Patents by Inventor Carl Ellison

Carl Ellison has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 7836309
    Abstract: A cryptographic device protocol provides a generic interface allowing pre-OS applications to employ any of a variety of cryptographic devices within the pre-OS environment. The generic interface can be used independent of the specific cryptographic devices and is independent of the cryptographic or hashing algorithms used by each device. Cryptographic functions may be performed in the pre-OS environment by pre-OS applications communicating with cryptographic device drivers using the cryptographic device protocol that is independent of the cryptographic devices. Each cryptographic device may be identified by a unique device identifier and may have a number of keys available to it, with each key being identified by a unique key identifier.
    Type: Grant
    Filed: July 20, 2007
    Date of Patent: November 16, 2010
    Assignee: Microsoft Corporation
    Inventors: Erik Holt, Stefan Thom, Shivaram H. Mysore, Valerie Kathleen Bays, Carl Ellison
  • Patent number: 7779465
    Abstract: A system and method for distributed peer attack alerting is disclosed. The method includes accessing a peer community wherein the peer community comprises a plurality of nodes comprising a network and wherein at least one of the plurality of nodes comprises an attack identifier. The method further includes identifying an attack at one of the plurality of nodes. In addition, the method includes transmitting an alert to the plurality of nodes, the alert comprising information associated with the attack and automatically configuring at least one attack identifier associated with one of the plurality of nodes in response to the alert.
    Type: Grant
    Filed: May 26, 2006
    Date of Patent: August 17, 2010
    Assignee: Microsoft Corporation
    Inventors: Arthur H. Baker, Gregory D. Hartrell, Carl Ellison
  • Publication number: 20090025067
    Abstract: A cryptographic device protocol provides a generic interface allowing pre-OS applications to employ any of a variety of cryptographic devices within the pre-OS environment. The generic interface can be used independent of the specific cryptographic devices and is independent of the cryptographic or hashing algorithms used by each device. Cryptographic functions may be performed in the pre-OS environment by pre-OS applications communicating with cryptographic device drivers using the cryptographic device protocol that is independent of the cryptographic devices. Each cryptographic device may be identified by a unique device identifier and may have a number of keys available to it, with each key being identified by a unique key identifier.
    Type: Application
    Filed: July 20, 2007
    Publication date: January 22, 2009
    Applicant: MICROSOFT CORPORATION
    Inventors: ERIK HOLT, STEFAN THOM, SHIVARAM H. MYSORE, VALERIE KATHLEEN BAYS, CARL ELLISON
  • Publication number: 20080075284
    Abstract: Protected content distribution is accomplished by a first entity generating a set of asymmetric key pairs, creating a plurality of sets of private keys by selecting a combination of private keys from the set of asymmetric key pairs for each created set, and distributing the sets of private keys to playback devices. A second entity produces protected content including encrypted content and a public key media key block, encrypts a symmetric content key with each public key in the set of asymmetric key pairs to form the public key media key block and encrypts a content title with the symmetric content key to form the encrypted content. A playback device stores one set of private keys, receives the protected content, and decrypts and plays the content title stored in the protected content when a selected one of the set of private keys stored by the playback device successfully decrypts the encrypted symmetric content key stored in the public key media key block of the received protected content.
    Type: Application
    Filed: October 24, 2007
    Publication date: March 27, 2008
    Inventors: Carl Ellison, C. Brendan Traw, Michael Ripley, Gary Graunke
  • Publication number: 20070277242
    Abstract: A system and method for distributed peer attack alerting is disclosed. The method includes accessing a peer community wherein the peer community comprises a plurality of nodes comprising a network and wherein at least one of the plurality of nodes comprises an attack identifier. The method further includes identifying an attack at one of the plurality of nodes. In addition, the method includes transmitting an alert to the plurality of nodes, the alert comprising information associated with the attack and automatically configuring at least one attack identifier associated with one of the plurality of nodes in response to the alert.
    Type: Application
    Filed: May 26, 2006
    Publication date: November 29, 2007
    Applicant: Microsoft Corporation
    Inventors: Arthur H. Baker, Gregory D. Hartrell, Carl Ellison
  • Publication number: 20070220134
    Abstract: A computer system is configured to verify a connection to a web site. The computer system includes a user interface programmed to receive a uniform resource locator and a call sign associated with the web site. The computer system also includes a validator module programmed to calculate a hash value based on the uniform resource locator, a public key associated with the web site, and a salt, and the validator being programmed to compare the hash value to the call sign to verify the connection to the web site.
