Abstract: A method operates an electrical control device on the basis of license information, which is stored in a removable storage medium. The method includes the following steps, which are carried out by the control device: reading out a removable storage medium identification of the removable storage medium, reading a license file, which is stored in the removable storage medium, extracting a license file identification from the read license file, comparing the license file identification with the removable storage medium identification, and when the license file identification matches the removable storage medium identification, extracting license information from the license file and operating the control device in accordance with the license information and storing the license file identification and the license information in the control device.

Abstract: Systems and methods for end-to-end encryption and compression are described herein. A query is encrypted at a client using a homomorphic encryption scheme. The encrypted query is sent to a server where the encrypted query is evaluated over target data to generate encrypted response without decrypting the encrypted query. The result elements of the encrypted response are grouped, co-located, and compressed, without decrypting the encrypted query or the encrypted response. The compressed encrypted response is sent to the client where it is decrypted and decompressed to obtain the results of the query without revealing the query or results to the owner of the target data, an observer, or an attacker.

Abstract: Disclosed are various embodiments for synchronizing authentication sessions between applications. A token exchange service receives a first authentication token from a client computing device. The first authentication token corresponds to a registration of an application of the client computing device for a user account. The first authentication token is validated. A second authentication token is generated, corresponding to a browser-based session for the user account. The second authentication token is sent to the client computing device.

Abstract: A computer-implemented method, computer program product, and system are provided. The method includes generating, by a password management system using a set of Hardware Random Number Generators (HRNGs), at least one salt based on statistics of a set of random numbers with given distributions generated by the set of HRNGs. The method further includes forming, by a processor, a hashed password based on the at least one salt.

Abstract: The disclosed computer-implemented method for monitoring bait to protect users from security threats may include (i) monitoring a bait computing resource to detect attempts to access the bait computing resource, (ii) virtualizing the bait computing resource to prevent a false positive by hiding the bait computing resource from at least one trusted application that has been categorized as safe, (iii) detecting an attempt by a different application to access the virtualized bait computing resource, and (iv) performing a security action to protect a trusted user by reporting the attempt to access the virtualized bait computing resource by the different application. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: In order to achieve the dispersion of a processing load between communication devices that perform information transmission, an information communication system according to an exemplary aspect of the present invention includes a first transmission system configured to transmit information in a direction from a first communication device to a second communication device; and a second transmission system configured to transmit information in a direction opposite to the direction of the first transmission system, wherein part of transmission information is received as received information in each of the first transmission system and the second transmission system.

Abstract: Computer-implemented systems and methods are provided for providing access to a portion of a video to a requesting user. For example, a computer can receive an identification of a video, a starting point of a clip within the video, and an ending point of the clip within the video from a rights holder. The computer can define a video clip based on the identified video, the starting point, and the ending point. The computer can also provide a link by which a requesting user is provided access to the video clip.

Abstract: An information processing system includes a memory that stores a user and authorization information, indicative of processing permitted for the user to execute with respect to a server on a communication line, in an associated manner; a generating unit that generates second authorization information on the basis of first authorization information associated with a user who uses a first device; a transmitting unit that transmits the second authorization information to a second device located near the first device; a receiving unit that receives data and the second authorization information from the second device; and a requesting unit that requests the server to execute processing using the data, on the basis of the second authorization information.

Abstract: Technologies for secure programming of a cryptographic engine include a computing device with a cryptographic engine and one or more I/O controllers. The computing device establishes one or more trusted execution environments (TEEs). A TEE generates a request to program the cryptographic engine with respect to a DMA channel. The computing device may verify a signed manifest that indicates the TEEs permitted to program DMA channels and, if verified, determine whether the TEE is permitted to program the requested DMA channel. The computing device may record the TEE for a request to protect the DMA channel and may determine whether the programming TEE matches the recorded TEE for a request to unprotect a DMA channel. The computing device may allow the request to unprotect the DMA channel if the programming TEE matches the recorded TEE. Other embodiments are described and claimed.

