Patents Examined by Martin Jeriko P San Juan
  • Patent number: 7639799
    Abstract: Systems and methods for cryptographically processing data as a function of a Cassels-Tate pairing are described. In one aspect, a Shafarevich-Tate group is generated from a cohomology group. A Cassels-Tate pairing is determined as a function of elements of the Shafarevich-Tate group. Data is then cryptographically processed as a function of the Cassels-Tate pairing.
    Type: Grant
    Filed: December 14, 2004
    Date of Patent: December 29, 2009
    Assignee: Microsoft Corporation
    Inventors: Kristin E. Lauter, Anne Kirsten Eisentraeger
  • Patent number: 7596694
    Abstract: Embodiments of the present invention include a system and method for making it safe to execute downloaded code. The method includes accessing an application, the application making a system call to a library of a computer system for a resource, establishing a requesting thread. The method further includes the library sending a request message to a local security filter; the local security filter validating the requesting thread and returning a digital signature, that uniquely identifies the requesting thread, to the application. The application making a system call to a kernel of the computer system wherein the kernel uses the digital signature from the security filter to validate the requesting thread before allowing access to the requested resource.
    Type: Grant
    Filed: March 8, 2004
    Date of Patent: September 29, 2009
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Alan Karp, Arindam Banerji, Thomas Wylegala, Rajiv Gupta, Peter Phaal
  • Patent number: 7571468
    Abstract: A personal authorisation device wearable by a user includes an input operable to receive data for authenticating a user, a memory operable to store validation information derived from the user authentication data, and an output operable to provide an authorisation code. The device further includes a tamper detector that triggers if the device is removed from its wearer. Triggering of the tamper detector serves to disable use of the device.
    Type: Grant
    Filed: April 6, 2004
    Date of Patent: August 4, 2009
    Assignee: Sun Microsystems, Inc.
    Inventor: Emrys J. Williams
  • Patent number: 7568109
    Abstract: A system for analyzing similarities between a first and second corpus or between a set of concepts and a corpus uses natural language processing and machine intelligence methods to replace terms or phrases in the corpus with concepts, determine the frequency of each concept in the corpus, and convert the corpus into a concept frequency file to enable easy comparison of the two corpuses or easy retrieval of items from the corpus that contain concept. Difference analysis and a combination of content and spectral analysis may be employed.
    Type: Grant
    Filed: September 13, 2004
    Date of Patent: July 28, 2009
    Assignee: IPX, Inc.
    Inventors: G. Edward Powell, Jr., Michael Anderer, Mark T. Lane, N. Edward White
  • Patent number: 7562224
    Abstract: A system and method that allows a device to complete a single complete authentication sequence to a AAA server resulting in as many secure sessions required for the different applications or subsystems determined by the client's identity and the AAA server's policy. As the device is authenticated, it is determined where there are other sessions for the device. The sessions are established by generating unique new keying material that is passed to each session. This can be accomplished by (a) the authenticator or AAA server issuing the keys and distributing them to both the supplicant and applications (via their authenticators); or (b) authenticator or the AAA server mutually generating the session unique keys with the supplicant that are then distributed to the applications (via their authenticators).
    Type: Grant
    Filed: April 4, 2005
    Date of Patent: July 14, 2009
    Assignee: Cisco Technology, Inc.
    Inventors: Mark Krischer, Nancy Cam Winget
  • Patent number: 7559082
    Abstract: A method for a firewall-aware application to communicate its expectations to a firewall without requiring the firewall to change its policy or compromise network security. An application API is provided for applications to inform a firewall or firewalls of the application's needs, and a firewall API is provided that informs the firewall or firewalls of the application's needs. An interception module watches for connect and listen attempts by applications and services to the network stack on the local computer. The interception module traps these attempts and determines what user is making the attempt, what application or service is making the attempt, and conducts a firewall policy look-up to determine whether the user and/or application or service are allowed to connect to the network. If so, the interception module may instruct the host and/or edge firewall to configure itself for the connection being requested.
