Patents Examined by Fikremariam Yalew
  • Patent number: 8024565
    Abstract: Authorizing information flows between devices of a data processing system is provided. In one illustrative embodiment, an information flow request is received from a first device to authorize an information flow from the first device to a second device. The information flow request includes an identifier of the second device. Based on an identifier of the first device and the second device, security information identifying an authorization level of the first device and second device is retrieved. A sensitivity of an information object that is to be transferred in the information flow is determined and the information flow is authorized or denied based only on the sensitivity of the information object and the authorization level of the first and second devices regardless of the particular action being performed on the information object as part of the information flow.
    Type: Grant
    Filed: May 30, 2008
    Date of Patent: September 20, 2011
    Assignee: International Business Machines Corporation
    Inventors: Diana J. Arroyo, George R. Blakley, III, Damir A. Jamsek, Sridhar R. Muppidi, Kimberly D. Simon, Ronald B. Williams
  • Patent number: 8014528
    Abstract: A method is provided for accessing a user operable device having limited access ability. The method comprises transmitting an inquiry from a mobile device of a user via a wide area transmission network to a key authority for obtaining an access key for accessing functions of the user operable device, receiving a request for information from the key authority, transmitting the requested information to the key authority, wherein the information is used by the key authority for co-coding the access key with one or more conditions for operating the user operable device, receiving the access key assigned by the key authority via the wide area transmission network, and transmitting the access key to a controller unit of the user operable device via a short range communication network for accessing the functions of the user operable device.
    Type: Grant
    Filed: October 23, 2008
    Date of Patent: September 6, 2011
    Assignee: Nokia Corporation
    Inventors: Björn Bunte, Holger Krummel, Tilman Bollmann
  • Patent number: 8015401
    Abstract: A method of authenticating data transmitted in a digital transmission system, in which the method comprises the steps, prior to transmission, of determining at least two encrypted values for at least some of the data, each encrypted value being determined using a key of a respective encryption algorithm, and outputting said at least two encrypted values with said data.
    Type: Grant
    Filed: June 17, 2008
    Date of Patent: September 6, 2011
    Assignee: Thomson Licensing S.A.
    Inventors: Jean-Bernard Gerard Maurice Beuque, Philippe Poulain
  • Patent number: 8015605
    Abstract: A monitor of malicious network traffic attaches to unused addresses and monitors communications with an active responder that has constrained-state awareness to be highly scalable. In a preferred embodiment, the active responder provides a response based only on the previous statement from the malicious source, which in most cases is sufficient to promote additional communication with the malicious source, presenting a complete record of the transaction for analysis and possible signature extraction.
    Type: Grant
    Filed: August 29, 2005
    Date of Patent: September 6, 2011
    Assignee: Wisconsin Alumni Research Foundation
    Inventors: Vinod T. Yegneswaran, Paul R. Barford, David J. Plonka
  • Patent number: 8006281
    Abstract: In one embodiment, a computer system performs a method for accessing a trusted assembly from a virtualized location. A computer system detects receipt of a request to access an assembly. The address of the assembly is expressed in the request as a virtualized location. The computer system resolves the virtualized location to a physical location where the assembly is physically stored. The resolving includes accessing an information store that maintains the current physical location corresponding to the requested assembly's virtualized location. The computer system determines whether the requested assembly qualifies as a trusted assembly by verifying that the assembly sufficiently complies with information encoded within the assembly. Lastly, upon determining that the requested assembly is trusted, the computer system accesses the requested assembly from the physical location.
    Type: Grant
    Filed: December 21, 2006
    Date of Patent: August 23, 2011
    Assignee: Microsoft Corporation
    Inventors: Stefan N. Schackow, Nikhil Kothari
  • Patent number: 8001611
    Abstract: System for authenticating a user for logon to a content manager running on top of a database manager. A connect procedure connects the user to a database manager; and then a logon procedure logs on the user to the content manager selectively responsive to the user connecting to the database manager; the user being authenticated by a third party by way of a user exit or a trusted logon environment and privilege; or the user being authenticated by the content manager.