Abstract: wherein the server system is configured to cause said other device to synchronize with the updated data in response to confirmation of identification information about said other device included in the identification information about the terminal transmitted by the transmission unit.

Abstract: In one implementation, a server receives a request from a client device to access a user account, wherein the user account provides access to one or more credentials associated with the user. The server determines that the client device is not associated with the user account and prompts the user to provide a biometric identification of the user. The server then receives data representing the biometric identification of the user from the client device. The server determines that the data representing the biometric identification of the user matches a biometric profile of the user associated with the user account. In response to the determination, the server associates the client device with the user account, such that the user is enabled to access the user account, and the associated one or more credentials, from the client device.

Abstract: In one embodiment a method, apparatus and system for is described for receiving a first input including a first decryption key and a second input including an encrypted second decryption key at a cryptographic decryption apparatus, the encrypted second decryption key to be decrypted by the cryptographic apparatus according to the first decryption key, storing a value of a key ladder length in a first register by a cryptographic processor, and using the stored value as a loop index by the cryptographic processor for a number of iterations of the cryptographic decryption apparatus executed as a loop, wherein at one stage in the loop execution of the cryptographic decryption apparatus, the second input includes the key ladder length, wherein the loop operation of the cryptographic decryption apparatus operates for a number of iterations equal to an initial value of the loop index. Related methods, apparatuses and systems are also described.

Abstract: A method, system, and computer program product for providing protected remote access from a remote access client to a remote access server over a computer network through a plurality of inspections. A remote access configuration file is created for the remote access client. A digital hash of the configuration file is then generated. The digital hash is compared with a configuration file stored at a predefined web location. If the comparison results in a match between the digital hash and the stored configuration file, a digital hash comparison is performed between an encrypted remote access configuration file and an encrypted configuration file stored at the predefined web location. If the plurality of inspections are passed, the remote access client is released from a quarantine state and a virtual private network (VPN) connection to the remote access server is established.

Abstract: Single sign-on techniques via an application or browser are described. In one or more implementations, a single instance of entry of authentication information is received that is entered via interaction with an application or browser of a computing device. Responsive to this receipt, the single instance of the entry of authentication information is used by the computing device automatically and without user intervention to cause authentication to obtain access to one or more network services that are accessible via a network by the application and the browser.

Abstract: A semiconductor integrated circuit for the processing of conditional access television signals that includes an input interface for receiving encrypted television signals and an output interface for output of decrypted television signals. The semiconductor integrated circuit is provided with some functionality restricted in some way by preventing one or more hardware circuit elements from operating, such as an MPEG decoder, display engine, IO ports or main CPU. To enable the functionality, a subscriber must pay for a service and then receives an encrypted message broadcast to the semiconductor integrated circuit that is decrypted and instructs functionality to be turned on or off.

Abstract: Metering is enabled through an arrangement in which a metering certificate is communicated to a mobile device using an over-the-air protocol. A metering trigger provides the metering certificate that includes a location to which metering data is posted by the mobile device and a public key of a public-private key pair, or alternatively provides a link to such metering certificate. A metering helper passes the metering certificate to a DRM system on the mobile device which collects metering data associated with the metering ID and uses the public key to encrypt the metering data into a metering challenge. The metering helper posts the metering challenge to the location. The metering service extracts the metering data from the metering challenge using a private key and generates a metering response that is received by the metering helper which prompts the DRM system to reset at least a portion of a data store in which the metering data is stored.

Abstract: A content protection management system that enables interoperability with other Content Protection and DRM technologies. A managed security domain provides a simple, consistent and reliable experience to whole-home network subscribers. The architectural concept for the whole-home network includes an underlying control plane with an overlaying content security control plane running a particular DRM technology.

