Data Authentication Patents (Class 713/161)
  • Patent number: 8176328
    Abstract: A method for authenticating an operator of an AP includes: registering the operator's identity with a CA, by providing the operator's identification information and public key; creating a certificate including the foregoing; signing the certificate with the CA's private key; provisioning the AP with the signed certificate; provisioning a client with the CA's public key; sending a request from the client to the AP; generating a signature with the operator's private key; returning a reply to the client, including the AP provisioned certificate signed with the generated signature; using the client provisioned CA's public key to obtain the operator's public key from the certificate received in the reply; and, using the operator's public key obtained from the certificate received in the reply to verify the signature generated with the operator's private key and used by the AP to sign the certificate received in the reply.
    Type: Grant
    Filed: September 17, 2008
    Date of Patent: May 8, 2012
    Assignee: Alcatel Lucent
    Inventors: Shu-Lin Chen, Stanley Chow, Christophe Gustave
  • Patent number: 8171566
    Abstract: If playback devices are prohibited from playing back contents recorded in R media, there occurs a problem that it takes more time to manufacture commercial ROM media. Conversely, if playback devices are permitted to play back contents recorded in R media, there occurs a problem that copyrights might be infringed. In view of these, the aim of the present invention is to provide a content protection data processing system and a playback device capable of determining whether to permit playback of a content recorded in a recording medium, based on a medium type of the recording medium and a signature type of a signature attached to a program. This enables both the protection of the copyright of the content and the efficient manufacturing of commercial ROM media.
    Type: Grant
    Filed: February 22, 2008
    Date of Patent: May 1, 2012
    Assignee: Panasonic Corporation
    Inventors: Toshihisa Nakano, Kaoru Murase
  • Patent number: 8166558
    Abstract: Secure access to a database of upgrade data is provided by storing an encryption key value in a cable used to interconnect a first device and a second device that is associated with the database of upgrade data. The second device allows access to the database of upgrade data via the cable only when the cable is first positively authenticated by the second device through use of the encryption key value stored in the cable.
    Type: Grant
    Filed: March 23, 2007
    Date of Patent: April 24, 2012
    Assignee: Universal Electronics Inc.
    Inventors: Gerben Meijer, Patrick H. Hayes
  • Patent number: 8163035
    Abstract: This disclosure relates to interference management for a security and tracking system of an electronic device. In one embodiment, during a startup process, an electronic device executes a security program and automatically attempts to access a first web server to ascertain whether the electronic device has been reported as stolen. In response to an unsuccessful attempt to access the first web server, the electronic device may automatically attempt to access a second web server for data regarding operational status of the first web server. In response to unsuccessful attempts to access the first and second web servers, the electronic device may automatically present an interference alert to provide notification that the electronic device will be disabled if the electronic device continues to experience interference. The electronic device may be automatically disabled in response to a predetermined number of startup sequences with interference. Other embodiments are described and claimed.
    Type: Grant
    Filed: October 30, 2007
    Date of Patent: April 24, 2012
    Assignee: Softex Incorporated
    Inventors: Apurva Mahendrakumar Bhansali, Manoj Kumar Jain, Shradha Dube, Gayathri Rangarajan, Mehul Ramjibhai Patel, Rayesh Kashinath Raikar, Kamal Mansukhlal Dhanani, Ranjit Kapila, Elza Abraham Varghese, Thomas David Tucker
  • Patent number: 8166313
    Abstract: According to one embodiment of the invention, an original dump file is received from a client machine to be forwarded to a dump file recipient. The original dump file is parsed to identify certain content of the original dump file that matches certain data patterns/categories. The original dump file is anonymized by modifying the identified content according to a predetermined algorithm, such that the identified content of the original dump file is no longer exposed, generating an anonymized dump file. The anonymized dump file is then transmitted to the dump file recipient. Technical content and infrastructure of the original dump file is maintained within the anonymized dump file after the anonymization, such that a utility application designed to process the original dump file can still process the anonymized dump file without exposing the identified content of the original dump file to the dump file recipient. Other methods and apparatuses are also described.
    Type: Grant
    Filed: August 20, 2008
    Date of Patent: April 24, 2012
    Inventor: Stephen U. Fedtke
  • Patent number: 8166067
    Abstract: A storage device provides a file system to a host based on the access rights of a user determined during authentication. If the authentication does not succeed, the storage device provides to the user a file system restricted to files authorized by public access rights. If the authentication does succeed, and the user is a device owner, the storage device provides to the user the native file system. If the authentication succeeds, and the user is not a device owner, the storage device provides a file system that is restricted to files that the given user is authorized to access. Due to the internal nature of the mechanism for safeguarding files, this security measure cannot be circumvented by simply connecting the storage device to another host that does not respect the permission rules of the file system.
