Abstract: A command processor providing user authentication and message tamper detection, comprising: an interface to read email; and a processor for (i) analyzing command processor messages to determine an authentication of a sender; (ii) analyzing command processor messages to determine if the command message has been altered from an authentic message content; and if the command processor message is from an authenticated sender and unaltered, passing the message to a command processor.

Abstract: Embodiments are directed to the providing a cloud keying and signing service and to securing software package distribution on the cloud. In an embodiment, a computer system instantiates a signing service configured to sign software packages. The computer system receives a signing request from a computer user requesting that a selected software package be signed. The signing request includes a computed hash of the selected software package. The computer system generates a private and public key pair on behalf of the computer user and stores the private key of the generated key pair in a secure data store.

Abstract: An apparatus and method for encoding and decoding additional information into a stream of digitized samples in an integral manner. The information is encoded using special keys. The information is contained in the samples, not prepended or appended to the sample stream. The method makes it extremely difficult to find the information in the samples if the proper keys are not possessed by the decoder. The method does not cause a significant degradation to the sample stream. The method is used to establish ownership of copyrighted digital multimedia content and provide a disincentive to piracy of such material.

Abstract: An encrypted-stream processing circuit includes: a decryption mechanism decrypting an encrypted stream; a stream-data processing mechanism separating a plurality of packets included in a stream decrypted by the decryption mechanism in accordance with a packet identifier identifying the packet, and creating a partial stream by extracting a part from the stream under the control of a CPU (Central Processing Unit); and an encryption mechanism encrypting the partial stream, wherein the decryption mechanism, the stream-data processing mechanism, and the encryption mechanism are included in a packaged integrated circuit, and are connected to the CPU through a bus.

Abstract: A packet based high bandwidth copy protection method is described that includes the following operations. Forming a number of data packets at a source device, encrypting selected ones of the data packets based upon a set of encryption values, transmitting the encrypted data packets from the source device to a sink device coupled thereto, decrypting the encrypted data packets based in part upon the encryption values, and accessing the decrypted data packets by the sink device.

Abstract: A method for long impulse response digital filtering of an input data stream, by use of a digital filtering system. Where the input data stream is divided into zero-input signals and zero-state signals. One of the zero-input signals and a corresponding impulse response of the digital filtering system is converted to the frequency domain to determine a respective zero-input response of the digital filtering system. One of the zero-state signals is convolved with a corresponding impulse response of the digital filtering system to determine a respective zero-state response of the digital filtering system, wherein at least part of the zero-input signal precedes the zero-state signal. The zero-state response of the digital filtering system is added to the zero-input response of the digital filtering system to determine the response of the digital filtering system. Apparatus for effecting this method is also disclosed.

Abstract: An apparatus and method for preventing information leakage attacks through a polarized cryptographic bus architecture. The polarized cryptographic bus architecture randomly changes the polarity of the target bit such that the leaked information cannot be consistently averaged to yield statistical key material. Further, to increase the prevention of information leakage attacks, a set of dual rails is used to write data to a given register bit.

Abstract: One embodiment of the present invention provides a system that uses digital certificates to facilitate enforcing licensing terms for applications that manipulate documents. During operation, the system obtains a credential, wherein the credential includes a private key and a digital certificate containing a corresponding public key. This digital certificate also contains a profile specifying allowed operations which can be performed on documents signed with the credential. Next, the system digitally signs a document using the credential, so that the resulting signed document is signed with the private key and includes a copy of the digital certificate with the profile specifying the allowed operations. The certificate issuer can subsequently revoke the digital certificate (which effectively revokes the license) if teens of a license agreement associated with the digital certificate are violated.

Abstract: An externalized entitlement management system comprises a policy administration point that is configured to receive one or more definitions or updates of entitlement policies specifying subjects, actions, and resources, and to update a first entitlement repository coupled to the policy administration point with the definitions or updates in response to receiving the definitions or updates; one or more policy decision points that are coupled to the policy administration point over a network; one or more policy enforcement points that are integrated into one or more respective first application programs, wherein each of the policy enforcement points is coupled to one of the policy decision points; and one or more action handlers in the policy administration point, wherein each of the action handlers is configured to intercept a particular action represented in an update to an entitlement policy, to transform the action into an entitlement update in a form compatible with a native entitlement mechanism of a seco

Abstract: A system for managing and controlling data. The system includes provisions for easily and rapidly updating and managing a computer system, particularly a complex computer system in which several computers communicate with one another. The system also includes a central database which plays a key role in the management and control of the computer system. Most of the management functions are retained in the central database and remote offices, which generally do not retain data management information, communicate with the central office to retrieve data management information. The system also includes a novel approach to manipulating data.

