Abstract: Described embodiments provide a network processor that includes a security protocol processor for staged security processing of a packet having a security association (SA). An SA request module computes an address for the SA. The SA is fetched to a local memory. An SA prefetch control word (SPCW) is read from the SA in the local memory. The SPCW identifies one or more regions of the SA and the associated stages for the one or more regions. An SPCW parser generates one or more stage SPCWs (SSPCWs) from the SPCW. Each of the SSPCWs is stored in a corresponding SSPCW register. A prefetch module services each SSPCW register in accordance with a predefined algorithm. The prefetch module fetches a requested SA region and provides the requested SA region to a corresponding stage for the staged security processing of an associated portion of the packet.

Abstract: A system and method provides secure channels for communication in a virtual universe by employing a packet interception layer for incoming and outgoing data packets. A data path is defined and is sequentially encrypted with the public keys of servers in the path. Decryption and identification of the next server occurs in a sequential manner in which the path is known only to the sender.

Abstract: According to various embodiments, a computer-implemented method is disclosed that includes receiving, at a wireless adaptor of a device, a wireless data packet from an access point (AP), wherein the wireless data packet includes a Basic Service Set Identifier (BSSID) of the AP; changing the BSSID of the received data packet by a processor or hardware to produce a modified wireless data packet; and transmitting the modified wireless data packet to an application on the device.

Abstract: To improve a communication system including two communication apparatuses so as to reduce a possibility of having communication decrypted by a third party. The communication system includes a first communication apparatus and a second communication apparatus, where one of the communication apparatuses encrypts transmission subject data and transmits generated encrypted data to the other communication apparatus which decrypts received encrypted data. Each of the communication apparatuses generates an algorithm used for encryption each time it performs the encryption or decryption. In this case, each of the communication apparatuses generates the algorithm by assigning past solutions to a solution generating algorithm capable of having the past solutions assigned thereto and thereby generating a new algorithm. The past solutions are erased when they are no longer used.

Abstract: This invention relates to a transmission method for conditional access content, in which said content is broadcast in the form of data packets (DP). These data packets contain at least one marker having a known value and a useful part (PL). This method includes the following steps: extraction of said marker (Mc) from the data packet (DP) and replacement of this marker with an encryption key identification information (PAR); encryption of said useful part (PL) by an encryption key (K1) that can be identified by said encryption key identification information (PAR); formation of an encrypted data packet containing at least said encryption key identification information (PAR) and the encrypted useful part (PLK1); transmission of said encrypted data packet to at least one receiver.

Abstract: Disclosed is a computer implemented method and apparatus to secure a routing path. A local node receives a request for secure route identification from an upstream node. Responsive to receiving a request for secure route identification, the local node transmits a local node security level and an authentication key to the upstream node. The local node determines whether at least one downstream node is authentic and has sufficient security level from a second-level downstream node. The local node may then establish a socket to the upstream node.

Abstract: A communications system may include an application server and at least one communications device for processing requests from one another. The communications device may process requests using an HTTP client application, for example. Furthermore, the system may also include an HTTP server for interfacing the HTTP client application with the application server. The HTTP server and the HTTP client application may format requests to be communicated therebetween via the Internet in an HTTP format, and each may provide additional state information with the HTTP formatted requests recognizable by the other for authenticating the application server and the HTTP client application to one another. Furthermore, the HTTP client application may request a first universal resource locator (URL) from the HTTP server for accepting work requests from the application server, and a second URL different from the first URL for responding to work requests from the application server.

Abstract: A token or other storage device uses Internet identities to set file access attribute rights. Subsequently, requests to access a file can be controlled by confirming the Internet identity of the requester by either validating the request with a known public key or retrieving the public key from an Internet identity provider. Files may be stored encrypted and may be re-encrypted with the public key associated with Internet identity making the request.

Abstract: Advanced solutions for encrypting multi-layer audio data are required, ie. audio data that comprise a base layer and one or more enhancement layers. A method for encrypting such an encoded audio signal comprises separating the base layer into two sections, encrypting the side information within frames of the second section of the base layer, and encrypting at least a part of the data of the enhancement layer, wherein the encrypted section of the base layer and the encrypted enhancement layer require different decryption keys for decryption. Thus, free preview zones are possible to implement.