    Type: Grant
    Filed: December 26, 2008
    Date of Patent: April 24, 2012
    Assignee: Sandisk IL Ltd.
    Inventor: Judah Gamliel Hahn
  • Patent number: 8155623
    Abstract: Systems and methods for obtaining information from a wireless modem are provided. An information requesting device can send an information request to the wireless modem. The wireless modem authenticates the information request, obtains the requested information and provides the obtained information to the information requesting device. The information can be a current location of the wireless modem, a received signal strength, whether the wireless modem is transmitting or receiving data, whether an external device is coupled to the wireless modem, and/or the like.
    Type: Grant
    Filed: July 29, 2005
    Date of Patent: April 10, 2012
    Assignee: Nextel Communications Inc.
    Inventor: Duc Dinh Lai
  • Patent number: 8144866
    Abstract: A system and method which protects a data processing system against encryption key errors by providing redundant encryption keys stored in different locations, and providing the software with the ability to select an alternate redundant key if there is any possibility that the encryption key being used may be corrupted. In the preferred embodiment, a memory control module in the data processing device is configured to accommodate the storage of multiple (for example up to four or more) independent password/key pairs, and the control module duplicates a password key at the time of creation. The redundant passwords and encryption keys are forced into different memory slots for later retrieval if necessary. The probability of redundant keys being corrupted simultaneously is infinitesimal, so the system and method of the invention ensures that there is always an uncorrupted encryption key available.
    Type: Grant
    Filed: January 25, 2010
    Date of Patent: March 27, 2012
    Assignee: Research In Motion Limited
    Inventor: Jerrold R. Randell
  • Patent number: 8145902
    Abstract: In a multi-processor system including a plurality of processors capable of being operatively coupled to the main memory and each processor including an associated local memory, and at least one main processor operable to control access by the processors to data within the main memory and within the processors, methods and apparatus provide for: entering a secure mode of operation within at least one of the processors in which no requests initiated by others of the processors for data transfers into or out of the at least one processor are serviced, but such transfers initiated by the at least one processor are serviced subject to the access controlled by the main processing unit; and using the main processing unit to exclude access to data associated with at least one further processor by others of the processors except for the at least one processor.
    Type: Grant
    Filed: February 3, 2006
    Date of Patent: March 27, 2012
    Assignee: Sony Computer Entertainment Inc.
    Inventor: Akiyuki Hatakeyama
  • Patent number: 8141155
    Abstract: In certain implementations, systems and methods for predicting technology vulnerabilities in a network of computer devices are based on software characteristics of processes executing at the computer devices. In one preferred implementation, the system identifies processes at various computing devices within an organization, identifies software characteristics associated with the processes, applies technology controls to the software characteristics, determines risk indexes based on the modified technology control, applies administrative controls to the risk indexes, aggregates the indexes to create a risk model, determines alternative risk models, and presents the risk models for consideration and analysis by a user.
    Type: Grant
    Filed: January 26, 2011
    Date of Patent: March 20, 2012
    Assignee: Prevari
    Inventors: KoniKaye Jeschke, Devon Jorlett, James R. Cunningham
  • Patent number: 8135383
    Abstract: A method includes storing at least one user datum received from a user in a secure storage portion of a memory within a mobile communication device. Authentication information is received into the mobile communication device. The at least one user datum is transmitted from the mobile communication device to a recipient in response to entry of the authentication information, while preventing the user of the mobile communication device from reading the at least one user datum.
    Type: Grant
    Filed: July 30, 2007
    Date of Patent: March 13, 2012
    Assignee: LSI Corporation
    Inventors: Mark Andrew Bickerstaff, Yunxin Li, Graeme Kenneth Woodward
  • Patent number: 8135949
    Abstract: A method comprising distributing digital data encoding content and arranged into messages from a server to one or more client terminals through a network, each message being decodable by a decoder application on a client terminal, said method including transmitting a plurality of data packets from the server through a network through a network interface of the server, each packet including at least one header and a payload, each payload including at least part of a message, and providing each message to a first of a series of at least one service interface between two layers in a protocol stack, installed on the server, each service interface configured to add at least one packet header to the packet encoding information enabling the client to process the remainder of the packet.
