Patents Examined by Gregory Morse
  • Patent number: 7051368
    Abstract: Methods and systems of screening input strings that are intended for use by a Web server are described. In the described embodiment, an attack pattern is determined that can be used to attack a Web server. A search pattern is defined that can be used to detect the attack pattern. The search pattern is defined in a flexible, extensible manner that permits variability among its constituent parts. An input string that is intended for use by a Web server is received and evaluated using the search pattern to ascertain whether the attack pattern is present. If an attack pattern is found that matches the search pattern, then a remedial action is implemented.
    Type: Grant
    Filed: November 9, 1999
    Date of Patent: May 23, 2006
    Assignee: Microsoft Corporation
    Inventors: Michael Howard, Vikas Malhotra
  • Patent number: 7047561
    Abstract: The present invention relates to a firewall for use in association with real-time Internet applications such as Voice over Internet Protocol (VoIP). The firewall applies an application proxy to the signaling and control channels and a packet filter to the bearer channels. One of the features of the hybrid firewall is that the application proxy can instruct the packet filter as to which bearer channels to enable and disable for the duration of a real-time Internet application session. The hybrid firewall can also intelligently perform network address translation (NAT) on Internet protocol packets incoming and outgoing to the firewall.
    Type: Grant
    Filed: September 28, 2000
    Date of Patent: May 16, 2006
    Assignee: Nortel Networks Limited
    Inventor: Michael C. G. Lee
  • Patent number: 7046804
    Abstract: An image encoding/decoding system and method for producing a computer-generated security device which can be printed onto a document, such as a passport, to secure the document against data alteration. Deflection encoding means comprises means for applying a selected software lens to a source image and producing a deflected image. Encryption encoding means comprises means for applying an encryption function to the deflected image or a source image and producing an encrypted image. Overlaying means is provided for overlaying the deflected and encrypted images and producing therefrom the security device image. The deflected image may be detected from the security device image both by means of a manual lenticular lens corresponding to the software lens applied to a printing of the security image and by means of computer decoding processing applying the software lens.
    Type: Grant
    Filed: April 19, 2000
    Date of Patent: May 16, 2006
    Assignee: Canadian Bank Note Company, Ltd
    Inventors: Trevor Merry, Ileana Buzuloiu
  • Patent number: 7047409
    Abstract: A method of automatically tracking a certificate pedigree is provided, in which a new user is provided with a piece of hardware containing a predetermined pedigree certificate stored therein, the predetermined pedigree certificate having a level of trust bearing a relationship to a category of hardware of which the provided piece of hardware is a member. An automated registration arrangement is provided which can be accessed only by users having a piece of hardware containing a predetermined pedigree certificate having a specified level of trust stored therein. When the new user accesses the automated registration arrangement using the provided piece of hardware, the automated registration arrangement provides the new user with an individual signature certificate having a level of trust commensurate with that of the pedigree certificate.
    Type: Grant
    Filed: October 16, 2000
    Date of Patent: May 16, 2006
    Assignee: Northrop Grumman Corporation
    Inventors: Kenneth W. Aull, Vincent J. McCullough
  • Patent number: 7046801
    Abstract: A cryptographic processing method in which dependence of cryptographic processing process and secret information on each other is cut off; and in which, when a scalar multiplied point is calculated from a scalar value and a point on an elliptic curve in an elliptic curve cryptosystem, a value of a bit of the scalar value is judged; and in which operations on the elliptic curve are executed a predetermined number of times and in a predetermined order without depending on the judged value of the bit.
    Type: Grant
    Filed: March 20, 2001
    Date of Patent: May 16, 2006
    Assignee: Hitachi, Ltd.
    Inventor: Katsuyuki Okeya
  • Patent number: 7043638
    Abstract: The invention relates to a data storage medium storing data material having a data replay order, the stored data material being associated with dummy data material stored on the medium at a different position in the data replay order, in which metadata identifying the data material is encoded as a watermark in the dummy data material.
    Type: Grant
    Filed: March 20, 2003
    Date of Patent: May 9, 2006
    Assignee: Sony United Kingdom Limited
    Inventors: Mark John McGrath, Michael Williams
  • Patent number: 7043017
    Abstract: A symmetric key stream processor 60 that encrypts and decrypts text in accordance with the RC4 algorithm has a main processing block 62 and a host interface 64. The main processing block 62 includes an Sbox memory 78 implemented with a synchronous dual-port RAM and an encryption logic block 80 with a finite state machine. The dual port memory architecture is used for efficiency during permutation and message processing.
