Patents Examined by Nasser G Moazzami
  • Patent number: 7562222
    Abstract: A system and method communicates information from an entity that a registry can use to authenticate the entity to a user. If the registry authenticates the entity, it displays information that represents a shared secret between the registry and the user.
    Type: Grant
    Filed: March 23, 2005
    Date of Patent: July 14, 2009
    Assignee: RSA Security Inc.
    Inventors: Louis A Gasparini, William H Harris
  • Patent number: 7561690
    Abstract: A network communications method communicates a certificate from a client machine to a server machine through a security module. The protocol used between the client and server machines is HTTP or an equivalent protocol, and a security protocol such as SSL or an equivalent is implemented between the client machine and the security module. The steps of the method include inserting the certificate into a cookie header of a request in HTTP or an equivalent protocol, and then transmitting the request from the security module to the server machine.
    Type: Grant
    Filed: January 24, 2002
    Date of Patent: July 14, 2009
    Assignee: Bull SA
    Inventors: Joël Maurin, René Martin, Jean-Yves Dujonc
  • Patent number: 7562231
    Abstract: A system for reproducing contents in a different device conveniently in use while protecting a copyright of digital contents includes a contents recording and transmission device, a reception and reproduction device, and an external storage medium having an ID. The external storage medium is connected to the reception and reproduction device. The ID is transmitted to the recording and transmission device, and ascertained. Then contents are delivered. The external storage medium has a list of contents stored therein. In the case where the contents are recorded in a plurality of devices, only a device to which the external storage medium is connected is made to be capable of reproducing the contents. A contents reproducing function is implemented as a program in a component form.
    Type: Grant
    Filed: May 17, 2004
    Date of Patent: July 14, 2009
    Assignee: Hitachi, Ltd.
    Inventor: Chikashi Okamoto
  • Patent number: 7562223
    Abstract: A secure release of a job request is managed at a document processing system that has been issued a private key and a public key. In one embodiment, the job request includes a first part specifying job information that is encrypted using a symmetric key, and a second part specifying the symmetric key that is encrypted with a recipient's public key. The document processing system begins release of the job request upon receipt of the symmetric key encrypted using its public key. The document processing system uses its private key to decrypt the encrypted symmetric key. The decrypted symmetric key is then used to decrypt the first part of the job request, thereby permitting the document processing system to complete performance of the job request.
    Type: Grant
    Filed: December 17, 2004
    Date of Patent: July 14, 2009
    Assignee: Xerox Corporation
    Inventors: Francois Ragnet, Victor Ciriza, Olivier Fambon, Yves Hoppenot
  • Patent number: 7562230
    Abstract: In one embodiment, a method is provided that may include encrypting, based at least in part upon at least one key, one or more respective portions of input data to generate one or more respective portions of output data to be stored in one or more locations in storage. The method of this embodiment also may include generating, based at least in part upon the one or more respective portions of the output data, check data to be stored in the storage, and/or selecting the one or more locations in the storage so as to permit the one or more respective portions of the output data to be distributed among two or more storage devices comprised in the storage. Many modifications, variations, and alternatives are possible without departing from this embodiment.
    Type: Grant
    Filed: October 14, 2003
    Date of Patent: July 14, 2009
    Assignee: Intel Corporation
    Inventors: Eshwari P. Komarla, Vincent J. Zimmer, Mallik Bulusu
  • Patent number: 7562382
    Abstract: The invention provides federated functionality within a data processing system by means of a set of specialized runtimes. Each of the plurality of specialized runtimes provides requested federation services for selected ones of the requestors according to configuration data of respective federation relationships of the requestors with the identity provider. The configuration data is dynamically retrieved during initialization of the runtimes which allows the respective runtime to be specialized for a given federation relationship. Requests are routed to the appropriate specialized runtime using the first requestor identity and the given federation relationship. The data which describes each federation relationship between the identity provider and each of the plurality of requesters is configured prior to initialization of the runtimes.
    Type: Grant
    Filed: December 16, 2004
    Date of Patent: July 14, 2009
    Assignee: International Business Machines Corporation
    Inventors: Heather Maria Hinton, Anthony Scott Moran, Dolapo Martin Falola, Ivan Matthew Milman, Patrick Ryan Wardrop
  • Patent number: 7558388
    Abstract: A method and apparatus for providing improved security and improved roaming transition times in wireless networks. In the present invention, the same pairwise master key (PMK) from an authentication server can be used across multiple access points and a new pairwise transition key (PTK) is derived for each association of a station to any of the access points. A plurality of access points are organized in functional hierarchical levels and are operable to advertise an indicator of the PMK cache depth supported by a group of access points (N) and an ordered list of the identifiers for the derivation path. Access points in each level in the cache hierarchy compute the derived pairwise master keys (DPMKs) for devices in the next lower level in the hierarchy and then deliver the DPMKs to those devices. An access point calculates the PTK as part of the security exchange process when the station wishes to associate to the access point. The station also computes the PTK as part of the security exchange process.