    Type: Grant
    Filed: November 8, 2007
    Date of Patent: March 13, 2012
    Assignee: Irdeto Access B.V.
    Inventors: Ivan Hugh McLean, Andrew Augustine Wajs
  • Patent number: 8135950
    Abstract: Method and apparatus for managing digital certificates are described herein. In one embodiment, an encryption certificate is extracted from an email received from an owner of the encryption certificate, where the encryption certificate is issued from a trusted party other than the owner. Then the encryption certificate is associated with an entry of a directory based on an identity (ID) of the owner, where the directory provides directory services to one or more email servers. Other methods and apparatuses are also described.
    Type: Grant
    Filed: February 27, 2007
    Date of Patent: March 13, 2012
    Assignee: Red Hat, Inc.
    Inventor: Steven W. Parkinson
  • Patent number: 8136091
    Abstract: Instruction set architecture (ISA) extension support is described for control-flow integrity (CFI) and for XFI memory protection. ISA replaces CFI guard code with single instructions. ISA support is provided for XFI in the form of bounds-check instructions. Compared to software guards, hardware support for CFI and XFI increases the efficiency and simplicity of enforcement. In addition, the semantics for CFI instructions allows more precise static control-flow graph encodings than were possible with a prior software CFI implementation.
    Type: Grant
    Filed: January 31, 2007
    Date of Patent: March 13, 2012
    Assignee: Microsoft Corporation
    Inventors: Ulfar Erlingsson, Martin Abadi, Mihai-Dan Budiu
  • Patent number: 8132722
    Abstract: Systems and methods for binding a smartcard and a smartcard reader are provided. A smartcard is provisioned to store a first set of credentials for use in traditional transactions such as at a brick and mortar retail store and a second set of credentials for use when performing a transaction using a smartcard reader associated with a user such as an on-line transaction. The user smartcard reader registers with a smartcard issuer server by cryptographically authenticating a secure processor associated with the smartcard reader. As a result of the registration, the secure processor obtains a set of private keys associated with the second set of credentials. When a request for authorizing a transaction via the user's smartcard reader is received, the smartcard reader cryptographically authenticates itself to the smartcard using a private key associated with a credential to be used to authorize the transaction.
    Type: Grant
    Filed: August 9, 2010
    Date of Patent: March 13, 2012
    Assignee: Broadcom Corporation
    Inventor: Mark Buer
  • Patent number: 8135129
    Abstract: A method and a circuit for protecting a numerical quantity contained in an integrated circuit on a first number of bits, in a modular exponentiation computing of a data by the numerical quantity, including: selecting at least one second number included between the unit and said first number minus two; dividing the numerical quantity into at least two parts, a first part including, from the bit of rank null, a number of bits equal to the second number, a second part including the remaining bits; for each part of the quantity, computing a first modular exponentiation of said data by the part concerned and a second modular exponentiation of the result of the first by the number 2 exponentiated to the power of the rank of the first bit of the part concerned; and computing the product of the results of the first and second modular exponentiations.
    Type: Grant
    Filed: June 14, 2006
    Date of Patent: March 13, 2012
    Assignee: STMicroelectronics S.A.
    Inventors: Yannick Teglia, Pierre-Yvan Liardet, Alain Pomet
  • Patent number: 8131998
    Abstract: A system, apparatus and method for transparently authenticating continuous data streams. A continuous data stream is divided into data blocks. Block authentication code(s) are determined using the data in the data blocks, a hash function and a key. The block authentication code(s) are embedded into the data block(s) by adjusting the timing between the packets in the data block(s). Timing delays may be used to separate the blocks. The continuous data stream may be received and authenticated by comparing an extracted block authentication code with a new calculated content-based block authentication code.
    Type: Grant
    Filed: March 5, 2008
    Date of Patent: March 6, 2012
    Assignee: George Mason Intellectual Properties, Inc.
    Inventors: Xinyuan Wang, Songqing Chen
  • Patent number: 8127132
    Abstract: A software object is positioned in structures, such as a functional structure, location structure and order structure, where each structure consists of a hierarchy of software objects. In each structure the software object inherits security from other software objects in the hierarchy. Since the software object is inserted into multiple hierarchical structures the security of the software object is inherited from software objects in multiple hierarchical structures. The user authority to interact with a software object is, in addition to the identity of the user logged in, dependent on the inherited security of the software object. As a software object is inserted, deleted and moved in a hierarchical structure the security of the software object changes.
