Abstract: A selective encryption encoder and method of dual selective encryption. The selective encryption encoder has a packet identifier that identifies packets of at least one specified packet type, the at least one specified packet type being any of a plurality of packet types including packets containing a video slice headers or packets carrying data appearing in an active area of the image. A packet duplicator duplicates the identified packets to produce first and second sets of the identified packets. The packets are sent to and from a primary encryption encoder to encrypt the first set of identified packets under a first encryption method. A secondary encrypter encrypts the second set of identified packets under a second encryption method.

Abstract: In accordance with one aspect of attesting to a value of a register and/or memory region, an operating system of a device receives a request, in response to an ATTEST operation being invoked, to make a signed attestation of a value. The operating system signs a statement that includes the value using a private key of a pair of public and private keys of a processor of the device. The value may be stored in a register and/or a region of memory.

Abstract: A digital watermark is added to audio or visual content. An illustrative embodiment segments the content, permutes the segments, and transforms such data into another domain. The transformed data is altered slightly to encode a watermark. The altered data can then be inverse-transformed, and inverse-permuted, to return same to substantially its original form. Related watermark decoding methods are also detailed, as are ancillary features and techniques.

Abstract: A method and apparatus for distributing keys in a multicast domain is provided. In a secure multicast domain, a request to join a multicast group for a time period occurs. A key distributor which controls access to the multicast data group determines if the request will be accepted. If the request is accepted the key distributor assigns the member to a virtual channel, wherein each virtual channel is defined by a time period. A data group key is forwarded to the member as is a virtual channel key. The member can then receive and decode events from the data group on the assigned virtual channel.

Abstract: A system and method for enabling a remote control to automatically and dynamically set-up a V-chip in a consumer appliance. The remote control is configured with an ID code which ID code is transmittable to the consumer appliance. Within the consumer appliance is stored a plurality of V-chip parameter tables. The consumer appliance is responsive to the ID code transmittable by the remote control to select one of the plurality of V-chip parameter tables to be used by the V-chip to determine accessibility to programming.

Abstract: An intrusion detection system (IDS). An IDS which has been configured in accordance with the present invention can include a traffic sniffer for extracting network packets from passing network traffic; a traffic parser configured to extract individual data from defined packet fields of the network packets; and, a traffic logger configured to store individual packet fields of the network packets in a database. A vector builder can be configured to generate multi-dimensional vectors from selected features of the stored packet fields. Notably, at least one self-organizing clustering module can be configured to process the multi-dimensional vectors to produce a self-organized map of clusters. Subsequently, an anomaly detector can detect anomalous correlations between individual ones of the clusters in the self-organized map based upon at least one configurable correlation metric. Finally, a classifier can classify detected anomalous correlations as one of an alarm and normal behavior.

Abstract: The present invention relates to digital signature operations using public key schemes in a secure communications system and in particular for use with processors having limited computing power such as ‘smart cards’. This invention describes a method for creating and authenticating a digital signature comprising the steps of selecting a first session parameter k and generating a first short term public key derived from the session parameter k, computing a first signature component r derived from a first mathematical function using the short term public key, selecting a second session parameter t and computing a second signature component s derived from a second mathematical function using the second session parameter t and without using an inverse operation, computing a third signature component using the first and second session parameters and sending the signature components (s, r, c) as a masked digital signature to a receiver computer system.

Abstract: A system and method of designing a secure solution which meets the needs of a customer but which is appropriate and repeatable and may use components which are insecure or not trusted. In its preferred embodiment, the security system includes subsystems selected from access control, information flow, identity and credentials management, integrity and assurance In each subsystem, elements are employed to reduce the effect of perils and to provide a repeatable system design.

Abstract: A method and apparatus for selectively enforcing network security policy using group identifiers are disclosed. One or more access controls are created and stored in a policy enforcement point that controls access to the network, wherein each of the access controls specifies that a named group is allowed access to a particular resource. A binding of a network address to an authenticated user of a client, for which the policy enforcement point controls access to the network, is created and stored. The named group is updated to include the network address of the authenticated user at the policy enforcement point. A packet flow originating from the network address is permitted to pass from the policy enforcement point into the network only if the network address is in the named group identified in one of the access controls that specifies that the named group is allowed access to the network.

