Patents Examined by Kristin D. Sandoval
  • Patent number: 10068226
    Abstract: Embodiments of the invention are directed to a system, method, or computer program product for security confidence calculation for digital wallet integration. In this way, the invention provides instantaneous access to new payment methods, such as credit cards with prevention of misappropriation based on user device security confidence and token presentation. As such, the system allows for instant application approval, authorization, and instant integration of credit cards to a user's digital wallet. Thus allowing a user to instantaneously use the new credit card via his/her digital wallet without having to wait for the physical card to be received and activated.
    Type: Grant
    Filed: March 31, 2015
    Date of Patent: September 4, 2018
    Assignee: BANK OF AMERICA CORPORATION
    Inventor: Vignesh Chandrasekaran
  • Patent number: 9984242
    Abstract: Techniques for generating a document according to attestation requirements are provided. A method determines attestation requirements for electronically signing an electronic document. The method modifies the document based in part on the requirements, and then provides the modified document to users requested to electronically sign the document, wherein the users are only permitted to electronically sign the document in circumstances satisfying the requirements. An electronic signature service can generate a document whose signing needs to be witnessed and/or recorded according to attestation requirements. The document may be associated with a number of signers. The electronic signature service may determine one or more witnesses of the signers and may determine applicable attestation requirements based on the witnesses, the signers, and the document.
    Type: Grant
    Filed: August 13, 2014
    Date of Patent: May 29, 2018
    Assignee: Adobe Systems Incorporated
    Inventor: Benjamin David Follis
  • Patent number: 9971587
    Abstract: A computer implemented method for validating the identity of a controller for an automated banking machine based on displayed indicia. The method includes detecting access to a secure compartment of an automated banking machine, displaying a security indicia visible from the secure compartment, receiving the security indicia at an input device and a first controller accessible from outside of the secure compartment, and validating the identity of the controller based on the received security indicia.
    Type: Grant
    Filed: July 24, 2012
    Date of Patent: May 15, 2018
    Assignee: Glory Global Solutions (International) Limited
    Inventors: Bryan James Christophersen, Dominik Cipa, Gunnar Kunz, Ulrich Marti, Olivier Martin
  • Patent number: 9710808
    Abstract: Methods and systems are provided for the exchange of digital cash employing protocols for various entities to separately certify the validity of the parties, values and transactions while maintaining the anonymity of the buyer or user of the digital cash. Encrypted connections are established allowing various parties to enter into transactions to buy, sell, exchange and recover digital cash using a secure method that protects the personal information and identity of the user. The parties exchange tokens for other value in a transaction of financial settlement between themselves and wherein they are the only parties with knowledge of the amount and description of the transaction and in this way mimics a traditional cash transaction.
    Type: Grant
    Filed: September 8, 2014
    Date of Patent: July 18, 2017
    Inventor: Igor V. Slepinin
  • Patent number: 7415113
    Abstract: Security keys for the provision of a secure service such as content provision are generated in an ancestral hierarchy, so that invalidation of a key in the hierarchy results in a need to reconfigure all other keys in the hierarchy to the extent they share common ancestry. When a user subscription to the service lapses, a decision on invalidation of their key is based on a determination of whether it's more costly to the subscriber to invalidate the key, or continue providing an unpaid-for service. Keys can be allocated to users from domains of the hierarchy on the basis of their economic value to the provider, with higher value users being allocated keys from domains which share fewer common ancestors with other users of other domains than those users share with each other, to minimize inconvenience to high value users of key reconfiguration.
    Type: Grant
    Filed: July 30, 2003
    Date of Patent: August 19, 2008
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Antonio Lain, Richard Taylor, Christopher Tofts
  • Patent number: 7412725
    Abstract: A copyright protection system includes a digital information processing apparatus for processing digital information of a work and a copyright managing server for managing the copyright of the digital information. The digital information processing apparatus includes an encrypted information receiving device for receiving the digital information encrypted using the first encrypting function; an encrypting device for encrypting the digital information using the second encrypting function; and a decrypting information transmitting device for transmitting decrypting information to the digital information processing apparatus. The copyright managing server includes a decrypting function transmitting device for transmitting a decrypting function to decrypt the encrypted information encrypted by the first encrypting function and the second encrypting function in response to the information transmitted by the decrypting information transmitting device.
