Patents Examined by Leynna T. Ha
  • Patent number: 7424737
    Abstract: A virtual host for protocol transforming traffic traversing between an IP-compliant source and non-IP compliant destination is disclosed. The virtual host includes a communications channel configured to channel process traffic, transforming IP-compliant traffic into a non-IP protocol appropriate for the destination.
    Type: Grant
    Filed: May 6, 2004
    Date of Patent: September 9, 2008
    Assignee: GraphOn Corporation
    Inventors: Ralph E. Wesinger, Jr., Christopher D. Coley
  • Patent number: 7386878
    Abstract: Systems and methods employing authenticated connections to a central server to establish and authenticate a peer-to-peer connection between peer devices. The invention circumvents the potential vulnerability of clear-text transmission of secrets through a series of encrypted data transfers. A secret key is encrypted and then transmitted from one peer device to another using authenticated connections to the server. The secret key is then used to transmit encrypted data over a peer connection between the peer devices for the purpose of authenticating the peer devices on each end of the connection.
    Type: Grant
    Filed: August 14, 2002
    Date of Patent: June 10, 2008
    Assignee: Microsoft Corporation
    Inventors: Joseph P. Fernando, Mehul Y. Shah
  • Patent number: 7343619
    Abstract: The objective of this invention is to ensure that programs that generate and send data packets are well behaved. This invention discloses a method and system that consist of an end station and a network interface, such that, the network interface is capable of determining the authenticity of the program used by the end station to generate and send data packets. The method is based on using a hidden program that was obfuscated within the program that is used to generate and send data packets from the end station. The hidden program is being updated dynamically and it includes the functionality for generating a pseudo random sequence of security signals. Only the network interface knows how the pseudo random sequence of security signals were generated, and therefore, the network interface is able to check the validity of the pseudo random sequence of security signals, and thereby, verify the authenticity of the programs used to generate and send data packets.
    Type: Grant
    Filed: August 14, 2002
    Date of Patent: March 11, 2008
    Assignee: TrustedFlow Systems, Inc.
    Inventors: Yoram Ofek, Marcel Mordechay Yung, Mario Baldi, David Howard Sitrick
  • Patent number: 7336790
    Abstract: Methods and systems consistent with the present invention provide a Supernet, a private network constructed out of components from a public-network infrastructure. Supernet nodes can be located on virtually any device in the public network (e.g., the Internet), and both their communication and utilization of resources occur in a secure manner. As a result, the users of a Supernet benefit from their network infrastructure being maintained for them as part of the public-network infrastructure, while the level of security they receive is similar to that of a private network. The Supernet has an access control component and a key management component which are decoupled. The access control component implements an access control policy that determines which users are authorized to use the network, and the key management component implements the network's key management policies, which indicate when keys are generated and what encryption algorithm is used.
    Type: Grant
    Filed: December 10, 1999
    Date of Patent: February 26, 2008
    Assignee: Sun Microsystems Inc.
    Inventors: Germano Caronni, Amit Gupta, Tom R. Markson, Sandeep Kumar, Christoph L. Schuba, Glenn C. Scott
  • Patent number: 7319759
    Abstract: A new ((n)th) black box is produced for a digital rights management (DRM) system. The (n)th black box is for being installed in and for performing decryption and encryption functions in the DRM system. The (n)th black box is produced and delivered to the DRM system upon request and includes a new ((n)th) executable and a new ((n)th) key file. The (n)th key file has a new ((n)th) set of black box keys and a number of old sets of black box keys. The request includes an old ((n−1)th) key file having the old sets of black box keys. A code optimizer/randomizer receives a master executable and randomized optimization parameters as inputs and produces the (n)th executable as an output. A key manager receives the (n−1)th key file and the (n)th set of black box keys as inputs, extracts the old sets of black box keys from the (n−1)th key file, and produces the (n)th key file including the (n)th set of black box keys and the old sets of black box keys as an output.
    Type: Grant
    Filed: March 15, 2000
    Date of Patent: January 15, 2008
    Assignee: Microsoft Corporation
    Inventors: Marcus Peinado, Ramarathnam Venkatesan, Malcolm Davis
  • Patent number: 7296289
    Abstract: An access management apparatus receives a command message having setting and changing functions, performs corresponding processing, and transmits results. A checking unit checks the presence/absence of a data element to be accessed. Access is permitted based on looking up a setting access condition if the data element is not set and looking up a changing access condition if the data element is set. A control table contains identification information, location information, a data setting access condition, and a data changing access condition of each of a plurality of data elements. When receiving a command, a determining unit determines whether the designated data element is already set by looking up location information of the data element in the control table. A data setting/changing unit sets or changes data in accordance with the access condition looked up.
