Packet Header Designating Cryptographically Protected Data Patents (Class 713/160)
  • Patent number: 10218516
    Abstract: The invention relates to a system and method of re-programming memory, and in particular, to wirelessly re-programming software, such as the application code, residing in memory of a trainable transceiver. The wireless re-programming of memory allows for software in the trainable transceiver to be updated or replaced from a remote location, where a direct or wired connection to the product is not otherwise available.
    Type: Grant
    Filed: November 13, 2017
    Date of Patent: February 26, 2019
    Assignee: GENTEX CORPORATION
    Inventors: Chris H. Vuyst, Todd R. Witkowski, Carl L. Shearer, Steven L. Geerlings, Thomas D. Klaver
  • Patent number: 10210338
    Abstract: In a compression processing storage system, using a pool of encryption processing cores, the encryption processing cores are assigned to process either encryption operations, decryption operations, and decryption and encryption operations, that are scheduled for processing. A maximum number of the encryption processing cores are set for processing only the decryption operations, thereby lowering a decryption latency. A minimal number of the encryption processing cores are allocated for processing the encryption operations, thereby increasing encryption latency. The encryption operations, the decryption operations, and the decryption and encryption operations are scheduled between the pool of the plurality of processing cores according to a thread weight value (TWV) that is assigned to each one of the plurality of processing cores having a difference in processing power.
    Type: Grant
    Filed: November 22, 2017
    Date of Patent: February 19, 2019
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Jonathan Amit, Amir Lidor, Sergey Marenkov, Rostislav Raikhman
  • Patent number: 10206138
    Abstract: Systems and methods are disclosed for assigning a quality of service to a data packet in a communications network by mapping a Wi-Fi access layer identifier such as an SSID to a value in a datagram header, and subsequently using the datagram header to assign an appropriate data bearer for the datagram, the data bearer having a quality of service class identifier appropriate for the type of traffic expected to be sent over the particular Wi-Fi access layer.
    Type: Grant
    Filed: June 20, 2016
    Date of Patent: February 12, 2019
    Assignee: Parallel Wireless, Inc.
    Inventors: Yang Cao, Sumit Garg, Anand Bhaskarwar, Steven Beaudette, Mohit Chugh
  • Patent number: 10193939
    Abstract: Managing Security Parameter Information (SPIs) to prevent race condition failures begins where a system negotiates SPIs along with associated expiration times, and re-negotiates new SPIs as necessary. The system prevents race conditions that would otherwise occur when both an old SPI and a new SPI are active at the same time. The system accomplishes this by managing the storage and deletion of old SPIs such that only active SPIs are stored on the system for use by a User Equipment (UE) or Proxy Call Session Control Function (P-CSCF).
    Type: Grant
    Filed: August 7, 2017
    Date of Patent: January 29, 2019
    Assignee: T-Mobile U.S.A., Inc.
    Inventors: Kalyan Kalepu, Shujaur Mufti
  • Patent number: 10187215
    Abstract: A system and methods are provided for establishing an authenticated and encrypted communication connection between two devices with at most two round-trip communications. During establishment of an initial authenticated, encrypted communication connection (or afterward), a first device (e.g., a server) provides the second device (e.g., a client) with a token (e.g., a challenge) that lives or persists beyond the current connection. After that connection is terminated and the second device initiates a new connection, it uses the token as part of the handshaking process to reduce the necessary round-trip communications to one.
    Type: Grant
    Filed: November 6, 2017
    Date of Patent: January 22, 2019
    Assignee: WhatsApp Inc.
    Inventors: Bryan D O'Connor, Eugene Fooksman
  • Patent number: 10162847
    Abstract: An apparatus, method, system, and computer-readable medium are provided for maintaining contact information associated with a contact. In some embodiments a request associated with a contact may be received. Contact information may be obtained from one or more external or internal sources. One or more confidence scores may be generated for the obtained contact information and for one or more values received with the request. Based on the confidence score(s), one or more values associated with the contact may be incorporated in one or more data stores. In some embodiments, suggestions for contact related information may be generated. Responses to the suggestions may be used to update the generated confidence score(s).
    Type: Grant
    Filed: June 13, 2014
    Date of Patent: December 25, 2018
    Assignee: Comcast Interactive Media, LLC
    Inventors: Peter Lester, Justin Miller, Hendrick Lee, Aseem Sharma, Galen Trevor Gattis, Amber Dixon, Huy Tuan Nguyen, Derek McGowan, John McCrea
  • Patent number: 10154014
    Abstract: One embodiment provides a system for efficiently and securely encrypting, transmitting, and decrypting video data, including selective encryption of image frames. During operation, the system obtains by a content-transmitting device, an image frame which is used to form a video stream. In response to determining that the image frame satisfies a predetermined condition for encryption, the system encrypts the image frame based on an encryption algorithm. The system encapsulates the encrypted image frame based on encapsulation information. The system includes encryption identification information for the image frame in the encapsulation information.
