Including Authentication Patents (Class 380/232)
  • Patent number: 7464398
    Abstract: Systems and methods of mitigating attacks, such as Denial of Service (DoS) attacks, in a communications network are presented. Source addresses of packets received at network devices are monitored in relation to known reliable addresses stored in a decision engine. If the source address, as stored in a source table, is known as being legitimate the packets are placed in a high priority queue for transmission at the highest rate. Packets with an unknown address are placed in a lower priority queue, the source address stored in a different source table, and the packet is serviced at a lower rate. Packets that become known to be legitimate are moved from the unknown table to the table from which high priority queues are serviced. In this way, an attacker that employs spoofing techniques is prevented from overtaxing network resources.
    Type: Grant
    Filed: May 19, 2003
    Date of Patent: December 9, 2008
    Assignee: Alcatel Lucent
    Inventors: Jean-Marc Robert, Scott David D'Souza, Paul Kierstead
  • Patent number: 7437768
    Abstract: The CPU 11 of the personal computer 1 controls the CPU 32 of the adaptor 26 made of a semiconductor ID to compute a hash value of a content-managing music data base recorded in the HDD 21 and store it into the nonvolatile memory 34. When playing back a content recorded in the HDD 21, the CPU 11 computes the hash value of the music data base recorded in the HDD 21, compares it with hash values stored cumulatively in the nonvolatile memory 34, and controls the playback of the content from the HDD 21 based on the result of the comparison.
    Type: Grant
    Filed: October 19, 2005
    Date of Patent: October 14, 2008
    Assignee: Sony Corporation
    Inventors: Itaru Kawakami, Ryuji Ishiguro, Mitsuru Tanabe, Yuichi Ezura
  • Patent number: 7424739
    Abstract: The present invention provides for validating that one or more modules reside on the same machine. When a second module wishes to establish communication with a first module, a shared memory that is accessible by the modules—but inaccessible by modules outside the machine—is used to store random data. The first module listens on a transport address corresponding to the random data for communication activity. The second module retrieves the random data from the shared memory, and then uses this data for determining the appropriate transport address to send information to when establishing the communication with the first module.
    Type: Grant
    Filed: October 29, 2004
    Date of Patent: September 9, 2008
    Assignee: Microsoft Corporation
    Inventor: Janiv Pessach
  • Patent number: 7406599
    Abstract: Methods and apparatus, including computer program products, for presenting status of digital signatures. A digital document is received that defines a presentation structure and includes a digital signature. The digital document specifies a representation of the digital signature and a location in the presentation structure for the representation of the digital signature. A status is determined for the digital signature. A status representation is associated with the digital signature, where the status representation identifies the status determined for the digital signature. Without altering the representation of the digital signature, at least a portion of the digital document and the status representation of the digital signature are presented in a user interface, where the status representation is presented in the presentation structure at a location that depends upon the location of the digital signature.
    Type: Grant
    Filed: April 6, 2004
    Date of Patent: July 29, 2008
    Assignee: Adobe Systems Incorporated
    Inventors: James D. Pravetz, William Ie
  • Patent number: 7398395
    Abstract: Content material is protected with a variety of watermarking processes. Different subsets of the protected content material are submitted to different watermarking processes. At the rendering device, a watermark detector is configured to detect one or more different watermarks. Only if the particular watermark(s) that the rendering device is configured to detect is removed from the protected content material will the rendering device permit the rendering of the protected material. If the particular watermark(s) that the rendering device is configured to detect is unpredictable, or if the particular segment that is protected by a particular watermark is undetectable, a wholesale removal of specific watermarks from the watermarked material will neither be efficient nor economically viable.
    Type: Grant
    Filed: September 20, 2001
    Date of Patent: July 8, 2008
    Assignee: Koninklijke Philips Electronics N.V.
    Inventor: Michael Epstein
  • Patent number: 7386129
    Abstract: A computer-implemented method is described for processing multimedia channels comprising: encrypting a first group of multimedia channels using a first type of encryption to produce a first group of encrypted multimedia channels; encrypting the first group of multimedia channels using a second type of encryption to produce a second group of encrypted multimedia channels; concurrently transmitting the first group of encrypted multimedia channels with the second group of multimedia channels to a plurality of multimedia subscribers having multimedia receivers capable of decrypting the first group of encrypted multimedia channels and/or the second group of multimedia channels.
    Type: Grant
    Filed: May 30, 2001
    Date of Patent: June 10, 2008
    Assignee: Digeo, Inc.
