Patents Examined by David Jung
  • Patent number: 7003797
    Abstract: The present invention relates to secure PIN entry in a distributed network. According to one or more embodiments of the present invention, a client connected to a server contains logic that is used to keep the PIN within the network computer and not send it over the network. In one embodiment, the server sends an instruction to the networked computing device telling it to capture a PIN locally. This instruction causes the networked computer to enter a secure PIN entry mode which logically disconnects the keyboard from the server. Upon receipt of the instruction from the server, one embodiment of the present invention receives keyboard entries on the client computer and places them into a local buffer. The client continues buffering the keyboard entries until an indication that the process is complete. Upon completion of the keyboard entries, they are translated into ASCII characters by the client and sent from the local client buffer to the smart card where the PIN may be verified.
    Type: Grant
    Filed: May 18, 2001
    Date of Patent: February 21, 2006
    Assignee: Sun Microsystems, Inc.
    Inventors: Michael S. Bender, Fabio Pistolesi
  • Patent number: 7003798
    Abstract: Disclosed is a remote operating system in which even if a remote-operated apparatus is connected to a network protected by a firewall and a remote-operating apparatus exists outside of the firewall, it is possible for the remote-operating apparatus to remotely operate the remote-operated apparatus by transmitting information containing an operation designation as a response to a command, such as a stream connection request, transmitted from the remote-operated apparatus.
    Type: Grant
    Filed: October 17, 2001
    Date of Patent: February 21, 2006
    Assignee: Canon Kabushiki Kaisha
    Inventors: Tadashi Yamakawa, Eiji Kato, Hisao Nakagawa, Kazuomi Oishi, Yoichi Kamei
  • Patent number: 7003111
    Abstract: Provided is a method, system, and program for encoding and decoding input data. A key is generated comprising a list of a plurality of binary values, wherein the key is available to a user during decoding. The input data is encoded by using the key to initialize a replacement list. A determination is made whether to replace strings in the input data with a string reference to a matching string value, wherein the input data not replaced with reference to one matching string value comprises one or more literals. Each literal is replaced with a literal reference to one entry in the replacement list matching the literal. The encoded input data is decoded by accessing the generated key in response to user input and using the accessed key to decode the literals replaced with literal references to entries in the replacement list.
    Type: Grant
    Filed: October 11, 2001
    Date of Patent: February 21, 2006
    Assignee: International Business Machines Corporation
    Inventor: Glen Alan Jaquette
  • Patent number: 7000121
    Abstract: A first node (client) (1) is in communication with one of a plurality of second nodes (5, 6, 7) connected to a local area network (LAN) (4) via a virtual private network including a link (3), such as the Internet, and a selected one of a plurality of third nodes (gateway servers) (21, 22, 23). Communication between the first node (1) and the third nodes (21, 22, 23) is encrypted, whereas communication between the third nodes and the second nodes (5, 6, 7) is unencrypted. Communication from the first node (1) to one of the second nodes (5, 6, 7) is initially set up via a selected one of the third nodes after suitable authentication. If that third node should subsequently fail, an alternative third node can be used. To detect the failure of a third node, the first node (1) sends a “heartbeat” packet (failure detection signal) to it. An operational third node responds with an answer, indicating that all is well.
    Type: Grant
    Filed: May 22, 2001
    Date of Patent: February 14, 2006
    Assignee: Fujitsu Services Limited
    Inventor: Mark Joseph Stefan Jarosz
  • Patent number: 6996840
    Abstract: The present invention relates to a method for executing a security critical activity in a security device (40), wherein the security critical activity is executed with user involvement. Each security critical activity is divided into a number of situations/actions, belonging either to a proxy letter group or a user involvement group. The processor (42) of the security device (40) starts the execution of an action of a security critical activity, and then checks if this situation/action can be handled by a proxy letter or shall be handled by a user. If the user or the proxy letter grants the situation/action the execution of the action is continued and ended. This is repeated until all actions of the security critical activity have been executed. If neither the user nor the proxy letter grants the situation/action the execution of the security critical activity will be stopped.
    Type: Grant
    Filed: December 13, 1999
    Date of Patent: February 7, 2006
    Assignee: Myspace AB
    Inventor: Christian Wettergren
  • Patent number: 6996717
    Abstract: The semi-fragile watermark comprises a fragile watermark component and a robust watermark component. Features are extracted from the video stream and subsequent hashing and encryption processes are performed to generate the fragile watermark. The fragile watermark includes control data information at the block level as well as frame and group level information. The fragile watermark is added on top of the robust watermark, giving the system the ability to detect alteration at the block level as well as the group level. The resulting semi-fragile watermark has the advantage of being both sensitive to malicious attack while being robust enough to survive bit rate reduction and other types of manipulation typically performed on digital multimedia signals.
    Type: Grant
    Filed: May 24, 2001
    Date of Patent: February 7, 2006
    Assignee: Matsushita Electric Industrial Co., Ltd.
