Abstract: A user recognition and identification system and method is presented in which text entered by a user at a keyboard is evaluated against previously recorded keystrokes by the user for the presence of repeatable patterns that are unique to an individual.

Abstract: A private key delivery system and a private key delivery method are disclosed. The private key delivery system includes a transmitter, a receiver, and an optical transmission line connecting the transmitter and the receiver. The transmitter includes a single photon generating unit for simultaneously generating two or more single photons having different wavelengths using a quantum dot structure that has quantum dots of various sizes, an optical splitter for splitting the single photons by wavelengths, a phase modulating unit for modulating each of the single photons split by the wavelengths with private key information, and an optical multiplexer for multiplexing the modulated single photons of the different wavelength and for transmitting the multiplexed single photons to the optical transmission line. The multiplexed single photons are received by the receiver, and the private key information is taken out from the received single photons.

Abstract: Controlling access to disseminated messages includes implementing one or more key management policies that specify how various encryption keys are maintained and in particular, when encryption keys are made inaccessible. Deleting a particular key renders inaccessible all copies of messages, known or unknown, associated with the particular key, regardless of the location of the associated messages. A message may be directly or indirectly associated with a deleted key. Any number of levels of indirection are possible and either situation makes the message unrecoverable. The approach is applicable to any type of data in any format and the invention is not limited to any type of data or any type of data format.

Abstract: A method and system for securely enrolling personal identity credentials into personal identification devices. The system of the invention comprises the manufacturer of the device and an enrollment authority. The manufacturer is responsible for recording serial numbers or another unique identifier for each device that it produces, along with a self-generated public key for each device. The enrollment authority is recognized by the manufacturer or another suitable institution as capable of validating an individual before enrolling him into the device. The enrollment authority maintains and operates the appropriate equipment for enrollment, and provides its approval of the enrollment. The methods described herein discuss post-manufacturing, enrollment, backup, and recovery processes for the device.

Abstract: A controller of a recording device issues a secure command to a storage device, and then waits the time estimated necessary for the storage device to execute the secure command before issuing the next secure command. When a controller of the storage device is executing the previous command, it notifies the recording device of being in process. When the previous command has been completed normally, the controller moves to the next process. Information for estimating the execution time of the command is obtained from the storage device in advance.

Abstract: A method, system and computer program product for computing a message authentication code for data in storage of a computing environment. An instruction specifies a unit of storage for which an authentication code is to be computed. An computing operation computes an authentication code for the unit of storage. A register is used for providing a cryptographic key for use in the computing to the authentication code. Further, the register may be used in a chaining operation.

Abstract: An imaging system is provided with an authentication data storage that stores a plurality of pieces of authentication data in relationship to user IDs respectively representing owners of the plurality of communication devices. Further included is a reading system that reads out one of the plurality of pieces of the authentication data corresponding to a user ID if the user ID is transmitted from the external device in relationship to the image data, and a searching system searches for a communication device with which a connection authentication is established using the authentication data read out by the reading system within a predetermined communication area with respect to the imaging system. An imaging system forms an image represented by the image data transmitted in relationship to the user ID from the external device when the communication device is detected by the searching system.

Abstract: A system and method for representing multiple security groups as a single data object are provided. With the system and method, a complex group object is created that consists of a group set value and a mask value. The complex group object represents a plurality of groups by the group set value. The mask value is used to apply to group identifiers received during an authentication process to generate a value that is compared against the group set value to determine if the group identifiers are part of the complex group. For example, in a first step of authorization processing, the group identifier received in an authorization request is bit-wise AND'd with the mask value for the complex group data object. In a second step, the masked group identifier from the received request is compared to the group set value of the complex group object.

Abstract: A header object for a data file is comprised of sub-objects which specify properties of the data stream and contains information needed to properly verify and interpret the information within the data object. In order to allow the protection of any set of sub-objects without requiring that the sub-objects follow any specific ordering, a new sub-object is introduced which includes region specifiers identifying regions within sub-objects and verification information for those regions. This new sub-object in the header object allows the modification of non-protected regions and reorganization of sub-objects in a header without invalidating verification information.

Abstract: A method and apparatus are disclosed which incorporate a system for enabling the adaptive modification of the security level of a node in a network based on software use of nodes in the network. The system is particularly applicable to dynamic network i.e. networks in which nodes may be mobile and in which the network topology is not constant.

Abstract: A method for authenticating computers is disclosed. The method comprises issuing a credential from a first computer to a second computer. When the second computer authenticates to the first computer, the second computer transmits the credential and a first challenge to the first computer. The first computer determines whether the credential is valid, computes a first response to the first challenge, and generates a second challenge. The first computer transmits the first response and the second challenge to the second computer. The second computer determines whether the first response is valid and computes a second response to the second challenge. The second computer transmits the second response to the first computer in order to verify and authenticate the computers.

