Abstract: Access to a plurality of logical devices is enabled regardless of the number of ports provided in a storage system and the number of logical devices that can be allocated to a single port, thereby improving the usability of the logical devices. A storage system comprises a plurality of logical devices, a target device which is the object of access from a computer, and a juke box system for allocating one of the plurality of logical devices to the target device. The juke box system changes the logical device that is allocated to the target device in accordance with a request from the computer.

Abstract: A system is provided to support dynamically changeable virtual mapping schemes in a data processing system. The present invention separates processing of data unit requirements from the selection of which storage subsystems to use for storage by using a storage methodologies inventory. A stored data management subsystem contains one or more hosts. A plurality of data storage elements is functionally coupled to the one or more hosts. The plurality of data storage elements is organized using a plurality of layers of mapping tables. The plurality of layers of mapping tables provides unique identification of location of the data such that individual data entries in a mapping table is variable and self-defining with respect to the amount of data managed.

Abstract: A multithreaded processor, fetch control for a multithreaded processor and a method of fetching in the multithreaded processor. Processor event and use (EU) signs are monitored for downstream pipeline conditions indicating pipeline execution thread states. Instruction cache fetches are skipped for any thread that is incapable of receiving fetched cache contents, e.g., because the thread is full or stalled. Also, consecutive fetches may be selected for the same thread, e.g., on a branch mis-predict. Thus, the processor avoids wasting power on unnecessary or place keeper fetches.

Abstract: A method, apparatus, system, and signal-bearing medium that in various embodiments determine whether to execute a command in a queue or whether to wait until another command or commands completed. The determination is based on a combination of an in-use vector and a scorecard vector. The in-use vector indicates which slots in various queues contain commands. The scorecard vector indicates the dependencies between various queues. In this way, the scorecard vector, and the thus the queue dependencies can be set and modified after the logic that processes the commands has been designed.

Abstract: Methods and apparatus for calculating Single-Instruction-Multiple-Data (SIMD) complex arithmetic. A coprocessor instruction has a format identifying a multiply and subtract instruction to generate real components for complex multiplication of first operand complex data and corresponding second operand complex data, a cross multiply and add instruction to generate imaginary components for complex multiplication of the first operand complex data and the corresponding second operand complex data, an add-subtract instruction to add real components of the first operand to imaginary components of the second operand and to subtract real components of the second operand from imaginary components of the first operand, and a subtract-add instruction to subtract the real components of the second operand from the imaginary components of the first operand and to add the real components of the first operand to the imaginary components of the second operand.

Abstract: Embodiments include various methods, apparatuses, and systems in which a processor includes an out of order issue engine and an in-order execution pipeline. For some embodiments, the issue engine may be remote from the execution pipeline and execution resources may be many clock cycles away from the issue engine. The issue engine categorizes operations as at least one of either a speculative operations which perform computations, or an architectural operations which has potential to fault or cause an exception. Potentially excepting operations may be decomposed into two separate micro-operations: a speculative micro-operation, which is used to generate data results speculatively so that operations dependent on the results may be speculatively issued, and an architectural micro-operation, which signals the faulting condition for the excepting operation. A STORE operation becomes an architectural operation and all previous faulting conditions may be guaranteed to have evaluated before a STORE is issued.

Abstract: A method, apparatus, and computer instructions in a data processing system for processing instructions are provided. Instructions are received at a processor in the data processing system. If a selected indicator is associated with the instruction, counting of each event associated with the execution of the instruction is enabled. Functionality may be provided in the performance monitoring application for initiating the measurement of secondary metrics with regard to identified instructions, data addresses, ranges of identified instructions, or ranges of identified data addresses, based on counter values for primary metrics. Thus, for example, when a primary metric counter, or a combination of primary metric counters, meets or exceeds a predetermined threshold value, an interrupt may be generated. In response to receiving the interrupt, counters associated with the measuring of secondary metrics of a range of instructions/data addresses may be initiated.

Abstract: A boot routine is initialized in a computer by bootstrapping a volume top file (VTF) located in a first addressable location accessible upon the initializing of the boot routine and the volume top file bootstrapping a set of firmware modules.