    Inventor: Stephen G. Perlman
  • Patent number: 7380135
    Abstract: A method of transmitting contents, which are to be received at a reception side where a portion of the contents is previewed while the contents are not accessible for playing other than for a preview purpose, includes the steps of encrypting the contents by a first encryption key, generating information indicative of an elapsed time of the contents that indicates a relationship between positions on a time axis of the contents representing an amount of time that passes as the contents are played and a time count that accrues as a preview time when the contents are previewed, encrypting the first encryption key and the information indicative of an elapsed time of the contents by a second encryption key, thereby generating first encrypted information, encrypting the second encryption key and content-usage control information by a third encryption key, thereby generating second encrypted information, the content-usage control information indicating usage of the contents on the reception side, and transmitting the
    Type: Grant
    Filed: August 15, 2003
    Date of Patent: May 27, 2008
    Assignee: Nippon Hoso Kyokai
    Inventors: Yusei Nishimoto, Tatsuya Kurioka, Seiichi Namba
  • Patent number: 7370210
    Abstract: The present invention provides a data processing apparatus and method for managing processor configuration data. The data processing apparatus comprises a processor operable in a plurality of modes and a plurality of domains, said plurality of domains comprising a secure domain and a non-secure domain, said plurality of modes including at least one non-secure mode being a mode in the non-secure domain, at least one secure mode being a mode in the secure domain, and a monitor mode. The processor is operable such that when executing a program in a secure mode the program has access to secure data which is not accessible when said processor is operating in a non-secure mode.
    Type: Grant
    Filed: November 17, 2003
    Date of Patent: May 6, 2008
    Assignee: Arm Limited
    Inventor: Dominic Hugo Symes
  • Patent number: 7363504
    Abstract: The present invention discloses a system and methods for biometric security using keystroke scan biometrics in a smartcard-reader system. The biometric security system also includes a keystroke scan sensor that detects biometric samples and a device for verifying biometric samples. In one embodiment, the biometric security system includes a smartcard configured with a keystroke scan sensor. In another embodiment, the system includes a reader configured with a keystroke scan sensor. In yet another embodiment, the present invention discloses methods for proffering and processing keystroke scan samples to facilitate authorization of transactions.
    Type: Grant
    Filed: July 1, 2004
    Date of Patent: April 22, 2008
    Assignee: American Express Travel Related Services Company, Inc.
    Inventors: David S. Bonalle, Glen Salow
  • Patent number: 7363494
    Abstract: A time-based method for generating an authentication code associated with an entity uses an authentication code generated from a secret, a dynamic, time-varying variable, and the number of previous authentication code generations within the particular time interval. Other information such as a personal identification number (PIN) and a verifier identifier can also be combined into the authentication code.
    Type: Grant
    Filed: December 4, 2001
    Date of Patent: April 22, 2008
    Assignee: RSA Security Inc.
    Inventors: John G. Brainard, Burton S. Kaliski, Jr., Ronald L. Rivest
  • Patent number: 7353540
    Abstract: The present invention is intended to prevent sold digital information from being used in a non-compliant manner. Digital information accumulation capability 212 accumulates digital information 6 to be sold. License generating capability 227 generates the usage conditions for digital information 6. Encryption capability 229 encrypts digital information 6. Digital information key generating capability 228 generates a cryptographic key for decrypting encrypted digital information 6. Authentication capability 214 authenticates recording medium with license management capability 102-1 loaded in digital information vending apparatus 101. Licensed digital information writing capability 230 writes encrypted digital information and its usage conditions and cryptographic key onto authenticated recording medium with license management capability 102-1.
    Type: Grant
    Filed: March 30, 2001
    Date of Patent: April 1, 2008
    Assignee: Sony Corporation
    Inventors: Haruhiko Kishi, Akira Kurihara
  • Patent number: 7346779
    Abstract: A method for securing an electronic document (22) comprising attaching a biometric characteristic (20) and the electronic document (22) to form a biometric characteristic-document combination and encrypting the biometric characteristic-document combination to form an encrypted data package (24).
    Type: Grant
    Filed: February 23, 2001
    Date of Patent: March 18, 2008
    Assignee: Birmingham Systems Limited
    Inventor: Kim Leeper
  • Publication number: 20080028437
    Abstract: A system that eliminates some of the security vulnerabilities in the prior art systems by using a new sequence of steps to perform initialization of the cable modem: Instead of performing authentication after the cable modem has been registered, the cable modem authentication step is performed immediately after the cable modem completes ranging. Thus an early authentication method and system are provided. The control of authentication is shifted from the cable modem to the CMTS. Instead of the CMTS relying on a Registration Request message (REG-REQ) to determine whether a cable modem must perform authentication (that is to determine if BPI+ is enabled) the CMTS configuration is what determines whether a cable modem must perform authentication.
    Type: Application
    Filed: July 27, 2006
    Publication date: January 31, 2008
    Applicant: CISCO TECHNOLOGY, INC.
