Abstract: Machine instructions comprising a bootstrap code are buried within a critical component of an electronic game console where they cannot readily be accessed or modified. A preloader portion in a read only memory (ROM) is hashed by the bootstrap code and the result is compared to an expected hash value maintained in the bootstrap code. Further verification of the boot-up process is carried out by the preloader, which hashes the code in ROM to obtain a hash value for the code. The result is verified against a digital signature value that defines an expected value for this hash. Failure to obtain any expected result terminates the boot-up process. Since the bootstrap code confirms the preloader, and the preloader confirms the remainder of the code in ROM, this technique is useful for ensuring that the code used for booting up the device has not been modified or replaced.

Abstract: An authentication protocol can be used to establish a secure method of communication between two devices on a network. Once established, the secure communication can be used to authenticate a client through various authentication methods, providing security in environments where intermediate devices cannot be trusted, such as wireless networks, or foreign network access points. Additionally, the caching of session keys and other relevant information can enable the two securely communicating endpoints to quickly resume their communication despite interruptions, such as when one endpoint changes the access point through which it is connected to the network. Also, the secure communication between the two devices can enable users to roam off of their home network, providing a mechanism by which access through foreign networks can be granted, while allowing the foreign network to monitor and control the use of its bandwidth.

Abstract: Disclosed are methods for a client, having established one set of security keys, to establish a new set without having to communicate with an authentication server. When the client joins a group, master session security keys are derived and made known to the client and to the group's access server. From the master session security keys, the access server and client each derive transient session security keys, used for authentication and encryption. To change the transient session security keys, the access server creates “liveness” information and sends it to the client. New master session security keys are derived from the liveness information and the current set of transient session security keys. From these new master session security keys are derived new transient session security keys. This process limits the amount of data sent using one set of transient session security keys and thus limits the effectiveness of any statistical attacker.

Abstract: Disclosed are methods for an authentication client, having been authenticated by an authentication server, to leverage the effects of that authentication to implement a new communications password. The authentication client gets a new password from its user. From the new password and from information provided by the authentication server, the authentication client derives a “password verifier.” The password verifier is then shared with the authentication server. The new password itself is never sent to the authentication server, and it is essentially impossible to derive the new password from the password verifier. The authentication client and the authentication server, in parallel, derive a new set of authentication and encryption security keys from the new password and from the password verifier, respectively. This process may be repeated to limit the amount of data sent using any one particular set of security keys and thus to limit the effectiveness of any statistical attacker.

Abstract: A system and method is provided for evaluating the effectiveness of data encryption for hiding the identity of the source of Web traffic. A signature is constructed from encrypted Web traffic for a Web page sent by a target Web site, and the signature is compared with archived traffic signatures obtained by accessing various Web pages of interest in advance. If the signature of the detected encrypted Web traffic matches a stored traffic signature beyond a pre-set statistical threshold, a positive match is found, and the source of the traffic is identified. Countermeasures for reducing the reliability of source identification based on traffic signature matching are provided.

Abstract: A system and method that uses authentication inkblots to help computer system users first select and later recall authentication information from high entropy information spaces. An inkblot authentication module generates authentication inkblots from authentication inkblot seeds. On request, a security authority generates, stores and supplies an authentication inkblot seed set for a user. In response to an authentication inkblot, a user inputs one or more alphanumeric characters. The responses to one or more authentication inkblots serve as authentication information. A user-computable hash of the natural language description of the authentication inkblot is utilized to speed authentication information entry and provide for compatibility with conventional password-based authentication. Authentication with an authentication information match ratio of less than 100% is possible.

Abstract: A system and method is provided for handling network communications between a client and a target server on the Internet to protect the privacy and anonymity of the client. For a session between the client and the target server, a routing control server sets up a routing chain using a plurality of Web servers randomly selected from a pool of participating Web servers as routers for routing messages between the client and the target server. To prevent traffic analysis, an “onion encryption” scheme is applied to the messages as they are forwarded along the routing chain. A payment service cooperating with the routing control server allows a user to pay for the privacy protection service without revealing her real identity.

Abstract: Providing secure end-to-end notifications from a notification source to a notification sink despite the notification mechanism including one or more message transit points between the notification source and the notification sink. Initially, security information (e.g., the master security, the cryptographic algorithm, and the like) is negotiated out-of-band from the one or more message transit points so that the message transit points are not apprised of the security information. When a designated event occurs, the notification source generates a push message that includes the notification encrypted using the pre-negotiated security information. When the notification sink receives the push message, the notification sink decrypts the notification using the pre-negotiated security information, as well as supplemental information provided in the push message. Thus, the message transit points only have access to the encrypted form of the notification.

Abstract: Operating system upgrades in a trusted operating system environment allow a current trusted core of an operating system installed on a computing device to be upgraded to a new trusted core. The new trusted core is allowed to access application data previously securely stored by the current trusted core only if it can be verified that the new trusted core is the new trusted core expected by the current trusted core. In accordance with one implementation, the new trusted core is allowed to access only selected application data previously securely stored by the current trusted core.

Abstract: Manifest-based trusted agent management in a trusted operating system environment includes receiving a request to execute a process is received and setting up a virtual memory space for the process. Additionally, a manifest corresponding to the process is accessed, and which of a plurality of binaries can be executed in the virtual memory space is limited based on indicators, of the binaries, that are included in the manifest.

