Packet Header Designating Cryptographically Protected Data Patents (Class 713/160)
-
Patent number: 8468347
Abstract: Apparatus, systems, and methods may operate to establish a secure communications tunnel between a server node and a client node, and to receive user requests from the client node at the server node via the secure communications tunnel. The user requests may be received in conjunction with a device verification token derived from nonces generated by the server node and transmitted to the client node as part of keep-alive response messages. The nonces may change according to a period of time established by the server node. Additional apparatus, systems, and methods are disclosed.
Type: Grant
Filed: February 19, 2009
Date of Patent: June 18, 2013
Assignee: EMC Corporation
Inventors: Prakash Umasankar Mukkara, Ajith Kumar, Subbaraju Uppalapati, Vishnu Vardhan, Sureshkumar Thangavel
-
Patent number: 8464056
Abstract: A communication method for transmitting TT Ethernet messages in a distributed real-time system, including a plurality of node computers. Each node computer has an Ethernet controller, which by way of a data line is directly connected to a port of a TTE star coupler, said port being uniquely associated with the node computer. A plurality of TTE star couplers are connected among each other by way of one or more data lines to form a TTE network. A TTE message scheduler dynamically calculates the conflict-free schedules for a number of time-controlled messages and signs the schedule provided for each node with a secret part of a public-key signature before it transmits said schedule to the corresponding node computer. Each node computer integrates the signed periodic schedule, which is transmitted to the node computer in the form of a TTE message header of an ETE message, into each dynamically calculated TTE message.
Type: Grant
Filed: April 2, 2009
Date of Patent: June 11, 2013
Assignee: FTS Computertechnik GmbH
Inventor: Stefan Poledna
-
Patent number: 8464325
Abstract: Aspects include a mechanism of entitling users to transacted-for digital content access, indicating download authorization with discrete authentication URLs, and validating download attempts using each such URL. The authentication mechanism comprises producing an encrypted string included in a URL provided to a user. The encrypted string comprises transaction identifier information, and information about the transacted-for entitlement. When a user wishes to exercise the transacted-for entitlement, the user activates the URL, which is resolved to a location that has/can obtain access to the key(s) used in producing the encrypted string, decrypt the string, and use the information in it to validate the URL and the entitlement. The validation can use data retrieved from a database, using the transaction identifier as a key. The entitlement information included in the now-decrypted string can be compared with the prior download information.
Type: Grant
Filed: January 26, 2009
Date of Patent: June 11, 2013
Assignee: Apple Inc.
Inventors: Gregor N. Purdy, Sr., Tony F. Kinnis
-
Patent number: 8463776
Abstract: An image container file has at least first and second multimedia streams (MSs). The first MS includes first image data representing an image. The second MS includes arbitrary data, which can for example, correspond to: a different representation of the same image; annotations to the first image data; second image data that together with the first image data form a new image with greater dynamic range, resolution, field of view or other attributes that can be derived from processing two or more independent images; or an executable file related to the first MS. The image container file can also include an extensible metadata to hold information describing one or more multimedia streams of the image container file. Further, the image container file may include DRM information to provide information related to obtaining a license to access encrypted data or verifying the authenticity of encrypted or unencrypted data.
Type: Grant
Filed: July 16, 2008
Date of Patent: June 11, 2013
Assignee: Microsoft Corporation
Inventors: Geoffrey T. Dunbar, Kirt A. Debique, Joseph D. Ternasky, William M. Crow
-
Patent number: 8464053
Abstract: Systems, methods, and media for retransmitting data using the SRTP are provided. In some embodiments, methods for retransmitting data using the SRTP are provided. The methods include: receiving at least one data unit associated with a media session; determining the index of the at least one data unit; determining the session key of the media session using the index; authenticating the at least one data unit using the session key; and retransmitting the at least one data unit.
Type: Grant
Filed: September 5, 2007
Date of Patent: June 11, 2013
Assignee: Radvision Ltd
Inventors: Jay Davis, Michael Zak, Sasha Ruditsky, Tsahi Levent-Levi
-
Patent number: 8458467
Abstract: Application message payload data elements are transformed within a network infrastructure element such as a packet data router or switch. The network element has application message transformation logic for receiving one or more packets representing an input application message logically associated with OSI network model Layer 5 or above; extracting an application message payload from the input application message; identifying one or more first content elements in the application message payload; transforming the first content elements into one or more second content elements of an output application message; and forwarding the output application message to a destination that is identified in the input application message. Transformations performed in the network element can include field reordering, field enrichment, field filtering, and presentation transformation.
Type: Grant
Filed: April 5, 2006
Date of Patent: June 4, 2013
Assignee: Cisco Technology, Inc.
