Data Authentication Patents (Class 713/161)
  • Patent number: 8037531
    Abstract: A dynamic network security system and a control method thereof in a router where an Intrusion Detection System (IDS) and a Voice over Internet Protocol Application Level Gateway (VoIP ALG) are integrated, system including: a VoIP ALG module for acquiring VoIP IP/port information of a counterpart unit in use for determining whether or not to perform intrusion detection on a packet received via VoIP signaling with the counterpart unit; an intrusion detection module for comparing the received packet with a preset intrusion detection log entry to perform intrusion detection on the received packet, and based on a result of the intrusion detection, determining whether or not to allow passage of the received packet; and an IP/port check module for checking VoIP IP/port information of the received packet according to the VoIP IP/port information of the counterpart unit provided from the VoIP ALG module to determine whether or not to perform the intrusion detection, and providing result information on the determinatio
    Type: Grant
    Filed: December 7, 2006
    Date of Patent: October 11, 2011
    Assignee: Samsung Electronics Co., Ltd.
    Inventor: Eung-Moon Yeom
  • Patent number: 8032748
    Abstract: A chip card needs to be allocated in a secured manner to a network operator via a personalization center in order to determine a final authentication key which is attributed to a subscriber of the operator without its being transmitted via a network. The following is loaded into a card by a module: an algorithm and an allocation key; an algorithm for determination of the authentication key and at least one intermediate authentication key. A module transmits an allocation message which includes a final identity number, a random number and an allocation signature from the center to the card. The card authenticates the message by means of the allocation algorithm as a function of the allocation key and the allocation signature, and determines the final authentication key as a function of the intermediate key and the random number.
    Type: Grant
    Filed: December 6, 2005
    Date of Patent: October 4, 2011
    Assignee: Gemalto SA
    Inventors: Lionel Merrien, Gary Chew, Max De Groot
  • Patent number: 8031867
    Abstract: The method of verifying the integrity of an encryption key (K) obtained by combining at least two key portions (KM, M) in a protected zone (3) by using a commutative operator, comprises the steps of: using the commutative operator to perform a first combination between a key portion (KM) and a verification encryption key (Kv); using the commutative operator to perform in succession a combination between a key portion that has not yet been combined and a result obtained by an immediately preceding combination, until a last combination (Mv) is performed that includes all of the key portions; performing a combination in the protected zone (3) between the encryption key (K) to be verified and the last combination (Mv) of the verification encryption key (Kv) and the key portions (KM, M) in order to obtain a final verification key (Kf); encrypting verification data (Dv) by means of a symmetrical encryption algorithm (DES) using the final verification key (Kf); and making a comparison with a verification encryption
    Type: Grant
    Filed: August 7, 2007
    Date of Patent: October 4, 2011
    Assignee: MORPHO
    Inventor: Hervé Pelletier
  • Patent number: 8028169
    Abstract: It is possible to control electronic documents for partial disclosures and non-disclosures and prove to the third party that information other than non-disclosure part thereof has not been altered and the originality of decrypted information is assured.
    Type: Grant
    Filed: October 6, 2006
    Date of Patent: September 27, 2011
    Assignee: Fujitsu Limited
    Inventor: Takashi Yoshioka
  • Publication number: 20110231657
    Abstract: A transmitting apparatus generates a first bit stream from a second bit stream by encoding at least a portion of the bits from the second bit stream, generates a code for the second bit stream, and attaches the code to the first bit stream for transmission to a receiving apparatus. A receiving apparatus receives from a transmitting apparatus a first bit stream with a code, generates a second bit stream from the first bit stream by decoding at least a portion of the bits from the first bit stream, computes the code for the second bit stream, and compares the computed code with the code from the first bit stream.
    Type: Application
    Filed: June 1, 2011
    Publication date: September 22, 2011
    Applicant: QUALCOMM Incorporated
    Inventors: Qingjiang Tian, Zhanfeng Jia, Lu Xiao, David Jonathan Julian
  • Patent number: 8024488
    Abstract: A system verifies configuration of a device within a network via an exchange of verification credentials, which are requested, received and authenticated. The verification credentials indicate that a configuration of the device was acceptable at the time of creation of the verification credentials for that device. The verification credentials of the device are obtained through a certifying process. During the certifying process, the credential certifier receives a current device configuration of the device in the network, and evaluates the current device configuration of a device with respect to its role within a network. The verification credentials are issued to the requesting device and stored within a database. The device submits its verification credentials if requested by the other peer it is communicating with when it enters the network. It also monitors the current device configuration and if there are changes, it invalidates the existing certification credentials and requests new ones.
    Type: Grant
    Filed: March 2, 2005
    Date of Patent: September 20, 2011
    Assignee: Cisco Technology, Inc.