    Type: Application
    Filed: March 15, 2006
    Publication date: September 20, 2007
    Applicant: Microsoft Corporation
    Inventors: Kim Cameron, Arun Nanda, Christian Huitema, Carl Ellison
  • Publication number: 20070179903
    Abstract: Public-key authentication, based on public key cryptographic techniques, is utilized to authenticate a person opening an account. The person provides a declaration to use only public-key authentication and a copy of his/her public key to an authorized agent, such as a credit bureau. The person provides a signed request to open an account with a merchant based on public-key authentication. This merchant requests a credit report from the credit bureau, providing the credit bureau the applicant's public key. The credit bureau uses the public key to locate a credit report. Barring theft of the user's private key, the credit report will be that of the requesting user with a high probability. The credit bureau can then provide the requested information to the merchant, and the merchant can provide notification to the person that the account is authorized or not, based on what the merchant reads in the credit report.
    Type: Application
    Filed: January 30, 2006
    Publication date: August 2, 2007
    Applicant: Microsoft Corporation
    Inventors: Marc Seinfeld, Carl Ellison
  • Publication number: 20070101010
    Abstract: A method and system for authenticating that a user responding to a HIP challenge is the user that was issued the challenge is provided. Upon receiving information from a sender purporting to be a particular user, the authentication system generates a HIP challenge requesting information based on the user's identity. Upon receiving a response to the challenge, the authentication system compares the response with the correct response previously stored for that user. If the two responses match, the authentication system identifies the user as the true source of the information.
    Type: Application
    Filed: November 1, 2005
    Publication date: May 3, 2007
    Applicant: Microsoft Corporation
    Inventors: Carl Ellison, Elissa Murphy
  • Publication number: 20070086592
    Abstract: A method and system for determining the reputation of a sender for sending desirable communications is provided. The reputation system identifies senders of communications by keys sent along with the communications. The reputation system then may process a communication to determine whether it is a desirable communication. The reputation system then establishes a reputation for the sender of the communication based on the assessment of whether that communication and other communications sent by that sender are desirable. Once the reputation of a sender is established, the reputation system can discard communications from senders with undesired reputations, provide to the recipient communications from senders with desired reputations, and place in a suspect folder communications from senders with an unknown reputation.
    Type: Application
    Filed: October 19, 2005
    Publication date: April 19, 2007
    Applicant: Microsoft Corporation
    Inventors: Carl Ellison, Elissa Murphy, Manav Mishra
  • Publication number: 20060282876
    Abstract: A conditional activation system distributes a security policy to the computer systems of an enterprise. Upon receiving a security policy at a computer system, the computer system may install the received security policy without activation. When a security policy is installed without activation, it is loaded onto a computer system but is not used to process security enforcement events. The computer system may then determine whether a security policy activation criterion has been satisfied and, if so, activate the security policy.
    Type: Application
    Filed: June 9, 2005
    Publication date: December 14, 2006
    Applicant: Microsoft Corporation
    Inventors: Art Shelest, Carl Ellison
  • Publication number: 20060259253
    Abstract: A flow cytometry apparatus and methods to process information incident to particles or cells entrained in a sheath fluid stream allowing assessment, differentiation, assignment, and separation of such particles or cells even at high rates of speed. A first signal processor individually or in combination with at least one additional signal processor for applying compensation transformation on data from a signal. Compensation transformation can involve complex operations on data from at least one signal to compensate for one or numerous operating parameters. Compensated parameters can be returned to the first signal processor to provide information upon which to define and differentiate particles from one another.
    Type: Application
    Filed: March 31, 2006
    Publication date: November 16, 2006
    Applicant: Dako Colorado, Inc.
    Inventors: Carl Ellison, Paul Purcell, George Malachowski, Matthias Ottenberg
  • Publication number: 20060259498
    Abstract: Signatures are sought in a source text. These signatures may be defined by regular expressions, and thus may include substrings. These substrings are located by a substring locator, which may be implemented using a finite state machine or a trie with walkers. When a substring is located, the existence and location of the substring is reported to a signature locator. The signature locator tracks reported substrings and determines whether a signature has been found. Complex signatures are supported which may include, for example, two substrings separated by a specific number of wildcards, or by at least and/or at most a certain number of wildcards. High performance which allows real-time searching of network traffic for signatures is enabled.
    Type: Application
    Filed: May 11, 2005
    Publication date: November 16, 2006
    Applicant: Microsoft Corporation
    Inventors: Carl Ellison, Eran Yariv
  • Publication number: 20060206943
    Abstract: A processing system has a processor that can operate in a normal ring 0 operating mode and one or more higher ring operating modes above the normal ring 0 operating mode. In addition, the processor can operate in an isolated execution mode. A memory in the processing system may include an ordinary memory area that can be accessed from the normal ring 0 operating mode, as well as an isolated memory area that can be accessed from the isolated execution mode but not from the normal ring 0 operating mode. The processing system may also include an operating system (OS) nub, as well as a key generator. The key generator may generate an OS nub key (OSNK) based at least in part on an identification of the OS nub and a master binding key (BK0) of the platform. Other embodiments are described and claimed.
