Data Authentication Patents (Class 713/161)
  • Patent number: 8676998
    Abstract: A client-server communication protocol permits the server to authenticate the client without requiring the client to authenticate the server. After establishing the half-authenticated connection, the client transmits a request and the server performs or responds accordingly. A network management system and environment where this protocol can be used is also described and claimed.
    Type: Grant
    Filed: November 29, 2007
    Date of Patent: March 18, 2014
    Assignee: Red Hat, Inc.
    Inventor: James P. Schneider
  • Patent number: 8670566
    Abstract: Systems and methods for providing additional security for data being transmitted across a wireless connection that has been established using a known wireless protocol (e.g. Bluetooth) are described. An encryption key is exchanged between a computing device (e.g. a mobile device) and a wireless peripheral output device (e.g. a printer, a headset). In some embodiments, the encryption key is generated at the peripheral output device. Data associated with the encryption key is output at the peripheral output device, which can be input by the user at the computing device. The encryption key is then recovered at the computing device from the input, thereby completing the key exchange. The encryption key can then be used to encrypt and decrypt data transmitted over the established wireless connection, providing additional security.
    Type: Grant
    Filed: May 12, 2006
    Date of Patent: March 11, 2014
    Assignee: BlackBerry Limited
    Inventors: Michael G. Kirkup, Michael K. Brown, Michael S. Brown
  • Patent number: 8666072
    Abstract: This method of receiving a multimedia signal scrambled by means of a control word uses a first cryptographic entity that can be connected to any one of P second cryptographic entities to form part of a device for receiving the scrambled multimedia signal. Only second cryptographic entities of a group of N second cryptographic entities selected from a wider set of P second cryptographic entities use a session key obtained by diversifying a root key identical to the root key used to obtain the session key of the first cryptographic entity.
    Type: Grant
    Filed: February 14, 2006
    Date of Patent: March 4, 2014
    Assignee: Viaccess
    Inventors: Bruno Tronel, Franck Baudot
  • Patent number: 8667576
    Abstract: A computer system is provided comprising a non-volatile storage medium and a processor. The processor acquires authentication information from a first removable storage device, stores the authentication information into the non-volatile storage medium, and forbids data access of the computer system when detecting that a second removable storage device has been inserted and identification data of the second removable storage device is different from the authentication information.
    Type: Grant
    Filed: May 27, 2008
    Date of Patent: March 4, 2014
    Assignee: Silicon Motion, Inc.
    Inventors: Yi-Shen Lin, Chang-Hao Chiang
  • Patent number: 8667268
    Abstract: Web-based authentication includes receiving a packet in a network switch having at least one associative store configured to forward packet traffic to a first one or more processors of the switch that are dedicated to cryptographic processing if a destination port of the packet indicates a secure transport protocol, and to a second one or more processors of the switch that are not dedicated to cryptographic processing if the destination port does not indicate a secure transport protocol. If a source of the packet is an authenticated user, the packet is forwarded via an output port of the switch, based on the associative store. If the source is an unauthenticated user, the packet is forwarded to the first one or more processors if the destination port indicates a secure transport protocol, and to the second one or more processors if the destination port does not indicate a secure transport protocol.
    Type: Grant
    Filed: May 1, 2012
    Date of Patent: March 4, 2014
    Assignee: Foundry Networks, LLC
    Inventors: Yan-Zhe Wang, Sean Hou, Sridhar Devarapalli, Louis Yun
  • Patent number: 8661536
    Abstract: A method described herein includes acts of executing a cryptographic function over input data utilizing a processor on a computing device and generating a data packet that indicates how the cryptographic function interacts with hardware of the computing device, wherein the hardware of the computing device comprises the processor. The method also includes acts of analyzing the data packet, and generating an indication of security of the cryptographic function with respect to at least one side channel attack based at least in part upon the analyzing of the data packet.
    Type: Grant
    Filed: March 17, 2010
    Date of Patent: February 25, 2014
    Assignee: Microsoft Corporation
    Inventors: Daniel Bakalars Shumow, Peter L. Montgomery
  • Patent number: 8661525
    Abstract: An implementation method and system of a virtual private network (VPN) are provided in the invention, wherein, the VPN dedicated mapping table of the VPN is stored in the mapping plane in the identity and location separation network, and it is determined whether to achieve the communication between the VPN end host users in the VPN or not according to the VPN dedicated mapping table, thereby the VPN is efficiently achieved in the identity and location separation network, meeting the user requirements for the VPN, eliminating the influence of the identity and location separation technical solution on the traditional VPN service, and reducing the changes on the existing devices and software tools due to the implementation of VPN.
