Patents Examined by Saoussen Besrour
  • Patent number: 7487547
    Abstract: A contents processing device permitting, when contents are to be stored in a recording medium, only a specified device to read out the stored contents is to be provided, and a contents processing device capable, where it is a mobile telephone, of flexibly adapting to a change of a unique telephone number or a type of the mobile telephone. For the purpose, the contents processing device for inputting and outputting contents to and from a recording medium is provided with contents storage means (RAM) for storing contents, an ID storage unit (ROM) for storing an ID capable of identifying the contents processing device, a recording medium input/output unit (memory card I/F) for inputting to and outputting from the recording medium, and a ciphering unit (ciphering program) for enciphering contents within the contents storage unit by use of a ciphering key generated from the ID within the ID storage unit and storing it from the recording medium input/output unit into the recording medium.
    Type: Grant
    Filed: October 11, 2002
    Date of Patent: February 3, 2009
    Assignee: Matsushita Electric Industrial Co. Ltd.
    Inventors: Shinichi Nakai, Naohiko Noguchi, Shinichi Matsui, Taihei Yagawa, Shunji Harada, Ryuji Inoue
  • Patent number: 7460669
    Abstract: An encoding method, decoding method and a communication method using single photons where information is directly encoded into each photon. In one embodiment at least two out of the three parameters of phases, polarization, and energy are used to encode information. In another embodiment, three or more non-orthogonal states with respect to each parameter are used. A further embodiment is also described which uses selective grouping of the results in order to more clearly detect the presence of an eavesdropper. Apparatus capable of performing the methods are also provided.
    Type: Grant
    Filed: October 25, 2001
    Date of Patent: December 2, 2008
    Assignee: Kabushiki Kaisha Toshiba
    Inventors: Clare Louise Foden, Andrew James Shields, David Mark Whittaker
  • Patent number: 7454621
    Abstract: The invention relates to a method and an arrangement for recording an information signal with first copy protection information to a storage medium using recording means, the recording being performed according to first copy rules identified by the first copy protection information. The method comprises the steps of detecting said first copy protection information identifying said first copy rules, recording at least second copy protection information according to said detected first copy rules, said first and at least second copy protection information identifying a legality message to be interpreted by reading means, the at least second copy protection information changing within a predefined time interval after the change in said detected first copy rules according to an interpreting rule.
    Type: Grant
    Filed: February 1, 2002
    Date of Patent: November 18, 2008
    Assignee: Koninklijke Philips Electronics N.V.
    Inventors: Maurice Jerome Justin Jean-Baptiste Maes, Antonius Adriaan Maria Staring, Johan Cornelis Talstra
  • Patent number: 7451324
    Abstract: A method and system for handling a security exception. The method includes creating a security exception stack frame in secure memory at a base address. The method also includes writing a faulting code sequence address and one or more register values into the security exception stack frame, and executing a plurality of security exception instructions.
    Type: Grant
    Filed: May 31, 2002
    Date of Patent: November 11, 2008
    Assignee: Advanced Micro Devices, Inc.
    Inventors: Rodney W. Schmidt, Brian C. Barnes, Geoffrey S. Strongin, David S. Christie
  • Patent number: 7448068
    Abstract: The present invention is directed at providing a system and method for Automatic Client Authentication for a Wireless Network protected by PEAP, EAP-TLS, or other Extensible Authentication Protocols. The user doesn't have to understand the difference between the protocols in order to connect to the network. A default authentication protocol is automatically attempted. If not successful, then the authentication switches over to another authentication method if the network requests it.
    Type: Grant
    Filed: April 29, 2003
    Date of Patent: November 4, 2008
    Assignee: Microsoft Corporation
    Inventors: Ray Sun, Zeke Koch, Yu Zhang
  • Patent number: 7441118
    Abstract: A trusted device, physically associated with a network appliance that does not include a CPU, communicates with at least one component of the appliance and is accessible via a network connection to the device for providing a signal indicative of a condition of the appliance. The appliance can be a storage box having bulk non-volatile memory storage locations. The component is an ASIC of a controller of the appliance. The trusted device acquires a true value of an integrity metric of the appliance which is reported by the trusted device to a challenger. The component then provides the root of trust for measurement. The trusted device provides the root of trust for reporting. In a RAID controller assembly, each RAID controller has its own trusted device.
