Patents Examined by William R. Korzuch
  • Patent number: 7835519
    Abstract: To provide a method and a system for creating a mini time key from a time key, a plurality of mini time keys are created within a unit time period. First, a unit time decryption key is prepared immediately after the unit time is created. Then, the last mini time key is created by applying a one-way function to the unit time decryption key. A desired mini time key is created by applying the one-way function to a mini time key following the desired mini time key. In other words, the mini time keys are created as a timed series arranged in a descending order beginning with the last mini time key. In this manner, even when a specific mini time key is externally leaked for a specific reason, a following mini time key in a timed series can not be created by using this mini time key. In addition, even when the mini time keys are sequentially published, the security of the unit time decryption key is maintained.
    Type: Grant
    Filed: January 23, 2009
    Date of Patent: November 16, 2010
    Assignee: International Business Machines Corporation
    Inventor: Michiharu Kudo
  • Patent number: 7836306
    Abstract: A process for establishing secure mutual trust includes generating a one-time-password. The one-time-password is transferred between the devices in a communication occurring off of the network. Each device generates a set of authenticators by hashing a plurality of sub-strings of the password and the device's authentication certificate with a respective set of nonces. The devices exchange the respective sets of authenticators. Each device then alternates revealing its respective set of nonces and its authentication certificate in a multi-stage process. The devices re-calculate the authenticators based upon the respective set of nonces and authentication certificate revealed by the other device along with the one-time-password sub-strings that it possesses. If each device determines that the authenticators re-calculated by the given device match the authenticators previously received from the other device, secure mutual trust is established.
    Type: Grant
    Filed: June 29, 2005
    Date of Patent: November 16, 2010
    Assignee: Microsoft Corporation
    Inventors: Harry S. Pyle, Bruce Louis Lieberman, Daniel R. Simon, Guillaume Simonnet, William Dollar
  • Patent number: 7827593
    Abstract: Embodiments of the inventions are generally directed to methods, apparatuses, and systems for the dynamic evaluation and delegation of network access control. In an embodiment, a platform includes a switch to control a network connection and an endpoint enforcement engine coupled with the switch. The endpoint enforcement engine may be capable of dynamically switching among a number of network access control modes responsive to an instruction received from the network connection.
    Type: Grant
    Filed: June 29, 2005
    Date of Patent: November 2, 2010
    Assignee: Intel Corporation
    Inventors: Ned M. Smith, Howard C. Herbert, Karanvir Grewal
  • Patent number: 7827313
    Abstract: A method is provided of at least partially securing communications, via a HIP proxy (16), between a first host (12) which is not HIP enabled and a second host (14) which is HIP enabled, the method comprising: sending (A) a query from the first host (12) to resolve the IP address of the second host (14); in response to said query, retrieving (B, C) an IP address (IPfa) and HIT (HIThip) associated with the second host (14), returning (E) from the proxy (16) a substitute IP address (IPres) associated with the second host (14), and maintaining (D) at the proxy (16) a mapping between the substitute IP address (IPres), the retrieved IP address (IPfa) and the retrieved HIT (HIThip); and upon receipt (F) of a session initiation message (TCP SYN) at the proxy (16) from the first host (12) including as its destination address the substitute IP address (IPres), using the mapping to negotiate a secure HIP connection (22) between the proxy (16) and the second host (14).
    Type: Grant
    Filed: February 13, 2004
    Date of Patent: November 2, 2010
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Patrik Salmela, Jorma Wall, Petri Jokela
  • Patent number: 7823211
    Abstract: A personal computer PC transmits to a server encoded user information and encoded license information, etc. contained in a secure recording medium. The server decodes the encoded license information to obtain license information. Then, the server deletes the encoded license information contained in the secure recording medium via the personal computer PC. The server decodes the decoded user information contained in a secure recording medium to obtain user information. Then, the server encodes the license information based on the user information to write the obtained encoded license information into the secure recording medium via the personal computer PC. In this manner, license information can be moved between two secure media and convenience can be improved.
