Particular Node (e.g., Gateway, Bridge, Router, Etc.) For Directing Data And Applying Cryptography Patents (Class 713/153)
-
Patent number: 8457919
Abstract: A process for testing an integrated circuit includes collecting a set of points of a physical property while the integrated circuit is executing a multiplication, dividing the set of points into a plurality of subsets of lateral points, calculating an estimation of the value of the physical property for each subset, and applying to the subset of lateral points a step of horizontal transversal statistical processing by using the estimations of the value of the physical property, to verify a hypothesis about the variables manipulated by the integrated circuit.
Type: Grant
Filed: March 31, 2010
Date of Patent: June 4, 2013
Assignee: Inside Secure
Inventors: Benoit Feix, Georges Gagnerot, Mylene Roussellet, Vincent Verneuil
-
Patent number: 8458099
Abstract: A system and method for online content licensing and distribution is provided. A central website is accessible by content providers and content licensees via the Internet, and allows content providers to upload content to the central website. Licenses can be associated with uploaded content, and one or more licensees for the content can be designated. Royalty distributions can be defined and distributed to one or more recipients, and can be expressed as percentages of collected royalties or dollar amounts. An e-mail is automatically transmitted to a designated licensee which allows the licensee to access the uploaded content, pay for the content, and download the content. Collected payments are automatically distributed to one or more recipients in accordance with the royalty distributions. Suggested license fees for uploaded content can be generated and provided to the content provider, and uploaded content can be published to a third-party publication website or service.
Type: Grant
Filed: November 21, 2007
Date of Patent: June 4, 2013
Assignee: LicenseStream, Inc.
Inventors: Jeffrey A. Shear, Dmitry Starosta, Iain Scholnick
-
Patent number: 8458453
Abstract: A system and method of providing secure communications between two or more hosts connected to a public network, where a secure virtual network (SVN) is established among the two or more hosts.
Type: Grant
Filed: January 20, 2009
Date of Patent: June 4, 2013
Assignee: Dunti LLC
Inventor: Rupaka Mahalingaiah
-
Patent number: 8458795
Abstract: A system for detecting network intrusions and other conditions in a network is described. The system includes a plurality of collector devices that are disposed to collect data and statistical information on packets that are sent between nodes on a network. An aggregator device is disposed to receive data and statistical information from the plurality of collector devices. The aggregator device produces a connection table that maps each node on the network to a record that stores information about traffic to or from the node. The aggregator runs processes that determine network events from aggregating of anomalies into network events.
Type: Grant
Filed: April 19, 2008
Date of Patent: June 4, 2013
Assignee: Riverbed Technologies, Inc.
Inventors: Daniel Weber, Prem Gopalan, Massimiliano Antonio Poletto
-
Patent number: 8458292
Abstract: A computerized aggregation system, the system including: a master server system programmed to receive data from a user computer, to store the received data, and to process the received data to produce information including credentials, and to provide the information to a client-side application piece at the user computer system, the user computer system adapted to receive said provided information and to communicate said credentials received from the master server system respectively to each of a plurality of third party server systems to facilitate obtaining information from the third party server systems, whereby the user computer system is enabled to aggregate at least some information from the third party server systems on an aggregation template.
Type: Grant
Filed: August 2, 2012
Date of Patent: June 4, 2013
Inventors: Jared Polis, Payal Goyal, Jeffery D Herman, Samuel C Wu, Eric Wu, Michael C Wilson, Chris Young, Andrew Hyde, Michael D. McMahon, Andrew Hartman, Peter K. Trzyna, David L. Calone, Scott Shaver
-
Publication number: 20130138948
Abstract: A method and a system are provided for generating information that relates to services being utilized by a user, by which: at a user device, retrieving usage information that relates to services consumed by the user of the user device; forwarding by the user device the retrieved usage information towards a central processing unit; at the central processing unit, determining based on the received usage information and based on at least one pre-determined criterion associated with the services being consumed by the user, whether a message should be sent to that user; and if in the affirmative, sending a message to the user that relates to the received usage information, without logging any information that relates to the message being sent to the user, at the central processing unit.
Type: Application
Filed: January 15, 2013
Publication date: May 30, 2013
Applicant: CVIDYA NETWORKS LTD.
Inventor: CVIDYA NETWORKS LTD.
-
Publication number: 20130138949
Abstract: A key setting method executed by a node transmitting and receiving a packet through multi-hop communication in an ad-hoc network among ad-hoc networks, includes receiving a packet encrypted using a key specific to a gateway and simultaneously reported from the gateway in the ad-hoc network; detecting a connection with a mobile terminal capable of communicating with a server retaining a key specific to a gateway in each ad-hoc network among the ad-hoc networks; transmitting to the server, via the mobile terminal and when a connection with the mobile terminal is detected, the encrypted packet received; receiving from the server and via the mobile terminal, a key specific to a gateway in the ad-hoc network and for decrypting the encrypted packet transmitted; and setting the received key specific to the gateway in the ad-hoc network as the key for encrypting the packet.