    Type: Grant
    Filed: April 28, 2004
    Date of Patent: November 13, 2007
    Assignee: Kabushiki Kaisha Toshiba
    Inventor: Yasuo Iijima
  • Patent number: 7286665
    Abstract: Methods for transferring among key holders in encoding and cryptographic systems the right to decode and decrypt messages in a way that does not explicitly reveal decoding and decrypting keys used and the original messages. Such methods are more secure and more efficient than typical re-encoding and re-encryption schemes, and are useful in developing such applications as document distribution and long-term file protection.
    Type: Grant
    Filed: December 21, 1999
    Date of Patent: October 23, 2007
    Assignee: ContentGuard Holdings, Inc.
    Inventor: Xin Wang
  • Patent number: 7231513
    Abstract: A basic input/output system may include two modules one of which may be dynamically linked to the other. A first BIOS module may dynamically link to a second BIOS module. The BIOS modules may be stored in the same or different memories. One BIOS module may be executed conditionally. A function in a BIOS module may be dynamically linked through a header entry point.
    Type: Grant
    Filed: December 17, 1999
    Date of Patent: June 12, 2007
    Assignee: Intel Corporation
    Inventor: Alex I. Eydelberg
  • Patent number: 7216225
    Abstract: Some embodiments of the present invention are directed to a system that enables filtered application-to-application communication in a server farm in a multi-channel reliable hardware environment (e.g. InfiniBand). The system may also improve the performance of application-to-application communication between servers in the farm. The implementation of multi-channel reliable communication hardware may reduce the number of communication software layers above.
    Type: Grant
    Filed: May 24, 2001
    Date of Patent: May 8, 2007
    Assignee: Voltaire Ltd.
    Inventors: Yaron Haviv, Guy Corem
  • Patent number: 7131001
    Abstract: An apparatus for enabling functionality of a component, wherein the apparatus includes an identification module having an identification number stored therein, and a hash function module in communication with the identification module. A host is provided and is in communication with the identification module, and a guess register in communication with the host is provided. An encryption module is provided and is in communication with the guess register, and a public key module in communication with the encryption module is provided, wherein the public key module has a public key stored therein. A comparator in communication with the encryption module and the hash function module is provided, such that the comparator may compare a first bit string to a second bit string to generate a function enable output for the component.
    Type: Grant
    Filed: October 11, 2000
    Date of Patent: October 31, 2006
    Assignee: Broadcom Corporation
    Inventor: Anders Johnson
  • Patent number: 7127610
    Abstract: An apparatus and method of implementing multicast security in a given multicast domain, the given multicast domain having one or more network devices, receives multicast traffic that is encrypted with a global key, the global key being available to the given multicast domain and one or more other multicast domains, decrypts the received multicast traffic with the global key to produce decrypted multicast traffic, encrypts the decrypted multicast traffic with a local key to produce local encrypted multicast traffic, the local key being available to the given multicast domain, and forwards the local encrypted multicast traffic to the one or more network devices in the given multicast domain. In a further embodiment, the apparatus and method for implementing multicast security in a given multicast domain first receives a global key message that identifies the global key.
    Type: Grant
    Filed: December 29, 1999
    Date of Patent: October 24, 2006
    Assignee: Nortel Networks Limited
    Inventors: Yunzhou Li, Billy C. Ng, Jyothi Hayes
  • Patent number: 7055173
    Abstract: A firewall fault-tolerant network interface system includes a switch circuit configured to detect when a firewall fails in a multi-firewall local network. When a failed firewall is detected, the switch circuit waits for a time-out period to expire to allow convergence. The switch circuit then intervenes when traffic from a server to the failed firewall is detected. The switch circuit translates the MAC address of the failed firewall to the MAC address of a functional firewall. Traffic from a server originally directed to the failed firewall is then redirected to a functional firewall. In a further refinement, the switch circuit provides the MAC address of a functional firewall in response to an ARP request from a server to the failed firewall. Thus, traffic from this server will be directed to the functional firewall without further intervention, reducing the overhead of the switch circuit.
