Abstract: A robust watermark embedded into a Direct Stream Digital (DSD) audio signal including a flat frequency response in a specific frequency range which does not extend below 20 kHz or above 100 kHz. The watermark is therefore hidden in the noise spectrum of the DSD signal, such that the watermark is inaudible to a listener. Since the noise spectrum contains important information that helps provide the DSD signals with sharp transients and an accurate impulse response, the watermark cannot be removed from the DSD signal without causing significant degradation to the signal's audio quality.

Abstract: A digital data file encryption apparatus and method, where a digital data server identifies the user and supplies an encrypted digital data file to the user in accordance with the identified result. A personal computer decrypts the encrypted digital data file supplied from the digital data server and reproduces the decrypted digital data file or re-encrypts it using an encryption key. The encryption key is generated on the basis of an identification number of a data storage medium or digital data playing device. A digital data playing device stores the re-encrypted digital data file downloaded from the personal computer in the data storage medium and decrypts the stored digital data file using the encryption key to reproduce it. A first internal key is added to the identification number to convert the identification number into the encryption key, which is then encrypted according to an encryption algorithm based on a second internal key.

Abstract: A system classifies an image file into a first group if authentication data included in the image file has been generated using a private key cryptosystem, and classifies the image file into a second group if the authentication data included in the image file has been generated using a public key cryptosystem. The system authenticates whether or not image data included in the image file has been altered using the authentication data. The system displays an indication of whether or not the image data included in the image file has been altered in a display area corresponding to the first group, if the image file is classified in the first group. The system displays an indication of whether or not the image data included in the image file has been altered in a display area corresponding to the second group, if the image file is classified in the second group.

Abstract: A Digital Rights Management (DRM) system has a plurality of DRM servers performing DRM functionality and an entering DRM-E server is enrolled into the system by an enrolling DRM-R server such that the entering DRM-E server is to be trusted within the system. The DRM-E server sends an enrollment request to the DRM-R server including a proffering identification and a public key (PU-E). The DRM-R server validates the proffering identification, and, if the request is to be honored, generates a digital enrollment certificate with (PU-E) for the DRM-E server to enroll such DRM-E server into the DRM system. The now-enrolled DRM-E server with the generated enrollment certificate is able to employ same to issue DRM documents within the DRM system.

Abstract: The local digital network comprises: access devices, for receiving data originating from outside the network and transmitting them at a point of the network; and presentation devices for receiving the data flowing in the network and presenting them at a point of the network. The data flow in the network in encrypted form and all the devices of the network use a single key, the local key of the network, for the encryption and decryption of the data. Preferably, the local key of the network is formed by a pair of public and private keys. The purpose of this network is to make it possible to copy data in the local network whilst preventing pirate copies destined for other local networks.

Abstract: An information processing apparatus has a detection unit to detect a recording medium and initiates a program read from the recording medium detected by the detection unit. In the information processing apparatus, an operation check unit performs an operation check of the recording medium detected by the detection unit. An authentication check unit performs an authentication check of the recording medium detected by the detection unit. An error notification unit notifies an operator of an error of the recording medium if at least one of a result of the operation check and a result of the authentication check is an error.

Abstract: The invention relates to a method of managing files. In this invention, a method of managing a file stored in an external memory device of a computer having an application that starts when it is read by the computer consists of a step of accepting an instruction for starting up the application, and a step of automatically deleting the application program from the external memory device when the started application terminates. This file managing method can automatically delete the application program from the external memory device when the started application terminates.

Abstract: Provided is an architecture (hardware implementation) for an authentication engine to increase the speed at which SHA1 multi-loop and/or multi-round authentication algorithms may be performed on data packets transmitted over a computer network. As described in this application, the invention has particular application to the variant of the SHA1 authentication algorithms specified by the IPSec cryptography standard. In accordance with the IPSec standard, the invention may be used in conjunction with data encryption/encryption architecture and protocols. However it is also suitable for use in conjunction with other non-IPSec cryptography algorithms, and for applications in which encryption/decryption is not conducted (in IPSec or not) and where it is purely authentication that is accelerated. Among other advantages, an authentication engine in accordance with the present invention provides improved performance with regard to the processing of short data packets.