    Type: Grant
    Filed: September 10, 2010
    Date of Patent: February 25, 2014
    Assignee: ZTE Corporation
    Inventors: Xiangbiao Yan, Yizhou Sun
  • Patent number: 8661556
    Abstract: A method and apparatus for providing network security using role-based access control is disclosed. A network device implementing such a method can include, for example, an access control list. Such an access control list includes an access control list entry, which, in turn, includes a user group field. Alternatively, a network device implementing such a method can include, for example, a forwarding table that includes a plurality of forwarding table entries. In such a case, at least one of the forwarding table entries includes a user group field.
    Type: Grant
    Filed: May 27, 2011
    Date of Patent: February 25, 2014
    Assignee: Cisco Technology, Inc.
    Inventor: Michael R. Smith
  • Patent number: 8656166
    Abstract: Data is transmitted between a first user and a second user via an information technology communications network, in a method comprising the steps of: generating a first hash value for a selected one of the data items; digitally signing and encrypting the first hash value with a secret identifier associated with the first user; transmitting to a second user the encrypted first hash value; receiving and storing the transmitted encrypted first hash value for audit purposes and generating a second hash value for the received encrypted first hash value; encrypting the second hash value with a private identifier associated with a second user and a public identifier associated with the first user; and returning the encrypted second hash value to the first user.
    Type: Grant
    Filed: June 12, 2012
    Date of Patent: February 18, 2014
    Assignee: The Ascent Group Ltd.
    Inventor: Michael Jacobs
  • Patent number: 8655318
    Abstract: A mobile node and its home system generate synchronized time-based codes at periodic time intervals. Each time-based code is valid for a predetermined time period. To facilitate anonymous operation when roaming, the mobile node identifies itself with a coded identifier instead of a public identifier. The coded identifier used at a given time includes the time-based code that is valid for that given time. To authenticate the mobile node, a serving system receives authentication information from the mobile node and forwards the authentication information to a home system. The authentication information includes the current time-based code and a timestamp. The home system identifies the mobile node from the current time-based code and the timestamp. The home system then uses the authentication information to authenticate the mobile node.
    Type: Grant
    Filed: March 27, 2013
    Date of Patent: February 18, 2014
    Assignee: Sprint Spectrum L.P.
    Inventors: Tong Zhou, George Jason Schnellbacher
  • Patent number: 8654675
    Abstract: An interface detection device in electronic communication with a network tester to receive network packets includes a plurality of local area network (LAN) interfaces, a signal control unit and a path distribution unit. The LAN interfaces are in electronic communication with the network tester and are electrically connected in pairs. The signal control unit provides preset test data for the LAN interfaces and controls the LAN interfaces to generate corresponding verification data. The signal control unit compares the verification data with the test data, and controls the path distribution unit to automatically figure out corresponding transmission paths. The LAN interfaces are electronically communicating with each other through the connected LAN interfaces and the transmission paths to transfer the network packets.
    Type: Grant
    Filed: August 30, 2011
    Date of Patent: February 18, 2014
    Assignee: Hon Hai Precision Industry Co., Ltd.
    Inventor: Chun-Chi Lee
  • Patent number: 8638762
    Abstract: A technique for maintaining network integrity is disclosed. A system according to the technique may include a wired network, a switch, and a wireless access point. The switch can be coupled to the wired network and the wireless access point can be coupled to the switch. The system may further include a forwarding database that stores a MAC address for a plurality of devices seen by the switch on the wired network. A method according to the technique may involve detecting identifying information of a device by a wireless access point. The identifying information can be compared with the MAC addresses in a forwarding database. If the device is unknown, the unknown device can be classified as rogue and countermeasures can be taken against the rogue device.
    Type: Grant
    Filed: February 8, 2006
    Date of Patent: January 28, 2014
    Assignee: Trapeze Networks, Inc.
