Patents Examined by Cordelia Zecher
  • Patent number: 8176330
    Abstract: A tamper-resistant certification device receives a certified digital time stamp from a trusted third party, resets a time function and produces a time stamp receipt in an on-line mode. The tamper-resistant certification device receives a digital file from a mobile computing device, and produces a certified digitally signed digital file including a copy of the digital file, time stamp receipt and temporal offset in an off-line mode to evidence the content of the digital file within a defined tolerance of a day and/or time. A processor may be portioned into tamper and non-tamper resistant portions.
    Type: Grant
    Filed: December 4, 2009
    Date of Patent: May 8, 2012
    Assignee: Intermec IP Corp.
    Inventor: Robert D. Buck
  • Patent number: 8176560
    Abstract: According to one embodiment of the present invention, a method for evaluating a software system includes defining a rating of the tamper resistance of a software system and breaking down the rating into a plurality of metrics relevant to the tamper resistance of the software system. A score may then be calculated for each metric and the scores may be combined into a composite score for the rating.
    Type: Grant
    Filed: May 14, 2008
    Date of Patent: May 8, 2012
    Assignee: International Business Machines Corporation
    Inventors: Hongxia Jin, Ginger Marie Myles
  • Patent number: 8171538
    Abstract: Methods and systems authenticate and authorize an extranet client to a secure intranet business application with a perimeter network topology, where connections to the secure intranet business application from outside the secure intranet are not permitted. A perimeter network proxy is authenticated within the secure intranet. The perimeter network proxy corresponds to an authenticated extranet client. If the perimeter network proxy is authenticated, information on an intranet business application client is acquired and used to create a session with the intranet business application. The intranet business application client corresponds to the extranet client, and the extranet client uses the session to submit requests to the intranet business application.
    Type: Grant
    Filed: March 17, 2006
    Date of Patent: May 1, 2012
    Assignee: Microsoft Corporation
    Inventors: Ahmad M. El Husseini, Arif Kureshy, Dmitry Zhiyanov, Karl Tolgu
  • Patent number: 8166551
    Abstract: Systems, methods, media, and other embodiments associated with automated security management are described. One example system embodiment includes logic to collect, organize, and maintain data concerning electronic information resources, data concerning security criteria to which the electronic information resources may be subjected, and data concerning security risks to which the electronic information resources may be susceptible. The system may include logic to make an automated security management decision based on analyzing the data concerning the electronic information resources, the data concerning the security criteria, and the data concerning the security risks.
    Type: Grant
    Filed: July 17, 2007
    Date of Patent: April 24, 2012
    Assignee: Oracle International Corporation
    Inventor: Nigel King
  • Patent number: 8166552
    Abstract: An automated configuration management system (ACMS) oversees resources of a virtualized ecosystem by establishing a baseline configuration (including, e.g., security controls) for the resources; and, repeatedly, monitoring and collecting data from the resources, analyzing the data collected, making recommendations concerning configuration changes for the resources of the virtualized ecosystem based on the analysis, and either adopting and implementing the recommendations or not, wherein new states of the virtualized ecosystem and reactions to recommended changes are observed and applied in the form of new recommendations, and/or as adjustments to the baseline. The recommendations may be implemented automatically or only upon review by an administrator before being implemented or not.
    Type: Grant
    Filed: January 16, 2009
    Date of Patent: April 24, 2012
    Assignee: Hytrust, Inc.
    Inventors: Hemma Prafullchandra, Russell Weisz, Renata Budko, Eric Ming Chiu, Boris Belov
  • Patent number: 8161288
    Abstract: A user access security subsystem of a computer information database system utilizes computer grouping criteria and user type criteria to control user access to both computer profile data and system administrative features. Computer grouping criteria determine profile data access for the respective users. User type criteria determine which administrative features are accessible to the respective users, thus what administrative authority is delegated to the users. Combining computer grouping and user type criteria restricts a given user to exercising the delegated administrative authority only with respect to the particular grouping of computers to which the user has been granted access through the associated login group. To maintain access security, a given user may grant to another only those access rights that are equal to or more restrictive than the given user's rights. The subsystem enforces access restrictions by tailoring the user interface based on the associated login group and user type.
    Type: Grant
    Filed: May 28, 2004
    Date of Patent: April 17, 2012
    Assignee: Belarc, Inc.
    Inventors: Gary H. Newman, James W. Franklin
  • Patent number: 8145917
    Abstract: Securing the boot phase of a computing system implemented as a distributed architecture device can be performed by a system or method that uses hash functions and public key infrastructure (PKI) to verify the authenticity of modular subsystems. The modular subsystems can verify each other's authenticity, and can prevent unauthorized components from being inserted into the system when the system is without power.