Type: Application
Filed: January 23, 2013
Publication date: May 30, 2013
Applicant: FUJITSU LIMITED
Inventor: FUJITSU LIMITED
-
Publication number: 20130138950
Abstract: A key setting method executed by a node transmitting and receiving data through multi-hop communication in an ad-hoc network among multiple ad-hoc networks, includes detecting connection with a mobile terminal communicating with a server connected to a gateway in each ad-hoc network among the ad-hoc networks; transmitting by simultaneously reporting to the ad-hoc network, an acquisition request for a key for encrypting the data when the connection with the mobile terminal is detected at the detecting; receiving from the server via the mobile terminal, a key specific to a gateway and transmitted from the gateway to the server consequent to transfer of the simultaneously reported acquisition request to the gateway in the ad-hoc network; and setting the key specific to the gateway received at the receiving as the key for encrypting the data.
Type: Application
Filed: January 24, 2013
Publication date: May 30, 2013
Applicant: FUJITSU LIMITED
Inventor: FUJITSU LIMITED
-
Publication number: 20130138951
Abstract: A method for handling an encrypted message received on an electronic device that has not been encrypted using a current public key. The portable electronic device automatically generates a reply message to the sender in response to determining that the message has not been encrypted with the current public key. The reply message may contain the current public key of the recipient device, and may request the sender to resend the message encrypted with the current public key.
Type: Application
Filed: January 28, 2013
Publication date: May 30, 2013
Applicant: RESEARCH IN MOTION LIMITED
Inventor: RESEARCH IN MOTION LIMITED
-
Patent number: 8452955
Abstract: Methods and apparatus for securely transmitting sensitive information to a remote device at the request of an application program are provided. The application program generates a request to a secure channel provider to make a transmission to a remote device. A first message is passed from the application program to the secure channel provider containing insertion point codes indicating locations within the first message where the sensitive information should be inserted. Sensitive information is obtained from a source outside of the application program and the sensitive information is inserted into the first message at the locations in the first message indicated by the insertion point codes to form a second message containing the sensitive information. The second message is encrypted and this encrypted message is transmitted to the remote device. The sensitive information is unaccessed by the application program during the execution of the method.
Type: Grant
Filed: May 29, 2007
Date of Patent: May 28, 2013
Assignee: Netsecure Innovations Inc.
Inventor: Daniel McCann
-
Patent number: 8452957
Abstract: A mobile node, a gateway node and methods are provided for securely storing a content into a remote node. The mobile node, or a gateway node of a network providing access to the mobile node, applies a content key to the content prior to sending the content for storage in the remote node. The content key is generated at the mobile node, based on a random value obtained from an authentication server, or directly at the authentication server if applied by the gateway node. The content key is not preserved in the mobile node or in the gateway node, for security purposes. When the mobile node or the gateway node fetches again the content from the remote node, the same content key is generated again for decrypting the content. The remote node does not have access to the content key and can therefore not read or modify the content.
Type: Grant
Filed: April 27, 2010
Date of Patent: May 28, 2013
Assignee: Telefonaktiebolaget L M Ericsson (publ)
Inventors: Makan Pourzandi, Mats Naslund
-
Patent number: 8453208
Abstract: A network authentication method, a method for a client to request authentication, a client, and a device are provided.
Type: Grant
Filed: April 27, 2011
Date of Patent: May 28, 2013
Assignee: Chengdu Huawei Symantec Technologies Co., Ltd.
Inventor: Wu Jiang
-
Patent number: 8452956
Abstract: A data security device for providing a network transport connection via a transparent network proxy that employs different encryption security mediums along a communications session between two endpoints by emulating one of the endpoints at an intermediate node such that the communication session appears as an atomic, secure connection to the endpoints yet provides appropriate security over the end-to-end connection. A sender node sends a connection request to establish a secure communication session with an intended receiver node. A transparent proxy on an intermediate node receives the request and establishes the link employing an encryption mechanism. The transparent proxy establishes a second link with the intended receiver, and applies a second, less expensive encryption mechanism. The transparent proxy combines the two links to form the trusted, secure connection but incurring only the mitigated expense over the second link.
Type: Grant
Filed: February 20, 2009
Date of Patent: May 28, 2013
Assignee: Cisco Technology, Inc.