    Inventors: Joseph A. Salowey, Hao Zhou
  • Patent number: 8020206
    Abstract: A system and method are provided for identifying inappropriate content in websites on a network. Unrecognized uniform resource locators (URLs) or other web content are accessed by workstations and are identified as possibly having malicious content. The URLs or web content may be preprocessed within a gateway server module or some other software module to collect additional information related to the URLs. The URLs may be scanned for known attack signatures, and if any are found, they may be tagged as candidate URLs in need of further analysis by a classification module.
    Type: Grant
    Filed: July 10, 2006
    Date of Patent: September 13, 2011
    Assignee: Websense, Inc.
    Inventors: Dan Hubbard, Nicholas Joseph Verenini, Victor Louie Baddour
  • Patent number: 8015597
    Abstract: Issuing and disseminating data about a credential includes having an entity issue authenticated data indicating that the credential has been revoked, causing the authenticated data to be stored in a first card of a first user, utilizing the first card for transferring the authenticated data to a first door, having the first door store information about the authenticated data, and having the first door rely on information about the authenticated data to deny access to the credential. The authenticated data may be authenticated by a digital signature and the first door may verify the digital signature. The digital signature may be a public-key digital signature. The public key for the digital signature may be associated with the credential. The digital signature may be a private-key digital signature. The credential and the first card may both belong to the first user.
    Type: Grant
    Filed: July 16, 2004
    Date of Patent: September 6, 2011
    Assignee: CoreStreet, Ltd.
    Inventors: Phil Libin, Silvio Micali, David Engberg, Alex Sinelnikov
  • Patent number: 8015402
    Abstract: A DHCP/authentication server transmits an IP address and authentication information acquired from the IP address to a home gateway. The home gateway creates authentication data from the authentication information and adds the authentication data to an IP packet received from a terminal, and transfers the IP packet to a false-address checking server. The false-address checking server extracts a source IP address and the authentication data from the IP packet, and creates provisional authentication data based on the source IP address. The false-address checking server checks the provisional authentication data against the original authentication data. If these two pieces of the authentication data coincide with each other, the false-address checking server transfers the IP packet to a communication counter part. If the authentication data do not coincide with each other, the false-address checking server discards the IP packet.
    Type: Grant
    Filed: October 3, 2007
    Date of Patent: September 6, 2011
    Assignee: Fujitsu Limited
    Inventors: Takao Ogura, Takeshi Ohnishi, Kenichi Fukuda
  • Patent number: 8010808
    Abstract: The present invention provides a data recognition apparatus for copy protection which recognizes software distributed through a disc in physically different ways through RFID and a USB memory, a method thereof, and storage mediums therefor. The apparatus comprises a disc insertion section for recognizing a first storage medium in the form of a disc with an RFID tag attached; an RFID reading section for reading the RFID tag; a USB port section for recognizing a second storage medium having the shape of a USB memory; a decoding section for decoding data stored in the first storage medium or the second storage medium; and a transmission section for transmitting the decoded data to the system.
    Type: Grant
    Filed: February 13, 2007
    Date of Patent: August 30, 2011
    Assignee: Sungkyunkwan University Foundation for Corporate Collaboration
    Inventors: Kihyun Choi, Dongryeol Shin
  • Patent number: 8010805
    Abstract: A generic access card is paired with a data destination device by insertion into its card slot, and the public portion of a public/private key is stored in the card. The card authenticates the destination device. The paired card is transported to a data source device which includes a card slot and a removable mass storage medium. The card, when inserted into the card slot of the data source and authenticated, transfers the public key to the source device. The source device generates content encoding keys, and encodes the data on the storage medium. The content encoding keys are encoded using the public key, and loaded onto the card. The card and the storage medium are transported to the destination device, where the card provides the encoded encryption keys. The destination device decodes the encrypted content encryption key(s) and decodes the encrypted data for playback or display.
    Type: Grant
    Filed: January 6, 2004
    Date of Patent: August 30, 2011
    Assignee: Thomson Licensing
    Inventors: John Alan Gervais, Mike Arthur Derrenberger
  • Patent number: 8005458
    Abstract: A device and method for detecting and preventing sensitive information leakage from a portable terminal is provided. A device for detecting and preventing leakage of sensitive information from a portable terminal includes a data storage unit that stores data containing sensitive information, an external interface that interfaces the portable terminal with the external, a sensitive information manager that detects and prevents leakage of the sensitive information stored in the data storage unit through the external interface, and a sensitive information leakage detecting and preventing unit that is disposed between the data storage unit and the external interface to detect and prevent the leakage of the sensitive information.