    Type: Grant
    Filed: December 29, 2006
    Date of Patent: March 27, 2012
    Assignee: Nokia Corporation
    Inventor: Heikki Waris
  • Patent number: 8122502
    Abstract: The presence of an installation on a data processing system may be detected by providing a signature that includes m files having paths associated therewith, respectively. A number n files on the data processing system are determined that match files in the signature and a files found ratio given by n/m is determined. A transformation is applied to the signature by replacing at least a portion of at least one of the paths with a new path. Then, a distance is determined between the n files on the data processing system and the m signature files. The distance corresponds to a sum of a number of path segments associated with the m signature files that cannot be matched to a corresponding path segment associated with files on the data processing system. The presence of the installation on the data processing system is determined based on the files found ratio and the distance.
    Type: Grant
    Filed: June 20, 2008
    Date of Patent: February 21, 2012
    Assignee: International Business Machines Corporation
    Inventors: Melanie Gurda, James S. Jennings, Lenore Ramm
  • Patent number: 8087086
    Abstract: A method for mitigating false-positives as detected by antivirus software comprising accessing an operating system file that has been identified as malware; creating a signature for the operating system file; comparing the created signature to a signature database; and, if the created signature is not found in the signature database, defining the operating system file as malware. An operating system file, as used herein, is any file included as a part of the operating system binary executable file set, as well as any files added from third party vendors that integrate with or plug into the operating system.
    Type: Grant
    Filed: June 30, 2008
    Date of Patent: December 27, 2011
    Assignee: Symantec Corporation
    Inventors: Everett Lai, Patrick Gardner, John Meade
  • Patent number: 8085934
    Abstract: Apparatus having corresponding methods and computer programs comprise: a key input module to receive a first cryptographic key; and a reverse key expansion module to generate a second cryptographic key based on the first cryptographic key, wherein each of the first cryptographic key and the second cryptographic key comprises a plurality of words, and wherein the reverse key expansion module comprises a first word module to generate the first word of the second cryptographic key based on the first word of the first cryptographic key and the last two words of the first cryptographic key, and a remaining word module to generate the remaining words of the second cryptographic key, the remaining word module comprising at least one word module to generate a word of the second cryptographic key based on the corresponding word, and the immediately previous word, of the first cryptographic key.
    Type: Grant
    Filed: July 8, 2008
    Date of Patent: December 27, 2011
    Assignee: Marvell International Ltd.
    Inventor: Pranab Bhooma
  • Patent number: 8041039
    Abstract: A secret communications system realizes point-to-multipoint or multipoint-to-multipoint connections of both quantum channels and classical channels. Multiple remote nodes are individually connected to a center node through optical fiber, and random-number strings K1 to KN are individually generated and shared between the respective remote nodes and the center node. Encrypted communication is performed between each remote node and the center node by using the corresponding one of the shared random-number strings K1 to KN as a cryptographic key. The center node is provided with a switch section for quantum channels and a switch section for classical channels. Switching control on each of these switch sections is performed independently of the other by a controller.
    Type: Grant
    Filed: April 19, 2007
    Date of Patent: October 18, 2011
    Assignee: NEC Corporation
    Inventors: Akio Tajima, Akihiro Tanaka, Wakako Maeda, Seigo Takahashi
  • Patent number: 8042183
    Abstract: Disclosed is a method and apparatus for detecting prefix hijacking attacks. A source node is separated from a destination network at a first time via an original path. The destination network is associated with a prefix. At a second time, a packet is transmitted from the source node to the destination network to determine a current path between the source node and the destination network. A packet is also transmitted from the source node to a reference node to determine a reference node path. The reference node is located along the original path and is associated with a prefix different than the prefix associated with the destination network. The current path and the reference node path are then compared, and a prefix hijacking attack is detected when the reference node path is not a sub-path of the current path.
    Type: Grant
    Filed: July 18, 2007
    Date of Patent: October 18, 2011
    Assignee: AT&T Intellectual Property II, L.P.
    Inventors: Lusheng Ji, Dan Pei, Jia Wang
  • Patent number: 8037319
    Abstract: The payload of a set of storage devices is encrypted using a payload key that is stored within the set of storage devices itself. However, the payload key is obtainable only if a user has access to n of the storage devices. A first set of keys can be distributed among a set of n storage devices, such that each key is usable to encrypt and/or decrypt a key stored on a different one of the n storage devices. The first set of keys is usable to encrypt portions of the information needed to regenerate another key (e.g., the payload key or a key used to encrypt the payload key). A different portion of the information needed to regenerate the other key is stored on each of the n storage devices. Accordingly, the other key cannot be obtained unless the user has access to all n storage devices.
    Type: Grant
    Filed: June 30, 2006
    Date of Patent: October 11, 2011
    Assignee: Symantec Operating Corporation
    Inventor: Thomas G. Clifford
  • Patent number: 8032751
    Abstract: A method is provided to handle an electronic mail message such that the receiver of the e-mail message can verify the integrity of the message. A request is provided from a sender's side to a service. The request includes information regarding the e-mail message. The service processes at least a portion of the request to generate a result. For example, the service may encrypt the portion of the request, according to a public/private key encryption scheme, to generate a digital signature as the result. The service provides the result to the sender's side. At the sender's side, the result is incorporated into the e-mail message and the result-incorporated message is transmitted via an e-mail system. At the receiver's side, the result-incorporated e-mail message is processed to assess the integrity of the received e-mail message.
