Abstract: A data structure is transmitted from a first computer to a second computer by transmitting a plurality of messages from the first computer to the second computer. Each message contains data of a node of the structure and one or more references to child pointer locations in previously transmitted nodes. The data of each transmitted node is stored in the second computer, and the location of each node is stored in a table of addresses and the or each reference includes an index into the table of addresses. The first computer may then use indexes into the table to identify which nodes need updating, and thus avoid the need for the first computer to know how the second computer is allocating nodes in memory. The or each reference may include an index into an array of child pointers belonging to a node, may include the sequence number of the parent node of the node being transmitted and may also include the index into the parent node's children to the pointer to the node being transmitted.

Abstract: Apparatus (104) for connecting two or more computer networks having two or more network interface machines (201, 202, 203) each arranged to be connected to a respective computer network with a bidirectional communications link (105, 106, 107) enabling the network interface machine to receive data from and transmit data to the computer network. The network interface machines are connected together with at least one content checker (210, 211) to enable data to be transmitted from one network interface machine to another, and arranged such that data transmitted from one network interface machine to another network interface machine must pass via a content checker. Each network interface machine is arranged to transmit flow control data. The network interface machines are connected to the content checkers only by unidirectional communications links.

Abstract: A data structure is transmitted from a first computer to a second computer by transmitting a plurality of messages from the first computer to the second computer. Each message contains data of a node of the structure and one or more references to child pointer locations in previously transmitted nodes. The data of each transmitted node is stored in the second computer, and the location of each node is stored in a table of addresses and the or each reference includes an index into the table of addresses. The first computer may then use indexes into the table to identify which nodes need updating, and thus avoid the need for the first computer to know how the second computer is allocating nodes in memory. The or each reference may include an index into an array of child pointers belonging to a node, may include the sequence number of the parent node of the node being transmitted and may also include the index into the parent node's children to the pointer to the node being transmitted.

Abstract: Methods, apparatus, and programs for a computer for network security content checking: in particular ones which simplify the critical element of a content checker so it can be trusted and implemented in logic.

Abstract: A system for automated checking of data content includes content checkers (208) to (214) arranged in parallel and connected between an input sub-system (204) and an output sub-system (216). The content checkers (208) to (214) check different data formats. Incoming data from an external computer system (202) is passed by the input sub-system (204) to the checkers (208) to (214), which report check results to both input and output sub-systems (204) and (216). From the four check results, the input sub-system (204) judges the data's acceptability for forwarding to a sensitive computer system (218). Unacceptable data is discarded; acceptable data passes to the output sub-system (216), which also judges the data's acceptability from the four check results.

Abstract: A data content checker arrangement for protecting communication between a sensitive computer system (102) and an external computer system (104). The arrangement includes a store (108) connected to input and output sub-systems (106) and (114) and to content checkers (110) and (112) arranged in parallel. The input and output sub-systems (106) and (114) are connected to the external computer system (104) and the sensitive computer system (102) respectively. Data received from the external computer system (104) is encrypted by the input sub-system (106) using an encryption key to which the content checkers (110) and (112) have access. The content checkers (110) and (112) can therefore decrypt, read and check the data. If the data passes a content checker's checks, the checker digitally signs and stores it, decrypted, in the store (108); if the checks are not passed, the checker discards the data.

Abstract: Apparatus (104) for connecting two or more computer networks having two or more network interface machines (201, 202, 203) each arranged to be connected to a respective computer network with a bidirectional communications link (105, 106, 107) enabling the network interface machine to receive data from and transmit data to the computer network. The network interface machines are connected together with at least one content checker (210, 211) to enable data to be transmitted from one network interface machine to another, and arranged such that data transmitted from one network interface machine to another network interface machine must pass via a content checker. Each network interface machine is arranged to transmit flow control data. The network interface machines are connected to the content checkers only by unidirectional communications links.

Abstract: Methods and apparatus for network security content-checking, in particular simplifying the critical element of a content-checker so that it can be trusted and implemented in hardware logic. A method comprises determining whether a digitally encoded document contains any embedded documents; content-checking, by means of at least one hard-ware-implemented content-checker, at least one of the embedded documents separately from those parts of the digitally encoded document within which it was embedded; and releasing a version of the digitally encoded document responsive to the content-checking.

Abstract: This invention relates to an optical star network in which different communities of users, such as different businesses, are provided through use of quantum key distribution (QKD). At least one QKD device is located at the central hub of the star network and communicates with QKD devices at the endpoints to establish a separate quantum key, i.e. a cryptographic key established by QKD, with each endpoint. A separate key manager is provided for each different community and each key manager is arranged to use the appropriate quantum keys for endpoints within that community to deliver the same community key to each endpoint. This community key can be used by for encrypting network traffic between members of the same community with security. Traffic passing through the network switch is encrypted, but the community keys are not delivered via the switch and hence the switch an error in the switch does not compromise security.

