Abstract: A system and method for a distributed multi-processing security gateway establishes a host side session, selects a proxy network address for a server, uses the proxy network address to establish a server side session, receives a data packet, assigns a central processing unit core from a plurality of central processing unit cores in a multi-core processor of the security gateway to process the data packet, processes the data packet according to security policies, and sends the processed data packet. The proxy network address is selected such that a same central processing unit core is assigned to process data packets from the server side session and the host side session. By assigning central processing unit cores in this manner, higher capable security gateways are provided.

Abstract: A method for generating key information for mutual access among multiple computers, the method including configuring each of a plurality of computers to access common seed data, where the common seed data is the same for each of the computers, and configuring each of the computers to intercept a key generator request for computer-specific seed data and, in response to the request, provide the common seed data to the key generator in place of the computer-specific seed data, thereby enabling any of the computers to generate the same key information.

Abstract: A data object is stored in a hosted storage system and includes an access control list specifying access permissions for data object stored in the hosted storage system. The hosted storage system provides hosted storage to a plurality of clients that are coupled to the hosted storage system. A request to store a second data object is received. The request includes an indicator that the first data object stored in the hosted storage system should be used as an access control list for the second data object. The second data object is stored in the hosted storage system. The first data object is assigned as an access control list for the second data object stored in the hosted storage system.

Abstract: Systems and methods that facilitate securing data associated with a memory from security breaches are presented. A memory component includes nonvolatile memory, and a secure memory component (e.g., volatile memory) used to store information such as secret information related to secret processes or functions (e.g., cryptographic functions). A security component detects security-related events, such as security breaches or completion of security processes or functions, associated with the memory component and in response to a security-related event, the security component can transmit a reset signal to the secure memory component to facilitate efficiently erasing or resetting desired storage locations in the secure memory component in parallel and in a single clock cycle to facilitate data security. A random number generator component can facilitate generating random numbers after a reset based on a change in scrambler keys used by a scrambler component to descramble data read from the reset storage locations.

Abstract: One or more rights objects (RO) files may be used for storing RO's preferably in the protected area available only to authenticated users. A RO navigation file is stored preferably in an unprotected public area containing status bits, where each status bit identifies whether a location in a RO file contains a valid RO or not. Preferably, there is a one-to-one correspondence between the location for a RO in a RO file and a location in the RO navigation file for the status bit which identifies whether its corresponding location in the RO file contains a valid RO or not. Whether a particular location in a RO file contains a valid RO or not can be found by checking its corresponding status bit in the RO navigation file. By finding out whether a particular location in a RO file contains a valid RO or not in this manner, it is possible to delete ROs without having to go through an authentication process. The process of finding an empty slot in the RO file for storing a new RO is also simplified.

Abstract: A method, system, and computer usable program product for using a dual mode reader writer lock. A contention condition is detected in the use of a lock in a data processing system, the lock being used for managing read and write access to a resource in the data processing system. A determination of the data structure used for implementing the lock is made. If the data structure is a data structure of a reader writer lock (RWL), the data structure is transitioned to a second data structure suitable for implementing the DML. A determination is made whether the DML has been expanded. If the DML is not expanded, the DML is expanded such that the data structure includes an original lock and a set of expanded locks. The original lock and each expanded lock in the set of expanded locks forms an element of the DML.

Abstract: A system for broadcasting multiple public identities corresponding to the same apparatus. For example, each public identity may correspond to different operational environments, while none of the public identities disclose a private identity that uniquely and permanently identifies the apparatus. This allows apparatuses to keep their unique identity a secret while still being able to communicate with other apparatuses in various environments.

Abstract: A system and method for a distributed multi-processing security gateway establishes a host side session, selects a proxy network address for a server based on network information, and using the proxy network address to establish a server side session. The proxy network address is selected such that a same processing element is assigned to process data packets from the server side session and the host side session. The network information includes a security gateway network address and a host network address. By assigning processing elements in this manner, higher capable security gateways are provided.

Abstract: An information processing device includes: a receiving unit that receives a first random number from another information processing device; a generating unit that generates a second random number; a time-variant-key generating unit that generates a time variant key for encryption according to the second random number; an encrypting unit that encrypts the first random number with the time variant key; and a transmitting unit that transmits the first random number encrypted by the time variant key and the second random number to the other information processing device.

Abstract: A method and apparatus for performing a function based on an executable code in response to receiving a request including function parameters are described. The executable code may be validated when loaded in a memory according to a signature statically signed over the executable code. A data location in the memory for storing the function parameters may be determined according location settings included inside the executable code. A target code location for storing a copy of the executable code may be determined based on the location parameters and the determined data location. A function is performed by executing the executable code from the target code location referencing the stored function parameters.