    Type: Grant
    Filed: December 7, 2009
    Date of Patent: October 4, 2011
    Assignee: First Information Systems, LLC
    Inventors: Peter S. Avritch, Bruce M. Clay, James R. Du Molin
  • Patent number: 8032920
    Abstract: Methods, systems, and machine-readable mediums are disclosed for policy enforcement. In one embodiment, the method comprises receiving a communication and executing a workflow to apply one or more policies to the communication. The workflow includes a logical combination of one or more conditions to be satisfied and one or more actions to be executed to enforce the one or more policies on the communication.
    Type: Grant
    Filed: December 27, 2004
    Date of Patent: October 4, 2011
    Assignee: Oracle International Corporation
    Inventor: Stephane H. Maes
  • Patent number: 8024805
    Abstract: A policy verification method in an information processing system for verifying whether the policy rule operates correctly. The method verifies the policy in an information processing system including at least one component, using policies describing a series of system management operations to be performed when an event occurs, and automatically executing system management operations according to the policies when the event occurs. The method acquires configuration information on the component constituting the information processing system. The method acquires all the events that may occur in the information processing system from an event list stored in advance and the configuration information acquired, and generates them as a test item. The method executes the test item generated and verifies the propriety of the policy according to the result of the system management operations executed by the policy.
    Type: Grant
    Filed: September 1, 2004
    Date of Patent: September 20, 2011
    Assignee: Hitachi, Ltd.
    Inventors: Yoshimasa Masuoka, Naoki Utsunomiya
  • Patent number: 8020003
    Abstract: Systems and methods can automatically generate and process signature files for an electronic signature list. Data records can be periodically searched for signature-relevant status changes. A multiplicity of documents in paper form can be provided. Each document can contain a predefined blank region for receiving a personal signature and also control information items assigned to the signature. The multiplicity of documents that have received the personal signatures can be scanned-in in a batch processing operation. At least one signature containing the personal signature in electronically processable form and a representation of the assigned control information items file can be generated for each document. The assigned control information items of each document can be independent of their corresponding personal signature in its electronically processable form. The signature files can be dispatched via a communications network controlled by the control information items.
    Type: Grant
    Filed: January 21, 2010
    Date of Patent: September 13, 2011
    Assignee: UBS AG
    Inventor: Hans-Peter Fischer
  • Patent number: 8005214
    Abstract: A cipher key is generated by first information shared in secret between a data transmitting unit 10 and a data receiving unit 20, second information derived from duplication control information of transmit data and third information which is time change information shared between the data transmitting unit and the data receiving unit to cipher data by a CPU 12 by using the above-mentioned cipher key to transmit, from the data transmitting unit 10 to the data receiving unit 20, transmit data in which the duplication control information and the time change information are added to the ciphered data.
    Type: Grant
    Filed: September 4, 2009
    Date of Patent: August 23, 2011
    Assignee: Sony Corporation
    Inventors: Tomoyuki Asano, Yoshitomo Osawa, Teruyoshi Komuro, Ryuji Ishiguro
  • Patent number: 8006084
    Abstract: An apparatus and method for managing a plurality of certificates are provided. The apparatus for managing a plurality of certificates includes a plurality of certificates, a certificate search table, a low-performance file system, and a verification module. The certificate search table includes information about the plurality of certificates. The low-performance file system extracts a corresponding certificate from among the plurality of certificates that are received from a host device, with reference to the certificate search table based on a root certificate authority ID and information about a public key of a certificate of a certificate authority that issued the host device certificate. The verification module uses the extracted certificate to verify the host device certificate.
    Type: Grant
    Filed: November 17, 2006
    Date of Patent: August 23, 2011
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Yun-sang Oh, Sang-gyoo Sim, Suk-bong Lee, Kyung-im Jung
  • Patent number: 8000476
    Abstract: A method of enciphering data which is applicable to cipher-transmission of digital information data, in which the HD-SDI signal DHS is subjected to enciphering process using common key data DEY which is common to encipherment and decipherment to produce enciphered HD-SDI signal DHSE, the common key data DEY are subjected to enciphering process using open key data DOY to produce enciphered common key data DXY, and the enciphered HD-SDI signal DHSE accompanied with the enciphered common key data DXY are sent to be transmitted, so that such a fear that the common key data DEY are eavesdropped on the transmission thereof can be effectively reduced.
    Type: Grant
    Filed: May 7, 2003
    Date of Patent: August 16, 2011
    Assignee: Sony Corporation
    Inventors: Tsutomu Shimosato, Yujiro Ito