Patents Examined by Nirav Patel
  • Patent number: 7624437
    Abstract: In a hardware client for remote logon to a network, a two layer authentication protocol enables authorized users to log on while discouraging unauthorized users. The hardware client prevents logging on to the network if the hardware client is stolen. The hardware client itself is authenticated in the first authentication layer in order to establish a link to the network. Then a client computer authenticates in a second layer and further establishes a secure connection to the network. If the power of the hardware client goes off (as it would if, for example, it were unplugged for transport), then the authentication is not saved and therefore is lost. The hardware client must be reauthenticated before it can be used again.
    Type: Grant
    Filed: May 1, 2002
    Date of Patent: November 24, 2009
    Assignee: Cisco Technology, Inc.
    Inventors: Arturo Fagundo, John Bazzinotti, Peter Davis, Andrew Rodwin
  • Patent number: 7624280
    Abstract: A wireless lock and key system using an encryption key pair. When a lock senses a person nearby, a random signal is generated. The key encrypts the signal and returns it to the lock. The lock decrypts the signal and compares it to the original to determine if the lock should be opened. The key may generate temporary tickets for guests to open the lock for limited times.
    Type: Grant
    Filed: October 15, 2001
    Date of Patent: November 24, 2009
    Assignee: Nokia Corporation
    Inventor: Koskimies Oskari
  • Patent number: 7600132
    Abstract: Various embodiments are provided for authenticating an embedded device on a motherboard. An exemplary embodiment includes generating a unique authentication code (UAC) based on a serial number for a motherboard, and providing the UAC to a computer system having the motherboard. A determination is then made as to whether the provided UAC is correct for the motherboard, and an option ROM BIOS designed for the embedded device is executed when the provided UAC is correct for the motherboard.
    Type: Grant
    Filed: December 19, 2003
    Date of Patent: October 6, 2009
    Assignee: Adaptec, Inc.
    Inventor: Fadi A. Mahmoud
  • Patent number: 7600123
    Abstract: Techniques for registering certificates after the issuance of the certificates are provided. A service provider securely registers a client's identity and its certificate without depending on or using an existing basis of trust, such as that provided by domain-joined clients or a security directory (e.g., MICROSOFT's ACTIVE DIRECTORY). The service provider provides services, such as, by way of example and not a limitation, email services, web application services, application services, etc., based on identifiers (e.g., service IDs) issued to registered clients. The service provider subsequently uses the issued identifier to authenticate a client requesting a service or services, and to authorize the client to receive the requested service or services.
    Type: Grant
    Filed: December 22, 2005
    Date of Patent: October 6, 2009
    Assignee: Microsoft Corporation
    Inventors: Gopal Parupudi, Prabhu Dutt Padhi, Rajagopalan Badri Narayanan, Ram P. Sunkara, Sean A. Cannella, Tak Chung Lung, John Ellis
  • Patent number: 7596806
    Abstract: The present invention provides an integrated VPN/firewall system that uses both hardware (firmware) and software to optimize the efficiency of both VPN and firewall functions. The hardware portions of the VPN and firewall are designed in flexible and scalable layers to permit high-speed processing without sacrificing system security. The software portions are adapted to provide interfacing with hardware components, report and rules management control.
    Type: Grant
    Filed: September 8, 2003
    Date of Patent: September 29, 2009
    Assignee: O2Micro International Limited
    Inventor: Jyshyang Chen
  • Patent number: 7591021
    Abstract: A persisted object model is loaded from an object model document comprising a compiled executable file having an image source, a security source, and a loader. The loader is instantiated, and instantiates the object model from the image source and a security agent from the security source to control access to the instantiated object model. The loader returns to a commander a first reference to the instantiated security agent, whereby the commander in employing the first reference accesses the security agent rather than the instantiated object model. A commander issues a command to the instantiated object model by way of the first reference to the security agent, and the security agent receives and reviews same according to pre-defined rules to determine whether the object model should in fact receive the command. If so, the security agent forwards the command to the object model.
    Type: Grant
    Filed: September 5, 2003
    Date of Patent: September 15, 2009
    Assignee: Microsoft Corporation
    Inventors: J. Kirk Haselden, Sergei Ivanov
  • Patent number: 7591016
    Abstract: Systems and methods for managing pestware processes on a protected computer are described. In one implementation, a reference point in the executable memory that is associated with a process running in the executable memory is located. First and second sets of information from corresponding first and second portions of the executable memory are then retrieved. The first and second portions of the executable memory are separated by a defined offset, and each of the first and second portions of the executable memory are offset from the reference point. The process is identifiable as a particular type of pestware when the first and second sets of information each include information previously found to be separated by the defined offset in other processes that are of the particular type of pestware. In some variations, the reference point is a starting address and/or an API implementation in the process.