Abstract: When a network connection request is sent from a user's personal computer (2) to a server (1) on the Internet (5), the server (1) sends an authentication confirmation number generated by a random number generating unit (13) to the personal computer (2) of the connection requester. The connection requester connects a portable telephone (3) to a modem (4) and enters the authentication confirmation number displayed on the personal computer (2) through operation of keys of the portable telephone (3). An authentication unit (16) authenticates the connection request of the connection requester to set up connection to the network if the telephone number of the portable telephone (3) stored in a user information storage unit (12) agrees with the telephone number sent to the modem (4) and if the authentication confirmation number entered through the portable telephone (3) is correct.

Abstract: A specific client computer acquires content that has been stored in a content server. To accomplish this, the ID of the client computer is registered with the content server. The IP address, etc., of the content server is encrypted to obtain a check code and the check code is transmitted to the client computer and to a center server. The check code, etc., is transmitted from the client computer to the center server. The center server decrypts the check code transmitted from the client computer and the check code transmitted from the content server. The IP address, etc., of the content server is obtained by the decryption. If the IP address, etc., obtained from the check code transmitted from the client computer and the IP address obtained from the check code transmitted from the content server agree, the center server decides that the client computer is an authorized computer and transmits the IP address of the content server to the client computer.

Abstract: A software audit system is provided in conjunction with an anti-virus system. A computer virus scan request received by the anti-virus system (16) is used to trigger an audit data generator (18) to generate audit data. The audit data generator (18) may also serve to ban certain computer programs from execution and monitor the concurrent usage of other computer programs.

Abstract: The present invention provides for token based signing of an unsigned binary which may be a stream of bits (e.g., 0's and 1's). The unsigned binary is signed using a secret key which resides in a token (e.g., a smart card), which makes the secret key available to the token holder. The unsigned binary is downloaded and verified for authenticity by the token coupled to a computing device. In one embodiment, the downloaded unsigned binary is encrypted. If the unsigned binary is authentic, it may be used to replace the prior firmware on that computing device.

Abstract: In one embodiment, a content license is created that defines parameters for accessing a piece of digital content. A first logical expression in the content license defines a plurality of playback devices that are authorized to access the piece of digital content. A second logical expression in the content license defines at least one time interval when the plurality of playback devices are authorized to access the piece of digital content. The content license is used to access the piece of digital content.

Abstract: An apparatus to enable operation of a computer by authorized users when in a secure mode of operation is provided. One exemplary apparatus includes a hub configured to be in communication with the computer. The hub includes a card reader, a card microprocessor and an encryption engine. The apparatus also includes a card configured for insertion into the card reader. The card includes a card microprocessor. In addition, the apparatus includes a user authentication device configured to validate the user as an authorized user of the card. If the user is validated as the authorized user, then the card microprocessor passes a key to the hub microprocessor in response to the validation of the user as the authorized user of the card. The encryption engine of the hub is then activated to operate in a secure mode of operation.

Abstract: The invention describes a method for controlling access in a telecommunication system comprising a first transmitter-receiver unit, a second transmitter-receiver unit and a remote-controllable server.

Abstract: The present invention relates to a method, a system and a computer-readable medium storing computer-executable components in connection with transfer of information data to a recipient. The invention is based on the idea that generation of random number data and the calculation of digital signatures are performed before information data is accessible to a digital pen. Since asymmetric encryption of data is a demanding operation for said digital pen to perform in terms of processing power, a lot of time can be saved if the generation of random number data and asymmetric encryption of said random number data is performed in advance, when the pen is in an idle, non-communicating mode, for example during battery loading of the pen or when the pen is lifted from the position-coded paper. This alleviates delay times when the pen is in its communicating mode.

Abstract: A contents database 114 memorizes the discriminating information for discriminating contents and the temporal information as to the time of content duplication associated with the discriminating information. A recording program 113 acquires the discriminating information of contents to be duplicated and duplicates the contents in association with the acquired discriminating information and with the temporal information memorized in the contents database 114. This substantially prohibits duplication in large quantities without significantly impairing the interests of a user.

Abstract: An electronic information file is divided into a plurality of information elements, which are combined in different orders to generate two or more information blocks and to generate a primary distribution information file holding information on the method for dividing/rearranging the information elements. Like the electronic information file, the primary distribution information file is divided into key fragments and rearranged to generate key blocks and to generate a second distribution information file holding information on the method for dividing/rearranging the primary distribution information file. The information blocks, the key blocks and the secondary distribution information file are combined to generate and store or transmit two or more packages. When the electronic information is used, the primary distribution information file is restored on the basis of the secondary distribution file to restore the electronic information file on the basis of the primary distribution information file.