    Type: Grant
    Filed: August 18, 2016
    Date of Patent: December 11, 2018
    Assignee: Alibaba Group Holding Limited
    Inventors: Qi Zhang, Didi Yao
  • Patent number: 10091117
    Abstract: Techniques for code block (CB) segmentation and rate matching in wireless deployments that may use CB-level feedback may provide that a transport block group (TBG) may include one or more CBs from multiple transport blocks (TBs). Such TBGs may support retransmissions of one or more CBs from different TBs within a TBG transmission. In certain examples, a TBG size may be determined, and a retransmission size associated with any CBs to be retransmitted are determined. Based at least in part on the TBG size and retransmission size, it may be determined whether a new TB may be included in the TBG.
    Type: Grant
    Filed: June 14, 2016
    Date of Patent: October 2, 2018
    Assignee: QUALCOMM Incorporated
    Inventors: Jing Sun, Taesang Yoo
  • Patent number: 10078736
    Abstract: Disclosed are systems and methods for improving interactions with and between computers in content communicating, rendering, generating, hosting and/or providing systems supported by or configured with personal computing devices, servers and/or platforms. The systems interact to identify and retrieve data within or across platforms, which can be used to improve the quality of data used in processing interactions between or among processors in such systems. The disclosed systems and methods enable the seamless and adaptable implementation of digital rights management technology on a client device despite variations in the version, languages, programs executing on differing linked devices. The disclosed systems and methods enable the rendering of content via encryption and decryption of the content, which protects the digital media content on the client end.
    Type: Grant
    Filed: March 30, 2016
    Date of Patent: September 18, 2018
    Assignee: ALIBABA GROUP HOLDING LIMITED
    Inventor: Yusong Wei
  • Patent number: 10075416
    Abstract: In general, techniques for sharing of network session data are described. The techniques may enable security devices to leverage application classification information in a federated manner. An example security device includes a memory and one or more processors. The processor(s) are configured to receive data representative of an application classification for a first packet flow from a second security device, to receive data of a second packet flow, and, when the second packet flow corresponds to the first packet flow, to monitor the data of the second packet flow based on the application classification for the first packet flow without determining an application classification for the second packet flow.
    Type: Grant
    Filed: December 30, 2015
    Date of Patent: September 11, 2018
    Assignee: Juniper Networks, Inc.
    Inventors: Nagendra Singh Yadav, Anil Kumar Reddy Sirigiri
  • Patent number: 10075434
    Abstract: Generally, this disclosure describes a method and system for authenticating to a network via a device-specific one-time password. A method in an embodiment may include generating a first one-time password (OTP) based at least in part on a plurality of client device attributes; and providing the first OTP to an authenticator associated with a private network during a first session, wherein the authenticator is configured to authenticate the client device to at least one of the private network and protected content included in the private network for a second session following the first session based on the provided first OTP.
    Type: Grant
    Filed: June 21, 2016
    Date of Patent: September 11, 2018
    Assignee: Intel Corporation
    Inventors: Jim S. Baca, Tobias M. Kohlenberg, Hong Li, David Stanasolovich, Mark H. Price, Steven J. Birkel, Kenneth W. Reese, Ronald Tafoya
  • Patent number: 10044713
    Abstract: Identity management, user authentication, and/or user access to services on a network may be provided in a secure and/or trustworthy manner, as described herein. For example, trustworthy claims may be used to indicate security and/or trustworthiness of a user or user device on a network. Security and/or trustworthiness of a user or a user device on a network may also be established using OpenID and/or local OpenID, a secure channel between a service and the user device, and/or by including a network layer authentication challenge in an application layer authentication challenge on the user device for example.
    Type: Grant
    Filed: August 20, 2012
    Date of Patent: August 7, 2018
    Assignee: InterDigital Patent Holdings, Inc.
    Inventors: Andreas Leicher, Andreas Schmidt, Yogendra Shah
  • Patent number: 10044809
    Abstract: Provided is a wireless communication device for packet communication. When power is applied, in a case where a packet data is received before receiving a message notifying that packet communication starts, the other party is urged to transmit a message saying that the packet communication starts and a packet number is initialized in accordance with transmission and reception of the message that the packet communication starts.
    Type: Grant
    Filed: November 3, 2015
    Date of Patent: August 7, 2018
    Assignee: PANASONIC INTELLECTUAL PROPERTY MANAGEMENT CO., LTD.
