Abstract: An information security device is provided that, when information is circulated through a chain, permits changing of a usage rule for the information or collection (deletion) of the information after the circulation. An information security device (200) includes: a receiving unit (201) that receives a content and a collection command; a content storing unit (202) that stores a content and its usage rule; a collection command confirmation unit (203) that checks the validity of a received collection command; a content deletion unit (204) that deletes a content; a chain information storage unit (205) that stores chain information containing sending and receiving information of a content; a destination list storage unit (206); a sending unit (207) that sends a content and a collection command; and a control unit (208) that controls the processing for a collection command. When a collection command is sent after content distribution, the content can be collected (deleted) in the destination of circulation.

Abstract: A method of authenticating data transmitted in a digital transmission system, in which the method comprises the steps, prior to transmission, of determining at least two encrypted values for at least some of the data, each encrypted value being determined using a key of a respective encryption algorithm, and outputting said at least two encrypted values with said data.

Abstract: A data processing device comprises a storage unit adapted to store an initial value of a pair of a public key and a private key and a communication unit adapted to execute communication with an external device with use of the initial value of the pair of the public key and the private key stored in the storage unit, thereby enabling encryption communication without generating the pair of the public key and the private key.

Abstract: A data processing apparatus is operable to identify one of a plurality of code words present in a watermarked version of a material item. The marked version is formed by combining each of a plurality of parts of a code word with one of a plurality of units from which the material item is comprised. The apparatus comprises a recovery processor operable to recover at least one part of the code word from a corresponding unit of the marked material item, and a correlator. The correlator is operable to generate for the marked material unit, a dependent correlation value for the part of the code word recovered from the material unit and the corresponding part of at least one of the re-generated code words from the set. A detector is operable to determine whether at least one of the code words is present in the marked material item from the dependent correlation value for the part of the code word exceeding a predetermined threshold.

Abstract: An apparatus and method that reuse a pair of public and private keys. The method includes determining whether a pair of public and private keys that have already been used in a first encryption process are still usable; and reusing the pair of public and private keys in a second encryption process if the pair of public and private keys are determined as being reusable. Accordingly, it is possible to considerably reduce the amount of computation and time that is generally required to calculate a pair of public and private keys, by allowing the pair of public and private keys to be reused.

Abstract: A method is provided for accessing a user operable device having limited access ability. The method comprises transmitting an inquiry from a mobile device of a user via a wide area transmission network to a key authority for obtaining an access key for accessing functions of the user operable device, receiving a request for information from the key authority, transmitting the requested information to the key authority, wherein the information is used by the key authority for co-coding the access key with one or more conditions for operating the user operable device, receiving the access key assigned by the key authority via the wide area transmission network, and transmitting the access key to a controller unit of the user operable device via a short range communication network for accessing the functions of the user operable device.

Abstract: A method and system for password validation. A user identifier (ID) and a user keying password are received from a user in conjunction with reception of a request from the user to obtain access to an application. The user keying password is a sequence of characters including at least one character from a first set of characters and at least one character from a second set of characters. The first set of characters are text characters allowed for defining a user password. The second set of characters are keying characters not allowed for defining a user password. It is determined whether the received user keying password matches a keying password reference. The keying password reference is based on a password definition rule.

Abstract: A data communication method for forwarding a session control message designating a destination server with an IP address to the destination server via a session management server, wherein, when an application program or encrypted communication software on a client issues a connection request designating a destination server with an IP address, the client or the session management server automatically converts the IP address into a desired resource identifier identifiable a domain, thereby to determine the domain to which the received connection request message should be forwarded.

Abstract: An information processing apparatus includes a content usage control information analyzer configured to read content usage control information recorded on an information recording medium and to perform content usage processing according to the content usage control information. The content usage control information analyzer determines whether the usage of content corresponding to the content usage control information is allowed based on a value of a flag included in the content usage control information and device information whether the information processing apparatus is an extended device having an extended function or a basic device without an extended function.

Abstract: A network security handshake exchange for combining user and platform authentication. The security handshake exchange performs operations on a pre-master secret to increase identity verification and security. The pre-master secret is augmented and authenticated with platform identity and user identity credentials of one endpoint. A second phase of exchanges may include exchange of a master secret that is the pre-master secret modified with platform identity and user identity of the other endpoint.

Abstract: In one embodiment, a computer system performs a method for accessing a trusted assembly from a virtualized location. A computer system detects receipt of a request to access an assembly. The address of the assembly is expressed in the request as a virtualized location. The computer system resolves the virtualized location to a physical location where the assembly is physically stored. The resolving includes accessing an information store that maintains the current physical location corresponding to the requested assembly's virtualized location. The computer system determines whether the requested assembly qualifies as a trusted assembly by verifying that the assembly sufficiently complies with information encoded within the assembly. Lastly, upon determining that the requested assembly is trusted, the computer system accesses the requested assembly from the physical location.

