Particular Node (e.g., Gateway, Bridge, Router, Etc.) For Directing Data And Applying Cryptography Patents (Class 713/153)
-
Patent number: 8595817
Abstract: Techniques for dynamically configuring security mechanisms in a network can construct security perimeters that satisfy security needs at any given time while also efficiently spreading security functions among network elements and systems. In one technique, a network element comprises security function modules. Systems toward which the network element forwards data packets also comprise security function modules. A particular security function module on the network element begins in a state of deactivation. The network element determines whether a corresponding security function module on one of the systems is functioning in a satisfactory manner. If not, then the network element activates the particular security function module. While activated, the particular security function module may perform at least some of the security function operations that the corresponding security function module would have performed if the corresponding security function module was satisfactory.
Type: Grant
Filed: August 1, 2006
Date of Patent: November 26, 2013
Assignee: Cisco Technology, Inc.
Inventor: Paul Gleichauf
-
Patent number: 8595495
Abstract: A method for secure data communications in fax transmissions and computer network communications comprising a. Allowing the sender to receive confirmation that the receiver received the message without having to rely on the receiver accessing a web site; b. Enabling the sender to prove a message was sent to the intended receiver at the specified time/date; c. Enabling the sender to prove the content of the sent message; d. Enabling the receiver to know that the message originates from the purported sender without need to rely on encryption and digital signatures; e. Preventing the theft of digital signatures based on hardware that contains encryption keys and a surrounding processing in isolation so that malicious software cannot cheat the users by accessing said hardware; f. Preventing forgeries of source addresses of the senders which is applied to the sender's phone number, the sender's email addresses, and/or the sender's IP addresses.
Type: Grant
Filed: April 12, 2005
Date of Patent: November 26, 2013
Inventor: Yaron Mayer
-
Patent number: 8595480
Abstract: A distributed computer system is disclosed in which computers co-operate with one another by sending messages over a network such as the Internet in order to perform a distributed application. In order to improve the security of such system, each web service involved in the distributed application runs in a separate virtual machine. Furthermore, the virtual machines on a web server dedicated to respective web service instances utilise the same policy enforcement point—running in another virtual machine on the web-server—in order to handle messages for or from the web server. To increase security still further, each virtual machine provides virtual cryptoprocessor functionality which is used in the processing of messages sent in the performance of the distributed application.
Type: Grant
Filed: March 28, 2008
Date of Patent: November 26, 2013
Assignee: British Telecommunications public limited company
Inventors: Theo Dimitrakos, Ivan Djordjevic, Srijith K Nair
-
Patent number: 8595481
Abstract: An Access Point receives an encrypted data frame from a client device, and determines whether the encrypted data frame is a guest frame. If it is determined that the frame is a guest frame, the Access Point transmits the encrypted data frame to a server for decryption by the server, and determines whether to transmit an ACK to the client device based on the encrypted data frame. Otherwise, the Access Point decrypts the encrypted data frame, and determines whether to transmit an ACK to the client device.
Type: Grant
Filed: May 18, 2012
Date of Patent: November 26, 2013
Assignee: Google Inc.
Inventors: Denton Eugene Gentry, Jr., Karl Robert Garcia
-
Patent number: 8595479
Abstract: Systems, methods, and other embodiments associated with aggregation of cryptography engines are described. One example method includes receiving an outbound data packet on an outbound side of a data connection. The example method may also include analyzing the outbound data packet to determine a distribution value. The example method may also include selectively distributing the outbound data packet to one of a plurality of outbound processors based, at least in part, on the distribution value. The example method may also include receiving an inbound data packet on an inbound side of the data connection. The example method may also include examining the inbound data packet for an identifier. The example method may also include selectively distributing the inbound data packet to one of a plurality of inbound processors based, at least in part, on the identifier.
Type: Grant
Filed: February 25, 2009
Date of Patent: November 26, 2013
Assignee: Cisco Technology, Inc.
Inventors: Chandramouli Radhakrishnan, Timothy Andre, Immanuel Rahardja, Saurabh Mohan, Xiaoyi Liu
-
Patent number: 8594335
Abstract: A method, computer program product, and data storage system for associating an encryption key with each of a plurality of storage objects within a data storage system, thus defining a plurality of encryption keys. Each of the plurality of encryption keys is appended to include a key identifier tag, thus defining a plurality of tagged encryption keys. The key identifier tag included within each tagged encryption key identifies the storage object with which the tagged encryption key is associated.
