Patents Examined by Paula Klimach
  • Patent number: 7174457
    Abstract: A general-purpose processor (CPU) is configured with a new mechanism facilitating an authenticated boot sequence that provides building blocks for client-side rights management when the system is online, and provides continued protection of persistent data even when the system goes offline or is rebooted. The CPU includes a cryptographic key pair, and a manufacturer certificate testifying that the manufacturer built the CPU according to a known specification. The operating system (OS) includes a unique block of code, or “boot block” that can establish OS identity by extraction from a digitally signed boot block or by computing a hash digest of the boot block. During booting, the CPU executes a single opcode, followed by the boot block, as an atomic operation to set the identity of the OS into the software identity register. The subscriber unit then can establish a chain of trust to a content provider.
    Type: Grant
    Filed: March 10, 1999
    Date of Patent: February 6, 2007
    Assignee: Microsoft Corporation
    Inventors: Paul England, John D. DeTreville, Butler W. Lampson
  • Patent number: 7162740
    Abstract: A method for defending a host, which is coupled to the Internet via a defensive firewall/router, against a denial of service attack, comprises periodically determining the status of the host; storing the status of the host; receiving at the defensive firewall/router a request from an entity on the Internet for service from the host; and responding to the entity in accordance with the stored status. The period that is set is not related to the request.
    Type: Grant
    Filed: July 22, 2002
    Date of Patent: January 9, 2007
    Assignee: General Instrument Corporation
    Inventor: Donald E. Eastlake, III
  • Patent number: 7142668
    Abstract: If a condition which can be intuitively hit upon, such as the bit length of a prime number or an extension degree is designated, the expression data of a finite field corresponding to the condition can be automatically generated, and a finite field operation can be performed using the expression data.
    Type: Grant
    Filed: February 14, 2000
    Date of Patent: November 28, 2006
    Assignee: Fujitsu Limited
    Inventor: Jun Kogure
  • Patent number: 7137009
    Abstract: A method and apparatus in a data processing system for providing access to resources within the data processing system. A request is received from a requestor to access a resource in the data processing system. A cookie is sent to the requestor, wherein the cookie is used to access the resource. An identification of the requestor and the cookie is stored to form a stored identification and a stored cookie. Responsive to receiving a subsequent cookie from a source, an identification of the source and the cookie is compared with the stored identification and the stored cookie. Responsive to a match between the identification of the source and the cookie and the stored identification and the stored cookie, access to the resource is allowed.
    Type: Grant
    Filed: January 6, 2000
    Date of Patent: November 14, 2006
    Assignee: International Business Machines Corporation
    Inventors: Sharon M. Gordon, Gerald Francis McBrearty, Shawn Patrick Mullen, Johnny Meng-Han Shieh
  • Patent number: 7137007
Abstract: A burden caused by handling a large number of unique identifying information pieces such as authentication keys is to be lightened from both the user side and the protector side such as application creators. A proof data verification device sends authentication data to a proof data generation device. Signature data generation means and presignature data generation means in the proof data generation device cooperate with each other to generate proof data (a signature based on a discrete logarithm problem) from the received authentication data as well as held user unique identifying information and an access ticket, and send the proof data back to the proof data verification device. Verification means in the proof data verification device verify the signature, and if the verification is successful, the execution of the program is allowed.
    Type: Grant
    Filed: February 28, 2001
    Date of Patent: November 14, 2006
    Assignee: Fuji Xerox Co., Ltd.
    Inventors: Taro Terao, Rumiko Kakehi
  • Patent number: 7133522
    Abstract: A method for encryption and decryption of data items is provided by defining a cipher key based on variables in a Chaotic Equation. The method includes selecting a Chaotic Equation (110) from a set of Chaotic Equations, defining starting conditions of the variables of the equation (140), and applying the equation to each data item (120). The real and imaginary parts of the result of the iteration of the Chaotic Equation are combined with the data item by an arithmetic operation, for example, an XOR operation (120). Data items in a continuous stream with a rate dependency can be encrypted and decrypted on an item by item basis. The input or cipher key changes for each byte of the data encryption. Blocks of data (700, 701, 702, 703, 704) can be encrypted using the method with an identifier of the order of the blocks in the data stream. If blocks are received out of sequence, the identifiers can be used to maintain the correct decryption order.
    Type: Grant
    Filed: February 14, 2002
    Date of Patent: November 7, 2006
    Assignee: International Business Machines Corporation
    Inventor: Howard S. Lambert
  • Patent number: 7117369
    Abstract: A portable profile carrier stores and securely transports a user's profile and data files from one computer to the next. The profile carrier is a two-component system comprising a smart card and a memory device. The smart card protects access to the memory device and authenticates a user via a passcode challenge. The composite profile carrier enables access to the user profile on the memory device when the smart card is present and the user is authenticated, and disables access when the smart card is absent or the user is not authenticated.