    Type: Grant
    Filed: June 27, 2002
    Date of Patent: October 21, 2008
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Matthew John Lawman, Siani Lynne Pearson
  • Patent number: 7434068
    Abstract: Content stored in a non-volatile storage device is protected from unauthorized modification and/or access. The device is configured as one or more regions, where one or more of the regions implements one or more content protection schemes. The current version of the contents stored in a region is compared to a previously stored valid version to determine if the current version has been modified without authorization. A region may be protected by use of an integrity metric (e.g., checksum, bit mask, and/or cyclic redundancy check value). The methodology may be implemented during the start up sequence of a computer system to protect the basic I/O system (BIOS) from unauthorized modification.
    Type: Grant
    Filed: October 19, 2001
    Date of Patent: October 7, 2008
    Assignee: Intel Corporation
    Inventors: Tom L. Nguyen, Mallik Bulusu
  • Patent number: 7424607
    Abstract: To restrict actions such as spoofing and thereby prevent tapping and leakages of data by certifying whether or not each communication device such as a storage device on a communication line is to be connected to the communication line. Upon receipt of a packet that contains an IP address in its IP header and stores a certificate in its certificate payload from a storage device 300, an authentication device 200 compares an IP address that is recorded in the certificate and the IP address that is recorded on the IP header of the packet. If the comparison results in a match of these IP addresses, the authentication device 200 can certify that the storage device 300 is a device for which a certificate issuing device 100 has properly issued the certificate.
    Type: Grant
    Filed: February 26, 2004
    Date of Patent: September 9, 2008
    Assignee: Hitachi, Ltd.
    Inventor: Akitsugu Kanda
  • Patent number: 7412058
    Abstract: A method and radio receiver are provided for receiving and deciphering RF signals having encrypted data information relevant to the receiver environment. According to one aspect of the present invention, the receiver includes an input for receiving an RF signal having a data stream including a key selector and encrypted data including a message, and a demodulator for demodulating the data stream and outputting encrypted data including the message. The receiver further includes a data decryption circuit including memory for storing one or more groups of decryption keys based on a characteristic of the receiver environment. The data decryption circuit selects a decryption key based on the key selector and decrypts the message based on the selected decryption key.
    Type: Grant
    Filed: March 18, 2003
    Date of Patent: August 12, 2008
    Assignee: Delphi Technologies, Inc.
    Inventors: Glenn A. Walker, J. Robert Dockemeyer, Jr.
  • Patent number: 7401359
    Abstract: Malware definition data for mobile computing devices 2 is generated from master malware definition data 44 by selecting those classes of malware threat to which the mobile computing device is vulnerable and then selecting the matching malware items from within the master malware definition data. A PC 6 to which the mobile computing device may be connected is responsible for downloading an updated version of the master malware definition data for its own use and generates appropriate mobile computing device malware definition data for transfer to the mobile computing device when it is connected to the PC. The scanner programs of both the PC and the mobile computing device may be similarly updated.
    Type: Grant
    Filed: December 21, 2001
    Date of Patent: July 15, 2008
    Assignee: McAfee, Inc.
    Inventors: Paul Nicholas Gartside, Neil Andrew Cowie
  • Patent number: 7389542
    Abstract: A semiconductor device is composed of a first IC chip having a data processing function and a second IC chip having a non-volatile memory for storing confidential reference data. Both of the IC chips are provided with connection pads on the facing sides of the two chips, so that they can be bonded in a chip-on-chip configuration. Each of the connection pads of the second IC chip is located at the position of a corresponding connection pad of the first IC chip. An externally input data is compared with the reference data for verification. The input data is authenticated based on the result of the verification.
