Data Authentication Patents (Class 713/161)
  • Patent number: 8336109
    Abstract: A method and apparatus for processing a Rights Object (RO) are provided. A method for upgrading the RO includes: acquiring, by a Digital Rights Management (DRM) Agent, RO related information of the RO that requires updating from a Secure Removable Media (SRM) Agent; providing, by the DRM Agent, the RO related information to a Rights Issuer (RI), and obtaining a new RO from the RI; and interacting, by the DRM Agent, with the SRM Agent to upgrade the RO that requires updating on the SRM by means of the new RO. According to the embodiments of the present invention, the DRM Agent acquires RO related information which is stored on the SRM and does not have Move rights, and interacts with the RI to move the RO out from the SRM, so as to move the RO without the Move rights out from the SRM, thus extending an application of the RO without the Move rights.
    Type: Grant
    Filed: December 28, 2010
    Date of Patent: December 18, 2012
    Assignee: Huawei Technologies Co., Ltd.
    Inventors: Renzhou Zhang, Chen Huang, Weizhong Yuan, Zhipeng Zhou
  • Patent number: 8333317
    Abstract: Access to secured services may be controlled based on the proximity of a wireless token to a computing device through which access to the secured services is obtained. An authorized user may be provided access to a service only when a wireless token assigned to the user is in the proximity of the computing device. A user's credential may be stored on an RFID token and an RFID reader may be implemented within a security boundary on the computing device. Thus, the credential may be passed to the security boundary without passing through the computing device via software messages or applications. The security boundary may be provided, in part, by incorporating the RFID reader onto the same chip as a cryptographic processing component. Once the information is received by the RFID reader it may be encrypted within the chip. As a result, the information may never be presented in the clear outside of the chip.
    Type: Grant
    Filed: September 30, 2004
    Date of Patent: December 18, 2012
    Assignee: Broadcom Corporation
    Inventors: Mark Buer, Ed Frank, Nambi Seshadri
  • Patent number: 8335917
    Abstract: In one example, a Cable Modem Termination System (CMTS) combines a value identifying itself with a cable modem Media Access Control (MAC) address stored in a provisioning request. The CMTS then relays the modified provisioning request to a provisioning server, which analyzes the value to identify a CMTS associated with the cable modem MAC address. Then, to regulate cable modem cloning or for other reasons, the provisioning server selects provisioning information for the cable modem according to the identified CMTS-MAC address association.
    Type: Grant
    Filed: August 12, 2008
    Date of Patent: December 18, 2012
    Assignee: Cisco Technology, Inc.
    Inventors: Alan Ford, Steve Lee, Jamie Zabala
  • Patent number: 8335918
    Abstract: A medium access control (MAC) frame provision method establishes security in an IEEE 802.15.4 network. A MAC frame is generated, which includes a MAC header, a payload field, and a frame check sequence (FCS) field, the payload field including relevant main data according to a frame type defined in the MAC header. A disguised decoy data sequence number (DSN) is generated and inserted into the MAC header. A real DSN, which is a corresponding transmission sequence number of the MAC frame, is generated and inserted into the payload field. The MAC frame is transmitted, including the encrypted payload field, to a counterpart node. A MAC ACK frame acknowledges reception of the transmitted MAC frame; and a DSN is compared in the received MAC ACK frame with the real DSN. An authentication of the counterpart node is performed when the received MAC ACK frame is equal to the real DSN.
    Type: Grant
    Filed: September 26, 2008
    Date of Patent: December 18, 2012
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Tae-Shik Shon, Sun-Gi Kim, Hyo-Hyun Choi
  • Patent number: 8335014
    Abstract: A test pattern containing a plurality of patches recorded using small dot patterns and large dot patterns is printed. The dot sizes arranged in the patches are different between patches. Then the test patterns are read. The detection rate and average density of additional information embedded in each large dot pattern are obtained. A large dot pattern whose detection rate and average density fall within a reference range and are closest to ideal values is determined. The average density of each small dot pattern is obtained. A small dot pattern whose average density falls within a reference range and is closest to the average density of the determined large dot pattern is determined. A copy-forgery-inhibited pattern image is generated using these dot patterns and combined with a print target image.