    Inventor: SHENGYOU ZENG
  • Patent number: 7320138
    Abstract: A system classifies an image file into a first group if authentication data included in the image file has been generated using a private key cryptosystem, and classifies the image file into a second group if the authentication data included in the image file has been generated using a public key cryptosystem. The system authenticates whether or not image data included in the image file has been altered using the authentication data. The system displays an indication of whether or not the image data included in the image file has been altered in a display area corresponding to the first group, if the image file is classified in the first group. The system displays an indication of whether or not the image data included in the image file has been altered in a display area corresponding to the second group, if the image file is classified in the second group.
    Type: Grant
    Filed: September 23, 2003
    Date of Patent: January 15, 2008
    Assignee: Canon Kabushiki Kaisha
    Inventors: Satoru Wakao, Takami Eguchi
  • Patent number: 7315621
    Abstract: A characteristic amount is retained and calculated from an entered video signal. Embedment intensity is retained and calculated from the retained characteristic amount. Embedment information is embedded as digital watermarks into the entered video signal in accordance with the retained embedment intensity of the previous frame or field that is located at a position earlier in time than a target image subject to digital watermark embedment. As a result, an output signal of video having the digital watermarks embedded therein is produced. The digital watermarks are embedded into the target image with reference to another image located at a position earlier in time than the target image. Such digital watermark embedment suppresses a delay in output of an output image with reference to an input image.
    Type: Grant
    Filed: May 8, 2003
    Date of Patent: January 1, 2008
    Assignee: Matsushita Electric Industrial Co., Ltd.
    Inventors: Kenichi Noridomi, Hisashi Inoue, Takashi Katsura, Takanori Okada
  • Patent number: 7305366
    Abstract: Content revocation is achieved by disabling licenses issued to a computing device for the content. A content revocation is delivered within a license to the computing device. Upon license storage the content revocation is recognized, validated, and stored in a secure state store under the public key of the content server (PU-CS) that issued the content. Each license has a (PU-CS) therein, and each license evaluation considers each content revocation stored in the state store and having the same (PU-CS). The license is disabled or otherwise affected based on the considered content revocation. A content revocation is one form of a license modification that may be delivered within a license.
    Type: Grant
    Filed: November 3, 2005
    Date of Patent: December 4, 2007
    Assignee: Microsoft Corporation
    Inventors: Charlie David Chase, Jr., Krishnamurthy Ganesan, Philip J. Lafornara, Jeffrey Richard McKune, Clifford Paul Strom, Vijay K. Gajjala
  • Patent number: 7305555
    Abstract: A system is described for uniquely mating components of a communication network such as a smartcard and a set-top box. When mated, the smartcard and set-top box are tied together and have a single identity. Further, the smartcard operates properly only when inserted into an authorized set-top box. Exchanges of information between both components are secured by encryption and authentication to guard against piracy of the exchanged information. The system provides the same authentication key to the set-top box and the smartcard. This key is used for authenticating communication between the set-top box and the smartcard. First, the authentication key is encrypted by a set-top box mating key. The set-top box employs this mating key to decrypt the authentication key. After it is derived, the authentication key is stored in the set-top box's memory. Further, the same authentication key is encrypted by a smartcard mating key.
    Type: Grant
    Filed: March 27, 2002
    Date of Patent: December 4, 2007
    Assignee: General Instrument Corporation
    Inventors: John I. Okimoto, Eric J. Sprunk, Lawrence W. Tang, Annie On-yee Chen, Bridget Kimball, Douglas Petty
  • Patent number: 7302578
    Abstract: An information processing apparatus has a detection unit to detect a recording medium and initiates a program read from the recording medium detected by the detection unit. In the information processing apparatus, an operation check unit performs an operation check of the recording medium detected by the detection unit. An authentication check unit performs an authentication check of the recording medium detected by the detection unit. An error notification unit notifies an operator of an error of the recording medium if at least one of a result of the operation check and a result of the authentication check is an error.
    Type: Grant
    Filed: March 16, 2004
    Date of Patent: November 27, 2007
    Assignee: Ricoh Company, Ltd.
    Inventor: Ayako Kobayashi
  • Patent number: 7299355
    Abstract: Provided is an architecture (hardware implementation) for an authentication engine to increase the speed at which SHA1 multi-loop and/or multi-round authentication algorithms may be performed on data packets transmitted over a computer network. As described in this application, the invention has particular application to the variant of the SHA1 authentication algorithms specified by the IPSec cryptography standard. In accordance with the IPSec standard, the invention may be used in conjunction with data encryption/encryption architecture and protocols. However it is also suitable for use in conjunction with other non-IPSec cryptography algorithms, and for applications in which encryption/decryption is not conducted (in IPSec or not) and where it is purely authentication that is accelerated. Among other advantages, an authentication engine in accordance with the present invention provides improved performance with regard to the processing of short data packets.
