Patents Examined by Kambiz Zand
  • Patent number: 7643632
    Abstract: Reversible and self reversing multi-value scrambling functions created by applying multi-value inverters are disclosed. The generation of possible multi-value inverters is also presented. Corresponding multi-value descrambling functions are also disclosed. The multi-value functions are used in circuits that scramble and descramble multi-value signals. The multi-value functions can also be used in signal generators. Such signal generators do not require the use of multipliers. The auto-correlation of the signals generated by the signal generators is also presented. Electronic circuits that implement the multi-value functions are also described.
    Type: Grant
    Filed: September 8, 2004
    Date of Patent: January 5, 2010
    Assignee: Ternarylogic LLC
    Inventor: Peter Lablans
  • Patent number: 7640433
    Abstract: The present invention is a MILS network system employing functional separation of messages without customized switches. The MILS network system may maintain separation of data while eliminating a requirement of full message encryption. In an embodiment of the invention, a function may be employed whereby a keyed digest of a message is created. The function may receive a message and a key, and may emit a keyed digest value. The key may be representative of a particular level of security, thus promoting the separation of data. Messages may include an embedded keyed digest when sent through a switch to a MILS node. At the MILS node, the keyed digest may be recalculated; if it matches, the message may be passed to a host.
    Type: Grant
    Filed: January 28, 2005
    Date of Patent: December 29, 2009
    Assignee: Rockwell Collins, Inc.
    Inventors: James A. Marek, Sung J. Kim
  • Patent number: 7640593
    Abstract: The invention is in the field of security and trustworthy computing. The invention relates to a method for managing identities in a device comprising a trusted platform module. In the method an identity related command is used for performing identity related action; a delegation agent, a storage key for secure storage, and a delegation for the identity related command are created. Further, said delegation is sealed using the created storage key to a trustworthy system state; and the sealed delegation is delivered to the delegation agent.
    Type: Grant
    Filed: April 21, 2005
    Date of Patent: December 29, 2009
    Assignee: Nokia Corporation
    Inventor: Lauri Tarkkala
  • Patent number: 7636941
    Abstract: Providing services within a network of service providers sharing an authentication service and a set of business rules. A central server receives a first request from a first server to provide a first service to a user via a client without forcing the user to present credentials. In response to the received first request, the central server stores data identifying the first service on the client. The central server further receives a second request from a second server to provide a second service to the user via the client after the user presents the credentials to the second service. After receiving the second request and the presented credentials, the central server allows the user access to the second service. In response to allowing the user access to the second service, the central server further allows the user access to the first service as a result of the stored data.
    Type: Grant
    Filed: March 10, 2004
    Date of Patent: December 22, 2009
    Assignee: Microsoft Corporation
    Inventors: Arnold Blinn, Wei-Quiang Michael Guo, Wei Jiang, Raja Pazhanivel Perumal, Iulian D. Calinov
  • Patent number: 7636852
    Abstract: A password management system is provided. The password management system includes a plurality of enterprise applications accessible by local and remote desktop computers by providing single sign-on security information. Each of the plurality of enterprise applications requires separate login information which is stored in a secure back-end system along with the single sign-on security information. Scripts located, for example, on remotely accessible servers and/or on the local desktop computer, allow a user to logon with a single sign-on and have access to the plurality of enterprise applications. The script uses the single sign-on security information, and perhaps other information, to authenticate the user and access the login information for each of the enterprise applications. The script is further operable to automatically interface with the enterprise applications through user input windows, such as by scripting login information automatically into the enterprise application login windows.
    Type: Grant
    Filed: October 7, 2004
    Date of Patent: December 22, 2009
    Assignee: Sprint Communications Company L.P.
    Inventors: Balagurunathan Balasubramanian, Rudi Himawan, Hemanth Jayaraman, Bharath N. Kuruvalli, Stephen L. Marshall
  • Patent number: 7634816
    Abstract: Systems and/or methods (“tools”) are described that enable encrypted media files to be sent without revocation lists while permitting the encrypted media files to be passed to trusted entities. The tools may also ensure continuation of protection when media files are passed between different protection systems.
    Type: Grant
    Filed: August 11, 2005
    Date of Patent: December 15, 2009
    Assignee: Microsoft Corporation
    Inventors: James M. Alkove, Ken Reneris
  • Patent number: 7634090
    Abstract: A packet based high bandwidth copy protection method is described that includes the following operations. Forming a number of data packets at a source device, encrypting selected ones of the data packets based upon a set of encryption values, transmitting the encrypted data packets from the source device to a sink device coupled thereto, decrypting the encrypted data packets based in part upon the encryption values, and accessing the decrypted data packets by the sink device.
    Type: Grant
    Filed: January 21, 2004
    Date of Patent: December 15, 2009
    Assignee: Genesis Microchip Inc.