Inventors: Vinod Dashora, Sandeep Kumar
-
Patent number: 8457919
Abstract: A process for testing an integrated circuit includes collecting a set of points of a physical property while the integrated circuit is executing a multiplication, dividing the set of points into a plurality of subsets of lateral points, calculating an estimation of the value of the physical property for each subset, and applying to the subset of lateral points a step of horizontal transversal statistical processing by using the estimations of the value of the physical property, to verify a hypothesis about the variables manipulated by the integrated circuit.
Type: Grant
Filed: March 31, 2010
Date of Patent: June 4, 2013
Assignee: Inside Secure
Inventors: Benoit Feix, Georges Gagnerot, Mylene Roussellet, Vincent Verneuil
-
Patent number: 8458453
Abstract: A system and method of providing secure communications between two or more hosts connected to a public network, where a secure virtual network (SVN) is established among the two or more hosts.
Type: Grant
Filed: January 20, 2009
Date of Patent: June 4, 2013
Assignee: Dunti LLC
Inventor: Rupaka Mahalingaiah
-
Patent number: 8448250
Abstract: A method and a system for transmitting confidential and non-confidential data blocks between intake units (1, 1′) and output units (3, 3′) of a communication system. The communication system has intake units (1) for confidential data blocks, intake units (1′) for non-confidential data blocks, output units (3) for confidential data blocks, and output units (3′) for non-confidential data blocks. A data distribution unit (2) transmits data blocks with confidential information from the intake units (1) for confidential information to the output units (3) for confidential information and data blocks with non-confidential information from the intake units (1′) for non-confidential information to the output units (3′) for non-confidential information.
Type: Grant
Filed: September 13, 2007
Date of Patent: May 21, 2013
Assignee: Frequentis Nachrichtentechnik GmbH
Inventors: Gerald Mohnl, Rupert Fuchsgruber
-
Patent number: 8443448
Abstract: A system and method for performing a security check may include using at least one processor to periodically check a status of a flag, generate and store a baseline representation of modules stored on the device where the flag is determined to be set to a first state, and, where the flag is determined to be set to a second state, generate an active representation of modules stored on the first device, compare the active representation of modules to the baseline representation of modules, and, responsive to a determination in the comparing step of a difference between the baseline and active representations of modules, output an alert. The flag status may depend on an association of the device with one of a plurality of authorization policies, each mapped to one of the two states. Results of the comparison may be appended to an activity log of the device.
Type: Grant
Filed: August 20, 2009
Date of Patent: May 14, 2013
Assignee: Federal Reserve Bank of New York
Inventors: Danny Brando, Joonho Lee, Jia Ye
-
Patent number: 8438629
Abstract: A packet security method and apparatus adjusts a security level of the packet according to a feature of the packet. The packet security method includes detecting a feature of a packet to be transmitted, determining a security level of the packet according to the detected feature, and generating a security packet according to the determined security level. The feature of the packet is at least one of a destination address of the packet, a transfer protocol of the packet, a packet size, an application for the packet, and a designated security level for the packet. According to the method, the security function is adaptively applied according to the feature of the packet being transmitted, and thus flexibility can be provided in the application of the security function to achieve an efficient use of resources.
Type: Grant
Filed: February 17, 2006
Date of Patent: May 7, 2013
Assignee: Samsung Electronics Co., Ltd.
Inventors: Yung-ji Lee, Kyung-hee Lee
-
Patent number: 8437263
Abstract: An access point in a wireless network is traced by sending an internet protocol (IP) packet from a detector to the access point through the wireless network. The detector and the access point are connected through a private wired network. The IP packet is sent with the source IP address field and the destination IP address of the IP packet set to the wireless IP address and wired IP address, respectively, of the detector. The IP packet is routed back to the detector through a switch in the private wired network. When the IP packet is received at the detector, a source IP address, which corresponds to the port on the switch used to send the IP packet, is determined from the received IP packet.
Type: Grant
Filed: March 9, 2006
Date of Patent: May 7, 2013
Inventors: Jagane D. Sundar, Chia-Chee Kuan, Miles Wu
-
Patent number: 8433900
Abstract: A request to receive multicast data, associated with a multicast group, may be transmitted. The request may be transmitted via a tunnel. Group keys may be received in response to the request. The group keys may be based on the multicast group. An encapsulated packet may be received via another tunnel. The encapsulated packet may be processed, using the group keys, to obtain a multicast packet associated with the multicast data. The multicast packet may be forwarded to at least one multicast recipient.
Type: Grant
Filed: November 30, 2011
Date of Patent: April 30, 2013
Assignee: Juniper Networks, Inc.