    Type: Grant
    Filed: September 13, 2001
    Date of Patent: May 9, 2006
    Assignee: Freescale Semiconductor, Inc.
    Inventors: Richard J. Swindlehurst, Joel D. Feldman
  • Patent number: 7043636
    Abstract: The integrity of a dynamic data object that comprises one or more dynamic data items is ensured by storing the dynamic data object and dynamic authorization data in a memory. The dynamic authorization data may, for example, be a count of how many failed attempts to gain authorization have previously been made, and this is modified at least whenever another failed attempt is made. Whenever the dynamic data object or the dynamic authorization data is changed, its corresponding hash value is recomputed and stored into the memory. The dynamic data object is considered authentic only if newly-generated values of the two hash signatures match those that were previously stored into the memory. Changes to the dynamic data object are permitted only after the user has executed and passed an authorization procedure.
    Type: Grant
    Filed: September 14, 2001
    Date of Patent: May 9, 2006
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventor: Ben Smeets
  • Patent number: 7039188
    Abstract: The present invention relates to an optical disc authentication method and apparatus. The method, wherein each disc has a plurality of ways and a plurality of sectors in each way, includes the steps of measuring the quantity of sectors in each of a defined quantity of ways to provide a disc fingerprint comprising way sector quantity values for an original disc and a target disc and authenticating the target disc.
    Type: Grant
    Filed: August 31, 2001
    Date of Patent: May 2, 2006
    Inventor: Oleg Saliahov
  • Patent number: 7039952
    Abstract: The present invention is directed toward using patterns in APDU to perform identification data substitution. According to one or more embodiments of the present invention, a user inserts a smart card into a card reader connected to a client computing device. Then, the user enters a PIN. The PIN is embedded into an APDU which is sent to the card reader and is presented to the smart card. The APDU contains special patterns that specify to the card reader where and in what format the PIN should be embedded into a prototype APDU that is constructed in the card reader and presented to the card for verification.
    Type: Grant
    Filed: May 18, 2001
    Date of Patent: May 2, 2006
    Assignee: Sun Microsystems, Inc.
    Inventors: Michael S. Bender, Fabio Pistolesi
  • Patent number: 7039944
    Abstract: The digital data file management method reads a header of the digital data file stored on an external medium. Based on the read header, the digital data file is selectively uploaded and/or managed.
    Type: Grant
    Filed: February 10, 2000
    Date of Patent: May 2, 2006
    Assignee: LG Electronics Inc.
    Inventors: Young-Soon Cho, Jae-Young Kim, Han Jung
  • Patent number: 7035403
    Abstract: A message to be transmitted through a network is encrypted such that the resulting encrypted message has associated therewith a proof of correctness indicating that the message is of a type that allows decryption by one or more escrow authorities. Each of at least a subset of the servers of the network includes a module for checking the proof of correctness if the corresponding encrypted message passes through the corresponding server in being transmitted from a sender to a recipient through the network. The encrypted message is therefore transmitted through the network to the recipient such that in traversing the network the proof of correctness associated with the encrypted message is checked by a designated check module of at least one server of the network. If the check of the proof of correctness indicates that the proof is invalid, the module of the server performing the check may direct that the encrypted message be discarded.
    Type: Grant
    Filed: February 12, 2001
    Date of Patent: April 25, 2006
    Assignee: Lucent Technologies Inc.
    Inventor: Bjorn Markus Jakobsson
  • Patent number: 7036010
    Abstract: A security protocol entity (20) is provided that includes a mechanism for enabling a first party (11) to communicate securely with a second party (60) through an access-controlling intermediate party (13) by nesting within a first security session (64) established with the intermediate party (13) a second security session (65) with the second party (60). The protocol data units, PDUs, associated with the second security session (65) are encapsulated in PDUs associated with the first security session (64) when sent out by the first party, the intermediate party extracting the encapsulated PDUs for sending on to the second party (possibly with a change to the destination address included in the PDU to be sent on). Each PDU includes a message type field explicitly indicating to the intermediate party (13) if a received PDU encapsulates another PDU intended to be sent on.
    Type: Grant
    Filed: December 7, 2000
    Date of Patent: April 25, 2006
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventor: Michael Wray
  • Patent number: 7036150
    Abstract: The invention provides a data management apparatus which can use data advantageously in terms of data capacity. A database server performs a registration process and a providing process. When a data registration request is received from a seller, the registration process registers audio data included in the received data registration request in association with data name information, password information, and the like. At the same time, the registration process transmits usage certificate data that includes the information to a user. When a data usage request is received from a portable terminal, and when a password of a record in which the same data name as that included in the received data usage request is registered matches a password included in the received data usage request, the providing process transmits audio data specified by the data name included in the received data usage request to the portable terminal.