    Type: Grant
    Filed: May 27, 2005
    Date of Patent: October 26, 2010
    Assignees: Kabushiki Kaisha Toshiba, Toshiba Solutions Corporation
    Inventors: Shinichi Matsukawa, Akihiro Kasahara, Hiroshi Suu, Taku Kato, Kazunori Nakano, Akira Miura
  • Patent number: 7822199
    Abstract: A method and device for performing a cryptographic operation by a device controlled by a security application executed outside thereof in which a cryptographic value (y) is produced by a calculation comprising at least one multiplication between first and second factors containing a security key (s) associated with the device and a challenge number (c) provided by the security application. The first multiplication factor comprises a determined number of bits (L) in a binary representation and the second factor is constrained in such a way that it comprises, in a binary representation, several bits at 1 with a sequence of at least L−1 bits at 0 between each pair of consecutive bits at 1 while the multiplication is carried out by assembling the binary versions of the first factor shifted according to positions of the bits at 1 of the second factor, respectively.
    Type: Grant
    Filed: February 24, 2005
    Date of Patent: October 26, 2010
    Assignee: France Telecom
    Inventors: Marc Girault, David Lefranc
  • Patent number: 7823213
    Abstract: An encryptor is provided for encrypting AV data sent from an interface. A controller controls recording of the encrypted AV data by controlling a recorder for recording the encrypted AV data in a magnetic disk. The recorder is controlled by the controller so as to reproduce the data recorded on the disk. A decrypter decrypts the reproduced data that is sent to the interface.
    Type: Grant
    Filed: October 24, 2006
    Date of Patent: October 26, 2010
    Assignee: Panasonic Corporation
    Inventors: Shuichi Yoshida, Takanori Okada, Yoshiki Kuno, Jyun-ichi Komeno, Toshikazu Koudo, Ryosuke Shimizu, Noriaki Kubo
  • Patent number: 7818781
    Abstract: A facility for setting and revoking policies is provided. The facility receives from a controlling process a request to set a policy on a controlled process, and determines whether the controlling process has privilege to set the policy on the controlled process. If the facility determines that the controlling process has privilege to set the policy on the controlled process, the facility sets the policy on the controlled process, which causes the policy to be applied to the controlled process to determine whether the controlled process has authorization to access one or more resources.
    Type: Grant
    Filed: October 1, 2004
    Date of Patent: October 19, 2010
    Assignee: Microsoft Corporation
    Inventors: Gilad Golan, Mark Vayman, Scott A. Field
  • Patent number: 7818794
    Abstract: Disclosed are a method and bi-directional communication device, such as a cable modem, router, bridge, or other communication device adapted to communicate via a network and having a firewall, for identifying those packets associated with inappropriate activity. The communication device includes at least one user discernable indicator associated with the firewall. The at least one user discernable indicator contemporaneously indicates that a number of packets associated with the inappropriate activity has exceeded a threshold level.
    Type: Grant
    Filed: June 9, 2003
    Date of Patent: October 19, 2010
    Assignee: Thomson Licensing
    Inventor: Brian Albert Wittman
  • Patent number: 7818583
    Abstract: The present invention relates to a personal authentication apparatus which registers biometric information unique to each individual person, captures biometric information on the person anew when authenticating the person, and checks the captured biometric information against registered biometric information, whereby the security of registration is improved. A keyhole into which a physical key is inserted and a sensor which detects biometric information such as palm vein patterns are provided. Registration of a user is permitted only if a key is inserted and turned in the keyhole and a person registered as an administrator is authenticated based on biometric information.
