Patents Examined by David Jung
  • Patent number: 7194764
    Abstract: The present invention authenticates a user for multiple resources distributed across multiple domains through the performance of a single authentication. User access requests for a protected resource in a first domain are received and redirected to a second domain. User authentication is performed at the second domain. In one embodiment, the system transmits an authentication cookie for the second domain to the user after authentication at the second domain. In another embodiment, the system further redirects subsequent resource requests for resources in the first domain or a third domain to the second domain. The second domain confirms the user's authentication for applicable portions of the first, second, and third domains using the cookie.
    Type: Grant
    Filed: February 26, 2001
    Date of Patent: March 20, 2007
    Assignee: Oracle International Corporation
    Inventors: Robin E. Martherus, Srinivasagopalan Ramamurthy
  • Patent number: 7191465
    Abstract: Provided are a method, system and program for processing complexes to access shared devices. A lock to a plurality of shared devices is maintained and accessible to a first and second processing systems. The first processing complex determines a first delay time and the second processing complex determines a second delay time. The first processing complex issues a request for the lock in response to expiration of the first delay time and the second processing complex issues a request for the lock in response to expiration of the second delay time.
    Type: Grant
    Filed: November 12, 2004
    Date of Patent: March 13, 2007
    Assignee: International Business Machines Corporation
    Inventors: Michael Thomas Benhase, John Norbert McCauley, Brian Anthony Rinaldi, Micah Robison, Todd Charles Sorenson
  • Patent number: 7191341
    Abstract: Methods and apparatus are provided for sequencing data in a cryptography accelerator with multiple cryptographic processing cores. Cryptographic processing cores are grouped into blocks of cryptographic processing cores to efficiently process received data. Mechanisms are provided to order data sequences at both the cryptographic processing core block level and the cryptographic processing core level.
    Type: Grant
    Filed: January 23, 2003
    Date of Patent: March 13, 2007
    Assignee: Broadcom Corporation
    Inventors: Tim Paaske, Mark Buer
  • Patent number: 7191337
    Abstract: An apparatus and method for wildcarded security policy are implemented. These include associating wildcarded resource identifiers with a corresponding security policy. A resource identifier received in an access request is matched to one of a list of said wildcarded resource identifiers. Matching is determined in accordance with a predetermined set of precedence values, each precedence value of the set corresponding to a predetermined wildcard element.
    Type: Grant
    Filed: June 30, 2001
    Date of Patent: March 13, 2007
    Assignee: International Business Machines Corporation
    Inventor: Timothy Simon Bartley
  • Patent number: 7181626
    Abstract: A computer security system utilizing smart cards for computer access. A system for home or small business use generally is presented in which smart cards are utilized to gain access to computer functions. The user is presented with a login prompt that permits login using the smart card. The user is permitted to bypass use of the smart card and obtain access to the computer system, but such use of the computer system is logged for review by an administrator.
    Type: Grant
    Filed: June 29, 2001
    Date of Patent: February 20, 2007
    Assignee: Sun Microsystems, Inc.
    Inventor: Brian Rasmussen
  • Patent number: 7177860
    Abstract: An information processing system, method and recording medium for use therewith enables a user to search for (and locate) different types of information contained in a plurality of information files. The search is conducted on the basis of the types of information that are designated. The types of information can be directly designated or indirectly designated, e.g., by designating an information file. When an information file is designated, the designated type(s) of information corresponds to the type(s) of information contained in the designated information file. The located information can then be reproduced, e.g., on a display screen.
    Type: Grant
    Filed: December 12, 2002
    Date of Patent: February 13, 2007
    Assignee: Nikon Corporation
    Inventors: Satoshi Ejima, Akihiko Hamamura
  • Patent number: 7178021
    Abstract: A method and apparatus for utilizing a non-secure file server for storing and sharing data securely only among clients and groups authorized to read and modify the data. A first client that desires to store data on the file server encrypts the data with a first encryption key having an associated first decryption key. The client encrypts the first decryption key with a second encryption key having an associated second decryption key known to the first client. Additionally, the first decryption key is encrypted with respective encryption keys of other clients or groups intended to have access to the data stored on the file server and the clients and groups retain their respective decryption keys. All of the encrypted first decryption keys are stored within an access control list in association with the encrypted data on the non-secure file server.
    Type: Grant
    Filed: March 2, 2000
    Date of Patent: February 13, 2007
    Assignee: Sun Microsystems, Inc.
    Inventors: Stephen R. Hanna, Radia J. Perlman
  • Patent number: 7177423
    Abstract: A method of computing an exponent of a message $m$ in an RSA cryptosystem having a private key $d$, a public key $e$ and system parameters $p$, $q$ where $p$ and $q$ are primes and $ed = 1 \bmod (p-1)(q-1)$. The method comprises the steps of obtaining a value $r$, and exponentiating the value $r$ to the power $e$ to obtain an exponent $r^e \bmod p$, combining said exponent $r^e$ with the message $m$ to obtain a combined value $r^e m \bmod p$; selecting a value $s$ and obtaining a difference $(d-s)$, exponentiating the combined value with said difference to obtain an intermediate exponent $(r^e m)^{d-s}$, multiplying the intermediate exponent by a value $m^s$ to obtain a resultant value equivalent to $r^{1-es} m^d$ and multiplying the resultant value by a value corresponding to $r^{1-es}$ to obtain an exponent corresponding to $m^d \bmod p$.