Inventors: Edward C. Kersey, James W. O'Toole, Jr., Bradley Dale Dike, Patrick Darrell Tate, Eric A. Fritzges, Andre Justin Pecqueur, Bruce F. Wong, Hema M. Prasad, Shaheed Bacchus, Larry David Bisel
-
Patent number: 8452963
Abstract: A computer-implemented process comprises receiving, at a first computer, a base cryptographic seed through a secure connection to a second computer; generating one or more protected access credential parameters; combining said base cryptographic seed with at least a portion of said generated protected access credential parameters using a hashed message authentication code function to generate a master key; encrypting at least a portion of said generated protected access credential parameters using at least a portion of said generated master key; incorporating said encrypted protected access credential parameters and at least a portion of said generated protected access credential parameters into a protected access credential. In an embodiment, a master server securely distributes the seed and the process is performed by a plurality of access servers to separately generate the same master key for use in subsequent authentication communications using an authentication protocol such as EAP-FAST.
Type: Grant
Filed: January 27, 2009
Date of Patent: May 28, 2013
Assignee: Cisco Technology, Inc.
Inventor: Noam Singer
-
Patent number: 8446911
Abstract: An application gateway server is provided for managing communication between an application executing in a runtime environment on a device and at least one backend server. The application gateway server comprises a message listener, a connector subsystem, and a messaging subsystem. The message listener receives messages from the component applications. The connector subsystem comprises a plurality of connectors, each of the plurality of connectors for communicating with one or more associated backend servers. The messaging subsystem comprises a message broker for processing messages received from the message listener and transmitting them to an associated one of the plurality of connectors and a communication mapping for identifying which of the plurality of connectors is to be used for each message in accordance with an origin of the message.
Type: Grant
Filed: May 14, 2010
Date of Patent: May 21, 2013
Assignee: Research In Motion Limited
Inventors: Michael Shenfield, Viera Bibr, Laura Brindusa Fritsch
-
Patent number: 8447969
Abstract: Mechanisms are provided for transferring sensitive information, such as cryptographic keys, between entities. Particularly, a device is provided with a user input connected directly to a secure element. The device enables a user to enter sensitive information in the user input which is then passed directly to the secure element without traversing any other element such that the secure element can encode and/or encrypt the sensitive information. Once the sensitive information has been encoded and/or encrypted by the secure element, the now secure sensitive information can be shared with other entities using familiar and popular, yet relatively unsecure, transfer methods.
Type: Grant
Filed: March 15, 2010
Date of Patent: May 21, 2013
Assignee: Assa Abloy AB
Inventors: Mark Robinton, Scott Haigh, Scott B. Guthery
-
Publication number: 20130124853
Abstract: In an example embodiment, a digital content distributor may transmit an unsigned license associated with a protected digital object to a digital rights management provider. The digital rights management provider may digitally sign the license and may transmit the signed license to the digital content distributor.
Type: Application
Filed: September 9, 2008
Publication date: May 16, 2013
Applicant: Adobe Systems Incorporated
Inventors: Peter Sorotokin, Jim Lester, Nicholas Bogaty
-
Patent number: 8443101
Abstract: A method and system for steganography and steganalytic techniques are provided for effecting embedded communications in a variety of communication environments. One aspect may include an embedded transmitter for inserting embedded data into a packet and an embedded receiver for receiving the packet via, for example, a packetized communication network such as the Internet. Various aspects of the present invention provide robust communications with optimized throughput and may include various error handlers to maximize performance and ensure transfer of incorrupt data. A method for identifying and blocking embedded communications is also provided.
Type: Grant
Filed: April 9, 2010
Date of Patent: May 14, 2013
Assignee: The United States of America as represented by the Secretary of the Navy
Inventors: William Karl Geissler, John Colin McEachen
-
Patent number: 8443448
Abstract: A system and method for performing a security check may include using at least one processor to periodically check a status of a flag, generate and store a baseline representation of modules stored on the device where the flag is determined to be set to a first state, and, where the flag is determined to be set to a second state, generate an active representation of modules stored on the first device, compare the active representation of modules to the baseline representation of modules, and, responsive to a determination in the comparing step of a difference between the baseline and active representations of modules, output an alert. The flag status may depend on an association of the device with one of a plurality of authorization policies, each mapped to one of the two states. Results of the comparison may be appended to an activity log of the device.
Type: Grant
Filed: August 20, 2009
Date of Patent: May 14, 2013
Assignee: Federal Reserve Bank of New York
Inventors: Danny Brando, Joonho Lee, Jia Ye
-
Patent number: 8443186
Abstract: An encryption method and apparatus thereof is disclosed. In one embodiment the method includes (a) receiving the content data via the network, (b) changing a sequence of the received content data according to a predetermined algorithm or randomly to store in a form of a cache file, (c) generating a decryption key including information of the changed sequence of the data, and (d) encrypting the decryption key according to a predetermined encryption system, wherein if a playback or transmission of the stored content is requested, the encrypted decryption key is decrypted and the corresponding data is extracted from the cache file according to the sequence information of the decryption key to be played back or transmitted. According to one embodiment of the invention, a user is unable to illegally use content data stored in his local client and content data stored in a local client can be quickly decrypted so as not to affect playback of the content data.