    Type: Grant
    Filed: May 12, 2009
    Date of Patent: December 18, 2012
    Assignee: Canon Kabushiki Kaisha
    Inventor: Mizuki Muramatsu
  • Patent number: 8327135
    Abstract: A software based wireless infrastructure system is provided. The system has a driver that communicates with the network stack and a network interface card (NIC), a station server in communication with the station driver and an 802.1X supplicant or an 802.1X authenticator. Each NIC provides station and/or access point functionality support. The driver drops packets that have been received if the packet has not been authenticated and associated. Packets that have been fragmented or encrypted are unfragmented and decrypted. An association manager is used in conjunction with a configuration table manager to associate stations and access points via management packets. A manager receives 802.1X data packets from the packet processor and sends them up to a station server that communicates with user mode applications and an 802.1X supplicant or an 802.1X authenticator that are used to authenticate and deauthenticate stations and access points. APIs are provided to enable communication between the components.
    Type: Grant
    Filed: January 23, 2007
    Date of Patent: December 4, 2012
    Assignee: Microsoft Corporation
    Inventors: Abhishek Abhishek, Arun Ayyagari, Hui Shen, Krishna Ganugapati, Jiandong Ruan
  • Patent number: 8321917
    Abstract: The first terminal apparatus includes a key information acquiring unit that acquires key information from a connection authentication server, a key information notifying unit that notifies the first user of the key information, and a connection information acquiring unit that acquires connection information from the connection authentication server. The second terminal apparatus includes a key information input unit that receives the key information transmitted to the second user and an information providing unit that provides the key information and the connection information to the connection authentication server.
    Type: Grant
    Filed: January 15, 2009
    Date of Patent: November 27, 2012
    Assignee: Sony Corporation
    Inventors: Norifumi Kikkawa, Kei Yamashita
  • Patent number: 8321678
    Abstract: A system may include a sender computing system to transmit first authentication data in association with a message, the first authentication data conforming to a first authentication mechanism, and to transmit second authentication data in association with the message, the second authentication data conforming to a second authentication mechanism. The system may also include a component to receive the first authentication data in association with the message from the sender computing system, and to receive the second authentication data in association with the message from the sender computing system.
    Type: Grant
    Filed: October 17, 2006
    Date of Patent: November 27, 2012
    Assignee: SAP AG
    Inventors: Christoph H. Hofmann, Martijn De Boer
  • Patent number: 8316234
    Abstract: A first communication device (“FCD”) is adapted to communicate with a second communication device. The FCD obtains a first key, encodes an attribute in the FCD with the first key to produce a first encoded value, and transmits the first encoded value to the second communication device. The FCD also receives a second encoded value from the second communication device. The second encoded value comprises an attribute stored in the second communication device that has been encoded with a second key. Further, the FCD encodes the second encoded value with the first key to produce a third encoded value, transmits the third encoded value to the second communication device, and receives a fourth encoded value from the second communication device. The fourth encoded value comprises the first encoded value after being encoded by the second key. The FCD determines whether the third encoded value matches the fourth encoded value.
    Type: Grant
    Filed: October 28, 2003
    Date of Patent: November 20, 2012
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Bernardo A. Huberman, Stephen P. Sorkin, Joshua R. Tyler
  • Patent number: 8316431
    Abstract: A method of performing IPsec processing of an incoming communication packet is disclosed. The method comprises determining, from a received portion of the incoming packet, if sufficient information has been received to enable the IPsec processing to be commenced, obtaining the necessary information from the received portion of the packet, and commencing IPsec processing of said packet before the entire packet has been received depending upon the obtained information.
    Type: Grant
    Filed: October 12, 2005
    Date of Patent: November 20, 2012
    Assignee: Canon Kabushiki Kaisha
    Inventor: Ashley Partis
  • Patent number: 8312556
    Abstract: An information processing apparatus includes a use restriction unit that restricts use of the information processing apparatus based on identification information stored in an identification information storage unit, and a controller. The controller is operable to update the identification information stored in the identification information storage unit, send the updated identification information to a preset mail address, by an E-mail, receive an E-mail, determine whether the received E-mail is an E-mail replying to the sent E-mail, and control the identification information storage unit to store identification information included in the received E-mail as new identification information if the received E-mail is determined to be the E-mail replying to the sent E-mail.
    Type: Grant
    Filed: September 27, 2007
    Date of Patent: November 13, 2012
    Assignee: Brother Kogyo Kabushiki Kaisha
    Inventor: Shingo Itoh
  • Patent number: 8312238
    Abstract: A microcomputer includes a CPU, a protection information storage configured to store memory protection information specifying an access permission or prohibited state to a memory space by a program executed by the CPU, a memory access control apparatus configured to determine whether or not to allow a memory access request from the CPU according to the memory protection information and a reset apparatus configured to invalidate the memory protection information stored in the protection information storage according to a reset request signal output from the CPU.
