Patents Examined by Simon Kanaan
  • Patent number: 8122240
    Abstract: A method for establishing a security association between a client and a service node for the purpose of pushing information from the service node to the client, where the client and a key server share a base secret. The method comprises sending a request for generation and provision of a service key from the service node to a key server, the request identifying the client and the service node, generating a service key at the key server using the identities of the client and the service node, the base secret, and additional information, and sending the service key to the service node together with said additional information, forwarding said additional information from the service node to the client, and at the client, generating said service key using the received additional information and the base key. A similar approach may be used to provide p2p key management.
    Type: Grant
    Filed: December 19, 2005
    Date of Patent: February 21, 2012
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Rolf Blom, Karl Norrman
  • Patent number: 8112816
    Abstract: A document verification apparatus includes a determining portion that determines whether a change that influences a verification result is made to at least one of an electronic document and a given condition, after it is verified whether or not the electronic document that has been input satisfies the given condition, and also includes an outputting portion that outputs the verification result after it is verified whether or not the electronic document satisfies the given condition, if it is determined that the change is made to at least one of the electronic document and the given condition, or outputs a result of a time when it is verified whether or not the electronic document satisfies the given condition most recently, if it is determined that the change is not made.
    Type: Grant
    Filed: May 17, 2006
    Date of Patent: February 7, 2012
    Assignee: Fuji Xerox Co., Ltd.
    Inventors: Atsuhito Momma, Naoki Hayashi
  • Patent number: 8098827
    Abstract: The inventive data processing apparatus enables own memory device to store a plurality of key distribution approval data files each containing such a header data comprising a number of “link-count” data units each designating actual number of applicable contents data per decodable contents key based on an enabling key block (EKB) distribution key enciphering key (KEK) enciphered by a corresponding enabling key block (EKB) provided for by a hierarchy key tree structure. When storing a plurality of the enabling key blocks (EKB) in a memory device, such a key enciphering key (KEK) contained in an enabling key block (EKB) having a number of link-count data units is previously decoded and stored in the memory device. By way of applying the stored (KEK) when utilizing contents data, the enabling key block (EKB) processing step is deleted, whereby promoting higher efficiency in the utilization of contents data.
    Type: Grant
    Filed: September 29, 2006
    Date of Patent: January 17, 2012
    Assignee: Sony Corporation
    Inventor: Takumi Okaue
  • Patent number: 8098822
    Abstract: Apparatus for use by a first party for key management for secure communication with a second party, said key management being to provide at each party, simultaneously remotely, identical keys for said secure communication without transferring said keys over any communication link, the apparatus comprising: a datastream extractor, for obtaining from data exchanged between said parties a bitstream, a random selector for selecting, from said bitstream, a series of bits in accordance with a randomization seeded by said data exchanged between said parties, a key generator for generating a key for encryption/decryption based on said series of bits, thereby to manage key generation in a manner repeatable at said parties.
    Type: Grant
    Filed: July 16, 2002
    Date of Patent: January 17, 2012
    Assignee: King Green Ltd.
    Inventor: Eli Yanovsky
  • Patent number: 8095974
    Abstract: Methods, systems, and products are disclosed for identification verification. A signature, representing the presence of a device, is acquired. The signature is compared to a reference signature. When the signature favorably compares to the reference signature, then the identity of a user associated with the device is verified.
    Type: Grant
    Filed: February 23, 2007
    Date of Patent: January 10, 2012
    Assignee: AT&T Intellectual Property I, L.P.
    Inventor: Jeffrey A. Aaron
  • Patent number: 8095981
    Abstract: The invention detects stealth worm propagation by comparing the repeat elements in sets of destinations of a source in multiple time windows to a fitted distribution of same, stored as a benchmark plot. Measurements are performed over N time windows, wherein a representation of the set of destinations to which a respective source has sent packets is determined for each source, in each time window. The counting is performed using a hash table. Once N such sets of destinations have been obtained, the number Xk of destinations that are common to N, N−1, N−2, . . . , 2, 1 windows is determined. Thus Xk is the number of destinations that a particular source sent packets to in k time windows. Xk is then compared to the corresponding value on the plot; anomalies indicate an attack from the respective source.
    Type: Grant
    Filed: April 19, 2007
    Date of Patent: January 10, 2012
    Assignee: Alcatel Lucent
    Inventors: Peter Rabinovitch, Stanley TaiHai Chow, Bassem Abdel-Aziz
  • Patent number: 8091124
    Abstract: Described is a technology by which a web proxy server forwards a client request for content to a web server over an unauthenticated connection, including when the client already has an authenticated connection to that web server. If the web content is received in response, the content is public, whereby the web proxy server caches the content and returns the content to the client. If the requested content is not received because of a need for authentication, the content is re-requested over the client's authenticated connection, or if one does not yet exist, returns the response to the client to complete the authentication process to establish an authenticated connection. A learning mechanism (e.g., that persists known private URLs) may be coupled to the selection mechanism to maintain references to objects that are private, and thereby avoid redundant retrieval attempts for known private objects over unauthenticated connections.