Type: Grant
Filed: November 18, 2005
Date of Patent: May 14, 2013
Assignee: NHN Corporation
Inventor: Kyung-don Kang
-
Patent number: 8443069
Abstract: A highly scalable application network appliance is described herein. According to one embodiment, a network element includes a switch fabric, a first service module coupled to the switch fabric, and a second service module coupled to the first service module over the switch fabric. In response to packets of a network transaction received from a client over a first network to access a server of a data center having multiple servers over a second network, the first service module is configured to perform a first portion of OSI (open system interconnection) compatible layers of network processes on the packets while the second service module is configured to perform a second portion of the OSI compatible layers of network processes on the packets. The first portion includes at least one OSI compatible layer that is not included in the second portion. Other methods and apparatuses are also described.
Type: Grant
Filed: March 24, 2011
Date of Patent: May 14, 2013
Assignee: Cisco Technology, Inc.
Inventors: Nagaraj Bagepalli, Prashant Gandhi, Abhijit Patra, Kirti Prabhu, Anant Thakar
-
Publication number: 20130117556
Abstract: A system and method for the secure storage and transmission of data is provided. A data aggregate device can be configured to receive secure data from a data source, such as a sensor, and encrypt the secure data using a suitable encryption technique, such as a shared private key technique, a public key encryption technique, a Diffie-Hellman key exchange technique, or other suitable encryption technique. The encrypted secure data can be provided from the data aggregate device to different remote devices over a plurality of segregated or isolated data paths. Each of the isolated data paths can include an optoisolator that is configured to provide one-way transmission of the encrypted secure data from the data aggregate device over the isolated data path. External data can be received through a secure data filter which, by validating the external data, allows for key exchange and other various adjustments from an external source.
Type: Application
Filed: November 1, 2012
Publication date: May 9, 2013
Applicant: SAVANNAH RIVER NUCLEAR SOLUTIONS, LLC
Inventor: Savannah River Nuclear Solutions, LLC
-
Patent number: 8438628
Abstract: A method and apparatus are provided for split-terminating a secure client-server communication connection, with client authentication. During handshaking between the client and the server, cooperating network intermediaries relay the handshaking messages, without altering the messages. At least one of the intermediaries possesses a private key of the server, and extracts a set of data fields from the handshaking messages, including a Client-Key-Exchange message that can be decrypted with the private key. The intermediary uses the extracted data to compute the client-server session key separate from the client's and the server's similar computation, and may transmit the key to the other intermediary via a secure communication channel. The client and the server thus establish the end-to-end client-server connection, and may authenticate each other, after which the network intermediaries may intercept and optimize the client-server communications transparently to the client and the server.
Type: Grant
Filed: June 29, 2010
Date of Patent: May 7, 2013
Assignee: Riverbed Technology, Inc.
Inventors: Paras Shah, Case Thomas Larsen, Shashidhar Merugu, Yongsub Nam
-
Patent number: 8438386
Abstract: A method and system for controlling access to an Internet resource is disclosed herein. When a request for an Internet resource, such as a Web site, is transmitted by an end-user of a LAN, a security appliance for the LAN analyzes a reputation index for the Internet resource before transmitting the request over the Internet. The reputation index is based on a reputation vector which includes a plurality of factors for the Internet resource such as country of domain registration, country of service hosting, country of an internet protocol address block, age of a domain registration, popularity rank, internet protocol address, number of hosts, top-level domain, a plurality of run-time behaviors, JavaScript block count, picture count, immediate redirect and response latency. If the reputation index for the Internet resource is at or above a threshold value established for the LAN, then access to the Internet resource is permitted.
Type: Grant
Filed: February 21, 2010
Date of Patent: May 7, 2013
Assignee: Webroot Inc.
Inventors: Ron Hegli, Hal Lonas, Christopher K. Harris
-
Patent number: 8438632
Abstract: A low-cost Multi Function Peripheral (MFP) prevents a user from forgetting to cancel an authenticated state. The MFP includes a scanner unit, a printer unit, a touch screen, and a reset key for initializing various settings. When the user is authenticated, the MFP accepts various operations. Under a state in which the user is authenticated, when the reset key is operated, a control unit executes a logout process.
