Particular Node (e.g., Gateway, Bridge, Router, Etc.) For Directing Data And Applying Cryptography Patents (Class 713/153)
  • Publication number: 20110231651
    Abstract: Embodiments are directed towards establishing an encrypted session between a client device and a target server device when the client device initiates network connections through a proxy device. In one embodiment, the client device initiates an encrypted session with the proxy device. Once the encrypted session is established, the client device communicates the address of the target server device to the proxy device. Then, the proxy device sends an encrypted session renegotiation message to the client device. The client device responds to the encrypted session renegotiation message by transmitting an encrypted session handshake message to the proxy device.
    Type: Application
    Filed: March 18, 2011
    Publication date: September 22, 2011
    Applicant: F5 Networks, Inc.
    Inventor: Benn Sapin Bollay
  • Publication number: 20110231653
    Abstract: A traffic management device (TMD), system, and processor-readable storage medium are directed to securely transferring session credentials from a client-side traffic management device (TMD) to a second server-side TMD that replaces a first server-side TMD. In one embodiment, a client-side TMD and the first server-side TMD have copies of secret data associated with an encrypted session between a client device and a server device, including a session key. For any of a variety of reasons, the first server-side TMD is replaced with the second server-side TMD, which may not have the secret data. In response to a request to create an encrypted connection associated with the encrypted session, the client-side TMD encrypts the secret data using the server device's public key and transmits the encrypted secret data to the second server-side TMD.
    Type: Application
    Filed: December 13, 2010
    Publication date: September 22, 2011
    Applicant: F5 Networks, Inc.
    Inventors: Benn Sapin BOLLAY, Jeffrey Michael Warren
  • Publication number: 20110231652
    Abstract: A traffic management device (TMD), system, and processor-readable storage medium are directed to determining that an end-to-end encrypted session has been established between a client and an authentication server, intercepting and decrypting subsequent task traffic from the client, and forwarding the intercepted traffic toward a server. In some embodiments, a second connection between the TMD and server may be employed to forward the intercepted traffic, and the second connection may be unencrypted or encrypted with a different mechanism than the encrypted connection to the authentication server. The encrypted connection to the authentication server may be maintained following authentication to enable termination of the second connection if the client becomes untrusted, and/or to enable logging of client requests, connection information, and the like. In some embodiments, the TMD may act as a proxy to provide client access to a number of servers and/or resources.
    Type: Application
    Filed: July 29, 2010
    Publication date: September 22, 2011
    Applicant: F5 Networks, Inc.
    Inventors: Benn Sapin Bollay, Jonathan Mini Hawthorne
  • Patent number: 8024806
    Abstract: A method, apparatus and system enable a secure location-aware platform. Specifically, embodiments of the present invention may utilize a secure processing partition on the platform to determine a location of the platform and dynamically apply and/or change security controls accordingly.
    Type: Grant
    Filed: October 17, 2006
    Date of Patent: September 20, 2011
    Assignee: Intel Corporation
    Inventor: Dennis Morgan
  • Patent number: 8024558
    Abstract: Aspects of the invention provide a method and system for coding information in a communication channel. More particularly, aspects of the invention provide a method and system for synchronous running encryption and/or encoding and corresponding decryption and decoding in a communication channel or link. Aspects of the method may include encoding and/or encrypting a first data using a first or second encoding table and/or a first or second encryption table. The method may indicate which one of the first or second encoding tables or which one of the first or second encryption tables were utilized for encoding and/or encrypting the said first data. The encoded and/or encrypted first data may subsequently be transferred downstream and decoded by a synchronous decoder/decryptor using a corresponding decoding and/or decryption table.
    Type: Grant
    Filed: May 26, 2010
    Date of Patent: September 20, 2011
    Assignee: Broadcom Corporation
    Inventor: Martin Lund
  • Patent number: 8023417
    Abstract: In remote direct memory access transfers in a multinode data processing system in which the nodes communicate with one another through communication adapters coupled to a switch or network, failures in the nodes or in the communication adapters can produce the phenomenon known as trickle traffic, which is data that has been received from the switch or from the network that is stale but which may have all the signatures of valid packet data. The present invention addresses the trickle traffic problem in two situations: node failure and adapter failure. In the node failure situation, randomly generated keys are used to reestablish connections to the adapter while providing a mechanism for the recognition of stale packets. In the adapter failure situation, a round robin context allocation approach is used with adapter state contexts being provided with state information which helps to identify stale packets.
