Patents Examined by Thomas Szymanski
  • Patent number: 7386130
    Abstract: The encryption device includes a random number generator for generating a random number; and a first selector for selecting one of q fixed values in response to the random number, a second selector for selecting one set of q sets of fixed S-box tables in response to the random number. An XOR XORs an input with an XOR of a key with the fixed value. A nonlinear transform transforms an input nonlinearly in accordance with the selected set of fixed S-box tables. Another encryption device includes a plurality of encrypting units coupled in parallel, and a selector for selecting one of the plurality of encrypting units in response to the random number. The masking with the fixed values improves the processing speed and reduces the required RAM area.
    Type: Grant
    Filed: December 28, 2001
    Date of Patent: June 10, 2008
    Assignee: Fujitsu Limited
    Inventors: Koichi Ito, Masahiko Takenaka, Naoya Torii
  • Patent number: 7340772
    Abstract: The invention relates to methods and systems for reconnecting a client and providing user authentication across a reliable and persistent communication session. A first protocol that encapsulates a plurality of secondary protocols is used to communicate over a network. A first protocol service, using the first protocol, provides session persistence and a reliable connection between a client and a server. An operation may be executed or transacted between the client and the server. When there is a disruption in the network connection between the client and the server that interrupts the operation, the connection is automatically reestablished and the operation is continued.
    Type: Grant
    Filed: June 20, 2005
    Date of Patent: March 4, 2008
    Assignee: Citrix Systems, Inc.
    Inventors: Anatoliy Panasyuk, Andre Kramer, Bradley Jay Pedersen, David Sean Stone, Terry Treder
  • Patent number: 7296154
    Abstract: Methods, systems and architectures for processing renderable digital content are described. The various embodiments can protect against unauthorized access or duplication of unprotected content (i.e. decrypted content) once the content has reached a rendering device such as a user's computer. A flexible framework includes an architecture that allows for general media sources to provide virtually any type of multimedia content to any suitably configured rendering device. Content can be protected and rendered locally and/or across networks such as the Internet. The inventive architecture can allow third parties to write components and for the components to be securely and flexibly incorporated into a processing chain. The components can be verified by one or more authenticators that are created and then used to walk the chain of components to verify that the components are trusted.
    Type: Grant
    Filed: June 24, 2002
    Date of Patent: November 13, 2007
    Assignee: Microsoft Corporation
    Inventors: Glenn F. Evans, John Bradstreet
  • Patent number: 7290148
    Abstract: Disclosed herein is an encryption and decryption communication semiconductor device comprising at least, a communication interface for performing a transfer of data according to a predetermined communication system, one or two or more encryption/decryption circuits which encrypt or decrypt input data in accordance with a predetermined algorithm, and a plurality of external interfaces for performing the input/output of data from and to external devices. The communication interface, the encryption/decryption circuits and the plurality of external interfaces are formed on one semiconductor chip. In the encryption and decryption communication semiconductor device, input data sent from any one of the plurality of external interfaces is encrypted or decrypted by at least one of the encryption/decryption circuits and is capable of being outputted to any different one of the plurality of external interfaces.
    Type: Grant
    Filed: January 29, 2003
    Date of Patent: October 30, 2007
    Assignee: Renesas Technology Corp.
    Inventors: Jun Tozawa, Hiroshi Nogami, Tetsuya Shibayama, Tomohiro Kataoka, Hiroshi Fujio
  • Patent number: 7290144
    Abstract: A programmable electronic device (10) stores a number of cipher-text software modules (14) to which access is granted after evaluating a user's token (55, 80, 82), a software-restriction class (58) for a requested software module (14), and/or a currently active access-control model (60). Access-control models (60) span a range from uncontrolled to highly restrictive. Models (60) become automatically activated and deactivated as users are added to and deleted from the device (10). A virtual internal user proxy that does not require users to provide tokens (80, 82) is used to enable access to modules (16) classified in a global software-restriction class (62) or when an uncontrolled-access-control model (68) is active. Both licensed modules (76) and unlicensed modules (18,78) may be loaded in the device (10). However, no keys are provided to enable decryption of unlicensed modules (18,78).