    Type: Grant
    Filed: April 14, 2005
    Date of Patent: September 15, 2009
    Assignee: Webroot Software, Inc.
    Inventor: Jefferson Delk Horne
  • Patent number: 7590855
    Abstract: To assist a destination/intermediary node in authenticating a communications packet as originating from a certain source node, the source node hides a cryptographically generated first special value based on the packet in a header portion of the communications packet. Upon receipt of the communications packet, the destination/intermediary node cryptographically generates a second special value also based on the packet for comparison to the first special value extracted from hiding in the header portion. If the first and second special values match, the destination/intermediary node has authenticated the communications packet as originating from the source node. The foregoing may be implemented in a number of situations, but has special use in connection with the detection of packet communications vulnerability assessment probe traffic by an intrusion detection system.
    Type: Grant
    Filed: April 30, 2002
    Date of Patent: September 15, 2009
    Assignee: TippingPoint Technologies, Inc.
    Inventor: Victoria Lynn Irwin
  • Patent number: 7581096
    Abstract: We present technology that allows layman computer users to simply create, provision, and maintain secured infrastructure—an instant PKI. This technology can be used in a wide variety of applications including wired and wireless networks, secure sensor networks (such as medical networks), emergency alert networks, as well as simply and automatically provisioning network devices whether secure or not.
    Type: Grant
    Filed: September 5, 2003
    Date of Patent: August 25, 2009
    Assignee: Xerox Corporation
    Inventors: Dirk Balfanz, Diana K. Smetters, Paul Joseph Stewart, Glenn E. Durfee, Rebecca E. Grinter, Hao-Chi Wong
  • Patent number: 7574609
    Abstract: A method, device and computer program for detecting point correspondences in sets of points and in particular for fingerprint verification. Points of note on fingerprint lines in a scanned fingerprint are compared with corresponding points of note on fingerprint lines in a reference fingerprint and matching pairs are formed from possible corresponding points of note in the scanned fingerprint and the reference fingerprint. A maximum number of such matching pairs is found. This allows an efficient method to be specified, for fingerprint verification for example, that requires only a small amount of working memory and computing power.
    Type: Grant
    Filed: October 24, 2003
    Date of Patent: August 11, 2009
    Assignee: NXP B.V.
    Inventors: Gerald Eckert, Sönke Müller, Jürgen Bückner, Martin Pahl
  • Patent number: 7545928
    Abstract: Improved security processing circuits are discussed which may be used alone or as part of a network interface device of a host system using a DES engine to accomplish 3DES processing. The security processing circuit is adapted for selectively encrypting outgoing data and decrypting incoming data, where the network interface device may be fabricated as a single integrated circuit chip. The improved circuit makes use of a unique circuit component arrangement to provide shortened path timings within the DES engine processing. To accomplish this overall timing performance improvement, the permutation and inverse permutation blocks are removed from these critical path timings of the three individual DES processing operations, and moved to the beginning and end of the 3DES process.
    Type: Grant
    Filed: December 8, 2003
    Date of Patent: June 9, 2009
    Assignee: Advanced Micro Devices, Inc.
    Inventor: Joon-Kit Goh
  • Patent number: 7539310
    Abstract: A version number is associated with an encrypted key executable to allow real time updating of keys for a system which facilitates users signing on to multiple websites on different domains using an encrypted ticket. Two keys may be used at each site during updating of keys, each having an associated one digit Hex version tag. When a key is to be updated with a new key, the existing or old key is provided an expiration time. A second key is provided from the system in a secure manner with a new version number and made the current key which provides decryption of the encrypted ticket. The system tracks both keys while they are concurrent. After the existing key expires, only the second, or updated key is used to provide login services for users. The system periodically flushes old keys.
    Type: Grant
    Filed: May 24, 2005
    Date of Patent: May 26, 2009
    Assignee: Microsoft Corporation
    Inventors: Christopher E. Mitchell, Jeff C. Kunins, Max E. Metral
  • Patent number: 7529924
    Abstract: A data processing device includes a crypto unit having an alignment buffer for providing data to transmit buffer elements of a media switch fabric in multiples of a predetermined number of bytes. Ciphered data for a packet can be split over first and second transmit buffer elements so as to reduce the amount of software intervention.
    Type: Grant
    Filed: December 30, 2003
    Date of Patent: May 5, 2009
    Assignee: Intel Corporation
    Inventors: Jaroslaw Sydir, Kamal J. Koshy, Wajdi Feghali, Bradley A. Burres, Gilbert M. Wolrich
  • Patent number: 7519985
    Abstract: When transmitting data such as audio data which require protection to be provided, difficulty levels of authentication are switched corresponding to processing power of equipments to communicate. Thus, an equipment of low processing power may perform a Bluetooth communication based on the SDMI. Further, for a communicating counterparty which is an equipment of high processing power, such as a personal computer, sufficient countermeasures against hacking may be taken.