    Type: Grant
    Filed: April 18, 2007
    Date of Patent: November 13, 2012
    Assignee: RENESAS Electronics Corporation
    Inventors: Rika Ono, Hitoshi Suzuki
  • Patent number: 8311516
    Abstract: Disclosed is a system and a method for maintaining broadcasting chip information regardless of device replacement in a USIM unlock environment where broadcast information can be automatically modified in response to device replacement.
    Type: Grant
    Filed: January 15, 2008
    Date of Patent: November 13, 2012
    Assignee: SK Planet Co., Ltd
    Inventors: Jong Ho Kim, Kwang Young Kim, Chang Il Kim, Byung Seok Hwang, Min Seok Kim
  • Patent number: 8312266
    Abstract: A computer extracts the header information from an electronic mail, including an originality guarantee. The computer generates a header characterization for the header information subject to originality guarantee, and extracts message body information from the electronic mail and generates a body characterization for the message body information as well. The generated characterization set applies the header characterization and the body characterization, combined. The verification information is added to the generated characterization set for applying a signature, and characterization set is linked to electronic mail.
    Type: Grant
    Filed: July 2, 2008
    Date of Patent: November 13, 2012
    Assignee: Fujitsu Limited
    Inventors: Takashi Yoshioka, Masahiko Takenaka, Tetsuya Izu
  • Patent number: 8301894
    Abstract: A method (100) and a system (300) for applying digital signatures (206, 216, and 222) to translated content (and other content) can include a presentation device (309) and a user interface presented on the presentation device. The system can further include at least one processor (307) that operates to create (102) the user interface in a first language as part of an application, enables (104) the entering of data into the user interface and the digital signing of the data by a first user, translates (106) the user interface to at least a second language, and presents (108) the data to at least a second user using the application. A recipient device can verify (110) the digital signatures where a verification of the digital signatures independently verifies a data signature (222), a user interface signature (206), and a translated user interface signature (216).
    Type: Grant
    Filed: January 10, 2008
    Date of Patent: October 30, 2012
    Assignee: International Business Machines Corporation
    Inventor: Wayne Malkin
  • Patent number: 8296763
    Abstract: A system and method for providing Personal Cloud computing and for hosting applications and/or content may employ a network attached storage device on which virtual machine monitors (T-cups) and logical devices (Ts) are instantiated in memory. Each T may include hosted content, application modules, a server module configured to host the modules and/or content, and an interface module configured to provide access to the modules and/or content in response to detecting an authorized key. Detecting an authorized key may include communicating with a name server to determine if a T instantiated on a storage device coupled to the system is associated with a device identifier on a list of device identifiers authorized to access the module(s). The storage device may be a computer, camera, frame, phone, audio/video player, or portable storage device. The name server may be configured to authenticate Ts, define T ownership, and/or establish friend-to-friend networks between Ts.
    Type: Grant
    Filed: May 29, 2009
    Date of Patent: October 23, 2012
    Assignee: Adobe Systems Incorporated
    Inventors: Mark S. Peercy, Danny D. Loh
  • Patent number: 8295486
    Abstract: Systems, devices, and methods for outputting an alert on a mobile device to indicate the use of a weak hash function are disclosed herein. In one example embodiment, the method comprises receiving data (e.g. from a server) that identifies at least one first hash function, identifying a hash digest generated using a second hash function, determining if the second hash function is weak using the received data, and outputting an alert indicating that the second hash function is weak if it is determined that the second hash function is weak.
    Type: Grant
    Filed: September 28, 2007
    Date of Patent: October 23, 2012
    Assignee: Research In Motion Limited
    Inventors: Christopher L. Bender, Michael K. Brown, Michael S. Brown
  • Patent number: 8291235
    Abstract: A method of controlling use of a printer on a network includes providing a key to a client on the network. The key is then used to submit a print job from the client to a printer on the network.
    Type: Grant
    Filed: August 29, 2003
    Date of Patent: October 16, 2012
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Art H. Burget, Brennen W. Stollfus, Steven D. Thorne
  • Patent number: 8289970
    Abstract: Described are embodiments directed to negotiating an encapsulation mode between an initiator and a responder. As part of the negotiation of the security association, an encapsulation mode is negotiated that allows packets to be sent between the initiator and responder without encapsulation. The ability to send packets without encapsulation allows intermediaries, such as a firewall, at the responder to easily inspect the packets and implement additional features such as security filtering.