    Type: Grant
    Filed: June 21, 2002
    Date of Patent: October 30, 2007
    Inventors: Paul Thomas Kitaj, Sherman W. Paskett, Douglas Allan Hardy, Frank Edward Seeker, Steve Robert Tugenberg
  • Patent number: 7284265
    Abstract: System and method for authorizing access to an entity by a user, by binding an access control list to each entity; specifying for the user a set of user privileges; intersecting the access control list and set of user privileges in a compiled ACL table; incrementally refreshing the compiled ACL table responsive to run time modification of relevant tables containing the access control list and set of user privileges; and referencing the compiled access control list to authorize a user request to access an entity.
    Type: Grant
    Filed: April 23, 2002
    Date of Patent: October 16, 2007
    Assignee: International Business Machines Corporation
    Inventors: David Mun-Hien Choy, Tawei Hu, Jy-Jine James Lin, Yuping Wang, Alan Tsu-I Yaung
  • Patent number: 7278157
    Abstract: In a data communications network, a split proxy can include a split proxy server disposed behind a firewall in a private portion of the data communications network; a split proxy client disposed in a client computing device positioned externally to the private portion of the data communications network; a split proxy client interface to at least one client application in the client computing device, and a split proxy server interface to at least one server application corresponding to the at least one client application in the private portion of the data communications network. A tunnel can be established between the split proxy client and split proxy server. The tunnel can host all Internet Protocol (IP) data traffic between the client application and the corresponding server application in the private portion of the data communications network.
    Type: Grant
    Filed: March 14, 2002
    Date of Patent: October 2, 2007
    Assignee: International Business Machines Corporation
    Inventors: Douglas L. Jones, William C. Wimer, II
  • Patent number: 7263610
    Abstract: Methods, devices and systems for providing content providers with a secure way to multicast their data flows only to legitimate end users. By making a specific decision for each potentially legitimate end user requesting a specific data flow, differing subscriber profiles may be taken into account. Furthermore, end to end encryption is avoided by having a switch and/or router control the specific data flow to a specific end user. Each end user sends a request DTU to the switch and/or router asking for permission to join a multicast group. The switch and/or router extracts identification data from the request data transmission unit (DTU) and determines whether the requesting end user is cleared for the requested specific data flow. This determination may be made by sending a query DTU containing the identification data to a policy server which checks the identification data against preprogrammed criteria in its databases.
    Type: Grant
    Filed: July 30, 2002
    Date of Patent: August 28, 2007
    Assignee: ImagicTV, Inc.
    Inventors: Alistair John Parker, Gino Louis Dion, Sean Gordon Higgins
  • Patent number: 7260720
    Abstract: Transmitting data sent from a first device includes random information, which is encrypted by using common information, and a checksum, and the transmitting data is sent to a second device. The second device receives the transmitting data, and sends back answering data that includes an answer message, which is encrypted by using the random information, and checksum, to the first device.
    Type: Grant
    Filed: October 17, 2002
    Date of Patent: August 21, 2007
    Assignee: Matsushita Electric Industrial Co., Ltd.
    Inventors: Masaya Yamamoto, Kouji Miura, Tohru Nakahara
  • Patent number: 7260722
    Abstract: A system and method for communicating a device's capabilities uses a digital watermark embedded in content data. The watermark includes parameters concerning a source unit's communications capabilities. The watermark is embedded within content data, such as multimedia data, of a data packet. A destination unit, upon receiving the data packet detects if a watermark is present, and if so extracts the source's capability parameters from the watermark. The destination unit then negotiates with the source unit to use certain capabilities based on the source capability information contained in the watermark.
    Type: Grant
    Filed: December 28, 2001
    Date of Patent: August 21, 2007
    Assignee: ITT Manufacturing Enterprises, Inc.