    Type: Grant
    Filed: March 23, 2005
    Date of Patent: October 19, 2010
    Assignees: Fujitsu Limited, Fujitsu Frontech Limited
    Inventor: Yasuhiro Igarashi
  • Patent number: 7818809
    Abstract: Methods, apparatuses, and computer-readable media for protecting confidential data on a network. An embodiment of the inventive method comprises the steps of: monitoring 110 data directed to a website; identifying 120 a data string having at least one confidential characteristic; categorizing the data string with a categorization level; examining 140 the website for at least one characteristic consistent with confidential data; creating 155 a website characteristic profile; comparing 170 the website characteristic profile with the data string's categorization level for compatibility; and determining 180 whether the data string can be communicated to the website.
    Type: Grant
    Filed: October 5, 2004
    Date of Patent: October 19, 2010
    Assignee: Symantec Corporation
    Inventors: William E. Sobel, Bruce McCorkendale, Richard Willey
  • Patent number: 7818569
    Abstract: A digital value is generated in an integrated circuit such that the generated value substantially depends on circuit parameters that vary among like devices. The generated digital value is then used, for example, to access protected information in the device or to perform a cryptographic function in the integrated circuit.
    Type: Grant
    Filed: June 1, 2006
    Date of Patent: October 19, 2010
    Assignee: Massachusetts Institute of Technology
    Inventors: Srinivas Devadas, Blaise Gassend
  • Patent number: 7813511
    Abstract: Providing a mobility key for a communication session for a mobile station includes facilitating initiation of the communication session. A master key for the communication session is established, where the master key is generated at an authentication server in response to authenticating the mobile station. A mobility key is derived from the authentication key at an access node, where the mobility key is operable to authenticate mobility signaling for the communication session.
    Type: Grant
    Filed: July 1, 2005
    Date of Patent: October 12, 2010
    Assignee: Cisco Technology, Inc.
    Inventors: Kent K. Leung, Jayaraman R. Iyer, Viren K. Malaviya
  • Patent number: 7814560
    Abstract: An online publishing portal enables geographically-spaced common-brand users to publish locale-specific, content-controlled messages. The online publishing portal provides selective access to pre-constructed, digital, plate-ready macrotemplates. A dynamic document server stores the macrotemplates and authorizes selective access thereto based upon user-supplied credentials. The user, having authenticated credentials, may access a select macrotemplate, which necessarily comprises a plurality of digital, plate-ready microtemplates, including at least one restricted access template and at least one open access template. Authorized users may edit a select microtemplate as dictated by the user's level of authorization. The user may thus send the content-controlled digital, plate-ready file to a publisher for publishing information or messages compiled upon the macrotemplate. The portal thereby enables geographically-spaced common-brand users to publish locale-specific, content-controlled messages.
    Type: Grant
    Filed: August 23, 2007
    Date of Patent: October 12, 2010
    Assignee: Bell Litho, Inc.
    Inventors: Herman A. Bellagamba, Timothy J. Bellagamba
  • Patent number: 7813512
    Abstract: In an encrypted communication system that includes a first and a second device, the first device encrypts a 1st key using a public key of the second device to generate 1st encrypted data, which is then transmitted to the second device, receives 2nd encrypted data from the second device, which is then decrypted using a secret key of the first device to obtain a 2nd key, and generates, based on the 1st and 2nd keys, a 1st encryption key for use in communication with the second device. The second device encrypts a 3rd key using a public key of the first device to generate the 2nd encrypted data, which is then transmitted to the first device, receives the 1st encrypted data, which is then decrypted using a secret key of the second device to obtain a 4th key, and generates, based on the 3rd and 4th keys, a 2nd encryption key for use in communication with the first device. The first and second devices perform encrypted communication using the 1st and 2nd encryption keys.
