Abstract: A key scheduler for an encryption apparatus using a DES encryption algorithm is disclosed.

Abstract: Methods and apparatuses for providing cryptographic assurance based on ranges as to whether a particular data item is on a list.

Abstract: A system (8) for synchronizing a user password between mainframe (10) and alternative (11, 12) computer operating environments includes a mainframe access module (20) that receives a current user password from an associated mainframe client computer (22) and provides a user with access to selected applications or data in the mainframe operating environment (10) according to the current user password. The mainframe access module (20) also receives a new user password in response to providing the access and communicates the new user password. A mainframe platform (14, 16, 18) coupled to the mainframe access module (20) receives the new user password, stores the new user password, and communicates the new user password. A messaging platform (24, 26, 28) coupled to the mainframe platform receives the new user password from the mainframe platform (14, 16, 18) and communicates a broadcast message containing the new user password.

Abstract: A method for authenticating a document in which a document key for the document is generated by examining one or more attributes of a physical media that underlies the document. An original image is then imparted onto the physical media so that the original image is associated with the document key in a way that enables a subsequent recovery of the document key from the original image. This tying together of the underlying physical media, through the document key, with an original image enables detection of a forgery which was performed either through an alteration of the original image, or ink stripping and re-printing, or a printing of the original image on another physical media.

Abstract: In one embodiment of the invention, a real-time firewall processor includes a controller and a filter. The controller specifies a filtering characteristic based on a control protocol from a call server serving a firewall between a source and a destination networks. The filter is coupled to the controller to filter a packet in a call transmitted from the source network based on the filtering characteristic, the filter accepting the packet if the packet satisfies the filtering characteristic and rejecting the packet otherwise.

Abstract: A client-forced authentication mechanism for network communication enables a client to choose to “force” the establishment of an authenticated connection with a server that supports both authenticated and non-authenticated connections, while allowing the client to communicate with older servers that do not support client-forced authentication. To establish an authenticated connection with a server, the client includes authentication request data in a communication packet to the server. The authentication request data are designed such that a server supporting forced authentication would recognize them and give a predefined response, while an older server that does not recognize such data would respond with a well-defined error message according to the underlying network communication protocols. The exact format, location, and contents of the authentication request data depend on the underlying communication protocols and may be implemented in various ways.

Abstract: A system of Flash EEprom memory chips with controlling circuits serves as non-volatile memory such as that provided by magnetic disk drives. Improvements include selective multiple sector erase, in which any combinations of Flash sectors may be erased together. Selective sectors among the selected combination may also be de-selected during the erase operation. Another improvement is the ability to remap and replace defective cells with substitute cells. The remapping is performed automatically as soon as a defective cell is detected. When the number of defects in a Flash sector becomes large, the whole sector is remapped. Yet another improvement is the use of a write cache to reduce the number of writes to the Flash EEprom memory, thereby minimizing the stress to the device from undergoing too many write/erase cycling.

Abstract: A secure real time voice communication system 70 is provided that allows for the secure transmission of voice communications between a sending device 72 and a receiving device 78 through the public switch telephone network 76. The device 72 uses an encryption decryption engine 30 which is capable of executing a number of encryption algorithms which are selected using an encryption selection table 80. An encryption key can be calculated from a periodic key value and a public variable key value. Further, the encryption algorithm used can be periodically changed during a voice communication session so that multiple encryption techniques can be used within the same communication session.

Abstract: Methods and apparatuses for providing cryptographic assurance based on ranges as to whether a particular data item is on a list. According to one computer-implemented method, the items on the list are sorted and ranges are derived from adjacent pairs of data items on the list. Next, cryptographically manipulated data is generated from the plurality of ranges. At least parts of the cryptographically manipulated data is transmitted onto a network for use in cryptographically demonstrating whether any given data item is on the list. According to another computer-implemented method, a request message is received requesting whether a given data item is on a list of data items. In response, a range is selected that is derived from the pair of data items on the list that define the smallest range that includes the given data item. A response message is transmitted that cryptographically demonstrates whether the first data item is on the list using cryptographically manipulated data derived from the range.

Abstract: An information device system includes a terminal device and a personal computer. The terminal device has a USB interface and a wireless transceiver circuit. The personal computer has a USB controller which can communicate with the USB interface of the terminal device when they are connected with each other, and also a transceiver circuit adapted to wirelessly communicate with the wireless transceiver circuit of the terminal device. A record medium, which can be read by the personal computer, contains a program for judging what communication state the system is in, a cable communication state, a wireless communication state, or a non-communication state, and restricting processing the personal computer can perform in accordance with the result of the judgment. The degree of restriction is lowest when the system is in the cable communication state, intermediate when the system is in the wireless communication state, and highest when the system is in the non-communication state.

