Miscellaneous Patents (Class 380/59)
  • Patent number: 8079078
    Abstract: An encryption apparatus capable of effectively preventing encryption data from being illegally generated is provided. Based on apparatus identification data of an integrated circuit (IC), which is input from a computer, a secure application module (SAM) selects an encryption method from among a plurality of different encryption methods. Based on the code of the IC, the SAM selects plaintext data to be encrypted from among the plurality of different pieces of plaintext data. The SAM outputs encryption data such that the selected plaintext data is encrypted by the selected encryption method.
    Type: Grant
    Filed: December 30, 2004
    Date of Patent: December 13, 2011
    Assignee: Sony Corporation
    Inventors: Hideo Yamamoto, Naofumi Hanaki, Katsuyuki Teruyama, Tomohiko Nagayama, Masahiro Sueyoshi, Yoshiaki Hirano
  • Patent number: 8064598
    Abstract: A data blob has an operator's certificate that specifies a network. The data blob is encrypted by the network using a private key that authenticates that a user device owns a MAC address. The network sends the encrypted data blob to the user device, which decrypts it using a private key that is locally stored in the user device. From that the user device obtains the operator's certificate, locks the user device to a network specified by the operator's certificate, and sends a response message signed with the private key. The network grants access to the user device based on the signed response message. Various embodiments and further details are detailed. This technique is particularly useful for a WiMAX or WLAN/WiFi network in which there is no SIM card to lock the device to the network.
    Type: Grant
    Filed: February 26, 2008
    Date of Patent: November 22, 2011
    Assignee: Nokia Corporation
    Inventors: Antti Vaha-Sipila, Jarkko Oikarinen
  • Patent number: 8063800
    Abstract: An encoding method comprises generating a character map of an alphanumeric character string, identifying runs of like character type symbols in sequential positions, and removing the runs of character type symbols from the character map. The center for the center infix run is determined, and the characters of each character type are encoded into binary encoded substrings. A decoding method comprises parsing the one or more run fields in the alphanumeric header to determine a number of characters of each type of a plurality of character types represented in the binary encoded string, generating a character map having a string of character type symbols representing the binary encoded string, including determining a reduced character map, centering the character type symbols for a center infix run about the center of the reduced character map, completing a final character map, and decoding each binary encoded string.
    Type: Grant
    Filed: October 20, 2008
    Date of Patent: November 22, 2011
    Assignee: Symbol Technologies, Inc.
    Inventor: Frederick Schuessler
  • Patent number: 8060752
    Abstract: Sampling and transforming (“twisting”) of biometric data are performed at client based on information known at client only. Twisting includes shuffling the arrays of biometric data and may include changing of values in these arrays. Twisted biometric data are submitted to server. Amount of information contained in twisted data is enough to verify and/or identify the client using proposed correlation procedure, however, is not enough to restore the client's real biometrical data in case of interception of submitted data and in case of compromising security of server. As a result the privacy of the client is guaranteed in the highest degree.
    Type: Grant
    Filed: December 2, 2003
    Date of Patent: November 15, 2011
    Inventor: Victor Gorelik
  • Patent number: 8056122
    Abstract: A user authentication method of authenticating a user on an on-line basis using a user's e-mail address and hardware information is provided. The user authentication method includes the steps of: transmitting a user's authentication client platform hardware information and e-mail address to an authentication server module through an authentication client module installed in the authentication client platform; and the authentication client module determining user authentication according to whether or not the e-mail address and hardware information received from the authentication server module is identical to user's e-mail address and hardware information stored in an authentication database. A user's authentication request and authentication is confirmed through an e-mail in the case that authentication fails in the primary authentication process. The user authentication method performs authentication by using a user's hardware information and e-mail address, the uniqueness of which is verified.
    Type: Grant
    Filed: May 26, 2003
    Date of Patent: November 8, 2011
    Assignee: Fasoo.com Co., Ltd.
    Inventors: Ku Gon Cho, Ho Gab Kang, In Gee Kim, Kyu Soo Kim
  • Patent number: 8056124
    Abstract: A method and system for creating security policies for firewall and connection policies in an integrated manner is provided. The security system provides a user interface through which a user can define a security rule that specifies both a firewall policy and a connection policy. After the security rule is specified, the security system automatically generates a firewall rule and a connection rule to implement the security rule. The security system provides the firewall rule to a firewall engine that is responsible for enforcing the firewall rules and provides the connection rule to an IPsec engine that is responsible for enforcing the connection rules.
