Data Authentication Patents (Class 713/161)
  • Patent number: 8078689
    Abstract: Methods and apparatus for providing remote access to two or more application sessions in which authentication information associated with a user is received, a plurality of application sessions already associated with the user are identified in response to the information, and a client computer operated by the user is connected to the plurality of application sessions.
    Type: Grant
    Filed: September 21, 2009
    Date of Patent: December 13, 2011
    Assignee: Citrix Systems, Inc.
    Inventor: Bradley Pedersen
  • Patent number: 8068612
    Abstract: Cryptographic systems and methods are provided in which authentication operations, digital signature operations, and encryption operations may be performed. Authentication operations may be performed using authentication information. The authentication information may be constructed using a symmetric authentication key or a public/private pair of authentication keys. Users may digitally sign data using private signing keys. Corresponding public signing keys may be used to verify user signatures. Identity-based-encryption (IBE) arrangements may be used for encrypting messages using the identity of a recipient. IBE-encrypted messages may be decrypted using appropriate IBE private keys. A smart card, universal serial bus key, or other security device having a tamper-proof enclosure may use the authentication information to obtain secret key information. Information such as IBE private key information, private signature key information, and authentication information may be stored in the tamper-proof enclosure.
    Type: Grant
    Filed: April 21, 2008
    Date of Patent: November 29, 2011
    Assignee: Voltage Security, Inc.
    Inventors: Guido Appenzeller, Terence Spies, Xavier Boyen
  • Patent number: 8068249
    Abstract: The present invention provides an image forming apparatus that includes a first system and a second system, wherein the permission/prohibition of access to a storage unit provided in the first system is controlled appropriately based on a signal transmitted from the second system, and a control method thereof. To accomplish this, the image forming apparatus of the present invention includes the first system and the second system, and permits access to the storage unit only when executing a program that includes a predetermined process to activate the apparatus using an external storage apparatus.
    Type: Grant
    Filed: June 16, 2008
    Date of Patent: November 29, 2011
    Assignee: Canon Kabushiki Kaisha
    Inventors: Hidehiko Yokoyama, So Yokomizo
  • Patent number: 8065715
    Abstract: A system and method for authenticating a user with a wireless data processing device.
    Type: Grant
    Filed: January 31, 2008
    Date of Patent: November 22, 2011
    Assignee: Microsoft Corporation
    Inventor: Jaigak Song
  • Patent number: 8064601
    Abstract: Wireless security is enforced at L1, in addition to or in lieu of other layers. AP's can switch dynamically from serving to scanning. Scanners listen for authorized frame headers. Scanners either receive, or allow authorized frames to be received, at their destination. Scanners kill unauthorized frames while they are still transmitting; scanners continue listening for and killing unauthorized frame headers until frame ending time demands their return to serving, multiplying their effectiveness. AP's include dual-mode multi-frequency omni-directional antennae, used to prevent third parties from snooping messages received at those AP's.
    Type: Grant
    Filed: March 31, 2006
    Date of Patent: November 22, 2011
    Assignee: Meru Networks
    Inventors: Senthil Palanisamy, Vaduvur Bharghavan
  • Patent number: 8060629
    Abstract: A system for managing information requests comprises a header data library accessible by a processor. The system also comprises a security module accessible by the processor. The security module is adapted to receive a request for information from a client where the request comprises header data and direct the request to a server if the request header data corresponds to the library header data.
    Type: Grant
    Filed: May 30, 2002
    Date of Patent: November 15, 2011
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventor: Neal A. Krawetz
  • Patent number: 8060939
    Abstract: A wireless network security system including a system data store capable of storing network default and configuration data, a wireless transmitter and a system processor. The system processor performs a network security method. An active defense request signal is received, typically from an intrusion detection system. The received request signal includes an indicator of an access point within the wireless computer network that is potentially compromised. In response to the received an active defense of the wireless network is triggered. The triggered active defense may be one or more of transmitting a jamming signal, transmitting a signal to introduce CRC errors, transmitting a signal to increase the difficulty associated with breaking the network encryption (typically by including in the signal packet appearing legitimate but containing randomized payloads), or transmitting a channel change request to the potentially compromised access point.
    Type: Grant
    Filed: April 23, 2008
    Date of Patent: November 15, 2011
    Assignee: AirDefense, Inc.