    Type: Grant
    Filed: September 26, 2001
    Date of Patent: February 28, 2012
    Assignee: Abb AB
    Inventors: Johann Andersson, Mikael Rudin, Thomas Pauly
  • Patent number: 8122247
    Abstract: One example embodiment of the present invention discloses a method for processing an application packet for transmission that includes breaking the application packet into a plurality of segments, creating first pseudorandom bits, and generating partial tags based on each of the plurality of segments and portions of the first pseudorandom bits associated with each of the plurality of segments. The method further includes combining the partial tags including a last partial tag associated with a last segment of the application packet to create an accumulated tag, generating an authentication tag based on the accumulated tag and second pseudorandom bits, storing the authentication tag, and transmitting the plurality of segments including the authentication tag.
    Type: Grant
    Filed: October 22, 2007
    Date of Patent: February 21, 2012
    Assignee: Alcatel Lucent
    Inventor: Sarvar Patel
  • Patent number: 8117444
    Abstract: The object of the present invention is to provide an authentication system capable of achieving suitable authentication processing while guaranteeing the maximum convenience for the customer. A first communication terminal PD1 is built into a television TV that can be connected to the Internet, and communications with an authentication control company BS are possible via the first communication terminal PD1. The authentication control company BS is, for example, a telecommunications company, and performs authentication control for a plurality of product supplier companies SP1 to SP3 according to the product purchase status on the television TV. Furthermore, the present invention simplifies the appropriate procedures by setting authentication levels for authentication control.
    Type: Grant
    Filed: June 28, 2001
    Date of Patent: February 14, 2012
    Assignee: Daita Frontier Fund, LLC
    Inventors: Sunao Takatori, Hisanori Kiyomatsu
  • Patent number: 8117226
    Abstract: A system and method for virtual folder sharing, including utilization of static and dynamic lists. Static and dynamic lists may be created as types of virtual folders. Virtual folders expose regular files and folders to users in different views based on their metadata instead of the actual physical underlying file system structure on the disk. A static list consists of a folder of items that are in a specific order, while a dynamic list gathers a set of items based on a scope and a set of criteria. When a list is shared, the actual list is left in place on the sharer's machine or server, while permission is granted to the sharee to remotely access the list and the referenced items. If the list is changed by adding or removing items, these items are also automatically re-permissioned to allow or disallow the sharee to have access to the items.
    Type: Grant
    Filed: March 6, 2009
    Date of Patent: February 14, 2012
    Assignee: Microsoft Corporation
    Inventors: Mohammed Samji, David G. De Vorchik, Ram Ramasubramanian, Chris J. Guzak, Timothy P. McKee, Nathaniel H. Ballou, Balan Sethu Raman
  • Patent number: 8117442
    Abstract: A data processor is connected to and communicating with an external device having at least one predetermined communication/authentication method. A first assigning unit assigns a first level of priority to each combination having a plurality of first type methods including a communication and authentication method. A first selecting unit selects a combination in order from the highest grade to the lowest grade of the first level. A second determining unit determines whether at least one of the plurality of the first type methods corresponds to a prescribed method. A canceling unit cancels the selection of the combination selected by the first selecting unit when the second determining unit determines that at least one of the plurality of the first type methods corresponds to the prescribed method.
    Type: Grant
    Filed: December 20, 2007
    Date of Patent: February 14, 2012
    Assignee: Brother Kogyo Kabushiki Kaisha
    Inventor: Yasuhiro Kudo
  • Patent number: 8117461
    Abstract: In a gaming environment, a method of periodically downloading dynamically generated executable modules at random intervals that perform system configuration integrity checks in a secure and verifiable manner is disclosed. The dynamically generated executable modules are created on a server machine and are themselves signed using industry standard PKI techniques, and contain a randomly chosen subset from a repertoire of proven hashing and encryption algorithms that are executed on the system to be checked to create a unique signature of the state of that system. The dynamically generated executable module returns the signature to the server machine from which it was downloaded and deletes itself from the system being checked. The next time such an executable module is downloaded, it will contain a different randomly chosen subset of hashing and encryption algorithms.
    Type: Grant
    Filed: September 13, 2006
    Date of Patent: February 14, 2012
    Assignee: IGT
    Inventors: Robert Bigelow, Jr., Dwayne A. Davis, Kirk Rader
  • Patent number: 8108905
    Abstract: A system, method, and computer-usable medium for an isolated process to control address translation. According to a preferred embodiment of the present invention, an isolation region that is accessible only to a first processing unit in a data processing system is created. A loader is executed to load a secure process in the isolation region. If the secure process is determined to be allowed to issue real mode direct memory access commands, real mode direct memory access commands are enabled to allow the secure process to issue non-translated direct memory access commands.
