Abstract: A co-processor (44) executes a mathematical algorithm that computes modular exponentiation equations for encrypting or decrypting data. A pipelined multiplier (56) receives sixteen bit data values stored in an A/B RAM (72) and generates a partial product. The generated partial product is summed in a summer (58) with a previous partial product stored in a product RAM (64). A modulo reducer (60) causes a binary data value N to be aligned and added to the summed value when a particular data bit location of the summed value has a logic one value. An N RAM (70) stores the data value N that is added in a modulo reducer (60) to the summed value. The co-processor (44) computes the Foster-Montgomery Reduction Algorithm and reduces the value of (A*B mod N) without having to first compute the value of &mgr; as is required in the Montgomery Reduction Algorithm.

Abstract: A method and system is provided for communicating encrypted user passwords from a client to a server. During new environment negotiations, the server communicates to the client a server random seed value. The client then generates a client random seed value and, using the client random seed value, the server random seed value, and the user variable name, an encrypted user password. The client then communicates to the server the client random seed, the user variable name and the encrypted user password. Then the server validates the encrypted user password using the server random seed, the client random seed and the user variable name.

Abstract: A system in which an encrypted data file can be protected, accessed, and maintained by a plurality of users using cryptographically hashed passwords. The system provides for the creation in memory for each authorized user of a cryptographically hashed password as an entry in an unencrypted header file. The system compares an authorized user's cryptographically hashed password against a corresponding set of cryptographically hashed passwords in memory to determine whether the user is allowed access to the protected data file. The passwords are cryptographically one-way hashed with a “salt” value in such a way as to make reconstruction of original passwords by an unintended party virtually impossible, because the passwords never exist in memory in an unhashed state. Furthermore, the passwords are cryptographically “one-way” hashed so as not to be reconstructible.

Abstract: An international cryptography framework (ICF) is provided that allows manufacturers to comply with varying national laws governing the distribution of cryptographic capabilities. In particular, such a framework makes it possible to ship worldwide cryptographic capabilities in all types of information processing devices (e.g. printers, palm-tops). The ICF comprises a set of service elements which allow applications to exercise cryptographic functions under the control of a policy. The four core elements of the ICF architecture, i.e. the host system, cryptographic unit, policy activation token, and network security server, comprise an infrastructure that provides cryptographic services to applications. Applications that request cryptographic services from various service elements within the ICF are identified through a certificate to protect against misuse of a granted level of cryptography.

Abstract: A scalable access filter that is used together with others like it in a virtual private network to control access by users at clients in the network to information resources provided by servers in the network. Each access filter use a local copy of an access control data base to determine whether an access request made by a user. Changes made by administrators in the local copies are propagated to all of the other local copies. Each user belongs to one or more user groups and each information resource belongs to one or more information sets. Access is permitted or denied according to of access policies which define access in terms of the user groups and information sets. The rights of administrators are similarly determined by administrative policies. Access is further permitted only if the trust levels of a mode of identification of the user and of the path in the network by which the access is made are sufficient for the sensitivity level of the information resource.

Abstract: In a cryptosystem, communication terminals and encryptors can be grouped physically and logically. The communication mode can be switched by the encryptor between ciphertext communication and plaintext communication. The encryptor includes the session key memorizing unit for memorizing the session key and the mode switch for switching the communication mode between ciphertext communication and plaintext communication. The key manager distributes the session key generated by the session key generating unit and the valid/invalid information set by the valid/invalid setting unit to each encryptor. The valid/invalid judging unit judges whether the communication data should be sent in ciphertext or plaintext using the mode switch and the valid/invalid information.

Abstract: A method for verifying the authenticity of messages exchanged between a pair of correspondents in an electronic conducted over a data transmission system where the correspondents each include respective signing and verifying portions of a first signature scheme and a second signature scheme different from the first and utilizing an elliptic curve cryptosystem.

Abstract: A system for producing an output scrambled digital data stream from an input scrambled digital data stream. The input scrambled digital data stream includes a plurality of control messages (ECMs), each ECM including coded information for generating a control word (CW) associated with the ECM and being encoded using an ECM key. The input scrambled digital data stream also includes a plurality of segments of scrambled digital data, each segment of scrambled digital data being associated with one of the plurality of ECMs and being scrambled using the CW associated with the ECM.

Abstract: A system and method is provided which facilitates an expedited message control system which previously required the passage of messages from the Kerberos Server to a Kerberos Support Library, residing on a ClearPath NX Server, to a client workstation in a synchronous fashion. The present system expedites the message response to a client by allowing an intermediary such as the Kerberos Support Library (residing on the ClearPath NX Server), to respond on behalf of the Kerberos Server which does not need to be contacted, since synchronization of updated information is effectuated continually between the Kerberos Server and the Kerberos Support Library.

