Abstract: A recording medium including at least a lead-in region, a recording region in which information is recorded, and a lead-out region. In this configuration, medium information including medium identification information and relevant information is recorded in at least any one of the lead-in region, the recording region, and the lead-out region.

Abstract: A distinct-count estimate is obtained in a guaranteed small footprint using a two level hash, distinct count sketch. A first hash fills the first-level hash buckets with an exponentially decreasing number of data-elements. These are then uniformly hashed to an array of second-level-hash tables, and have an associated total-element counter and bit-location counters. These counters are used to identify singletons and so provide a distinct-sample and a distinct-count. An estimate of the total distinct-count is obtained by dividing by the distinct-count by the probability of mapping a data-element to that bucket. An estimate of the total distinct-source frequencies of destination address can be found in a similar fashion. By further associating the distinct-count sketch with a list of singletons, a total singleton count and a heap containing the destination addresses ordered by their distinct-source frequencies, a tracking distinct-count sketch may be formed that has considerably improved query time.

Abstract: It is convenient to allow access to a private network, such as a corporate intranet, or outward facing extranet application, from an external network, such as the Internet. Unfortunately, if an internal authentication system is used to control access from the external network, it may be attacked, such as by a malicious party intentionally attempting multiple invalid authentications to ultimately result in an attacked account being locked out. To circumvent this, an authentication front-end, proxy, wrapper, etc. may be employed which checks for lockout conditions prior to attempting to authenticate security credentials with the internal authentication system.

Abstract: A method and apparatus for measuring data presentation is measured for authenticity and accuracy using a cryptographic capability. The data may include both presentation data and metadata related to measuring and reporting results of outputting the presentation data. After measurement, the presentation data may be presented to an output device. The output device may be a display, a sound device or other computer output. Related statistics may be collected, for example, user identity, computer identity, time, duration, and interference from other sources. In the case of displayed presentation data, unblocked viewing area, and presentation data area size may also be collected. In an exemplary embodiment, the presence of a user and/or user interaction with the presentation data may be recorded and reported. The recorded data may be securely reported to a participating host or server, by a secure channel and/or by signing and/or encrypting.

Abstract: An authentication apparatus for solving problems involving convenience and security is disclosed. The authentication apparatus according to the present invention is an authentication apparatus having a plurality of authentication mechanisms, the apparatus determining (S23) whether authentication information that has been input by a card reader for inputting authentication information of an object of authentication is that of a user who is capable of changing over the plurality of authentication mechanisms, displaying (S24) a list of the plurality of authentication mechanisms if it is determined that the user is capable of making the changeover, and registering (S26) the authentication mechanism, which has been selected in the display list, as the effective authentication mechanism.

Abstract: Methods and systems are provided that allow multiple identity-based digital signatures to be merged into a single identity-based “aggregate” digital signature. This identity-based aggregate signature has a shorter bit-length than the concatenation of the original unaggregated identity-based signatures. The identity-based aggregate signature can be verified by anyone who obtains the public keys of one or more Private Key Generators (PKGs), along with a description of which signer signed which message. The verifier does not need to obtain a different public key for each signer, since the signature scheme is “identity-based”; the number of PKGs may be fewer than the number of signers.

Abstract: According to one embodiment, there is provided a playback apparatus which plays back content including an encrypted video object and an encrypted resource file, including a memory including a file cache area, a module configured to decrypt the video object, a playback process module configured to play back the decrypted video object and to output a resource file acquisition request, a module configured to determine whether the resource file is decrypted, to decrypt the resource file, to write the decrypted resource file over the encrypted resource file, to update the management information, and to send the decrypted resource file to the playback process module, and a module configured to determine whether the resource file is decrypted, to encrypt the decrypted resource file, to write the encrypted resource file over the decrypted resource file, to update the management information, and to send the encrypted resource file to the storage.

Abstract: In a particular embodiment, a wireless security system is disclosed. The wireless security system includes a client module deployed on a wireless device, a network module, and a server module. The client module is adapted to authenticate a wireless device while the wireless device is operating independently from the network module and the server module. In another embodiment, a method of distributing security policy information from a server to a mobile computing device is disclosed. The method includes authentication of a connection between the server and a gatekeeper, sending a policy package to the gatekeeper, initiating data synchronization between the mobile computing device and the gatekeeper, authenticating the mobile computing device, and sending the policy package from the gatekeeper to the mobile computing device.

Abstract: An apparatus for processing data includes a processor operable in a plurality modes including at least one secure mode being a mode in a secure domain and at least one non-secure mode being a mode in a non-secure domain. When the processor is executing a program in a secure mode the program has access to secure data which is not accessible when the processor is operating in a non-secure mode. The processor is responsive to one or more exception conditions for triggering exception processing using an exception handler. The processor is operable to select the exception handler from among a plurality of possible exception handlers in dependence upon whether the processor is operating in the secure domain or the non-secure domain.

Abstract: A model restricts un-trusted data/objects from running on a user's machine without permission. The data is received by a protocol layer that reports a MIME type associated with the DATA, and caches the data and related cache file name (CFN). A MIME sniffer is arranged to identify a sniffed MIME type based on the cached data, the CFN, and the reported MIME type. Reconciliation logic evaluates the sniffed MIME type and the CFN to determine a reconciled MIME type, and to update the CFN. A class ID sniffer evaluates the updated CFN, the cached data, and the reconciled MIME type to determine an appropriate class ID. Security logic evaluates the updated CFN, the reported class ID, and other related system parameters to build a security matrix. Parameters from the security matrix are used to intercept data/objects before an un-trusted data/object can create a security breach on the machine.