Abstract: A method is presented for selecting an HTTP authentication scheme at a client computer. A request message is sent from the client computer to a server computer to access information on the server computer. In response, the client computer receives a response message from the server computer. The response message includes an HTTP header that includes a first scheme identifier, indicating a first HTTP authentication scheme and a second scheme identifier, indicating a second HTTP authentication scheme. If the client computer does not support the second HTTP authentication scheme, the client computer uses the first HTTP authentication scheme when sending another HTTP message to the server computer. If the client computer supports the second HTTP authentication scheme, the client computer uses the second HTTP authentication scheme when sending another HTTP message to the server computer.

Abstract: A method and apparatus including units configured to send a request from a first network entity to a user equipment for an identifier and receive a message indicating that a public key is required from the user equipment by the first network entity. The method and apparatus also includes units configured to send, by the first network entity, the public key to the user equipment and receive an encrypted identifier by the first network entity, wherein upon authenticating the public key, the user equipment encrypts at least part of the identifier using the public key, thereby enabling further processing between the network entity and the user equipment.

Abstract: In a job processing system, usage restriction information is managed for restricting user usage of functions of a job processing apparatus. An information processing apparatus acquires usage restriction information corresponding to a first operator instructing generation of job data, and writes the usage restriction information into job data to be transmitted to the job processing apparatus. The job processing apparatus checks whether or not the usage restriction information is written in the job data received from the information processing apparatus, and when the usage restriction information is confirmed, processes the job data in accordance with the usage restriction information, and when the usage restriction information is not confirmed, processes the job data in accordance with usage restriction information of a second operator instructing execution of a job in the job processing apparatus.

Abstract: With files secured by encryption techniques, keys are often required to gain access to the secured files. Techniques for providing and using multiple levels of keystores for securing the keys are disclosed. The keystores store keys that are needed by users in order to access secured files. The different levels of keystores offer compromises between security and flexibility/ease of use.

Abstract: Even with proper access privilege, when a secured file is classified, at least security clearance (e.g. a clearance key) is needed to ensure those who have the right security clearance can ultimately access the contents in the classified secured file. According to one embodiment, referred to as a two-0pronged access scheme, a security clearance key is generated and assigned in accordance with a user's security access level. A security clearance key may range from most classified to non-classified. Depending on implementation, a security clearance key with a security level may be so configured that the key can be used to access secured files classified at or lower than the security level or multiple auxiliary keys are provided when a corresponding security clearance key is being requested. The auxiliary keys are those keys generated to facilitate access to secured files classified respectively less than the corresponding security or confidentiality level.

Abstract: The present invention discloses a method for quickly and easily authenticating large computer program. The system operates by first sealing the computer program with digital signature in an incremental manner. Specifically, the computer program is divided into a set of pages and a hash value is calculated for each page. The set of hash values is formed into a hash value array and then the hash value array is then sealed with a digital signature. The computer program is then distributed along with the hash value array and the digital signature. To authenticate the computer program, a recipient first verifies the authenticity of the hash value array with the digital signature and a public key. Once the hash value array has been authenticated, the recipient can then verify the authenticity of each page of the computer program by calculating a hash of a page to be loaded and then comparing with an associated hash value in the authenticated hash value array.

Abstract: Methods and systems are disclosed for providing secured data transmission and for managing cryptographic keys. One embodiment of the invention provides secure key management when separate devices are used for generating and utilizing the keys. One embodiment of the invention provides secure storage of keys stored in an unsecured database. One embodiment of the invention provides key security in conjunction with high speed decryption and encryption, without degrading the performance of the data network.

Abstract: A method and a system for naming-conflict-free integration of software components originating from software component manufacturers (OEM), comprising software development devices from different software component manufacturers (OEM) that manufacture and encrypt software components with the respective cryptographic key, wherein when a naming conflict occurs during the integration of encrypted software components, at least one of the encrypted software components in which the naming conflict occurred is expanded by a naming conflict resolution rule to thereby allows for the resolution of naming conflicts in encrypted software components that can originate from different software component manufacturers without the source code of the software components becoming visible to third parties.

Abstract: The present invention relates to a method of authenticating a user in a communication system comprising a user terminal and an authentication server which is capable of storing two types of nonce values, namely dedicated nonce values unique in the system and common nonce values shared between users in the system. In the method the authentication server receives (401) from the user terminal an access request. Then the authentication server uses a predefined criterion for determining the type of a first nonce value to be sent to the user terminal as a response to the access request. In case the predefined criterion is fulfilled, then a dedicated nonce value is sent, otherwise a common nonce value is sent (402). Then the authentication server receives (403) from the user terminal a response comprising a second nonce value and a response code to the first nonce value.

