Patents Examined by Laurel Lashley
  • Patent number: 7472286
    Abstract: Controlling access to functionality within an installed software product. The invention includes an authorization module that dynamically references authorization information when specific functionality is requested by a requesting entity such as a user or an application program to determine if the requested functionality is authorized to be executed. Further, the invention dynamically provides an opportunity to the requesting entity to purchase unauthorized functionality. In this manner, functionality within the software product may be enabled or disabled at any time (e.g., during installation, post-installation, and re-installation).
    Type: Grant
    Filed: August 29, 2003
    Date of Patent: December 30, 2008
    Assignee: Microsoft Corporation
    Inventors: Ryan Burkhardt, Raj Jhanwar, Vijayachandran Jayaseelan, Jason Cohen
  • Patent number: 7448078
    Abstract: The invention relates to a personalized access policy server (pAPS) C1 deriving dynamically granted resources with respect to user's grants and with respect to already accessed resources. It relates to a method for providing dynamically defined limited Internet access to a user's terminal client A1, wherein a portal server C2 provides a portal web site with portal information identifying the set of accessible resources, the terminal client A1 has access to said portal web site; from the portal web site a set of granted resources B3 is dynamically derived with respect to user's grants and with respect to already accessed resources by the personalized access policy server. Further it relates to a portal system, a portal server C2, a personalized access policy server (pAPS) C1, a firewall B2, and corresponding computer software products.
    Type: Grant
    Filed: June 11, 2003
    Date of Patent: November 4, 2008
    Assignee: ALCATEL
    Inventor: Koen Regina Eduard Daenen
  • Patent number: 7444679
    Abstract: A network having an intrusion protection system comprising a network medium, a management node connected to the network medium and running an intrusion prevention system management application, and a plurality of nodes connected to the network medium and running an instance of an intrusion protection system application, at least one of the nodes having an identification assigned thereto based on a logical assignment grouping one or more of the plurality of nodes, each node sharing the identification being commonly vulnerable to at least one network exploit is provided. A method of transmitting a command and security update message to a subset of nodes of a plurality of network nodes comprising generating an update message by a management node of the network, addressing the update message to a network address shared by the subset of nodes, transmitting the update message, and receiving and processing the update message by the subset of nodes is provided.
    Type: Grant
    Filed: October 31, 2001
    Date of Patent: October 28, 2008
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Richard Paul Tarquini, George Simon Gales
  • Patent number: 7441265
    Abstract: The present invention relates to an ingress-session-based authorization and access control method and system to control access from an initiator-host (IH) to objects (Target 1, Target 2) on a target host (TH) by receiving an access-request, preferably a request-message (M1), originally coming from the initiator-host (IH), that references an object (Target 1, Target 2) on the target host (TH) to access, assigning the access-request (M1) to an ingress-session and selecting a session-context (SC-U, SC-W, SC-Y) belonging to that ingress-session, checking whether the access to the referenced object (Target 1, Target 2) is authorized in the selected session-context (SC-U, SC-W, SC-Y) or not wherein references to objects (Target 1, Target 2) on the target host (TH) were handed over to the initiator-host (IH) as a response to an access-request already granted and wherein the object the reference is handed over for is authorized for access under the handed over reference in that session-context (SC-U, SC-W, SC-Y) the al
    Type: Grant
    Filed: May 12, 2001
    Date of Patent: October 21, 2008
    Assignee: Prismtech GmbH
    Inventors: Sebastian Staamann, Tim Eckardt
  • Patent number: 7437558
    Abstract: A method and system for verifying identification of an electronic mail message. An electronic mail message including a signature and a key is received, the signature identifying a domain from which the electronic mail message originated and the key for verifying the signature. A key registration server of the domain is accessed to verify the key. The key registration server provides for verifying that a key used to sign an electronic mail message is valid and that the sender is authorized by the domain to send the electronic mail message from the return address.
    Type: Grant
    Filed: June 1, 2004
    Date of Patent: October 14, 2008
    Assignee: Cisco Technology, Inc.
    Inventors: James L. Fenton, Michael A. Thomas, Frederick J Baker
  • Patent number: 7434051
    Abstract: One embodiment of the present invention provides a system that facilitates confirmation of data communicated to a first device belonging to a first user from a second device belonging to a second user. During operation, the first device receives a message containing data from the second device. The first device then translates the data into a string of words (such as a human-friendly representation using a well-known function such as the One Time Password (OTP) dictionary defined in IETF RFC 1938) that can be recognized by a human. Next, the first device displays the string of words to the first user. The second device also translates the original data using the same well-known function. The first user and the second user then confirm that both strings of words match. The confirmation process is performed through a separate communication channel. This confirmation process ensures that the data sent by the second device is successfully received by the first device, and that it was sent by the second device.
    Type: Grant
    Filed: September 29, 2003
    Date of Patent: October 7, 2008
    Assignee: Sun Microsystems, Inc.
