Patents Examined by Cordelia Kane
  • Patent number: 7594115
    Abstract: A contents information output system which is capable of ensuring security in outputting contents information to a recording medium. A data management apparatus identifies a RF-ID tagged display medium to which contents information is to be outputted, and determines whether or not output of contents information to the identified display medium is permitted. Further, the data management apparatus determines whether or not the contents information designated by a print instruction is registered, and an RF-ID reader-integrated printing apparatus outputs the contents information designated by the print instruction to the display medium, based on the determination by the data management apparatus.
    Type: Grant
    Filed: March 26, 2004
    Date of Patent: September 22, 2009
    Assignee: Canon Kabushiki Kaisha
    Inventor: Sotomitsu Ikeda
  • Patent number: 7552335
    Abstract: The present invention provides a technique that allows for a valid modification that is authorized by the author of data, while assuring the originality of the data. An information processing apparatus for processing original data created by a predetermined author is provided. The information processing apparatus includes a modification-information storing unit for storing modification information regarding a modification onto a storage medium when the original data is modified, and a modification-assuring-information creating unit for creating modification assuring information for assuring that the modification information is true.
    Type: Grant
    Filed: November 12, 2003
    Date of Patent: June 23, 2009
    Assignee: Canon Kabushiki Kaisha
    Inventor: Keiichi Iwamura
  • Patent number: 7552474
    Abstract: The presence of an installation on a data processing system may be detected by providing a signature that includes m files having paths associated therewith, respectively. A number n files on the data processing system are determined that match files in the signature and a files found ratio given by n/m is determined. A transformation is applied to the signature by replacing at least a portion of at least one of the paths with a new path. Then, a distance is determined between the n files on the data processing system and the m signature files. The distance corresponds to a sum of a number of path segments associated with the m signature files that cannot be matched to a corresponding path segment associated with files on the data processing system. The presence of the installation on the data processing system is determined based on the files found ratio and the distance.
    Type: Grant
    Filed: March 1, 2004
    Date of Patent: June 23, 2009
    Assignee: International Business Machines Corporation
    Inventors: Melanie Gurda, James S. Jennings, Lenore Ramm
  • Patent number: 7543160
    Abstract: A system and method for generating a security indicator on a display of a computing device (e.g. a mobile device), to indicate when the computing device is in a secure state while locked. A determination is made (e.g. by a data protection system) as to whether at least some of the secure data stored on the computing device can be decrypted by any applications on the computing device, while the computing device is in the locked state. An icon or other identifier can be displayed to indicate that the secure state has been attained. In one embodiment, the secure state is considered to have been attained, if it is determined that all tickets that have been issued to applications on the computing device while the computing device was unlocked have been released, and any decrypted encryption keys that may be used to decrypt the secure data have been deleted.
    Type: Grant
    Filed: September 3, 2004
    Date of Patent: June 2, 2009
    Assignee: Research In Motion Limited
    Inventors: Neil P. Adams, Michael S. Brown, Herbert A. Little
  • Patent number: 7533265
    Abstract: The present invention provides for maintaining security context during a communication session between applications, without having to have executable code in either application for obtaining or generating a security context token (SCT) used to secure the communication. On a service side, a configuration file is provided that can be configured to indicate that automatic issuance of a SCT is enabled, thereby allowing a Web service engine to generate the SCT upon request. On the client side, when a message is sent from the client application to the service application, a policy engine accesses a policy that includes assertions indicating that a SCT is required for messages destined for the Web service application. As such, the policy engine requests and receives the SCT, which it uses to secure the message.