Abstract: A method of transmitting data between a plurality of inter-connected elements. The method comprises receiving a message from a first element, said message comprising a routing key plus optionally a data payload. The routing key is processed to identify a plurality of said inter-connected elements, and data is transmitted to said identified plurality of inter-connected elements.

Abstract: A method for preventing a user from interpreting optional stored data information even when the user extracts the optional stored data, and an apparatus thereof. The apparatus for encrypting and processing data in a flash translation layer includes a flash memory and a controller. The flash translation layer searches at least one page of the flash memory storing the data when a write of optional data is requested from the controller, generates, corresponding to respective searched pages, a page key according to a predetermined encrypting function when the searched page supports an encryption, and encrypts and stores the data by the page key in the respective searched pages.

Abstract: A controlling device provides conditional access to secured content renderable by an appliance. The controlling device transmits a data frame to the appliance and encrypts at least a part of the data frame that includes data to be used by the appliance to provide access to the secured content. At the appliance a decryption key complimentary to the encryption key is used to decrypt the received the data frame. The appliance allows the secured content to be rendered only after the appliance determines that the data in the received, decrypted data frame includes the data the appliance requires to provide access to the secured content.

Abstract: Providing for analysis of artifacts of electronic devices to generate data that is substantially unique to a particular device or to a class of devices is described herein. In some aspects, analyzed artifacts are chosen based on reliable reproducibility of such data over many analyses. The substantially unique data can be associated with a particular electronic device(s) to distinguish such devices from other devices. In some aspects, the generated data is first transformed into an identifier, such as a number, word, string of data, etc., to distinguish the electronic device in remote communication, to provide a key in an encryption/decryption algorithm, and so on. The data can be reproduced by reanalyzing the artifacts, and thus need not be stored for future consumption, mitigating risks involved in storing sensitive data.

Abstract: A storage device has a storage medium, a key generator and a controller. The key generator generates an encryption/decryption key from selected bits of program code within the storage device. The controller controls access to the storage medium and applies the encryption/decryption key to encrypt and decrypt data written to or read from the storage medium.

Abstract: A method for secure communications. At least one encryption key can be generated based on a pass-phrase that associates a unique identifier of a client system with a customer. Customer data encrypted with the at least one encryption key can be received such that the customer data is uniquely associated with both the client system and with the customer. The client system cannot decrypt the customer data if the unique identifier of the client system is changed. The client system cannot decrypt the customer data if the customer is changed.

Abstract: A security system, method and device for use in a network for providing a real-time stream are provided. A server updates security association of a terminal device by periodically providing a key stream. When the key stream for changing the security association of the terminal device is received from the server, the terminal device updates stored key stream information after identifying at least one changed field in the key stream and performs a security policy with the server using the updated key stream information. When a security setting operation is performed through a stream notification periodically provided from the server, an unnecessary waste of system resources can be reduced by updating only a specific changed field through the stream notification and reducing the load of generating a security association table.

Abstract: The present invention relates to a mobile communication method in which a mobile station performs a handover from a handover source radio base station to a handover target radio base station. The mobile communication method includes the steps of: (A) acquiring, at the handover target radio base station, from the handover source radio base station or a switching center, a key for calculating a first key for generating a certain key used in a communication between the handover target radio base station and the mobile station; and (B) acquiring, at the handover target radio base station, from the switching center, a second key for calculating a first key for generating a certain key used in a communication between a next handover target radio base station and the mobile station.

Abstract: A data object is stored in a hosted storage system and includes an access control list specifying access permissions for data object stored in the hosted storage system. The hosted storage system provides hosted storage to a plurality of clients that are coupled to the hosted storage system. A request to store a second data object is received. The request includes an indicator that the first data object stored in the hosted storage system should be used as an access control list for the second data object. The second data object is stored in the hosted storage system. The first data object is assigned as an access control list for the second data object stored in the hosted storage system.

Abstract: A method, system, and computer usable program product for using a dual mode reader writer lock. A contention condition is detected in the use of a lock in a data processing system, the lock being used for managing read and write access to a resource in the data processing system. A determination of the data structure used for implementing the lock is made. If the data structure is a data structure of a reader writer lock (RWL), the data structure is transitioned to a second data structure suitable for implementing the DML. A determination is made whether the DML has been expanded. If the DML is not expanded, the DML is expanded such that the data structure includes an original lock and a set of expanded locks. The original lock and each expanded lock in the set of expanded locks forms an element of the DML.

