Patents Examined by Nirav Patel
  • Patent number: 7469345
    Abstract: Methods and apparatus in accordance with the present invention are operable to carry out certain functions including: receiving an encrypted program at a processing apparatus; transmitting at least some identification information related to the processing apparatus over a network to an administrator; receiving an encrypted decryption key at the processing apparatus over the network from the administrator in response to the at least some identification information; decrypting the encrypted decryption key; decrypting the encrypted program using the decryption key; re-encrypting the program using at least some of the identification information; and storing the identification information and the re-encrypted program in a first storage device.
    Type: Grant
    Filed: December 11, 2002
    Date of Patent: December 23, 2008
    Assignee: Sony Computer Entertainment Inc.
    Inventors: Muneki Shimada, Toyoshi Okada, Yousuke Kimoto, Kazuhiro Kanee, Kenjiro Komaki
  • Patent number: 7467414
    Abstract: A system, apparatus, and method are provided for entitlement security and control. According to one embodiment, an entitlement request is received from a downstream access control system seeking entitlement permission on behalf of a user, a group of users, all users associated with the downstream access control system, or on behalf of the downstream access control system as a whole, the entitlement request is matched against entitlement rules and roles that are retrieved from a metadata repository, and the entitlement permission is granted if the entitlement request satisfies the entitlement rules and roles.
    Type: Grant
    Filed: March 17, 2003
    Date of Patent: December 16, 2008
    Assignee: Intel Corporation
    Inventor: David Schlesinger
  • Patent number: 7457955
    Abstract: A trusted branded email method and apparatus in one aspect detects branded electronic messages and performs validation before it is sent to a recipient. In another aspect, an electronic message is branded by embedding branding assets and validation signatures. Algorithms that generate validation signatures are dynamically selected to further strengthen the security aspects. Branding assets are presented to a user using a distinct indicia that represents to the user that the branding assets are secure.
    Type: Grant
    Filed: January 13, 2005
    Date of Patent: November 25, 2008
    Assignee: Brandmail Solutions, Inc.
    Inventors: Harish Seshadri, Noel Ruane
  • Patent number: 7441267
    Abstract: The present invention performs “flow control” based on the remaining encryption capacity of an encrypted outbound network interface link of a network routing device, such as a router or switch. As the encrypted link begins to run low on encryption key material, this invention begins to discard datagrams queued for transit across that link, in order to signal distant host computers that they should slow down the rate at which they are sending datagrams. The invention, which is particularly useful in cryptographically protected networks that run the TCP/IP protocol stack, allows fine-grained flow control of individual traffic classes because it can determine, for example, how various classes of data traffic (e.g., voice, video, TCP) should be ordered and transmitted through a network. Thus, the invention can be used to implement sophisticated flow control rules so as to give preferential treatment to certain people, departments or computers.
    Type: Grant
    Filed: March 19, 2003
    Date of Patent: October 21, 2008
    Assignees: BBN Technologies Corp., Verizon Corporate Service Group Inc.
    Inventor: Brig Barnum Elliott
  • Patent number: 7398390
    Abstract: Security-state-reporting and data-control functionality introduced into a computer system to monitor and report the security state of the computer system and to store and make selectively available, for processes executing within a computer system, security-state-associated data. The hardware element includes two control registers, a current-security-state control register (“CSS”) and a current-data-bank control register (“CDB”). When the CSS is read, the CSS reports the current security state of the computer system, with security states represented as unsigned integers starting from a highest security level of 0 and decreasing with unsigned integers of increasing magnitudes. The CDB controls access to one or more data-register banks, positioning a data-register window to allow access only to those data-register-bank registers associated with the currently reported security state.
    Type: Grant
    Filed: August 8, 2003
    Date of Patent: July 8, 2008
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventor: Chris D. Hyser
  • Patent number: 7392378
    Abstract: The present invention is useful for routing data traffic in data communications networks where some or all of the network interface links are protected by cryptographic techniques, e.g., encryption. The invention routes datagram traffic in such networks toward interface links perceived to have strong encryption protection and away from interface links perceived to have weak or weakening encryption protection, based on the remaining encryption capacity for such links.
    Type: Grant
    Filed: March 19, 2003
    Date of Patent: June 24, 2008
    Assignees: Verizon Corporate Services Group Inc., BBN Technologies Corp.
    Inventor: Brig Barnum Elliott
  • Patent number: 7389537
    Abstract: A network device coordinates with other devices in a network to create a distributed filtering system. The device detects an attack in the network, such as a distributed denial of service attack, and forwards attack information to the other devices. The devices may categorize data into one or more groups and rate limit the amount of data being forwarded based on rate limits for the particular categories. The rate limits may also be updated based on the network conditions. The rate limits may further be used to guarantee bandwidth for certain categories of data.
    Type: Grant
    Filed: May 8, 2003
    Date of Patent: June 17, 2008
    Assignee: Juniper Networks, Inc.
