Patents Examined by Daniel Potratz
  • Patent number: 8978138
    Abstract: The present invention provides a technique for validating TCP communication between a client requesting resources and a server providing requested resources to protect the specified server from a denial of service attack wherein a plurality of clients initiate communication with a server, but do not complete the communication for the purpose of denying service to the server from other legitimate clients. Through systematic transmission regulation of TCP packets, an intermediary apparatus or set of apparatuses can, to a high degree of certainty, validate client connections to protect the server from this saturated condition. The communication is then reproduced by the apparatus or apparatuses.
    Type: Grant
    Filed: March 15, 2013
    Date of Patent: March 10, 2015
    Inventor: Mehdi Mahvi
  • Patent number: 8959350
    Abstract: In general, the invention relates to a method for performing a command on a token. The method includes receiving a first command authentication message digest (CAMD), a command, and scrambled data from a sender, and making a first determination that the sender is allowed to send commands to the token. The method further includes, based on the first determination, generating a second CAMD on the token using the command, the scrambled data, and an Administrative Command Authentication Secret (ACAS), making a second determination that the first CAMD and the second CAMD match, and based on the second determination, performing the command by the token.
    Type: Grant
    Filed: March 25, 2010
    Date of Patent: February 17, 2015
    Assignee: PACid Technologies, LLC
    Inventor: Guy Fielder
  • Patent number: 8948401
    Abstract: Disclosed is a method of registering only an authorized optical network terminal among a plurality of optical network terminals with the same serial number, in an optical line terminal, using a public key encryption algorithm, in a Gigabit Passive Optical Network (GPON). According to an exemplary aspect, a GPON system encrypts a physical layer OAM message transmitted/received for serial number registration of an optical network terminal, using a key distributed according to a public key encryption algorithm, and authenticates registration of the optical network terminal using the encrypted physical layer OAM message. Accordingly, it is possible to securely authenticate registration of an authorized optical network terminal and block registration of unauthorized optical network terminals.
    Type: Grant
    Filed: July 16, 2009
    Date of Patent: February 3, 2015
    Assignee: Electronics and Telecommunications Research Institute
    Inventors: Kwang-ok Kim, Geun-yong Kim, Dong-soo Lee
  • Patent number: 8948394
    Abstract: Method and apparatus for distribution and synchronization of cryptographic context information is described. An aspect of the invention relates to synchronizing an encryptor and key management logic in a video distribution system. A request message is received from the encryptor. The request message includes authentication data and stream-dependent parameters associated with an internet protocol (IP) packet stream to be encrypted. Authenticity of the encryptor is verified using the authentication data. A cryptographic context for the IP packet stream is generated having the stream-dependent parameters and at least one encryption key. A reply message is sent to the encryptor having the at least one encryption key. Key stream messages having the cryptographic context are distributed towards user devices. The user devices are receiving an encrypted version of the IP packet stream generated by the encryptor.
    Type: Grant
    Filed: February 28, 2007
    Date of Patent: February 3, 2015
    Assignee: Google Technology Holdings LLC
    Inventor: Kuang M. Chen
  • Patent number: 8942372
    Abstract: The invention relates to a method for identifying an object comprising at least one object identifier with an object code that is used to verify the authenticity of the object.
    Type: Grant
    Filed: May 19, 2009
    Date of Patent: January 27, 2015
    Assignee: SecureCode Ltd
    Inventors: Markus Kaulartz, Oliver Reiser, Michael Zich, Simon Bauer, Daniel Kobsdaj
  • Patent number: 8938075
    Abstract: Devices are provided with secret information to indicate which other devices are eligible to establish communication sessions. Information leaks about the eligibility of devices are prevented when no communication sessions are established. Each device makes a set of preference information items publicly available. Each preference information item selects an eligible device in a cloaked way. Each protected information item contains protected information such as an encrypted random number that can be decrypted only by the eligible device. When a request to establish a communication is processed by a first and second device, the first and second device indicate which of their preference information items should be used. The devices then each attempt to decrypt the protected information from the other one's indicated preference information item and each combines the result with the protected information used to make the preference information item that it indicated to the other.
    Type: Grant
    Filed: February 24, 2010
    Date of Patent: January 20, 2015
    Assignee: Nederlandse Organisatie voor toegepast-natuurwetenschappelijk Onderzoek TNO
    Inventor: Peter Joannes Mathias Veugen
  • Patent number: 8935537
    Abstract: A storage device partitions data from a host into multiple partitioned data and distributes, encrypts and stores them together with a parity in multiple memory mediums. This storage device executes processing of restoring the partitioned data or the parity stored in a memory medium subjectable to encryption re-key based on decrypted data of the partitioned data or the parity stored in each memory medium other than the memory medium subjectable to encryption re-key among the multiple memory mediums, storing the restored partitioned data or the parity in a backup memory medium while encrypting the restored partitioned data or the parity with a new encryption key, and thereafter interchanging the backup memory medium and the memory medium subjectable to encryption re-key so that the backup memory medium will be a memory medium configuring the parity group and the memory medium subjectable to encryption re-key will be the backup memory medium.