Type: Grant
Filed: May 28, 2010
Date of Patent: May 7, 2013
Assignee: Murata Kikai Kabushiki Kaisha
Inventors: Masayuki Kanou, Kenji Dokuni
-
Patent number: 8438381
Abstract: A method of securing IP traffic sent from a first host to a second host attached respectively to first and second access points. The method comprises establishing a shared secret between said first and second hosts, and for each packet to be sent, using the next value in a pseudo-random number sequence as an interface identifier part of the source IP address.
Type: Grant
Filed: March 16, 2007
Date of Patent: May 7, 2013
Assignee: Telefonaktiebolaget LM Ericsson (Publ)
Inventor: Wassim Haddad
-
Patent number: 8438223
Abstract: Aggregation apparatus that comprises a computer, a display controlled by the computer, and networking hardware connecting the computer to a network. The computer is programmed so that the aggregation apparatus connects to a plurality of sites on the Internet, authenticates itself with each of the sites, and attempts to retrieve information from said sites. The information comprises different data types. If no error is detected or trapped, an aggregation of information is produced and rendered as output. If an error is detected or trapped, an attempt is made to associate the error with an error code. If the error code is associated with the error, then the aggregation apparatus communicates an instruction to a user interface to trigger presentation of a message to take an action. If the error does not match an error code, an instruction is communicated to the user interface that a particular action has occurred.
Type: Grant
Filed: March 21, 2012
Date of Patent: May 7, 2013
Inventors: Jared Polis, Payal Goyal, Jeffery D Herman, Samuel C Wu, Eric Wu, Michael C Wilson, Chris Young, Andrew Hyde, Michael D. McMahon, Andrew Hartman, Peter K. Trzyna, David L. Calone, Scott Shaver
-
Patent number: 8438377
Abstract: An information processing apparatus includes a main memory unit storing while on-power; an auxiliary storage unit functionable even off-power; a control unit performing hibernation of generating operating-state data indicating a state when the power is lost, storing the data in the auxiliary storage unit, and, when restored, reading the data from the auxiliary storage unit; and a security chip that including a configuration register, encrypts data, and storing the data in the auxiliary storage unit. The control unit includes: a first registration unit performing, when the data is generated, calculation based thereon to obtain a calculated value; a second registration unit performing, when the data is read from the auxiliary storage unit at the hibernation, calculation based on the data to obtain a calculated value to write it into the configuration register; and a verification unit performing verification at boot-up from the hibernation based on the value written.
Type: Grant
Filed: April 8, 2010
Date of Patent: May 7, 2013
Assignee: Ricoh Company, Limited
Inventor: Shigeya Senda
-
Patent number: 8438630
Abstract: A system and method is disclosed for implementing a data loss prevention (DLP) system capable of detecting transmission attempts involving encrypted data. In response to detecting that the data is encrypted, such a DLP system may perform any number of configurable DLP actions, such as blocking the data transmission attempt and/or sequestering the data. The DLP system may determine that the data is encrypted, based at least in part, on a value of a compressibility measure of the data, such as a compression ratio. The DLP system may leverage other operating system and/or file system capabilities, such as file extensions, magic numbers, or other utilities. The DLP system may determine if the data is compressed rather than encrypted by attempting to decompress the file.
Type: Grant
Filed: March 30, 2009
Date of Patent: May 7, 2013
Assignee: Symantec Corporation
Inventor: Thomas G. Clifford
-
Publication number: 20130111205
Abstract: Improved systems and techniques for secure delivery of data. One or more data providers deliver encrypted data to a storage entity. For each of one or more authorized recipients of data delivered by a data provider, the data provider generates a re-encryption key and delivers it to the storage entity. The storage entity uses a recipient's re-encryption key to re-encrypt data to be delivered to the recipient. The recipient is able to use its own key to decrypt data that has been encrypted with the data provider's key and re-encrypted with the re-encryption key of the recipient. Delivery of data may be managed to insure that it reflects a consistent condition. Data may be homomorphically encrypted by each of a plurality of data providers and processed in aggregate at the storage entity, with a recipient being able to decrypt the aggregated data but not individual elements of the aggregated data.
Type: Application
Filed: October 31, 2011
Publication date: May 2, 2013
Inventor: Debmalya Biswas
-
Patent number: 8433895
Abstract: A computer-implemented method for securely managing multimedia data captured by a mobile computing device is disclosed. The method may comprise: 1) identifying multimedia data captured by the mobile computing device, 2) identifying an asymmetric public key stored on the mobile computing device that is associated with an asymmetric private key stored on a server, 3) encrypting the multimedia data using the asymmetric public key so that the encrypted multimedia data may only be decrypted using the asymmetric private key stored on the server, and 4) transmitting the encrypted multimedia data to the server. Corresponding systems and computer-readable media are also disclosed.