    Type: Grant
    Filed: February 23, 2007
    Date of Patent: January 3, 2012
    Assignee: Microsoft Corporation
    Inventors: Itai Almog, Tomer Shiran
  • Patent number: 8079074
    Abstract: Architecture for facilitating access of remote system software functionality by a host machine for the redirection of incoming and/or outgoing host traffic through the remote system for protection services to the host machine. The host machine can gain the benefits of effective protection software such as firewall, intrusion protection software, and anti-malware services, of the remote machine. The host machine can choose to exercise traffic redirection when there is a risk of being compromised, and then revert back to direct communications when the risk has been averted. The host machine takes advantage of the resources available on the remote machine in substantially realtime with minimal disruption to the host and/or the remote machine operations. This facilitates widespread and temporary protection of network systems for a more secure working environment and improved customer experience.
    Type: Grant
    Filed: April 17, 2007
    Date of Patent: December 13, 2011
    Assignee: Microsoft Corporation
    Inventors: Pradeep Bahl, Rajesh K. Dadhia
  • Patent number: 8074273
    Abstract: A security management system, comprising: an authentication unit for authenticating an operator of an operating terminal in order to determine whether the operator is permitted to log in or release a lock; a current operator information inquiry unit for inquiring for login status information and current operator information; an authority information inquiry unit for inquiring for authority information regarding the operator and that regarding the current operator; a lock unit for detecting an event, where a predetermined lock condition is satisfied, in the login status to allow the operating terminal to change to a lock status, and for allowing the operating terminal to change to an operable status in response to a login instruction or an instruction for a release; and a lock control unit for transmitting the instruction for a release to the lock unit when a predetermined condition is satisfied.
    Type: Grant
    Filed: November 18, 2005
    Date of Patent: December 6, 2011
    Assignees: Kabushiki Kaisha Toshiba, Toshiba Medical Systems Corporation
    Inventors: Naoki Oowaki, Fumiaki Teshima
  • Patent number: 8064600
    Abstract: A system for encrypting and decrypting data is provided. The system includes a client for receiving a data packet, setting a value of a crypto bit, and transmitting the data packet over a system bus. A crypto module receives the data packet from the system bus and performs a cryptology function on the data packet based on a first value of the crypto bit. A memory controller receives the data packet from the system bus and performs non-cryptology functions on the data packet based on a second value of the crypto bit.
    Type: Grant
    Filed: June 23, 2008
    Date of Patent: November 22, 2011
    Assignee: Trident Microsystems (Far East) Ltd.
    Inventors: Matthew D. Bates, Lance G. Hehenberger
  • Patent number: 8048174
    Abstract: A theft prevention system capable of preventing theft of a target object by disabling the authorized key of the target object in the case where the authorized key has been stolen. When the authorized key is lost, a mobile telephone instructs a vehicle control device to set a warning mode. On receipt of this warning mode instruction, the vehicle control device sets warning mode, generates an electronic key, and transmits the generated electronic key to the mobile telephone, which receives and stores the electronic key. Once the warning mode is set in the vehicle, locking and unlocking are only possible using the electronic key. If the authorized key is found, the mobile telephone instructs the vehicle control device to set the normal mode. Upon receipt of this normal mode instruction, the vehicle control device sets the normal mode in the vehicle.
    Type: Grant
    Filed: December 6, 2004
    Date of Patent: November 1, 2011
    Assignee: Panasonic Corporation
    Inventors: Masato Yamamichi, Masami Yamamichi, legal representative, Satomi Yamamichi, Keiko Yamamichi, Toshihisa Nakano, Kaoru Yokota, Motoji Ohmori, Makoto Tatebayashi, Shunji Harada
  • Patent number: 8041032
    Abstract: A method, apparatus, and system of encryption, including embedding reconfiguration information within a ciphertext block destined for a decryptor. The decryptor identifies the reconfiguration information, extracts such information, and uses it to alter a pre-cipher, which is used for decryption. The encryptor alters its pre-cipher synchronously with the decryptor.
    Type: Grant
    Filed: August 19, 2005
    Date of Patent: October 18, 2011
    Assignee: Cardiac Pacemakers, Inc.
    Inventors: Mehdi Katoozi, George D. Jelatis
  • Patent number: 8037512
    Abstract: A method is provided for separating people from direct access to personally identifiable information. The method involves use of a rules-based section which selectively blocks access to personally identifiable information where the access fails to comply with specified rules, and which selectively permits access to personally identifiable information where the access abides with the specified rules.
