Patents Examined by Justin T. Darrow
  • Patent number: 8335315
    Abstract: A method of protecting digital contents includes: requesting an external device or service to perform a part of a process of decrypting encrypted contents which correspond to a leaf node among a plurality of leaf nodes in a tree used in a revocation mechanism according to whether the leaf node has been revoked; and decrypting the encrypted contents based on a response to the request. Therefore, even when the data storage capacity of a device is small or the data processing capability thereof is low, the contents encrypted according to a broadcast encryption scheme can be decrypted.
    Type: Grant
    Filed: August 9, 2006
    Date of Patent: December 18, 2012
    Assignee: Samsung Electronics Co., Ltd.
    Inventor: Young-sun Yoon
  • Patent number: 8316457
    Abstract: A network system provides IP Multimedia Subsystem (IMS) service from a network service provider to a customer. A plurality of network elements are connected to form a core domain of the network service provider. A master IMS instance is configured within the core domain and includes a core call session control function (CSCF) and a core home subscriber server (HSS). A partitioned IMS instance is configured as a virtual core within the core domain and includes a partitioned CSCF and a customer HSS accessible by a user of the customer from outside the core domain. A virtual IMS service control interface is coupled between the master IMS instance and the partitioned IMS instance so that the partitioned CSCF has access to the core CSCF for transfer of media.
    Type: Grant
    Filed: April 29, 2008
    Date of Patent: November 20, 2012
    Assignee: Sprint Communications Company L.P.
    Inventors: Lyle W. Paczkowski, Kimberly J. Ganote, Manish Mangal
  • Patent number: 8311211
    Abstract: An approach that smoothes a cryptographic function's timing footprint is presented. A processor includes a “function timing smoother” that smoothes out spikes in the amount of time that a particular cryptographic function requires to execute. When a cryptographic function executes, the function timing smoother tracks the amount of time that the cryptographic function executes (current execution time) and compares the time with the amount of time that the same cryptographic function took for a previous execution (previous execution time). When the current execution time is less than the previous execution time, the function timing smoother adds instructions or varies an execution unit's clock speed in order to increase the cryptographic function's current execution time. Using this approach, a malicious user is not able to decipher sensitive information from the cryptographic function's timing footprint.
    Type: Grant
    Filed: March 15, 2008
    Date of Patent: November 13, 2012
    Assignee: International Business Machines Corporation
    Inventors: Michael Negley Abernethy, Jr., Kulvir Singh Bhogal, Travis M. Grigsby, Robert Norris-Lance Krentler, Alexandre Polozoff
  • Patent number: 8312296
    Abstract: Systems and methods for reducing problems and disadvantages associated with traditional approaches to encryption and decryption of data are provided. An information handling system may include a processor, a memory communicatively coupled to the processor, and a computer-readable medium communicatively coupled to the processor. The computer-readable medium may have instructions stored thereon, the instructions configured to, when executed by the processor: (i) periodically store, during an encryption or decryption operation performed on the computer-readable medium, one or more variables indicative of an encryption status of a volume of the computer-readable medium; (ii) determine, based on the one or more variables, whether the volume is in a partially encrypted or decrypted state; and (iii) in response to a determination that the volume is in a partially encrypted or decrypted state, boot from the volume and continue the encryption or decryption operation.
    Type: Grant
    Filed: March 10, 2010
    Date of Patent: November 13, 2012
    Assignee: Dell Products L.P.
    Inventors: Amy Christine Nelson, Kenneth W. Stufflebeam, Jr.
  • Patent number: 8312271
    Abstract: Systems, apparatus and methods for privacy-protecting integrity attestation of a computing platform. An example method for privacy-protecting integrity attestation of a computing platform (P) has a trusted platform module (TPM), and comprises the following steps. First, the computing platform (P) receives configuration values (PCR1 . . . PCRn). Then, by means of the trusted platform module (TPM), a configuration value (PCRp) is determined which depends on the configuration of the computing platform (P). In a further step the configuration value (PCRp) is signed by means of the trusted platform module. Finally, in the event that the configuration value (PCRp) is one of the received configuration values (PCR1 . . . PCRn), the computing platform (P) proves to a verifier (V) that it knows the signature (sign(PCRp)) on one of the received configuration values (PCR1 . . . PCRn).