    Type: Grant
    Filed: May 3, 1999
    Date of Patent: October 3, 2006
    Assignee: Microsoft Corporation
    Inventors: Gregory Burns, Giorgio J. Vanzini
  • Patent number: 7113593
Abstract: A method and apparatus for performing cryptographic computations employing recursive algorithms to accelerate multiplication and squaring operations. Products and squares of long integer values are recursively reduced to a combination of products and squares of reduced-length integer values in a host processor. The reduced-length integer values are passed to a co-processor. The values may be randomly ordered to prevent disclosure of secret data.
    Type: Grant
    Filed: March 6, 2001
    Date of Patent: September 26, 2006
    Assignee: Ericsson Inc.
    Inventors: Paul W. Dent, Ben Smeets, William J. Croughwell, III
  • Patent number: 7103910
    Abstract: The legitimacy of an untrusted mechanism is verified by submitting a first set of information and a second set of information to the untrusted mechanism in an unpredictable sequence. For each submission of either the first set or the second set of information, a response is received from the untrusted mechanism. Each response is tested to determine if the response is correct for the information set submitted. If any of the responses from the untrusted mechanism is incorrect, then it is determined that the untrusted mechanism is not legitimate. Because the submission sequence is unpredictable, it is highly difficult if not impossible for an illegitimate untrusted mechanism to “fake” proper responses. As a result, this verification process provides an effective means for testing and verifying the legitimacy of the untrusted mechanism.
    Type: Grant
    Filed: January 14, 2000
    Date of Patent: September 5, 2006
    Assignee: Sun Microsystems, Inc.
    Inventors: Sharon S. Liu, Jan Luehe
  • Patent number: 7093300
Abstract: In the event that an electronic apparatus having a security function is forcibly put into an inoperable state because electric power is shut off once by an operation equivalent to theft, the inoperable state can be canceled by using a code notified by the dealer by telephone, without carrying the electronic apparatus to its dealer. After electric power is supplied again, the vehicle-mounted compact disc (abbreviated as CD) reproduction apparatus is used to play back a CD, and its TOC information is used as a judgment identification code C1. When the code C1 is identical to the authorized identification code A21, the electronic apparatus is made operable. In order to cancel the inoperable state after the number of inconsistencies becomes 10 or more, the individual code A22 of an EEPROM 21 is indicated and notified to the dealer. The dealer carries out a calculation using the individual code A22, and the result B2 of the calculation is notified to the user. The user inputs the calculation result B2.
    Type: Grant
    Filed: July 26, 1999
    Date of Patent: August 15, 2006
    Assignee: Fujitsu Ten Limited
    Inventors: Minoru Harada, Hiroyuki Watabe, Masaru Kamino
  • Patent number: 7089593
    Abstract: There is furnished a method for providing an individual temporary access to a commonly accessible computer processing system (CA computer). The CA computer has a plurality of application programs associated therewith. The method includes the step of detecting the coupling of a portable storage device to the CA computer. The storage device has stored therein an access code for indicating whether the user is authorized to temporarily access the CA computer and information including computing preferences of the individual. It is determined whether the individual is authorized to temporarily access the CA computer, based on the access code. The CA computer is modified in accordance with the information stored in the storage device and temporary access is provided to the CA computer, when the individual is authorized to temporarily access the CA computer. The activity of at least one of the individual and the CA computer is monitored, until the storage device is de-coupled from the CA computer.
    Type: Grant
    Filed: September 1, 1999
    Date of Patent: August 8, 2006
    Assignee: International Business Machines Corporation
    Inventors: Nicholas R. Dono, Bengt-Olaf Schneider
  • Patent number: 7085923
Abstract: A distributed data processing system, computer program product, and method of efficiently serving secure network transactions is disclosed. The present invention achieves efficiency and scalability by distributing the work load involved in secure network communications among three classes of servers: inline crypto engines for performing encryption and decryption, dedicated handshake engines for establishing cryptographic parameters, and transaction servers for actually servicing the transactions. The server system can be scaled so that more resource-intensive operations, such as the handshaking procedure, can be distributed across a larger number of servers than less resource-intensive operations. In addition, an added benefit is realized by having transaction servers operate on unencrypted data in that a packet-sniffing firewall or site-wide web document caching system may be implemented, whereas such features were previously unavailable to secure Internet sites.
    Type: Grant
    Filed: June 5, 2001
    Date of Patent: August 1, 2006
    Assignee: International Business Machines Corporation
    Inventor: Ronald Mraz
  • Patent number: 7073071
    Abstract: Briefly, one embodiment of a platform for generating and utilizing a protected audit log is described. The platform comprises a system memory and a memory to contain an audit log. The audit log includes a plurality of single-write, multiple read entries. At least one of the entries of the audit log includes stored data integrity information loaded into the system memory during its power cycle.