    Type: Grant
    Filed: October 18, 2007
    Date of Patent: August 16, 2011
    Assignee: International Business Machines Corporation
    Inventors: Kenneth Carlin Nelson, Marilene Araujo Noronha
  • Patent number: 7995758
    Abstract: Systems and techniques relating to cryptographic keys include, in one implementation, a technique involving: generating a symmetric encryption key; and generating from the symmetric encryption key a family of symmetric encryption keys having a relationship such that a descendent key of the family is derivable from each key that is an ancestor of the descendent key in the family. Generating the family of symmetric encryption keys can involve cryptographically hashing the original symmetric encryption key and resulting hashed encryption keys. The technique can further include rolling over a key used in securing information by providing a next symmetric encryption key of the family in an order opposite that of an order of key generation; and a client can cryptographically hash a first symmetric encryption key to produce a second symmetric encryption key of the family and decrypt information associated with an electronic document with the key thus produced.
    Type: Grant
    Filed: November 30, 2004
    Date of Patent: August 9, 2011
    Assignee: Adobe Systems Incorporated
    Inventor: William M. Shapiro
  • Patent number: 7992202
    Abstract: Provided are an apparatus and method for inputting a graphical password that use representative pictures and elemental pictures of a graphic to form a graphical password and that receive the graphic via a wheel interface and a select button for user authentication. The apparatus includes: an input unit having a wheel interface and a select button; a display for displaying a graphic consisting of representative pictures and elemental pictures, and displaying a changed graphic in response to an input from the wheel interface; a memory for storing a graphical password of a user; and a controller for recognizing, when the select button is pressed, the graphic displayed on the display as a user-input graphical password, and determining whether the input graphical password matches the stored graphical password for user authentication.
    Type: Grant
    Filed: January 17, 2008
    Date of Patent: August 2, 2011
    Assignee: SUNGKYUNKWAN University Foundation for Corporate Collaboration
    Inventors: Dongho Won, Sangjoo Park, Seungjoo Kim
  • Patent number: 7979904
    Abstract: A method, system and program product for maximizing virus check coverage, while minimizing redundancy in virus checking. The method includes evaluating, using an audit checking tool, whether or not a file in a working directory to be virus checked is a compressed file and, if the file is evaluated as being a compressed file, decompressing the compressed file evaluated using a decompression tool. Further, the method includes iterating the evaluating and decompressing steps to decompress any other files contained therein using the decompression tool and deleting a respective compressed file that is fully decompressed by the decompression tool without any errors from the working directory, while saving a respective compressed file that is not fully decompressed by the decompression tool. Furthermore, the method includes virus checking the working directory, such that, the virus checking does not virus check the respective compressed file that is deleted from the working directory.
    Type: Grant
    Filed: March 7, 2007
    Date of Patent: July 12, 2011
    Assignee: International Business Machines Corporation
    Inventor: Steven J. Ramer
  • Patent number: 7979718
    Abstract: An operator recognition device is provided that eliminates the registration of data such as HMM data having a characteristic amount for which error in recognition occurs easily when recognizing an operator, and thus reduces the possibility of errors in recognition, and has stable recognition performance. When registering HMM data that is used when performing recognition processing, a speaker recognition device 100 eliminates the registration of HMM data of a password having a characteristic amount of the spoken voice component that is similar to a characteristic amount that is indicated by HMM data that is already registered, and does not allow the registration of HMM data for which it is estimated that error in recognition will occur easily during the recognition process.
    Type: Grant
    Filed: March 24, 2006
    Date of Patent: July 12, 2011
    Assignees: Pioneer Corporation, Tech Experts Incorporation
    Inventors: Soichi Toyama, Ikuo Fujita, Mitsuya Komamura
  • Patent number: 7975295
    Abstract: A hash key is generated based on an information object and a lookup operation is performed in a hash table based on the hash key. A determination is made whether an entry in the hash table at an index corresponding to the hash key identifies a labelset for the information object. A labelset, identifying a sensitivity of the information object, is stored in the entry at the index corresponding to the hash key for the information object if a labelset for the information object is not identified in the entry in the hash table. Information flows involving the information object are authorized based on a lookup of the labelset associated with the information object in the hash table. The hash table may be a multidimensional hash table.
