Patents Examined by Nasser G Moazzami
  • Patent number: 7581253
    Abstract: A computer system includes a security subsystem which is able to trustfully track which files or storage areas of a storage device have been altered since a last virus scan. The trusted information can then be used to accelerate scans for undesirable code or data such as viruses and invalid or corrupt registry entries. In the case of viruses, files or storage areas which have been altered are scanned against a super-set of virus definitions. Unaltered files or storage areas are scanned against a subset of virus definitions.
    Type: Grant
    Filed: July 20, 2004
    Date of Patent: August 25, 2009
    Assignee: Lenovo (Singapore) Pte. Ltd.
    Inventors: David Carroll Challener, John Peter Karidis
  • Patent number: 7581118
    Abstract: A technique for sanitizing data storage devices, such as magnetic disks, is disclosed. Logical data storage units such as files or portions thereof may be individually deleted and sanitized on a disk. A disk is divided into physical disk regions, each comprising one or more blocks. The contents of the disk are encrypted using a separate encryption key for each physical disk region. If a file or other data structure located in a first disk region and encrypted using a first encryption key is to be deleted, the logical portions (i.e., blocks) of that region that do not belong to the file are re-encrypted using a second encryption key, and the first encryption key is deleted.
    Type: Grant
    Filed: December 5, 2005
    Date of Patent: August 25, 2009
    Assignee: Netapp, Inc.
    Inventor: William P. McGovern
  • Patent number: 7577991
    Abstract: A system and method to reduce external access to hypervisor interfaces in a computer system, thereby reducing the possibility of attacks. In a preferred embodiment, addresses for calls are used to fill a table, where the addresses are specifically selected for a requesting computer. For example, in one embodiment, a routine searches for the adapter type of a requesting computer and populates the table with calls specific to that type of adapter. Other types of calls are not put in the table. Instead, those calls are replaced by routines that will return an error. In other embodiments, the operating system type is used to determine what addresses are used to populate the table. These and other embodiments are explained more fully below.
    Type: Grant
    Filed: July 22, 2004
    Date of Patent: August 18, 2009
    Assignee: International Business Machines Corporation
    Inventors: Trang N. Huynh, Gordon D. McIntosh
  • Patent number: 7577833
    Abstract: An IPSec processor is a network security device. It is designed primarily for an environment requiring a throughput of gigabits per second. By using a new architecture, parallel processing and pipeline processing become more efficient, and performance is therefore higher. An IPSec Core in the IPSec processor employs a sharing structure, which raises the utility of the Encryption Engine and Authentication Engine. Moreover, the IPSec Core can be duplicated, allowing parallel processing. Because the IPSec Core deals with IPSec processing, the Pre_Operation, operation, and post_operation, it becomes a complete processing unit that is easy to duplicate. In addition, several features have been created for a hardware-based implementation, including the processing of the bundled SA case, early verification of the packet, and no need to build an additional context in order to perform a crypto operation.
    Type: Grant
    Filed: May 5, 2006
    Date of Patent: August 18, 2009
    Assignee: Industrial Technology Research Institute
    Inventor: Yi-Sern Lai
  • Patent number: 7577841
    Abstract: A method of placing a watermark in a video stream estimates motion between frames in the video stream, and computes a representative motion for a frame. Before embedding the watermark in that frame, the method spatially adjusts a digital watermark by the representative motion. This method is particularly suited for embedding a watermark in a video stream compressed using motion estimation. In this case, the method uses the motion vectors in the video stream to compute a dominant motion for a frame, and then shifts the watermark by this dominant motion before embedding it in the frame.
    Type: Grant
    Filed: November 19, 2002
    Date of Patent: August 18, 2009
    Assignee: Digimarc Corporation
    Inventor: Mehmet U. Celik
  • Patent number: 7574601
    Abstract: The present invention extends to methods, systems, and computer program products for securely inspecting electronic messages. A computer system receives a control message that is passed through one or more receiving path components, positioned in a message receiving path, to a security component. The security component authenticates the received control message and passes the received control message to an inspection control component. The inspection control component activates message inspection in accordance with instructions contained in the received control message. When message inspection is activated, the computer system passes accessed messages to corresponding inspection components positioned in message paths (either receiving or sending) of the accessed message. The inspection component generates an inspection report (e.g., including a portion of contents of the accessed message) in accordance with instructions contained in a previously authenticated control message.
    Type: Grant
    Filed: August 24, 2004
    Date of Patent: August 11, 2009
    Assignee: Microsoft Corporation
    Inventors: Babak G. Jahromi, John F. Noss, Dhananjay M. Mahajan, Scott Christopher Seely, Daniel W. Roth, Travis John Muhlestein
  • Patent number: 7574600
    Abstract: A security protocol for combining user and platform authentication. The security protocol includes a first handshake phase to issue attestation identity credentials, and a second handshake phase to authenticate based on the attestation identity credentials issued in the first handshake phase. The security protocol also includes a session resumption phase to resume a previous session.