    Type: Grant
    Filed: December 20, 2004
    Date of Patent: September 20, 2011
    Assignee: International Business Machines Corporation
    Inventors: Robert S. Blackmore, Fu Chung Chang, Piyush Chaudhary, Jason E. Goscinski, Rama K. Govindaraju, Leonard W. Helmer, Jr., Peter H. Hochschild, John S. Houston, Steven J. Martin, Donald G. Grice
  • Patent number: 8024784
    Abstract: A method and system for allowing a user to access a peer from a remote system are described. The method and system include authenticating the user for the peer using an authentication server and providing a token for the peer and the user based on the authenticating. The user is authenticated from the remote system. The method and system also include allowing the user to access the peer from the remote system through a proxy server and using the token, if the user is authenticated.
    Type: Grant
    Filed: September 16, 2004
    Date of Patent: September 20, 2011
    Assignee: Qurio Holdings, Inc.
    Inventor: Alfredo C Issa
  • Patent number: 8024808
    Abstract: A broadband network device is configured, in a broadband network, for dynamically controlling an upstream link bandwidth of a user node configured for downloading content via a downstream link having a prescribed bandwidth and uploading content through the broadband network via an upstream link according to the upstream link bandwidth. The broadband network device sets the upstream link bandwidth to a bandwidth value optimized for minimal-size data (e.g., message-based) transfers and that substantially restricts transfers of media-based (e.g., digital video or audio) data transfers to substantially long time intervals. The broadband network device is configured for dynamically increasing the upstream link bandwidth to an increased bandwidth value optimized for media-based data transfers, based on an identified authorization.
    Type: Grant
    Filed: August 7, 2002
    Date of Patent: September 20, 2011
    Assignee: Cisco Technology, Inc.
    Inventor: Paul Harry Gleichauf
  • Publication number: 20110225418
    Abstract: A wireless communication device comprises first processing circuitry configured to execute an RF operating system and second processing circuitry configured to execute an open operating system, wherein the first processing circuitry is linked to a secure memory device inaccessible to the second processing circuitry. The RF operating system is configured to receive protected data and store the protected data in the secure memory device. The open operating system is configured to receive a request for the protected data from one of a plurality of user applications and transfer the request to the RF operating system. In response to the request for the protected data, the RF operating system is configured to retrieve the protected data from the secure memory device, encrypt the protected data, and transfer the encrypted protected data to the open operating system for delivery to the one of the user applications associated with the request.
    Type: Application
    Filed: March 10, 2010
    Publication date: September 15, 2011
    Applicant: Sprint Communications Company L.P.
    Inventors: Trevor Daniel Shipley, Robert L. Spanel
  • Publication number: 20110225419
    Abstract: A plurality of computer nodes communicate using seemingly random Internet Protocol source and destination addresses. Data packets matching criteria defined by a moving window of valid addresses are accepted for further processing, while those that do not meet the criteria are quickly rejected. Improvements to the basic design include (1) a load balancer that distributes packets across different transmission paths according to transmission path quality; (2) a DNS proxy server that transparently creates a virtual private network in response to a domain name inquiry; (3) a large-to-small link bandwidth management feature that prevents denial-of-service attacks at system chokepoints; (4) a traffic limiter that regulates incoming packets by limiting the rate at which a transmitter can be synchronized with a receiver; and (5) a signaling synchronizer that allows a large number of nodes to communicate with a central node by partitioning the communication function between two separate entities.
    Type: Application
    Filed: April 25, 2011
    Publication date: September 15, 2011
    Inventors: Edmund Colby Munger, Douglas Charles Schmidt, Robert Dunham Short, III, Victor Larson, Michael Williamson
  • Patent number: 8020211
    Abstract: A system and method for providing distributed security of a network. Several device profilers are placed at different locations of a network to assess vulnerabilities from different perspectives. The device profiler identifies the hosts on the network, and characteristics such as operating system and applications running on the hosts. The device profiler traverses a vulnerability tree having nodes representative of characteristics of the hosts, each node having an associated set of potential vulnerabilities. Verification rules can verify the potential vulnerabilities. A centralized correlation server, at a centrally accessible location in the network, stores the determined vulnerabilities of the network and associates the determined vulnerabilities with attack signatures. Traffic monitors access the attack signatures and monitor network traffic for attacks against the determined vulnerabilities.
    Type: Grant
    Filed: September 1, 2009
    Date of Patent: September 13, 2011
    Assignee: nCircle Network Security, Inc.
    Inventors: Timothy D. Keanini, Martin A. Quiroga, Brian W. Buchanan, John S. Flowers
  • Patent number: 8015402
    Abstract: A DHCP/authentication server transmits an IP address and authentication information acquired from the IP address to a home gateway. The home gateway creates authentication data from the authentication information and adds the authentication data to an IP packet received from a terminal, and transfers the IP packet to a false-address checking server. The false-address checking server extracts a source IP address and the authentication data from the IP packet, and creates provisional authentication data based on the source IP address. The false-address checking server checks the provisional authentication data against the original authentication data. If these two pieces of the authentication data coincide with each other, the false-address checking server transfers the IP packet to a communication counterpart. If the authentication data do not coincide with each other, the false-address checking server discards the IP packet.
