Abstract: A method and system for controlling access to features on an electronic device, such as a printer, is disclosed. The electronic device is shipped with multiple software features, but one or more of the features may be disabled. According to aspects of the present invention, when a customer subsequently licenses or purchases one of the disabled features, the feature is enabled as follows. A key corresponding to the disabled feature is stored on a portable storage device. When the portable storage device is inserted into the electronic device, the key is customized based on device-specific information of the electronic device, thereby reducing a possibility that the key can be copied and used for enabling the feature on more than one device. The customized key is then used to enable the feature in the electronic device.

Abstract: Utilizing a hardware transactional approach to execute a code section by employing pseudo-transactions, after initially utilizing software locking, is disclosed. A method is disclosed that utilizes a software approach to locking memory to execute a code section relating to memory. The software approach employs a pseudo-transaction to determine whether a hardware approach to transactional memory to execute the threshold would have been successful. Where the hardware approach to transactional memory to execute the code section satisfies a threshold based on success of at least the pseudo-transaction, the method subsequently utilizes the hardware approach to execute the code section. The hardware approach may include starting a transaction inclusive of the code section, conditionally executing the transaction, and, upon successfully completing the transaction, committing execution of the transaction to the memory to which the code section relates.

Abstract: A network communications method communicates a certificate from a client machine to a server machine through a security module. The protocol used between the client and server machines is HTTP or an equivalent protocol, and a security protocol such as SSL or an equivalent is implemented between the client machine and the security module. The steps of the method include inserting the certificate into a cookie header of a request in HTTP or an equivalent protocol, and then transmitting the request from the security module to the server machine.

Abstract: A quantitative model combines a one-dimensional risk-assessment approach with expert knowledge to enable calculation of a probability or likelihood of exploitation of a threat to an information system asset without referring to actuarial information. A numerical value is established for one or more threats of attack on the information system asset based on expert knowledge without reference to actuarial data, and likewise, based on expert knowledge without reference to actuarial data, a numerical value is established for each of one or more access and privilege components of one or more vulnerabilities to attack on the information system asset. A security risk level for the information system asset is computed based upon the numerical values for threat and the access and privilege components for vulnerability so established.

Abstract: A converter uses a predetermined parameter a. A generating unit accepts generated inputs x1, . . . , xn, and generates generated outputs, y1, . . . , yn, using recurrence formulas, y1=F1(x1, a) and yi+1=Fi+1(xi+1, yi) (1?i?n?1). A key accepting unit accepts key inputs, k1, . . . , kn, and gives them as generated inputs to said generating unit. A repetition controller gives the generated outputs as generated inputs to said generating unit, for an “m” (m?0) number of times, and sets one of the generated outputs to be given at the end as a random number string, r1, . . . , rn. The data accepting unit accepts data inputs, d1, . . . , dn. The converting unit converts data using, ei=di?ri, and, outputs data outputs, e1, . . . , en. The converter can be used both for encrypting and decrypting data.

Abstract: A computer system, method, and computer program product for controlling data communication in an ad-hoc network that connects a wireless device and a nearby wireless device. The method stores an application directory, determines a priority for each entry in the application directory, identifies a selected entry based on the priority, and examines the attributes and security parameters associated with the selected entry. When the security parameters indicate to use a secure connection, the method establishes a security association to support the data communication by querying a database for an existing security association that will satisfy the security parameters. When the query is successful, the method reuses the existing security association. When the query is unsuccessful, the method creates a new security association by establishing a privileged side channel to the nearby wireless device, negotiating the new security association over the privileged side channel, and storing the new security association.

Abstract: Embodiments of the invention are directed to systems that detect maliciously formed TCP/IP retransmit packets attempting to pass through an intrusion detection system (IDS) and prevent them from reaching their destination by forcing early flow termination. The IDS may be configured to track a hash of certain fields in each packet. This set of hashes is maintained for all of the packets in the currently open TCP window for each flow. If the hash of a retransmit packet does not match the cached hash of the corresponding original packet, the system concludes that there is an attack under way and terminates the flow. The hash function may range in complexity and security from low complexity and relative insecurity to high complexity and high security. Hash algorithms may also be used in conjunction with a private seed value concatenated with the packet fields prior to hashing.

Abstract: In a method for protecting an exponentiation calculation by means of the Chinese remainder theorem, in particular the combining step (16), wherein the Garner combination algorithm is preferably used, is verified for its correctness prior to outputting (24) the results of the combining step (18). In doing so, the combination algorithm is verified directly prior to outputting the result of the exponentiation calculation, so as to eliminate the outputs of an incorrect result, for example due to a hardware error attack, so as to ward off the error attack.

Abstract: A method and system is disclosed for authenticating jobs submitted to a computing grid. The method may comprise receiving a grid job for performing on the computing grid, authenticating the grid job for performing on the computing grid, marking the grid job as authentic for acceptance by grid computers of the computing grid, and distributing the grid job marked as authentic to the grid computers. Additionally, a method and system is disclosed for screening jobs on the computing grid. The method may comprise receiving a grid job from a grid customer, deriving a pilot task from the grid job, executing a pilot run of the pilot task on a subset of grid computers on the computing grid, checking for successful performance of the pilot task on the subset of grid computers, and submitting the grid job to grid computers for performance if the pilot run of pilot task is successful.