    Type: Grant
    Filed: July 14, 2004
    Date of Patent: May 12, 2009
    Assignee: Microsoft Corporation
    Inventors: Keith W. Ballinger, HongMei Ge, Hervey O. Wilson, Vick B. Mukherjee
  • Patent number: 7533407
    Abstract: A client quarantine agent requests bill of health from a quarantine server, and receives a manifest of checks that the client computer must perform. The quarantine agent then sends a status report on the checks back to the quarantine server. If the client computer is in a valid security state, the bill of health is issued to the client. If the client computer is in an invalid state, the client is directed to install the appropriate software/patches to achieve a valid state. When a client requests the use of network resources from a network administrator, the network administrator requests the client's bill of health. If the bill of health is valid, the client is admitted to the network. If the bill of health is invalid, the client is placed in quarantine.
    Type: Grant
    Filed: April 14, 2004
    Date of Patent: May 12, 2009
    Assignee: Microsoft Corporation
    Inventors: Elliot D. Lewis, Hakan Berk, Narendra C. Gidwani, Jesper M. Johansson, Timothy M. Moore, Ashwin Palekar, Calvin C. Choe
  • Patent number: 7526807
    Abstract: In a network including a centralized controller and a plurality of routers forming a security perimeter, a method for selectively discarding packets during a distributed denial-of-service (DDoS) attack over the network. The method includes aggregating victim destination prefix lists and attack statistics associated with incoming packets received from the plurality of routers to confirm a DDoS attack victim, and aggregating packet attribute distribution frequencies for incoming victim related packets received from the plurality of security perimeter routers. Common scorebooks are generated from the aggregated packet attribute distribution frequencies and nominal traffic profiles, and local cumulative distribution function (CDF) of the local scores derived from the plurality of security perimeter routers are aggregated.
    Type: Grant
    Filed: November 26, 2003
    Date of Patent: April 28, 2009
    Assignee: Alcatel-Lucent USA Inc.
    Inventors: Hung-Hsiang Jonathan Chao, Mooi Choo Chuah, Yoohwan Kim, Wing Cheong Lau
  • Patent number: 7522730
    Abstract: A microphone unit comprising a voice input for receiving a voice input signal, an analog to digital converter for creating a digital signal from voice signal, a voice coding device for creating a voice coded signal output from the digital signal, encryption means for encrypting the voice coded signal, and a modulator for generating a transmittable signal that can be supplied to a radio via the microphone input. Additionally, the microphone unit is capable of performing the steps in reverse upon receiving an encrypted signal. The received signal output from the radio is demodulated, un-encrypted, voice decoded, converted from a digital voice signal to an analog voice signal, and output via a speaker which is preferably built into the microphone unit.
    Type: Grant
    Filed: April 14, 2004
    Date of Patent: April 21, 2009
    Assignee: M/A-Com, Inc.
    Inventors: John Vaughan, Dennis Michael Martinez
  • Patent number: 7515714
    Abstract: A communication apparatus includes a reference signal generating section, a transmitting section, a propagation estimating section, a first data acquiring section, and a decoding section. The reference signal generating section generates a first reference signal to enable a communicating party to estimate a propagation environment. The transmitting section transmits the first reference signal. The propagation estimating section estimates a first propagation estimation value of the propagation environment using a second reference signal transmitted from the communicating party. The first data acquiring section generates first data using the first propagation estimation value. The decoding section decodes a transmission signal encoded using a second propagation estimation value that is estimated by the communicating party using the first reference signal, to obtain second data using the first data.
    Type: Grant
    Filed: February 27, 2003
    Date of Patent: April 7, 2009
    Assignee: Panasonic Corporation
    Inventors: Masayuki Orihashi, Yutaka Murakami, Katsuaki Abe, Akihiko Matsuoka
  • Patent number: 7509491
    Abstract: Conventional mechanisms exist for denoting such a communications group (group) and for establishing point-to-point, or unicast, secure connections between members of the communications group. In a particular arrangement, group members employ a group key operable for multicast security for unicast communication, thus avoiding establishing additional unicast keys for each communication between group members. Since the recipient of such a unicast message may not know the source, however, the use of the group key assures the recipient that the sender is a member of the same group. Accordingly, a system which enumerates a set of subranges (subnets) included in a particular group, such as a VPN, and establishing a group key corresponding to the group applies the group key to communications from the group members in the subnet.
