Abstract: Techniques are described relating to coordinating asynchronous communication among a plurality of client microservices in a managed services domain of a cloud computing environment. An associated computer-implemented method includes receiving at a single request topic queue of a message broker application programming interface (API) at least one message associated with a topic from at least one publisher microservice among the plurality of client microservices. The method further includes identifying an authorization identification parameter included in each of the at least one message. The method further includes publishing each of the at least one message to a respective bucket within a single response topic queue of the message broker API, the respective bucket corresponding to one of at least one subscriber microservice among the plurality of client microservices associated with the authorization identification parameter included in the message.

Abstract: A system for preserving charging event messages in a mobile telecommunications network when a charging server is unavailable includes a message broker comprising persistent storage. The system also includes a network element that generates a charging event message, attempts to send the charging event message to a charging server, and writes the charging event message to the message broker in response to determining that the attempt to send the charging event message to the charging server has failed. The system also includes a replay agent that subscribes to the message broker for notifications associated with the charging server, receives a notification from the message broker about the charging event message, reads the charging event message from the message broker, and causes the charging event message to be sent to the charging server when the charging server is available.

Abstract: Systems and methods for encrypted processing are provided. For example, an apparatus for encrypted processing includes: an input interface adapted to receive input from a device; an encrypted processor connected to the input interface; a program store control connected to the encrypted processor, the program store control controlling use of and access to at least two program stores, where at least one program store acts as a primary program store and at least one program store acts as a back-up program store; and an output interface connected to the encrypted processor for outputting at least one of commands or data; where the encrypted processor is programmed to: receive and validate a request; determine whether a valid request is a program update request for a first program; and initiate a lock mechanism into a locked state.

Abstract: Systems and methods for encrypted processing are provided. For example, an apparatus for encrypted processing includes: an input interface adapted to receive input from a device; an encrypted processor connected to the input interface; a program store control connected to the encrypted processor, the program store control controlling use of and access to at least two program stores, where at least one program store acts as a primary program store and at least one program store acts as a back-up program store; and an output interface connected to the encrypted processor for outputting at least one of commands or data; where the encrypted processor is programmed to: receive and validate a request; determine whether a valid request is a program update request for a first program; and initiate a lock mechanism into a locked state.

Abstract: Described is a system and method for propagating, synchronizing and expiring user specific information among multiple output devices. In some implementations, retention information is provided along with the user specific information and the output device and/or output device controller will determine when to expire the user specific information based on the retention information. In other implementations, the output device controller and/or output device may periodically request updates from other output devices, output device controllers and/or the inventory management system to determine whether to expire user specific information.

Abstract: The present invention relates to an arrangement for transmission of signal units to at least one receiver. The receiver is being arranged to receive a number of signal units within a frequency range and a comparator unit being arranged to make possible for at least a portion of the signal units to be forwarded or at least partially be blocked with respect to the receiver. A verification unit is arranged to verify that the forwarded signal units correspond to a corresponding signal unit in a memory. If the forwarded signal unit do not correspond to a corresponding signal unit in the memory the particular signal unit is being registered by means of a specific signal in a register unit.

Abstract: A communication device is described comprising a receiver configured to receive a message from a communication terminal indicating that the communication terminal requests a data service and indicating that a cost of providing the data service is to be associated with a provider of the data service and including security information; a determining circuit configured to determine, based on the security information, whether the communication terminal is authorized to be provided with the requested data service with a cost of providing the data service being associated with a provider of the data service; and a controller, configured to establish a communication connection for providing the data service and to associate a cost of the communication connection with the provider of the data service if the authorization has been successful.

Abstract: In a content protection scheme, and in response to a request for a content segment received by a server, the server generates and associates with the segment a message that confers entitlement to a session-specific key from which one or more decryption keys may be derived. The decryption keys are useful to decrypt the segment at runtime as it is about to be rendered by a player. Before delivery, the server encrypts the segment to generate an encrypted fragment, and it then serves the encrypted fragment (and the message) in response to the request. At the client, information in the message is used to obtain the session-specific key. Using that key, the decryption keys are derived, and those keys are then used to decrypt the received encrypted fragment. The decryption occurs at runtime. The approach protects content while in transit to and at rest in the client browser environment.

