Patents Examined by Gregory Morse
-
Patent number: 7036145
Abstract: An access control system for an electronic entertainment device includes a processor and a memory comprising access control instructions for execution by the processor. The instructions periodically present a set of working queries during execution of an entertainment software application, accept answers to the working queries, and allow access to, or terminate, the entertainment software application based on the answers. Access is allowed for a supervisor configurable time period for each user and each entertainment software title.
Type: Grant
Filed: July 18, 2000
Date of Patent: April 25, 2006
Inventors: James P. Murphy, John F. Nethery
-
Patent number: 7035403
Abstract: A message to be transmitted through a network is encrypted such that the resulting encrypted message has associated therewith a proof of correctness indicating that the message is of a type that allows decryption by one or more escrow authorities. Each of at least a subset of the servers of the network includes a module for checking the proof of correctness if the corresponding encrypted message passes through the corresponding server in being transmitted from a sender to a recipient through the network. The encrypted message is therefore transmitted through the network to the recipient such that in traversing the network the proof of correctness associated with the encrypted message is checked by a designated check module of at least one server of the network. If the check of the proof of correctness indicates that the proof is invalid, the module of the server performing the check may direct that the encrypted message be discarded.
Type: Grant
Filed: February 12, 2001
Date of Patent: April 25, 2006
Assignee: Lucent Technologies Inc.
Inventor: Bjorn Markus Jakobsson
-
Patent number: 7035405
Abstract: The present invention provides a method for generating a common key between a central station and a group of subscribers, e.g., at least three subscribers, exhibit the same standard of security as the DH method.
Type: Grant
Filed: September 22, 1999
Date of Patent: April 25, 2006
Assignee: Deutsche Telekom AG
Inventor: Joerg Schwenk
-
Patent number: 7036010
Abstract: A security protocol entity (20) is provided that includes a mechanism for enabling a first party (11) to communicate securely with a second party (60) through an access-controlling intermediate party (13) by nesting within a first security session (64) established with the intermediate party (13) a second security session (65) with the second party (60). The protocol data units, PDUs, associated with the second security session (65) are encapsulated in PDUs associated with the first security session (64) when sent out by the first party, the intermediate party extracting the encapsulated PDUs for sending on to the second party (possibly with a change to the destination address included in the PDU to be sent on). Each PDU includes a message type field explicitly indicating to the intermediate party (13) if a received PDU encapsulates another PDU intended to be sent on.
Type: Grant
Filed: December 7, 2000
Date of Patent: April 25, 2006
Assignee: Hewlett-Packard Development Company, L.P.
Inventor: Michael Wray
-
Patent number: 7032115
Abstract: An information processing apparatus and method consisting of the modules 1) peripheral control including power management resulting in increased battery life where a plurality of peripherals use a single power source to eliminate external power supplies, 2) universal conversion, an extensible system for taking any information as input and converting to any desired feasible output, 3) virtual user production, which creates a digital representation of a user through constant recording and analysis of completed work, which is disintegrated and stored in lists comprising tasks and related options. A list captures and represents the user's preferences. Dynamic and evolving lists define a virtual user capable of repeating any previously recorded task. A corresponding Web based communication provider automatically feeds additional tasks and options to the invention, which can grow substantially unassisted by the user.
Type: Grant
Filed: July 13, 2001
Date of Patent: April 18, 2006
Inventor: Mehdi Kashani
-
Patent number: 7032240
Abstract: An authorization system and associated method for selectively authorizing a host system to use one or more items of protected information associated with the host system. The authorization system includes a portable authorization device that is removably couplable to the host system. The portable authorization device is capable of receiving and storing multiple items of authorization information associated with a plurality of respective items of protected information from one or more information authorities. Preferably, the portable authorization device is capable of communicating with multiple types of information authorities. The portable authorization device selectively authorizes the host system to use the one or more respective items of protected information based upon the respective authorization information stored therein.
Type: Grant
Filed: February 14, 2000
Date of Patent: April 18, 2006
Assignee: Pace Anti-Piracy, Inc.
Inventors: Paul Allen Cronce, Joseph M. Fontana
-
Patent number: 7032110
Abstract: A client/server authentication system is disclosed. The system includes a filter, a plug-in, and an extension. The filter monitors sessions between a client and a server for proper authentication. The plug-in is coupled to the client and the server. The plug-in generates public and private key pairs, and receives and stores certificates. The extension is coupled to the filter. The extension generates script commands to cause the client and the server to perform required steps indicated by the filter.