    Type: Grant
    Filed: June 14, 2004
    Date of Patent: March 24, 2009
    Assignee: Cisco Technology, Inc.
    Inventors: W. Scott Wainner, James N. Guichard, Brian E. Weis, David A. McGrew
  • Patent number: 7509487
    Abstract: Secure communication between a resource-constrained device and remote network nodes over a network with the resource-constrained device acting as a network node. The remote network nodes communicate with the resource-constrained device using un-modified network clients and servers. Executing on the resource-constrained device, a communications module implements one or more link layer communication protocols, operable to communicate with a host computer, operable to communicate with remote network nodes and operable to implement network security protocols thereby setting a security boundary inside the resource-constrained device.
    Type: Grant
    Filed: May 19, 2004
    Date of Patent: March 24, 2009
    Assignee: Gemalto Inc.
    Inventors: HongQian Karen Lu, Michael Andrew Montgomery, Asad Mahboob Ali
  • Patent number: 7493650
    Abstract: A method for determining compliance with a data distribution or usage policy applied with respect to a digital medium is presented. The method comprising: assigning numerical values to breaches of the policy; assigning a quota of breaches of the policy to at least one user subjected to the policy, the quota being expressed in terms of the numerical value; monitoring information distribution or usage covered by the policy in order to detect breaches of the policy by users; upon detection of an action breaching the policy by a given one of the users: determining whether a numerical value has been assigned to the type of the breach; comparing the numerical value assigned to the type of breach with a respective quota assigned to the given user, and allowing the action to be executed only if the comparing indicates that the respective quota assigned to the given user is sufficient to cover the breach.
    Type: Grant
    Filed: July 1, 2004
    Date of Patent: February 17, 2009
    Assignee: PortAuthority Technologies Inc.
    Inventors: Ariel Peled, Lidror Troyansky, Ofir Carny
  • Patent number: 7484102
    Abstract: The present invention extends to methods, systems, and computer program products for securing audio-based access to application data. A client sends and a server receives a request for audio-based access to application data. The server sends a first audio challenge for a user credential in response to the request. The client receives the first audio challenge and sends a user credential. The server receives the user credential and sends a second audio challenge. The second audio challenge is configured to be understandable to a user of the client but difficult to recognize using automated voice recognition techniques. The client receives the second audio challenge and sends an additional portion of data responsive to the second audio challenge. The server receives the additional portion of data and calculates a client authorization based on the received user credential and received additional portion of data.
    Type: Grant
    Filed: September 7, 2004
    Date of Patent: January 27, 2009
    Assignee: Microsoft Corporation
    Inventors: Aleksandr Ingerman, Bruce Cordell Jones, Thomas W. Millett
  • Patent number: 7464409
    Abstract: A device for mitigating data flooding in a data communication network. The device can include a first module and a second module. The first module can identify flooding data transmitted from at least one offending host and intended for at least one threatened host. The second module can generate a data rate limit that is communicated to at least one of the plurality of edge nodes defining an entry node. The data rate limit can be based upon an observed rate of transmission of flooding data transmitted from the offending host to the entry node and a desired rate of transmission of flooding data transmitted to the threatened host from at least one other of the plurality of edge nodes defining an exit node.
    Type: Grant
    Filed: June 25, 2004
    Date of Patent: December 9, 2008
    Assignee: University of Florida Research Foundation, Inc.
    Inventor: Shigang Chen
  • Patent number: 7444516
    Abstract: A tamper-resistant certification device receives a certified digital time stamp from a trusted third party, resets a time function and produces a time stamp receipt in an on-line mode. The tamper-resistant certification device receives a digital file from a mobile computing device, and produces a certified digitally signed digital file including a copy of the digital file, time stamp receipt and temporal offset in an off-line mode to evidence the content of the digital file within a defined tolerance of a day and/or time. A processor may be portioned into tamper and non-tamper resistant portions.