Abstract: A computer-implemented method for using reputation data to detect packed malware may include: 1) identifying a file downloaded from a portal, 2) determining that the file has been packed, 3) obtaining community-based reputation data for the file, 4) determining, by analyzing the reputation data, that instances of the file have been encountered infrequently (or have never been encountered) within the community, and then 5) performing a security operation on the file (by, for example, quarantining or deleting the file).

Abstract: A medium access control (MAC) frame provision method establishes security in an IEEE 802.15.4 network. A MAC frame is generated, which includes a MAC header, a payload field, and a frame check sequence (FCS) field, the payload field including relevant main data according to a frame type defined in the MAC header. A disguised decoy data sequence number (DSN) is generated and inserted into the MAC header. A real DSN, which is a corresponding transmission sequence number of the MAC frame, is generated and inserted into the payload field. The MAC frame is transmitted, including the encrypted payload field, to a counterpart node. A MAC ACK frame acknowledges reception of the transmitted MAC frame; and a DSN is compared in the received MAC ACK frame with the real DSN. An authentication of the counterpart node is performed when the received MAC ACK frame is equal to the real DSN.

Abstract: Methods, systems, and devices are disclosed for detecting encrypted Internet Protocol packet streams. The type of data within an encrypted stream of packets is inferred using an observable parameter. The observable parameter is observable despite encryption obscuring the contents of the encrypted stream of packets. A timer is established that maintains settings despite changes in the type of inferred data.

Abstract: A method of securing transmission of streaming media by encrypting each packet in the stream with a packet key using a fast encryption algorithm. The packet key is a hash of the packet tag value and a closed key which is unique for each stream. The closed key is itself encrypted by the sender and passed to the recipient using a public key encryption system. The encrypted closed key (open key) may conveniently be inserted into the stream header. All of the packets in the stream are encrypted, but only the data pay load of each packet is encrypted. It is computationally infeasible, without knowing the recipient's private key to calculate the closed key based upon knowledge of publicly accessible information such as the recipient's public key, the open key, the encrypted stream data or the packet tag values.

Abstract: Methods, computer program products and apparatus for processing data packets are described. Methods include receiving the data packet, examining the data packet, determining a single flow record associated with the packet and extracting flow instructions for two or more devices from the single flow record.

Abstract: A software based wireless infrastructure system is provided. The system has a driver that communicates with the network stack and a network interface card (NIC), a station server in communication with the station driver and an 802.1X supplicant or an 802.1X authenticator. Each NIC provides station and/or access point functionality support. The driver drops packets that have been received if the packet has not been authenticated and associated. Packets that have been fragmented or encrypted are unfragmented and decrypted. An association manager is used in conjunction with a configuration table manager to associate stations and access points via management packets. A manager receives 802.1X data packets from the packet processor and sends them up to a station server that communicates with user mode applications and an 802.1X supplicant or an 802.1X authenticator that are used to authenticate and deauthenticate stations and access points. APIs are provided to enable communication between the components.

Abstract: Systems and methods of securing, distribution and enforcing for-hire vehicle operating parameters are described whereby a first computer system maintaining the parameters generates a data packet that is distributed to a second computer system which acts as a meter (such as a taximeter, limousine meter or shuttle meter) for the for-hire vehicle. The first computer system may secure or encrypt the data packet according to a security protocol associated with the second computer system. Once the second computer system receives the data packet, it may validate and extract the operating parameters contained within it. The second computer system may then store the operating parameters and operate according to the parameters by, for example, calculating fares for passengers that make use of the for-hire vehicle associated with the second computer system.

Abstract: A computer-implemented method for synchronizing encryption of information is disclosed according to one aspect of the subject technology. The method comprises receiving a selection of one or more types of information by a user, wherein the one or more types of information are synchronized across a plurality of computing devices. The method also comprises generating an encryption status indicating that the one or more types of information selected by the user are to be encrypted, and sending the encryption status from a first one of the computing devices to a server, wherein the server distributes the encryption status to each of the other computing devices.

Abstract: This document discusses, among other things, applying network policy at a network device. In an example embodiment fiber channel hard zoning information may be received that indicates whether a fiber channel frame is permitted to be communicated between two fiber channel ports. Some example embodiments include identifying a media access control address associated with the fiber channel ports. An example embodiment may include generating one or more access control entries based on the fiber channel identifications of the fiber channel ports and the zoning information. The access control entries may be distributed to an Ethernet port to be inserted into an existing access control list and used to enforce a zoning policy upon fiber channel over Ethernet frames.

