Abstract: Methods and apparatus for control of data and content protection mechanisms across a network using a download delivery paradigm. In one embodiment, conditional access (CA), digital rights management (DRM), and trusted domain (TD) security policies are delivered, configured and enforced with respect to consumer premises equipment (CPE) within a cable television network. A trusted domain is established within the user's premises within which content access, distribution, and reproduction can be controlled remotely by the network operator. The content may be distributed to secure or non-secure “output” domains consistent with the security policies enforced by secure CA, DRM, and TD clients running within the trusted domain. Legacy and retail CPE models are also supported.

Abstract: There is described a method of providing certification functionality.

Abstract: An encryption/decryption method is disclosed. The method comprises: using at least one public encryption algorithm for encrypting/decrypting data by using an encryption key, and using a digital certificate for obtaining the encryption key, being the digital certificate one intended for a purpose of guaranteeing a user's identity, with at least one field including a safe combination of bytes predetermined for containing a guarantee key intended for the purpose of guaranteeing the user's identity. The method also comprises a) selecting, according to at least one predetermined steganographic criterion, a subset of the bits of the field with the guarantee key and/or of at least another field of at least the digital certificate also including a safe combination of bytes but not containing the guarantee key, and b) generating from at least the selected bits the encryption key.

Abstract: A computer system that communicates cryptographic resource utilization information while processing data packets is described. During operation, the system receives a first data packet and generates a second data packet by performing a cryptographic transformation on the first data packet. Next, the system appends auxiliary information to the second data packet. This auxiliary information includes information associated with cryptographic resource utilization during the cryptographic transformation. Then, the system provides the second data packet including the auxiliary information.

Abstract: A system for managing license files comprises a memory operable to store a socket module. The system further comprises a processor communicatively coupled to the memory and operable to receive a command to open a license file, wherein the command is associated with a first user identifier. The license file is stored in a first remote node and is associated with a second user identifier. If the second user identifier matches the first user identifier, the processor is further operable to use the socket module to establish a socket connection with the first remote node. The processor is further operable to, using the socket connection, retrieve from the first remote node a file descriptor associated with the license file. The processor is further operable to apply an update to the license file, wherein the update is addressed according to the file descriptor. If the second user identifier does not match the first user identifier, the processor is further operable to prevent the updating of the license file.

Abstract: The present invention provides a method for transferring encrypted information from one storage area to other storage area wherein cryptographic data protection scheme having protection attributes are applied on the data. A crypto container having cryptographic properties represents cryptographically protected data. The attributes that have been attached to the container at the time when data is added or removed from the container determine the scheme of data protection being applied. Crypto container can be converted or serialized for storage or transmission, here the conversion spread only to the protected data parts which possibly includes crypto containers in protected form but may not the attached crypto attributes. These attributes must be stored or transmitted in another form.

Abstract: A method is provided for secure communication between a transmitter and a receiver. The transmitter comprises a non-volatile memory for storing a first portion of a count value, where the count value is updated after an elapse of a period of time. The transmitter comprises a volatile memory for storing a second portion of the count value. In response to receipt of a transmit request, the transmitter sets a use indicator corresponding to the first portion of the count value. Upon elapse of the period of time, the second portion of the count value is updated. The first portion of the count value is updated if the second portion of the count value overflows and if the use indicator corresponding to the first portion set. A message authentication code is generated based on at least the count value. A message transmitted to the receiver comprises at least the message authentication code.

Abstract: A method and apparatus for controlling digital evidence comprising creating a case record comprising information about an investigative case, electronically storing at least one piece of digital evidence into memory, and associating the stored at least one piece of evidence with the case record.

Abstract: A method and system for monitoring users on one or more computer networks, disassociating personally identifiable information from the collected data, and storing it in a database so that the privacy of the users is protected. The system includes monitoring transactions at both a client and at a server, collecting network transaction data, and aggregating the data collected at the client and at the server. The system receives a user identifier and uses it to create an anonymized identifier. The anonymized identifier is then associated with one or more users' computer network transactions. The data is stored by a collection engine and then aggregated to a central database server across a computer network.

