Abstract: A computer system and method for securing files in a file system equipped with storage resources that are accessible to an authenticable user operating with an untrusted client device under the semi-trusted client threat model. The file to be secured is stored in one or more blocks belonging to the storage resources along with symmetric per-block key(s) KBi assigned to each of the blocks in the file. The blocks are encrypted with the symmetric per-block keys to obtain encrypted blocks. The user is assigned user key(s) and each per-block key that was used for encryption is in turn encrypted with one of the user's keys to derive wrapped key(s) for each encrypted block. Wrapped key(s) are placed in encrypted block headers and introduce a level of indirection to encrypted file(s) that is appropriate for the semi-trusted client threat model.

Abstract: A format-preserving cipher including an encryption and a decryption scheme supporting non-linear access to input data by allowing the selection of portions of data from a potentially larger dataset to be encrypted, thus avoiding a necessarily sequential access into the input plaintext data. The cipher first defines a forward mapping from the allowable ciphertext values to an integer set of the number of such allowable ciphertext values, and a corresponding reverse mapping. It also supports exclusion of a certain set of characters from the ciphering process. Further, the encryption algorithm can encrypt the input plaintext data while preserving its original format and length and a corresponding decryption algorithm. The cipher advantageously embodies the encryption and decryption of multi-byte values or strings of data, thus fitting a variety of industrial needs.

Abstract: A computer system and method for securing files in a file system equipped with storage resources that are accessible to an authenticable user operating with an untrusted client device under the semi-trusted client threat model. The file to be secured is stored in one or more blocks belonging to the storage resources along with symmetric per-block key(s) KBi assigned to each of the blocks in the file. The blocks are encrypted with the symmetric per-block keys to obtain encrypted blocks. The user is assigned user key(s) and each per-block key that was used for encryption is in turn encrypted with one of the user's keys to derive wrapped key(s) for each encrypted block. Wrapped key(s) are placed in encrypted block headers and introduce a level of indirection to encrypted file(s) that is appropriate for the semi-trusted client threat model.

Abstract: Computer systems and methods ensuring high availability of cryptographic keys using a shared file system. The keys are encrypted with at least one shareable master key to generate corresponding encrypted cryptographic keys, which are stored in a key database in the shared file system. A master key manager with access to the key database is elected from among master key manager candidates and is assigned a common virtual address. All master key manager candidates have the shareable master key such that during a failover event the availability of the encrypted cryptographic keys is not interrupted as a new master key manager takes over the common virtual address from the previous master key manager. Additionally, a message authentication code (MAC) is deployed for testing the integrity of keys during their retrieval.

Abstract: A method of reducing the load on a first node in a cellular telecommunications network, which network includes a plurality of nodes, each of the nodes serving a plurality of telecommunications devices by providing communication resources thereto is disclosed. The method includes selecting a target telecommunications device for handover from the first node to a second of said nodes; handing over the target device to the second node; allocating communication resources to the target device to enable the second node to serve the target device; selecting a matched telecommunications device that is served by the first node; and adjusting the communication resources allocated to the matched device, which resources enable the first node to serve the matched device, so that they correspond to the resources allocated to the target device, which resources enable the second node to serve the target device.

Abstract: A novel approach is proposed for centralized administration of a multikey for a plurality of clients at a set of remote office/branch offices (ROBOs). A multikey having a set of properties, permissions, and policies is first associated with a secure item present at one or more of the ROBOs. A set of respective instances of the multikey are then generated for the ROBOs having the secure item, and the set of properties, permissions, and policies are associated with each of the respective instances of the multikey automatically. The instances of the multikey are then provided to the set of ROBOs for the encryption or decryption of the secure item present at the ROBOs.

Abstract: A method of reducing the load on a first node in a cellular telecommunications network, which network includes a plurality of nodes, each of the nodes serving a plurality of telecommunications devices by providing communication resources thereto is disclosed. The method includes selecting a target telecommunications device for handover from the first node to a second of said nodes; handing over the target device to the second node; allocating communication resources to the target device to enable the second node to serve the target device; selecting a matched telecommunications device that is served by the first node; and adjusting the communication resources allocated to the matched device, which resources enable the first node to serve the matched device, so that they correspond to the resources allocated to the target device, which resources enable the second node to serve the target device.