Abstract: Techniques are disclosed for achieving context-sensitive confidentiality within a federated environment for which content is aggregated in a distributed Web portal (or similar aggregation framework), ensuring that message portions that should be confidential are confidential to all entities in the federated environment except those entities to which the message portions may properly be divulged. The federation may comprise an arbitrary number of autonomous security domains, and these security domains may have independent trust models and authentication services. Using the disclosed techniques, messages can be routed securely within a cross-domain federation (irrespective of routing paths), thereby ensuring that confidential information is not exposed to unintended third parties and that critical information is not tampered with while in transit between security domains. Preferred embodiments leverage Web services techniques and a number of industry standards.

Abstract: Methods and systems for securely requesting, retrieving, sending, and storing files. One aspect involves receiving a request for a file from a client device that identifies a user and the client device, encrypting the file using a session key based at least in part on the user and the client device, and transmitting the encrypted file to the client device. Other aspects of the invention include storing the encrypted file on the client device in encrypted form such that the file may only be decrypted or accessed by the particular user on that particular client device.

Abstract: A printer that prints encrypted information in a document can be the key authority for that document. A document containing encrypted information and a source reference can be printed by a printer associated with a key module. The key module contains the key for decrypting the information. A scanner scanning the document obtains the source reference and the encrypted information. The scanner can use the source reference to send a key request to the printer and the printer can respond with the appropriate key. A decryption module associated with the scanner can use the key to decrypt the information. The decrypted information can be incorporated into a second document that can be electronically stored or printed.

Abstract: A method, system and program product for executing a cipher message assist instruction in a computer system by specifying, via the cipher message assist instruction, either a capability query installed function or execution of a selected function of one or more optional functions, wherein the selected function is an installed optional function, wherein the capability query determines which optional functions of the one or more optional functions are installed on the computer system.

Abstract: Disclosed is a method and apparatus for reducing communication system downtime when enabling cryptographic operation of a cryptographic system of the communication system where the cryptographic system includes a first cryptographic device operatively coupled to a plurality of second cryptographic devices via a communication network of the communication system. The method includes causing a pass-through mode of the second cryptographic devices to be suspended, sequentially determining a state of each of the second cryptographic devices, causing the second cryptographic devices and the first cryptographic device to substantially simultaneously operate in a secure mode if each of the second cryptographic devices is determined to have a first state, and causing the second cryptographic devices and the first cryptographic device to operate in the pass-through mode if at least one of the plurality of second cryptographic devices is determined to have a second state.

Abstract: An authentication server automatically selects one of plural authentications identified by authentication identifiers to authorize access by a user to a service dispensed by a service server of a provider identified by a provider identifier via a communication network. The server includes a module for selecting an authentication identifier in a memory as a function of the provider identifier and the type of the terminal and/or the network type of the communication network, and a module for authenticating the user by launching an authentication process associated with the authentication identifier.

Abstract: A system is provided for downloading pushed content includes a terminal capable of receiving service loading content that identifies download content and has a digital signature. The terminal is capable of authenticating the service loading content based upon the digital signature, and if the service loading content is authenticated, pulling the download content to the terminal. In this regard, the terminal is capable of authenticating the service loading content, and pulling the download content, in response to receiving the service loading content and independent of interaction from a user of the terminal. The terminal can also be capable of determining if an interruption occurs in receiving the download content such that the terminal receives less than the entire download content. And if an interruption occurs, the terminal can be capable of recovering the download content such that the terminal receives the plurality of data packets.

Abstract: One embodiment of the present invention enables global delivery of “on-demand” high fidelity media content to client computers via a network, such as, the Internet or a wide area network (WAN) while restricting unauthorized users from directly retrieving media content from its sources. The present embodiment includes a global media content delivery network that may include multiple “points of presence” which may be located throughout the world. Each point of presence may store a portion or the entirety of a media content library that may be provided to client devices. Each one of the points of presence may provide media content to client devices in their respective vicinity of the world. Once a client receives media, it is stored using hidden directories to prevent easy redistribution with other devices. An access key procedure and rate control restrictor may also be implemented to monitor and restrict suspicious media requests.

Abstract: A system is provided for hiding a data group in a wireless communication device, in which a predetermined data group is hidden according to a hiding request. The system for hiding a data group comprises an encryption module for receiving the hiding request and the predetermined groups in a memory in the wireless communication device and an access module. Next, the encryption module establishes mechanism for hiding a data group to hide the predetermined data group. The access module performs the mechanism for hiding a data group and decrypts a secret code encrypted by the encryption module when data in the predetermined data group is to be read.