    Type: Grant
    Filed: October 15, 2008
    Date of Patent: August 23, 2011
    Assignee: Electronics and Telecommunications Research Institute
    Inventors: Kwangho Baik, Dongho Kang, Kiyoung Kim
  • Patent number: 8001373
    Abstract: A receiving apparatus includes a receiving unit which receives image data acquired through image capturing by a capsule endoscope introduced inside a subject; a reader to which a portable recording medium on which identification information identifying the subject is recorded in an erasable manner is detachably connected, the reader reading out the identification information of the subject in the recording medium; a display unit which displays the identification information of the subject read out by the reader; and a control unit which controls registration of the identification information of the subject displayed by the display unit and erasure of the registered identification information of the subject remaining in the recording medium.
    Type: Grant
    Filed: December 28, 2006
    Date of Patent: August 16, 2011
    Assignee: Olympus Medical Systems Corp.
    Inventor: Takemitsu Honda
  • Patent number: 7995753
    Abstract: Multiple cipher hardware algorithms are run in parallel over an input stream. For example, one algorithm can process the input stream using an old cipher key while a parallel algorithm processes the input stream using the current cipher key. Alternatively, multiple cipher operations can be performed in parallel enabling a receiver to determine which cipher algorithm was employed in encrypting a data packet.
    Type: Grant
    Filed: August 29, 2005
    Date of Patent: August 9, 2011
    Assignee: Cisco Technology, Inc.
    Inventors: Kenneth W. Batcher, Rodney Haven
  • Patent number: 7991829
    Abstract: An electronic device including a memory area that stores a program to be executed by the computer and data, the electronic device connecting a computer and a server device in a communicable state. The program includes a first processing portion that retrieves connection information from the computer and writes the connection information in the memory area when the electronic device is connected to the computer, the connection information being necessary for obtaining a connection with the server device, and a second processing portion that causes the computer to carry out a procedure for obtaining a connection with the server device, using connection information necessary for a connection written in the memory area and transmitted from the server device to the computer.
    Type: Grant
    Filed: November 2, 2006
    Date of Patent: August 2, 2011
    Assignee: Fuji Xerox Co., Ltd.
    Inventor: Kentaro Takano
  • Patent number: 7992195
    Abstract: The invention allows a reliable and efficient identity management that can, with full interoperability, accommodate to various requirements of participants. For that a method and system are presented for providing an identity-related information about a user to a requesting entity. The method comprises a location-request step initiated by the requesting entity for requesting from a client application a location information that corresponds to a location entity possessing the identity-related information, a redirecting step for connecting the client application to the location entity in order to instruct the location entity to transfer the identity-related information to the requesting entity, and an acquiring step for obtaining the identity-related information.
    Type: Grant
    Filed: March 26, 2003
    Date of Patent: August 2, 2011
    Assignee: International Business Machines Corporation
    Inventors: Birgit Pfitzmann, Michael Waidner
  • Patent number: 7991159
    Abstract: A wireless communication network (20) including mobile applications (56-62) includes a security approach that uses a combination of at least two techniques (42, 50, 54, 72). One disclosed example includes a combination of all four techniques. The combined, layered approach greatly reduces the probability that an unauthorized individual will be able to masquerade as a valid application within the network so that network security is improved. Disclosed techniques include obfuscating software code of a mobile application, providing a mobile application with a plurality of code signatures for generating a corresponding plurality of unique control values, limiting the useful lifetime of a mobile application and determining that a control value of a mobile application corresponds to the control value of another application before the two applications are allowed to interact in a manner that could compromise either application or the network.
    Type: Grant
    Filed: December 9, 2005
    Date of Patent: August 2, 2011
    Assignee: Alcatel-Lucent USA Inc.
    Inventor: David G. Floyd
  • Patent number: 7992009
    Abstract: A method of verifying programming of an integrated circuit card includes transferring program data to a page buffer of a non-volatile memory, copying the program data to a buffer memory, calculating a first checksum value with respect to program data in the buffer memory, updating the program data in the buffer memory by copying the program data of the page buffer to the buffer memory, calculating a second checksum value with respect to updated program data in the buffer memory, comparing the first checksum value and the second checksum value, and determining, based on the comparison result, whether the program data of the page buffer is tampered.
    Type: Grant
    Filed: January 5, 2007
    Date of Patent: August 2, 2011
    Assignee: Samsung Electronics Co., Ltd.
    Inventor: Kyung-Duck Seo
  • Patent number: 7987359
    Abstract: In an information communication system, information communication devices exchange an IP packet over IP networks. When performing a predetermined packet exchanging procedure in which the number of router hops is limited to a predetermined control value or less, each of the information communication devices monitors Time-To-Live values designated in the headers of IP packets received over a period of time from the start of the predetermined packet exchanging procedure to immediately before the end of the predetermined packet exchanging procedure to continuously update the maximum Time-To-Live value of the monitored Time-To-Live values, and checks whether the maximum Time-To-Live value does not exceed the control value.