    Type: Grant
    Filed: June 8, 2001
    Date of Patent: April 25, 2006
    Assignee: Seiko Epson Corporation
    Inventors: Joji Onishi, Mikio Aoki, Shinya Taniguchi
  • Patent number: 7035405
    Abstract: The present invention provides a method for generating a common key between a central station and a group of subscribers, e.g., at least three subscribers, that exhibits the same standard of security as the DH method.
    Type: Grant
    Filed: September 22, 1999
    Date of Patent: April 25, 2006
    Assignee: Deutsche Telekom AG
    Inventor: Joerg Schwenk
  • Patent number: 7036145
    Abstract: An access control system for an electronic entertainment device includes a processor and a memory comprising access control instructions for execution by the processor. The instructions periodically present a set of working queries during execution of an entertainment software application, accept answers to the working queries, and allow access to, or terminate, the entertainment software application based on the answers. Access is allowed for a supervisor configurable time period for each user and each entertainment software title.
    Type: Grant
    Filed: July 18, 2000
    Date of Patent: April 25, 2006
    Inventors: James P. Murphy, John F. Nethery
  • Patent number: 7032240
    Abstract: An authorization system and associated method for selectively authorizing a host system to use one or more items of protected information associated with the host system. The authorization system includes a portable authorization device that is removably couplable to the host system. The portable authorization device is capable of receiving and storing multiple items of authorization information associated with a plurality of respective items of protected information from one or more information authorities. Preferably, the portable authorization device is capable of communicating with multiple types of information authorities. The portable authorization device selectively authorizes the host system to use the one or more respective items of protected information based upon the respective authorization information stored therein.
    Type: Grant
    Filed: February 14, 2000
    Date of Patent: April 18, 2006
    Assignee: Pace Anti-Piracy, Inc.
    Inventors: Paul Allen Cronce, Joseph M. Fontana
  • Patent number: 7032114
    Abstract: A system and method are disclosed for detecting intrusions in a host system on a network. The intrusion detection system comprises an analysis engine configured to use continuations and apply forward- and backward-chaining using rules. Also provided are sensors, which communicate with the analysis engine using a meta-protocol in which the data packet comprises a 4-tuple. A configuration discovery mechanism locates host system files and communicates the locations to the analysis engine. A file processing mechanism matches contents of a deleted file to a directory or filename, and a directory processing mechanism extracts deallocated directory entries from a directory, creating a partial ordering of the entries. A signature checking mechanism computes the signature of a file and compares it to previously computed signatures. A buffer overflow attack detector compares access times of commands and their associated files.
    Type: Grant
    Filed: August 30, 2000
    Date of Patent: April 18, 2006
    Assignee: Symantec Corporation
    Inventor: Douglas B. Moran
  • Patent number: 7032110
    Abstract: A client/server authentication system is disclosed. The system includes a filter, a plug-in, and an extension. The filter monitors sessions between a client and a server for proper authentication. The plug-in is coupled to the client and the server. The plug-in generates public and private key pairs, and receives and stores certificates. The extension is coupled to the filter. The extension generates script commands to cause the client and the server to perform required steps indicated by the filter.
    Type: Grant
    Filed: June 30, 2000
    Date of Patent: April 18, 2006
    Assignee: LANDesk Software Limited
    Inventors: Jin Su, Paul B. Hillyard, Alan B. Butt
  • Patent number: 7028337
    Abstract: A method of Virtual Private Network (VPN) communication employed for a security gateway apparatus, and the security gateway apparatus using the same, which allow a personal computer outside a local area network (LAN) to access, via a WAN, a terminal on the LAN, virtually regarding the outside PC as a terminal on the LAN. The communication method is employed for a security gateway apparatus to connect, through a concentration and conversion process, between a LAN and a WAN including a public network. Security Architecture for the Internet Protocol (IPsec) establishes a VPN with an outside PC having a dialup connection to the WAN. During an Internet Key Exchange (IKE) communication that is performed prior to the IPsec communication, the security gateway apparatus integrates a Dynamic Host Configuration Protocol (DHCP) communication option into the IKE data, and designates the IP address of the outside PC from a tunneled IP packet.
    Type: Grant
    Filed: December 1, 2000
    Date of Patent: April 11, 2006
    Assignee: Matsushita Electric Industrial Co., Ltd.
    Inventor: Yasushi Murakawa