Patents Examined by Emmanuel L. Moise
  • Patent number: 7864953
    Abstract: Systems, methods and media for encrypting and decrypting content files are disclosed. More particularly, hardware and/or software for adding an additional level of indirection to a title key encryption scheme are disclosed. Embodiments may include generating by a cryptographic system a binding key based on binding information. Embodiments may also include encrypting by the cryptographic system a secret key with the binding key and generating a title key associated with at least one content file. Embodiments may also include encrypting by the cryptographic system the title key with the secret key and the at least one content file with the title key. Further embodiments may include receiving an indication that the binding information has changed, generating a new binding key based on the new changed binding information, and re-encrypting the secret key with the new binding key.
    Type: Grant
    Filed: March 27, 2008
    Date of Patent: January 4, 2011
    Assignee: International Business Machines Corporation
    Inventors: Julian A. Cerruti, Matthew Francis Rutkowski, Amal Ahmed Shaheen
  • Patent number: 7849506
    Abstract: A switching device, method, and computer program utilizes a copy technique to detect unauthorized access to a communications network. An interface of the switching device is connected to receive an original packet and copy the original packet to create a copied packet. A processor within the switching device is operable to analyze information related to the original packet or the copied packet to detect an anomaly related to the original packet or the copied packet. The processor is further operable to cause the copied packet to be forwarded to an intrusion detection system within the communications network upon detecting the anomaly.
    Type: Grant
    Filed: October 12, 2004
    Date of Patent: December 7, 2010
    Assignee: Avaya Inc.
    Inventors: Stephen Thomas Dansey, Zenon Kuc
  • Patent number: 7849510
    Abstract: A data storage system providing transparent encryption. The data storage system has a hardware encryption/decryption engine and a register coupled to the hardware encryption/decryption engine. The register is for securely storing a key for encrypting and decrypting data. The key may not be read from outside the data storage system. More specifically, the key may not be read by the operating system. The user does not have access to the encryption key, but may have a password that is passed to a controller coupled to the encryption/decryption engine. The controller verifies the password and causes data received from main memory to be encrypted by the hardware encryption/decryption engine using the key. The controller also transfers the encrypted data to the data storage device.
    Type: Grant
    Filed: February 21, 2006
    Date of Patent: December 7, 2010
    Assignee: NVIDIA Corporation
    Inventor: Radoslav Danilak
  • Patent number: 7844816
    Abstract: A public key (PK) framework for allowing a relying party to act as a trust anchor to authenticate a subscriber. The framework provides a directory system under the control of the relying party, wherein the directory system includes: a storage system for storing certificates received from subscribers in a database, wherein the certificates are issued by a plurality of different certificate authorities; a management system for managing records in the database associated with subscribers; and a validation system that allows the relying party to retrieve certificates from the database in order to authenticate subscribers.
    Type: Grant
    Filed: June 8, 2005
    Date of Patent: November 30, 2010
    Assignee: International Business Machines Corporation
    Inventor: David Karchov
  • Patent number: 7840992
    Abstract: Described are a system and method for providing data protection. A storage management system in communication with first and second storage arrays is configured to implement a data protection procedure for protecting data stored in the first storage array using the second storage array. An environmental information processor receives information related to an event that can threaten the data stored in the first storage array and, based on the received information, issues a command to the storage management system. The command causes the storage management system to initiate the data protection procedure as a precautionary action for protecting the data stored at the first storage array.
    Type: Grant
    Filed: September 28, 2006
    Date of Patent: November 23, 2010
    Assignee: EMC Corporation
    Inventors: Rene Dufrene, Anthony D. Fong
  • Patent number: 7840816
    Abstract: A method of identifying material which includes the step of inserting an identifying code into a signal as a watermark, and deriving a signature from the material. The code and signature are stored in a database. The watermarked signal may be distributed and/or transmitted through a network. The signal may be processed in the network. A monitor derives from the received signal, the signature and the code. The derived signature and the derived code are compared with the stored signature and code to check the provenance of the material. The watermark contains an authorization code allowing duplication of the material.
    Type: Grant
    Filed: November 20, 2007
    Date of Patent: November 23, 2010
    Assignee: Sony United Kingdom Limited
    Inventors: Morgan William Amos David, Jonathan James Stone
  • Patent number: 7836295
    Abstract: Several deterrence mechanisms suitable for content distribution networks (CDN) are provided. These include a hash-based request routing scheme and a site allocation scheme. The hash-based request routing scheme provides a way to distinguish legitimate requests from bogus requests. Using this mechanism, an attacker is required to generate O(n²) amount of traffic to victimize a CDN-hosted site when the site content is served from n CDN caches. Without these modifications, the attacker must generate only O(n) traffic to bring down the site. The site allocation scheme provides sufficient isolation among CDN-hosted Web sites to prevent an attack on one Web site from making other sites unavailable. Using an allocation strategy based on binary codes, it can be guaranteed that a successful attack on any individual Web site that disables its assigned servers, does not also bring down other Web sites hosted by the CDN.