Abstract: Aspects for securely storing program code of an embedded system includes accepting a digitation file from a distribution source into on-chip memory of an adaptive computing engine (ACE). The digitation file is then secured and transferred to off-chip memory.

Abstract: A technique for protecting secrets may involve enclosing master secret keys in an encapsulation module functioning like an envelope on a host that may run an untrusted operating system. The encapsulation module itself can be obfuscated and protected with various software security techniques, such as anti-debugging techniques, which make reverse-engineering more difficult. Session or file keys could then be derived from the master key stored in the encapsulation module on the host, wherein each of the keys protects a session or a file on the host. Additionally, a code can be provided to prevent the master secret and the keys from being swapped to a non-volatile storage device of the host.

Abstract: A technique for encrypting a file without changing file size may involve encrypting a first set of a plurality of blocks of a file in a first encryption mode using the first set of encryption keys and/or the first set of configuration rules, and a second set of the plurality of blocks of the file in a second encryption mode using a second set of the encryption keys and/or a second set of the configuration rules without causing the file to increase in size before and after the encryption. Here, the first and the second encryption modes are chosen to be different, so are the first and the second sets of the encryption keys and/or the configuration rules to reduce security risk of the file being encrypted.

Abstract: A technique for secure file encryption first choose a file encryption key randomly among a set of file encryption keys and encrypts a file using the chosen file encryption key based on a set of encryption rules. The file encryption key can then be encrypted via a directory master secret (DMS) key for an extra layer of security so that an intruder cannot decrypt the encrypted file even if the intruder gains access to the DMS-encrypted file encryption key. Finally, the DMS-encrypted file encryption key can be stored in a metadata associated with the file.

Abstract: Aspects for consumer product distribution in the embedded system market are described. The aspects include forming a secure network for distributing product digitation files capable of configuring operations of an adaptive computing engine (ACE), and providing an agent server within the secure network for controlling licenses of the product digitation files, wherein a separation of responsibility and control of the distributing and licensing exists.

Abstract: A system and apparatus for inserting a watermark into a compiled computer program selectively replaces specified optimizations by non-optimized code to encode bit values of the watermark. The watermark is read by decoding the executable code and assigning the decoded bit values, determined by the presence or absence of optimized code, to bit positions in a signature.

Abstract: A novel approach is proposed for centralized administration of a multikey for a plurality of clients at a set of remote office/branch offices (ROBOs). A multikey having a set of properties, permissions, and policies is first associated with a secure item present at one or more of the ROBOs. A set of respective instances of the multikey are then generated for the ROBOs having the secure item, and the set of properties, permissions, and policies are associated with each of the respective instances of the multikey automatically. The instances of the multikey are then provided to the set of ROBOs for the encryption or decryption of the secure item present at the ROBOs.

Abstract: A method and apparatus for encoding/decoding between interchange format data and structured data utilizes a scripting language. The structure of the data can be controlled by the sequence of commands in the script and changes to the structure can be implemented by changing the script. A parser/interpreter is the only software necessary to implement the technique.

Abstract: Aspects for structuring consumer product distribution in the embedded system market that allows for increased revenue potential are described. The aspects include establishing a secure network with a number of control points for distributing product digitation files capable of configuring operations of an adaptive computing engine (ACE), and utilizing the control points as revenue generation events during the distributing.

Abstract: Aspects for handling multiple security protocols in a processing system are described. The aspects include utilization of an adaptable computing engine (ACE) as a security processor within a processing system on a computer network. Reconfiguration of the security processor occurs as needed to implement at least two security protocols of the computer network.

Abstract: Aspects for consumer product distribution in the embedded system market are described. The aspects include forming a secure network for distributing product digitation files capable of configuring operations of an adaptive computing engine (ACE), and providing an agent server within the secure network for controlling licenses of the product digitation files, wherein a separation of responsibility and control of the distributing and licensing exists.

Abstract: A method and apparatus for inserting a watermark into a compiled computer program. A location process specifies an insertion point in the compiled program and a watermark generating process inserts a watermark, based on data to be encoded, into the program at the insertion point. The location process is also utilized to specify the location of watermark data to be decoded.