Patents Examined by Minh Dieu Nguyen
  • Patent number: 7706528
    Abstract: A prime calculating apparatus calculating a prime and determining whether the prime has been duly generated. The prime calculating apparatus (i) generates a random number, (ii) calculates a multiplication value R by multiplying a management identifier by the random number, and (iii) calculates a prime candidate N, according to N=2×(multiplication value R+w)×prime q+1, with respect to w satisfying an equation of 2×w×prime q+1=verification value (mod management information). Then, the prime calculating apparatus judges whether the calculated prime candidate N is a prime, and outputs the calculated prime candidate N as a prime when determining that it is a prime.
    Type: Grant
    Filed: December 21, 2004
    Date of Patent: April 27, 2010
    Assignee: Panasonic Corporation
    Inventors: Yuichi Futa, Motoji Ohmori
  • Patent number: 7702099
    Abstract: A symmetric encryption/decryption method includes the steps of selecting a diffused mechanism, and the diffused mechanism includes at least one selected from a shift point, a block and a frame; obtaining a plurality of bits required for a cipher by the diffused mechanism and the element number of each dimension of a plaintext; carrying out at least one diffused operation for the plaintext; repeating the foregoing steps to achieve the effect of encrypting the plaintext. Since the sum of the encryption diffused times and the decryption diffused times equals the diffused cycle, the cipher can be read and at least one dimensional diffused operation of the ciphertext can be carried out, thus achieving the effect of decrypting the ciphertext.
    Type: Grant
    Filed: June 30, 2005
    Date of Patent: April 20, 2010
    Inventor: Chiou-Haun Lee
  • Patent number: 7698551
    Abstract: A tree is used to partition stateless receivers in a broadcast content encryption system into subsets. Two different methods of partitioning are disclosed. When a set of revoked receivers is identified, the revoked receivers define a relatively small cover of the non-revoked receivers by disjoint subsets. Subset keys associated with the subsets are then used to encrypt a session key that in turn is used to encrypt the broadcast content. Only non-revoked receivers can decrypt the session key and, hence, the content.
    Type: Grant
    Filed: April 28, 2005
    Date of Patent: April 13, 2010
    Assignee: International Business Machines Corporation
    Inventors: Jeffrey Bruce Lotspiech, Dalit Naor, Simeon Naor
  • Patent number: 7698743
    Abstract: A DVD terminal (20) makes a request for sending a sub-content to an authentication server (40) (in this case, attaches the “model name and serial number” of the DVD terminal (20)) (S302). The authentication server (40) generates a random number R (S304) and sends it to the DVD terminal (20) (S306). The DVD terminal (20) reads a terminal key and a terminal ID that are stored in a terminal information memory unit (25), decrypts the received random number R using a terminal key (SK_X) (S308) and sends this and the terminal ID (ID_X) to the authentication server (40) (S310). The authentication server (40) verifies the random number R and the terminal ID that are received from the DVD terminal (20) and encrypted, and judges whether the DVD terminal (20) is the authenticated terminal or not (S312).
    Type: Grant
    Filed: December 20, 2004
    Date of Patent: April 13, 2010
    Assignee: Panasonic Corporation
    Inventors: Motoji Ohmori, Shunji Ohara, Takashi Katayama
  • Patent number: 7698553
    Abstract: In a wireless communication system with an air interface comprised of a plurality of bursts, a communication device (102) receives a burst (200). The burst comprises payload (206, 208), a first indicator (202) and a second indicator (204). Upon receipt of the burst, the communication device determines a value of the first indicator to determine whether end-to-end encryption is applied to at least a portion of the payload, and determines a value of the second indicator to determine whether air interface encryption is applied to at least a portion of the payload.
    Type: Grant
    Filed: May 20, 2003
    Date of Patent: April 13, 2010
    Assignee: Motorola, Inc.