    Inventor: Manish Tiwari
  • Patent number: 8639930
    Abstract: Some embodiments provide a verification system for automated verification of entities. The verification system automatedly verifies entities using a two part verification campaign. One part verifies that the entity is the true owner of the entity account to be verified. This verification step involves (1) the entity receiving a verification code at the entity account and returning the verification code to the verification system, (2) the entity associating an account that it has registered at a service provider to an account that the verification system has registered at the service provider, or (3) both. Another part verifies the entity can respond to communications that are sent to methods of contact that have been previously verified as belonging to the entity. The verification system submits a first communication with a code using a verified method of contact. The verification system then monitors for a second communication to be returned with the code.
    Type: Grant
    Filed: November 7, 2011
    Date of Patent: January 28, 2014
    Assignee: Credibility Corp.
    Inventors: Jeffrey M. Stibel, Aaron B. Stibel, Peter Delgrosso, Shailen Mistry, Bryan Mierke, Paul Servino, Charles Chi Thoi Le, David Lo, David Allen Lyon
  • Patent number: 8640216
    Abstract: The present solution described herein is directed towards systems and methods to prevent cross-site request forgeries based on web form verification using unique identifiers. The present solution tags each form from a server that is served out in the response with a unique and unpredictable identifier. When the form is posted, the present solution enforces that the identifier being returned is the same as the one that was served out to the user. This prevents malicious unauthorized third party users from submitting a form on a user's behalf since they cannot guess the value of this unique identifier that was inserted.
    Type: Grant
    Filed: December 23, 2009
    Date of Patent: January 28, 2014
    Assignee: Citrix Systems, Inc.
    Inventors: Craig Anderson, Anoop Reddy, Yariv Keinan
  • Patent number: 8640219
    Abstract: A method for enabling access to digital rights managed (DRM) content from a server to a portable playback device using a device that functions as a proxy for enabling communication between the server and the portable playback device. The method provides for establishing a connection with a device capable of operating as a gateway device for passing data between the portable playback device and the server, requesting that the device establish a connection with the server and operate as a proxy for enabling data exchange between the portable playback device and the server, sending to the server, upon establishing the connection with the server via the device operating as a proxy, data indicating DRM solutions supported by the portable playback device, and a list comprising requested DRM content to be downloaded to the portable playback device, and receiving from the server, via the device operating as a proxy, the requested DRM content and DRM rules associated with the received content.
    Type: Grant
    Filed: June 23, 2005
    Date of Patent: January 28, 2014
    Assignee: Thomson Licensing
    Inventors: Junbiao Zhang, Kumar Ramaswamy, Jeffrey Allen Cooper
  • Patent number: 8635352
    Abstract: A method for symmetric receive-side scaling (RSS) in a network device having an ingress side RSS router and an egress side RSS router and a plurality of queues for handling packets. The method comprises identifying an internet protocol (IP) version being used for the network. The transport layer headers (TLHs) existence status is identified. A secret key by each of the egress side RSS router and the ingress side RSS router is identified. The key is based on the identification of the IP version and the TLHs existence status. The secret key ensures that packets sent from a source to a destination and packets sent from the destination to the source are routed by the egress side RSS router and the ingress side RSS router to a common queue among the plurality of queues. The secret key is stored at a storage in the network device. The secret key is used by the ingress side RSS router and the egress side RSS router for routing packets.
    Type: Grant
    Filed: February 22, 2011
    Date of Patent: January 21, 2014
    Assignee: Qwilt, Inc.
    Inventor: Oren Shemesh
  • Patent number: 8630420
    Abstract: A method for generating a network address in a communication network includes at least one user equipment and a network equipment. The method includes: a) providing a same shared secret key both at the at least one user equipment and at the network equipment; and b) generating at least a portion of the network address at the at least one user equipment and at the network equipment based upon at least the shared secret key.
    Type: Grant
    Filed: May 31, 2005
    Date of Patent: January 14, 2014
    Assignee: Telecom Italia S.p.A.
    Inventors: Maria Pia Galante, Luca Dell'Uomo, Andrea Calvi
  • Patent number: 8625126
    Abstract: An output job in an image forming apparatus not connected to a network is managed. To accomplish this, an image forming apparatus in an image forming system includes an input unit which inputs document data stored in a recording medium, a verification unit which verifies the validity of the document data on the basis of verification information associated with the input document data, an output unit which forms and outputs an image on a print medium on the basis of the document data, and an output log storing control unit which, when it is determined that the document data is valid, stores, in the recording medium, output log information containing no output image, and when it is determined that the document data is invalid, stores output log information containing the output image in the recording medium.
