Abstract: Devices are identified by their owners and authorization to network two or more devices is based on device ownership. Data structures such as address books can store information about an owner of a device and maintain an entry indicating that a particular entry identifies the owner of the device. Other entries in the address book are contacts of the owner. A host device can authorize a client for communication with the host based on a relationship between the owner of the client and the owner of the host as indicated by the presence of the contact information of the client's owner in the host's address book. Devices and can enable communication and sharing of services and levels of access permissions based on the relationship of the owners' of the respective devices.

Abstract: A method and apparatus is disclosed for managing encryption keys in a computer system in which in response to the change of a system key the old key and new key are both maintained for subsequent use.

Abstract: An apparatus and method associated with an Internet Protocol Television (IPTV) service in a mobile environment are provided. A streaming server may provide a mobile terminal with a mobile certificate and an encryption key. In response to a content request received from the mobile terminal, the streaming server may provide the mobile terminal with encrypted content and a Downloadable Conditional Access System (DCAS) code. The mobile terminal may decrypt the encrypted content using the encryption key and the DCAS code, and may play back the decrypted content.

Abstract: A method of receiving, by a memory card, a rights object (RO) from a rights issuer (RI) via a terminal. The method includes: receiving from the terminal, a provisioning setup request message including information about a size of rights to be installed in the memory card; checking whether there is a space in the memory card for the rights; transmitting, to the terminal, a provisioning setup response message including a status indicating a result of processing the provisioning setup request message; and receiving, from the terminal, a rights provisioning request message for installing the rights into the memory card, the rights provisioning request message including rights information. The rights information is based on rights being extracted from a RO response message if a device identifier (ID) in the RO response message matches an ID of the memory card which is different from an ID of the terminal.

Abstract: Computer systems and methods are provided for authenticating a user seeking to conduct at least one interaction with a secured capability provided by a computer. The method includes providing a first identifier to at least one verification server and providing a second identifier to an electronic device being used by the user. The first identifier and the second identifier each corresponds to the secured capability. The method further includes providing the electronic device with a user-selectable link configured to, upon being selected by the user, initiate a program to run on the electronic device. The program is configured to transmit a third identifier to the at least one verification server. The third identifier corresponds to the secured capability. The method further includes receiving authorization information from at least one of the electronic device and the at least one verification server. The method further includes using a processor (e.g.

Abstract: Avoiding encryption of certain blocks in a deduplication vault. In one example embodiment, a method of avoiding encryption of certain blocks during a backup of a source storage into a deduplication vault storage may include analyzing each allocated plain text block stored in a source storage at a point in time to determine if the allocated plain text block is already stored in the deduplication vault storage. If the allocated plain text block is not stored in the deduplication vault storage, the block may be encrypted and the encrypted block may be analyzed to determine if the encrypted block is already stored in the deduplication vault storage. If neither the allocated plain text block nor the encrypted block is already stored in the deduplication vault storage, the encrypted block may be stored in the deduplication vault storage.

Abstract: A method for encoding high dynamic range (HDR) images involves providing a lower dynamic range (LDR) image, generating a prediction function for estimating the values for pixels in the HDR image based on the values of corresponding pixels in the LDR image, and obtaining a residual frame based on differences between the pixel values of the HDR image and estimated pixel values. The LDR image, prediction function and residual frame can all be encoded in data from which either the LDR image of HDR image can be recreated.

Abstract: In general, techniques are described for provisioning layer two access in computer networks. A network device located in a public network comprising an interface and a control unit may implement the techniques. The interface establishes a session with a mobile device. The control unit requests security state data identifying a security state of the mobile device via the established session. The interface receives a mobile device identifier and the security state data from the mobile device via the session. The mobile device identifier identifies the mobile device. The control unit publishes the security state information to a database such that the security state information is associated with the mobile device identifier.

Abstract: A method may include receiving session control messages and counting the session control messages of a same type having a same transaction identifier (ID). The method may further include blocking the session control messages of the same type having the same transaction ID when the count exceeds a threshold number. The method may further include determining whether the blocked session control messages are associated with an anomalous event and, when the blocked session control messages are not associated with the anomalous event, increasing the threshold number.

Abstract: Various embodiments of a system and method for digital rights management using a secure end-to-end protocol with embedded encryption keys are described. A DRM framework may implement a secure end-to-end protocol configured to protect messages sent between trusted endpoints by encrypting and decrypting the messages within software applications executing on each trusted endpoint. An encryption key embedded within a binary representation of a DRM client may be used by the DRM client to encrypt and decrypt messages sent over the secure protocol. The DRM client may request authentication using the secure protocol and receive an authentication token used by the DRM client to acquire a license to view protected content. The encryption key may be chosen from a pool of encryption keys and embedded in the DRM client during the software build process for the DRM client. The secure protocol may be designed according to Representational State Transfer guidelines.