Abstract: Various techniques for software license inventory and asset management are disclosed. A fingerprint may be generated and associated with various copies of software applications installed on a software licensee's computer systems. Upon generation, each fingerprint may be stored in a license information database system along with relevant license information for that copy of the software application. A software inventory tool may then be used to collect fingerprints on installed copies of software applications and provide these fingerprints to the license information database system to obtain the corresponding license information. The output of the software inventory tool may be used by a licensee to comply with software license agreements and/or efficiently allocate information technology resources. Methods and systems that provide and process secured, dynamic and persistent tagging of software deployments and usage are also disclosed.

Abstract: A host computer system is categorized according to uniform resource locator (URL) information extracted from a digital certificate purportedly associated with said host. Thereafter, a secure communication session (e.g., an SSL session) with said host may be granted or denied according to results of the categorizing. If granted, messages associated with the secure session may be tunneled through a proxy without decryption, or, in some cases, even though the secure communication session was authorized messages may be decrypted at the proxy.

Abstract: A system and method is provided to determine location information of a portable computing device and, in particular, to a secure and scalable system and method of decoupling and exposing handset originated location information to third parties. The system includes a location platform to determine location information of a remote user, and an encryption service configured to secure the location information of the remote user and send the secure location information to a content provider.

Abstract: Methods, systems, and products are disclosed for specifying a signature for an encrypted packet stream. One method receives the encrypted stream of packets, and encryption obscures the contents of a packet. A signature for insertion into the stream of packets is specified, and the signature identifies a type of data encrypted within the stream of packets. The signature identifies the contents of the packet despite the encryption obscuring the contents.

Abstract: An information processing apparatus includes a use restriction unit that restricts use of the information processing apparatus based on identification information stored in an identification information storage unit, and a controller. The controller is operable to update the identification information stored in the identification information storage unit, send the updated identification information to a preset mail address, by an E-mail, receive an E-mail, determine whether the received E-mail is an E-mail replying to the sent E-mail, and control the identification information storage unit to store identification information included in the received E-mail as new identification information if the received E-mail is determined to be the E-mail replying to the sent E-mail.

Abstract: Encrypting content included in a program or service is disclosed, wherein the encrypted content is transmitted from a transmitter to a receiver in a subscriber network. Generally, in one embodiment, the encrypted program or service is packetized, and the packets are transmitted to the receiver. When a packet having ciphertext of the encrypted program or service is received at the receiver, the ciphertext of the packet is preferably converted to a different form of ciphertext.

Abstract: Disclosed is a system and a method for maintaining broadcasting chip information regardless of device replacement in a USIM unlock environment where broadcast information can be automatically modified in response to device replacement.

Abstract: A device which transmits an ISMA media stream subjected to MPEG-4 IPMP extension. An ISMA media stream having an ISMA header and including contents as a payload is constituted, an IPMP tool list descriptor representing, as a tool required for processing of the contents, at least one tool selected from a group including an IPMP tool, an ISMA Cryp decryption tool, and a key management system (KMS) tool is buried in the media stream, and the ISMA media stream is transmitted.

Abstract: Described embodiments provide a network processor that includes a security protocol processor for staged security processing of a packet having a security association (SA). An SA request module computes an address for the SA. The SA is fetched to a local memory. An SA prefetch control word (SPCW) is read from the SA in the local memory. The SPCW identifies one or more regions of the SA and the associated stages for the one or more regions. An SPCW parser generates one or more stage SPCWs (SSPCWs) from the SPCW. Each of the SSPCWs is stored in a corresponding SSPCW register. A prefetch module services each SSPCW register in accordance with a predefined algorithm. The prefetch module fetches a requested SA region and provides the requested SA region to a corresponding stage for the staged security processing of an associated portion of the packet.

Abstract: Described herein are methods and systems for secure exchange of information related to electronic design automation. Information deemed sensitive and otherwise worthy of protection may be secured by methods such as encryption, obfuscation and other security measures. The secured information may be provided to an electronic design automation tool for processing without revealing at least some of the secured information. For instance, rule files related to integrated circuit manufacturability may be selectively annotated to indicate portions thereof deserving of protection. An encryption tool may be used to secure the information so indicated and generate a file comprising secured information related to electronic design automation. An electronic design automation tool may then unlock and use the secured information without revealing the same.

Abstract: Managing metadata in a metadata transmission server by generating a plurality of metadata fragment data by partitioning metadata to be transmitted based upon predetermined segment units, selecting predetermined metadata fragment data from among the plurality of the metadata fragment data, generating metadata-related authentication information using the selected metadata fragment data, and transmitting the selected metadata fragment data and the metadata-related authentication information including data format information indicating type of the selected metadata fragment data. A metadata receiving client uses the transmitted metadata fragment data, the metadata-related authentication information and the metadata format type information to authenticate the received metadata.