    Type: Grant
    Filed: May 30, 2008
    Date of Patent: July 5, 2011
    Assignee: International Business Machines Corporation
    Inventors: Diana J. Arroyo, George R. Blakley, III, Damir A. Jamsek, Sridhar R. Muppidi, Kimberly D. Simon, Ronald B. Williams
  • Patent number: 7971058
    Abstract: Plaintext/cyphertext pairs are generated for use in authenticating a device. The device performs a secure authentication algorithm on a secure authentication image file and a received plaintext challenge, and outputs a cyphertext response. If the cyphertext response matches a pre-stored cyphertext string associated with the plaintext challenge, then the device is authenticated. A master processor manages the generation of the plaintext/cyphertext pairs. Plaintext challenges are generated in the master processor using a binary counter and an n-bit key. Each plaintext challenge is transmitted to a first processor and a second processor. The first processor executes the secure authentication algorithm on each plaintext challenge and outputs a cyphertext response associated with each plaintext challenge. The second processor executes the secure authentication algorithm on each plaintext challenge and outputs a second cyphertext response associated with each plaintext challenge.
    Type: Grant
    Filed: March 6, 2007
    Date of Patent: June 28, 2011
    Assignee: Kyocera Corporation
    Inventor: John P. Taylor
  • Patent number: 7971059
    Abstract: Systems, devices, and methods for establishing a secure session for the transmission of data from an input device to a remote server device are disclosed. The input device may be an electronic check scanner attached to a banking customer's home personal computer. The customer may visit a bank's Internet website using the web browser or other application on their personal computer, and then submit scanned images of checks to the bank. The bank, however, to ensure security and prevent fraud, may wish to establish a secure session between the devices and components in the system before the image data may be scanned and transmitted.
    Type: Grant
    Filed: May 30, 2007
    Date of Patent: June 28, 2011
    Assignee: Bank of America Corporation
    Inventors: Matthew Alexander Calman, William Scott Treadwell
  • Patent number: 7962757
    Abstract: A method, program and system (10) for processing data are disclosed. The method, program and system comprising the steps of: (a) receiving data representing a location of an item (e.g., people, personal property, real property, organizations, chemical compounds, organic compounds, proteins, biological structures, biometric values or atomic structures), (c) determining a plurality of fixed coordinates that represent the location (e.g., by “rounding” and/or comparing to a reference grid), (d) utilizing an algorithm (e.g., encryption, encoding and/or one-way function) to process the plurality of fixed coordinates (each separately or together), and (e) comparing the processed data to at least a portion of secondary data (perhaps comprising data previously stored in a database).
    Type: Grant
    Filed: March 24, 2004
    Date of Patent: June 14, 2011
    Assignee: International Business Machines Corporation
    Inventors: Jeffrey J. Jonas, Steven Bruce Dunham
  • Patent number: 7958353
    Abstract: The present invention provides an apparatus for securely acquiring a circuit configuration information set corresponding to a new cryptosystem without increasing the number of reconfigurable circuits. A content playback apparatus 100 includes an FPGA 122 that is reconfigurable. The content playback apparatus 100 stores a decryption circuit program that shows the structure of a decryption circuit that executes decryption in accordance with a prescribed cryptosystem. The FPGA is reconfigured in accordance with the program to configure the decryption circuit. The playback apparatus 100 acquires, from outside, an encrypted file that has been generated by encrypting a file including a decryption circuit program corresponding to the new cryptosystem in accordance with the prescribed cryptosystem, and decrypts the encrypted file by the decryption circuit.