    Type: Grant
    Filed: October 3, 2007
    Date of Patent: September 6, 2011
    Assignee: Fujitsu Limited
    Inventors: Takao Ogura, Takeshi Ohnishi, Kenichi Fukuda
  • Patent number: 8015401
    Abstract: A method of authenticating data transmitted in a digital transmission system, in which the method comprises the steps, prior to transmission, of determining at least two encrypted values for at least some of the data, each encrypted value being determined using a key of a respective encryption algorithm, and outputting said at least two encrypted values with said data.
    Type: Grant
    Filed: June 17, 2008
    Date of Patent: September 6, 2011
    Assignee: Thomson Licensing S.A.
    Inventors: Jean-Bernard Gerard Maurice Beuque, Philippe Poulain
  • Patent number: 8015403
    Abstract: In accordance with a particular embodiment of the present invention, a method for providing security information associated with a prospective communication session to a user includes providing at least one communication network for the establishment of a prospective communication session between a first network device and a second network device. A security rating is assigned to the prospective communication session, and security information is provided to a user associated with the first network device that includes the security rating.
    Type: Grant
    Filed: March 28, 2005
    Date of Patent: September 6, 2011
    Assignee: Cisco Technology, Inc.
    Inventors: Cary W. FitzGerald, Cullen F. Jennings
  • Publication number: 20110213958
    Abstract: Aspects of the present invention provide a mechanism to utilize IMS media security mechanisms in a CS network and, thereby, provide end-to-end media security in the case where the media traffic travels across both a CS network and a PS network.
    Type: Application
    Filed: November 5, 2008
    Publication date: September 1, 2011
    Applicant: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Fredrik Lindholm, Rolf Blom
  • Publication number: 20110213957
    Abstract: A method is provided for securely delivering identity data units over a communications network to a client device. The method includes receiving a selection from a customer identifying a final zipped package to be unpacked. The final zipped package is unpacked to obtain a common package and a digital signature file signed by an entity generating identity data requested by the customer. The digital signature in the digital signature file is verified and the common package is unpacked to obtain a plurality of outer packages and an encrypted symmetric key. The symmetric key is decrypted with a private key associated with the customer and each of the outer packages is decrypted with the symmetric key to obtain a plurality of identity data units.
    Type: Application
    Filed: August 12, 2010
    Publication date: September 1, 2011
    Applicant: General Instrument Corporation
    Inventors: Chia Ling Tsai, Alexander Medvinsky, Xin Qiu, Kyle W. Stewart, Fan Wang
  • Patent number: 8010803
    Abstract: A system and method for determining export requirements for a content file may include examining a content file to identify content used by or included in the content file that is subject to export control, determining, in response to the identified content, export requirements that are applicable to the content file, and providing an indication of the determined export requirements.
    Type: Grant
    Filed: February 15, 2007
    Date of Patent: August 30, 2011
    Assignee: Black Duck Software, Inc.
    Inventors: Palle Martin Pedersen, David Golombek, Douglas A. Levin, John J. Smith
  • Patent number: 8010782
    Abstract: Techniques are described for mediated secure computation. A unique identifier value may be assigned to each one of a plurality of nodes included in a network. An encrypted portion of a logical circuit may be received at a server from each of the nodes, the logical circuit including one or more gates, each gate associated with one or more logical input wires and one or more logical output wires, the logical circuit associated with a function, wherein each encrypted portion is encrypted based on a random number value that is common to the plurality of nodes and unknown at the server. A result may be obtained based on executing the logical circuit, based on combining the encrypted portions of the logical circuit received at the server.
    Type: Grant
    Filed: January 18, 2008
    Date of Patent: August 30, 2011
    Assignee: SAP AG
    Inventor: Florian Kerschbaum
  • Patent number: 8010801
    Abstract: An architecture and associated methods and devices are described in which a first selectable data path may be associated with a first port operating at a first data rate, a second selectable data path may be associated with a second port operating at a second data rate, and a third selectable data path may be associated with a third port operating at a third data rate that is higher than the first data rate and the second data rate. A plurality of security engines may be included which may be configurable to provide cipher key-based security for data associated with the first port and the second port using the first selectable path and the second selectable path, respectively, and configurable to provide cipher key-based security of data associated with the third port using the third selectable data path.