Abstract: A memory initialization method for a plurality of memories. The memories are initialized according to predetermined initial parameters. A first quantity of the memories is detected. Optimum parameters are set according hardware information of the memories. The memories are re-initialized according to the optimum parameters. A second quantity of the memories is detected. The parameters for memory initialization are adjusted when the first quantity and the second quantity are different.

Abstract: Methods, systems, and media are disclosed for improved granularity of a response-request communication on a networked computer system. One example embodiment includes receiving the request-response communication by the networked computer system, and associating the request-response communication with a port, having a nodelay setting, from a set of ports on the networked computer system. Further, the example embodiment includes enabling, based upon the associating, the nodelay setting upon connection of the request-response communication with the port. Further still, the example embodiment includes sending, in accordance with the enabling, the request-response communication to a destination in communication with the networked computer system.

Abstract: Systems, methods, and devices are provided for kernel configurations. One embodiment includes a kernel configuration tool, a system file accessible by the kernel configuration tool, and means for automatically detecting and moving a kernel configuration in association with boot and shutdown routines.

Abstract: A peer-to-peer collaborative network system is described. The peer-to-peer collaborative network system uses an authentication system with multiple levels of authentication. This allows some collaboration applications to allow a collaboration with a high authentication level, but not to allow a collaboration with a lower level of authentication. Other collaborative applications can allow a collaboration with the lower level of authentication.

Abstract: A method and apparatus for restricting access of an application to computer hardware. The apparatus includes both an authentication module and a validation module. The authentication module is within the trusted firmware layer. The purpose of the authentication module is to verify a cryptographic key presented by an application. The validation module is responsive to the authentication module and limits access of the application to the computer hardware. The authentication modules may be implemented in software through a firmware call, or through a hardware register of the computer.

Abstract: An on-line value bearing item (VBI) printing system that includes one or more cryptographic modules and a central database is disclosed. The cryptographic modules are capable of implementing the USPS Information Based Indicia Program Postal Security Device Performance Criteria and other required VBI standards. The modules encipher the information stored in the central database for all of the on-line VBI system customers and are capable of preventing access to the database by unauthorized users. Additionally, the cryptographic module is capable of preventing unauthorized and undetected modification, including the unauthorized modification, substitution, insertion, and deletion of VBI related data and cryptographically critical security parameters.

Abstract: The present invention is useful for routing data traffic in data communications networks where some or all of the network interface links are protected by cryptographic techniques, e.g., encryption. The invention routes datagram traffic in such networks toward interface links perceived to have strong encryption protection and away from interface links perceived to have weak or weakening encryption protection, based on the remaining encryption capacity for such links.

Abstract: Firewall system for interconnecting a first IP network (10) to a second IP network (16), these networks belonging to two different entities having each a different administration wherein any data packet transmitted/received by the first IP network is filtered by using a first firewall function and any data packet transmitted/received by the second IP network is filtered by using a second firewall function. The system comprises essentially a single firewall device (20) including filtering means (41, 43) performing both first firewall function and second firewall function, a console port (37) enabling the administrator in charge of each IP network to enter filtering rules for updating the associated firewall function and control means (39, 47, 49) interconnecting the console port and the filtering means for transmitting thereto the filtering rules so that each administrator may independently manage the system from the console port.

Abstract: If a CRL is cached for an increased speed of a certificate validation process, when a certification authority issues a CRL in an urgent situation, the accuracy of the certificate validation result cannot be secured because the cached CRL is not the latest one. This problem is solved as follows. When it issues a CRL, the certification authority sends a CRL issuance notification to certificate validation servers. The certificate validation servers that received the CRL issuance notification cache the latest CRL. Thus, the accuracy of the certificate validation result can be secured.

Abstract: A system for proactive forced renewal of content protection implementations in devices includes a key generation facility to generate and allocate keys for the devices, and to generate revocation data corresponding to revoked keys in response to at least one of a security compromise and on a periodic basis independent of a security compromise; and a device manufacturer to receive the keys from the key generation facility, to embed the keys in content protection implementations for the devices, to distribute the devices, and to renew the content protection implementations in devices after the devices are distributed, in response to at least one of a security compromise and on a periodic basis independent of a security compromise.

Abstract: A method of verifying data timeliness with time-based derived cryptographic keys is disclosed. A master key is received. Based on both the master key and a current time, an interval key is derived. Data, which was encrypted with the interval key, is decrypted with the interval key.