Abstract: An embodiment relates generally to a method of preventing resource access conflicts in a software component. The method includes intercepting a lock operation in the software component and testing an associated lock type of the lock operation against a set of rules. The method also includes determining an action based on the associated lock type conflicting one of the rules of the set of rules.

Abstract: Techniques are described for using unique features of a storage medium for authentication of data as originating from the storage medium, and also for installing software and data to a storage medium in a way which inhibits unauthorized copying of the software and data to another storage medium. Cryptoprocessing keys are created using unique features of the storage medium such as location information related to storage of selected elements of a software installation on the storage medium, or alternatively defective block information relating to the storage medium. The cryptoprocessing keys are used to encrypt data for transmission to a remote server. The remote server uses the cryptoprocessing keys to decrypt the data and authenticates the data as having been encrypted with the correct keys. In order to control operation of software on a storage medium, location information unique to the storage medium is employed to create links between software modules comprising the software.

Abstract: Various embodiments include a method and system for configuring a smart energy network using an auxiliary gateway where an auxiliary gateway is capable of communicating with an energy services interface and a link key database. The auxiliary gateway, on a smart energy network, extracts the unique identifier from a communication related to the smart energy device. The auxiliary gateway may then use the unique identifier to retrieve the smart energy device information from the link key database and communicate the smart energy device information to the energy services interface. The energy services interface may then use the smart energy device information to decrypt a communication from the smart energy device or access manufacturer specific functionality of the smart energy device.

Abstract: An anti-tamper module is provided for protecting the contents and functionality of an integrated circuit incorporated in the module. The anti-tamper module is arranged in a stacked configuration having multiple layers. A connection layer is provided for connecting the module to an external system. A configurable logic device is provided for routing connections between the integrated circuit and the connection layer. Specifically, the configurable logic device is programmable to create logical circuits connecting at least one of the input/output connectors of the integrated circuit to at least one of the input/output connectors of the connection layer. Configuration information for programming the reconfigurable logic device is stored in a memory within the module.

Abstract: An encryption part or a decryption part of an encryption/decryption apparatus or a part common to both parts is used both for encryption and decryption of a datum to be stored and the encrypted memory content and for the generation of the address-individual key and the address-dependent key, respectively.

Abstract: An apparatus and method for performing cryptographic operations within microprocessor. The apparatus includes an instruction register having a cryptographic instruction disposed therein, a keygen unit, and an execution unit. The cryptographic instruction is received by a microprocessor as part of an instruction flow executing on the microprocessor. The cryptographic instruction prescribes one of the cryptographic operations, and also prescribes that a user-generated key schedule be employed when executing the one of the cryptographic operations. The keygen unit is operatively coupled to the instruction register. The keygen unit directs the microprocessor to load the user-generated key schedule. The execution unit is operatively coupled to the keygen unit. The execution unit employs the user-generated key schedule to execute the one of the cryptographic operations. The execution unit includes a cryptography unit.

Abstract: A method and an element of ciphering by an integrated processor of data to be stored in a memory, including applying a ciphering algorithm which is a function of a key specific to the integrated circuit and of an initialization vector, and of memorizing at least the ciphered data, the initialization vector depending at least on the address of storage of the data in the memory.

Abstract: Provided are a method and apparatus for secure communication between cryptographic systems using a Real Time Clock (RTC). The method and apparatus allow a transmitting cryptographic system to transfer partial RTC data and a receiving cryptographic system to restore entire RTC data, thereby minimizing data to be transferred between the cryptographic systems. The method includes: calculating a largest RTC deviation between a transmitting cryptographic system and a receiving cryptographic system; calculating the smallest number of bits of partial data on an RTC required for restoring entire data on the RTC on the basis of the calculated largest RTC deviation; calculating the partial RTC data on the basis of the calculated smallest number of bits of the partial RTC data; and transferring the calculated partial RTC data to the receiving cryptographic system.

Abstract: A block-level storage device is provided that implements a digital rights management (DRM) system. In response to receiving a public key from an associated host system, the storage device challenges the host system to prove it has the corresponding private key to establish trust. This trust is established by encrypting a secure session key using the public key. The host system uses its private key to recover the secure session key. The storage device may store content that has been encrypted according to a content key. In addition, the storage device may encrypt the content key using the secure session key.

Abstract: A method includes determining, at a first requesting component of an integrated circuit device, a first key value based on a first set of one or more bits of a first address associated with a first access request of the first requesting component. The method further includes transmitting the first key value from the first requesting component to a resource component of the integrated circuit device. The method also includes determining, at the resource component, an authorization of the first access request based on the first key value and a second set of one or more bits of the first address.