Abstract: A policy description for a web service is received at a web service client. The policy description includes a predefined security policy constraint, requires that an application requesting execution of the web service also provide a security token generated by a security token service, and requires that the security token complies with the predefined security policy constraint. A message is generated that is compliant with the policy description for obtaining the security token. The message is sent to the security token service. The security token generated by the security token service is received in response to receipt of the message. The security token is compared against the predefined security policy constraint to verify compliance of the security token generated by the security token service against the predefined security policy constraint.

Abstract: A method, a memory data carrier (30) as well as a terminal (10) are proposed for accessing a portable memory data carrier (30) having a standardized memory element (34) and an additional module (40). The method permits a data transmission selectively to the memory element (34) or to the additional module (40). According to the method application data intended for the additional module (40) are generated, routing information for the application data, with information about the application data, is generated and added to the application data (108), the resulting data stream is embedded in data blocks according to a transmission protocol adapted to the memory element (34) and transmitted, it is determined by the memory data carrier (30) whether a received data block contains routing information, and the data contained in the data block are routed to the additional module (40) if the data block contains routing information.

Abstract: Disclosed is a method of preventing a denial of service (DoS) attack using transmission control protocol (TCP) state transition. Flow of packets transmitted between a client and a server using TCP is monitored to prevent the DoS attack, e.g., SYN flooding, and to efficiently reduce the load on the server and provide more secure service. By applying the method to a firewall, a proxy server, an intrusion detection system, etc., of a server, it is possible to make up for vulnerabilities regarding a DoS attack without disturbing a conventional TCP state transition operation and detect, verify and block DoS attacks abusing the vulnerabilities, thereby providing more secure service.

Abstract: A play limit is set for a media file. The play limit can be, for example a date, or a number of times that the file has been played. When the file exceeds the play limit, the quality of the file playing is degraded.

Abstract: This disclosure describes techniques for determining whether a network session originates from an automated software agent. In one example, a network device, such as a router, includes a network interface to receive packets of a network session, a bot detection module to calculate a plurality of scores for network session data based on a plurality of metrics, wherein each of the metrics corresponds to a characteristic of a network session originated by an automated software agent, to produce an aggregate score from an aggregate of the plurality of scores, and to determine that the network session is originated by an automated software agent when the aggregate score exceeds a threshold, and an attack detection module to perform a programmed response when the network session is determined to be originated by an automated software agent. Each score represents a likelihood that the network session is originated by an automated software agent.

Abstract: Systems, methods, devices, and machine readable media for detecting malicious software on a computing device with a mobile device are provided. One method includes causing a mobile device to mount a non-volatile memory of the computing device, scanning the non-volatile memory of the computing device with the mobile device using a low-level read operations scan, collecting data on the mobile device from the low-level read operations scan, and evaluating the data collected on the mobile device for malicious software on the computing device.

Abstract: Security is enabled in an electrical system by examining a configuration file for a substation present in the electrical system, where the substation includes one or more electrical devices and one or more network devices. Based on the examination of the configuration file, information is determined on a characteristic of an electrical device that is selected from a group including a type, allowed role of the electrical device and allowed communication modes for the electrical device. Based on the determined information, a basis for controlling the role and communication modes for the electrical device is identified. A security policy is configured in a network device in the substation to incorporate the identified basis. Based on the configured security policy in the network device, communication patterns for the electrical device are allowed that are associated with the allowed role and allowed communication modes for the electrical device.

Abstract: A method and apparatus for transmitting and receiving graphical data are provided. The apparatus for transmitting includes a graphical data generating unit that generates graphical data; an encoder that converts the graphical data into a JPEG 2000 code stream; and a transmitting unit that transmits video streams and the code stream. The apparatus for receiving includes a receiving unit that extracts an JPEG 2000 code stream; a decoder that decodes the code stream; and a display unit that displays a video stream included in the received stream and the decoded code stream. The method for transmitting the graphical data includes generating graphical data; converting the data into a JPEG 2000 code stream; and transmitting video streams and the JPEG 2000 code stream. The method for receiving the graphical data includes extracting a JPEG 2000 code stream; decoding the code stream; and displaying the decoded code stream and a video stream.

Abstract: A manageability engine (ME) receives an authentication response from a user during pre-boot authentication and registers the user with a key distribution center (KDC), indicating that the user has successfully authenticated to the PC. The KDC supplies the ME with single-sign-on credentials in the form of a Key Encryption Key (KEK). The KEK may later be used by the PC to obtain a credential used to establish secure access to Enterprise servers.

Abstract: Embodiments for performing service binding between a client and a target server are disclosed. In accordance with one embodiment, a clear text client service binding value is received from a client at the target server, the client service binding value is compared to a server service binding value, and a communication channel is formed between the client and the target server when the client service binding value matches the server service binding value.