    Inventor: Osamu Kobayashi
  • Patent number: 7634091
    Abstract: The invention relates to a system and method of hiding cryptographic private keys. While public/private key encryption systems are considered to be secure, the private keys ultimately must be stored in some location—in fact, in some digital commerce systems the private key is sent to the end user as part of an executable file such as an audio player and audio file. Thus, attackers can obtain access to the private key. The broad concept of the invention is to split the private key up into parts which are obfuscated, but still kept in a form that allows the encrypted data to be decrypted. One technique for obfuscating the private key uses modulo arithmetic.
    Type: Grant
    Filed: July 27, 2004
    Date of Patent: December 15, 2009
    Assignee: Cloakware Corporation
    Inventors: Yongxin Zhou, Stanley T. Chow
  • Patent number: 7634646
    Abstract: To provide a technique of allowing a terminal device to operate by downloading not only an application program but also an OS from a network without providing any special unit or equipment. A system includes: an OS delivery server that has OS data previously stored therein; an application delivery server that has application data previously stored therein; an intra-LAN server that receives the OS data from the OS delivery server and stores the OS data, activates the OS data as the OS of its own, and receives the application data from the application delivery server and stores the application data; and a network terminal device that is capable of receiving the OS data and the application data from the intra-LAN delivery server, activating the OS data as the OS of its own, and activating an application contained in the application data on the OS.
    Type: Grant
    Filed: September 22, 2005
    Date of Patent: December 15, 2009
    Assignee: Aruze Corporation
    Inventors: Kenichi Fujimori, Jun Haishima
  • Patent number: 7631180
    Abstract: A system and method for implementing an enhanced transport layer security (ETLS) protocol is provided. The system includes a primary server, an ETLS servlet and an ETLS software module. The primary server operates on a computer network and is configured to communicate over the computer network using a non-proprietary security protocol. The ETLS servlet also operates on the computer network and is securely coupled to the primary server. The ETLS servlet is configured to communicate over the computer network using an ETLS security protocol. The ETLS software module operates on a mobile device, and is configured to communicate over the computer network using either the non-proprietary security protocol or the ETLS security protocol. Operationally, the ETLS software module initially contacts the server over the computer network using the non-proprietary security protocol, and subsequently contacts the server through the ETLS servlet using the ETLS security protocol.
    Type: Grant
    Filed: August 24, 2001
    Date of Patent: December 8, 2009
    Assignee: Research In Motion Limited
    Inventors: Michael S. Brown, Herbert A. Little, David P. Yach
  • Patent number: 7630494
    Abstract: The invention relates to a packaging material with a forgery-proof security feature, whereby the security feature comprises a coded image arrangement which is provided on the packaging material and which reveals an image or image sequence by superimposing a related decoder element.
    Type: Grant
    Filed: October 28, 2004
    Date of Patent: December 8, 2009
    Assignee: Alcan Technology & Management Ltd.
    Inventor: Markus Luthi
  • Patent number: 7631186
    Abstract: A mobile terminal transmits an N-th authentication key to an authentication server when the mobile terminal has moved from a coverage area under a certain radio access point to a coverage area under another radio access point. The N-th authentication key is generated by applying a hash function to a random number a number of times one smaller than an (N-1)th authentication key which was transmitted when the mobile terminal moved to the coverage area under the certain radio access point. Upon receipt of the N-th authentication key from the mobile terminal, the authentication server applies the hash function once to the N-th authentication key, and compares the result with the (N-1)th authentication key. Then, the authentication server determines that the authentication is successful when there is a match between both keys.
    Type: Grant
    Filed: November 22, 2004
    Date of Patent: December 8, 2009
    Assignee: NEC Corporation
    Inventor: Toshiya Okabe
  • Patent number: 7631194
    Abstract: A method for detecting changes to a production location is provided. The method includes receiving a selection of a portion of the production location that is to be protected and identifying a larger portion of the production location that contains the selected portion of the production location. Upon identifying the larger portion, a routine is created for evaluating the identified larger portion of the production location for changes. That routine is performed in order to detect changes to the production location.
    Type: Grant
    Filed: September 9, 2004
    Date of Patent: December 8, 2009
    Assignee: Microsoft Corporation
    Inventors: Brian M Wahlert, Brian T Berkowitz, Catharine van Ingen, Dharshan Rangegowda, Mike Jazayeri
  • Patent number: 7631196
    Abstract: A method and apparatus is provided in which a trustable operating system is loaded into a region in memory. A start secure operation (SSO) triggers a join secure operation (JSO) to halt all but one central processing unit (CPU) in a multi-processor computer. The SSO causes the active CPU to load a component of an operating system into a specified region in memory, register the identity of the loaded operating system by recording a cryptographic hash of the contents of the specified region in memory, begin executing at a known entry point in the specified region and trigger the JSO to cause the halted CPUs to do the same.
