Patents by Inventor Radia Perlman
Radia Perlman has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Publication number: 20140169173
Abstract: Methods, apparatus, and networks configured to manage network congestion using packet recirculation. The networks employ network elements (e.g., Rbridges in Layer 2 networks and switches/routers in Layer 3 networks) that are configured to support multi-path forwarding under which packets addressed to the same destination may be routed via multiple paths to the destination. In response to network congestion conditions, such as lack of availability of a non-congested port via which a shortest path to the destination may be accessed, a packet may be routed backward toward a source node or forwarded toward a destination along a non-shortest path. The network elements may employ loopback buffers for looping packets back toward a source via the same link the packet is received on.
Type: Application
Filed: December 14, 2012
Publication date: June 19, 2014
Inventors: Ygdal Naouri, Radia Perlman
-
Publication number: 20140172906
Abstract: Methods and systems may provide for obtaining a query image of a scene, wherein the query image includes embedded information and represents the scene at a time of capture. The embedded information may include location data and perspective data. Additionally, user input may be received, wherein the user input identifies a different time than the time of capture. A time-shifted image of the scene may be obtained based on the user input and the embedded information in the query image. Crowd sources and/or other public information sources may also be used to obtain the time-shifted image. In one example, the time-shifted image represents the scene at the different time.
Type: Application
Filed: December 19, 2012
Publication date: June 19, 2014
Inventors: Shivani A. Sud, Robert C. Knauerhase, Dzung D. Tran, Radia Perlman
-
Publication number: 20140153574
Abstract: Methods and apparatus for implementing notification by network elements of packet drops. In response to determining a packet is to be dropped, a network element such as a switch or router determines the source of the packet and returns a dropped packet notification message to the source. Upon receipt of notification, networking software or embedded hardware on the source causes the dropped packet to be retransmitted. The notification may also be sent from the network element to the destination computer to inform networking software or embedded logic implemented by the destination computer that the packet was dropped and notification to the source has been sent, thus alleviating the destination from needing to send a Selective ACKnowledge (SACK) message to inform the source the packet was not delivered.
Type: Application
Filed: December 5, 2012
Publication date: June 5, 2014
Inventors: Eliel Louzoun, Radia Perlman, Ben-Zion Friedman, Ygdal Naouri, Eliezer Tamir
-
Publication number: 20140140348
Abstract: Methods, apparatus and network architectures relating to the use of a Hop-by-Hop packet forwarding technique using “stepping stone” switches. The network architectures include use of stepping stone switches interspersed with non-stepping stone switches such as conventional network switches comprising network elements such as switches, routers, repeaters, etc. The stepping stone switches are configured to route packets as multiplexed flows along tunneled sub-paths between stepping stone switches in a hop-by-hop manner with error recovery, as opposed to conventional routing under which packets are routed from a source to a destination using an arbitrary path or along a (generally) lengthy flow-based path. Accordingly, packets from a source endpoint are routed to a destination endpoint via multiple sub-paths connecting pairs of stepping stone switches, with each sub-path traversing one or more conventional switches and constituting a logical Hop in the Hop-by-Hop route.
Type: Application
Filed: November 19, 2012
Publication date: May 22, 2014
Inventor: Radia Perlman
-
Patent number: 8150038
Abstract: A method of securely storing electronic information includes a step in which target electronically stored information is encrypted with a first encryption key and then partitioned into a first set of encrypted ESI partitions a subset of which is able to reconstruct the unpartitioned encrypted ESI. This first set of encrypted ESI partitions is then encrypted with a first set of user encryption keys to form a first set of user-associated encrypted ESI partitions that are made available to a first set of users. When access to the target electronically stored information is changed, the target electronically stored information is accessed and then re-encrypted with a second encryption key to form a second encrypted ESI. This second encrypted ESI is then partitioned and distributed to a second set of users.
Type: Grant
Filed: November 1, 2007
Date of Patent: April 3, 2012
Assignee: Oracle America, Inc.
Inventor: Radia Perlman
-
Publication number: 20120076150
Abstract: Methods, apparatuses, and systems for controlling interconnections between nodes using virtual nodes are described. A physical node—such as a router, bridge, switch, etc.—stores a virtual cost associated with a virtual link that links virtual nodes of the physical node. A first physical port and a second physical port of the physical node are designated as belonging to a first virtual node and a third physical port of the physical node is designated as belonging to the second virtual node. The first physical port is associated with a first network partition and the second physical port is associated with a second network partition. The physical node transmits a routing information packet that includes the virtual cost.