Type: Grant
Filed: May 30, 2008
Date of Patent: April 30, 2013
Assignee: Symantec Corporation
Inventors: William E. Sobel, Brian Hernacki
-
Patent number: 8434143
Abstract: Methods and systems for an intelligent network protection gateway (NPG) and network architecture are provided. According to one embodiment, a firewall provides network-layer protection to internal hosts against unauthorized access by hosts of an external network by performing network address translation (NAT) processing of Internet Protocol (IP) addresses. The firewall changes data in headers of VoIP packets and corresponding data contents of the VoIP packets, to enable bi-directional VoIP communications. An external VoIP interface of the firewall receives incoming VoIP packets having a user alias (e.g., an email address) and an indication regarding a VoIP port of external interface. The packets are directed to an appropriate internal host by the firewall performing port address forwarding based on the port indication to a Media Gateway Control Protocol (MGCP) media gateway within the internal network that maintains a mapping of user aliases to private addresses of the internal hosts.
Type: Grant
Filed: June 7, 2012
Date of Patent: April 30, 2013
Assignee: Fortinet, Inc.
Inventor: Michael Xie
-
Patent number: 8429708
Abstract: A method and system is provided for assessing the cumulative set of access entitlements to which an entity, of an information system, may be implicitly or explicitly authorized, by virtue of the universe of authorization intent specifications that exist across that information system, or a specified subset thereof, that specify access for that entity or for any entity collectives with which that entity may be directly or transitively affiliated. The effective system-level access granted to the user based upon operating system rules or according to access check methodologies is determined and mapped to administrative tasks to arrive at the cumulative set of access entitlements authorized for the user.
Type: Grant
Filed: June 22, 2007
Date of Patent: April 23, 2013
Inventor: Sanjay Tandon
-
Patent number: 8428256
Abstract: Provided are a method and apparatus for effectively fixing scrambled content. The method includes checking fixing information for a program map table (PMT) packet of packets constituting the content, the fixing information being used to fix a transformed part of the content; extracting location information of a next PMT packet containing fixing data for fixing the transformed part of the content from the fixing information of the PMT packet; and fixing the transformed part of the content by using the fixing data in the next PMT packet indicated by the extracted location information. Accordingly, it is possible to easily detect a location of the content, which stores the fixing information, thereby expediting fixing of the transformed content.
Type: Grant
Filed: July 19, 2006
Date of Patent: April 23, 2013
Assignee: Samsung Electronics Co., Ltd.
Inventors: Young-kuk You, Hyun-kwon Chung, Jun-bum Shin, Yun-ho Choi, Su-hyun Nam
-
Patent number: 8429400
Abstract: In one embodiment, a method can include: (i) sending a request to join a group to a service broker; (ii) receiving from the service broker a list of key servers servicing the group; and (iii) sending registration information to a selected one of the key servers in the list.
Type: Grant
Filed: June 21, 2007
Date of Patent: April 23, 2013
Assignee: Cisco Technology, Inc.
Inventors: Mohamed Khalid, Warren S. Wainner, Aamer Akhter, Paul Quinn
-
Patent number: 8429426
Abstract: A method for data storage includes supplying data to and from a host to a storage memory via a secure data path. A first CPU is employed to control operation of the storage memory, and a second CPU is employed to control operation of the secure data path.
Type: Grant
Filed: October 17, 2008
Date of Patent: April 23, 2013
Assignee: SanDisk IL Ltd.
Inventors: Leonid Minz, Avraham Meir, Boris Dolgunov, Roy Krotman
-
Patent number: 8424053
Abstract: A computer-implemented method is provided for updating network security policy rules when network resources are provisioned in a service landscape instance. The method includes categorizing network resources in a service landscape instance based on a service landscape model. The method further includes responding to the provisioning of a network resource by automatically generating one or more security policy rules for a newly-provisioned network resource. Additionally, the method includes updating security policy rules of pre-existing network resources in the service landscape instance that are determined to be eligible to communicate with the newly-provisioned network resource so as to include the newly-provisioned network resource as a remote resource based on the service landscape model.
Type: Grant
Filed: July 1, 2008
Date of Patent: April 16, 2013
Assignee: International Business Machines Corporation
Inventors: Sivaram Gottimukkala, Lap Huynh, Dinakaran Joseph, Linwood Overby, Jr., Wesley Devine, Michael Behrendt, Gerd Breiter
-
Patent number: 8422953
Abstract: To provide a center device for accommodating a variety of situations which may occur when a home-use game machine, or the like, is used, in which a plurality of users use their own controller devices such as an input device. A center device communicates with a plurality of devices in either a wired or radio manner, receives an instruction operation from a user of each device, and carries out a process based on the instruction operation, the plurality of devices each having unique identifier, including: a unit that obtains an identifier of a device; a unit that provides information concerning the device, the identifier of the device is not associated with the identifier of the user; and a unit that associates the identifier of the device selected by the user, the identifier of the user is already associated with the identifier of another device, with the identifier of the user.
