Patents Examined by William R. Korzuch
  • Patent number: 7698737
    Abstract: A control unit is described for technical installations, devices and/or machines having a microprocessor, a programmable memory and a housing enclosing the microprocessor and programmable memory. Data lines lead out of the housing for connection with an external device for writing data to the programmable memory. The control unit is enclosed in the housing such that the operability of the control unit is at least partly destroyed when the housing is opened. The control unit furthermore has a check device that checks for authorization a write access by which data are written to the programmable memory over the data line, and causes the data to be written to the programmable memory only in case of a successful check of authorization.
    Type: Grant
    Filed: June 11, 2002
    Date of Patent: April 13, 2010
    Assignee: Giesecke & Devrient GmbH
    Inventors: Olaf Schwan, Hubert Uebelacker, Marc Lindlbauer
  • Patent number: 7694339
    Abstract: A method, system, apparatus, or computer program product is presented for morphing a honeypot system on a dynamic and configurable basis. The morphing honeypot emulates a variety of services while falsely presenting information about potential vulnerabilities within the system that supports the honeypot. The morphing honeypot has the ability to dynamically change its personality or displayed characteristics using a variety of algorithms and a database of known operating system and service vulnerabilities. The morphing honeypot's personality can be changed on a timed or scheduled basis, on the basis of activity that is generated by the presented honeypot personality, or on some other basis. The morphing honeypot can also be integrated with intrusion detection systems and other types of computer security incident recognition systems to correlate its personality with detected nefarious activities.
    Type: Grant
    Filed: June 28, 2008
    Date of Patent: April 6, 2010
    Assignee: International Business Machines Corporation
    Inventors: Kenneth W. Blake, Vikki Kim Converse, Ronald O'Neal Edmark, John Michael Garrison
  • Patent number: 7694155
    Abstract: A system includes a main device and a recording medium device. The main device includes a reception unit that receives a digital work from an external distribution server, an internal storage area for storing the digital work, a playback unit that plays back the digital work, and a unique information storage area for storing information that is unique to the main device. The main device also includes an encryption unit that encrypts the digital work using the unique information, a decryption unit that decrypts, using the unique information, the encrypted digital work having been read from the recording medium device, a write unit that writes the encrypted digital work into the recording medium device which is portable, and a read unit that reads the encrypted digital work from the recording medium device.
    Type: Grant
    Filed: December 8, 2006
    Date of Patent: April 6, 2010
    Assignee: Panasonic Corporation
    Inventors: Shunji Harada, Masaya Miyazaki, Shinichi Matsui, Shinji Inoue, Natsume Matsuzaki, Naohiko Noguchi
  • Patent number: 7689834
    Abstract: The present invention provides a personal authentication apparatus that includes a permissibility information file for registering information indicating whether setting an ID common to more than one person is permitted or not. In the apparatus, only if setting of an ID common to more than one person is prohibited, an information registering section refers to the permissibility information file to check whether or not a first ID currently obtained for registration is identical to any of second IDs stored in an information storing section. Then, only if the first ID differs from any of the second IDs, the information registering section registers the first ID and biometric information currently obtained in an information storing section.
    Type: Grant
    Filed: March 23, 2005
    Date of Patent: March 30, 2010
    Assignees: Fujitsu Limited, Fujitsu Frontech Limited
    Inventor: Yasuhiro Igarashi
  • Patent number: 7688976
    Abstract: A random wave envelope is created from a set of bounded random numbers by additively combining a triangle, a square and a sine wave. The random wave envelope is then used to create a sequence of wave random numbers from the wave envelope, which are used to generate random-variant keys for encryption in place of the pre-placed encryption key. An ambiguity envelope is thus created over the transmission of data packets as random-variant-keys are used that are distinct and separate for each packet and may also be distinct and separate for each incoming and outgoing packet. The random-variant keys are only created at the time of the actual use for encrypting or decrypting a data packet and not before and then discarded after one time use. The random-variant keys may be used in wireless network using wireless access points, cellular phone and data networks and ad hoc mobile wireless networks.
    Type: Grant
    Filed: July 12, 2006
    Date of Patent: March 30, 2010
    Inventor: Tara Chand Singhal
  • Patent number: 7685632
    Abstract: A facility for performing an access control check is provided. The facility receives a request to perform an access control check to determine whether authorization exists to access a resource. The access control check is performed against the identity of a principal, a policy that applies to the principal, and the identity of the resource the principal wants to access. The principal may either be an application program or a combination of an application program and an identity of a user in whose context the application program is executing.
    Type: Grant
    Filed: October 1, 2004
    Date of Patent: March 23, 2010
    Assignee: Microsoft Corporation
    Inventor: Mark Vayman
  • Patent number: 7680278
    Abstract: A system and method for secure wireless cryptographic communication among participants in a wireless computing network is presented. This secure communication method is based on a random modulation technique and a domino match. Once the initial modulation scheme is selected, each data transmission includes an indication of what modulation scheme should be used for the next data transmission. If a given number of bits are to be used, the modulation scheme for the final transmission may be limited to complete the bit transfer. The bit value assignments within particular modulation schemes may also be varied for each subsequent transmission.