    Type: Grant
    Filed: October 26, 2006
    Date of Patent: January 31, 2012
    Assignee: International Business Machines Corporation
    Inventors: Charles R. Johns, Kanna Shimizu
  • Publication number: 20120023330
    Abstract: A translator is provided for translating predetermined portions of packet header information including an address of a data packet according to a cipher algorithm keyed by a cipher key derived by a key exchanger. A mapping device is also provided for mapping the address to a host table stored in memory. If the address does not match an entry in the host table, a security device is triggered.
    Type: Application
    Filed: September 22, 2011
    Publication date: January 26, 2012
    Inventors: Russell Andrew Fink, Matthew Aloysius Brannigan, Shelby Alana Evans, Aswin Morgan Almeida
  • Patent number: 8103870
    Abstract: A collaborative data transferring process can combine segments from all known servers and peer-to-peer (P2P) sources simultaneously, regardless of their native protocols. The process uses variable data block size that can be dynamically selected according to sizes provided by sources, e.g., according to the protocol of the source, and can generate hash values or validation codes on the fly so that compliance with validation techniques (if any) of other protocols is not required. The process may be classified as a P2P protocol, although it also contains centralized elements. Machine language implementations and low syntax overhead allow file exchanges over a homogeneous network with high throughput and low bandwidth consumption.
    Type: Grant
    Filed: September 12, 2007
    Date of Patent: January 24, 2012
    Assignee: Foleeo, Inc.
    Inventors: Matthew J. Clower, Vada W. Dean, Joseph E. Ross, Ryan Parman
  • Patent number: 8092224
    Abstract: According to some embodiments, systems, apparatus, methods, and articles of manufacture may provide for improved health care compliance. Embodiments may comprise, for example, identifying an occurrence of an event associated with the taking of a substance by a patient, determining output information associated with a game, and providing the output information to the patient. Some embodiments may comprise receiving a code associated with a patient, wherein the code includes encoded information that is indicative of an occurrence of an event associated with the taking of a substance by a patient, decoding the code to determine the information, determining whether the occurrence of the event is compliant with a condition associated with the taking of the substance, and providing, in the case that compliance with the condition is determined, one or more rewards to the patient.
    Type: Grant
    Filed: October 20, 2005
    Date of Patent: January 10, 2012
    Inventors: Jay S. Walker, James A. Jorasch, Patrick W. Nee, Jr., Carson C. K. Fincham, Evan Walker, David Bean, Rajivan Maniam
  • Patent number: 8095796
    Abstract: The present disclosure relates generally to content identification with so-called fingerprinting. One claim recites a method comprising: deriving fingerprint information corresponding to audio or video using a mobile user device; obtaining geographical location information associated with the mobile user device; communicating the fingerprint information and the geographical location information to a remotely located network service; and receiving a response from the remotely located service, the response being dependent on both the fingerprint information and the geographical location information. Of course, other claims and combinations are provided.
    Type: Grant
    Filed: November 27, 2007
    Date of Patent: January 10, 2012
    Assignee: Digimarc Corporation
    Inventors: William Y. Conwell, Brett A. Bradley, Geoffrey B. Rhoads
  • Patent number: 8095789
    Abstract: According to an aspect of an embodiment, a method for controlling an apparatus for transferring data from a plurality of first devices to a second device via a network, the data being transferred by using a packet, the method comprises the steps of: extracting encryption information identifying method of encryption conveyed by a packet and destination information identifying destination of the packet transmitted from one of the first devices; counting the number of kinds of the destination information extracted from packets associated with the same encryption information, respectively; and determining an unauthorized communication when the number of kinds of the encryption information is less than a predetermined value.
    Type: Grant
    Filed: August 4, 2008
    Date of Patent: January 10, 2012
    Assignee: Fujitsu Limited
    Inventors: Masahiro Komura, Masashi Mitomo
  • Patent number: 8089661
    Abstract: In a computer system in which information represented by digital data is output to plural pages of recording medium, and then information on the plural pages of recording medium is read to use digital data representing the read information, authentication information is embedded in information of a start page selected by the computer system; a page number of the start page embedded with the authentication information is notified to a user; information on the plural pages of recording medium is read, wherein the start page is positioned so as to be read first; digital data read from the plural pages of recording medium is authenticated based on the authentication information embedded in the start page; and a process for the digital data read from the plural pages of recording medium is controlled in accordance with a result of the authentication.