    Type: Grant
    Filed: April 1, 2000
    Date of Patent: May 30, 2006
    Assignee: Avaya Technology Corp.
    Inventors: Srinivas Chaganty, Makarand Kale, Sathish Bommareddy
  • Patent number: 7047558
    Abstract: The invention concerns an architecture of a terminal (5) allowing communications between a smart card (8) and a web server (4), via an internet network (RI). The terminal (5) is equipped with a secure enclosure (6) comprising a smart card reader (8), a keyboard (62), and optionally, other computing resources (63). The non-secure part of the terminal (5) comprises a web browser (51) and a first communication node (50) that routes the requests received to the browser (51) or to the secure enclosure (6). The secure enclosure (6) comprises a second communication node (60) and an HTTP server (61). The smart card (8) comprises a third communication node (80) and an HTTP server (81). The web server (4) comprises a merchant application (41) that can be placed in communication with the smart card (8) and activate software applications (A1–An) of the latter.
    Type: Grant
    Filed: October 26, 2000
    Date of Patent: May 16, 2006
    Assignee: CP8 Technologies
    Inventor: Renaud Mariana
  • Patent number: 6983378
    Abstract: A memory stores confidential data Da. An unqualified person who intends to irregularly read out the confidential data Da tries to open a cover of a housing, break the housing, or drill through the housing. The housing deflects by physical impact applied thereto. Positional relations among pairs of electrodes also deflect in accordance with the deflection of the housing. The deflection of the positional relations among the electrodes shifts capacitance at the electrodes. A data management processor deletes the confidential data Da when it detects the capacitance shifts.
    Type: Grant
    Filed: December 20, 1999
    Date of Patent: January 3, 2006
    Assignee: NEC Corporation
    Inventor: Kenichi Kokubo
  • Patent number: 6976165
    Abstract: An algorithm (such as the MD5 hash function) is applied to a file to produce an intrinsic unique identifier (IUI) for the file (or message digest). The file is encrypted using its IUI as the key for the encryption algorithm. An algorithm is then applied to the encrypted file to produce an IUI for the encrypted file. The encrypted file is safely stored or transferred within a network and is uniquely identifiable by its IUI. The encrypted file is decrypted using the IUI of the plaintext file as the key. The IUI serves as both a key to decrypt the file and also as verification that the integrity of the plaintext file has not been compromised. IUIs for any number of such encrypted files may be assembled into a descriptor file that includes meta data for each file, the IUI of the plaintext file and the IUI of the encrypted file. An algorithm is applied to the descriptor file to produce an IUI for the descriptor file.
    Type: Grant
    Filed: September 7, 1999
    Date of Patent: December 13, 2005
    Assignee: EMC Corporation
    Inventors: Paul R. Carpentier, Jan F. Van Riel, Tom Teugels
  • Patent number: 6973190
    Abstract: The invention concerns a method for protecting an electronic system implementing a cryptographic calculation process involving a modular exponentiation of a quantity (x), said modular exponentiation using a secret exponent (d), characterized in that said secret exponent is broken down into a plurality of k unpredictable values (d1, d2, . . . , dk), the sum of which is equal to said secret exponent.
    Type: Grant
    Filed: October 26, 2000
    Date of Patent: December 6, 2005
    Assignee: CP8 Technologies
    Inventor: Louis Goubin
  • Patent number: 6938166
    Abstract: In a digital satellite television system in which a television receives its signal via receiver/decoder, such as a set top box, interactive applications can be downloaded and run on the receiver/decoder. The application code is arranged as modules, and the downloading of modules is preceded by searching a directory module within a specified local address. The modules are signed and the directory module is signed and encrypted so that a single encryption applies to all of the modules making up the application. Multiple public encryption keys are stored in ROM in the receiver/decoder, so that applications can be created by different sources, without the sources needing to know each other's private encryption keys. A facility is provided to enable an encryption key to be temporarily stored in RAM in the receiver/decoder, so that a manufacturer of the receiver/decoder can check its functionality. A signature of the directory may be hidden at a variable position in a block of dummy data in the directory module.
    Type: Grant
    Filed: September 21, 1999
    Date of Patent: August 30, 2005
    Assignee: Thomson Licensing S.A.
    Inventors: Jean-Claude Sarfati, Jerome Meric