    Inventors: Robert A. Biggs, Donald G. Newberg
  • Patent number: 7694142
    Abstract: A system for distributing digital content over a computer network (e.g., the Internet) uses certificates to establish a trust relationship between a content provider and a display device. The certificates identify the display device and the content provider as well as unique characteristics of the distribution. For example, the content provider may be a book publisher and the display device may be a printer/binder.
    Type: Grant
    Filed: May 16, 2005
    Date of Patent: April 6, 2010
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Chit Wei Saw, Slawomir K. Ilnicki, Christian J. van den Branden Lambrecht, Joyce E Farrell, Cormac Herley, Joan Maria Mas Ribes
  • Patent number: 7665120
    Abstract: Example embodiments provide for a rule-based wizard type tool for generating secure policy documents. Wizard pages present a user with general Web Service security options or questions at a user interface, which abstracts the user from any specific code, e.g., XML code, used for creating a Web Service policy document. Based on user input selecting general criteria, security rules are accessed and evaluated for automatically making choices on behalf of the user for creating a secure policy document. Other embodiments also provide for presenting the user with an easily understandable visual representation of selected criteria of a policy document in, e.g., a tree like structure that shows relationships between various elements of the criteria.
    Type: Grant
    Filed: February 10, 2005
    Date of Patent: February 16, 2010
    Assignee: Microsoft Corporation
    Inventors: Govindaraj Ramanathan, Hervey O. Wilson, Keith W. Ballinger, Vick B. Mukherjee
  • Patent number: 7661124
    Abstract: Example embodiments provide for a rule-based wizard type tool for generating secure policy documents. Wizard pages present a user with general Web Service security options or questions at a user interface, which abstracts the user from any specific code, e.g., XML code, used for creating a Web Service policy document. Based on user input selecting general criteria, security rules are accessed and evaluated for automatically making choices on behalf of the user for creating a secure policy document. Other embodiments also provide for presenting the user with an easily understandable visual representation of selected criteria of a policy document in, e.g., a tree like structure that shows relationships between various elements of the criteria.
    Type: Grant
    Filed: October 5, 2004
    Date of Patent: February 9, 2010
    Assignee: Microsoft Corporation
    Inventors: Govindaraj Ramanathan, Hervey O. Wilson, Keith W. Ballinger, Vick B. Mukherjee
  • Patent number: 7634084
    Abstract: The present invention offers a prime calculating apparatus for achieving prime calculation where producing identical primes is avoided by simple management techniques. The prime calculating apparatus stores a known prime q and management information unique in the use range of primes. The prime calculating apparatus reads the management information; generates random information R based on the read management information; reads prime q; calculates prime candidate N, according to N=2×random information R×prime q+1, using the read prime q and generated random information R; tests whether the calculated prime candidate N is a prime; and outputs the calculated prime candidate N as a prime when the primality of the calculated prime candidate N is determined. Herewith, the prime calculating apparatus is able to calculate prime candidates from unique management information while avoiding producing identical primes.
    Type: Grant
    Filed: December 21, 2004
    Date of Patent: December 15, 2009
    Assignee: Panasonic Corporation
    Inventors: Yuichi Futa, Motoji Ohmori
  • Patent number: 7627891
    Abstract: A prevention-based network auditing system includes a central compliance server generating network policies and configuring audits of the data communications network. The compliance server presents a graphical user interface (GUI) to describe the specific data gathering parameters, policies to be analyzed, and the schedule of analysis. One or more audit servers strategically deployed around the network employ heterogeneous data-gathering tools to gather information about the network in response to the configured audits, and transmit the gathered information to the compliance server. An audit repository stores the gathered information for use by the compliance server for security and regulatory policy assessment, network vulnerability analysis, report generation, and security improvement recommendations.
    Type: Grant
    Filed: February 13, 2004
    Date of Patent: December 1, 2009
    Assignee: Preventsys, Inc.