    Inventors: Michael T. Lynn, Scott Hrastar
  • Patent number: 8055910
    Abstract: Technologies to transfer responsibility and control over security from player makers to content authors by enabling integration of security logic and content. An exemplary optical disk (200) carries an encrypted digital video title combined with data processing operations that implement the title's security policies and decryption processes. Player devices include a processing environment (e.g., a real-time virtual machine), which plays content by interpreting its processing operations. Players also provide procedure calls to enable content code to load data from media, perform network communications, determine playback environment configurations (225), access secure non-volatile storage, submit data to CODECs for output (250), and/or perform cryptographic operations. Content can insert forensic watermarks in decoded output for tracing pirate copies.
    Type: Grant
    Filed: July 7, 2004
    Date of Patent: November 8, 2011
    Assignee: Rovi Solutions Corporation
    Inventors: Paul C. Kocher, Joshua M. Jaffe, Benjamin C. Jun, Carter C. Laren, Peter K. Pearson, Nathaniel J. Lawson
  • Patent number: 8051168
    Abstract: The present invention presents security and user account integration with remote authentication servers, (e.g., repositories not owned by the server). Integration may occur with Lightweight Directory Access Protocol (LDAP), an operating system (e.g., Microsoft Windows™ NT™) authentication, custom account repositories and others. For example, the server may synchronize associated user lists with a remote repository. In another example, the server may also make external calls to remote authentication servers to validate a user's username and password. Other information may be validated.
    Type: Grant
    Filed: June 19, 2001
    Date of Patent: November 1, 2011
    Assignee: Microstrategy, Incorporated
    Inventors: Glenn J. Boysko, William Hurwood, Benjamin Z. Li, Abhimanyu Warikoo
  • Patent number: 8051292
    Abstract: In connection with network elements in a network, enhancing security by measuring proximity between elements, that are communicating with each other, by using facilities of secure devices and secure elements in the network. In some embodiments, secured information stored in a device certificate comprises a device processing delay, and the device processing delay is used in calculating a net response time which is compared to a threshold.
    Type: Grant
    Filed: May 11, 2005
    Date of Patent: November 1, 2011
    Assignee: NDS Limited
    Inventors: Chaim D. Shen-Orr, Eliphaz Hibshoosh, Yaacov Belenky
  • Patent number: 8041945
    Abstract: A method and apparatus is described for processing of network data packets by a network processor having cipher processing cores and authentication processing cores which operate on data within the network data packets, in order to provide a one-pass ciphering and authentication processing of the network data packets.
    Type: Grant
    Filed: May 27, 2009
    Date of Patent: October 18, 2011
    Assignee: Intel Corporation
    Inventors: Jaroslaw J. Sydir, Kamal J. Koshy, Wajdi Feghali, Bradley A. Burres, Gilbert M. Wolrich
  • Patent number: 8037309
    Abstract: A portable data storage device has a non-volatile memory 3 for storing user data, an interface section 7 for receiving and transmitting data to a host, and a master control unit 1 for transferring data to and from the non-volatile memory 3. The portable data storage device further includes an integrated circuit 13 for generating a public/private key pair. The portable data storage device is arranged to transmit at least one of the keys out of the device. In different embodiments, the host can verify that the data it receives is correct, and the device can verify that the host has received the correct data.
    Type: Grant
    Filed: April 26, 2004
    Date of Patent: October 11, 2011
    Assignee: Trek 2000 International Ltd.
    Inventors: Chin Shyan Raymond Ooi, Lay Chuan Lim, Teng Pin Poo, Henry Tan
  • Patent number: 8037524
    Abstract: A system and method for guard point licensing is provided. Licensed software executing on a storage system is modified to include one or more guard points to ensure that appropriate licenses have been obtained by a customer. During initialization of a guard point, a management system obtains a first random number (R1) from the first system and passes R1 and an application specific context command to the second system. The second system returns to the management system a pass phrase and a second random number (R2), which are then forwarded to the first system. The pass phrase is a data structure identifying the system that generated the pass phrase as well as containing the application specific context command. The above steps are then repeated with the first and second systems inverted.
    Type: Grant
    Filed: June 19, 2007
    Date of Patent: October 11, 2011
    Assignee: NetApp, Inc.
    Inventors: Gokul Nadathur, Samiullah Mohammed, Aseem Vaid
  • Patent number: 8036133
    Abstract: Various example embodiments are disclosed relating to efficient techniques for error detection and authentication in wireless networks. For example, according to an example embodiment, an apparatus adapted for wireless communication in a wireless network may include a processor. The processor may be configured to transmit a message including a field to provide both authentication and error detection for the message. The field may include an authenticated checksum sequence.
