Patents Examined by Nasser Moazzami
  • Patent number: 7995764
    Abstract: A method and system distributes N shares of a secret among cooperating entities using hyperplanes over GF(2^m), such that the secret can be reconstructed from K of the N shares (where K≤N). In one embodiment, the secret is represented as a secret bit string of length m, which is embedded in a K-tuple. The K-tuple is then extended to an N-tuple by a linear transformation using arithmetic defined on GF(2^m). N shares of the secret bit string are generated, with each of the N shares including an element of the N-tuple.
    Type: Grant
    Filed: August 28, 2008
    Date of Patent: August 9, 2011
    Assignee: Red Hat, Inc.
    Inventor: James P. Schneider
  • Patent number: 7996673
    Abstract: A system for encrypting and decrypting messages using a browser in either a web or wireless device or secure message client software for transmission to or from a web server on the Internet connected to an email server or message server for the situation where the sender does not possess the credentials and public key of the recipients. The encryption and decryption is conducted using a standard web browser on a personal computer or a mini browser on a wireless device, or message client software on either a personal computer or wireless devices such that messages transmitted to the web or wireless browser or message client software can be completed and encrypted and signed by the user such that encrypted and signed data does not require credentials and public key of the recipients. A method for delivering and using private keys to ensure that such keys are destroyed after use is also provided.
    Type: Grant
    Filed: May 12, 2004
    Date of Patent: August 9, 2011
    Assignee: Echoworx Corporation
    Inventors: Viatcheslav Ivanov, Qinsheng Lai, Michael Graves Mansell, Michael Albert Roberts, Joseph Dominic Michael Sorbara
  • Patent number: 7996687
    Abstract: Multiple logical partitions are provided in a data processing system. A unique context is generated for each one of the logical partitions. When one of the logical partitions requires access to the hardware TPM, that partition's context is required to be stored in the hardware TPM. The hardware TPM includes a finite number of storage locations, called context slots, for storing contexts. Each context slot can store one partition's context. Each one of the partitions is associated with one of the limited number of context storage slots in the hardware TPM. At least one of the context slots is simultaneously associated with more than one of the logical partitions. Contexts are swapped into and out of the hardware TPM during runtime of the data processing system so that when ones of the partitions require access to the hardware TPM, their required contexts are currently stored in the hardware TPM.
    Type: Grant
    Filed: October 31, 2008
    Date of Patent: August 9, 2011
    Assignee: International Business Machines Corporation
    Inventors: Richard Louis Arndt, Steven A. Bade, Thomas J. Dewkett, Charles W. Gainey, Jr., Nia Letise Kelley, Siegfried Sutter, Helmut H. Weber
  • Patent number: 7995758
    Abstract: Systems and techniques relating to cryptographic keys include, in one implementation, a technique involving: generating a symmetric encryption key; and generating from the symmetric encryption key a family of symmetric encryption keys having a relationship such that a descendent key of the family is derivable from each key that is an ancestor of the descendent key in the family. Generating the family of symmetric encryption keys can involve cryptographically hashing the original symmetric encryption key and resulting hashed encryption keys. The technique can further include rolling over a key used in securing information by providing a next symmetric encryption key of the family in an order opposite that of an order of key generation; and a client can cryptographically hash a first symmetric encryption key to produce a second symmetric encryption key of the family and decrypt information associated with an electronic document with the key thus produced.
    Type: Grant
    Filed: November 30, 2004
    Date of Patent: August 9, 2011
    Assignee: Adobe Systems Incorporated
    Inventor: William M. Shapiro
  • Patent number: 7995765
    Abstract: A method and system distributes N shares of a secret among cooperating entities using hyperplanes over GF(q), such that the secret can be reconstructed from K of the N shares (where K≤N). In one embodiment, the method constructs a K-tuple that contains the secret and elements of GF(q), where q is a power m of an odd prime p. The method further multiplies the K-tuple by a matrix of size (N×K) to produce an N-tuple using arithmetic defined on GF(q). Thus, N shares of the secret are generated, with each of the N shares including a component of the N-tuple.
    Type: Grant
    Filed: August 28, 2008
    Date of Patent: August 9, 2011
    Assignee: Red Hat, Inc.
    Inventor: James P. Schneider
  • Patent number: 7996683
    Abstract: A system for authentication, encryption and/or signing, as well as corresponding devices and methods, that use temporary but repeatable encryption keys uniquely connected to the user and generated from a unique set of input parameters. The system comprises an input device (105) designed to extract predetermined characteristic values from value input by the user, which value is specific to the user, by means of a given algorithm, which algorithm is designed to remove the natural variation in the characteristic values in order to yield an identical set of characteristic values upon input of the same value, and a device (106) designed to generate at least one user specific encryption key comprising said characteristic values.