    Type: Grant
    Filed: June 25, 2003
    Date of Patent: July 7, 2009
    Assignee: Microsoft Corporation
    Inventors: Dennis Morgan, Alexandru Gavrilescu, Jonathan L. Burstein, Art Shelest, David LeBlanc
  • Patent number: 7546455
    Abstract: A digital certificate transferring method for transferring a second digital certificate from a certificate transferring apparatus to a communication apparatus storing a first digital certificate which is different from the second digital certificate is provided. In the method, the certificate transferring apparatus transfers, to the communication apparatus via a safe communication channel established by using a first digital certificate, the second digital certificate and identifying information of a communication destination to which the communication apparatus accesses to request authentication using the second digital certificate.
    Type: Grant
    Filed: December 15, 2004
    Date of Patent: June 9, 2009
    Assignee: Ricoh Company, Ltd.
    Inventor: Hiroshi Kakii
  • Patent number: 7539872
    Abstract: A system and method that provide resilient watermarking of digital data, including numeric and categorical relational data. The method and system are premised upon a framework considering the higher level semantics to be preserved in the original data. The system and method also provides a technique for enabling user-level run-time control over the properties that are to be preserved, as well as the degree of change introduced. The system and method are resilient to various important classes of attacks, including subset selection, addition, alteration, or resorting, horizontal or vertical data partitioning, and attribute remapping. For numeric relational data, approximately 40-45% of the embedded watermark may survive approximately 45-50% of original data loss, while for categorical relational data, the watermark may survive approximately 80% of original data loss with only approximately 25% degradation of the watermark.
    Type: Grant
    Filed: May 24, 2004
    Date of Patent: May 26, 2009
    Assignee: Purdue Research Foundation
    Inventors: Radu Sion, Mikhail Atallah, Sunil Prabhakar
  • Patent number: 7536543
    Abstract: The invention features a system and method for authenticating and authorizing a user to log onto a network element in a telecommunications optical network. The administration of security for the network is handled by a centralized authority. The centralized authority maintains the accounts for individuals authorized to log onto the network elements and their associated privileges. In one embodiment, to log onto a network element a user provides a user identifier and user authentication information to the centralized authority. The centralized authority then processes the user identifier and user authentication information to authenticate the user. If authenticated, the centralized authority determines a privilege level for the user and generates an affirmative response that includes the user identifier and the privilege level. Provided with the affirmative response, the network element logs the user onto the network element with the associated privilege level.
    Type: Grant
    Filed: October 5, 2004
    Date of Patent: May 19, 2009
    Assignee: Nortel Networks Limited
    Inventors: Achint Sandhu, Rosa Guo, Charles Fizzell, Jason Rodrigues, Marina-Man Zhang, Steve Rycroft
  • Patent number: 7533264
    Abstract: A sending computer system generates a message and creates one or more security tokens to encrypt portions of the message. The computer system includes in the message a markup language identifier for the one or more security tokens used for encryption, and includes identification of the value type used to create the tokens. The computer system then serializes at least the portion of the message that identifies the one or more security tokens, without serializing other portions of the message that aid relaying of the message to a receiving computer system. A receiving computer system deserializes at least the portion of the message that identifies the one or more security tokens, and then uses deserialized token data to decrypt encrypted portions of the message. Each created security token can be made with customized data and fields, and can be made with a customized value type.
