Patents Examined by Leynna T Truvan
  • Patent number: 7765581
    Abstract: Methods and systems consistent with the present invention provide dynamic security policies that change the granularity of the security at the node level, process level, or socket level. Specifically, a channel number and virtual address are associated with various processes included in a process table. Since a security policy is required for all processes, secure and insecure processes located on the same channel may communicate with one another. Moreover, processes located on different channels may communicate with one another by a gateway that connects both channels. This scalable blanketing security approach provides an institutionalized method for securing any process, node or socket by providing a unique mechanism for policy enforcement at runtime or by changing the security policies.
    Type: Grant
    Filed: December 10, 1999
    Date of Patent: July 27, 2010
    Assignee: Oracle America, Inc.
    Inventors: Germano Caronni, Amit Gupta, Sandeep Kumar, Tom R. Markson, Christoph L. Schuba, Glenn C. Scott
  • Patent number: 7765580
    Abstract: A method and apparatus provides user authentication by communicating primary authentication information, such as user identification data and/or password data to an authentication unit via a primary channel such as over the Internet. An authentication code is generated by the authentication unit on a per session basis and is sent to a destination unit via a first secondary channel during the session. The destination unit then retransmits the authentication code, on a second secondary channel, to the first unit in a way that is transparent to a user of the first unit. The first device then sends the received re-transmitted authentication code back to the authentication unit via the primary channel during the session.
    Type: Grant
    Filed: May 14, 2001
    Date of Patent: July 27, 2010
    Assignee: Entrust, Inc.
    Inventors: Ron J. Vandergeest, Kevin T. Simzer, Eric R. Skinner
  • Patent number: 7761700
    Abstract: Methods and arrangements are provided that can be used to identify users to an operating system during initialization through an advanced graphical user interface (GUI). The resulting GUI can be visually compelling and functional while advantageously remaining easy for the developer to create, maintain and modify. A markup language rendering engine is loaded substantially near the beginning of an operating system initialization procedure, and provided with markup language code that solicits at least one user input associated with a user logon process when rendered by the markup language rendering engine. The markup language code can be written in Hypertext Markup Language (HTML), Dynamic HTML, eXtensible Markup Language (XML), eXtensible Hypertext Markup Language (XHTML), Standard Generalized Markup Language (SGML), etc.
    Type: Grant
    Filed: July 20, 2005
    Date of Patent: July 20, 2010
    Assignee: Microsoft Corporation
    Inventors: Giampiero M. Sierra, Christopher A. Evans
  • Patent number: 7757272
    Abstract: A system for mapping and translating address information in a network is provided. The system includes a client-side address translator (120) and a server-side address translator (140). The client-side address translator (120) is configured to receive a data packet from a client (110). The data packet includes a first destination address representing the real destination address. The client-side address translator (120) maps the first destination address to another address using a mapping algorithm and transmits the data packet with the via the network (160). The server-side address translator (140) receives the data packet, translates the mapped address information back to the real destination address and forwards the data packet using the real destination address.
    Type: Grant
    Filed: June 14, 2000
    Date of Patent: July 13, 2010
    Assignees: Verizon Corporate Services Group, Inc., BBN Technologies Corp., Level 3 Communications, LLC
    Inventor: Michael Anthony Dean
  • Patent number: 7743406
    Abstract: A system and method for securing data on a wireless device. A secured zone is defined by a boundary sensor. A data processing system is coupled to the boundary sensor and a wireless device. If the data processing system detects that the signal strength of the wireless device has fallen below a first predetermined value for longer than a second predetermined value, the data processing system deletes a digital certificate corresponding to the wireless device from memory. Thus, when the wireless device is reintroduced into the secured zone, in response to determining that a digital certificate corresponding to the wireless device is not stored in memory, the disabling module disables the wireless device from operation within the secured zone.