    Type: Grant
    Filed: March 3, 2008
    Date of Patent: October 11, 2011
    Assignee: Nokia Corporation
    Inventors: Shashikant Maheshwari, Yogesh Swami, Yousuf Saifullah
  • Patent number: 8037531
    Abstract: A dynamic network security system and a control method thereof in a router where an Intrusion Detection System (IDS) and a Voice over Internet Protocol Application Level Gateway (VoIP ALG) are integrated, system including: a VoIP ALG module for acquiring VoIP IP/port information of a counterpart unit in use for determining whether or not to perform intrusion detection on a packet received via VoIP signaling with the counterpart unit; an intrusion detection module for comparing the received packet with a preset intrusion detection log entry to perform intrusion detection on the received packet, and based on a result of the intrusion detection, determining whether or not to allow passage of the received packet; and an IP/port check module for checking VoIP IP/port information of the received packet according to the VoIP IP/port information of the counterpart unit provided from the VoIP ALG module to determine whether or not to perform the intrusion detection, and providing result information on the determinatio
    Type: Grant
    Filed: December 7, 2006
    Date of Patent: October 11, 2011
    Assignee: Samsung Electronics Co., Ltd.
    Inventor: Eung-Moon Yeom
  • Patent number: 8036386
    Abstract: An electronic ticket providing system capable of distributing and browsing the information relating to a ticket can be realized while maintaining the security and transferability of an IC card. The electronic ticket information is divided into formal ticket data and provisional ticket data. The formal ticket data includes authentication information for admission, ticket notation information, and authentication information for acquisition of information for a ticket owner. The provisional ticket data includes the ticket notation information, and authentication information for acquisition of information for a ticket purchase requester. The electronic ticket information is distributed from an electronic ticket vending server to a mobile telephone over a communications network. In the mobile telephone, the formal ticket data is stored in a removable storage medium such as an IC card, etc. having high security and transferability, and the provisional ticket data is stored in the internal memory.
    Type: Grant
    Filed: August 24, 2004
    Date of Patent: October 11, 2011
    Assignee: NEC Corporation
    Inventor: Toru Katayama
  • Patent number: 8031867
    Abstract: The method of verifying the integrity of an encryption key (K) obtained by combining at least two key portions (KM, M) in a protected zone (3) by using a commutative operator, comprises the steps of: using the commutative operator to perform a first combination between a key portion (KM) and a verification encryption key (Kv); using the commutative operator to perform in succession a combination between a key portion that has not yet been combined and a result obtained by an immediately preceding combination, until a last combination (Mv) is performed that includes all of the key portions; performing a combination in the protected zone (3) between the encryption key (K) to be verified and the last combination (Mv) of the verification encryption key (Kv) and the key portions (KM, M) in order to obtain a final verification key (Kf); encrypting verification data (Dv) by means of a symmetrical encryption algorithm (DES) using the final verification key (Kf); and making a comparison with a verification encryption
    Type: Grant
    Filed: August 7, 2007
    Date of Patent: October 4, 2011
    Assignee: MORPHO
    Inventor: Hervé Pelletier
  • Patent number: 8032748
    Abstract: A chip card needs to be allocated in a secured manner to a network operator via a personalization center in order to determine a final authentication key which is attributed to a subscriber of the operator without its being transmitted via a network. The following is loaded into a card by a module: an algorithm and an allocation key; an algorithm for determination of the authentication key and at least one intermediate authentication key. A module transmits an allocation message which includes a final identity number, a random number and an allocation signature from the center to the card. The card authenticates the message by means of the allocation algorithm as a function of the allocation key and the allocation signature, and determines the final authentication key as a function of the intermediate key and the random number.
    Type: Grant
    Filed: December 6, 2005
    Date of Patent: October 4, 2011
    Assignee: Gemalto SA
    Inventors: Lionel Merrien, Gary Chew, Max De Groot
  • Patent number: 8028169
    Abstract: It is possible to control electronic documents for partial disclosures and non-disclosures and prove to the third party that information other than non-disclosure part thereof has not been altered and the originality of decrypted information is assured.
    Type: Grant
    Filed: October 6, 2006
    Date of Patent: September 27, 2011
    Assignee: Fujitsu Limited
    Inventor: Takashi Yoshioka
  • Publication number: 20110231657
    Abstract: A transmitting apparatus generates a first bit stream from a second bit stream by encoding at least a portion of the bits from the second bit stream, generates a code for the second bit stream, and attaches the code to the first bit stream for transmission to a receiving apparatus. A receiving apparatus receives from a transmitting apparatus a first bit stream with a code, generates a second bit stream from the first bit stream by decoding at least a portion of the bits from the first bit stream, computes the code for the second bit stream, and compares the computed code with the code from the first bit stream.