Abstract: A high-speed dubbing unit 10 for dubbing digital data from an optical disk 15 to a hard disk 16 at a high speed is connected via a public telephone line to a payment imposing unit 20. A control unit 13 is provided for generating in its basic data generator 13B basic data for imposing the payment from at least data indicative of the user identification and data indicative of the speed for recording the data read out from the optical disk 15 into the hard disk 16 and transmitting the basic data to the payment imposing unit 20. The payment imposing unit 20 performs the imposing of the payment according to the basic data received from the control unit 13 and transmits data indicative of the completion of imposing the payment to the control unit 13. In response to the data indicative of the completion of the payment, the control unit 13 directs the high-speed dubbing unit 10 to start recording the data read out from the optical disk 15 into the hard disk 16.

Abstract: The Digital Video Authenticator (DVA) addresses law enforcement concerns for a means to authenticate digital video (DV) so that it will be admissible and trusted as evidence in court. The DVA is a peripheral device attached to a commercial digital video recording device whose purpose is to generate and record authentication data simultaneously as DV is recorded by the video recording device. Verification of the authenticity of a DV sample will be accomplished using non-real-time software tools. The DVA system and method reads digital video (DV) data from a digital video recording device; parses the DV data into elements representing video, audio, control and timing data; and creates digital signatures that can be used to validate the original DV tape. The combination of secure digital signatures and repeatability of the DV data stored on tape provides the basis for proving the original video has not been modified.

Abstract: A block key to encrypt block data is generated using an ATS (arrival time stamp) appended to each of TS (transport stream) packets included in a transport stream correspondingly to the arrival time of the TS packet. The ATS is a random data depending upon an arrival time, and so a block-unique key can be generated, which enhances the protection against data cryptanalysis. A block key is generated from a combination of an ATS with a key unique to a device, recording medium or the like such as a master key, disc-unique key, title-unique key or the like. Since an ATS is used to generate a block key, any area for storage of an encryption key for each block may not be provided in a recording medium.

Abstract: A security verification method for verifying whether improper settings that indicate composite errors of security settings exist in an object system, which is an object of examination, includes steps of: reading data transfer paths that represent data movement in the object system and that are generated based on program operation information that describes operations of a program that is used in the object system, integrating the access rights of data transfer paths that have been read; and searching for improper paths among the data transfer paths for which access rights have been integrated based on security verification policies in which improper paths, which are paths of data movement that are improper from the standpoint of security, have been set in advance.

Abstract: An approximate message authentication code (AMAC) which, like conventional message authentication codes, provides absolute authentication of the origin of the message, yet provides an approximate integrity check for the content of the message. The approximate integrity check will be computed probabilistically and will likely be the same for messages having only a small percentage of different bits. A distance measure on the AMACs, such as a Hamming distance measure, may be used to determine whether the number of bit differences between the messages is likely to be within an acceptable amount. The AMAC is a probabilistic checksum based on a shared key. The AMAC uses the message and a shared key as inputs. Optionally, an initial value may also be used as an input. In one version of the invention, the data in the message M are permuted and arranged (physically or logically) into a table having |A| bits in each column and T2 rows, where T is may be an odd integer.

Abstract: An access control method for use with a broadcast communication network is described. The access control method includes the steps of receiving an encoded program at a subscriber unit via the broadcast communication network, and preventing decoding of the encoded program at the subscriber unit for at least one preselected time period, preselected in accordance with a preference of a user of the subscriber unit. Alternatively, the encoded program received at the subscriber unit may be decoded for at least one preselected time period, preselected in accordance with a preference of the user of the subscriber unit. Related methods and apparatus are also described.

Abstract: An image processing apparatus capable of preventing a copy protect function of a video or other contents signal from being disabled. An encoder encodes a contents signal from a DVD reproduction unit. A copy protect circuit performs copy protect processing on the encoded signal and outputs it. The copy protect circuit is controlled by control data input from CPU via an I2C_IF circuit. At this time, verification data from the CPU is stored in, and then read from registers in the I2C_IF circuit. Then, the CPU verifies the destination of transmission of the control data.

Abstract: A system and method for automatically protecting private video content using embedded cryptographic security is disclosed. A substantially continuous video signal representing raw video content is divided into individual frames. Each frame stores a fixed amount of data in digital form. Each individual frame is encrypted into encrypted video content using an encryption cryptographic key. The encrypted frames is stored on a transportable storage medium. Encrypted frames are retrieved from the transportable storage medium. A decryption cryptographic key is verified prior to decryption. Each encrypted frame is decrypted using the decryption cryptographic key. The decrypted frames are combined into a substantially continuous video signal representing the raw video content in reconstructed form. In a further embodiment, private video content automatically authenticated using embedded cryptographic security, either alone or in conjunction with the encryption of video content.