    Type: Grant
    Filed: April 24, 2006
    Date of Patent: June 7, 2011
    Assignee: Panasonic Corporation
    Inventors: Natsume Matsuzaki, Toshihisa Nakano, Shinichi Marui
  • Patent number: 7953985
    Abstract: A memory card receives an encrypted application program from a host apparatus. The memory card includes an Integrated Circuit (IC) card unit having a tamper resistant function, and a flash memory unit. The IC card unit also includes a tamper resistant storage unit, a program acquisition unit that acquires the encrypted application program from the host apparatus, a storage control unit which stores the acquired encrypted application program in the tamper resistant storage unit or the flash memory unit, and a move control unit. The memory control unit, when the application program stored in the tamper resistant storage unit is to be executed and the size of the application program to be executed in the decrypted form exceeds the size of free space of the tamper resistant storage unit, moves an arbitrary encrypted application program stored in the tamper resistant storage unit to the flash memory unit.
    Type: Grant
    Filed: April 28, 2006
    Date of Patent: May 31, 2011
    Assignee: Panasonic Corporation
    Inventors: Yoshiko Nishimura, Kazuyuki Kashiwabara, Eiji Kawahara
  • Patent number: 7950057
    Abstract: A method includes determining that a driver load address is in a system service dispatch table (SSDT) addressable area. The method further includes determining whether the driver is authorized to be in the SSDT addressable area. If the driver is authorized to be in the SSDT addressable area, the driver is loaded in the SSDT addressable area and is able to hook operating system functions. Conversely, if the driver is not authorized to be in the SSDT addressable area, the driver is loaded outside the SSDT addressable area and is not able to hook operating system functions. In this manner, only authorized drivers are allowed to hook operating system functions.
    Type: Grant
    Filed: December 21, 2006
    Date of Patent: May 24, 2011
    Assignee: Symantec Corporation
    Inventors: Mark Kennedy, Bruce McCorkendale
  • Patent number: 7945048
    Abstract: A method for securing patient identity comprising accessing an electronic medical records database including patient data for a plurality of patients. Each patient in the electronic medical records database is assigned a unique patient identifier. Patient data for a first patient, including a first patient identifier, is retrieved from the electronic medical records database. The first patient is de-identified from the patient data. De-identifying includes the creation of a first encoded patient identifier responsive to the first patient identifier. The de-identifying results in de-identified first patient data and includes the replacement of the first patient identifier with the first encoded patient identifier. The de-identified first patient data is transmitted to a data warehouse system. The method further comprises identifying a second patient in response to receiving report data that includes a second encoded patient identifier from the data warehouse system.
    Type: Grant
    Filed: April 16, 2009
    Date of Patent: May 17, 2011
    Assignee: General Electric Company
    Inventors: Thomas N. Ricciardi, Curtis White
  • Patent number: 7945782
    Abstract: One embodiment of the present invention provides a system for digitally signing electronic mail that originates from a browser. The system operates by first receiving a message from a browser at a mail server. The mail server formats the message and returns the formatted message to the browser so that the browser can sign the message. The mail server then receives the signature for the formatted message from the browser and encapsulates the formatted message and the signature into a secure message. Next, the mail server forwards the secure message to the intended recipients for the message.
    Type: Grant
    Filed: August 26, 2008
    Date of Patent: May 17, 2011
    Assignee: Oracle International Corporation
    Inventors: Andrew B. Philips, Ramana Rao Turlapati
  • Patent number: 7936872
    Abstract: A system and method in a wireless network for discovering which resources (e.g., other wireless computing devices) are proximate a user's wireless computing device. Wireless signal strengths with respect to various base stations are compared with the signal strengths of other network devices or resources, to determine which devices are experiencing similar signal strengths. Devices with similar signal strengths are deemed proximate. Each participating computing device may send its signal strength reports to a proximity server, which distributes proximity data to network clients. Each client may receive and process the signal strength data for determining which other clients/resources are proximate, or the server can perform proximity computations and return a list of proximate clients. Once computed, the identities of the proximate clients can be used to query for additional data about the clients, such as the names and other details of their owners, or information about the resource.
    Type: Grant
    Filed: September 30, 2003
    Date of Patent: May 3, 2011
    Assignee: Microsoft Corporation
    Inventors: John C. Krumm, Susan D. Woolf, Roland Fernandez, David J. Marsh, Albert D. Jee, Wayne G. King