    Type: Application
    Filed: June 1, 2011
    Publication date: September 22, 2011
    Applicant: QUALCOMM Incorporated
    Inventors: Qingjiang Tian, Zhanfeng Jia, Lu Xiao, David Jonathan Julian
  • Patent number: 8024488
    Abstract: A system verifies configuration of a device within a network via an exchange of verification credentials, which are requested, received and authenticated. The verification credentials indicate that a configuration of the device was acceptable at the time of creation of the verification credentials for that device. The verification credentials of the device are obtained through a certifying process. During the certifying process, the credential certifier receives a current device configuration of the device in the network, and evaluates the current device configuration of a device with respect to its role within a network. The verification credentials are issued to the requesting device and stored within a database. The device submits its verification credentials if being requested by the other peer it's communicating with when it enters the network. It also monitors the current device configuration and if there are changes, it invalidates the existing certification credentials and requests new ones.
    Type: Grant
    Filed: March 2, 2005
    Date of Patent: September 20, 2011
    Assignee: Cisco Technology, Inc.
    Inventors: Joseph A. Salowey, Hao Zhou
  • Patent number: 8020206
    Abstract: A system and method are provided for identifying inappropriate content in websites on a network. Unrecognized uniform resource locators (URLs) or other web content are accessed by workstations and are identified as possibly having malicious content. The URLs or web content may be preprocessed within a gateway server module or some other software module to collect additional information related to the URLs. The URLs may be scanned for known attack signatures, and if any are found, they may be tagged as candidate URLs in need of further analysis by a classification module.
    Type: Grant
    Filed: July 10, 2006
    Date of Patent: September 13, 2011
    Assignee: Websense, Inc.
    Inventors: Dan Hubbard, Nicholas Joseph Verenini, Victor Louie Baddour
  • Patent number: 8015402
    Abstract: A DHCP/authentication server transmits an IP address and authentication information acquired from the IP address to a home gateway. The home gateway creates authentication data from the authentication information and adds the authentication data to an IP packet received from a terminal, and transfers the IP packet to a false-address checking server. The false-address checking server extracts a source IP address and the authentication data from the IP packet, and creates provisional authentication data based on the source IP address. The false-address checking server checks the provisional authentication data against the original authentication data. If these two pieces of the authentication data coincide with each other, the false-address checking server transfers the IP packet to a communication counterpart. If the authentication data do not coincide with each other, the false-address checking server discards the IP packet.
    Type: Grant
    Filed: October 3, 2007
    Date of Patent: September 6, 2011
    Assignee: Fujitsu Limited
    Inventors: Takao Ogura, Takeshi Ohnishi, Kenichi Fukuda
  • Patent number: 8015597
    Abstract: Issuing and disseminating data about a credential includes having an entity issue authenticated data indicating that the credential has been revoked, causing the authenticated data to be stored in a first card of a first user, utilizing the first card for transferring the authenticated data to a first door, having the first door store information about the authenticated data, and having the first door rely on information about the authenticated data to deny access to the credential. The authenticated data may be authenticated by a digital signature and the first door may verify the digital signature. The digital signature may be a public-key digital signature. The public key for the digital signature may be associated with the credential. The digital signature may be a private-key digital signature. The credential and the first card may both belong to the first user.
    Type: Grant
    Filed: July 16, 2004
    Date of Patent: September 6, 2011
    Assignee: CoreStreet, Ltd.
    Inventors: Phil Libin, Silvio Micali, David Engberg, Alex Sinelnikov
  • Patent number: 8010805
    Abstract: A generic access card is paired with a data destination device by insertion into its card slot, and the public portion of a public/private key is stored in the card. The card authenticates the destination device. The paired card is transported to a data source device which includes a card slot and a removable mass storage medium. The card, when inserted into the card slot of the data source and authenticated, transfers the public key to the source device. The source device generates content encoding keys, and encodes the data on the storage medium. The content encoding keys are encoded using the public key, and loaded onto the card. The card and the storage medium are transported to the destination device, where the card provides the encoded encryption keys. The destination device decodes the encrypted content encryption key(s) and decodes the encrypted data for playback or display.
    Type: Grant
    Filed: January 6, 2004
    Date of Patent: August 30, 2011
    Assignee: Thomson Licensing
    Inventors: John Alan Gervais, Mike Arthur Derrenberger
  • Patent number: 8010808
    Abstract: The present invention provides a data recognition apparatus for copy protection which recognizes software distributed through a disc in physically different ways through RFID and a USB memory, a method thereof, and storage mediums therefor. The apparatus comprises a disc insertion section for recognizing a first storage medium in the form of a disc with an RFID tag attached; an RFID reading section for reading the RFID tag; a USB port section for recognizing a second storage medium having the shape of a USB memory; a decoding section for decoding data stored in the first storage medium or the second storage medium; and a transmission section for transmitting the decoded data to the system.