    Type: Grant
    Filed: October 1, 2002
    Date of Patent: August 9, 2011
    Assignee: Genkey AS
    Inventors: Jørn Lyseggen, Roar Andre Laurtizen, Kim Gunnar Støvring Øyhus
  • Patent number: 7992202
    Abstract: Provided are an apparatus and method for inputting a graphical password that use representative pictures and elemental pictures of a graphic to form a graphical password and that receive the graphic via a wheel interface and a select button for user authentication. The apparatus includes: an input unit having a wheel interface and a select button; a display for displaying a graphic consisting of representative pictures and elemental pictures, and displaying a changed graphic in response to an input from the wheel interface; a memory for storing a graphical password of a user; and a controller for recognizing, when the select button is pressed, the graphic displayed on the display as a user-input graphical password, and determining whether the input graphical password matches the stored graphical password for user authentication.
    Type: Grant
    Filed: January 17, 2008
    Date of Patent: August 2, 2011
    Assignee: SUNGKYUNKWAN University Foundation for Corporate Collaboration
    Inventors: Dongho Won, Sangjoo Park, Seungjoo Kim
  • Patent number: 7992211
    Abstract: A method of authorising conditional access to an encrypted digital data product, includes storing at least one set of entitlements in a secure device, each entitlement including a product identifier and expiry information, receiving entitlement control messages from a decoder system including a device for decrypting encrypted digital data products using control words, each entitlement control message including a product identifier, and in a first mode, returning at least one control word in response to an entitlement control message including a product identifier if the product identifier corresponds to a product identifier in a stored entitlement including expiry information indicating the entitlement to be valid, and, in a second mode, progressively adjusting a counter to a pre-determined value and returning at least one control word in response also to entitlement control messages including a product identifier if the product identifier corresponds to a product identifier in a stored entitlement including
    Type: Grant
    Filed: November 3, 2006
    Date of Patent: August 2, 2011
    Assignee: Irdeto Access B.V.
    Inventors: Gerard Johan Dekker, Werner Stephanus Strydom, Albert Jan Bosscha
  • Patent number: 7991157
    Abstract: A device, such as a cell phone, uses an image sensor to capture image data. The phone can respond to detection of particular imagery feature (e.g., watermarked imagery, barcodes, image fingerprints, etc.) by presenting distinctive graphics on a display screen. Such graphics may be positioned within the display, and affine-warped, in registered relationship with the position of the detected feature, and its affine distortion, as depicted in the image data. Related approaches can be implemented without use of an image sensor, e.g., relying on data sensed from an RFID device. A variety of other features and arrangements are also detailed.
    Type: Grant
    Filed: April 25, 2007
    Date of Patent: August 2, 2011
    Assignee: Digimarc Corporation
    Inventor: Geoffrey B. Rhoads
  • Patent number: 7987362
    Abstract: A method for authenticating a device including the steps of operating the device to create at least one failure condition; obtaining a measurement based on the at least one failure condition; and, comparing the measurement based on the at least one failure condition with a previously stored measurement based on the at least one failure condition to determine an identity of the device. An apparatus and an article of manufacture for authenticating a device is also disclosed.
    Type: Grant
    Filed: September 12, 2006
    Date of Patent: July 26, 2011
    Assignee: Uniloc USA, Inc.
    Inventor: Ric B. Richardson
  • Patent number: 7987497
    Abstract: Several embodiments of the present invention provide a means for improving data access security in computer systems to support high-security applications, and certain of these embodiments are specifically directed to providing sector-level encryption of a virtual hard disk in a virtual machine environment. More specifically, certain embodiments are directed to providing sector-level encryption by using plug-ins in a virtual machine environment, thereby providing improved data access security in a computer system that supports high-security applications. Certain embodiments also use encryption plug-ins associated with standard encryption software for exchanging data between a virtual machine (VM) and its associated virtual hard drive(s) (VHDs). Moreover, several embodiments of the present invention are directed to the use of plug-in encryption services that interface with, and provide services for, a VM via a VM Encryption API (or its equivalent).
    Type: Grant
    Filed: March 5, 2004
    Date of Patent: July 26, 2011
    Assignee: Microsoft Corporation
    Inventors: Aaron Giles, Eric P. Traut, Rene Antonio Vega
  • Patent number: 7987494
    Abstract: A method, apparatus and computer program product for providing protection for a document is presented. Document content of the document is obtained. An occurrence of a security code within the document content is detected, the security code associated with the document content. A security policy associated with the security code is identified. The identified security policy is then applied to the document content.
    Type: Grant
    Filed: December 19, 2005
    Date of Patent: July 26, 2011
    Assignee: Adobe Systems Incorporated
    Inventor: James Donahue
  • Patent number: 7987363
    Abstract: A wireless communications system may include wireless communications devices with each including a wireless transceiver and a processor coupled thereto for transmitting and receiving communications and using a challenge-response authentication protocol. The wireless communications devices may also include a master wireless communications device and a slave wireless communications device. The master wireless communications device may transmit a polling message including an unencrypted portion and an initial encrypted challenge portion. The slave wireless communications device may transmit a polling reply message including an unencrypted portion and an initial encrypted response portion based upon receiving the polling message from the master wireless communications device.