    Inventors: Howard Scott Forstrom, Edward Wojciechowski, Madhav Shridhar Phadke
  • Patent number: 7254696
    Abstract: A functional-level instruction-set computing (FLIC) architecture executes higher-level functional instructions such as lookups and bit-compares of variable-length operands. Each FLIC processing-engine slice has specialized processing units including a lookup unit that searches for a matching entry in a lookup cache. Variable-length operands are stored in execution buffers. The operand length and location in the execution buffer are stored in fixed-length general-purpose registers (GPRs) that also store fixed-length operands. A copy/move unit moves data between input and output buffers and one or more FLIC processing-engine slices. Multiple contexts can each have a set of GPRs and execution buffers. An expansion buffer in a FLIC slice can be allocated to a context to expand that context's execution buffer for storing longer operands.
    Type: Grant
    Filed: December 12, 2002
    Date of Patent: August 7, 2007
    Assignee: Alacritech, Inc.
    Inventors: Millind Mittal, Mehul Kharidia, Tarun Kumar Tripathy, J. Sukarno Mertoguno
  • Patent number: 7251829
    Abstract: A process that collects and analyzes data from computer mainframe system events and/or messages as they occur, utilizing a System Management Facility (SMF) interface, a SubSystem Interface (SSI), an Event Notification Facility (ENF) interface, and generates alert message(s) when installation-developed rules so indicate, to provide real-time mainframe event and message monitoring, with notification to multiple targets based on either of two factors: a) configuration parameters defined by auditors and security administrators, and b) statistical analysis and correlation of historical event data (profiling).
    Type: Grant
    Filed: October 26, 2002
    Date of Patent: July 31, 2007
    Assignee: Type80 Security Software, Inc.
    Inventors: William D. Pagdin, Jerry Harding
  • Patent number: 7240217
    Abstract: A reprogrammable subscriber terminal of a subscription television service which can have the control program code of its control processor modified by downloading new program code from the headend. The control processor stores a boot program in an internal read only memory. Upon start up and resets, the boot program determines whether the control program should be changed from a command sent from the headend. The command, termed a parameters transactions, includes the number of expected download program code transactions required to complete the control code modification, the memory space areas where the code is to be loaded, and the channel over which the download program code transactions are to be transmitted. The channel is tuned and when the boot program receives all the download program code transactions accurately and stores them, the boot program will cause the control program to be restarted at a selected address of the new or modified control program code which has been downloaded.
    Type: Grant
    Filed: July 14, 2004
    Date of Patent: July 3, 2007
    Assignee: Scientific-Atlanta, Inc.
    Inventors: Kinney C. Bacon, R. Thomas Haman, David B. Lett, Robert O. Banker, Michael P. Harney
  • Patent number: 7236593
    Abstract: An apparatus for encryption and decryption, capable of use in encryption and decryption of advanced encryption standard. Byte substitution operation and inverse byte substitution operation are to be combined. Byte substitution operation can be expressed as y=M*multiplicative_inverse(x)+c while inverse byte substitution operation can be expressed as x=multiplicative_inverse(M⁻¹*(y+c)), wherein M and M⁻¹ are inverse matrix of each other and c is a constant matrix. Since the two equations employ a look-up table, that is, multiplicative_inverse(x), the lookup tables for use in byte substitution and inverse byte substitution operations are to be combined according to the invention so as to lower hardware complexity of the implementation. In addition, main operations of column mixing operation and inverse column mixing operation are to be rearranged to combine the two operations in part, resulting in simplified hardware implementation.
    Type: Grant
    Filed: March 29, 2002
    Date of Patent: June 26, 2007
    Assignee: Industrial Technology Research Institute
    Inventors: Chih-Chung Lu, Shau-Yin Tseng
  • Patent number: 7234161
    Abstract: Method and apparatus for deflecting connection flooding attacks. Specifically, the stateful firewall allows all connection attempts to flow into the destination host, but monitors the connection attempts to ensure that only legitimate connections are allowed. If the firewall detects that a connection is half-open for longer than a certain timer threshold, it will instruct the destination host to tear down the half-open connection, thereby freeing up resources in the destination host for other connection attempts. The timer threshold can be dynamically adjusted if a connection flooding attack is detected.