    Type: Grant
    Filed: November 3, 2008
    Date of Patent: January 7, 2014
    Assignee: Canon Kabushiki Kaisha
    Inventor: Hiroshi Yasuhara
  • Patent number: 8625778
    Abstract: A method of authentication and an image display apparatus incorporating the method are provided. The method of authentication includes determining whether or not an error is generated in an authentication with an externally-connected multimedia source, and upon determination that the authentication error is generated, changing a reset signal to re-attempt the authentication and output to the multimedia source. As a result, successful High Bandwidth Digital Content Protection (HDCP) authentication can be provided at all times.
    Type: Grant
    Filed: April 19, 2007
    Date of Patent: January 7, 2014
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Jae-woong Jung, Ho Lee
  • Patent number: 8621559
    Abstract: Methods and systems for managing data communications are described. The method includes receiving a data communication; analyzing the data communication to determine a particular type of sender or recipient activity associated with the data communication based at least in part on an application of a plurality of tests to the data communication; assigning a total risk level to the data communication based at least in part on one or more risks associated with the particular type of sender or recipient activity and a tolerance for each of the one or more risks; comparing the total risk level assigned to the data communication with a maximum total acceptable level of risk; and allowing the data communication to be delivered to a recipient in response to the comparison indicating that the total risk level assigned to the data communication does not exceed the maximum total acceptable level of risk.
    Type: Grant
    Filed: May 1, 2012
    Date of Patent: December 31, 2013
    Assignee: McAfee, Inc.
    Inventors: Dmitri Alperovitch, Paula Greve, Sven Krasser, Tomo Foote-Lennox
  • Patent number: 8621577
    Abstract: A method and apparatus for performing a multiple Pre-Shared Key (PSK) based authentication in a single procedure is described, where the multiple PSK based authentication generates a combined credential in a terminal by using a plurality of credentials including a user identifier and the PSK, and authenticates the terminal in an authentication server by using the combined credential.
    Type: Grant
    Filed: August 10, 2006
    Date of Patent: December 31, 2013
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Jin-Hyeock Choi, Emin Yegin Alper, Jun-Hyuk Song, Ji-Cheol Lee
  • Patent number: 8615655
    Abstract: Methods including the steps of: upon sending an IP packet, obtaining, by a sender, a sender identity for a sender of the packet; securely tagging, by a sender, the packet with the sender identity, the packet having a plurality of fixed-length fields concatenated into a single fixed-length virtual field shared between a cryptographic hash and an identity index for supporting multiple distinct identities residing on an IP endpoint; determining, by a receiver, the sender identity by extracting it from the packet; checking, by the receiver, the packet to ensure the packet has been appropriately tagged; and enforcing a security policy, by the receiver, according to the sender identity. Preferably, the step of obtaining includes: accessing, by the sender, a server for obtaining the sender identity; and associating, by the server, the sender identity with the endpoint. Most preferably, the associating is performed using a prefix code for encoding the identities.
    Type: Grant
    Filed: January 22, 2009
    Date of Patent: December 24, 2013
    Assignee: Check Point Software Technologies, Ltd.
    Inventor: Avi Shua
  • Patent number: 8615809
    Abstract: A web site can be authenticated by a third party authentication service. A user designates an authentication device that is a shared secret between the user and the authentication service. A web site page includes a URL that points to the authentication service. The URL includes a digital signature by the web site. When the user receives the page, the user's browser issues a request to the authentication service, which attempts to authenticate the digital signature. If the authentication is successful, it sends the authentication device to the user computer.
    Type: Grant
    Filed: November 10, 2011
    Date of Patent: December 24, 2013
    Assignee: Symantec Corporation
    Inventors: Siddharth Bajaj, Roxana Alina Bradescu, Jeffrey Burstein, David M'Raihi, Nicolas Popp
  • Patent number: 8615658
    Abstract: Utilizing the AAA infrastructure to dynamically allocate the various parameters needed to establish the security association between the Foreign Agent and the Home Agent. The present invention uses the AAA server as a central entity to dynamically generate and distribute the chosen security association parameters needed to support the Foreign Agent and Home Agent security association based on a request from the Foreign Agent. The AAA server can also dynamically assign a unique SPI value to the Foreign Agent and Home Agent pairs. The various parameters that can be allocated in the present invention include a FA-HA shared secret key or a public/private key pair, an authentication algorithm and mode, a FA-HA secret key lifetime, and security parameter index or security index values. The present invention also can assist in making sure that the Foreign Agent and the Home Agent stay synchronized with respect to their security association.