Type: Grant
Filed: June 25, 2012
Date of Patent: April 16, 2013
Assignees: Sony Corporation, Sony Computer Entertainment Inc.
Inventors: Mariko Hino, Satoshi Hashimoto, Ken Kutaragi
-
Patent number: 8423763
Abstract: A method and system for supporting multiple digital certificate status information providers are disclosed. An initial service request is prepared at a proxy system client module and sent to a proxy system service module operating at a proxy system. The proxy system prepares multiple service requests and sends the service requests to respective multiple digital certificate status information providers. One of the responses to the service requests received from the status information providers is selected, and a response to the initial service request is prepared and returned to the proxy system client module based on the selected response.
Type: Grant
Filed: November 26, 2010
Date of Patent: April 16, 2013
Assignee: Research In Motion Limited
Inventors: Herbert A. Little, Stefan E. Janhunen, Dale J. Hobbs
-
Patent number: 8423760
Abstract: A first packet is received at a network element from an E-UTRAN Node B (eNB) of an E-UTRAN access network via a secured communications tunnel of a secured connection, where the first packet encapsulates a second packet therein. It is determined whether the network element serves both a security gateway functionality and a serving gateway functionality of a core packet network based on the first packet and the second packet. The network element negotiates with the eNB to switch further communications from a tunnel mode to a transport mode of the secured connection if it is determined that the network element serves both the security gateway functionality and the serving gateway functionality. Thereafter, the network element exchanges further packets with the eNB via the transport mode of the secured connection after the eNB switches from the tunnel mode to the transport mode.
Type: Grant
Filed: February 23, 2010
Date of Patent: April 16, 2013
Assignee: Stoke, Inc.
Inventors: Nishi Kant, Heeseon Lim
-
Publication number: 20130091350
Abstract: Methods and systems are provided for proxying data between an application server and a client device. One exemplary application system includes an application server to generate a virtual application and a proxy server coupled to the application server over a network to provide the virtual application to a client device. The proxy server receives input data from the client device and provides the input data to the application server, wherein the application server encodes the input data for an action in response to authenticating the proxy server and provides the data encoded for the action to the proxy server. The proxy server performs the action on the data and provides the result to the client device.
Type: Application
Filed: August 23, 2012
Publication date: April 11, 2013
Applicant: salesforce.com, inc.
Inventor: Yoel Gluck
-
Publication number: 20130091351
Abstract: A method may include allocating a number of public keys, where each respective public key is allocated to a respective entity of a number of entities; storing a number of private keys, where each respective private key corresponds to a respective public key; storing one or more decryption algorithms, where each respective decryption algorithm is configured to decrypt data previously encrypted using at least one encryption algorithm of the encryption algorithms. Each respective encryption algorithm may be configured to encrypt data using at least one public key. Each respective decryption algorithm may be configured to decrypt data using at least one private key. The method may include receiving encrypted data, where the encrypted data is encrypted using a first public key and a first encryption algorithm, and the encrypted data is provided over a network.
Type: Application
Filed: October 1, 2012
Publication date: April 11, 2013
Applicant: BRAINTREE PAYMENT SOLUTIONS, LLC
Inventor: Braintree Payment Solutions, LLC
-
Patent number: 8417939
Abstract: A communication system 100 includes a group of user devices 110, a first satellite 106 and a content delivery network 120 in communication with the group of user devices 110. The content delivery network 120 communicates encryption-decryption information to the plurality of user devices using the first satellite 106 and encrypts the content in response to the encryption-decryption information. The content delivery network 120 communicates the content to the plurality of user devices separately from the encryption-decryption information. The plurality of user devices 110 decrypts the content in response to the encryption-decryption information. A control word packet may also be used to convey security information to the user devices so that decryption may be performed.
Type: Grant
Filed: April 11, 2007
Date of Patent: April 9, 2013
Assignee: The DIRECTV Group, Inc.
Inventors: Raynold M. Kahn, Peter M. Klauss
-
Patent number: 8417940
Abstract: The invention relates to a system for processing data that can be exchanged between at least a first domain having a security level A and a second domain having a security level B, A being different from B, characterized in that it comprises at least one elementary entity EEi including a routing module URi and a device UTi for processing data, the routing module URi including at least one input Ii into the domain having the A security level for the data to be processed, and at least one first output Pi for the data that has not been processed and remains in the domain with the A security level, and a second output Li connected to the processing device UTi for the data processed and transferred into the domain with the B security level via the output Oi.