    Type: Grant
    Filed: July 15, 2005
    Date of Patent: November 8, 2011
    Assignee: Microsoft Corporation
    Inventors: Charles D. Bassett, Eran Yariv, Ian M. Carbaugh, Lokesh Srinivas Koppolu, Maksim Noy, Sarah A. Wahlert, Pradeep Bahl
  • Patent number: 8051471
    Abstract: An information processing device, comprising a reading unit that reads, from a recording medium that records information relevant to authentication, the information relevant to authentication, an acquisition unit that acquires information about a contact destination designated in association with the recording medium, when reading of the information from the recording medium by the reading unit remains continuously possible during a period of time between completion of a process instructed by a user who is authenticated based on the information recorded in the recording medium and elapse of a predetermined period of time after the completion, and a transmission unit that sends predetermined information to the contact destination specified by the acquired information.
    Type: Grant
    Filed: May 31, 2007
    Date of Patent: November 1, 2011
    Assignee: Fuji Xerox Co., Ltd.
    Inventor: Rie Shishido
  • Patent number: 8037311
    Abstract: A digital watermark is added to audio or visual content. An illustrative embodiment segments the content, permutes the segments, and transforms such data into another domain. The transformed data is altered slightly to encode a watermark. The altered data can then be inverse-transformed, and inverse-permuted, to return same to substantially its original form. Related watermark decoding methods are also detailed, as are ancillary features and techniques.
    Type: Grant
    Filed: April 2, 2007
    Date of Patent: October 11, 2011
    Assignee: Digimarc Corporation
    Inventors: Andrew Johnson, Michael Biggar
  • Patent number: 8015614
    Abstract: An information security device is provided that, when information is circulated through a chain, permits changing of a usage rule for the information or collection (deletion) of the information after the circulation. An information security device (200) includes: a receiving unit (201) that receives a content and a collection command; a content storing unit (202) that stores a content and its usage rule; a collection command confirmation unit (203) that checks the validity of a received collection command; a content deletion unit (204) that deletes a content; a chain information storage unit (205) that stores chain information containing sending and receiving information of a content; a destination list storage unit (206); a sending unit (207) that sends a content and a collection command; and a control unit (208) that controls the processing for a collection command. When a collection command is sent after content distribution, the content can be collected (deleted) in the destination of circulation.
    Type: Grant
    Filed: June 9, 2006
    Date of Patent: September 6, 2011
    Assignee: Panasonic Corporation
    Inventors: Natsume Matsuzaki, Kaoru Yokota, Masao Nonaka
  • Patent number: 7996673
    Abstract: A system for encrypting and decrypting messages using a browser in either a web or wireless device or secure message client software for transmission to or from a web server on the Internet connected to an email server or message server for the situation where the sender does not possess the credentials and public key of the recipients. The encryption and decryption is conducted using a standard web browser on a personal computer or a mini browser on a wireless device, or message client software on either a personal computer or wireless devices such that messages transmitted to the web or wireless browser or message client software can be completed and encrypted and signed by the user such that encrypted and signed data does not require credentials and public key of the recipients. A method for delivering and using private keys to ensure that such keys are destroyed after use is also provided.
    Type: Grant
    Filed: May 12, 2004
    Date of Patent: August 9, 2011
    Assignee: Echoworx Corporation
    Inventors: Viatcheslav Ivanov, Qinsheng Lai, Michael Graves Mansell, Michael Albert Roberts, Joseph Dominic Michael Sorbara
  • Patent number: 7987370
    Abstract: A digital watermark is added to audio or visual content. An illustrative embodiment segments the content, permutes the segments, and transforms such data into another domain. The transformed data is altered slightly to encode a watermark. The altered data can then be inverse-transformed, and inverse-permuted, to return same to substantially its original form. Related watermark decoding methods are also detailed, as are ancillary features and techniques.
    Type: Grant
    Filed: November 14, 2007
    Date of Patent: July 26, 2011
    Assignee: Digimarc Corporation
    Inventors: Andrew Johnson, Michael Biggar
  • Patent number: 7987494
    Abstract: A method, apparatus and computer program product for providing protection for a document is presented. Document content of the document is obtained. An occurrence of a security code within the document content is detected, the security code associated with the document content. A security policy associated with the security code is identified. The identified security policy is then applied to the document content.
    Type: Grant
    Filed: December 19, 2005
    Date of Patent: July 26, 2011
    Assignee: Adobe Systems Incorporated
    Inventor: James Donahue
  • Patent number: 7987497
    Abstract: Several embodiments of the present invention provide a means for improving data access security in computer systems to support high-security applications, and certain of these embodiments are specifically directed to providing sector-level encryption of a virtual hard disk in a virtual machine environment. More specifically, certain embodiments are directed to providing sector-level encryption by using plug-ins in a virtual machine environment, thereby providing improved data access security in a computer system that supports high-security applications. Certain embodiments also use encryption plug-ins associated with standard encryption software for exchanging data between a virtual machine (VM) and its associated virtual hard drive(s) (VHDs). Moreover, several embodiments of the present invention are directed to the use of plug-in encryption services that interface with, and provide services for, a VM via a VM Encryption API (or its equivalent).
