Patents Examined by Matthew Heneghan
  • Patent number: 7219230
    Abstract: A plurality of file encryption groups are created for a plurality of files based on attributes of each file. An event is detected and a selected file encryption group is divided into a plurality of sub-groups in response to the event. The division is based on an access pattern for each file in the selected file encryption group.
    Type: Grant
    Filed: May 8, 2002
    Date of Patent: May 15, 2007
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Erik Riedel, Mahesh Kallahalla, Ram Swaminathan
  • Patent number: 7216369
    Abstract: An apparatus may include a root of trust for measurement (RTM) module coupled to a verified platform security property policy module and a comparison module. The comparison module may operate to prevent transfer of control to an operating system (and/or halt the boot process) if a policy included in the platform security property policy module is violated. A system may include a memory coupled to a processor, a platform security property policy module, and a comparison module. The memory may include an RTM. A method may include beginning execution at an entry point within an RTM, determining that the RTM is trustworthy, determining that a main initialization code associated with a platform is trustworthy and transferring control to the main initialization code, and otherwise, refraining from transferring control to the main initialization code.
    Type: Grant
    Filed: June 28, 2002
    Date of Patent: May 8, 2007
    Assignee: Intel Corporation
    Inventors: Willard M. Wiseman, David W. Grawrock
  • Patent number: 7213265
    Abstract: Security policy manager devices are leveraged by manager objects to use highly secure user transparent communications to provide detection of questionable activities at every node, automatic collection of information related to any potential attack, isolation of the offending object with arbitrary flexibility of response (e.g. flexibly determining the level of certainty of an attack for initiation of a response in accordance with the number of nodes to be partitioned that is determined by the collected data concerning the potential attack), changing trust relationships between security domains, limiting the attack and launching offensive information warfare capabilities (e.g. outbound from the compromised node while limiting or eliminating inbound communications) in log time and simultaneously and/or concurrently in different but possibly overlapping sections or segments of a digital network of arbitrary configuration.
    Type: Grant
    Filed: October 11, 2001
    Date of Patent: May 1, 2007
    Assignee: Lockheed Martin Corporation
    Inventor: Michael C. Dapp
  • Patent number: 7200759
    Abstract: A method is disclosed of making information contents of memory-cells of a volatile semiconductor memory irretrievable. In a first step a digital pattern is generated and in a second step the information contents are overwritten with the digital pattern at least two times. The digital pattern is predefined, comprising both zeros and ones and overwrites the information contents alternately with its complementary pattern.
    Type: Grant
    Filed: June 8, 2001
    Date of Patent: April 3, 2007
    Assignee: Safenet B.V.
    Inventor: Robert Vincent Michel Oerlemans
  • Patent number: 7197765
    Abstract: A method receives input data and determines if a salt value exists. The method generates a salt value and stores the salt value in a table entry if the salt value does not exist. The method further retrieves the salt value from the table entry if the salt value exists and generates a hash from the salt value and the input data. The method further includes generating a password from the hash and returning the password to an application to gain entry to the application. Also a program storage device readable by a machine includes instructions that cause the machine to perform similarly to the method.
    Type: Grant
    Filed: December 29, 2000
    Date of Patent: March 27, 2007
    Assignee: Intel Corporation
    Inventors: Keen W. Chan, Ernest F. Brickell
  • Patent number: 7197769
    Abstract: Methods and systems of screening input strings that are intended for use by a Web server are described. In the described embodiment, an attack pattern is determined that can be used to attack a Web server. A search pattern is defined that can be used to detect the attack pattern. The search pattern is defined in a flexible, extensible manner that permits variability among its constituent parts. An input string that is intended for use by a Web server is received and evaluated using the search pattern to ascertain whether the attack pattern is present. If an attack pattern is found that matches the search pattern, then a remedial action is implemented.
    Type: Grant
    Filed: February 3, 2006
    Date of Patent: March 27, 2007
    Assignee: Microsoft Corporation
    Inventors: Michael Howard, Vikas Malhotra
  • Patent number: 7188258
    Abstract: A method (and system) for guaranteeing authenticity of an object, includes providing a sample of material obtainable only by at least one of chemical and physical processes such that the sample is random and not reproducible, associating a number reproducibly to the sample by using a specific reader, and forming at least one coded version of the number, the at least one coded version being obtained by a key signature, and the version being recorded into an area of the object.