Abstract: To solve problems in that a load on a VPN device is large in a case where the number of terminal devices increases in encrypted communication using a VPN technique, and that only communication between the terminal device and the VPN device is encrypted, thus disabling end-to-end encrypted communication, a communication system is provided, including: a terminal device; a plurality of blades; and a management server that manages the blades, in which: the management server selects a blade, authenticates the terminal device and the selected blade, and mediates encrypted communication path establishment between the terminal device and the selected blade; the terminal device and the blade perform encrypted communication without the mediation of the management server; and the management server requests a validation server to authenticate each terminal.

Abstract: A method for user authentication and identity theft protection. A typing typeprint is used to validate users for access to a computer system. The typeprint may also include a watermark, a timestamp, or voice stamp for further security. The method provides multi-modal biometric protection by supplementing keystroke-scan methods with fingerprint, voice-scan, signature-scan and mouse-scan verification. The authentication program may be built into a keyboard.

Abstract: A method of securely utilizing downloaded data includes the steps of opening a media player; opening a data file; requesting a portable token from and used by a client, the portable token being a physical device removeably coupleable to a client computer; reading a distinguishing number from the token; and verifying a digital message linking the data file to the token using the media player, the distinguishing number, and a private key in the token. The digital message is required to access the data.

Abstract: Processes and apparatus for establishing a secure joint test action group port on a chip are disclosed herein.

Abstract: A system and method for providing secure authentication for website access or other secure transaction. In one embodiment, when a user accesses a website, the web server identifies the user, and sends an authentication request to the user's mobile device. The mobile device receives the authentication requests and sends back authentication key to the web server. Upon verifying the authentication key, the web server grants the access to the user.

Abstract: A plurality of encryption communication apparatuses to which terminal apparatuses are connected are connected via a network, data received from the terminal apparatus which is a transmission source is encrypted by the encryption communication apparatus and transmitted to the other encryption communication apparatus, and data received from the other encryption communication apparatus is decrypted and transmitted to the terminal apparatus which is a transmission destination. Upon initiation of first communication with the other encryption communication apparatuses, the encryption communication apparatus generates and exchange encryption keys according to an encryption key exchange protocol, records them in the encryption key control table and, and sets validity time so as to control that.

Abstract: The present invention relates to a method of enabling secure transfer of a package of information in a digital communications network from a sender to a receiver. According to the method a package of information is encrypted and provided to the receiver. A third party is provided with an encryption key having such a format that it is unable to decrypt said package of information. The encryption key is, upon positive identification of the receiver, providable from said third party to the receiver, and enables, with the involvement of a supplementary encryption key of the receiver, decryption of the package of information.

Abstract: The invention that addresses the problem of authentication of the transport packet stream (which constitutes a flow within a session), which has been admitted into a managed packet network. Authentication and the subsequent policing of the flows supporting an identified client's authorized service prevent a large class of denial of service attacks described below. Specifically, the invention addresses two different matters: 1) key distribution and management 2) various forms of using a shared key for the authentication of transport packets on the user-to-network-interface (UNI).

Abstract: A unique system and method that facilitates visually identifying authentic UI objects, bundles, or windows is provided. A detection component can detect when user-based input has activated a verification mode with respect to one or more trusted UI objects rendered on-screen. A verification component can verify at least one of a source and identity associated with one or more UI objects in order to ensure the integrity related therewith. A verification rendering engine can re-render the one or more trusted UI objects in a manner that is based at least upon whether the one or more trusted UI objects are verified, thus improving visual recognition of verified trusted UI objects over non-verified UI objects.

Abstract: In one embodiment, a method of implementing trusted compliance operations inside secure computing boundaries comprises receiving, in a secure computing environment, a data envelope from an application operating outside the secure computing environment, the data envelope comprising data and a compliance operation command, verifying, in the secure computing environment, a signature associated with the data envelope, authenticating, in the secure computing environment, the data envelope, notarizing, in the secure computing environment, the application of the command to the data in the envelope, executing the compliance operation in the secure environment; and confirming a result of the compliance operation to a client via trusted communication tunnel.

