Patents Examined by Gail Hayes
  • Patent number: 6601171
    Abstract: Methods, signals, devices, and systems are provided for delegating rights in a distributed computer system from a principal to one or more deputies. The deputies have identities separate from the principal. This allows the deputies to persist after the principal logs off the system, and permits deputization across boundaries imposed by namespaces and particular network protocols. A deputy may also delegate rights to additional deputies. Deputization is accomplished using certificates, credentials, public and private keys, process creation, and other tools and techniques.
    Type: Grant
    Filed: February 18, 1999
    Date of Patent: July 29, 2003
    Assignee: Novell, Inc.
    Inventors: Stephen R Carter, Carlos A Nevarez
  • Patent number: 6601174
    Abstract: A data processing system and method are described for permitting a server computer system to remotely provide a client computer system's settings password to the client computer system. The client and server computer systems are coupled together utilizing a network. A network settings password is established within the client. The network settings password is required prior to permitting access to system settings included within the client. The client receives the network settings password from the server computer system utilizing the network. Access to the system settings is permitted in response to the receipt of the network settings password. In this manner, the server computer system remotely provides a network settings password to the client computer system.
    Type: Grant
    Filed: February 22, 1999
    Date of Patent: July 29, 2003
    Assignee: International Business Machines Corporation
    Inventors: Daryl Carvis Cromer, Richard Alan Dayan, Brandon Jon Ellison, Eric Richard Kern, Randall Scott Springfield
  • Patent number: 6601175
    Abstract: Features of a data processing system, such as its configuration, are protected utilizing a machine-specific limited-life password. The data processing system includes execution resources for executing a watchdog program, a limited-life value generator, and non-volatile storage that stores a machine-specific value at least partially derived from relatively unique information associated with the data processing system (and preferably also derived from a secret control password). In response to each attempted access to the protected features of the data processing system, the watchdog program generates at least one machine-specific limited-life password from the machine-specific value and a limited-life value generated by the limited-life value generator. The watchdog program allows access to the protected features in response to entry of the machine-specific limited-life password and otherwise denies access.
    Type: Grant
    Filed: March 16, 1999
    Date of Patent: July 29, 2003
    Assignee: International Business Machines Corporation
    Inventors: Todd Weston Arnold, David Carroll Challener
  • Patent number: 6594762
    Abstract: An electronic device and a remote device cooperate to enable a display of an electronic device when a distance between the electronic device and the remote device is less than a transmit range and to disable the display when the distance is greater than the transmit range. Disabling the display of the electronic device may improve the security of data on display. Moreover, the disabling and enabling of the display may be carried out automatically, thereby possibly relieving the authorized user from logging out or powering-off the electronic device to secure the display. When the authorized user carries the remote device, the display may be enabled and disabled as the user moves relative to the electronic device.
    Type: Grant
    Filed: May 5, 1999
    Date of Patent: July 15, 2003
    Assignee: Ericsson Inc.
    Inventors: Mike Doub, Tuyen Banh
  • Patent number: 6591364
    Abstract: In the method for establishing a session key, a network and a mobile transfer codes between one another. The mobile and the network perform mutual authentication based on the codes. Besides performing this mutual authentication, the mobile and the network establish the session key based on the codes. In one embodiment, the messages forming part of the intended session are sent with the codes, and form a basis upon which the codes for authentication have been derived.
    Type: Grant
    Filed: August 28, 1998
    Date of Patent: July 8, 2003
    Assignee: Lucent Technologies Inc.
    Inventor: Sarvar Patel
  • Patent number: 6587563
    Abstract: The invention is a cryptographic system using chaotic dynamics. A set of initial conditions is generated from the private key and becomes input to the chaotic system. The chaotic system generates a set of final conditions from which the public key is derived. The public key is distributed to the public. The public key can be used to encrypt a message that is then decrypted using the private key. An adjustable back door of the invention derived from a set of interim conditions can be used in conjunction with the public key to derive the private key. The degree of difficulty involved in deriving the private key is dependent on the adjustable back door. That is, the value of the back door can be adjusted to vary the difficulty involved in deriving the private key. In one embodiment of the invention, the chaotic system is based on the “N-body” problem to provide cryptographic security.