    Type: Grant
    Filed: February 4, 2004
    Date of Patent: March 16, 2010
    Assignee: Microsoft Corporation
    Inventors: Amer Hassan, Christopher J. Corbett
  • Patent number: 7676037
    Abstract: An elliptic curve cryptography method which generates a public key for use in a communication encryption using an elliptic curve, including: changing a number of a secret key (d) of (k) bits to an odd number; encoding the secret key to yield an encoded secret key (d) in which a most significant bit (MSB) is (1) and a rest positional number is (1) or (−1); and computing the public key (Q=dP) by multiplying the encoded secret key (d) by a predetermined point (P) on the elliptic curve by a scalar multiplication.
    Type: Grant
    Filed: December 20, 2004
    Date of Patent: March 9, 2010
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Bae-eun Jung, Kyung-hee Lee, Chae-hoon Lim
  • Patent number: 7673329
    Abstract: Encrypted communications to a secure server. A user at a terminal, communicatively coupled to the secure server by a secure link, can obtain web pages from web sites in a network, in encrypted form, via the secure link. Addresses associated with the web pages are altered to make it appear as if the web pages come from the secure server rather than from the web sites. Spoofing units may be used as alternative access points to the secure server, with the secure server sending the requested web pages directly to the terminal.
    Type: Grant
    Filed: February 22, 2001
    Date of Patent: March 2, 2010
    Assignee: Symantec Corporation
    Inventors: Stephen Dao Hui Hsu, James Noshir Hormuzdiar
  • Patent number: 7673140
    Abstract: A data processing system, circuit arrangement, and method to communicate data over a multi-channel serial communications interface (14) using a dedicated encrypted virtual channel from among multiple virtual channels supported by the communications interface (14). Encryption for the dedicated encrypted virtual channel is provided by a hardware encryption circuit (34) that is coupled to the interface, such that encryption may be performed at a relatively low level, and with substantial protection from compromise, particularly along chip boundaries. In one particular application, access control may be provided for a digital data stream using a multi-chip access control scheme that relies on one chip (148) to provide access control over a received digital data stream, with another chip (150) utilized to process the digital data stream once authorized to do so.
    Type: Grant
    Filed: December 17, 2003
    Date of Patent: March 2, 2010
    Assignee: NXP B.V.
    Inventor: David R. Evoy
  • Patent number: 7673331
    Abstract: A server certificate issuing system confirms existence of a Web server for which a certificate is to be issued. The Web server includes means for generating an entry screen to input application matters for an issuance of a server certificate, means for generating a key pair of a public key and a private key, means for generating a certificate signing request file (CSR) containing the generated public key, and means for generating a verification page indicating intention of requesting the issuance of the certificate. A registration server retrieves the CSR from a received server certificate request and accesses the Web server to read the verification information, and compares the read verification information with the CSR. If the verification information read from the Web server is identical to the CSR, it is determined that the Web server for which the server certificate is to be issued exists.
    Type: Grant
    Filed: August 7, 2008
    Date of Patent: March 2, 2010
    Assignee: Globalsign K.K.
    Inventors: Keisuke Kido, Ichiro Chujo
  • Patent number: 7673330
    Abstract: Provided is ad-hoc creation of groups based on contextual information comprising. Two mechanisms are used to restrict valid members of a group. First, to make sure that devices are somehow related, devices provide contextual information that is compared to the contextual information provided by other devices willing to join the group. Only devices providing “similar” contextual information are accepted as possible candidates in the group. Second, to scope the group, a time window is used to limit the duration of the group creation. In other words, access to the group is reserved to the devices that can provide similar context information to existing member of the group in a defined time window. Security properties are ensured by enabling a visual check of the list of group participants. For instance, a member can verify that the displayed pictures indeed represent the attendees of an ongoing meeting.
    Type: Grant
    Filed: January 5, 2006
    Date of Patent: March 2, 2010
    Assignee: Microsoft Corporation
    Inventors: Laurent Bussard, Alain Gefflaut
  • Patent number: 7669236
    Abstract: The security of an entity is protected by using passcodes. A passcode device generates a passcode. In an embodiment, the passcode is generated in response to receipt of user information. The passcode is received by another system, which authenticates the passcode by at least generating a passcode from a passcode generator, and comparing the generated passcode with the received passcode. The passcode is temporary. At a later use a different passcode is generated from a different passcode generator.
    Type: Grant
    Filed: April 6, 2005
    Date of Patent: February 23, 2010
    Assignee: Biogy, Inc.
    Inventor: Michael Stephen Fiske
  • Patent number: 7665132
    Abstract: A mediating apparatus is provided on an IP network, and stores an access control list (ACL) retained in a VPN gateway unit. The mediating apparatus: receives a retrieval request from a VPN client unit; acquires a private IP address of a communication unit by reference to ACL; searches DNS to acquire therefrom an IP address of the VPN gateway unit; generates a common key that is used for authentication between the VPN client unit and the VPN gateway unit and for encrypted communication therebetween; sends the IP address of the VPN gateway unit, the private IP address of the communication unit, and the common key to the VPN client unit; and sends the IP address of the VPN client unit and the common key to the VPN gateway unit.