Type: Grant
Filed: September 28, 2007
Date of Patent: November 26, 2013
Assignee: EMC Corporation
Inventors: Amnon Izhar, John Carrel
-
Patent number: 8595478
Abstract: A wide area network using the internet as a backbone utilizing specially selected ISX/ISP providers whose routers route packets of said wide area network along private tunnels through the internet comprised of high bandwidth, low hop-count data paths. Firewalls are provided at each end of each private tunnel which recognize IP packets addressed to devices at the other end of the tunnel and encapsulate these packets in other IP packets which have a header which includes as the destination address, the IP address of the untrusted side of the firewall at the other end of the tunnel. The payload sections of these packets are the original IP packets and are encrypted and decrypted at both ends of the private tunnel using the same encryption algorithm using the same key or keys.
Type: Grant
Filed: November 19, 2007
Date of Patent: November 26, 2013
Assignee: AlterWAN Inc.
Inventor: Richard D. Haney
-
Patent number: 8594327
Abstract: A scanned image transmitting device has an instruction-creating section that creates an instruction describing a process instruction in relation to a scanned image; an electronic mail creating section that creates an electronic mail including the scanned image and the instruction; an encrypting section that encrypts at least a portion of the electronic mail using a public key of a transmission destination; and a transmitting section that transmits the encrypted electronic mail to the transmission destination.
Type: Grant
Filed: October 28, 2005
Date of Patent: November 26, 2013
Assignee: Fuji Xerox Co., Ltd.
Inventors: Takanori Masui, Masato Sugii, Makoto Takada, Nobumi Kusano
-
Patent number: 8595814
Abstract: Disclosed are systems and methods for providing transport layer encryption with an intermediate electronic message managing service interposed in a message path of an electronic message to be sent from a sending server to an intended receiving server across a computer network. To implement TLS in such a managed e-mail services context, given that a managed e-mail service is inserted into the message delivery path, the transport layer security protocols are simultaneously established along both the link from the sending server to the managed e-mail service and from the receiving server to the managed e-mail service, with the managed e-mail service providing a “proxy” connection for communication between the sending server and the receiving server.
Type: Grant
Filed: December 13, 2005
Date of Patent: November 26, 2013
Assignee: Google Inc.
Inventors: Binh Le, Erik Chen, Michael J. Oswall, Adam Dawes, Joseph Green, Kenneth K. Okumura, Scott M. Petry, Lisa Lund
-
Patent number: 8590034
Abstract: A system (101) for implementing redaction rules in compliance with an organization's privacy policy, where the system intercepts messages between an information source (103) and an information destination (102), modifies the message contents based on redaction rules (106) and forwards the redacted contents over to the client. The system also maintains a record of the redacted information and updates the contents of any message submitted by the client (102) in order to maintain database integrity.
Type: Grant
Filed: September 21, 2009
Date of Patent: November 19, 2013
Inventors: Basit Hussain, Saeed Rajput
-
Patent number: 8588746
Abstract: A method for establishing communication via a VoIP network bypasses the IP PBX component conventionally used to obtain address information. Instead of obtaining the IP address from a location register of the IP PBX, the method involves use of a server configured to assign and provide to the caller's communication device a unique address (IP address/port) of a proxy. The caller then sends a Short Message Service (SMS) text message to the callee with the assigned address of the proxy. Thereafter, the caller and the callee connect at the assigned address of the proxy, thereby forming a communication path. Preferably, the devices operated by the parties are conventional smart phones. According to the preferred embodiment of the present invention, the method further comprises the steps of: determining whether to encrypt the communication; and encrypting the communication, if it is determined that the communication is to be encrypted.
Type: Grant
Filed: October 30, 2010
Date of Patent: November 19, 2013
Assignee: SAIFE Technologies Incorporated
Inventors: Dipen T. Patel, John Curtis, James C. Jones, Darren Cummings
-
Patent number: 8590013
Abstract: In one embodiment, a system processes access decisions for individuals where the system includes a portable handheld housing for the processor, display, internal memory, and card reader of the system.
Type: Grant
Filed: June 26, 2010
Date of Patent: November 19, 2013
Inventor: C. S. Lee Crawford
-
Patent number: 8590009
Abstract: A computer system includes multiple computer modules each including at least a calculator and a storing unit. A first computer module of the computer modules includes: a storing unit that stores authentication information for connection with a second computer module of the computer modules; an authenticator that authenticates an information processing device accessing the first computer module, and allows the information processing device to access thereto based on an authentication result; and a relay connector that connects the information processing device allowed to access the first computer module to the second computer module based on the authentication information.
