Patents Examined by Matthew B. Smithers
  • Patent number: 7822974
    Abstract: Techniques for establishing implicit trust of authorship certification are provided. A message's domain is validated in response to a valid domain certificate. A message's author is validated in response to an author identification, which is acquired from the message and which is supplied to a domain service of the author. The domain service is implicitly trusted based on the domain being validated via the domain certificate. The domain service uses the author's identification to traverse to a specific location within the domain that houses an author certificate for the author. The author certificate is compared against a message certificate that accompanies the message in order to establish trust with the author and the author's message.
    Type: Grant
    Filed: May 15, 2006
    Date of Patent: October 26, 2010
    Assignee: Novell, Inc.
    Inventors: Stephen Hugh Kinser, Lloyd Leon Burch, Cameron Craig Morris
  • Patent number: 7823186
    Abstract: The invention relates to a system and method for providing multiple assembly caches for storing shared application resources. Each assembly cache may be associated with different security policies, locations, internal structures and management. An application may be determined to have access to an assembly cache based on the permission and security policy of the application and security policy of the assembly cache. Additionally, one or more assembly caches may have other policies for cache retention, resolution, and creation.
    Type: Grant
    Filed: August 24, 2006
    Date of Patent: October 26, 2010
    Assignee: Novell, Inc.
    Inventor: Sebastien Pouliot
  • Patent number: 7822197
    Abstract: Disclosed herein are methods and systems for encoding digital watermarks into content signals. Also disclosed are systems and methods for detecting and/or verifying digital watermarks in content signals. According to one embodiment, a system for encoding of digital watermark information includes: a window identifier for identifying a sample window in the signal; an interval calculator for determining a quantization interval of the sample window; and a sampler for normalizing the sample window to provide normalized samples. According to another embodiment, a system for pre-analyzing a digital signal for encoding at least one digital watermark using a digital filter is disclosed.
    Type: Grant
    Filed: September 7, 2007
    Date of Patent: October 26, 2010
    Assignee: Wistaria Trading, Inc.
    Inventor: Scott A. Moskowitz
  • Patent number: 7818813
    Abstract: An encrypted document file and related file are received (S42), and character strings are extracted from the related file. The document file is registered in a database (150) together with the extracted character strings (S45).
    Type: Grant
    Filed: May 15, 2006
    Date of Patent: October 19, 2010
    Assignee: Canon Kabushiki Kaisha
    Inventor: Shuichi Morisawa
  • Patent number: 7817799
    Abstract: Provided are a method, system, and article of manufacture, wherein a first write only register is maintained in an encryption engine of a cryptographic unit. A second write only register is maintained in a decryption engine of the cryptographic unit. A cryptographic key is written in the first write only register and the second write only register, wherein the cryptographic key is inaccessible for reading from any entity that is external to the cryptographic unit.
    Type: Grant
    Filed: September 7, 2006
    Date of Patent: October 19, 2010
    Assignee: International Business Machines Corporation
    Inventors: Paul Merrill Greco, Melanie Jean Sandberg, Scott Jeffrey Schaffer
  • Patent number: 7814550
    Abstract: A system includes hosts that may be infected with mobile logic. One type of mobile logic is a worm, which can be a process that is capable of causing a (possibly evolved) copy of itself to execute on one or more hosts of the system. An infected host of the system can infect other hosts based on criteria, such as targeting, visibility, vulnerability, or infectability of the other hosts. A worm can be represented as a Turing Machine whose state can be determined using computational methods. A worm can be emulated in the system to determine worm detection capabilities of the system. Emulating the worm can allow the system to be tested with less negative impact than using the actual worm.
    Type: Grant
    Filed: October 26, 2004
    Date of Patent: October 12, 2010
    Assignee: The Mitre Corporation
    Inventor: Daniel R. Ellis
  • Patent number: 7814547
    Abstract: A method for detecting intrusions that employ messages of two or more protocols is disclosed. Such intrusions might occur in Voice over Internet Protocol (VoIP) systems, as well as in systems in which two or more protocols support some service other than VoIP. In the illustrative embodiment of the present invention, a stateful intrusion-detection system is capable of employing rules that have cross-protocol pre-conditions. The illustrative embodiment can use such rules to recognize a variety of VoIP-based intrusion attempts, such as call hijacking, BYE attacks, etc. In addition, the illustrative embodiment is capable of using such rules to recognize other kinds of intrusion attempts in which two or more protocols support a service other than VoIP. The illustrative embodiment also comprises a stateful firewall that is capable of employing rules with cross-protocol pre-conditions.
    Type: Grant
    Filed: August 28, 2008
    Date of Patent: October 12, 2010
    Assignee: Avaya Inc.