Abstract: Methods, devices, and computer program products facilitate the application of a content use policy based on watermarks that are embedded in a content. Watermark extraction and content screening operations, which can include the application of content usage enforcement actions, may be organized such that some or all of the operations can be conducted at different times by different devices. The watermark extraction results can be stored in a secure location and accessed by other devices at different times. These operations can be conducted by one or more trusted devices that reside in a home network. The home network can also include a gateway device that can coordinate the operations of the various network devices and/or delegate the various watermark extraction and content screening operations.

Abstract: The invention relates to a value-added service applied to the broadcasting of video programs or content and more particularly to mobile television (Mobile TV). The invention promotes service continuity during the broadcasting of programs having an undefined duration and the broadcasting of which has been subject to a Pay-Per-View type purchase.

Abstract: A data storage architecture for networked access by clients includes a file server capable of communication with the clients via the network, physical storage organized as a plurality of logical volumes, and an encryption device in communication with both the file server and the physical storage. The encryption device is operable in response to signaling from the file server, including an indication of a range of blocks of data, to cause encryption of the range of blocks with an encryption key that is unique within the physical storage. The encryption device includes nested tables mapping block ranges to encryption keys. Consequently, undesirable key sharing across files, file systems, and other units can be avoided down to the block level.

Abstract: A method for use in playing content that is made up of data includes establishing in a device a physical media storing a first portion of the data making up the content, receiving a streamed second portion of the data making up the content, wherein the second portion of the data includes essential information for reconstructing the content from the first portion of the data, and playing the content by combining the first portion of the data with the second portion of the data to correctly reconstruct the content. A method for use in enhancing security of content that is made up of data includes removing information from the data making up the content that is essential for playing the content.

Abstract: A system for managing license files comprises a memory operable to store a socket module. The system further comprises a processor communicatively coupled to the memory and operable to receive a command to open a license file, wherein the command is associated with a first user identifier. The license file is stored in a first remote node and is associated with a second user identifier. If the second user identifier matches the first user identifier, the processor is further operable to use the socket module to establish a socket connection with the first remote node. The processor is further operable to, using the socket connection, retrieve from the first remote node a file descriptor associated with the license file. The processor is further operable to apply an update to the license file, wherein the update is addressed according to the file descriptor. If the second user identifier does not match the first user identifier, the processor is further operable to prevent the updating of the license file.

Abstract: The present invention provides systems and methods for secure transaction management and electronic rights protection. Electronic appliances such as computers equipped in accordance with the present invention help to ensure that information is accessed and used only in authorized ways, and maintain the integrity, availability, and/or confidentiality of the information. Such electronic appliances provide a distributed virtual distribution environment (VDE) that may enforce a secure chain of handling and control, for example, to control and/or meter or otherwise monitor use of electronically stored or disseminated information. Such a virtual distribution environment may be used to protect rights of various participants in electronic commerce and other electronic or electronic-facilitated transactions. Distributed and other operating systems, environments and architectures, such as, for example, those using tamper-resistant hardware-based processors, may establish security at each node.

Abstract: Methods that facilitate automatic selection of service bearers in a mobile based on user-initiated policies and service-provider-initiated policies set forth in a policy document are described herein. The mobile device initially receives a policy document from either the mobile device manufacturer or the service provider before the mobile device is provisioned on a communications network. The mobile device user and the service provider may make subsequent changes to the policy document. When a user-initiated policy change conflicts with a service-provider-initiated policy, the user-initiated policy change is disregarded in favor of the service-provider-initiated policy. The mobile device automatically selects an appropriate bearer based at least on the availability of service bearers in the current environment and the policies set forth in the policy document.

Abstract: There is disclosed a media file distribution system and method. An asset management and delivery system and method for the distribution of digital files and data is provided. There are two major functions, with sub-functions within each. The system first serves as a fully automated management system for a company involved in video/file distribution, such as in video on demand (VOD) or other digital file industries. The system can ingest, prepare, schedule, transmit, track and report on any aspect of the business chain. Secondly, it also serves as a product for both content providers and recipients to be able to view, manage and run their entire content offering remotely from anywhere through the Internet.