Abstract: A method for transmitting data between a first and a second point comprises the steps of transmitting data, from the first to the second point, together with a signature comprising bits of a first authentication code, and transmitting an acknowledgement, from the second to the first point. The length of the first authentication code is greater than the length of the signature and the first authentication code comprises hidden authentication bits. The acknowledgement is produced by using hidden authentication bits of a second authentication code presumed to be identical to the first, produced at the second point.

Abstract: According to the invention, techniques for authenticating that a digitally signed document is genuine. Specific embodiments according to the present invention can determine whether a digital signature was generated by a digital signature generator, or if the digital signature was generated by a third party posing as the digital signature generator. Specific embodiments can provide independent verification of digital signer identity based upon prior signed messages, time/date stamps, and the like. Techniques according to the present invention can be embodied in methods, apparatus, computer software and systems.

Abstract: In an array of groups of cryptographic processors, the processors in each group operate together but are securely connected through an external shared memory. The processors in each group include cryptographic engines capable of operating in a pipelined fashion. Instructions in the form of request blocks are supplied to the array in a balanced fashion to assure that the processors are occupied processing instructions.

Abstract: In one embodiment, a method of processing a received unit of data received at a node comprises using a first key to determine if at least a portion of the received unit of data was encrypted using a key that is compatible with the first key. The method further comprises determining whether to take a fault-containment action based on at least in part whether at least a portion of the received unit of data was encrypted using a key that is compatible with the first key. The method further comprises, when at least some of the received unit of data is relayed to the second node, using a second key to encrypt at least a portion of the received unit of data that is relayed to the second node in order to generate an encrypted version of the received unit of data that is relayed. The first key differs from the second key.

Abstract: A method is provided for re-initializing a cryptographic processing module (102) at a location designated as an unclassified environment. The method includes storing in a database (122) a module unique recovery vector (310, 510) assigned to a cryptographic processing module. The method also includes indexing the module unique recovery vector in the database using a unique module identifying code (for example, a serial number) assigned to the cryptographic processing module. The method further includes sugsequently communicating the module unique recovery vector from the database, over a computer network (120), to a remote comupting environment (400) that is unclassified. The module unique recovery vector is used to re-initialize the cryptographic processing module.

Abstract: A method of processing data from a file includes obtaining a first portion of the file, encrypting the first portion of the file to create a first encrypted portion, obtaining a second portion of the file, encrypting the second portion of the file to create a second encrypted portion, and storing the first and second encrypted portions such that each of the first and the second encrypted portions can be individually accessed. A method of processing data from a file includes receiving a request to access a first portion of the file, wherein data in the first portion of the file is encrypted, and data in a second portion of the file is encrypted, and decrypting the data in the first portion, and not the data in the second portion.

Abstract: A secure e-mail service, executable on a recipient e-mail server or associated computer system, implements inverted security control over recipient content stored by the recipient e-mail server. Recipient content is received in conjunction with e-mail messages transmitted directed to recipients from sender computer systems unassociated with the secure e-mail service. The secure e-mail service includes a policy engine that operates on e-mail messages, as received from a communications network, to evaluate metadata features of the message and select a corresponding encryption key. The service further includes a content processing engine that operates to encrypt a portion of the message in a manner that allows subsequent decryption of said portion using the selected encryption key. A service interface enables transfer of the e-mail message, including the portion as encrypted, to the recipient e-mail server, which supports access by the recipients.

Abstract: The present invention provides a data recognition apparatus for copy protection which recognizes software distributed through a disc in physically different ways through RFID and a USB memory, a method thereof, and storage mediums therefor. The apparatus comprises a disc insertion section for recognizing a first storage medium in the form of a disc with an RFID tag attached; an RFID reading section for reading the RFID tag; a USB port section for recognizing a second storage medium having the shape of a USB memory; a decoding section for decoding data stored in the first storage medium or the second storage medium; and a transmission section for transmitting the decoded data to the system.

