Patents by Inventor David Carroll Challener

David Carroll Challener has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20030186679
    Abstract: Methods, apparatus and program products which monitor access points through which data can be exchanged with a network, identify an unauthorized access point, and determine the location of the identified unauthorized access point.
    Type: Application
    Filed: March 27, 2002
    Publication date: October 2, 2003
    Applicant: International Business Machines Corporation
    Inventors: David Carroll Challener, David Robert Stafford, Leendert Peter Van Doorn
  • Publication number: 20030188179
Abstract: A method for restricting access to an encryption key of an encrypted file system (EFS), whereby access is provided only when a computer system is booted in a trusted state. The EFS encrypts the files within a TPM chip according to TCPA specifications and simultaneously creates the encryption key, which is also stored in the TPM. The key is sealed to one or more platform control register (PCR) states (i.e., the TPM will export the key only when the PCRs are in a pre-defined state). The original PCR states are modified during boot up of the computer system via a secure hashing algorithm, which extends a value of one PCR to a next PCR at each stage of the boot process and then hashes the value with the remaining content of the next PCR. When the system boot process is completed and before control passes to the user, the values within the PCRs are compared to values stored in a PCR table within the TPM, and the encryption key is exported to the OS kernel only when the PCR values match the table values.
    Type: Application
    Filed: March 28, 2002
    Publication date: October 2, 2003
    Applicant: International Business Machines Corporation
    Inventors: David Carroll Challener, David Robert Safford
  • Publication number: 20030182561
Abstract: A tamper detection mechanism for a personal computer (PC) and a method of use thereof is disclosed. Accordingly, a first aspect of the present invention comprises a tamper detection mechanism. The tamper detection mechanism comprises a first Root-of-Trust Measurement (RTM) module which is coupled to and fixed within the PC, a second RTM module being removably attached to the PC and a diagnostic program for comparing a copy of the first RTM module with a copy of the second RTM module to determine whether the first RTM module is valid. A second aspect of the present invention comprises a method of providing tamper detection for a PC. The method comprises providing a first RTM module, providing a second RTM module and utilizing a diagnostic program to compare a copy of the first RTM module with a copy of the second module to determine whether the first RTM module is valid.
    Type: Application
    Filed: March 25, 2002
    Publication date: September 25, 2003
    Applicant: International Business Machines Corporation
    Inventors: David Carroll Challener, Steven Dale Goodman, James Patrick Hoff, Hernando Ovies, Randall Scott Springfield, James Peter Ward
  • Publication number: 20030174842
    Abstract: A method and system for storing to a server a private key that was created on a TCPA-enabled client computer by the user. The user's private key is wrapped in a server non-migratable public key and sent to the server. When the user wants to migrate the user private key to a TCPA-enabled client computer, the user sends a request to the server for the user's private key along with the user's personal migration data for user identification. The server wraps the user's private key in the TCPA-enabled client computer's non-migratable public key, and transmits this “blob” to the client computer, which unwraps the blob to reveal the user's private key.
    Type: Application
    Filed: March 18, 2002
    Publication date: September 18, 2003
    Applicant: International Business Machines Corporation
    Inventor: David Carroll Challener
  • Patent number: 6601175
    Abstract: Features of a data processing system, such as its configuration, are protected utilizing a machine-specific limited-life password. The data processing system includes execution resources for executing a watchdog program, a limited-life value generator, and non-volatile storage that stores a machine-specific value at least partially derived from relatively unique information associated with the data processing system (and preferably also derived from a secret control password). In response to each attempted access to the protected features of the data processing system, the watchdog program generates at least one machine-specific limited-life password from the machine-specific value and a limited-life value generated by the limited-life value generator. The watchdog program allows access to the protected features in response to entry of the machine-specific limited-life password and otherwise denies access.
    Type: Grant
    Filed: March 16, 1999
    Date of Patent: July 29, 2003
    Assignee: International Business Machines Corporation
    Inventors: Todd Weston Arnold, David Carroll Challener
  • Publication number: 20030138105
    Abstract: A method and system for managing cryptology keys in a TCPA subsystem such as a Trusted Platform Module (TPM). The TPM encrypts/decrypts data being communicated with a processing system. Internal to the TPM is limited memory for storing cryptology private keys used in the encryption/decryption. Under the TCPA specification, the keys are hierarchical, such that a parent key must be in the TPM to load into the TPM the requested child cryptology private key. Thus there is an expense associated with replacing an existing key. This expense is determined by the probability that the evicted key will be needed and thus re-stored in the future and the likelihood that ancestor keys will have to be loaded into the TPM in order to load the requested child key. The present invention presents a method for determining this expense, in order to determine which key should be evicted.
    Type: Application
    Filed: January 18, 2002
    Publication date: July 24, 2003
    Applicant: International Business Machines Corporation
    Inventors: David Carroll Challener, Scott Thomas Elliott, James Patrick Hoff, James Peter Ward
  • Patent number: 6598032
    Abstract: A system and method for isolating a computer system from entry of a personal identification number (PIN) to a smart card. The system and method includes a computer system that is in communication with an unsecure network to allow a user to engage in a purchase transaction. The system and method also includes a smart card reader in which a smart card is inserted and read. A secure personal-identification-number (PIN) entry device is coupled between the computer system and the smart card reader. The secure PIN entry device is used for entering a correct code for the PIN. Communication between computer system and secure PIN entry device is disconnected until the correct code for the PIN is entered at secure PIN entry device and sent to the smart card in order to authorize use of the smart card for the purchase transaction. In response to the correct code for the PIN being entered and sent to the smart card, communication between computer system and secure PIN entry device is established.
    Type: Grant
    Filed: March 10, 2000
    Date of Patent: July 22, 2003
    Assignee: International Business Machines Corporation
    Inventors: David Carroll Challener, Joseph McGovern, Hernando Ovies, James Peter Ward
  • Publication number: 20030135727
    Abstract: A computer system contains selectively available boot block codes. A first boot block is of the conventional type and is stored in storage media such as flash ROM on a system planar with the processor of the computer system. A second boot block is located on a feature card and contains an immutable security code in compliance with the Trusted Computing Platform Alliance (TCPA) specification. The boot block on the feature card is enabled if the first boot block detects the presence of the feature card. The computer system can be readily modified as the computer system is reconfigured, while maintaining compliance with the TCPA specification. A switching mechanism controls which of the boot blocks is to be activated. The feature card is disabled in the event of a computer system reset to prevent access to the TCPA compliant code and function.
    Type: Application
    Filed: January 15, 2002
    Publication date: July 17, 2003
    Applicant: International Business Machines Corporation
    Inventors: David Carroll Challener, Steven Dale Goodman, Kevin Michael Reinberg, Randall Scott Springfield, James Peter Ward
  • Publication number: 20030133575
    Abstract: A method for providing security with a secure chip, includes: creating a migratable keyblob using a first random number, where the migratable keyblob contains a key; wrapping the migratable keyblob with a public key of the key's parent key; encrypting the first random number with a pass phrase for a user of the key; storing the encrypted first random number; and migrating the migratable keyblob from the computer to itself. If the private key of the secure chip is stolen, the thief can only unwrap keys which are ancestors of the key in the migratable keyblob. To obtain the key in the migratable keyblob, the random number used to create it is required. However, the pass phrase of the user is required to decrypt it. This increases the security of the key stored in the migratable keyblob and its children keys.
    Type: Application
    Filed: January 14, 2002
    Publication date: July 17, 2003
    Inventor: David Carroll Challener
  • Patent number: 6591297
    Abstract: A data processing system and method are described for providing a networked printer's physical location. The printer, a server computer system, and client computer systems are coupled together utilizing a network. The server computer system first transmits a command to the printer to disable the print function of the printer. Entry of a physical location of the printer is then permitted. The print function of the printer is reenabled by the server computer system only in response to an entry of the physical location of the printer into the printer.
    Type: Grant
    Filed: February 28, 2000
    Date of Patent: July 8, 2003
    Assignee: International Business Machines Corporation
    Inventors: David Carroll Challener, Joseph P. McGovern, Frank P. Novak, Hernando Ovies
  • Publication number: 20030105965
Abstract: A business method employing hardware compliant with the Trusted Computing Platform Alliance (TCPA) Specification is implemented to allow a credit card company to remotely install a credit card private key into a TCPA module to create a Trusted Platform Module (TPM). More specifically, when a credit worthy user applies for a credit card, the user will send the credit card company a public portion of a "non-migratable storage key," which is accredited a TPM endorsed by a Certification Authority. The credit card company will create its own public/private key pair according to the TCPA Specification, to create a TCPA header, and wrap the full structure by encrypting it with the public portion of the TCPA non-migratable storage key. The credit card company then sends by email the encrypted bundle with a certificate for it, and sends a corresponding pass phrase by regular mail.
    Type: Application
    Filed: February 19, 2003
    Publication date: June 5, 2003
    Applicant: International Business Machines Corporation
Inventor: David Carroll Challener
  • Publication number: 20030105980
    Abstract: A method for providing security in password-based access to computer networks, the network including a server and a remote user, includes: signing a phrase by a security chip of the server using an encryption key; associating the signed phrase with the remote user; signing the phrase with an encryption key obtained by the security chip when a request for access to the computer network is received from the remote user; comparing the phrase signed with the obtained encryption key with the signed phrase associated with the remote user; and granting access to the remote user if the phrase signed with the obtained encryption key is the same as the stored signed phrase associated with the remote user. The use of the encryption key protects against “dictionary attacks”. Use of the security chip protects against offline attacks. These provide greater security for the computer network.
    Type: Application
    Filed: November 30, 2001
    Publication date: June 5, 2003
    Applicant: International Business Machines Corporation
    Inventors: David Carroll Challener, Steven Dale Goodman
  • Publication number: 20030093698
    Abstract: Access to secure data through a portable computing system is provided only when a timer within the system is running. The timer is reset with the portable system connected to a base system, either directly, as by a cable, or indirectly, as through a telephone network. In an initialization process, the portable and base systems exchange data, such as public cryptographic keys, which are later used to confirm that the portable system is connected to the same base system. In one embodiment, the initialization process also includes storing a password transmitted from the portable system within the base system, with this password later being required within the reset process.
    Type: Application
    Filed: November 14, 2001
    Publication date: May 15, 2003
    Applicant: International Business Machines Corporation
    Inventors: David Carroll Challener, Ernest Nelson Mandese, Hernando Ovies, James Peter Ward
  • Publication number: 20030088768
    Abstract: A method, system and computer program product for transmitting a broadcast over the Internet by a broadcaster where users located approximately within a defined distribution area of the broadcaster can receive or interpret the broadcast. A broadcaster may transmit an encrypted broadcast over the Internet while transmitting a decryption key to users of computer systems over the air within its defined distribution area. Only users that are located approximately within the defined distribution area of the broadcaster may receive the decryption key and hence be able to decrypt the encrypted broadcast. Furthermore, a broadcaster may receive a request from a user of a computer system to transmit a broadcast over the Internet to that user. Upon determining the approximate location of the user, the broadcaster may transmit the broadcast over the Internet to that user if that user is located approximately within the defined distribution area of the broadcaster.
    Type: Application
    Filed: November 2, 2001
    Publication date: May 8, 2003
    Applicant: International Business Machines Corporation
    Inventor: David Carroll Challener
  • Patent number: 6546499
    Abstract: Redundant Array of Inexpensive Platters (RAIP) uses data management and storage techniques and concepts from Redundant Array of Independent Disks (RAID) technology. These techniques and concepts that are used with multiple disks are incorporated into being used within a single disk drive. RAIP is used within a single disk drive having at least one platter and multiple heads. The at least one platter is utilized in the same or similar manner as at least one of the multiple disks in a redundant array of independent disks (RAID). RAIP is generally implemented by using each side of a platter of the single disk drive in the same or similar manner as each disk drive of multiple disk drives. A system and method of providing and implementing RAIP within a single disk drive is disclosed.
    Type: Grant
    Filed: October 14, 1999
    Date of Patent: April 8, 2003
    Assignee: International Business Machines Corporation
    Inventors: David Carroll Challener, Andrew Boyce McNeill, Jr.
  • Patent number: 6529299
    Abstract: An apparatus for broadcasting optical signals within an optoelectric computer network is disclosed. The optoelectric computer network includes multiple computers. Each of the computers includes a first fiber optic cable for sending optical signal beams and a second fiber optic cable for receiving optical signal beams. The apparatus for broadcasting optical signals within the optoelectric computer network includes a lens and a mirror array. The lens is capable of splitting an optical signal beam received from a first fiber optic cable of one of the computers into multiple optical signal beams. The mirror array, which is formed by an array of deformable mirrors, then individually directs each of the split optical signal beams to a respective second fiber optic cable of the selected remaining computers within the optoelectric computer network.
    Type: Grant
    Filed: March 31, 1999
    Date of Patent: March 4, 2003
    Assignee: International Business Machines Corporation
    Inventors: Carlos Munoz-Bustamante, David Carroll Challener, Daniel McConnell
  • Publication number: 20030041254
Abstract: Personal computer (PC) systems that are remotely managed are equipped with protected storage that is accessible only by Basic Input Output System (BIOS) code. The protected storage has the capacity to store a symmetrical encryption Key. An electronically erasable programmable read only memory (EEPROM) which normally contains the BIOS code is used to store accessible configuration data as well as previously remotely inaccessible sensitive access information (e.g., passwords). The EEPROM is write protected with standard write protect algorithms and access to the alterable EEPROM data is through write requests to the BIOS code. Previously remotely inaccessible sensitive data is encrypted with the symmetrical encryption Key by the BIOS code. Remote access to the sensitive data is accomplished via change requests submitted to the BIOS code over a secure channel. The BIOS code has data that allows it to determine if the request is valid.
    Type: Application
    Filed: August 24, 2001
    Publication date: February 27, 2003
    Applicant: International Business Machines Corporation
    Inventors: David Carroll Challener, Steven Dale Goodman, David Robert Safford, Rondall Scott Springfield
  • Patent number: 6504825
    Abstract: A system for mapping a location of an electronic equipment in a defined area. The system comprises of a server which is typically a data processing system. An activation signal is sent to the electronic equipment. In response to the activation signal, the electronic equipment emits a pre-defined signal containing a unique signature of the electronic equipment. The signal is captured by a device connected to the server with a known location in the defined area. The server utilizes the known location of the device along with the unique signature of the electronic equipment to identify/determine the location of the electronic equipment.
    Type: Grant
    Filed: March 18, 1999
    Date of Patent: January 7, 2003
    Assignee: International Business Machines Corporation
    Inventors: Barry Douglas Atkins, David Carroll Challener, Richard Cheston, John Karidis, Frank P. Novak, Joseph P. McGovern
  • Publication number: 20020196943
    Abstract: A telephone network and a method and system for its use is disclosed. In a first aspect of the present invention, a telephone network is disclosed. The telephone network includes an internet service provider (ISP) coupled to a local switching exchange. The local switching exchange receives and transmits calls to a plurality of devices. The network includes a plurality of modems coupled to the ISP. The network also includes a plurality of phone systems. Each of the phone systems including a cordless unit and a base station. Each of the plurality of phone systems also is associated with one of the plurality of modems, wherein a call can be routed to or from each of the cordless units through any of the modems to any of the plurality of devices. In a second aspect, a method and system for sending a call from a phone system to a device is disclosed. The phone system comprises a cordless unit and a base station. The phone system is also coupled to a modem.
    Type: Application
    Filed: June 26, 2001
    Publication date: December 26, 2002
    Applicant: International Business Machines Corporation
    Inventors: David Carroll Challener, Jeffrey W. Clark, Peter Alexander Manson, Joseph Patrick McGovern, Douglas Morgan Trent
  • Publication number: 20020196946
    Abstract: A method for migrating a base chip key from a first computer system to a second computer system is disclosed. A first computer system includes a base chip key 1, and a second computer system includes a base chip key 2. Using a first certificate for the base chip key 1, a manufacturer of the second computer system generates a second certificate for the base chip key 1. Similarly, using a first certificate for the base chip key 2, a manufacturer of the first computer system generates a second certificate for the base chip key 2. A first data packet is then sent from the first computer system to the second computer system. The first data packet includes a first random number and all the data required to reproduce the base chip key 1 in the first computer system. The first data packet is also encrypted with the base chip key 1's public key.
    Type: Application
    Filed: June 22, 2001
    Publication date: December 26, 2002
    Applicant: International Business Machines Corporation
    Inventors: David Carroll Challener, Hernando Ovies
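The sealed-key mechanism described in publication 20030188179 above (PCR extension during boot, then release of the EFS key only when the PCR values match the values recorded at seal time) can be simulated in a few dozen lines. The following is an added example written for this page; it is not code from the patent, IBM, or any TPM vendor. It assumes the TCPA 1.1 / TPM 1.x conventions of 160-bit SHA-1 PCRs and the extend rule PCR_new = SHA1(PCR_old || SHA1(event)); the "SimTPM" class, its storage root key, the HMAC-based blob format and the boot-log strings are all constructed for illustration and stand in for the real chip.

```python
import hashlib
import hmac
import os

PCR_LEN = 20  # TCPA 1.1b / TPM 1.x PCRs hold a 160-bit SHA-1 digest


def pcr_extend(pcr: bytes, event: bytes) -> bytes:
    """TPM extend operation: PCR_new = SHA1(PCR_old || SHA1(event)).
    The old value is folded in, so the result depends on every event and
    on their order, and no software can set a PCR to a chosen value."""
    return hashlib.sha1(pcr + hashlib.sha1(event).digest()).digest()


def measure_boot(stages):
    """Replay a boot log into a fresh (all-zero) PCR and return the final value."""
    pcr = bytes(PCR_LEN)
    for stage in stages:
        pcr = pcr_extend(pcr, stage)
    return pcr


class SimTPM:
    """Toy TPM (assumed model, not a real chip): a storage root key that never
    leaves the object, PCRs that can only be reset by a power cycle or
    extended, and a seal/unseal pair bound to selected PCRs."""

    def __init__(self):
        self._srk = os.urandom(32)  # chip-resident secret, generated at 'manufacture'
        self.reset()

    def reset(self):
        """Power-on reset: every PCR returns to zero; the SRK survives."""
        self.pcr = [bytes(PCR_LEN) for _ in range(16)]

    def extend(self, index: int, event: bytes) -> None:
        self.pcr[index] = pcr_extend(self.pcr[index], event)

    def _composite(self, indices) -> bytes:
        """Digest over the selected PCRs; plays the role of the 'PCR table' entry."""
        return hashlib.sha1(b"".join(self.pcr[i] for i in indices)).digest()

    def seal(self, secret: bytes, indices) -> dict:
        """Bind `secret` to the current values of the PCRs in `indices`."""
        if len(secret) > 32:
            raise ValueError("toy keystream covers at most 32 bytes")
        expected = self._composite(indices)
        nonce = os.urandom(16)
        pad = hashlib.sha256(self._srk + nonce).digest()       # one-time keystream
        ct = bytes(a ^ b for a, b in zip(secret, pad))
        tag = hmac.new(self._srk, expected + nonce + ct, hashlib.sha256).digest()
        return {"indices": list(indices), "expected": expected,
                "nonce": nonce, "ct": ct, "tag": tag}

    def unseal(self, blob: dict) -> bytes:
        """Release the secret only if the blob is ours and the PCRs match."""
        tag = hmac.new(self._srk, blob["expected"] + blob["nonce"] + blob["ct"],
                       hashlib.sha256).digest()
        if not hmac.compare_digest(tag, blob["tag"]):
            raise PermissionError("blob was not sealed by this TPM")
        if not hmac.compare_digest(self._composite(blob["indices"]), blob["expected"]):
            raise PermissionError("PCR mismatch: platform is not in the sealed state")
        pad = hashlib.sha256(self._srk + blob["nonce"]).digest()
        return bytes(a ^ b for a, b in zip(blob["ct"], pad))


def boot_and_unseal(tpm: SimTPM, blob: dict, stages, index: int = 0):
    """Power-cycle the chip, replay a measured boot into one PCR, then ask for
    the sealed key. Returns the key, or None when the boot state differs."""
    tpm.reset()
    for stage in stages:
        tpm.extend(index, stage)
    try:
        return tpm.unseal(blob)
    except PermissionError:
        return None


if __name__ == "__main__":
    # Constructed boot log; the EFS key is a random 32-byte value.
    trusted = [b"BIOS 1.02", b"boot block", b"kernel 2.4.18"]
    tpm = SimTPM()
    for stage in trusted:
        tpm.extend(0, stage)
    blob = tpm.seal(os.urandom(32), [0])
    print("identical boot releases key:", boot_and_unseal(tpm, blob, trusted) is not None)
    tampered = [b"BIOS 1.02", b"modified loader", b"kernel 2.4.18"]
    print("tampered boot releases key: ", boot_and_unseal(tpm, blob, tampered) is not None)
```

The point worth noticing is that the check is performed by the chip, not by the OS: the blob stored on disk carries only the expected PCR composite, and nothing in the boot chain can roll a PCR back to a previous value, so a modified loader changes PCR 0 for the rest of that power cycle and the key stays inside the TPM.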
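Patent 6601175 above describes a watchdog that derives a machine-specific, limited-life password from a stored machine-specific value and a changing limited-life value. The abstract names the inputs but not the construction, so the following added example (written for this page, not taken from the patent or from IBM) assumes one concrete instantiation: the machine-specific value is a SHA-256 digest of a machine identifier and the secret control password, the limited-life value is a 60-second time counter, and the password is an HMAC-SHA256 over that counter truncated to eight decimal digits. The "Watchdog" class, the window length, the digit count and the serial numbers are all assumptions.

```python
import hashlib
import hmac
import struct

WINDOW_SECONDS = 60   # assumed lifetime of one password
DIGITS = 8            # assumed password length


def machine_specific_value(machine_id: bytes, control_password: bytes) -> bytes:
    """Value kept in non-volatile storage, derived once at provisioning from
    relatively unique machine information plus the secret control password."""
    return hashlib.sha256(b"msv|" + machine_id + b"|" + control_password).digest()


def limited_life_value(now: float, window: int = WINDOW_SECONDS) -> int:
    """The 'limited-life value generator': a counter that steps once per window."""
    return int(now // window)


def limited_life_password(msv: bytes, llv: int, digits: int = DIGITS) -> str:
    """Password valid for one window. HMAC-SHA256 is an assumed construction;
    the patent does not name one. Truncation to digits keeps it typeable."""
    mac = hmac.new(msv, struct.pack(">Q", llv), hashlib.sha256).digest()
    code = int.from_bytes(mac[:8], "big") % (10 ** digits)
    return f"{code:0{digits}d}"


class Watchdog:
    """Gatekeeper in front of protected features such as configuration setup.
    It never stores passwords; it recomputes the expected one on each attempt."""

    def __init__(self, msv: bytes, skew_windows: int = 1):
        self._msv = msv
        self._skew = skew_windows   # neighbouring windows tolerated for clock drift

    def allow(self, entered: str, now: float) -> bool:
        llv = limited_life_value(now)
        for delta in range(-self._skew, self._skew + 1):
            candidate = limited_life_password(self._msv, llv + delta)
            if hmac.compare_digest(candidate, entered):
                return True
        return False


def helpdesk_password(machine_id: bytes, control_password: bytes, now: float) -> str:
    """What a support technician holding the control password would read out
    to a user over the phone: valid only on that machine and only this window."""
    msv = machine_specific_value(machine_id, control_password)
    return limited_life_password(msv, limited_life_value(now))


if __name__ == "__main__":
    # Constructed scenario: machine SN-0001, provisioned with control password 'ctrl'.
    msv = machine_specific_value(b"SN-0001", b"ctrl")
    wd = Watchdog(msv)
    t = 1_000_000.0
    pw = helpdesk_password(b"SN-0001", b"ctrl", t)
    print("password      :", pw)
    print("now           :", wd.allow(pw, t))
    print("5 minutes on  :", wd.allow(pw, t + 300))
    print("other machine :", Watchdog(machine_specific_value(b"SN-0002", b"ctrl")).allow(pw, t))
```

Compared with a fixed supervisor password, a leaked value here is worth one window on one machine; the control password itself never has to be typed on the protected system, and the watchdog stores nothing an attacker could replay.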