Abstract: A system and method are described supporting secure implementations of 3DES and other strong cryptographic algorithms. A secure key block having control, key, and hash fields safely stores or transmits keys in insecure or hostile environments. The control field provides attribute information such as the manner of using a key, the algorithm to be implemented, the mode of use, and the exportability of the key. A hash algorithm is applied across the key and control for generating a hash field that cryptographically ties the control and key fields together. Improved security is provided because tampering with any portion of the key block results in an invalid key block. The work factor associated with any manner of attack is sufficient to maintain a high level of security consistent with the large keys and strong cryptographic algorithms supported.

Abstract: A method of establishing an e-mail secure transmission link between an initiator and a responder for the transmission of secure e-mail messages over a network comprising creation of a unique initiator designator or number, generation of a unique initiator exchange key component including the unique initiator designator or number, transmission of a request from the initiator to the responder to establish the e-mail secure transmission link and the unique initiator exchange key component, acceptance of the request by the responder to establish the e-mail secure transmission link, creation of a unique responder designator or number, combining of the unique responder designator and the unique initiator exchange key component to create a unique initiator/responder exchange key at the responder site, generation of a unique responder exchange key component including the unique responder designation, transmission of the unique responder exchange key component from the responder to the initiator, combining the unique

Abstract: An intrusion detection system, and a related method and computer program product, for implementing intrusion detection in a remote, on-demand computing service environment in which one or more data processing hosts are made available to a remote on-demand user that does not have physical custody and control over the host(s). Intrusion detection entails monitoring resources defined by the on-demand user (or a third party security provider) for intrusion events that are also defined by the on-demand user (or security provider), and implementing responses according to event-action rules that are further defined by the on-demand user (or security provider). An intrusion detection system agent is associated with each of the data processing hosts, and is adapted to monitor the intrusion events and report intrusion activity. If there are plural intrusion detection system agents, they can be individually programmed to monitor and report on agent-specific sets of the intrusion events.

Abstract: A system and methods of detecting an occurrence of a violation of an email security policy of a computer system. A model relating to the transmission of prior emails through the computer system is defined which is derived from statistics relating to the prior emails. For selected emails to be analyzed, statistics concerning the selected email are gathered. Such statistics may refer to the behavior or other features of the selected emails, attachments to emails, or email accounts. The determination of whether a violation of an email security policy has occurred is performed by applying the model of prior email transmission to the statistics relating to the selected email. The model may be statistical or probabilistic. A model of prior email transmission may include grouping email recipients into cliques. A determination of a violation of a security policy may occur if email recipients for a particular email are in more than one clique.

Abstract: An unauthorized access prevention system includes a countermeasure method determination unit determining a method of taking countermeasures to protect a destination against unauthorized access based on a rate indicating a probability that predetermined traffic is unauthorized access. The rate is determined by calculating a number of times that the countermeasures were taken and subtracting a number of times that countermeasures were suspended, and dividing the resultant number of times that countermeasures were taken without suspension by the number of times that countermeasures were taken, for the predetermined traffic. The system also includes a storage device storing the number of times that countermeasures were taken and the number of times that countermeasures were taken without suspension. A countermeasure execution control unit controls when to take the countermeasures in the determined method.

Abstract: The invention is concerned with enabling substantially anonymous purchases of media products or other products (or access to an on-line service) to be made on-line. In order to initiate a purchasing session, consisting of one or more purchasing transactions, the purchaser authenticates himself to a home provider computer (3) which ten allots an anonymous client identifier (clientID) to the client for the purposes of that session. The purchaser (1) contacts a vendor computer (6), using the anonymous identifier (clientID) and an anonymising HTTP proxy, in order to place an order for one or more products or services for which the vendor computer has the right to authorize delivery. In order to obtain delivery of the product or service from the repository computer (5), the purchaser (1) provides the clientID to the repository computer (3).

Abstract: An image forming system which is capable of enhancing security in an i-copy function. A server apparatus stores document data once having been printed in association with a sheet identifier recorded on a print sheet on which the document data has been printed. An image reader section reads the sheet identifier from the print sheet when a copy command is issued by the user authenticated based on an entered user identifier by a CPU of a MFP. A printer section reads out and prints the document data from the server apparatus. When the sheet identifier has not been read from the print sheet based on the copy command over a predetermined time period, the document data is inhibited from being printed by the printer section.

Abstract: UIMID of a UIM 50 owned by the owner of a portable phone 40 is stored in an owner information registration area 410b of phone 40. A CPU 405 of portable phone 40, upon receiving content, compares a UIMID of a UIM 50 inserted in phone 40 to the UIMID registered in owner information registration area 410b. The storing of the content in a nonvolatile memory 410 is permitted only when the two UIMIDs agree with each other.

Abstract: A method of decoding symbols in which a first codeword has been spread by a second codeword to recover first information and second information is provided. The decoding occurs jointly, with an overall output determining both the first and second information. A first parallel code multiplying operation for each codeword of the second code is followed by a second parallel code multiplying operation for the first code. An overall maximum output of the second parallel code multiplying operations determines the output information.

Abstract: A first party has a first and a second cryptographic key. A second party has a third and a fourth cryptographic key, the fourth cryptographic key being derived from the first and third cryptographic keys thereby providing an association between the parties. To enable a third party to verify the existence of an association between the first and second parties, the second party generates a number that in association with the second cryptographic key, the third cryptographic key and the fourth cryptographic key define a first cryptographic parameter, a second cryptographic parameter and a third cryptographic parameter respectively. By using these parameters and the second and third cryptographic keys, the third party can verify if the first and second parties are associated.