    Inventor: Toshiyuki Sugitani
  • Patent number: 10015542
    Abstract: A method and system are provided for securely storing and retrieving live off-disk media programs. Events delineate media segments, each of which are encrypted with a different key so as to be streamable to a remote device via digital living network alliance (DLNA) or HTTP live streaming protocols. Media segments and identifiers for managing the storage and retrieval of such media segments are compatible with live streaming data structures, obviating the need to re-encrypt data streams.
    Type: Grant
    Filed: March 14, 2014
    Date of Patent: July 3, 2018
    Assignee: ARRIS Enterprises LLC
    Inventors: Rafie Shamsaasef, William P Franks, Geetha Mangalore, Paul Moroney
  • Patent number: 9992019
    Abstract: A method includes affiliating an authentication token with user information of a user. The method further includes generating a private/public key pairing associated with the user information. The method further includes applying a share encoding function on a private key of the private/public key pairing to produce a set of encoded shares. The method further includes generating a set of random numbers and generating a set of hidden passwords based on the user information. The method further includes generating a set of encryption keys based on the set of hidden passwords and the set of random numbers. The method further includes encrypting the set of encoded shares utilizing the set of encryption keys to produce a set of encrypted shares. The method further includes outputting the set of encrypted shares to the authentication token for storage therein and outputting the set of random numbers to a set of authenticating units.
    Type: Grant
    Filed: November 30, 2015
    Date of Patent: June 5, 2018
    Assignee: International Business Machines Corporation
    Inventors: Jason K. Resch, S. Christopher Gladwin, Andrew Baptist, Thomas Franklin Shirley, Jr.
  • Patent number: 9992202
    Abstract: Certain aspects and features of the present disclosure relate to providing access control using groups that can be dynamically controlled by group owners, such access control hereinafter referred to as group access control. Group access control can be used to control the transmission of packets on a network layer, or for other access control. A network administrator can provide users with permissions, such as using user roles. Users can then establish groups to share permissions with other users. A group is established by a group owner, who can modify the member list of that group and modify what permissions will be passed on to group members all without the involvement of a network administrator. Members of a group can include users, devices, and network resources. Additionally, data path entities (e.g. routers and access points) can facilitate delivery of packets between group members across multiple logical networks.
    Type: Grant
    Filed: April 30, 2015
    Date of Patent: June 5, 2018
    Assignee: ARUBA NETWORKS, INC
    Inventors: Edward Vajravelu, Partha Narasimhan, Sachin Shamrao Sanap, Gopal Agarwal
  • Patent number: 9961057
    Abstract: Methods of securing a cryptographic device against implementation attacks are described. A disclosed method comprises the steps of obtaining a key (230) from memory of the cryptographic device; providing the key and a constant input (210) to an encryption module (240); deriving an output (250) of encrypted data bits using the encryption module (240); providing the output (250), the key (230) and an input vector (270) to a key update module (260); and using said key update module (260) to modify the key based on at least a part (270a) of the input vector (270) to derive an updated key (230a). This prevents the value of the key from being derived using the updated key or by using side-channel attacks because the input is constant for all keys. Additionally, by altering the input vector, the updated key is also altered.
    Type: Grant
    Filed: September 10, 2015
    Date of Patent: May 1, 2018
    Assignee: NXP B.V.
    Inventors: Marcel Medwed, Martin Feldhofer, Ventzislav Nikov
  • Patent number: 9942159
    Abstract: A node in a first network domain and a method performed thereby for transmitting a data packet to a VPN client in a second network domain, the node and the VPN client being part of a VPN, wherein the first and second network domain are connected by means of a third network domain are provided. The method comprises receiving, from an application server, a first packet comprising a first IP header and a payload; and determining a DCSP. The method further comprises adding a second header comprising the determined DCSP and an IP address of a VPN client resulting in a second packet and encrypting the second packet. Further the method comprises adding a third header to the encrypted second packet resulting in a third packet, the third header comprising a destination address of a node in the second network domain, and transmitting the third packet in an IP tunnel terminating at the node in the second network domain.
    Type: Grant
    Filed: January 28, 2014
    Date of Patent: April 10, 2018
    Assignee: TELEFONAKTIEBOLAGET LM ERICSSON
    Inventors: Henrik Basilier, Göran Eneroth, Michael Liljenstam, Linus Andersson, Björn Bodén, Kyösti Toivanen
  • Patent number: 9864850
    Abstract: A method of relicensing digital encrypted radio media content transmitted via a network and received by a user electronic device includes receiving a request to relicense an encrypted digital media data file included within digital encrypted radio media content. The encrypted digital media data file is retrieved from the digital encrypted radio media content stored in a memory of the user electronic device. The encrypted digital media data file is decrypted using a radio encryption key to generate an unbound digital media data file. The unbound digital media data file is bound with the user electronic device to generate a bound encrypted digital media data file. The bound encrypted digital media data file is stored in the memory of the user electronic device.