Abstract: A method, apparatus, and computer instructions for process-based access controls on computer resources to processes. An access mechanism is provided in which a specific invoker obtains an object access identity (ACI). Another mechanism is provided in which a specific object, such as a file system resource, requires a specific object access identity to obtain one of the forms of access denoted by an access control list. A process may “grant” an identifier that is later “required” for a system resource access. Objects may specify their own access requirements and permitted access modes. The granted identifier, ACI, is stored in the process's credentials once these credentials match a specific “grant” entry in the access control list. This identifier has no meaning outside of being used to make an access decision for a specific resource. When a process tries to access the object, the object's access control list is scanned for “required” entries.

Abstract: A system and method are described supporting secure implementations of 3DES and other strong cryptographic algorithms. A secure key block having control, key, and MAC fields safely stores or transmits keys in insecure or hostile environments. The control field provides attribute information such as the manner of using a key, the algorithm to be implemented, the mode of use, and the exportability of the key. A MAC algorithm is applied across the key and control for generating a MAC field that cryptographically ties the control and key fields together. Improved security is provided because tampering with any portion of the key block results in an invalid key block. The work factor associated with any manner of attack is sufficient to maintain a high level of security consistent with the large keys and strong cryptographic algorithms supported.

Abstract: A client server system and devices thereof, which perform a distributed processing while performing access control. when a client device demands a job of the server device, the server device outputs an authentication demand message to an authentication server via a network. The authentication device performs authentication of a user taking account of an effective range of authentication information and effective dates and returns results of authentication to the server device via the network. The server device implements the demanded job in accordance with the results of authentication.

Abstract: A method that provides access to Privileged Accounts to users by way of a two-way-encrypted credential store. In accordance with this invention, a process that needs to retrieve credentials for a third party system causes the operating system to launch a second process. This second process runs under a secured user id without interactive access. The requesting process can then pass generalized command streams to the second process, including tokenized credential retrieval requests. These tokenized credential retrieval requests are processed to authenticate the requests, perform audit logging of requests and retrieval of credentials. Tokenized credential requests transformed by the second process into credentials, which can be embedded within a command stream and then either forwarded to a sub-process or returned to the requesting process.

Abstract: Authentication information is generated for a group where members within a group are able to communicate with each other, but a non-members is not able to participate in that communication. The authentication information provides the determination of whether the member belongs to the group.

Abstract: Secure identification of a user in an electronic communications environment, wherein a host computer communicates with a plurality of electronic devices operated by the user. The user is issued a user code, known only to the user and stored in the host computer. User identification involves the host computer generating a pseudo-random security string and applying the user code to the pseudo-random security string to generate a transaction code. The host computer also transmits the pseudo-random security string to one of the electronic devices which displays the pseudo-random security string to the user. The user generates the transaction code by applying their known user code to the displayed pseudo-random security string. The user enerated transaction code is entered into an electronic device, then transmitted back to the host computer. Positive identification is achieved when the host computer determined transaction code matches the user generated transaction code.

Abstract: An electronic signal transmission device comprises a first communication section to be connected to a first electronic device of a signal transmitting side; a second communication section to be connected to a second electronic device of a signal receiving side; an authentication section for executing an authentication process with the first electronic device and supplying key information for decryption; a decryption section for executing a decryption process of an encrypted signal supplied from the first electronic device based on the key information from the authentication process; and a supply section for directly supplying the encrypted signal from the first electronic device and the key information to the second communication section in order to avoid signal delay by the authentication.

Abstract: A method and system are directed towards enabling authentication in a distributed environment. The method employs a hashed salted password associated with a user in part to pre-authenticate the user. If the user is pre-authenticated, a ticket is transmitted to a client. The ticket includes a cryptographic digest of a concatenation of the local and remote addresses that is exclusive or'ed with a timestamp to generate a modified authenticator. The modified authenticator is directed at binding the timestamp to the client to minimize reuse of an authenticator. A packet that includes the authenticator is sent to a server. The server is configured to determine another remote and local IP address associated with the packet. Employing the remote and local addresses, the server extracts the timestamp from the modified authenticator. If the timestamp is within a pre-determined time window, the user may be authenticated.

