Patents Examined by Daniel Hoang
  • Patent number: 8739255
    Abstract: A domain controller hierarchy includes one or more hub domain controllers in communication with one or more local domain controllers, such as local domain controllers at a branch office. The hub domain controller(s) is writable, while the local domain controller(s) is typically read-only. Non-secure and secure information is partitioned to specific local domain controllers at the one or more hub domain controllers. The non-secure and secure information is then passed from the hub domain controller only to the local domain controller associated with the given partition at the hub domain controller on request. For example, a user requests a logon at a client computer system at a local branch office, and the logon is passed from the local domain controller to the hub domain controller. If authenticated, the user logon account is passed to the local domain controller, where it can be cached to authenticate subsequent requests.
    Type: Grant
    Filed: September 14, 2012
    Date of Patent: May 27, 2014
    Assignee: Microsoft Corporation
    Inventors: Gregory C. Johnson, William Birkin Lees, William S. Jack, III, Nathan Daniel Muggli
  • Patent number: 8707419
    Abstract: The present invention provides a system, method and apparatus for protecting against high volume attacks. The present invention receives a packet, determines a source of the received packet, and updates a tree-based data structure based on the source of the received packet. The received packet is accepted or passed on whenever one or more statistics stored within the tree-based data structure do not exceed a threshold. The received packet is dropped whenever the one or more statistics exceed the threshold. The present invention can be implemented in hardware, software or a combination thereof. The software will implement the steps as one or more code segments of a computer program embodied on a computer readable medium.
    Type: Grant
    Filed: June 27, 2007
    Date of Patent: April 22, 2014
    Assignee: Avaya Inc.
    Inventors: Srikrishna Kurapati, Sachin Purushottam Joglekar, Krishna Sobhan Bhaskar Kokkiligadda, Mukesh Kumar Singh, Samrat Saha
  • Patent number: 8707030
    Abstract: Providing path validation information for a system includes determining paths between a subset of certificates of the system and at least one trust root, storing each of the paths in a table prior to a request for path validation information, and fetching the validation information stored in the table in response to a request for path validation information. Providing path validation information may also include digitally signing the validation information. Providing path validation information may also include applying constraints to the validation information and only providing validation information that is consistent with the constraints. Determining paths may include constructing a directed graph of trusted roots and the subset of certificates and performing a depth-first acyclic search of the graph.
    Type: Grant
    Filed: November 19, 2004
    Date of Patent: April 22, 2014
    Assignee: CoreStreet, Ltd.
    Inventor: David Engberg
  • Patent number: 8695098
    Abstract: Method to detect security vulnerabilities includes: interacting with a web application during its execution to identify a web page exposed by the web application; statically analyzing the web page to identify a parameter within the web page that is constrained by a client-side validation measure and that is to be sent to the web application; determining a server-side validation measure to be applied to the parameter in view of the constraint placed upon the parameter by the client-side validation measure; statically analyzing the web application to identify a location within the web application where the parameter is input into the web application; determining whether the parameter is constrained by the server-side validation measure prior to the parameter being used in a security-sensitive operation; and identifying the parameter as a security vulnerability.
    Type: Grant
    Filed: June 30, 2011
    Date of Patent: April 8, 2014
    Assignee: International Business Machines Corporation
    Inventors: Marco Pistoia, Ori Segal, Omer Tripp
  • Patent number: 8675865
    Abstract: A method and apparatus for a high-bandwidth stream cipher. In one embodiment of the invention, the stream cipher has an output function that receives secret state bits from a block cipher and generates an encryption mask. In one embodiment of the invention, the encryption mask has a lesser or smaller number of bits than the secret state bits. The stream cipher uses the encryption mask to encrypt a video data stream to generate an encrypted video data stream.
    Type: Grant
    Filed: September 24, 2010
    Date of Patent: March 18, 2014
    Assignee: Intel Corporation
    Inventor: Gary L. Graunke
  • Patent number: 8661518
    Abstract: Embodiments of an N-Port ID virtualization (NPIV) proxy module, NPIV proxy switching system, and methods are generally described herein. Other embodiments may be described and claimed. In some embodiments, login requests are distributed over a plurality of available N-ports to allow servers to be functionally coupled to F-ports of a plurality of fiber-channel (FC) switches. Fiber-channel identifiers (FCIDs) are assigned to the servers in response to the logon requests to provide single end-host operations for each of the servers.
    Type: Grant
    Filed: June 13, 2007
    Date of Patent: February 25, 2014
    Assignee: Cisco Technology, Inc.
    Inventors: Krishna Doddapaneni, Chaitanya Kodeboyina, J.R. Rivers, Pauline Shuen
  • Patent number: 8656503
    Abstract: Security language constructs may be translated into logic language constructs and vice versa. Logic resolution may be effected using, for example, the logic language constructs. In an example implementation, translation of a security language assertion into at least one logic language rule is described. In another example implementation, translation of a proof graph reflecting a logic language into a proof graph reflecting a security language is described. In yet another example implementation, evaluation of a logic language program using a deterministic algorithm is described.