    Type: Grant
    Filed: July 17, 2009
    Date of Patent: October 16, 2012
    Assignee: Microsoft Corporation
    Inventors: Brian D. Swander, Daniel R. Simon
  • Patent number: 8281149
    Abstract: Systems and methods are disclosed for privacy-preserving flexible user-selected anonymous and pseudonymous access at a relying party (RP), mediated by an identity provider (IdP). Anonymous access is unlinkable to any previous or future accesses of the user at the RP. Pseudonymous access allows the user to associate the access to a pseudonym previously registered at the RP. A pseudonym system is disclosed. The pseudonym system allows a large number of different and unlinkable pseudonyms to be generated using only a small number of secrets held by the user. The pseudonym system can generate tokens capable of including rich semantics in both a fixed format and a free format. The tokens can be used in obtaining from the IdP, confirmation of access privilege and/or of selective partial disclosure of user characteristics required for access at the RPs. The pseudonym system and associated protocols also support user-enabled linkability between pseudonyms.
    Type: Grant
    Filed: June 23, 2009
    Date of Patent: October 2, 2012
    Assignee: Google Inc.
    Inventors: Bennet Laurie, Marcel M. Moti Yung
  • Patent number: 8278870
    Abstract: Various embodiments are described herein for a mobile communication device that authenticates a smart battery prior to use. The mobile device includes a main processor and a device memory. The device memory stores first and second portions of security information used for authentication. The smart battery includes a battery processor and a battery memory. The battery memory stores a third portion of security information used for authentication. The main processor sends an authentication request including the first portion of security information to the battery processor, and the battery processor generates a response based on the first and third portions of security information and sends the generated response to the main processor. The smart battery is authenticated if the generated response matches the second portion of security information.
    Type: Grant
    Filed: February 22, 2010
    Date of Patent: October 2, 2012
    Assignee: Research In Motion Limited
    Inventor: Herbert A. Little
  • Patent number: 8276187
    Abstract: An information processing system includes a client device and a server system. The client device executes an application program as a confidential process for performing processing based on confidential information. When a transmission request asking for transmission of confidential information is generated by the application program being executed, the client device transmits, to the server system, the transmission request and confidential process information indicating that the process in which the transmission request was generated is a confidential process. When the server system receives the transmission request and the confidential process information from the client device, the server system transmits stored confidential information in accordance with the received transmission request.
    Type: Grant
    Filed: October 5, 2009
    Date of Patent: September 25, 2012
    Assignee: NEC Corporation
    Inventor: Jun Gotou
  • Patent number: 8271804
    Abstract: An information processing device creates a hash value from an event log every time the event occurs. The information processing device generates a digital signature by encrypting the hash value with its own private key. The device transmits the signature-bound event log obtained by binding the digital signature with the event log to a log management apparatus. The log management apparatus decrypts the hash value from the event log of the received signature-bound log information using a device public key. The apparatus also generates a new hash value from the event log, verifies the coincidence of the decrypted hash value and the new hash value, and authenticates signature-bound event logs for which this coincidence has been verified. The apparatus stores signature-bound event logs that have been authenticated. Every time an event occurs, the device transmits an event log bound with a digital signature that is created using its private key.
    Type: Grant
    Filed: September 17, 2008
    Date of Patent: September 18, 2012
    Assignee: Brother Kogyo Kabushiki Kaisha
    Inventor: Yasuhiro Kudo
  • Patent number: 8271388
    Abstract: An image commercial transactions system and method, an image transfer system and method, an image distribution system and method, and a display device and method are disclosed. A reception dealer accepts the transfer of an image recorded on a recording medium in a predetermined format with a handling condition intrinsic to the image, and transfers the image with the handling condition, and an advertisement, in digital data format, and a charge accounting dealer effects an electronic charge accounting transaction for the transfer of data of the image with the handling condition and the advertisement. Accordingly, a forwarding request user is helpful in making public the advertisement by having the data of the advertisement along with the data of the image forwarded, instead of the reception dealer, whereby a transfer fee for the data of image can be made lower. Consequently, it is possible to enhance the usability for the transfer significantly.
    Type: Grant
    Filed: August 29, 2006
    Date of Patent: September 18, 2012
    Assignee: Sony Corporation
    Inventors: Hideki Toshikage, Shigeyuki Yoneyama
  • Patent number: 8266421
    Abstract: Methods and apparatuses for private electronic information exchange are described herein. In one embodiment, when electronic information is received to be delivered to a recipient, the electronic information is transmitted over an electronic network with a private routing address. The private routing address is routable within a private domain, which is a subset of the electronic network. Other methods and apparatuses are also described.
    Type: Grant
    Filed: April 22, 2004
    Date of Patent: September 11, 2012
    Assignee: Privato Security, LLC
    Inventor: George C. Sidman
  • Patent number: 8266676
    Abstract: A client platform can be verified prior to being granted access to a resource or service on a network by validating individual hardware and software components of the client platform. Digests are generated for the components of the client platform. The digests can be collected into an integrity report. An authenticator entity receives the integrity report and compares the digests with digests stored in either a local signature database, a global signature database in an integrity authority, or both. Alternatively, the digests can be collected and stored on a portable digest-collector dongle. Once digests are either validated or invalidated, an overall integrity/trust score can be generated. The overall integrity/trust score can be used to determine whether the client platform should be granted access to the resource on the network using a policy.