    Inventors: John Leslie Williams, Brian Costello, John Patrick Ravenel, John Payne, Ryan Tadashi Nakawatase, Thomas Paul Walpole, Stephen J. Ritter, John Pelly, M. Celeste Rutherford
  • Patent number: 7627752
    Abstract: A communication system, which performs communication using a transmission packet encrypted by an IP-SEC encrypting method, includes a first encrypting circuit that encrypts a transmission packet by an IP-SEC encrypting method, a second encrypting circuit that encrypts header data to be used to decode the transmission packet encrypted by the first encrypting circuit, and a transmitting circuit that transmits the transmission packet whose header is encrypted by the second encrypting circuit. The communication system further includes a first decoding circuit that decodes the authentication data of the reception packet using information to be used to decode the authentication data recorded in the IP-SEC header of the transmission packet and a second decoding circuit that decodes the reception packet using the authentication data decoded by the first decoding circuit.
    Type: Grant
    Filed: September 27, 2007
    Date of Patent: December 1, 2009
    Assignee: NEC Corporation
    Inventor: Tadahiko Sakaguchi
  • Patent number: 7596224
    Abstract: An encryption capable communication device (10) can include a transceiver (38 and 44) and a processor (12) coupled to the transceiver. The processor can be programmed to receive notification of a secure call alert indicative of a desire for secure communications between an alerting device and the encryption capable communication device serving as a recipient device and further cause the recipient device to switch (64) to a secure mode in response to receipt of the notification. The processor can be further programmed to initiate a key exchange (67) between the alerting device and the recipient device if needed and automatically respond (70) to the secure call alert by the recipient device in the secure mode when a user of the recipient device selectively responds to the secure call alert. The processor can also establish a symmetric traffic key during the key exchange using Automatic Public Key exchange techniques.
    Type: Grant
    Filed: December 7, 2004
    Date of Patent: September 29, 2009
    Assignee: Motorola, Inc.
    Inventors: Keith M. Klug, Stuart S. Kreitzer, Fred R. Villa
  • Patent number: 7594257
    Abstract: A computing system includes data encryption in the data path between a data source and data storage devices. The data storage devices may be local or they may be network resident. The data encryption may utilize a key which is derived at least in part from an identification code stored in a non-volatile memory. The key may also be derived at least in part from user input to the computer. In a LAN embodiment, public encryption keys may be automatically transferred to a network server for file encryption prior to file transfer to a client system.
    Type: Grant
    Filed: September 14, 2006
    Date of Patent: September 22, 2009
    Assignee: Micron Technology, Inc.
    Inventor: Doug L. Rollins
  • Patent number: 7591008
    Abstract: Example embodiments provide for authenticating a device to multiple servers without using delegation or having to have a password stored on the device. Multiple certificates that are typically non-delegable are used to authenticate the device to each server. One certificate is used to authenticate the client with the front-end server and a second certificate is used to authenticate the client against a back-end server. Rather than having both certificates reside with the device, however, the second certificate is originally stored by the client in the back-end. It is then retrieved “on-the-fly” by the front-end upon authentication of the client and used to authenticate itself as the client in order to act on behalf of the client when retrieving data from the back-end server.
    Type: Grant
    Filed: June 30, 2005
    Date of Patent: September 15, 2009
    Assignee: Microsoft Corporation
    Inventors: Selvaraj Nalliah, Andrew S. Moss, David P. Limont, Gregory A. Bolles, John Allen Atwood, Massimiliano Ciccotosto
  • Patent number: 7587752
    Abstract: Methods and apparatus for providing a control channel in a data network. A method is provided that operates to provide a control channel in a data network. The method includes receiving one or more server digests, and generating a control channel digest from the one or more server digests. The method also includes communicating with a device, and transmitting the control channel digest to the device.