    Type: Grant
    Filed: July 2, 2004
    Date of Patent: February 16, 2010
    Assignee: Nippon Telegraph and Telephone Corporation
    Inventors: Yusuke Hisada, Yukio Tsuruoka, Satoshi Ono
  • Patent number: 7664265
    Abstract: The present invention relates to relocation of the control of communication between a first station and a second station from a first communication system controller to a second communication system controller. The communication is ciphered by means of a first ciphering key. In the method, after the initiation of the relocation of control of the communication from the first controller to the second controller a request for relocation is transmitted to the second controller. The request contains the first ciphering key and at least one other ciphering key.
    Type: Grant
    Filed: July 31, 2001
    Date of Patent: February 16, 2010
    Assignee: Nokia Siemens Networks Oy
    Inventors: Jari Isokangas, Sinikka Sarkkinen
  • Patent number: 7660981
    Abstract: Methods and apparatus, including computer systems and program products, related to techniques for creating a chain of transfer for a digital document in which every transferor and transferee participates in the transfer. A first entity, e.g., an offeror with current control of the document, generates an offeror certificate associated with the digital document, and encrypts the offeror certificate with the offeror's private key. The offeror transmits the encrypted offeror certificate to a second entity, e.g., an offeree that will be the subsequent controller of the document. The offeree generates an offeree certificate from the offeror certificate, encrypts the offeree certificate with the offeree's private key, and transmits the encrypted offeree certificate to the offeror. When the offeror receives the offeree certificate, the offeror adds the offeree to a chain of transfer for the document and generates a transfer certificate for the offeree.
    Type: Grant
    Filed: November 30, 2004
    Date of Patent: February 9, 2010
    Assignee: Adobe Systems Incorporated
    Inventor: Bruce Hunt
  • Patent number: 7660988
    Abstract: A process is disclosed for notarizing a document, by a client in the presence of a notary, comprising the steps of registering the notary, the client and the document, from a local workstation coupled to a central office, to provide for assigning at least one respective encryption key for identifying each of the notary, the client and the document to be notarized; associating in the central office, the respective encryption keys of the client with the notary and with the; generating a transaction code, based on the step of associating the respective encryption keys, for authorizing execution of the to provide the notarizing; executing the; and embedding selected ones of the respective encryption keys together with a notary seal in the document.
    Type: Grant
    Filed: March 18, 2002
    Date of Patent: February 9, 2010
    Assignee: Cognomina, Inc.
    Inventors: Pat Carmichael, J. Charles Davis, Scottie Ashley, Craig Laird
  • Patent number: 7649998
    Abstract: There is disclosed a method, apparatus, computer program and computer program product for facilitating secure data communications. The secure data communications is carried out using a secret key for encrypting data flowing between first and second entities over a communications link. First it is determined that the communications link has been idle. Once it is determined that there is now data to flow over the previously idle communications link, the generation of a new secret key is initiated. This new secret key is then used for encrypting data sent between the first and the second entities over the communications link.
    Type: Grant
    Filed: March 1, 2005
    Date of Patent: January 19, 2010
    Assignee: International Business Machines Corporation
    Inventors: Richard Michael Wyn Harran, Michael Horan, Jonathan Rumsey
  • Patent number: 7644432
    Abstract: A computer-implemented system and method for policy inheritance, comprising, defining a first group wherein the first group refers to at least one of: a user and a group different from the first group, defining a second group wherein the second group is nested within the first group, defining a first policy wherein the first policy includes a resource, a subject and one of, an action and a role, and wherein the subject includes the first group, inheriting the first policy by the second group, wherein the resource is part of a resource hierarchy, and wherein the first policy can be used to control access to the resource.
    Type: Grant
    Filed: October 8, 2004
    Date of Patent: January 5, 2010
    Assignee: BEA Systems, Inc.
    Inventors: Paul Patrick, David Byrne, Kenneth D. Yagen, Mingde Xu, Jason Howes, Mark A. Falco, Richard J. Riendeau
  • Patent number: 7644273
    Abstract: The present invention relates to a technique for authenticating data stored on media in order to prevent piracy. According to the present invention, a lookup table contains broken or modified modulation rules comprising one or more authentication keys or components thereof, that are derived by the table's intentional breaking of standard 8-14 and 8-16 modulation rules. The authentication keys are formed and remain hidden without being transferred in the audio/video. Additionally, the lookup table is employed using conventional hardware and/or software in CD or DVD players. Each output value according to the present invention is a function of the physical characteristics of a disc that does not travel with the audio or video or graphics data. Authentication systems of the present invention optionally encompass singular, multiple or multi-level authentication systems, each of which successively must be deciphered before the audio/video is finally available.
    Type: Grant
    Filed: May 20, 1999
    Date of Patent: January 5, 2010
    Assignee: Recording Industry Association of America
    Inventor: David W. Stebbings