    Type: Grant
    Filed: March 5, 2004
    Date of Patent: July 26, 2011
    Assignee: Microsoft Corporation
    Inventors: Aaron Giles, Eric P. Traut, Rene Antonio Vega
  • Patent number: 7978850
    Abstract: A method of manufacturing a device containing a key is disclosed. The method generally includes the steps of (A) fabricating a chip comprising a random number generator, a nonvolatile memory and a circuit, (B) applying electrical power to the chip to cause the random number generator to generate a signal conveying a sequence of random numbers, (C) commanding the chip to program a first arbitrary value among the random numbers into the nonvolatile memory, wherein the device is configured such that the first arbitrary value as stored in the nonvolatile memory is unreadable from external to the device and (D) packaging the chip.
    Type: Grant
    Filed: July 31, 2007
    Date of Patent: July 12, 2011
    Assignee: LSI Corporation
    Inventor: Anton I. Sabev
  • Patent number: 7966491
    Abstract: A central server in a network of a hybrid peer to peer type, receives a request from a client for obtaining a digital document, where the request contains a reference of the digital document. The server selects a peer system of the network likely to contain the digital document, and generates an access key for controlling access to the digital document by the client, where the access key is generated by an encrypting method using a private key of the central server, a current time when the encrypting method is executed and an address of the client on the network. The server then sends a message to the client, where the message has the reference of the digital document, an address of the selected peer system on the network and the generated access key.
    Type: Grant
    Filed: June 2, 2004
    Date of Patent: June 21, 2011
    Assignee: Canon Kabushiki Kaisha
    Inventors: Eric Nassor, Frédéric Maze, Pascal Viger
  • Patent number: 7932851
    Abstract: A method and apparatus for generating a data structure to be embedded in a ranging signal or in a synchronization preamble of a digital signal are disclosed. In a preferred embodiment, a plurality of blocks 0 through i, where i is an integer, are formed from random sequences of components A0 to Ai, each of the components being N bits, and each block including A0 through Ai components. A plurality of random sequences of components B0 through Bi, where i is an integer, of 2N bits is also formed. The components A0 through Ai in blocks 0 to i are formed into a matrix and the polarities of the components A0 through Ai are made to correspond to the polarities of a Hadamard matrix. The components A0 through Ai of each block are randomly permuted with components B0 through Bi. When the permuted components of the blocks are embedded in a ranging signal or in a synchronization preamble of a signal, the blocks will appear to an unauthorized user of the signal as being unrelated.
    Type: Grant
    Filed: October 15, 2002
    Date of Patent: April 26, 2011
    Assignee: ITT Manufacturing Enterprises, Inc.
    Inventor: James M. Clark
  • Patent number: 7913309
    Abstract: Information rights management (IRM) systems enable information to be protected after it has been accessed by or delivered to an authorized individual. For example, this might be to allow an email to be viewed for a limited time by specified individuals but to prevent that email from being forwarded. However, existing IRM systems are limited in the situations in which they may operate. An IRM server is provided which communicates with one or more policy evaluators which are independent of the IRM server. Results from the different policy evaluators may be combined by the IRM server and one or more identity providers may be used in conjunction with each policy evaluator. By enabling the IRM server to act as a broker between authors, recipients and policy evaluators situations in which IRM systems may operate are greatly extended.
    Type: Grant
    Filed: June 13, 2007
    Date of Patent: March 22, 2011
    Assignee: Microsoft Corporation
    Inventors: Dmitry V Starostin, Joris Claessens, Alexey Orlov
  • Patent number: 7908640
    Abstract: A data handling apparatus (400) for a computer platform (1) using an operating system executing a process, the apparatus comprising a system call monitor (402) for detecting predetermined system calls, and means (402, 404, 406) for applying a data handling policy to the system call upon a predetermined system call being detected, whereby the data handling policy is applied for all system calls involving the writing of data outside the process. A corresponding method is disclosed.