    Type: Grant
    Filed: June 19, 2008
    Date of Patent: January 3, 2012
    Assignee: Canon Kabushiki Kaisha
    Inventor: Ryuta Mori
  • Patent number: 8089861
    Abstract: A system processes packets in a network device and includes a memory for buffering the packets. The memory may store the packets in memory in data cells. To expedite packet processing, portions of the packet are extracted and placed in a notification, which is then used for packet processing operations, such as route lookup, policing, and accounting. The notification may also include address elements, such as address offsets, that define the locations of the data cells in memory. The address elements can be used to read the data cells from the memory when packet processing is done. If the notification cannot hold all the address elements, additional cells, indirect cells, are created for holding the remaining address elements. The indirect cells are formed in a linked list. The notification contains an address element. To prevent reading incorrect indirect cells, each indirect cell is written with a signature that is created based on the notification.
    Type: Grant
    Filed: June 20, 2008
    Date of Patent: January 3, 2012
    Assignee: Juniper Networks, Inc.
    Inventors: Rami Rahim, Pradeep Sindhu
  • Patent number: 8087074
    Abstract: A token calculates a one time password by generating a HMAC-SHA-1 value based upon a key K and a counter value C, truncating the generated HMAC-SHA-1 value modulo 10^Digit, where Digit is the number of digits in the one time password. The one time password can be validated by a validation server that calculates its own version of the password using K and its own counter value C′. If there is an initial mismatch, the validation server compensates for a lack of synchronization between counters C and C′ within a look-ahead window, whose size can be set by a parameter s.
    Type: Grant
    Filed: October 17, 2005
    Date of Patent: December 27, 2011
    Assignee: Symantec Corporation
    Inventors: Nicolas Popp, David M'Raihi, Loren Hart
  • Patent number: 8079118
    Abstract: Vehicle internetworks provide for communications among diverse electronic devices within a vehicle, and for communications among these devices and networks external to the vehicle. The vehicle internetwork comprises specific devices, software, and protocols, and provides for security for essential vehicle functions and data communications, ease of integration of new devices and services to the vehicle internetwork, and ease of addition of services linking the vehicle to external networks such as the Internet.
    Type: Grant
    Filed: October 13, 2010
    Date of Patent: December 20, 2011
    Assignee: Borgia/Cummins, LLC
    Inventors: David C. Gelvin, Lewis D. Girod, William J. Kaiser, Frederic Newberg, Gregory J. Pottie
  • Patent number: 8078867
    Abstract: A system and method that facilitates the authentication of streamed data received at a device, where authentication information is not distributed over the data stream.
    Type: Grant
    Filed: August 12, 2005
    Date of Patent: December 13, 2011
    Assignee: Research In Motion Limited
    Inventors: Michael K. Brown, David F. Tapuska, Michael S. Brown
  • Patent number: 8078689
    Abstract: Methods and apparatus for providing remote access to two or more application sessions in which authentication information associated with a user is received, a plurality of application sessions already associated with the user are identified in response to the information, and a client computer operated by the user is connected to the plurality of application sessions.
    Type: Grant
    Filed: September 21, 2009
    Date of Patent: December 13, 2011
    Assignee: Citrix Systems, Inc.
    Inventor: Bradley Pedersen
  • Patent number: 8078868
    Abstract: A cryptographic communication system and method having a first plurality of stations, each of the first plurality of stations having at least one encryption key Kj, where j is a number greater than 2, a data packet D to be viewed by each of the first plurality of stations, means for encrypting the data packet by each of the first plurality of stations to form an encrypted data packet Ej for transmission to a central processor, and means for combining each of the encrypted data packets, wherein the means for encrypting is applied in parallel to allow each of the first plurality of stations to view the contents of the data packet D prior to encrypting the data packet D.
    Type: Grant
    Filed: February 16, 2011
    Date of Patent: December 13, 2011
    Assignee: IGT
    Inventor: Bryan Wolf
  • Patent number: 8068612
    Abstract: Cryptographic systems and methods are provided in which authentication operations, digital signature operations, and encryption operations may be performed. Authentication operations may be performed using authentication information. The authentication information may be constructed using a symmetric authentication key or a public/private pair of authentication keys. Users may digitally sign data using private signing keys. Corresponding public signing keys may be used to verify user signatures. Identity-based-encryption (IBE) arrangements may be used for encrypting messages using the identity of a recipient. IBE-encrypted messages may be decrypted using appropriate IBE private keys. A smart card, universal serial bus key, or other security device having a tamper-proof enclosure may use the authentication information to obtain secret key information. Information such as IBE private key information, private signature key information, and authentication information may be stored in the tamper-proof enclosure.