    Type: Grant
    Filed: February 15, 1997
    Date of Patent: July 1, 2003
    Assignee: Apple Computer, Inc.
    Inventor: Richard Eugene Crandall
  • Patent number: 6587949
    Abstract: A secure storage device with the identical external dimensions, form factor and hardware connectivity configuration of a standard removable storage device, for securing digital data such as digital images from digital cameras at the acquisition stage. Original digital camera data is saved in the memory of the secure storage device after performing one or more security functions, including encryption, creation of an authentication file, adding data to the image data such as fingerprinting, and adding secure annotations such as separate data included in an image header. These processes are transparent to a host device receiving secure data from the storage device because standard protocol is used to write to the secure storage device. The device prepares original authentication data from original digital camera data, and encrypts and stores both the original authentication data and the original image data.
    Type: Grant
    Filed: June 17, 1999
    Date of Patent: July 1, 2003
    Assignee: Fotonation Holdings, LLC
    Inventor: Eran Steinberg
  • Patent number: 6584569
    Abstract: A method for detecting security vulnerabilities in a web application includes analyzing the client requests and server responses resulting therefrom in order to discover pre-defined elements of the application's interface with external clients and the attributes of these elements. The client requests are then mutated based on a pre-defined set of mutation rules to thereby generate exploits unique to the application. The web application is attacked using the exploits and the results of the attack are evaluated for anomalous application activity.
    Type: Grant
    Filed: March 5, 2001
    Date of Patent: June 24, 2003
    Assignee: Sanctum Ltd.
    Inventors: Eran Reshef, Yuval El-Hanany, Gil Raanan, Tom Tsarfati
  • Patent number: 6581160
    Abstract: A storage medium (PM) 13 includes a controller 130 and two types of storage regions, the concealed region 134 and the open region 131. The open region 131 includes an open RW 133 storing a digital content, an open ROM-W region 132a storing, as revocation information, identification information of an electronic appliance that is prohibited from accessing the digital content, and an open ROM region 132 storing, as master revocation information, identification information of an electronic appliance that is prohibited from updating the revocation information. When the storage medium is loaded into an electronic appliance that has identification information which is registered in the open ROM region 132, the controller 130 prohibits the electronic appliance from updating the revocation information.
    Type: Grant
    Filed: October 20, 2000
    Date of Patent: June 17, 2003
    Assignee: Matsushita Electric Industrial Co., Ltd.
    Inventors: Shunji Harada, Makoto Tatebayashi, Masayuki Kozuka, Teruto Hirota, Toru Kamibayashi, Masafumi Tamura
  • Patent number: 6577920
    Abstract: A method of screening a software file for viral infection comprising defining a first database of known macro virus signatures, a second database of known and certified commercial macro signatures, and a third database of known and certified local macro signatures. The file is scanned to determine whether or not the file contains a macro. If the file contains a macro, a signature for the macro is determined and screened against the signatures contained in said databases. A user is alerted in the event that the macro has a signature corresponding to a signature contained in said first database and/or in the event that the macro has a signature which does not correspond to a signature contained in either of the second and third databases.
    Type: Grant
    Filed: October 2, 1998
    Date of Patent: June 10, 2003
    Assignee: Data Fellows Oyj
    Inventors: Mikko Hyppönen, Ari Hyppönen, Mikko Kuisha, Urmas Rahu, Risto Siilasmaa
  • Patent number: 6578147
    Abstract: Various embodiments of a method and system for detecting unauthorized signatures to or from a local network. Multiple sensors are connected at an internetworking device, which can be a router or a switch. The sensors operate in parallel and each receives a portion of traffic through the internetworking device, at a session-based level or at a lower (packet-based) level. Depending on the type of internetworking device (router or switch) the load balancing mechanism that distributes the packets can be internal or external to the internetworking device. Also depending on the level of packet distribution (session-based or packet-based), the sensors share a network analyzer (if session-based) or both a network analyzer and a session analyzer (if packet-based).