    Type: Grant
    Filed: July 6, 2006
    Date of Patent: July 26, 2011
    Assignee: Sony Corporation
    Inventors: Shinichi Kawano, Takao Morita, Yukihiko Aoki, Hideho Gomi, Tatsuaki Yukawa, Yuichi Izumi
  • Patent number: 7987372
    Abstract: A method for managing the access to a memory space shareable by several users, by using passwords, comprises: defining a maximum number of passwords, providing a password storage zone, dividing the shareable memory space into a plurality of blocks greater in number than the maximum number of passwords, providing in each block a parameterization field for parameterizing the protection of the block, providing in each parameterization field a binary index smaller in size than a password and designating a password assigned to the protection of the block, and allocating, to each block, access rights requiring a password to be presented corresponding to the password designated by the index present in the block parameterization field. Application is provided particularly but not exclusively to multi-user integrated circuits.
    Type: Grant
    Filed: December 14, 2006
    Date of Patent: July 26, 2011
    Assignee: STMicroelectronics SA
    Inventor: Christophe Mani
  • Patent number: 7984497
    Abstract: A system for binding a subscription-based computer to an internet service provider (ISP) may include a binding module and a security module residing on the computer. The binding module may identify and authenticate configuration data from peripheral devices that attempt to connect to the computer, encrypt any requests for data from the computer to the ISP, and decrypt responses from the ISP. If the binding module is able to authenticate the configuration data and the response to the request for data from the ISP, then the security module may allow the communication between the computer and the ISP. However, if either the configuration cycle or the response cannot be properly verified, then the security module may degrade operation of the computer.
    Type: Grant
    Filed: April 4, 2007
    Date of Patent: July 19, 2011
    Assignee: Microsoft Corporation
    Inventors: Todd Carpenter, Shon Schmidt, David J. Sebesta, William J. Westerinen
  • Patent number: 7984292
    Abstract: Circuits, methods, and apparatus that prevent detection and erasure of a configuration bitstream or other data for an FPGA or other device. An exemplary embodiment of the present invention masks a user key in order to prevent its detection. In a specific embodiment, the user key is masked by software that performs a function on it a first number of times. The result is used to encrypt a configuration bitstream. The user key is also provided to an FPGA or other device, where the function is performed a second number of times and the result stored. When the device is configured, the result is retrieved, the function is performed on it the first number of times less the second number of times and then it is used to decrypt the configuration bitstream. A further embodiment uses a one-time programmable fuse (OTP) array to prevent erasure or modification.
    Type: Grant
    Filed: September 14, 2009
    Date of Patent: July 19, 2011
    Assignee: Altera Corporation
    Inventors: Keone Streicher, David Jefferson, Juju Joyce, Martin Langhammer
  • Patent number: 7979698
    Abstract: The present invention encrypts authentication information into an image, document or recording. Briefly described, in architecture, one embodiment is a method comprising generating the original work; generating authentication data when the original work is generated, the authentication data comprising at least location information identifying the location where the original work is generated, the location information provided by a received signal from a remote device, date and time information identifying when the original work is generated, the date and time information provided by a received signal from a remote device, and biometric information identifying an originator of the original work; and encrypting the original work with the authentication data using a secret private key when original work is generated.
    Type: Grant
    Filed: February 19, 2003
    Date of Patent: July 12, 2011
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventor: Joseph D. Wong
  • Patent number: 7979699
    Abstract: Embodiments of the present invention relate to a system and method for providing processing capacity on demand. According to the embodiments, a processor package has a plurality of processing elements. One or more of the processing elements may be made active in response to increased demand for processing capacity based on modifiable authorization information.
    Type: Grant
    Filed: May 19, 2004
    Date of Patent: July 12, 2011
    Assignee: Intel Corporation
    Inventors: Deep K. Buch, Shivnandan Kaushik
  • Patent number: 7975308
    Abstract: Embodiments in accordance with the invention install a primary security browser extension first in the browser event notification order list and a secondary security browser extension last in the event notification order list. On receipt of a user data event including user confidential data at the primary security browser extension, the user confidential data is obfuscated by the primary security browser extension and the user data event including the obfuscated data is released to a next browser extension in the browser event notification order list. Upon receipt of the user data event at the secondary security browser extension, the obfuscated data is restored with the original user confidential data and the user data event is released for further processing.