Type: Grant
Filed: June 30, 2000
Date of Patent: April 18, 2006
Assignee: LANDesk Software Limited
Inventors: Jin Su, Paul B. Hillyard, Alan B. Butt
-
Patent number: 7032114
Abstract: A system and method are disclosed for detecting intrusions in a host system on a network. The intrusion detection system comprises an analysis engine configured to use continuations and apply forward- and backward-chaining using rules. Also provided are sensors, which communicate with the analysis engine using a meta-protocol in which the data packet comprises a 4-tuple. A configuration discovery mechanism locates host system files and communicates the locations to the analysis engine. A file processing mechanism matches contents of a deleted file to a directory or filename, and a directory processing mechanism extracts deallocated directory entries from a directory, creating a partial ordering of the entries. A signature checking mechanism computes the signature of a file and compares it to previously computed signatures. A buffer overflow attack detector compares access times of commands and their associated files.
Type: Grant
Filed: August 30, 2000
Date of Patent: April 18, 2006
Assignee: Symantec Corporation
Inventor: Douglas B. Moran
-
Patent number: 7028337
Abstract: A method of the Virtual Private Network (VPN) communication employed for a security gateway apparatus and the security gateway apparatus using the same, which allow a personal computer outside a local area network (LAN) to access, via a WAN, to a terminal on the LAN, virtually regarding the outside PC as a terminal on the LAN. The communication method is employed for a security gateway apparatus to connect, through concentration and conversion process, between a LAN and a WAN including a public network. Security Architecture for the Internet Protocol (IPsec) establishes VPN with an outside PC having a dialup connection to the WAN. During an Internet Key Exchange (IKE) communication that is performed prior to the IPsec communication, the security gateway apparatus integrates a Dynamic Host Configuration Protocol (DHCP) communication option into an IKE data, and designates the IP address of the outside PC from a tunneled IP packet.
Type: Grant
Filed: December 1, 2000
Date of Patent: April 11, 2006
Assignee: Matsushita Electric Industrial Co., Ltd.
Inventor: Yasushi Murakawa
-
Patent number: 7028338
Abstract: A system, computer program, and method of providing an automatic cooperative response ability to all members of a domain in light of a detected threat or other suspicious activity, such as, for example, a virus or denial of service attack, directed, at least initially, at less than all members of the domain. The system broadly comprises the domain; a log server; a detection server; and a profile server. The domain comprises a logical grouping of members having similar risk profiles. The detection server monitors and parses log and audit records generated by the members and copied to the log server. When the detection server identifies threatening or other suspicious activity it sets an alert status in a security profile stored on the profile server. The members periodically query the profile server for updates to the alert status and are thereby apprised of the alert.
Type: Grant
Filed: December 18, 2001
Date of Patent: April 11, 2006
Assignee: Sprint Spectrum L.P.
Inventors: James W. Norris, John Everson, Daniel LaMastres
-
Patent number: 7028340
Abstract: The apparatus controls access to the contents. The apparatus comprises MO device, MPEG2 decoder, and MO media as physical elements. Information for identifying these physical elements (identifying information) is allocated to each of these physical elements. License information, indicating whether access to the contents is to be allowed or not, is recorded on a MO media. Access to the contents recorded on the MO media is controlled based on the license information and the identifying information.
Type: Grant
Filed: July 28, 2000
Date of Patent: April 11, 2006
Assignee: Fujitsu Limited
Inventors: Jun Kamada, Seigo Kotani, Etsuo Ono, Massayuki Hatanaka, Masatoshi Yoshida, Takahiro Nakai
-
Patent number: 7028186
Abstract: The security keys in the mobile terminals and access points of a wireless local area network (WLAN) are created, utilized and managed for a communication session between a mobile terminal and access point. Both the WLAN link level security protection and IP security functions of the network use the same Internet Key Exchange (IKE) key management protocol and use certificates in the same certificate hierarchy. When the mobile terminals associates with the network, it uses the IKE protocol with private keys and certificates to generate WLAN link level keys with the access point and provide mutual authentication.
Type: Grant
Filed: February 11, 2000
Date of Patent: April 11, 2006
Assignee: Nokia, Inc.
Inventors: Jorma Stenman, Harri Hansen, Juha Salvela
-
Patent number: 7023996
Abstract: A method is provided for asymmetrically encrypting data communicated between a ground platform and multiple airborne platforms. The method includes packet encrypting ground-based data so as to preserve routing information while encrypting the remaining data. The packet-encrypted data is then transmitted to the airborne platforms. The method also includes bulk encrypting airborne-based data so as to maximize security. The bulk-encrypted data is then transmitted to the ground platform.
Type: Grant
Filed: May 4, 2001
Date of Patent: April 4, 2006
Assignee: The Boeing Company
Inventors: Gary V. Stephenson, David S. Parkman, David W. Carman
-
Patent number: 7024558
Abstract: In an apparatus for authenticating a digital signature, a signature generating part encrypts a digital document by using a private key defined by a signer and digest information for checking whether the digital document has been tampered with, and generates a digital signature. A signature synthesizing part creates image information by synthesizing the digital signature and a predetermined mark. And an image embedding part embeds the image information created by said signature synthesizing part into an indicated position in the digital document.