Abstract: A sender computer maps a randomized concatenation of a message ? to a point “x” in space using a function that renders it infeasible that a second message can be mapped nearby the message ?. The function can be a collision intractable or non-collision intractable function that maps the message to a point “x” on a widely-spaced grid, or the function can map the message to a point “x” of an auxiliary lattice. In either case, the sender computer, using a short basis (essentially, the private key) of a key lattice finds a lattice point “y” that is nearby the message point “x”, and then at least the points “x”, “y”, and message are sent to a receiver computer. To verity the signature, the receiver computer simply verifies that “y” is part of the lattice using a long basis (essentially, the public key), and that the distance between “x” and “y” is less than a predetermined distance, without being able or having to know how the lattice point “y” was obtained by the sender computer.

Abstract: A method and apparatus are disclosed for improving public key encryption and decryption schemes that employ a composite number formed from three or more distinct primes. The encryption or decryption tasks may be broken down into sub-tasks to obtain encrypted or decrypted sub-parts that are then combined using a form of the Chinese Remainder Theorem to obtain the encrypted or decrypted value. A parallel encryption/decryption architecture is disclosed to take advantage of the inventive method.

Abstract: A method and apparatus for managing access to a signal representative of an event of a service provider, including receiving said signal in a smart card, said signal being scrambled using a scrambling key, receiving, in said smart card, data representative of a first share; constructing said scrambling key using said first share and at least one additional share, said additional share being stored in said smart card; and descrambling said signal using said constructed scrambling key to provide a descrambled signal, wherein the step of constructing said scrambling key comprises calculating the Y-intercept of the line formed on said Euclidean plane by said first, and said at least one additional share.

Abstract: A method and apparatus for data security for a distributed file system. A distributed file system interface is coupled to the one or more client applications, and a storage server and a meta-data server are coupled to the distributed file system interface. The meta-data server receives open-file requests from the distributed file system interface and in response creates a security object. The meta-data server also generates an partial encryption key and stores the partial encryption key in the security object. The block storage server completes the encryption key, and the meta-data server encrypts the list of blocks that are in the file and stores the encrypted block list in the security object. The security object is then returned to the distributed file interface and used in subsequent file access requests.

Abstract: A secure system and method for managing and monitoring remote devices preferably includes periodic pulling of configuration information from an accessible platform rather than pushing information from a central site. In one implementation, an electronic mail system is used as a staging platform in combination with a defined polling arrangement to transfer encrypted configuration information in a robust and secure method for updating remote device configurations.

Abstract: A console-based multi-user authentication process allows multiple users of a game console to be authenticated together in a single request/reply exchange with an authentication entity. The results of which is the possession of a single ticket that can be used to prove authenticity of multiple authentication principals to one or more online services. Also described is a handshake process that can be used to initially establish an authentication account for each game console, in which the account creation server can trust that a genuine game console is making the request.

Abstract: A method for mutual authentication of components in a network using a challenge-response method, including the steps of requesting at least one data pair including a first random number and a first response from an authentication center, passing the first random number to a terminal which uses an internally stored key and the first random number to calculate the first response, sending the calculated first response to the network, sending a second random number from the terminal to the network, and responding to the second random number with a second response calculated in the authentication center. The first response sent from the terminal to the network is also used as the second random number, and the network has previously requested the second response from the authorization center together with the first random number and the first response as a triplet data set.

Abstract: A method and apparatus for authenticating a message, said method including receiving, at a device, data representative of a first share, constructing a key using said first share and at least two additional shares, said at least two additional shares being stored at said device; and authenticating a message using said constructed key.

Abstract: A first communication network is used to securely communicate a key that is used for communications over a different network. In one embodiment, a CDMA network is used to securely communicate a key that is used for communications in a data network. The key used in the data network may be used for authentication and/or enciphering or encryption.

Abstract: A method and apparatus for adding and updating protocol inspection knowledge/information to a firewall system during operation and without interrupting firewall services. The invention allows inspection modules, which contain protocol information, to be added and updated to the system without requiring a service restart of the firewall system.

Abstract: Methods, systems, and computer program products for negotiating a secure end-to-end connection using a proxy server as an intermediary. The client first negotiates a secure connection between the client and the proxy so that any credentials exchanged will be encrypted. After the exchange of authentication credentials, the secure client-proxy connection is altered so that no further encryption takes place. The client and server then negotiate a secure end-to-end connection through the proxy, with the secure end-to-end connection being encapsulated within the insecure client-proxy connection. In this way, the overhead of creating a separate client-proxy connection for the secure end-to-end connection may be avoided, but the insecure client-proxy connection introduces only minimal overhead because it no longer encrypts any data that it carries.