    Type: Grant
    Filed: January 8, 2002
    Date of Patent: November 20, 2007
    Assignee: Broadcom Corporation
    Inventor: Zheng Qi
  • Patent number: 7299504
    Abstract: A database-modeled security policy includes policy statements stored in a database. Each policy statement has associated standards, guidelines, and procedures. Policy statements are grouped together into tag groups, which are in turn grouped together to form metapolicies. A security administrator uses a security policy management application to create metapolicies for specific audiences. A lightweight directory access protocol module manages access to the security policy. The security policy management application also provides scoring, reporting, and project management functionalities.
    Type: Grant
    Filed: March 8, 2002
    Date of Patent: November 20, 2007
    Assignee: Lucent Technologies Inc.
    Inventors: James Tiller, Bryan Fish, Theodore Baker
  • Patent number: 7287157
    Abstract: A specific client computer acquires content that has been stored in a content server. To accomplish this, the ID of the client computer is registered with the content server. The IP address, etc., of the content server is encrypted to obtain a check code and the check code is transmitted to the client computer and to a center server. The check code, etc., is transmitted from the client computer to the center server. The center server decrypts the check code transmitted from the client computer and the check code transmitted from the content server. The IP address, etc., of the content server is obtained by the decryption. If the IP address, etc., obtained from the check code transmitted from the client computer and the IP address obtained from the check code transmitted from the content server agree, the center server decides that the client computer is an authorized computer and transmits the IP address of the content server to the client computer.
    Type: Grant
    Filed: April 11, 2003
    Date of Patent: October 23, 2007
    Assignee: Fujifilm Corporation
    Inventor: Kazuto Washio
  • Patent number: 7287270
    Abstract: When a network connection request is sent from a user's personal computer (2) to a server (1) on the Internet (5), the server (1) sends an authentication confirmation number generated by a random number generating unit (13) to the personal computer (2) of the connection requester. The connection requester connects a portable telephone (3) to a modem (4) and enters the authentication confirmation number displayed on the personal computer (2) through operation of keys of the portable telephone (3). An authentication unit (16) authenticates the connection request of the connection requester to set up connection to the network if the telephone number of the portable telephone (3) stored in a user information storage unit (12) agrees with the telephone number sent to the modem (4) and if the authentication confirmation number entered through the portable telephone (3) is correct.
    Type: Grant
    Filed: October 30, 2001
    Date of Patent: October 23, 2007
    Assignee: ARKRAY, Inc.
    Inventor: Akinori Kai
  • Patent number: 7281267
    Abstract: A software audit system is provided in conjunction with an anti-virus system. A computer virus scan request received by the anti-virus system (16) is used to trigger an audit data generator (18) to generate audit data. The audit data generator (18) may also serve to ban certain computer programs from execution and monitor the concurrent usage of other computer programs.
    Type: Grant
    Filed: February 20, 2001
    Date of Patent: October 9, 2007
    Assignee: McAfee, Inc.
    Inventors: Lee Codel Lawson Tarbotton, Daniel Joseph Wolff, Timothy James Page
  • Publication number: 20070230698
    Abstract: Systems and methods are disclosed for using an arbitrary fixed channel to carry third-party information. In one embodiment, the present invention provides systems and methods for enabling existing content rendering devices to accept content encoded in a proprietary format, such as an encoding format used by a digital rights management system. The encoded content is rendered by the device in the normal manner, and decoded by a retrofitting appliance connected to the device's output. The retrofitting appliance may apply decoded rules and controls to the decoded content, thereby managing use of the content.
    Type: Application
    Filed: March 12, 2007
    Publication date: October 4, 2007
    Applicant: Intertrust Technologies Corporation
    Inventor: Talal G. Shamoon
  • Patent number: 7272718
    Abstract: In a signal processing device and its method as well as a program storing medium, psychological auditory sense analysis of the survival state of an input signal of the time when the input signal has been compressed is performed in response to the compression processing, and the result of the very analysis is outputted as the psychological auditory sense encoded information, and digital watermarking information is superimposed on the input signal on the basis of the psychological auditory sense encoded information, so that it is possible to easily realize digital watermarking information that has large compression resistance and digital watermarking information that has small compression resistance.
    Type: Grant
    Filed: October 27, 2000
    Date of Patent: September 18, 2007
    Assignee: Sony Corporation
    Inventors: Yuuki Matsumura, Hideo Sato
  • Patent number: 7260721
    Abstract: A client receives encrypted content from content server. The header of the content includes license-identifying information for identifying a license required to utilize the content. The client requests a license server to transmit the license identified by the license-identifying information. When receiving the request for a license, the license server carries out a charging process before transmitting the license to the client. The client stores the license received from the license server. The stored license serves as a condition for encrypting and playing back the content. As a result, content can be distributed with a high degree of freedom and only an authorized user is capable of utilizing the content.