    Type: Grant
    Filed: October 15, 2004
    Date of Patent: July 7, 2009
    Assignee: Broadcom Corporation
    Inventor: Henry S. Ptasinski
  • Patent number: 7555127
    Abstract: In a quantum cryptography key distribution system for sharing a secret key between a transmitter and a receiver site, an unbalanced interferometer system in the transmitter site has a Mach-Zehnder interferometer switch with a phase modulator while the receiver site records photon arrival time slots. The system utilizes a whole of arrival photons in the receiver site and dispenses with any phase modulator in the receiver site. This system serves to improve a photon utilization efficiency.
    Type: Grant
    Filed: February 21, 2003
    Date of Patent: June 30, 2009
    Assignee: NEC Corporation
    Inventors: Yoshihiro Nambu, Toshiyuki Kambe
  • Patent number: 7555657
    Abstract: A software update device capable of communicating with a target update device via a network, the software update device including: a certification information setting unit for generating a first certification information, and transmitting the first certification information to the target update device via a first communication path; a certification requesting unit for transmitting a second certification information to the target update device, and requesting the target update device to execute a certification process with the first and second certification information; and a transmitting unit for transmitting an update software for updating a software of the target update device to the target update device via a second communication path when the certification process succeeds, the second communication path having a process load less than that of the first communication path.
    Type: Grant
    Filed: March 29, 2004
    Date of Patent: June 30, 2009
    Assignee: Ricoh Company, Ltd.
    Inventor: Masami Nasu
  • Patent number: 7552477
    Abstract: A method makes use of the fact that call modules, such as APIs, making calls to a critical operating system (OS) function are typically called by a call instruction while, in contrast, a RLIBC attack typically uses call modules that are jumped to, returned to, or invoked by some means other than a call instruction. The method includes stalling a call to a critical OS function and checking to ensure that the call module making the call to the critical OS function was called by a call instruction. If it is determined that the call module making the call to the critical OS function was not called by a call instruction, the method further includes taking protective action to protect a computer system.
    Type: Grant
    Filed: February 23, 2005
    Date of Patent: June 23, 2009
    Assignee: Symantec Corporation
    Inventors: Sourabh Satish, Matthew Conover
  • Patent number: 7552480
    Abstract: A quantitative model combines a one-dimensional risk-assessment approach with expert knowledge to enable calculation of a probability or likelihood of exploitation of a threat to an information system asset without referring to actuarial information. A numerical value is established for one or more threats of attack on the information system asset based on expert knowledge without reference to actuarial data, and likewise, based on expert knowledge without reference to actuarial data, a numerical value is established for each of one or more access and privilege components of one or more vulnerabilities to attack on the information system asset. A security risk level for the information system asset is computed based upon the numerical values for threat and the access and privilege components for vulnerability so established.
    Type: Grant
    Filed: April 23, 2003
    Date of Patent: June 23, 2009
    Assignee: Citibank, N.A.
    Inventor: Timothy Voss
  • Patent number: 7551737
    Abstract: A system and method for providing cryptographic keys which are usable in a network of connected computer nodes applying a signature scheme. The method employs: generating a random secret key usable in the network of connected computer nodes; generating an exponent interval I having a plurality of exponent elements, the exponent interval having a specified first random limit, wherein each element of the plurality of exponent elements of the exponent interval has a unique prime factor that is larger than a given security parameter; and, providing a public key comprising an exponent-interval description including the first random limit, and a public key value derived from the random secret key, such that the random secret key and a selected exponent value from the plurality of exponent elements in the exponent interval I are usable for deriving a signature value on a message to be sent within the network to a second computer node for verification.
    Type: Grant
    Filed: March 25, 2004
    Date of Patent: June 23, 2009
    Assignee: International Business Machines Corporation
    Inventors: Jan Camenisch, Maciej A Koprowski
  • Patent number: 7549060
    Abstract: Content is encrypted according to a content key (CK) ((CK(content))), (CK) is protected according to a license server public key (PU-DRM), and rights data associated with the content is retrieved from a rights template and protected according to (PU-DRM). The protected items and a digital signature from the rights template are submitted as a rights label to the license server for signing. The license server verifies the rights template signature, and if such signature verifies signs the rights label to result in a signed rights label (SRL), and returns same. The SRL is concatenated with (CK(content)) and both are distributed to a user. To render the content, the user submits the SRL to the license server to request a license.