    Type: Grant
    Filed: January 15, 1999
    Date of Patent: June 10, 2003
    Assignee: Cisco Technology, Inc.
    Inventors: Steven D. Shanklin, Gerald S. Lathem
  • Patent number: 6577734
    Abstract: The secure management of encryption keys is obtained by preventing external access thereto and ensuring that the keys do not leave an encryption unit in their original form. This result is obtained via a facility which (a) generates a unique device encryption key and at least one program encryption key, (b) encrypts the program encryption key using the device encryption key, and (c) stores the result in local memory. Thereafter, responsive to receipt of an indication to encrypt data, the program encryption key is retrieved from memory and is decrypted using the unique device encryption key. The data is then encrypted using the decrypted program encryption key and the encrypted data is stored in a server for distribution to a user who enters a request for the data. When there is a need to transport the latter key to another element, then the program key is encrypted using a symmetrical encryption key that the facility shares with the other element and the result is supplied to that element.
    Type: Grant
    Filed: October 31, 1995
    Date of Patent: June 10, 2003
    Assignee: Lucent Technologies Inc.
    Inventors: Mark H. Etzel, David W. Faucher, Daniel Nelson Heer, David P. Maher, Robert John Rance
  • Patent number: 6578146
    Abstract: Remote configuration and utilization of an emulated device controller via communication of encrypted data external to the controller. In a preferred embodiment, first and second software means executing within a server central processing unit facilitates secured and verified access to emulated input/output devices on behalf of a user community. The emulated input/output devices are further associated with session oriented application programs executed on one or more host central processing units. A user requests utilization of one or more emulated input/output device types whereupon the security software validates the user's request. If authorized, a hardware adaptor card is initialized with an input/output device configuration reflecting the user's request and control is passed to session oriented programs whereupon the user input/output requests are facilitated via an emulated device as opposed to physical devices associated with the host processors.
    Type: Grant
    Filed: July 31, 2001
    Date of Patent: June 10, 2003
    Inventor: R. Brent Johnson
  • Patent number: 6574734
    Abstract: A method and apparatus in a computing platform located in a vehicle for restricting access to a plurality of software components, wherein the plurality of software components are used to interface with a plurality of devices located within the vehicle. A request is received from an application for a software component, wherein the request includes a data structure, wherein the software component is a requested software component. A determination is made as to whether the requested software component is present within the plurality of software components. An access level for the application is identified and a result is returned to the application based on whether the requested software component is present in the plurality of software components and based on the access level identified for the application.
    Type: Grant
    Filed: December 28, 1998
    Date of Patent: June 3, 2003
    Assignee: International Business Machines Corporation
    Inventors: James Campbell Colson, Stephen Glen Graham
  • Patent number: 6570988
    Abstract: A technique which implements a primitive for computing, e.g., a checksum. Specifically, this primitive replaces a mod(M) operation with a series of simple elementary register operations. These operations include mod 2^n multiplications, order manipulations (e.g., byte or word swaps), and additions—all of which are extremely simple to implement and require very few processing cycles to execute. Hence, use of our inventive technique can significantly reduce the processing time to compute various cryptographic parameters, such as, e.g., a message authentication code (MAC), or to implement a stream cipher, over that conventionally required. This technique has both invertible and non-invertible variants.