    Type: Grant
    Filed: January 30, 2003
    Date of Patent: August 12, 2008
    Assignee: Fuji Electric Device Technology Co., Ltd.
    Inventor: Teruhisa Yokosawa
  • Patent number: 7409544
    Abstract: Disclosed is an authentication mechanism that provides much of the security of heavyweight authentication mechanisms, but with lower administrative and communicative overhead while at the same time not being limited to a 64-bit limit on the length of a cryptographic hash value. Removal of this limitation is achieved by increasing the cost of both address generation and brute-force attacks by the same parameterized factor while keeping the cost of address use and verification constant. The address owner computes two hash values using its public key and other parameters. The first hash value is used by the owner to derive its network address. The purpose of the second hash is to artificially increase the computational complexity of generating new addresses and, consequently, the cost of brute-force attacks. As another measure against brute-force attacks, the routing prefix (i.e., the non-node selectable portion) of the address is included in the first hash input.
    Type: Grant
    Filed: March 27, 2003
    Date of Patent: August 5, 2008
    Assignee: Microsoft Corporation
    Inventor: Anssi Tuomas Aura
  • Patent number: 7404080
    Abstract: Techniques are disclosed for efficient computation of consecutive values of one-way chains and other one-way graphs in cryptographic applications. The one-way chain or graph may be a chain of length s having positions i = 1, 2, ..., s each having a corresponding value v_i associated therewith, wherein the value v_i is given by v_i = h(v_{i+1}), for a given hash function or other one-way function h. An initial distribution of helper values may be stored for the one-way chain of length s, e.g., at positions given by i = 2^j for 0 ≤ j ≤ log_2 s. A given one of the output values v_i at a current position in the one-way chain may be computed utilizing a first helper value previously stored for another position in the one-way chain between the current position and an endpoint of the chain. After computation of the given output value, the positions of the helper values are adjusted so as to facilitate computation of subsequent output values.
    Type: Grant
    Filed: October 3, 2001
    Date of Patent: July 22, 2008
    Inventor: Bjorn Markus Jakobsson
  • Patent number: 7401352
    Abstract: The invention includes various systems, architectures, frameworks and methodologies that can securely enforce a privacy policy. A method is included for securely guaranteeing a privacy policy between two enterprises, comprising: creating a message at a first enterprise, wherein the message includes a request for data concerning a third party and a privacy policy of the first enterprise; signing and certifying the message that the first enterprise has a tamper-proof system with a privacy rules engine and that the privacy policy of the first entity will be enforced by the privacy rules engine of the first enterprise; sending the message to a second enterprise; and running a privacy rules engine at the second enterprise to compare the privacy policy of the first enterprise with a set of privacy rules for the third party.
    Type: Grant
    Filed: August 30, 2002
    Date of Patent: July 15, 2008
    Assignee: International Business Machines Corporation
    Inventors: Sastry S. Duri, Marco O. Gruteser, Xuan Liu, Paul A. Moskowitz, Ronald Perez, Edith G. Schonberg, Moninder Singh, Jung-Mu Tang, Charles P. Tresser
  • Patent number: 7383580
    Abstract: A system (140) prevents the spread of viruses in a network (100). The system (140) receives a hash value from a remote device (130), compares the hash value to a group of hash values associated with data messages including viruses, and generates a first message when the hash value matches one of the group of hash values. The first message instructs the remote device (130) to discard a received data message. The system (140) also generates a second message when the hash value does not match one of the group of hash values. The second message instructs the remote device (130) to forward the received data message to a user of the remote device (130).