Abstract: Methods and systems are disclosed a digital investigation tool capable of recovering and decrypting content. The tool combines digital techniques with decryption capability for a wide range of encryption algorithms. In one implementation, the tool identifies the type and/or vendor of the encryption algorithm used to protect the content. The tool then automatically obtains the decryption information needed to decrypt the content. Depending on the encryption algorithm used, the information may include a master key, user-specific keys, user IDs, passwords, and the like. The decryption information may be accumulated in a local or remote storage location accessible by the tool, or it may be acquired in real time on an as-needed basis from a third-party encryption vendor, a key server, and the like. Such an arrangement allows law enforcement agencies as well as corporate security personnel to quickly recover and decrypt content stored on a computer system.

Abstract: Authentication system comprising an input device comprising a plurality of input elements configured for inputting respectively characters in response to an input of a sequence of at least one character carried out by a user, the input device comprising at least one determination means coupled to at least one input element in order to determine a force exerted on the said at least one input element, the system comprising a recording means for recording a series of at least one force exerted on the said at least one input element, a memory configured for storing a series of at least one reference force, and comparison means configured for comparing the series of at least one exerted force with the series of at least one reference force.

Abstract: According to one embodiment, a node that is a root node of a network forming a directed acyclic graph topology, which is composed of plural nodes including the node serving as the root node and having a parent-child relationship among nodes of adjacent hierarchies, includes a generating unit, an encrypting unit, and a transmitting unit. The generating unit generates a group key, and a list indicating a first node to which a distribution of the group key is inhibited. The encrypting unit encrypts the group key so as to be capable of being decrypted by a first child node other than the first node out of the child nodes of the root node. The transmitting unit transmits a first message, including an encrypted group key, which is the group key that is encrypted with respect to the first child node, and the list.

Abstract: The subject matter of this specification can be embodied in, among other things, a method that includes receiving, from a web browser, a request for a token that authorizes a third party server to access a user's data stored by a content provider server. The token specifies a first scope of authorization that indicates a portion of the user's data that the third party server is permitted to access. The method also includes determining if the first scope is substantially the same as or a subset of a second scope of a previously issued token and transmitting the token in response to the received request if the first scope is determined to be substantially the same as or a subset of the second scope.

Abstract: The invention provides a low-cost access control device for identification and authentication in both the “digital” and “physical” worlds by contact-bound respectively contact-less interfaces and where individual users of the device can securely update access control credentials and cryptographic keys from a remote system without the need for any additional hardware or specialized software. The access control credentials and the at least one cryptographic key shall be readable by an access control system via the contact-less interface of the device, thereby enabling or denying the holder of the device access.

Abstract: A method may be for detecting potentially suspicious operation of an electronic device configured to operate in the course of activity sessions. The method may include within the device, a metering, from an initial instant of the number of activity sessions having a duration below a first threshold, and a comparison of this number with a second threshold.

Abstract: Methods, apparatus and systems for embedding auxiliary information in encrypted host signals are provided. The present invention enables secure application of digital watermarks at any point in the transmission and/or distribution of digital content by enabling the insertion of a plurality of digital watermarks, without the knowledge of the encryption/decryption keys, into a digital host content that has been encrypted with an encryption key. The embedded watermarks persist throughout the content subsequent to the decryption of the content. The disclosed techniques are applicable to content that has been encrypted using a variety of different encryption techniques and algorithms, including stream ciphers, block ciphers, symmetric and asymmetric encryption algorithms. These methods are further adapted to enable the insertion of watermarks into a content that is compressed prior to encryption.

Abstract: Methods and apparatus for providing media content offered by media content subscription service to portable media player devices associated with subscribers of the service are described herein. In various embodiments, particular fulfillment module, request module and media player are provided to fulfillment server(s) of the subscription service, request client devices, and portable media player devices, respectively.

