Abstract: The present invention relates to an interface module for a host (2) such as a digital television decoder, permitting the processing of information coming from the host (2) in a conditioned manner subject to a conditional access system (11), comprising authorization means (7) by which the user justifies his access rights.

Abstract: IP security is provided in a virtual private network using network address translation (NAT) by performing one or a combination of the three types of VPN NAT, including VPN NAT type a outbound source IP NAT, VPN NAT type c inbound source IP NAT, and VPN NAT type d inbound destination IP NAT. This involves dynamically generating NAT rules and associating them with the manual or dynamically generated (IKE) Security Associations, before beginning IP security that uses the Security Associations. Then, as IP Sec is performed on outbound and inbound datagrams, the NAT function is also performed.

Abstract: A header object for a data file is comprised of sub-objects which specify properties of the data stream and contains information needed to properly verify and interpret the information within the data object. In order to allow the protection of any set of sub-objects without requiring that the sub-objects follow any specific ordering, a new sub-object is introduced which includes region specifiers identifying regions within sub-objects and verification information for those regions. This new sub-object in the header object allows the modification of non-protected regions and reorganization of sub-objects in a header without invalidating verification information.

Abstract: According to one embodiment of the invention, a configurable CableCARD adaptable for use by multiple conditional access (CA) providers. CableCARD comprises core logic configured to descramble incoming scrambled content, a first CA logic block and a second CA logic block. Connected to the core logic, the first CA logic block uses a first CA function associated with a first CA provider. The second CA logic block is also connected to the core logic. The second CA logic block uses a second CA function associated with a second CA provider. Where the incoming content is scrambled according to the second CA function, the connection between the first CA logic block and the core logic is disabled.

Abstract: An imaging system is provided with an authentication data storage that stores a plurality of pieces of authentication data in relationship to user IDs respectively representing owners of the plurality of communication devices. Further included is a reading system that reads out one of the plurality of pieces of the authentication data corresponding to a user ID if the user ID is transmitted from the external device in relationship to the image data, and a searching system searches for a communication device with which a connection authentication is established using the authentication data read out by the reading system within a predetermined communication area with respect to the imaging system. An imaging system forms an image represented by the image data transmitted in relationship to the user ID from the external device when the communication device is detected by the searching system.

Abstract: When a surgery and a remote control room in a remote location are connected through a communication circuit to perform an endoscope operation, image information is not encrypted and is sent as it is. Patient data including identification information, a name and so on relating to a patient is encrypted in an encrypting portion and then is sent. In the remote control room side receiving the patient data through the communication circuit, the patient data is decrypted by a decrypting portion when it is determined, based on the header portion, that the received data includes the patient data. Thus, the patient data is restructured and a structure, which can be displayed in a display device, including the image information can be obtained. As a result, the privacy of the patient data can be reserved, and the fast transmission can be achieved at low costs.

Abstract: The device and system of present invention identify the person to be identified according to a result given from certification bureau. These device or system mainly comprises a condition inputting section to input identification condition, a certification inputting section to input specifying information corresponding to the identification condition, a judging section to judge whether the specifying information accords with the corresponding identification condition or not, and a result outputting section to output certification result.

Abstract: An integrated circuit (IC) may include at least one smart card memory for storing a set of default requests and at least one alternate request for each default request. The IC may further include a microprocessor connected to the at least one smart card memory for communicating with a host device using the default requests and alternate requests. The microprocessor may selectively switch between using the default requests and the alternate requests when communicating with the host device. As such, this provides a “moving target” which makes it difficult for would-be hackers to determine which requests are used for which smart card operations and, thus, to decipher and interfere with data communications.

Abstract: Methods and apparatus, including computer program products, implement techniques for performing digital signature operations on electronic content. An electronic document includes a digital signature module. The electronic document is accessed using a user application. The digital signature module is used to perform one or more digital signature operations on the electronic document in the user application.

Abstract: Methods and systems for protecting the computer network against unauthorized access are disclosed. Information is reported about each network device connected to the network and/or one or more corresponding users. The reported information is correlated to determine if any unauthorized devices are connected to the network. To report the desired information, each device authorized to use the network may be provided with an agent configured to report information about the device to which it corresponds and information about one or more neighboring devices. A “reporting your neighbor” method may be used wherein each network device report its address and the address of its neighbors may be used to determine if any device is not reporting its address. Alternatively, each agent may report information about its device's physical location, e.g., by global positioning satellite (GPS). A door badge system may be used to provide user location information.

Abstract: A wireless electronic authentication device with an authenticating smart chip, a local radio communication circuit, an input circuit that receives user input, and a power supply, all housed in a portable housing. Preferably, the authentication device is a mobile telephone with an authenticating smart chip. The user enters a knowledge token, such as a password stated by voice or a personal identification number input at the keyboard, to indicate that he is both in possession of the authorization device and knows the critical information. The knowledge token may be entered in advance and merely confirmed by the user pressing a key on the keypad when a confirmation is requested. A method is provided for making use of the authentication device to perform authorizations. A similar method is disclosed for use in existing systems and then achieving a gradual transition from existing systems to the new authentication device.