Inventors: Gregory M. Lebovitz, Changming Liu, Choung-Yaw Shieh
-
Publication number: 20130103940
Abstract: Methods, systems, and computer readable media for accelerating stateless IPsec traffic generation by performing ESP rehashing of ESP packets are disclosed. A first ESP packet is generated by encrypting a portion of the packet and adding ESP headers and trailers to the encrypted portion, hashing the encrypted portion and the ESP header to compute a first ESP integrity check value (ICV), and adding the ESP ICV as a trailer to the ESP packet. At least one second ESP packet is generated by modifying parameters in the first ESP packet. The first and second ESP packets are transmitted to a device under test.
Type: Application
Filed: October 19, 2011
Publication date: April 25, 2013
Inventor: Alexandru R. Badea
-
Patent number: 8429399
Abstract: A method and apparatus is provided for detecting the start of a secure mode by a user terminal (12) without explicit signaling. After the network (30) commands the user terminal to switch to secure mode and receives a data packet from the user terminal, the receiving network node (22) determines the security mode of the user terminal by determining whether valid security has been applied to the received data packet by the user terminal.
Type: Grant
Filed: July 30, 2008
Date of Patent: April 23, 2013
Assignee: Telefonaktiebolaget LM Ericsson (publ)
Inventors: Magnus Lindström, Karl Norrman, Ghyslain Pelletier
-
Publication number: 20130097418
Abstract: A secure communication channel between an access point (AP) device associated with a wireless network and a mobile gateway (GW) device of a packet core network is established. Data is exchanged between the wireless network and the packet core network through the secure channel. A client device (UE) is authenticated through the secure communication channel. Device identity information is received from the AP device. A session request is sent to the packet core network. An IP address for the device is received from the packet core network. The communication between the AP device and the packet core network becomes secure without need to run an IP secure protocol on the UE that saves the battery power on the UE. Establishing the fully secure communication between the UE and the packet core network while saving the UE power provides a significant advantage for the mobile technology world.
Type: Application
Filed: December 14, 2011
Publication date: April 18, 2013
Inventors: YOGESH BHATT, Sashidhar Annaluru, Mukesh Garg
-
Patent number: 8424106
Abstract: A method, system, and computer usable program product for securing a data communication against attacks are provided in the illustrative embodiments. A segment in the data communication is received at a first application executing in a first data processing system. The segment is formed according to a data communication protocol and includes an option. The option includes a current clue and a next clue. The current clue is compared with a saved next clue, the saved next clue being a next clue in a previous segment. The segment is accepted as being a valid segment in the data communication if the current clue matches the saved next clue. A part of the segment is sent to a consumer application.
Type: Grant
Filed: May 13, 2010
Date of Patent: April 16, 2013
Assignee: International Business Machines Corporation
Inventors: David Richard Marquardt, Prashant Anant Paranjape, Poornima Srinivas Patil
-
Publication number: 20130091354
Abstract: A plurality of computer nodes communicates using seemingly random IP source and destination addresses and (optionally) a seemingly random discriminator field. Data packets matching criteria defined by a moving window of valid addresses are accepted for further processing, while those that do not meet the criteria are rejected. In addition to “hopping” of IP addresses and discriminator fields, hardware addresses such as Media Access Control addresses can be hopped. The hopped addresses are generated by random number generators having non-repeating sequence lengths that are easily determined a-priori, which can quickly jump ahead in sequence by an arbitrary number of random steps and which have the property that future random numbers are difficult to guess without knowing the random number generator's parameters. Synchronization techniques can be used to re-establish synchronization between sending and receiving nodes.
Type: Application
Filed: May 18, 2012
Publication date: April 11, 2013
Applicant: VIRNETX, INC.
Inventors: Edmund Colby Munger, Vincent J. Sabio, Robert Dunham Short, III, Virgil D. Gligor, Douglas Charles Schmidt
-
Patent number: 8418255
Abstract: A method for transmitting operating data of machines in the graphics industry is performed via a communications network that is accessible to the public and the operating data is transmitted to at least one management computer that can be reached via the public communications network. The operating data from the machine in the graphics industry is stored in encrypted form in at least one computer assigned to the machine, and the encrypted operating data is transmitted to the management computer via the communications network that is accessible to the public and is stored on the management computer.
Type: Grant
Filed: February 13, 2007
Date of Patent: April 9, 2013
Assignee: Heidelberger Druckmaschinen AG
Inventor: Tom Oelsner
-
Patent number: 8417942
Abstract: A method for identifying conference media traffic includes receiving a plurality of dummy packets and matching a series of the plurality of dummy packets to a signature key. The method also includes extracting a first identification from one or more of the plurality of dummy packets in response to matching a series of the plurality of dummy packets to a signature key and determining that a second identification associated with one or more encrypted media packets matches the first identification. The method also includes associating one or more encrypted media packets with a conference in response to determining that the first identification matches the second identification.
