Abstract: A machine instruction is provided that includes an opcode field to provide an opcode, the opcode to identify a perform pseudorandom number operation, and a register field to be used to identify a register, the register to specify a location in memory of a first operand to be used. The machine instruction is executed, and execution includes for each block of memory of one or more blocks of memory of the first operand, generating a hash value using a 512 bit secure hash technique and at least one seed value of a parameter block of the machine instruction; and storing at least a portion of the generated hash value in a corresponding block of memory of the first operand, the generated hash value being at least a portion of a pseudorandom number.

Abstract: A method, system, and computer program product to generate results for a query to an encrypted database stored on a host are described. The system includes a host comprising a storage device to store the encrypted database, and a a secure processor to generate indexes and index metadata from the encrypted database, each index identifying records of the encrypted database associated with a range of data for at least one field stored in the records of the encrypted database and the metadata indicating the range of data identified by the associated index. The system also includes an interface of the host to receive the query, and a host processor to generate a sub-query form the query for each field associated with the query. Based on sub-query results obtained through the index metadata, the secure processor searches a subspace of the encrypted database to generate the results of the query.

Abstract: According to some exemplary embodiments, a computer-implemented timestamp method includes maintaining, at a cryptographic service provider (CSP), one or more timestamp policies specifying when digital timestamps should be issued. A timestamp request is received at the CSP from a timestamp authority that manages timestamping and is accompanied by a corresponding timestamp data structure. With a computer processor, a difference is determined between a first time specified in the timestamp data structure and a second time indicated by an internal clock of the CSP. The timestamp request is rejected if the first timestamp data structure fails to comply with a predetermined timestamp policy, where the predetermined timestamp policy requires that the difference between the first time and the second time be below a predetermined threshold.

Abstract: A machine instruction is provided that includes an opcode field to provide an opcode, the opcode to identify a perform pseudorandom number operation, and a register field to be used to identify a register, the register to specify a location in memory of a second operand to be used. The machine instruction is executed, and execution includes obtaining a modifier field of a register associated with the machine instruction; based on the modifier field having a first value, performing a deterministic pseudorandom number seed operation, which includes obtaining seed material based on information stored in the second operand; using a 512 bit secure hash technique and the seed material to provide one or more seed values; and storing the one or more seed values in a parameter block.

Abstract: A method for updating code images in a system includes booting a first image of a code with a sub-system processor, receiving a second image of the code, performing a security and reliability check of the second image of the code with the sub-system processor, determining whether the security and reliability check of the second image of the code is successful, storing the second image of the code in a first memory device responsive to determining that the security and reliability check of the second image of the code is successful, designating the second image of the code as an active image, and sending the second image of the code to a second memory device, the second memory device communicatively connected with the first memory device and a main processor.

Abstract: A method for updating code images in a system includes booting a first image of a code with a sub-system processor, receiving a second image of the code, performing a security and reliability check of the second image of the code with the sub-system processor, determining whether the security and reliability check of the second image of the code is successful, storing the second image of the code in a first memory device responsive to determining that the security and reliability check of the second image of the code is successful, designating the second image of the code as an active image, and sending the second image of the code to a second memory device, the second memory device communicatively connected with the first memory device and a main processor.

Abstract: According to some exemplary embodiments, a computer-implemented timestamp method includes maintaining, at a cryptographic service provider (CSP), one or more timestamp policies specifying when digital timestamps should be issued. A timestamp request is received at the CSP from a timestamp authority that manages timestamping and is accompanied by a corresponding timestamp data structure. With a computer processor, a difference is determined between a first time specified in the timestamp data structure and a second time indicated by an internal clock of the CSP. The timestamp request is rejected if the first timestamp data structure fails to comply with a predetermined timestamp policy, where the predetermined timestamp policy requires that the difference between the first time and the second time be below a predetermined threshold.

Abstract: Methods and apparatus are provided for authenticating communications between a user computer and a server via a data communications network. A security device has memory containing security data, and security logic to use the security data to generate an authentication response to an authentication message received from the server in use. An interface device communicates with the security device. The interface device has a receiver for receiving from the user computer an authentication output containing the authentication message sent by the server to the user computer in use, and interface logic adapted to extract the authentication message from the authentication output and to send the authentication message to the security device. Includes a communications interface for connecting to the server via a communications channel bypassing the user computer. Either the security device or interface device sends the authentication response to the server via the communications channel bypassing the user computer.

Abstract: A machine instruction is provided that includes an opcode field to provide an opcode, the opcode to identify a perform pseudorandom number operation, and a register field to be used to identify a register, the register to specify a location in memory of a second operand to be used. The machine instruction is executed, and execution includes obtaining a modifier field of a register associated with the machine instruction; based on the modifier field having a first value, performing a deterministic pseudorandom number seed operation, which includes obtaining seed material based on information stored in the second operand; using a 512 bit secure hash technique and the seed material to provide one or more seed values; and storing the one or more seed values in a parameter block.

Abstract: A method for integrity checking for a cryptographic engine in a computing system includes monitoring a state of a side channel of the cryptographic engine during operation of the cryptographic engine by a side channel monitor; comparing the state of the side channel to a side channel model of the cryptographic engine to determine whether a mismatch exists between the state of the side channel and the side channel model; and based on a mismatch between the state of the side channel and the model of the side channel, indicating an error in the cryptographic engine.