    Type: Grant
    Filed: January 26, 2004
    Date of Patent: March 15, 2011
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Yolanta Beresnevichiene, David Plaquin, Christopher I. Dalton
  • Patent number: 7908663
    Abstract: The present invention provides methods for using abstractions of people, including dynamic and static groups of people, to enhance the efficiency of the specification and automation of policies for sharing information between users with a “need-to-know.” An instance of the present invention can also provide these users information based on a “time-to-know.” By providing access to information based on group affiliation and properties of the content of the information, the present invention maintains optimal information privacy while minimizing encumbrances to sharing data with appropriate users and even at appropriate times. The present invention can be integrated with other communication technologies to facilitate access to information in a time appropriate manner. Other instances of the present invention employ automated and semi-automated, mixed-initiative techniques, to make information-sharing decisions.
    Type: Grant
    Filed: April 20, 2004
    Date of Patent: March 15, 2011
    Assignee: Microsoft Corporation
    Inventors: Eric J Horvitz, Jonathan T Grudin, Prasun Dewan
  • Patent number: 7904949
    Abstract: Authentication credentials from legacy applications are translated to Kerberos authentication requests. Authentication credentials from the legacy application are directed to an authentication proxy module. The authentication proxy module acts as a credential translator for the application by receiving a set of credentials such as a user name and password, then managing the process of authenticating to a Kerberos server and obtaining services from one or more Kerberized applications, including Kerberos session encryption. A credential binding module associates a user corresponding to authentication credentials from a legacy authentication protocol with one or more Kerberos credentials. Anonymous authentication credentials may be translated to authentication requests for a network directory services object, such as a computer object or service object.
    Type: Grant
    Filed: December 19, 2005
    Date of Patent: March 8, 2011
    Assignee: Quest Software, Inc.
    Inventors: John Joseph Bowers, Matthew T Peterson
  • Patent number: 7900263
    Abstract: According to one embodiment, a content recording apparatus is connected with a permission server that permits recording of content through a network. The content recording apparatus reads content encrypted based on a first encryption scheme and binding information from a disposed second recording medium, and uses the binding information to decode the read content encrypted based on the first encryption scheme. The content recording apparatus uses the permission server to authenticate permission of recording of the content, encrypts the decoded content based on a second encryption scheme when recording of the content is permitted, and records the content encrypted based on the second encryption scheme and the binding information in the first recording medium.
    Type: Grant
    Filed: April 9, 2009
    Date of Patent: March 1, 2011
    Assignee: Kabushiki Kaisha Toshiba
    Inventor: Junichi Yoshizawa
  • Patent number: 7900049
    Abstract: A method of recognizing an audio and/or visual format in a digital transmission network such as the Internet wherein formats include a quasi-continuous or divided in packets sequence of data, at least part of the sequence of data is analyzed for the presence of one or more bit patterns, and a notice is given in response to recognition of a predetermined format in an analyzed bit pattern.
    Type: Grant
    Filed: February 27, 2002
    Date of Patent: March 1, 2011
    Assignee: Mayah Communications GmbH
    Inventors: Detlef Wiese, Georg Plenge, Joerg Rimkus
  • Patent number: 7894599
    Abstract: A computerized method, program product, and a service to protect critical data by first splitting the data into N streams. A partitioning algorithm is applied to each stream to remove a portion of the data, the portion removed from one stream being included in another stream. Each stream is then encrypted with its own encryption key. Each encrypted stream plus at least two encryption keys not used to encrypt a particular encrypted stream are stored in a separate and unique memory location, such as a different server having its own security access procedures that are different from other servers and which may be located in different cities or countries. Retrieval of the data requires a program to know the memory locations of the data streams, and the inverse of the partitioning algorithm. Accessing one memory location may yield an encrypted stream and at least one encryption key for a different stream at a different memory location.
    Type: Grant
    Filed: December 4, 2006
    Date of Patent: February 22, 2011
    Assignee: International Business Machines Corporation
    Inventor: John A. Rigler
  • Patent number: 7895638
    Abstract: The invention relates to a protocol for disabling/erasing access rights to scrambled data. According to the invention, the access rights entered in an access control module comprise the following variables: right identification variable (R ID), action date variable (AD V) and right status variable (S V). The status variable can have one of three encoded values, namely enabled, disabled or erased right. The inventive protocol consists in: transmitting (A) at least one access right management message comprising the right identification variable (R IDx), the action date variable (AD Vx) and the status assignment variable (S Vx), the latter corresponding to an enabled, disabled or erased right; assigning (B) the action date (AD Vx) of the message to the action date (AD V) of the right entered; and allocating (C) the status assignment variable (S Vx) of the message, corresponding to an enabled, disabled or erased access right, to the status variable (S V) of the entered access right.