Abstract: The present invention relates to an information processing system, an information processing apparatus and method, and a program in which the purchase of content can be facilitated. When a device to which content data is downloaded and a device for giving an instruction to purchase the content data are different, a purchase form for purchasing the content data is sent to the device for giving an instruction to purchase the content data. The user ID and password are input into the purchase form, and the device to which the content data is downloaded is determined by the user ID. If the device to which the content data is downloaded cannot be specified because the user registers a plurality of devices, a destination determination form for specifying the device to which the content data is downloaded is sent. The content data is then distributed to the device indicated in the destination determination form. The present invention is applicable to a server for executing processing concerning content data.

Abstract: A personal video recorder (PVR) enables delivery of audio-visual content and associated metadata to storage devices. The PVR is configured to access a plurality of services using a plurality of storage modules. Each storage module is dedicated to a single designated content provider. One or more of the storage modules are removably coupled to the PVR. A disconnected storage module can be reconnected to another PVR different from the PVR from which the storage module was disconnected. Where authorization is required to access content stored on the storage module, authentication is performed each time the removable storage module is reconnected to a PVR.

Abstract: A method for auto provisioning for a communication device in a wireless communication network comprises the steps of: receiving a request from a station; determining the validity of the request according to a verification code carried by the request; sending a response to the station; receiving a security message from the station; retrieving a security key carried by the security message; and executing network provisioning according to the security key.

Abstract: A method for use in playing content that is made up of data includes establishing in a device a physical media storing a first portion of the data making up the content, receiving a streamed second portion of the data making up the content, wherein the second portion of the data includes essential information for reconstructing the content from the first portion of the data, and playing the content by combining the first portion of the data with the second portion of the data to correctly reconstruct the content. A method for use in enhancing security of content that is made up of data includes removing information from the data making up the content that is essential for playing the content.

Abstract: An electronic system is provided, in which a smart chip, a smart chip controller, a processor, a system memory, and an access management module is provided. The smart chip controller communicates with the smart chip. The processor performs a mutual authentication with the smart chip. The system memory is accessible to the smart chip and the processor. The access management module is coupled between the processor and the smart chip controller. The access management module prevents the processor accessing a certain range of the system memory according to a block command from the smart chip controller, in response of that the mutual authentication between the processor and the smart chip is failed.

Abstract: A host machine provisions a virtual machine from a catalog of stock virtual machines. The host machine instantiates the virtual machine. The host machine configures the virtual machine, based on customer inputs, to form a customer's configured virtual machine. The host machine creates an image from the customer's configured virtual machine. The host machine unwraps a sealed customer's symmetric key to form a customer's symmetric key. The host machine encrypts the customer's configured virtual machine with the customer's symmetric key to form an encrypted configured virtual machine. The host machine stores the encrypted configured virtual machine to non-volatile storage.

Abstract: The invention relates to video distribution systems and, more particularly, to a system that blanket transmits video/audio content such as digital data (for example, via satellite downlink transmission) to each customer's computer-based recording, storage and playback system. Customers preselect from a list of available digital data or other content in advance using an interactive screen selector, and pay for only the video/audio content that is actually viewed.

Abstract: A flexible product distribution and payment system for computer network based electronic commerce is disclosed. Primary content data is made available to customers through a detachable local storage medium, such as a DVD or CD-ROM disc, or over a network connection. The primary content is capable of being accessed and played back through a computer or game console at the customer site. The primary content distribution may comprise a superset of content that is intended to be used by the customer. The customer is allowed to view and access the encoded primary content, and is charged only for the primary content that is used. Content that is encoded on the medium but that is not used by the customer remains on the medium but is not charged. A content database and customer database maintained at the primary customer site maintain records of products ordered and used by the customer, as well as identification and use patterns associated with the user.

Abstract: Techniques are provided for adjusting the number of devices allowed to use a digital product (e.g., software) under a license. In one embodiment, the technique may involve setting the allowed number of devices to a first upper/lower limit for a first time period, and, after the first time period has expired, increasing/lowering the allowed number of devices to a second upper/lower limit for a second time period. The technique may involve, readjusting the allowed number for a third time period, thereby allowing for a changing number of device installations of the digital product.