    Type: Grant
    Filed: December 12, 2012
    Date of Patent: January 13, 2015
    Assignee: Hitachi, Ltd.
    Inventors: Hirotaka Nakagawa, Masayasu Asano, Takeki Okamoto, Nobuyuki Osaki
  • Patent number: 8875271
    Abstract: Mechanisms are disclosed that allow for execution of unsigned content and the securing of resources in a closed system when such unsigned content is executing on the system. For example, an access layer is used between an operating system layer of the closed system and the actual unsigned content. This access layer may contain various sub-layers, such as a graphics layer, an audio layer, an input layer, and a storage layer. These layers can control access that the unsigned content can have to the native operating system layers and the associated resources of the closed system. By providing such an access layer, unsigned content, e.g., video games, can run on the closed system that is typically designed to run only signed content.
    Type: Grant
    Filed: December 8, 2006
    Date of Patent: October 28, 2014
    Assignee: Microsoft Corporation
    Inventors: Ronnie Donnel Yates, Jr., Albert Sing Ho, Thomas Wayne Miller, Jr., Paul L. Bleisch
  • Patent number: 8856900
    Abstract: The disclosure relates to a method and a system for authorising a connection between a computer terminal and a source server, including an initialization phase wherein: the terminal connects to a gateway server, the gateway server sends a secret key to the terminal, the terminal hides the password in a data file by applying an encryption algorithm bootstrapped by the secret key, then deletes the secret key and the password, and a connection phase wherein: the terminal sends the data file containing the password to the gateway server, the gateway server extracts the file's password by executing a reverse encryption algorithm bootstrapped by the secret key, and sends the password to the source server without saving it, the source server analyzes the received password and authorizes the connection with the terminal if the password is authenticated.
    Type: Grant
    Filed: April 15, 2010
    Date of Patent: October 7, 2014
    Assignee: Synchronoss Technologies France
    Inventor: François Colon
  • Patent number: 8856942
    Abstract: A method and system are disclosed for preventing rendering of content at overlapping time periods on more rendering devices than permitted by a license associated with the content.
    Type: Grant
    Filed: June 19, 2012
    Date of Patent: October 7, 2014
    Assignee: Cisco Technology Inc
    Inventor: Yaacov Belenky
  • Patent number: 8850594
    Abstract: A certification is received from a user stating that captured content does not comprise a particular restricted element and a request from the user for an adjustment of a digital rights management rule identified for the captured content based on the captured content comprising the particular restricted element. At least one term of the digital rights management rule is adjusted to reflect that the captured content does not comprise the particular restricted element. The usage of the captured content by the user is monitored to determine whether the usage matches the certification statement.
    Type: Grant
    Filed: March 23, 2012
    Date of Patent: September 30, 2014
    Assignee: International Business Machines Corporation
    Inventors: Thomas A. Bellwood, Gabriel A Cohen, Travis M. Grigsby, Michael A. Paolini
  • Patent number: 8819423
    Abstract: An optical receiver comprising at least one processor and a memory including at least one of an encryption key or a decryption key and at least one of encryption microcode or decryption microcode that includes processor-executable instructions that, when executed by the at least one processor, cause the optical transceiver to perform the following: an act of performing an encryption or decryption operation on data received from a host computing system to thereby authenticate the optical transceiver.
    Type: Grant
    Filed: November 26, 2008
    Date of Patent: August 26, 2014
    Assignee: Finisar Corporation
    Inventors: Luke M. Ekkizogloy, Gerald L. Dybsetter, Jason Y. Miao
  • Patent number: 8817990
    Abstract: A media-independent handover key management architecture is disclosed that uses Kerberos for secure key distribution among a server, an authenticator, and a mobile node. In the preferred embodiments, signaling for key distribution is based on re-keying and is decoupled from re-authentication that requires EAP (Extensible Authentication Protocol) and AAA (Authentication, Authorization and Accounting) signaling similar to initial network access authentication. In this framework, the mobile node is able to obtain master session keys required for dynamically establishing the security associations with a set of authenticators without communicating with them before handover. By separating re-key operation from re-authentication, the proposed architecture is more optimized for a proactive mode of operation. It can also be optimized for reactive mode of operation by reversing the key distribution roles between the mobile node and the target access node.