    Type: Grant
    Filed: February 13, 2007
    Date of Patent: August 30, 2011
    Assignee: Sungkyunkwan University Foundation for Corporate Collaboration
    Inventors: Kihyun Choi, Dongryeol Shin
  • Patent number: 8005458
    Abstract: A device and method for detecting and preventing sensitive information leakage from a portable terminal is provided. A device for detecting and preventing leakage of sensitive information from a portable terminal includes a data storage unit that stores data containing sensitive information, an external interface that interfaces the portable terminal with the external, a sensitive information manager that detects and prevents leakage of the sensitive information stored in the data storage unit through the external interface, and a sensitive information leakage detecting and preventing unit that is disposed between the data storage unit and the external interface to detect and prevent the leakage of the sensitive information.
    Type: Grant
    Filed: October 15, 2008
    Date of Patent: August 23, 2011
    Assignee: Electronics and Telecommunications Research Institute
    Inventors: Kwangho Baik, Dongho Kang, Kiyoung Kim
  • Patent number: 8001373
    Abstract: A receiving apparatus includes a receiving unit which receives image data acquired through image capturing by a capsule endoscope introduced inside a subject; a reader to which a portable recording medium on which identification information identifying the subject is recorded in an erasable manner is detachably connected, the reader reading out the identification information of the subject in the recording medium; a display unit which displays the identification information of the subject read out by the reader; and a control unit which controls registration of the identification information of the subject displayed by the display unit and erasure of the registered identification information of the subject remaining in the recording medium.
    Type: Grant
    Filed: December 28, 2006
    Date of Patent: August 16, 2011
    Assignee: Olympus Medical Systems Corp.
    Inventor: Takemitsu Honda
  • Patent number: 7995753
    Abstract: Multiple cipher hardware algorithms are run in parallel over an input stream. For example, one algorithm can process the input stream using an old cipher key while a parallel algorithm processes the input stream using the current cipher key. Alternatively, multiple cipher operations can be performed in parallel enabling a receiver to determine which cipher algorithm was employed in encrypting a data packet.
    Type: Grant
    Filed: August 29, 2005
    Date of Patent: August 9, 2011
    Assignee: Cisco Technology, Inc.
    Inventors: Kenneth W. Batcher, Rodney Haven
  • Patent number: 7991159
    Abstract: A wireless communication network (20) including mobile applications (56-62) includes a security approach that uses a combination of at least two techniques (42, 50, 54, 72). One disclosed example includes a combination of all four techniques. The combined, layered approach greatly reduces the probability that an unauthorized individual will be able to masquerade as a valid application within the network so that network security is improved. Disclosed techniques include obfuscating software code of a mobile application, providing a mobile application with a plurality of code signatures for generating a corresponding plurality of unique control values, limiting the useful lifetime of a mobile application and determining that a control value of a mobile application corresponds to the control value of another application before the two applications are allowed to interact in a manner that could compromise either application or the network.
    Type: Grant
    Filed: December 9, 2005
    Date of Patent: August 2, 2011
    Assignee: Alcatel-Lucent USA Inc.
    Inventor: David G. Floyd
  • Patent number: 7991829
    Abstract: An electronic device including a memory area that stores a program to be executed by the computer and data, the electronic device connecting a computer and a server device in a communicable state. The program includes a first processing portion that retrieves connection information from the computer and writes the connection information in the memory area when the electronic device is connected to the computer, the connection information being necessary for obtaining a connection with the server device, and a second processing portion that causes the computer to carry out a procedure for obtaining a connection with the server device, using connection information necessary for a connection written in the memory area and transmitted from the server device to the computer.
    Type: Grant
    Filed: November 2, 2006
    Date of Patent: August 2, 2011
    Assignee: Fuji Xerox Co., Ltd.
    Inventor: Kentaro Takano
  • Patent number: 7992195
    Abstract: The invention allows a reliable and efficient identity management that can, with full interoperability, accommodate to various requirements of participants. For that a method and system are presented for providing an identity-related information about a user to a requesting entity. The method comprises a location-request step initiated by the requesting entity for requesting from a client application a location information that corresponds to a location entity possessing the identity-related information, a redirecting step for connecting the client application to the location entity in order to instruct the location entity to transfer the identity-related information to the requesting entity, and an acquiring step for obtaining the identity-related information.