    Type: Grant
    Filed: December 21, 2004
    Date of Patent: June 22, 2010
    Assignee: International Business Machines Corporation
    Inventors: Scott Sina Abedi, Roger Kenneth Abrams, Ryan Charles Catherman, James Patrick Hoff, James Stephen Rutledge
  • Patent number: 7735129
    Abstract: A firewall apparatus including plural virtual firewalls, each virtual firewall including a dependent firewall policy, is disclosed. The firewall apparatus includes: a distribution management table for managing a user name and a virtual firewall ID; a part configured to receive authentication information for network connection from a user terminal, and hold a user name included in the authentication information; a part configured to report the authentication information to the authentication server; and a part configured to receive an authentication response from the authentication server, and hold a user ID, included in the authentication response, to be provided to the user terminal. The firewall apparatus registers the user ID in the distribution management table associating the user ID with the user name.
    Type: Grant
    Filed: February 4, 2004
    Date of Patent: June 8, 2010
    Assignee: Nippon Telegraph and Telephone Corporation
    Inventors: Kazuhiko Nagata, Taisuke Oka, Ryoichi Suzuki, Takashi Ikegawa, Hiroyuki Ichikawa, Tadashi Ishikawa
  • Patent number: 7681227
    Abstract: An encrypted stream of video information (20) contains first video frames (22) and second video frames which are accessible and not accessible during trick play respectively. From a source stream encrypted that is for decryption with repeatedly changing control words sections of the stream are identified where respective first ones of the frames occur in the stream. Control words for decryption (24) are included in the stream. At least part of the control words are included in the stream at positions selected synchronized to the identified sections.
    Type: Grant
    Filed: January 20, 2004
    Date of Patent: March 16, 2010
    Assignee: IPG Electronics 503 Limited
    Inventors: Sjoerd Zwart, Pieter-Jelle Gerbrandts, Tom Kan
  • Patent number: 7673145
    Abstract: This invention includes an image quality priority level decision processing unit (40) which evaluates the magnitude of an image quality of each of a plurality of first image data formed from biometric images associated with the same target on the basis of a specific index having the relationship of a monotone function with authentication accuracy of biometric authentication, and outputs each of the first image data upon adding a priority level thereto on the basis of the evaluation result, a first image storage (6, 81) unit which stores each of the first image data having a priority level added thereto from the image quality priority level decision processing unit (40), a second image storage unit (8, 61) which stores second image data used for comparison/collation with the first image data, an image collation unit (7) which compares/collates the second image data stored in the second image storage unit (8, 61) with the first image data stored in the first image storage unit (6, 81) and outputs the comparison
    Type: Grant
    Filed: March 5, 2004
    Date of Patent: March 2, 2010
    Assignee: Nippon Telephone and Telegraph Corporation
    Inventors: Takahiro Hatano, Satoshi Shigematsu, Hiroki Morimura, Namiko Ikeda, Yukio Okazaki, Katsuyuki Machida, Mamoru Nakanishi
  • Patent number: 7607165
    Abstract: The subject invention relates to a method and apparatus for multiplication of numbers. In a specific embodiment, the subject invention can be used to perform sequential multiplication. The subject invention also pertains to a method and apparatus for modular reduction processing of a number or product of two numbers. In a specific embodiment, sequential multiplication can be incorporated to perform modular reduction processing. The subject method and apparatus can also be utilized for modular exponentiation of large numbers. In a specific embodiment, numbers larger than or equal to 2^128 or even higher can be exponentiated. For example, the subject invention can be used for exponentiation of numbers as large as 2^1024, 2^2048, 2^4096, or even larger.
    Type: Grant
    Filed: March 11, 2002
    Date of Patent: October 20, 2009
    Assignee: The Athena Group, Inc.
    Inventors: Jonathon D. Mellott, Patrick Dennis Rugg
  • Patent number: 7600108
    Abstract: A gaming machine that authenticates the gaming software at boot-up or after a reset. A processor in conjunction with the boot memory reads the bits of data and files from a non-volatile memory device via a single read of each bit. The files are each validated while the bits of non-volatile memory data are simultaneously validated. After all the files and the data are validated then the gaming software is authenticated.