    Type: Grant
    Filed: November 30, 2006
    Date of Patent: August 30, 2011
    Assignee: Broadcom Corporation
    Inventors: Zheng Qi, Meg Lin
  • Patent number: 8011000
    Abstract: A user-configurable firewall and method in which a user-changeable security setting for a client computer is maintained by an access server through which a user accesses the public network. The user-changeable security setting can be used to specify which outside computers or network devices may access the client computer and what type of access to the client computer is allowed. If an attempt to access the client computer is made, the user-configurable security setting is checked to determine if the attempted access is allowed by the current security setting. If the attempted access is allowed by the current security setting, access is allowed to the client computer; otherwise, access is not allowed. If the user changes the user-configurable security setting, the changes to the user-configurable security setting are provided to the access server.
    Type: Grant
    Filed: December 13, 2004
    Date of Patent: August 30, 2011
    Assignee: AOL Inc.
    Inventor: Joseph G. Barrett
  • Publication number: 20110208960
    Abstract: Encryption of electronic messages may be automatically processed by a messaging system based on keywords or other attributes of the messages. In one example, if the message includes a predefined keyword, the messaging system may automatically encrypt the message for all recipients outside of a private network. In another example, the messaging system may automatically encrypt messages based on recipient address. Thus, if a recipient is on a list of addresses to which encryption applies, the message being sent to that particular recipient may be encrypted while a copy of the message being sent to other recipients not on the list might remain unencrypted.
    Type: Application
    Filed: February 25, 2010
    Publication date: August 25, 2011
    Applicant: BANK OF AMERICA CORPORATION
    Inventor: Kevin Michael Flood
  • Patent number: 8006297
    Abstract: A network interface card (NIC) includes a security association database (SADB) comprising a plurality of security associations (SAs), a cryptographic offload engine configured to decrypt a packet using one of the plurality of SAs, a security policy database (SPD) comprising a plurality of security policies (SPs) and a plurality of filter policies, and a policy engine configured to determine an admittance of the packet using one of the plurality of SPs from the SPD and apply one of the plurality of filter policies to the packet.
    Type: Grant
    Filed: April 25, 2007
    Date of Patent: August 23, 2011
    Assignee: Oracle America, Inc.
    Inventors: Darrin P. Johnson, Kais Belgaied, Darren J. Reed
  • Publication number: 20110202757
    Abstract: An authentication system receives encrypted terminal identification information and terminal identification information, from a transmission terminal, and determines whether decrypted identification information decrypted using a terminal public key obtained by the authentication system matches the terminal identification information received from the transmission terminal.
    Type: Application
    Filed: February 11, 2011
    Publication date: August 18, 2011
    Inventors: Masaki NAKAGAWA, Alain Volmat, Takahiro Asai
  • Patent number: 8001399
    Abstract: A system and method for secure communication for power over Ethernet (PoE) between a computing device and a switch. Various power management information can be used as inputs in a process for determining a power request/priority. This power management information can be communicated in Layer 2, Layer 3, or higher messaging during initial power allocation and ongoing power reallocation. Encryption of such messaging enables confidentiality, secure allocation processes, and prevention of denial of service attacks.
    Type: Grant
    Filed: October 30, 2007
    Date of Patent: August 16, 2011
    Assignee: Broadcom Corporation
    Inventors: Wael William Diab, Hemal Vinodchandra Shah, Simon Assouad
  • Patent number: 7996673
    Abstract: A system for encrypting and decrypting messages using a browser in either a web or wireless device or secure message client software for transmission to or from a web server on the Internet connected to an email server or message server for the situation where the sender does not possess the credentials and public key of the recipients. The encryption and decryption is conducted using a standard web browser on a personal computer or a mini browser on a wireless device, or message client software on either a personal computer or wireless devices such that messages transmitted to the web or wireless browser or message client software can be completed and encrypted and signed by the user such that encrypted and signed data does not require credentials and public key of the recipients. A method for delivering and using private keys to ensure that such keys are destroyed after use is also provided.
    Type: Grant
    Filed: May 12, 2004
    Date of Patent: August 9, 2011
    Assignee: Echoworx Corporation
    Inventors: Viatcheslav Ivanov, Qinsheng Lai, Michael Graves Mansell, Michael Albert Roberts, Joseph Dominic Michael Sorbara
  • Patent number: 7996891
    Abstract: Systems, methods and computer program products for generating anonymous assertions. Exemplary embodiments include a method for generating anonymous assertions, the method comprising engaging anonymous role authentication via one or more authenticator services, generating an assertion token on a trusted assertion device that is booted into a trusted configuration, and processing the assertion and validating a right of the user to make the assertion for the event.