    Type: Grant
    Filed: March 26, 2003
    Date of Patent: August 2, 2011
    Assignee: International Business Machines Corporation
    Inventors: Birgit Pfitzmann, Michael Waidner
  • Patent number: 7992009
    Abstract: A method of verifying programming of an integrated circuit card includes transferring program data to a page buffer of a non-volatile memory, copying the program data to a buffer memory, calculating a first checksum value with respect to program data in the buffer memory, updating the program data in the buffer memory by copying the program data of the page buffer to the buffer memory, calculating a second checksum value with respect to updated program data in the buffer memory, comparing the first checksum value and the second checksum value, and determining, based on the comparison result, whether the program data of the page buffer is tampered.
    Type: Grant
    Filed: January 5, 2007
    Date of Patent: August 2, 2011
    Assignee: Samsung Electronics Co., Ltd.
    Inventor: Kyung-Duck Seo
  • Patent number: 7987359
    Abstract: In an information communication system, information communication devices exchange an IP packet over IP networks. When performing a predetermined packet exchanging procedure in which the number of router hops is limited to a predetermined control value or less, each of the information communication devices monitors Time-To-Live values designated in the headers of IP packets received over a period of time from the start of the predetermined packet exchanging procedure to immediately before the end of the predetermined packet exchanging procedure to continuously update the maximum Time-To-Live value of the monitored Time-To-Live values, and checks whether the maximum Time-To-Live value does not exceed the control value.
    Type: Grant
    Filed: July 6, 2006
    Date of Patent: July 26, 2011
    Assignee: Sony Corporation
    Inventors: Shinichi Kawano, Takao Morita, Yukihiko Aoki, Hideho Gomi, Tatsuaki Yukawa, Yuichi Izumi
  • Patent number: 7987372
    Abstract: A method for managing the access to a memory space shareable by several users, by using passwords, comprises: defining a maximum number of passwords, providing a password storage zone, dividing the shareable memory space into a plurality of blocks greater in number than the maximum number of passwords, providing in each block a parameterization field for parameterizing the protection of the block, providing in each parameterization field a binary index smaller in size than a password and designating a password assigned to the protection of the block, and allocating, to each block, access rights requiring a password to be presented corresponding to the password designated by the index present in the block parameterization field. Application is provided particularly but not exclusively to multi-user integrated circuits.
    Type: Grant
    Filed: December 14, 2006
    Date of Patent: July 26, 2011
    Assignee: STMicroelectronics SA
    Inventor: Christophe Mani
  • Patent number: 7984292
    Abstract: Circuits, methods, and apparatus that prevent detection and erasure of a configuration bitstream or other data for an FPGA or other device. An exemplary embodiment of the present invention masks a user key in order to prevent its detection. In a specific embodiment, the user key is masked by software that performs a function on it a first number of times. The result is used to encrypt a configuration bitstream. The user key is also provided to an FPGA or other device, where the function is performed a second number of times and the result stored. When the device is configured, the result is retrieved, the function is performed on it the first number of times less the second number of times and then it is used to decrypt the configuration bitstream. A further embodiment uses a one-time programmable fuse (OTP) array to prevent erasure or modification.
    Type: Grant
    Filed: September 14, 2009
    Date of Patent: July 19, 2011
    Assignee: Altera Corporation
    Inventors: Keone Streicher, David Jefferson, Juju Joyce, Martin Langhammer
  • Patent number: 7984497
    Abstract: A system for binding a subscription-based computer to an internet service provider (ISP) may include a binding module and a security module residing on the computer. The binding module may identify and authenticate configuration data from peripheral devices that attempt to connect to the computer, encrypt any requests for data from the computer to the ISP, and decrypt responses from the ISP. If the binding module is able to authenticate the configuration data and the response to the request for data from the ISP, then the security module may allow the communication between the computer and the ISP. However, if either the configuration cycle or the response cannot be properly verified, then the security module may degrade operation of the computer.
    Type: Grant
    Filed: April 4, 2007
    Date of Patent: July 19, 2011
    Assignee: Microsoft Corporation
    Inventors: Todd Carpenter, Shon Schmidt, David J. Sebesta, William J. Westerinen
  • Patent number: 7979698
    Abstract: The present invention encrypts authentication information into an image, document or recording. Briefly described, in architecture, one embodiment is a method comprising generating the original work; generating authentication data when the original work is generated, the authentication data comprising at least location information identifying the location where the original work is generated, the location information provided by a received signal from a remote device, date and time information identifying when the original work is generated, the date and time information provided by a received signal from a remote device, and biometric information identifying an originator of the original work; and encrypting the original work with the authentication data using a secret private key when original work is generated.