Abstract: The present invention discloses a system and method for configuration of access rights to sensitive information handled by a sensitive Web-Service. In a case of requested configuration changes initiated by the client system the Web-Server system provides a configuration data file to the client system preferably using a SOAP-communication protocol. The changes of the configuration data file are exclusively performed offline at the client side and the updated configuration data file is signed with authentication information and sent as a part of a SOAP-request to the Web-Server system. The Web-Server system provides a filter component for identifying and discarding non-SOAP requests as well as an access control manager for providing authentication examination for incoming SOAP-requests. After successful passing these components the SOAP-request is used for updating the existing configuration data file.

Abstract: The invention provides a method of forensic digital watermarking that randomly selects an orientation and/or embedding protocol for a forensic digital watermark signal to be embedded in the content signal. It then embeds the forensic digital watermark signal at the selected orientation in the content signal. The embedding applies a different orientation to the digital forensic watermark for each instance of embedding a forensic watermark. This thwarts averaging and over-embedding attacks and enables generational forensic tracking.

Abstract: A system that allows secure processing in a case where a download-requesting terminal and a download-destination terminal are different devices is implemented. A content distribution server receives a ticket carrying a signature of a download destination from a terminal requesting downloading of content, and verifies the ticket to verify that a device serving as the download destination is a device authorized by the download-requesting terminal, thereby verifying the authenticity of the device serving as the download destination without directly authenticating the device serving as the download destination. Furthermore, a content-signing key [Ksig] or a hash value is exchanged as data that can be cryptographically processed only at the download-requesting device and the download-destination device, so that, for example, checking of the integrity of the content is allowed only at a legitimate download-destination device.

Abstract: The invention provides a method of forensic digital watermarking that randomly selects an orientation and/or embedding protocol for a digital watermark signal to be embedded in the content signal. It then embeds the digital watermark signal at the selected orientation in the content signal. The embedding applies a different orientation to the forensic watermark for each instance of embedding a watermark. This thwarts averaging and over-embedding attacks.

Abstract: Documents and other items can be delivered electronically from sender to recipient with a level of trustedness approaching or exceeding that provided by a personal document courier. A trusted electronic go-between can validate, witness and/or archive transactions while, in some cases, actively participating in or directing the transaction. Printed or imaged documents can be marked using handwritten signature images, seal images, electronic fingerprinting, watermarking, and/or steganography. Electronic commercial transactions and transmissions take place in a reliable, “trusted” virtual distribution environment that provides significant efficiency and cost savings benefits to users in addition to providing an extremely high degree of confidence and trustedness. The systems and techniques have many uses including but not limited to secure document delivery, execution of legal documents, and electronic data interchange (EDI).

Abstract: A transaction device adds or injects a random noise component into signals representing (x,y) coordinate signals associated with user interface with an input screen associated with the device. The noise component can be generated by converting to analog the output of a random number generator, and then adding the noise component to the x-axis and/or y-axis component of the (x,y) coordinate signal. Alternatively the noise component can be injected into the x-axis and/or y-axis operating potential for the input screen. The result is a masking of the original (x,y) positional information. The randomly generated number is only available internal to the device. The device can use this number to de-crypt the true (x,y) signals, which signals can then be re-encrypted before transmitting from the device.

Abstract: A system and associated method for providing access to at least one specified application within a software system. The software system comprises security software and a software tool suite. The security software is adapted to authorize a user to access at least one specified application on a computer system comprising a security standard. The software tool suite is adapted to create or modify a user profile for the user. The user profile comprises at least one transaction necessary for the user to access the at least one specified application. The software tool suite is adapted to integrate in real time the user profile into the security software. The software tool suite is adapted to create a user profile report in real time to verify that the user profile is in compliance with the security standard of the computer system.

Abstract: A method and apparatus for protection of computer assets from unauthorized access is described. A protection engine is incorporated into microprocessor support circuitry to control access to computer assets, for example, BIOS memory and peripheral devices. The protection engine is capable of monitoring the state of an switch and controlling access to computer assets based, in part, on the state of the switch. The protection engine is capable of authenticating the source of interface control commands using cryptographic techniques. The protection engine provides protection against computer viruses, malicious cookies and java/javascript applets, macros, unauthorized remote access to a computer system, and other forms of unauthorized access.