    Type: Grant
    Filed: March 6, 2003
    Date of Patent: February 22, 2011
    Assignee: Viaccess
    Inventors: Claudia Becker, André Codet, Pierre Fevrier, Chantal Guionnet
  • Publication number: 20110038552
    Abstract: In accordance with one or more aspects, at a first device both an indication of data to be copied and a request to perform graphical copying of the data is received. The data is graphically encoded to generate an image that is displayed by the first device. In a second device, a request to perform graphical pasting of data is received. The second device captures the image displayed by the first device and decodes data graphically encoded in the image. The decoded data is pasted to a location of the first device.
    Type: Application
    Filed: August 14, 2009
    Publication date: February 17, 2011
    Applicant: MICROSOFT CORPORATION
    Inventor: Wilson H. Lam
  • Patent number: 7890744
    Abstract: A content author provides content to be displayed, including some content elements for which display is conditional on the state of the machine in which the content will be viewed. The conditional statements controlling the display of these content elements, in one embodiment refer to states provided by a state monitor. The state may refer to the state of any aspect of the viewing environment, including hardware, software, firmware, user preferences, software operating modes, and any other detectable state. The resulting content is optionally combined with other similar content via a structural transform. This content is transformed with a presentation transform. One of the transforms checks the states and resolves the conditional statements included by the content author. The result of the transforms is presentation data. A display of this presentation data includes the content which, according to the conditional statements and the state of the viewing environment is appropriate for display.
    Type: Grant
    Filed: April 7, 2004
    Date of Patent: February 15, 2011
    Assignee: Microsoft Corporation
    Inventors: Sridhar Chandrashekar, Dale E. Rogerson, J. Shane McRoberts, Wenlong Dong, Andrew D. Reddish
  • Patent number: 7886318
    Abstract: Media content is received for a plurality of devices based on a user selection. The media content includes digital rights for the plurality of devices. The media content is transferred to at least one of the plurality of devices in accordance with the digital rights.
    Type: Grant
    Filed: June 22, 2007
    Date of Patent: February 8, 2011
    Assignee: Morega Systems Inc.
    Inventors: Feng Chi Wang, Philip Poulidis
  • Patent number: 7881478
    Abstract: An access control method is described for an encrypted program transmitted by an operator to a plurality of groups of subscribers, where each group of subscribers has a group key KG, and each subscriber is able to receive from the operator an operating key KT, enciphered by the group key KG for decryption of the transmitted program. The method further involves linking the enciphered operating key KT to a random value R to generate a secret code, transmitting the secret code to subscribers prior to transmission of the encrypted program, and transmitting the random value R to subscribers for calculation of the operating key KT.
    Type: Grant
    Filed: June 10, 2002
    Date of Patent: February 1, 2011
    Assignee: Nagra Thomson Licensing
    Inventor: Odile Derouet
  • Patent number: 7865961
    Abstract: In a program execution method in which a program to be executed is stored in a central unit and a terminal unit acquires the program from the central unit and executes the program, when the central unit receives an acquisition request from the terminal unit, it creates a load module different from the program, which produces the same computation results and differs in the location where essential information is to be embedded, and transmits the load module to the terminal unit together with the essential information necessary for executing the program. The terminal unit receives the program, stores the program on a memory, and executes the program based on the embedded essential information. This method makes it difficult for malicious third parties to illegally execute the program by reverse analysis, and enhances the security of the load module to be executed.
    Type: Grant
    Filed: June 28, 2004
    Date of Patent: January 4, 2011
    Assignee: Fujitsu Limited
    Inventors: Eiji Hasegawa, Takuya Sakamoto
  • Patent number: 7861090
    Abstract: In an electric conference system using a large-screen display, presentation in an environment with a plurality of portable terminals connected is not taken into consideration. To do this, a host computer for an electric conference system is arranged to store a member ID to specify a terminal, generate a password, display the generated password on a large-screen display and make the password open to participants of a conference, authenticate the terminal on the basis of a member ID and a password, which are contained in a connection request received from the terminal, and process a command received from the terminal on the basis of the authentication result.
    Type: Grant
    Filed: June 7, 2004
    Date of Patent: December 28, 2010
    Assignee: Canon Kabushiki Kaisha
    Inventor: Tadashi Kimura
  • Patent number: 7856100
    Abstract: A method and system for collecting data from devices using a homomorphic encryption of the data is provided. A collection system of a device adds contributions to homomorphically encrypted data and forwards the requests to another device. When the device receives a reply to the request, it uncombines its contribution to the homomorphic encryption of the data. The device then forwards the reply to the previous device. The initiator device ultimately removes its contribution to the encryption and identifies the data.