    Type: Grant
    Filed: April 21, 2008
    Date of Patent: November 29, 2011
    Assignee: Voltage Security, Inc.
    Inventors: Guido Appenzeller, Terence Spies, Xavier Boyen
  • Patent number: 8068249
    Abstract: The present invention provides an image forming apparatus that includes a first system and a second system, wherein the permission/prohibition of access to a storage unit provided in the first system is controlled appropriately based on a signal transmitted from the second system, and a control method thereof. To accomplish this, the image forming apparatus of the present invention includes the first system and the second system, and permits access to the storage unit only when executing a program that includes a predetermined process to activate the apparatus using an external storage apparatus.
    Type: Grant
    Filed: June 16, 2008
    Date of Patent: November 29, 2011
    Assignee: Canon Kabushiki Kaisha
    Inventors: Hidehiko Yokoyama, So Yokomizo
  • Patent number: 8065715
    Abstract: A system and method for authenticating a user with a wireless data processing device.
    Type: Grant
    Filed: January 31, 2008
    Date of Patent: November 22, 2011
    Assignee: Microsoft Corporation
    Inventor: Jaigak Song
  • Patent number: 8064601
    Abstract: Wireless security is enforced at L1, in addition to or in lieu of other layers. AP's can switch dynamically from serving to scanning. Scanners listen for authorized frame headers. Scanners either receive, or allow authorized frames to be received, at their destination. Scanners kill unauthorized frames while they are still transmitting; scanners continue listening for and killing unauthorized frame headers until frame ending time demands their return to serving, multiplying their effectiveness. AP's include dual-mode multi-frequency omni-directional antennae, used to prevent third parties from snooping messages received at those AP's.
    Type: Grant
    Filed: March 31, 2006
    Date of Patent: November 22, 2011
    Assignee: Meru Networks
    Inventors: Senthil Palanisamy, Vaduvur Bharghavan
  • Patent number: 8060629
    Abstract: A system for managing information requests comprises a header data library accessible by a processor. The system also comprises a security module accessible by the processor. The security module is adapted to receive a request for information from a client where the request comprises header data and direct the request to a server if the request header data corresponds to the library header data.
    Type: Grant
    Filed: May 30, 2002
    Date of Patent: November 15, 2011
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventor: Neal A. Krawetz
  • Patent number: 8060939
    Abstract: A wireless network security system including a system data store capable of storing network default and configuration data, a wireless transmitter and a system processor. The system processor performs a network security method. An active defense request signal is received, typically from an intrusion detection system. The received request signal includes an indicator of an access point within the wireless computer network that is potentially compromised. In response to the received request signal, an active defense of the wireless network is triggered. The triggered active defense may be one or more of transmitting a jamming signal, transmitting a signal to introduce CRC errors, transmitting a signal to increase the difficulty associated with breaking the network encryption (typically by including in the signal packet appearing legitimate but containing randomized payloads), or transmitting a channel change request to the potentially compromised access point.
    Type: Grant
    Filed: April 23, 2008
    Date of Patent: November 15, 2011
    Assignee: AirDefense, Inc.
    Inventors: Michael T. Lynn, Scott Hrastar
  • Patent number: 8055910
    Abstract: Technologies to transfer responsibility and control over security from player makers to content authors by enabling integration of security logic and content. An exemplary optical disk (200) carries an encrypted digital video title combined with data processing operations that implement the title's security policies and decryption processes. Player devices include a processing environment (e.g., a real-time virtual machine), which plays content by interpreting its processing operations. Players also provide procedure calls to enable content code to load data from media, perform network communications, determine playback environment configurations (225), access secure non-volatile storage, submit data to CODECs for output (250), and/or perform cryptographic operations. Content can insert forensic watermarks in decoded output for tracing pirate copies.
    Type: Grant
    Filed: July 7, 2004
    Date of Patent: November 8, 2011
    Assignee: Rovi Solutions Corporation
    Inventors: Paul C. Kocher, Joshua M. Jaffe, Benjamin C. Jun, Carter C. Laren, Peter K. Pearson, Nathaniel J. Lawson
  • Patent number: 8051168
    Abstract: The present invention presents security and user account integration with remote authentication servers, (e.g., repositories not owned by the server). Integration may occur with Lightweight Directory Access Protocol (LDAP), an operating system (e.g., Microsoft Windows™ NT™) authentication, custom account repositories and others. For example, the server may synchronize associated user lists with a remote repository. In another example, the server may also make external calls to remote authentication servers to validate a user's username and password. Other information may be validated.