    Type: Grant
    Filed: February 8, 2002
    Date of Patent: August 21, 2007
    Assignee: Sony Corporation
    Inventors: Koichi Tanaka, Itaru Kawakami, Yoshisuke Kuroda, Ryuji Ishiguro
  • Patent number: 7260726
    Abstract: An apparatus to enable operation of a computer by authorized users when in a secure mode of operation is provided. One exemplary apparatus includes a hub configured to be in communication with the computer. The hub includes a card reader, a card microprocessor and an encryption engine. The apparatus also includes a card configured for insertion into the card reader. The card includes a card microprocessor. In addition, the apparatus includes a user authentication device configured to validate the user as an authorized user of the card. If the user is validated as the authorized user, then the card microprocessor passes a key to the hub microprocessor in response to the validation of the user as the authorized user of the card. The encryption engine of the hub is then activated to operate in a secure mode of operation.
    Type: Grant
    Filed: December 6, 2001
    Date of Patent: August 21, 2007
    Assignee: Adaptec, Inc.
    Inventors: Kin Doe, Leigh Perona, Francis L. Nguyen
  • Patent number: 7257710
    Abstract: The present invention provides an additional-watermark embedding apparatus for embedding predetermined additional data into original data. The additional-watermark embedding apparatus includes an adder for summing the original data and the additional data, a first amplifier for amplifying the original data according to a predetermined non-linear input-output characteristic, a second amplifier for amplifying the summed data supplied from the adder according to a predetermined non-linear input-output characteristic, a subtractor for taking the difference between the amplified data obtained by the second amplifier and the amplified original data obtained by the first amplifier, and an embedder for embedding modified additional data which is obtained by modifying the waveform of the additional data according to the original data and which is supplied from the subtractor into the original data.
    Type: Grant
    Filed: August 19, 2002
    Date of Patent: August 14, 2007
    Assignee: Sony Corporation
    Inventors: Jun Hirai, Yoonki Choi
  • Patent number: 7246234
    Abstract: A memory stores a hash value of content management data. When an IEEE1394 interface authenticates a personal computer connected thereto via a network, the IEEE1394 transmits content management data to the personal computer while receiving a hash data of the content management data from the personal computer. The IEEE1394 interface then determines whether the received hash value of the content management data matches the stored hash value of the content management data. This arrangement prevents the unauthorized copying of content data, and limits the number of uses of the content data.
    Type: Grant
    Filed: August 18, 2000
    Date of Patent: July 17, 2007
    Assignee: Sony Corporation
    Inventors: Ryuji Ishiguro, Munetake Ebihara
  • Patent number: 7237123
    Abstract: Theft, distribution, and piracy of digital content (software, video, audio, e-books, any content of any kind that is digitally stored and distributed) is generally accomplished by copying it, if possible, or, if it is protected from being copied in any fashion, such piracy is based upon a number of reverse engineering techniques. Aside from the straightforward copying of unprotected content, all of these other methods require first an understanding of the protective mechanism(s) guarding the content, and finally an unauthorized modification of that protection in order to disable or subvert it. Methods that prevent a skilled individual from using reverse engineering tools and techniques to attain that level of understanding and/or prevent anyone from performing such modifications can offer significant advantages to content creators who wish to protect their products.
    Type: Grant
    Filed: November 20, 2001
    Date of Patent: June 26, 2007
    Assignee: ECD Systems, Inc.
    Inventors: Richard B. LeVine, Andrew R. Lee, Daniel G. Howard, Daniel M. Goldman, John J. Hart, III
  • Patent number: 7228430
    Abstract: A security system for preventing unauthorized use of a computer device. An extractable security piece includes an extractable main private key and a main PC public key. A PC security area which is a non-extractable part of the computer device includes a PC private key and an extractable main public key, which, together with the keys of the extractable security piece, constitute a Public Key Infrastructure. The extractable security piece and the PC security area include processing means for mutual authentication of the extractable security piece and the PC security area after the extractable security piece, which had been previously removed, has been reinserted in the computer device, thereby enabling the authorized user to access data stored in the computer device.
    Type: Grant
    Filed: January 11, 2002
    Date of Patent: June 5, 2007
    Assignee: Lenovo Singapore Pte. Ltd
    Inventors: Alain Benayoun, Jacques Fieschi, Jean-Francois Le Pennec, Pascal Roy
  • Patent number: 7209893
    Abstract: A terminal device, a memory module and a system for and method of distributing electronic content. A content provider stores a number of multimedia files. A first integrated circuit card interface receives a host integrated circuit card containing first authorization information, and a second integrated circuit card interface receives a user integrated circuit card containing second authorization information. An input device permits selection of one or more multimedia files from the stored multimedia files. A control unit is responsive to insertion into the second integrated circuit card interface of a user interface card containing second authorization information compatible with the first authorization information contained in a host integrated circuit card inserted in the first integrated circuit card interface to actuate an output device to provide the content of multimedia files selected by the input device.