    Type: Grant
    Filed: September 28, 2007
    Date of Patent: July 5, 2011
    Assignee: Symantec Corporation
    Inventors: Sourabh Satish, Govind Salinas, Zulfikar Ramzan
  • Publication number: 20110161665
    Abstract: A method of enabling host devices having an IPsec policy to communicate with one another via an IPv6 communication network, which includes the following steps: extracting a Media Access Control identifier (MAC ID) for a target host from a security policy for an IPv6 address for the target host; searching for the MAC ID of the target host in an Address Resolution Protocol (ARP) table on a source host; upon locating the MAC ID of the target host, creating a temporal neighbor cache entry in a neighbor cache table for the target host; and enabling a security association between the source host and the target host based on the temporal neighbor entry in the neighbor cache table, which allows IPv6 communications to be exchanged between the target host and the source host.
    Type: Application
    Filed: December 30, 2009
    Publication date: June 30, 2011
    Applicant: Konica Minolta Systems Laboratory, Inc.
    Inventor: Maria PEREZ
  • Patent number: 7971058
    Abstract: Plaintext/cyphertext pairs are generated for use in authenticating a device. The device performs a secure authentication algorithm on a secure authentication image file and a received plaintext challenge, and outputs a cyphertext response. If the cyphertext response matches a pre-stored cyphertext string associated with the plaintext challenge, then the device is authenticated. A master processor manages the generation of the plaintext/cyphertext pairs. Plaintext challenges are generated in the master processor using a binary counter and an n-bit key. Each plaintext challenge is transmitted to a first processor and a second processor. The first processor executes the secure authentication algorithm on each plaintext challenge and outputs a cyphertext response associated with each plaintext challenge. The second processor executes the secure authentication algorithm on each plaintext challenge and outputs a second cyphertext response associated with each plaintext challenge.
    Type: Grant
    Filed: March 6, 2007
    Date of Patent: June 28, 2011
    Assignee: Kyocera Corporation
    Inventor: John P. Taylor
  • Patent number: 7966267
    Abstract: A method and system for authenticating an item by using a security marking. The security marking is provided on the item with an OVD ink capable of absorbing light in a visible wavelength range to appear visibly black and producing a red fluorescent emission under ultraviolet excitation. Under visible light illumination and ultraviolet excitation, a visible image and a fluorescent image are obtained from the security marking using image scanners. The images are compared to find a substantial match with each other. The security marking can be a postage indicium, a barcode, a symbol, a message or an image. The item to be authenticated can be a mailpiece, a banknote, a tag, a ticket, a document, an identification card, or the like.
    Type: Grant
    Filed: April 13, 2009
    Date of Patent: June 21, 2011
    Assignee: Pitney Bowes Inc.
    Inventors: Judith D. Auslander, Robert A Cordery, Claude Zeller
  • Patent number: 7962515
    Abstract: A system and method for logon access management that includes capturing a logon id and associated user data, the logon id allowing access to at least one of an application or data outside of an entity, automatically searching for a match of at least a portion of the user data with id data inside the entity, and transforming the logon id into a network id when a match is found. The entity may be a company, business, organization, system, or network.
    Type: Grant
    Filed: July 22, 2008
    Date of Patent: June 14, 2011
    Assignee: Bank of America Corporation
    Inventor: Stephen J. McWhirter
  • Patent number: 7962745
    Abstract: With each embodiment of the present invention, a content providing system comprises a content encrypting section which encrypts content by use of a session key and a header generating section which encrypts the session key by use of an encryption key in such a manner that the session key can be obtained by use of a decryption key assigned to a user system and generates header information including the encrypted session key and one or more values based on user identification information of each of the user systems that are permitted to obtain the session key. The content providing system transmits the encrypted content and the header information to each user system. Since the header information does not explicitly include user identification information of the user systems, information about whose decryption keys have been revoked is not leaked out in the black box tracing.
    Type: Grant
    Filed: June 18, 2009
    Date of Patent: June 14, 2011
    Assignee: Kabushiki Kaisha Toshiba
    Inventor: Tatsuyuki Matsushita
  • Patent number: 7962754
    Abstract: A cryptographic method and equipment decrypting a cryptographic key by generating an auxiliary code based on a randomly determined numeric key and including a result of encryption into a cryptogram. Upon decryption, the cryptographic key is restored using the numeric key restored according to the entire cryptogram. A cryptographic method and equipment scrambles and encrypts physical characteristic information, and descrambles a result of a decryption, thereby enabling any alteration to a cryptogram to be detected because even a minor alteration thereto changes the result of the decryption. A remote identification system encrypts physical characteristic information using a password as a cryptographic key, and fluctuation of the physical characteristic information, authenticating information represented as a different bit pattern at each identifying processing is generated and sent to a transmission medium.
