Patents Examined by Randal Moran
  • Patent number: 8423786
    Abstract: A biometrics authentication device which detects body characteristics, performs verification against registered biometrics data, and performs individual authentication, by which confidentiality is improved even when biometrics data is separated, distributed and stored. A biometrics information key is created from biometrics data detected by a detection device, the biometrics data is divided into a plurality of portions, and the portions are stored on different media. The biometrics information key is stored on one media, and at the time of authentication, the separated biometrics data portions are combined and a biometrics information key is created and is compared with the biometrics information key, to judge the linked relationship. Hence confidentiality of the association of the individual separated data portions can be improved even when the biometrics data is separated, distributed and stored, contributing to prevent illicit use resulting from leakage or theft of biometrics data.
    Type: Grant
    Filed: September 11, 2007
    Date of Patent: April 16, 2013
    Assignees: Fujitsu Limited, Fujitsu Frontech Limited
    Inventors: Kazuo Takaku, Yasuhiko Mita, Naoko Suzuki, Shinya Iwasaki, Masayuki Yano, Ikuo Mutou
  • Patent number: 8407766
    Abstract: A method and apparatus for monitoring sensitive data on a computer network is described. In one embodiment, a method for protecting sensitive data from being leaked to a computer network comprises monitoring data related to a user that is presented on one or more web pages through a common interface, which enables a search for sensitive data on the one or more web pages of the one or more web sites and determining a disclosure of the sensitive data on a web page of one or more web pages.
    Type: Grant
    Filed: March 24, 2008
    Date of Patent: March 26, 2013
    Assignee: Symantec Corporation
    Inventors: Keith Newstadt, Adam P. Schepis, Shaun Cooley
  • Patent number: 8379858
    Abstract: A method for generating key information for mutual access among multiple computers, the method including configuring each of a plurality of computers to access common seed data, where the common seed data is the same for each of the computers, and configuring each of the computers to intercept a key generator request for computer-specific seed data and, in response to the request, provide the common seed data to the key generator in place of the computer-specific seed data, thereby enabling any of the computers to generate the same key information.
    Type: Grant
    Filed: September 16, 2005
    Date of Patent: February 19, 2013
    Assignee: International Business Machines Corporation
    Inventor: Shmuel Ben-Yehuda
  • Patent number: 8375211
    Abstract: An XML digital signature mechanism for providing message integrity. A sending party serializes a source XML document into a serialized byte array, calculates the source offset and length of the array of the signed part in the serialized byte array, and calculates a source hash value using the serialized array and the source offset and length. The serialized byte array is a non-canonicalized array. The array and source hash value used to sign a part or the whole of the serialized byte array is sent to a receiving party. The receiving party calculates the target offset and length of the signed part in the serialized byte array and calculates a target hash value of the signed part by using the array and the target offset and length. The receiving party compares the target hash value and the source hash value to verify the integrity of the target XML document.
    Type: Grant
    Filed: April 21, 2009
    Date of Patent: February 12, 2013
    Assignee: International Business Machines Corporation
    Inventors: Hyen Vui Chung, Takahide Nogayama, Gregory Louis Truty, Kenichiro Ueno
  • Patent number: 8340283
    Abstract: A client generates a session key and a delegation ticket containing information for a requested delegation operation. The client generates a first copy of the session key and encrypts it using a public key of a proxy. The client generates a second copy of the session key and encrypts it using a public key of a server. The client then puts the encrypted session keys and delegation ticket into a first message that is sent to the proxy. The proxy extracts and decrypts its copy of the session key from the first message. The proxy then encrypts a proof-of-delegation data item with the session key and places it and the delegation ticket along with the encrypted copy of the session key for the server into a second message, which is sent to the server. The server extracts and decrypts its copy of the session key from the second message and uses the session key to obtain the proof-of-delegation data. Authority is successfully delegated to the proxy only if the server can verify the proof-of-delegation data.
    Type: Grant
    Filed: June 30, 2004
    Date of Patent: December 25, 2012
    Assignee: International Business Machines Corporation
    Inventors: Anthony Joseph Nadalin, Bruce Arland Rich, Xiaoyan Zhang
  • Patent number: 8332658
    Abstract: A computer system in which an encryption-decryption process performed by one encryption-decryption module can be moved to another without stopping the process for a read/write request from a host computer. The computer system has a host computer, and a storage system for storing encrypted data. The storage system provides a storage area for accepting access from the host computer. In performing a process for changing the data encrypted and stored by the destination source, the move destination encrypts the data decrypted by the move source which further encrypts and stores the data encrypted by the move destination, and after all data is stored, the move source decrypts and stores the further encrypted data.
    Type: Grant
    Filed: January 3, 2008
    Date of Patent: December 11, 2012
    Assignee: Hitachi, Ltd.