Type: Grant
Filed: November 11, 2008
Date of Patent: November 19, 2013
Assignee: NEC Corporation
Inventor: Yutaka Hirata
-
Patent number: 8590031
Abstract: Access control methods include receiving an access authorization message from an authentication server computer at a blocking device that connects a first network to a second network, modifying access criteria of a transparent firewall at the blocking device responsive to the received access authorization message and operating the transparent firewall according to the modified access criteria to control transfer of messages between the first and second networks. The invention may also be implemented as apparatus and computer readable media.
Type: Grant
Filed: December 17, 2009
Date of Patent: November 19, 2013
Assignee: AT&T Intellectual Property I, L.P.
Inventor: Anthony B. Dargis
-
Patent number: 8589678
Abstract: In one embodiment, a method can include: receiving rules in an interoperability server, the rules being related to access control for an endpoint coupled to a variable source content stream via a multicast network; and sending to the endpoint using in-band controls of the variable source content stream via the multicast network: a description of content streams available for selection by the endpoint; a procedure for selecting an available content stream; and permission for accessing the selected content stream, the permission being based on the rules.
Type: Grant
Filed: June 12, 2007
Date of Patent: November 19, 2013
Assignee: Cisco Technology, Inc.
Inventors: Steven Christenson, Eric Cozzi, Saad Malik, Rajesh Basawa, Leonard Brzezinski, Shmuel Shaffer
-
Publication number: 20130305037
Abstract: Various embodiments provide a method and apparatus of providing accelerated encrypted connections in a cloud network supporting transmission of data including per-user encrypted data. Transmission of encrypted data from an application server uses an encryption scheme that encrypts static data using a first encryption scheme that derives keys from the content itself and encrypts dynamic data, such as dynamic website content with personalized user data, using a second encryption scheme.
Type: Application
Filed: May 8, 2012
Publication date: November 14, 2013
Applicant: Alcatel-Lucent USA Inc.
Inventors: Krishna P. Puttaswamy Naga, Katherine Guo
-
Publication number: 20130305039
Abstract: A cloud storage system supporting user agnostic encryption and deduplication of encrypted files is described. Further the cloud storage system enables users to share a file, a group of files, or an entire file system with other users without a user sending each file to the other users. The cloud storage system further allows a client device to minimize the utilization of bandwidth by determining whether the encrypted data to transfer is already present in the cloud storage system. Further the cloud storage system comprises mechanisms for a client device to inform the cloud storage system of which data is likely to be required in the future so that the cloud storage system can make that data available with less latency once the client device requests the data.
Type: Application
Filed: May 14, 2012
Publication date: November 14, 2013
Inventor: Anthony Francois Gauda
-
Patent number: 8582767
Abstract: A self-synchronizing cryptographic device can be shared among a plurality of communications links. Blocks of data can be transferred to the cryptographic device, wherein each block of data includes a head portion which is the tail portion of a previous block of data for the same communication link. The head/tail portion is sufficient to reestablish cryptographic synchronization of the cryptographic device.
Type: Grant
Filed: September 27, 2010
Date of Patent: November 12, 2013
Inventors: Charles C. Hardy, Thomas R. Giallorenzi, Jami R. Smith, Ralph E. Carson, Scott A. Jansa
-
Patent number: 8583913
Abstract: External network connectivity of an internal host can be measured by giving an external computer a payload identifying the internal host and instructions to deliver the payload to an external host. The external host may receive the payload and contact the internal host. The internal host's response and receipt of the payload may then determine the Internet connectivity of the internal host. The path from the computer through the trusted host to the internal server shows external network connectivity without exposing the internal host to the external network directly.
Type: Grant
Filed: September 14, 2011
Date of Patent: November 12, 2013
Assignee: Amazon Technologies, Inc.
Inventor: Jacob Gabrielson
-
Patent number: 8584223
Abstract: The invention is a method of managing access to a plurality of data from a server by a client through a point-to-point link. Each of the data is reachable through a set of URIs that belongs to an index list. The method comprises the step of inserting a request to a control message in the index list. The control message applies to a data reachable through one URI belonging to the index list.