    Type: Grant
    Filed: March 31, 2000
    Date of Patent: July 4, 2006
    Assignee: Intel Corporation
    Inventors: Carl M. Ellison, Roger A. Golliver, Howard C. Herbert, Derrick C. Lin, Francis X. McKeen, Gilbert Neiger, Ken Reneris, James A. Sutton, Shreekant S. Thakkar, Millind Mittal
  • Patent number: 7017186
    Abstract: An intrusion detection system (IDS). An IDS which has been configured in accordance with the present invention can include a traffic sniffer for extracting network packets from passing network traffic; a traffic parser configured to extract individual data from defined packet fields of the network packets; and, a traffic logger configured to store individual packet fields of the network packets in a database. A vector builder can be configured to generate multi-dimensional vectors from selected features of the stored packet fields. Notably, at least one self-organizing clustering module can be configured to process the multi-dimensional vectors to produce a self-organized map of clusters. Subsequently, an anomaly detector can detect anomalous correlations between individual ones of the clusters in the self-organized map based upon at least one configurable correlation metric. Finally, a classifier can classify detected anomalous correlations as one of an alarm and normal behavior.
    Type: Grant
    Filed: July 30, 2002
    Date of Patent: March 21, 2006
    Assignee: Steelcloud, Inc.
    Inventor: Christopher W. Day
  • Patent number: 6996841
    Abstract: Methods, systems, and computer program products for negotiating a secure end-to-end connection using a proxy server as an intermediary. The client first negotiates a secure connection between the client and the proxy so that any credentials exchanged will be encrypted. After the exchange of authentication credentials, the secure client-proxy connection is altered so that no further encryption takes place. The client and server then negotiate a secure end-to-end connection through the proxy, with the secure end-to-end connection being encapsulated within the insecure client-proxy connection. In this way, the overhead of creating a separate client-proxy connection for the secure end-to-end connection may be avoided, but the insecure client-proxy connection introduces only minimal overhead because it no longer encrypts any data that it carries.
    Type: Grant
    Filed: April 19, 2001
    Date of Patent: February 7, 2006
    Assignee: Microsoft Corporation
    Inventors: Donald J. Kadyk, Neil S. Fishman, Marc E. Seinfeld, Michael Kramer
  • Patent number: 6996719
    Abstract: The invention provides a mechanism for a secure password entry by using cryptographic functions. This mechanism is applicable to the access of computers and programs. Upon a request of a program E a password p is read-in by receiving a program-specific identifier H(E) from the program E, receiving the password p, and generating from at least the program-specific identifier H(E) and the received password p a program-password-specific identifier F(H(E),p). The program-password-specific identifier F(H(E),p) is sent to the program E which then further processes the program-password-specific identifier F(H(E),p).
    Type: Grant
    Filed: March 14, 2001
    Date of Patent: February 7, 2006
    Assignee: International Business Machines Corporation
    Inventor: James Riordan
  • Patent number: 6947562
    Abstract: In an electronic watermark detecting/inserting device which includes an electronic watermark detecting section (30) for detecting a first electronic watermark from a first DCT coefficient of an input digital image to produce a request for insertion of a second electronic watermark and an electronic watermark inserting section (20) for producing, in response to the request for insertion of the second electronic watermark, an output digital image which includes the first electronic watermark inserted therein and the second electronic watermark inserted subsequently to the first electronic watermark in the output digital image and which has the second DCT coefficient, a second DCT coefficient producing section (40) produces the second DCT coefficient from the output digital image. A DCT coefficient supplying section (50) supplies the second DCT coefficient from the second DCT coefficient producing section to the electronic watermark detecting section.
    Type: Grant
    Filed: January 23, 2001
    Date of Patent: September 20, 2005
    Assignee: NEC Corporation
    Inventor: Masahiro Hashimoto
  • Patent number: 6944762
    Abstract: Data messages transmitted between computers are encrypted to provide a high level of security, yet the throughput of the encrypted data is minimally affected. In this regard, a first computer encrypts a data portion of a message via a first encryption technique before transmitting the message to a second computer. The first computer also includes information associated with the first encryption technique in a header of the message and encrypts the header via a second encryption technique, which preferably is a highly secure encryption technique. The second computer receives the data message and decrypts the header. The second computer then utilizes the information in the header that is associated with the first encryption technique to decrypt the data portion.
    Type: Grant
    Filed: September 3, 1999
    Date of Patent: September 13, 2005
    Assignee: Harbor Payments Corporation
    Inventor: Greg B. Garrison
  • Patent number: 6940977
    Abstract: Device ID detecting means detects an ID of a device on another party. Next, it is checked whether the device ID is included in historical information stored in authentication histories storing means. If the device ID is included in the historical information, authenticating means performs authentication with authenticating means on another party. Thereafter, when an AV data transmission direction is provided from a user to command input means, the command is notified through command control means to AV data transmitting means which starts transmission of AV data.
    Type: Grant
    Filed: September 24, 1999
    Date of Patent: September 6, 2005
    Assignee: NEC Corporation
    Inventor: Koji Manabe
  • Patent number: 6938165
    Abstract: An IC card and a method thereof for adding or changing a program for a memory for writing without adversely affecting the function of the IC card and by keeping the security of a program to be written later by restricting writing by a write control program having a decryption function or a program code conversion function.
    Type: Grant
    Filed: August 22, 2001
    Date of Patent: August 30, 2005
    Assignees: Hitachi, Ltd., Hitachi Video and Information Systems, Inc.
    Inventors: Masayuki Inoue, Shigeyuki Itoh, Yutaka Takami, Kenji Matsumoto