Abstract: A machine instruction is provided that includes an opcode field to provide an opcode, the opcode to identify a perform pseudorandom number operation, and a register field to be used to identify a register, the register to specify a location in memory of a first operand to be used. The machine instruction is executed, and execution includes for each block of memory of one or more blocks of memory of the first operand, generating a hash value using a 512 bit secure hash technique and at least one seed value of a parameter block of the machine instruction; and storing at least a portion of the generated hash value in a corresponding block of memory of the first operand, the generated hash value being at least a portion of a pseudorandom number.

Abstract: A method, system, and computer program product to generate results for a query to an encrypted database stored on a host are described. The system includes a host comprising a storage device to store the encrypted database, and a a secure processor to generate indexes and index metadata from the encrypted database, each index identifying records of the encrypted database associated with a range of data for at least one field stored in the records of the encrypted database and the metadata indicating the range of data identified by the associated index. The system also includes an interface of the host to receive the query, and a host processor to generate a sub-query form the query for each field associated with the query. Based on sub-query results obtained through the index metadata, the secure processor searches a subspace of the encrypted database to generate the results of the query.

Abstract: Embodiments of the present invention provide a system, method, and computer program product for updating software on an embedded computer device. According to one aspect of the present invention, a concurrent embedded application update is performed in which selected state information for one or both of an embedded virtual machine and a plurality of applets on an embedded computer device is securely exported to a host computer device. After software updates have been installed, the selected state information can be restored on the embedded computer device from which it was exported and/or it can be migrated to a second embedded computer device.

Abstract: A computer method, computer system, and article for enabling digital signature auditing. The method includes the steps of: receiving at least one signature request issued by at least one application, forwarding a first data corresponding to the received at least one signature request to at least one signing entity for subsequent signature of the first data, storing an updated system state that is computed using a function of: i) a reference system state and ii) a second data corresponding to the received at least one signature request, where the reference system state and the updated system state attest to the at least one signature request, and repeating the above steps, using the updated system state as a new reference system state, where the steps of the method are executed at a server of a computerized system.

Abstract: A computer method, computer system, and article for enabling digital signature auditing. The method includes the steps of: receiving at least one signature request issued by at least one application, forwarding a first data corresponding to the received at least one signature request to at least one signing entity for subsequent signature of the first data, storing an updated system state that is computed using a function of: i) a reference system state and ii) a second data corresponding to the received at least one signature request, where the reference system state and the updated system state attest to the at least one signature request, and repeating the above steps, using the updated system state as a new reference system state, where the steps of the method are executed at a server of a computerized system.

Abstract: A machine instruction is provided that includes an opcode field to provide an opcode, the opcode to identify a perform pseudorandom number operation, and a register field to be used to identify a register, the register to specify a location in memory of a first operand to be used. The machine instruction is executed, and execution includes for each block of memory of one or more blocks of memory of the first operand, generating a hash value using a 512 bit secure hash technique and at least one seed value of a parameter block of the machine instruction; and storing at least a portion of the generated hash value in a corresponding block of memory of the first operand, the generated hash value being at least a portion of a pseudorandom number.

Abstract: A machine instruction is provided that includes an opcode field to provide an opcode, the opcode to identify a perform pseudorandom number operation, and a register field to be used to identify a register, the register to specify a location in memory of a second operand to be used. The machine instruction is executed, and execution includes obtaining a modifier field of a register associated with the machine instruction; based on the modifier field having a first value, performing a deterministic pseudorandom number seed operation, which includes obtaining seed material based on information stored in the second operand; using a 512 bit secure hash technique and the seed material to provide one or more seed values; and storing the one or more seed values in a parameter block.

Abstract: A method for processing requests in a channel can include receiving a first request in the channel, running calculations on the first request in a processing time TP, in response to a receipt of a plurality of subsequent requests, creating a batch, adding each of the plurality of subsequent requests to the batch and processing the batch in a time TB.

Abstract: A method, system, and computer program product to generate results for a query to an encrypted database stored on a host are described. The method includes generating indexes from the encrypted database, each index identifying records of the encrypted database associated with a range of data for at least one field stored in the records of the encrypted database, and generating index metadata associated with each index, the index metadata indicating the range of data identified by the associated index. The method also includes generating a sub-query from the query for each field associated with the query and determining a subspace of search within the encrypted database based on sub-query results obtained through the index metadata. The method further includes searching the subspace of the encrypted database to generate the results of the query.

Abstract: A method of decoding a two-dimensional enhanced-density barcode. A first and a second barcode are encoded in the enhanced-density barcode. The enhanced-density barcode includes a set of blocks. Each block includes a predefined number of sub-pixels. The blocks of the enhanced-density barcode being arranged relatively to each other in a geometrical lattice having a first and a second lattice direction. The method includes the steps of distorting of the enhanced-density barcode in the first lattice direction, resulting in a first distorted barcode, distorting of the enhanced-density barcode in the second lattice direction, resulting in a second distorted barcode, reconstructing the first barcode by low-pass filtering the first distorted barcode, reconstructing the second barcode by low-pass filtering the second distorted barcode.