    Type: Grant
    Filed: February 19, 2003
    Date of Patent: July 12, 2011
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventor: Joseph D. Wong
  • Patent number: 7979699
    Abstract: Embodiments of the present invention relate to a system and method for providing processing capacity on demand. According to the embodiments, a processor package has a plurality of processing elements. One or more of the processing elements may be made active in response to increased demand for processing capacity based on modifiable authorization information.
    Type: Grant
    Filed: May 19, 2004
    Date of Patent: July 12, 2011
    Assignee: Intel Corporation
    Inventors: Deep K. Buch, Shivnandan Kaushik
  • Patent number: 7975308
    Abstract: Embodiments in accordance with the invention install a primary security browser extension first in the browser event notification order list and a secondary security browser extension last in the event notification order list. On receipt of a user data event including user confidential data at the primary security browser extension, the user confidential data is obfuscated by the primary security browser extension and the user data event including the obfuscated data is released to a next browser extension in the browser event notification order list. Upon receipt of the user data event at the secondary security browser extension, the obfuscated data is restored with the original user confidential data and the user data event is released for further processing.
    Type: Grant
    Filed: September 28, 2007
    Date of Patent: July 5, 2011
    Assignee: Symantec Corporation
    Inventors: Sourabh Satish, Govind Salinas, Zulfikar Ramzan
  • Publication number: 20110161665
    Abstract: A method of enabling host devices having an IPsec policy to communicate with one another via an IPv6 communication network, which includes the following steps: extracting a Media Access Control identifier (MAC ID) for a target host from a security policy for an IPv6 address for the target host; searching for the MAC ID of the target host in an Address Resolution Protocol (ARP) table on a source host; upon locating the MAC ID of the target host, creating a temporal neighbor cache entry in a neighbor cache table for the target host; and enabling a security association between the source host and the target host based on the temporal neighbor entry in the neighbor cache table, which allows IPv6 communications to be exchanged between the target host and the source host.
    Type: Application
    Filed: December 30, 2009
    Publication date: June 30, 2011
    Applicant: Konica Minolta Systems Laboratory, Inc.
    Inventor: Maria PEREZ
  • Patent number: 7971058
    Abstract: Plaintext/cyphertext pairs are generated for use in authenticating a device. The device performs a secure authentication algorithm on a secure authentication image file and a received plaintext challenge, and outputs a cyphertext response. If the cyphertext response matches a pre-stored cyphertext string associated with the plaintext challenge, then the device is authenticated. A master processor manages the generation of the plaintext/cyphertext pairs. Plaintext challenges are generated in the master processor using a binary counter and an n-bit key. Each plaintext challenge is transmitted to a first processor and a second processor. The first processor executes the secure authentication algorithm on each plaintext challenge and outputs a cyphertext response associated with each plaintext challenge. The second processor executes the secure authentication algorithm on each plaintext challenge and outputs a second cyphertext response associated with each plaintext challenge.
    Type: Grant
    Filed: March 6, 2007
    Date of Patent: June 28, 2011
    Assignee: Kyocera Corporation
    Inventor: John P. Taylor
  • Patent number: 7966267
    Abstract: A method and system for authenticating an item by using a security marking. The security marking is provided on the item with an OVD ink capable of absorbing light in a visible wavelength range to appear visibly black and producing a red fluorescent emission under ultraviolet excitation. Under visible light illumination and ultraviolet excitation, a visible image and a fluorescent image are obtained from the security marking using image scanners. The images are compared to find a substantial match with each other. The security marking can be a postage indicium, a barcode, a symbol, a message or an image. The item to be authenticated can be a mailpiece, a banknote, a tag, a ticket, a document, an identification card, or the like.
    Type: Grant
    Filed: April 13, 2009
    Date of Patent: June 21, 2011
    Assignee: Pitney Bowes Inc.
    Inventors: Judith D. Auslander, Robert A Cordery, Claude Zeller
  • Patent number: 7962745
    Abstract: With each embodiment of the present invention, a content providing system comprises a content encrypting section which encrypts content by use of a session key and a header generating section which encrypts the session key by use of an encryption key in such a manner that the session key can be obtained by use of a decryption key assigned to a user system and generates header information including the encrypted session key and one or more values based on user identification information of each of the user systems that are permitted to obtain the session key. The content providing system transmits the encrypted content and the header information to each user system. Since the header information does not explicitly include user identification information of the user systems, information about whose decryption keys have been revoked is not leaked out in the black box tracing.