    Type: Grant
    Filed: June 19, 2001
    Date of Patent: November 1, 2011
    Assignee: Microstrategy, Incorporated
    Inventors: Glenn J. Boysko, William Hurwood, Benjamin Z. Li, Abhimanyu Warikoo
  • Patent number: 8051292
    Abstract: In connection with network elements in a network, enhancing security by measuring proximity between elements, that are communicating with each other, by using facilities of secure devices and secure elements in the network. In some embodiments, secured information stored in a device certificate comprises a device processing delay, and the device processing delay is used in calculating a net response time which is compared to a threshold.
    Type: Grant
    Filed: May 11, 2005
    Date of Patent: November 1, 2011
    Assignee: NDS Limited
    Inventors: Chaim D. Shen-Orr, Eliphaz Hibshoosh, Yaacov Belenky
  • Patent number: 8041945
    Abstract: A method and apparatus is described for processing of network data packets by a network processor having cipher processing cores and authentication processing cores which operate on data within the network data packets, in order to provide a one-pass ciphering and authentication processing of the network data packets.
    Type: Grant
    Filed: May 27, 2009
    Date of Patent: October 18, 2011
    Assignee: Intel Corporation
    Inventors: Jaroslaw J. Sydir, Kamal J. Koshy, Wajdi Feghali, Bradley A. Burres, Gilbert M. Wolrich
  • Patent number: 8037524
    Abstract: A system and method for guard point licensing is provided. Licensed software executing on a storage system is modified to include one or more guard points to ensure that appropriate licenses have been obtained by a customer. During initialization of a guard point, a management system obtains a first random number (R1) from the first system and passes R1 and an application specific context command to the second system. The second system returns to the management system a pass phrase and a second random number (R2), which are then forwarded to the first system. The pass phrase is a data structure identifying the system that generated the pass phrase as well as containing the application specific context command. The above steps are then repeated with the first and second systems inverted.
    Type: Grant
    Filed: June 19, 2007
    Date of Patent: October 11, 2011
    Assignee: NetApp, Inc.
    Inventors: Gokul Nadathur, Samiullah Mohammed, Aseem Vaid
  • Patent number: 8036386
    Abstract: An electronic ticket providing system capable of distributing and browsing the information relating to a ticket can be realized while maintaining the security and transferability of an IC card. The electronic ticket information is divided into formal ticket data and provisional ticket data. The formal ticket data includes authentication information for admission, ticket notation information, and authentication information for acquisition of information for a ticket owner. The provisional ticket data includes the ticket notation information, and authentication information for acquisition of information for a ticket purchase requester. The electronic ticket information is distributed from an electronic ticket vending server to a mobile telephone over a communications network. In the mobile telephone, the formal ticket data is stored in a removable storage medium such as an IC card, etc. having high security and transferability, and the provisional ticket data is stored in the internal memory.
    Type: Grant
    Filed: August 24, 2004
    Date of Patent: October 11, 2011
    Assignee: NEC Corporation
    Inventor: Toru Katayama
  • Patent number: 8036133
    Abstract: Various example embodiments are disclosed relating to efficient techniques for error detection and authentication in wireless networks. For example, according to an example embodiment, an apparatus adapted for wireless communication in a wireless network may include a processor. The processor may be configured to transmit a message including a field to provide both authentication and error detection for the message. The field may include an authenticated checksum sequence.
    Type: Grant
    Filed: March 3, 2008
    Date of Patent: October 11, 2011
    Assignee: Nokia Corporation
    Inventors: Shashikant Maheshwari, Yogesh Swami, Yousuf Saifullah
  • Patent number: 8037309
    Abstract: A portable data storage device has a non-volatile memory 3 for storing user data, an interface section 7 for receiving and transmitting data to a host, and a master control unit 1 for transferring data to and from the non-volatile memory 3. The portable data storage device further includes an integrated circuit 13 for generating a public/private key pair. The portable data storage device is arranged to transmit at least one of the keys out of the device. In different embodiments, the host can verify that the data it receives is correct, and the device can verify that the host has received the correct data.
    Type: Grant
    Filed: April 26, 2004
    Date of Patent: October 11, 2011
    Assignee: Trek 2000 International Ltd.
    Inventors: Chin Shyan Raymond Ooi, Lay Chuan Lim, Teng Pin Poo, Henry Tan