    Type: Grant
    Filed: September 18, 2002
    Date of Patent: June 17, 2008
    Assignee: Rohm Co., Inc.
    Inventor: Takeshi Nosaka
  • Patent number: 7383582
    Abstract: A system performs an electronic surveillance in a packet-switched network. The system includes a first card (300), a second card (400), and an electronic surveillance device (120). The first card (300) stores first data identifying a first operational mode and second data identifying a time period. The second card (400) stores activation information. The electronic surveillance device (120) reads the first card (300) and conditions itself for operating in the first operational mode for the specified time period. The electronic surveillance device (120) also reads the second card (400) and performs a packet capture operation in accordance with the first operational mode for the specified time period in response to reading the second card (400).
    Type: Grant
    Filed: August 2, 2002
    Date of Patent: June 3, 2008
    Assignee: Federal Network Systems, LLC
    Inventor: Robert Michael Francis
  • Patent number: 7356841
    Abstract: A server and method are provided to provide a specific service to network users. The server and method automatically provide user-to-server security using VLANs. The server manages VLANs based on requests from a user for creating/deleting/joining/leaving VLANs. The server allows users to control groupings and overcomes the VLAN limit with the filtering policies on the switching infrastructure. In the second aspect of the invention, the server and method provide a specific address based on requests from users. The server dynamically handles the management and facilitation of the requests. The server offers users reassignment of IP addresses from a first set of characteristics to a second set of characteristics with minimal user intervention. This allows users the ability to run a broader range of protocols. In the third aspect of the invention, the server and method are provided to provide a routable IP address to a remote computer.
    Type: Grant
    Filed: May 14, 2001
    Date of Patent: April 8, 2008
    Assignee: SolutionInc Limited
    Inventors: Tim Wilson, Michael Thompson
  • Patent number: 7350085
    Abstract: Mass data (the contents of arrays, large data structures, linked data structures and similar data structures stored in memory) are common targets for attack. The invention presents a method and system of protecting mass data by mapping virtual addresses onto randomly or pseudo-randomly selected actual addresses. This mapping distributes data values throughout the memory so an attacker cannot locate the data he is seeking, or identify patterns which might allow him to obtain information about his target (such as how the software operates, encryption keys, biometric data or passwords stored therein, or algorithms it uses). Additional layers of protection are described, as well as efficient techniques for generating the necessary transforms to perform the invention.
    Type: Grant
    Filed: April 12, 2001
    Date of Patent: March 25, 2008
    Assignee: Cloakware Corporation
    Inventors: Harold J. Johnson, Stanley T. Chow, Yuan X. Gu
  • Patent number: 7346924
    Abstract: In order to remove security vulnerability in an IP-SAN and eliminate unauthorized access by spoofing, firewalls are installed in valid user servers and storage devices, and a distributed firewall manager for managing the firewalls integrally is provided in the IP-SAN. The distributed firewall manager obtains discovery domain information from an iSNS server, determines nodes registered in the iSNS server as the nodes of valid users, and autocreates a security policy according to sets consisting of an iSCSI name and portal information. This security policy is distributed to all of the firewalls as a common policy, whereupon access control is executed to deny TCP connection requests from unauthorized access sources.
    Type: Grant
    Filed: May 25, 2004
    Date of Patent: March 18, 2008
    Assignee: Hitachi, Ltd.
    Inventors: Toui Miyawaki, Takeshi Ishizaki, Emiko Kobayashi
  • Patent number: 7340771
    Abstract: A communications system and method for dynamically creating at least one pinhole in a firewall are provided. The communications system includes a protected node capable of initiating a communication session with an outside node. In this regard, the protected node is capable of receiving flow parameters regarding the communication session as the communication session is setup. The system also includes a firewall disposed along a communications path between the protected node and the outside node. The protected node is capable of sending at least a portion of the flow parameters to a firewall-controlled proxy, which in turn, is capable of forwarding the portion of the flow parameters to the firewall. Thereafter, the firewall is capable of creating at least one pinhole based upon the portion of the flow parameters to thereby permit the transmission of information between the outside node and the protected node during the communication session.