    Type: Grant
    Filed: December 8, 2006
    Date of Patent: September 11, 2012
    Assignee: Harris Corporation
    Inventors: Thomas Parasu Hardjono, David Maurits Bleckmann, William Wyatt Starnes, Bradley Douglas Andersen
  • Patent number: 8265509
    Abstract: A multifunctional apparatus control system includes a multifunctional apparatus, an authentication information input device, an I/F converter, and a control server.
    Type: Grant
    Filed: April 9, 2008
    Date of Patent: September 11, 2012
    Assignee: Sharp Kabushiki Kaisha
    Inventor: Makoto Sekiya
  • Patent number: 8266680
    Abstract: A client system and a server system use a Hypertext Transfer Protocol (HTTP) authentication mode preference header to negotiate an HTTP authentication mode. The client system sends an HTTP request to the server system. In response to the HTTP request, the server system sends an HTTP response to the client system. The HTTP response includes an HTTP authentication mode preference header. The HTTP authentication mode preference header indicates whether a preferred HTTP authentication mode is connection-based HTTP authentication or request-based HTTP authentication. In subsequent HTTP requests to the server system, the client system uses the HTTP authentication mode indicated by the HTTP authentication mode preference header.
    Type: Grant
    Filed: March 31, 2009
    Date of Patent: September 11, 2012
    Assignee: Microsoft Corporation
    Inventors: Rick James, Jonathan Silvera, Matthew Cox, Paul J. Leach, Anil K. Ruia, Anish V. Desai
  • Patent number: 8259940
    Abstract: This invention relates to a method for broadcasting digital data to a targeted set of reception terminals in which said data are previously scrambled by a series of control words transmitted in a conditional access control message. This method comprises the following steps: on transmission, particularise said access control message using a reversible function F for which the inverse function F⁻¹ is executable only in terminals in the targeted set, and on reception, redetermine the original access control message in each terminal in the targeted set using said inverse function.
    Type: Grant
    Filed: May 24, 2005
    Date of Patent: September 4, 2012
    Assignee: Viaccess
    Inventors: Frédéric Beun, Laurence Boudier, Pierre Roque, Bruno Tronel
  • Patent number: 8261343
    Abstract: A mobile terminal apparatus is provided to process a copyright-protected content based on rights that permit the processing of the content. The mobile terminal apparatus includes a priority information selecting unit selecting a piece of priority information associated with one of many processing conditions for the content to be processed, from among pieces of priority information for determining a priority for each of the rights. The mobile terminal apparatus also includes a right selecting unit determining a priority of each of the rights based on the selected piece of priority information, and selecting a right having a highest priority among the rights, according to the determined priority. The mobile terminal apparatus also includes a content processing unit processing the content based on the selected right.
    Type: Grant
    Filed: April 11, 2008
    Date of Patent: September 4, 2012
    Assignee: Panasonic Corporation
    Inventors: Mami Kuramitsu, Hideki Fujimori, Futoshi Nakabe
  • Patent number: 8261055
    Abstract: A first information processing apparatus encrypts data that it receives from a second information processing apparatus, and transmits the data thus encrypted to an external device. The second information processing apparatus transmits the data to the first information processing apparatus according to a data size that results after a data size being necessary for communication of the encrypted data is subtracted from a specified data size.
    Type: Grant
    Filed: June 27, 2007
    Date of Patent: September 4, 2012
    Assignee: Canon Kabushiki Kaisha
    Inventor: Masahiko Sakai
  • Patent number: 8250659
    Abstract: By arranging a redundancy means and a control means upstream from an encryption means which encrypts and decrypts the data to be stored in an external memory, the integrity of data may be ensured when the generation of redundancy information is realized by the redundancy means, and when the generation of a syndrome bit vector indicating any alteration of the data is implemented by the control means. What is preferred is a control matrix constructed from idempotent, thinly populated, circulant square sub-matrices only. By arranging redundancy and control means upstream from the encryption/decryption means, what is achieved is that both errors in the encrypted data and errors of the non-encrypted data may be proven, provided that they have occurred in the data path between the redundancy/control means and the encryption/decryption means.