Type: Grant
Filed: August 18, 2010
Date of Patent: November 12, 2013
Assignee: Gemalto SA
Inventors: Louis Gregoire, Alexis Pottier
-
Patent number: 8583910
Abstract: A method and apparatus for device discovery and multi-mode security in a wired and/or wireless control network are described. A controlled device is configured with discovery-level instructions and application-level control instructions. The controlled device includes a user-configurable parameter for selecting between multiple security modes. In one or more security modes, the controlled device may ignore application-level messages until encrypted communications are established with a controller. In one mode, the encrypted communication is established with an encryption key exchange using a predetermined security key. In another mode, a specific key is manually entered into the controller by the user/administrator to facilitate the encryption key exchange. Additionally, for control applications where security is not important, an unencrypted security mode may be implemented. A driver ID provided by the controlled device facilitates loading of a preferred device driver by the controller.
Type: Grant
Filed: August 27, 2009
Date of Patent: November 12, 2013
Assignee: Control4 Corporation
Inventors: Eric Smith, James Gist
-
Patent number: 8584255
Abstract: A networked Conditional Access Module provided on an IEEE 1394 network, by defining a Conditional Access Module as a Conditional Access Subunit of the IEEE 1394 network. There is provided an AV/C Conditional Access Commands to allow communication between the Conditional Access Subunit and other Subunits on the network. The Conditional Access Subunit is configured to receive AV/C Conditional Access Commands over the IEEE 1394 network from another subunit, and is also configured to transmit AV/C responses over the IEEE 1394 network in response to the received AV/C Conditional Access Commands.
Type: Grant
Filed: August 30, 2006
Date of Patent: November 12, 2013
Assignee: Sony United Kingdom Limited
Inventors: Richard John Barry, Adrian Charles Paskins
-
Patent number: 8583809
Abstract: A method and system for establishing a secure over-the-air (OTA) connection between a connection owner and a server, the connection owner being associated with a wireless device connected to the server via a communications network. A secure session is instantiated on behalf of the connection owner, the secure session being maintained by the server and defining a context for the secure OTA connection. A registration key and a reset key are defined, and stored in association with the secure session on both the server and the wireless device. Access to the secure session is controlled using at least the registration key, and the secure session is maintained on the server only as long as the connection owner has a valid registration key.
Type: Grant
Filed: September 7, 2007
Date of Patent: November 12, 2013
Assignee: BlackBerry Limited
Inventors: Alexander Sherkin, Srimantee Karmakar, Laura Doktorova, Brindusa Laura Fritsch, Kamen Vitanov, Herbert Little, Michael Hung
-
Patent number: 8583914
Abstract: In one embodiment, a method for providing secure communications using a proxy is provided. The proxy negotiates with a client and a server to determine a session key to use with communications between the client and the proxy and between the proxy and the server. Encrypted data may then be received from the client at the proxy. The proxy can decrypt the encrypted data for processing using the session key. In one embodiment, the decrypted data is not altered. The proxy then sends the encrypted data that was received from the client to the server without re-encrypting the data that was decrypted. Because the proxy did not alter the data in its processing of the decrypted data and the same session key is used between communications for the proxy and the server, the encrypted data stream that was received from the client can be forwarded to the server.
Type: Grant
Filed: May 25, 2012
Date of Patent: November 12, 2013
Assignee: Cisco Technology, Inc.
Inventors: Etai Lev Ran, Ajit Sanzgiri
-
Patent number: 8584227
Abstract: A firewall helps a user make a decision regarding network access for an application executing on a computing device by providing “hints” to the user about an appropriate network access policy. If at least one previously set firewall policy for the application exists in a context different from a current context, the user may be presented with information based on a previously set firewall policy. The information may be prioritized based on a source of the previously set firewall policy and other factors, to provide the user with a hint that facilitates making the decision appropriate in the current context. A programming interface to the firewall allows third party applications to specify a format in which hints are provided to the user.
Type: Grant
Filed: May 9, 2007
Date of Patent: November 12, 2013
Assignee: Microsoft Corporation
Inventors: David Abzarian, Gerardo Diaz Cuellar, Satheesh S. Dabbiru
-
Patent number: 8583935
Abstract: Multiple levels of wireless network resource granting. A user who has an authorized key, e.g., an encryption key or a key indicating that they have paid for service, gets a first, better level of access to the network resources. One without the key is granted lesser access, e.g., less total bandwidth, less bandwidth speed, no access to files or the like.
