Abstract: Multiple peer domain name system (DNS) servers are included in a multi-master DNS environment. One of the multiple peer DNS servers is a key master peer DNS server that generates one or more keys for a DNS zone serviced by the multiple peer DNS servers. The key master peer DNS server can also generate a signing key descriptor that identifies the set of one or more keys for the DNS zone, and communicate the signing key descriptor to the other ones of the multiple peer DNS servers.

Abstract: Accountability among Autonomous Systems (ASs) in a network ensures reliable identification of various customers within the ASs and provides defensibility against malicious customers within the ASs. In one implementation, reliable identification is achieved by implementing ingress filtering on data packets originating within individual ASs and defensibility is provided by filtering data packets on request. To facilitate on-request filtering, individual ASs are equipped with a Filter Request Server (FRS) to filter data packets from certain customers identified in a filter request. Thus, when a requesting customer makes a filter request against an offending customer, the FRS within the AS to which the offending customer belongs conducts on-request filtering and installs an on-request filter on a first-hop network infrastructure device for the offending customer. Consequently, the first-hop network infrastructure device filters any data packet sent from the offending customer to the requesting customer.

Abstract: A computer in a network runs a verification procedure in which it sends data packets to another computer in the network. Some or all of the data packets contain, either individually or collectively, a secret piece of information, such as a secret code. The computer then makes a determination regarding the network links between it and the other computer. If, for example, the other computer is able to respond by providing the secret piece of information back, then the computer sending the data packets concludes that the devices along the network links en route to the other computer are properly forwarding data packets.

Abstract: Enhanced network data transmission security and individualized data transmission processing can be implemented by intermediaries in a communication path between two endpoint peers individually having the capability to identify and authenticate one or both of the endpoint peers. Communication session establishment, endpoint peer identity processing and authentication and data traffic encryption protocols are modified to allow intermediaries to track the communications between endpoint peers for a particular communication session and obtain information to authenticate the endpoint peers and identify data traffic transmitted between them. Intermediaries can use the identities of one or both of the endpoint peers to enforce identity based rules for processing data traffic between the endpoint peers for a communication session.

Abstract: An authentication protocol can be used to establish a secure method of communication between two devices on a network. Once established, the secure communication can be used to authenticate a client through various authentication methods, providing security in environments where intermediate devices cannot be trusted, such as wireless networks, or foreign network access points. Additionally, the caching of session keys and other relevant information can enable the two securely communicating endpoints to quickly resume their communication despite interruptions, such as when one endpoint changes the access point through which it is connected to the network. Also, the secure communication between the two devices can enable users to roam off of their home network, providing a mechanism by which access through foreign networks can be granted, while allowing the foreign network to monitor and control the use of its bandwidth.

Abstract: A system for providing a client's credentials to a computer program comprises a database remote from the client and a single signon server module. The single signon server module can receive a request for the client's credentials from the computer program, determine whether the client's credentials are stored in the database, and send the client's credentials from the database to the computer program in response to a determination that the client's credentials are stored in the database. The single signon server module can store the client's credentials in the database in response to a determination that the client's credentials are not stored in the database. The single signon server module can encrypt the client's credentials prior to storing the client's credentials in the database and can decrypt the client's credentials prior to sending the client's credentials to the computer program.

Abstract: A process for establishing secure mutual trust includes generating a one-time-password. The one-time-password is transferred between the devices in a communication occurring off of the network. Each device generates a set of authenticators by hashing a plurality of sub-strings of the password and the device's authentication certificate with a respective set of nonces. The devices exchange the respective sets of authenticators. Each device then alternates revealing its respective set of nonces and its authentication certificate in a multi-stage process. The devices re-calculate the authenticators based upon the respective set of nonces and authentication certificate revealed by the other device along with the one-time-password sub-strings that it posses. If each device determines that the authenticators re-calculated by the given device matches the authenticators previously received from the other device, secure mutual trust is established.

Abstract: Described are embodiments directed to negotiating an encapsulation mode between an initiator and a responder. As part of the negotiation of the security association, an encapsulation mode is negotiated that allows packets to be sent between the initiator and responder without encapsulation. The ability to send packets without encapsulation allows intermediaries, such as a firewall, at the responder to easily inspect the packets and implement additional features such as security filtering.

Abstract: A hierarchical key generation and distribution mechanism for a computer system in which devices are organized into secure enclaves. The mechanism enables network access to be tailored to approximate minimum needed privileges for each device. At the lowest level of the hierarchy, keys are used to form security associations between devices. Keys at each level of the hierarchy are generated from keys at a higher level of the hierarchy and key derivation information. Key derivation information is readily ascertainable, either from identifiers for devices or from within messages, supporting hardware offload of cryptographic functions. Because keys may be generated based on the enclaves in which the hosts participating in a security association are located, the system includes a mechanism by which devices can discover the enclave in which they are located.

Abstract: A hierarchical key generation and distribution mechanism for a computer system in which devices are organized into secure enclaves. The mechanism enables network access to be tailored to approximate minimum needed privileges for each device. At the lowest level of the hierarchy, keys are used to form security associations between devices. Keys at each level of the hierarchy are generated from keys at a higher level of the hierarchy and key derivation information. Key derivation information is readily ascertainable, either from identifiers for devices or from within messages, supporting hardware offload of cryptographic functions. Because keys may be generated based on the enclaves in which the hosts participating in a security association are located, the system includes a mechanism by which devices can discover the enclave in which they are located.