    Type: Grant
    Filed: May 26, 2008
    Date of Patent: November 13, 2012
    Assignee: International Business Machines Corporation
    Inventors: Endre Bangerter, Matthias Schunter, Michael Waidner, Jan Camenisch
  • Patent number: 8311224
    Abstract: A system and a method with quantum cryptography authentication. The system includes an optical link connecting a sender and a receiver. The sender transmitting a first optical pulse and a second optical pulse having a defined time delay therebetween. The first pulse is modulated with a first authentication phase shift; and the second pulse is modulated with phases selected from one basis of two non-orthogonal bases, and encoded with one of two orthogonal states within the one basis based on an information of the sender, and with a second authentication phase shift. The receiver includes a splitter receiving and splitting the first and the second pulse into pulses of interest. The split pulses of interest are modulated with the first authentication phase shift; and the second authentication phase shift, respectively. The receiver includes a second coupler whereby the split pulses of interest arrive at the second coupler simultaneously.
    Type: Grant
    Filed: October 17, 2008
    Date of Patent: November 13, 2012
    Inventors: Zhihong Chen, Jingyi Wang
  • Patent number: 8312281
    Abstract: A computer system includes a printer configured to print invisible coded data tags on print media. Each data tag includes a target and a dot arrangement representing a value. A pen-type device includes an image sensor configured to sense the targets and wirelessly transmit sensed data associated with the dot arrangements. A relay is configured to receive the transmitted data. One or more servers are interfaced to the relay, and are configured to process the received data from the relay and to perform an action based upon the processed data.
    Type: Grant
    Filed: November 18, 2008
    Date of Patent: November 13, 2012
    Assignee: Silverbrook Research Pty Ltd
    Inventors: Kia Silverbrook, Paul Lapstun
  • Patent number: 8312288
    Abstract: Securely disclosing a personal identification number (“PIN”) associated with a financial account to an account holder and receiving a new PIN from the account holder. A PIN reveal application can interact with a hardware security module (“HSM”) using a PIN offset masking process and randomly generated account data to reveal the PIN to the account holder one or more PIN characters at a time. A PIN set application also can interact with the HSM using a PIN offset masking process and randomly generated account data to receive a new PIN for the account one or more PIN characters at a time. In each of the PIN reveal and PIN setting processes, less than the entirety of the PIN is stored in an unencrypted format outside of the HSM only.
    Type: Grant
    Filed: March 11, 2010
    Date of Patent: November 13, 2012
    Assignee: Total System Services, Inc.
    Inventors: Jonathan Lupton, George S. Perkins
  • Patent number: 8307432
    Abstract: Detecting buffer-overflow exploits scans generically for shellcode without using virus signatures and maintains close to a zero false-positive rate. Shellcode is detected generically without determining specifically which buffer-overflow exploit is being used. Protection is offered against unknown buffer-overflow exploits. A file is scanned to determine if a vulnerable buffer in that file includes suspect code that has characteristics of shellcode. Next, it is determined if the suspect code contains a routine to find the imagebase of Kernel32.dll using any of the techniques of PEB, TOS or SEH (process environment block, top of stack or structured exception handling). It is next determined if the suspect code contains a routine to search for APIs in the export table of kernel32.dll. Techniques for analyzing the suspect code include static analysis and executing the code in an emulator. A high sensitivity setting determines that shellcode is present when any of the techniques of PEB, TOS or SEH are found.