    Type: Grant
    Filed: January 30, 2008
    Date of Patent: August 9, 2011
    Assignee: International Business Machines Corporation
    Inventors: Richard J. Cardone, Michael A. Halcrow, Benjamin M. Landman, Kent E. Yoder
  • Patent number: 7996892
    Abstract: A method, apparatus, and computer usable code for managing confidential data. A request is received to access an application from a user, wherein the application includes logic to process the confidential data. One of a first interface or a second interface is selected based on an identification whether the user is permitted to see the confidential data to form a selected interface in response to receiving the request. A selected interface is presented to the user. The first interface presents the confidential information and second interface presents non-confidential information without presenting the confidential information. The second interface allows access to the logic in the application without accessing the confidential data.
    Type: Grant
    Filed: May 29, 2008
    Date of Patent: August 9, 2011
    Assignee: International Business Machines Corporation
    Inventor: Ori Pomerantz
  • Patent number: 7996670
    Abstract: Provided is an architecture for a cryptography accelerator chip that allows significant performance improvements over previous prior art designs. In various embodiments, the architecture enables parallel processing of packets through a plurality of cryptography engines and includes a classification engine configured to efficiently process encryption/decryption of data packets. Cryptography acceleration chips in accordance may be incorporated on network line cards or service modules and used in applications as diverse as connecting a single computer to a WAN, to large corporate networks, to networks servicing wide geographic areas (e.g., cities). The present invention provides improved performance over the prior art designs, with much reduced local memory requirements, in some cases requiring no additional external memory. In some embodiments, the present invention enables sustained full duplex Gigabit rate security processing of IPSec protocol data packets.
    Type: Grant
    Filed: July 6, 2000
    Date of Patent: August 9, 2011
    Assignee: Broadcom Corporation
    Inventors: Suresh Krishna, Christopher Owen, Derrick C. Lin, Joseph J. Tardo, Patrick Law, Phillip Norman Smith
  • Patent number: 7992195
    Abstract: The invention allows a reliable and efficient identity management that can, with full interoperability, accommodate to various requirements of participants. For that a method and system are presented for providing an identity-related information about a user to a requesting entity. The method comprises a location-request step initiated by the requesting entity for requesting from a client application a location information that corresponds to a location entity possessing the identity-related information, a redirecting step for connecting the client application to the location entity in order to instruct the location entity to transfer the identity-related information to the requesting entity, and an acquiring step for obtaining the identity-related information.
    Type: Grant
    Filed: March 26, 2003
    Date of Patent: August 2, 2011
    Assignee: International Business Machines Corporation
    Inventors: Birgit Pfitzmann, Michael Waidner
  • Patent number: 7992208
    Abstract: An estimate of a portion of network traffic that is nonconforming to a communication transmission control protocol is used to signal that a distributed denial of service attack may be occurring. Traffic flows are aggregated and packets are intentionally dropped from the flow aggregate in accordance with an assigned perturbation signature. The flow aggregates are observed to determine if the rate of arrival of packets that have a one-to-one transmission correspondence with the dropped packets are similarly responsive to the perturbation signature. By assigning orthogonal perturbation signatures to different routers, multiple routers may perform the test on the aggregate and the results of the test will be correctly ascertained at each router. Nonconforming aggregates may be redefined to finer granularity to determine the node on the network that is under attack, which may then take mitigating action.
    Type: Grant
    Filed: September 19, 2006
    Date of Patent: August 2, 2011
    Assignee: University of Maryland
    Inventors: Mehdi Kalantari Khandani, Mark A. Shayman
  • Patent number: 7991993
    Abstract: The invention relates to a telecommunication system including a plurality of terminals divided into groups such that within each group each terminal can send multidestination messages to the other members of the group. Each terminal of a group is associated with encryption and decryption means so that each terminal can send multidestination messages that can be decrypted only by the other terminals of the group. The system includes a central server for distributing to each encryption and decryption means keys for secure transmission of communications within each group.
    Type: Grant
    Filed: April 1, 2003
    Date of Patent: August 2, 2011
    Assignee: Alcatel Lucent
    Inventors: Sébastien Josset, Laurence Duquerroy
  • Publication number: 20110185169
    Abstract: A plurality of computer nodes communicate using seemingly random Internet Protocol source and destination addresses. Data packets matching criteria defined by a moving window of valid addresses are accepted for further processing, while those that do not meet the criteria are quickly rejected. Improvements to the basic design include (1) a load balancer that distributes packets across different transmission paths according to transmission path quality; (2) a DNS proxy server that transparently creates a virtual private network in response to a domain name inquiry; (3) a large-to-small link bandwidth management feature that prevents denial-of-service attacks at system chokepoints; (4) a traffic limiter that regulates incoming packets by limiting the rate at which a transmitter can be synchronized with a receiver; and (5) a signaling synchronizer that allows a large number of nodes to communicate with a central node by partitioning the communication function between two separate entities.