Abstract: A method and apparatus for storage of user identifier/IP address pairs in a network. The network includes a DHCP server for assigning IP addresses to computer and other devices in the network, a device (such as a computer) coupled to receive an IP address from the DHCP server, an authentication server coupled with the device for receiving user identifier/IP address pairs from the device and authenticating the user, and a directory server coupled to receive authenticated user identifier/IP address pairs from the authentication server.

Abstract: A portable biometric device enables a designated person to unlock any one portal exclusive of other portals of a secure entity and or a secure service by choosing which of their personal biometric characteristics is presented to the portable biometric device. The portable biometric device includes a biometric sensor such that a biometric characteristic of a person for example a finger pattern is read dependent upon the person presenting the biometric characteristic to the biometric sensor. The reading is encoded in order for a processor to determine if the biometric characteristic has been predesignated for access via a predesignated one of the plurality of portals. If so, the processor selects an appropriate authorization code which is communicated by wireless transmission for unlocking the predesignated one of the portals, to the exclusion of any other of the portals. In an alternate example the processor is a central controller remote from the biometric device.

Abstract: One embodiment of the present invention provides a system for managing user attributes that determines access rights in a distributed computing system. The system modifies an attribute database, wherein the attribute database includes a plurality of possible user attributes and a plurality of users. Next, for a given user the system obtains an identity certificate from a certificate authority. This identity certificate is associated with a user from the attribute database. The system also assigns an attribute to the user from the possible user attributes, whereby the user is granted access rights based on the attribute and the identity certificate. This attribute is stored in the attribute database. Finally, modifications to the attribute database are distributed to a plurality of hosts coupled together by a network.

Abstract: A method and apparatus for detecting and protecting communication code information, such as for example Simple Network Management Protocol (SNMP) community names, while still allowing the information to be changed. A search for the proper code for a device is made. However if the code cannot be determined automatically, a user is prompted to insert a code. Also, the user is allowed to change the code as needed.

Abstract: A semiconductor device has multilevel memory cells, each cell storing at least three levels of data each. At least a first data composed of first data bits and a second data composed of second data bits are arranged in order that at least a bit of an N-order of the first bits and a bit of the N-order of the second bits are stored in one of the cells, the N being an integral number. A voltage corresponding to the N-order bits is generated and applied to the one of the cells in response to an address information corresponding thereto. Another semiconductor device has multilevel memory cells arranged so as to correspond to a physical address space, each cell storing 2n levels of data each expressed by n (n?2) number of bits (X1, X2, . . . , Xn). A logical address is converted into a physical address of the physical address space. Judging is made whether a logical address space including the logical address matches the physical address space.

Abstract: In order to restrict data access in a receiver/decoder, a plurality of sets of access rights are assigned to the data, each set of access rights being assigned to at least one party. The data, the sets of access rights and an identifier for each party are stored in a memory of the receiver/decoder. The identifier of a party requesting access to the data is compared with the or each identifier stored in the memory, and the party provided with the set of access rights assigned thereto in the memory of the receiver/decoder.

Abstract: A network authentication system provides verification of the identity or other attributes of a network user to conduct a transaction, access data or avail themselves of other resources. The user is presented with a hierarchy of queries based on wallet-type (basic identification) and non-wallet type (more private) information designed to ensure the identity of the user and prevent fraud, false negatives and other undesirable results. A preprocessing stage may be employed to ensure correct formatting of the input information and clean up routine mistakes (such as missing digits, typos, etc.) that might otherwise halt the transaction. Queries can be presented in interactive, batch processed or other format. The authenticator can be configured to require differing levels of input or award differing levels of authentication according to security criteria.

Abstract: A system and method for monitoring and controlling the total number of SSL port resources that are allowed to be tied up by a malicious or inept client making multiple requests from a single IP address. Smart SSL handshake timeout detection is used to track and deny service to any SSL clients that do denial of service (DOS) attacks.

Abstract: A mechanism to dynamically present basic authentication and cookie information to a web browser user. As part of a login, a user will have entered a userid and password as part of the basic authentication process. He or she also can configure the web browser to display cookies that are sent to the browser for setting. After their initial display, however, this information is either hidden or not easily accessible to the user. The present invention is a mechanism that allows a web browser user easy access to his or her logged-on userid and cookies.

Abstract: The present invention provides a solution to the needs described above through an improved method and apparatus for an improved security system mechanism in a business applications management system platform. The security management system partitions a number of business objects into a number of hierarchical domains. A security list is then created and configured to grant a member the right to perform a security operation on the business object located within the hierarchical domain. The security list is created by adding the security operation to the security list, applying the security operation to one of the multiple domains, and adding members to the security list.