    Type: Grant
    Filed: June 17, 2003
    Date of Patent: October 6, 2009
    Assignee: WMS Gaming Inc.
    Inventor: Thomas A. Gentles
  • Patent number: 7596804
    Abstract: A system and method for determining in a global network the user network authentication status as the user goes from site to site within the network is provided. Additionally, the system and method provides for transparent or implicit multi-site logon functionality, including automatic introduction from one site to the other using a baseline authentication agency (102). The system and method provides an architecture for a core global network (100) (referred to herein as NET) that incorporates some or all of the following features and components: a set of baseline authentication agencies responsible for the core global network (NET) services, such as login and user-selected service-provider lookup; a shared NET domain and associated DNS records (106) used for cookie (110) sharing, login routing, and the like; and a collection of partner sites (108) accessible via the NET.
    Type: Grant
    Filed: July 2, 2003
    Date of Patent: September 29, 2009
    Assignee: AOL LLC
    Inventors: Christopher Newell Toomey, Conor Cahill
  • Patent number: 7591015
    Abstract: Kernel objects for implementing a transaction have a security descriptor applied thereto. The kernel objects include, at least, a transaction object, a resource management object, and an enlistment object. The security descriptor, otherwise known as an access control list, identifies at least one user, an operation to be performed on the kernel object to which the security descriptor is applied, and a right indicating that the identified user is permitted or prohibited to perform the operation.
    Type: Grant
    Filed: October 23, 2003
    Date of Patent: September 15, 2009
    Assignee: Microsoft Corporation
    Inventors: Jon Cargille, Surendra Verma, Mark J. Zbikowski, William R. Tipton
  • Patent number: 7587759
    Abstract: Intrusion prevention for a computer is based on intrusion rules corresponding to active networked applications executing on the computer. The intrusion rules are a subset of a full ruleset that may include signatures of known attacks or heuristic rules. The subset changes as network connections for active applications are initiated and terminated, or as the active applications terminate.
    Type: Grant
    Filed: February 4, 2002
    Date of Patent: September 8, 2009
    Assignee: McAfee, Inc.
    Inventors: Mark J. McArdle, Brent A. Johnston
  • Patent number: 7571484
    Abstract: A file system protection mechanism for an operating system image for a portable computing device is provided to assist in ensuring a good user experience. A signed catalog file is embedded in a resource-sparing operating system (OS), such as a Windows CE image, for security enhancement and load verification purposes. The invention performs various checks on the image and the signature of the image to ensure that the image has not been maliciously modified and that it complies with a release standard. Such a mechanism is important to protect image loads from external threats made possible by, e.g., recent incorporation of broadband wireless and wireline connectivity for portable computing devices. The signing technique includes creating a signed catalog of the image and embedding that catalog into the image as it is loaded onto the portable computing device.
    Type: Grant
    Filed: December 4, 2003
    Date of Patent: August 4, 2009
    Assignee: Microsoft Corporation
    Inventors: Mark Kraus, Sudhakar Prabhu
  • Patent number: 7568096
    Abstract: A request to render encrypted content is received and a chain of licenses corresponding to the content is located. The chain includes a leaf license linked to the content at one end of the chain, a root license at the other end of the chain, and any intermediate licenses therebetween. The leaf license and any intermediate licenses in the chain are each bound to the adjoining license in the chain toward the root license, and the root license is bound to an owner of a private key (PR-U). For each license in the chain, the license is verified and it is confirmed that the license allows the content to be rendered. A decryption key is obtained from the leaf license based on application of (PR-U) to the root license, the obtained key is applied to decrypt the encrypted content, and the decrypted content is rendered.