    Type: Grant
    Filed: October 7, 2008
    Date of Patent: November 6, 2012
    Assignee: Trend Micro Incorporated
    Inventor: Hsiang-an Feng
  • Patent number: 8296570
    Abstract: A method of authorizing a user in communication with a workstation is disclosed. According to the method, a system automatically determines a plurality of available user information entry devices in communication with the workstation. The system then determines predetermined user authorization methods each requiring data only from available user information entry devices. The user then selects one of the determined authorization methods for use in user authorization. Optionally, each authorization method is associated with a security level relating to user access to resources. Once the authorization method is selected, the user provides user authorization information in accordance with a determined user authorization method and registration proceeds.
    Type: Grant
    Filed: August 23, 2006
    Date of Patent: October 23, 2012
    Assignee: Activcard Ireland Limited
    Inventors: Laurence Hamid, Robert D. Hillhouse
  • Patent number: 8296852
    Abstract: A transponder is provided, in particular a passive and/or backscatter-based transponder, for an RFID system, wherein at least one first piece of information can be stored in a first memory area on the transponder that is accessible in clear text only by a read access internal to the transponder, and a second piece of information can be stored in a second memory area that is accessible in clear text through an air interface for read access, and the second piece of information is generated from the first piece of information using an asymmetric encryption method. The invention further relates to an RFID system for wireless data exchange comprising a transponder and a base station, and a method for requesting write and/or read access to a transponder, in particular a passive and/or backscatter-based transponder.
    Type: Grant
    Filed: July 5, 2007
    Date of Patent: October 23, 2012
    Assignee: Atmel Corporation
    Inventor: Ulrich Friedrich
  • Patent number: 8290163
    Abstract: An approach is provided that allows an administrator to set a new password at a wireless access point, such as a traditional WAP or a wireless router. The wireless access point creates a message that includes the new password. The message is encrypted using the old password that was previously set for the wireless network. The encrypted message is wirelessly transmitted from the wireless access point to the active client devices (those clients currently accessing the wireless network). The clients decrypt the message using the old password that was previously provided to the clients. The clients retrieve the new password from the message. The clients construct a new message that is encrypted using the new password. The new message is wirelessly transmitted from the clients to the wireless access device and serves as an acknowledgement.
    Type: Grant
    Filed: March 15, 2008
    Date of Patent: October 16, 2012
    Assignee: International Business Machines Corporation
    Inventors: David Yu Chang, John Yow-Chun Chang, Vishwanath Venkataramappa
  • Patent number: 8261363
    Abstract: An improved approach for managing and sending electronic data which allows one to access electronic data corresponding to a hardcopy document is provided. For example, when the hardcopy bearing a visible image is output, an identification image corresponding to identification data identifying the document is added to the visible image. The identification data can be recognized from the identification image, and used to retrieve various information in a database corresponding to the document.
    Type: Grant
    Filed: April 29, 2008
    Date of Patent: September 4, 2012
    Assignees: Ricoh Company, Ltd., Ricoh Americas Corporation
    Inventors: Hiroaki Ishizuka, Yuichi Takamiya, Yusuke Tamari
  • Patent number: 8201221
    Abstract: Enables control of data transmission within a network. For this, for example, a network relay apparatus makes a determination as to permission to transmit data, based on a condition relating to at least one of the transmission origin of the data and transmission destination of the data. An administration unit contains administration information indicating permission to use shared devices by users of clients. The connection relay apparatus for a target client acquires user identifying information from the target client. The administration unit acquires the user identifying information from the connection relay apparatus for a target client, and referring to the administration information, detects a target shared device that is one of the shared devices for which permission to use has been granted to a user of the target client.
    Type: Grant
    Filed: March 3, 2006
    Date of Patent: June 12, 2012
    Assignee: ALAXALA Networks Corporation
    Inventors: Makoto Kitani, Takahisa Miyamoto
  • Patent number: 8161544
    Abstract: A method to identify a child process to a parent process in an operating system includes obtaining a token and login identifier from the operating system. The parent process creates a remote procedure call communications endpoint to communicate with the child process. Thereafter, a child process is spawned by the parent process. A child-initiated request to communicate with the parent process is then received by the parent process. In order to verify the identity of the child-initiated request, the parent process impersonates the child process and receives an identifier that identifies the requestor child process. The requestor process identifier and the spawned child identifier are compared. Based on the comparison, the parent process responds to the child-initiated request. In another embodiment, process identifiers are used by the parent process to verify the identity of a child process that requests communication with the parent process.