    Type: Grant
    Filed: June 7, 2005
    Date of Patent: June 14, 2011
    Assignee: Fujitsu Limited
    Inventors: Yusaku Fujii, Takashi Shinzaki
  • Publication number: 20110138173
    Abstract: A sending apparatus includes an encryption unit and a sending unit. The encryption unit encrypts each of data packets on the basis of a frame number of a frame and a determined cryptographic key. The sending unit transmits a frame including the data packets encrypted. A receiving apparatus includes a receiving unit and a decoding unit. The receiving unit receives the frame. The decoding unit decodes each of the data packets on the basis of the frame number of the frame and a determined decoding key.
    Type: Application
    Filed: February 11, 2011
    Publication date: June 9, 2011
    Applicant: FUJITSU LIMITED
    Inventor: Masato OKUDA
  • Patent number: 7954144
    Abstract: Methods, signals, devices, and systems are provided for using proxy servers to transparently forward messages between clients and origin servers if, and only if, doing so does not violate network policies. In some systems, a transparent proxy uses a combination of standard-format HTTP commands, embedding auxiliary information in URLs and other tools and techniques to redirect an initial client request to one or more policy modules, such as a login server or an identity broker or an access control server. The policy module authenticates the request, and uses HTTP redirection to have the client transmit authorization data to the proxy. The proxy extracts the authorization data, directs the client to use a corresponding cookie, and subsequently provides the implicitly requested proxy services to the client in response to the client's subsequently providing the authorization data in a cookie.
    Type: Grant
    Filed: January 18, 2000
    Date of Patent: May 31, 2011
    Assignee: Novell, Inc.
    Inventors: Hashem Mohammad Ebrahimi, Robert Drew Major
  • Patent number: 7953014
    Abstract: Network device testing equipment capable of testing network devices using small size packets and for a transferring ability and a filtering ability at a media speed is described. A configuration is adopted in which a Field Programmable Gate Array (FPGA) included in a transmitter or receiver on one or both of transmitting and receiving sides is connected directly to a physical layer chip of a network and computers on both the transmitting and receiving sides are connected thereto. Each of the FPGAs of the transmitter and receiver has a circuit which has an integrated function of transmitting a packet pattern generation function and a packet-receiving function, thereby enabling a test and an inspection in real time. When inspecting the filtering function, a hash table storing therein a hash value and a list of occurrence frequencies for hash values is utilized.
    Type: Grant
    Filed: March 7, 2006
    Date of Patent: May 31, 2011
    Assignees: National Institute of Advanced Industrial Science and Technology, DUAXES Corporation, BITS Co., Ltd.
    Inventors: Kenji Toda, Toshihiro Katashita, Kazumi Sakamaki, Takeshi Inui, Mitsugu Nagoya, Yasunori Terashima
  • Patent number: 7954163
    Abstract: A method and apparatus for providing network security using role-based access control is disclosed. A network device implementing such a method can include, for example, an access control list. Such an access control list includes an access control list entry, which, in turn, includes a user group field. Alternatively, a network device implementing such a method can include, for example, a forwarding table that includes a plurality of forwarding table entries. In such a case, at least one of the forwarding table entries includes a user group field.
    Type: Grant
    Filed: May 5, 2009
    Date of Patent: May 31, 2011
    Assignee: Cisco Technology, Inc.
    Inventor: Michael R. Smith
  • Patent number: 7949867
    Abstract: There are disclosed processes and systems for establishing secure communication channels between computing devices. The computing devices include respective agents which verify the relative identity of one another and thereby authenticate the communication channel. The agents continue to play a role in the communications to ensure that the communication channel is secure.
    Type: Grant
    Filed: December 14, 2006
    Date of Patent: May 24, 2011
    Assignee: REL-ID Technologies, Inc.
    Inventors: Sanjay Deshpande, Ganapathy Nanjundeshwar, Pat Sankar
  • Patent number: 7949869
    Abstract: There are disclosed a method, computing device, and storage medium for establishing relative identity between a first agent on a first computing device and a second agent on a second computing device. An absolute key and a partial relative key may be generated for the first agent, wherein the absolute key and the partial relative key define a relative identity of the first agent, wherein the relative identity is unique for a relationship between the first agent and the second agent.
    Type: Grant
    Filed: January 15, 2010
    Date of Patent: May 24, 2011
    Assignee: REL-ID Technologies, Inc.
    Inventors: Sanjay Deshpande, Ganapathy Nanjundeshwar, Pat Shankar
  • Patent number: 7945788
    Abstract: A removable drive such as a USB drive or key is provided for connecting to computer devices to provide secure and portable data storage. The drive includes a drive manager adapted to be run by an operating system of the computer device. The drive manager receives a password, generates a random key based on the password, encrypts a user-selected data file in memory of the computer device using the key, and stores the encrypted file in the memory of the removable drive. The drive manager performs the encryption of the data file without corresponding encryption applications being previously loaded on the computer system. The drive manager may include an Advanced Encryption Standard (AES) cryptography algorithm. The drive manager generates a user interface that allows a user to enter passwords, select files for encryption and decryption, and create folders for storing the encrypted files on the removable drive.