Abstract: A Set Top Box (STB) or client computer includes a communication interface operable to receive digital messages and digital content, memory operable, and processing circuitry coupled to the communication interface and to the memory. The STB is operable to receive a digital message, extract a key portion from the digital message, decrypt the key portion, descramble the digital content using the decrypted key portion, extract a rights portion from the digital message, decrypt the rights portion, determine protected and unprotected digital content based upon the rights portion, write the unprotected digital content to an unprotected portion of the memory, and write the protected digital content to a protected portion of the memory. The decrypted key portion may include a plurality of Program IDs (PIDs) and the decrypted rights portion may include protection data for each PID. A security processor may prevent a central processing unit from accessing the protected portion of the memory.

Abstract: A system, method, and computer program product for managing limited-use software on a host computer having an operating system is disclosed. A software application can be installed in the operating system as a virtualized application using light weight virtualization technology. Rights usage information for the software application is received, the rights usage information comprising a rule describing permitted use of the software application on the host computer. A determination is made whether to enable the virtualized application based at least in part on the rights usage information. Responsive to the determination, the virtualized application is enabled to be executed on the host computer.

Abstract: A system and method providing for appending of a note or instruction to the contents of an email such that the note or instructions is only appended to emails of selected recipients of a group of recipients, with only the email going to the other recipients of the group of recipients is provided.

Abstract: The present invention controls to read encrypted digital data from a detachable storage medium, in which the digital data and a decode key for decoding encryption of the digital data are stored. In reading the digital data, the decode key is read, the decode key is deleted from the storage medium, the encrypted digital data is read, and then encryption of the encrypted digital data is decoded by the read decode key.

Abstract: An authentication method authenticates between subscribers of a communications system using an asymmetric elliptic curve encryption algorithm. The method involves providing a first and at least one second subscriber having a first or second secret key known only to the respective subscriber and a public key; authenticating an inquiry transmitted by the first subscriber with respect to the validity of the first certificate contained therein and associated with the first subscriber; calculating the response of the second subscriber associated with the inquiry; randomized encryption of the calculated response and a second certificate associated with the second subscriber using the public key; decryption and authentication of the response transmitted by the second subscriber with respect to the validity of the second certificate contained therein.

Abstract: A content receiver writes out, together with content received from a content server, time supply source designation information indicating a second time supply source designated by a copyright protection system (DRM) to an exchangeable medium in association with the content. When the time supply source designation information is recorded in the exchangeable medium, a content reproducer performs viewing expiration time determination for the content recorded in the exchangeable medium referring time obtained on the basis of the second time supply source indicated by the time supply source designation information instead of a first time supply source referred to in order to specify present time used in determining a viewing expiration time in a content protection system (CPS).

Abstract: Usage rights for a digital work are established prior to creation of the corresponding content. The rights can be associated with the content after the content is created. A content creation, such as a video recorder or a still camera, device can store labels of the rights and can associate usage rights with content in real time as the content is created.

Abstract: A method for pairing a first element and a second element, wherein the first element and the second element form a first decoding system among a plurality of receiving decoding systems in a broadcasting network. Each receiving decoding system is adapted to descramble scrambled audiovisual information received over the broadcasting network. A first key unique in the broadcasting network is selected. A second key is determined according to the first key, such that a combination of the first key and the second key enables to decrypt broadcasted encrypted control data that is received to be decrypted by each receiving decoding system, the encrypted control data being identical for each receiving decoding system. The first key and the second key are assigned respectively to the first element and the second element.

Abstract: Methods, systems and communication nodes for bootstrapping key establishment to exchange encryption keys between a terminal-based client and an application server using Session Initiation Protocol (SIP) signaling are described.