Abstract: A dynamic wavelet feature-based watermark for use with digital video. Scene change detection separates digital data into one or more scenes, wherein each of the scenes is comprised of one or more frames. A temporal wavelet transformation decomposes the frames of each scene into dynamic frames and static frames. The static frames of each scene are subjected to a spatial wavelet transformation, so that the watermark can be cast into middle frequency sub-bands resulting therefrom. Polyphase-based feature selection or local block-based feature selection is used to select one or more features. The watermark is cast into the selected features by means of either (1) a comparison of energy in polyphase transform components of the selected feature, or (2) a change in value of blocked wavelet coefficients of the selected feature.

Abstract: A data processing apparatus extracts a root key by decrypting an enabling key block. The data processing apparatus then produces a content key on the basis of a random number and encrypts the content key using the root key. Furthermore, the data processing apparatus encrypts an ID of the data processing apparatus using the produced content key thereby producing a storage key. The data processing apparatus then produces encrypted content by encrypting a content using the storage key. Furthermore, the data processing apparatus stores the encrypted content together with the data produced by encrypting the content by the root key into a removable storage medium. The content, stored into the removable storage medium in the above-described manner, can be played back only by a specific limited device.

Abstract: A smart card and a settlement terminal are provided by which, when common-key cryptography is used for value transfer between smart cards, the security of the whole system can be improved by enabling easy updating of a cryptographic key used for the value transfer. A smart card transmits/receives value data to/from another smart card. The smart card includes an information accumulating unit for accumulating value data, a transfer key used to update the value data, and an update key used to update the transfer key; a communication unit for receiving a transfer key encrypted by use of the update key, the transfer key being transmitted from another smart card; and an arithmetic processing unit for decrypting the encrypted transfer key by use of the update key to update the transfer key accumulated in the information accumulating unit by use of the decrypted transfer key.

Abstract: A method, system and computer program product for computing a message authentication code for data in storage of a computing environment. An instruction specifies a unit of storage for which an authentication code is to be computed. An computing operation computes an authentication code for the unit of storage. A register is used for providing a cryptographic key for use in the computing to the authentication code. Further, the register may be used in a chaining operation.

Abstract: A unique volume license key (VLK) is provided to a volume license holder. A signed file containing the VLK and the data derived from volume license holder's submitted computing environment information is provided to the volume license holder along with the licensed software. The license file is stored in a central location, such as on an installation server, or locally on client machines, in a rather large file of any type. Upon logon, the license file is read, the data authenticated and the system is activated. If license data cannot be authenticated, a connected system either fully functions in grace period or run in reduced functionality mode until authentication succeeds. If the system is disconnected, the system is functional only with disconnected features until it joins a network again. In a completely off-line installation, the license file is generated by the volume license holder using software vendor assigned specific VLK and software vendor provided security hardware device.

Abstract: An encryption method includes the steps of (a) generating random data including a first part and a second part, the first part specifying an operation to be performed on plain text data and the second part being used in the operation, (b) performing the specified operation on the plain text data using the second part of the random data, and (c) transmitting a result of the operation together with the random data.

Abstract: The invention described herein utilizes a universally known and accepted unique item that is independently identifiable and valuable so as to be constituted for difficulty of counterfeiting as an authenticator item. The identity of this item is included in an authorization calculation which can only be accomplished by an authorizing issuing authority. In a preferred embodiment of the invention, the authenticator is a serial numbered item such as a currency bill or note. The document may be created in a decentralized fashion using ordinary plain paper and the document may even take electronic or other forms. The issuing authority must have the critical or important details of the document and must authorize the creation of the document before it can be created. Further the document's authenticity may be verified without communication back to the issuing authority.

Abstract: We propose a multi user information theoretically secure scheme. Our scheme allows any two parties in a multi user system to exchange messages securely using encryption, and to sign messages. Our scheme achieves a significant saving in the number of total keys in the system and in the keys each user must store. The encryption, and signing algorithms proposed in the scheme are as efficient as possible. Our scheme is designed so that it is possible to easily and efficiently revoke and add membership of new users into the system. It is also designed so that authentication and security against man in the middle attacks can be added at low cost. In addition, we introduce a novel and efficient way to use steganography for key replenishment.

Abstract: Systems and methods are provided for managing and distributing keys between routers using protocol exchange messages between routers as key distribution vehicles. According to one embodiment of the invention, a router of an autonomous system uses its private key to send cryptographic information associated with another router to a peer router as part of its protocol exchange messages. The peer router is able to extract the cryptographic information and store it in a look-up table. Such protocol exchange messages may occur as part of an Interior Gateway Protocol or an Exterior Gateway Protocol. According to another embodiment of the invention, a chain authentication system is created as boundary routers of autonomous systems having a trust relationship share cryptographic information for other autonomous systems as part of protocol exchange messages for the exterior gateway protocol.