Particular Node (e.g., Gateway, Bridge, Router, Etc.) For Directing Data And Applying Cryptography Patents (Class 713/153)
-
Publication number: 20140310514
Abstract: A method for transmitting an encrypted message from a messaging server (106) to a handset (104) comprising the steps of receiving, at the messaging server (106) and from a sender computer (102), a message to be sent to the handset (104) and a handset identifier associated with the handset and determining that the handset is not registered with the messaging server (106) by determining that the handset identifier does not have an associated handset encryption key stored at the messaging server. The handset (104) is registered by sending a notification to the handset requesting registration, receiving back a handset encryption key associated with the handset identifier; and storing the handset encryption key against the handset identifier at the messaging server which is to be used to encrypt the received message before sending. Prior to registering the handset (104), intermediate encryption of the message may be employed to create an intermediate encrypted message to be stored at the messaging server.
Type: Application
Filed: November 12, 2012
Publication date: October 16, 2014
Applicant: Soprano Design Pty Limited
Inventor: Richard Francis Favero
-
Patent number: 8862869
Abstract: A network system and method capable of implementing network initiated packet data protocol (“PDP”) context to enhance security of network communications are disclosed. An activation and/or modification request message containing security information element is generated and forwarded from a gateway general packet radio service support node (“GGSN”) to a serving general packet radio service support node (“SGSN”) requesting traffic security for a particular Internet Protocol (“IP”) session. After sending the activation/modification request message from SGSN to user equipment (“UE”), an IP session with PDP context encryption between the UE and a destination is initiated according to the security information element.
Type: Grant
Filed: November 30, 2010
Date of Patent: October 14, 2014
Assignee: Tellabs Operations, Inc.
Inventor: Yee Ming Soon
-
Patent number: 8862866
Abstract: A method of communicating in a secure communication system, comprises the steps of assembling a message at a sender, then determining a security level, and including an indication of the security level in a header of the message. The message is then sent to a recipient.
Type: Grant
Filed: July 7, 2004
Date of Patent: October 14, 2014
Assignee: Certicom Corp.
Inventor: Marinus Struik
-
Patent number: 8862870
Abstract: The present disclosure is directed towards systems and methods for performing multi-level tagging of encrypted items for additional security and efficient encrypted item determination. A device intercepts a message from a server to a client, parses the message and identifies a cookie. The device processes and encrypts the cookie. The device adds a flag to the cookie indicating the device encrypted the cookie. The device re-inserts the modified cookie into the message and transmits the message. The device intercepts a message from a client and determines whether the cookie in the message was encrypted by the device. If the message was not encrypted by the device, the device transmits the message to its destination. If the message was encrypted by the device, the device removes the flag, decrypts the cookie, removes the tag from the cookie, re-inserts the cookie into the message and transmits the message to its final destination.
Type: Grant
Filed: December 27, 2011
Date of Patent: October 14, 2014
Assignee: Citrix Systems, Inc.
Inventors: Anoop Reddy, Craig Anderson
-
Patent number: 8862879
Abstract: An encryption based method of enabling a plurality of parties to share, create, hide, or reveal message or token information over a network includes a commutative group cipher (CGC), where the underlying CGC is secure against ciphertext-only attack (COA) and plaintext attacks (KPA), and is deterministic. The protocols do not require a trusted third party (TTP), and execute rapidly enough on ordinary consumer computers as to be effective for realtime play among more than two players. Protocols are defined which include VSM-L-OL, VSM-VL, VSM-VPUM, and VSM-VL-VUM, wherein the letters V, O, SM, P, and UM represent, respectively, Verified, Locking Round, Open, Shuffle-Masking Round, Partial, and Unmasking Round.
Type: Grant
Filed: April 13, 2011
Date of Patent: October 14, 2014
Inventor: Sergio Demian Lerner
-
Patent number: 8863270
Abstract: According to one embodiment, a computer system executing a computer program is coupled to multiple secure network domains configured in a multi-level security architecture. The computer program simultaneously establishes a voice connection with a first terminal configured on a first secure network domain and a second terminal configured on a second secure network domain. The computer program may then selectively couple an electroacoustical transducer to the first terminal or the second terminal, and generate an indicator on a user interface indicating the security level of the selected terminal.