    Type: Grant
    Filed: June 9, 2004
    Date of Patent: February 13, 2007
    Assignee: Certicom Corp.
    Inventor: Adrian Antipa
  • Patent number: 7171562
    Abstract: An apparatus and method for providing access rights information on computer accessible content are provided. The apparatus and method provide a mechanism through which access rights information is provided in association with information and content such that use of the information and content is controlled based on the access rights information. The apparatus and method include access rights information tags being associated with information and content. A web browser is provided with code, either in the web browser, or as a plugin application or browser extension, to process the access rights information and thereby control the usage of the associated information and content. In addition, an interface is provided through which a user may gain access to content that is associated with access rights information. The interface is generated based on the access rights information associated with the content and the access level of the user.
    Type: Grant
    Filed: September 5, 2001
    Date of Patent: January 30, 2007
    Assignee: International Business Machines Corporation
    Inventors: Michael Wayne Brown, Mark Joseph Hamzy, Scott Thomas Jones
  • Patent number: 7165073
    Abstract: A computer system provides the ability to construct and edit a Data Definition File (DDF) containing hierarchically related elements of data, some of which are dynamic in that they must execute in order to produce or retrieve data. A client computer system having knowledge of a DDF appropriate for its uses sends a request to a server, which contains or can retrieve the DDF requested by the client. The request contains parameters used by the server to customize the resulting keyed data file for the client's purposes. Upon receipt of the request, the server copies the DDF into a coupled memory, performs requested parameter substitutions, and executes dynamic elements to produce resulting data elements. The process is repeated recursively for all elements of the hierarchical structure, until no dynamic elements remain, then the resulting keyed data file is returned to the client for its uses.
    Type: Grant
    Filed: November 13, 2001
    Date of Patent: January 16, 2007
    Assignee: X-Aware, Inc
    Inventor: Kirstan Anderson Vandersluis
  • Patent number: 7162735
    Abstract: When software is initially loaded to RAM 20, an engine 30A is installed at the beginning of an otherwise empty area of RAM 20. When the protected application is called, the engine first creates a series of steps (FIG. 3D), including a CALL command to a protection block 38. On reaching the call 36, the protection block 38 is executed, to complete various security checks. If these are successful, step 2 is created and written over the call 36 so that execution of steps 2 and 3 can continue as normal. Consequently, the protected software (steps 1, 2 and 3) is not exposed to scrutiny unless the security checks have successfully been completed.
    Type: Grant
    Filed: July 13, 2001
    Date of Patent: January 9, 2007
    Assignee: Simplex Major Sdn.Bhd
    Inventor: John Aram Safa
  • Patent number: 7150035
    Abstract: A method of securing information. The method comprises: obtaining a path to the information; and performing a security check regarding the path.
    Type: Grant
    Filed: March 20, 2001
    Date of Patent: December 12, 2006
    Assignee: General Instrument Corporation
    Inventors: Douglas Makofka, Eric Sprunk
  • Patent number: 7143287
    Abstract: A method and system for verifying binding of an initial trusted device to a secured processing system binds an initial device or replacement when no binding information is available from another device in the system. A platform credential is issued only when a valid binding is verified, by sending a proof of binding to a credential provider, such as the manufacturer. The method secures against security breaches that can occur when a device is removed from the system during the binding process. The binding information is generated in the device upon installation and includes system identification information so that at each initialization, upon return of binding information from the system to the device, the device can ensure that it is installed in the proper system and abort operation if the system does not match.
    Type: Grant
    Filed: October 21, 2004
    Date of Patent: November 28, 2006
    Assignee: International Business Machines Corporation
    Inventors: Steven A. Bade, David Carroll Challener
  • Patent number: 7143093
    Abstract: A scalable enterprise computer system having the capability to provide transaction security as well as providing subscription filtering is described. As a method of transacting an event in the enterprise computer system, a connection with an information broker by the publisher is established, after which it is determined if the event is registered with the information broker. Next, a subscription corresponding to the registered event by a subscriber is accepted by the information broker, after which a platform neutral event is created that is then populated with event content which is then published to and received by the information broker.
    Type: Grant
    Filed: December 15, 1999
    Date of Patent: November 28, 2006
    Assignee: Webmethods, Inc.