Abstract: Transferring application secrets in a trusted operating system environment involves receiving a request to transfer application data from a source computing device to a destination computing device. A check is made as to whether the application data can be transferred to the destination computing device, and if so, whether the application data can be transferred under control of the user or a third party. If these checks succeed, a check is also made as to whether the destination computing device is a trustworthy device running known trustworthy software. Input is also received from the appropriate one of the user or third party to control transferring of the application data to the destination computing device. Furthermore, application data is stored on the source computing device in a manner that facilitates determining whether the application data can be transferred, and that facilitates transferring the application data if it can be transferred.

Abstract: An implementation of a technology, described herein, for facilitating the automated generation of input-validation software filters. The implementation of the invention provides an easy graphical user interface (GUI). With this GUI, a user (such as a system administrator) is able to quickly enter a set of parameters defining what valid inputs constitute—in particular, when such inputs come from a computing component. Consequently, the user does not have to manually generate filtering instructions on how to filter input from a computing component. This abstract itself is not intended to limit the scope of this patent. The scope of the present invention is pointed out in the appending claims.

Abstract: A system controls access to broadcast messages received by a plurality of mobile devices. Selected mobile devices are provided with a broadcast encryption key (BEK). The broadcast messages are encrypted using the BEK prior to broadcasting so that the selected mobile devices containing the BEK can decrypt the broadcast messages. The broadcast messages are then broadcast.

Abstract: Authorizing a requesting entity to have a service perform a particular action in a manner that is at least partially independent of the underlying target data structure. An authorization station maintains a number of role templates that each define basic access permissions with respect to a number of command methods. The authorization station also maintains a number of role definitions that each define access permissions for specific requesting entities by using one or more of the role templates. When the authorization station receives a request from the requesting entity, the authorization station then identifies the appropriate role definition. Using this role definition, the authorization station determines access permissions for the requesting entity with respect to the requested action.

Abstract: Directly operating on data structures in a generic manner regardless of the type of data structure being operated upon and without requiring dedicated executable code for manipulating data structures of the particular data type. A common set of commands (e.g., insert, delete, replace, update, query) are recognized that may be used to operate on data structures of a number of different data types. A navigation module accesses a request to execute one of the common command methods on at least an identified portion of an identified data structure. Then, the navigation module accesses a navigation assistance module to access a set of rules associated with the particular data type, the set of rules allowing the navigation module to find the portion of the data structure that is to be operated on. If appropriate, the command operation is then executed on the identified portion of the data structure.

Abstract: A messaging data structure for accessing data in an identity-centric manner. An identity may be a user, a group of users, or an organization. Instead of data being maintained on an application-by-application basis, the data associated with a particular identity is stored by one or more data services accessible by many applications. The data is stored in accordance with a schema that is recognized by a number of different applications and the data service. The messaging data structure includes fields that identify the target data object to be operated upon using an identity field, a schema field, and an instance identifier field. In addition, the desired operation is specified. Thus, the target data object is operated on in an identity-centric manner.

Abstract: A model for accessing data in an identity-centric manner. An identity may be a user, a group of users, or an organization. Instead of data being maintained on an application-by-application basis, the data associated with a particular identity is stored by one or more data services accessible by many applications. The data is stored in accordance with a schema that is recognized by a number of different applications and the data service. When a user is to perform an operation on the identity's data, the corresponding application generates a message that has a structure that is recognized by the data service. The message represents a request to perform an operation on the data structure corresponding to the identity. The data service receives and interprets the message. If authorized, the data service then performs the operation.

Abstract: This invention concerns a system and method for securely distributing subsetted fonts from a distributor to a client. The system includes a signing module to construct an authentication tree having leaves formed of glyphs, one or more intermediate levels of nodes computed as one-way functions of the glyphs, and a root computed as a one-way function of the nodes. The signing module digitally signs the root of the authentication tree using a private signing key unique to the font creator or distributor. The system has a subsetting module to construct a font subset file that contains selected glyphs and other data to be included in a font subset. The font subset file also holds the digitally signed root of the font authentication tree and one or more authentication values of the authentication tree that represents non-selected glyphs and data of the font that are not contained in the font subset. The font subset file is distributed to requesting clients.

Abstract: A system and method facilitates a fair exchange of time-independent information goods between a first party's computer and a second party's computer over a network, such as the Internet. The first party's computer creates a digital contract proposal concerning the exchange of information goods. The first party's computer digitally signs the contract proposal and stipulates a condition which, when satisfied by the second party, will create a valid contract. The first party's computer then transmits the signed contract proposal over the network to the second party's computer. The second party has one of two options: (1) satisfy the condition in the contract proposal to create a valid contract and return the valid contract to the first party, or (2) store the signed contract proposal without satisfying the condition and supply the information goods to the first party.

Abstract: A cryptography system architecture provides cryptographic functionality to support an application requiring encryption. decryption, signing, and verification of electronic messages. The cryptography system has a cryptographic application program interface (CAPI) which interfaces with the application to receive requests for cryptographic functions. The cryptographic system further includes at least one cryptography service provider (CSP) that is independent from, but dynamically accessible by, the CAPI. The CSP provides the cryptographic functionality and manages the secret cryptographic keys. In particular, the CSP prevents exposure of the encryption keys in a non-encrypted form to the CAPI or application. The cryptographic system also has a private application program interface (PAPI) to provide direct access between the CSP and the user. The PAPI enables the user to confirm or reject certain requested cryptographic functions, such as digitally signing the messages or exportation of keys.