    Type: Grant
    Filed: April 23, 2004
    Date of Patent: July 28, 2009
    Assignee: Microsoft Corporation
    Inventors: Brian P. Evans, Clifford P. Strom, Michael Jay Parks
  • Patent number: 7562214
    Abstract: Detection of an attack on a data processing system. An example method comprising, in the data processing system: providing an initial secret; binding the initial secret to data indicative of an initial state of the system via a cryptographic function; recording state changing administrative actions performed on the system in a log; prior to performing each state changing administrative action, generating a new secret by performing the cryptographic function on a combination of data indicative of the administrative action and the previous secret, and erasing the previous secret; evolving the initial secret based on the log to produce an evolved secret; comparing the evolved secret with the new secret; determining that the system is uncorrupted if the comparison indicates a match between the evolved secret and the new secret; and, determining that the system is corrupted if the comparison indicates a mismatch between the evolved secret and the new secret.
    Type: Grant
    Filed: March 26, 2004
    Date of Patent: July 14, 2009
    Assignee: International Business Machines Corporation
    Inventor: James F. Riordan
  • Patent number: 7532722
    Abstract: The present invention provides an apparatus and method for performing cryptographic operations on a plurality of input data blocks within a processor. In one embodiment, an apparatus for performing cryptographic operations is provided. The apparatus includes a cryptographic instruction and execution logic. The cryptographic instruction is received by a computing device as part of an instruction flow executing on the computing device, wherein the cryptographic instruction prescribes one of the cryptographic operations. The execution logic is operatively coupled to the cryptographic instruction and executes the one of the cryptographic operations. The one of the cryptographic operations includes indicating whether the one of the cryptographic operations has been interrupted by an interrupting event.
    Type: Grant
    Filed: December 4, 2003
    Date of Patent: May 12, 2009
    Assignee: IP-First, LLC
    Inventors: Thomas A. Crispin, G. Glenn Henry, Arturo Martin-de-Nicolas, Terry Parks
  • Patent number: 7496752
    Abstract: A client terminal reads a device ID fixedly assigned to itself, and sends the device ID to an authentication server to make a request for authentication. The authentication server authenticates the device ID accepted from the client terminal. When succeeding in the authentication, the authentication server issues and sends a ticket to the client terminal. The client terminal receives the ticket, and then sends the ticket to a locator server to make a request for registration of an IP address. The locator server verifies the correctness of the accepted ticket. When the correctness is confirmed, the locator server registers an ID and the IP address of the client terminal in a manner that they are associated with each other, and replies with the completion of the registration.
    Type: Grant
    Filed: April 16, 2004
    Date of Patent: February 24, 2009
    Assignee: Sony Computer Entertainment Inc.
    Inventors: Keisuke Yamaguchi, Kenjiro Komaki, Masaru Masuda, Muneki Shimada, Kanee Kazuhiro, Yousuke Kimoto, Shingo Kannari
  • Patent number: 7493486
    Abstract: In a node (110) communicating with other nodes in a network (150), a system and method for performing cryptographic-related functions is provided. The node (110) receives and transmits inputs and outputs requiring cryptographic-related processing. When cryptographic processing is required, the node (110) transmits a predefined message to a cryptographic processing component in the node (110) that then performs the desired cryptographic-related processing.
    Type: Grant
    Filed: June 9, 2000
    Date of Patent: February 17, 2009
    Assignee: Verizon Laboratories, Inc.
    Inventors: Stuart J. Jacobs, Francis Leo Mannix, Jr., Thomas William Christoffel, Scott Andrew Belgard
  • Patent number: 7493483
    Abstract: A method for processing instructions by a processing unit. An instruction set is dynamically set for the processing unit using a selected instruction map. The selected instruction map is selected as one being different from a normal instruction map for the processing unit. The instructions are processed at the processor using the instruction set. A set of authorized instructions are encoded using the selected instruction map.
    Type: Grant
    Filed: February 19, 2004
    Date of Patent: February 17, 2009
    Assignee: International Business Machines Corporation
    Inventor: Gordon D. McIntosh