Type: Grant
Filed: January 13, 2010
Date of Patent: October 14, 2014
Assignee: Raytheon Company
Inventors: John F. Masiyowski, Raymond A. Magon, Michael O. Tierney, Robert L. Marchant
-
Publication number: 20140304500
Abstract: A method comprising generating an updated security key upon expiration of a key exchange timer, transferring the updated security key to a Coaxial Network Unit (CNU), retaining an original key, wherein the updated security key comprises a different key identification number than the original key, accepting and decrypting upstream traffic that employs either the original key or the updated key, after transferring the updated security key to the CNU, creating a key switchover timer, before the key switchover timer expires, verify that upstream traffic transferred from the CNU on a logical link uses the updated security key, and when upstream traffic is encrypted using the updated security key, begin using the updated security key to encrypt downstream traffic and clear the key switchover timer.
Type: Application
Filed: April 2, 2014
Publication date: October 9, 2014
Applicant: FUTUREWEI TECHNOLOGIES, INC.
Inventors: Yanbin Sun, Guangsheng Wu, Li Zhang, Jim Chen
-
Publication number: 20140304501
Abstract: The present invention offers a new and improved method and system to establish a trusted and decentralized peer-to-peer network for: the sharing of computer files between and among computing devices; trusted chat sessions; and for other applications of trusted peer-to-peer networks.
Type: Application
Filed: June 23, 2014
Publication date: October 9, 2014
Applicant: DMT LICENSING, LLC
Inventors: Arthur R. Hair, Christopher Gorski, Charles A. Greiner
-
Patent number: 8855306
Abstract: According to one embodiment, a node that is a root node of a network forming a directed acyclic graph topology, which is composed of plural nodes including the node serving as the root node and having a parent-child relationship among nodes of adjacent hierarchies, includes a generating unit, an encrypting unit, and a transmitting unit. The generating unit generates a group key, and a list indicating a first node to which a distribution of the group key is inhibited. The encrypting unit encrypts the group key so as to be capable of being decrypted by a first child node other than the first node out of the child nodes of the root node. The transmitting unit transmits a first message, including an encrypted group key, which is the group key that is encrypted with respect to the first child node, and the list.
Type: Grant
Filed: December 21, 2011
Date of Patent: October 7, 2014
Assignee: Kabushiki Kaisha Toshiba
Inventors: Yoshihiro Oba, Yasuyuki Tanaka, Shinji Yamanaka
-
Patent number: 8856510
Abstract: A method for joining a user domain based on digital right management (DRM), a method for exchanging information between a user device and a domain enforcement agent, and a method for exchanging information between user devices belonging to the same user domain include sharing a domain session key between the user device and the domain enforcement agent or between the user devices belonging to the same user domain. Information is exchanged through a secure session set up between the user device and domain enforcement agent or between the user devices, and information exchange occurs through encryption/decryption using the domain session key.
Type: Grant
Filed: December 15, 2008
Date of Patent: October 7, 2014
Assignee: Pantech Co., Ltd.
Inventor: Gun-wook Kim
-
Patent number: 8856911
Abstract: Recommending a security policy to a firewall, includes receiving a request from a firewall for a recommendation as to whether the firewall should allow or block a detected present communication for which the firewall does not have an existing security policy. Information about past blocked and allowed communications at other firewalls on a network is searched to identify past communications that are similar to the present communication. The identified past communications are assigned a respective positive or negative vote. A positive vote indicates a past communication was allowed and a negative vote indicates a past communication was not allowed. A positive recommendation is sent to the requesting firewall to allow the present communication if the positive votes outnumber the negative votes, and a negative recommendation is sent to the requesting firewall to block the present communication if the negative votes outnumber the positive votes.
Type: Grant
Filed: July 26, 2012
Date of Patent: October 7, 2014
Assignee: AT&T Intellectual Property I, L.P.
Inventor: Jeffrey Aaron
-
Patent number: 8856507
Abstract: The invention presented herein consists of systems and methods of secure storage for sensitive and confidential data, such as personal identity data, along with methods of securely accessing that data, and transferring information from that data, as necessary.
Type: Grant
Filed: December 10, 2007
Date of Patent: October 7, 2014
Assignee: IMS Health Inc.
Inventors: Salah E Machani, John M Couse, Hussam Mahgoub
-
Patent number: 8856920
Abstract: A system and method are provided for supporting storage and analysis by law enforcement agency premises equipment of intercepted network traffic. The system and method provide integrity of the intercepted network traffic stored in an archive in accordance with lawful intercept requirements by storing all of the intercepted traffic, both benign and malicious, in the archive in its original form. The system and method furthermore provide for security from any malicious data packets of the archive by separating the malicious packets from the benign packets and forwarding only the benign packets to analysis applications of the law enforcement agency premises equipment.