    Inventors: Gabriel Montenegro, Damine Bailly
  • Patent number: 7430292
    Abstract: A system is provided for generating information for secure transmission from a first device to a second device. The system comprising a key scheduler for generating a dynamic secret key, a synchronization generator for generating a synchronization sequence and controlling the frequency of the dynamic secret key, a padding generator for generating a padding sequence, and a DEK generator for generating encrypted text. The system generating a stream of encrypted information that includes the synchronization sequence prior to and adjacent the encrypted text which is prior to and adjacent the padding sequence.
    Type: Grant
    Filed: April 8, 2002
    Date of Patent: September 30, 2008
    Assignee: Telenublink Corporation
    Inventors: Ronald H. LaPat, Randall K. Nichols, Panos C. Lekkas, Edward J. Giorgio
  • Patent number: 7401215
    Abstract: One embodiment of the present invention provides a system that communicates cryptographic data through multiple network layers. During operation, the system receives the cryptographic data and divides the cryptographic data into multiple pieces. The system then encapsulates different pieces of the cryptographic data into fields associated with different network layers in a data packet, whereby an item of cryptographic data that is too large to be communicated in a single field can be communicated through multiple fields associated with different network layers.
    Type: Grant
    Filed: September 29, 2003
    Date of Patent: July 15, 2008
    Assignee: Sun Microsystems, Inc.
    Inventors: Gabriel E. Montenegro, Julien H. Laganier
  • Patent number: 7394902
    Abstract: The present invention pertains to a transmission apparatus for generating an encrypted text by encrypting a plaintext, which includes a parameter storage unit for storing a random parameter (the number of terms whose coefficients indicate 1) adapted to an encryption key and an encryption apparatus and a decryption apparatus; an encryption unit for generating, from the plaintext, the encrypted text using the encryption key and the random parameter stored in the parameter storage unit, complying with an encryption algorithm based on the NTRU™ method; and a key updating unit for updating the random parameter stored in the parameter storage unit and the encryption key, as time passes.
    Type: Grant
    Filed: October 8, 2003
    Date of Patent: July 1, 2008
    Assignee: Matsushita Electric Industrial Co., Ltd.
    Inventors: Masato Yamamichi, Yuichi Futa, Motoji Ohmori, Makoto Tatebayashi
  • Patent number: 7392383
    Abstract: A method, apparatus, and computer instructions for process-based access controls on computer resources to processes. An access mechanism is provided in which a specific invoker obtains an object access identity (ACI). Another mechanism is provided in which a specific object, such as a file system resource, requires a specific object access identity to obtain one of the forms of access denoted by an access control list. A process may “grant” an identifier that is later “required” for a system resource access. Objects may specify their own access requirements and permitted access modes. The granted identifier, ACI, is stored in the process's credentials once these credentials match a specific “grant” entry in the access control list. This identifier has no meaning outside of being used to make an access decision for a specific resource. When a process tries to access the object, the object's access control list is scanned for “required” entries.
    Type: Grant
    Filed: September 25, 2003
    Date of Patent: June 24, 2008
    Assignee: International Business Machines Corporation
    Inventors: Mounir Emil Basibes, Julianne Frances Haugh
  • Patent number: 7389419
    Abstract: The present invention provides for authenticating a message. A security function is performed upon the message. The message is sent to a target. The output of the security function is sent to the target. At least one publicly known constant is sent to the target. The received message is authenticated as a function of at least a shared key, the received publicly known constants, the security function, the received message, and the output of the security function. If the output of the security function received by the target is the same as the output generated as a function of at least the received message, the received publicly known constants, the security function, and the shared key, neither the message nor the constants have been altered.
    Type: Grant
    Filed: December 10, 2003
    Date of Patent: June 17, 2008
    Assignee: International Business Machines Corporation
    Inventors: Daniel Alan Brokenshire, Harm Peter Hofstee, Mohammad Peyravian
  • Patent number: 7389418
    Abstract: Access control to contents is by a user of a terminal connected through a computer network to at least one server of a contents supplier. The user selects or accepts interactive data exchange through a wireless communication network between a trusted organization on the computer network, and a mobile terminal accessible to the user.
    Type: Grant
    Filed: December 20, 2002
    Date of Patent: June 17, 2008
    Assignee: Volubill
    Inventor: Nicolas Bouthors
  • Patent number: 7389536
    Abstract: Access to secure data through a portable computing system is provided only when a timer within the system is running. The timer is reset with the portable system connected to a base system, either directly, as by a cable, or indirectly, as through a telephone network. In an initialization process, the portable and base systems exchange data, such as public cryptographic keys, which are later used to confirm that the portable system is connected to the same base system. In one embodiment, the initialization process also includes storing a password transmitted from the portable system within the base system, with this password later being required within the reset process.
    Type: Grant
    Filed: November 14, 2001
    Date of Patent: June 17, 2008
    Assignee: Lenovo Singapore Pte Ltd.
    Inventors: David Carroll Challener, Ernest Nelson Mandese, Hernando Ovies, James Peter Ward
  • Patent number: 7380136
    Abstract: Methods and apparatus for secure collection and display of user interface information in a pre-boot environment are disclosed. A disclosed system executes trusted software under a secure mode of a processor. In the secure mode, the processor may directly access an area of memory that normally cannot be accessed. One or more software routines, device drivers, digital certificates, hash codes, encryption keys, and/or any other data may be stored in the secure area of memory. Software routines and device drivers stored in the secure area of memory and/or certified by data in the secure area of memory may be “trusted.” Preferably, trusted software routines and/or device drivers are digitally signed by a trusted source (e.g., Microsoft). In addition to trusted interface objects, the pre-boot environment may include non-trusted interface objects. These non-trusted interface objects may use third party software routines and/or device drivers.
