Patents Examined by Thomas R. Peeso
  • Patent number: 7395426
    Abstract: A method of authenticating a content provider and assuring content integrity by which the content provider is authenticated and the content integrity is assured upon download, exchange or transfer of a variety of multimedia contents through a wired/wireless communication network. The method of authenticating the content provider and assuring the content integrity includes downloading packaged contents with an electronic signature made thereto into a device of a user through a wired/wireless communication network, finding a URL address from which a certificate for verification of a signature of the content provider is provided, in a header of the contents, acquiring the certificate of the content provider after moving to the URL address, extracting a public key required for the verification of the electronic signature from the acquired certificate, and verifying the electronic signature by using the extracted public key.
    Type: Grant
    Filed: April 22, 2004
    Date of Patent: July 1, 2008
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Byung-rae Lee, Kyung-ah Chang
  • Patent number: 7392397
    Abstract: A system and associated method for providing access to at least one specified application within a software system. The software system comprises security software and a software tool suite. The security software is adapted to authorize a user to access at least one specified application on a computer system comprising a security standard. The software tool suite is adapted to create or modify a user profile for the user. The user profile comprises at least one transaction necessary for the user to access the at least one specified application. The software tool suite is adapted to integrate in real time the user profile into the security software. The software tool suite is adapted to create a user profile report in real time to verify that the user profile is in compliance with the security standard of the computer system.
    Type: Grant
    Filed: April 6, 2004
    Date of Patent: June 24, 2008
    Assignee: International Business Machines Corporation
    Inventors: Wendy M. Brown, Alexis H. Garvin, Joseph R. Gonzalez, James E. Hughes, James L. Polak, Jr.
  • Patent number: 7392379
    Abstract: Firewall system for interconnecting a first IP network (10) to a second IP network (16), these networks belonging to two different entities having each a different administration wherein any data packet transmitted/received by the first IP network is filtered by using a first firewall function and any data packet transmitted/received by the second IP network is filtered by using a second firewall function. The system comprises essentially a single firewall device (20) including filtering means (41, 43) performing both first firewall function and second firewall function, a console port (37) enabling the administrator in charge of each IP network to enter filtering rules for updating the associated firewall function and control means (39, 47, 49) interconnecting the console port and the filtering means for transmitting thereto the filtering rules so that each administrator may independently manage the system from the console port.
    Type: Grant
    Filed: July 31, 2007
    Date of Patent: June 24, 2008
    Inventors: Jean-François Le Pennec, Aurélien Bruno, Nicolas Grisi, Jean-Marie Sommerlatt
  • Patent number: 7386719
    Abstract: A system and method for providing anti-virus protection to a web server. The method comprises the steps of: receiving web pages that are to be stored at the web server; stripping active elements from the web pages being stored at the web server; storing the web pages at the web server; receiving a request for a web page to be served by the web server; determining if active elements are required for the requested web page; inserting active elements into the requested web page if active elements are required; and serving the requested web page.
    Type: Grant
    Filed: July 29, 2003
    Date of Patent: June 10, 2008
    Assignee: International Business Machines Corporation
    Inventor: Bruce Wallman
  • Patent number: 7380138
    Abstract: First data to be sent by a first party to a second party is encrypted using an encryption key that is formed using at least a hash value generated by a keyed hash of at least one condition that typically serves as an identifier of an intended recipient of the first data. The encrypted first data is provided to a data recipient who requests a decryption key from the trusted party. The trusted party is responsible for verifying that the recipient meets the specified conditions before providing the decryption key. A valid decryption key is only provided if the correct conditions have been supplied to the trusted party.
    Type: Grant
    Filed: April 22, 2004
    Date of Patent: May 27, 2008
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Liqun Chen, Keith Alexander Harrison
  • Patent number: 7380119
    Abstract: A method, an apparatus, a system, and a computer program product are presented for virtualizing trusted platform modules within a data processing system. A virtual trusted platform module along with a virtual endorsement key is created within a physical trusted platform module within the data processing system using a platform signing key of the physical trusted platform module, thereby providing a transitive trust relationship between the virtual trusted platform module and the core root of trust for the trusted platform. The virtual trusted platform module can be uniquely associated with a partition in a partitionable runtime environment within the data processing system.