Abstract: Data recorded in a recording medium is encrypted with an encryption/decryption key, and the encryption/decryption key is encrypted with an encryption-only key. The encrypted encryption/decryption key is embedded in encrypted data. A decryption-only key the encryption/decryption key is embedded in a program for reading. The data and the program for reading are recorded in the recording medium. The data cannot be read without the program for reading. The program for reading cannot be used for recording other data even if it is copied.

Abstract: A method of attempting a write to an entity to cause performance of an action is provided in which a first message is sent to the entity which causes performance of the action and adjustment of initial values in respective security fields of the entity to respective first adjusted values, and a second message is sent to the entity which causes adjustment of the initial values to respective second adjusted values. The security fields have write restrictions which prevent values in the security fields being adjusted, in accordance with the first message, if the initial values have been adjusted in accordance with the second message, and vice versa. The action is only performed when the initial values have been adjusted in accordance with the first message. The respective first adjusted values are different than the respective second adjusted values.

Abstract: A method and a system, wherein the system comprises a first server operatively coupled to a router, to receive a copy of network traffic processed by the router, a database operatively coupled to the first server, wherein the server records parsed network traffic information onto the database, and a device operatively coupled to the first server to receive alerts regarding possible denial-of-service attacks, the alerts based upon network traffic falling outside a standard deviation range. A method that comprises receiving a data packet from a network, parsing the data packet, storing data in the fields of the data packet into a database, comparing observed data set values with a historical data set values, sending an alert to a device based upon network traffic falling outside a standard deviation range, and updating the historical data set values by averaging the observed data set values with an old historical data set values.

Abstract: An apparatus and associated method is provided for facilitating policy decision in a communication system, wherein the apparatus receiving a message, the message comprising a first destination device identification of a first destination device, determining a second destination device identification of a second destination device by accessing a location information of a wireless terminal, and replacing the first destination device identification with second destination device identification.

Abstract: Circuits, methods, and apparatus that prevent detection and erasure of a configuration bitstream or other data for an FPGA or other device. An exemplary embodiment of the present invention masks a user key in order to prevent its detection. In a specific embodiment, the user key is masked by software that performs a function on it a first number of times. The result is used to encrypt a configuration bitstream. The user key is also provided to an FPGA or other device, where the function is performed a second number of times and the result stored. When the device is configured, the result is retrieved, the function is performed on it the first number of times less the second number of times and then it is used to decrypt the configuration bitstream. A further embodiment uses a one-time programmable fuse (OTP) array to prevent erasure or modification.

Abstract: In an input process, a circuit and an input bit to the circuit are inputted to a plurality of computers. Firstly, one computer performs calculation and transmits the calculation result to another computer of the computers. Next, the another computer which has received the calculation result performs the next calculation. Thus, calculation is performed by one computer after another. When all the computers have performed calculation once, the last computer which has performed calculation transmits the calculation result to the first computer which has performed calculation. After this, calculation is performed by one computer after another and the calculation result is transmitted to the next computer, thereby repeating the calculation of each cycle. Thus, it is possible to realize calculation of a value of a given function by using a device including a plurality of computers, with a simpler configuration.

Abstract: A method of security testing a web application is presented. The method identifies a web application to be tested, determines potential security vulnerabilities of the web application, generates one or more security tests for testing the potential vulnerabilities, and executes the security test on the web application. The results of the security testing are then used to make the web application less vulnerable to security attacks.

Abstract: Systems and methods are provided that enable authentication of transaction coordination messages sent via insecure connections. Also provided are systems and methods for controlling transaction coordination and recovery. In many embodiments, there is an exchange between a coordinator and a sub-coordinator, such that the coordinator provides the sub-coordinator with a coordinator token, and the sub-coordinator provides the coordinator with a sub-coordinator token. The coordinator and sub-coordinator tokens are used to authenticate transaction coordination messages sent over one or more insecure connections between the coordinator and the sub-coordinator.

Abstract: Communication applications may include lists of users with which a user of the application communicates. If two users of a communications application each include the other user on their user lists, an implicit trust may be established between the users. For example, if user A includes user B in her list and user B includes user A in his list, then it may be determined that each user knows and/or trusts the other user. As a result, a connection or communications pathway may be automatically created between the client devices of the users to facilitate communications between the users based on the implicit trust.

Abstract: A method of authenticating a message that is purportedly sent from an account holder having a device that digitally signs messages using a unique private key includes receiving the message, a unique identifier associated with an account of the account holder maintained by an account authority, and a digital signature of the message, the message including a verification status generated by the device based on a comparison of biometric verification data provided to the device with biometric verification data of the account holder prestored within the device, verifying that the message was digitally signed using the private key, and if the digital signature successfully decrypts, acting upon the message as a function of the verification status included in the message and wherein the biometric verification data is a digital representation of a finger print, a retina scan, a facial scan, DNA, or a voice print of the account holder.