Abstract: A method for protecting data between a circuit and a memory is disclosed. The method generally includes the steps of (A) generating a particular address among a plurality of addresses for accessing a particular area among a plurality of areas in the memory, (B) determining a particular key among a plurality of keys associated with the particular area, (C) generating a cipher stream from both the particular address and the particular key and (D) modifying a data item with the cipher stream such that the data item is encrypted during a transfer between the circuit and the memory.

Abstract: A method and apparatus for restricting access of an application to computer hardware. The apparatus includes both an authentication module and a validation module. The authentication module is within the trusted firmware layer. The purpose of the authentication module is to verify a cryptographic key presented by an application. The validation module is responsive to the authentication module and limits access of the application to the computer hardware. The authentication modules may be implemented in software through a firmware call, or through a hardware register of the computer.

Abstract: A controller receives an encrypted media stream (“EMS”) and an identifier indicative of a selected content key from a headend. The EMS is encrypted with an encryption key and can be decrypted with a corresponding decryption key which is determinable from the selected content key. The controller receives indexes and content keys from the headend prior to receiving the EMS. Each index respectively corresponds to an identifier with one index corresponding to the identifier indicative of the selected content key. The content keys correspond to the indexes with one content key corresponding to the index corresponding to the identifier indicative of the selected content key. The controller selects the index corresponding to the identifier indicative of the selected content key upon receiving the EMS, determines the selected content key from the selected index, determines the decryption key from the selected content key, and decrypts the EMS with the decryption key.

Abstract: A security information implementation system includes a storage section 120a for storing first encrypted security information EDK (MK) provided by encrypting final security information DK according to internal security information MK and second encrypted security information EMK (CK) provided by encrypting the internal security information MK according to conversion security information CK and an LSI 120b including a seed generation section 131 for storing a first constant value containing address information on which a conversion seed is generated based and a second constant value and a third constant value on which a test conversion seed is generated based and outputting the first constant value and the second constant value or the third constant value as the conversion seed or the test conversion seed in response to a test signal and a mode setup value; a one-way function circuit 32 for converting the conversion seed or the test conversion seed output from the seed generation section 131 according to the f

Abstract: A method of operating a multi-level security system including the steps of providing a plurality of processors. At least some of said processors are equipped with a data card which permits simultaneous processing of different classification levels of information and the dynamic reallocation of processors to different classification levels.

Abstract: A television program ratings method and system includes transferring information associated with households from a cable provider to a ratings provider such that the ratings provider has access to information associated with sampled households and lacks access to information associated with non-sampled households. To this end, identity information and usage information associated with the households are respectively anonymized and encrypted. Knowledge of the identities of the sampled households enables the anonymized identity information and the encrypted usage information for the sampled households to be respectively de-anonymized and decrypted. The ratings provider knows which households are sampled households. As such, the ratings provider de-anonymizes and decrypts the information associated with the sampled households and then uses the de-anonymized and decrypted information to determine television program ratings.

Abstract: A method for protecting at least one first datum to be stored in an integrated circuit, including, upon storage of the first datum, performing a combination with at least one second physical datum coming from at least one network of physical parameters, and only storing the result of this combination, and in read mode, extracting the stored result and using the second physical datum to restore the first datum.

Abstract: A messaging system includes a first mailbox storage assigned to receive a message for the first processor and a first lock indicator having a first state to indicate that the first mailbox storage can receive a message and a second state to indicate that the first mailbox storage cannot receive a message. The system also includes a second mailbox storage assigned to receive a message for the second processor and a second lock indicator having a first state to indicate that the second mailbox storage can receive a message and a second state to indicate that the second mailbox storage cannot receive a message. The lock indicators are changed to their second state when a message is placed in their respective mailbox storage and are changes to their first state in response to its contents being read by the respective processor.

Abstract: A communication system comprises a covert channel detector. The covert channel detector can be used in a multi-level security system (MLS) or multiple single levels of security (MSLS). The covert channel detector detects covert channels in a cryptographic system. The cryptographic system can be used in a military radio system.

Abstract: A key management of cryptographic keys has a data package including one or more cryptographic keys that are transferred to a personal device 100 from a secure processing point 150 of a device assembly line in order to store device specific cryptographic keys in the personal device 100. In response to the transferred data package, a backup data package is received by the secure processing point 150 from the personal device 100, which backup data package is the data package encrypted with a unique secret chip key stored in a tamper-resistant secret storage 125 of a chip 110 included in the personal device 100. The secure processing point 150 is arranged to store the backup data package, together with an associated unique chip identifier read from the personal device 100, in a permanent, public database 170.