Abstract: An integrated, modular array of administrative and support services are provided for electronic commerce and electronic rights and transaction management. These administrative and support services supply a secure foundation for conducting transaction-related capabilities over electronic networks, and can also be adapted to the specific needs of electronic commerce value chains. In one embodiment a Distributed Commerce Utility having a secure, programmable, distributed architecture provides these administrative and support services. The Distributed Commerce Utility may comprise a number of Commerce Utility Systems. These Commerce Utility Systems provide a web of infrastructure support available to, and reusable by, the entire electronic community and/or many of its participants. Different support functions can be collected together in hierarchical and/or networked relationships to suit various business models or other objectives.

Abstract: Provided are apparatuses, systems and methods for providing security services. The apparatus includes a network interface unit for transceiving data between a control device and a management device, a controller for controlling provision of services requested from the control device through the network interface unit when a permit time, during which a target of security service is allowed to be given services, is longer than a used time, during which predetermined services are provided to the target of security service, and a used time processing unit for updating the used time by reflecting time during which the services are provided. When security services are performed, services of a controlled device can be provided during the permitted time according to a user or a control device.

Abstract: A method for paying back customers for unused service units remaining after a billing cycle. A payback amount is determined by the product of the number of unused service units remaining and the payback rate amount. The payback amount credited to the customer is the calculated payback rate or a maximum payback amount, wherever is smaller. A total payback amount can be determined based on a combination of payback amounts for various services, including voice services, texting services, email services, and/or data storage services.

Abstract: A method for pairing a first element and a second element, wherein the first element and the second element form a first decoding system among a plurality of receiving decoding systems in a broadcasting network. Each receiving decoding system is adapted to descramble scrambled audiovisual information received over the broadcasting network. A first key unique in the broadcasting network is selected. A second key is determined according to the first key, such that a combination of the first key and the second key enables to decrypt broadcasted encrypted control data that is received to be decrypted by each receiving decoding system, the encrypted control data being identical for each receiving decoding system. The first key and the second key are assigned respectively to the first element and the second element.

Abstract: A self-service terminal comprises: a plurality of session initiation devices, each associated with an initiation token, so that a customer can initiate a transaction using one of a plurality of different initiation tokens. The terminal further comprises a plurality of session suppliers, each session supplier being associated with one of the session initiation devices, and each session supplier being operable: (i) to receive from its associated session initiation device, information from an initiation token provided by a customer, and (ii) to create an electronic access token based on the received information. The terminal also comprises a session supplier aggregate operable to receive an electronic access token from one of the session suppliers for each session to be created; and a session component operable (i) to receive the electronic access token from the session supplier aggregate and (ii) to create a session based on the received electronic access token.

Abstract: Systems and methods are disclosed for providing usage control of communication services within an end user device. A system in the network receives input from a controlling party defining usage restrictions for the end user device. The system then generates a usage control profile, and transmits the usage control profile to the end user device. The end user device then monitors activities in the device to identify a communication attempt (e.g., an incoming voice call). When a communication attempt is identified, the end user device processes the usage control profile to determine whether the communication attempt is authorized, and allows the communication attempt to continue if the attempt is authorized. If the attempt is not authorized, then the end user device blocks the communication attempt.

Abstract: The invention concerns a method for transmitting a flow of digital data and of controlled messages associated with said flow addressed to mobile terminals. The flow comprises successive bursts of data of encrypted contents with control words included in the control messages transmitted in parallel with said flow. The method is characterized in that it consists in inserting a control message in each transmitted burst of contents, said message containing at least one control word designed to decrypt the contents of said burst.

Abstract: In a procedure for delivering streaming media, a Client first requests the media from an Order Server. The Order Server authenticates the Client and sends a ticket to the Client. Then, the Client sends the ticket to a Streaming Server. The Streaming Server checks the ticket for validity and if found valid encrypts the streaming data using a standardized real-time protocol such as the SRTP and transmits the encrypted data to the Client. The Client receives the data and decrypts them. Copyrighted material adapted to streaming can be securely delivered to the Client. The robust protocol used is very well suited for in particular wireless clients and similar devices having a low capacity such as cellular telephones and PDAs.

Abstract: Embodiments include a method and system for monitoring usage of an encrypted broadcast service, such as an encrypted television program, in a secure client module such as a SIM card. An encrypted entitlement control message is received from a head-end system via the intermediary of a client device. A service identifier indicative of the encrypted broadcast service is obtained from the decrypted entitlement control message and, in dependence of the decrypted entitlement control message, status data being indicative of a status of the broadcast service is generated. The service identifier and the status data are stored in a memory of said secure client module and can be transmitted to an external server.