Abstract: The present invention relates generally to a system and method for verifying, settling, guaranteeing and printing checks at a remote location, preferably an electronic retailer's facilities, via a network, preferably the Internet. The preferred method for verifying, settling, guaranteeing and printing checks over a network at a remote location comprises the following steps. A client computer is connected to a merchant server at a location remote from the client computer. An order is transmitted from the client computer to the merchant server. Payment by check is selected. The client computer is connected to a check server. Customer data is input to the client computer. The customer data is transmitted from the client computer to the check server. The customer data is transmitted from the check server to a check verification server. The check verification server transmits an approval, preferably comprising the customer data and a guarantee of payment to a merchant, to the client computer and the check server.

Abstract: A security unit to prevent unauthorized retrieval of data includes an encrypting unit for encrypting data in accordance with commands received by the security unit, and a common register for storing both intermediate results and final results of the data encryption. A switching element operatively coupled to the register selectively outputs the contents of the register. The switching element is controlled to prevent external access to the intermediate results of the encryption. The security unit is particularly useful as part of a memory unit that is attachable to a recording/reproduction device such as a digital audio recorder/player.

Abstract: A data player for reading contents encrypted by a decoding key from a digital medium, and playing the encrypted contents by using the decoding key which is stored in a key storage unit, comprises: a key obtaining unit for performing mutual authentication with the key storage unit to obtain the decoding key stored in the key storage unit; a key holding unit for holding the decoding key; a playback state obtaining unit for monitoring the playback state of the digital medium; and a contents decoding unit for decoding the encrypted contents by using the decoding key. The decoding key is obtained by the key obtaining unit and stored in the key holding unit, and the encrypted contents read from the digital medium is decoded with the decoding key by the contents decoding unit to play the contents. The decoding key stored in the key holding unit is discarded according to the playback state of the digital medium which is obtained by the playback state obtaining unit.

Abstract: A system and method for automatically protecting private video content using cryptographic security for legacy systems is disclosed. A substantially continuous video signal representing video content in the process of being recorded on a transportable storage medium is intercepted. The intercepted substantially continuous video signal is divided into individual frames. Each frame stores a fixed amount of data in digital form. Each individual frame is encrypted into encrypted video content using an encryption cryptographic key and is stored. The encrypted frames are retrieved and decrypted using a decryption cryptographic key. The decrypted frames are combined into a substantially continuous video signal and output as video content in the process of being played from the transportable storage medium. In a further embodiment, private video content automatically authenticated using embedded cryptographic security, either alone or in conjunction with the encryption of video content.

Abstract: An object of the invention is to provide a transmitting system of which data is difficult to be tapped and which is suitable for flexibly determining a watching and listening fee. In order to achieve the object, there is provided a combination of a transmitting method comprising steps of, transmitting encoded data which has been encoded, to a receiving side, changing the encoding in a predetermined unit, and performing recording according to requirement, from the receiving side of information concerning decoding of the encoded data, and a receiving method comprising steps of, receiving the encoded data which has been encoded, from a transmitting side, requiring the information concerning the decoding of the encoded data, to the transmitting side, and decoding the encoded data by using the obtained information concerning the decoding.

Abstract: A secure electronic content system and method is provided. The system includes a controller including an interface component, a host system coupled to the controller, the host system configured to present content under predetermined conditions, the host system operable with a navigation protocol, the host system further including a system manager operable with an associations component configured to be at least partially run by the host system, a translator configured to provide meanings and generate commands within the host system at least a first digital rights management (DRM) component configured to provide encoding and access rules for the content; and a file system component including a file system application programming interface (API) configured to provide a logical interface between a plurality of components.

Abstract: A digital AV data transmitting unit includes a data significance deciding section for deciding the significance degree of digital AV data, and a transmitting-side plurality-of-authentication-rules storing section storing a plurality of types of authentication rules. Also included are a transmitting-side authentication selecting section for selecting one type of authentication rule from the transmitting-side plurality-of-authentication-rules storing means in accordance with a decision result by the data significance deciding section when receiving an authentication request, and a transmitting-side authenticating section for performing authentication in accordance with the selected authentication rule.