Abstract: The method involves exchange of a quantum signal between a first quantum node and a second quantum node as is usual in known quantum key distribution (QKD) scheme. The first quantum node communicates details of the quantum signal it sent or received with a first remote node. The first remote node thus has all the information to required to take the place of the first quantum node in the key agreement step with the second quantum node. The first quantum node may be arranged to transmit the quantum signal to the second quantum node, in which case the invention provides a distributed quantum transmitter with the control logic in the first remote node being distributed remotely from the actual quantum transmitter in the first quantum node. Communications between the first remote node and first quantum node may comprise or be protected by a quantum key derived by conventional QKD.

Abstract: The present invention relates to an improved quantum signal transmitter, which has a plurality of quantum output channels having at least one optical source and at least one optical splitter acting on the output of said at least one source. Such a transmitter can easily be used with existing passive optical network (PON) systems and can be a compact piece of equipment.

Abstract: A method of authentication between first (QNodeX) and second (QNodeY) network nodes within a network suitable for implementing quantum cryptography comprises steps in which the first and second nodes each generate a cryptographic hash ([MXY]AI, [MYX]AJ) of a message ([MXY], [MYX]) using respective authentication keys (AI, AJ) shared with a third network node (QNodeW). The messages may be those exchanged between the first and second nodes during agreement of a quantum key to be used between the nodes. An authentication key to be shared by the first and second nodes may be established using the quantum key. The invention therefore allows an authentication key to be established and shared between the first and second network nodes without direct physical intervention. Networks having large numbers of network nodes may be re-keyed following replacement or maintenance of a network node much more quickly and easily than is the case where re-keying is achieved by physically supplying shared authentication keys.

Abstract: A method of key distribution from a first entity to a second entity including the first entity communicating with a moveable key device so as to share a secret data with said moveable key device, relocating said moveable key device to a location having a quantum link with said second entity, transmitting a quantum signal from said moveable key device to said second entity on said quantum link, the quantum signal being based on said secret data; and said first entity and said second entity undertaking key agreement based on the quantum signal received by the second entity. Such a method allows the principles of quantum key distribution to be applied even in the absence of a suitable quantum communications link between the first and second entities.

Abstract: A method of establishing a quantum key for use between a first network node (QNode1) and a second network node (QNode3) in a network for carrying out quantum cryptography includes a key agreement step carried out by a third node (QNode2) and the second node (QNode3) and a subsequent authentication step carried out by the first and second nodes directly. As the key agreement step does not involve QNode1, another key agreement step may be simultaneously performed by another pair of network nodes QNode4, QNode5 to agree a quantum key for use by network nodes QNode1 and QNode5. The invention allows respective quantum keys to be established between a network node and each of a set of other nodes more rapidly than is the case if each quantum key is established serially by key agreement and authentication steps.

Abstract: Methods and apparatus for use in quantum key distribution (QKD) are described. A quantum QKD signal is generated at a source and transmitted through a fiber optic network to an endpoint, a key being agreed with communication over a classical QKD channel. The classical QKD channel contains additional information relevant to a network over which keys are distributed, and may be processed at nodes intermediate between the source and the endpoint.

Abstract: A method of performing quantum key distribution across a network. The method involves a first node first agreeing a quantum key with a first intermediate node in the path. Next the intermediate node exchanges a quantum signal with the next node in the path—which is a targeted node. The intermediate node communicates with the first node using the previous established quantum key details of the quantum signal sent or received by the intermediate node. The first node then performs a key agreement step to agree a quantum key directly with the targeted node. Having established a quantum key with the current targeted node the method can be repeated but with the next node in the network path as the targeted node until a destination node is reached. The final quantum key agreed with the destination node can then be used for encrypting communication between those nodes across the network.

Abstract: The invention relates to methods and apparatus for Quantum key distribution. Such methods including authenticating a first node in a communications network with a remote node in the communications network. The authentication may include connecting an authentication device to the first node, agreeing a quantum key between the first node and the remote node based on a quantum signal transmitted or received by the first node and performing an authentication step between the authentication device and the remote node on an encrypted channel. Authentication between the authentication device and remote node may be taken as authentication of the first node.

Abstract: Methods, apparatus, and programs for a computer for network security content checking: in particular ones which simplify the critical element of a content checker so it can be trusted and implemented in logic.

Abstract: Methods and apparatus for network security content-checking, in particular simplifying the critical element of a content-checker so that it can be trusted and implemented in hardware logic. A method comprises determining whether a digitally encoded document contains any embedded documents; content-checking, by means of at least one hard-ware-implemented content-checker, at least one of the embedded documents separately from those parts of the digitally encoded document within which it was embedded; and releasing a version of the digitally encoded document responsive to the content-checking.

Abstract: A system for automated checking of data content includes content checkers (208) to (214) arranged in parallel and connected between an input sub-system (204) and an output sub-system (216). The content checkers (208) to (214) check different data formats. Incoming data from an external computer system (202) is passed by the input sub-system (204) to the checkers (208) to (214), which report check results to both input and output sub-systems (204) and (216). From the four check results, the input sub-system (204) judges the data's acceptability for forwarding to a sensitive computer system (218). Unacceptable data is discarded; acceptable data passes to the output sub-system (216), which also judges the data's acceptability from the four check results.