    Type: Grant
    Filed: February 11, 2014
    Date of Patent: January 9, 2018
    Assignee: Intel Corporation
    Inventor: Joshua D. Hug
  • Patent number: 9858396
    Abstract: Media content is delivered to a variety of mobile devices in a protected manner based on client-server architecture with a symmetric (private-key) encryption scheme. A media preparation server (MPS) encrypts media content and publishes and stores it on a content delivery server (CDS), such as a server in a content distribution network (CDN). Client devices can freely obtain the media content from the CDS and can also freely distribute the media content further. They cannot, however, play the content without first obtaining a decryption key and license. Access to decryption keys is via a centralized rights manager, providing a desired level of DRM control.
    Type: Grant
    Filed: December 8, 2014
    Date of Patent: January 2, 2018
    Assignee: ERICSSON AB
    Inventors: Raj Nair, Mikhail Mikhailov
  • Patent number: 9846773
    Abstract: A technique for enabling a client to provide a server entity is disclosed. In method aspects, a first method is performed in the client and comprises the steps of providing the client with a secure trusted environment, the environment being trusted by the client and by at least one third party, and accommodating, in the secure trusted environment, at least a local portion of the server entity, the server entity being configured to handle one or more server requests from the client, and data required by the server entity so as to handle the server request. A second method is performed in a server and comprises the steps of providing, for the secure trusted environment of the client, the environment being trusted by the client and by the at least one third party the at least local portion of the server entity, and the data.
    Type: Grant
    Filed: December 20, 2012
    Date of Patent: December 19, 2017
    Assignee: Telefonaktiebolaget LM Ericsson (Publ)
    Inventor: Bernard Smeets
  • Patent number: 9813337
    Abstract: Techniques for securing name resolution technologies and for ensuring that name resolution technologies can function in modern networks that have a plurality of overlay networks accessible via a single network interface. In accordance with some of the principles described herein, a set of resolution parameters may be implemented by a user to be used during a name resolution process. In some implementations, when an identifier is obtained for a network resource, the identifier may be stored in a cache with resolution parameters that were used in obtaining the identifier. When a new name resolution request is received, the cache may be examined to determine whether a corresponding second identifier is in the cache, and whether resolution parameters used to retrieve the second identifier in the cache match the resolution parameters for the new resolution request. If so, the second identifier may be returned from the cache.
    Type: Grant
    Filed: March 14, 2013
    Date of Patent: November 7, 2017
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Rob M. Trace, Libby Meren
  • Patent number: 9774631
    Abstract: A network-based appliance includes a mechanism to enable the appliance to extract itself from man-in-the-middle (MITM) processing during a client-server handshake and without interrupting that connection. The mechanism enables the appliance to decide (e.g., based on a rule match against a received server certificate) to stop performing MITM during the handshake and thus to de-insert itself transparently, i.e., without interfering or signaling to either end of the session that this operation is occurring. Once the connection is abandoned in the manner, the appliance ignores additional traffic flow and thus can free up processing resources (CPU, memory, and the like) that would otherwise be required to decrypt the connection (even if no further inspection or rewrite processing would be expected to occur).
    Type: Grant
    Filed: October 29, 2014
    Date of Patent: September 26, 2017
    Assignee: International Business Machines Corporation
    Inventors: Steven Ashley Mazur, Matthew Joseph Kubilus, Jr.
  • Patent number: 9769119
    Abstract: Methods and systems for selectively blocking, allowing and/or reformatting IPv6 headers by traversing devices are provided. According to one embodiment, reputation information regarding observed senders of Internet Protocol (IP) version 6 (IPv6) packets and packet fragments is maintained by a traversing device based on conformity or nonconformity of extension headers contained within the IPv6 packets with respect to a set of security checks performed by the traversing device. When an IPv6 packet or packet fragment is received from a particular source IP address indicated by the reputation information to be associated with one or more nonconformity issues, then dropping, rate limiting or quarantining, by the traversing device, the IPv6 packet or the packet fragment.
    Type: Grant
    Filed: December 30, 2016
    Date of Patent: September 19, 2017
    Assignee: Fortinet, Inc.
    Inventor: Thorsten Jäger
  • Patent number: 9742743
    Abstract: A management server (110) encrypts storage target data and transmits the encrypted storage target data to mobile terminals (120a, 120b). Thereafter, the management server (110) receives and decrypts the encrypted storage target data stored in the mobile terminals (120a, 120b).