Type: Grant
Filed: January 23, 2013
Date of Patent: November 12, 2013
Assignee: Lone Star WiFi LLC
Inventor: Scott C. Harris
-
Patent number: 8578149
Abstract: A TCP communication scheme which ensures safe communication up to the communication path near a terminal and eliminates direct attacks from hackers, etc. A terminal (A) and terminal (B) are connected to a relay apparatus (X) and relay apparatus (Y), where the terminal (A) and the terminal (B) are the endpoint terminals positioned at the two ends of a TCP communication connection. The relay apparatuses (X, Y) are each connected to a network (NET). The relay apparatuses (X and Y) are provided so as to be between the terminals (A and B) which had been performing conventional TCP communication, and neither of the relay apparatuses (X and Y) have IP addresses. The relay apparatuses (X and Y) take over the TCP connection between the terminal (A) and the terminal (B), divide the connection into three TCP connections, and establish TCP communication.
Type: Grant
Filed: January 26, 2010
Date of Patent: November 5, 2013
Assignee: Meidensha Corporation
Inventors: Yasushi Tateishi, Tatsuya Okuro, Yasunori Nishibe, Takashi Habutsu
-
Patent number: 8577953
Abstract: A system and method are disclosed for session continuity in multimedia services. A system that incorporates teachings of the present disclosure may include, for example, a multimedia services system has a plurality of service centers each capable of offering one or more multimedia services to an end user, and a controller for managing operations of the service centers. The controller can be programmed to monitor the end user's use of multimedia services from said service centers, detect a change in use by the end user, and offer the end user a multimedia service adapted to the change in use.
Type: Grant
Filed: December 9, 2005
Date of Patent: November 5, 2013
Assignee: AT&T Intellectual Property I, LP
Inventors: Mark Roche, Lalitha Suryanarayana, Sreenivasa Gorti, Philip C. Cunetto, J. Bradley Bridges
-
Publication number: 20130290700
Abstract: Methods, apparatuses, computer program products, devices and systems are described that carry out accepting from a user identifier encryption entity at least one encrypted identifier corresponding to a user having at least one instance of data for encryption; encrypting the at least one instance of data to produce level-one-encrypted data; associating the at least one encrypted identifier with the level-one-encrypted data, wherein a level-one decryption key for the level-one-encrypted data is inaccessible to the user identifier encryption entity; and transmitting the level-one-encrypted data and associated encrypted identifier.
Type: Application
Filed: March 14, 2013
Publication date: October 31, 2013
Inventor: Elwha LLC
-
Publication number: 20130290701
Abstract: A key setting method executed by a node within communication ranges of multiple ad-hoc networks, includes receiving encrypted packets encrypted by respective keys specific to gateways and broadcasted from the gateways in the ad-hoc networks; detecting connection with a mobile terminal communicable with a server retaining the keys specific to the gateways in each ad-hoc network among the ad-hoc networks; transmitting to the server when connection with the mobile terminal is detected, the encrypted packets via the mobile terminal; receiving from the server via the mobile terminal, the keys that are specific to the gateways in the ad-hoc networks and that are for decrypting each encrypted packet among the encrypted packets; and setting each of the received keys as a key to encrypt data that is to be encrypted in the node and decrypt data that is to be decrypted in the node.
Type: Application
Filed: June 28, 2013
Publication date: October 31, 2013
Applicant: Fujitsu Limited
Inventors: Masahiko TAKENAKA, Tetsuya IZU, Kazuyoshi FURUKAWA, Hisashi KOJIMA
-
Patent number: 8572719
Abstract: According to certain aspects, a method for performing remote backup operations is provided that includes receiving a first unidirectional connection request from a media agent module to a proxy device within an enterprise network, through a firewall. The method also includes receiving a second unidirectional connection request from a remote device coupled to an untrusted network, such as through a second firewall. Secure connections are established from the media agent module to the proxy and from the remote device to the proxy. Additionally, the method can include routing with the proxy device backup data from the remote computing device to the media agent over the secured connections. The method also may include storing the backup data on a storage device within the enterprise network. In certain embodiments, during establishment of the secure connections, identification of the media agent or the storage device is not exposed to the untrusted network.
Type: Grant
Filed: May 27, 2011
Date of Patent: October 29, 2013
Assignee: CommVault Systems, Inc.
Inventor: Andrei Erofeev
-
Patent number: 8572718
Abstract: Method, device, and computer program product are provided for differentiated treatment of incoming and outgoing emails based on a network server. A server receives a query from a gateway, and the query includes information about an email received by the gateway. The server obtains rules for processing the email of the query. The server determines an identity for the email based on the rules for processing the email. The server transmits the identity to the gateway to cause the gateway to send the email having the identity to a post office server. The email having the identity is configured to cause the post office server to process the email based on the identity.
Type: Grant
Filed: December 23, 2009
Date of Patent: October 29, 2013
Assignee: AT&T Intellectual Property I, L.P.