Type: Grant
Filed: September 18, 2006
Date of Patent: October 7, 2014
Assignee: Alcatel Lucent
Inventors: Faud Ahmad Khan, Dmitri Vinokurov, Vinod Kumar Choyi
-
Patent number: 8856863
Abstract: A system and method for managing and analyzing security requirements in reusable models. At least one functional model, at least one security implementation model, at least one requirement model, and meta models of the models are read by a reader. A correspondence between the functional model, security implementation model, and the requirements model is analyzed, whereby the correspondence indicates that compliance/security/accreditation requirements defined in the requirement model match with security objectives implemented by controls defined by the security implementation model. Next, it is determined whether correspondence is or is not given based on the analysis of the correspondence and then evidence is generated based on the analysis of the correspondence and the determination and the impact of changes is analyzed.
Type: Grant
Filed: June 10, 2009
Date of Patent: October 7, 2014
Assignee: Object Security LLC
Inventors: Ulrich Lang, Rudolf Schreiner
-
Patent number: 8855302
Abstract: Described herein are an apparatus and method for Skein hashing. The apparatus comprises a block cipher operable to receive an input data and to generate a hashed output data by applying Unique Block Iteration (UBI) modes, the block cipher comprising at least two mix and permute logic units which are pipelined by registers; and a counter, coupled to the block cipher, to determine a sequence of the UBI modes and to cause the block cipher to process at least two input data simultaneously for generating the hashed output data.
Type: Grant
Filed: June 21, 2011
Date of Patent: October 7, 2014
Assignee: Intel Corporation
Inventors: Farhana Sheikh, Jesse Walker, Sanu K. Mathew, Ram Krishnamurthy
-
Patent number: 8856900
Abstract: The disclosure relates to a method and a system for authorising a connection between a computer terminal and a source server, including an initialization phase wherein: the terminal connects to a gateway server, the gateway server sends a secret key to the terminal, the terminal hides the password in a data file by applying an encryption algorithm bootstrapped by the secret key, then deletes the secret key and the password, and a connection phase wherein: the terminal sends the data file containing the password to the gateway server, the gateway server extracts the file's password by executing a reverse encryption algorithm bootstrapped by the secret key, and sends the password to the source server without saving it, the source server analyses the received password and authorizes the connection with the terminal if the password is authenticated.
Type: Grant
Filed: April 15, 2010
Date of Patent: October 7, 2014
Assignee: Synchronoss Technologies France
Inventor: François Colon
-
Patent number: 8856910
Abstract: Techniques for detecting encrypted tunneling traffic are disclosed. In some embodiments, detecting encrypted tunneling traffic includes monitoring encrypted network communications between a client and a remote server, in which the encrypted network communications are encrypted using a first protocol (e.g., Secure Shell (SSH) protocol or another protocol for encrypted network communications); and determining if the client sends a request to create a tunnel using the first protocol with the remote server. In some embodiments, detecting encrypted tunneling traffic further includes performing an action in response to determining that the client sent a request to create a tunnel using the first protocol with the remote server.
Type: Grant
Filed: August 31, 2011
Date of Patent: October 7, 2014
Assignee: Palo Alto Networks, Inc.
Inventors: Shadi Rostami-Hesarsorkh, Michael Jacobsen
-
Publication number: 20140298007
Abstract: Provided is a method of configuring a network switch. A configuration file is allowed to be edited on a server. The compatibility of the configuration file with a network switch is validated on the server. The configuration file is encrypted and applied to the network switch.
Type: Application
Filed: May 17, 2013
Publication date: October 2, 2014
Applicant: Hewlett-Packard Development Company, L.P.
Inventors: Suresh Rukmangathan, Vasudeva Nagaraja
-
Publication number: 20140298006
Abstract: Systems and methods for data encryption and decryption are provided. Packets of a streaming video from a video source are received. A first packet of the streaming video is encrypted with an encryption key and transmitted to a client device. The first packet is encrypted with a reference key and is designated as a reference packet. A number of packets of the encrypted media that follow the first packet are selected. For each of one or more selected packets, an XOR operation is performed on the respective selected packet with the reference packet. Result values of the XOR operation are rearranged by a shuffle key and divided into segments. Each of the segments is assigned to an even list or an odd list, which are combined to form a respective encrypted packet. The respective encrypted packet is designated as a non-reference packet and is transmitted to the client device.
Type: Application
Filed: March 27, 2013
Publication date: October 2, 2014
Applicant: VERIZON PATENT AND LICENSING INC.