Abstract: A storage medium control apparatus capable of improving the processing performance, while protecting copyright protection information in a security mode, includes: a secure resource which executes mutual authentication processing with an authentication area of a storage medium, and performs encryption or decryption of data; a normal resource which sends or receives data to or from the storage medium; an encryption control unit which performs encryption or decryption of data by controlling the secure resource in the secure mode; a storage medium control unit which sends or receives data encrypted by the encryption control unit or data decrypted by the encryption control unit to or from the storage medium by controlling the normal resource, in the secure mode; and a storage medium processing unit which performs predetermined processing for the data decrypted by the encryption control unit or unencrypted data read from the storage medium by the storage medium control unit.

Abstract: A system and method for communicating information using Layer 1 from a powered device to power source equipment via Ethernet. In one embodiment, Layer 1 information such as power management, classification, temperature, and disconnect information is transmitted from a powered device to power source equipment using an AC signal that has a cycle defining a first time period during which the AC signal is turned on and a second time period during which the AC signal is turned off. A type of information being sent by the powered device can be determined based on characteristic on/off times of the AC signal cycle.

Abstract: One embodiment of the present invention provides a system for implementing a sleep proxy. The system starts by receiving a request at the sleep proxy for information pertaining to a service provided by a device. In response to this request, the system determines if the device is a member of a list of devices for which the sleep proxy takes action. If so, the system determines if the sleep proxy can answer the request. If so, the sleep proxy sends a response to the request on behalf of the device. In a variation on this embodiment, if the system cannot answer the request on behalf of the device, the system sends a wakeup packet to the device, wherein the wakeup packet causes the device to exit a power-saving mode so that the device can respond to the request directly.

Abstract: A system and method of power management for computer processor systems, the method including measuring power usage; monitoring execution of instructions for a finishing instruction; determining a finishing instruction address for the finishing instruction; determining measured power usage for the finishing instruction; and storing the finishing instruction address in association with the measured power usage in a Power History Table (PHT). The information stored in the PHT can be employed to manage the power used by the computer processor system.

Abstract: Embodiments of the present disclosure provide a power-optimizing memory analyzer, a method of operating a power-optimizing memory analyzer and a memory system employing the analyzer or the method. In one embodiment, the power-optimizing memory analyzer is for use with an array of memory blocks and includes a task database configured to provide a parameter set corresponding to each of a set of tasks to be performed in a system. The power-optimizing memory analyzer also includes an allocation module configured to determine offline, a group of memory blocks in the array corresponding to the parameter set for each task and based on providing a power reduction for the array. The power-optimizing memory analyzer further includes a power profiling module configured to generate run-time power profiles of memory power states for each task allowing transparent and dynamic control of the memory power states while maintaining a required quality of service.

Abstract: Embodiments of the present disclosure provide a power controller, a method of operating a power controller and a semiconductor memory system. In one embodiment, the power controller is for use with a memory and includes an access module configured to provide an active state of the memory to allow memory access. The power controller also includes a retain-till-access module configured to cycle a portion of the memory between the active state and a low leakage data retention state of the memory. The power controller further includes an expanded retain-till-access module configured to extend the active state of the memory for a specified period of time before returning the memory to the low leakage data retention state.

Abstract: Power management for a computing device is described based on idle thread code execution and other conditions. In one example, a controller is operated at a first power state. Then the controller is transitioned from the first power state to a second lower power state after it starts executing idle thread code. As an additional optional feature it may be determined whether any one or more of a plurality of conditions is true and the controller may be transitioned from the first power state to the second power state if one or more of the plurality of conditions is true.

Abstract: A computer system including at least one wake-up unit to sense whether a wake-up event occurs in a standby mode to decrease power consumption, a power supplying unit to supply power to the at least one wake-up unit, and a controlling unit to control a power supplying unit to the at least one wake-up unit in the standby mode according to predetermined setting corresponding to whether the at least one wake-up unit is operable.

