Patents Examined by Shahrouz Yousefi
  • Patent number: 7613920
    Abstract: A method for enabling a mobile node to transmit encrypted data over a path including a wireless link and an untrusted link, while avoiding double encryption on any link. The data on the end-to-end path is encrypted using an application specific security mechanism, or an L2 mechanism is used for encrypting the data on the wireless link as mandated by the wireless standards, and an application specific security mechanism is used for encrypting the data on the untrusted link. By avoiding redundant double encryption, the method of the invention results in optimizing the use of network resources in bandwidth-limited wireless networks and increases the life of the mobile node battery.
    Type: Grant
    Filed: August 22, 2005
    Date of Patent: November 3, 2009
    Assignee: Alcatel Lucent
    Inventors: Christophe Gustave, Vinod Kumar Choyi, Mladen Gavrilovic
  • Patent number: 7610616
    Abstract: Pervasive security is provided by a combination of physical interfaces and network interfaces to a service to a user includes establishing by the user's client device network connectivity to the service, transmitting by the service an identifier to the user's client device, determining by the service whether the user enters the identifier into the service in physical proximity to the service, and invoking the service once the user has entered the identifier into the service while in physical proximity to the service. The service can provide indication that the service has been granted by sending a control page to the user's client device.
    Type: Grant
    Filed: September 17, 2004
    Date of Patent: October 27, 2009
    Assignee: Fujitsu Limited
    Inventors: Ryusuke Masuouka, Narendar Shankar, Zhexuan Song, Wei-Iun Chen, Michael Grove, Yannis Labrou, Jonathan Russell Agre
  • Patent number: 7610492
    Abstract: A biometric authentication device has high security by preventing intra-device information from being falsified and stolen by a third party. A biometric authentication device includes a biometric information storage module, a biometric information authenticating module for individual authentication, a mutual authentication module with the terminal, a registration counter corresponding to the mutual authentication, an authentication counter corresponding to the biometric authentication, a stoppage flag set when the value of the counter is larger than a predetermined value, and an authentication control module for preventing the module from operating depending on the stoppage flag.
    Type: Grant
    Filed: May 2, 2005
    Date of Patent: October 27, 2009
    Assignees: Fujitsu Limited, Fujitsu Frontech Limited
    Inventors: Kiyotaka Awatsu, Sagiri Okamura, Takumi Kishino, Yasuyuki Higashiura, Takahiro Kudo, Toshinori Makino
  • Patent number: 7571311
    Abstract: Branch domain controllers (DCs) contain read only replicas of the data in a normal domain DC. This includes information about the groups a user belongs to so it can be used to determine authorization information. Password information, however, is desirably replicated to the branch DCs only for users and services (including machines) designated for that particular branch. Moreover, all write operations are desirably handled by hub DCs, the primary domain controller (PDC), or other DCs trusted by the corporate office. Rapid authentication and authorization in branch offices is supported using Kerberos sub-realms in which each branch office operates as a virtual realm. The Kerberos protocol employs different key version numbers to distinguish between the virtual realms of the head and branch key distribution centers (KDCs).
    Type: Grant
    Filed: April 1, 2005
    Date of Patent: August 4, 2009
    Assignee: Microsoft Corporation
    Inventors: Cristian Marius Ilac, Karthik Jaganathan, Murli D. Satagopan, Tarek Bahna El-Din Mahmoud Kamel, Todd F. Stecher
  • Patent number: 7568106
    Abstract: A system and method of performing cooperative non-repudiated message exchange from a first system to a second system in a computer network comprises checking for discrepancies between a current system time in the second system with an actual time; performing a time synchronization process to match the current system time with the actual time; exchanging public encryption keys between the first and second systems; sending a digitally signed message from the first system to the second system; decoding the digitally signed message; sending a digitally signed acknowledgment message from the second system to the first system; decoding the digitally signed acknowledgment message; and committing text of the digitally signed message to an official transcript on the first system.
    Type: Grant
    Filed: December 16, 2005
    Date of Patent: July 28, 2009
    Assignee: International Business Machines Corporation
    Inventors: Brian D Goodman, Frank L. Jania, James K. Kebinger, Darren M. Shaw
  • Patent number: 7568234
    Abstract: The invention relates to digital rights management, and proposes the implementation of a DRM agent (125) into a tamper-resistant identity module (120) adapted for engagement with a client system (100), such as a mobile phone or a computer system. The DRM agent (125) is generally implemented with functionality for enabling usage, such as rendering or execution of protected digital content provided to the client system from a content provider. In general, the DRM agent (125) includes functionality for cryptographic processing of DRM metadata associated with the digital content to be rendered. In a particularly advantageous realization, the DRM agent is implemented as an application in the application environment of the identity module. The DRM application can be preprogrammed into the application environment, or securely downloaded from a trusted party associated with the identity module.