    Type: Grant
    Filed: June 25, 2003
    Date of Patent: May 27, 2008
    Assignee: Intel Corp.
    Inventors: Vincent J. Zimmer, Michael A. Rothman
  • Patent number: 7370349
    Abstract: A system and method for protecting sensitive information, for example, a user's personal information, stored on a database where the information is accessible via a communications network such as the Internet. An exemplary embodiment stores the sensitive information on an off-line server. The off-line server is connected to an on-line server. The on-line server is connected to the user via the Internet. The user interfaces with the on-line server, and at a scheduled time window, the sensitive information is made available to the on-line server by the off-line server. Outside of the time window, none of the sensitive information is kept on the on-line server. Thus by placing the sensitive information on-line for only limited periods of time the risk of compromise to the sensitive information is greatly reduced.
    Type: Grant
    Filed: September 3, 2003
    Date of Patent: May 6, 2008
    Assignee: PeopleChart Corporation
    Inventors: R David Holvey, Arthur Douglas Jopling
  • Patent number: 7367053
    Abstract: A password strength checking method has the steps of inputting a password to be checked, generating a plaintext password candidate according to the same generation procedure as that used by a password guessing tool, determining whether or not the inputted password and the generated password candidate match each other, directing generation of the next password candidate when the match is not determined, determining strength of the inputted password based on the number of the generated password candidates when the match is determined, and outputting information of the determined password strength.
    Type: Grant
    Filed: October 3, 2003
    Date of Patent: April 29, 2008
    Assignee: Yamatake Corporation
    Inventors: Daiji Sanai, Michiharu Arimoto, Takashi Mishima, Hidenobu Seki
  • Patent number: 7360246
    Abstract: Systems, apparatus and methods to monitor communications conducted via a host computer placed under the management of security measures such as firewalls or routers' filtering capabilities. A communications monitoring system which includes a packet input means for connecting to predetermined points on a network via a network interface and receiving communications packets flowing at the points; and matching means for performing real-time matching between two packet streams composed of received communications packets each time a communications packet is received. If the two packet streams are highly similar, it is highly likely that an attack or intrusion is being made and an alert is issued.
    Type: Grant
    Filed: September 26, 2003
    Date of Patent: April 15, 2008
    Assignee: International Business Machines Corporation
    Inventors: Hiroaki Etoh, Kunikazu Yoda
  • Patent number: 7360099
    Abstract: Computing units of a computing environment are equipped with means to determine their respective integrity. Further, each computing unit is equipped, such that if its integrity is determined to have been compromised, the computing unit automatically takes itself out of service. In one embodiment, prior to the automatically removing itself from service, a degree of compromise is determined. If the degree of compromise is determined to be within an acceptable risk level, the compromised computing unit fails itself over to one or more other computing units in the computing environment.
    Type: Grant
    Filed: September 19, 2002
    Date of Patent: April 15, 2008
    Assignee: Tripwire, Inc.
    Inventors: Robert A. DiFalco, Thomas E. Good, Gene Ho Kim
  • Patent number: 7353394
    Abstract: The invention allows SMS messages authentication through the use of a digital signature computed with the International Mobile Equipment Identity (IMEI) as a key. Particularly, a text messaging system having the ability to send SMS messages to remotely managed wireless terminal equipment is disclosed and includes a system to generate such digital signature and to store it in available Information Element fields of the TP-User Data of the SMS message. Receiving wireless terminal equipment that are configured for IMEI-based signature security, still keep the option to process both SMS messages having the IMEI-based signature or not. Receiving wireless terminal equipment not enabled for IMEI-based signature security process the SMS normally.
    Type: Grant
    Filed: June 19, 2003
    Date of Patent: April 1, 2008
    Assignee: International Business Machine Corporation
    Inventors: Gerard Marmigere, Zsolt Szalai
  • Patent number: 7346773
    Abstract: A method is disclosed for enabling stateless server-based pre-shared secrets. Based on a local key that is not known to a client, a server encrypts the client's state information. The client's state information may include, for example, the client's authentication credentials, the client's authorization characteristics, and a shared secret key that the client uses to derive session keys. By any of a variety of mechanisms, the encrypted client state information is provided to the client. The server may free memory that stored the client's state information. When the server needs the client's state information, the client sends, to the server, the encrypted state information that the client stored. The server decrypts the client state information using the local key. Because each client stores that client's own state information in encrypted form, the server does not need to store any client's state information permanently.
    Type: Grant
    Filed: January 12, 2004
    Date of Patent: March 18, 2008
    Assignee: Cisco Technology, Inc.
    Inventors: Nancy Cam-Winget, Hao Zhou, Padmanabha C. Jakkahalli, Joseph Salowey, David A. McGrew