    Inventors: Sachin Garg, Navjot Singh, Timothy Kohchih Tsai, Yu-Sung Wu, Saurabh Bagchi
  • Patent number: 7814556
    Abstract: In accordance with embodiments, there are provided mechanisms and methods for securing execution of untrusted applications. These mechanisms and methods for securing execution of untrusted applications can enable embodiments to provide a “sandbox” environment in which applications that are less than trusted may execute. The ability of embodiments to provide such a protected environment for executing these untrusted applications can enable systems designers and system programmers to provide additional applications from third parties to users without being overly concerned about system security issues.
    Type: Grant
    Filed: May 9, 2006
    Date of Patent: October 12, 2010
    Assignee: Bea Systems, Inc.
    Inventor: Neil Smithline
  • Patent number: 7814552
    Abstract: This invention relates to a method and apparatus for an encryption system. The encryption system includes a server end and user's ends, in which the whole writable action about information outflow is recorded by the server end. The method of the present invention is used for encrypting the writable file by the user's ends to avoid unauthorized information outflow through out-connecting storing equipment. Therefore, all the files are just used within the Intranet of the company and the security system. Thus, the purpose of protecting information is achieved.
    Type: Grant
    Filed: July 28, 2005
    Date of Patent: October 12, 2010
    Assignee: Fineart Technology Co., Ltd.
    Inventor: Hong-Ru Chen
  • Patent number: 7814563
    Abstract: By introducing a new copy control system into video signals subjected to picture quality restriction satisfactory only in small-sized PMP displays, a new business model in which copyrighters, consumers and makers can have mutual prosperity is created. “A new copy control rule of prohibiting a video signal output with a picture quality equivalent to that at time of recording from being copied, but permitting a video signal sufficiently degraded in picture quality as compared with time of recording to be copied” is added to the copy-never, copy-one-generation, and copy-free states belonging to the conventional copy control rule. The quality for which the copyrighter can permit copying corresponds to half the current number of DVD pixels. If a quality restricting scheme of thinning out pixels to half compared with time of recording is used, therefore, needs of consumers desiring to enjoy PMPs are satisfied while protecting rights of copyrighters.
    Type: Grant
    Filed: September 28, 2005
    Date of Patent: October 12, 2010
    Assignee: Hitachi, Ltd.
    Inventors: Takaharu Noguchi, Akira Shibata, Hitoaki Owashi
  • Patent number: 7814538
    Abstract: An authentication process using a combined code as a shared secret between a client and target service is provided. The combined code is provided out-of-band and includes data to perform two-way authentication for both the client and the target service. The target service may provide the client with a certificate to establish a secure channel. The client may use the data in the combined code to validate the target service. When the target service is validated, the client may provide credentials in the combined code to the target service for authentication. In one example implementation, the combined code includes a hash of a public key. The client may compute another hash of another public key in the certificate provided by the target service and validate the service by comparing the hash in the combined code and the computed hash.
    Type: Grant
    Filed: December 13, 2005
    Date of Patent: October 12, 2010
    Assignee: Microsoft Corporation
    Inventors: Thomas W. Kuehnel, Shannon J. Chan
  • Patent number: 7809955
    Abstract: A trustable community for a computer system includes multiple software components that have security interdependence. A trustable community attempts to stop malware from compromising one software component within the community by conditioning operation of the software component upon a determination of present trustworthiness of itself and other software components within the community. Present trustworthiness may be determined through hash checks and application of community rules defining conditions under which software components are trustworthy.
    Type: Grant
    Filed: October 17, 2006
    Date of Patent: October 5, 2010
    Assignee: Blue Ridge Networks, Inc.
    Inventor: Fatih Comlekoglu
  • Patent number: 7802085
    Abstract: In some embodiments, a method and apparatus for distributing private keys to an entity with minimal secret, unique information are described. In one embodiment, the method includes the storage of a chip secret key within a manufactured chip. Once the chip secret key is stored or programmed within the chip, the chip is sent to a system original equipment manufacturer (OEM) in order to integrate the chip within a system or device. Subsequently, a private key is generated for the chip by a key distribution facility (KDF) according to a key request received from the system OEM. In one embodiment, the KDF is the chip manufacturer. Other embodiments are described and claimed.
    Type: Grant
    Filed: February 18, 2004
    Date of Patent: September 21, 2010
    Assignee: Intel Corporation
    Inventor: Gary L. Graunke
  • Patent number: 7802092
    Abstract: A system and method to securely deliver software updates to an appliance are provided. The system comprises a key generator, a reporting module, and a certificate signing request (CSR) module. The key generator may be configured to generate, at the processing system, verification data for the processing system. The reporting module may be configured to communicate the verification data from the processing system to a verification database. The certificate signing request (CSR) module may be configured to obtain a signed certificate from a certificate authority (CA) based on the verification data stored in the verification database.