    Type: Grant
    Filed: September 11, 2006
    Date of Patent: February 18, 2014
    Assignee: Microsoft Corporation
    Inventors: Moritz Y. Becker, Blair B. Dillaway, Cedric Fournet, Andrew D. Gordon, Jason F. Mackay
  • Patent number: 8650625
    Abstract: A method and system for securely logging onto a banking system authentication server so that a user credential never appears in the clear during interaction with the system in which a user's credential is DES encrypted, and the DES key is PKI encrypted with the public key of an application server by an encryption applet before being transmitted to the application server. Within the HSM of the application server, the HSM decrypts and re-encrypts the credential under a new DES key known to the authentication server, the re-encrypted credential is forwarded to the authentication server, decrypted with the new DES key known to the authentication server, and verified by the authentication server.
    Type: Grant
    Filed: September 21, 2012
    Date of Patent: February 11, 2014
    Assignee: Citibank Development Center, Inc.
    Inventors: Michael Grandcolas, Marc Guzman, Thomas Yee, Dilip Parekh, Yongqiang Chen
  • Patent number: 8650405
    Abstract: An improved PIN-based authentication technique for authenticating the user of a client machine to a server automatically generates a personal identification number (PIN) for the user based on user-specific authentication information, such as encrypted cookie information. The server provides user-specific authentication information to a client machine. When the user submits an authentication request, user-specific authentication information is collected and uploaded to the server. The user-specific authentication information is processed to form a PIN, and authentication of the user proceeds based on the PIN and any other authentication factors provided. Since the disclosed techniques compute PINs automatically based on information exchanged between a client machine and a server, the user is relieved of any burden associated with registering and remembering a PIN.
    Type: Grant
    Filed: June 30, 2011
    Date of Patent: February 11, 2014
    Assignee: EMC Corporation
    Inventors: Yedidya Dotan, Lawrence N. Friedman, Oleg Freylafert, Robert S. Philpott, Daniel Schiappa
  • Patent number: 8627084
    Abstract: A system is provided that uses cryptographic techniques to support secure messaging between senders and recipients. A sender may encrypt a message for a recipient using the recipient's public key. The sender may send the encrypted message to the message address of a given recipient. A server may be used to decrypt the encrypted message for the recipient, so that the recipient need not install a decryption engine on the recipient's equipment.
    Type: Grant
    Filed: October 23, 2012
    Date of Patent: January 7, 2014
    Assignee: Voltage Security, Inc.
    Inventors: Matthew J. Pauker, Terence Spies, Rishi Kacker, Guido Appenzeller
  • Patent number: 8607310
    Abstract: An association between a system's in-band identification credentials with out-of-band identification credentials may arise by making a universal serial bus device emulation in the form of either a virtual mass storage device or a virtual network adaptor. In the case of the former, a machine readable name is decoded to determine which KVM port a target device is connected to. Such can be used to associate a system's known in-band identification credentials with decoded out-of-band identification credentials from the virtual mass storage device. In the case of the latter, the target may be searched and queried through an out-of-band path to ascertain in-band identification credentials.
    Type: Grant
    Filed: April 17, 2006
    Date of Patent: December 10, 2013
    Assignee: Raritan Americas, Inc.
    Inventors: Jayson T. Holovacs, Neil S. Weinstock, Siva Somasundaram
  • Patent number: 8589679
    Abstract: Identifier-based signcryption methods and apparatus are disclosed both for signing and encrypting data, and for decrypting and verifying data. The signcryption methods use computable bilinear mappings and can be based, for example, on Weil or Tate pairings. A message sender associated with a first trusted authority carries out integrated signing/encryption processes to send a signed, encrypted message to an intended recipient associated with a second trusted authority. The recipient then carries out integrated decryption/verification processes to recover the original message and verify its origin.
    Type: Grant
    Filed: July 14, 2005
    Date of Patent: November 19, 2013
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Liqun Chen, Keith Alexander Harrison, John Malone-Lee
  • Patent number: 8582769
    Abstract: Systems and methods to communicate securely include communicating quantum encryption data on a first wavelength-division multiplexing passive optical network (WDM-PON); and communicating data over separate classical channels of a second WDM-PON, wherein the second WDM-PON synchronizes with the first WDM-PON while providing data communication over the classical channels.
    Type: Grant
    Filed: July 30, 2010
    Date of Patent: November 12, 2013
    Assignee: NEC Laboratories America, Inc.
    Inventors: Yi Zhao, Martin Roetteler, Lei Xu, Ting Wang
  • Patent number: 8578449
    Abstract: A domain controller hierarchy includes one or more hub domain controllers in communication with one or more local domain controllers, such as local domain controllers at a branch office. The hub domain controller(s) is writable, while the local domain controller(s) is typically read-only. Non-secure and secure information is partitioned to specific local domain controllers at the one or more hub domain controllers. The non-secure and secure information is then passed from the hub domain controller only to the local domain controller associated with the given partition at the hub domain controller on request. For example, a user requests a logon at a client computer system at a local branch office, and the logon is passed from the local domain controller to the hub domain controller. If authenticated, the user logon account is passed to the local domain controller, where it can be cached to authenticate subsequent requests.