    Type: Grant
    Filed: February 21, 2014
    Date of Patent: August 22, 2017
    Assignee: NS SOLUTIONS CORPORATION
    Inventors: Munehiko Sawafuji, Yasuhiro Okada
  • Patent number: 9733980
    Abstract: Techniques are described for managing virtual machines using input/output (I/O) device logging. For example, a system bus or other interface to a device may be monitored for traffic data elements. The traffic data elements may include, for example, transaction layer packets (TLPs) for communication across a PCI Express interface, or TCP/IP packets for communication over a network. These traffic data elements may be logged in an I/O device logging buffer. The I/O device logging buffer can then be used to ensure that all memory relating to a virtual machine is copied when transferring the virtual machine to another computing device. In addition, the I/O device logging buffer can be used to stop a virtual machine without waiting for the virtual machine to complete I/O processing.
    Type: Grant
    Filed: December 5, 2014
    Date of Patent: August 15, 2017
    Assignee: Amazon Technologies, Inc.
    Inventors: Asif Khan, Anthony Nicholas Liguori, Mark Bradley Davis
  • Patent number: 9729588
    Abstract: Managing Security Parameter Information (SPIs) to prevent race condition failures begins where a system negotiates SPIs along with associated expiration times, and re-negotiates new SPIs as necessary. The system prevents race conditions that would otherwise occur when both an old SPI and a new SPI are active at the same time. The system accomplishes this by managing the storage and deletion of old SPIs such that only active SPIs are stored on the system for use by a User Equipment (UE) or Proxy Call Session Control Function (P-CSCF).
    Type: Grant
    Filed: June 2, 2015
    Date of Patent: August 8, 2017
    Assignee: T-Mobile USA, Inc.
    Inventors: Kalyan Kalepu, Shujaur Mufti
  • Patent number: 9729325
    Abstract: Disclosed is a method for protecting message data. In the method, the message data is padded with padding bits generated based on a deterministic function performed on the message data. The padded message data is compressed to generate compressed data. A length of the compressed data is dependent on the padding bits. The compressed data is encrypted to generate encrypted message data.
    Type: Grant
    Filed: March 16, 2015
    Date of Patent: August 8, 2017
    Assignee: QUALCOMM Incorporated
    Inventors: David Jacobson, Billy Brumley
  • Patent number: 9705675
    Abstract: A method and system for testing the cryptographic integrity of data m comprises at least the following elements: a module transmitting a message M, said module comprising a memory for storing the parameters used to execute the steps of the method, such as the key, the public data, a transmission medium, a receiver module also comprising storage means for storing at least the same parameters as in transmission. The system may comprise storage means for storing confidential data such as the secret keys, a processor suitable for executing the steps.
    Type: Grant
    Filed: December 22, 2011
    Date of Patent: July 11, 2017
    Assignee: Thales
    Inventors: Philippe Painchault, Eric Garrido, Sandra Marcello
  • Patent number: 9660811
    Abstract: Disclosed is a method for protecting message data. In the method, the message data is padded with padding bits generated based on a deterministic function performed on the message data. The padded message data is compressed to generate compressed data. A length of the compressed data is dependent on the padding bits. The compressed data is encrypted to generate encrypted message data.
    Type: Grant
    Filed: March 16, 2015
    Date of Patent: May 23, 2017
    Assignee: QUALCOMM Incorporated
    Inventors: David Jacobson, Billy Brumley
  • Patent number: 9660863
    Abstract: A first electronic device transmits first configuration information of the first electronic device collected by a tamper-resistant chip mounted thereon and approved by a third-party device to a second electronic device over a short-distance network. The second electronic device transmits second configuration information of the second electronic device collected by a tamper-resistant chip mounted thereon and approved by the third-party device to the first electronic device over the short-distance network. The first electronic device transmits the first configuration information and the second configuration information to the second electronic device over a network. The second electronic device controls connection between the first electronic device and the second electronic device over the network based on the first configuration information and the second configuration information received from the first electronic device.
    Type: Grant
    Filed: August 7, 2013
    Date of Patent: May 23, 2017
    Assignees: FUJITSU FSAS INC., FUJITSU LIMITED
    Inventors: Kouji Sakai, Seigo Kotani
  • Patent number: 9646292
    Abstract: A method and system for distributing digital content to customers at a plurality of points of transaction that allows each content provider to use its own method of digital rights management. A master digital catalog is used to load product data from a plurality of different content providers. The catalog contents are provided to retailers and other points of transaction. A digital activation broker processes customer orders from the points of transaction and provides information that allows the customer access to the content. The content may be provided by the digital activation broker or through a third-party website. In some embodiments, a payment processor is used to process payments submitted by the customers. The digital activation broker may also void transactions and look up lost authorization codes.