Inventors: Ghouse Mohiddin Dattapuram SHAIK, Shiva Rama Krishna NYSHADHAM, Richa MITTAL, Aravind Prathush VADDE
-
Patent number: 8850076
Abstract: A component of an electronic device comprises a network connection processor, which comprises a physical network connection block to receive data from and transmit data to a network and a first data processor configured to process data arriving at the network connection processor, and a second data processor configured to process data received from the network connection processor.
Type: Grant
Filed: March 27, 2008
Date of Patent: September 30, 2014
Assignee: Nokia Corporation
Inventors: Kimmo Kalervo Kuusilinna, Jari Antero Nikara, Petri Mikko Johannes Liuha
-
Patent number: 8850184
Abstract: A transmission management apparatus includes a receiving unit that receives, from a first transmission terminal 10, a communication request for a communication with a second transmission terminal 10; a first storage unit that stores therein terminal identification information for identifying the transmission terminals 10 and relay device identification information for identifying a relay device 30 that relays data to be transmitted and received by the first transmission terminal 10, in an associated manner; a relay device selecting unit that selects the relay device 30 associated with the terminal identification information of the first transmission terminal 10 in the first storage unit; a second storage unit that stores therein the relay device identification information and encryption necessity information in an associated manner; and an encryption necessity determining unit that determines whether encryption is needed based on the encryption necessity information associated, in the second storage unit, wit
Type: Grant
Filed: October 18, 2012
Date of Patent: September 30, 2014
Assignee: Ricoh Company, Limited
Inventor: Takuya Imai
-
Patent number: 8850578
Abstract: A method of detecting network communications includes monitoring network devices for communication data; generating an output file including the communication data correlated with a communication type; computing network metrics based on the correlated data; comparing the network metrics with a policy threshold; and determining a network violation event based on the comparing.
Type: Grant
Filed: August 6, 2008
Date of Patent: September 30, 2014
Assignee: International Business Machines Corporation
Inventors: Paul French, Boris Ilijev
-
Patent number: 8850553
Abstract: Embodiments for performing service binding between a client and a target server are disclosed. In accordance with one embodiment, a clear text client service binding value is received from a client at the target server, the client service binding value is compared to a server service binding value, and a communication channel is formed between the client and the target server when the client service binding value matches the server service binding value.
Type: Grant
Filed: September 12, 2008
Date of Patent: September 30, 2014
Assignee: Microsoft Corporation
Inventors: Mark F. Novak, Daniel Kaminsky
-
Patent number: 8850183
Abstract: The present invention provides an interconnect device that connects a source device to a destination device, and allows the source device's non-compliant rights management (RM) interface to deliver media content with little or no restriction to the destination device's compliant RM interface.
Type: Grant
Filed: January 16, 2012
Date of Patent: September 30, 2014
Assignee: Qurio Holdings, Inc.
Inventors: Gregory Morgan Evans, Cheryl Adams
-
Patent number: 8842834
Abstract: A method is provided for transmitting voice data in a secure communication system. The method includes: transmitting voice data using a plurality of data packets; embedding a cryptographic message indicator into each of the plurality of data packets; and correcting for bit errors in the cryptographic message indicator at a packet receiver using code-combining across two or more of the data packets.
Type: Grant
Filed: March 19, 2007
Date of Patent: September 23, 2014
Assignee: Harris Corporation
Inventors: Mark Chamberlain, John Alvermann, Leonard Picone
-
Patent number: 8844018
Abstract: Example methods and apparatus to enhance security in residential networks and residential gateways are disclosed. A disclosed example apparatus includes a transceiver to receive an Internet protocol (IP) packet, a first packet processing module associated with a protected IP address, the first packet processing module to be communicatively coupled to a first network device, a second packet processing module associated with a public IP address, the second packet processing module to be communicatively coupled to a second network device, and a packet diverter to route the received IP packet to the first packet processing module when the IP packet contains the protected IP address and to route the IP packet to the second packet processing module when the IP packet does not contain the protected IP address.
Type: Grant
Filed: December 18, 2008
Date of Patent: September 23, 2014
Assignee: AT&T Intellectual Property I, L.P.