Type: Grant
Filed: October 11, 2000
Date of Patent: April 4, 2006
Assignee: Fujitsu Limited
Inventor: Syuichi Satake
-
Patent number: 7024553
Abstract: System for updating an encrypted key, by means of which the WEP of IEEE 802.11 can be applied to a wireless LAN system having plural APs and a large number of STAs. A key management server is LAN-connected to the APs. A set of plural (k) encrypted keys used for wireless communication between the entire APs and STAs is provided and managed monistically. If an encrypted key is updated in the key management server, the updated key is delivered to each of the APs and the STAs.
Type: Grant
Filed: October 3, 2000
Date of Patent: April 4, 2006
Assignee: NEC Corporation
Inventor: Shinichi Morimoto
-
Patent number: 7024694
Abstract: One embodiment of the present invention provides content-based intrusion detection for a computer system by using an agile kernel-based auditing system. This auditing system operates by receiving an audit specification that specifies target attributes to be recorded during an auditing process. The audit specification also specifies an auditing criterion that triggers recording of the target attributes. Upon receiving the audit specification, the auditing system is configured to record the target attributes during system calls whenever the auditing criterion is satisfied. Next, an application program is monitored by the auditing system to produce an audit log containing the recorded target attributes. This audit log is examined in order to detect patterns for intrusion detection purposes. In one embodiment of the present invention, configuring the auditing system involves compiling the audit specification to produce a kernel module, and then loading the kernel module into a kernel of an operating system.
Type: Grant
Filed: June 13, 2000
Date of Patent: April 4, 2006
Assignee: McAfee, Inc.
Inventor: Cheuk W. Ko
-
Patent number: 7023994
Abstract: The invention relates to a method for personalization of GSM chips. At least one subscriber identification character (TMSI) and a card number (ICCID) are stored in the memory area of said chips in addition to a secret key (KI) and other optional data for personalization purposes. The invention aims to eliminate an unnecessarily high degree of complexity linked to management of all card data in an authentication centre (AC) and to preserve secret chip data in a more secure manner. According to the invention, final data is only written on the chip when the subscriber logs into a subscriber network. One advantage is that only initial data is written into the card enabling the customer to contact the computer centre of the information provider. During first contact the final data is traded between the card and the computer centre and written into the card. The computer centre is simply required to manage cards which have really been issued to customers.
Type: Grant
Filed: July 13, 1998
Date of Patent: April 4, 2006
Assignee: T-Mobile Deutschland GmbH
Inventor: Michael Dupré
-
Patent number: 7024557
Abstract: There is disclosed a security device for use in a wireless network comprising a plurality of base stations that communicate with a plurality of mobile stations. The security device prevents unprovisioned mobile stations from accessing an Internet protocol (IP) data network through the wireless network. The security device comprises a first controller for receiving from the unprovisioned mobile station an IP data packet comprising an IP packet header and an IP packet payload and encrypting at least a portion of the IP payload. The security device also comprises a second controller for determining that the unprovisioned mobile station is, in fact, unprovisioned. In one embodiment, the first controller comprises a data processor that executes an encryption program stored in a memory associated with the data processor.
Type: Grant
Filed: December 30, 1999
Date of Patent: April 4, 2006
Assignee: Samsung Electronics Co., Ltd.
Inventors: Bryan J. Moles, Sudhindra P. Herle
-
Patent number: 7024689
Abstract: An access site allows a client application to access a server application on behalf of a subscriber who has an account at the client site. A client application registers with the access site and receives a certificate for the client application. A subscriber is directed to the access site upon an indication that she would like to use the features of the client application that integrate with the server application. The subscriber specifies access rights to the access site, and issues a validation token in association with the specified access rights. When the client site needs the server application to process subscriber data, it forwards the validation token to the access site, using the certificate. The access site validates this information, and where appropriate the server application processes the subscriber data and returns the results to the client application.
Type: Grant
Filed: December 13, 2002
Date of Patent: April 4, 2006
Assignee: Intuit, Inc.
Inventors: William O'Donnell, Daniel Wilks
-
Patent number: 7023997
Abstract: A secure telecommunication system 10 is provided that allows for communication between a device 14 and a receiving device 16 of encrypted data messages through a data communications network 12. The device 14 utilizes an encryption decryption engine 30 which is operable to execute a plurality of encryption algorithms. The encryption algorithms can be accessed using a key value that is used to access an encryption selection table 28. The encryption selection table 28 can indicate a number of encryption algorithms to be applied in sequence.
Type: Grant
Filed: December 21, 2000
Date of Patent: April 4, 2006
Assignee: Cisco Technology, Inc.
Inventor: John E. Schier