Abstract: A presence server includes a receiver to receive a variety of publishing and subscribe requests from a variety of sources; a plurality of elements to process the requests; and a presence manager to flexibly configure the elements as a function of the type of the requests received. A method for processing presence information includes receiving a variety of publishing and subscribe requests from a variety of sources; processing the requests with a plurality of elements; and configuring the elements as a function of the type of the requests received.

Abstract: A proprietary portable audio player system for protecting digital content copyrights, which includes a proprietary portable audio player, a web access interface, and an online music server. The proprietary portable audio player has a hardware unique device identity. The proprietary portable audio player has a playback token acquirement mode and uses a first transmission medium to link with the online music server to thereby obtain a playback token for a corresponding music file playback. The online music server pre-stores a plurality of music files with compression formats, a plurality of playback tokens, and a mapping table. When a playback token signal from the web access interface is received, the online music server accordingly issues a playback token corresponding to a specific music file, updates the mapping table, and sends the playback token to the proprietary portable audio player through the first transmission medium.

Abstract: A mobile communication terminal for efficient digital broadcasting conditional access and a method of the mobile communication terminal.

Abstract: A system, device and method for allowing protected content to be transferred to end user communication devices that support different digital rights management (DRM) formats or schemes than the DRM format of the content provider. The method includes providing a Limited Rights Issuer (LRI) that issues content and associated digital rights to one or more of the end user devices within a domain defined by a Domain Authority with which the LRI has registered. The Limited Rights Issuer also translates content and associated digital rights information from the DRM format of an upstream DRM system to the DRM format of a downstream DRM system, which includes the end user devices within the defined domain. The system allows select end user devices to enjoy interoperability of content protected under different DRM schemes, while allowing content providers to still maintain a suitable level of DRM protection for their content.

Abstract: The present invention provides systems and methods for secure transaction management and electronic rights protection. Electronic appliances such as computers equipped in accordance with the present invention help to ensure that information is accessed and used only in authorized ways, and maintain the integrity, availability, and/or confidentiality of the information. Such electronic appliances provide a distributed virtual distribution environment (VDE) that may enforce a secure chain of handling and control, for example, to control and/or meter or otherwise monitor use of electronically stored or disseminated information. Such a virtual distribution environment may be used to protect rights of various participants in electronic commerce and other electronic or electronic-facilitated transactions. Distributed and other operating systems, environments and architectures, such as, for example, those using tamper-resistant hardware-based processors, may establish security at each node.

Abstract: A group authentication method adaptable to a communication system is disclosed. The communication system includes a user group, a serving network, and a home network. The user group includes at least one mobile station. The home network pre-distributes a group authentication key to itself and all the mobile stations in the same user group and generates a mobile station authentication key for each mobile station. The home network generates a group list for recording related information of the user group. The home network has a database for recording the group list. The serving network has a database for recording the group list and a group authentication data received from the home network. The group authentication method includes following steps. The serving network performs an identification action to a mobile station. The communication system performs a full authentication action or a local authentication action according to the result of the identification action.

Abstract: In a procedure for delivering streaming media, a Client first requests the media from an Order Server. The Order Server authenticates the Client and sends a ticket to the Client. Then, the Client sends the ticket to a Streaming Server. The Streaming Server checks the ticket for validity and if found valid encrypts the streaming data using a standardized real-time protocol such as the SRTP and transmits the encrypted data to the Client. The Client receives the data and decrypts them. Copyrighted material adapted to streaming can be securely delivered to the Client. The robust protocol used is very well suited for in particular wireless clients and similar devices having a low capacity such as cellular telephones and PDAs.

Abstract: The invention proposes to divide a content to be transmitted via a network into a set of slices and to generate a set of files from this set of slices. The slices (or the files) are encrypted before downloading in such a way that the client cannot use the slice (or the file) before having acquired the associated decryption key. The invention thereby allows protecting a downloaded content on a slice-by-slice basis (or on a file-by-file basis) rather than protecting a downloaded content as a whole. The transmission (in download mode) between the server and the client is ruled by the HTTP protocol that is accepted by all firewalls and NAT. Consequently, the transmitted content is accessible for any client device that has access to the Web without restriction. Advantageously, the slices can be decoded independently of each other.