    Type: Application
    Filed: March 21, 2006
    Publication date: September 14, 2006
    Inventors: Carl Ellison, Roger Golliver, Howard Herbert, Derrick Lin, Francis McKeen, Gilbert Neiger, Ken Reneris, James Sutton, Shreekant Thakkar, Millind Mittal
  • Publication number: 20060200680
    Abstract: In an embodiment of the present invention, a technique is provided for remote attestation. An interface maps a device via a bus to an address space of a chipset in a secure environment for an isolated execution mode. The secure environment is associated with an isolated memory area accessible by at least one processor. The at least one processor operates in one of a normal execution mode and the isolated execution mode. A communication storage corresponding to the address space allows the device to exchange security information with the at least one processor in the isolated execution mode in a remote attestation.
    Type: Application
    Filed: February 26, 2001
    Publication date: September 7, 2006
    Inventors: Carl Ellison, Roger Golliver, Howard Herbert, Derrick Lin, Francis McKeen, Gilbert Neiger, Ken Reneris, James Sutton, Shreekant Thakkar, Millind Mittal
  • Publication number: 20060080528
    Abstract: In one embodiment, a method for utilizing a pseudonym to protect the identity of a platform and its user is described. The method comprises producing a pseudonym that includes a public pseudonym key. The public pseudonym key is placed in a certificate template. Hash operations are performed on the certificate template to produce a certificate hash value, which is transformed from the platform. Thereafter, a signed result is returned to the platform. The signed result is a digital signature for the transformed certificate hash value. Upon performing an inverse transformation of the signed result, a digital signature of the certificate hash value is recovered. This digital signature may be used for data integrity checks for subsequent communications using the pseudonym.
    Type: Application
    Filed: November 29, 2005
    Publication date: April 13, 2006
    Inventors: Carl Ellison, James Sutton
  • Publication number: 20060015719
    Abstract: In one embodiment, a method of remote attestation for a special mode of operation. The method comprises storing an audit log within protected memory of a platform. The audit log is a listing of data representing each of a plurality of IsoX software modules loaded into the platform. The audit log is retrieved from the protected memory in response to receiving a remote attestation request from a remotely located platform. Then, the retrieved audit log is digitally signed to produce a digital signature for transfer to the remotely located platform.
    Type: Application
    Filed: August 12, 2005
    Publication date: January 19, 2006
    Inventors: Howard Herbert, David Grawrock, Carl Ellison, Roger Golliver, Derrick Lin, Francis McKeen, Gilbert Neiger, Ken Reneris, James Sutton, Shreekant Thakkar, Millind Mittal
  • Publication number: 20050188198
    Abstract: An example processing system comprises a processor to execute in an isolated execution mode in a ring 0 operating mode. The processor also supports one or more higher ring operating modes, as well as a normal execution mode. The processing system also comprises memory, as well as a machine-accessible medium having instructions. When the processing system executes the instructions, the processing system configures the processor to run in the isolated execution mode, configures the processing system to establish an isolated memory area in the memory, and loads initialization software into the isolated memory area. The processing system may provide a manifest that represents the initialization software. The initialization software may be verified, based at least in part on the manifest.
    Type: Application
    Filed: April 26, 2005
    Publication date: August 25, 2005
    Inventors: Carl Ellison, Roger Golliver, Howard Herbert, Derrick Lin, Francis McKeen, Gilbert Neiger, Ken Reneris, James Sutton, Shreekant Thakkar, Millind Mittal
  • Publication number: 20050076217
    Abstract: A method of integrating a device into a secure network. The method includes establishing a tunnel between an authenticator, which has a first public key and a first secret, and a device, which has a second secret and a second public key. The method also includes hashing the first secret at the authenticator using the first public key, the second public key and a random number generated from the tunnel protocol to produce a hash of the first secret. The method further includes establishing an authenticated session between the device and the authenticator when the hash of the first secret matches a hash of the second secret.
    Type: Application
    Filed: October 3, 2003
    Publication date: April 7, 2005
    Inventors: Christopher Lord, Carl Ellison, David Bowler
  • Publication number: 20050021737
    Abstract: A network includes a connected device and a connected client. The device includes a receiver to receive ping messages, a counter to count the ping messages received, and a transmitter to transmit a reply message that includes a ping load value that is responsive to the count value. The client includes a timer to measure a delay time, a transmitter to transmit a ping message to the device after the delay time has elapsed since transmitting a previous ping message to the device, a receiver to receive the reply message, and a controller to adjust the delay time responsive to the device ping load.
    Type: Application
    Filed: October 21, 2003
    Publication date: January 27, 2005
    Inventors: Carl Ellison, Maarten Bodlaender, Jarno Guidi
  • Publication number: 20040127242
    Abstract: An apparatus and associated methods for the synchronization of shared content are generally described.
    Type: Application
    Filed: December 31, 2002
    Publication date: July 1, 2004
    Inventors: Jane Y. Dashevsky, Steve Dohrman, Carl Ellison