Patents Examined by Nadia Khoshnoodi
  • Patent number: 7796761
    Abstract: A system to exchange and authenticate public cryptographic keys between parties that share a common but secret password, using a pair of random numbers, a pair of Diffie-Hellman public keys computed from the random numbers and the password, a Diffie-Hellman symmetric secret key computed from the Diffie-Hellman public keys and the random numbers, and hashed values of arguments that depend upon these elements.
    Type: Grant
    Filed: January 13, 2009
    Date of Patent: September 14, 2010
    Assignee: International Business Machines Corporation
    Inventors: Mohammad Peyravian, Allen Leonid Roginsky, Nevenko Zunic
  • Patent number: 7793098
    Abstract: The present invention provides location privacy against third parties while allowing route-optimized communication between the correspondent node and the mobile node. The mobile node's home address is hidden from an external observer thereby thwarting traffic analysis based attacks where a Home Address is correlated with a Care of Address of a mobile node (MN). A “privacy label” is used in place of a home address associated with the mobile node. The privacy label is supplied by the mobile node to the correspondent node in a way that allows the privacy label to be bound to the home address, but does not allow the home address to be visible during the exchange. The privacy label may be also used to help prevent against replay attacks.
    Type: Grant
    Filed: May 20, 2003
    Date of Patent: September 7, 2010
    Assignee: Nokia Corporation
    Inventors: Charles E. Perkins, Rajeev Koodli, Vijay Devarapalli, Hannu Flinck
  • Patent number: 7721329
    Abstract: A method and apparatus for fine-grained, trust-based rate limiting of network requests distinguishes trusted network traffic from untrusted network traffic at the granularity of an individual user/machine combination, so that network traffic policing measures are readily implemented against untrusted and potentially hostile traffic without compromising service to trusted users. A server establishes a user/client pair as trusted by issuing a trust token to the client when successfully authenticating to the server for the first time. Subsequently, the client provides the trust token at login. At the server, rate policies apportion bandwidth according to type of traffic: network requests that include a valid trust token are granted highest priority. Rate policies further specify bandwidth restrictions imposed for untrusted network traffic.
    Type: Grant
    Filed: January 15, 2004
    Date of Patent: May 18, 2010
    Assignee: AOL Inc.
    Inventor: Christopher Newell Toomey
  • Patent number: 7712140
    Abstract: The present invention is directed to a distributed architecture of an information handling system, including a buried nucleus inaccessible for inspection without heroic means while the buried nucleus is in operation, and a trusted authority for generating a secure protocol. The secure protocol controls the operation of the buried nucleus.
    Type: Grant
    Filed: August 4, 2003
    Date of Patent: May 4, 2010
    Assignee: LSI Corporation
    Inventor: Christopher L. Hamlin
  • Patent number: 7698738
    Abstract: A method, and a corresponding apparatus, provide for real-time network-based recovery from information warfare (IW) attacks on a network that includes subnets, with each subnet including one or more nodes. The method includes executing a pre-IW attack routine to identify IW attack recovery information, in response to an IW attack, executing an IW attack response routine, and executing a real-time network-based recovery routine. The pre-IW attack routine includes monitoring conditions on the network and at each of the subnets and nodes. When an IW attack occurs at an entity in the network, condition flags are set to indicate the specific entity or entities being attacked. A condition flag set to 0 implies full operational capability of the entity, a condition flag set to 1 implies recent IW attack or IW attack in progress at the entity, and a condition flag set to 2 implies recovery of the entity from the IW attack.
    Type: Grant
    Filed: May 14, 2003
    Date of Patent: April 13, 2010
    Assignee: Northrop Grumman Systems Corporation
    Inventors: Dennis Hain McCallam, Ronald Kenneth Newland
  • Patent number: 7680274
    Abstract: A security element which is difficult to copy includes a layer composite which has microscopically fine, optically effective structures of a surface pattern, which are embedded between two layers of the layer composite. In a plane of the surface pattern, which is defined by co-ordinate axes x and y, the optically effective structures are shaped into an interface between the layers in surface portions of a holographically non-copyable security feature. In at least one surface portion the optically effective structure (9) is a diffraction structure formed by additive superimposition of a macroscopic superimposition function (M) with a microscopically fine relief profile (R). The relief profile (R), the superimposition function (M) and the diffraction structure are all functions of the co-ordinates x and y. The relief profile (R) is a light-diffractive or light-scattering optically effective structure and, following the superimposition function (M), retains the predetermined profile height.