    Type: Grant
    Filed: April 29, 2004
    Date of Patent: May 27, 2008
    Assignee: International Business Machines Corporation
    Inventors: Steven A. Bade, Linda Nancy Betz, Andrew Gregory Kegel, Michael J. Kelly, William Lee Terrell
  • Patent number: 7376837
    Abstract: System for using a manufacturer issued certificate to authenticate a CTA device during registration with an IP telephony network. In response to providing the manufacturer issued certificate, the issuance of another certificate allows the CTA to be provisioned by a specific IP telephony network. The system includes a method of operating a cable telephony adapter in an IP telephony network. The method includes steps of storing a manufacturer issued certificate in the cable telephony adapter, providing the manufacturer issued certificate to the telephony network, receiving a network issued certificate, and registering for telephony services with the telephony network using the network issued certificate.
    Type: Grant
    Filed: April 7, 2000
    Date of Patent: May 20, 2008
    Assignee: General Instrument Corporation
    Inventor: Alexander Medvinsky
  • Patent number: 7373524
    Abstract: Methods, systems and computer program products are disclosed for monitoring user behavior for a server application in a computer network. The methods, systems, and computer program products can monitor communication data between a server application and a client. The methods, systems, and computer program products can also include applying one or more detectors to the communication data to identify a variety of predetermined activity. Further, the methods, systems, and computer program products can include generating a threat score associated with the predetermined activity by comparing the identified predetermined activity with a security threshold criteria.
    Type: Grant
    Filed: February 24, 2004
    Date of Patent: May 13, 2008
    Assignee: Covelight Systems, Inc.
    Inventors: David Lee Motsinger, David Byron Logan, Kenneth Robert Gramley, Garth Douglas Somerville, Albert Ming Choy, Douglas Wayne Hester, Virgil Montgomery Wall, Jr., Byron Lee Hargett
  • Patent number: 7373515
    Abstract: A suspect user (110) seeks access to a network resource from an access authority (150) utilizing a passcode received from an authentication authority (130). Initially, an ID of a device is bound with a PIN, the device ID is bound with a private key of the device, and the device ID is bound with a user ID that has been previously bound with a password of an authorized user. The device ID is bound with the user ID by authenticating the user ID using the password. Thereafter, the suspect user communicates the device ID and the PIN from the device over an ancillary communications network (112); the authentication authority responds back over the ancillary communications network with a passcode encrypted with the public key of the device; and the suspect user decrypts and communicates over a communications network (114) the passcode with the user ID to the access authority.
    Type: Grant
    Filed: October 9, 2001
    Date of Patent: May 13, 2008
    Assignee: Wireless Key Identification Systems, Inc.
    Inventors: William N. Owen, Eric Shoemaker
  • Patent number: 7373510
    Abstract: The invention prevents robots from browsing a Web site beyond a welcome page. When an initial request from an undefined originator is received, the Web site responds to it with a welcome page including a challenge. Then, on receiving a further request from the undefined originator, the Web site can check whether the challenge is fulfilled or not. If fulfilled, the undefined originator is assumed to be a human being and authorized to go on. If the challenge is not fulfilled, the undefined originator is assumed to be a robot, in which case site access is further denied. The invention prevents Web site contents from being investigated by robots while not requiring users to have to log on.
    Type: Grant
    Filed: July 9, 2001
    Date of Patent: May 13, 2008
    Assignee: International Business Machines Corporation
    Inventors: Marc Lamberton, Eric Levy-Abegnoli, Pascal Thubert
  • Patent number: 7373505
    Abstract: The present invention provides a method and system for providing a security element that is directed at inhibiting malicious activity by displaying a browser window in such a way that the user can trust and know the source of the window. Additional information and ornamentation is displayed on the window to help ensure that an end user is not confused or misled (“spoofed”) into believing that the window originates from a trusted source. When a call is made to open a browser window, the status bar is displayed by default. The status bar provides additional information, such as the security zone, to the user to help the user in determining the source of the content. The security zone informs the user of the location from which the content originates. This additional information helps to ensure that the user has the necessary information on whether or not to trust the source.