    Type: Grant
    Filed: December 19, 2005
    Date of Patent: December 21, 2010
    Assignee: Microsoft Corporation
    Inventors: Jiahe Helen Wang, Qiang Huang, David Jao
  • Publication number: 20100310076
    Abstract: A method for performing double domain encryption is provided. In one embodiment a memory device receives content encrypted with a transport encryption key. The memory device decrypts the content with the transport encryption key and then re-encrypts the content with a key unique to the memory device. The memory device then stores the re-encrypted content in the memory device.
    Type: Application
    Filed: June 4, 2009
    Publication date: December 9, 2010
    Inventors: Ron Barzilai, Michael Holtzman
  • Patent number: 7840010
    Abstract: An interactive system for managing access via a communications network by one or more users to multiple secured Locations. The system comprises a plurality of entry control Devices assigned for use in gaining access to the Locations by multiple users with multiple keys assigned in a hierarchy to the Locations, a searchable database configured to store information on said keys and said entry control Devices, and Software stored on a readable medium and configured to produce a graphical hierarchy report on the keys depicting the hierarchy of the keys and their respectively assigned Locations and/or entry control Devices.
    Type: Grant
    Filed: December 19, 2005
    Date of Patent: November 23, 2010
    Assignee: Shield Security Systems, LLC
    Inventors: Scott M. Serani, Leslie S. McMillin, Charles D. Blish, III
  • Patent number: 7839999
    Abstract: An encryption device includes a first unit that acquires value information denoting a value of information to be encrypted, and a second unit that calculates a strength parameter denoting an encryption strength, based on the value information. It is thus possible to determine the strength parameter reasonably according to the information to be encrypted.
    Type: Grant
    Filed: March 11, 2005
    Date of Patent: November 23, 2010
    Assignee: Fuji Xerox Co., Ltd.
    Inventors: Koji Suzuki, Makoto Hirose, Naoki Hayashi, Atsuhito Monma
  • Patent number: 7836507
    Abstract: For achieving the protection of copyright, by suppressing illegal copy production thereof, in particular, when transmitting contents with using a wired or wireless LAN, as well as, for preventing the transmission of contents from deviating from a range of a personal use thereof, a contents transmitter apparatus and a contents receiver apparatus make an authentication, mutually, before transmitting contents therebetween.
    Type: Grant
    Filed: May 17, 2004
    Date of Patent: November 16, 2010
    Assignee: Hitachi, Ltd.
    Inventors: Chiyo Ono, Hiroo Okamoto
  • Publication number: 20100287622
    Abstract: A system and method for preventing an application program, which is licensed to a customer to be exclusively executed in a processor based on a certain processor design, from being executed properly in unauthorized processors is provided. The system includes a scrambling module and a recovery module. The scrambling module scrambles a selected portion of the application program using an identifier which identifies the authorized processor design. The recovery module adds an unscrambling program to the application program such that when the program is running in a processor, it retrieves a second identifier from the processor and unscrambles the scrambled portion of the application program using the retrieved second identifier. If the second identifier does not correspond to an authorized processor design, the unscrambling operation will incorrectly unscramble the scrambled portion and the application program will not run properly.
    Type: Application
    Filed: May 7, 2009
    Publication date: November 11, 2010
    Inventors: Darin S. Petkov, Dror E. Maydan, Pushkar G. Patwardhan, Sachin P. Ghanekar, Samir S. Pathak
  • Patent number: 7822992
    Abstract: Content including links to behaviors (code which can be executed and return supplemental content for insertion, or can modify existing content) is stored, and at run-time, the links to behaviors are followed and the supplemental content or the modifications to existing comment are used to create a final version of content which will be presented to the user. Security enhancements including a security check ensure that only behaviors which are secure will be run. Default content may be provided, which may be inserted if the security check is not passed, or if the content returned from the behavior is unusable for some reason.
    Type: Grant
    Filed: April 7, 2004
    Date of Patent: October 26, 2010
    Assignee: Microsoft Corporation
    Inventors: Dale E. Rogerson, Sridhar Chandrashekar, J. Shane McRoberts, Wenlong Dong, Andrew D. Reddish, Praful Chavda
  • Patent number: 7805753
    Abstract: Restrictions on optical drive code changes, such as a predetermined number of region code changes for playing optical media with varying region codes, are enforced with an application solution. Each request to perform a region code change is authorized by retrieving a certificate to verify that a code change is permitted, decrementing the number of remaining authorized code changes reflected by the certificate, and storing the updated certificate for use at a subsequent code change request. The certificate is generated by application of one or more unique identifiers and encrypted during storage for security.
    Type: Grant
    Filed: September 20, 2006
    Date of Patent: September 28, 2010
    Assignee: Dell Products L.P.
