Patents Examined by Leynna Ha
  • Patent number: 7370348
    Abstract: A controller for controlling communications between a system and a transport medium includes a receiving circuit to receive data and associated security control information. A first cryptographic engine cryptographically processes the data received from the transport medium based on the security control information. The controller also includes a second cryptographic engine to process data generated in the system according to a security protocol before transmission to the transport medium.
    Type: Grant
    Filed: July 30, 1999
    Date of Patent: May 6, 2008
    Assignee: Intel Corporation
    Inventors: Baiju V. Patel, Uri Elzur
  • Patent number: 7346167
    Abstract: A mobile ad-hoc network may include a plurality of nodes including a source node and at least one adjacent node. The source node may include a wireless communications device for establishing a wireless communications link with the at least one adjacent node, a plain text source, and a seed generator for performing a one-way algorithm using a secret key for generating a seed. Furthermore, the source node may also include a key encryptor for receiving the seed and generating a key sequence based thereon, and a logic circuit for generating cipher text for transmission over the wireless communications link and based upon the key sequence and the plain text.
    Type: Grant
    Filed: May 10, 2002
    Date of Patent: March 18, 2008
    Assignee: Harris Corporation
    Inventors: Thomas Jay Billhartz, Frank Joseph Fleming
  • Patent number: 7331058
    Abstract: The invention relates to using a universally unique identifier in a database to uniquely identify, both within and outside of the database system, a user. A storage system, according to the invention, includes a first storage area having an object stored therein; and a second storage area having stored therein an object identifier that identifies the object. The object identifier is unique within and outside of the storage system, and can be a Universal Unique Identifier (UUID). The invention also relates to methods for storing and retrieving objects identified based on the unique identifier.
    Type: Grant
    Filed: December 16, 1999
    Date of Patent: February 12, 2008
    Assignee: International Business Machines Corporation
    Inventor: Henry M. Gladney
  • Patent number: 7240191
    Abstract: A method and apparatus for initializing security information for a network device. Two protocols are used. A first protocol, which has no encryption capability, is used to create an initial account. However, the initial account corresponds to a second protocol, and this second protocol does have encryption capability. A security parameter which is used to encrypt data and which corresponds to the initial account is transmitted by the network device to the network management application. The security parameter may be transmitted from the network device to the network management application openly via the first protocol. The network management application then uses this security parameter to encrypt sensitive security information needed for initially configuring the network device. The encrypted security information can now be transmitted securely over the network to the network device by means of the second protocol.
    Type: Grant
    Filed: February 1, 2002
    Date of Patent: July 3, 2007
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventor: Michael C. Robinson
  • Patent number: 7209560
    Abstract: In a data communications system a remote data source outputs data as a series of application data units (ADUs). Each ADU is individually encrypted with a different key. The keys are transmitted (for example using Internet multicasting) via a communications network to one or more customer terminals. At the terminals a sequence of keys is generated for use in decrypting the ADUs. A record is kept of the keys generated, and this record may subsequently be used to generate a receipt for the data received by the customer. The keys may be generated, and the record stored within a secure module such as a smartcard.
    Type: Grant
    Filed: December 15, 1998
    Date of Patent: April 24, 2007
    Assignee: British Telecommunications public limited company
    Inventors: Ian R Fairman, Robert J Briscoe
  • Patent number: 7207061
    Abstract: A stealth firewall. The stealth firewall can include a first network interface to an external network; a second network interface to an internal network; a packet filter for restricting access to the internal network, the packet filter ignoring requests from the external network to access the internal network; and, a state machine. Importantly, the state machine can be pre-configured to transition across one or more internal states conditioned upon receiving particular requests to access the internal network. The state machine further can include at least one state transition reachable through a pre-specified sequence of states which causes the packet filter to permit access to the internal network.
    Type: Grant
    Filed: August 31, 2001
    Date of Patent: April 17, 2007
    Assignee: International Business Machines Corporation
    Inventor: Brian K. Martin
  • Patent number: 7187771
    Abstract: The invention is a secure server, or trust engine, having server-centric keys, or in other words, storing cryptographic keys and user authentication data on a server. Users access cryptographic functionality through network access to the trust engine; however, the trust engine does not release actual cryptographic keys or other authentication data. Therefore, the system provides that the keys and data remain secure. The server-centric storage of keys and authentication data provides for user-independent security, portability, availability, and straightforwardness, along with a wide variety of implementation possibilities.