Inventors: Thusitha Jayawardena, Gustavo De Los Reyes, Gang Xu
-
Patent number: 8844040
Abstract: The present invention provides a system and method of managing traffic traversing an intermediary based on a result of end point auditing. An authentication virtual server of an intermediary may determine a result of an end point analysis scan of a client. Responsive to the determination, the traffic management virtual server can obtain the result from the authentication virtual server. Further, the traffic management virtual server may apply the result in one or more traffic management policies to manage network traffic of a connection of the client traversing the intermediary. In some embodiments, the authentication virtual server may receive one or more expressions evaluated by the client. The one or more expressions identifies one or more attributes of the client. The traffic management virtual server can also determine a type of compression or encryption for the connection based on applying the one or more traffic management policies using the result.
Type: Grant
Filed: March 23, 2009
Date of Patent: September 23, 2014
Assignee: Citrix Systems, Inc.
Inventors: James Harris, Rui Li, Arkesh Kumar, Ravindranath Thakur, Puneet Agarwal, Akshat Choudhary, Punit Gupta
-
Patent number: 8843994
Abstract: A method and system is provided for assessing the cumulative set of access entitlements to which an entity, of an information system, may be implicitly or explicitly authorized, by virtue of the universe of authorization intent specifications that exist across that information system, or a specified subset thereof, that specify access for that entity or for any entity collectives with which that entity may be directly or transitively affiliated. The effective system-level access granted to the user based upon operating system rules or according to access check methodologies is determined and mapped to administrative tasks to arrive at the cumulative set of access entitlements authorized for the user.
Type: Grant
Filed: April 23, 2013
Date of Patent: September 23, 2014
Inventor: Sanjay Tandon
-
Publication number: 20140281485
Abstract: A network server is operated so as to facilitate legal eavesdropping by receiving, from the first user via a network, a session key (SK) encrypted with a second user's public key, kpubU2, and the SK encrypted with an escrow server's (ES) public key, kpubES. The kpubU2 key is the public key of the second user asymmetric private/public key pair kpriU2/kpubU2. The kpubES key is the public key of the ES asymmetric private/public key pair kpriES/kpubES. The received SK encrypted with kpubES is stored. The SK encrypted with kpubU2 is transmitted to the second user via the network. A message encrypted with the SK is received from one of the first and the second users via the network, stored, and transmitted to the other of the first and the second users via the network.
Type: Application
Filed: March 13, 2013
Publication date: September 18, 2014
Applicant: AUTHENTIFY, INC.
Inventor: Ravi GANESAN
-
Publication number: 20140281484
Abstract: Various embodiments of the invention achieve optimal data security by adding a security layer to data at the point of generation. Some embodiments add a security feature to data that controls or configures a device at a physical interface.
Type: Application
Filed: March 12, 2013
Publication date: September 18, 2014
Applicant: Maxim Integrated Products, Inc.
Inventor: Maxim Integrated Products, Inc.
-
Publication number: 20140281483
Abstract: A method for enabling a scalable public-key infrastructure (PKI) comprises invoking a process of receiving a message for a device, identifying an association ID for the device, retrieving encrypted association keys stored on the server for communicating with the device, the encrypted association keys encrypted using a wrapping key stored on a Hardware Security Module (HSM). The method further comprises sending the message and the encrypted association keys to the HSM, unwrapping, by the HSM, the encrypted association keys to create unwrapped association keys, cryptographically processing the message to generate a processed message, deleting the unwrapped association keys, sending the processed message to the device, and invoking, concurrently and by a second application, the process.
Type: Application
Filed: March 12, 2013
Publication date: September 18, 2014
Applicant: SILVER SPRING NETWORKS
Inventors: Christopher Vigliaturo, Benjamin Damm, David Drinan, Aditi Hilbert
-
Publication number: 20140281489
Abstract: Managing access to digital content within a particular domain, including: receiving the digital content at a first client device; decrypting the received digital content at the first client device using a first key; transcoding the digital content to another format; re-encrypting the transcoded content using a second key, wherein the second key is obtained by one of: (1) directly from a server; or (2) indirectly by deriving it locally based on information received from the server; and transmitting the re-encrypted content to a second client device, wherein the second client device obtains the second key and decrypts the re-encrypted content at the second client device.
Type: Application
Filed: October 8, 2013
Publication date: September 18, 2014
Applicant: Verimatrix, Inc.
Inventors: Petr Peterka, Niels Thorwirth, Kamil Saykali, Ali Hodjat, Steve Christian, Nikolai Keychenko, Tom Pollard
-
Publication number: 20140281488
Abstract: The present disclosure discloses a method and network device for offloading cryptographic functions to support a large number of clients. Specifically, a network device receives a packet corresponding to a client device via an interface, and determines whether a first hardware module that performs cryptographic operations on a per-client basis overflows. If the first hardware module overflows, the network device retrieves a cryptographic key for the packet, and sends the received packet with the retrieved cryptographic key to a second hardware module that performs cryptographic operations on a per-packet basis to perform one or more cryptographic operations. If not, the network device sends the packet to the first hardware module to perform the one or more cryptographic operations.