Type: Application
Filed: September 23, 2010
Publication date: March 29, 2012
Inventor: Radia Perlman
-
Publication number: 20090116649
Abstract: A method of securely storing electronic information includes a step in which target electronically stored information is encrypted with a first encryption key and then partitioned into a first set of encrypted ESI partitions a subset of which is able to reconstruct the unpartitioned encrypted ESI. This first set of encrypted ESI partitions is then encrypted with a first set of user encryption keys to form a first set of user-associated encrypted ESI partitions that are made available to a first set of users. When access to the target electronically stored information is changed, the target electronically stored information is accessed and then re-encrypted with a second encryption key to form a second encrypted ESI. This second encrypted ESI is then partitioned and distributed to a second set of users.
Type: Application
Filed: November 1, 2007
Publication date: May 7, 2009
Applicant: SUN MICROSYSTEMS, INC.
Inventor: Radia Perlman
-
Publication number: 20080016352
Abstract: One embodiment of the present invention provides a system that maintains keys using limited storage space on a computing device, such as a smart card. During operation, the system receives a request at the computing device to perform an operation involving a key. While processing the request, the system obtains an encrypted key from remote storage located outside of the computing device, wherein the encrypted key was created by encrypting the key along with an expiration time for the key. Next, the system decrypts the encrypted key to restore the key and the expiration time, wherein the encrypted key is decrypted using a computing-device key, which is maintained locally on the computing device. Finally, if the expiration time has not passed, the system uses the key to perform the requested operation. Note that by storing the encrypted key in remote storage, the computing device is able to use the key without consuming local storage space to store the key.
Type: Application
Filed: January 3, 2006
Publication date: January 17, 2008
Inventor: Radia Perlman
-
Publication number: 20070245410
Abstract: One embodiment of the present invention provides a system that facilitates securely forgetting a secret. During operation, the system obtains a set of secrets which are encrypted with a secret key Si, wherein the set of secrets includes a secret to be forgotten and other secrets which are to be remembered. Next, the system decrypts the secrets to be remembered using Si, and also removes the secret to be forgotten from the set of secrets. The system then obtains a new secret key Si+1, and encrypts the secrets to be remembered using Si+1. Finally, the system forgets Si.
Type: Application
Filed: April 17, 2006
Publication date: October 18, 2007
Inventors: Radia Perlman, Anton Rang
-
Publication number: 20070147376
Abstract: A method for protecting a victim includes locating at least one router, providing a set of addresses associated with at least one replica and a victim to each of the at least one router, intercepting a request packet sent from a requesting source to the victim by one of the at least one router, directing the request packet to the at least one replica, and creating a response packet specifying the victim as a response source and the requesting source as a response destination.
Type: Application
Filed: December 22, 2005
Publication date: June 28, 2007
Applicant: Sun Microsystems, Inc.
Inventors: Radia Perlman, Hilarie Orman
-
Publication number: 20050068903
Abstract: One embodiment of the present invention provides a system that prevents loops from occurring when spanning tree configuration messages are lost while executing a spanning tree protocol on bridges in a network. During operation, the system executes the spanning tree protocol on a bridge. This spanning tree protocol configures each port coupled to the bridge into either a forwarding state, in which messages are forwarded to and from the port, or a backup state, in which messages are not forwarded to or from the port. The system also monitors ports coupled to the bridge to determine when messages are lost by the ports. If one or more messages are lost on a port, the system refrains from forwarding messages to or from the port until no messages are lost by the port for an amount of time.
Type: Application
Filed: September 26, 2003
Publication date: March 31, 2005
Inventor: Radia Perlman
-
Publication number: 20050066174
Abstract: A method and system for utilizing an encryption or decryption agent so as to preclude access by the encryption agent or decryption agent, respectively, to the information being encrypted or decrypted. To preclude access by the encryption agent, a blinding function is applied to the information prior to forwarding such information to the encryption agent for encryption. To preclude access to the information by the decryption agent, a blinding function is applied to the encrypted information prior to forwarding the encrypted information to the decryption agent for decryption. Once the information has been returned, the information is unblinded, leaving an encrypted or decrypted message respectively.
Type: Application
Filed: September 18, 2003
Publication date: March 24, 2005
Inventor: Radia Perlman
-
Publication number: 20050066175
Abstract: A method and system is disclosed for utilizing an ephemeral encryption or decryption agent so as to preclude access by the ephemeral encryption agent or decryption agent, respectively, to the information being ephemerally encrypted or decrypted. To preclude access by the ephemeral encryption agent, a blinding function is applied to the information prior to forwarding such information to the encryption agent for encryption. To preclude access to the information by the ephemeral decryption agent, a blinding function is applied to the encrypted information prior to forwarding the encrypted information to the decryption agent for decryption. Once the information has been returned, the information is unblinded, leaving an encrypted or decrypted message respectively.