    Type: Grant
    Filed: July 29, 2002
    Date of Patent: November 16, 2010
    Assignee: International Business Machines Corporation
    Inventors: Suresh N. Chari, Pau-Chen Cheng, Kang-Won Lee, Sambit Sahu, Anees A. Shaikh
  • Patent number: 7831044
    Abstract: A data processing device of the invention has an ID creator unit (300) which adds ID information which is set by a CPU and the number of sectors, and outputs a result of the addition as ID information; a scramble SEED value table (103) which produces an initial scramble SEED value, by using the ID information which is outputted from the ID creator unit (300); a normal scramble filter (104) which produces a scramble SEED value (402) for data to be transferred; a frame jumping scramble filter (301) which holds a scramble SEED value of a jumping destination (401) in preparation for jumping; and a selector (105) which selects one of the scramble SEED value (401) and the scramble SEED value (402) and outputs the selected value to the normal scramble filter (104). Accordingly, the data processing device can perform a scrambling process and a de-scrambling process, without depending on the reliability of the data being transferred.
    Type: Grant
    Filed: November 10, 2004
    Date of Patent: November 9, 2010
    Assignee: Panasonic Corporation
    Inventors: Nobuyuki Yamamoto, Daigo Senoo
  • Patent number: 7823209
    Abstract: An information recording medium contains a semiconductor memory as a storage device for storing data and having plural areas to be managed by mutually independent file systems, an area information storage for storing information about size and position of each area of the semiconductor memory, a host interface for receiving a command for setting each area size of the semiconductor memory from an accessing device, and an area size setter for setting the size and position of each area of the semiconductor memory. The area size setter sets the area size of each area in the semiconductor memory based on the specified setting condition according to the command received from the accessing device.
    Type: Grant
    Filed: November 5, 2004
    Date of Patent: October 26, 2010
    Assignee: Panasonic Corporation
    Inventors: Takuji Maeda, Shinji Inoue
  • Patent number: 7818567
    Abstract: A method for protecting Security Accounts Manager (SAM) files within a Windows® operating system is disclosed. A SAM file encryption key is generated by encrypting a SAM file via a syskey utility provided within the Windows® operating system. The SAM file encryption key is then stored in a virtual floppy disk by selecting an option to store SAM file encryption key to a floppy disk under the syskey utility. A blob is generated by performing a Trusted Platform Module (TPM) Seal command against the SAM file encryption key along with a value stored in a Performance Control Register and a TPM Storage Root Key. The blob is stored in a non-volatile storage area of a computer.
    Type: Grant
    Filed: September 27, 2006
    Date of Patent: October 19, 2010
    Assignee: Lenovo (Singapore) Pte. Ltd.
    Inventors: Rod D. Waltermann, David C. Challener, Philip L. Childs, Norman A. Dion, II, James Hunt, Nathan J. Peterson, David Rivera, Randall S. Springfield, Arnold S. Weksler
  • Patent number: 7818577
    Abstract: A method of identifying material comprises the step of inserting an identifying code into a signal as a watermark, and deriving a signature from the material. The code and signature are stored in a database. The watermarked signal may be distributed and/or transmitted through a network. The signal may be processed in the network. A monitor derives from the received signal, the signature and the code. They are compared with the stored signature and code to check the provenance of the material.
    Type: Grant
    Filed: December 4, 2001
    Date of Patent: October 19, 2010
    Assignee: Sony United Kingdom Limited
    Inventors: Morgan William Amos David, Jonathan James Stone
  • Patent number: 7814562
    Abstract: In an information processing apparatus which is equipped with plural storage devices, there are provided a security information comparison unit for, in a case where data is moved from a movement source storage device to a movement destination storage device, comparing security information of the movement source storage device with security information of the movement destination storage device, and a data movement control unit for controlling the movement of the data based on a comparison result by the security information comparison unit. Thus, it is possible to strongly secure safety with respect to the movement and/or copy of the data among the storage devices by a user.
    Type: Grant
    Filed: March 23, 2005
    Date of Patent: October 12, 2010
    Assignee: Canon Kabushiki Kaisha
    Inventors: Tomoyuki Takada, Noriyuki Suzuki, Hiroyasu Ito, Takeshi Toyama
  • Patent number: 7814311
    Abstract: Generating a binding between a source address and one or more roles of a user accessing the network and distributing the binding to a filter node. The source address is currently assigned to the device. The binding may be generated by one or more nodes on an ingress path used during authentication of the user. The binding may be distributed to the filter node on demand or without any request from the filter node. Responsive to a determination that the user is associated with a new source address, a new binding is generated to associate a new source address with the one or more roles for the user. The new binding is distributed to the filter node. Another aspect is a method of enforcing a role based security policy at a filter node, using bindings of source addresses to roles.
    Type: Grant
    Filed: March 10, 2006
    Date of Patent: October 12, 2010
    Assignee: Cisco Technology, Inc.