    Type: Grant
    Filed: January 14, 2003
    Date of Patent: June 3, 2008
    Assignees: Verizon Corporate Services Group Inc., BBN Technologies Corp.
    Inventor: Michael Joseph Frentz
  • Patent number: 7366902
    Abstract: A method and system authenticates a storage device or storage router for use with driver software. The driver software may be permitted to be used with particular storage devices including storage routers and may be prohibited from being used with other storage devices or routers. In some cases, this may allow a vendor to restrict the use of its driver software, or at least certain functionality, to use with the vendor's storage devices or storage routers. A proof of purchase request is sent by a client device to a server over an IP network to authenticate the storage device or router (e.g., a server). The request may include a random number and one or more identifiers. The identifiers may include a server identifier, a software driver identifier and/or a client device identifier. The driver software may permit storage related communications with the server when a hash received from the server matches a hash internally generated by the software driver.
    Type: Grant
    Filed: April 17, 2007
    Date of Patent: April 29, 2008
    Assignee: Cisco Technology, Inc.
    Inventor: Mark A. Bakke
  • Patent number: 7327847
    Abstract: The present invention discloses a method and system for distributed computation of an RSA inverse in an asynchronous network among participating network devices. The RSA inversion is self-verifiable and the result can be checked by every participating network device locally.
    Type: Grant
    Filed: January 30, 2004
    Date of Patent: February 5, 2008
    Assignee: International Business Machines Corporation
    Inventor: Christian Cachin
  • Patent number: 7308706
    Abstract: Systems and methods for an associative policy model are provided. One embodiment of the present invention provides a method for implementing an associative policy. In this embodiment, the method includes providing a policy on a policy server, the policy having a service definition that contains first and second relational components, providing first and second network entities, operatively coupling the first and second network entities to the policy server, dynamically associating the first network entity with the second network entity (wherein such associating includes binding the first relational component of the service definition in the policy to the first network entity, and binding the second relational component of the service definition in the policy to the second network entity), and enforcing the policy on the first and second network entities.
    Type: Grant
    Filed: October 28, 2002
    Date of Patent: December 11, 2007
    Assignee: Secure Computing Corporation
    Inventors: Thomas R. Markham, Jessica J. Bogle, Charles N. Payne, Jr.
  • Patent number: 7293179
    Abstract: Remote configuration and utilization of a virtual tape management system via communication of encrypted data. At least one security administrator CPU is communicably attached to a virtual tape management CPU. At least one remote data storage CPU is communicably attached to the virtual tape management CPU and to the security administrator. First software within the virtual tape management CPU validates authorized remote access to at least one remote data storage CPU and encrypts the data. Second software facilitates remote configuration and utilization of the virtual tape management CPU. At least one hardware adaptor card connects the virtual tape management CPU to a host.
    Type: Grant
    Filed: June 9, 2003
    Date of Patent: November 6, 2007
    Inventor: R. Brent Johnson
  • Patent number: 7290150
    Abstract: A system, method, and computer program product for processing a query spanning separate databases while revealing only minimal information beyond a query answer, by executing only specific information-limiting protocols according to query type.
    Type: Grant
    Filed: June 9, 2003
    Date of Patent: October 30, 2007
    Assignee: International Business Machines Corporation
    Inventors: Rakesh Agrawal, Alexandre Valentinovich Evfimievski, Ramakrishnan Srikant
  • Patent number: 7249264
    Abstract: A system, method and computer readable medium for providing secure IP-based streaming in a format independent manner is disclosed. The method on a content mastering system begins with an encoded media file consisting of content data and associated metadata. First, the metadata is read from the encoded media file. Next, the encoded media file including the content data and the associated metadata is encrypted. Then, in a streaming server system, the encoded/encrypted media file is divided into more than one data packet, streamed in accordance with one or more parameters in the metadata. Each data packet includes a portion of the encoded/encrypted media file and an offset value corresponding to a location within the encoded/encrypted media file. The data packets are then streamed to a client information processing system (i.e., the client) over a network.