    Type: Grant
    Filed: December 19, 2002
    Date of Patent: July 28, 2009
    Assignee: Telefonaktiebolaget L M Ericsson (Publ)
    Inventors: Mats Naslund, Karl Norrman
  • Patent number: 7539309
    Abstract: The invention relates to a method for automatic roaming between heterogeneous WLANs and/or GSM/GPRS/UMTS networks, in which method, for authentication, a mobile IP node (20) requests access to the WLAN at an access point (21, 22), in which method, upon request from the access server (23), the mobile IP node (20) transmits an IMSI stored on a SIM card (201) of the mobile IP node (20) to the access server (23), and in which method, based on the IMSI, using information stored in an SIM user database (34), the logic IP data channel of the WLAN is supplemented user-specifically towards corresponding GSM data for signal and data channels of a GSM network, and the authentication of the IP nodes (20) is carried out in an HLR (37) and/or VLR (37) of a GSM network.
    Type: Grant
    Filed: August 16, 2002
    Date of Patent: May 26, 2009
    Assignee: Togewa Holding AG
    Inventors: Toni Stadelmann, Michael Kauz
  • Patent number: 7516332
    Abstract: This invention provides multi-key content processing systems and methods, for processing content with at least one distribution target position. Each of the distribution target positions corresponds to an authorization key. An example method includes the steps of: encrypting said content with a content key; forming a key link based on said content key and the authorization key of said at least one distribution target position; and attaching said key link to the encrypted content.
    Type: Grant
    Filed: March 17, 2005
    Date of Patent: April 7, 2009
    Assignee: International Business Machines Corporation
    Inventors: Jian Zhang, Ling Shao, Dong Xie
  • Patent number: 7516478
    Abstract: Systems and methodologies that proactively push down and enforce policies of a server(s) on mobile devices, when such devices connect to the server(s) for data synchronization. The subject invention employs a policy delivery and enforcement logic that is integrated as part of a communication channel (e.g. a single communication channel) with the mobile device(s). A handshake can take place between the mobile devices and the server every time that a new policy occurs. Accordingly, non-compliant devices are denied service from the server.
    Type: Grant
    Filed: June 3, 2005
    Date of Patent: April 7, 2009
    Assignee: Microsoft Corporation
    Inventors: David Paul Limont, Omar A. Aftab, Patrick Tousignant, Zhidong Yang
  • Patent number: 7503070
    Abstract: Disclosed are methods and systems for enabling analysis of communication content while preserving confidentiality. In one embodiment, communication content is processed to increase the similarity of superficially dissimilar instances of communication content and/or to increase the distinctiveness of superficially similar instances of communications content. In this embodiment at least part of the processed communication content is hashed to obscure the actual communication content. In one embodiment, social network analysis is performed on the communication content after hashing, and visualization of the social network analysis includes thread graphs and/or circular graphs.
    Type: Grant
    Filed: March 15, 2005
    Date of Patent: March 10, 2009
    Inventors: Marshall Van Alstyne, Jun Zhang
  • Patent number: 7437573
    Abstract: Unsent messages are securely stored in a client by determining whether a connection to a server exists. If the connection exists, the message can be sent using the intended recipient's public key. In response to a determination that a connection from the client to a server does not exist, information from the client can be used to encrypt a modulated data signal that is to be sent from the client to the server. The encrypted modulated data signal is stored on the client. When a determination is made that a connection from the client to the server exists, information from the client is used to decrypt the encrypted modulated data signal.
    Type: Grant
    Filed: June 3, 2005
    Date of Patent: October 14, 2008
    Assignee: Microsoft Corporation
    Inventors: Eian D. Counts, Garrett R. Vargas, Hsuan-Yu Jerry Lin
  • Patent number: 7404089
    Abstract: A method and system for protecting against side channel attacks on cryptographic systems that attempt to recover information from externally detectable signals, such as electromagnetic fields or power input variations. A system operates in accordance with the subject invention to process a message using a cryptographic protocol involving a secret key d. The protocol includes a step for computing the result of iteratively performing a binary operation [op] on a digital quantity G, where a secret key d is taken as an integer value, such as elliptic curve scalar point multiplication or modular exponentiation.
    Type: Grant
    Filed: June 3, 2005
    Date of Patent: July 22, 2008
    Assignee: Pitney Bowes Inc.
    Inventors: Matthew J. Campagna, Amit Sethi
  • Patent number: 7398545
    Abstract: A user data management device, a storage medium which stores a control program, and a control method are disclosed which efficiently report the identity of a user who is using equipment to some or all members of the department in which that equipment is located, or to managers of that department, in order to be informed of the use status of that equipment, and control the use of that equipment by unauthorized users. The user data management device includes input means that inputs user data belonging to a user that will use the equipment, notification means that will provide one or more persons with identity data concerning a user who is using the equipment in which the user data was input, authentication means that authenticates the user from the user data, and notification determination means that will determine one or more persons to be provided with identity data, and then provide identity data to them that identifies the user authenticated with the authentication means by means of the notification means.
    Type: Grant
    Filed: June 3, 2005
    Date of Patent: July 8, 2008
    Assignee: Kyocera Mita Corporation
    Inventor: Yoshitaka Matsuki