Type: Grant
Filed: August 31, 2007
Date of Patent: April 9, 2013
Assignee: Cisco Technology, Inc.
Inventors: Chris A. Dunn, Jawhny X. Cooke, Zaheer Aziz, Ravid Sagy
-
Patent number: 8417868
Abstract: A method, apparatus and system enable offloading of encryption on partitioned platforms. More specifically, a partitioned platform may include a user partition for user applications, including a Virtual Private Network (“VPN”) application capable of creating a VPN connection for secure packet transmission. The partitioned platform may additionally comprise a dedicated partition including security agents to examine packets transmitted to/received by the dedicated partition. The dedicated partition may be assigned the Network Interface Card (“NIC”) on the host, i.e., all network traffic coming into or leaving the platform may be routed via the dedicated partition. In one embodiment of the invention, a driver in the user partition may offload cryptographic tasks to the dedicated partition, where clear packets may be examined by security agents, then encrypted prior to transmission.
Type: Grant
Filed: June 30, 2006
Date of Patent: April 9, 2013
Assignee: Intel Corporation
Inventors: Ajay G. Gupta, Karanvir Grewal
-
Publication number: 20130086379
Abstract: Lookaside-type communication apparatus and reception and transmission control methods make high-rate communication of a packet including encrypted data. Receive data including encrypted data are supplied to an encryption data processing part, and supplied to a security part through a second bus when the packet is received. The encrypted data becomes plain-text data in the security part, and supplied to the control part through the system bus. Transmit data including a data body including a plain-text data to be encrypted are supplied to the security part when the packet is transmitted. The plain-text data become the encrypted data in the security part, and the transmit data having the data body including the encrypted data are supplied to the encryption data processing part through the second bus. The transmit data are transmitted in the form of the packet in the transmission and reception part.
Type: Application
Filed: September 12, 2012
Publication date: April 4, 2013
Applicant: LAPIS SEMICONDUCTOR CO., LTD.
Inventor: Takahiro SHIMIZU
-
Patent number: 8413213
Abstract: Embodiments of the present invention provide a method, apparatus and system for selecting a wireless communication device for establishing a connection. The method according to some exemplary embodiments of the invention may include selecting a communication device for establishing a connection by determining whether one or more security-related characteristics of the communication device satisfy a security policy corresponding to a selected security class. Other embodiments are described and claimed.
Type: Grant
Filed: December 28, 2004
Date of Patent: April 2, 2013
Assignee: Intel Corporation
Inventor: Claudio Glickman
-
Patent number: 8407466
Abstract: Systems and methods provide for controlling download and playback of media content. A system includes a client, which can play content, and a server. The server includes a permission system that can determine whether a client request to download or play content should be granted. All purchase, download, and playback requests require permission from the permission system. The server also includes a DD module system that transfers a DD module to the client. The DD module includes a content key decryption module, a content decryption module, and a content decompression module. The content key decryption module decrypts an encrypted content key that was received from the server. The decryption uses a unique DD module key that has been hard-coded into the content key decryption module. The content decryption module uses the content key to decrypt encrypted content. The content decompression module decompresses compressed content so that it can be played.
Type: Grant
Filed: October 24, 2011
Date of Patent: March 26, 2013
Assignee: Google Inc.
Inventors: Wai Fun (Aaron) Lee, Marius P. Schilder, Jason D. Waddle, J. Alex Halderman
-
Patent number: 8407778
Abstract: Techniques for processing filter rules are disclosed. To this end, filter rules having one or more attributes where each attribute indicates a condition to qualify whether a filter rule applies to a subsequent event are received. Summary rules are generated where each summary rule has a number of summary conditions. Some filter rules become associated with the generated summary rules. The summary conditions are extended to span the attributes of the associated filter rules.
Type: Grant
Filed: August 11, 2005
Date of Patent: March 26, 2013
Assignee: International Business Machines Corporation
Inventor: Scott Christopher Moonen
-
Publication number: 20130073847
Abstract: The technology provides, in some aspects, methods and systems for securely transmitting data using a machine vision system (e.g., within a pharmaceutical facility). Thus, for example, in one aspect, the technology provides a method that includes the steps of establishing a communications link between a machine vision processor and a remote digital data processor (e.g., a database server, personal computer, etc.); encrypting, on the machine vision processor, (i) at least one network packet containing machine vision data, and (ii) at least one network packet containing non-machine vision data; and sending to the remote digital data processor the encrypted network packets from the machine vision processor.