Inventors: Steven A. Siegel, Karen Mullis
-
Patent number: 8572372
Abstract: Users of mobile terminals in a communication network are provided controlled access to files in a file system through the steps of configuring the files as a file body containing a file content and a file header containing content profile information; providing a security identity module and a secure agent; storing in the security identity module user profile information identifying a set of content profiles allowed for access to the file system; extracting, via the secure agent, the content profile information from the headers of the files; retrieving, via the secure agent, the user profile information stored in the security identity module; checking the user profile information and the content profile information; and providing the user with access to those files in the file system for which the user profile information and the content profile information are found to match.
Type: Grant
Filed: October 18, 2005
Date of Patent: October 29, 2013
Assignee: Telecom Italia S.p.A.
Inventors: Anronio Varriale, Laura Colazzo, Alberto Bianco, Maura Turolla
-
Patent number: 8571956
Abstract: The present invention contemplates a variety of improved methods and systems for providing an experience platform, as well as sentio or experience codecs, and experience agents for supporting the experience platform. The experience platform may be provided by a service provider to enable an experience provider to compose and direct a participant experience. The service provider monetizes the experience by charging the experience provider and/or the participants for services. The participant experience can involve one or more experience participants. The experience provider can create an experience with a variety of dimensions and features. As will be appreciated, the following description provides one paradigm for understanding the multi-dimensional experience available to the participants. There are many suitable ways of describing, characterizing and implementing the experience platform contemplated herein.
Type: Grant
Filed: February 6, 2012
Date of Patent: October 29, 2013
Assignee: Net Power and Light, Inc.
Inventors: Stanislav Vonog, Nikolay Surin, Tara Lemmey
-
Publication number: 20130283038
Abstract: A way of providing seamless remote data storage and access with a universal encryption key is provided. Data may be able to be uploaded from and/or downloaded to a variety of user devices and/or types of user devices. During transfer of data, a secure communication channel may be established between a user device and a destination storage. Data may be compressed and/or encrypted before being passed to the destination storage. Such compression and/or encryption may be performed at the user device or an intermediate processing module. Likewise, when downloading data, the data may be decompressed and/or decrypted before being made available to a destination user device. Such decompression and/or decryption may be performed at the destination device or the intermediate processing module. In any case, the universal encryption key may be utilized by all user devices to generate uniformly encrypted data.
Type: Application
Filed: April 23, 2012
Publication date: October 24, 2013
Inventors: Raghavendra Kulkarni, Sreedhar Acharya B, Raghavendra Prasad Meengga
-
Publication number: 20130283039
Abstract: Secure bulk messaging mechanism in which, roughly described, a sender first encrypts a message once. The message can be decrypted with a message decryption key. These can be symmetric or asymmetric keys. For each recipient, the sender then encrypts the message decryption key with the recipient's public key. The sender then sends the encrypted message and the encrypted message decryption keys to a store-and-forward server. Subsequently, one or more recipients connect to the server and retrieve the encrypted message and the message encryption key that has been encrypted with the recipient's public key. Alternatively, the server can forward these items to each individual recipient. The recipient then decrypts the encrypted message decryption key with the recipient's private key, resulting in an unencrypted message decryption key. The recipient then decrypts the message using the unencrypted message decryption key.
Type: Application
Filed: December 17, 2012
Publication date: October 24, 2013
Inventor: AXWAY INC.
-
Patent number: 8566612
Abstract: A security processor performs all or substantially all security and network processing to provide a secure I/O interface system to protect computing hardware from unauthorized access or attack. The security processor sends and receives all incoming and outgoing data packets for a host device and includes a packet engine, coupled to a local data bus, to process the incoming and outgoing packets. The processor further comprises a cryptographic core coupled to the packet engine to provide encryption and decryption processing for packets processed by the packet engine. The packet engine also handles classification processing for the incoming and outgoing packets. A modulo engine may be coupled to the local data bus.
Type: Grant
Filed: January 29, 2010
Date of Patent: October 22, 2013
Assignee: Exelis, Inc.
Inventors: John M. Davis, Richard Takahashi
-
Patent number: 8565420
Abstract: A sanction server includes a network interface that receives proxy data from a content source that includes cryptographic parameters that are based on a scrambling control word used to scramble the media content, receives a request for the media content from a client device, transmits the proxy data to the client device and transmits notification data to a caching server. The content source generates cryptographic data and sends the cryptographic data and the scrambled media content to the caching server. The caching server forwards the cryptographic data and the scrambled media content to the client device. The client device generates the scrambling control word for descrambling the scrambled media content based on the proxy data and the cryptographic data.