    Type: Grant
    Filed: April 3, 2003
    Date of Patent: March 16, 2010
    Assignee: OVD Kinegram AG
    Inventors: Wayne Robert Tompkin, René Staub, Andreas Schilling
  • Patent number: 7631353
    Abstract: Computer-implemented methods, apparati, and computer-readable media for blocking the replication of computer worms in a computer. A method of the present invention comprises the steps of: for an e-mail program installed on the computer, finding the location of a temporary holding area used by the e-mail program for storing and opening e-mail attachments; monitoring the temporary holding area for openings of target programs stored within the temporary holding area; and upon the opening of a target program for execution, implementing a worm mitigation procedure.
    Type: Grant
    Filed: December 17, 2002
    Date of Patent: December 8, 2009
    Assignee: Symantec Corporation
    Inventors: Mark Kennedy, Charles Renert
  • Patent number: 7627753
    Abstract: Authenticity of digital data, security policies, and usage of game software are enforced on a game console. When the software is secured prior to distribution on media, a private key is used to encrypt a header digest that includes a digest of each section of the software and information specifying a region, a rating, and media type of the software. A hashing algorithm is applied to produce the digests. On the game console, a public key is used to decrypt the header digest for comparison to a hash of the header. A digest of each section of digital data is computed and compared to the corresponding digest in the header to authenticate the data. The console will not execute the software unless the parameters in the header information match those stored in the console and the computed digests for each section match those in the header on the medium.
    Type: Grant
    Filed: March 19, 2002
    Date of Patent: December 1, 2009
    Assignee: Microsoft Corporation
    Inventors: Jon Marcus Randall Whitten, Tracy Clayton Sharpe, Yasser B. Asmi, Jonathan E. Lange, Christopher Michael Pirich, Jonathan Gerald Thomason
  • Patent number: 7613917
    Abstract: A system and method for mass distribution of data products, such as geographic databases. An authorization server maintains a first portion of each of several data products, and each of several data distribution terminals maintains the second portion of each data product. A user may couple a portable data storage device with a data distribution terminal and select a desired data product. The terminal may then responsively obtain from the authorization server the first portion of the selected data product and record onto the data storage device both the first portion and second portion of the data product. The user may then couple the data storage device with a machine, such as a navigation system, which may then access the data product. The authorization server may secure the first portion before sending it to the data distribution terminal. The authorization server may do so by encrypting the first portion and tying the first portion together with an authorization key.
    Type: Grant
    Filed: September 18, 2000
    Date of Patent: November 3, 2009
    Assignee: Navteq North America, LLC
    Inventor: Robert Chojnacki
  • Patent number: 7587048
    Abstract: The present invention is provided with: a distributing server for multiplexing copy control information and recording information, the copy control information indicating a number of times for restricting copying after recording, to be indicated after recording in a recording information apparatus is completed and when outputting the recording information and the copy control information; a transmitting unit for distributing the multiplexed recording information and copy control information to a recorder at an output speed higher than the reproducing speed of the recording information from the optical disk; a set top box for obtaining the distributed recording information and copy control information; and the recorder for recording the obtained recording information and copy control information into the optical disk, without modifying the copy control information.
    Type: Grant
    Filed: October 22, 2001
    Date of Patent: September 8, 2009
    Assignee: Pioneer Corporation
    Inventor: Yoshiaki Moriyama
  • Patent number: 7568226
    Abstract: The present invention relates to a data processing system and method as well as to a computer program product for realizing such a data processing system and method. Conventionally, access to system resources is controlled within, for example, MQSeries, via security settings or security definitions contained within profiles that are used to initialize a data processing system. Typically, each computer program or user has associated access permissions which may, from time to time, be varied by a system administrator. It will be appreciated that to issue individual changes to access permissions on a resource-by-resource or user-by-user basis would require a significant amount of work. Suitably, the present invention provides a system and method for implementing grouping of security access control for a number of resources or users. Therefore, a single security change request can be used to effect a change of access permissions associated with a number of separate or at least closely coupled resources.