Type: Application
Filed: June 28, 2013
Publication date: September 18, 2014
Applicant: Aruba Networks, Inc.
Inventors: Jie Jiang, Kalyan Dharanipragada, Steve Alexander
-
Publication number: 20140281487
Abstract: A system and a computer-based method for providing bundled services to a client application in a service call to a service system in a service provider computer system includes receiving a message defining an API service request comprising at least a parameter portion and a payload portion, determining at the gateway system an identity of an application transmitting the received message using identity information that has been established within the service provider computer system, providing, by a services platform, at least one of encryption services and decryption services for data contained in the payload portion using the parameters received in the parameter portion, managing key material for security of the data, and transmitting the encrypted data back to the calling application.
Type: Application
Filed: March 15, 2013
Publication date: September 18, 2014
Applicant: MASTERCARD INTERNATIONAL INCORPORATED
Inventors: Mark A. Klausen, Christopher Guthrie, Thomas Arthur Roewe, Jr., Brian Loeffler, Vivek Kosuri
-
Publication number: 20140281486
Abstract: Technologies for de-duplicating encrypted content include fragmenting a file into blocks on a computing device, encrypting each block, and storing each encrypted block on a content data server with associated keyed hashes and member identifications. The computing device additionally transmits each encrypted block with an associated member encryption key and member identification to a key server. As part of the de-duplication process, the content data server stores only one copy of the encrypted data for a particular associated keyed hash, and the key server similarly associates a single member encryption key with the keyed hash. To retrieve the file, the computing device receives the encrypted blocks with their associated keyed hashes and member identifications from the content data server and receives the corresponding member decryption key from the key server. The computing device decrypts each block using the member decryption keys and combines the blocks to generate the file.
Type: Application
Filed: March 13, 2013
Publication date: September 18, 2014
Inventors: Alex Nayshtut, Omer Ben-Shalom, Terry H. Yoshii
-
Patent number: 8839366
Abstract: A vehicular communication system includes a mobile communication terminal, an in-vehicle apparatus, and a distribution center to distribute a content. The mobile communication terminal includes a terminal-side application to execute a content. The in-vehicle apparatus includes a vehicle-side application to execute a content. If the mobile communication terminal and the in-vehicle apparatus are not communicably connected, the terminal-side application of the mobile communication terminal executes a content acquired from the distribution center. If the mobile communication terminal and the in-vehicle apparatus are communicably connected, the terminal-side application and the vehicle-side application are caused to be cooperative and the vehicle-side application of the in-vehicle apparatus is enabled to execute a content acquired by the mobile communication terminal.
Type: Grant
Filed: July 10, 2012
Date of Patent: September 16, 2014
Assignee: Denso Corporation
Inventor: Toshiyuki Aida
-
Patent number: 8839359
Abstract: A data encryption device is connected between an HDD and an HDD controller that controls the HDD. The data encryption device encrypts data that is stored from the HDD controller to the HDD, and decrypts data that is read from the HDD. A CPU of the data encryption device receives a command issued from the HDD controller to the HDD, and determines whether the command is executable at the HDD. When it is determined that the command is executable, the command is issued to the HDD. On the other hand, when it is determined that the command is unexecutable, the CPU prohibits issuance of the command to the HDD. Furthermore, when a command issued to the HDD is a specific command, the CPU bypasses data transferred between the HDD controller and the HDD without encryption or decryption.
Type: Grant
Filed: September 19, 2011
Date of Patent: September 16, 2014
Assignee: Canon Kabushiki Kaisha
Inventors: Akio Ito, Nobuhiro Tagashira
-
Patent number: 8837722
Abstract: This document describes tools capable of securely distributing entertainment content among and using distributed hardware. These tools may do so robustly by rebinding entertainment content between distributed hardware units. The tools, for example, may distribute content protection in hardware between a policy unit, a transcryption unit, a graphics processing unit, and a playback unit. By so doing the tools enable, among other things, users to select from many graphics cards rather than rely on the graphics capabilities of an integrated (e.g., SOC) hardware solution.