Type: Grant
Filed: June 20, 2011
Date of Patent: October 22, 2013
Assignee: VIXS Systems, Inc
Inventors: Paul D. Ducharme, Heyun Zheng
-
Patent number: 8566578
Abstract: A method and system for ensuring compliance in public clouds using fine-grained encryption based on data ownership that includes a process for ensuring compliance in public clouds using fine-grained encryption based on data ownership that is implemented, at least in part, at a gateway computing system through which data passes from the enterprise, and/or one or more end users, prior to being sent to the public cloud. In one embodiment, the data is classified, the ownership of the data is determined, the associated encryption keys are obtained, and the data is encrypted, automatically at the gateway computing system before the data is transferred to the public cloud, and in a manner that is transparent to end-users.
Type: Grant
Filed: February 17, 2011
Date of Patent: October 22, 2013
Assignee: Symantec Corporation
Inventor: Deb Banerjee
-
Publication number: 20130275745
Abstract: The invention specifies a method and a system for secure communication of a first computing device and a network. A second computing device with a hardened operating system is employed. The second computing device is different from the operating system of the first computing device. An authentication module in the second computing device authenticates a user. An encryption module in the second computing device encrypts the data received from the first computing device, so that an encrypted communication with the network is made possible. A decryption module in the second computing device decrypts the encrypted data received from the network for the first computing device.
Type: Application
Filed: April 12, 2013
Publication date: October 17, 2013
Inventor: Jochen Gundelfinger
-
Publication number: 20130275746
Abstract: A method for securely distributing a profile within a dispersed storage network (DSN) that begins by encrypting a profile using a key. The method continues by encoding the encrypted profile in accordance with a dispersed storage error encoding function. The method continues by outputting the set of encoded profile slices to the DSN for storage therein. The method continues by encoding the key in accordance with an error encoding function and outputting the set of secure key portions to a set of devices of the DSN for storage therein. A device obtains the profile by retrieving secure key portions from the set of devices and recovering the key therefrom. The device then retrieves encoded profile slices from the DSN and decodes them to recover the encrypted profile. The device then decrypts the encrypted profile using the key to recover the profile.
Type: Application
Filed: June 17, 2013
Publication date: October 17, 2013
Inventors: S. Christopher Gladwin, Kumar Abhijeet, Greg Dhuse, Jason K. Resch
-
Patent number: 8559627
Abstract: A caching server includes a network interface receives first sanction data from the sanction server and transmits first cryptographic data to a client device, receives second cryptographic data from the device and that transmits scrambled media content to the client device. A random number generator generates a random number. A caching processing module, in response to the first sanction data, generates the first cryptographic data based on the random number and the first sanction data, generates a scrambling control word based on the first sanction data and the second cryptographic data and that generates the scrambled media content based on the scrambling control word.
Type: Grant
Filed: June 20, 2011
Date of Patent: October 15, 2013
Assignee: VIXS Systems, Inc
Inventors: Paul D. Ducharme, Heyun Zheng
-
Patent number: 8559921
Abstract: A method of operation for managing network security features is disclosed. A communication device such as a mobile telephone or a modem can establish a position as a communications intermediary supporting communications between a first communication device such as a personal computer and a third communication device such as a server. The intermediary can detect a security feature between these “end devices”, and disable security features on intermediate segments of the end-to-end communication link. The end-to-end communication may utilize a virtual private network as a security feature and other security features on the intermediate segments can be disabled when they provide negligible additional security for the communications.
Type: Grant
Filed: August 17, 2005
Date of Patent: October 15, 2013
Assignee: Freescale Semiconductor, Inc.
Inventors: John V. Thommana, Lizy Paul
-
Patent number: 8559629
Abstract: A content source includes a random number generator that generates scrambling control word based on at least one random number. A source processing module generates proxy data that includes cryptographic parameters that are based on the scrambling control word, generates cryptographic data and generates scrambled media content based on the scrambling control word. A network interface sends the proxy data to a sanction server, and sends the cryptographic data and the scrambled content to a caching server.
Type: Grant
Filed: June 20, 2011
Date of Patent: October 15, 2013
Assignee: ViXS Systems, Inc.