    Type: Grant
    Filed: June 19, 2006
    Date of Patent: August 21, 2012
    Assignee: Infineon Technologies AG
    Inventors: Berndt Gammel, Rainer Goettfert
  • Patent number: 8250369
    Abstract: The invention relates to methods and apparatuses for acquiring a physical measurement, and for creating a cryptographic certification of that measurement, such that its value and time can be verified by a party that was not necessarily present at the measurement. The certified measurement may also include corroborative information for associating the actual physical measurement process with the certified measurement. Such corroborative information may reflect the internal or external state of the measurement certification device, as well as witness identifiers of any persons that may have been present at the measurement acquisition and certification. The certification may include a signal receiver to receive timing signals from a satellite or other external source. The external timing signals may be used to generate the time included in the certified measurement, or could be used to determine the location of the measurement certification device for inclusion in the certified measurement.
    Type: Grant
    Filed: June 24, 2009
    Date of Patent: August 21, 2012
    Assignee: Walker Digital, LLC
    Inventors: Jay S. Walker, Bruce Schneier, James A. Jorasch
  • Patent number: 8250665
    Abstract: A method for controlling a digital television (DTV) includes receiving independent space identification information recorded in a storage area of a compact wireless device and a wired equivalent privacy (WEP) key value of an access point (AP) card, receiving the WEP key value corresponding to the AP card of the DTV from a management server, and comparing the WEP key value received from the compact wireless device with the WEP key value received from the management server. If the WEP key values are identical to each other, receiving first checklist information associated with the use of the independent space from the management server, displaying the received first checklist information, and transmitting second checklist information, in which one or more elements of the displayed first checklist information is marked, to the management server.
    Type: Grant
    Filed: October 26, 2009
    Date of Patent: August 21, 2012
    Assignee: LG Electronics Inc.
    Inventors: Sang Rea Woo, Dae Jin Lim, Hak Joo Lee
  • Publication number: 20120210125
    Abstract: An encrypted traffic test system is disclosed which tests whether or not traffic involving packets over a network is encrypted, the encrypted traffic test system including: a test data acquisition portion configured to receive each of the packets on the network so as to acquire test data from the received packet; an encrypted traffic test portion configured to evaluate the test data acquired by the test data acquisition portion for randomness using a random number testing scheme and, if the test data is evaluated to have randomness, to further determine that the traffic involving the packets including the test data is encrypted traffic; and a test result display portion configured to display a test result from the encrypted traffic test portion on a test result display screen.
    Type: Application
    Filed: February 8, 2012
    Publication date: August 16, 2012
    Applicant: HITACHI, LTD.
    Inventors: Tomohiro Shigemoto, Hirofumi Nakakoji, Tetsuro Kito, Hisashi Umeki, Satoshi Takemoto, Tadashi Kaji, Satoshi Kai
  • Patent number: 8245034
    Abstract: The present invention is intended to allow distribution of personal information to be managed on the basis of not only a personal information management policy defined by a personal information producer but also management policies of all apparatuses which handle personal information when the distribution of personal information is managed between apparatuses. In its configuration, personal information generation apparatus 1 encapsulates personal information together with a transmission policy to generate a personal information capsule which is transmitted to personal information utilization apparatus 2. Personal information utilization apparatus 2 receives and holds the personal information capsule for utilization. In this event, personal information generation apparatus 1 transmits a transmission policy defined by the personal information producer. Personal information utilization apparatus 2 in turn transmits a reception policy defined by a personal information user.
    Type: Grant
    Filed: December 28, 2009
    Date of Patent: August 14, 2012
    Assignee: NEC Corporation
    Inventors: Makoto Hatakeyama, Hidehito Gomi, Shigeru Hosono, Satoru Fujita
  • Patent number: 8245032
    Abstract: An architecture for authenticating packets is provided that includes: an input 322 operable to receive a packet, the packet comprising at least one of a transport, session and presentation header portion and a transport agent 312 operable to compute a first message authentication code based on at least some of the contents of the packet and compare the first message authentication code with a second message authentication code in the at least one of a transport, session, and presentation header portion to authenticate the packet.
    Type: Grant
    Filed: March 27, 2003
    Date of Patent: August 14, 2012
    Assignee: Avaya Inc.
    Inventors: Christopher J. Donley, Robert R. Gilman, Kurt H. Haserodt, John M. Walton
  • Patent number: 8239939
    Abstract: An exemplary computer-implementable method (300) transforms information to reduce or eliminate risk of exploitation of a software service and includes receiving information (304) in response to a request, transforming the information (308) to produce transformed information and sending the transformed information (312). An exemplary firewall server (112) includes server software (144, 148) that allows the firewall server (112) to receive information from a resource (104, 108) via a network and to send information to a client computer (114) and a browser protection component (264, 268) for transforming the information to prevent exploitation of a vulnerability of browser software (154) on the client computer (114). Various other exemplary methods, devices, systems, etc., are also disclosed.