    Type: Grant
    Filed: April 15, 2004
    Date of Patent: May 13, 2008
    Assignee: Microsoft Corporation
    Inventors: Ann Seltzer, Steve Dirickson, Roland Tokumi, Roberto A. Franco
  • Patent number: 7370192
    Abstract: A method for preventing cloning of a genuine security element is described. The method includes associating a random number generator (RNG) in the security element with a portion of a non-volatile memory (NVM) in the security element, and activating the RNG to automatically write, during a normal operation mode of the security element, a new random number into the portion of the NVM whenever an attempt is made to write into the portion of the NVM. Any unit other than the RNG is preferably prevented from writing data into the portion of the NVM during the normal operation mode of the security element. Related apparatus and method are also described.
    Type: Grant
    Filed: March 31, 2003
    Date of Patent: May 6, 2008
    Assignee: NDS Ltd.
    Inventor: Reuben Sumner
  • Patent number: 7366895
    Abstract: A method for permitting encrypted communications between two stations which are operable with encryption algorithms that accept encryption keys having work factors with different values, by: in a first determining step, determining the lower one of the different values; providing an initial encryption key having a first work factor value; comparing the first work factor value with the lower one of the work factors determined in the determining step; when, in the comparing step, the first work factor value is greater than the lower one of the work factor values determined in the determining step, performing the following steps: performing a first hash function on the initial encryption key to produce a first output, and deriving from the first output a first intermediate key having a work factor value not greater than the lower one of the different work factor values determined in the determining step; performing the first hash function on the first intermediate key to produce a second output, and deriving fro
    Type: Grant
    Filed: January 21, 2004
    Date of Patent: April 29, 2008
    Assignee: QUALCOMM Incorporated
    Inventor: Gregory G. Rose
  • Patent number: 7366892
    Abstract: A telematics system that includes a security controller is provided. The security controller is responsible for ensuring secure access to and controlled use of resources in the vehicle. The security measures relied on by the security controller can be based on digital certificates that grant rights to certificate holders, e.g., application developers. In the case in which applications are to be used with vehicle resources, procedures are implemented to make sure that certified applications do not jeopardize vehicle resources' security and vehicle users' safety. Relationships among interested entities are established to promote and support secure vehicle resource access and usage. The entities can include vehicle makers, communication service providers, communication apparatus vendors, vehicle subsystem suppliers, application developers, as well as vehicle owners/users.
    Type: Grant
    Filed: January 28, 2004
    Date of Patent: April 29, 2008
    Assignee: Cellport Systems, Inc.
    Inventors: Charles W. Spaur, Patrick J. Kennedy, Michael F. Braitberg, Axel Fuchs, Nate Klingenstein, Lane Lee
  • Patent number: 7363489
    Abstract: A method and related system obtains consent from a user for electronic delivery of sensitive information. The user operating a first computer accesses a web page on a server system to input the consent. The web page prompts for the consent from the user. Once the consent is received at the server system, the consent is stored and sensitive information is delivered electronically to an e-mail address specified by the user. Once consent is indicated, it is communicated from the individual's computer to another computer such as a server over, for example, a modem connection. Having secured the individual's consent, the additional sensitive information may be delivered to the individual's computer as, for example, a URL attachment to an email message.
    Type: Grant
    Filed: December 28, 2005
    Date of Patent: April 22, 2008
    Assignee: New River, Inc.
