Patents Examined by T. B. Truong
  • Patent number: 7421080
    Abstract: Secret information is shared by a group of members by giving each member a first share of the information. To reconstruct the secret information, a subgroup consisting of some or all of the members generate second shares from their first shares, and distribute the second shares to the other members of the subgroup. Each member of the subgroup performs an operation on the second shares it receives and one second share it generated itself to obtain an intermediate result. The intermediate results are transmitted to one or more members of the subgroup, or to a central facility, where the original secret information is obtained from a further operation performed on the intermediate results. The original secret information can thereby be obtained without compromising the secrecy of the first shares, and without forcing the members to reveal their identities.
    Type: Grant
    Filed: March 12, 2004
    Date of Patent: September 2, 2008
    Assignee: Oki Electric Industry Co., Ltd.
    Inventors: Yasuko Matsumura, Satoshi Nakagawa, Kohei Endo
  • Patent number: 7392539
    Abstract: Various aspects of the invention provide a method, apparatus, and software for selecting interconnectivity rules for a computer network environment and visualization on a display of a data processing system interconnectivity rules in an auto provisioning environment, including: selecting a network environment specification having characteristics describing the environment, the characteristics including: number of network security tiers, firewalls, and other network constraints; displaying a graphical representation of the selected network environment, including security tiers, and proposed firewalls, to a user on the display; selecting network objects for the selected network environment, the network objects being selected from a group of objects including: operating systems and other software applications having predefined or configurable characteristics including interconnectivity rules, and firewall rules; populating the displayed network environment with the selected objects; determining network interconn
    Type: Grant
    Filed: May 25, 2004
    Date of Patent: June 24, 2008
    Assignee: International Business Machines Corporation
    Inventors: Patrick J. Brooks, Andrew J. Greff, Stewart J. Hyman, Artur Keizner
  • Patent number: 7386886
    Abstract: Disclosed is a system and method for providing enhanced security to processes running on a data processing system. The disclosed system and method selectively revokes execute privileges from memory pages being used for stacks of susceptible processes running on the data processing system. By selectively resetting execute privileges on a per page and per process basis, the system and method maintains system performance and provides enhanced security to processes running on the data processing system.
    Type: Grant
    Filed: November 8, 2000
    Date of Patent: June 10, 2008
    Assignee: International Business Machines Corporation
    Inventor: Roger Kenneth Abrams
  • Patent number: 7366305
    Abstract: One aspect of an embodiment of the invention provides a method and platform to prove to a challenger that a responder device possesses cryptographic information from a certifying manufacturer. This is accomplished by performing a direct proof by the responder device to prove that the responder device possesses the cryptographic information. The direct proof comprises at least one exponentiation being conducted using an exponent having a bit length no more than one-half a bit length of a modulus (n).
    Type: Grant
    Filed: September 30, 2003
    Date of Patent: April 29, 2008
    Assignee: Intel Corporation
    Inventor: Ernie F. Brickell
  • Patent number: 7360087
    Abstract: Methods and systems are provided for improving access control, administrative monitoring, reliability, as well as flexibility of data transmission and remote application sharing over a network. Secure, stable network connections and efficient network transactions among multiple users are supported by an open and distributed client-server architecture. A datagram schema is adapted to enable dynamic datagram switching in support of a multitude of applications and network services. Mobile intelligent data carriers are provided that allow for the implementation of an authentication and encryption scheme. The intelligent data carriers are adapted to target deliver applications to authorized users, thereby achieving access control to not only data but also applications. The authentication and encryption scheme in one embodiment is based on physical or performance biometrics.
    Type: Grant
    Filed: January 16, 2004
    Date of Patent: April 15, 2008
    Assignee: Giritech A/S
    Inventors: Jimi T. Jørgensen, Craig L. Damon, Jan Pathuel, Christopher L. Arlaud
  • Patent number: 7353381
    Abstract: A supplicant on a first computing system authenticating the first computing system to an authenticator on a second computing system in a manner that is independent of the underlying data link and physical layer protocols. The first computing system establishes a data link layer connection with the second computing system using specific data link and physical layer protocols. The supplicant on the first computing system and the authenticator on the second computing system then receive an indication that the data link layer connection has been established. The supplicant determines that authentication is to occur with the authenticator, and vice versa. The supplicant (and the authenticator) then instructs that authentication is to occur in a manner that is independent of the underlying data link and physical layer protocols used to establish the connection.
    Type: Grant
    Filed: June 3, 2003
    Date of Patent: April 1, 2008
    Assignee: Microsoft Corporation
    Inventors: Sachin C. Sheth, Mohammad Shabbir Alam, Arun Ayyagari, Abhishek Abhishek
  • Patent number: 7346921
    Abstract: A set of pluggable rules are used to define low-level security rules in terms of high-level security concepts. The rules are part of a pluggable module that can interact with a business logic to provide different granularities of control.