    Type: Grant
    Filed: March 1, 2006
    Date of Patent: September 8, 2009
    Assignee: QUALCOMM Incorporated
    Inventors: Thadi M. Nagaraj, Ravinder Paul Chandhok
  • Patent number: 7584365
    Abstract: A storage system encrypts a plain text received from an external device and stores the cryptogram into a disk unit and, thereafter, decrypts the stored data in the disk unit and transmits the decrypted text to the external device. The storage system includes an encryption unit for encrypting first data received from the external device, a decryption unit for decrypting the encrypted data into second data, and a comparison unit for comparing the first and second data. When the first data and the second data are in disagreement, the first data is encrypted by an encryption unit different from the encryption unit that encrypted the first data and the encrypted data is decrypted by the decryption unit into third data, whereupon the first data and the third data are compared. When the first data and the third data are also in disagreement, a failure report is sent to the external device.
    Type: Grant
    Filed: June 23, 2005
    Date of Patent: September 1, 2009
    Assignee: Hitachi, Ltd.
    Inventors: Makio Mizuno, Kazuhisa Fujimoto
  • Patent number: 7577836
    Abstract: The device tracking location adherence and route adherence technology, according to an exemplary embodiment of this invention, at least provides for secure message reception from a remote device. The present invention allows for secure data transmission between a remote device and while employing a small amount of bandwidth thereby providing a cost-effective data transmission system. This is especially advantageous where a fleet of remote devices is employed within a network.
    Type: Grant
    Filed: January 16, 2004
    Date of Patent: August 18, 2009
    Assignee: Verizon Business Global LLC
    Inventors: Gagan Puranik, Laymon Scott Humphries
  • Patent number: 7577996
    Abstract: Devices, systems and related methods are disclosed for improving operational security of a network and/or network devices, such as wireless access points (APs). In the disclosed systems, a network device is not fully operational until it is attached to a network and downloads sensitive information. The information is stored in the network device so that when the device is disconnected from the network, the sensitive information is erased from the device, making the device inoperative and removing sensitive information, such as passwords, network security keys, or the like. Disabling the network device in this manner not only prevents the theft of sensitive network access information, but also discourages theft of the device itself because it cannot be used on another network without the configuration information. In addition to downloading configuration information, the network device can also download an executable image that is likewise not permanently resident on the device.
    Type: Grant
    Filed: February 6, 2004
    Date of Patent: August 18, 2009
    Assignee: Extreme Networks
    Inventors: Shehzad T. Merchant, Derek H. Pitcher, Victor C. Lin, Manish M. Rathi, Jia-Ru Li, Matthew R. Peters, Balaji Srinivasan, Vipin K. Jain, Amit K. Maitra
  • Patent number: 7565542
    Abstract: A method of authenticating an object in which a computer system receives indicating data from a sensing device. The indicating data is generated in response to sensing of coded data provided on or in a surface associated with the object and is indicative of an identity of the object and at least part of a signature. The signature is in turn a digital signature of at least part of the identity. The computer system uses the indicating data to determine a received identity and a received signature part, before using the received identity to determine at least a determined signature part. The determined signature part is then compared to the received signature part to authenticate the object.
    Type: Grant
    Filed: January 25, 2005
    Date of Patent: July 21, 2009
    Assignee: Silverbrook Research Pty Ltd
    Inventors: Kia Silverbrook, Paul Lapstun
  • Patent number: 7562389
    Abstract: In accordance with one embodiment of the present invention, a method includes receiving a packet at a physical interface of a network security gateway. The packet is tagged with a first VLAN identifier associated with an external network. The method also includes communicating a copy of the packet to a first processor, analyzing the copy of the packet at the first processor to determine whether the packet violates a security condition, and communicating a reply message from the first processor to the interface. The reply message indicates whether the packet violates a security condition. If the packet does not violate a security condition, the method includes re-tagging the packet with a second VLAN identifier associated with a protected network by using a second processor at the physical interface. The method further includes communicating the re-tagged packet to the protected network if the packet does not violate a security condition.
    Type: Grant
    Filed: July 30, 2004
    Date of Patent: July 14, 2009
    Assignee: Cisco Technology, Inc.
    Inventors: Rajan Goyal, Virgil N. Mihailovici, Rahul Gupta, Pere Monclus, Ahsan Habib, Kirtikumar L. Prabhu, Christophe J. Paggen, Shyamasundar S. Kaluve