    Type: Grant
    Filed: February 21, 2001
    Date of Patent: July 28, 2009
    Assignee: International Business Machines Corporation
    Inventors: Arndt Douglas Eade, Hazel Heather Fix, Paul Kettley, Peter Siddall
  • Patent number: 7545939
    Abstract: A method consistent with certain embodiments, of processing a received encrypted frame signal, wherein the received encrypted frame signal is indicative that a specific video frame is encrypted, involves receiving a video signal including the received encrypted frame signal; wherein the received video signal comprises a received bit stream; synthesizing the received encrypted frame signal to produce a synthesized encrypted frame signal that is in synchronization with the received encrypted frame signal; determining if a sink wireless receiver is locked to the received bit stream, and if so, passing the received encrypted frame signal to the sink device; and if the sink wireless receiver is not locked to the received bit stream, passing the synthesized encrypted frame signal to the sink device. This abstract is not to be considered limiting, since other embodiments may deviate from the features described in this abstract.
    Type: Grant
    Filed: August 29, 2005
    Date of Patent: June 9, 2009
    Assignees: Sony Corporation, Sony Electronics Inc.
    Inventors: Robert Allan Unger, Mark Champion
  • Patent number: 7539870
    Abstract: The present invention leverages randomly generated areas with random attributes from two-dimensional media forms to embed information relating to a media's ownership and/or distribution source. This provides a means to establish a media's source despite attacks. By providing embedded user-unique identification, media can enable detection for identifying the source of copied media without the embedded information substantially interfering with the intended purpose of the media itself. In one instance of the present invention, media is transformed into a two-dimensional media form with randomly generated areas having a subset of overlapping areas. User-unique keys are then utilized to determine attributes for each of the areas. This permits creation of statistically unique locations for each user key. The statistical qualities are biased and utilized to determine a logarithmic magnitude watermark value to embed in the media at that location.
    Type: Grant
    Filed: February 10, 2004
    Date of Patent: May 26, 2009
    Assignee: Microsoft Corporation
    Inventors: Mustafa Kesal, Mehmet Kivanc Mihcak, Ramarathnam Venkatesan
  • Patent number: 7523487
    Abstract: The invention provides a method and system for performing specialized services for files at a server, such as scanning files for viruses. A filer or other server is connected to one or more supplementary computing devices that scan requested files to ensure they are virus-free prior to delivery to end users. When an end user requests a file the following steps occur: The server determines whether the file requested must be scanned before delivery to the end user. The server opens a channel to one of the external computing devices and sends the filename. The external computing device opens the file and scans it. The external computing device notifies the filer of the results of the file scan operation. The server sends the file to the end user provided the status indicates it may do so.
    Type: Grant
    Filed: November 30, 2001
    Date of Patent: April 21, 2009
    Assignee: Netapp, Inc.
    Inventor: Mark Muhlestein
  • Patent number: 7519992
    Abstract: A group administration organization device admits a user device to an authorized group by request and sends authority permission information to the user device. The user device holds the authority permission information received from the group administration organization device and, on access, sends authority proof information created from the authority permission information using a group signature scheme to a service provider device as requested by it. The service provider device, upon being accessed, requests the authority proof information and verifies the authority proof information received from the user device in accordance with the request on the basis of the group signature scheme. When the verification result indicates validity, the service provider device provides a service. Thus, there is no need for the service provider to manage personal information of the user because the user device proves to the service provider device using the group signature scheme that it belongs to the authorized group.
    Type: Grant
    Filed: May 28, 2003
    Date of Patent: April 14, 2009
    Assignee: Kabushiki Kaisha Toshiba
    Inventors: Shingo Miyazaki, Takehisa Kato
  • Patent number: 7512970
    Abstract: A protocol, method, apparatus and computer program product for providing and utilizing a host credential authorization protocol (HCAP) is presented. The protocol is utilized by an AAA server and a posture validation server. The AAA server and the posture validation server are utilized to determine whether a host is allowed access to a device.