    Type: Grant
    Filed: September 20, 2000
    Date of Patent: March 6, 2007
    Assignee: Security First Corporation
    Inventors: Alexander G. Dickinson, Roger S. Davenport, Mark S. Ohare, Philip W. Clough, Mark D. Rohrbach, Richard F. Clayton, James G. Zoccoli, Gregory H. Stark, Rick L. Orsini, Michelle Ferrante, Aaron A. Brooks
  • Patent number: 7165268
    Abstract: The invention provides a method for a sender to send a message on a tangible medium and ensure that it is privacy protected until verification that the medium has been received by the authorized recipient. The invention provides a method in which a sender creates an encrypted content message that may be decrypted using a content decryption key that is unknown to the authorized recipient. The sender creates an encrypted authentication message that may be decrypted using a recipient's key that is known to the authorized recipient but is unknown to others, except perhaps to the sender. The sender fixes the encrypted content message and the encrypted authentication message onto a tangible medium and then permits the authorized recipient to obtain the tangible medium. The authorized recipient uses the recipient's key to decrypt the encrypted authentication message and then creates a valid reply that is based upon or which uses the decrypted authentication message.
    Type: Grant
    Filed: October 17, 2000
    Date of Patent: January 16, 2007
    Inventors: Keith E. Moore, D. Amnon Silverstein
  • Patent number: 7089591
    Abstract: A computer-implemented method, apparatus, and computer readable medium for detecting publicly identified and publicly unidentified macro viruses within code (15) adapted for use on a digital computer (1). A detection module (17) analyzes the code (15) to determine whether the code (15) contains instructions causing a macro (8) to be moved to a global environment (13), and whether said code (15) also contains instructions causing the same macro (8) to be copied to a local document (11). When these two conditions are satisfied, detection module (17) declares that a macro virus is present within the code (8). A repair module (19) can be coupled to the detection module (17) and to the code (15) for deleting the code (15) when the detection module (17) declares that the code (15) contains a macro virus.
    Type: Grant
    Filed: July 30, 1999
    Date of Patent: August 8, 2006
    Assignee: Symantec Corporation
    Inventor: Darren Chi
  • Patent number: 7024691
    Abstract: A system for trusting sites in a communication network, the communication network including a plurality of user nodes inter-linked through a proxy node to a site server. The system includes the proxy that is associated with an advanced policy being responsive to input certificates for verifying one or more declarations. Each one of the declarations is associated with a symbol. A user accesses a server site from a user node through a proxy node. The proxy node authenticates the site, and the server site then provides to the proxy node, through said communication network, one or more credentials that refer to the site. The proxy node tests the credentials against the advanced policy in order to verify the declarations and displays, in respect of each verified declaration, the corresponding symbol.
    Type: Grant
    Filed: October 17, 2000
    Date of Patent: April 4, 2006
    Assignee: International Business Machines Corporation
    Inventors: Amir Herzberg, Yosi Mass
  • Patent number: 7024696
    Abstract: A method and system for prevention of piracy of a given software application via a communications network, such as the Internet. A given software application, installed on a user system, will not function until it is activated by a remote service provider. This will require the user to provide the remote service provider with user data, such as the user's personal identity information and the unique software identification code relating to the specific software. User data will then be compared to archived data in order to determine if the user is a pirator of the software. If not a pirator, the remote service provider may transmit undisclosed service data, such as a software activation code, to the user system. Once activated, the software will become fully operational and allow the user complete access to its functions. In this manner, piracy of a given software application can be prevented.
    Type: Grant
    Filed: June 14, 2000
    Date of Patent: April 4, 2006
    Inventor: Reuben Bahar
  • Patent number: 7013394
    Abstract: This invention makes use of the capability of a network processor (as described more fully herein) to perform software directed tree searches. Pattern recognition data processing, as expanded upon in the detailed description, opens possibilities for data mining, virus protection, security and other functions. As realized in accordance with the varying embodiments of this invention, significant performance improvements are obtained and highly scalable systems are created which are capable of examining large amounts of data, both in real time and in batch modes.
    Type: Grant
    Filed: April 18, 2000
    Date of Patent: March 14, 2006
    Assignee: International Business Machines Corporation
    Inventors: Charles Steven Lingafelt, Francis Edward Noel, Jr.
  • Patent number: 6968449
    Abstract: Methods and arrangements are provided that can be used to identify users to an operating system during initialization through an advanced graphical user interface (GUI). The resulting GUI can be visually compelling and functional while advantageously remaining easy for the developer to create, maintain and modify. A markup language rendering engine is loaded substantially near the beginning of an operating system initialization procedure, and provided with markup language code that solicits at least one user input associated with a user logon process when rendered by the markup language rendering engine. The markup language code can be written in Hypertext Markup Language (HTML), Dynamic HTML, Extensible Markup Language (XML), Extensible Hypertext Markup Language (XHTML), Standard Generalized Markup Language (SGML), etc.
    Type: Grant
    Filed: March 30, 2000
    Date of Patent: November 22, 2005
    Assignee: Microsoft Corporation
    Inventors: Giampiero M. Sierra, Christopher A. Evans
  • Patent number: 6954775
    Abstract: Various embodiments of a method and system for detecting unauthorized signatures to or from a local network. Multiple sensors are connected at an internetworking device, which can be a router or a switch. The sensors operate in parallel and each receives a portion of traffic through the internetworking device, at a session-based level or at a lower (packet-based) level. Depending on the type of internetworking device (router or switch) the load balancing mechanism that distributes the packets can be internal or external to the internetworking device. Also depending on the level of packet distribution (session-based or packet-based), the sensors share a network analyzer (if session-based) or both a network analyzer and a session analyzer (if packet-based).