    Inventors: Mujianto Rusman, George D. Kokkosoulis
  • Patent number: 7805761
    Abstract: A system and method are provided, whereby data that is easily re-created is separated from data that is not easily re-created, such that the easily re-created data can be disposed of based on a variety of events and the not easily re-created data can be kept in its original state. In one aspect of the invention, such easily re-created data is disposed of based on a “panic button” being pushed by a computer system user, such as when a user becomes aware that some malware has infected the computer system. In other aspects of the invention, such data is disposed of every time the computer system boots up, or detects via its anti-virus program that some malware is present. In other aspects of the invention, the easily re-created data can be rolled back or rolled forward without affecting the non-easily re-created data.
    Type: Grant
    Filed: April 29, 2005
    Date of Patent: September 28, 2010
    Assignee: Microsoft Corporation
    Inventors: Kenneth D. Ray, Paul England, Nathan T. Lewis, Michael David Marr
  • Patent number: 7805756
    Abstract: A system comprising a personal computer configured to operate with another computer connected to a network of computers. The personal computer includes a microchip having a microprocessor with a control unit and at least two processing units, the control unit being configured to allow a user of the personal computer to control the two processing units, and the microchip including a power management component. The personal computer includes an internal firewall configured to allow and/or deny access to portions of the microchip both to the user of the personal computer and to a user of the microchip from the network of computers during a shared use of the microchip; and the internal firewall is configured to deny access to portions of the microchip from the network of computers.
    Type: Grant
    Filed: March 17, 2004
    Date of Patent: September 28, 2010
    Inventor: Frampton E Ellis
  • Patent number: 7797549
    Abstract: There is a need in the computer software and data industries to protect content from unauthorized access to private information. Alphanumeric passwords have been shown to offer very weak protection. Biometrics (personal traits such as fingerprints and hand-written signatures) offer superior protection, but still have a number of weaknesses. The most significant weakness is that there is no existing way to protect the stored biometric data itself; and once a person's fingerprint data has been obtained by an attacker, the use of that fingerprint can no longer be considered secure. The invention solves the problem by securing the access software application that manages the biometric data using tamper-resistant encoding techniques. These tamper-resistant encoding techniques include: data-flow, control-flow, mass-data and white-box encoding.
    Type: Grant
    Filed: December 24, 2003
    Date of Patent: September 14, 2010
    Assignee: Cloakware Corporation
    Inventors: Alec Main, Harold J. Johnson
  • Patent number: 7788715
    Abstract: An embodiment of the invention incorporates, or encapsulates, authentication mechanisms into an initiation phase of a transmission protocol session. In a preferred embodiment, Extensible Authentication Protocol (EAP) authentication steps are included in the three-way handshake of a request to establish a Transmission Control Protocol/Internet Protocol (TCP/IP) session. An EAP authentication session request can be designated within the standard Transmission Control Protocol (TCP) segment by using unused flags in the segment header. Another way to designate the request is to include a predefined option value in the header.
    Type: Grant
    Filed: December 10, 2003
    Date of Patent: August 31, 2010
    Assignee: Cisco Technology, Inc.
    Inventor: Amir Naftali
  • Patent number: 7783039
    Abstract: In a digital recording apparatus including a data control circuit 2a, a memory 4, an encryption circuit 5, an interface 6, a DVD drive 8, and a CPU 3, when encryption is required during recording, data is temporarily stored in the memory 4. After the encryption circuit 5 is enabled, the data is encrypted and recording by the DVD drive 8 on a recording medium is resumed. Thus, it is possible to make the encryption circuit operate only when recording a program requiring a content protection and to perform recording or reproducing from the required timing without interrupting the recording or reproducing even during start-up of the encryption circuit.
    Type: Grant
    Filed: July 16, 2004
    Date of Patent: August 24, 2010
    Assignee: Mitsubishi Denki Kabushiki Kaisha
    Inventor: Tomoaki Ryu
  • Patent number: 7784097
    Abstract: Systems and methods for correlating and distributing intrusion alert information among collaborating computer systems are provided. These systems and methods provide an alert correlator and an alert distributor that enable early signs of an attack to be detected and rapidly disseminated to collaborating systems. The alert correlator utilizes data structures to correlate alert detections and provide a mechanism through which threat information can be revealed to other collaborating systems. The alert distributor uses an efficient technique to group collaborating systems and then pass data between certain members of those groups according to a schedule. In this way data can be routinely distributed without generating excess traffic loads.