Abstract: A computer includes a main body having a housing part, a main display unit connected to the main body which displays images, and an auxiliary display apparatus having an auxiliary display unit which displays additional images, wherein the auxiliary display apparatus is insertable into the housing part.

Abstract: A pipelined computer system with power management control in accordance with one or both of a power management signal and a power management instruction.

Abstract: A power supply system suitable for being located in a computer is provided. The system includes a first voltage regulator module (VRM), a second VRM, a first switch unit, and a second switch unit. The first VRM is used to supply a first power. The second VRM is used to supply a second power. The first switch unit is used for controlling the first power to be transmitted to a first central processing unit (CPU) socket by a first power supply path or to a second CPU socket by a second power supply path. The second switch unit is used for controlling the second power to be transmitted to the first CPU socket by the third power supply path or to the second CPU socket by the fourth power supply path.

Abstract: The power supply management system is provided with an information processor and a terminal that is connected to the information processor by a communication line and a power supply line and that is controlled for power supply by the information processor. The terminal includes a monitor unit that is capable of monitoring at least any one of a signal received from the outside through the communication line and a signal detected inside by using the electric power supplied through the power supply line and a change unit that changes an internal power supply path so as to supply electric power other than the electric power supplied through the power supply line on the basis of the monitoring results of the monitor unit.

Abstract: A digital registered data buffer is disclosed that has data paths each with a data input for receiving a digital data input signal (Dn), a clock input for receiving a clock input signal (CLK) and a data output providing a digital data output signal (Qn) for application to a data destination device such as memory devices. The buffer further has a clock output for providing an output clock signal (QCLK) to the data destination device and a phase-locked loop (PLL) with a clock input, a feedback input, a feedback output and a plurality of clock outputs. The buffer uses a pair of data registers, i.e. flip-flops (FF1, FF2) connected in series in each data path. The first data register in each data path is clocked by the clock input signal (CLK) and the second data register in each data path is clocked by one of the clock outputs (PDCLK) from the PLL.

Abstract: An embodiment of the invention provides an apparatus for computation of processor clock frequency ratios in a multi-processor system. The apparatus includes a computation engine configured to determine a processor clock frequency ratio by reading counter values of a first counter and of a second counter within a frequency ratio computation interval, and configured to determine a value of the second counter at an end of a frequency ratio valid interval where the frequency ratio is applied, wherein the frequency ratio valid interval is subsequent to the frequency ratio computation interval, and wherein the frequency ratio valid interval does not overlap the frequency ratio computation interval.

Abstract: An improved technique and associated apparatus for timing calibration of a logic device is provided. A calibration test pattern is transferred to a logic device first at a data rate slower than normal operating speed to ensure correct capture of the pattern at the device to be calibrated. Once the pattern is correctly captured and stored, the test pattern is transmitted to the logic device at the normal operating data rate to perform timing calibration. The improved technique and apparatus permits the use of any pattern of bits as a calibration test pattern, programmable by the user or using easily-interchangeable hardware.

Abstract: A method for autonomous dynamic voltage (v) and frequency (f) scaling (DVFS) of a microprocessor, wherein autonomous detection of phases of high microprocessor workload and prediction of their duration is performed (PID). The microprocessor frequency (f) will be temporarily increased (LUT) to an appropriate safe value (even beyond its nominal frequency) consistent with technological and ambient constraints in order to improve performance when the computer system comprising the microprocessor benefits most, while during phases of low microprocessor workload its frequency (f) and voltage (v) will be decreased to save energy. This technique exploits hidden performance capabilities and improves the total performance of a computer system without compromising operational stability. No additional hardware such as service processors is needed for contemporary computer systems supporting performance counters and DFVS already.

