Packet Header Designating Cryptographically Protected Data Patents (Class 713/160)
  • Publication number: 20140115325
    Abstract: The present disclosure provides protection of customer data traveling across a network. A reverse cryptographic map (also referred to herein as a reverse crypto map) can be defined for a customer, where the reverse crypto map indicates how customer data should be protected. A reverse crypto map for a customer is applied to an interface of an edge device that is coupled to that customer's private subnet (or customer-facing interface). A reverse crypto map can be configured by a network administrator on a provider edge device, or can be pushed from a key server as part of group policy. A provider edge device can protect customer data by encrypting and decrypting the customer data according to the reverse crypto map. A provider edge device can also be configured with virtual routing and forwarding (VRF) tables that can be used to forward the VPN traffic flow across a provider network.
    Type: Application
    Filed: October 24, 2012
    Publication date: April 24, 2014
    Applicant: CISCO TECHNOLOGY, INC.
    Inventors: Frederic R. P. Detienne, Pratima Sethi
  • Patent number: 8707033
    Abstract: An information processing apparatus has an authentication and key exchange processing unit, a packet selector, a content key generator, a content decryption unit to decrypt, based on the content key, the encrypted content which is included in the content packet and received following the CCI packet, a CCI set identifier management unit to manage a CCI identifier corresponding to recognizable copy control information, a CCI selector, a CCI analyzer to analyze copy control information corresponding to the CCI identifier selected by the CCI selector, a content processing unit to perform, based on an analysis result of the CCI analyzer, the receiving process on the content data corresponding to the content packet received following the CCI packet, a first communication connection unit to perform the authentication and key exchange process, and a second communication connection unit to transmit the content packet and the CCI packet.
    Type: Grant
    Filed: December 12, 2011
    Date of Patent: April 22, 2014
    Assignee: Kabushiki Kaisha Toshiba
    Inventors: Hiroshi Isozaki, Yoshinobu Fujiwara, Kunio Honsawa, Taku Kato
  • Patent number: 8706701
    Abstract: Example embodiments of the present invention provide authenticated file system that provides integrity and freshness of both data and metadata more efficiently than existing systems. The architecture of example embodiments of the present invention is natural to cloud settings involving a cloud service provider and enterprise-class tenants, thereby addressing key practical considerations, including garbage collection, multiple storage tiers, multi-layer caching, and checkpointing. Example embodiments of the present invention support a combination of strong integrity protection and practicality for large (e.g., petabyte-scale), high-throughput file systems. Further, example embodiments of the present invention support proofs of retrievability (PoRs) that let the cloud prove to the tenant efficiently at any time and for arbitrary workloads that the full file system (i.e.
    Type: Grant
    Filed: June 30, 2011
    Date of Patent: April 22, 2014
    Assignee: EMC Corporation
    Inventors: Emil P. Stefanov, Marten E. Van Dijk, Alina M. Oprea, Ari Juels
  • Patent number: 8694775
    Abstract: The present invention discloses a method for implementing a real-time data service, a real-time data service system and a mobile terminal. Said method for implementing a real-time data service includes the following steps: before encapsulating a Media Access Control Protocol Data Unit (MPDU), a Wireless Local Area Network Privacy Infrastructure (WPI) module in an Access Point (AP) needs to determine the type of the data to be encapsulated in the MPDU; if the data is a control signalling message of a real-time data service, the WPI module encrypts said data, then encapsulates the encrypted data in a data (e.g. PDU) field of the MPDU, and transmits the encapsulated data to the mobile terminal; if the data is an audio/video data message of a real-time data service, the data is not to be encrypted, but is encapsulated directly into the data (e.g. PDU) field of the MPDU in plaintext, and then transmitted to the mobile terminal.
    Type: Grant
    Filed: December 25, 2009
    Date of Patent: April 8, 2014
    Assignee: ZTE Corporation
    Inventors: Yi Hui, Xiaobing Ling
  • Patent number: 8693688
    Abstract: A method and apparatus for adaptive packet ciphering is disclosed. The apparatus can include a transceiver capable of communicating in a wireless network and specifying a packet number (PN) and an integrity check value (ICV) as separate packet data units (PDUs) in a stream of PDUs. The data between a PN-PDU and an ICV-PDU can be enciphered as a single payload of concatenated PDUs.
    Type: Grant
    Filed: September 30, 2009
    Date of Patent: April 8, 2014
    Assignee: Intel Corporation
    Inventor: David Johnston
  • Patent number: 8694789
    Abstract: A system and method for generating a non-repudiatable record of a communications data stream is provided, which is applicable to real-time and quasi-real-time data streams. A binary communication data stream is captured and segmented into defined frames. A key frame is generated for each of a number of data frames containing integrity and authentication information. The key frame is inserted into the data stream to provide an authenticated data stream.
    Type: Grant
    Filed: December 17, 2009
    Date of Patent: April 8, 2014
    Assignee: Avaya Inc.
    Inventor: Peter Chapman
  • Patent number: 8688979
    Abstract: Embodiments of the invention reduce the probability of success of a DOS attack on a node receiving packets by decreasing the probability of random collisions of packets sent by a malicious user with those sent by honest users. The probability of random collisions may be reduced in one class of embodiments of the invention by supplementing the identification field of the IP header of each transmitted packet with at least one bit from another field of the header. The probability of random collisions may be reduced in another class of embodiments of the invention by ensuring that packets sent from a transmitting IPsec node to a receiving IPsec node are not fragmented.
    Type: Grant
    Filed: March 4, 2011
    Date of Patent: April 1, 2014
    Assignees: Verizon Corporate Services Group Inc., Raytheon BBN Technologies Corp.
    Inventors: Craig Partridge, Walter Clark Milliken, David Patrick Mankins
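The abstract above turns on two facts: a 16-bit Identification field gives a spoofing attacker a realistic chance of landing a fragment on an honest datagram's reassembly slot (the ESP integrity check then fails and the honest packet is lost), and the problem disappears if ESP packets never fragment. The following is an added illustration, not code from the patent: it computes the collision probability for a given ID width, models a two-fragment reassembly cache under attack, and checks whether an ESP tunnel-mode packet fits under the path MTU. The 20-bit extended ID, the two-fragment datagram model and the AES-CBC/128-bit-ICV overhead figures are assumptions made for the example.

```python
"""Fragment-reassembly collisions as a DoS handle on IPsec receivers.

Added example (not the patent's code). Assumed: 20-bit extended ID,
two-fragment datagrams, ESP tunnel mode with 16-byte IV and 16-byte ICV.
"""
import math
import random


def collision_probability(attack_frags: int, id_bits: int) -> float:
    """Chance that one honest datagram shares its reassembly key with at
    least one of `attack_frags` spoofed fragments whose IDs are uniform
    over 2**id_bits values (src, dst and protocol spoofed to match)."""
    return 1.0 - (1.0 - 2.0 ** -id_bits) ** attack_frags


def esp_tunnel_fits(inner_len: int, path_mtu: int,
                    iv_len: int = 16, icv_len: int = 16, block: int = 16) -> bool:
    """True if an inner IP packet of inner_len bytes, ESP tunnel-encapsulated,
    stays at or below path_mtu and therefore never fragments.
    Assumed overhead: outer IPv4 20 + ESP header 8 + IV + padded
    (payload + 2-byte trailer) + ICV."""
    padded = math.ceil((inner_len + 2) / block) * block
    return 20 + 8 + iv_len + padded + icv_len <= path_mtu


class Reassembler:
    """Toy reassembly cache keyed on the Identification field only (the
    attacker spoofs src/dst/proto). Each datagram is two fragments,
    offsets 0 and 1. A completed datagram is corrupted if any of its
    fragments came from the attacker or overlapped with different bytes;
    on a real receiver that is an ESP ICV failure and the packet is lost."""

    def __init__(self):
        self.pending = {}

    def accept(self, ident, offset, data):
        """None while incomplete; else True if corrupted, False if clean."""
        entry = self.pending.setdefault(ident, {"frags": {}, "tainted": False})
        if offset in entry["frags"] and entry["frags"][offset] != data:
            entry["tainted"] = True
        entry["frags"][offset] = data
        if 0 in entry["frags"] and 1 in entry["frags"]:
            del self.pending[ident]
            return entry["tainted"] or any(
                d != b"honest" for d in entry["frags"].values())
        return None


def simulate(honest_datagrams: int, attack_frags: int, id_bits: int,
             seed: int = 7) -> int:
    """Interleave honest two-fragment datagrams with spoofed offset-0
    fragments (constructed traffic) and count honest datagrams that
    complete corrupted."""
    rng = random.Random(seed)
    events = []
    for _ in range(honest_datagrams):
        ident = rng.getrandbits(id_bits)
        events.append((ident, 0, b"honest"))
        events.append((ident, 1, b"honest"))
    for _ in range(attack_frags):
        events.append((rng.getrandbits(id_bits), 0, b"attack"))
    rng.shuffle(events)
    reasm = Reassembler()
    return sum(1 for ident, off, data in events
               if reasm.accept(ident, off, data) is True)


if __name__ == "__main__":
    for bits in (16, 20):
        print(bits, "bit ID: P(collision | 1000 attack frags) =",
              round(collision_probability(1000, bits), 5),
              "simulated corruptions:", simulate(2000, 2000, bits))
    print("1400-byte inner packet fits 1500 MTU:", esp_tunnel_fits(1400, 1500))
    print("1460-byte inner packet fits 1500 MTU:", esp_tunnel_fits(1460, 1500))
```

Adding four bits to the key cuts the per-datagram collision chance by a factor of sixteen; clamping the inner MTU so `esp_tunnel_fits` holds removes the reassembly cache from the attack surface entirely, which is the stronger of the two measures.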
  • Patent number: 8688978
    Abstract: A method of communicating in a secure communication system, comprises the steps of assembling a message at a sender, then determining a frame type, and including an indication of the frame type in a header of the message. The message is then sent to a recipient and the frame type used to perform a policy check.
    Type: Grant
    Filed: April 13, 2007
    Date of Patent: April 1, 2014
    Assignee: Certicom Corp.
    Inventor: Marinus Struik
  • Patent number: 8689332
    Abstract: An information processing apparatus provided with a first information processing unit and a second information processing unit, wherein the first information processing unit infected by a virus is cleared and normal communication restored quickly without human operation. The virus infection is quickly detected by an external virus management function device through a first communication system, a communication suspension instruction is transferred through a different second communication system having a high security level to the first information processing unit, and communication by the first communication system is disconnected. Further, anti-virus solution information is transferred to the first processing unit through the second communication system, and virus removal in the first processing unit is carried out. Further, after removal, the disconnected communication is restarted.
    Type: Grant
    Filed: September 24, 2010
    Date of Patent: April 1, 2014
    Assignee: Fujitsu Limited
    Inventor: Michito Kakie
  • Patent number: 8683568
    Abstract: Techniques for using a network analyzer device connected to a network include (a) sniffing packets traversing the network between a web-based application server and a user machine, the user machine being operated by a user, (b) analyzing the sniffed packets to extract event information relating to interaction events between the user machine and the web-based application server, and (c) sending the extracted event information to an authentication server for risk-based authentication of the user.
    Type: Grant
    Filed: September 22, 2011
    Date of Patent: March 25, 2014
    Assignee: EMC Corporation
    Inventors: Anton Khitrenovich, Oded Peer, Oleg Freylafert
  • Patent number: 8681981
    Abstract: A method and apparatus for transmitting a subset voice stream associated with a subset talk group. A voice communication device receives a session identifier from an associated data communication device engaged. The voice communication device transforms the session identifier into a session key identifier, obtains an encryption algorithm implementing a subset talk group filtering feature and a voice encryption key identifier, and combines the session key identifier with the voice encryption key identifier to generate a signaling key identifier. The voice communication device associates the signaling key identifier and an encryption algorithm identifier with the subset voice stream during transmission of the subset voice stream to a receiving voice communication device.
    Type: Grant
    Filed: December 3, 2010
    Date of Patent: March 25, 2014
    Assignee: Motorola Solutions, Inc.
    Inventors: Tyrone D. Bekiares, Peter E. Thomas, Ryan P. Ziolko
  • Patent number: 8683586
    Abstract: A fraud detection and protection method and system are disclosed. The method and system utilize a fraud detection and protection server to monitor online commercial transactions between a webserver and a client computer, and generate a risk assessment of a user associated with the client computer. The system and method further utilize a number of beacon servers geographically dispersed in an area. Each beacon server is configured to receive packet header information associated with the online commercial transactions, analyze the packet header information for authenticating information, and send the authenticating information to the fraud detection and protection server for the risk assessment.
    Type: Grant
    Filed: August 16, 2011
    Date of Patent: March 25, 2014
    Assignee: Fair Isaac Corporation
    Inventor: Theodore J. Crooks
  • Patent number: 8675870
    Abstract: There is provided an encryption apparatus including an idle data inserting unit that takes input of a frame including a fixed-length header and a variable-length payload and an encrypting unit that receives an output of the idle data inserting unit. If the length of a block to be processed, included in the payload, is less than a predetermined value, the idle data inserting unit appends idle data following the block and transmits the frame including the block padded with the idle data to the encrypting unit.
    Type: Grant
    Filed: August 31, 2007
    Date of Patent: March 18, 2014
    Assignee: Hitachi, Ltd.
    Inventors: Masaki Ohira, Norihiro Sakamoto
  • Patent number: 8677123
    Abstract: A method for improving the performance of data storage and transmission systems involves applying a transformation to one or a plurality of aligned data segment(s) prior to or subsequent to the execution of data management operations. The transformation effectively reduces the number of bits in the data segment that must be employed by the data management operation processing. Data management operations performed on a data segment may include but are not limited to cryptographic security operations and data comparison operations. Since the computation requirements of data management operations can decrease as the bit lengths of input data decrease, the transformation can reduce the latencies of data management operations in hardware or software. Furthermore, performing the transformation on a data segment does not reduce the number of bits needed to encode the data segment, thus maintaining the alignment of a plurality of data segments.
    Type: Grant
    Filed: May 26, 2006
    Date of Patent: March 18, 2014
    Assignee: Trustwave Holdings, Inc.
    Inventors: John Patrick McGregor, Jr., Matthew N. White
  • Patent number: 8676998
    Abstract: A client-server communication protocol permits the server to authenticate the client without requiring the client to authenticate the server. After establishing the half-authenticated connection, the client transmits a request and the server performs or responds accordingly. A network management system and environment where this protocol can be used is also described and claimed.
    Type: Grant
    Filed: November 29, 2007
    Date of Patent: March 18, 2014
    Assignee: Red Hat, Inc.
    Inventor: James P. Schneider
  • Patent number: 8671273
    Abstract: A method and apparatus utilizes Layered IPSEC (LES) protocol as an alternative to IPSEC for network-layer security including a modification to the Internet Key Exchange protocol. For application-level security of web browsing with acceptable end-to-end delay, the Dual-mode SSL protocol (DSSL) is used instead of SSL. The LES and DSSL protocols achieve desired end-to-end communication security while allowing the TCP and HTTP proxy servers to function correctly.
    Type: Grant
    Filed: April 15, 2011
    Date of Patent: March 11, 2014
    Assignee: The University of Maryland
    Inventors: Ayan Roy-Chowdhury, John S. Baras
  • Patent number: 8667271
    Abstract: A method and system for resolving addresses of a message, including looking up, from a source directory, a group name associated with a message address of the message; looking up, through a cache of user names mapped to user addresses, a user address for each of the looked-up user names and returning the associated user address; and addressing the message to each looked-up user address. The group address is expanded by looking up the user names for the group in the source directory, looking up the user address for each user name in the user cache, addressing the message to each looked-up user address, and transmitting the message to those addresses.
    Type: Grant
    Filed: May 29, 2009
    Date of Patent: March 4, 2014
    Assignee: Blackberry Limited
    Inventors: Pavel Shkolnikov, Ian Douglas Sangster, Andrew John Mackie
  • Patent number: 8661243
    Abstract: A method and apparatus for storing and forwarding media data in a communication network. An intermediate node disposed between a media data source node and a client node receives encrypted media data packets from the media data source node. The intermediate node stores the received media data packets in a memory for later sending to the client node, adjusts fields in the original header of each stored media data packet to create modified media data packets having a modified header, and sends adjustment information to the client node. The adjustment information allows the client node to recreate the original headers from the modified headers before decrypting the encrypted media packets with keying material already exchanged between the media data source node and the client node. The modified media data packets are then sent to the client node for decryption. This allows the intermediate node to “store and forward” SRTP data without being able to access the encrypted data content.
    Type: Grant
    Filed: June 16, 2008
    Date of Patent: February 25, 2014
    Assignee: Telefonaktiebolaget L M Ericsson (publ)
    Inventors: Rolf Blom, Karl Norrman
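The security-relevant detail in the abstract above is that the SRTP authentication tag covers the RTP header, so an intermediary that renumbers packets would normally break verification. The added example below (not Ericsson's code) shows the whole exchange: a sender protects packets, a keyless store-and-forward node rewrites sequence number and timestamp and hands the client a (delta_seq, delta_ts) adjustment, and the client restores the original header before checking the tag and decrypting. Real SRTP uses AES-CM and HMAC-SHA1-80; the HMAC-SHA256 counter keystream here is a stand-in so the example runs on the Python standard library alone. Keys, SSRC and start counters are constructed test values.

```python
"""Store-and-forward of SRTP-style packets by an intermediary without keys.

Added example, not the patent's code. HMAC-SHA256 keystream stands in
for AES-CM; keys, SSRC and counters are constructed values.
"""
import hashlib
import hmac
import struct

TAG_LEN = 10          # 80-bit tag, as in SRTP's default profile
HDR_FMT = ">BBHII"    # V/P/X/CC, M/PT, seq, timestamp, SSRC (12 bytes, no CSRCs)


def _keystream(key, ssrc, index, n):
    """Counter-mode keystream bound to (SSRC, 48-bit packet index)."""
    out = b""
    for block in range(-(-n // 32)):
        out += hmac.new(key, struct.pack(">IQI", ssrc, index, block),
                        hashlib.sha256).digest()
    return out[:n]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _tag(auth_key, header, ciphertext, roc):
    # The tag covers the RTP header: a header rewrite must be undone before verifying.
    msg = header + ciphertext + struct.pack(">I", roc)
    return hmac.new(auth_key, msg, hashlib.sha256).digest()[:TAG_LEN]


def parse_header(pkt):
    _, m_pt, seq, ts, ssrc = struct.unpack(HDR_FMT, pkt[:12])
    return m_pt, seq, ts, ssrc


class SrtpSender:
    def __init__(self, enc_key, auth_key, ssrc, seq=1000, ts=160000):
        self.enc_key, self.auth_key, self.ssrc = enc_key, auth_key, ssrc
        self.seq, self.ts, self.roc = seq, ts, 0

    def protect(self, payload, pt=0):
        header = struct.pack(HDR_FMT, 0x80, pt, self.seq, self.ts, self.ssrc)
        index = (self.roc << 16) | self.seq
        ct = _xor(payload, _keystream(self.enc_key, self.ssrc, index, len(payload)))
        pkt = header + ct + _tag(self.auth_key, header, ct, self.roc)
        self.seq = (self.seq + 1) & 0xFFFF
        if self.seq == 0:
            self.roc += 1
        self.ts = (self.ts + 160) & 0xFFFFFFFF   # one 20 ms frame at 8 kHz
        return pkt


class StoreAndForwardNode:
    """Buffers packets and replays them renumbered from its own counters.
    It holds no keys, so it can neither re-sign nor decrypt."""

    def __init__(self, first_seq, first_ts):
        self.buffer, self.seq, self.ts = [], first_seq, first_ts

    def store(self, pkt):
        self.buffer.append(pkt)

    def forward(self):
        """Return (modified_packet, adjustment) pairs; the adjustment lets
        the client rebuild the header the sender authenticated."""
        out = []
        for pkt in self.buffer:
            m_pt, seq, ts, ssrc = parse_header(pkt)
            adjustment = ((self.seq - seq) & 0xFFFF, (self.ts - ts) & 0xFFFFFFFF)
            new_header = struct.pack(HDR_FMT, pkt[0], m_pt, self.seq, self.ts, ssrc)
            out.append((new_header + pkt[12:], adjustment))
            self.seq = (self.seq + 1) & 0xFFFF
            self.ts = (self.ts + 160) & 0xFFFFFFFF
        self.buffer = []
        return out


class SrtpReceiver:
    def __init__(self, enc_key, auth_key, roc=0):
        self.enc_key, self.auth_key, self.roc = enc_key, auth_key, roc

    def unprotect(self, pkt, adjustment=(0, 0)):
        """Undo the rewrite, verify the tag over the original header, decrypt.
        Returns plaintext, or None when the tag does not verify."""
        d_seq, d_ts = adjustment
        m_pt, seq, ts, ssrc = parse_header(pkt)
        orig_seq, orig_ts = (seq - d_seq) & 0xFFFF, (ts - d_ts) & 0xFFFFFFFF
        orig_header = struct.pack(HDR_FMT, pkt[0], m_pt, orig_seq, orig_ts, ssrc)
        ct, tag = pkt[12:-TAG_LEN], pkt[-TAG_LEN:]
        if not hmac.compare_digest(_tag(self.auth_key, orig_header, ct, self.roc), tag):
            return None
        index = (self.roc << 16) | orig_seq
        return _xor(ct, _keystream(self.enc_key, ssrc, index, len(ct)))


def demo():
    enc_key, auth_key = b"constructed-enc-key", b"constructed-auth-key"
    sender = SrtpSender(enc_key, auth_key, ssrc=0x1234ABCD)
    node = StoreAndForwardNode(first_seq=1, first_ts=0)
    for i in range(4):
        node.store(sender.protect(b"frame-%d" % i))
    forwarded = node.forward()
    rx = SrtpReceiver(enc_key, auth_key)
    with_adj = [rx.unprotect(pkt, adj) for pkt, adj in forwarded]
    without_adj = [rx.unprotect(pkt) for pkt, _ in forwarded]
    return {
        "forwarded_seqs": [parse_header(pkt)[1] for pkt, _ in forwarded],
        "recovered": [p for p in with_adj if p is not None],
        "rejected_without_adjustment": sum(p is None for p in without_adj),
    }
```

The last field of `demo()` is the check a practitioner wants: a client that ignores the adjustment sees every rewritten packet fail authentication, which is exactly the property that keeps the intermediary honest, since it cannot forge a tag for the header it wrote.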
  • Publication number: 20140052983
    Abstract: A Headend system including an encoder to encode input data yielding a plurality of data packets, each of the packets having a header and a payload, a post encoding processor to identify ones of the data packets having a payload with a suspected known plaintext, and modify at least some of the identified packets, and an encryption processor to encrypt at least some of the data packets yielding encrypted data packets. Related apparatus and methods are also described.
    Type: Application
    Filed: December 18, 2012
    Publication date: February 20, 2014
    Inventors: Martin Gold, Keith Millar, Harel Cain, David Wachtfogel, Michal Devir, Max Berman, Brett Walzer
  • Patent number: 8656146
    Abstract: A secure boot processing may be accomplished on the basis of a non-volatile memory that is an integral part of the CPU and which may not be modified once a pre-boot information may be programmed into the non-volatile memory. During a reset event or a power-on event, execution may be started from the internal non-volatile memory, which may also include public decryption keys for verifying a signature of a portion of a boot routine. The verification of the respective portion of the boot routine may be accomplished by using internal random access memories, thereby avoiding external access during verification of the boot routine. Hence, a high degree of tamper resistance may be obtained, for instance, with respect to BIOS modification by exchanging BIOS chips.
    Type: Grant
    Filed: August 6, 2008
    Date of Patent: February 18, 2014
    Assignee: GLOBALFOUNDRIES Inc.
    Inventors: Ralf Findeisen, Michael Grell, Tim Edward Perley, Marc Edwin Jones, Frank Schuecke
  • Patent number: 8656163
    Abstract: The invention relates to a method for generating a session key between two communicating electronic devices not requiring any prerecorded information in one of the two devices and enabling the authentication of one of said devices. The method uses a close collaboration between a symmetrical algorithm and an asymmetrical algorithm.
    Type: Grant
    Filed: January 26, 2010
    Date of Patent: February 18, 2014
    Assignee: Gemalto SA
    Inventors: Karine Villegas, Aline Gouget, Louis Goubin, Pascal Paillier
  • Patent number: 8654675
    Abstract: An interface detection device in electronic communication with a network tester to receive network packets includes a plurality of local area network (LAN) interfaces, a signal control unit and a path distribution unit. The LAN interfaces are in electronic communication with the network tester and are electrically connected in pairs. The signal control unit provides preset test data for the LAN interfaces and controls the LAN interfaces to generate corresponding verification data. The signal control unit compares the verification data with the test data, and controls the path distribution unit to automatically figure out corresponding transmission paths. The LAN interfaces are electronically communicating with each other through the connected LAN interfaces and the transmission paths to transfer the network packets.
    Type: Grant
    Filed: August 30, 2011
    Date of Patent: February 18, 2014
    Assignee: Hon Hai Precision Industry Co., Ltd.
    Inventor: Chun-Chi Lee
  • Publication number: 20140047234
    Abstract: Described are computer-based methods and apparatuses, including computer program products, for adaptive document redaction. A container is generated comprising a set of redacted documents corresponding to an original document, each redacted document having a level of redaction corresponding to a viewing location, and a header comprising encryption information for each redacted document in the set of redacted documents. A request to view the original document is received from a requesting device. The container is transmitted to the requesting device. A request for additional encryption information for a redacted document from the set of redacted documents is received from the requesting device, wherein the redacted document comprises a level of redaction for a viewing location that is equal to a location of the requesting device. The additional encryption information is transmitted to the requesting device.
    Type: Application
    Filed: August 7, 2012
    Publication date: February 13, 2014
    Applicant: APPSENSE LIMITED
    Inventors: Anthony T. Davis, Richard J. Somerfield
  • Patent number: 8650643
    Abstract: A translator is provided for translating predetermined portions of packet header information including an address of a data packet according to a cipher algorithm keyed by a cipher key derived by a key exchanger. A mapping device is also provided for mapping the address to a host table stored in memory. If the address does not match an entry in the host table, a security device is triggered.
    Type: Grant
    Filed: September 22, 2011
    Date of Patent: February 11, 2014
    Assignees: Verizon Corporate Services Group Inc., Raytheon BBN Technologies Corp.
    Inventors: Russell Andrew Fink, Matthew Aloysius Brannigan, Shelby Alana Evans, Aswin Morgan Almeida
  • Publication number: 20140040612
    Abstract: Embodiments of a system and method for local generation of streaming content with a hint track are described. Embodiments may include receiving a first version of encrypted content comprising encrypted content samples that each include media content and non-content information. Embodiments may also include receiving a hint track including packet header information for a stream of media packets from which the media content was sourced, and offset information identifying locations of encrypted media content within the encrypted content samples. Embodiments may include generating a second version of the encrypted content for streaming, which may include, based on the information of the hint track, identifying the location of media content within the encrypted content samples.
    Type: Application
    Filed: July 31, 2012
    Publication date: February 6, 2014
    Inventors: Viswanathan Swaminathan, Sheng Wei
  • Publication number: 20140040613
    Abstract: A streaming system includes an authoring unit (2), a stream server (3) and a client terminal (5). The authoring unit generates a file composed of encrypted contents data and ancillary information at least containing the packetizing control information for generating an RTP packet, a non-encrypted codec dependent header made up of the information pertinent to the encoded contents data, and the encryption information for decrypting the encrypted contents data from packet to packet. The stream server packetizes the encrypted contents data along with at least the codec dependent header and distributes the resulting data as a stream. The client terminal refers to the codec dependent header of the received packet, re-assembles the packet, and decrypts the encrypted contents data of the re-assembled packet to generate contents data.
    Type: Application
    Filed: October 9, 2013
    Publication date: February 6, 2014
    Applicant: Sony Corporation
    Inventors: Motomasa Futagami, Tatsumi Sakaguchi, Masato Horiguchi
  • Patent number: 8646067
    Abstract: The present disclosure presents methods, systems and intermediaries which determine an encoding scheme of a uniform resource location (URL) from a plurality of encoding schemes for a clientless secure socket layer virtual private network (SSL VPN) via a proxy. An intermediary may receive a response from a server comprising a URL. The response from the server may be directed to a client via a SSL VPN session and via the intermediary. The intermediary may determine, responsive to an encoding policy, one of a transparent, opaque or encrypted encoding scheme for encoding the URL. The intermediary may rewrite the URL for transmission to the client in accordance with the determined encoding scheme.
    Type: Grant
    Filed: January 23, 2009
    Date of Patent: February 4, 2014
    Assignee: Citrix Systems, Inc.
    Inventors: Puneet Agarwal, Ravindra Nath Thakur, Anil Kumar Gavini
  • Patent number: 8645686
    Abstract: Methods, systems, and devices are disclosed for detecting encrypted Internet Protocol packet streams. The type of data within an encrypted stream of packets is inferred using an observable parameter. The observable parameter is observable despite encryption obscuring the contents of the encrypted stream of packets. A timer is established that maintains settings despite changes in the type of inferred data.
    Type: Grant
    Filed: August 8, 2012
    Date of Patent: February 4, 2014
    Assignee: AT&T Intellectual Property I, L.P.
    Inventors: Jeffrey A. Aaron, Edgar Vaughan Shrum, Jr.
  • Patent number: 8645717
    Abstract: A mechanism for creating secure storage for firmware for a computing device. A designated secure storage area holding firmware that is executable prior to a loading of an operating system for the computing device is created during a build of a ROM image. The creating marks one or more files as requiring encrypted storage and the one or more marked files are combined during the build into the designated secure storage area. The designated secure storage area is located outside the ROM image and includes, during the build of the ROM image, a reference to the designated secure storage area in a build of firmware placed in the ROM image. The reference includes a flag indicating a current encrypted status of the designated secure storage area.
    Type: Grant
    Filed: April 18, 2012
    Date of Patent: February 4, 2014
    Assignee: Insyde Software Corp.
    Inventor: Rex A. Flynn
  • Patent number: 8638762
    Abstract: A technique for maintaining network integrity is disclosed. A system according to the technique may include a wired network, a switch, and a wireless access point. The switch can be coupled to the wired network and the wireless access point can be coupled to the switch. The system may further include a forwarding database that stores a MAC address for a plurality of devices seen by the switch on the wired network. A method according to the technique may involve detecting identifying information of a device by a wireless access point. The identifying information can be compared with the MAC addresses in a forwarding database. If the device is unknown, the unknown device can be classified as rogue and countermeasures can be taken against the rogue device.
    Type: Grant
    Filed: February 8, 2006
    Date of Patent: January 28, 2014
    Assignee: Trapeze Networks, Inc.
    Inventor: Manish Tiwari
  • Patent number: 8640191
    Abstract: Code is associated to a target based on an inspection of the code. A target may be a device or a user. A number of code components may be inspected at one time and then transferred or otherwise associated to a target based on the target's profile. A code component may be a policy of an information management system.
    Type: Grant
    Filed: April 9, 2012
    Date of Patent: January 28, 2014
    Assignee: NextLabs, Inc.
    Inventor: Keng Lim
  • Patent number: 8639924
    Abstract: Disclosed are a server and a client processing a security program by using a real-time distribution method and method of controlling the server and the client. A method of controlling a server processing a security program by using a real-time key distribution method according to an exemplary embodiment of the present invention includes: analyzing a security program for transmitting the security program to a client; decomposing a code of the analyzed security program into code blocks; encrypting the code blocks by using an encryption key; changing an original header of the security program to a first header; and transmitting a packed program including the encrypted code blocks and the changed first header to the client.
    Type: Grant
    Filed: December 9, 2011
    Date of Patent: January 28, 2014
    Assignee: Electronics and Telecommunications Research Institute
    Inventor: Jong Youl Park
  • Patent number: 8634556
    Abstract: This invention allows connection of an apparatus with a low security level without lowering the security level of a network even when such apparatus issues a connection request. This invention is directed to an access point which makes wireless communications with a station using an encryption method (AES). Upon reception of a connection request message including information indicating an encryption method (WEP) that can be used by a station, the access point checks if the encryption method (WEP) recognized based on the received connection request message is different from the encryption method (AES). When it is determined that the two encryption methods are different, the access point launches a controller which makes wireless communications with the station using that encryption method (WEP).
    Type: Grant
    Filed: January 6, 2009
    Date of Patent: January 21, 2014
    Assignee: Canon Kabushiki Kaisha
    Inventor: Nobuhiro Ikeda
  • Patent number: 8635450
    Abstract: When a virtual private network (VPN) connection is made, an internet protocol (IP) packet is encrypted and encapsulated within an outer IP packet. Quality-of-service information is placed in the outer packet header that includes classifiers that refer to the encrypted packet.
    Type: Grant
    Filed: December 28, 2005
    Date of Patent: January 21, 2014
    Assignee: Intel Corporation
    Inventors: Hani Elgebaly, Farid Adrangi
  • Patent number: 8630290
    Abstract: Systems and methods can operate to use a deterministic finite automata module to classify data. In various implementations, a converter can be used to convert a classification list to a state machine operable to be executed by the deterministic finite automata module. In some implementations, the converter can be used to produce a state machine from template data, the state machine being operable to be executed by the deterministic finite automata module.
    Type: Grant
    Filed: April 15, 2011
    Date of Patent: January 14, 2014
    Assignee: ARRIS Enterprise, Inc.
    Inventors: Dwain Edward Frieh, Erich C. Arnold, Ayham Al-Banna
  • Patent number: 8631233
    Abstract: An apparatus including a key mixing circuit, an input circuit, a packet number circuit, and an encryption circuit. The key mixing circuit generates a plurality of encryption seeds, wherein each encryption seed is generated based upon a predetermined key, a transmitter address, and a corresponding value for a packet number. The input circuit receives a plurality of packets of data. The packet number circuit inserts, into each packet of data received by the input circuit, a different one of the corresponding values for a packet number. The encryption circuit encrypts each packet of data using the encryption seed that was generated based on the corresponding value for the packet number inserted into the packet of data. The key mixing circuit generates each of the plurality of encryption seeds prior to the input circuit receiving the plurality of packets of data.
    Type: Grant
    Filed: July 23, 2012
    Date of Patent: January 14, 2014
    Assignee: Marvell International Ltd.
    Inventors: Peter Loc, Rahul Kopikare
  • Patent number: 8631228
    Abstract: In a hitless manual cryptographic key refresh scheme, a state machine is independently maintained at each network node. The state machine includes a first state, a second state, and a third state. In the first state, which is the steady state, a current cryptographic key is used both for generating signatures for outgoing packets and for authenticating signatures of incoming packets. In the second state, which is entered when a new cryptographic key is provisioned, the old (i.e. formerly current) key is still used for generating signatures for outgoing packets, however one or, if necessary, both of the old key and the newly provisioned key is used for authenticating signatures of incoming packets. In the third state, the new key is used for generating signatures for outgoing packets and either one or both of the old key and new key are used for authenticating signatures of incoming packets.
    Type: Grant
    Filed: November 18, 2011
    Date of Patent: January 14, 2014
    Assignee: Rockstar Consortium US LP
    Inventors: Richard Gauvreau, Michael Aalders, Kim Edwards
  • Patent number: 8631474
    Abstract: A user's set top box (STB), or other client, executes a shell and has an application program interface (API) by which certain features of the client can be controlled. The client is in communication with a walled garden proxy server (WGPS). The client sends a request to the WGPS to access a service provided by a site in the garden. The site sends the client a message containing code calling a function in the API. The WGPS traps the message from the site and looks up the site in a table to determine the access control list (ACL) for the site. The WGPS includes the ACL in the header of the hypertext transport protocol (HTTP) message to the client. The shell receives the message and extracts the ACL. If the code lacks permission, the shell stops execution.
    Type: Grant
    Filed: May 24, 2012
    Date of Patent: January 14, 2014
    Assignee: At Home Bondholders' Liquidating Trust
    Inventors: Ralph William Brown, Milo S. Medin, Jr., Robert Keller, David Temkin
  • Patent number: 8627462
    Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for mapping security processing rules into a data structure that facilitates a more efficient processing of the security processing rules. In one aspect, a method includes receiving security processing rules, each of the security processing rules defining one or more security checks and security operations corresponding to the security checks and that are to be performed when the security checks occur; and generating from the security processing rules a mapping of security checks to security operations, the mapping including a security check entry for each security check that is defined in one or more of the security processing rules, and each security check entry being mapped to one or more security operations that the security processing rules define as corresponding to the security check.
    Type: Grant
    Filed: May 10, 2010
    Date of Patent: January 7, 2014
    Assignee: McAfee, Inc.
    Inventors: Manuel Nedbal, Girish Viswambharan, Vishwas Krishnamurthy
  • Patent number: 8627409
    Abstract: Methods, systems, and machine-readable media for disseminating security metadata from one distributed entity to another in an automated fashion are disclosed. According to one embodiment of the present invention, a computer-implemented method for distributing security metadata comprises receiving at a first service a request for security metadata, the request being received from a process associated with a second service. The method further comprises generating an identifier and security metadata for the second service, the identifier and the security metadata being unique to the second service, and storing the identifier and the security metadata in a first memory accessible to the first service. The identifier and the security metadata are then transmitted to the process associated with the second service and stored in a second memory. The second service is configured to access the security metadata stored in the second memory to encrypt a first communication and decrypt a second communication.
    Type: Grant
    Filed: May 15, 2007
    Date of Patent: January 7, 2014
    Assignee: Oracle International Corporation
    Inventor: Peifung Eric Lam
  • Patent number: 8615655
    Abstract: Methods including the steps of: upon sending an IP packet, obtaining, by a sender, a sender identity for a sender of the packet; securely tagging, by a sender, the packet with the sender identity, the packet having a plurality of fixed-length fields concatenated into a single fixed-length virtual field shared between a cryptographic hash and an identity index for supporting multiple distinct identities residing on an IP endpoint; determining, by a receiver, the sender identity by extracting it from the packet; checking, by the receiver, the packet to ensure the packet has been appropriately tagged; and enforcing a security policy, by the receiver, according to the sender identity. Preferably, the step of obtaining includes: accessing, by the sender, a server for obtaining the sender identity; and associating, by the server, the sender identity with the endpoint. Most preferably, the associating is performed using a prefix code for encoding the identities.
    Type: Grant
    Filed: January 22, 2009
    Date of Patent: December 24, 2013
    Assignee: Check Point Software Technologies, Ltd.
    Inventor: Avi Shua
  • Patent number: 8612750
    Abstract: A system and method provides secure channels for communication in a virtual universe by employing a packet interception layer for incoming and outgoing data packets. A data path is defined and is sequentially encrypted with the public keys of servers in the path. Decryption and identification of the next server occurs in a sequential manner in which the path is known only to the sender.
    Type: Grant
    Filed: August 15, 2012
    Date of Patent: December 17, 2013
    Assignee: International Business Machines Corporation
    Inventors: Kelley K. Garcia, Rick A. Hamilton, II, Richard J. Newhook, Martin S. Ramsey, Raull Rangel, James W. Seaman
  • Patent number: 8605896
    Abstract: The invention relates to a device for processing datastreams in a communications unit with two mutually-separate data-processing regions, which provide at least two separate message paths. The message paths are connected respectively to a message transmitter and a message receiver, wherein, in each message path, an encoding module is provided, which is connected both to a first data-processing region and also to a second data-processing region. Furthermore, in the second data-processing region, a distribution unit is provided, which is connected to the message paths of the first data-processing region and to all encoding modules of the corresponding message paths in order to distribute given messages in a targeted manner.
    Type: Grant
    Filed: May 21, 2008
    Date of Patent: December 10, 2013
    Assignee: Rohde & Schwarz GmbH & Co. KG
    Inventors: Boyd Buchin, Ingo Voll, Dieter Soergel
  • Patent number: 8600050
    Abstract: A method, system, and media are provided for securely communicating data. One embodiment of the method includes encrypting a data stream by way of a first algorithm; creating at least two subsets of data from the data stream by extracting one or more data portions from the encrypted data stream, thereby leaving a remaining portion and an extracted portion; communicating the remaining portion to a destination by way of a first communications channel; encrypting the extracted portion utilizing a second algorithm; communicating the encrypted extracted portion to the destination by way of a second communications channel; and providing for recombining the remaining portion and the encrypted extracted portion to facilitate recovery of the encrypted data stream.
    Type: Grant
    Filed: February 22, 2008
    Date of Patent: December 3, 2013
    Assignee: Sprint Communications Company L.P.
    Inventors: Tao Ye, Darryl Veitch, Jean C. Bolot
  • Patent number: 8601599
    Abstract: A platform security apparatus and a method thereof are capable of protecting a mobile communication terminal from an abnormal or unintended operation of an application program installed over a platform of the mobile communication terminal. An authentication key is created with respect to each function of an application program, and the authentication key and an identifier of the application program are associated with each other and stored. An authentication process is performed by comparing an authentication key and an identifier of an application program registered as function parameters with an authentication key and an identifier of the application program which have been stored, when the application program calls the function.
    Type: Grant
    Filed: August 9, 2010
    Date of Patent: December 3, 2013
    Assignee: Pantech Co., Ltd.
    Inventor: Jae-choon Park
  • Patent number: 8601262
    Abstract: In a network, a router uses some secret information combined with a cryptographic process in determination of a subnet's routing prefix. Several methods are disclosed, including using an IP suffix for prefix generation and for decryption, maintaining a pool of pseudo prefixes at the router, using public key encryption and symmetric key encryption.
    Type: Grant
    Filed: January 2, 2007
    Date of Patent: December 3, 2013
    Assignee: NTT DoCoMo Inc.
    Inventors: Muhammad Mukarram Bin Tariq, Craig B. Gentry, James Kempf, Ravi Jain, Toshiro Kawahara
  • Patent number: 8601259
    Abstract: A sentinel value is combined with a data segment, and encrypted. A digest of the encrypted combined data segment is calculated, and used in conjunction with an encryption key to generate a masked key. This masked key is then appended to the encrypted combined data segment and transmitted to an encoder. When the data segment is retrieved, the original encryption key can be recovered and used to decrypt the data segment. The sentinel value can then be extracted from the data segment and checked for integrity. The data segment can then be delivered, discarded, flagged, or otherwise handled based on the integrity of the sentinel value.
    Type: Grant
    Filed: April 14, 2010
    Date of Patent: December 3, 2013
    Assignee: Cleversafe, Inc.
    Inventor: Jason K. Resch
  • Patent number: 8588417
    Abstract: Systems and methods for broadcast and multicast retransmissions within a protected wireless communications system are described. Retransmitted broadcast or multicast frames are designated by modification of fields or subfields in the MAC header of the frame which are constituent parts of the additional authentication data used to generate encryption keys. Such modifications cause legacy receivers to disregard the retransmitted frames or render legacy receivers unable to decrypt the retransmitted frame, avoiding the generation of duplicate frames. Non-legacy receivers recognizing the modification conventions can restore the MAC header to the original state and can reconstruct the original encryption keys and decrypt the retransmitted frames. A non-legacy transmitter can retransmit a frame without the need to re-encrypt the frame.
    Type: Grant
    Filed: April 18, 2008
    Date of Patent: November 19, 2013
    Assignee: Conexant Systems, Inc.
    Inventor: Maarten Menzo Wentink
  • Patent number: 8590055
    Abstract: A digital content protection apparatus and method for digital rights management (DRM) are provided in which a content file including a plurality of content parts is imported such that a header is included which stores location information required for decoding each of the content parts. Therefore, the number of content parts constituting the content file can be recognized, and a license that is required for the use of each of the content parts can be acquired by analyzing header information without necessitating the parsing of the transport packets of the content file. Accordingly, preparation time for using content can be reduced.
    Type: Grant
    Filed: April 24, 2007
    Date of Patent: November 19, 2013
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Young-sun Yoon, Bong-seon Kim
  • Publication number: 20130305044
    Abstract: A system and method for verifying and/or geolocating network nodes in a network in attenuated environments for cyber and network security applications are disclosed. The system involves an origination network node, a destination network node, and at least one router network node. The origination network node is configured for transmitting a data packet downstream to the destination network node through at least one router network node. The data packet contains a header portion and a payload data portion. At least one of the network nodes is an enabled network node. The enabled network node(s) is configured to verify any of the network nodes that are located upstream from the enabled network node(s) by analyzing the header portion and/or the payload data portion of the data packet.
    Type: Application
    Filed: August 15, 2012
    Publication date: November 14, 2013
    Applicant: THE BOEING COMPANY
    Inventors: Gregory M. Gutt, Arun Ayyagari, David A. Whelan, Michael L. O'Connor, David G. Lawrence