    Type: Grant
    Filed: August 20, 2003
    Date of Patent: May 12, 2009
    Assignee: Microsoft Corporation
    Inventors: Keith Ballinger, HongMei Ge, Hervey Oliver Wilson, Vick Bhaskar Mukherjee
  • Patent number: 7523306
    Abstract: A system and method for generating a message integrity code, MIC, for a MAC protocol data unit in a wireless local area network, WLAN, operating according to the IEEE 802.11 standard. A MAC service data unit, MSDU, sequence control sequence number, SN, input to the MIC algorithm is suppressed, e.g. set to all zeros, when calculating the MIC. Only the fragment number, FN, portion of the sequence control is included in calculation of the MIC. The MIC may therefore be calculated before an actual SN has been determined. All MPDUs include sequential packet numbers, PNs. A station receiving MPDUs checks the PNs of MPDUs having the same SN, and rejects messages which do not have a proper sequential set of PNs.
    Type: Grant
    Filed: November 21, 2003
    Date of Patent: April 21, 2009
    Assignee: Texas Instruments Incorporated
    Inventor: Jie Liang
  • Patent number: 7519990
    Abstract: A method for managing network traffic flow is provided. The method includes receiving network traffic content, storing at least a portion of the network traffic content to a memory, sending a copy of the network traffic content to a processor, which determines whether the network traffic content contains content desired to be detected. Another method for managing network traffic flow includes receiving network traffic content, flagging the network traffic content, sending the flagged network traffic content to a module, which is configured to pass unflagged data to a user and prevent flagged data from being sent to the user, and sending a copy of the network traffic content to a processor, which determines whether the network traffic content contains content desired to be detected.
    Type: Grant
    Filed: July 21, 2003
    Date of Patent: April 14, 2009
    Assignee: Fortinet, Inc.
    Inventor: Michael Xie
  • Patent number: 7509672
    Abstract: Systems and methods of authentication and data sharing across applications and platforms based on a single authentication are described. The systems and methods allow a user, based on a single log on to an application, to be automatically logged on to other applications and to fetch and store preference, state, and setting data across enterprise computing systems that include multiple computing platforms and applications. A data registry stores authentication and non-authentication data. An interface for automatically executing authentication transactions for the applications and facilitating the share of non-authentication data is also provided. The non-authentication data is user configurable to provide flexible application support across the enterprise, such as through the preservation of state information, preferences, settings, and application data across multiple computers.
    Type: Grant
    Filed: April 1, 2004
    Date of Patent: March 24, 2009
    Assignee: Compuware Corporation
    Inventors: Michael A. Horwitz, Kenneth W. O'Dell, Dennis J. O'Flynn, Carlos Devoto
  • Patent number: 7502464
    Abstract: A method for implementing one-to-one binary functions defined on the Galois field GF(2^8) is very useful for forming fast and low power hardware devices regardless of the binary function. The method includes decoding an input byte for generating at least one bit string that contains only one active bit, and logically combining the bits of the bit string according to the binary function for generating a 256-bit string representing a corresponding output byte. The 256-bit string is then encoded in a byte for obtaining the output byte.
    Type: Grant
    Filed: April 2, 2004
    Date of Patent: March 10, 2009
    Assignee: STMicroelectronics S.r.l.
    Inventors: Marco Macchetti, Pasqualina Fragneto, Guido Marco Bertoni
  • Patent number: 7499544
    Abstract: Techniques are disclosed to provide public-key encryption systems. More particularly, isogenies of Abelian varieties (e.g., elliptic curves in one-dimensional cases) are utilized to provide public-key encryption systems. For example, the isogenies permit the use of multiple curves instead of a single curve to provide more secure encryption. The techniques may be applied to digital signatures and/or identity based encryption (IBE) solutions. Furthermore, the isogenies may be used in other applications such as blind signatures, hierarchical systems, and the like. Additionally, solutions are disclosed for generating the isogenies.
    Type: Grant
    Filed: March 31, 2004
    Date of Patent: March 3, 2009
    Assignee: Microsoft Corporation
    Inventors: David Y. Jao, Ramarathnam Venkatesan
  • Patent number: 7457409
    Abstract: A scheme for performing secure communications in a wireless local network. In one aspect of the invention, software hosted on a host processing unit maintains multiple queues. A networking module adapted to communicate with the host processing unit includes corresponding FIFO buffers to service the queues. The networking module also comprises an arbiter and a security engine. The arbiter is responsible for determining which queue is to be serviced next contingent upon a priority scheme. The security engine preferably incorporates a cipher performing encryption and decryption in a sequential or chain mode. Once one of the queues is granted by the arbiter, the security engine fetches data from the granted queue and then encrypts or decrypts the data using the cipher.