Abstract: Media content is received for a plurality of devices based on a user selection. The media content includes digital rights for the plurality of devices. The media content is transferred to at least one of the plurality of devices in accordance with the digital rights.

Abstract: Methods and apparatus in accordance with the present invention are operable to carry out certain functions including: receiving an encrypted program at a processing apparatus; transmitting a machine ID over a network to an administrator; receiving registration data over the network from the administrator in response to the machine ID; transmitting the registration data over the network to a distributor; receiving an encrypted decryption key and an encrypted virtual ID at the processing apparatus over the network from the distributor in response to the registration data; decrypting the encrypted decryption key using the virtual ID, and decrypting the encrypted program using the decryption key; re-encrypting the program using the virtual ID; and storing the encrypted virtual ID and the re-encrypted program in a first storage device.

Abstract: A CableCARD device for manipulation of a stream of data has an inband data input for receiving a stream of video data from a host, the stream of video data being encrypted and encoded according to a first coding. A decrypter decrypts the encrypted data. A transcoder transcodes the stream of video data to convert the stream of video data to a second coding, producing a transcoded data stream. An encrypter encrypts the transcoded data stream. An inband data output sends the encrypted transcoded data stream back to the host. This abstract should not be considered limiting, since other embodiments may incorporate more, fewer or different elements that those described in this abstract.

Abstract: Provided are apparatuses, methods, and user interfaces for requesting access to a program or service, receiving the requested program or service and displaying the requested program or service at a user terminal. In one example, a request for a period of time for access to the program or service is transmitted from a user terminal via a broadcast network. The period of time may be converted to a key decryption count corresponding to the period of time and key interval, the key interval being a period of time separating adjacent key stream messages in a key stream corresponding to a content data stream for the program or service. The encrypted program or service may be decrypted at the user terminal based on the period of access, key interval, and/or key decryption count.

Abstract: A present invention license reallocation system and method facilitates flexible and effective licensing distribution. The license reallocation system and method enables convenient movement of licensed information between hardware devices while ensuring appropriate compliance with license terms. An expired license indication is generated on license expiration. The expired license indication indicates that prior license keys associated with proprietary information are expired. Upon receipt of a valid expired license indication and expired license keys new license key(s) is issued presumably for a different hardware. A license serial number (LSN) that is both globally unique and mutable is utilized to generate license keys. In one embodiment, the license serial number includes system serial number (SSN) and an extension serial number (ESN).

Abstract: A method and system for surreptitiously detecting and analyzing sites suspected of transferring steganographic communications, is accomplished by analyzing a targeted site for steganographic communications via a server that directs a plurality of clients to analyze the targeted site. The clients are dispatched according to the objectives of the server and the data retrieved by previous clients, which have been directed to scan the site. The client's data is aggregated and analyzed to determine if a steganographic communication is present.

Abstract: A content reproduction system that allow the user to rent or purchase any desired contents for reproduction without depending on a predetermined type of information of the user. The content reproduction system includes: a recording medium storing a license ticket including an encrypted master key; and a reproduction apparatus that receives from the user a request for a selected content and the information of the selected content, acquires distribution content information corresponding to the selected content, stores it in association with the license ticket into the recording medium. When reproducing the content, the reproduction apparatus generates a content using an encrypted content decryption key and an encrypted content that are contained in the distribution content information, and using a master decryption key information corresponding to the distribution content information, and reproduces the generated content.

Abstract: A method for subscribing a service and distributing encryption key based on public-key encryption algorithm in a digital CATV system are disclosed. In accordance with an aspect of the present invention, there is provided a method including the steps of: a) generating a charged service application message; b) generating a session connection request message, signing based on a digital signature scheme with appendix on the session connection request message and transmitting to the head-end; c) generating a symmetric-based session key, signing a digital signature on the key, encrypting based on a public-key of the subscriber, transmitting the session key to the subscriber; decrypting the session key message, verifying the digital signature, extracting the session key from the session key message and storing at a Condition Access Module; and d) signing a digital signature on the charged service request message, encrypting using the extracted session key and transmitting to the head-end.