    Inventors: Peng Yin, Hong Heather Yu
  • Patent number: 6993790
    Abstract: A vulnerability checking tool for a host computer designed to examine security logs of attempted logins and revocations, to detect systematic attacks of a wide variety, and to generate a report file that can be examined for information concerning these types of events. Host computer files which contain data regarding attempted accesses and logins are used to create an event list based upon event criteria. The list is evaluated using a “floating period” time frame which advances by single event steps while no violation is detected within a particular floating period, and which advances by “jumps” when violations are detected in a time period so as to reduce the possibility of “over reporting” violations related to the same set of events.
    Type: Grant
    Filed: August 30, 2001
    Date of Patent: January 31, 2006
    Assignee: International Business Machines Corporation
    Inventors: Debbie Ann Godwin, Rodney Eldon Walters
  • Patent number: 6990583
    Abstract: A public-key-encryption data-communication system includes a public-key-certificate issuer authority. The public-key-certificate issuer authority performs the issuance of a public key certificate and management operations; certification of a subject to be certificated, which is a certificate issuing request, and management such as registration processing are executed by a root registration authority or each registration authority. The public-key-certificate issuer authority performs processing for validating, invalidating, and deleting the certificate in accordance with a request from the root registration authority. The root registration authority accepts a request for issuing a public key certificate corresponding to the subject to be certificated which is under the control of a certificated registration authority, and transfers it to the public-key-certificate issuer authority in a form in which a signature is added to it.
    Type: Grant
    Filed: February 26, 2001
    Date of Patent: January 24, 2006
    Assignee: Sony Corporation
    Inventors: Shinako Matsuyama, Yoshihito Ishibashi, Ichiro Futamura, Masashi Kon, Hideaki Watanabe
  • Patent number: 6990201
    Abstract: The invention concerns a method for testing sources generating random numbers, particularly sources set up in the context of cryptographic systems such as random number generators incorporated in chip cards. The invention is particularly designed to be used for testing and validating electronic devices such as chip cards, PCMCIA, badges, contactless cards or any other similar portable apparatus.
    Type: Grant
    Filed: August 16, 1999
    Date of Patent: January 24, 2006
    Assignee: Gemplus
    Inventors: Jean-Sébastien Coron, David Naccache
  • Patent number: 6988200
    Abstract: In a data transmit/receive method for a plurality of devices connected by a 1394 bus, a receiving device obtains a device-specific number of a transmitting device when starting to receive data. When a bus reset occurs, the receiving device again obtains the device-specific number from the transmitting device, and checks whether the device-specific numbers before and after the bus reset match. If the device-specific numbers differ, the receiving device obtains the device-specific number from all devices connected to the bus. If a device with the same device-specific numbers as prior to the bus reset is present among the obtained device-specific numbers, the channel number of the bus used for the transmitting of data is determined, and the receiving device starts receiving with that channel number. Then device authentication with the transmitting device is carried out, and key information for solving the encryption is obtained.
    Type: Grant
    Filed: November 15, 2001
    Date of Patent: January 17, 2006
    Assignee: Matsushita Electric Industrial Co., Ltd.
    Inventor: Kiyotaka Iwamoto
  • Patent number: 6986047
    Abstract: This invention provides methods and apparatus for enabling access to restricted information contained at a semi-trusted web-server. Restricted information is information that is only available to a selected group of authorized clients. A client desiring access to the restricted information authenticates itself with a trusted web-server, and obtains a client credential. The client then contacts the semi-trusted web-server with the credential and obtains access to the restricted content. The restricted information may be encrypted at the semi-trusted web-server, so that the restricted information is secure even if the semi-trusted web-server is not completely secure.
    Type: Grant
    Filed: May 10, 2001
    Date of Patent: January 10, 2006
    Assignee: International Business Machines Corporation
    Inventors: James Ryan Giles, Reiner Sailer, Dinesh Chandra Verma
  • Patent number: 6985586
    Abstract: The aim of the present invention is to propose a method that allows the reduction of the bandwidth needs in a structure that implements an operating center and a plurality of user units, ensuring the availability for the final user, of a product amongst a vast choice and being able to be downloaded by said user in a short period of time. This aim is achieved by a system that implements at least one operating center that has a great number of products, a plurality of user units comprising security and storage means, characterized in that the link between at least one group of user units is of the bidirectional type and that the operating center comprises means for the transfer of a product that is stored in the storage means of a user unit to another user unit.
    Type: Grant
    Filed: February 28, 2001
    Date of Patent: January 10, 2006
    Assignee: Nagracard S.A.
    Inventor: Michael John Hill
  • Patent number: 6985896
    Abstract: A browsing sequence for a plurality of items is provided. A tree which relates the plurality of items is also provided. The tree is non-unary and has a height of at least two. A user selection to prune the browsing sequence based on a selected one of the items is received. Based on the user selection, all items which are tree-descendants of the selected one of the items are removed from the browsing sequence.
    Type: Grant
    Filed: September 30, 2002
    Date of Patent: January 10, 2006
    Inventor: Cary D. Perttunen
  • Patent number: 6985900
    Abstract: The invention presents novel method, apparatus, and data structures for storing, maintaining, and executing processing logic on a computer system. Processing logic is encoded into its distinct, constituent elements that are flexibly linked, facilitating reuse and reconfiguration. Executable responses are selected for an input signal by identifying a correspondence between the input signal and an expression, evaluating the expression to a resulting value, and identifying a correspondence between the expression and its resulting value, and an executable response.