Abstract: A method and system of processing a cryptographic packet includes receiving a first cryptographic packet in a host CPU. A first set of data required to execute the first cryptographic packet is identified. The first cryptographic packet and the required first set of data is transferred to a cryptographic co-processor. The first cryptographic packet is executed in the cryptographic co-processor. The host CPU is notified that the execution of the first cryptographic packet is complete. The executed first cryptographic packet is received in the host CPU.

Abstract: The present invention provides an apparatus and method for performing cryptographic operations on a plurality of input data blocks within a processor. In one embodiment, an apparatus for performing cryptographic operations is provided. The apparatus includes a cryptographic instruction and translation logic. The cryptographic instruction is received by fetch logic in a microprocessor as part of an instruction flow. The cryptographic instruction prescribes one of the cryptographic operations. The translation logic translates the cryptographic instruction into micro instructions. The micro instructions are ordered to direct the microprocessor to load a second input text block and to execute the one of the cryptographic operations on the second input text block prior to directing the microprocessor to store an output text block corresponding to a first input text block. Consequently, the output text block is stored during execution of the one of the cryptographic operations on the second input text block.

Abstract: In an encryption storage apparatus (data storage apparatus) (1), when entered an allocation request signal (a1), a key management section (7) outputs a generation request signal (b) to a random number generation section (3). The random number generation section (3) generates a pseudorandom number as an encryption key (c) at the entering timing of the generation request signal (b), and the key management section (7) causes a volatile key storage section (4) to store the encryption key (c) and returns a corresponding key number (a2) to a user side. When the user enters an encryption instructing signal (a3) and the key number (a2) to the key management section (7), the key management section (7) reads out the corresponding encryption key (c), and an encryption section (5) converts entered data (d1) into encrypted data (d2) and stores the encrypted data (d2) in a nonvolatile storage section (2).

Abstract: A method for performing data integration between two or more computer systems provided over a network includes extracting data from a first database associated with a first computer system of first type, the extracted data having a first file format and a first character-set format. The data are encrypted using a first security key. The encrypted data are stored in a shared volume provided in a storage system, the storage system being coupled to a plurality of computer systems. The encrypted data are received from the shared volume of the storage system at a second computer system of second type, the first and second computer system being of different computer systems. The received data are converted from the first file format to a second file format, the first file format being suitable for the first computer system and the second file format being suitable for the second computer system. The received data are decrypted using a second security key that is associated with the first security key.

Abstract: Systems, methods and computer program products for high availability enhancements of virtual security module servers. Exemplary embodiments include a command processing method, including receiving a command from a virtual machine monitor in an I/O controller of a recipient virtual security appliance, determining a load of a crypto engine of the recipient virtual security appliance to assign a master/slave flag, the crypto engine having a master virtual trusted platform module and a slave trusted platform module, assigning a master/slave flag to the command to identify a command type, determining the command type in the I/O controller, receiving output from the crypto engine and returning the output to the virtual machine monitor.

Abstract: A smart card which includes a non-volatile read/write memory and a processor connected to the memory, and further configured to cause the processor to perform a method for enhancing data security and managing the contents of memory during periods when the computational power of the processor is underutilized. The method includes steps for determining if a command or character has been received, processing and/or responding to the command or character once received, implementing a security measure and/or managing memory, and performing a tamper protocol in response to detecting a security breach, all of which is performed while waiting to receive the next command or character.

Abstract: A digitally controlled device is provided to interface between a user of adjustable power unit and an adjustable power module, where the user provides an analog user input signal for adjusting the performance of the adjustable module using a user defined standard. The digitally controlled device provides the adjustable power module an analog input signal adapted to the standard used by the module. The digital controller device for controlling adjustable power module that comprises at least one analog to digital converter for converting analog user input signal to digital input, a micro-controller adapted to receive the input digital information and operate at least one digital to analog unit in response to the digital input information and at least one digital to analog converter unit adapted to produce analog input signal for controlling adjustable module.