    Type: Grant
    Filed: April 1, 2005
    Date of Patent: October 11, 2011
    Assignee: Paradox Technical Solutions LLC
    Inventors: Benjamin L. Wright, Douglas L. Peckover
  • Patent number: 8019990
    Abstract: A method for facilitating electronic certification, and systems for use therewith, are presented in the context of public key encryption infrastructures. Some aspects of the invention provide methods for facilitating electronic certification using authority-neutral service requests sent by an application, which are then formatted by a server comprising a middleware that can convert the authority-neutral request into certification authority specific objects. The server and middleware then return a response from a selected certification authority back to the service requesting application. Thus, the server and/or middleware act as intermediaries that facilitate user transactions in an environment having multiple certification authorities without undue burden on the applications or the expense and reliability problems associated therewith.
    Type: Grant
    Filed: February 4, 2008
    Date of Patent: September 13, 2011
    Assignee: Zoralco Fund Limited Liability Company
    Inventor: Kae-por F. Chang
  • Patent number: 8006289
    Abstract: A method is presented for managing authentication credentials for a user. A session management server performs session management with respect to the user for a domain that includes a protected resource. The session management server receives a request to access the protected resource, which requires authentication credentials that have been generated for a first type of authentication context. In response to determining that authentication credentials for the user have been generated for a second type of authentication context, the session management server sends to an authentication proxy server a first message that contains the authentication credentials for the user and an indicator for the first type of authentication context. The session management server subsequently receives a second message that contains updated authentication credentials for the user that indicate that the updated authentication credentials have been generated for the first type of authentication context.
    Type: Grant
    Filed: December 16, 2005
    Date of Patent: August 23, 2011
    Assignee: International Business Machines Corporation
    Inventors: Heather M. Hinton, Benjamin Harmon, Anthony Moran
  • Patent number: 7970129
    Abstract: Processing of masked data using multiple lookup tables (LUTs), or sub-tables, is described. For each input value, an appropriate sub-table provides an output value that is the result of a non-linear transformation (e.g., byte substitution) applied to the input value. An additive mask can be applied to the input data. A transformation can be applied to the masked input data to transform the additive mask into a multiplicative-additive mask. Selected bits of the masked input data and the bits in the additive component of the multiplicative-additive mask can be used in combination to select one of the sub-tables. An entry in the selected sub-table, corresponding to a transformed version of the input data, can then be identified.
    Type: Grant
    Filed: April 19, 2007
    Date of Patent: June 28, 2011
    Assignee: Spansion LLC
    Inventor: Elena Vasilievna Trichina
  • Patent number: 7908649
    Abstract: Web server and Web cache operations to permit efficient user authorization and cross-domain authentication without repeated login requirements are described. Techniques to prevent unauthorized use of protected resources are also discussed.
    Type: Grant
    Filed: September 20, 2005
    Date of Patent: March 15, 2011
    Assignee: NetApp, Inc.
    Inventors: Komal Arora, Ravi Krishna
  • Patent number: 7882547
    Abstract: A method of securing communications between an application that includes a macro and a Web Service. The method includes an act of, at the macro, generating a request for data. The request for data comprises generating commands for retrieving data, generating security information, and embedding the commands for retrieving data and the security information in a request. The request for data is sent to the Web Service. The requested data is received from the Web Service if the security information provides appropriate authorization to receive the requested data.
    Type: Grant
    Filed: December 12, 2005
    Date of Patent: February 1, 2011
    Assignee: Microsoft Corporation
    Inventors: Christopher G. Kaler, John P. Shewchuk
  • Patent number: 7836500
    Abstract: A virus and malware cleaner is generated for a personal computer. Scanning software determines the presence of suspicious attributes resident to the computer. When automated detection of the need for a Custom Cleaner occurs, specific system information, along with information about the suspicious attributes, is included in a Custom Cleaner Request. The request is automatically generated and transmitted to a server for processing. In response a Custom Cleaner may be automatically created from a database of parameterized instructions, then downloaded to the user's computer for execution. Automatic verification of the Custom Cleaner success in removing infected files may be sent to the server. In the event that a Custom Cleaner cannot be generated automatically, an escalation occurs in which a support technician becomes involved in preparing the Custom Cleaner. Escalation data accessed by the support technician may include automatically generated diagnostic hints.
    Type: Grant
    Filed: December 16, 2005
    Date of Patent: November 16, 2010
    Assignee: eAcceleration Corporation
    Inventors: D. David Nason, Joshua Nathaniel Lizon
  • Patent number: 7810154
    Abstract: A system and method to detect and geographically locate rogue wireless access users to a computer network are described. The present invention maps an area covered by the wireless network into islands with substantially similar network performances based on information collected by a network management system. This information is collected throughout the day to form a spatial performance model which comprises historical records of each island, giving a dynamic picture of the area covered. The averages of these historical values of the performance parameters at each time interval of the day form the basis of comparison with the captured current values of the rogue user. Once a potential intruder has been identified from his Media Access Control and Internet Protocol addresses, the algorithm of the present invention is used to localize the suspect into the island which has the substantially similar performance characteristics as the rogue user's computer.
    Type: Grant
    Filed: August 23, 2004
    Date of Patent: October 5, 2010
    Assignee: Nanyang Polytechnic
    Inventors: Gau Wei Hum, Siew Leong Kan