    Type: Grant
    Filed: April 30, 2001
    Date of Patent: March 18, 2008
    Assignee: GE Capital Corporation
    Inventors: Brian T. Murren, Thomas R. Kiehl
  • Patent number: 7346923
    Abstract: Techniques are disclosed for federating identity management within a distributed portal server, leveraging Web services techniques and a number of industry standards. Identities are managed across autonomous security domains which may be comprised of independent trust models, authentication services, and user enrollment services. The disclosed techniques enable integrating third-party Web services-based portlets, which rely on various potentially-different security mechanisms, within a common portal page.
    Type: Grant
    Filed: November 21, 2003
    Date of Patent: March 18, 2008
    Assignee: International Business Machines Corporation
    Inventors: Barry D. Atkins, David O. Melgar, Anthony J. Nadalin, Ajamu A. Wesley
  • Patent number: 7343628
    Abstract: An authorization data model factors roles into generic roles and responsibilities, using these attributes at run-time to complete an authorization process based on non-static privileges associated with currently defined roles and responsibilities. Multiple applications collect current variable authorization information at run-time, when prompted by a user request to access a protected resource, from an external central repository that maintains updated generic role and responsibility information independent of user identity, thus replacing a fixed authorization structure with a flexible wild-card based model.
    Type: Grant
    Filed: May 28, 2003
    Date of Patent: March 11, 2008
    Assignee: Sap AG
    Inventors: Cristina Buchholz, Frank Buchholz
  • Patent number: 7343622
    Abstract: A multi-level secure multi-processor computer architecture. The inventive architecture provides an inexpensive security solution for integrated avionics and includes a plurality of nodes. The nodes are connected via a switch in a network configuration over which data is routed using labels. The switch is controlled to facilitate secure communication of data between the nodes. In the illustrative embodiment, the network is a Fibre Channel network including plural switches in which a system manager node serves to control routing between nodes based on a security policy. Each node has a central processing unit. The system manager is implemented as a node and sets up routing tables for selective connection of the nodes via the switch. The label assignments are stored in Fibre Channel network interface cards disposed on each node. The system manager also sets up label routing tables that authorize the interconnection of selective nodes.
    Type: Grant
    Filed: April 27, 2000
    Date of Patent: March 11, 2008
    Assignee: Raytheon Company
    Inventor: Thomas R. Woodall
  • Patent number: 7340624
    Abstract: This invention relates to a clock control system including a CPU, a peripheral functional block for the CPU, a frequency multiplication circuit which multiplies the frequency of an input system clock and outputs the multiplied system clock, a plurality of frequency division circuits which divide the frequency of a signal output from the frequency multiplication circuit to generate clocks to be supplied to the CPU and peripheral functional block, and a clock controller which changes the frequency multiplication ratio of the frequency multiplication circuit to 1/N (positive integer) and then changes the frequency division ratio of the frequency division circuit arranged on the input stage of the peripheral functional block to 1/N in order to set the CPU to a low-power consumption mode, and a method of controlling the clock control system.
    Type: Grant
    Filed: November 20, 2003
    Date of Patent: March 4, 2008
    Assignee: NEC Corporation
    Inventor: Hiroshi Kurakane
  • Patent number: 7340613
    Abstract: In a digital information recording/reproducing apparatus, information recorded on a hard disk with copy restriction is protected from being copied onto other hard disks by means of a PC, etc., to produce a large number of illegal copies, i.e., infringing a copyright. The information is recorded onto a hard disk drive through encryption thereof, using an identification number unique thereto, when it is recorded onto the hard disk. With this, normal reproduction is prevented even if the information is copied onto another hard disk, since the drive identification number necessary for decryption is different. Also, version information of the hard disk is stored in an information management circuit. When the information is illegally copied onto another hard disk, the version information changes; therefore it does not coincide with the version information stored in the information management circuit.
    Type: Grant
    Filed: October 4, 2002
    Date of Patent: March 4, 2008
    Assignee: Hitachi, Ltd.
    Inventors: Hiroo Okamoto, Manabu Sasamoto, Atsushi Yoshioka
  • Patent number: 7336783
    Abstract: Cryptographic systems and methods that support multiple modes of operation, such as CBC, CTR and/or CCM modes. In one aspect, a method for encrypting data includes reading a plaintext data block from a memory, storing the plaintext data block in an input buffer, encrypting the plaintext data block in the input buffer using a first mode to generate a first ciphertext, storing the first ciphertext in an output buffer, encrypting the plaintext data block in the input buffer using a second mode to generate a second ciphertext. For example, in a CCM mode of operation wherein the first mode is a CTR (counter) mode and the second mode is a CBC (cipher block chaining) mode, the block of plaintext that is initially read from memory and stored in the data input register is applied to both the CTR and CBC modes, thereby reducing a number of memory read operations as in conventional CCM modes.
    Type: Grant
    Filed: November 25, 2003
    Date of Patent: February 26, 2008
    Assignee: Samsung Electronics, Co., Ltd.
    Inventor: Tae Gon Park
  • Patent number: 7336786
    Abstract: Information or contents cannot be reproduced even from a regular storage medium which is encrypted in accordance with a predetermined encryption system, due to erroneous detection of watermarks. Detection of the watermarks and restriction over reproduction depending thereon is conducted only in a case where the medium is not encrypted. In case of detecting that the data is not encrypted in accordance with a predetermined encryption system by an encryption detection circuit and when the watermarks are detected by a watermark detection circuit, reproduction of the data is stopped by a reproduction restricting circuit. In a case that it is detected to be encrypted in the predetermined encryption system by the encryption detection circuit, the reproduction restricting circuit will not stop the reproduction thereof.