    Inventors: Ross W. Callon, Frank Kastenholz
  • Patent number: 7386123
    Abstract: The invention concerns a method for implementing in an electronic component a cryptographic algorithm using calculating means. The invention is characterized in that it consists in carrying out the following steps: a) selecting a value e among a specific number of values ei, ei being integers, b) checking if ei verifies a predetermined relationship: if so, then e=ei, and storing e for use in calculating said cryptographic algorithm.
    Type: Grant
    Filed: September 5, 2002
    Date of Patent: June 10, 2008
    Assignee: Gemplus
    Inventors: Marc Joye, Pascal Paillier, Florence Ques-Rochat, Karine Villegas, Nathalie Feyt, Benoit Chevallier Mames
  • Patent number: 7383575
    Abstract: The loss of a computer's primary O.S. password, BIOS password, or HDD password (or even an application password) is sensed by a secondary O.S. based on a number of failed log on attempts to the affected component. The password can be reset by having the secondary O.S. generate an intermediate password automatically, verify user authorization, and then make the intermediate password available to, e.g., the primary O.S., so that the affected component can be accessed and its password reset without help desk personnel intervention.
    Type: Grant
    Filed: December 23, 2003
    Date of Patent: June 3, 2008
    Assignee: Lenovo (Singapore) Pte Ltd.
    Inventors: Richard W. Cheston, Michael T. Vanover, Steven R. Welch
  • Patent number: 7383446
    Abstract: A memory card includes a user ID hold unit holding user ID data provided to identify the user of the memory card, a first protection information memory unit holding first protection information restricting access to memory card, and a second protection information memory unit holding second protection information restricting access for each content data. Memory card refers to the user ID data to identify the user of the reproduction apparatus of interest and prohibits any unauthorized user from changing first and second protection information.
    Type: Grant
    Filed: August 29, 2000
    Date of Patent: June 3, 2008
    Assignees: Fujitsu Limited, Hitachi, Ltd., Sanyo Electric Co., Ltd.
    Inventors: Masayuki Hatanaka, Jun Kamada, Takahisa Hatakeyama, Takayuki Hasebe, Seigou Kotani, Tadaaki Tonegawa, Takeaki Anazawa, Toshiaki Hioki, Miwa Kanamori, Yoshihiro Hori
  • Patent number: 7373664
    Abstract: Methods, apparati, and computer-readable media for detecting the presence of malicious computer code in a plurality of e-mails. In a method embodiment of the present invention, the following steps are performed for each e-mail: calculating a feature vector (80), said feature vector (80) being representative of a presence of at least one preselected feature in the e-mail; calculating at least one score (S) based upon said feature vector (80), each said score (S) being representative of a frequency of occurrence of an instance of a feature; determining whether any score (S) exceeds a preselected malicious threshold representative of malicious computer code; and when a score (S) exceeds a preselected malicious threshold, blocking said e-mail.
    Type: Grant
    Filed: December 16, 2002
    Date of Patent: May 13, 2008
    Assignee: Symantec Corporation
    Inventor: Timo S. Kissel
  • Patent number: 7367063
    Abstract: A controller of the computerized device monitors a configuration state of the computerized device by maintaining a record of the hardware or software configuration of the computerized device and recording, between user sessions, any detectable attachments or detachments of peripheral devices relative to the computerized device. The controller provides a two-level login procedure for the computerized device that ensures the user's high-security credentials are not presented to the controller until after the user has had the opportunity to be warned of detected configuration changes with respect to the computerized device. The controller provides a first login query to a user for a password. Upon reception of a successful first login response, the controller displays a warning screen that indicates, for example, whether the controller has detected any change to the hardware or software configuration of the computer since the user's last session.
    Type: Grant
    Filed: September 17, 2002
    Date of Patent: April 29, 2008
    Assignee: Cisco Technology, Inc.
    Inventor: James W. O'Toole, Jr.
  • Patent number: 7360080
    Abstract: The present invention relates to a method and system for securely proving ownership of pseudonymous or anonymous electronic credentials. A credential system is described consisting of users and organizations. An organization knows a user only by a pseudonym. The pseudonyms of the same user, established for use with different organizations, cannot be linked. An organization can issue a credential to a pseudonym, and the corresponding user can prove possession of this credential to another organization that knows him under another pseudonym. During the proof of possession of the credential, nothing besides the fact that he owns such a credential is revealed. A refinement of the credential system provides credentials for unlimited use, so-called multiple-show credentials, and credentials for one-time use, so-called one-show credentials.
    Type: Grant
    Filed: November 2, 2001
    Date of Patent: April 15, 2008
    Assignee: International Business Machines Corporation
    Inventors: Jan Leonhard Camnisch, Anna Lysyanskaya
  • Patent number: 7359508
    Abstract: A method for the secure application of a cryptographic algorithm of the RSA type in an electronic component obtains the value of a public exponent e from a given set of probable values, without a priori knowledge of that value. Having determined the value for the public exponent e, the application of countermeasures using the value of e, to block error attacks and side channel attacks, particularly of the DPA and SPA type, are carried out on the application of a private operation of the cryptographic algorithm.