    Type: Grant
    Filed: September 30, 2005
    Date of Patent: November 5, 2013
    Assignee: Microsoft Corporation
    Inventors: Gregory C. Johnson, Nathan Daniel Muggli, William Birkin Lees, William S. Jack, III
  • Patent number: 8561168
    Abstract: Configuration tasks needed to form a wireless LAN are performed using a simple method while increasing security during configuration. In a wireless network configuration system GH1 including an encryption key setting system LH1, where an access point 20 determines after the power thereto is turned ON that configuration for connection to a wireless LAN has not yet been carried out, the access point 20 activates a restricted receiving mode in which only an initial configuration packet is accepted. A terminal 50 that has sent an initial configuration packet and the access point 20 that has received such initial configuration packet while the restricted receiving mode is active each create an identical WEP key with reference to the data on a CD-ROM 51 or the data in a ROM 12, respectively, and set and register the created WEP key in itself.
    Type: Grant
    Filed: November 22, 2011
    Date of Patent: October 15, 2013
    Assignee: Buffalo Inc.
    Inventor: Takashi Ishidoshiro
  • Patent number: 8539554
    Abstract: Disclosed is a technique capable of proper execution of access control based on various security policies set by a home user with regard to a packet sent from a visitor node. According to the technique, a MR (Mobile Router) 10 which manages a mobile PAN 30 determines whether a sender of a packet from a communication terminal connected to the mobile PAN is a home user's node which is allowed direct access into a home network or a visitor node (VN 31), and forwards the packet from the home user's node to an HA 20 while forwarding the packet from the visitor node to a policy server 36 located in a DMZ 35. This allows the policy server to perform access control on every packet from a visitor node which attempts to gain access into the home network based on a security policy 36a.
    Type: Grant
    Filed: December 26, 2006
    Date of Patent: September 17, 2013
    Assignee: Panasonic Corporation
    Inventors: Jun Hirano, Keigo Aso, Chun Keong Benjamin Lim, Chan Wah Ng, Tien Ming Benjamin Koh, Pek Yew Tan
  • Patent number: 8528094
    Abstract: A system, method and apparatus for associating data is presented. An association system generally includes a vulnerability information system, user identification system and association tool. The vulnerability information system performs a scan of client devices to identify vulnerable devices. The vulnerability information is transmitted to the association tool where it is cross referenced with user identification information received from the user identification system. The association tool identifies the user associated with the vulnerable devices and this information may be stored to generate historical trend information. In addition, the information may be displayed graphically or may be used to generate reports and identify metrics that can be monitored in order to improve reliability, efficiency and the like.
    Type: Grant
    Filed: December 14, 2007
    Date of Patent: September 3, 2013
    Assignee: Bank of America Corporation
    Inventors: Jimmy La Grenade, Ajay Barve, Casey A. Harris
  • Patent number: 8490163
    Abstract: A system, method, and computer program product enforce a universal security policy across several systems. In one embodiment, the system comprises a translation module that translates the universal security policy into local security rules enforceable by the security components of the several systems. The system also comprises a policy pushing module that transmits the translated local security rules to each of the several systems. Further, the system can include an analysis module for detecting local security rules in the several systems that are inconsistent with the universal security policy.
    Type: Grant
    Filed: September 8, 2006
    Date of Patent: July 16, 2013
    Assignee: IntApp, Inc.
    Inventors: Dan Harsell, Jeff Armbrecht
  • Patent number: 8479262
    Abstract: Various embodiments pertain to managing electronic devices using an electronic device as a root of trust. According to one embodiment, registration information for an electronic device 150 is received 220. The registration information identifies the electronic device 150 and an environment 130 that the electronic device 150 is trusted in. The electronic device 150 is specified 230 as a root of trust device 150 for the trusted environment 130 based on the registration information. The root of trust device 150 is specified 240 as the root of trust for a new electronic device 170 based on new information that identifies the root of trust device 150 and identifies the new electronic device 170. The new electronic device 170 is managed 250 using the root of trust device 150 without requiring the user of the root of trust device 150 and the new electronic device 170 to configure any electronic devices.
    Type: Grant
    Filed: October 31, 2008
    Date of Patent: July 2, 2013
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Osvaldo Diaz, Mamoun Abu-Samaha
  • Patent number: 8477940
    Abstract: A device uses a user authentication factor to generate a symmetric key for use in symmetric cryptography. The user authentication factor is encrypted and stored for authentication during decryption.
    Type: Grant
    Filed: July 15, 2005
    Date of Patent: July 2, 2013
    Assignee: Tyfone, Inc.
    Inventors: Siva G. Narendra, Prabhakar Tadepalli, Thomas N. Spitzer