Abstract: A circuit is provided for generating clock signals for clocking a digital signal processor (DSP) and a memory, the circuit comprising of a clock generator for receiving a first clock, generating a DSP clock signal by dividing the first clock by X, and generating a memory clock signal based on the first clock and the DSP clock signal, wherein the DSP is clocked by the DSP clock to generate a write command for writing data into the memory and to generate a read command for reading data in the memory, and data is written into the memory or read from the memory in response to the memory clock signal. A method is also provided for accessing a memory, the method comprising of receiving a first clock; generating a DSP clock signal by dividing by X the first clock; generating a memory clock signal according to the first clock and the DSP clock signal; outputting DSP data in response to the DSP clock signal; and reading data from a memory or writing the DSP data into the memory in response to the memory clock signal.

Abstract: The present invention provides a power negotiation protocol that enables PDs and PSEs to negotiate the amount of inline power that a PD consumes and the corresponding PSE provides. This power negotiation allows the PDs provide fine-grained power consumption level to PSEs, and the PSEs are able to manage inline power efficiently using the negotiation protocol of the present invention. The PDs can ask the PSEs for more power when needed rather than having to constantly reserve the maximum amount of power they can consume at all times. Similarly, the PDs can release reservation of excess power when their respective power requirements decrease. The PSEs can limit the amount of power that can be consumed by the PD, thereby providing the ability for an administrator to control how much power a given PD can consume.

Abstract: A lock-out circuit is adapted to selectively perform a lock-out function in an integrated circuit device. The lock-out function cuts off the supply of an operating voltage to the integrated circuit device whenever a power supply voltage for the device falls below a predetermined detection voltage. However, the lock-out function is disabled whenever the integrated circuit device performs an operation requiring a power supply voltage lower than the predetermined detection voltage.

Abstract: A device of this invention solely executes a power saving operation without influencing a repeater operation on a serial bus interface to which a plurality of devices are cascade-connected. A device such as a digital camera, printer, or the like, which is cascade-connected using an IEEE1394 serial bus interface, uses an IC prepared by forming both physical and link layers on a single chip. This IC has a port connected to a bus. When a power supply on the bus side is OFF, this port can insulate the bus in DC term. This device transits to a power saving mode such as a sleep mode, suspend mode, shutdown mode, or the like after an elapse of a predetermined wait time. In the shutdown mode, the system power supply of the device is turned off, but the IC can operate by electric power supplied from a cable. With this operation, a signal can be relayed between devices, and a packet for the link layer can be received.

Abstract: In a method and system for an improved power adapter providing power to a load, the power adapter is electrically coupled to the load via a multi-conductor connector. A change in a current flowing through a conductor of the connector is sensed in response to the coupling. The power output of the adapter is enabled after establishing initial contact, as sensed by the change in the current. Power supply identifier (PSID) information is enabled for communication through the conductor after enabling the power.

Abstract: Systems and methods for dynamic power management of electronic devices are disclosed. In one form, a system employing dynamic power management for electronic devices includes a central processing unit operable to process information via a communication bus. The system includes a clock generator and a voltage generator coupled to the processing unit and operably associated with the communication bus having multiple operating voltage levels. The clock generator and communication bus are operated at variable clock rates and voltage levels to ensure bandwidth requirements are satisfied for communicating and processing information. In this manner, power consumption of the system may be dynamically managed while providing sufficient bandwidth for the system.

Abstract: A network interface comprises a medium access control (MAC) device and/or a host interface. A regulator module communicates with the MAC device and/or the host interface and provides a first voltage level during an inactive mode and a second voltage level during an active mode. A physical layer (PHY) device that communicates with the MAC device and/or the host interface and the regulator module and that includes an energy detect module that detects energy on a medium during the inactive mode and an energy save module. The energy save module starts timing a first period and the regulator module transitions the MAC device and/or the host interface to the second voltage level when the energy is detected during the inactive mode. External communication with the MAC device and/or the host interface is enabled after the first period is up.

Abstract: A semiconductor integrated circuit includes a module configured to operate based on a clock signal, a voltage controlling unit configured to change a power supply voltage supplied to the module, a clock generating unit configured to supply the clock signal to the module, and a test circuit configured to operate at the power supply voltage based on the clock signal to emulate a delay of a critical path provided in the module, thereby testing whether the module properly operates at the power supply voltage, wherein the clock generating unit supplies a different signal, in place of the clock signal, to the module while the voltage controlling unit is changing the power supply voltage.