    Type: Grant
    Filed: June 28, 2002
    Date of Patent: June 16, 2009
    Assignee: Microsoft Corporation
    Inventors: Steven Bourne, Chandramouli Venkatesh, Vinay Krishnaswamy
  • Patent number: 7549064
    Abstract: A secure circuit assembly includes a printed circuit board including first and second surfaces and a secure boundary area in the first surface. A circuit to be protected is located in the secure boundary area. A first inner enclosure is attached to the first surface of the printed circuit board and covers the secure boundary area in the first surface. A first sensor film is attached to the first inner enclosure and is electrically coupled to the printed circuit board. The secure circuit assembly also includes first and second outer enclosures, the first outer enclosure covering the first inner enclosure and the second outer enclosure covering the second inner enclosure. A method for providing security to a circuit assembly is also disclosed.
    Type: Grant
    Filed: May 10, 2005
    Date of Patent: June 16, 2009
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Arcadi Elbert, Alvin Diep
  • Patent number: 7549171
    Abstract: An authentication processing method and system includes an access control list on both a client system and a storage server system. The access control list stores authentication information for individual files. The authentication information is accessed and used to authenticate an application when the application requests access to a file. The client system adds information from the access control list to a data request sent to the storage server system. The storage server system controls access to the requested file based upon the information included with the data request and the access control list on the storage server system.
    Type: Grant
    Filed: June 10, 2004
    Date of Patent: June 16, 2009
    Assignee: Hitachi, Ltd.
    Inventor: Yoshiki Kano
  • Patent number: 7549166
    Abstract: A method and system for handling a malicious intrusion to a machine in a networked group of computers. The malicious intrusion is an unauthorized access to the machine, such as a server in a server farm. When the intrusion is detected, the machine is isolated from the rest of the server farm, and the machine is reprovisioned as a decoy system having access to only data that is ersatz or at least non-sensitive. If the intrusion is determined to be non-malicious, then the machine is functionally reconnected to the server farm, and the machine is reprovisioned to a state held before the reprovisioning of the machine as a decoy machine.
    Type: Grant
    Filed: December 5, 2002
    Date of Patent: June 16, 2009
    Assignee: International Business Machines Corporation
    Inventors: Paul T. Baffes, John Michael Garrison, Michael Gilfix, Allan Hsu, Tyron Jerrod Stading, Ronald S. Woan, John D. Wolpert, Shawn L. Young
  • Patent number: 7549047
    Abstract: A system and method for sharing files securely includes server software on a first device configured to communicate with server software operating on one or more other preauthorized devices, such as a second device. The servers communicate with each other securely using cryptographic information exchanged during a preauthorization phase using a range-limited communication channel. The server on the first device obtains file information from the other preauthorized device(s) and combines the information with local file information from the first device. This combined file information is sent to client software operating on the machine, which presents the combined file information to users.
    Type: Grant
    Filed: November 21, 2002
    Date of Patent: June 16, 2009
    Assignee: Xerox Corporation
    Inventors: Dirk Balfanz, Teresa Lunt, Diana Smetters, Ken Conley, Paul Stewart, Steve Cousins, Bryan Pendleton
  • Patent number: 7548618
    Abstract: A converter uses a predetermined parameter a. A generating unit accepts generated inputs x1, . . . , xn, and generates generated outputs, y1, . . . , yn, using recurrence formulas, y1=F1(x1, a) and yi+1=Fi+1(xi+1, yi) (1≤i≤n−1). A key accepting unit accepts key inputs, k1, . . . , kn, and gives them as generated inputs to said generating unit. A repetition controller gives the generated outputs as generated inputs to said generating unit, for an “m” (m≥0) number of times, and sets one of the generated outputs to be given at the end as a random number string, r1, . . . , rn. The data accepting unit accepts data inputs, d1, . . . , dn. The converting unit converts data using, ei=di?ri, and, outputs data outputs, e1, . . . , en. The converter can be used both for encrypting and decrypting data.
    Type: Grant
    Filed: August 29, 2002
    Date of Patent: June 16, 2009
    Assignee: National Institute of Information and Communications Technology Incorporated Administrative Agency
    Inventor: Ken Umeno
  • Patent number: 7546452
    Abstract: A credential management device has a protected domain and a credential manager to perform credential transactions. A credential transaction may comprise determining if a platform is operating in a trusted mode and releasing an operation credential if the platform is operating in a trusted mode. A credential transaction may comprise validating incoming credentials from other platforms.
    Type: Grant
    Filed: August 20, 2002
    Date of Patent: June 9, 2009
    Assignee: Intel Corporation
    Inventors: Selim Aissi, Ned McArthur Smith, Willard M. Wiseman
  • Patent number: 7546462
    Abstract: An application view, which can represent a self-describing interface to functionality in a resource such as an application or enterprise system, can configure a security principal for a validated system user. A resource adapter can receive the request from the application view and can use a security principal map to map the security principal to a resource-appropriate principal. The resource adapter can perform a resource sign-on in a manner specific to the resource using the resource-appropriate principal.
    Type: Grant
    Filed: October 15, 2002
    Date of Patent: June 9, 2009
    Assignee: BEA Systems, Inc.
    Inventor: Mitch Upton