    Type: Grant
    Filed: July 27, 2012
    Date of Patent: May 9, 2017
    Assignee: FOLLETT CORPORATION
    Inventors: Doug Thompson, Donald Peterson, Steve Holstad, Terry Mainiero
  • Patent number: 9641551
    Abstract: A method for routing IP packets with IPSec AH authentication is disclosed. The method includes locating overlay edge routers between private domains and their associated NAT routers. Outbound packets from a source private domain are modified by its overlay edge router to include IPSec AH authorization data computed using IP source and destination addresses that match a packet's final source and destination IP address upon final NAT translation immediately prior to delivery to a host of a destination private domain.
    Type: Grant
    Filed: August 13, 2013
    Date of Patent: May 2, 2017
    Assignee: vIPtela Inc.
    Inventor: Praveen Raju Kariyanahalli
  • Patent number: 9602403
    Abstract: A method and an apparatus for transmitting and receiving packets in a broadcasting system are provided. The present disclosure allocates a padding size field by using padding octets, and thus can increase transmission efficiency. Also, the present disclosure does not restrict the number of padding octets while maintaining compatibility with existing disclosures, and thus can carry out as much padding as desired and as necessary. In addition, the present disclosure variably allocates the padding size field depending on the number P of padding octets, and thus can increase header efficiency. Furthermore, since the number of padded octets in a header is immediately known, the size of an actual payload is known in advance, and thus rapid transmission is possible.
    Type: Grant
    Filed: January 31, 2013
    Date of Patent: March 21, 2017
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Sung-Hee Hwang, Kyung-Mo Park, Hyun-Koo Yang, Seho Myung, Sung-Oh Hwang
  • Patent number: 9584328
    Abstract: A network address includes a predefined portion that identifies a hostname, where the predefined portion is less than all of the network address. A request is received for a secure session at the network address. The hostname is identified from the predefined portion of the network address and a secure session negotiation is made including returning a digital certificate for the identified hostname.
    Type: Grant
    Filed: October 5, 2015
    Date of Patent: February 28, 2017
    Assignee: CLOUDFLARE, INC.
    Inventor: John Graham-Cumming
  • Patent number: 9584478
    Abstract: Methods and systems for selectively blocking, allowing and/or reformatting IPv6 headers by traversing devices are provided. According to one embodiment, reputation information regarding observed senders of Internet Protocol (IP) version 6 (IPv6) packets and packet fragments is maintained by a traversing device based on conformity or nonconformity of extension headers contained within the IPv6 packets with respect to a set of security checks performed by the traversing device. When an IPv6 packet or packet fragment is received from a particular source IP address indicated by the reputation information to be associated with one or more nonconformity issues, then dropping, rate limiting or quarantining, by the traversing device, the IPv6 packet or the packet fragment.
    Type: Grant
    Filed: January 25, 2016
    Date of Patent: February 28, 2017
    Assignee: Fortinet, Inc.
    Inventor: Thorsten Jäger
  • Patent number: 9571283
    Abstract: Techniques are provided to append packet handling information “in the clear” ahead of security related information in a packet to be routed over a network to optimize wide area network deployments of security-configured equipment. In one form, at a network device that performs connectionless secure communication and network routing of packets, data is received from a source device to be sent through a network to a destination device. Packet handling information is inserted in a packet that is to be used to transport the data. The packet handling information is configured to enable controlled handling of the packet in the network and is inserted in an unprotected portion of the packet. Encrypted payload data is generated from the data received from the source device. The encrypted payload data and security information are inserted in a protected portion of the packet and the packet is sent to the network.
    Type: Grant
    Filed: January 12, 2015
    Date of Patent: February 14, 2017
    Assignee: Cisco Technology, Inc.
    Inventor: Rakesh Chopra
  • Patent number: 9565056
    Abstract: An Ethernet packet switch configured to manage one or more packet tunnels includes one or more ports; forwarding circuitry communicatively coupled to the one or more ports; and processing circuitry communicatively coupled to the forwarding circuitry, wherein the one or more packet tunnels are configured over the one or more ports, wherein each of the one or more packet tunnels has an associated maintenance endpoint (MEP), and wherein the processing circuitry is configured to manage the one or more packet tunnels based on performance characteristics determined through one or more of the associated MEP, intermediate switches, and a Network Management System.