Abstract: Disclosed is a traffic encryption key (TEK) management method for automatically generating a TEK for a multicast or broadcast service by a base station to periodically update a TEK used by a subscriber station. The base station transmits the first Key Update Command message for updating a group key encryption key (GKEK) for encrypting the TEK and the second Key Update Command message for updating the TEK to the subscriber station to update the TEK. The base station establishes an M & B TEK Grace Time which is different from a TEK Grace Time established by the subscriber station, transmits the first message including a new GKEK to the subscriber station through a primary management connection before the M & B TEK Grace Time, and transmits the second message including a new TEK encrypted with the new GKEK thereto through a broadcast connection after the M & B TEK Grace Time.

Abstract: A sender's encrypted communication apparatus and a recipient's encrypted communication apparatus autonomously generate keys for encryption with respective key generators, store the generated encryption keys in respective encryption key memories, and store part of the generated encryption keys in respective authentication memories. The keys stored in the authentication memories are used for mutual authentication when the sender's encrypted communication apparatus and a recipient's encrypted communication apparatus are connected to each other.

Abstract: One embodiment of the present invention provides a system that manages secret keys for messages. During operation, the system receives a desired expiration time T from an encrypter, and possibly a nonce N, at a server that manages keys. If N is not sent by the encrypter, it is generated by a key managing server. Next, the system chooses a secret ST, with an expiration time close to T, and an identifier IDS from a database for which secret ST can be retrieved using the identifier IDS. If such an ST is not already in the database, the server generates a new ST and IDS. The system then calculates a hash H=h(N,ST), and sends H and IDS from the server to the encrypter. The encrypter then encrypts M with H to form {M}H, and communicates ({M}H, N, IDS) to a message reader. The message reader then sends N and IDS to the server. The server then uses IDS to lookup ST, recalculates H=h(N,ST), and sends H to the message reader, thereby enabling the message reader to decrypt {M}H to obtain M.

Abstract: A method and a circuit for extracting a secret datum from an integrated circuit taking part in an authentication procedure that uses an external device that takes this secret datum into account, the secret datum being generated on request and made ephemeral.

Abstract: A method and an element for ciphering with an integrated processor data to be stored in a memory, including applying to each data block to be ciphered a ciphering algorithm which is a function of at least one key specific to the integrated circuit, and before applying the ciphering algorithm thereto, combining the data block to be ciphered with the result of a function of the storage address of the ciphered block in the memory, and/or of combining the key with the result of a function of the storage address of the ciphered block in the memory and of a digital quantity different from the ciphering key.

Abstract: A method and a circuit of generation of several secret quantities by an integrated circuit according to the destination of these secret quantities, including taking into account a first digital word forming a single identifier of the integrated circuit chip and coming from a physical parameter network, and of individualizing this identifier according to the application.

Abstract: A method for re-encrypting encrypted data in a secure storage file system, including obtaining selected data to re-encrypt from the secure storage file system using a user data access record and the encrypted data, decrypting the selected data using a symmetric key, re-encrypting the selected data using a new symmetric key to obtain new encrypted data, encrypting the new symmetric key using a public key to obtain a new encrypted symmetric key, storing the new encrypted data and the new encrypted symmetric key if the public key is associated with a file system user having read permission, and storing an encrypted hash data if the file system user has write permission.

Abstract: A communications system in which a sending computer encrypts a message using a key associated with the computer which is to receive the message; and the receiving computer uses a key associated with the sending computer in the decryption process. The sending computer is equipped with a set of keys and each key within the set may be used for the encryption process, depending on the destination of the message; and the receiving computer chooses its key based on who the sending computer is.

Abstract: A memory device containing data to be protected is integrated with a microprocessor and includes a first and a second memory portion with different accessibilities. The integration of the memory device on the same integrated circuit (IC) or chip as the microprocessor permits a combination of protective hardware and software measures that are not possible with a memory device that is on a different IC than the microprocessor. The first memory portion holds an initialization program that also serves as a boot program during decryption, and the second memory portion holds a user program, for example, a program for decrypting and/or decoding received data. Such data may be, for example, audio data encoded according to the MP3 standard and encrypted with a secret or public password against unauthorized reception.

Abstract: Methods and apparatus are presented for providing local authentication of subscribers traveling outside their home systems. A subscriber identification token 230 provides authentication support by generating a signature 370 based upon a key that is held secret from a mobile unit 220. A mobile unit 220 that is programmed to wrongfully retain keys from a subscriber identification token 230 after a subscriber has removed his or her token is prevented from subsequently accessing the subscriber's account.