    Type: Grant
    Filed: February 25, 2002
    Date of Patent: December 8, 2009
    Assignee: Intel Corporation
    Inventors: Michael A. Kozuch, James A. Sutton, David Grawrock
  • Patent number: 7631182
    Abstract: A method for offloading a secure protocol handshake. The method includes establishing a connection between a host system and a remote peer, and determining whether the secure protocol handshake is offloaded to a network interface card (NIC). When the secure protocol handshake is offloaded to the NIC, an offload request is sent to offload the secure protocol handshake, where the offload request includes a value of at least one cryptographic key. The method further includes performing cryptographic operations associated with the secure protocol handshake using the value of at least one cryptographic key to obtain at least one secret key, and returning a status of the secure protocol handshake to the host system.
    Type: Grant
    Filed: June 24, 2005
    Date of Patent: December 8, 2009
    Assignee: Sun Microsystems, Inc.
    Inventors: Nicolas G. Droux, Sunay Tripathi, Hsiao-Keng Jerry Chu
  • Patent number: 7631346
    Abstract: A method, system, apparatus, and computer program product are presented to support computing systems of different enterprises that interact within a federated computing environment. Federated single-sign-on operations can be initiated at the computing systems of federation partners on behalf of a user even though the user has not established a user account at a federation partner prior to the initiation of the single-sign-on operation. For example, an identity provider can initiate a single-sign-on operation at a service provider while attempting to obtain access to a controlled resource on behalf of a user. When the service provider recognizes that it does not have a linked user account for the user that allows for a single-sign-on operation with the identity provider, the service provider creates a local user account. The service provider can also pull user attributes from the identity provider as necessary to perform the user account creation operation.
    Type: Grant
    Filed: April 1, 2005
    Date of Patent: December 8, 2009
    Assignee: International Business Machines Corporation
    Inventors: Heather Maria Hinton, Ivan Matthew Milman, Venkat Raghavan, Shane Bradley Weeden
  • Patent number: 7631191
    Abstract: The present invention provides for an icon with an additional level of functionality that allows a user to validate that current information (e.g., a web page) originates from the true owner of the icon and is not merely a copy. The method includes a user requesting a web page from a web site using a web browser. The web server receives the request, retrieves the web page and forwards it to an authentication server. The authentication server inserts an authenticity key into the web page, then the page (including the authenticity key) is returned to the user. If the page includes an authenticity key, the authenticity is verified at the user's computer because the user computer includes logic (e.g., software) to verify the authenticity. During the user configuration process, the user defines an authenticity stamp which determines the format of an authenticated page.
    Type: Grant
    Filed: June 9, 2006
    Date of Patent: December 8, 2009
    Inventors: Elliott Glazer, Dirk White, David Armes, Fred Alan Bishop, Michael Barrett
  • Patent number: 7627899
    Abstract: A method for isolating legitimate network traffic during a denial of service attack involves receiving a plurality of packets from a network, detecting an attack from the network on a first virtual network stack, wherein the attack on the first virtual network stack comprises at least one from the group consisting of the denial of service attack and an extreme network load, if the attack is detected, forwarding a plurality of packets associated with a subsequent connection to a temporary data structure associated with a second virtual network stack, wherein the second virtual network stack is a lowest priority queue configured at connection setup time, determining whether the subsequent connection is legitimate, and forwarding at least one of the plurality of packets associated with the subsequent connection to a temporary data structure associated with the first virtual network stack if the subsequent connection is legitimate, wherein a higher priority mapping is assigned by a classifier to the subsequent co
    Type: Grant
    Filed: April 22, 2005
    Date of Patent: December 1, 2009
    Assignee: Sun Microsystems, Inc.
    Inventors: Sunay Tripathi, Nicolas G. Droux
  • Patent number: 7627903
    Abstract: The present invention relates to a method and a system for performing digital rights management. The idea of the invention is that a master right associated with a content is stored at a first authorized device (211). An authorized device is a device which can be considered trusted and performs actions with contents according to the associated rights. These devices enforce rights that are bound to contents, and perform the security tasks of the DRM system employed. A subright is derived from the master right, which subright controls what type of access a second authorized device (261) is given to the associated content. Finally, the subright is distributed to the second authorized device, given that the second device complies with predetermined distribution criteria associated with the master right. The device distributing the subright authenticates the device which is to receive the subright, ensuring that the second device can be trusted.
    Type: Grant
    Filed: November 19, 2004
    Date of Patent: December 1, 2009
    Assignee: Koninklijke Philips Electronics N.V.
    Inventors: Franciscus Lucas Antonius Johannes Kamperman, Gerardus Cornelis Petrus Lokhoff, Feng Li, Darwin He, Wilhelmus Franciscus Johannes Fontijn, Steven Broeils Luitjens, Wenying You, Gongming Wei
  • Patent number: 7627764
    Abstract: An arrangement is provided for performing MD5 digesting. The arrangement includes apparatuses and methods that pipeline the MD5 digesting process to produce a 128 bit digest for an input message of any arbitrary length.
    Type: Grant
    Filed: June 25, 2004
    Date of Patent: December 1, 2009
    Assignee: Intel Corporation
    Inventors: Kamal J. Koshy, Jaroslaw J. Sydir, Wajdi K. Feghali