    Type: Grant
    Filed: October 18, 2004
    Date of Patent: October 12, 2010
    Assignee: Panasonic Corporation
    Inventors: Yuichi Futa, Masato Yamamichi, Masami Yamamichi, legal representative, Satomi Yamamichi, legal representative, Keiko Yamamichi, legal representative, Motoji Ohmori, Makoto Tatebayashi
  • Patent number: 7814331
    Abstract: A generating section generates a presentation symbol string for receiving a next authentication request to an authenticated ID, a storing section stores a transformation rule and a sending destination of the presentation symbol string to be associated with each ID, a sending section sends “the generated presentation symbol string” to a display terminal, which is “the sending destination of the presentation symbol string stored in the storing section to be associated with the authenticated ID”, an updating section causes the storing section to further store the presentation symbol string sent to be associated with the authenticated ID to perform update, a receiving section receives an authentication request that designates an ID and a transformed symbol string from an access terminal, and an authenticating section causes authentication of the ID to succeed when a condition is satisfied where “the received transformed symbol string matches a transformation result obtained by applying ‘the transformation rule st
    Type: Grant
    Filed: March 3, 2003
    Date of Patent: October 12, 2010
    Assignee: Passology Co., Ltd.
    Inventor: Hideharu Ogawa
  • Patent number: 7810157
    Abstract: A method of managing alerts issued by intrusion detection sensors (11a, 11b, 11c) of an information security system (1) including an alert management system (13), each alert being defined by an alert identifier and an alert content. Each of the alerts issued by the intrusion detection sensors (11a, 11b, 11c) is associated with a description including a conjunction of valued attributes belonging to attribute domains. The valued attributes belonging to each attribute domain are organized into a taxonomic structure defining generalization relationships between said valued attributes, the plurality of attribute domains thus forming a plurality of taxonomic structures. The description of each of said alerts is completed with sets of values induced by the taxonomic structures on the basis of the valued attributes of said alerts to form complete alerts. The complete alerts are stored in a logic file system (21) to enable them to be consulted.
    Type: Grant
    Filed: December 16, 2004
    Date of Patent: October 5, 2010
    Assignee: France Telecom
    Inventors: Benjamin Morin, Hervé Debar
  • Patent number: 7809648
    Abstract: A software licensing system includes a license generator located at a licensing clearinghouse and at least one license server and multiple clients located at a company or entity. When a company wants a software license, it sends a purchase request (and appropriate fee) to the licensing clearinghouse. The license generator at the clearinghouse creates a license pack containing a set of one or more individual software licenses. The license generator digitally signs the license pack and encrypts it with the license server's public key. The license server is responsible for distributing the software licenses from the license pack to individual clients. When a client needs a license, the license server determines the client's operating system platform and grants the appropriate license. The license server digitally signs the software license and encrypts it using the client's public key. The license is stored locally at the client.
    Type: Grant
    Filed: December 17, 2004
    Date of Patent: October 5, 2010
    Assignee: Microsoft Corporation
    Inventors: Pradyumna K. Misra, Bradley J. Graziado, Terence R. Spies
  • Patent number: 7809956
    Abstract: In a music-content management system, a client handles three types of data, i.e., a file for encrypting content and storing the content, a key that encrypted the content, and a use condition description for each service in which the content is used. The file stores one type of content encryption system and one type of encrypted content. The file also stores information regarding use condition descriptions for respective services.
    Type: Grant
    Filed: October 26, 2004
    Date of Patent: October 5, 2010
    Assignee: Sony Corporation
    Inventors: Munetake Ebihara, Mitsuru Katsumata
  • Patent number: 7810136
    Abstract: A computerized method and system for routing between network servers. A central database coupled to a central server on a data communication network stores information for identifying locations of a plurality of network servers on the network. Each network server provides at least one service via the network. The central server receives a request from the user for a selected service including a carry through keyword for controlling routing of the user to the selected service. The central server retrieves location information from the central database to identify the location of the network server providing the selected service and attaches the carry through keyword to the retrieved location information. The central server then routes the user with the carry through keyword to the network server, which directs the user to the selected service based on the carry through keyword.
    Type: Grant
    Filed: January 10, 2005
    Date of Patent: October 5, 2010
    Assignee: Microsoft Corporation
    Inventors: Wei-Quiang Michael Guo, Baskaran Dharmarajan, Ryan W. Battle