Abstract: Techniques are disclosed for sharing information in a wide variety of contexts. An information sharing system is described that allows both an explicit capture process and an implicit capture process to add information items to a staging area. Further, the information sharing system supports both implicit and explicit consumption of information items that are stored in said staging area. A rules engine is provided to allow users to create and register rules that customize the behavior of the capture processes, the consuming processes, and propagation processes that propagate information from the staging areas to designated destinations. Techniques are also described for achieving exactly-once handling of sequence of items, where the items are maintained in volatile memory. Techniques are also provided for recording DDL operations, and for asynchronously performing operations based on the previously-performed DDL operations.

Abstract: An access management system for managing network access of an end-user to one or more online content sources of a number of content providers. The system comprises a content proxy unit that stores the concealed addresses of the content sources. The content proxy unit is designed to receive a request for accessing one or more content sources from the end-user. The system further comprises an access management unit that stores an access rights record of the end-user. The access management unit is designed to authorize the request according to the access rights record of the end user. If the request is authorized, the content proxy unit facilitates the accessing using the concealed addresses of the requested content sources.

Abstract: A self-service terminal comprises: a plurality of session initiation devices, each associated with an initiation token, so that a customer can initiate a transaction using one of a plurality of different initiation tokens. The terminal further comprises a plurality of session suppliers, each session supplier being associated with one of the session initiation devices, and each session supplier being operable: (i) to receive from its associated session initiation device, information from an initiation token provided by a customer, and (ii) to create an electronic access token based on the received information. The terminal also comprises a session supplier aggregate operable to receive an electronic access token from one of the session suppliers for each session to be created; and a session component operable (i) to receive the electronic access token from the session supplier aggregate and (ii) to create a session based on the received electronic access token.

Abstract: A copy protection apparatus and method enabling storage of copy protection information separately from protected content is disclosed. One embodiment includes a digital data signal receiver to receive a digital data signal, the digital data signal receiver also to receive a copy protection signal produced from a copy protection information file being storable on a copy protection information storage device, a digital to analog converter operatively connected to the digital data signal receiver for converting the digital data signal to an analog signal, and a signal modifier connected to the digital to analog converter and the digital data signal receiver to produce a viewable copy protected analog signal from the analog signal and the copy protection signal, the copy protection signal specifying a modification to the analog signal to change video lines of the analog signal.

Abstract: The present embodiments provide methods, apparatuses, and systems to distribute content over a network. Some embodiments provide methods to distribute content within a local media network. These methods receive a request for a first content to be transferred to a sink device, request from the source an access criteria for a first content that is protected according to a first digital rights management (DRM), forward the access criteria to the sink device, receive an evaluation of the access criteria from the sink device regarding at least whether the sink device can interpret the first DRM, determine according to the evaluation received from the sink device whether the sink device can utilize the first content that is protected according to the first DRM, and initiate a transfer of the first content from the source device to the sink device when the sink device can utilize the first content.

Abstract: A disclosed data recovery method, image processing apparatus, controller board, and data recovery program enable data stored encrypted in a storage unit within an information processing apparatus to be recovered when an internal encryption key of the apparatus becomes unavailable. A first encryption key is stored in a secure memory, a second encryption key is stored in a first storage unit, and data is stored in a second storage unit. The second encryption key is decrypted with the first encryption key. The second encryption key is backed up outside the information processing apparatus as a backup key, such as by printing it on a sheet with a plotter. When the first encryption key becomes unavailable, the backup key is restored back in the information processing apparatus. The data stored in the second storage unit is then decrypted with the restored backup key.

Abstract: A method for making statistics of media flow information may include: sending a request for making statistics of media flow information to a BGF; and receiving statistic information of the media flow from the BGF, wherein the statistic information of the media flow is metered by the BGF after receiving the request for making statistics of media flow information A system and a BGF are also disclosed in embodiments of the present invention. In the present invention, the accurate metering ability of the BGF is employed to acquire accurate statistic information of the media flow, thereby accurate service charging may be implemented and service charging based on used network resources amount and QoS may be supported. Furthermore, the statistic information of the media flow, such as start time, end time, flow count information and statistic information of actual QoS, may help operation and maintenance of the network.