    Inventors: Kyoko Mikami, Nobuyuki Osaki, Yuri Hiraiwa
  • Patent number: 8312513
    Abstract: After checking a receiving message appearing on an output device, a network administrator inputs an authentication result to a setting terminal using an input device, such as a keyboard. Upon receiving the authentication result from the network administrator, the setting terminal registers, if the received authentication result is permission to access a network device, a MAC address of a traveling employee's terminal that is the sender of the authentication request in the network device as an access permitted terminal. After the registering in the network device is completed, the setting terminal sends the authentication result indicative of permission to access the network device to the employee's terminal, i.e., the sender of the authentication request.
    Type: Grant
    Filed: December 31, 2009
    Date of Patent: November 13, 2012
    Assignee: Fujitsu Limited
    Inventors: Makoto Kubota, Kenichi Abiru
  • Patent number: 8301893
    Abstract: The present invention relates generally to digital watermarking and steganographic encoding. One claim recites a method including: receiving data corresponding to at least a portion of digital data; separating the data into a plurality of portions; determining a measure relative to a predetermined measure for each of the portions, wherein the measure comprises a measure related to a predetermined digital watermark signal; based at least in part on the measure, identifying which out of the plurality of portions are likely to host digital watermarking therein. Of course, other combinations are provided as well.
    Type: Grant
    Filed: October 23, 2007
    Date of Patent: October 30, 2012
    Assignee: Digimarc Corporation
    Inventor: Trent J. Brundage
  • Patent number: 8302202
    Abstract: An apparatus, system, and method are disclosed that provides a user-specific transportable computing environment. The apparatus, system, and method facilitate users configuring their own personal computing environment on a properly configured computing host. Users can insert a personal environment key into the computing host and automatically activate and configure any software they are licensed to use. The personal environment key may include all the data, licenses, and keys necessary to activate software that the user has rights to use.
    Type: Grant
    Filed: August 3, 2005
    Date of Patent: October 30, 2012
    Assignee: International Business Machines Corporation
    Inventor: Colin Scott Dawson
  • Patent number: 8296821
    Abstract: Each domain is provided with an access right management device which creates a resource-sharing policy and performs processing for resource-sharing policy negotiation between a plurality of domain administrators. An access right management device that has created a resource-sharing policy identifies, for each policy unit included in the resource-sharing policy, an access right management device that is a negotiating partner to negotiate with about the policy unit in question. The access right management device generates negotiation information including an identification name of the identified negotiating-partner access right management device and the policy unit in question and sends the negotiation information to the negotiating-partner access right management device. Only when all policy units are agreed on by respective identified negotiating-partner access right management devices, the resource-sharing policy is set on shared resources.
    Type: Grant
    Filed: February 8, 2008
    Date of Patent: October 23, 2012
    Assignee: NEC Corporation
    Inventor: Masayuki Nakae
  • Patent number: 8290148
    Abstract: An encryption processing apparatus for performing common-key blockcipher processing, the encryption processing apparatus includes an encryption processing part that performs data transformation in which a round function is iterated for a plurality of rounds; and a key scheduling part that generates round keys used to execute the round function. The key scheduling part is configured to repeatedly apply an x^s times multiplication over an extension field GF(2^m), generated by an m-th order irreducible polynomial f(x) defined over GF(2), to an m-bit intermediate key generated by transformation of a secret key to generate a plurality of different round intermediate keys serving as data for generating a plurality of different round keys.
    Type: Grant
    Filed: August 29, 2007
    Date of Patent: October 16, 2012
    Assignee: Sony Corporation
    Inventors: Toru Akishita, Taizo Shirai, Kyoji Shibutani, Shiho Moriai
  • Patent number: 8285996
    Abstract: A database management system (1) comprises up to fifty or more workstations (2), each for a user. The environment may, for example, be a hospital and the system manages medical records in a secure manner. Each user has a private key issued by a KGC (5). A database controller (3) updates a secure database (3) with data and associated signatures generated by the user workstations (2). Thus every record of the secure database (3) has a signature to provide full traceability and non-repudiation of data edits/updates. It is important for the system (1) that the signatures are verified on a regular basis, say every hour. Such a task would be extremely processor-intensive if the database (3) is large. However this is performed by a verification processor (4) of the system (1) in a much shorter time than heretofore, t1+n(Δ), where t1 is the time for one verification, n is the number of signatures, and Δ is a time value which is a very small proportion of t1 (less than 1%).
    Type: Grant
    Filed: September 28, 2006
    Date of Patent: October 9, 2012
    Assignee: Dublin City University
    Inventors: Noel McCullagh, Michael Scott, Neil Costigan
  • Patent number: 8261063
    Abstract: Processing apparatus, such as a trusted platform, is provided with an access-control arrangement for handling a tree-structured hierarchy such as a key hierarchy. The access-control arrangement only permits access to a particular node of the hierarchy upon receiving a reliable indication that a mechanism expected to resist subversion will attempt to enforce appropriate access restrictions on that node. Such a mechanism is, for example, a protected process executing in a benign environment in the apparatus. The indication that the mechanism is in place is provided by a trusted source, such as a hardware root of trust responsible for initiating the mechanism. Access to the particular node opens the way to revealing that node, and any descendants, to the protected process.