Type: Grant
Filed: October 16, 2007
Date of Patent: September 16, 2014
Assignee: Microsoft Corporation
Inventors: Patrik Schnell, James M. Alkove, Alexandre V. Grigorovitch
-
Patent number: 8838958
Abstract: A method for using a network appliance to efficiently buffer and encrypt data for transmission includes: receiving, by an appliance via a connection, two or more SSL records comprising encrypted messages; decrypting the two or more messages; buffering, by the appliance, the two or more decrypted messages; determining, by the appliance, that a transmittal condition has been satisfied; encrypting, by the appliance in response to the determination, the first decrypted message and a portion of the second decrypted message to produce a third SSL record; and transmitting, by the appliance via a second connection, the third record. Corresponding systems are also described.
Type: Grant
Filed: December 12, 2012
Date of Patent: September 16, 2014
Assignee: Citrix Systems, Inc.
Inventors: Josephine Suganthi, Tushar Kanekar, Sivaprasad Udupa
-
Patent number: 8839408
Abstract: A check in communication is received from an agent running inside a firewall via a permitted firewall communication channel. The check in communication is received via the permitted firewall communication channel without modifying a firewall configuration. The check in communication is responded to with an instruction to be performed by the agent running inside the firewall, where the response is via the permitted firewall communication channel.
Type: Grant
Filed: November 10, 2010
Date of Patent: September 16, 2014
Assignee: Okta, Inc.
Inventors: Todd McKinnon, Kristoffer J. Grandy
-
Patent number: 8837726
Abstract: Techniques are provided to receive at an encryption device from a control device an encryption request comprising a message and an identifier for a device. The control device and the device are associated with a security provider that provides secure content to the device using the message encrypted with a device key that is securely embedded in the device and also stored on the encryption device. The encryption device is associated with a key provider and the device key is not divulged to the security provider. At the encryption device, the device key is retrieved based on the identifier. The message is encrypted with the device key using a predetermined algorithm, and the encrypted message is then sent to the control device.
Type: Grant
Filed: October 16, 2009
Date of Patent: September 16, 2014
Assignee: Cisco Technology, Inc.
Inventor: Howard G. Pinder
-
Patent number: 8832259
Abstract: A computer-implemented method for remote monitoring and managing of network devices. The method comprises generating a list of managed devices on a user interface in a central management system, wherein raw events are transmitted from the managed devices to the central management system; marking a device for service on the user interface; and modifying the processing of events originated from the marked device so as to prevent a technical support center from generating a response to the events. Also disclosed is a system for remote monitoring and managing of network devices and a computer program product to assist remote monitoring and managing of network devices.
Type: Grant
Filed: October 30, 2009
Date of Patent: September 9, 2014
Assignee: Hewlett-Packard Development Company, L.P.
Inventors: James A. Kearns, Chad Allen Masters, Randolph John Wolf, Michael J. Brandon, Marc Branders, Andy D. Padla
-
Patent number: 8832429
Abstract: Method for operating a smart grid including a plurality of smart meters configured to monitor at least one physical measured quantity and to provide measurement results of the at least one physical measured quantity to a central entity, includes the following steps: partitioning the smart grid into groups of smart meters, such that each of the smart meters belongs to exactly one group, all smart meters of one of the groups encrypt their measured value by applying a bihomomorphic encryption scheme and send it to the central entity, one smart meter per group is designated as key aggregator to which all smart meters of that group send their key employed for the encryption, the key aggregator computes the aggregation of all received keys and sends the aggregated key to the central entity, the central entity aggregates all received encrypted measured values and decrypts the aggregation by employing the aggregated key.
Type: Grant
Filed: January 31, 2011
Date of Patent: September 9, 2014
Assignees: NEC Europe Ltd., Universidad de Murcia
Inventors: Felix Gomez Marmol, Christoph Sorge, Osman Ugus, Gregorio Martinez Perez, Alban Hessler
-
Patent number: 8831224
Abstract: A method for establishing secure wireless communications between a mobile device and a vehicle, where a user is not required to enter a password, but instead the telematics system is used to bootstrap the trust between the mobile device and the vehicle. The user initiates the process by pressing a button on the mobile device to request pairing. The vehicle uses its secure OnStar cellular communication link to verify the mobile device with the OnStar server, which generates and sends a session key to the vehicle via the vehicle-OnStar cellular connection, and also sends the session key to the mobile device via the device's own cellular connection. The session key serves as a shared secret, such that the vehicle can issue a secrecy challenge to the mobile device. When the mobile device responds appropriately, a trusted wireless communications link can be established between the mobile device and the vehicle.