Type: Application
Filed: September 12, 2012
Publication date: March 21, 2013
Applicant: COGNEX CORPORATION
Inventor: Timothy Scherer
-
Patent number: 8402558
Abstract: A system and method of encrypting digital content in a digital container and securely locking the encrypted content to a particular user and/or computer or other computing device is provided. The system uses a token-based authentication and authorization procedure and involves the use of an authentication/authorization server. This system provides a high level of encryption security equivalent to that provided by public key/asymmetric cryptography without the complexity and expense of the associated PKI infrastructure. The system enjoys the simplicity and ease of use of single key/symmetric cryptography without the risk inherent in passing unsecured hidden keys. The secured digital container when locked to a user or user's device may not open or permit access to the contents if the digital container is transferred to another user's device. The digital container provides a secure technique of distributing electronic content such as videos, text, data, photos, financial data, sales solicitations, or the like.
Type: Grant
Filed: June 10, 2011
Date of Patent: March 19, 2013
Assignee: Digital Reg of Texas, LLC
Inventors: Eugene B. Phillips, II, Seth Ornstein
-
Patent number: 8402556
Abstract: Systems, methods, software, and apparatus are described for facilitating the distribution and management of fragmented content. In one embodiment, a packager packages content into fragments and generates a manifest including policies and metadata associated with the content. A downloader obtains the manifest, and uses it to obtain the content from one or more uploaders. For example, a downloader might forward a search request to one or more trackers, which, in turn, are operable to locate one or more uploaders that can meet the request, subject to any relevant policy limitations. The uploaders forward fragments to the downloader, subject to any relevant policy. The downloader assembles the content from the fragments. The operations and interactions of the entities can be subject to policy limitations associated with the fragments, the content as a whole, or the like.
Type: Grant
Filed: January 17, 2008
Date of Patent: March 19, 2013
Assignee: Intertrust Technologies Corporation
Inventor: William Benjamin Bradley
-
Publication number: 20130067223
Abstract: A content transmission device for transmitting content, whose copying is controlled, includes an authentication section for performing an authentication procedure between the content transmission device and a content receiving device, a first copy-control-information processing section for processing first copy control information describing copy control information concerning the content, a second copy-control-information processing section for processing second copy control information including content information different from the first copy control information, and a content transmission section for generating and transmitting, to the content receiving device, a packet including a header including the first copy control information and the second copy control information, and a payload obtained by encrypting the content with a predetermined content key.
Type: Application
Filed: November 7, 2012
Publication date: March 14, 2013
Applicant: SONY CORPORATION
Inventor: Sony Corporation
-
Publication number: 20130067222
Abstract: A plurality of computer nodes communicates using seemingly random IP source and destination addresses and (optionally) a seemingly random discriminator field. Data packets matching criteria defined by a moving window of valid addresses are accepted for further processing, while those that do not meet the criteria are rejected. In addition to “hopping” of IP addresses and discriminator fields, hardware addresses such as Media Access Control addresses can be hopped. The hopped addresses are generated by random number generators having non-repeating sequence lengths that are easily determined a-priori, which can quickly jump ahead in sequence by an arbitrary number of random steps and which have the property that future random numbers are difficult to guess without knowing the random number generator's parameters. Synchronization techniques can be used to re-establish synchronization between sending and receiving nodes.
Type: Application
Filed: September 14, 2012
Publication date: March 14, 2013
Applicant: VIRNETX, INC.
Inventors: Edmund Colby Munger, Vincent J. Sabio, Robert Dunham Short, III, Virgil D. Gligor, Douglas Charles Schmidt
-
Patent number: 8397072
Abstract: A computer-implemented method and system for embedding ancillary information into the header of a digitally signed executable are disclosed. The method and system include identifying a digital signature block and a digital signature size block in a digitally signed file header, modifying a digital signature size value in the digital signature size block, the modified value corresponding to the size of the digital signature block plus the length of an ancillary data block plus a pre-determined pad, storing the modified digital signature size in the digital signature size block, and appending the ancillary data block to the end of the digital signature block.
Type: Grant
Filed: March 31, 2006
Date of Patent: March 12, 2013
Assignee: Rovi Solutions Corporation
Inventors: Andres M. Torrubia, Miguel A. Roman
-
Patent number: 8397064
Abstract: A method and system is provided for securing communication on an EPON. Particularly different types of encrypted messages, each with a respective short MAC SegTAG, may be sent from the OLT to an ONU and from an ONU to the OLT without need for a full SecTAG with an explicit SCI. Discovery and control messages may be encrypted and a security offset may be less than 30 bytes. A packet header including its MAC address may be encrypted.
Type: Grant
Filed: January 5, 2010
Date of Patent: March 12, 2013
Assignee: PMC Sierra Ltd.