    Type: Grant
    Filed: November 30, 2000
    Date of Patent: April 24, 2007
    Assignee: Nokia Corporation
    Inventor: Naoaki Nii
  • Patent number: 7200230
    Abstract: A system for providing rights controlled access to digital media comprises a server data processor and a client data processor connected by a communications network. The user data processor provides access to a data object in accordance with rules associated with the data object by the server data processor. The client data processor comprises a machine key device and a user key device. The machine key device is preferably an installed component of the client data processor that provides encryption, decryption, and authentication functionality for the client data processor. The user key device is preferably a removable, portable device that connects to the client data processor and provides encryption, decryption, and authentication functionality for the user. A method restricts the use of a data object to a particular user and a particular data processor through the use of additional layers of encryption.
    Type: Grant
    Filed: January 15, 2001
    Date of Patent: April 3, 2007
    Assignee: Macrovision Corporation
    Inventor: Christopher L. Knauft
  • Patent number: 7197143
    Abstract: The Digital Video Authenticator (DVA) addresses law enforcement concerns for a means to authenticate digital video (DV) so that it will be admissible and trusted as evidence in court. The DVA is a peripheral device attached to a commercial digital video recording device whose purpose is to generate and record authentication data simultaneously as DV is recorded by the video recording device. Verification of the authenticity of a DV sample will be accomplished using non-real-time software tools. The DVA system and method reads digital video (DV) data from a digital video recording device; parses the DV data into elements representing video, audio, control and timing data; and creates digital signatures that can be used to validate the original DV tape. The combination of secure digital signatures and repeatability of the DV data stored on tape provides the basis for proving the original video has not been modified.
    Type: Grant
    Filed: January 16, 2003
    Date of Patent: March 27, 2007
    Assignee: The Johns Hopkins University
    Inventors: Thomas E. Duerr, Nicholas D. Beser, James H. Higbie, Donna C. Paulhamus, Michael A. Karls, Cash J. Costello, George R. Barrett
  • Patent number: 7190792
    Abstract: Systems and methods are disclosed for using an arbitrary fixed channel to carry third-party information. In one embodiment, the present invention provides systems and methods for enabling existing content rendering devices to accept content encoded in a proprietary format, such as an encoding format used by a digital rights management system. The encoded content is rendered by the device in the normal manner, and decoded by a retrofitting appliance connected to the device's output. The retrofitting appliance may apply decoded rules and controls to the decoded content, thereby managing use of the content.
    Type: Grant
    Filed: April 4, 2006
    Date of Patent: March 13, 2007
    Assignee: Intertrust Technologies Corp.
    Inventor: Talal G. Shamoon
  • Patent number: 7190790
    Abstract: The present invention proposes an encryption/decryption method able to resist against various attack strategies such as Simple Power Analysis, Timing Analysis or Differential Power Analysis. The method is carried out by a plurality of encryption/decryption modules arranged in series, wherein an encryption/decryption module, different from the first module, starts encryption/decryption operations as soon as said module receives a part of the results of encryption/decryption operations from the immediately preceding encryption/decryption module.
    Type: Grant
    Filed: August 24, 2000
    Date of Patent: March 13, 2007
    Assignee: NagraCard S.A.
    Inventors: Michael John Hill, Marco Sasselli, Christophe Nicolas
  • Patent number: 7149721
    Abstract: Methods and apparatus for creating a license defining permissions to use electronic content. The methods include selecting a plurality of habitat types, each an aspect of a user environment to which a license can be bound, the selection based on input from a retail customer; determining one or more habitat values and relations for each selected type; and creating a license to use the electronic content, the license including an and-or logic expression of habitat terms, each term containing one of the selected types and its set of corresponding values and relations. Each habitat term may include a key for decrypting or unlocking the electronic content.
    Type: Grant
    Filed: September 5, 2000
    Date of Patent: December 12, 2006
    Assignee: Adobe Systems Incorporated
    Inventors: Richard L. Sites, James D. Pravetz
  • Patent number: 7134134
    Abstract: An electronic program guide (EPG) hardware card is disclosed. The card is insertable into a television tuning device having EPG capability. A non-volatile memory, such as flash memory, is situated within a case of the hardware card, and has data stored thereon representing one or more loader programs for the device. Each program corresponds to an EPG provider, and gives the device the capability to receive EPG information from this provider. The case of the hardware card may have a form factor such as a Smart Card, a Compact Flash, a Smart Media, or another form factor. Alternatively, the data stored on the card represents non-executable information corresponding to an EPG provider. A business model and a server-based embodiment are also disclosed.