    Type: Grant
    Filed: September 17, 1999
    Date of Patent: March 6, 2007
    Assignee: International Business Machines Corporation
    Inventors: Gaurav Aggarwal, Nabil Mahmoud Amer, Vernon Ralph Austel, Pradeep Kumar Dubey, Ashutosh Kulshreshtha, Marco Martens, Bruce Albert Scott, Sean William Smith, Charles Philippe Tresser, Robert Jacob von Gutfeld, Steve Harris Weingart, Chai Wah Wu
  • Patent number: 7188242
    Abstract: A method for content access control operative to enable authorized devices to access protected content and to prevent unauthorized devices from accessing protected content, the method comprising: providing a plurality of authorized devices; dividing the plurality of authorized devices into a plurality of groups, each of the plurality of authorized devices being comprised in at least one of the plurality of groups, no two devices of the plurality of authorized devices being comprised in exactly the same groups; determining whether at least one device of the plurality of authorized devices is to be prevented from having access to the protected content and, if at least one device is to be prevented, removing all groups comprising the at least one device from the plurality of groups, thus producing a set of remaining groups; and determining an authorized set comprising groups from the set of remaining groups, such that each device of the plurality of authorized devices which was not determined, in the determining
    Type: Grant
    Filed: February 3, 2005
    Date of Patent: March 6, 2007
    Assignee: NDS Ltd.
    Inventor: Yevgeny Yakov (Gene) Itkis
  • Patent number: 7174460
    Abstract: In a distributed digital signature generation method, the method includes the steps of: generating partial signature keys by distributed processes, generating partial digital signatures by using the partial signature keys for the hash value of an input digital document to which additional information such as time is added, combining a predetermined threshold number of partial digital signatures, performing a transformation process on the partial digital signatures according to the combination, and generating an integrated digital signature from the result of the transformation process, in which a least common multiple of predetermined values is used as a transformation number, and it is judged whether an incorrect partial digital signature exists and the number is one, and the incorrect partial digital signature is identified when the number is one.
    Type: Grant
    Filed: February 22, 2002
    Date of Patent: February 6, 2007
    Assignee: Nippon Telegraph and Telephone Corporation
    Inventors: Eiichi Horita, Satoshi Ono
  • Patent number: 7171693
    Abstract: The present invention discloses an improved information security system and method. A polymorphic engine is used to enhance the security features of a software application and the data generated by or made available to the application and/or the operating system. The polymorphic engine operates to randomly alter the standard executable code of the original application while preserving its functional characteristics. Each polymorphed instance of the application differs from any other instance of the same application in form only. Various other security features operate to protect the polymorphic engine itself and/or the polymorphed code generated therefrom. These other security features include: just-in-time instruction code decryption; virtual CPU instruction code pre-processing; call mutation; stack manipulation; secure hook-capture of device input; secure display device output; application level decryption of encrypted hardware data streams; and a dynamic, randomly configured graphical keypad interface.
    Type: Grant
    Filed: May 14, 2001
    Date of Patent: January 30, 2007
    Assignee: Xtreamlok Pty Ltd
    Inventors: David Tucker, Matt A. Crump, Jerome Witmann
  • Patent number: 7168092
    Abstract: A portable storage device, for example a secure smart card, contains network identification information and configuration information for a processing unit that is connectable to a data communications network, which processing unit includes a device reader for reading the portable storage device. The portable storage device includes storage and an access controller. The storage holds a network identity and configuration information for the processing unit and at least one encryption key. The access controller is operable to control access to the storage by implementing key-key encryption. An embodiment of the invention thus provides a medium not only for storing a network identity and configuration information for the processing unit, but also for other secure information such as an encryption key associated therewith.
    Type: Grant
    Filed: February 28, 2002
    Date of Patent: January 23, 2007
    Assignee: Sun Microsystems, Inc.
    Inventors: James E. King, Martin P. Mayhead
  • Patent number: 7162638
    Abstract: An electronic data management system for accurately determining the authenticity of the electronic data and the specification of the source of unauthenticated electronic data. A drawing output processor transmits original electronic drawing data A1 to an order receiving unit with a tag T attached. The order receiving unit and a manufacturing unit transmit a manufacturer's copied data B2(T) copied from the original data A1(T) to an inspection unit. The inspection unit transmits the inspection result Fa for the product M, the client's copied data A2 re-copied from the original data A1, and the manufacturer's copied data B2 (T) to a determination unit. The determination unit compares the tag T extracted from the manufacturer's copied data B2 with the original value of the client's copied data A2 and the original value of the manufacturer's copied data B2 and determines the authenticity of the client's copied data A2 and the manufacturer's copied data B2.
    Type: Grant
    Filed: January 5, 2001
    Date of Patent: January 9, 2007
    Assignee: Honda Giken Kogyo Kabushiki Kaisha
    Inventor: Takuji Yoshihiro
  • Patent number: 7152239
    Abstract: A system and method are disclosed for preventing detection of a computer connection to an external device. The external device is connected to the computer via a connectionless port. A key to be used to generate valid authorization information to be included in all valid data packets sent between the computer and the external device is provided. The external device is configured to reply to any packet in which the required valid authorization information is not present with the packet that would be sent if the connectionless port were not in use.
    Type: Grant
    Filed: July 14, 2000
    Date of Patent: December 19, 2006
    Assignee: Symantec Corporation
    Inventors: Michael P. Lyle, Robert F. Ross, James R. Maricondo
  • Patent number: 7151832
    Abstract: Dynamic varying of encrypting of a stream of data at an encryption unit based on data content is disclosed. The dynamic varying of the encrypting, which can be responsive to passage of a predefined number of units of physical data or passage of a predefined number of conceptual units of data, is accomplished by changing at least one encryption parameter over different portions of the data. The at least one encryption parameter can comprise one or more of an encryption key, an encryption granularity, an encryption density scale, an encryption density, an encryption delay, an encryption key update variable, and an encryption key update data trigger. The change in encryption parameter is signaled to a receiver's decryption unit and used by the decryption unit in decrypting the dynamically varied encrypted stream of data. The stream of data may comprise, e.g., MPEG compressed video or audio.