    Type: Grant
    Filed: January 10, 2008
    Date of Patent: August 26, 2014
    Assignees: Toshiba America Research, Inc., Telcordia Technologies, Inc.
    Inventor: Yoshihiro Oba
  • Patent number: 8788830
    Abstract: A method and apparatus for logging based identification are described. In one embodiment, the method comprises extracting entries of a hash chained log that represents a series of previous transactions. The method may also comprise ordering hash values of the entries extracted from the hash chained log into an ordered list. In one embodiment, the method may further comprise producing a cryptographic hash of the ordered list.
    Type: Grant
    Filed: October 2, 2008
    Date of Patent: July 22, 2014
    Assignee: Ricoh Co., Ltd.
    Inventor: Kurt Piersol
  • Patent number: 8782807
    Abstract: A code authentication architecture is used to sign code by adding one or more digital signatures to it. The digital signatures identify what authority signed the code, what the code contains, what type of program the code is, or other identifying information. When the signed code is later executed on a computer system, its identity is obtained by accessing encrypted information of the code stored on disk. The architecture then determines whether the identity satisfies at least one requirement imposed on the code for some purpose. If the code has been altered from when it was signed or it fails to satisfy a requirement imposed, the code will not have a valid identity. In addition to verifying the identity of the code, the architecture also validates executing code immediately responsible for managing the code and additional executing code in a chain of hosts responsible for managing one another.
    Type: Grant
    Filed: February 4, 2013
    Date of Patent: July 15, 2014
    Assignee: Apple Inc.
    Inventor: Peter Kiehtreiber
  • Patent number: 8775799
    Abstract: Provided is an apparatus and method of securely moving security data. An apparatus for securely moving security data stored in a first apparatus to a second apparatus includes a status setting unit which sets status information of the security data to a disabled state; a data providing unit which creates a copy of the security data and determines whether the created copy can be transmitted to the second apparatus; and a data deleting unit which deletes the security data when the copy is completely transmitted.
    Type: Grant
    Filed: April 25, 2007
    Date of Patent: July 8, 2014
    Assignee: Samsung Electronics Co., Ltd.
    Inventor: Ji-soo Kim
  • Patent number: 8762714
    Abstract: An optical transceiver module is authenticated in a host system. A host generates a data string and writes the data string to a first predetermined memory location known to the transceiver. The data string is cryptographically altered (either encrypted or decrypted) by the transceiver and written to a second predetermined memory location known to the host. The host retrieves the cryptographically altered data string and performs a complementary cryptographic operation (either a decryption or encryption, respectively) thereon, creating a resulting data string. If the resulting data string is equal to the data string written to the first predetermined memory location, the transceiver is authenticated. The host and the transceiver may switch roles, with the transceiver generating the data string, the host cryptographically altering it, and so on. The host encrypts data strings when the transceiver decrypts data strings, and vice versa.
    Type: Grant
    Filed: April 24, 2007
    Date of Patent: June 24, 2014
    Assignee: Finisar Corporation
    Inventor: John Hsieh
  • Patent number: 8726399
    Abstract: A trusted apparatus including an input filter and a security mode indicator working with a proxy node thwarts the possibility of spyware being able to observe user input when a security mode signal indicates security mode asserted. The trusted apparatus may further include any combination of the user input device, the proxy node, and a router. A personal computing device may include the trusted apparatus. The proxy node may include the router. The proxy node operates to create an authentic response based upon the authentic input from the input filter, and may be operated to create revenue, which is also a product of these processes.
    Type: Grant
    Filed: February 7, 2012
    Date of Patent: May 13, 2014
    Inventors: Kobi O. Eshun, Donald W. Mahurin
  • Patent number: 8650651
    Abstract: A system and method for automated security testing are disclosed. The disclosure provides for automated discovery of security vulnerabilities through the monitoring of activities that occur throughout the separate components of a computing platform during a testing session through a communications interface.
    Type: Grant
    Filed: February 8, 2008
    Date of Patent: February 11, 2014
    Assignee: International Business Machines Corporation
    Inventors: Guy Podjarny, Ory Segal
  • Patent number: 8607335
    Abstract: An improved Internet File Safety Information Center (IFSIC) is disclosed. The improved IFSIC allows an Internet user to look up the authenticity and safety information about a file or group of files by computing a hash value from the file or group of files and sending the hash value to a central server on the Internet to retrieve such information. A user identifier and other information can be sent to the central server along with the hash value. The improved IFSIC can be supported by targeted advertising, can provide file update information, can provide a better filter for files attached to email messages, and can be used to ensure the integrity of operating systems and installed programs.
    Type: Grant
    Filed: December 9, 2006
    Date of Patent: December 10, 2013
    Inventors: Gary Gang Liu, David Cook