    Type: Grant
    Filed: July 19, 2006
    Date of Patent: April 17, 2012
    Assignee: Microsoft Corporation
    Inventors: Kedarnath Atmaram Dubhashi, Jonathan D. Schwartz, Sambavi Muthukrishnan, Simon Skaria
  • Patent number: 8161281
    Abstract: The present invention is a method and system for high-assurance data tagging for input/output feeds. The method may include executing a high-assurance tagging application on a microprocessor (e.g., the microprocessor being designed for use in a high-assurance embedded system). Further, the method may include analyzing a message with the high-assurance tagging application and generating and attaching a tag to the message. In addition, the method may include binding the tag to the message by applying a message authentication scheme and providing a mechanism for down-stream applications to identify information about data included in the message by reference to the tag.
    Type: Grant
    Filed: April 13, 2006
    Date of Patent: April 17, 2012
    Assignee: Rockwell Collins, Inc.
    Inventors: Tony L. Johnson, Antonino N. Mione, James A. Marek
  • Patent number: 8112638
    Abstract: The secure backup system is in a mobile telecommunication network and has at least one mobile station with data, a backup entity for storing a backup file of the data, and cryptographic means for encrypting and decrypting the data. The cryptographic means contains a decryption key consisting of at least a first key part, a second key part and a key recreation key part. The key parts are stored in different entities.
    Type: Grant
    Filed: May 9, 2006
    Date of Patent: February 7, 2012
    Inventors: Fredrik Almgren, Mariette Lehto
  • Patent number: 8099773
    Abstract: A network scan system includes a network scanner accessible by a computer and capable of communicating with the computer through a firewall. A method of operating the network scan system includes installing a hypertext transfer protocol (HTTP) server module into the computer, transmitting a uniform resource locator (URL) of the computer to the network scanner using the HTTP server module, and transmitting scanned data to the computer from the network scanner using the transmitted URL. Accordingly, it is possible to exchange data between the network scanner and the computer using the HTTP server module installed into the computer even if a firewall is installed.
    Type: Grant
    Filed: June 8, 2005
    Date of Patent: January 17, 2012
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Joo-young Jung, In-chang Park
  • Patent number: 8087061
    Abstract: Systems and methods that mitigate effects of malware and facilitate remediation processes. An analysis engine generates a list of actions for resources associated with the malware, and prioritizes/sorts the actions for execution. Such list of actions can be generated automatically via an action list generation component associated with the analysis engine. Likewise, a sorting component as part of the analysis engine can prioritize operations between detected malware to typically ensure a smooth operation during remediation processes (e.g., avoid conflicts).
    Type: Grant
    Filed: April 29, 2008
    Date of Patent: December 27, 2011
    Assignee: Microsoft Corporation
    Inventor: Michael Sean Jarrett
  • Patent number: 8082445
    Abstract: Disclosed herein are a secure Near Field Communication (NFC) apparatus and method for supporting various security modules. The NFC apparatus includes an NFC unit, a protocol conversion unit and a security module. The NFC unit transmits information corresponding to a first signal based on a first protocol via non-contact NFC and generates a second signal based on the first protocol from information received via non-contact NFC. The protocol conversion unit converts a signal based on a second protocol into a first signal based on the first protocol and converts the second signal based on the first protocol into a signal based on the second protocol. The security module receives and outputs signals based on the second protocol.
    Type: Grant
    Filed: June 8, 2010
    Date of Patent: December 20, 2011
    Assignee: SK Telecom Co., Ltd.
    Inventors: Sung-Rock Cheon, Jae-Sic Jeon, O-Hyon Kwon, Joo-Sik Lee