Type: Grant
Filed: April 25, 2008
Date of Patent: April 9, 2013
Assignee: Thales
Inventors: Benoit Maximilien, Vladimir Ksinant
-
Patent number: 8418233
Abstract: A system, apparatus, and method are directed to managing access to a resource using rule-based deep packet extractions of a credential. A network device, such as a traffic management device, is situated between a client device and a server device. When the client device sends a request for a resource, the request is intercepted by the network device. The network device may employ a multi-layer deep packet extraction of the credential from the request. The network device may then use the credential to determine whether the request is enabled to access the resource. Based, in part, on a variety of rules, the network device may deny access, enable access, route the request to a different server, or the like. In one embodiment, the network device may receive a rule from another device that directs the network device to request a different credential.
Type: Grant
Filed: October 24, 2005
Date of Patent: April 9, 2013
Assignee: F5 Networks, Inc.
Inventor: John Robert Hughes
-
Patent number: 8417941
Abstract: A system, peripheral device, and method for authenticating an encryption key before transmitting encrypted messages containing sensitive information are provided. Authentication of a client device during the coordination of data transfer among multiple computer devices is possible by providing a peripheral device that does not have a direct connection to a network, but rather, any message to be transmitted over the network must be relayed through a client device. Any sensitive information to be transferred to a remote device is inserted into a message, then the message is encrypted in the peripheral device. This prevents any process running on the client device from fooling the client device into communicating confidential information to a third party rather than the desired remote computer, because the client device never sees the sensitive information in an unencrypted form; only the peripheral device has access to the sensitive information in an unencrypted form.
Type: Grant
Filed: May 5, 2009
Date of Patent: April 9, 2013
Assignee: Olympia Trust Company
Inventors: Daniel McCann, Nima Sharifimehr
-
Patent number: 8418244
Abstract: Techniques are provided for securing instant communications, such as text, audio, and video. A tunnel management module is included in an instant communication suite that comprises one or more instant communication applications. Any communication between a user of the instant communication suite and a contact passes through the tunnel management module, which may use TLS (or IPSec) technologies to ensure security of the instant communications. Each contact of a user may be associated with a different set of security mappings, which may be specified by the user. A tunnel configuration file is generated from a security mapping and is used to create a tunnel through which secure instant communications may pass.
Type: Grant
Filed: April 27, 2007
Date of Patent: April 9, 2013
Assignee: Yahoo! Inc.
Inventor: Richard Sinn
-
Patent number: 8416949
Abstract: An actor node according to the present invention includes a dynamic change unit for temporarily changing a coverage block in which data are obtained from a sensor node and temporarily causing another actor node to obtain, on behalf of the actor node, data from the sensor node arranged in a partial region of at least a portion of the coverage blocks. The dynamic change unit obtains identification information unique to the another actor node from the another actor node. The dynamic change unit notifies, to the sensor node arranged in the partial region, the obtained identification information. The dynamic change unit notifies, to the another actor node, a portion of the hash chain and a temporary key generated using the obtained identification information and the key used for communication with the sensor node arranged in the partial region.
Type: Grant
Filed: November 17, 2010
Date of Patent: April 9, 2013
Assignee: Sony Corporation
Inventors: Tomoyuki Asano, Masafumi Kusakawa, Imsung Choi
-
Publication number: 20130086375
Abstract: Embodiments provided herein include techniques for enabling a mobile device to communicate with smart media in a manner that can sidestep the secure element of the mobile device—and the costs associated with it. The mobile device can communicate with the smart media using near-field communication (NFC) by creating an encrypted connection with a remote computer while bypassing a secure element of the mobile device. This allows the mobile device to provide point-of-sale (POS) functionality by reading and/or writing to the smart media, without compromising the security of the smart media.
Type: Application
Filed: September 26, 2012
Publication date: April 4, 2013
Applicant: CUBIC CORPORATION
Inventor: CUBIC CORPORATION
-
Patent number: 8412942
Abstract: Using an identifier generation algorithm, a device coupled to a communication network generates an SSID and associated encryption key for a mobile device using its unique identifier. The encryption key and SSID are stored to a configuration database server coupled to the network. A wireless-capable device that provides access to the network receives the SSID and encryption key from the configuration database and sends a broadcast message that includes the SSID and unencrypted original information. The mobile user device receives the broadcast message when it enters the presence of the wireless access device. Using the identifier generation algorithm the mobile device generates an SSID and key from its unique identifier and encrypts the original information and sends a return message including the SSID and the encrypted original information. The mobile device is granted access if unencrypted original information from the return message matches that sent in the broadcast message.
Type: Grant
Filed: January 22, 2008
Date of Patent: April 2, 2013
Assignee: ARRIS Group, Inc.
Inventor: John Bestermann