    Type: Grant
    Filed: July 8, 2004
    Date of Patent: April 15, 2008
    Assignee: Gemplus
    Inventors: Karine Villegas, Marc Joye, Benoit Chevallier-Mames
  • Patent number: 7343627
    Abstract: The method and system which assure tight security over access to document data which is being handled in a system during scanning, copying, printing and faxing modes of operation. Security takes place with (1) substantially complete blockage of outside-world (network, telephone line) access to such data during the handling time, (2) prevention of any data writing to a hard-drive memory device, and (3) job-completion destruction of any data temporarily stored in a random access memory, before there is any post-job restoration to outside-world connectivity.
    Type: Grant
    Filed: April 29, 2002
    Date of Patent: March 11, 2008
    Assignee: Sharp Laboratories of America, Inc.
    Inventors: Gary Lin Gaebel, Sara Lynn Leslie
  • Patent number: 7321658
    Abstract: An encryptor/decryptor capable of achieving secure cryptographic communication by applying appropriate padding to a cryptosystem such as NTRU cryptosystems. When an n-bit plaintext M is received, the OAEP+ padding is applied thereto. According to a conversion rule or a conversion function A that satisfies the conditions as described below, two bit strings m and r are obtained from the result of the OAEP+ padding. The conversion function A is a map to map a bit string consisting of k bits or less to the element of Lm×Lr, where Lm is the scope of m and Lr is the scope of r. The conversion function A should satisfy the following conditions: A is injective; A and the inverse map thereof can be computed by a polynomial time; and if an encryption function is denoted by E(m,r), a map E: A(X)→Le is a one-way function, where X is the scope of (m,r) and Le is the space of the entire ciphertext. After a bit string is divided into the two bit strings m and r, e=Er(m) is computed to be encrypted.
    Type: Grant
    Filed: March 23, 2005
    Date of Patent: January 22, 2008
    Assignee: NEC Corporation
    Inventor: Isamu Teranisi
  • Patent number: 7318155
    Abstract: A method and system is presented for configuring a group of OCSP (Online Certificate Status Protocol) responders so that they are highly available. Each of the grouped OCSP responders shares a common public key. When responding to an OCSP request, an OCSP responder generates an OCSP response that is signed with a group digital signature; the certificate for the common or group public key can be attached to the OCSP response. An OCSP client uses the group public key to verify the group digital signature on an OCSP response from any of the OCSP responders. For an OCSP client, the availability of this group of responders is greater than the availability of any one member of the group.
    Type: Grant
    Filed: December 6, 2002
    Date of Patent: January 8, 2008
    Assignee: International Business Machines Corporation
    Inventor: Krishna K. Yellepeddy
  • Patent number: 7305557
    Abstract: Digital Fingerprints are generated for data objects in a system where separate annotation files are created for data objects. This permits cross heterogeneous system relationship of a data object with associated annotations. The digital fingerprint is saved in an annotation store along with a first relationship between the digital fingerprint and the location of annotations as well as a second relationship between the digital fingerprint and location of copies of the data object. The digital fingerprint can be generated by any system that has a copy of the data object. Annotations or data objects can be found by searching for the digital fingerprint and its relationships.
    Type: Grant
    Filed: June 20, 2003
    Date of Patent: December 4, 2007
    Assignee: International Business Machines Corporation
    Inventors: Jordi Albornoz, Lee D. Feigenbaum, Sean J. Martin, Simon L. Martin, Lonnie A. McCullough, Elias Torres
  • Patent number: 7299350
    Abstract: A system for improved decryption performance includes a computer in electronic communication with an encrypted network. A controller performs a decryption operation on an encrypted packet received from the network, and the computer asserts an interrupt prior to the system completing transfer of the decrypted packet back to host memory to reduce the additional latency a packet suffers during Secondary Use. An additional interrupt may be asserted after the Secondary Use operation is complete, to ensure that the Secondary Use packet is processed. A method for improving decryption performance similarly includes asserting an interrupt prior to the complete transfer of a decrypted packet from a controller back to host memory during Secondary Use. The method may further include asserting an additional interrupt after the Secondary Use operation is complete, to ensure that the Secondary Use packet is processed.
    Type: Grant
    Filed: January 17, 2002
    Date of Patent: November 20, 2007
    Assignee: Intel Corporation
    Inventors: Patrick L Connor, Linden Minnick
  • Patent number: 7299498
    Abstract: A system and method of sharing digital literary works while protecting against an illegal reproduction through a communication network is disclosed. The system comprises a data communication network, a list providing server, at least one agent server, at least one user terminal, a main server, at least one sub-server, a premise communication network, and a network interface unit. The system is advantageous in that it enables users to share digital literary works produced for publicity, works having a low quality, or encrypted digital literary works through the network against a distribution of illegally reproduced digital literary works having the same quality as original literary works through a Sharing Web, thus preventing a reduction of sales amounts of original literary works due to such illegal reproductions.
    Type: Grant
    Filed: October 15, 2001
    Date of Patent: November 20, 2007
    Assignee: Loudeye Corp.
    Inventors: Cheol-Woong Lee, Chang-Young Lee