    Type: Grant
    Filed: November 18, 1999
    Date of Patent: December 19, 2006
    Assignee: International Business Machines Corporation
    Inventors: John Edward Fetkovich, Wai Man Lam, George William Wilhelm, Jr.
  • Patent number: 7149896
    Abstract: Systems and methods for providing network access, e.g. Internet access, are described. An architecture includes a host organization network through which network access is provided. The host organization network can be advantageously deployed in public areas such as airports and shopping malls. An authentication/negotiation component is provided for authenticating various users and negotiating for services with service providers on behalf of the system users. The authentication/negotiation component can include one or more specialized servers and a policy manager that contains policies that govern user access to the Internet. An authentication database is provided and authenticates various users of the system. An access module is provided through which individual client computing devices can access the Internet. In one embodiment, the access module comprises individual wireless access points that permit the client computing devices to wirelessly communicate data packets that are intended for the Internet.
    Type: Grant
    Filed: May 5, 2000
    Date of Patent: December 12, 2006
    Assignee: Microsoft Corporation
    Inventors: Paramvir Bahl, Srinivasan Venkatachary, Anand Balachandran
  • Patent number: 7150038
    Abstract: One embodiment of the present invention provides a system that facilitates accessing to a plurality of applications that require passwords. When the system receives a request for a password from an application running on a remote computer system, the system first authenticates the request to ensure that it originated from a trusted source. Next, the system uses an identifier for the application to look up the password for the application in a password store, which contains passwords associated with the plurality of applications. If the password exists in the password store, the system sends the password or a function of the password to the application on the remote computer system. Hence, the system creates the illusion that there is a single sign on to a large number of applications, whereas in reality the system automatically provides different passwords to the applications as they are requested.
    Type: Grant
    Filed: April 6, 2000
    Date of Patent: December 12, 2006
    Assignee: Oracle International Corp.
    Inventor: Vipin Samar
  • Patent number: 7131005
    Abstract: A component for use in a prospective vehicle obtains from a certification authority a certification that an authentic vehicle is associated with a cryptographic key. The certification certifies that the cryptographic key is bound to information identifying the authentic vehicle. The component utilizes the cryptographic key obtained from the certification authority in cryptographic communication with the prospective vehicle, and determines whether the prospective vehicle is the authentic vehicle based on whether the cryptographic key is successfully utilized in the cryptographic communication. Upon determining the prospective vehicle is the authentic vehicle, the component may allow the prospective vehicle to operate the component.
    Type: Grant
    Filed: June 28, 2002
    Date of Patent: October 31, 2006
    Assignee: Motorola, Inc.
    Inventors: Samuel M. Levenson, John D. Bruner, Ezzat A. Dabbish, Walton L. Fehr, Larry C. Puhl, Jurgen Reinold
  • Patent number: 7127620
    Abstract: A coding device for implementing a cryptographic encryption and/or access authorization includes a data processing unit, a decoupling unit, a power supply interface, a main clock supply unit, and a power profile generator generating a power profile and superimposing it on a power profile of the data processing unit to prevent an attack by correlation analysis of the power profile.
    Type: Grant
    Filed: May 3, 2002
    Date of Patent: October 24, 2006
    Assignee: Infineon Technologies AG
    Inventor: Gregor Boeckeler
  • Patent number: 7120253
    Abstract: A key protected data stream and an encryption key are received at a gateway device. The gateway device unprotects the data stream based upon the encryption key. The unprotected received data is modified by the gateway to generate modified data. The modified data is protected based upon the encryption key to generate key protected modified data. The gateway then transmits the key protected modified data to one or more clients along with the encryption key.
    Type: Grant
    Filed: May 2, 2002
    Date of Patent: October 10, 2006
    Assignee: VIXS Systems, Inc.
    Inventors: Paul Ducharme, Steven Eng
  • Patent number: 7100045
    Abstract: Each of the embodiments of the present invention supplies date information issued from a third party to a digital signature of a first user apparatus for an electronic document. Originality of the electronic document is ensured by applying the digital signature of the third party to a set of the digital signature and date information. No electronic document is transmitted to the third party apparatus during originality assurance of the electronic document. Accordingly, it is possible to decrease loads to the third party and associated networks even if the third party apparatus is congested with accesses. Since there is registered an undeniable signature for a second user apparatus, it is possible to prevent the second user apparatus from denying the reception.
    Type: Grant
    Filed: November 21, 2001
    Date of Patent: August 29, 2006
    Assignee: Kabushiki Kaisha Toshiba
    Inventors: Asahiko Yamada, Shuji Harashima