Abstract: A process for establishing secure mutual trust includes generating a one-time-password. The one-time-password is transferred between the devices in a communication occurring off of the network. Each device generates a set of authenticators by hashing a plurality of sub-strings of the password and the device's authentication certificate with a respective set of nonces. The devices exchange the respective sets of authenticators. Each device then alternates revealing its respective set of nonces and its authentication certificate in a multi-stage process. The devices re-calculate the authenticators based upon the respective set of nonces and authentication certificate revealed by the other device along with the one-time-password sub-strings that it posses. If each device determines that the authenticators re-calculated by the given device matches the authenticators previously received from the other device, secure mutual trust is established.

Abstract: Exemplary embodiments disclosed herein may include a method and system for creating pair-wise security keys, comprising receiving an identity key from a website, generating a master key, creating a pair-wise symmetric key or asymmetric key pair by utilizing an encryption function of the identity key and the master key, and storing the pair-wise public or symmetric key at the client and the website.

Abstract: Some embodiments are directed to processing packet data sent according to a security protocol between a first computer and a second computer via a forwarding device. The forwarding device performs a portion of the processing, and forwards the packet data to a third computer, connected to the forwarding device, for other processing. The third computer may support non-standard extensions to the security protocol, such as extensions used in authorizing and establishing a connection over the secure protocol. The packet data may be subject to policies, such as firewall policies or security policies, that may be detected by the third computer. The third computer sends the results of its processing, such as a cryptographic key, or a detected access control policy, to the forwarding device.

Abstract: The present invention extends to validating measurable aspects of computing system. A provider causes a challenge to be issued to the requester, the challenge requesting proof that the requester is appropriately configured to access the resource. The requester accesses information that indicates how the requester is to prove an appropriate configuration for accessing the resource. The requester formulates and sends proof that one or more measurable aspects of the requester's configuration are appropriate. The provider receives proof that one or more measurable aspects of the requester's configuration are appropriate and authorizes the requester to access the resource. Proof of one more measurable aspects of a requester can be used along with other types of authentication to authorize a requester to access a resource of a provider. Solutions to challenges can be pre-computed and stored in a location accessible to a provider.

Abstract: This disclosure pertains generally to client authentication. One aspect of the disclosure relates to a first server for presenting evidence to a Domain Controller (DC) of a first authentication context being submitted from a client to the first server to obtain a delegable credential, wherein the credential can be used to request a second authentication context from that client to a second server. Another aspect relates to the first server providing a pass-thru with evidence to a DC. The evidence relates to a first authentication context being submitted from a client to the first server that it obtained a delegable credential. The pass-thru is used in combination with the credential to request a second authentication context from the client to a second server.

Abstract: A method and system for protecting an application that implements a communication protocol against exploitation of a communication-based vulnerability is provided. A protection system provides a protection policy that specifies how to recognize messages that expose a specific vulnerability and specifies actions to take when the vulnerability is exposed. A protection policy specifies the sequence of messages and their payload characteristics that expose a vulnerability. The protection system may specify the sequences of messages using a message protocol state machine. A message protocol state machine of an application represents the states that the application transitions through as it receives various messages. The message protocol state machine of the protection policy may be a portion of the message protocol state machine of the application relating to the vulnerability. The protection system uses the message protocol state machine to track the states that lead up to the exposing of the vulnerability.

Abstract: Machine instructions comprising a bootstrap code are buried within a critical component of an electronic game console where they cannot readily be accessed or modified. A preloader portion in a read only memory (ROM) is hashed by the bootstrap code and the result is compared to an expected hash value maintained in the bootstrap code. Further verification of the boot-up process is carried out by the preloader, which hashes the code in ROM to obtain a hash value for the code. The result is verified against a digital signature value that defines an expected value for this hash. Failure to obtain any expected result terminates the boot-up process. Since the bootstrap code confirms the preloader, and the preloader confirms the remainder of the code in ROM, this technique is useful for ensuring that the code used for booting up the device has not been modified or replaced.

Abstract: A system and method is provided for handling network communications between a client and a target server on the Internet to protect the privacy and anonymity of the client. For a session between the client and the target server, a routing control server sets up a routing chain using a plurality of Web servers randomly selected from a pool of participating Web servers as routers for routing messages between the client and the target server. To prevent traffic analysis, an “onion encryption” scheme is applied to the messages as they are forwarded along the routing chain. A payment service cooperating with the routing control server allows a user to pay for the privacy protection service without revealing her real identity.

Abstract: In an exemplary method implementation, a method includes: designating a neighborhood administrator; receiving notification of a delinquent router from the designated neighborhood administrator; and excluding the delinquent router responsive to the notification. In an exemplary mesh router implementation, a mesh router is capable of establishing a wireless mesh network with other mesh routers, the mesh router is further capable of designating a neighborhood administrator mesh router; and the mesh router is adapted to exclude another mesh router that is associated with a particular certificate when the particular certificate has been identified as delinquent by the designated neighborhood administrator. mesh router.

Abstract: Systems and methodologies for implementing automation-resistant interactive computing services are provided herein. Function invocation mechanisms can be utilized as described herein to facilitate invocation and/or activation of one or more functions of an interactive service upon performance of an interaction falling within a predefined class of interaction with selected multimedia content. The described functionality invocation mechanisms can operate similarly to a traditional captcha image by requiring interaction that is easily understandable and performable by a human user but is prohibitively difficult for an automated program to carry out. Techniques such as masking relationships between user interaction and function invocation and varying elements of the selected multimedia content for respective accesses can be utilized to provide additional resistance to automation. Described invocation mechanisms can additionally be merged with advertising, which can optionally be targeted to a particular user(s).