    Type: Grant
    Filed: December 30, 2002
    Date of Patent: October 11, 2005
    Assignee: Cisco Technology, Inc.
    Inventors: Steven D. Shanklin, Gerald S. Lathem
  • Patent number: 6934391
    Abstract: A method and apparatus for the control of a subscriber identity module (SIM) in a data communication system, preferably a mobile communication system. The data communication system includes first and second subscriber registers (HLR1, HLR2) for maintaining subscriber records defining a subscriber identity module registry, a short message transmission system (SMSC) for transmission of messages in the communication system, and a mobile station (MS) connected to the subscriber identity module (SIM) for use by a subscriber in effecting mobile communications through the data communication system.
    Type: Grant
    Filed: November 24, 1999
    Date of Patent: August 23, 2005
    Assignee: Sonera Oyj
    Inventors: Janne Linkola, Olavi Blomberg
  • Patent number: 6915435
    Abstract: An improved information retention management mechanism is disclosed wherein an information set may be purged from an information system without having to delete the information set from the system. Whenever an information set enters an information system, a key is associated with the information set. The information set is encrypted using the associated key, and the encrypted form of the information set is stored in the information system. The unencrypted form of the information set is not stored. To render the information set to a user, the encrypted form of the information set is accessed along with the associated key, and then decrypted using the associated key to derive the original information set. Once derived, the information set is rendered to the user. So long as the associated key remains in the system, this process may be carried out to render the information set to a user. At some point, in accordance with an information retention policy, the information set is selected for purging.
    Type: Grant
    Filed: February 9, 2000
    Date of Patent: July 5, 2005
    Assignee: Sun Microsystems, Inc.
    Inventor: Charles Merriam
  • Patent number: 6907527
    Abstract: A method (and system) for generating an output file from a source file where benign modifications to a content of the output file still render the output file authentic, includes constructing an index vector from the source file, quantizing the source file, generating an authentication mark from the quantized source file and the index vector, generating an authentication tag by appending the index vector to the authentication mark, and generating the output file by appending the authentication tag to the source file.
    Type: Grant
    Filed: October 17, 2000
    Date of Patent: June 14, 2005
    Assignee: International Business Machines Corporation
    Inventor: Chai Wah Wu
  • Patent number: 6834350
    Abstract: The present invention is directed to a facility for distributing network security information. The facility receives network security information and recipient selection information specifying a characteristic of prospective recipients to be used in selecting recipients for the security information. The facility then compares the received recipient selection information to each of a plurality of prospective recipient profiles. Each prospective recipient profile corresponds to one or more prospective recipients and indicates one or more characteristics of the prospective recipients relating to the receipt of network security information. Based upon this comparison, the facility selects at least a portion of the plurality of prospective recipients as recipients of the network security information, and addresses the network security information to each of the selected recipients.
    Type: Grant
    Filed: July 6, 1999
    Date of Patent: December 21, 2004
    Assignee: WatchGuard Technologies, Inc.
    Inventors: Randall Craig Boroughs, David Wayne Bonn
  • Patent number: 6829712
    Abstract: The invention authenticates processes and inter-process messaging. In some examples of the invention, security is performed in three layers—the application layer, the middleware layer, and the transport layer. Some examples of the invention include software products. One software product comprises security software and middleware software stored on a software storage medium. The security software directs a processor to receive a log-in request for a process, generate a request to authenticate the process, transfer the request to authenticate the process, receive a security association for the process, and transfer the security association. The middleware software directs the processor to receive the security association from the security software, receive a message from the process, insert the security association into the message, and transfer the message. Another software product comprises security software stored on a software storage medium.
    Type: Grant
    Filed: May 29, 2003
    Date of Patent: December 7, 2004
    Assignee: Sprint Communications Company L.P.
    Inventor: Ashraf T. Madoukh
  • Patent number: 6802013
    Abstract: An integrated, modular computer program system provides for the encryption and decryption of files utilizing conventional encryption algorithms and a relational key generated by the system. The computer program system also generates a series of labels that are encrypted and appended as a trailer to the encrypted message. The encrypted labels provide a history behind the particular encryption and they can be individually selected, separated, and decrypted from the total file. A rule based expert system is utilized as an intelligent label selection system to minimize message sensitivity. An access control module permits a user with a preassigned passphrase to have access to the encryption or decryption portion of the program by comparing a generated vector or key with a partially decrypted version of a second vector or key stored on a portable storage medium such as a floppy disk.
    Type: Grant
    Filed: September 24, 1999
    Date of Patent: October 5, 2004
    Inventor: Roy D. Follendore, III