    Type: Grant
    Filed: September 30, 2005
    Date of Patent: September 21, 2010
    Assignee: Blue Coat Systems, Inc.
    Inventors: Thomas J. Kelly, Gary W. Tomic
  • Patent number: 7802296
    Abstract: A method and system have been provided for identifying and processing secure data frames flowing between a source port and a switch port in a network. A data frame from the source port is received at the switch port. The network address of the source port is detected from the data frame. An entry corresponding to the network address of the source port is searched for in a forwarding table. The data frame is identified as a secure or a non-secure data frame on the basis of the entry in the forwarding table. Non-secure data frames are redirected and processed.
    Type: Grant
    Filed: August 23, 2006
    Date of Patent: September 21, 2010
    Assignee: Cisco Technology, Inc.
    Inventors: Ravikanth Venkata Samprathi, Rodney Fong
  • Patent number: 7802104
    Abstract: A system for performing authentication of a first user to a second user includes the ability for the first user to submit multiple instances of authentication data which are evaluated and then used to generate an overall level of confidence in the claimed identity of the first user. The individual authentication instances are evaluated based upon: the degree of match between the data provided by the first user during the authentication and the data provided by the first user during his enrollment; the inherent reliability of the authentication technique being used; the circumstances surrounding the generation of the authentication data by the first user; and the circumstances surrounding the generation of the enrollment data by the first user. This confidence level is compared with a required trust level which is based at least in part upon the requirements of the second user, and the authentication result is based upon this comparison.
    Type: Grant
    Filed: August 16, 2007
    Date of Patent: September 21, 2010
    Assignee: Security First Corporation
    Inventors: Alexander G. Dickinson, Brian Berger, Robert T. Dobson, Jr.
  • Patent number: 7802099
    Abstract: One embodiment of the present invention provides a system that establishes a secure connection with a peer. During operation, the system obtains an identity for the peer. Next, the system looks up the identity for the peer in a local store, which contains identities for trusted peers. If this lookup fails, the system asks a user if the peer can be trusted. If the user indicates that the peer can be trusted, the system establishes a secure connection with the peer.
    Type: Grant
    Filed: October 3, 2006
    Date of Patent: September 21, 2010
    Assignee: Apple Inc.
    Inventors: Douglas P. Mitchell, John C. Hurley
  • Patent number: 7797534
    Abstract: There is proposed a method for executing a workflow, comprising providing the workflow comprising process level activities, at least one process level activity being able to access system resources, the access to the system resources being mediated by a plurality of backend modules. A backend module of the plurality of backend modules carries out the steps of receiving a hierarchical attribute certificate, validating the attribute certificate, checking whether the attribute certificate grants a right to execute the backend module, checking whether a predefined execution path from the process level activity to the backend module has been traversed, and if both checking steps are successful, executing the backend module. Moreover, there is proposed a respective device, computer program medium and computer program product.
    Type: Grant
    Filed: October 19, 2006
    Date of Patent: September 14, 2010
    Assignee: SAP AG
    Inventor: Maarten E. Rits
  • Patent number: 7792286
    Abstract: A signature generation apparatus and a signature verification apparatus preventing an occurrence of an inappropriate signature verification error. The signature generation apparatus (110) including a signature generation unit (114) calculating signature vector (s, t) for a message m using a private key, and generating signature data S indicating polynomials sl and sh specifying the polynomial s and a polynomial th which is a quotient when the polynomial t is divided by q.
    Type: Grant
    Filed: April 10, 2006
    Date of Patent: September 7, 2010
    Assignee: Panasonic Corporation
    Inventors: Yuichi Futa, Shingo Hasegawa, Shuji Isobe, Motoji Ohmori, Hiroki Shizuya
  • Patent number: 7793097
    Abstract: A technique permitting an X.509 certificate to simultaneously support more than one cryptographic algorithm. An alternative public key and alternative signature are provided as extensions in the body of the certificate. These extensions define a second (or more) cryptographic algorithm which may be utilized to verify the certificate. These are not authenticated by the primary signature and signature algorithm in the primary cryptographic algorithm. These newly defined extensions are reviewed by a receiving entity if the entity does not support the cryptographic algorithm of the primary signature.
    Type: Grant
    Filed: June 12, 2008
    Date of Patent: September 7, 2010
    Assignee: International Business Machines Corporation
    Inventor: Mark E. Peters