    Type: Application
    Filed: March 29, 2011
    Publication date: July 28, 2011
    Inventors: Edmund Colby Munger, Douglas Charles Schmidt, Robert Dunham Short, III, Victor Larson, Michael Williamson
  • Publication number: 20110179266
    Abstract: The present invention relates to a method for secure transmission using a fax server, comprising the following steps: a step of transmitting the document to be faxed, by the sender to a server, in the form of a digital file in a non-fax format, as well as information relative to the identity of the recipient; a step of calculating a Tiff format file from said digital file on the one hand, and from the creation date and time of said file and an informative file on the other hand; and a step of modifying said Tiff file to be transmitted to insert a signature and information allowing the recipient to access the recorded files. This file is then transmitted by the server to the telephone address of the recipient of said file, according to a fax standard. The invention also relates to a computer system and program for implementing this method.
    Type: Application
    Filed: January 14, 2011
    Publication date: July 21, 2011
    Applicant: POPFAX
    Inventor: Vladimir POPESCO
  • Publication number: 20110179267
    Abstract: A method for implementing network security access control is provided, including: receiving and decrypting terminal identity information that is encrypted in a bi-directional encryption mode and forwarded by a switch, and authenticating the decrypted terminal identity information; returning an authentication result to the switch so that the switch controls access of a terminal to a network according to the authentication result; encrypting the decrypted terminal identity information in a solo-directional encryption mode and authenticating the encrypted terminal identity information; returning an authentication result to a security access control gateway so that the security access control gateway controls access of the terminal to network resources according to the authentication result; delivering a security policy to a security control module on the terminal so that the security control module controls the terminal according to the security policy.
    Type: Application
    Filed: March 18, 2011
    Publication date: July 21, 2011
    Applicant: Chengdu Huawei Symantec Technologies Co., Ltd.
    Inventors: Yongfang XIE, Weijia Sun
  • Patent number: 7983420
    Abstract: A system and method are provided for imaging job authorization. The method comprises: an authorization server receiving a request from a first node print subsystem to communicate an imaging job; in response to analyzing imaging job information, sending an access inquiry to a second node; the authorization server receiving an authorization, including a one-time use public encryption key, from the second node; sending a confirmation, including the public key, to the first node print subsystem; the first node encrypting the imaging job using the public key; sending the encrypted imaging job to the second node from the first node; and, the second node decrypting the imaging job using a private key corresponding to the public key. The analyzed imaging job information used for access control may include user ID, job content, first node ID, first node communication address, imaging job access control, time/date, imaging job size, or imaging job options.
    Type: Grant
    Filed: May 24, 2004
    Date of Patent: July 19, 2011
    Assignee: Sharp Laboratories of America, Inc.
    Inventor: Andrew Rodney Ferlitsch
  • Patent number: 7984497
    Abstract: A system for binding a subscription-based computer to an internet service provider (ISP) may include a binding module and a security module residing on the computer. The binding module may identify and authenticate configuration data from peripheral devices that attempt to connect to the computer, encrypt any requests for data from the computer to the ISP, and decrypt responses from the ISP. If the binding module is able to authenticate the configuration data and the response to the request for data from the ISP, then the security module may allow the communication between the computer and the ISP. However, if either the configuration cycle or the response cannot be properly verified, then the security module may degrade operation of the computer.
    Type: Grant
    Filed: April 4, 2007
    Date of Patent: July 19, 2011
    Assignee: Microsoft Corporation
    Inventors: Todd Carpenter, Shon Schmidt, David J. Sebesta, William J. Westerinen
  • Publication number: 20110173441
    Abstract: A highly scalable application network appliance is described herein. According to one embodiment, a network element includes a switch fabric, a first service module coupled to the switch fabric, and a second service module coupled to the first service module over the switch fabric. In response to packets of a network transaction received from a client over a first network to access a server of a data center having multiple servers over a second network, the first service module is configured to perform a first portion of OSI (open system interconnection) compatible layers of network processes on the packets while the second service module is configured to perform a second portion of the OSI compatible layers of network processes on the packets. The first portion includes at least one OSI compatible layer that is not included in the second portion. Other methods and apparatuses are also described.
    Type: Application
    Filed: March 24, 2011
    Publication date: July 14, 2011
    Applicant: CISCO TECHNOLOGY, INC.
    Inventors: Nagaraj Bagepalli, Prashant Gandhi, Abhijit Patra, Kirti Prabhu, Anant Thakar
  • Publication number: 20110173440
    Abstract: A computationally implemented method includes, but is not limited to: intercepting a communiqué that is determined to be affiliated with a source entity and that is addressed to an end user to prevent, at least temporarily, the communiqué from being received by a communication device associated with the end user; and releasing the communiqué to the communication device in response to at least detecting occurrence of one or more environmental aspects associated with the communication device, the releasing of the communiqué being in accordance with one or more conditional directives of the end user to conditionally obfuscate the communiqué determined to be affiliated with the source entity. In addition to the foregoing, other method aspects are described in the claims, drawings, and text forming a part of the present disclosure.
