Abstract: A document rights management system (DRM) defines an unrenderable origin designator in a media item that does not display or alter the physically rendered version of an instantiation of the media item. The unrenderable designator does not appear as an obscured or occluded feature in a printed or displayed versions. The rendered version is unaffected by the unrenderable designator because it does not result in any displayable features. The unrenderable designator is stored in a display list of the media item and appears as an attribute of objects such that the function to cause the display object to be undisplayable, or unrenderable, are not immediately apparent. The DRM system encodes a designator in an attribute of a display object for rendering according to a media rendering format such as PDF, such that the designator causes the display object to be unrenderable and indicates the origin of the media item.

Abstract: A network access control system includes an information device that has access to a relay device which relays communication in a communication network, by the use of access information, and performs communication via the relay device, and a management unit that finds information devices, wherein when the found information device has no access to the relay device and is a second information device which is allowed to have access to the relay device by a first information device, the management unit transmits the access information to the second information device without a request for authentication.

Abstract: A flexible network security system and method is provided for permitting a trusted process. The system includes a port monitoring unit for extracting information about a server port being used through a network communication program, an internal permitted program storage for extracting information about a program for which communication is permitted by the firewall and registering the extracted information, an internal permitted port storage registering the extracted information if the network communication program is registered in the internal permitted program storage; and a device for making the firewall flexible, determining whether a destination port of a packet of inbound traffic has been registered in the internal permitted port storage, and if the destination port has not been registered, transmitting the corresponding packet to the firewall, and if the destination port has been registered, allowing the corresponding packet to bypass the firewall.

Abstract: A method comprising, receiving a source code, identifying a data structure access in the source code, determining whether the data structure access is associated with a security check function, defining the data structure access as a security sensitive operation responsive to determining that the data structure access is associated with the security check function, and defining a security specification to include the security check function and the security sensitive operation.

Abstract: A method and system manage a hierarchy of passwords for users accessing a hierarchy of access control devices. First, a codeword is acquired and a syndrome of the codeword is determined. Next, the codeword is randomly modified with a probability p to produce a modified codeword. The modified codeword is selected and assigned to a user as a password, if the modified codeword is recoverable.

Abstract: A method for installing authentication credentials on a remote network device. A remote network device without valid authentication credentials may be connected to a port of an authenticating network switch, and the authentication protocols of the port may be enabled. A Network Access Control (NAC) credential service validates the remote network device comparing a received remote device identifier against a previously stored remote device identifier. The received remote device identifier may be received from the remote network device using a network when the remote network device attempts to access a private network. The NAC credential service disables the authentication protocols of the port in response to validating the received remote device identifier. The NAC credential service installs authentication credentials on the remote network device using encrypted data, so an untrusted entity cannot view the authentication credentials.

Abstract: A secure correlation identifier (SCID) for authentically correlating notifications received from event sources with subscriptions, a SCID authentication system and method of filtering unsolicited messages are provided. The SCID comprises a correlation identifier for making the SCID unique, a sequence of bits concatenated with the correlation identifier and a secure tag concatenated with the concatenation of the correlation identifier and the sequence of bits. The system comprises a SCID generator for generating a SCID to be used in a message and a SCID authenticator for authenticating the SCID. The method comprises the steps of receiving a notification message having a SCID, verifying that that SCID is authentic, accepting the message if the SCID is authentic and rejecting the message if the SCID is not authentic.

Abstract: A monitoring device is provided on a LAN to which a communication device that is a target of a denial-of-service attack is connected, and monitors a packet transmitted to the communication device via an ISP network. A restricting device is provided on the ISP network, and restricts a packet to the LAN. The monitoring device detects an attack by the packet on the communication device, and transmits protection request information indicating a request for protection against the attack to the restricting device. The restricting device restricts a packet transmitted to the communication device via the ISP network based on the protection request information.

Abstract: An electronic certificate issuance system comprising at least one communication device, and an electronic certificate issuing device for issuing a set of an electronic certificate and a private key corresponding to the electronic certificate as a certification set for each of the at least one communication device, is provided. The electronic certificate issuing device includes a first connecting interface, an obtaining system, which is adapted to obtain a node ID assigned to each of the at least one communication device, a generating system, and a writing system. The at least one communication device includes a second connecting interface, a judging system, and an installing system.

Abstract: A method for generating an n-bit result includes a secured containment device (SCD) receiving a request to generate the n-bit result. The request includes an n-bit generator input and a master secret identifier. The request is sent from an application executing on a host system using an input/output (I/O) interface. The SCD disables all I/O interfaces on the SCD between the host system and the SCD. After disabling all the I/O interfaces on the SCD between the host system and the SCD, the SCD provides the n-bit generator input and the master secret identifier to a secured hardware token over a second I/O interface, receives the n-bit result from the secured hardware token over the second I/O interface, enables at least the first I/O interface after the n-bit result is generated, and provides, after enabling the first I/O interface, the n-bit result to the application using the first I/O interface.