    Type: Grant
    Filed: March 24, 2001
    Date of Patent: November 7, 2006
    Assignee: Microsoft Corporation
    Inventors: Robert M. Fries, Michael E. Pietraszak
  • Patent number: 7127431
    Abstract: The information reproduction device for reproducing contents information based on license information added to the contents information and required for reproducing the contents information, includes a determining section for determining whether encrypted contents information is the officially copied contents information or privately copied contents information based on the contents of the license information, and a reproduction section configured to reproduce the contents information determined as the privately copied contents information by the determining section under more severe restriction than the officially copied contents information. Thus, the contents copied by the proper route (officially copied contents) can be distributed in a more advantageous form than the contents copied without proper authorization.
    Type: Grant
    Filed: May 6, 2003
    Date of Patent: October 24, 2006
    Assignee: Kabushiki Kaisha Toshiba
    Inventors: Toru Kambayashi, Koichiro Akiyama, Yutaka Handa, Yoshihiro Ohmori
  • Patent number: 7110985
    Abstract: Content revocation is achieved by disabling licenses issued to a computing device for the content. A content revocation is delivered within a license to the computing device. Upon license storage the content revocation is recognized, validated, and stored in a secure state store under the public key of the content server (PU-CS) that issued the content. Each license has a (PU-CS) therein, and each license evaluation considers each content revocation stored in the state store and having the same (PU-CS). The license is disabled or otherwise affected based on the considered content revocation. A content revocation is one form of a license modification that may be delivered within a license.
    Type: Grant
    Filed: November 3, 2005
    Date of Patent: September 19, 2006
    Assignee: Microsoft Corporation
    Inventors: Charlie David Chase, Jr., Krishnamurthy Ganesan, Philip J. Lafornara, Jeffrey Richard McKune, Clifford Paul Strom, Vijay K. Gajjala
  • Patent number: 7110543
    Abstract: At the time of moving a content from an e-book content receiving terminal 102 to a copyright protection medium 103, from among a plurality of usage rules set to the content, those defined by the copyright protection medium 103 are moved to the copyright protection medium 103 by a content moving section 106, and those not defined by the copyright protection medium 103 are transmitted to a usage rule management server 104 via a communications section 105. On the other hand, at the time of moving the content from the copyright protection medium 103 to the e-book content receiving terminal 102, the usage rules from the copyright protection medium 103 and the usage rules from the usage rule management server 104 are combined together. In this manner, even when a content is moved through a copyright protection medium in which usage rules of the content are not fully defined therein, none of the usage rules is lost.
    Type: Grant
    Filed: May 21, 2002
    Date of Patent: September 19, 2006
    Assignee: Matsushita Electric Industrial Co., Ltd
    Inventors: Koji Miura, Stefan Walter, Masaya Yamamoto
  • Patent number: 7099473
    Abstract: There is provided an information processing apparatus/method characterized by inputting information data, generating security data to be used to protect the information data, encoding the information data to generate encoded data, extracting a unique predetermined code indicating a specific meaning from encoded data within a security section in accordance with the security data, superimposing the security data on the predetermined code, scrambling the encoded data except for the predetermined code within the security section, and outputting the superimposed predetermined code and the scrambled encoded data.
    Type: Grant
    Filed: January 18, 2001
    Date of Patent: August 29, 2006
    Assignee: Canon Kabushiki Kaisha
    Inventor: Mitsuru Maeda
  • Patent number: 7092930
    Abstract: A method and apparatus for protecting against a replay attack in a database system makes use of customer records including a counter, and freshness records that include the customer counters and a freshness record counter. The counter from the customer records, the customer records in the freshness records, and the freshness record counter are used by a cryptographic device together with a cryptographic device counter to verify the freshness of the customer record prior to updating the customer record with respect to a recent transaction.
    Type: Grant
    Filed: March 28, 2002
    Date of Patent: August 15, 2006
    Assignee: Pitney Bowes Inc.
    Inventors: Richard W. Heiden, David K. Lee
  • Patent number: 7088823
    Abstract: A method for controlling access to digital information is performed based on a plurality of decryption keys sent by the information provider. A first type of decryption key instructs a user's host system to reproduce the digital information in accordance with a first level of reproduction quality degradation. Additional keys may specify other degradation levels. The quality of the digital information may be degraded based on a time condition or a use condition. Alternatively, only a portion of the information may be made viewable by a user. In order to obtain full and unrestricted access, the user must obtain a type of decryption key from the provider which removes all previous limitations on reproduction quality degradation.