    Type: Application
    Filed: October 12, 2010
    Publication date: July 14, 2011
    Inventors: Alexander J. Cohen, Edward K.Y. Jung, Royce A. Levien, Robert W. Lord, Mark A. Malamud, William H. Mangione-Smith, John D. Rinaldo, JR., Clarence T. Tegreene
  • Patent number: 7979694
    Abstract: A method for authenticating communication traffic includes intercepting a request directed over a network from a source address to open a connection to a target computer in accordance with a handshake procedure specified by a predetermined communication protocol. A reply to the request that deviates from the specified handshake procedure is sent to the source address. A response from the source address to the reply is analyzed in order to make an assessment of legitimacy of the source address. Upon determining, based on the assessment, that the source address is legitimate, the target computer is permitted to complete the handshake procedure so as to open the connection with the source address.
    Type: Grant
    Filed: March 2, 2004
    Date of Patent: July 12, 2011
    Assignee: Cisco Technology, Inc.
    Inventors: Dan Touitou, Guy Pazi, Yehiel Shtein, Rephael Tzadikario
  • Patent number: 7979407
    Abstract: Systems and methods for publishing information to a plurality of software applications are provided. The methods may comprise identifying a plurality of records based on a last sequential identification code in a high watermark table of a persistent store. The plurality of records may be generated subsequent to a previous record corresponding to the last sequential identification code. A plurality of corresponding messages each corresponding to a record of the plurality of records may be prepared. Each of those messages may then be transmitted to at least one software application and may include a most recent message corresponding to a most recent record. In the high water mark table of the persistent store, an updated last sequential identification code may be stored as a pointer for subsequent reference. The updated last sequential identification code may correspond to the most recent message transmitted in the plurality of corresponding messages.
    Type: Grant
    Filed: June 30, 2009
    Date of Patent: July 12, 2011
    Assignee: eBay Inc.
    Inventors: Eric Billingsley, Daniel T. Kao, Sheio-Hsien Tai, Laura Wong
  • Patent number: 7979692
    Abstract: Integration of the components of video monitoring, audio messaging, IP telephony, and video conferencing on a single infrastructure platform is provided. Data communications enable voice and video devices to communicate directly with compatible platforms at unlimited geographical locations supported by common wired and wireless networking standards and telecommunications protocols. Completely software driven encryption methods are used to ensure a portable, private, encryption-secure device-to-device and client server based video monitoring and teleconferencing system. Voice biometrics are also used as an authentication method to access the integrated system.
    Type: Grant
    Filed: June 1, 2006
    Date of Patent: July 12, 2011
    Assignee: Teleport Systems, Inc.
    Inventors: Darnell Washington, Phillip A. Cummings
  • Patent number: 7979693
    Abstract: A relay apparatus comprises a frame relay processing unit for relaying a frame, a plurality of ports for sending and receiving the frame to and from the outside, and a cryptographic processing module corresponding to each of the ports. Each cryptographic processing module is connected to the corresponding port and to the frame relay processing unit by means of general-purpose interfaces such as MII. The cryptographic processing module performs the encryption process and decryption process so that the frame relay processing unit can concentrate on the relay process and the relay speed is not subject to degradation. Also, the cryptographic processing module can generate a different cryptographic key for each frame without requiring dynamic exchange of key information.
    Type: Grant
    Filed: January 12, 2007
    Date of Patent: July 12, 2011
    Assignee: Fujitsu Limited
    Inventors: Takamitsu Iida, Hideshi Sakurai, Satoshi Obara, Yukihiro Nakajima, Takayuki Sakuma
  • Publication number: 20110167255
    Abstract: A method and system for securing data transmitted between a client device and a server by obtaining input text at an intermediate module, processing the input text to obtain processed text, and transmitting the processed text to the server. Embodiments of the invention include securing data between a client device and a server by processing the input text at the intermediate module by applying an order-preserving transformation, the order-preserving transformation comprising: generating order information based on the input text, the order information indicative of a relative order of the input text within a set of possible input texts according to a collation rule.
    Type: Application
    Filed: December 30, 2010
    Publication date: July 7, 2011
    Inventors: Ben MATZKEL, Maayan Tal, Aviad Lahav
  • Patent number: 7975148
    Abstract: In an information recording medium reproducing method, an information recording medium, a reproducing apparatus and an information recording medium managing method, a predetermined server is accessed on the basis of an address recorded in an information recording medium to issue key data from the server, and encrypted data recorded in the information recording medium are decrypted with the key data thus issued.