    Type: Grant
    Filed: July 15, 2004
    Date of Patent: March 31, 2009
    Assignee: Cisco Technology, Inc.
    Inventors: Amir Naftali, Eitan Fux, Ilan Bronshtein, Susan Thomson, Thomas Gary Howard
  • Patent number: 7506368
    Abstract: A data security device for providing a network transport connection via a transparent network proxy that employs different encryption security mediums along a communications session between two endpoints by emulating one of the endpoints at an intermediate node such that the communication session appears as an atomic, secure connection to the endpoints yet provides appropriate security over the end-to-end connection. A sender node sends a connection request to establish a secure communication session with an intended receiver node. A transparent proxy on an intermediate node receives the request and establishes the link employing an encryption mechanism. The transparent proxy establishes a second link with the intended receiver, and applies a second, less expensive encryption mechanism. The transparent proxy combines the two links to form the trusted, secure connection while incurring only the mitigated expense over the second link.
    Type: Grant
    Filed: February 13, 2003
    Date of Patent: March 17, 2009
    Assignee: Cisco Technology, Inc.
    Inventors: Edward C. Kersey, James W. O'Toole, Jr., Bradley Dale Dike, Patrick Darrell Tate, Eric A. Fritzges, Andre Justin Pecqueur, Bruce F. Wong, Hema M. Prasad, Shaheed Bacchus, Larry David Bisel
  • Patent number: 7505593
    Abstract: A method for disabling a traitor receiver in a broadcast encryption system includes examining augmentations of at least one redistributed version of a file in a group of files, wherein each authorized receiver acquired decryption keys only for the particular augmentations that it used. A level to which the augmentations correspond to a first set of super codes previously assigned to each authorized receiver is determined. A conclusion is drawn regarding the number of receivers that are traitor receivers. The receivers concluded to be traitor are selectively revoked. The process is repeated by selecting another set of super codes; selected to reduce the number of authorized receivers concluded to be traitor receivers. The sets of super codes are selected such that the number is made larger to achieve quicker revocation of a traitor receiver at the cost of increasing chance of an incorrect revocation of an innocent receiver.
    Type: Grant
    Filed: December 9, 2002
    Date of Patent: March 17, 2009
    Assignee: International Business Machines Corporation
    Inventors: Hongxia Jin, Jeffrey Bruce Lotspiech
  • Patent number: 7503067
    Abstract: A preset security level system and a method for utilizing the preset security level system. The system includes a plurality of security levels, each of which enables a different level of security. Each of the security levels has associated therewith security features, such that low security level features are associated with a low security level, etc. The system and method enable a system administrator to select a desired security level, which selection automatically results in the activation of the associated security features, rather than manually activating each desired security feature.
    Type: Grant
    Filed: February 2, 2004
    Date of Patent: March 10, 2009
    Assignees: Toshiba Corporation, Toshiba Tec Kabushiki Kaisha
    Inventors: Mike Yeung, Amir Shahindoust, Girish R. Krishna
  • Patent number: 7496960
    Abstract: An apparatus and method for providing real-time tracking of virus information as reported from various computers on a distributed computer network. Each client computer on the distributed network contacts an anti-virus scanning site. The site provides a small program or applet that resides in temporary memory of the client computer. The client-user invokes the scan with supplied pattern updates for detecting recent viruses. When the scan has been completed, the user is prompted to supply a country of origin. The name of the virus, its frequency of occurrence, and the country are forwarded as a virus scan log to a virus tracking server, which receives the virus information and thereafter stores it in a database server, which is used to further calculate virus trace display information. A tracking user contacts the virus tracking server and receives map information, which traces the virus activity.
    Type: Grant
    Filed: October 30, 2000
    Date of Patent: February 24, 2009
    Assignee: Trend Micro, Inc.
    Inventors: Eva Chen, Jimmy Sun, Terrence Chou, Steven Deutsch, Mark Havran