Abstract: An interactive television program guide for supporting programming blackouts is provided. In some embodiments, the interactive television program guide may unschedule the reminding and recording of blacked-out programs that have been scheduled by a user for reminding or recording. In some embodiments, the interactive television program guide may prevent a user from scheduling blacked-out programs for reminding and recording. In some embodiments, the interactive television program guide may prevent a user from ordering blacked-out pay-per-view programs. In some embodiments, the interactive television program guide may provide blackout information in information displays. In some embodiments, the interactive television program guide may provide replacement media for blacked-out programs.

Abstract: A license managing apparatus comprises an inputting device, an encrypting device for encrypting information inputted from the inputting device to produce encrypted information, and an outputting device for outputting the encrypted information. The encrypting device encrypts at least identification information of the game apparatus to be licensed and license condition information thereof to produce the foregoing encrypted information. The game apparatus includes an inputting device for inputting the outputted encrypted information, an encryption decoding device for decoding the inputted encrypted information, and a controller for controlling execution of a game program. The game apparatus further includes a storing device for storing identification information of the game apparatus, and a storing device for storing internal information.

Abstract: Methods and apparatuses for minimizing co-channel interference in communications systems are disclosed. A method in accordance with the present invention comprises scrambling a first header of the first signal using a first scrambling code, scrambling a second header of the second signal using a second scrambling code, and transmitting the first signal and the second signal with the scrambled first header and the scrambled second header over different channels of the communication system.

Abstract: Embodiments of the system may utilize a Knowledge Broadcasting System for specifying content metadata and locating Internet documents. In this instance embodiments of the invention comprise an improved manner of specifying the content of an Internet document in such a way that the users of the system are able to retrieve relevant Internet documents. This is accomplished using a three-tiered search engine where the first-tier is denoted as a category search, the second tier is denoted as a context search, and the third-tier is denoted as a keyword search. At each step relevant information is filtered out and the focus of the search is narrowed. In the general search, the user narrows the focus of the search by selecting a hierarchical definition.

Abstract: One embodiment of the invention relates to a management method for conditional access data processing by at least three decoders associated to a subscriber. These decoders include activation/deactivation means for conditional access data processing and local communication means structured to allow communication between the subscribers' decoders. This method comprises a reception step, a determination step, and a comparison step. In addition conditional access data processing by said first decoder (STB) is deactivated if the latter has not received messages from the required number of different decoders. Another embodiment of the invention relates to a decoder that allows the implementation of the method according to the invention and characterized in that it includes local communication means (10) structured to transmit messages to other decoders and to receive messages originating from said other decoders, and processing means for messages received by said local communication means (10).

Abstract: A computer implemented web based access control facility for a distributed environment, which allows users to request for access, take the request through appropriate approval work flow and finally make it available to the users and applications. This program also performs an automatic task of verifying the health of data, access control data as well as the entitlements, to avoid malicious user access. The system also provides an active interface to setup a backup, to delegate the duty in absence. Thus this system provides a comprehensive facility to grant, re-certify and control the entitlements and users in a distributed environment.

Abstract: Systems and methods of mitigating attacks, such as Denial of Service (DoS) attacks, in a communications network are presented. Source addresses of packets received at network devices are monitored in relation to known reliable addresses stored in a decision engine. If the source address, as stored in a source table, is known as being legitimate the packets are placed in a high priority queue for transmission at the highest rate. Packets with an unknown address are placed in a lower priority queue, the source address stored in a different source table, and the packet is serviced at a lower rate. Packets that become known to be legitimate are moved from the unknown table to the table from which high priority queues are serviced. In this way, an attacker that employs spoofing techniques is prevented from overtaxing network resources.

Abstract: The present invention provides for validating that one or more modules reside on the same machine. When a second module wishes to establish communication with a first module, a shared memory that is accessible by the modules—but inaccessible by modules outside the machine—is used to store random data. The first module listens on a transport address corresponding to the random data for communication activity. The second module retrieves the random data from the shared memory, and then uses this data for determining the appropriate transport address to send information to when establishing the communication with the first module.

Abstract: An input is ciphered in at least one of a sector forming circuit 13, a scrambling circuit 14, a header appendage circuit 15, an error correction encoding circuit 16, a modulation circuit 17 and a synchronization appendage circuit 18, used for processing input data for forming a recording signal. Not only key for ciphering itself in the circuits but also the information as to which of the circuits has been used for ciphering becomes the key for ciphering. This realizes ciphering difficult to decode by a simplified structure.