    Type: Grant
    Filed: May 14, 2002
    Date of Patent: January 10, 2006
    Inventors: Edgar F. Codd, Sharon B. Codd
  • Patent number: 6985589
    Abstract: An apparatus and method for the encoding and storage of signals representing at least image information onto a storage medium is claimed. A source generator is configured to convert the signals into digitized image information. A compressor is configured to receive the digitized image information from the source generator and compress the digitized image. An encryptor is configured to receive the compressed digitized image information from the compressor and encrypt the compressed digitized image information. A storage device is configured to then store the encrypted compressed digitized image information onto the storage medium.
    Type: Grant
    Filed: May 3, 2000
    Date of Patent: January 10, 2006
    Assignee: Qualcomm Incorporated
    Inventors: Steven A. Morley, Juan Faus, John Ratzel
  • Patent number: 6983373
    Abstract: It is one objective of the present invention to limit the frequency whereat a user can display or reproduce digital content data, such as photograph data or music data, and instead, to reduce the price of such digital content data and accelerate its sale via the Internet. According to the present invention, an information processing apparatus comprises: a reception unit, for externally receiving, via a network, a content data file to which an encrypted life counter has been added; a processor, for processing the content data file; a subtraction unit, for subtracting a specific value from the encrypted life counter; and a controller, for inhibiting the processing means from processing the content data file when the value held by the encrypted life counter has been reduced to a value smaller than the specific value.
    Type: Grant
    Filed: July 2, 2001
    Date of Patent: January 3, 2006
    Assignee: Canon Kabushiki Kaisha
    Inventor: Yoji Furuya
  • Patent number: 6981140
    Abstract: A method for improving fault tolerance and data throughput rates in the transfer of data between computing entities across a virtual private network comprises the steps of: logically dividing a memory means associated with a first said communicating entity into a plurality of areas; receiving encrypted data from said second communicating entity; storing said encrypted data in the first memory area associated with said first communicating entity; writing said encrypted data stored in said first memory area into a second memory area associated with said first communicating entity; decrypting said encrypted data stored in said second memory area; and writing said decrypted data from said second memory area to said first memory area.
    Type: Grant
    Filed: August 14, 2000
    Date of Patent: December 27, 2005
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventor: Tse Huong Choo
  • Patent number: 6976163
    Abstract: Methods, systems, computer program products and business methods are provided which provide or utilize updates of firmware (i.e. data stored in a programmable memory device of a processing system) based on rules provided as extensions to certificates associated with an update. Such updates may be provided by obtaining an update image corresponding to the update of the programmable memory and obtaining a certificate associated with the update image, the certificate having update application rules in at least one extension of the certificate. The certificate may be provided as part of the update image. The update application rules are extracted from the extension of the certificate and the programmable memory selectively updated based on the update image and the update application rules extracted from the obtained certificate. Certificates for use in such firmware updates are also provided.
    Type: Grant
    Filed: July 12, 2000
    Date of Patent: December 13, 2005
    Assignee: International Business Machines Corporation
    Inventors: John R. Hind, Marcia Lambert Peters
  • Patent number: 6976177
    Abstract: A secure communication method for allowing a mobile host to communicate with a correspondent host over a Virtual Private Network. The method comprises negotiating one or more Security Associations between the mobile host and a correspondent host of a Virtual Private Network. Subsequently, a communication is initiated between the mobile host and a Security Gateway and an authentication certificate sent to the Security Gateway, the certificate containing at least the identity of a Security Association which will be used for subsequent communication between the mobile host and the correspondent host. Data packets can then be sent from the mobile host to the correspondent host using the identified Security Association, via the Security Gateway. However, the data packets are forwarded by the Security Gateway to the correspondent host only if they are authenticated by the Security Gateway.
    Type: Grant
    Filed: January 18, 2001
    Date of Patent: December 13, 2005
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventor: Pasi Matti Kalevi Ahonen
  • Patent number: 6973565
    Abstract: A biometrically secured memory IC is disclosed for biometrically securing digital data stored therein. The memory IC comprises a biometric sensing device such as a fingerprint imager and an integrated circuit. The biometric sensing device and the integrated circuit are irremovably bonded together such that the sensing device and the integrated circuit form a single physical unit. Biometric information provided to the sensing device is captured and a signal indicative of the biometric information is provided to the integrated circuit. The signal is then converted into digital data indicative of the signal using an A/D converter. A processor compares the digital data indicative of the biometric information with first digital data indicative of a biometric characteristic of an authorized user, which is stored in first memory to produce a comparison result. If the comparison result is indicative of a match the processor provides access to second digital data stored in second memory.
    Type: Grant
    Filed: May 9, 2001
    Date of Patent: December 6, 2005
    Assignee: Safenet Canada, Inc.
    Inventor: Bruno Couillard