    Type: Grant
    Filed: March 24, 2004
    Date of Patent: August 11, 2009
    Assignee: Intel Corporation
    Inventor: Ned M. Smith
  • Patent number: 7574608
    Abstract: A device scanner system at a security checkpoint queries a powered on electronic device for device-reported data via a network connection. The device-reported data includes the operational status of at least one component of the electronic device, a configuration of the electronic device, and a current ownership of the electronic device. Responsive to receiving the device-reported data, the device scanner system retrieves expected data for the electronic device. The device scanner system assigns a security level to the electronic device indicating whether the device-reported data matches the expected data, such that the electronic device is screened based on data reported by the powered on electronic device.
    Type: Grant
    Filed: March 4, 2004
    Date of Patent: August 11, 2009
    Assignee: International Business Machines Corporation
    Inventors: Herman Rodriguez, Newton James Smith, Jr., Clifford Jay Spinac
  • Patent number: 7571316
    Abstract: The invention relates to a method of transforming a digital signal for it to be transmitted, the signal being decomposed into several regions each containing digital data, the signal comprising header data specific to each region and which comprise at least one part representing the amplitude of the data of the region considered, wherein the method comprises a step of modifying, among the header data specific to at least one region of the signal, the part of the header data representing the amplitude of the data of the region considered.
    Type: Grant
    Filed: July 18, 2003
    Date of Patent: August 4, 2009
    Assignee: Canon Kabushiki Kaisha
    Inventors: Patrice Onno, Fabrice Le Leannec
  • Patent number: 7571317
    Abstract: A method for providing user notification signals in digital phones, such as IP phones or cell phones, that use encryption. In one embodiment, a digital phone receives an encrypted data packet. The phone determines that the encrypted data packet satisfies a criterion. The phone generates a user notification signal that is perceivable by a user of the phone in response to determining that the encrypted data packet does not satisfy the criterion. The user notification signal may comprise a tone, synthesized speech, or other signal that is audible in a handset or speaker of the phone. Alternatively, the user notification signal is visually displayed in an electronic display of the phone. The criterion may comprise a failure to authenticate one or more encrypted data packets that are provided to the phone in a secure protocol. The process may be performed at a voice gateway or cellular base station.
    Type: Grant
    Filed: September 11, 2002
    Date of Patent: August 4, 2009
    Assignee: Cisco Technology, Inc.
    Inventor: Jan Vilhuber
  • Patent number: 7571461
    Abstract: A method and system are disclosed for accessing a personal Web site or executing electronic commerce with security in a smart Java card. A personal Web site which includes personal or private information is stored in a personal smart Java card. Before a user can access the Web site stored in the smart Java card, the user is validated by any one of, or a combination of, PIN, facial images, hand images, eye image, voice characteristics, and fingerprints. In addition, an encryption engine embedded in the smart Java card decodes and compares the entered PIN combined with a secure key or security certificate to verify the identity of the user. Before the bank account can be accessed freely by the user, the bank's computer system checks the combined secure data to ensure the authenticity of the card and the user's identity with multiple check points using Internet security protocols via Web browsers.
    Type: Grant
    Filed: September 29, 2004
    Date of Patent: August 4, 2009
    Assignee: International Business Machines Corporation
    Inventors: Thomas Y. Kwok, Lawrence S. Mok
  • Patent number: 7571310
    Abstract: The present invention provides a method for detecting a security module for link protection in an EPON, wherein an OLT and an ONU in the EPON can check whether or not an encryption module is present in each other and check the configuration of each other in order to avoid loss of a message when the message is encrypted for link protection between the OLT and the ONU in the EPON.
    Type: Grant
    Filed: May 25, 2005
    Date of Patent: August 4, 2009
    Assignee: Electronics and Telecommunications Research Institute
    Inventors: Jee Sook Eun, Yool Kwon
  • Patent number: 7571467
    Abstract: The present invention relates to a system and methodology to facilitate communications security in a distributed computing and applications environment. A pass-phrase is generated to wrap a strong set of security credentials that are employed to establish trusted relationships between entities such as a service provider and one or more partners seeking access to the provider. The pass-phrase is generally constructed from weaker cryptographic material and is generally transported or communicated separately from the wrapped security credentials. When the partner desires to access service resources, the pass-phrase is employed to unlock the strong set of security credentials contained within the wrapper. The unlocked security credentials are then utilized to establish encrypted communications channels between the service provider and the partner.
    Type: Grant
    Filed: February 26, 2002
    Date of Patent: August 4, 2009
    Assignee: Microsoft Corporation
    Inventors: Matthew Charles Priestley, Daniel Doubrovkine
  • Patent number: 7568228
    Abstract: Described is apparatus for testing an intrusion detection system in a data processing system. The apparatus comprises an attack generator for generating attack traffic on a communications path in the data processing system. A collector receives responses generated by the intrusion detection system on receipt of the attack traffic. A controller coupled to the attack generator and the collector varies the attack traffic generated by the attack generator in dependence on the response received from the intrusion detection system by the collector.