    Type: Grant
    Filed: April 2, 2002
    Date of Patent: July 24, 2007
    Assignee: International Business Machines Corporation
    Inventors: William R. Belknap, Glenn E. Brew, Jeffrey B. Lotspiech, Stefan Nusser, Peter Westerink
  • Patent number: 7246233
    Abstract: Improvements in security processing are disclosed which enable security processing to be transparent to the application. Security processing (such as Secure Sockets Layer, or “SSL”, or Transport Layer Security, or “TLS”) is performed in (or controlled by) the stack. A decision to enable security processing on a connection can be based on configuration data or security policy, and can also be controlled using explicit enablement directives. Directives may also be provided for allowing applications to communicate with the security processing in the stack for other purposes. Functions within the protocol stack that need access to clear text can now be supported without loss of security processing capability. No modifications to application code, or in some cases only minor modifications (such as inclusion of code to invoke directives), are required to provide this security processing.
    Type: Grant
    Filed: December 5, 2001
    Date of Patent: July 17, 2007
    Assignee: International Business Machines Corporation
    Inventors: Roy F. Brabson, Linwood Hugh Overby, Jr.
  • Patent number: 7243373
    Abstract: An on-access malware scanner (anti-virus, e-mail scanner) is provided which determines whether a scan to be performed has above a threshold level of complexity and if so divides the scan into a plurality of different tasks. These different tasks are then delegated to further computers (50, 52, 54) in a distributed processing approach with the further computers then returning their task results to the coordinating computer for combination to form an overall scan result. Computer files containing embedded files may be divided into separate computer files that are scanned as separate tasks. Furthermore, an individual computer file may be scanned for different properties by different computers as separate tasks. The selection of which tasks to distribute to which further computers may be made in dependence upon the complexity of the task to be delegated, the communication channel bandwidth to that further computer and the processing resources available at that further computer.
    Type: Grant
    Filed: July 25, 2001
    Date of Patent: July 10, 2007
    Assignee: McAfee, Inc.
    Inventors: Igor Muttik, Francois Paget, Marius Hendrik Maria Van Oers
  • Patent number: 7240200
    Abstract: A system, method, and computer program product enabling individual user devices to authenticate and validate a digital message sent by a distribution center, without requiring transmissions to the distribution center. The center transmits the message with an appended modulus that is the product of two specially selected primes. The transmission also includes an appended authentication value that is based on an original message hash value, a new message hash value, and the modulus. The new message hash value is designed to be the center's public RSA key; a corresponding private RSA key is also computed. Individual user devices combine a digital signet, a public modulus, preferably unique hardware-based numbers, and an original message hash to compute a unique integrity value K. Subsequent messages are similarly processed to determine new integrity values K′, which equal K if and only if new messages originated from the center and have not been corrupted.
    Type: Grant
    Filed: September 26, 2002
    Date of Patent: July 3, 2007
    Assignee: International Business Machines Corporation
    Inventor: Jeffrey Bruce Lotspiech
  • Patent number: 7231518
    Abstract: A method and system authenticates a storage device or storage router for use with driver software. The driver software may be permitted to be used with particular storage devices including storage routers and may be prohibited from being used with other storage devices or routers. In some cases, this may allow a vendor to restrict the use of its driver software, or at least certain functionality, to use with the vendor's storage devices or storage routers. A proof of purchase request is sent by a client device to a server over an IP network to authenticate the storage device or router (e.g., a server). The request may include a random number and one or more identifiers. The identifiers may include a server identifier, a software driver identifier and/or a client device identifier. The driver software may permit storage related communications with the server when a hash received from the server matches a hash internally generated by the software driver.
    Type: Grant
    Filed: March 28, 2003
    Date of Patent: June 12, 2007
    Assignee: Cisco Technology, Inc.
    Inventor: Mark A. Bakke