    Inventors: Sean Convery, David R. Oran, James Rivers, John Schnizlein, Ralph Droms, Mark Stapp
  • Patent number: 7796755
    Abstract: A device for locating a DES key value that corresponds to a packet identification (PID) contained at a variable possible location which comprises part only of a 32-bit packet header. A table stored in memory contains for each DES key: (i) a packet header having 32 bits with a PID of either 12, 9 or 8 bits contained at a defined location and with zero values elsewhere, and (ii) a mask value also having 32 bits with ones contained at the said defined location of the PID and zeros elsewhere. The table is divided into regions for respective packet format types. An incoming packet header at an input is combined with a first one of the mask values from the table to provide a combined value that consists of the value held in the input packet header at the defined location and zeros elsewhere. This combined value is compared with the corresponding packet header stored in the table. When they are not equal, the combining and comparison is repeated for the next row of the table.
    Type: Grant
    Filed: September 15, 2006
    Date of Patent: September 14, 2010
    Assignee: STMicroelectronics Limited
    Inventor: Andrew R. Dellow
  • Patent number: 7796763
    Abstract: Aspects of the invention provide a method and system for securely managing the storage and retrieval of data. Securely managing the storage and retrieval of data may include receiving a first disaster recovery code and acquiring a first password corresponding to the first disaster recovery code. A first disaster recovery key may be generated based on the first disaster recovery code and the first password. Another aspect of the invention may also include generating the received first disaster recovery code based on said first password and the first disaster recovery key. The generated disaster recovery code may be securely stored on at least a portion of a storage device or a removable media. Data stored on the storage device may be encrypted using the first generated disaster recovery key. Additionally, data read from the storage device may be decrypted using the generated first disaster recovery key.
    Type: Grant
    Filed: August 19, 2008
    Date of Patent: September 14, 2010
    Inventor: Kenneth Ma
  • Patent number: 7796761
    Abstract: A system to exchange and authenticate public cryptographic keys between parties that share a common but secret password, using a pair of random numbers, a pair of Diffie-Hellman public keys computed from the random numbers and the password, a Diffie-Hellman symmetric secret key computed from the Diffie-Hellman public keys and the random numbers, and hashed values of arguments that depend upon these elements.
    Type: Grant
    Filed: January 13, 2009
    Date of Patent: September 14, 2010
    Assignee: International Business Machines Corporation
    Inventors: Mohammad Peyravian, Allen Leonid Roginsky, Nevenko Zunic
  • Patent number: 7793346
    Abstract: A system, method and computer program product are provided for preventing unauthorized program modules from communicating. Initially, at least one program module is identified utilizing a central processing unit call history. Thereafter, an authorization test is performed on the at least one program module for preventing unauthorized program modules from communicating.
    Type: Grant
    Filed: January 17, 2003
    Date of Patent: September 7, 2010
    Assignee: McAfee, Inc.
    Inventor: Jonathan A. Daub
  • Patent number: 7793098
    Abstract: The present invention provides location privacy against third parties while allowing route-optimized communication between the correspondent node and the mobile node. The mobile node's home address is hidden from an external observer thereby thwarting traffic analysis based attacks where a Home Address is correlated with a Care of Address of a mobile node (MN). A “privacy label” is used in place of a home address associated with the mobile node. The privacy label is supplied by the mobile node to the correspondent node in a way that allows the privacy label to be bound to the home address, but does not allow the home address to be visible during the exchange. The privacy label may be also used to help prevent against replay attacks.
    Type: Grant
    Filed: May 20, 2003
    Date of Patent: September 7, 2010
    Assignee: Nokia Corporation
    Inventors: Charles E. Perkins, Rajeev Koodli, Vijay Devarapalli, Hannu Flinck
  • Patent number: 7783895
    Abstract: A controller of a recording device issues a secure command to a storage device, and then waits the time estimated necessary for the storage device to execute the secure command before issuing the next secure command. When a controller of the storage device is executing the previous command, it notifies the recording device of being in process. When the previous command has been completed normally, the controller moves to the next process. Information for estimating the execution time of the command is obtained from the storage device in advance.
    Type: Grant
    Filed: March 26, 2004
    Date of Patent: August 24, 2010
    Assignees: Sanyo Electric Co., Ltd., Sharp Corporation, Victor Company of Japan Limited, Pioneer Corporation, Fujitsu Limited, Hitachi Global Storage Technologies Japan, Ltd.
    Inventors: Yoshihiro Hori, Yuichi Kanai, Ryoji Ohno, Takeo Ohishi, Kenichiro Tada, Tatsuya Hirai, Masafumi Tsuru, Takayuki Hasebe
  • Patent number: 7784096
    Abstract: Disclosed is a method for slowing down the spread of viruses by limiting the number of Transmission Control Protocol (“TCP”) connection attempts to arbitrary Internet Protocol (“IP”) addresses that can be in progress at any given time—a common method employed by viruses to spread to other hosts from an infected host. This is achieved by setting a small limit on the number of connection attempt requests that can be in progress at any given time and can be implemented regardless of whether anti-virus software is installed on the system.
    Type: Grant
    Filed: November 15, 2004
    Date of Patent: August 24, 2010
    Assignee: Microsoft Corporation
    Inventors: Sanjay N. Kaniyar, Christian Huitema, Henry L. Sanders