    Type: Grant
    Filed: July 22, 2015
    Date of Patent: February 7, 2017
    Assignee: Ciena Corporation
    Inventors: Eric Stewart Davison, Dackary Ronald Busch
  • Patent number: 9558218
    Abstract: An exemplary embodiment of a multi-tenant database system is provided. The system includes a multi-tenant database, an entity definition table, and a data processing engine. The database has database objects for multiple tenants, including an existing object for a designated tenant. Each entry in the existing object has a respective entity identifier. The definition table has metadata entries for the database objects, including a metadata entry for the existing object. This metadata entry has a tenant identifier for the designated tenant, an entity name for the existing object, and an old key prefix for the existing object. Each entity identifier of the existing object begins with the old key prefix. The engine performs a data truncation operation on the existing object by updating the metadata entry to replace the old key prefix with a new key prefix. This results in an updated object that is identified by the new key prefix and the tenant identifier.
    Type: Grant
    Filed: May 18, 2015
    Date of Patent: January 31, 2017
    Assignee: salesforce.com, inc.
    Inventors: Arup Dutta, Simon Wong, Dan Soble, Nathanael Black, Walter Macklem
  • Patent number: 9547777
    Abstract: An apparatus and a method for validating compressed encrypted archive keys is described. In one embodiment, a pseudo-stream is generated for an archive. The pseudo-stream is made of a small amount of random text. The pseudo-stream is attached to a stream of the archive. The pseudo-stream and stream are compressed using the compression algorithm that includes validation data. The compressed pseudo-stream is then enciphered with an archive key.
    Type: Grant
    Filed: August 29, 2008
    Date of Patent: January 17, 2017
    Assignee: Red Hat, Inc.
    Inventor: James Paul Schneider
  • Patent number: 9544276
    Abstract: A method for transmitting and receiving multimedia content having cryptoperiods scrambled by a control word includes a sender using an operating key and an encryption algorithm in a first virtual mother card to encrypt the control word to obtain a cryptogram, using a syntax constructor also in the first virtual mother card to generate an ECM that incorporates the cryptogram, and transmitting it to a terminal. The terminal receives the ECM and uses a syntax analyzer contained in a first virtual daughter card associated with the mother card to locate a position of the cryptogram CW*t in the ECM. Using an operating key of a decryption algorithm in the daughter card, it then decrypts the cryptogram. Then, using the decrypted control word, it proceeds to descramble the cryptoperiod. Meanwhile, the sender occasionally changes the virtual mother card into a different virtual mother card.
    Type: Grant
    Filed: December 16, 2011
    Date of Patent: January 10, 2017
    Assignee: Viaccess
    Inventors: Vincent Hamon, Gilles Dubroeucq
  • Patent number: 9537650
    Abstract: A digital escrow pattern for data services can include selective access for obscured data at a remote site or in a cloud service, distributing trust across multiple entities to avoid a single point of data compromise. Based on the pattern, a “trustworthy envelope” for any kind of payload enables curtained access through a variety of decorations or seals placed on the envelope that allow for a gamut of trust ranging with guarantees such as, but not limited to, confidentiality, privacy, anonymity, tamper detection, integrity, etc. Verifiable trust is provided through families of techniques that are referred to as wrapper composition. Multiple concentric and/or lateral transform wrappers or layers can wholly or partially transform data, metadata or both to mathematical transform (e.g., encrypt, distribute across storage, obscure) or otherwise introduce lack of visibility to some or all of the data, metadata or both.
    Type: Grant
    Filed: July 8, 2010
    Date of Patent: January 3, 2017
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Rahul V. Auradkar, Roy Peter D'Souza
  • Patent number: 9519808
    Abstract: Data in a portable electronic device is protected by using external and internal status detection means to determine if the device is misplaced, lost, or stolen. The device then takes, singly or in combination, one of several actions to protect the data on the device, including declaring its location to an owner or service provider, locking the device or specific functions of the device to disable all data retrieval functionality, erasing or overwriting all the stored data in the device or, where the data has been stored in the device in an encrypted format, destroying an internally-stored encryption key, thereby preventing unauthorized access to the encrypted data in the device.
    Type: Grant
    Filed: September 18, 2014
    Date of Patent: December 13, 2016
    Assignee: APPLIED MINDS, LLC
    Inventors: Bran Ferren, W. Daniel Hillis
  • Patent number: 9512659
    Abstract: An access system includes a transmitter and a receiver for exchange of secure data wherein the system uses an encryption and a decryption algorithm to exchange a secure data packet. The secure data packet may include an unencrypted data packet and an encrypted data packet. The encrypted data packet may include first data encrypted by the encryption algorithm, and data decrypted by the decryption algorithm, wherein the data decrypted by the decryption algorithm includes a combination of a secure signature and second data encrypted by the encryption algorithm.