    Type: Grant
    Filed: December 21, 2007
    Date of Patent: July 26, 2011
    Assignee: Harris Corporation
    Inventors: David Chauncey, Mitel Kuliner
  • Patent number: 7987370
    Abstract: A digital watermark is added to audio or visual content. An illustrative embodiment segments the content, permutes the segments, and transforms such data into another domain. The transformed data is altered slightly to encode a watermark. The altered data can then be inverse-transformed, and inverse-permuted, to return same to substantially its original form. Related watermark decoding methods are also detailed, as are ancillary features and techniques.
    Type: Grant
    Filed: November 14, 2007
    Date of Patent: July 26, 2011
    Assignee: Digimarc Corporation
    Inventors: Andrew Johnson, Michael Biggar
  • Patent number: 7987493
    Abstract: The present invention provides a method and system for mitigating distributed denial of service (DDoS) attacks using central management and shared resources. The present invention implements a shared model for mitigating devices distributed in a packet network to mitigate a DoS attack. Mitigating devices are distributed in the packet network to support different network devices during a DoS attack. Configuration information is loaded dynamically into the mitigating devices to adjust the mitigation effort to different network devices. The present invention also implements a shared model for detecting devices distributed in the packet network to detect the presence of a DoS attack. Baselines are created to distinguish between valid packets and invalid packets. When invalid packets are detected, a notification occurs to other devices or a central management system.
    Type: Grant
    Filed: July 18, 2005
    Date of Patent: July 26, 2011
    Assignee: Sprint Communications Company L.P.
    Inventors: Orin Paul Reams, III, Travis Edwards Dawson, David Shearer Moyle, Ryan Charles McDowell, David Paul Bannister
  • Patent number: 7987365
    Abstract: A subscription-based computing device has hardware and a subscription enforcer implemented in the hardware. The enforcer has an accumulator that accumulates a usage value as the computing device is being used and an expiration value register that stores an expiration value. The enforcer allows the computing device to operate in a subscription mode without hindrance and with full use when the usage value is less than the stored expiration value, and allows the computing device to operate in an expiration mode with hindrance and without full use when the usage value reaches the stored expiration value to signal that the subscription for the computing device has expired.
    Type: Grant
    Filed: March 24, 2006
    Date of Patent: July 26, 2011
    Assignee: Microsoft Corporation
    Inventors: Andrew David Birrell, Charles P. Thacker, Michael Isard
  • Patent number: 7984296
    Abstract: According to one embodiment, a content protection device includes a writing module configured to write protection information into file management information item in order to protect a content which is specified to be protected, wherein the writing module is configured to write the protection information corresponding to sectors which stores content key management information file includes content key link information item includes content key position information item of encrypted content key corresponding to content which is specified to be protected, or to write protection information corresponding to at least part of a sectors which stores content key management file includes encrypted content key corresponding to content which is specified to be protected.
    Type: Grant
    Filed: March 31, 2010
    Date of Patent: July 19, 2011
    Assignee: Kabushiki Kaisha Toshiba
    Inventors: Keiko Watanabe, Jun Sato
  • Patent number: 7984493
    Abstract: Malicious network activities do not make use of the Domain Name System (DNS) protocol to reach remote targets outside a local network. This DNS-based enforcement system for confinement and detection of network malicious activities requires that every connection toward a resource located outside the local network is blocked by default by the local enforcement box, e.g. a firewall or a proxy. Outbound connections are allowed to leave the local network only when authorized directly by an entity called the DNS Gatekeeper.
    Type: Grant
    Filed: July 22, 2005
    Date of Patent: July 19, 2011
    Assignee: Alcatel-Lucent
    Inventor: Emanuele Jones
  • Patent number: 7984487
    Abstract: The present invention relates to an information processing system, and an information processing apparatus and method in which authentication processing on a network can be easily performed. A setting terminal device sends registration information input by a user to a CE-device registration setting server. The CE-device registration setting server generates connection information for connecting CE devices to the Internet based on the registration information. The setting terminal device receives the connection information from the CE-device registration setting server and stores it in a memory card. When the memory card is attached, the CE device reads the connection information so as to connect to a network. The present invention can be applied to electronic devices connected to a network.
    Type: Grant
    Filed: March 18, 2003
    Date of Patent: July 19, 2011
    Assignee: Sony Corporation
    Inventors: Tomohiro Katsube, Naoshi Suzuki, Masato Yokobori
  • Patent number: 7984025
    Abstract: The present invention relates to a method for encryption of the content in a database, for accomplishing increased protection against unauthorised access to the data. The method assures that every row and item is re-encrypted with a valid key. More specifically this process, the so-called KeyLife process, is executed every time a row is inserted, updated or retrieved after a scanning operation. The key life value, defining the number of days a key is valid for each item, could differ for the items, and could typically be between 30 and 90 days. The scanning operation, checking the validity of the presently used keys, the so-called KeyLife checking, is executed each time a new key generation is created.
    Type: Grant
    Filed: February 9, 2009
    Date of Patent: July 19, 2011
    Assignee: Protegrity Corporation
    Inventors: Thomas Valfridsson, Ulf Mattsson