Abstract: A method for controlling access to digital information is performed based on a plurality of decryption keys sent by the information provider. A first type of decryption key instructs a user's host system to reproduce the digital information in accordance with a first level of reproduction quality degradation. Additional keys may specify other degradation levels. The quality of the digital information may be degraded based on a time condition or a use condition. Alternatively, only a portion of the information may be made viewable by a user. In order to obtain full and unrestricted access, the user must obtain a type of decryption key from the provider which removes all previous limitations on reproduction quality degradation.

Abstract: It is a technological object of the present invention to provide an information processing device, a card and a card system that have a high level of security. In order to achieve the object described above, the present invention provides a data processing apparatus comprising at least a first information processing device and a second information processing device connected to the first information processing device by a signal line, the data processing apparatus having a means for changing power consumption on the signal line during transmission of a signal through the signal line in accordance with an actual state of the power consumption that would be observed when the means were not used.

Abstract: A flexible product distribution and payment system for computer network based electronic commerce is disclosed. Primary content data is made available to customers through a detachable local storage medium, such as a DVD or CD-ROM disc, or over a network connection. The primary content is capable of being accessed and played back through a computer or game console at the customer site. The primary content distribution may comprise a superset of content that is intended to be used by the customer. The customer is allowed to view and access the encoded primary content, and is charged only for the primary content that is used. Content that is encoded on the medium but that is not used by the customer remains on the medium but is not charged. A content database and customer database maintained at the primary customer site maintain records of products ordered and used by the customer, as well as identification and use patterns associated with the user.

Abstract: A semiconductor memory card comprising a control IC 302, a flash memory 303, and a ROM 304. The ROM 304 holds information such as a medium ID 341 unique to the semiconductor memory card. The flash memory 303 includes an authentication memory 332 and a non-authentication memory 331. The authentication memory 332 can be accessed only by external devices which have been affirmatively authenticated. The non-authentication memory 331 can be accessed by external devices whether the external devices have been affirmatively authenticated or not. The control IC 302 includes control units 325 and 326, an authentication unit 321 and the like. The control units 325 and 326 control accesses to the authentication memory 332 and the non-authentication memory 331, respectively. The authentication unit 321 executes a mutual authentication with an external device.

Abstract: A database for reliably identifying a Security Profile of a device that generates digital signatures is managed by (a) maintaining the database in a secure environment, (b) recording in the database for each one of a plurality of devices manufactured in the secure environment, (i) a public key of a public-private key pair of the manufactured device, and in association therewith, (ii) a Security Profile of the manufactured device, the public key and Security Profile thereby being securely linked together, and (c) thereafter, when a linked public key successfully authenticates a digitally signed message, identifying the Security Profile associated with the linked public key as pertaining to the manufactured device to which belongs the private key utilized in digitally signing the message. Furthermore, a reference is communicated in a secure manner, the reference including the public key and Security Profile linked therewith for at least one of the manufactured devices.

Abstract: The present invention relates to an optical disc authentication method and apparatus. The method, wherein each disc has a plurality of ways and a plurality of sectors in each way, includes the steps of measuring the quantity of sectors in each of a defined quantity of ways to provide a disc fingerprint comprising way sector quantity values for an original disc and a target disc and authenticating the target disc.

Abstract: A method and system for authenticating the identity of a user by an authority makes use of presenting biometric data for the user in a predetermined shared secret sequence. The method and system can be augmented by requesting an additional shared secret, such as a PIN or additional credentials, to establish multiple layers of authentication. Varying the layers of authentication results in greater or lesser security, and the accuracy for any given layer can be relaxed without compromising the integrity of the entire method.

Abstract: The preferred embodiments described herein provide a method and system for calling line authenticated key distribution. In one preferred embodiment, an authentication key is provided to a calling party if the calling party is phoning from a calling line associated with an authorized user. This preferred embodiment provides a more secure authentication key distribution method as compared to the prior art since preventing an unauthorized user from gaining access to an authorized user's calling line is more feasible and reliable than attempting to prevent an unauthorized user from obtaining an authorized user's password. Other preferred embodiments are provided, and each of the preferred embodiments described herein can be used alone or in combination with one another.

Abstract: A method for providing secure access to console functions of a computer system and authentication of a console device is disclosed. The method comprises first initiating a first EKE sequence to generate a unique shared secret per device utilizing a default device identifier and associated default shared secret on a system-attached device from which a console operation is desired to be enabled. Then, a shared secret is generated from the first EKE sequence, and the generated shared secret is utilized in place of the default device shared secret in subsequent console authentication procedures for that device. Following, the shared secret is securely stored within a storage location of the system and on the system-attached device. The device's shared secret is subsequently replaced on each connection from that device.