    Type: Grant
    Filed: September 11, 2012
    Date of Patent: December 6, 2016
    Assignee: MICROCHIP TECHNOLOGY INCORPORATED
    Inventors: Vivien Delport, Michael A. Stuckey, Enrique Aleman
  • Patent number: 9509673
    Abstract: Content stored on a server may be selected using a user device and enabled on a central device. The identity of the central device may be authenticated without transmitting user credentials corresponding to the user, user device, user account, etc. A central device identifier can be sent to the server via the user device. An encrypted version of the central device identifier may be returned to the user device and to the central device. The central device can send the encrypted and unencrypted version of the identifier to the server, and the server can transmit the desired content to the remote device based on a comparison of the encrypted and unencrypted identifier.
    Type: Grant
    Filed: August 25, 2014
    Date of Patent: November 29, 2016
    Assignee: Google Inc.
    Inventors: Jason Parks, Timothy Kilbourn, Jeremy Ellington, Cyrus Phiroze Master, Joe Freeman Britt, Jr., Jeremy Lyon, Eugene Koh, Owen Daniel Otto, Michael Jonathon Chen, Jason Simmons, Dmitry Dolinsky, Jeffrey David Yaksick, Manuel Roman
  • Patent number: 9490937
    Abstract: Disclosed is a broadcast signal transmitting apparatus, a broadcast signal receiving apparatus, and a broadcast signal transceiving method in a broadcast signal transceiving apparatus.
    Type: Grant
    Filed: June 17, 2015
    Date of Patent: November 8, 2016
    Assignee: LG ELECTRONICS INC.
    Inventors: Hotaek Hong, Sangchul Moon, Joonhui Lee, Woosuk Ko
  • Patent number: 9444819
    Abstract: A secure tag generation service is associated with a cloud infrastructure. This service establishes a security context for a particular cloud tenant based on a tenant's security requirements, one or more cloud resource attributes, and the like. The security content is encoded into a data structure, such as a tag that uniquely identifies that security context. The tag is then encrypted. The encrypted tag is then propagated to one or more cloud management services, such as a logging service. When one or more cloud resources are then used, such use is associated with the encrypted security context tag. In this manner, the encrypted tag is used to monitor activities that are required to meet the security context. When it comes time to perform a security or compliance management task, any cloud system logs that reference the encrypted security context tag are correlated to generate a report for the security context.
    Type: Grant
    Filed: January 16, 2014
    Date of Patent: September 13, 2016
    Assignee: International Business Machines Corporation
    Inventors: Sridhar R. Muppidi, William Alexander Bird, Sreekanth Ramakrishna Iyer, Archana Kumar, Nataraj Nagaratnam
  • Patent number: 9444820
    Abstract: A secure tag generation service is associated with a cloud infrastructure. This service establishes a security context for a particular cloud tenant based on a tenant's security requirements, one or more cloud resource attributes, and the like. The security content is encoded into a data structure, such as a tag that uniquely identifies that security context. The tag is then encrypted. The encrypted tag is then propagated to one or more cloud management services, such as a logging service. When one or more cloud resources are then used, such use is associated with the encrypted security context tag. In this manner, the encrypted tag is used to monitor activities that are required to meet the security context. When it comes time to perform a security or compliance management task, any cloud system logs that reference the encrypted security context tag are correlated to generate a report for the security context.
    Type: Grant
    Filed: September 30, 2014
    Date of Patent: September 13, 2016
    Assignee: International Business Machines Corporation
    Inventors: Sridhar R. Muppidi, William Alexander Bird, Sreekanth Ramakrishna Iyer, Archana Kumar, Nataraj Nagaratnam
  • Patent number: 9436835
    Abstract: A transformation function that satisfies at least linearity and convolution can be used to encrypt data. The transformation function can, for example, be a DFT with one or more evaluation points that can be kept secret for encryption. The transformation function can effectively serve as a transform map and can be used to achieve fully homomorphic encryption in a system where encrypted data can be manipulated by applying one or more operations and the resulting encrypted data can be decrypted by applying the inverse of the transformation function and/or transformation map. A transformation function that satisfies at least linearity and convolution can be used for various applications, including, for example, private/public key decryption schemes, signature schemes, database query and search schemes, as well as various applications of homomorphic operations.
    Type: Grant
    Filed: January 5, 2013
    Date of Patent: September 6, 2016
    Inventor: Gokay Saldamli
  • Patent number: 9426163
    Abstract: Protecting sensitivity of information in a shared collaborative space on a computer network includes associating a set of sensitivity levels to sets of users and to sets of data elements. Access by each user to the shared collaborative space may be restricted to those data elements that have the same sensitivity level as that of the user. Where multiple users join a single session, only data elements having a lowest common sensitivity level are made accessible by the users of the session.
    Type: Grant
    Filed: March 11, 2014
    Date of Patent: August 23, 2016
    Assignee: International Business Machines Corporation
    Inventors: Lisa Seacat DeLuca, Geetika T. Lakshmanan, Michael Muller