Abstract: An audio input interface (122) receives a digital audio signal and identifies an audio bitstream which is optionally decrypted by a decryption unit (123), and decoded by an audio decoding unit (124). An audio digital to analog converter (126) converts the decoded audio bitstream to an analog audio signal which is optionally decrypted by an audio analog decryption unit (127). A video input interface (142) receives a digital video signal and identifies a video bitstream which is optionally decrypted by a video digital decryption unit (143), and decoded by a video decoding unit (144). A video digital to analog converter (146) converts the decoded video bitstream to an analog video signal that is optionally decrypted by a video analog decryption unit (147). An analog transmitter (150) mixes the analog audio signal and analog video signal and transmits an analog output signal to a television (110).

Abstract: A portfolio selector technique is described for selecting publicly traded companies to include in a stock market portfolio. The technique is based on a technology score derived from the patent indicators of a set of technology companies with significant patent portfolios. Typical patent indicators may include citation indicators that measure the impact of patented technology on later technology, Technology Cycle Time that measures the speed of innovation of companies, and science linkage that measures leading edge tendencies of companies. Patent indicators measure the effect of quality technology on the company's future performance. The selector technique creates a scoring equation that weights each indicator such that the companies can be scored and ranked based on a combination of patent indicators. The score is then used to select the top ranked companies for inclusion in a stock portfolio.

Abstract: On an optical disk, data is recorded. In a prescribed region of the disk, an identifier is provided for indicating whether or not a barcode-like mark is present on the optical disk. The identifier and the barcode-like mark are in different locations on the disk. The prescribed region is a control data area in which physical feature information regarding the optical disk is recorded. The prescribed region is also a guard bond area in which at least an address is recorded.

Abstract: A method, apparatus and computer program product are disclosed for certifying the authenticity of an application program and for securely associating certified application programs whose certification has been verified, with persistent application data that they own. The invention prevents other application programs, including certified application programs whose certifications have been verified, from accessing data not of their own.

Abstract: A technique, system, and computer program for protecting data stored by a computer system in a computing environment having a connection to a public network. The stored data is created and accessed by a software application, which encrypts it for storing and decrypts it for processing. A secret, immutable value specific to the computer system on which the software is running is combined with information identifying an authorized user in order to form the input key used by the encryption and decryption facilities of the software. Optionally, the secret value can be exposed to the user in order to move the encrypted data to another environment.

Abstract: A method and apparatus is provided for executing electronic transactions with teens, especially where such transactions are limited only to those vendors that have been approved by the teen's parents. In one embodiment, a virtual automatic teller machine (VATM) is provided in which funds are transferred from an existing account, such as a saving account, checking account, or credit card account, to an Internet passport account. The VATM account mimics a bank account, i.e. it gives the user the appearance of an ATM machine. Functionally, the VATM allows the user to transfer funds from an existing account into the Internet passport account. The VATM does this by emulating an ATM machine as it appears to the Automated Clearing House (ACH) system. The ACH system is a separate network from the Internet.

Abstract: A method and apparatus for distributing information products is described that comprises: receiving an encrypted launch code; decrypting the encrypted launch code with a string, R, as the key to recover a first candidate authentication code and an indicium of a first information product; and installing the first information product onto the computer when the candidate authorization code matches a first known authorization code.

Abstract: A mobile computer and a packet encryption and authentication method which are capable of controlling an activation of a packet encryption and authentication device belonging to the mobile computer according to the security policy at the visited network of the mobile computer. The mobile computer is provided with a packet encryption and authentication unit having an ON/OFF switchable function for applying an encryption and authentication processing on input/output packets of the mobile computer.

Abstract: Secure communication may be conducted between two or more parties over a network, e.g the Internet without prior security arrangements among the parties or agreed to encryption/decryption software. A sending party is connected to a data network through a computer and has access to a communications network, e.g. a public switched telephone network. The sender prepares a file designated, e.g. “X” containing confidential information for secure transmission over the Internet or the like to one or more receivers. In one embodiment, the sender downloads encryption/decryption or “crypto” software stored at a location on the Internet e.g. location “U” in a Uniform Resource Locator (URL). The “crypto” software is written in executable code or an interpretive language such as JAVA. The sender selects a key “K” and encrypts the plain text file “X” into cipher text.

Abstract: An encryption key processing system includes a user terminal system which uses a key and a sub-system for holding information regarding the user terminal system, the sub-system generating predetermined public information, secret information corresponding to the public information and a secret key dependent on an identifier of said user terminal system, sending a secret key to the user terminal system in secret and the user terminal system generating and using a key and necessary information based on a secret key and public information received from the sub-system.

Abstract: A secure and reliable method for verifying in the host system that the expected PSD is coupled to the host system includes generating a random number in the host system and encrypting the random number with a PSD state identification number. The encrypted random number is then sent to the PSD. The PSD decrypts the encrypted random number received using the PSD state identification number and sends the decrypted random number to the host system. The host system compares the decrypted random number received from the PSD to the random number generated in the host system. If they are the same, the host system has verified the expected PSD and has also verified that the PSD has not completed any transactions apart from the host system. A method for verifying that the expected host is coupled to the PSD mirrors the method for verifying the expected PSD.