    Type: Grant
    Filed: July 30, 2002
    Date of Patent: April 14, 2009
    Assignee: Sony Corporation
    Inventors: Harumi Kawamura, Hisato Shima
  • Patent number: 7506175
    Abstract: A technique for language verification of a Java® card CAP file is provided. The Java® card CAP file is converted from an original Java® code file while conserving its original Java® semantics. The Java® card CAP file is converted into a corresponding converted Java® code file that is semantically identical to the Java® card CAP file. In a language-verification step, the converted Java® code file is then verified if it has been found to comply with a predetermined language specification.
    Type: Grant
    Filed: November 5, 2001
    Date of Patent: March 17, 2009
    Assignee: International Business Machines Corporation
    Inventors: Michael Baentsch, Thomas Eirich, Peter Buhler, Frank Hoering, Marcus Oestreicher, Thomas D. Weigold
  • Patent number: 7502942
    Abstract: An invention is provided for authenticating software associated with an embedded device on a motherboard having an IOP. The method includes generating a unique authentication code (UAC) based on a serial number for a motherboard. The UAC is provided to a computer system having the motherboard, and a determination is made as to whether the provided UAC is correct for the motherboard. When the provided UAC is correct for the motherboard, the IOP is allowed to execute program instructions for the embedded device.
    Type: Grant
    Filed: December 19, 2003
    Date of Patent: March 10, 2009
    Assignee: Adaptec, Inc.
    Inventor: Fadi A. Mahmoud
  • Patent number: 7499548
    Abstract: A user terminal can be authenticated by an access point based on one message. In one embodiment, the present invention includes the access point receiving a message containing a shared secret encrypted with an access point public key, a user terminal certificate, and an authenticator string demonstrating possession by the user terminal of a user terminal private key. The access point can decrypt the shared secret using the private key of the access point paired with its private key. The access point can then authenticate the user terminal by checking the authenticator string using a user terminal public key included in the user terminal certificate to verify possession of the user terminal private key by the user terminal.
    Type: Grant
    Filed: June 24, 2003
    Date of Patent: March 3, 2009
    Assignee: Intel Corporation
    Inventors: Branislav N. Meandzija, Mithat Can Dogan, Marc C. Goldburg, Christopher R. Uhlik
  • Patent number: 7500105
    Abstract: A security system in which wireless transmitting security devices use a hybrid or dual encoding methodology, wherein a first part of a data message is encoded in a return-to-zero (RZ) format and a second part of the data message is encoded in a non-return-to-zero (NRZ) format, thereby increasing error detection and correction. In a first aspect of the invention, status information is included in the first part of the message and redundant status information is included in the second part of the message. In a second aspect of the invention, message sequence information is included in the second part of the message to avoid processing of stale or out-of-sequence messages.
    Type: Grant
    Filed: July 13, 2004
    Date of Patent: March 3, 2009
    Assignee: Honeywell International Inc.
    Inventor: Thomas Schmit
  • Patent number: 7486795
    Abstract: In a distributed sensor network, a method of key management is carried out in several phases, particularly key pre-distribution phase, shared key discovery phase, and as needed, a path key establishment phase. In the key pre-distribution phase, prior to DSN deployment, a ring of keys is distributed to each sensor node, each key ring consisting of randomly chosen keys from a large pool of keys which is generated off-line. A shared key exists between each two key rings with a predetermined probability. In the shared key discovery phase, which takes place upon deployment of the DSN, every sensor node discovers its neighbors in wireless communication range with which it shares keys, and the topology of the sensor array is established by forming secure communication links between respective sensor nodes.
    Type: Grant
    Filed: September 18, 2003
    Date of Patent: February 3, 2009
    Assignee: University of Maryland
    Inventors: Laurent Eschenauer, Virgil D. Gligor
  • Patent number: 7480935
    Abstract: A method for protecting the identification of a subscriber when a service provider transmits a subscriber request to a content provider in a distributed network environment, such as the Internet. After the user sends a request to a service provider to which he has subscribed, the service provider encrypts the user identifier before transmitting this request with the encrypted user identifier to the content provider. Upon reception, the content provider uses an authentication Web Service supplied by the service provider for certifying the user identifier. If the user identifier is certified, the content provider transmits the requested content to the service provider, which formats it before sending it to the user. The content provider may charge the user through the service provider.
    Type: Grant
    Filed: October 8, 2003
    Date of Patent: January 20, 2009
    Assignee: International Business Machines Corporation
    Inventors: Philippe Bazot, Fabrice Livigni, Jacques Cresp, Richard Sert