    Type: Grant
    Filed: December 31, 2002
    Date of Patent: June 19, 2007
    Assignee: NVIDIA Corporation
    Inventors: Thomas A. Maufer, Sameer Nanda
  • Patent number: 7231525
    Abstract: A method of authentification of data sent in a digital transmission characterized by the organization and authentification of the data prior to transmission into a hierarchy of at least one root directory unit (75), subdirectory unit (76) and file unit (77), data in a file (77) being acted upon by an authentification algorithm and an associated file authentification value (82) stored in the referring subdirectory unit (77), this file authentification value (82) being in turn acted upon by an authentification algorithm and an associated subdirectory authentification value (79) stored in the referring root directory. Other aspects of the invention relate to the authentification of a second root directory (78) by generation of a second authentification value (83) and the authentification of data before encapsulation in tables or sections of a transport stream.
    Type: Grant
    Filed: March 25, 1999
    Date of Patent: June 12, 2007
    Assignee: Thomson Licensing S.A.
    Inventor: Jean-Bernard Gérard Maurice Beuque
  • Patent number: 7206932
    Abstract: A voice-over-Internet-Protocol (VoIP) client codes audio data as printable ASCII characters, then embeds the ASCII audio data inside a cookie that is sent over the Internet within an HTTP GET message. The GET message is sent to a server acting as a call proxy or external manager that forwards the audio data to a remote client. Return audio data is sent back to the client in the normal data field of an HTTP response message from the server. When the client receives the HTTP response, it sends another GET message without audio data, allowing the server to send another response. This empty GET allows VoIP to pass through strict firewalls that pair each HTTP response with a GET. For secure-sockets layer (SSL), client and server exchange pseudo-keys in hello and finished messages that establish the SSL session. Audio data is streamed in SSL messages instead of encrypted data.
    Type: Grant
    Filed: February 14, 2003
    Date of Patent: April 17, 2007
    Assignee: CrystalVoice Communications
    Inventor: Debra C. Kirchhoff
  • Patent number: 7200756
    Abstract: Apparatuses and methods are provided for interface logic that is configurable to operatively couple cryptography support logic and cryptography providing logic. The interface logic provides at least one management function to the cryptography providing logic. The management function includes at least one of the following four management functions: an identity management function, a file management function, a container management function, and a cryptography management function.
    Type: Grant
    Filed: June 25, 2002
    Date of Patent: April 3, 2007
    Assignee: Microsoft Corporation
    Inventors: Daniel C. Griffin, Eric C. Perlin, Glenn D. Pittaway, Klaus U. Schutz
  • Patent number: 7174567
    Abstract: Biometric data, such as fingerprint data, of at least one authorized user of a digital multimedia product is embedded into a digital multimedia product, to thereby control use of the digital multimedia product by a prospective user who obtains access to the digital multimedia product. The digital multimedia product, including the biometric data of the at least one authorized user that is embedded therein, is stored in a digital storage medium. At least some use of the digital multimedia product by a prospective user is prevented upon failure to match biometric data of the prospective user to the biometric data that is embedded in the digital multimedia product.
    Type: Grant
    Filed: October 9, 2002
    Date of Patent: February 6, 2007
    Assignee: Sony Ericsson Mobile Communications AB
    Inventor: Cherif Keramane
  • Patent number: 7162645
    Abstract: A storage device includes a tamper-resistant module and a flash memory. In correspondence with a command, a CPU inside the tamper-resistant module judges the security of data received from the outside, then recording the data as follows: High-security and small-capacity data is recorded into a memory inside the tamper-resistant module. High-security and large-capacity data is encrypted, then being recorded into the flash memory. Low-security data is recorded as it is into the flash memory. This recording method permits large-capacity data to be stored while ensuring a security (i.e., a security level) corresponding thereto.
    Type: Grant
    Filed: February 5, 2002
    Date of Patent: January 9, 2007
    Assignee: Renesas Technology Corp.
    Inventors: Shinya Iguchi, Takashi Tsunehiro, Motoyasu Tsunoda, Haruji Ishihara, Nagamasa Mizushima, Takashi Totsuka