    Type: Grant
    Filed: June 9, 1999
    Date of Patent: May 27, 2003
    Assignee: Microsoft Corporation
    Inventors: Ramarathnam Venkatesan, Mariusz Jakubowski
  • Patent number: 6567914
    Abstract: An apparatus and methods for facilitating a reduction in data transmission bandwidth removes unnecessary data relating to encryption keys prior to sending a message or storing the encrypted information for a recipient. Encrypted data, such as message data for multiple recipients, is analyzed to determine whether encryption related data for other recipients may be removed.
    Type: Grant
    Filed: April 27, 2000
    Date of Patent: May 20, 2003
    Assignee: Entrust Technologies Limited
    Inventors: Michael K. Just, Paul Van Oorschot
  • Patent number: 6563928
    Abstract: A cryptosystem utilizes the properties of discrete logs in finite groups, either in a public key message exchange or in a key exchange and generation protocol. If the group selected has subgroups of relatively small order, the message may be exponentiated by a factor of the order of the group to place the message in a subgroup of relatively small order. To inhibit such substitution, the base or generator of the cryptosystem is chosen to be a generator of a subgroup of prime order or a subgroup of an order having a number of relatively small divisors. The message may be exponentiated to each of the relatively small divisors and the result checked for the group identity. If the group identity is found, it indicates a vulnerability to substitution and is rejected.
    Type: Grant
    Filed: April 1, 1999
    Date of Patent: May 13, 2003
    Assignee: Certicom Corp.
    Inventors: Scott A. Vanstone, Alfred John Menezes, Minghua Qu
  • Patent number: 6564320
    Abstract: A local server (202) locally hosts the provision of digital certificate services to a client (102); while a central server (104) provides the actual digital certificate services. The local server (202) transmits (304) a custom entry form (210) to the client (102). In response to the client's (102) use of the custom entry form (210), the client (102) transmits (306) a standard request for digital certificate services to a central server (104), possibly via the local server (202). The central server (104) fulfills (310) the request, generating a standard response. The standard response is transmitted (312) to the local server (202), which generates (314) a custom display of the results contained in the standard response. The custom display is transmitted (316) to the client (102), fulfilling the client's request. Information is provided (320,330), enabling the local server (202) to create (322) appropriate custom entry forms (210) and to generate (314) the custom display from the standard response.
    Type: Grant
    Filed: June 30, 1998
    Date of Patent: May 13, 2003
    Assignee: VeriSign, Inc.
    Inventors: Mahinda K. de Silva, Atul Tulshibagwale, Xinhong Yuan
  • Patent number: 6564319
    Abstract: A technique for compressing certificate information for use in portable credit instruments having limited storage capacity. An end user certificate typically actually comprises a chain of certificates, as SET transactions require not only the end user certificate but also its parent certificates. Each certificate in the certificate chain is compared to a template for that certificate, and the differences are stored. Redundant differences within each certificate are deleted, as are differences which may be derived from differences stored for other certificates in the certificate chain. The remaining stored differences are then recorded on an end user credit instrument, such as a smart card. Preferably, the certificate chain is then recreated for verification purposes before the card is issued. PER encoding may also be employed to further compress the certificate information to be recorded on the credit instrument.
    Type: Grant
    Filed: December 29, 1997
    Date of Patent: May 13, 2003
    Assignee: International Business Machines Corporation
    Inventors: Mark E. Peters, Parley Avery Salmon
  • Patent number: 6560711
    Abstract: An interface apparatus and method between a computer and an input peripheral are disclosed for activity sensing in the vicinity of the computer and signal activation indicative thereof to the computer so that the computer will not activate its normal security procedures, such as a password protected screen saver mode for example, during times of input peripheral inactivity so long as user presence is sensed. When a user leaves the vicinity of the computer, normal operation of a computer's resident security will control computer function. The apparatus when embodied in hardware includes a detector or sensor that detects the presence of the user, a controller receiving output signals from the detector and monitoring input peripheral activity, and host computer/input peripheral routing circuitry.
    Type: Grant
    Filed: August 27, 2001
    Date of Patent: May 6, 2003
    Inventors: Paul Given, Scott E. Farleigh