Abstract: A transmitting/receiving unit receives a SIP signal after occurrence of trouble in a SIP server and outputs a call ID of the SIP signal to a recovery-file searching unit. A session control unit once again procures a call process resource and an instance for a session corresponding to a recovery file and stores the call process resource data and the instance data in a main storage unit. The main storage unit stores anew session data included in the recovery file. A recovery-file creating unit creates the recovery file. An external storage unit stores therein the recovery file. The recovery-file searching unit retrieves from the external storage unit the recovery file that matches with the call ID output by the transmitting/receiving unit and outputs the recovery file to the session control unit and the main storage unit.

Abstract: A migration framework provides for the migration of services in a cluster. A migratable target contains a list of servers in the cluster capable of hosting a migratable service. A migration manager can migrate the service between servers in the migratable target, and can activate an instance of the service on the selected host server. The migration manager ensures that only one active instance of the service exists in the cluster. A service stub can serve a user request on servers in the migration target, such as by order of preference, until the user request is served on the server hosting the active instance. A lease manager can assign a lease period to determine how long a server hosts an active instance.

Abstract: A multiple execution-path flash system includes a main flash image with primary and secondary POST and Boot executable files. The secondary executables are offset from the primary executables by a predetermined offset address. If corrupted data is encountered during Boot, the exception handler sets an offset bit resulting in the predetermined offset address being added to the current instruction address. If corrupted data is encountered in the secondary executables, the offset bit is reset. An optional redundant flash image may also be used. A failure at the same relative address in the primary and secondary executables of the main flash image will cause the exception handler to transfer control to the redundant flash image. A subsequent failure at the same relative address in the primary and secondary executables of the redundant flash image will cause the redundant exception handler to transfer control back to the main flash image.

Abstract: Provided is a method, system, and program for processing Input/Output (I/O) requests to a storage network including at least one storage device and at least two adaptors, wherein each adaptor is capable of communicating I/O requests to the at least one storage device. An error is detected in a system including a first adaptor, wherein the first adaptor is capable of communicating on the network after the error is detected. In response to detecting the error, a master switch timer is started that is less than a system timeout period if the first adaptor is the master. An error recovery procedure in the system including the first adaptor would be initiated after the system timeout period has expired. An operation is initiated to designate another adaptor in the storage network as the master if the first adaptor is the master in response to detecting an expiration of the master switch timer.

Abstract: Provided is a method, system, and program for processing Input/Output (I/O) requests to a storage network including at least one storage device and at least two adaptors, wherein each adaptor is capable of communicating I/O requests to the at least one storage device. An error is detected in a system including a first adaptor, wherein the first adaptor is capable of communicating on the network after the error is detected. In response to detecting the error, a master switch timer is started that is less than a system timeout period if the first adaptor is the master. An error recovery procedure in the system including the first adaptor would be initiated after the system timeout period has expired. An operation is initiated to designate another adaptor in the storage network as the master if the first adaptor is the master in response to detecting an expiration of the master switch timer.

Abstract: Methods and apparatus are provided for: monitoring processor tasks and associated processor loads therefor that are allocated to be performed by respective sub-processing units associated with a main processing unit; detecting whether a processing error has occurred in a given one of the sub-processing units; re-allocating all of the processor tasks of the given sub-processing unit to one or more participating sub-processing units, including other sub-processing units associated with the main processing unit, based on the processor loads of the processor tasks of the given sub-processing unit and the processor loads of the participating sub-processing units; and at least one of: (i) shutting down, and (ii) re-booting the given sub-processing unit.

Abstract: Mechanisms for adaptively entering and exiting recovery mode. When a message is received from a particular message transaction, the appropriate processing instance is loaded from persistent memory to system memory. The processing instance then determines from its own state information whether or not it is in recovery mode. This indication of recovery or normal mode may be set by a system-wide recovery detection module. If the processing instance determines that it is in normal mode, then the processing instance executes code appropriate for normal operation without needing to execute any recovery code at all. If, on the other hand, the processing instance determines that it is in recovery mode, then it executes recovery code. Once the recovery code has completed successfully, the processing instance may then cause its own normal mode.