    Type: Grant
    Filed: October 7, 2004
    Date of Patent: February 26, 2008
    Assignee: Hitachi, Ltd.
    Inventors: Masaru Takahashi, Toshifumi Takeuchi, Osamu Kawamae
  • Patent number: 7337330
    Abstract: A universal method and system for downloading game software to legacy gaming machines. A gaming machine includes a locked enclosure; a first computing device disposed within the locked enclosure, the first computing device being programmed to enable game play of the gaming machine; a second computing device disposed within the locked enclosure of the gaming machine, the second computing device being configured for network access, and an interface between the first and the second computing devices. The second computing device is configured to receive game software components over the network that are compatible with (e.g., executable by) the first computing device but not compatible with (e.g., not executable by) the second computing device and to transfer the received game software components to the first computing device over the interface. The second computing device may include, for example, a PC.
    Type: Grant
    Filed: May 25, 2005
    Date of Patent: February 26, 2008
    Assignee: Cyberview Technology, Inc.
    Inventors: Jean-Marie Gatto, Thierry Brunet de Courssou
  • Patent number: 7337471
    Abstract: System, methods, and computer readable media for determining whether a computer file (340) has been infected by an attacking agent. A scanning engine (205) generates a new hash of a critical viral target region of the file (340) and compares it to a stored hash of the critical viral target region. The scanning engine (205) determines whether the file (340) has been scanned by the most recent version of a detection module (425) associated with the attacking agent. If the hashes are identical and the file (340) has been scanned by the most recent version of the detection module (425), the scanning engine (205) determines that the file (340) is free of infection by the attacking agent.
    Type: Grant
    Filed: October 7, 2002
    Date of Patent: February 26, 2008
    Assignee: SYMANTEC Corporation
    Inventors: Carey Nachenberg, Peter Szor
  • Patent number: 7333609
    Abstract: A random number sequence is previously generated by the function f8 for data confidentiality processing, which generates a random number sequence, and stored in a random number sequence memory (buffer). When data (message) is input, the random number sequence stored in the random number sequence memory is obtained, and the data (message) is encrypted by an XOR circuit to generate ciphertext data. In case of decrypting data, a random number sequence is also previously generated by the function f8 for data confidentiality processing and stored in the random number sequence memory (buffer). When the ciphertext data is input, by the XOR circuit, the random number sequence stored in the random number sequence memory is read and the ciphertext data is decrypted into the data (message).
    Type: Grant
    Filed: April 3, 2001
    Date of Patent: February 19, 2008
    Assignee: Mitsubishi Denki Kabushiki Kaisha
    Inventors: Tomomi Kasuya, Takeshi Chikazawa, Takao Wakabayashi, Shinsuke Uga
  • Patent number: 7330971
    Abstract: A system and method for delegating at least one administrative duty associated with namespace management from an authentication system to at least one administration system. An application programming interface provides communication between the authentication system and the administration system. The authentication system receives a request from the administration system, verifies the authority of the request, and performs the action(s) specified in the request to manage a namespace.
    Type: Grant
    Filed: September 30, 2003
    Date of Patent: February 12, 2008
    Assignee: Microsoft Corporation
    Inventors: Sachin Kukreja, Barry I. Kelman, Steven M. Cellini, David R. Shutt, Roy Leban, Daniel Doubrovkine
  • Patent number: 7331060
    Abstract: Detecting and protecting against denial of service flooding attacks that are initiated against an end system on a computer network. In accordance with one aspect of the invention, a filter is established at a network location. The filter prevents data packets received at a first network location and deemed responsible for the denial of service flooding condition from being forwarded to a subsequent network location. Data packets received at the first network location are then monitored to determine whether the flow of any data packets from a network source exhibit a legitimate behavior, such as where the flow of data packets exhibits a backoff behavior. The filter is then modified to permit data packets that exhibit legitimate behavior to pass through the filter.
    Type: Grant
    Filed: September 10, 2002
    Date of Patent: February 12, 2008
    Assignee: Xangati, Inc.
    Inventor: Livio Ricciulli
  • Patent number: 7328350
    Abstract: A confidential datum, such as a private key used in public key signature systems, is secured in a digital wallet using a “generation camouflaging” technique. With this technique, the private key is not necessarily stored in the digital wallet, not even in an encrypted form. Instead, the wallet contains a private key generation function that reproduces the correct private key when the user inputs his or her pre-selected PIN. If the user inputs an incorrect PIN, an incorrect private key is outputted. Such private key can be configured so that it cannot be readily distinguished from the correct private key through the use of private key formatting, and/or the use of pseudo-public keys corresponding to the private key. The techniques described herein are also applicable to other forms of regeneratable confidential data besides private keys.
    Type: Grant
    Filed: June 5, 2001
    Date of Patent: February 5, 2008
    Assignee: Arcot Systems, Inc.
    Inventor: Geoffrey R. Hird