    Inventors: Stephen V. Burakoff, Sergiu S. Simmel, Robert A. Fein, Leonard Driscoll, Alex Magary, Garett Wiley
  • Patent number: 7363513
    Abstract: A method, apparatus, and computer instructions for responding to a denial of service attack. The method detects an occurrence of the denial of service attack from a remote data processing system, in which invalid credentials are presented to the data processing system. Connections from the remote data processing system to the data processing system are blocked in response to detecting the occurrence of the denial of service attack. A command is selectively sent to a server data processing system to block connections from the remote data processing system, in response to detecting the occurrence of the denial of service attack.
    Type: Grant
    Filed: April 15, 2004
    Date of Patent: April 22, 2008
    Assignee: International Business Machines Corporation
    Inventors: Susann Marie Keohane, Gerald Francis McBrearty, Shawn Patrick Mullen, Jessica Kelley Murillo, Johnny Meng-Han Shieh
  • Patent number: 7360098
    Abstract: A process for managing and authorizing rights in a computer system accounts for the dynamic, multi-dimensional, and granular nature of rights. A database structure divides works and rights into two related tables. A works table includes information sufficient to identify works managed by the system, while a rights table identifies a right associated with a work and includes one or more date fields delimiting the right. The rights table may also include type of use information. Additional tables, such as a work relation table, a party table, or an order table, may be provided. The process involves managing and querying the database structure and has broad applicability to intellectual, real, and personal property; contract management; and similar items. The process may be performed in a computer system operating in standalone mode, client/server mode, or over the Internet.
    Type: Grant
    Filed: December 15, 2004
    Date of Patent: April 15, 2008
    Assignee: Copyright Clearance Center, Inc.
    Inventors: Woodrow W. Johnson, Christine J. Atkins, Jon A. Yoh, Thomas M. Parece
  • Patent number: 7360077
    Abstract: Hacking of a class of Set-Top Boxes known as Integrated Receiver-Decoders (IRDs) used to receive satellite broadcasts for display on television sets is prevented by use of connections to the reprogramming enable pin of a flash memory. If a user attempts to reprogram the boot sector of the flash memory in order to obtain free service via piracy, the set-top box is destroyed. The invention relates to the design and manufacture of IRDs that are resistant to hacking via unauthorized reprogramming.
    Type: Grant
    Filed: March 19, 2003
    Date of Patent: April 15, 2008
    Assignee: Thomson Licensing
    Inventors: Robert Alan Pitsch, John Joseph Curtis, III
  • Patent number: 7360081
    Abstract: A method of authenticating an article includes the steps of, at an issuing station, selecting an inherent feature of the article and converting the feature into digital data to form an identification code for the article. An encryptor is used to encrypt the identification code utilizing a secret private key of an asymmetric encryption key pair and associated with the issuing party. The encrypted code is made available on a label accompanying the article. During a subsequent phase and at an authentication station, digital data relating to the feature is determined directly from the article and the code is decrypted utilizing a public key of the pair obtained from a third party in accordance with rules of a public key infrastructure. The determined data and the data relating to the feature retrieved from the decrypted code are compared to authenticate the article.
    Type: Grant
    Filed: May 2, 2002
    Date of Patent: April 15, 2008
    Assignee: Centralised Authentication of Products (Pty) Ltd.
    Inventor: Albertus Jacobus Pretorius
  • Patent number: 7356694
    Abstract: Sharing of data between one domain and at least one other domain over a network is facilitated by the use of tokens. A user token set in a cookie stored on the user's system at log-on to a first domain is used to create, or is associated with, a secure token passed by a first domain to a second domain when the user, in a session with the second domain, requests resources, access to which includes authorization by a first domain. The secure token facilitates various actions pertinent to a user in a session with said second domain, including, for example, the maintenance of an active, concurrent session between a user and a first domain, and authentication and authorization without log-on at a second domain or other domains.
    Type: Grant
    Filed: March 10, 2004
    Date of Patent: April 8, 2008
    Assignee: American Express Travel Related Services Company, Inc.
    Inventors: Mary Ann Mayo, Trey Neemann, Harry Pearson, Chandra C. Sekhar, Dan Toraason