    Type: Grant
    Filed: June 9, 2004
    Date of Patent: November 25, 2008
    Assignee: Mediatek Inc.
    Inventors: Chu-Ming Lin, Ko-Ming Chan
  • Patent number: 7430295
    Abstract: A method and system for distributing quantum cryptographic keys among a group of user devices through a switch connected to the user devices are provided. A switch [1000] establishes a connection between two user devices [405a, 405b] according to a schedule. A Quantum Key Distribution (QKD) session is established between the two user devices [405a, 405b] to facilitate sharing of secret key material between the two user devices. Connections and QKD sessions may be established for different pairs of the user devices.
    Type: Grant
    Filed: March 9, 2004
    Date of Patent: September 30, 2008
    Assignee: BBN Technologies Corp.
    Inventors: David Spencer Pearson, Brig Barnum Elliott
  • Patent number: 7350081
    Abstract: Proprietary programs for execution in game systems or other computers are downloaded from an Internet server in encrypted form to protect the programs from unauthorized use. The encrypted programs can be decrypted and executed only in a secure cryptoprocessor that initially ordered the software for download. Unlike DRM protected music, video, and text, decrypted program instructions need never be revealed to users. Each cryptoprocessor contains a unique chip identifier that is transmitted to the server in encrypted form to control encryption of a random session key that controls decryption of the downloaded programs. Hence, each copy of the encrypted software is encrypted differently. If the cryptoprocessor is in a cartridge, it can be manually unplugged from one computer or game system and plugged into another system.
    Type: Grant
    Filed: October 6, 2003
    Date of Patent: March 25, 2008
    Inventor: Robert M. Best
  • Patent number: 7315941
    Abstract: A certification authority (CA, 120) generates decryption key data (K?Fj) for each set (F) in the complement cover (804) for a plurality of digital certificates. The CA encrypts all or a portion of the validity proof data (cj(i)) for each digital certificate (140.i) for each time period j for which the validity proof is to be provided. For each certificate, the decryption can be performed with decryption keys (Kij) that can be obtained from the decryption key data (K?Fj) for any set containing the certificate. The CA distributes the encrypted portions of the validity proof data to prover systems that will provide validity proofs in the periods j. To perform certificate re-validation in a period j, the CA constructs the complement cover for the set of the revoked certificates, and distributes the decryption key data (K?Fj) for the sets in the complement cover.
    Type: Grant
    Filed: December 14, 2005
    Date of Patent: January 1, 2008
    Assignee: NTT DoCoMo Inc.
    Inventors: Zulfikar Amin Ramzan, Craig B. Gentry, Bernhard Bruhn
  • Patent number: 7293171
    Abstract: Encrypted email message structures can contain recipient information that can reveal, to any recipient, all of the other recipients of an email message. Because some recipients, such as recipients to whom the message was “blind carbon-copied”, should remain hidden from the other recipients, individual encrypted messages can be created. One encrypted message can be created for all of the recipients who are intended to be revealed, such as the recipients listed in the TO and CC fields of an email header. A second encrypted message can be created for all of the recipients of the message who are intended to be hidden, such as the recipient listed in the BCC field of an email header. Alternatively, multiple encrypted messages can be created individually for each recipient in the BCC field, if the BCC recipients are to be hidden even from other BCC recipients.
    Type: Grant
    Filed: January 21, 2004
    Date of Patent: November 6, 2007
    Assignee: Microsoft Corporation
    Inventors: Karim Batthish, Malcolm Davis, Roy Williams, Jean Wu