Type: Grant
Filed: September 14, 2012
Date of Patent: September 9, 2014
Assignee: GM Global Technology Operations LLC
Inventors: Fan Bai, Nader M. Rabadi, David P. Pop, John J. Correia
-
Patent number: 8832842
Abstract: An external security device is provided in the communication path between devices of different security levels. A higher security device needs only to trust the security of the external device, rather than relying on operating system and file system software that cannot be assured. The external security device blocks access requests that may be using covert channels, but returns status information that indicates that the request is successful. The external security device may then audit access requests to provide a higher level of accountability. The external security device also handles data duplication to prevent or significantly reduce the threat of traffic analysis.
Type: Grant
Filed: October 7, 2003
Date of Patent: September 9, 2014
Assignee: Oracle America, Inc.
Inventor: James P. Hughes
-
Patent number: 8832820
Abstract: A method and associated systems for enhanced isolation and security hardening among multi-tenant workloads. An agent running on a processor of a networked computer system on which multicast and broadcast communications have been disabled captures an address-resolution query message from a querying tenant, converts the query message to a unicast message, and forwards the converted unicast query message to a switch. The switch forwards the converted unicast message to a redirection device and in response receives an address-resolution response message only after the redirection device verifies that the query and response messages comply with security policies. The switch forwards the address-resolution response to the querying tenant in conformance with security policies.
Type: Grant
Filed: June 25, 2012
Date of Patent: September 9, 2014
Assignee: International Business Machines Corporation
Inventors: Saurabh Barjatiya, Kanaka P. Saripalli
-
Patent number: 8832428
Abstract: A communications module for facilitating secure communications on a first network and a second network includes: a single transceiver for receiving and transmitting first network messages from and to the first network and at least transmitting second network messages to the second network; at least a first processor connected to the single transceiver for processing one or more first network messages and second network messages; the at least a first processor including first network logic for processing first network messages and second network logic for processing second network messages; and the second network logic including instructions for securing second network messages such that decryption of the second network messages is limited to a particular receiving device on the second network. The second network messages may include commodity pricing and use information.
Type: Grant
Filed: November 15, 2011
Date of Patent: September 9, 2014
Assignee: Trilliant Holdings Inc.
Inventors: Nathan Ota, Robert Conant, Michel Veillette, Vincent Bemmel, Frederick Enns
-
Publication number: 20140250086
Abstract: A network gateway coupled to a backup server on a wide area network which receives and de-duplicates binary objects. The backup server provides selected data segments of binary objects to the gateway to store into a prescient cache (p-cache) store. The network gateway optimizes network traffic by fulfilling a local client request from its local p-cache store instead of requiring further network traffic when it matches indicia of stored data segments stored in its p-cache store with indicia of a first segment of a binary object requested from and received from a remote server.
Type: Application
Filed: June 12, 2013
Publication date: September 4, 2014
Applicant: BARRACUDA NETWORKS, INC.
Inventor: Fleming Shi
-
Patent number: 8825812
Abstract: A peer-to-peer image streaming system including a sharer computer including a transmitter for sending a message including a web address, a peer-to-peer image streamer for streaming image data over a network, an image store for storing digital images, a viewer computer including a peer-to-peer image viewer for interactively viewing image data over a network, and a receiver for receiving the message including the web address from the sharer computer, and a community server including an address translator for looking up an address of an image in the image store, based on the web address, and a peer-to-peer network connector connecting the peer-to-peer image streamer with the viewer computer, so that the viewer computer can interactively view the image in the image store. A method is also described and claimed.
Type: Grant
Filed: January 22, 2013
Date of Patent: September 2, 2014
Inventor: Oren Asher
-
Patent number: 8826003
Abstract: A network node for communicating data packets secured with a security protocol over a communications network includes a host information handling system (IHS) and one or more external security offload devices coupled by a secure data link. The host IHS communicates state information about data packets, and the external offload security device provides stateless secure data encapsulation and decapsulation of packets using a security protocol. An external network interface controller or internal network interface controller communicates encapsulated data packets over the communications network to a final destination. Encapsulation and decapsulation of packets by the external security offload device reduces network latency and reduces the computational load on the processor in the host IHS. Maintaining state information in the host IHS allows hot-swapping of external security offload devices without information loss.
Type: Grant
Filed: February 26, 2013
Date of Patent: September 2, 2014
Assignee: International Business Machines Corporation
Inventors: Curtis Matthew Gearhart, Christopher Meyer, Scott Christopher Moonen, Linwood Hugh Overby