Inventors: Lior Khermosh, Zachy Haramaty, Jeff Mandin
-
Patent number: 8397065
Abstract: Methods and systems for information dissemination in mobile ad hoc networks founded on Content Based Routing. The method comprises encoding, via an encoding logic within the source node, a plurality of information categories associated with the content in a header of the packet, encrypting the packet with an encryption key unique to the plurality of information categories, with the encrypted packet having a unique dissemination group identity in its header, and disseminating the encrypted packet to nodes that have subscribed to the data based on the dissemination group identity. The system comprises a host within the source node, an identity generator to generate the dissemination group identity for the content, an encryption unit for encrypting the content, and a routing unit to disseminate the content to the dissemination mesh based on established subscriptions.
Type: Grant
Filed: October 17, 2008
Date of Patent: March 12, 2013
Assignee: Telcordia Technologies, Inc.
Inventors: Yow-Jian Lin, Narayanan Natarajan
-
Patent number: 8397083
Abstract: A system and method efficiently deletes a file from secure storage, i.e., a cryptainer, served by a storage system. The cryptainer is configured to store a plurality of files, each of which stores an associated file key within a special metadata portion of the file. Notably, special metadata is created by a security appliance coupled to the storage system and attached to each file to thereby create two portions of the file: the special metadata portion and the main, “file data” portion. The security appliance then stores the file key within the specially-created metadata portion of the file. A cryptainer key is associated with the cryptainer. Each file key is used to encrypt the file data portion within its associated file and the cryptainer key is used to encrypt the part of the special metadata portion of each file. To delete the file from the cryptainer, the file key of the file is deleted and the special metadata portions of all other files stored in the cryptainer are re-keyed using a new cryptainer key.
Type: Grant
Filed: August 23, 2006
Date of Patent: March 12, 2013
Assignee: NetApp, Inc.
Inventors: Robert Jan Sussland, Lawrence Wen-Hao Chang, Ananthan Subramanian
-
Publication number: 20130061045
Abstract: Systems and methods for performing adaptive bitrate streaming using alternative streams of protected content in accordance with embodiments of the invention are described. One embodiment of the invention includes a processor, and memory containing a client application. In addition, the client application configures the processor to: request a top level index file identifying a plurality of alternative streams of protected content, where each of the alternative streams of protected content are encrypted using common cryptographic information; obtain the common cryptographic information; request portions of content from at least the plurality of alternative streams of protected content; access the protected content using the common cryptographic information; and playback the content.
Type: Application
Filed: December 29, 2011
Publication date: March 7, 2013
Applicant: DIVX, LLC
Inventors: Michael George Kiefer, Eric William Grab, Jason Braness
-
Publication number: 20130061044
Abstract: A computer system storing parameters pertaining to the regulatory restrictions placed on a for-hire vehicle compares the parameters to a current operating environment of the for-hire vehicle. In some embodiments, the computer system acts as the meter (such as a taximeter) of the for-hire vehicle. The operating parameters may include expiration or exclusion parameters that define the scope of operation of the for-hire vehicle stemming from the for-hire vehicle's medallion or certificate of public convenience and necessity. The expiration or exclusion parameters may also correspond to a driver's permit or any general regulation enacted by the regulatory agency. If the current operating environment does not comply with the expiration or exclusion parameters, the computer system shuts down, or enters a standby mode, and may not accept additional passenger fares until the current operating environment complies with the expiration and exclusion parameters.
Type: Application
Filed: September 2, 2011
Publication date: March 7, 2013
Applicant: FRIAS TRANSPORTATION INFRASTRUCTURE, LLC
Inventors: Michael Collins Pinkus, Mark A. James, James Alan Wisniewski
-
Patent number: 8392703
Abstract: An electronic signature verification method implemented by SKI infrastructure adopts a secret key infrastructure (SKI) system for registering a secret key and issuing a signature key and a verification key. After a signer has completed a signature, a signature data, a verification data and a verification key encrypted by the secret key of a signature verification unit are sent to a recipient. After the recipient has received the data, a user needs to send the verification data and the encrypted verification key to a signature verification unit if the user wants to confirm the signature on the signature data. The signature verification unit uses a secret key authorized by the SKI for the decryption to obtain the verification key and uses the verification key to verify the verification data and confirm the existence of the signature of the signature data, so as to authenticate the signature of the signature data.
Type: Grant
Filed: June 16, 2009
Date of Patent: March 5, 2013
Assignee: Ares International Corporation
Inventors: Tai-Hung Lin, Po-Yueh Hung
-
Patent number: 8392169
Abstract: Generating a virtual CD recorder by using a storage device is proposed. The storage device includes a first data sector for storing auto-run data and a second data sector for storing table of content (TOC) information data. When the storage device is connected to a host, a detecting module of the host detects whether the TOC information data exists in the second sector. When the TOC information data exists or could be accessed, a reading module can read a first disc image file based on the TOC information data. A burning module can record data into a second disc image file and update the TOC information data associated with the second disc image file in the second sector.