Abstract: A system and method is disclosed for detecting and/or mitigating an overload condition from one or more first computers, such as a distributed denial of service (DDoS) attack, viral attack, or the like, targeting one or more of a plurality of second computers located on a network. While one or more DDoS attacks are mitigated, a meter, detection apparatus, software, or method, detects the condition being mitigated in a data cleaning center, and provides an alert or notification regarding the mitigated attack. Another preferred embodiment relates, in general terms, to a system and method for detecting and/or mitigating an overload or attempted overload condition targeting a domain name server. A network connection is provided for receiving one or more DNS requests from one or more client computers located on a network.

Abstract: A mobile or other device connects to a server via a publicly accessible network such as the Internet. After installation upon the device, a virtual private network (VPN) client connects to the server and downloads a VPN profile. In one embodiment the device creates public/private key pairs and requests enrollment of a digital certificate. In another embodiment a digital certificate and public/private key pairs are provided. The device also receives a digital certificate from the server and verifies the server certificate by requesting the user to supply a portion of a fingerprint for the certificate. The invention further includes an automatic content updating (ACU) client that downloads a user profile for the VPN, requests certificate enrollment, and updates the VPN client and other applications when new content is available. A security service manager (SSM) server includes, or is in communication with, a Web server, multiple databases, an enrollment gateway and an internal certification authority (CA).

Abstract: A proxy server that is inserted between a plurality of network access servers, typically an access points, and an authentication server. When an original authentication request is received by an network access server, the network access server forwards the request to the proxy server which forwards the request to an authentication server. The authentication server then sends the session information to the proxy server which stores the keying material as a dynamic credentials. When the client re-authenticates with one of the plurality of access servers, the re-authentication request is handled by the proxy server using the dynamic credentials. The proxy server may re-authenticate the client using a different method than the method that was originally used. For example, the original authentication may be by Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) and subsequent reauthentications may use Wi-Fi Protected Access (WPA).

Abstract: Methods and systems are provided to allow users that are authenticated by a trusted external service to gain controlled levels of access to selected local computing resources without requiring the user to also have conventional access control capabilities for the resources.

Abstract: An authenticated and metered flow control method provides a network interface with the capability to determine the authenticity of programs used to generate and send data packets, thereby ensuring that users who send data packets are well behaved. The method is based on using a hidden program that was obfuscated into the program used for generating and sending data packets. More specifically, the hidden program generates a pseudo random sequence of security signals that are included in the sequence of data packets that are sent from the user to the network interface. Only the network interface knows how the pseudo random sequence of security signals was generated, and therefore, the network interface is able to check the validity of the pseudo random sequence of security signals, and thereby verify the authenticity of the programs used to generate and send data packets.

Abstract: A data protection system is provided that reduces, to a degree, the amount of encrypted data that is distributed to a plurality of terminals. In the data protection system a terminal whose decryption keys are exposed by a dishonest party is made to be unable to decrypt the data correctly, while other terminals are able to decrypt the data correctly. The data protection system includes a plurality of terminals, and an encryption device that encrypts distribution data distributed to each terminal. Each terminal is corresponded with one node on a lowest level of a 4-ary tree structure or the like having a plurality of hierarchies.

Abstract: Decryption keys used in decrypting encrypted configuration data for a programmable logic device are erased following decryption of encrypted configuration data. A self-erasing key memory delivers a decryption key to a programmable logic device and then automatically erases itself. The keys are then no longer available outside the programmable logic device.

Abstract: The invention relates to a method for securing a networked system comprising system components having hardware and software modules connected via a system bus. According to the invention, the system components each comprise an authentication feature for the hardware modules and/or a further authentication and/or integrity securing feature each for the software modules. Further, a central testing module attached to the system bus for testing the authenticity features and/or the integrity securing features is provided.

Abstract: The objective of the present invention is to propose a method that allows preventing the use of more than one identical security module for the identification and use of resources administered by an operating centre. This objective is achieved by an anti-cloning method based on the memorization of the identification numbers of the user units connected to said security module. During a connection with an operating centre these numbers are transmitted and compared with the numbers of a previous transmission. Differences are accepted as long as new numbers are added to a list previously transmitted. The security module is declared invalid if the numbers previously memorized are not included in the transmitted numbers.

Abstract: A mechanism for redirecting a code execution path in a running process. A one-byte interrupt instruction (e.g., INT 3) is inserted into the code path. The interrupt instruction passes control to a kernel handler, which after executing a replacement function, returns to continue executing the process. The replacement function resides in a memory space that is accessible to the kernel handler. The redirection mechanism may be applied without requiring a reboot of the computing device on which the running process is executing. In addition, the redirection mechanism may be applied without overwriting more than one byte in the original code.

Abstract: A publishing user publishes digital content and issues to itself a corresponding digital publisher license to allow itself to render the published digital content. The publishing user is supplied with a publishing certificate from a digital rights management (DRM) server, where the publishing certificate allows the publishing user to so publish the digital content and to so issue the publisher license.