Type: Application
Filed: September 18, 2003
Publication date: March 24, 2005
Inventor: Radia Perlman
-
Patent number: 6804779
Abstract: Content is distributed via a network. Hierarchical watermarks are embedded in the content to prevent unauthorized copying of the content. In particular, a first digital watermark is embedded by a content source prior to distributing content to an intermediary distributor. The first watermark identifies the content source and the distributor. Clients that request copies of the content from the distributor receive copies that have a second digital watermark embedded. The second digital watermark identifies the distributor and the client. This approach alleviates the burden placed on the content source to embed watermarks to each copy of the content that is distributed to clients.
Type: Grant
Filed: January 10, 2000
Date of Patent: October 12, 2004
Assignee: Sun Microsystems, Inc.
Inventors: Germano Caronni, Amit Gupta, Radia Perlman
-
Publication number: 20020143850
Abstract: A method and apparatus for progressively processing data is described. One or more embodiments of the invention provide for using multiple processing nodes to perform data processing. Each node may perform part or all the steps involved in data processing. Processing nodes use progress indicators to communicate the status of the processing progress. An embodiment of the invention uses progressive processing and progress indicators to perform incremental processing where data processing is performed in sequence by multiple processing nodes. Another embodiment uses progressive processing and progress indicators to delegate processing by one processing node to another processing node dedicated to providing a specific service. This method provides for efficient usage and management of data processing resources, and allows a single intermediate processing node to share the processing load with other processing nodes.
Type: Application
Filed: March 27, 2001
Publication date: October 3, 2002
Inventors: Germano Caronni, Radia Perlman
-
Patent number: 5892828
Abstract: A technique verifies the presence of a user to applications stored on a distributed network system using a single password. The technique generally comprises computing a one-way hash value of the password that is initially provided by the user to a workstation during a login procedure. This initial hash value is stored by the workstation so that it may be readily accessible for authenticating the user to other applications of the system. These other applications query the user as to its identity by issuing an operating system application programming interface (API) call that specifies, e.g., "quiz user for password". The API call invokes a routine that requests the user's password and, in response to that password, hashes it and compares the resulting hash value with the stored hash value. If the values match, the user is reliably authenticated.
Type: Grant
Filed: October 23, 1996
Date of Patent: April 6, 1999
Assignee: Novell, Inc.
Inventor: Radia Perlman
-
Patent number: 5175765
Abstract: A public-key encryption system is used to reliably transmit packets over a network subject to malicious failures. Each node on the network is associated with a public and private key. A transmission over the network identifies its originating node and also includes a digital-signature code word generated by encoding predetermined portions of the transmission using the private key of the originating node. When a transmission is received, the receiving node verifies that the transmission was originated by the identified originating node by manipulating the packet contents using the public key associated with the originating node. The packet is accepted only if the digital-signature code word in the packet corresponds to contents of the packet and the public key of the originating node.
Type: Grant
Filed: May 9, 1989
Date of Patent: December 29, 1992
Assignee: Digital Equipment Corporation
Inventor: Radia Perlman
-
Patent number: 5079767
Abstract: A method for multicast communication wherein a multicast message is distributed to all the nodes in a multicast range. If a multicast message has a multicast range which is larger than one link in the network then the message is forwarded along a unique set of pathways through the range. The unique set of pathways is called a multicast spanning tree and is unique to all nodes which can communicate directly by virtue of a list of known nodes. The network is divided into areas each of which contains a group of directly communicating nodes. A group of nodes designated as level two nodes facilitates communication between the nodes in different areas.
Type: Grant
Filed: August 25, 1989
Date of Patent: January 7, 1992
Assignee: Digital Equipment Corporation
Inventor: Radia Perlman
-
Patent number: 4864559
Abstract: A method for multicast communication wherein a multicast message is distributed to all the nodes in a multicast range. If a multicast message has a multicast range which is larger than one link in the network then the message is forwarded along a unique set of pathways through the range. The unique set of pathways is called a multicast spanning tree and is unique to all nodes which can communicate directly by virtue of a list of known nodes. The network is divided into areas each of which contains a group of directly communicating nodes. A group of nodes designated as level two nodes facilitates communication between the nodes in different areas.
Type: Grant
Filed: September 27, 1988
Date of Patent: September 5, 1989
Assignee: Digital Equipment Corporation
Inventor: Radia Perlman