Type: Grant
Filed: May 24, 2010
Date of Patent: March 5, 2013
Assignee: Genesys Logic, Inc.
Inventor: Chi-hung Chiang
-
Patent number: 8386782
Abstract: The invention provides a method, system, device and computer program product for setting up a secure session among three or more devices or parties of a communication group, including authenticating a key agreement between the devices or parties of the communication group, wherein the devices of the group start, preferably after a key is computed or agreed, a protocol, preferably a multi-party data integrity protocol, for authenticating the key agreement.
Type: Grant
Filed: January 5, 2007
Date of Patent: February 26, 2013
Assignee: Nokia Corporation
Inventors: Kaisa Nyberg, Nadarajah Asokan
-
Patent number: 8385545
Abstract: Systems and methods of secure content key distribution using multiple distinct methods are disclosed herein. Example embodiments include receiving multiple distinct control words from multiple conditional access systems and encrypting packets or a group of packets using the multiple distinct control words.
Type: Grant
Filed: July 27, 2007
Date of Patent: February 26, 2013
Inventor: Howard G. Pinder
-
Patent number: 8386765
Abstract: There is described a method for transmitting synchronization messages, for example PTP messages of the IEEE 1588 standard, the PTP message being inserted into a data packet in line with the Internet Protocol, the data packet having an IP header, and the data packet having a UDP header. In this case, for the encrypted transmission on the PTP message, the data packet is addressed to a UDP port that is reserved for encrypted PTP messages, the data packet is provided with an additional S-PTP header that is provided for encryption, the PTP message is extended with a pseudo random number, and the PTP message is encrypted together with the pseudo random number.
Type: Grant
Filed: March 24, 2006
Date of Patent: February 26, 2013
Assignee: Siemens Aktiengesellschaft
Inventors: Steffen Fries, Jean Georgiades, Stephan Schüler
-
Patent number: 8380986
Abstract: In a data stream individually encoded data stream (ds1 . . . n), data packets formed as key data packets (sp1 . . . n) are to be inserted, with which the data stream-individual key information (si1 . . . n) is transmitted with the associated data stream (ds1 . . . n). For analyzing and/or recording, at least one key data packet (sp1 . . . n) is searched for in the associated data stream (ds1 . . . n), and the data stream-individual key information (si1 . . . n) is determined. By means of the data stream-individual key information (si1 . . . n), the associated data stream (ds1 . . . n) is decoded. The generation and insertion of key information (si1 . . . n) can be achieved with minor administrative effort, thus considerably reducing the effort for the analysis or diagnosis (ds1 . . . n) of the simultaneously transmitted, encoded data streams (ds1 . . . n).
Type: Grant
Filed: July 23, 2008
Date of Patent: February 19, 2013
Assignee: Siemens Enterprise Communications GmbH & Co. KG
Inventors: Siegfried Hartmann, Jörg Krumböck
-
Patent number: 8375205
Abstract: Techniques for communicating information over management channels are described. An apparatus may comprise a classifier module operative to classify management information for a wireless communications network as media access control security management information or media access control management information. The apparatus may further comprise a wireless transceiver to couple to the classifier module, the wireless transceiver operative to communicate the media access control security management information over an insecure management connection and the media access control management information over a secure management connection. Other embodiments are described and claimed.
Type: Grant
Filed: September 28, 2007
Date of Patent: February 12, 2013
Assignee: Intel Corporation
Inventor: David Johnston
-
Patent number: 8375206
Abstract: A data processing system, recording device, data processing method and program providing medium are provided to execute authentication processing and content storing processing between apparatuses. Program localization is employed to restrict access to program content. A plurality of key blocks store key data for authentication processing. Key block designation information is set in a recorder/reproducer, which is configured for executing authentication processing with the recording device by designating a key block. The recorder/reproducer can set a key block for each product, model or the like. In addition, data stored according to a selected key block cannot be utilized in a recorder/reproducer in which a different key block is set. Furthermore, an encryption processing controlling section of a recording device executes control in accordance with a pre-defined setting sequence.
Type: Grant
Filed: February 22, 2010
Date of Patent: February 12, 2013
Assignees: Sony Corporation, Sony Computer Entertainment Inc.