Abstract: A method is provided for establishing a split-terminated secure communication connection between a client and a server. A first network intermediary intercepts a secure communication connection request directed from the client to the server. A second intermediary having a digital certificate in the name of the server (and a corresponding private key) acts in place of the server to establish a first secure communication session with the client, during which it receives a secret from the client for generating the session key. The second intermediary supplies the secret and/or the session key to the first intermediary, which allows the first intermediary to establish follow-on secure communication sessions in which the secret is reused. The second intermediary may also supply the first intermediary with a copy of its certificate so that it can respond to new secure communication requests and, yet further, may also supply a copy of the private key.

Abstract: The present invention relates to a method for ensuring the security of an open platform. Specifically, the present invention pertains to a method of using a validation program, itself highly secure, to evaluate and securely flag files in software to be loaded and used on palmtop computing devices. The method prevents the infiltration and unauthorized installation of viruses, Trojans, and other known methods of compromising security in an open-platform system. Control of access to the operating system and the operation of applications and macros in a palmtop device is therefore maintained in the user.

Abstract: A system and method for non-real-time validation of an electronically signed message transmitted via an asynchronous communications link is provided. The method includes creating an electronic message comprising an electronically signed data entry created by executing a secure data application first portion (SDA1) module hosted by a mobile system. The method additionally includes passing the message to a communications management function first portion (CMF1) module via a synchronous interface. The CMF1 module is hosted by the mobile system. The method further includes transmitting the message from the CMF1 module to a communications management function second portion (CMF2) module in a temporally delayed manner using an asynchronous communications link. The CMF2 module is hosted by a central computer system (CCS) located remotely from the mobile system. The method further yet includes validating the electronically signed entry in a temporally delayed manner utilizing a user database.

Abstract: A data security device for providing a network transport connection via a transparent network proxy that employs different encryption security mediums along a communications session between two endpoints by emulating one of the endpoints at an intermediate node such that the communication session appears as an atomic, secure connection to the endpoints yet provides appropriate security over the end-to-end connection. A sender node sends a connection request to establish a secure communication session with an intended receiver node. A transparent proxy on an intermediate node receives the request and establishes the link employing an encryption mechanism. The transparent proxy establishes a second link with the intended receiver, and applies a second, less expensive encryption mechanism. The transparent proxy combines the two links to form the trusted, secure connection but incurring only the mitigated expense over the second link.

Abstract: A computer divides a target electronic document into a plurality of document segments. Then, the computer generates a signature (s, t) that includes a set of two values having a signature value s forming a signature on the electronic document and a deletion signature value t used for deletion, the signature value s which serves as a body of the signature being formed by a superposition of signature information on the individual document segments. Then, in a case where one of the plurality of document segments obtained by the division is to be extracted, the computer superimposes deletion information of a document segment to be deleted on the deletion signature value t to generate a new signature value t?, and produces an updated signature (s, t?).

Abstract: A method, integrated circuit chip, and computer program product for cryptographically processing an input value with Elliptic Curve Cryptography (ECC) using ECC scalar multiplication are provided. The ECC scalar multiplication is performed with the use of an enhanced acceleration table (EAT). The EAT uses multiple running totals, at least one of which has a multiplier above 2.

Abstract: A computer readable medium stores a data management program that manages data, provides the data to a client connected over a network, and is capable of performing communications in accordance with a plurality of types of protocols, the data management program causing a computer to execute a process for the data management, the process comprising managing an access right to the data; managing basic policy information concerning a protocol used for providing the data to the client; managing protocol information that sets, for each protocol, data capable of using the protocol as a protocol used for providing the data; analyzing an environment of the client when a data request from the client is received; and determining a protocol used for providing the requested data according to the analyzed client environment, the access right, the basic policy information and the protocol information.

Abstract: A device that relieves a service provider of the burden of managing personal information. A group administration organization device admits a user device to an authorized group by request and sends authority permission information to the user device. The user device holds the authority permission information received from the group administration organization device and, on access, sends authority proof information created from the authority permission information using a group signature scheme to a service provider device as requested by it. The service provider device, upon being accessed, requests the authority proof information and verifies the authority proof information received from the user device in accordance with the request on the basis of the group signature scheme. When the verification result indicates validity, the service provider device provides a service.

Abstract: A device for locating a DES key value that corresponds to a packet identification (PID) contained at a variable possible location which comprises part only of a 32-bit packet header. A table stored in memory contains for each DES key: (i) a packet header having 32 bits with a PID of either 12, 9 or 8 bits contained at a defined location and with zero values elsewhere, and (ii) a mask value also having 32 bits with ones contained at the said defined location of the PID and zeros elsewhere. The table is divided into regions for respective packet format types. An incoming packet header at an input is combined with a first one of the mask values from the table to provide a combined value that consists of the value held in the input packet header at the defined location and zeros elsewhere. This combined value is compared with the corresponding packet header stored in the table. When they are not equal, the combining and comparison is repeated for the next row of the table.

Abstract: A method of requesting and issuing a certificate from certification authority for use by an initiating correspondent with a registration authority is provided. The initiating correspondent makes a request for a certificate to the registration authority, and the registration authority sends the request to a certificate authority, which issues the certificate to the registration authority. The certificate is stored at a location in a directory and this location is associated with a pointer such as uniform resource locator (URL) that is derived from information contained in the certificate request. The initiating correspondent computes the location using the same information and forwards it to other corespondents. The other correspondents can then locate the certificate to authenticate the public key of the initiating correspondent.