    Type: Grant
    Filed: June 27, 2006
    Date of Patent: August 7, 2012
    Assignee: Microsoft Corporation
    Inventors: John Dunagan, Opher Dubrovsky, Saher Esmeir, Charles S Reis, Jiahe Helen Wang
  • Patent number: 8234496
    Abstract: Unique digital signatures of sensitive or restricted image files are calculated and stored in a database. A hook routine hooks an open or read command when an application opens an image file in order to check for a restricted digital signature of that image file. If present, a digital watermark is added to the image before the application edits that image. A user may then modify the image. A hook routine also hooks a close or write command in order to check for a digital watermark. If present, the digital watermark is removed and a new digital signature for the revised image is calculated. The digital signature for the revised image is then uploaded to a database associated with a DLP server software product, and then pushed periodically down to endpoint DLP client products.
    Type: Grant
    Filed: March 6, 2009
    Date of Patent: July 31, 2012
    Assignee: Trend Micro, Inc.
    Inventors: Changer Ding, John Yang
  • Patent number: 8230007
    Abstract: The present invention is related to a technology for grasping the number of a plurality of terminals of a client using a Cookie in a private network in which plural terminals are shared by redirecting a session which is to be connected to a Web by analyzing a TCP/IP packet, detecting the accurate number of a plurality of terminals of a client using the Internet, and making the accurate number as a DB, and selectively permitting or blocking a connection to the Internet according to TCP/IP by using the Cookie pool information of a DB type and JOB when the users configuring and using a private network connect to the Internet at the same time.
    Type: Grant
    Filed: October 8, 2008
    Date of Patent: July 24, 2012
    Assignee: Plustech Inc.
    Inventors: Yun-Seok Lee, Jeong-Ah Kim, Kyu-Min Choi, Se-Eun Cheon, Kyoung-Pil Kong
  • Patent number: 8225089
    Abstract: The method includes the steps of receiving at the PEAD first digital data representing the transaction request. The PEAD provides information to the user regarding an ability to approve the transaction request. When the transaction request is approved by the user, the PEAD receives second digital data representing the electronic service authorization token. A remote agent server may provide a bridge between the electronic transaction system and the PEAD. In another embodiment, the private key is stored on the portable device, encrypted. The decryption key is stored outside of the device, at a trusted 3rd party location. When the user attempts to make a signature, the software sends a request for the decryption key, along with the user's password or pass phrase keyed in at the keyboard of the PDA, smart phone, or cell phone, to a server belonging to the trusted 3rd party.
    Type: Grant
    Filed: February 23, 2001
    Date of Patent: July 17, 2012
    Assignee: Otomaku Properties Ltd., L.L.C.
    Inventors: Ynjiun P. Wang, Joshua C. Ding, James A. Grizzard
  • Patent number: 8225090
    Abstract: Provided is a method of inserting authentication code into a data packet. The method includes determining whether to insert authentication code into a data packet based on at least one of an importance of the data packet and a type of the data packet, and inserting the authentication code into the data packet based on a result of the determining.
    Type: Grant
    Filed: October 17, 2007
    Date of Patent: July 17, 2012
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Yong-kuk You, Yao Jun, Choong-hoon Lee
  • Patent number: 8218769
    Abstract: An encrypted communication system is provided, in which an encryption key for use in encrypted communication and settings information for the encrypted communication are distributed to each of a plurality of communication devices performing encrypted communication within a group, and in which traffic generated by distributing the encryption key and the like can be reduced. In the encrypted communication system according to the present invention, information including a key for use in the intra-group encrypted communication or a seed which generates the key is distributed to the communication devices belonging to the group that are participating (e.g., logged in) in the intra-group encrypted communication.
    Type: Grant
    Filed: February 28, 2007
    Date of Patent: July 10, 2012
    Assignee: Hitachi, Ltd.
    Inventors: Osamu Takata, Tadashi Kaji, Takahiro Fujishiro, Kazuyoshi Hoshino, Keisuke Takeuchi
  • Patent number: 8218763
    Abstract: A method for electronically storing and retrieving at a later date a true copy of a document stored on a remote storage device comprises: sending a document in electronic format from a document owner's computing device to a store entity for storing the document; generating a digest of the document while the document is at the store entity by applying a hash function to the document; signing the digest electronically with a key while said document is at the store entity; generating a receipt that includes the digest and the key; sending the receipt to the document owner; and verifying, at the document owner's computing device, that the received receipt corresponds to the document sent from the owner's computing device.