Abstract: Random partial shared secret recognition is combined with using more than one communication channel between server-side resources and two logical or physical client-side data processing machines. After a first security tier, a first communication channel is opened to a first data processing machine on the client side. The session proceeds by delivering an authentication challenge, identifying a random subset of an authentication credential, to a second data processing machine on the client side using a second communication channel. Next, the user enters an authentication response in the first data processing machine, based on a random subset of the authentication credential. The authentication response is returned to the server side on the first communication channel for matching. The authentication credential can be a one-session-only credential delivered to the user for one session, or a static credential used many times.

Abstract: A method for establishing a new security association between a mobile node and a network source, the method comprising creating a first token comprising a security association between a network source and a mobile node, the first token being encrypted using a first key known to the mobile node and a first trust authority within a home network associated with the mobile node, and creating a second token comprising the same security association between the network source and the mobile node, the second token being encrypted using a second key known to the first trust authority and a second trust authority associated with the network source, wherein the first token and the second token are sent to the second trust authority using a chain of trust infrastructure.

Abstract: A distributed denial of service attack can be defended against by challenging requests at a machine upstream from the target of the attack. The upstream machine limits access to the victim machine in response to indication of the victim machine being attacked. The upstream machine begins trapping protocol data units destined for the victim machine and challenging requests to access the victim machine with tests that require sentient responses, such as Turing tests. The upstream machine then updates a set of rules governing access to the victim machine based, at least in part, on responses to the challenges or administered tests.

Abstract: A user is enabled to easily access a data area on a network, and to use the data area with security, wherein a recording medium records an address for accessing a prescribed area of a storage apparatus installed in an other apparatus and keys to be used for encrypting data. When the recording medium is installed in the apparatus, the address is read-out from the recording medium and, based on the read-out address, accessing to the prescribed area is started. When the user actually accesses the recording medium, the prescribed area is accessed. In the apparatus to which the recording medium is installed, processing such as a path conversion is carried out as required so that the user is able to operate without mentioning such procedure.

Abstract: A system, method and computer program product for exploit-based worm detection and mitigation are disclosed. The system, method, and computer program product are configured to identify a signature representing content prevalent in network traffic, determine if the traffic including the signature exhibits propagation, determine if the traffic including the signature exhibits connectedness, and generate a worm signature based on the signature if the signature exhibits both connectedness and propagation.

Abstract: A system and method are disclosed for providing client-side protection of broadcast or multicast multimedia content for non-real-time playback. A set-top box function receives a request to record multimedia content and determines whether recording of the multimedia content is restricted. Upon receiving the multimedia content, the set-top box decrypts the multimedia content for real-time playback. If recording of the multimedia content is restricted, the set-top box re-encrypts the multimedia content and generates a packaged file including the re-encrypted multimedia content and one or more of a content identifier, a set-top identifier, a network reference to a copyright policy server, and a record policy of the multimedia content. The packaged file is either stored locally or transferred to remote storage. A remote system having access to the packaged file obtains the packaged file and enforces a copyright policy of the multimedia content before releasing the multimedia content for non-real-time playback.

Abstract: System for authenticating a user for logon to a content manager running on top of a database manager. A connect procedure connects the user to a database manager; and then a logon procedure logs on the user to the content manager selectively responsive to the user connecting to the database manager; the user being authenticated by a third party by way of a user exit or a trusted logon environment and privilege; or the user being authenticated by the content manager.

Abstract: A data migration system performs a tamper-resistant data migration for regulatory compliance systems. The system generates a secure hash for the data object, adds a timestamp to the hash, produces a signature for the data object using a private key, and includes the signature in a signature summary of data objects. Immediately prior to data migration, the system signs the signature summary of the set of data objects to be migrated. The signature of the data object maintains integrity of the data object by preventing undetectable modification to a data object during migration. The signed signature summary maintains completeness by preventing undetectable removal of a data object from or insertion of a data object into the set of data objects during migration.

Abstract: An arrangement for providing data in the context of security management for a franking system has a remote data center at which a list of data sets is stored the data sets containing security information as well as information regarding associated security policies, appertaining at least to security measures and the location of their storage in the franking system. A method for server-controlled security management of performable services in an electronic system includes the steps of receiving a request for a desired service, determining a security feature to be selected and generating a data set corresponding thereto, selecting a logical channel and transferring to data set via that channel establishing the service end, and waiting for receipt of a further service request or for the ending of the communication connection.