    Type: Grant
    Filed: May 17, 2002
    Date of Patent: July 28, 2009
    Assignee: International Business Machines Corporation
    Inventors: Alessandri Dominique, James F. Riordan, Andreas Wespi
  • Patent number: 7568222
    Abstract: A system and method of providing standardized transmission of data by translating non-native requests and/or non-native responses to and from a normalized format or to a format needed for processing the request and/or response. The system works with trusted and untrusted connections and systems and supports encryption at multiple layers to establish non-repudiation for a security service that integrates and/or aggregates external security applications into a single service that can provide authentication and/or authorization.
    Type: Grant
    Filed: June 11, 2003
    Date of Patent: July 28, 2009
    Inventors: William M. Randle, Randall E. Orkis
  • Patent number: 7568101
    Abstract: Digital signatures having an embedded view of signed data that lock the signed data but permit it to be repurposed are described. One of these digital signatures can be repurposed for signature by others, such as co-signers or counter-signers. Another of these digital signatures includes embedded information sufficient to recreate the embedded view using the signed data. A method for building a digital signature is also described that permits signing different parts of an electronic document.
    Type: Grant
    Filed: May 13, 2004
    Date of Patent: July 28, 2009
    Assignee: Microsoft Corporation
    Inventors: Alessandro Catorcini, Arungundram Narendran, Danny van Velzen, Mihaela C. Cris
  • Patent number: 7568114
    Abstract: A method and system for securely and efficiently processing transactions on a client computer with secure and insecure components. A secure transaction module runs on the secure components and uses certificates to authenticate client/server transactions. Users can fill in server-supplied forms with a very high degree of confidence that no malicious software has interfered, and that the server will get exactly what the user intended. The module maintains some tamper-resistant storage with labels indicating that certain registers can only be changed based on cryptographically secured commands from remote server domains. If such registers are scarce, then additional ones are simulated. Applications include managing online accounts, purchase of monetary credits that can be spent online, moving credentials on and off smart cards, using proxy signers to divide certificate authority responsibilities, creating self-destructing email documents, and digital rights management.
    Type: Grant
    Filed: June 25, 2007
    Date of Patent: July 28, 2009
    Inventor: Roger Schlafly
  • Patent number: 7565548
    Abstract: Quality of biometric prints is enhanced by any one of several different methods. In one embodiment, if a biometric print does not have a high enough quality, the biometric print is discarded. In another embodiment, a matching score is associated with the degree to which the two biometric prints match. In another embodiment, a ranking is associated with a biometric print, and the ranking is determined based upon two or more matching scores associated with the biometric print. In another embodiment, a variety of distinguishing features are derived from a given biometric print and are stored for authenticating a biometric print of a user requesting access to a secure entity. In an embodiment, a transformation is applied to at least a portion of a newly acquired biometric print to improve the match of the newly acquired biometric print to a stored biometric print.
    Type: Grant
    Filed: November 17, 2005
    Date of Patent: July 21, 2009
    Assignee: Biogy, Inc.
    Inventors: Michael S. Fiske, Jon Louis
  • Patent number: 7565684
    Abstract: Methods and apparatus, including computer program products, that include providing to a client a definition of an object class representing attributes of a first collection of data elements and a list of possible operations on the first collection, each data element having attributes and possible operations in common with other data elements from the first collection. The method also includes customizing a usage policy of the first collection for a configuration of the client, receiving from the client a first request to execute an operation from the list on one or more data elements from the first collection, checking the first request against the definition and the usage policy, and executing the operation on the one or more data elements of the first collection.
    Type: Grant
    Filed: December 23, 2003
    Date of Patent: July 21, 2009
    Assignee: SAP AG
    Inventors: Thomas Fiedler, Johannes Viegener
  • Patent number: 7564977
    Abstract: A final agent of the message provides a first encryption key to a first agent, interposed between a message sender and the final agent. The first agent but not the final agent knows an identity of the sender. The final agent provides a second encryption key to a second agent, interposed between the sender and the final agent. The second agent knows an identity of the sender. The first agent generates a third encryption key and provides the first encryption key and the third encryption key to the sender. The second agent generates a fourth encryption key and provides the second encryption key and the fourth encryption key to the sender. The first agent receives from the sender a message encrypted with the first, second, third and fourth keys, and in response, decrypts the message based on the third key. Afterwards, the first agent provides the message decrypted based on the third key to the second agent. In response, the second agent decrypts, based on the fourth key, the message provided by the first agent.
    Type: Grant
    Filed: February 24, 2005
    Date of Patent: July 21, 2009
    Assignee: International Business Machines Corporation
    Inventors: Anna Marino, Frank Seliger, Bernard Van Acker