    Type: Grant
    Filed: May 2, 2006
    Date of Patent: May 17, 2011
    Assignee: Strong Bear L.L.C.
    Inventors: Rodney B. Roberts, Ronald B. Gardner
  • Patent number: 7945957
    Abstract: A method, apparatus and program product initiate generation of a metafile at a client computer. The metafile is evaluated at a network server for a potential viral risk. Program code executing at the server may correlate the evaluated potential risk to a risk level stored in a database. The program code may attach a color designator or other assignment indicative of the assessed risk level to the data. A user at the client computer may act on the data based on the attached risk level.
    Type: Grant
    Filed: July 9, 2008
    Date of Patent: May 17, 2011
    Assignee: Trend Micro Incorporated
    Inventors: Richard Dean Dettinger, Frederick Allyn Kulack
  • Patent number: 7940928
    Abstract: A technique for integrating message authentication with encryption and decryption is disclosed. Intermediate internal states of the decryption operation are used to generate a validation code that can be used to detect manipulation of the encrypted data. The technique is optimized with respect to processing time, execution space for code and runtime data, and buffer usage. The technique is generally applicable to a variety of block ciphers, including TEA, Rijndael, DES, RC5, and RC6.
    Type: Grant
    Filed: February 29, 2008
    Date of Patent: May 10, 2011
    Assignee: Intertrust Technologies Corporation
    Inventor: W. Olin Sibert
  • Patent number: 7941673
    Abstract: An FPGA includes a plurality of configurable logic elements, a configuration circuit, a decryption circuit, and a fingerprint element. The fingerprint element generates a fingerprint that is indicative of inherent manufacturing process variations unique to the FPGA. The fingerprint is used as a key for an encryption system that protects against illegal use and/or copying of configuration data. In some embodiments, the propagation delays of various circuit elements formed on the FPGA are used to generate the fingerprint. In one embodiment, the specific frequency of an oscillator is used to generate the fingerprint. In some embodiments, a ratio of measurable values may be used to generate the fingerprint. In other embodiments, differences in transistor threshold voltages are used to generate the fingerprint. In still other embodiments, variations in line widths are used to generate the fingerprint.
    Type: Grant
    Filed: April 7, 2005
    Date of Patent: May 10, 2011
    Assignee: Xilinx, Inc.
    Inventor: Stephen M. Trimberger
  • Patent number: 7941579
    Abstract: A search-instruction-data creating unit issues a search request command to a peripheral device, and creates search instruction data including a predetermined field that stores supplementary information. A search-instruction-data transmitting unit transmits the search instruction data to the peripheral device. A security-reference-information transmitting unit transmits, to the peripheral device, security reference information serving as the supplementary information. A search-report-data generating unit generates search report data upon receiving the search instruction data. A search-report-data transmitting unit transmits the search report data to a host device. A supplementary-information extracting unit extracts the supplementary information from the predetermined field of the search instruction data.
    Type: Grant
    Filed: June 29, 2007
    Date of Patent: May 10, 2011
    Assignee: Brother Kogyo Kabushiki Kaisha
    Inventor: Fumitoshi Uno
  • Patent number: 7937581
    Abstract: The method and network ensure secure forwarding of a message in a telecommunication network that has at least one first terminal and another terminal. The first terminal moves from a first address to a second address. A secure connection between the first address of the first terminal and the other terminal defining at least the addresses of the two terminals is established. When the first terminal moves from the first address to a second address, the connection is changed to be between the second address and the other terminal by means of a request from the first terminal and preferably a reply back to the first terminal.
    Type: Grant
    Filed: September 16, 2009
    Date of Patent: May 3, 2011
    Assignee: MPH Technologies OY
    Inventors: Sami Vaarala, Antti Nuopponen
  • Patent number: 7937593
    Abstract: Systems and methods for storage device content authentication are provided. A system that verifies storage device content received from a storage device may comprise, for example, a security processor coupled to the storage device. The security processor may be adapted to receive a partitioned storage device region from the storage device. The partitioned storage device region may comprise, for example, regional content and first hashed regional content. The security processor may generate, for example, second hashed regional content by performing a hashing function on the regional content received by the security processor. The security processor may compare, for example, the first hashed regional content to the second hashed regional content. The security processor may verify the regional content received by the security processor if the first hashed regional content is the same as the second hashed regional content.