    Inventors: Rafael Bracho, Steven M. Jankowski
  • Patent number: 7143088
    Abstract: A dynamic-content web crawler is disclosed. These New Crawlers (NCs) are located at points between the server and user, and monitor content from said points, for example by proxying the web traffic or sniffing the traffic as it goes by. Web page content is recursively parsed into subcomponents. Sub-components are fingerprinted with a cyclic redundancy check code or other loss-full compression in order to be able to detect recurrence of the sub-component in subsequent pages. Those sub-components which persist in the web traffic, as measured by the frequency NCs (6) are defined as having substantive content of interest to data-mining applications. Where a substantive content sub-component is added to or removed from a web page, then this change is significant and is sent to a duplication filter (11) so that if multiple NCs (6) detect a change in a web page only one announcement of the changed URL will be broadcast to data-mining applications (8).
    Type: Grant
    Filed: December 14, 2001
    Date of Patent: November 28, 2006
    Assignee: The Johns Hopkins University
    Inventors: Jacob Green, John Schultz
  • Patent number: 7140038
    Abstract: A security service layer and method for controlling a communication between a client running an application and a target wherein a message including parameters specifying the communication is analyzed and, based on the analyzing result, at least one service routine is selected from a number of available service routines. The communication is then controlled on the basis of the selected service routines. The client and the application running at the client may be security unaware since all security relevant functions are executed on behalf of the application by the service security layer. Application dependent service routines are selected dynamically during the communication between the client and the target. A service routine may include security mechanisms or support mechanisms, such as data handling.
    Type: Grant
    Filed: May 17, 2001
    Date of Patent: November 21, 2006
    Assignees: GMD - Forschungszentrum Informationstechnik GmbH, Fujitsu Limited
    Inventors: Rainer Prinoth, Horst Ehmke, Elisabeth Giessler, Thomas Schroeder, Markus Schumacher
  • Patent number: 7137140
    Abstract: A customer computer 12, vendor computer 16 and verification computer 14 are interconnected by means of a network 18, such as the internet. The customer 12 can initiate a transaction, such as the purchase of information from the vendor 16. However, the vendor 16 will not proceed until verification of the transaction has been received from the site 14. This is not provided until the customer 12 has sent a unique fingerprint of data to the site 14, identifying the customer machine by reference to hardware device types or serial numbers, software types or licences, e-mail addresses or the like. This fingerprint is stored for future reference in showing that the transaction was validly implemented by the customer machine 12.
    Type: Grant
    Filed: July 13, 2001
    Date of Patent: November 14, 2006
    Assignee: Simplex Major SDN.BHD
    Inventor: John Aram Safa
  • Patent number: 7134021
    Abstract: According to the present invention, techniques, including a method and system, for restoring and/or validating data and/or associated signature log entries are provided. One embodiment of the present invention provides a method for validating a restored message, having an entry generated in a signature log for a message, where the entry includes cryptographic information associated with the message; next, when said message is lost, the restored message is generated responsive to a request; and the restored message is validated using the signature log. In another embodiment a method for validating a selected log entry by using a signature log having a plurality of recorded log entries is provided. The method includes: computing a cryptographic value for the selected log entry; and determining if the cryptographic value is part of another recorded log entry.
    Type: Grant
    Filed: March 22, 2001
    Date of Patent: November 7, 2006
    Assignee: Hitachi, Ltd.
    Inventors: Kunihiko Miyazaki, Hiroshi Yoshiura, Seiichi Susaki, Ryoichi Sasaki, Kazuo Takaragi, Hisashi Toyoshima, Takeshi Matsuki
  • Patent number: 7130998
    Abstract: One embodiment of the present invention provides a system that uses a portable security token (PST) to facilitate cross-certification between a first certification authority (CA) and a second CA, wherein the first CA and associated subscriber devices constitute a first public-key infrastructure (PKI) domain, and wherein the second CA and associated subscriber devices constitute a second PKI domain. During operation, the system uses the PST to transfer certification information between the first CA and the second CA, wherein the PST communicates with the first CA and the second CA through a location-limited communication channel. Next, the system uses the certification information to issue a cross-certificate to the first CA. Note that the cross-certificate is signed by the second CA.
    Type: Grant
    Filed: October 14, 2004
    Date of Patent: October 31, 2006
    Assignee: Palo Alto Research Center, Inc.
    Inventors: Dirk Balfanz, Glenn E. Durfee, Diana K. Smetters
  • Patent number: 7127067
    Abstract: Patch servers, patch clients and corresponding methods are provided that may increase secret protection and key loss tolerance. A patch server includes a first key generation platform and a second key generation platform different from the first one. A first and second private key group containing a plurality of first or second private keys, respectively, is generated using the first or second key generation platform, respectively. One of the first private keys is selected from the first private key group, and one of the second private keys is selected from the second private key group. A first digital signature is generated based on the patch and the first selected private key. A second digital signature is generated based on the patch and the second selected private key. The patch is transmitted to the patch client together with the first and second digital signatures.
    Type: Grant
    Filed: September 2, 2005
    Date of Patent: October 24, 2006
    Assignee: Advanced Micro Devices, Inc.
    Inventors: Axel Wachtler, Ralf Findeisen, Frank Schuecke