Abstract: A cable television system provides conditional access to services. The cable television system includes a headend from which service “instances”, or programs, are broadcast and a plurality of set top units for receiving the instances and selectively decrypting the instances for display to system subscribers. The service instances are encrypted using public and/or private keys provided by service providers or central authorization agents. Keys used by the set tops for selective decryption may also be public or private in nature, and such keys may be reassigned at different times to provide a cable television system in which piracy concerns are minimized.

Abstract: An enterprise communications system for implementing, accessing, using, and managing enterprise-specific resources includes one or more Mandate clients, each Mandate client including a wireless communication device and an enterprise-specific identity module installed in such wireless communication device, a digital mobile communications network operative to provide a wireless communications link to each Mandate client, a Mandate server interfaced with the digital mobile communications network and interconnected to the enterprise-specific resources, each enterprise-specific identity module having stored therein a unique authentication key and cryptographic algorithms, the unique authentication key and the cryptographic algorithms of each enterprise-specific identity module being available to the digital mobile communications network and the Mandate server, wherein each Mandate client, the digital mobile communications network and the Mandate server utilize the unique authentication key and the cryptographic al

Abstract: A security assurance technique for electronic information wherein an electronic information file 1 is divided into a plurality of information elements 2 and the divided information elements are selected and combined with their order changed to produce one or more information blocks 3, and division extraction data of the information elements is produced and the information blocks are formed and stored or transmitted, whereafter, when the electronic information is to be utilized, the information elements 4 included in the information blocks 3 are re-divided, re-arranged in the correct order and integrated based on the division extraction data to restore an original electronic information file 5, whereby, even if electronic information stored or being communicated is stolen, the value of the information is reduced to disable utilization of the information.

Abstract: In analyzing radiation from a communication link, single-photon counting can be used to advantage especially at low levels of radiation energy, e.g. in the detection of optical radiation. Preferred detection techniques include methods in which (i) received optical radiation is intensity-modulated in accordance with a preselected code, (ii) wherein it is the optical radiation which is intensity-modulated with the preselected code, and (iii) wherein the radiation modulated with a preselected code is received. For registration of the signals received by a sensing element of a single-photon detector, time of arrival is recorded, optionally in conjunction with registration of time intervals. Advantageously, in the interest of minimizing the number of pulses missed due to close temporal spacing of pulses, D-triggers can be included in counting circuitry.

Abstract: To overcome a watermark security system that is based on a limited set of possible watermark values, a collection of authentic watermarked material is created, and a substitution system provides material from this collection in lieu of the content material that the watermark verification system is intended to verify. In security systems that are designed to verify the existence of authentic watermarked material, without regard to the actual content of the material, this substitution scheme will be successful. In security systems that are designed to verify the existence of an entirety of a data set in order to authorize the presentation of select material from the data set, the substitution of authentic watermarked material for the non-selected material will also be successful. A dictionary of expected watermarks for the data set is provided.

Abstract: A system and method for generating a plurality of authentication tags using a plurality of authentication mechanisms is disclosed. The plurality of authentication tags can reflect different authentication strength-performance levels. It is a feature of the present invention that a receiver is afforded increased flexibility in adaptively choosing strength-performance levels. It is a further feature of the present invention that multiple authentication tags can be used in multicast environments, where different receivers may have different processor capabilities or security policies.

Abstract: A system for associating usage rights with digital content. Usage rights are created from a grammar. The usage rights specify a manner of use indicating one or more stated purposes for which the digital content can be at least one of used and distributed by an authorized party. The usage rights are associated with the digital content. Information is exchanged with a first repository for storing the digital content and the associated usage rights and for processing a usage transaction specifying the usage rights to determine if access to the digital content can be granted. Information is exchanged with a second repository for generating the usage transaction specifying the usage rights for requesting access to the digital content.

Abstract: Digital watermarks are embedded in image data (102)in order to enable authentication of the image data and/or replacement of rejected portions of the image data. Authentication codes are derived by comparing selected discrete cosine transform (DCT) (104) coefficients within DCT data (106) derived from the original, spatial-domain image data. The authentication codes thus generated are embedded in DCT coefficients (612) other than the ones which were used to derive the authentication codes. The resulting, watermarked data can be sent or made available to one or more recipients who can compress or otherwise use the watermarked data. Image data derived from the watermarked data—e.