    Type: Grant
    Filed: June 13, 2003
    Date of Patent: March 4, 2008
    Assignee: Nokia Corporation
    Inventors: Tat Keung Chan, Ram Gopal Lakshmi Narayanan, Sr.
  • Patent number: 7316028
    Abstract: A method (300;400) and system (100) for transmitting information across a firewall (130b) between multiple endpoints (120) and gateways (135), in a resource management environment (such as the TME) having characteristics that are firewall-incompatible. A gateway proxy (125g) and an endpoint proxy (125e) are associated with the endpoints and the gateways, respectively. The two proxies are connected to each other by means of a pass through communication tunnel crossing the firewall, which tunnel is secured by mutual authentication of the gateway proxy and the endpoint proxy at its ends. Each endpoint and each gateway is tricked into communication only with the respective proxy. Particularly, a listening port is allocated on the endpoint proxy on behalf of each endpoint, so that the corresponding gateway will open a connection back to the endpoint proxy on the listening port for transmitting any packet to the endpoint.
    Type: Grant
    Filed: November 7, 2002
    Date of Patent: January 1, 2008
    Assignee: International Business Machines Corporation
    Inventors: Alex Donatelli, Marco Lerro
  • Patent number: 7305563
    Abstract: A biometric key (10) having a body or housing (11) incorporating a biometric sensor (17) uses a plurality of contacts (19, 20, 21) enabling the key to gain access to a facility. There is also provided a receptor (25) for receiving the biometric key (10), wherein the biometric key (10) and receptor (24) have contacts (19, 20, 21) and mating contacts (30, 31, 32), respectively, for communicating. The biometric key (10) can communicate biometric data acquired from a key operator to the receptor (25). The biometric key (10) can communicate with the receptor (25) when received in a first orientation and also when received in a second orientation where the contacts (19, 20, 21) are inverted from the first orientation.
    Type: Grant
    Filed: March 18, 2005
    Date of Patent: December 4, 2007
    Assignee: Mu Hua Investment Limited
    Inventors: John David Bacchiaz, David Brunell
  • Patent number: 7287164
    Abstract: Method and system for verifying the authenticity and integrity of files transmitted through a computer network. Authentication information is encoded in the filename of the file. In a preferred embodiment, authentication information is provided by computing a hash value of the file, computing a digital signature of the hash value using a private key, and encoding the digital signature in the filename of the file at a predetermined position or using delimiters, to create a signed filename. Upon reception of a file, the encoded digital signature is extracted from the signed filename. Then, the encoded hash value of the file is recovered using a public key and extracted digital signature, and compared with the hash value computed on the file. If the decoded and computed hash values are identical, the received file is processed as authentic.
    Type: Grant
    Filed: September 9, 2003
    Date of Patent: October 23, 2007
    Assignee: International Business Machines Corporation
    Inventor: Fernando Incertis Carro
  • Patent number: 7266706
    Abstract: Multiple Array Management Functions (AMFs) are connected to multiple redundancy groups over a storage area network (SAN), such as a fiber-channel based SAN. The multiple AMFs share management responsibility of the redundancy groups, each of which typically includes multiple resources spread over multiple disks. The AMFs provide concurrent access to the redundancy groups for associated host systems. When a host requests an AMF to perform an operation on a resource, the AMF synchronizes with the other AMFs sharing control of the redundancy group that includes the resource to be operated on, so as to obtain access to the resource. While performing the operation, the AMF sends replication data and state information associated with the resource such that if the AMF fails, any of the other AMFs are able to complete the operation and maintain data reliability and coherency.
    Type: Grant
    Filed: December 6, 2001
    Date of Patent: September 4, 2007
    Assignee: YottaYotta, Inc.
    Inventors: William P. Brown, Michael B. Mathews, Ron Unrau, Dale Hagglund