a mapping algorithm, wherein the mapping algorithm encrypts the original keyboard scan code by using both the original keyboard scan code and a current one of a sequence of pseudorandom numbers generated using a pseudorandom number generator (PRNG) algorithm and an initial seed value; and the operating system configured to decrypt the original keyboard scan code based on an encrypted scan code generated and transmitted from the keyboard thereto, responsive to a keystroke of the keyboard, wherein the operating system also uses the mapping algorithm, the PRNG algorithm, and the initial seed value.
    Type: Grant
    Filed: September 11, 2007
    Date of Patent: April 29, 2014
    Assignee: International Business Machines Corporation
    Inventors: Wayne M. Delia, Edward E. Kelley, Franco Motika
  • Patent number: 8650652
    Abstract: Rendering subject information for a protected message received and stored at an electronic communications device, wherein the message is initially received by the electronic communications device without subject information. Selected information is extracted from the protected message and stored on the electronic communications device as subject information for the protected message.
    Type: Grant
    Filed: September 26, 2006
    Date of Patent: February 11, 2014
    Assignee: Blackberry Limited
    Inventor: Neil Adams
  • Patent number: 8646035
    Abstract: A method for accessing an application on an internal network comprises configuring a first host name in a computer as associated with an internal network. A second host name in the computer is configured as associated with an external data communication network, where the second host name is an alias that resolves to an internet protocol address of an authentication server in the internal network. A first application hosted over the internal network is invoked. In response to the invocation of the first application, a request to invoke the first application including stored user authentication credentials is transmitted to the authentication server. A restricted application hosted over the internal network is invoked where the invocation command includes the second host name. In response to the invocation of the restricted application, a request that does not include user authentication credentials is transmitted to invoke the restricted application to the authentication server.
    Type: Grant
    Filed: August 18, 2011
    Date of Patent: February 4, 2014
    Assignee: Sprint Communications Company L.P.
    Inventors: Ralph S. Thomas, Elton Tila
  • Patent number: 8635704
    Abstract: The digital data file management method reads a header of the digital data file stored on an external medium. Based on the read header, the digital data file is selectively uploaded and/or managed.
    Type: Grant
    Filed: March 13, 2006
    Date of Patent: January 21, 2014
    Assignee: LG Electronics Inc.
    Inventors: Young-Soon Cho, Jae-Young Kim, Han Jung
  • Patent number: 8630409
    Abstract: A two-party approximation protocol is transformed into a private approximation protocol. A first input $x \in \{0, 1, \ldots, M\}^n$ and a second input $y \in \{0, 1, \ldots, M\}^n$ of a two party approximation protocol approximating a function of a form $f(x, y) = \sum_{j=1}^{n} g(x_j, y_j)$ is received. Variable $B$ is set as a public upper bound on $f(x, y)$. Variable $l$ is set $l = O^*(1)$. The following is performed until $\sum_{j=1}^{l} z_j \geq \frac{l}{t}$ or $B < 1$, where $t$ is an arbitrary number: (1) a private importance sampling protocol with the first input $x$, the second input $y$, and a third input $1^k$, is executed independently for $j \in [l]$, where $k$ is a security parameter, an output of the private importance sampling protocol is shares of $I_j \in [n] \cup \{\perp\}$; (2) $l$ coin tosses $z_1, \ldots, z_l$ are independently generated where $z_j = 1$ iff $I_j \neq \perp$; and (3) $B$ is divided by 2 if $\sum_{j=1}^{l} z_j \geq \frac{l}{t}$ or $B < 1$ is not satisfied.
    Type: Grant
    Filed: April 5, 2011
    Date of Patent: January 14, 2014
    Assignee: International Business Machines Corporation
    Inventor: David Paul Woodruff
  • Patent number: 8613056
    Abstract: User credentials are validated within a network infrastructure element such as a packet data router or switch. The network element has authentication and authorization logic for receiving one or more packets representing an input application message logically associated with OSI network model Layer 5 or above; extracting user credentials from the one or more packets; authenticating an identity associated with the user credentials; authorizing privileges to the identity; and forwarding the application message to an intended destination if the identity is successfully authenticated and/or authorized. The authentication and authorization logic in the network element can invoke extension authentication and authorization methods that may be provisioned after the network element is deployed in a networked system.
    Type: Grant
    Filed: May 26, 2006
    Date of Patent: December 17, 2013
    Assignee: Cisco Technology, Inc.
    Inventors: Sandeep Kumar, Vinod K. Dashora, Subramanian N. Iyer, Yuquan Jiang
  • Patent number: 8607059
    Abstract: A method of installing software on a computer associated with a user, the computer being coupled to a system including one or more document handling devices connected to the computer via a communications network. The method includes, in a document handling device, determining a user identity associated with the user, and in at least part of the system, identifying the computer using the determined user identity and causing a software package to be transferred to the computer via the communications network, thereby causing the software to be installed.
    Type: Grant
    Filed: September 22, 2006
    Date of Patent: December 10, 2013
    Assignee: Canon Information Systems Research Australia Pty. Ltd.
    Inventors: Kim Douglas Mason, Veronica Luke
  • Patent number: 8566929
    Abstract: In a packet-based communication between a mobile radio and a base station in a radio communication system, an authenticity of a packet based on authentication data associated with the packet is tested. Packets that fail the authenticity test are removed from the communication. A security condition is detected when a number of failed packets for the communication exceeds a security threshold, and in response thereto, action is taken to correct or reduce the security condition. The removed packets are preferably not discarded, but instead are stored and used for analysis, and based on that analysis, appropriate action can be taken.
    Type: Grant
    Filed: October 21, 2008
    Date of Patent: October 22, 2013
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventor: Kiran Thakare
  • Patent number: 8553883
    Abstract: According to the teachings presented herein, a wireless communication device reverts from subscription credentials to temporary access credentials, in response to detecting an access failure. The device uses its temporary access credentials to gain temporary network access, either through a preferred network (e.g., home network) or through any one of one or more non-preferred networks (e.g., visited networks). After gaining temporary access, the device determines whether it needs new subscription credentials and, if so, uses the temporary access to obtain them. Correspondingly, in one or more embodiments, a registration server is configured to support such operations, such as by providing determination of credential validity and/or by redirecting the device to a new home operator for obtaining new subscription credentials.
    Type: Grant
    Filed: June 17, 2008
    Date of Patent: October 8, 2013
    Assignee: Telefonaktiebolaget L M Ericsson (publ)
    Inventors: Patrik Mikael Salmela, Vesa Petteri Lehtovirta, Kristian Slavov