    Type: Grant
    Filed: January 9, 2002
    Date of Patent: August 8, 2006
    Assignee: International Business Machines Corporation
    Inventor: John E. Fetkovich
  • Patent number: 7080043
    Abstract: Content revocation is achieved by disabling licenses issued to a computing device for the content. A content revocation is delivered within a license to the computing device. Upon license storage the content revocation is recognized, validated, and stored in a secure state store under the public key of the content server (PU-CS) that issued the content. Each license has a (PU-CS) therein, and each license evaluation considers each content revocation stored in the state store and having the same (PU-CS). The license is disabled or otherwise affected based on the considered content revocation. A content revocation is one form of a license modification that may be delivered within a license.
    Type: Grant
    Filed: March 26, 2002
    Date of Patent: July 18, 2006
    Assignee: Microsoft Corporation
    Inventors: Charlie David Chase, Jr., Krishnamurthy Ganesan, Philip J. Lafornara, Jeffrey Richard McKune, Clifford Paul Strom, Vijay K. Gajjala
  • Patent number: 7050586
    Abstract: Systems and methods are disclosed for using an arbitrary fixed channel to carry third-party information. In one embodiment, the present invention provides systems and methods for enabling existing content rendering devices to accept content encoded in a proprietary format, such as an encoding format used by a digital rights management system. The encoded content is rendered by the device in the normal manner, and decoded by a retrofitting appliance connected to the device's output. The retrofitting appliance may apply decoded rules and controls to the decoded content, thereby managing use of the content.
    Type: Grant
    Filed: June 19, 2001
    Date of Patent: May 23, 2006
    Assignee: Intertrust Technologies Corporation
    Inventor: Talal G. Shamoon
  • Patent number: 7051212
    Abstract: The present invention provides systems and methods for secure transaction management and electronic rights protection. Electronic appliances such as computers equipped in accordance with the present invention help to ensure that information is accessed and used only in authorized ways, and maintain the integrity, availability, and/or confidentiality of the information. Such electronic appliances provide a distributed virtual distribution environment (VDE) that may enforce a secure chain of handling and control, for example, to control and/or meter or otherwise monitor use of electronically stored or disseminated information. Such a virtual distribution environment may be used to protect rights of various participants in electronic commerce and other electronic or electronic-facilitated transactions. Distributed and other operating systems, environments and architectures, such as, for example, those using tamper-resistant hardware-based processors, may establish security at each node.
    Type: Grant
    Filed: May 30, 2002
    Date of Patent: May 23, 2006
    Assignee: Intertrust Technologies Corp.
    Inventors: Karl L. Ginter, Victor H. Shear, Francis J. Spahn, David M. Van Wie
  • Patent number: 7046807
    Abstract: Data administration method which prevents the infringement of a copyright by encrypting and distributing digital content, and readily grasps which contents are contained in the digital content included in the data. Preparing symbol information symbolized so as to visually and auditorily recognize the contents of the digital content that conduct distribution (Step S12), embedding the symbol information in a header data section (Step S13), encrypting the digital content (Step S15), embedding consent information including the information on the contents key in the header data section as an electronic watermark (Step S16), and compositing the real data section and the consent-information-added header data section and distributing the composite data (Step S17).
    Type: Grant
    Filed: March 20, 2001
    Date of Patent: May 16, 2006
    Assignee: Fujitsu Limited
    Inventors: Hideyuki Hirano, Shinji Hashimoto, Eiki Hattori, Shigetoshi Mochizuki
  • Patent number: 7043453
    Abstract: A method and apparatus for establishing a secure communications channel between a first repository and a second repository using a repository transaction protocol. A registration identifier and registration message including an identification certificate, and an identifier of a master repository that encrypted the identification certificate are generated by the first repository. The registration identifier and message are sent to the second repository and the identity of the first repository is verified by verifying the identification certificate. Messages containing at least one session key are exchanged between the first and second repositories and usage transactions related to a digital work are conducted between the first repository and the second repository using the session keys.
    Type: Grant
    Filed: April 15, 2003
    Date of Patent: May 9, 2006
    Assignee: ContentGuard Holdings, Inc.
    Inventors: Mark J. Stefik, Peter L. T. Pirolli
  • Patent number: 7031472
    Abstract: A playback instructing unit in a disk playback controller has a function to instruct a CPU to play back an optical disk at different access positions in an absolute authentication process and an arbitrary authentication process. An absolute decision unit has a function to be activated by an absolute authentication instruction from the playback instructing unit and authenticate the decided result from an authentication decision means according to a first rule (which declares normal authentication based on a normal decision). An arbitrary decision unit has a function to be activated by an arbitrary authentication instruction from the playback instructing unit and authenticate the decided result from the authentication decision unit according to a second rule (which declares normal authentication based on an abnormal decision).
    Type: Grant
    Filed: September 23, 1999
    Date of Patent: April 18, 2006
    Assignee: Sony Computer Entertainment Inc.
    Inventor: Shinji Noda