Inventors: Tomoyuki Asano, Yoshihito Ishibashi, Taizo Shirai, Toru Akishita, Masaharu Yoshimori, Makoto Tanaka
-
Patent number: 8374352
Abstract: Described herein is a context-free protocol (i.e., the COFFEE protocol) for stimulating cooperation among selfish nodes. Various embodiments have the ability to transmit a packet over the path successfully without the dependency on the information of other packets' transmissions. It is assumed that every node in the network is rational, and therefore during the packet forwarding stage, if the intermediate nodes can not clearly tell whether the packet is destined to them or not, they do not simply drop the packet. Thus, in the COFFEE protocol, by introducing several techniques, for a packet received by a node, the node thinks the packet could potentially be destined to itself and forwards the packet to find out the answer. Detailed analysis and performance evaluations have been conducted to demonstrate the effectiveness of the COFFEE protocol.
Type: Grant
Filed: April 13, 2009
Date of Patent: February 12, 2013
Assignee: The Hong Kong University of Science and Technology
Inventors: Chengqi Song, Qian Zhang
-
Patent number: 8370627
Abstract: It is an object of the present invention to solve a problem included in the onion routing which is used as a confidential communication method, that if a system down occurs in a computer within a communication route, connection is not made to further components at all, or a problem that the system and the traffic become slow by using multiplexed encryption. It is a communication method in which a client of an information providing source encrypts random numbers and calculates its hash value using respective public keys of an information server to which it connects, a function server of a destination to be sent, and an information server to which the function server connects, respective servers decrypt the encrypted random number using their own secret keys to compare the random number with the hash value, and thus, the client determines whether or not the route is related to the client.
Type: Grant
Filed: December 30, 2008
Date of Patent: February 5, 2013
Assignee: University of Yamanashi
Inventors: Haruaki Yamazaki, Hidetoshi Mino, Yoshimichi Watanabe
-
Patent number: 8370921
Abstract: Packet sequence number checking through a VPN tunnel may be performed by assigning sequence numbers on a per-priority class basis to packets traversing the VPN tunnel. In one implementation, a network device may receive a packet that is to be transmitted over a VPN tunnel, the packet including control information that includes at least a QoS priority class of the packet. The network device may extract the priority class of the packet from the control information and generate a sequence value that describes an arrival sequence of the packet relative to other received packets of the same priority class as the packet. The network device may additionally generate an IPsec header for the packet, the IPsec header including the sequence value and the priority class of the packet; attach the IPsec header to the packet; and transmit the packet through the VPN tunnel.
Type: Grant
Filed: December 8, 2009
Date of Patent: February 5, 2013
Assignee: Juniper Networks, Inc.
Inventors: Yifei Duan, Yufeng Zhu
-
Patent number: 8369527
Abstract: A multicast host for communicating information published about any one of a set of topics to one or more authorised subscribers to those topics, the set of topics being partitioned into one or more partition elements, each partition element having a partition element encryption key associated therewith, wherein each of the one or more partition elements is a disjoint proper subset of the set of topics, the host comprising: means for receiving information relating to a topic; means for determining a partition element for the topic; means for retrieving a partition element encryption key associated with the partition element; means for encrypting the information with the retrieved partition element encryption key; and means for communicating the information to the one or more authorised subscribers.
Type: Grant
Filed: June 22, 2005
Date of Patent: February 5, 2013
Assignee: International Business Machines Corporation
Inventors: Boaz Carmeli, John Justin Duigenan, Michael Damein Elder, Gidon Gershinsky
-
Patent number: 8363840
Abstract: A method and apparatus for providing a broadcast service in a communication system is provided. The method includes creating a seed key pair including a first key and a second key, transmitting the seed key pair to a terminal to which the broadcast service is to be provided, creating a certain number of encryption keys using the seed key pair, the certain number corresponding to a lifetime of the seed key pair, encrypting broadcast service data for the lifetime using the encryption keys, and broadcasting the encrypted broadcast service data.
Type: Grant
Filed: April 3, 2009
Date of Patent: January 29, 2013
Assignee: Samsung Electronics Co., Ltd.
Inventors: Sergey Nikolayevich Seleznev, Byung-Rae Lee, Sung-Oh Hwang, Kook-Heui Lee
-
Patent number: 8363258
Abstract: A content transmission device for transmitting content, whose copying is controlled, includes an authentication section for performing an authentication procedure between the content transmission device and a content receiving device, a first copy-control-information processing section for processing first copy control information describing copy control information concerning the content, a second copy-control-information processing section for processing second copy control information including content information different from the first copy control information, and a content transmission section for generating and transmitting, to the content receiving device, a packet including a header including the first copy control information and the second copy control information, and a payload obtained by encrypting the content with a predetermined content key.
Type: Grant
Filed: December 20, 2011
Date of Patent: January 29, 2013
Assignee: Sony Corporation
Inventors: Hiroyuki Suzuki, Takehiko Nakano, Hisato Shima