Inventors: Paul D. Ducharme, Heyun Zheng
-
Patent number: 8559632
Abstract: Methods for transferring messages (30) comprising extensible markup language information from sources (104) via intermediates (105) to destinations (106) are provided with hop-by-hop encryption/decryption processes instead of end-to-end encryption/decryption processes to reduce a complexity and to make non-encrypted messages (30) available inside the intermediates (105). The encryption/decryption processes are different per hop. An encryption/decryption of the message (30) comprises an encryption/decryption of one or more fields of the message (30) and may comprise an addition/detection of a signature. The message (30) may comprise a start envelope field (32), a header field (33-35), a body field (36-38) and a stop envelope field (39). The message (30) may comprise a simple object access protocol message or SOAP message.
Type: Grant
Filed: March 23, 2007
Date of Patent: October 15, 2013
Assignee: Alcatel Lucent
Inventor: Sigurd Van Broeck
-
Patent number: 8559628
Abstract: A client device includes a network interface that transmits a request for the media content to the sanction server, receives second sanction data from the sanction server, transmits second cryptographic data to the caching server, receives first cryptographic data from the caching server and that receives scrambled media content from the caching server. A random number generator generates a random number. A client processing module, in response to the second sanction data, generates the second cryptographic data based on the random number and the second sanction data, generates a scrambling control word based on the second sanction data and the first cryptographic data and descrambles the scrambled media content based on the scrambling control word.
Type: Grant
Filed: June 20, 2011
Date of Patent: October 15, 2013
Assignee: ViXS Systems, Inc.
Inventors: Paul D. Ducharme, Heyun Zheng
-
Patent number: 8561147
Abstract: The present invention is to ensure security of a local network, e.g., a home network from remote access while allowing remote access. In a method of the present invention, if a device on the local network is to be accessed remotely, user identifying information (and/or device identifying information) and connection information of a target device, that are accompanied by the access, are compared with information of registered allowance entries and whether to allow the access is determined based on the comparison result. According to the method, remote access to a device invoked by a user (and/or a remote device) whose remote access is not set to allowance is blocked while remote access invoked by a user (and/or a remote device) whose remote access is set to allowance is admitted.
Type: Grant
Filed: April 19, 2006
Date of Patent: October 15, 2013
Assignee: LG Electronics Inc.
Inventors: Kyung Ju Lee, Yu Kyoung Song
-
Patent number: 8560835
Abstract: According to a first aspect of the present invention there is provided a method of at least partly delegating processing of data in a machine-to-machine system to reduce computational load on a broker entity 11 while maintaining security of the data to be processed, the broker entity 11 serving as a link between a node 13 of a sensor network providing the data and an application node 12 requesting the data. In the method, at the broker entity 11, following receipt of a request for processed data from the application node 12, determining the node to provide the data to be processed, generating a data key for the data-providing node 13, generating a data-processing algorithm for processing the data in dependence upon the request, sending the data key to the data-providing node 13, and sending the data key and data-processing algorithm to a remote data-processing entity 15. At the data-providing node 13, encrypting the data using the data key and sending the encrypted data to the data-processing entity 15.
Type: Grant
Filed: June 12, 2008
Date of Patent: October 15, 2013
Assignee: Telefonaktiebolaget LM Ericsson (publ)
Inventors: Mattias Johansson, Yi Cheng, Vincent Huang
-
Patent number: 8561205
Abstract: The invention relates to systems and methods for distributing and viewing electronic documents. In one embodiment, the invention provides a system for distributing electronic versions of printed documents comprising a memory device and a distribution system. The memory device is in operable communication with a content provider and stores at least one electronic document file that is based at least in part on a source electronic document provided by the content provider, wherein the source electronic document is an electronic version of a printed document.
Type: Grant
Filed: September 18, 2007
Date of Patent: October 15, 2013
Assignee: Zinio, LLC
Inventors: Kevin McCurdy, Samuel Hong-Yen Pai, John Kelleher, Richard Maggiotto
-
Patent number: 8559626
Abstract: A sanction server includes a network interface that receives a request for media content from a client device and transmits first sanction data to a caching server and second sanction data to the client device. A sanction processing module generates the first sanction data based on a random number and generates the second sanction data based on the random number. The caching server generates first cryptographic data based on the first sanction data and sends the first cryptographic data to the client device. The client device generates second cryptographic data based on the first sanction data and sends the second cryptographic data to the caching server. The caching server generates a scrambling control word based on the first sanction data and the second cryptographic data. The client device generates the scrambling control word based on the second sanction data and the first cryptographic data.
Type: Grant
Filed: June 20, 2011
Date of Patent: October 15, 2013
Assignee: VIXS Systems, Inc
Inventors: Paul D. Ducharme, Heyun Zheng