Abstract: A method and apparatus for ingress filtering using security group information are disclosed. The method includes performing access control processing on a packet and sending access control information to an ingress node of the packet in response to the access control processing. The access control information includes security group information and an address of a network node. The security group information identifies a security group. The network node is a member of the security group and is a destination of the packet.

Abstract: Multi-level file digests for electronic files are disclosed. A top level digest represents a single digest for the associated electronic file. Lower level digests represent digests for portions of the associated electronic file. The top level digest is derived from the lower level digests. The top level digest is useful for facilitating rapid comparison to determine whether electronic files are the same. In one embodiment, electronic files are encrypted with a block encryption scheme, and digests are efficiently calculated and stored on a block-by-block basis. Advantageously, when modifications to an encrypted electronic file occurs, only those modified blocks need to be processed to undergo decryption and re-encryption to determine the appropriate digest.

Abstract: In a job processing system, usage restriction information is managed for restricting user usage of functions of a job processing apparatus. An information processing apparatus acquires usage restriction information corresponding to a first operator instructing generation of job data, and writes the usage restriction information into job data to be transmitted to the job processing apparatus. The job processing apparatus checks whether or not the usage restriction information is written in the job data received from the information processing apparatus, and when the usage restriction information is confirmed, processes the job data in accordance with the usage restriction information, and when the usage restriction information is not confirmed, processes the job data in accordance with usage restriction information of a second operator instructing execution of a job in the job processing apparatus.

Abstract: A method of controlling use of a printer on a network includes providing a key to a client on the network. The key is then used to submit a print job from the client to a printer on the network.

Abstract: A system and method provides secure channels for communication in a virtual universe by employing a packet interception layer for incoming and outgoing data packets. A data path is defined and is sequentially encrypted with the public keys of servers in the path. Decryption and identification of the next server occurs in a sequential manner in which the path is known only to the sender.

Abstract: UIMID of a UIM 50 owned by the owner of a portable phone 40 is stored in an owner information registration area 410b of phone 40. A CPU 405 of portable phone 40, upon receiving content, compares a UIMID of a UIM 50 inserted in phone 40 to the UIMID registered in owner information registration area 410b. The storing of the content in a nonvolatile memory 410 is permitted only when the two UIMIDs agree with each other.

Abstract: A globally unique identification system for a communications protocol and database is disclosed. A method for generating the globally unique identification code and for generating a compressed globally unique identification code is also described. The communications protocol permits multiple communications sessions to be sent through a single open port of a firewall.

Abstract: A printing apparatus to perform a printing operation by driving hardware provided thereto according to a printing command received from a user, including a firmware unit to store function information of a plurality of models of the printing apparatus, and selectively perform the function of one of the plurality of models which corresponds to a model index designated as the printing apparatus is initialized.

Abstract: Disclosed herein is a system and method for providing Over-The-Air (OTA) service. The system according to the present invention includes a mobile terminal for, when a message is received from an OTA server, dividing OTA data, included in the message, into data segments of a predetermined size depending on a size of the message, and a smart card for receiving each of the data segments, decrypting the data segment using a preset OTA key, and storing the decrypted OTA data in a preset area.

Abstract: This specification describes technologies relating to imparting cryptographic information in network communications.

Abstract: Encryption of Internet Protocol (IP) traffic using IP Security (IPSec) at the edge of the enterprise network, in such a way as to support resilient BGP/MPLS IP VPN network designs. The IP traffic is securely tunneled within IPSec tunnels from the edge to the edge of the enterprise network. The IPSec traffic is also tunneled within MPLS tunnels from the edge to the edge of the service provider network. The enterprise network thus manages its own IPSec site-to-site VPN. The service provider thus independently manages its own MPLS network. The result provides an IP VPN or Layer 3 MPLS VPN to the enterprise; the enterprise IPSec network can thus be considered as an overlay to the MPLS service provider network.

Abstract: An apparatus and method for providing data packet security in a wireless sensor network including a plurality of sensor nodes. The apparatus includes a memory unit for storing a plurality of node characteristic information and a plurality of settable security status information, each of the node characteristic information corresponding to at least one of the settable security status information; and a control unit for examining the node characteristic information of the control unit, if a data packet generation request is made, detecting the security status information corresponding to the examined node characteristic information from the memory unit, and generating data packets including the detected security status information.