    Type: Grant
    Filed: October 16, 2003
    Date of Patent: September 4, 2012
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventor: Graeme John Proudler
  • Patent number: 8245293
    Abstract: The present invention provides methods and apparatuses that utilize a plurality of portable apparatuses to securely operate a plurality of host computers. Each portable apparatus including an operating system and a list of software applications is installed in a removable data storage medium. An authorization procedure is implemented before establishing a connected-state operation between a portable apparatus and a host computer. The host computer loads the operating system in the portable apparatus into its random access semiconductor memory (RAM) through the established connected-state operation.
    Type: Grant
    Filed: March 30, 2007
    Date of Patent: August 14, 2012
    Inventor: Evan S. Huang
  • Patent number: 8220055
    Abstract: A method includes decreasing a suspicion of a negative action by an application if the application has previously performed a positive action. The positive action is an action that is never or rarely taken by malicious code. In one example, the positive action is use of a user interface element by the application to have a user interaction with a user of the computer system. By taking into consideration the positive action by the application, the occurrence of false positives is minimized.
    Type: Grant
    Filed: February 6, 2004
    Date of Patent: July 10, 2012
    Assignee: Symantec Corporation
    Inventor: Mark K. Kennedy
  • Patent number: 8191139
    Abstract: A computer/computer network security alert management system aggregates information from multiple intrusion detectors. Utilizing reports from multiple intrusion detectors reduces the high false alarm rate experienced by individual detectors while also improving detection of coordinated attacks involving a series of seemingly harmless operations. An internal representation of a protected enclave is utilized, and intrusion detection system (IDS) information is correlated to accurately prioritize alerts. In one embodiment, the system is capable of utilizing data from most existing IDS products, with flexibility to add further IDS products.
    Type: Grant
    Filed: December 20, 2004
    Date of Patent: May 29, 2012
    Assignee: Honeywell International Inc.
    Inventors: Walter L. Heimerdinger, Jon P. Schewe
  • Patent number: 8145907
    Abstract: The invention concerns secure data transfer from a first radio communication device of a first party to a second radio communication device. A random first symmetric key is generated at the first terminal device. User data of the first terminal device is encrypted with the first symmetric key. The first symmetric key is encrypted with a public key of a third party. The encrypted first symmetric key is sent from the first terminal device to the second terminal device via a transfer device. The encrypted first symmetric key is decrypted at the second terminal device by utilizing a secret key associated with the public key and comprised in a security device of the third party. The encrypted user data is sent from the first terminal device to the second terminal device via the transfer device. The encrypted user data is decrypted at the second terminal device with the first symmetric key.
    Type: Grant
    Filed: September 22, 2006
    Date of Patent: March 27, 2012
    Assignee: Nokia Corporation
    Inventors: Nadarajah Asokan, Timo Heikkinen
  • Patent number: 8139770
    Abstract: A system for securely storing application keys is comprised of a database system, a peripheral hardware security module and cryptographic keys, wherein cryptographic keys comprise application keys, intermediate keys and a master key. Application keys are grouped according to characteristic and are associated with a particular intermediate key, which is utilized to scramble and descramble application keys within the associated group. Intermediate keys are associated with the master key, which is utilized to scramble and descramble the intermediate keys. Scrambling and descrambling of keys is performed within the peripheral hardware security module.
    Type: Grant
    Filed: December 21, 2004
    Date of Patent: March 20, 2012
    Assignee: Wells Fargo Bank, N.A.
    Inventors: Yuliang Zheng, Neil Kevin Kauer, David Victor Badia
  • Patent number: 8108937
    Abstract: A registry access manager (101) regulates access to executable class registry entities (103). A registry access manager (101) intercepts system calls (107) that access a registry (113). The registry access manager (101) detects attempts by processes (115) to access executable path entities (103) in the registry (113). The registry access manager (101) determines whether a robust, multifaceted security policy permits the attempted access, and blocks or permits the access accordingly.
    Type: Grant
    Filed: April 26, 2004
    Date of Patent: January 31, 2012
    Assignee: Symantec Corporation
    Inventor: Ahmed Sallam
  • Patent number: 8103881
    Abstract: The present invention provides a system, method and apparatus for securely granting access to an event. For example, in one embodiment of the present invention, an apparatus, such as an electronic card, ticket or information carrier, contains biometric data about a user. When the “ticket” is purchased or authenticated, event access information is stored on the electronic card or ticket by an entity authorized by the event provider. The user is allowed access to the event when the biometric data stored on the electronic card or ticket matches the user's biometric data and the event access information is validated. The user's biometric data is authenticated via a biometric sensor on the electronic card or ticket. The user's biometric data can also be authenticated by the entity granting access to the event.
    Type: Grant
    Filed: December 16, 2003
    Date of Patent: January 24, 2012
    Assignee: Innovation Connection Corporation
    Inventors: Ralph O. Doughty, Patrick R. Antaki, Glennard D. Palmer, Robert M. Gilliom