    Type: Grant
    Filed: June 18, 2009
    Date of Patent: June 14, 2011
    Assignee: Kabushiki Kaisha Toshiba
    Inventor: Tatsuyuki Matsushita
  • Patent number: 7962754
    Abstract: A cryptographic method and equipment decrypting a cryptographic key by generating an auxiliary code based on a randomly determined numeric key and including a result of encryption into a cryptogram. Upon decryption, the cryptographic key is restored using the numeric key restored according to the entire cryptogram. A cryptographic method and equipment scrambles and encrypts physical characteristic information, and descrambles a result of a decryption, thereby enabling any alteration to a cryptogram to be detected because even a minor alteration thereto changes the result of the decryption. A remote identification system encrypts physical characteristic information using a password as a cryptographic key, and fluctuation of the physical characteristic information, authenticating information represented as a different bit pattern at each identifying processing is generated and sent to a transmission medium.
    Type: Grant
    Filed: June 7, 2005
    Date of Patent: June 14, 2011
    Assignee: Fujitsu Limited
    Inventors: Yusaku Fujii, Takashi Shinzaki
  • Patent number: 7962515
    Abstract: A system and method for logon access management that includes capturing a logon id and associated user data, the logon id allowing access to at least one of an application or data outside of an entity, automatically searching for a match of at least a portion of the user data with id data inside the entity, and transforming the logon id into a network id when a match is found. The entity may be a company, business, organization, system, or network.
    Type: Grant
    Filed: July 22, 2008
    Date of Patent: June 14, 2011
    Assignee: Bank of America Corporation
    Inventor: Stephen J. McWhirter
  • Publication number: 20110138173
    Abstract: A sending apparatus includes an encryption unit and a sending unit. The encryption unit encrypts each of data packets on the basis of a frame number of a frame and a determined cryptographic key. The sending unit transmits a frame including the data packets encrypted. A receiving apparatus includes a receiving unit and a decoding unit. The receiving unit receives the frame. The decoding unit decodes each of the data packets on the basis of the frame number of the frame and a determined decoding key.
    Type: Application
    Filed: February 11, 2011
    Publication date: June 9, 2011
    Applicant: FUJITSU LIMITED
    Inventor: Masato OKUDA
  • Patent number: 7953014
    Abstract: Network device testing equipment capable of testing network devices using small size packets and for a transferring ability and a filtering ability at a media speed is described. A configuration is adopted in which a Field Programmable Gate Array (FPGA) included in a transmitter or receiver on one or both of transmitting and receiving sides is connected directly to a physical layer chip of a network and computers on both the transmitting and receiving sides are connected thereto. Each of the FPGAs of the transmitter and receiver has a circuit which has an integrated function of transmitting a packet pattern generation function and a packet-receiving function, thereby enabling a test and an inspection in real time. When inspecting the filtering function, a hash table storing therein a hash value and a list of occurrence frequencies for hash values is utilized.
    Type: Grant
    Filed: March 7, 2006
    Date of Patent: May 31, 2011
    Assignees: National Institute of Advanced Industrial Science and Technology, DUAXES Corporation, BITS Co., Ltd.
    Inventors: Kenji Toda, Toshihiro Katashita, Kazumi Sakamaki, Takeshi Inui, Mitsugu Nagoya, Yasunori Terashima
  • Patent number: 7954163
    Abstract: A method and apparatus for providing network security using role-based access control is disclosed. A network device implementing such a method can include, for example, an access control list. Such an access control list includes an access control list entry, which, in turn, includes a user group field. Alternatively, a network device implementing such a method can include, for example, a forwarding table that includes a plurality of forwarding table entries. In such a case, at least one of the forwarding table entries includes a user group field.
    Type: Grant
    Filed: May 5, 2009
    Date of Patent: May 31, 2011
    Assignee: Cisco Technology, Inc.
    Inventor: Michael R. Smith
  • Patent number: 7954144
    Abstract: Methods, signals, devices, and systems are provided for using proxy servers to transparently forward messages between clients and origin servers if, and only if, doing so does not violate network policies. In some systems, a transparent proxy uses a combination of standard-format HTTP commands, embedding auxiliary information in URLs and other tools and techniques to redirect an initial client request to one or more policy modules, such as a login server or an identity broker or an access control server. The policy module authenticates the request, and uses HTTP redirection to have the client transmit authorization data to the proxy. The proxy extracts the authorization data, directs the client to use a corresponding cookie, and subsequently provides the implicitly requested proxy services to the client in response to the client's subsequently providing the authorization data in a cookie.
    Type: Grant
    Filed: January 18, 2000
    Date of Patent: May 31, 2011
    Assignee: Novell, Inc.
    Inventors: Hashem Mohammad Ebrahimi, Robert Drew Major