    Type: Grant
    Filed: August 6, 2004
    Date of Patent: May 3, 2011
    Assignee: Broadcom Corporation
    Inventors: Sherman (Xuemin) Chen, Steve W. Rodgers, Iue-Shuenn I. Chen, Francis Chi-Wai Cheung
  • Patent number: 7934105
    Abstract: A data transfer device for storing data to a removable data storage item, wherein data are received as records and encrypted by the data transfer device prior to storage. The data transfer device encrypts a first portion of the records using a first encryption key and a second portion of the records using a second encryption key. The encrypted records are then stored to the removable data storage item as a plurality of data blocks, each data block comprising one or more encrypted records, wherein records in a respective data block are encrypted using only a respective one of the encryption keys.
    Type: Grant
    Filed: July 26, 2006
    Date of Patent: April 26, 2011
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventor: Jonathan Peter Buckingham
  • Patent number: 7929959
    Abstract: Systems and methods for activating a mobile device for use with a service provider are described. In one exemplary method, a mobile device having a currently inserted SIM card may be prepared for activation using a signing process in which an activation server generates a signed activation ticket that uniquely corresponds to the combination of the device and SIM card, and that is securely stored on the mobile device. In another exemplary method the mobile device may be activated in an activation process in which the device verifies an activation ticket against information specific to the device and SIM card, and initiates activation when the verification of the activation ticket is successful.
    Type: Grant
    Filed: September 1, 2007
    Date of Patent: April 19, 2011
    Assignee: Apple Inc.
    Inventors: Dallas De Atley, Jeffrey Bush, Jerry Hauck, Ronald Keryuan Huang, Brainerd Sathianathan
  • Patent number: 7930548
    Abstract: To provide an image verification system which verifies whether image data has been altered. The image verification system has an image generation apparatus, a first verification apparatus, a second verification apparatus, etc. The image generation apparatus generates image data, a hash value of the image data, and first verification data for the image data. The first verification apparatus verifies whether the image data has been altered, by using the hash value and first verification data. The first verification apparatus generates second verification data (a digital signature) for the image data if the image data has not been altered. The second verification apparatus verifies whether the image data has been altered, by using the image data and second verification data.
    Type: Grant
    Filed: December 7, 2007
    Date of Patent: April 19, 2011
    Assignee: Canon Kabushiki Kaisha
    Inventor: Satoru Wakao
  • Patent number: 7926086
    Abstract: An access control mechanism is provided on a computing device to allow an application provider to set up a declarative security policy specific to an application module. When a runtime environment of the computing device receives a request from a second application instance in a second execution context to access a protected resource in a first application instance, the runtime environment invokes the access control mechanism to determine, based on a protection-domain-level domain security policy, whether the second application instance is allowed to access protected resources in the first execution context. If so, the runtime environment invokes the access control mechanism to determine, based on a declarative security policy for a first application module associated with the first application instance, whether the second application instance is allowed to access the protected resource. If so, the runtime environment allows the second application instance access to the protected resource requested.
    Type: Grant
    Filed: October 31, 2006
    Date of Patent: April 12, 2011
    Assignee: Oracle America, Inc.
    Inventors: Thierry P. Violleau, Tanjore Ravishankar, Matthew R. Hill
  • Patent number: 7926100
    Abstract: A method for preventing unauthorized connection in a network system mainly includes adding an authentication key in the LLDP (link layer discovery protocol) transmitted in accordance with the 802.1ab communication protocol so as to proceed with security mechanism under the structure of 802.1ab communication protocol. The method for preventing unauthorized connection includes receiving an LLDP packet satisfying the 802.1ab communication protocol transmitted from a second network device by a first network device in a network system; analyzing the LLDP packet and checking whether the LLDP packet contains a legitimate authentication key; and if the authentication key does not exist or is illegitimate, blocking all packets transmitted from the second network device so as to prevent the unauthorized second network device from using the network transmission service provided by the first network device.
    Type: Grant
    Filed: May 11, 2007
    Date of Patent: April 12, 2011
    Assignee: Cameo Communications Inc.
    Inventors: Shih Ching Lee, Pei Chuan Liu
  • Patent number: 7925747
    Abstract: A monitoring system is provided that allows owners of monitoring accounts to share web monitoring data collected under the direction of the monitoring account. Account owners are able to interact with the monitoring system to identify recipient accounts for shared web monitoring data and apply permissions at a granular level so that portions of monitored data can be shared with varying permission levels. Grouping can also be employed by an account owner to facilitate efficient sharing of monitoring data to many recipient accounts. The monitoring system also provides analysis utilities that can be used by a recipient account to aggregate shared with owned data and generate related reports as desired.
    Type: Grant
    Filed: October 17, 2008
    Date of Patent: April 12, 2011
    Assignee: NeuStar, Inc.
    Inventors: Peter Kirwan, Rares Saftoiu, Lenny Rachitsky, Tim Drees, Brian Kwok-Leung Tsui