    Type: Grant
    Filed: November 24, 2004
    Date of Patent: August 24, 2010
    Assignee: The Trustees of Columbia University in the City of New York
    Inventors: Salvatore J. Stolfo, Angelos D. Keromytis, Vishal Misra, Michael E. Locasto, Janak Parekh
  • Patent number: 7779463
    Abstract: Systems and methods for correlating and distributing intrusion alert information among collaborating computer systems are provided. These systems and methods provide an alert correlator and an alert distributor that enable early signs of an attack to be detected and rapidly disseminated to collaborating systems. The alert correlator utilizes data structures to correlate alert detections and provide a mechanism through which threat information can be revealed to other collaborating systems. The alert distributor uses an efficient technique to group collaborating systems and then pass data between certain members of those groups according to a schedule. In this way data can be routinely distributed without generating excess traffic loads.
    Type: Grant
    Filed: June 9, 2004
    Date of Patent: August 17, 2010
    Assignee: The Trustees of Columbia University in the City of New York
    Inventors: Salvatore J. Stolfo, Tal Malkin, Angelos D. Keromytis, Vishal Misra, Michael Locasto, Janak Parekh
  • Publication number: 20100201498
    Abstract: A system, method and program product for associating a biometric reference template with a RFID tag embedded in or attached to a physical object. The method includes coupling a RFID tag having a unique tag identifier to a physical object to be associated with an individual, providing a reference template having a unique reference template identifier that uniquely identifies biometric data pertaining to the individual and forming an association between the reference template and the tag, where the association provides a relationship, including a relationship type, between the object and the individual. In an embodiment, the forming step includes creating a biometric attribute in the tag for identifying the template identifier for the reference template or creating a tag attribute in the reference template, where the biometric attribute created in the tag and the tag attribute in the biometric application form an association between the object and the reference template.
    Type: Application
    Filed: February 12, 2009
    Publication date: August 12, 2010
    Applicant: International Business Machines Corporation
    Inventor: Phillip H. Griffin
  • Patent number: 7774620
    Abstract: Systems and methods that enable execution of applications at appropriate trust levels are described. These systems and methods can determine appropriate trust levels by comparing applications' permitted trust levels with their requested trust levels. These systems and methods can determine applications' permitted trust levels by comparing applications' execution locations with their published locations. Applications can also be executed at a restricted trust level at which potentially dangerous operations are prohibited.
    Type: Grant
    Filed: May 27, 2004
    Date of Patent: August 10, 2010
    Assignee: Microsoft Corporation
    Inventors: Nathaniel W. Stott, Amol S Kelkar, Brian G. O'Connor, Lee B Rosenberg, Alessandro Catorcini, Arungundram C. Narendran, Prakash Sikchi
  • Publication number: 20100192433
    Abstract: Coded message clothing and a system thereof wherein theme-based, numerical coding is displayed on a wearable article, and wherein associated theme-based code books are offered therewith, such that only a purchaser of a coded article within a particular theme may receive the related translation book for that theme, and therefore decode a message related to that theme, wherein only purchasers of commonly themed articles may translate each other's messages.
    Type: Application
    Filed: February 3, 2009
    Publication date: August 5, 2010
    Inventor: Robert Lewis
  • Patent number: 7756289
    Abstract: A method of determining a location for a watermark on an image having an array of pixels, each pixel having image information associated therewith includes determining a size for the watermark. The size has a pixel height and a pixel width. The method also includes calculating a region brightness value for each of a plurality of regions of the image. Each of the plurality of regions has a pixel height and a pixel width equal to the pixel height and the pixel width of the watermark. Each of the plurality of regions includes a plurality of pixels and the brightness value is representative of the image information associated with the plurality of pixels comprised by the region. The method also includes selecting one of the plurality of regions as the location for the watermark. The selection is based, at least in part, on the brightness value for the region.
    Type: Grant
    Filed: March 22, 2006
    Date of Patent: July 13, 2010
    Assignee: Ancestry.com Operations Inc.
    Inventor: Donald B. Curtis
  • Patent number: 7757300
    Abstract: A method is disclosed wherein a first piece of digital information and copy control information of the first piece of digital information is received. The copy control information is for controlling the recording of the first piece of digital information on a recording medium. When the received copy control information is Copy One Generation indicating that only one generation copy of digital information is allowed, then a plurality of the first pieces of digital information are recorded on a first recording medium as the first piece of digital information and a second piece of digital information, wherein the first piece of digital information is different in format or in bit rate from the second piece of digital information.
    Type: Grant
    Filed: September 14, 2005
    Date of Patent: July 13, 2010
    Assignee: Hitachi, Ltd.
    Inventors: Tomoyuki Nonaka, Manabu Sasamoto, Hiroo Okamoto