    Type: Grant
    Filed: April 3, 2006
    Date of Patent: July 5, 2011
    Assignee: Sony Corporation
    Inventor: Michiaki Yoneda
  • Patent number: 7974603
    Abstract: To stop functions of a subscriber authentication module regardless of whether a roaming network is based on IMT-2000 or GSM. HLR of a mobile communication network based on IMT-2000 has a stop information addition part instructing a RAND field of an authentication vector used for authentication of USIM to cause part or all of functions in the subscriber authentication module to stop. The USIM mounted in a mobile terminal has a function stop part executing to cause part or all of functions of the subscriber authentication module to stop, an identification part that refers to information identifying stop information contained in received data and transmits the stop information to a function stop part, and an operation part for performing a predetermined operation using the received data.
    Type: Grant
    Filed: February 26, 2007
    Date of Patent: July 5, 2011
    Assignees: NTT DoCoMo, Inc., Dainippon Printing Co., Ltd.
    Inventors: Hidetoshi Ishikawa, Teruaki Shiro, Hiroshi Umeno
  • Patent number: 7975137
    Abstract: A method, a system, and a computer program product for access control using resource filters for a strict separation of application and security logic are described. The computer-implemented method for access control may include receiving at least one access request to at least one resource from an application; providing a resource hierarchy for the at least one resource, the resource having at least one resource class, wherein the resource hierarchy is defined in a single resource; providing a policy comprising at least one access control rule for accessing at least one element of the at least one resource class; verifying the at least one access request based on the policy through an authorization service; and processing the at least one access request through a service interface.
    Type: Grant
    Filed: January 18, 2008
    Date of Patent: July 5, 2011
    Assignee: SAP AG
    Inventor: Maarten Rits
  • Patent number: 7975305
    Abstract: A security system for scanning content within a computer, including a network interface, housed within a computer, for receiving content from the Internet on its destination to an Internet application running on the computer, a database of rules corresponding to computer exploits, stored within the computer, a rule-based content scanner that communicates with said database of rules, for scanning content to recognize the presence of potential exploits therewithin, a network traffic probe, operatively coupled to the network interface and to the rule-based content scanner, for selectively diverting content from its intended destination to the rule-based content scanner, and a rule update manager that communicates with said database of rules, for updating said database of rules periodically to incorporate new rules that are made available. A method and a computer readable storage medium are also described and claimed.
    Type: Grant
    Filed: December 9, 2004
    Date of Patent: July 5, 2011
    Assignee: Finjan, Inc.
    Inventors: Moshe Rubin, Moshe Matitya, Artem Melnick, Shlomo Touboul, Alexander Yermakov, Amit Shaked
  • Publication number: 20110161656
    Abstract: Aspects of the present disclosure are directed to methods and systems for protecting sensitive data in a hosted service system. The system includes a host system and the host system includes a key management system (KMS) and a metadata service system (MSS). The KMS and the MSS are communicatively coupled to each other. The system further includes a database management system (DBMS) having a database, a query pre-parser, and a results handler. The query pre-parser and the results handler are communicatively coupled to the KMS and the MSS, and the system also includes a processing application adapted to process at least some data received from a tenant system.
    Type: Application
    Filed: December 29, 2009
    Publication date: June 30, 2011
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventor: Pallavi T. Nagesha Rao
  • Publication number: 20110161657
    Abstract: An approach is provided for enabling traffic hashing and network level security. A unit of transmission associated with a flow of network traffic is received at a routing node. The unit of transmission is encrypted. A pseudo-address to assign to the encrypted unit of transmission is determined. The pseudo-address is assigned to the encrypted unit of transmission.
    Type: Application
    Filed: December 31, 2009
    Publication date: June 30, 2011
    Applicant: VERIZON PATENT AND LICENSING INC.
    Inventor: Ning So
  • Patent number: 7971053
    Abstract: Methods, systems, and products are disclosed for detecting an intrusion to a communications network. One embodiment describes a system for detecting intrusions. The system has a peripheral card coupled to a host computer system. The peripheral card has a communications portion and a processor managing the communications portion. The communications portion has only a capability for receiving data packets via a communications network. The communications portion lacks capability of transmitting the data packets via the communications network. The communications portion of the peripheral card reduces intrusion of the communications network.
    Type: Grant
    Filed: May 26, 2004
    Date of Patent: June 28, 2011
    Assignee: AT&T Intellectual Property I, L. P.
    Inventors: Stephen Pancoast Norton, Chris Burchfield, Rick J. Frataccia, Gary O Gibson, Sr., David Prince