    Type: Grant
    Filed: February 26, 2004
    Date of Patent: October 28, 2008
    Assignee: Intermec IP Corp.
    Inventor: Robert D. Buck
  • Patent number: 7437551
    Abstract: A system and method for retrieving certificate of trust information for a certificate validation process. Fetching servers periodically retrieve certificate revocation lists (CRLs) from servers maintained by various certificate issuers. The revoked certificate data included in the retrieved CRLs are stored in a central database. An authentication server receives a request from a client for access to a secure service and initiates a validation process. The authentication server retrieves revoked certificate data from the central database and compares the retrieved revoked certificate data to certificate of trust information received from the client along with the request. The authentication server denies access to the secure information if the certificate of trust information matches revoked certificate data from the central database, allows access if the certificate of trust information does not match revoked certificate data from the central database.
    Type: Grant
    Filed: April 2, 2004
    Date of Patent: October 14, 2008
    Assignee: Microsoft Corporation
    Inventors: Kok Wai Chan, Wei Jiang, Wei-Quiang Michael Guo
  • Patent number: 7395437
    Abstract: A system, method, computer program product, and data management service that allows any comparison operation to be applied on encrypted data, without first decrypting the operands. The encryption scheme of the invention allows equality and range queries as well as the aggregation operations of MAX, MIN, and COUNT. The GROUPBY and ORDERBY operations can also be directly applied. Query results produced using the invention are sound and complete, the invention is robust against cryptanalysis, and its security strictly relies on the choice of a private key. Order-preserving encryption allows standard database indexes to be built over encrypted tables. The invention can easily be integrated with existing systems.
    Type: Grant
    Filed: January 5, 2004
    Date of Patent: July 1, 2008
    Assignee: International Business Machines Corporation
    Inventors: Rakesh Agrawal, Gerald George Kiernan
  • Patent number: 7389541
    Abstract: A privacy protection system in which a user accesses via his/her personal computer (10) one or more web service providers (14, 16, 18) provides a trusted area (20) which includes storage memory (22) in which the user's profile is stored. The memory (22) is connected to a fake identity generator (24) designed to generate a plurality of fake user identities (26a to 26c) and to transmit these to the service providers (14 to 18). The trusted area (20) also includes a response analyzer (30) for analyzing the responses (28a to 28c) generated by the service providers (14 to 18). From the responses the response analyzer generates the correct response, or an approximation of the correct response, for the user's true identity. The system provides for obtaining personalized responses from service providers but without revealing the user's true identity.
    Type: Grant
    Filed: January 6, 2004
    Date of Patent: June 17, 2008
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Guoping Jia, Gavin Brebner
  • Patent number: 7386891
    Abstract: To render digital content encrypted according to a content key (KD) on a first device having a public key (PU1) and a corresponding private key (PR1), a digital license corresponding to the content is obtained, where the digital license includes the content key (KD) therein in an encrypted form. The encrypted content key (KD) from the digital license is decrypted to produce the content key (KD), and the public key (PU1) of the first device is obtained therefrom. The content key (KD) is then encrypted according to the public key (PU1) of the first device (PU1 (KD)), and a sub-license corresponding to and based on the obtained license is composed, where the sub-license includes (PU1 (KD)). The composed sub-license is then transferred to the first device.
    Type: Grant
    Filed: May 10, 2006
    Date of Patent: June 10, 2008
    Assignee: Microsoft Corporation
    Inventor: Marcus Peinado
  • Patent number: 7383581
    Abstract: A computer file may be scanned for suspicious words 18 occurring within suspicious contexts 20. Thus, messages embedded by malware authors within their malware may be detected. The detection of such embedded messages may be used to identify otherwise unknown items of malware or as a pre-filtering technique for controlling the use of further scanning techniques.
    Type: Grant
    Filed: June 8, 2006
    Date of Patent: June 3, 2008
    Assignee: McAfee, Inc.
    Inventors: Robert Edward Moore, Fraser Peter Howard, Lee Codel Tarbotton