    Type: Grant
    Filed: April 22, 2009
    Date of Patent: July 10, 2012
    Assignee: International Business Machines Corporation
    Inventor: John G. Rooney
  • Patent number: 8214646
    Abstract: Systems, devices, and methods for modifying a signed bundle and verifying the modified bundle are disclosed. A signed bundle may be modified by removing a file specified in a server file list from a plurality of files in the bundle. The signed bundle comprises a catalog of files in the signed bundle and their associated hashes. The modified bundle includes the remaining files of the signed bundle that are not specified in the server file list, the catalog file of the signed bundle, and the catalog signature of the signed bundle. The modified bundle may be verified by verifying the catalog signature of the modified signed bundle, and checking that the files specified in the catalog are either in the modified signed bundle or specified in the server file list. The hashes of the files in the modified signed bundle may also be checked to verify the modified signed bundle.
    Type: Grant
    Filed: May 6, 2008
    Date of Patent: July 3, 2012
    Assignee: Research In Motion Limited
    Inventors: Alexander Sherkin, Michael Brown
  • Patent number: 8214876
    Abstract: Routing and connectivity in the Internet is largely governed by the dynamics and configuration of the Border Gateway Protocol (BGP). A configuration analysis toolkit enables network operators to discover, analyze and diagnose their BGP configuration, policies and peering relationships. Statistical variance analysis in such a toolkit exploits the recurrence of policies in large networks for analysis. In a large network, policies that have similar functions are examined, e.g. all inbound route maps associated with customer autonomous systems. For n occurrences of similar policy P, it is possible to flag k deviant configurations, and evaluate the probability that the deviant configurations are in error.
    Type: Grant
    Filed: November 30, 2006
    Date of Patent: July 3, 2012
    Assignee: Telcordia Technologies, Inc.
    Inventor: Ravichander Vaidyanathan
  • Patent number: 8204216
    Abstract: A method for processing an application packet for transmission includes receiving a plurality of segments of the application packet in a byte stream, the byte stream including a plurality of blocks, creating a plurality of superblocks within the byte stream by grouping a number of the plurality of blocks within the byte stream, and creating first pseudorandom bits for the plurality of superblocks. The method also includes determining a block number and a superblock number for a beginning of each of the plurality of segments, and determining a block number and a superblock number for an ending of each of the plurality of segments in the byte stream.
    Type: Grant
    Filed: November 16, 2007
    Date of Patent: June 19, 2012
    Assignee: Alcatel Lucent
    Inventor: Sarvar Patel
  • Patent number: 8205075
    Abstract: Provided is an authentication system capable of identifying a cause of a failure when authentication fails. A data structure of data to be authenticated has a header authentication data area (D2), and an authentication data area (D4) in addition to a header area (D1) and a data area (D3). The header authentication data area (D2) authenticates validity of the header area (D1), and the authentication data area (D4) authenticates the validity of the header authentication data area (D2) and the data area (D3). Since two kinds of authentication are carried out, the cause of the failure in authentication can be identified easily when authentication fails.
    Type: Grant
    Filed: March 23, 2005
    Date of Patent: June 19, 2012
    Assignee: Sony Computer Entertainment Inc.
    Inventors: Shiho Moriai, Muneki Shimada, Kyoji Shibutani
  • Patent number: 8200969
    Abstract: An embodiment of the invention provides an apparatus and method for data verification by challenge. The apparatus and method perform acts including: sending a hash value of a data piece in a sender; if the hash value matches a stored hash value in a receiver, then sending a challenge from the receiver to the sender; sending a sample data set from the data piece in the sender, wherein the sample data set is determined by a window that is identified by the challenge; comparing the sample data set with a data set that is overlapped by the window for a stored data piece in the receiver; and performing a response based on the comparison of the sample data set and the stored data set that is overlapped by the window for the stored data piece.
    Type: Grant
    Filed: January 31, 2008
    Date of Patent: June 12, 2012
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventor: Thomas Vachuska
  • Patent number: 8200962
    Abstract: According to one general aspect, a method of managing a web browser extension by an apparatus may include executing, by a processor included by the apparatus, a web browser. The method may include installing on the apparatus, via the web browser, a web browser extension. In one embodiment, the web browser extension may include at least one web page configured to alter the functionality of the web browser, and a substantially unique identifier (UID) based upon a public encryption key. The method may further include launching, via the web browser, the web browser extension based upon the substantially unique identifier.
    Type: Grant
    Filed: September 27, 2011
    Date of Patent: June 12, 2012
    Assignee: Google Inc.
    Inventors: Aaron Boodman, Erik Kay, Rafael Weinstein, Matthew Perry, Antony Sargent