    Type: Grant
    Filed: January 17, 2013
    Date of Patent: December 24, 2013
    Assignee: Apple Inc.
    Inventors: Ahmad Muhanna, Mohamed Khalil
  • Patent number: 8613065
    Abstract: This invention relates to a method and a system for generating user passcodes for each of a plurality of transaction providers from a mobile user device. A method and system for activating a plurality of passcode generators on a user device configured with a passcode application installed on the user device is provided. Each of the passcode generators may correspond to a different user account or transaction provider, such that each passcode generator provides a user passcode configured for the corresponding account or transaction provider. One or more of the passcode generators may include a passcode generating algorithm and a passcode key. Access to one or more of the passcode generators may require providing a PIN or a challenge.
    Type: Grant
    Filed: February 4, 2011
    Date of Patent: December 17, 2013
    Assignee: CA, Inc.
    Inventors: Geoffrey Hird, Rammohan Varadarajan, James D. Reno
  • Patent number: 8612773
    Abstract: A network based installation management system that dynamically manages secure software installation on a client. The server is configured to determine the software required and prepare an appropriate response containing the list of software and an information file containing the respective attributes of the list of software. The server encodes this response and the encoded response is transmitted to the client. The client on receiving the response is configured to authenticate the response and install the encoded response after authentication. Highly accurate and reliable software installation using the network based installation management system may be achieved using a respective hardware element on the client and the server, which is configured to encode and decode a request and/or response suitably thereby providing a high level of security and trust in an un-trusted network environment.
    Type: Grant
    Filed: May 3, 2007
    Date of Patent: December 17, 2013
    Assignee: International Business Machines Corporation
    Inventors: Pruthvi Panyam Nataraj, Bipin Tomar, Arun Prasath Anbalagan, Eduardo Lazaro Reyes
  • Patent number: 8612751
    Abstract: In one embodiment, a method for securely transferring entitled data from one or more devices in a customer's network to a vendor's network via a public network is described. The data is obtained from a collection module communicatively coupled to the devices. The obtained data is transformed into a format that is recognized by a backend server present in the vendor's network. The transformed data is then assorted by associating the transformed data with corresponding one or more devices. Finally, the assorted data is then encrypted and sent to the backend server securely via the public network along with entitlement attributes corresponding to the one or more devices.
    Type: Grant
    Filed: August 20, 2008
    Date of Patent: December 17, 2013
    Assignee: Cisco Technology, Inc.
    Inventors: Ammar Rayes, Subrata Dasgupta, Tom Deckers, Venkataraman Sivasankaran
  • Patent number: 8607324
    Abstract: Systems, methods and computer readable media are disclosed for a trusted proxy to intercept communications between an untrusted computerized gaming system and an online multi-player gaming service that requires games to be trusted, allowing the untrusted computerized gaming system to use the multi-player gaming service. In addition to allowing the untrusted computerized gaming system to use the multi-player gaming service in general, the trusted proxy can also limit the extent of the interaction between the untrusted computerized gaming system and the multi-player gaming service.
    Type: Grant
    Filed: January 15, 2008
    Date of Patent: December 10, 2013
    Assignee: Microsoft Corporation
    Inventors: Shawn Hargreaves, John Mitchell Walker, Richard A. Meyer
  • Patent number: 8605296
    Abstract: A digital signature system and method are disclosed. The digital signature system may include a remote certificate server for storing and maintaining at least one digital certificate of a user by a service provider and a digital signature printer driver loaded on the user's computer for communicating with the service provider via a network, such as the Internet. The digital signature printer driver may obtain verification of the user's identity from the service provider via the network and electronically place on a printable document a digital signature of the user based on the remotely stored digital certificate. The system may further include a remote storage server for storing a digital copy of the digitally signed document. The digital signature may include a unique identifier for subsequent validation of the digital signature by the service provider.
    Type: Grant
    Filed: May 28, 2010
    Date of Patent: December 10, 2013
    Assignee: SecureCare Technologies, Inc.
    Inventors: Eugene L. Fry, Aleksander Roman Szymanski, Dennis J. Nasto, David D. Vineyard
  • Patent number: 8601548
    Abstract: Upon receiving an account creation request from a client, the server determines a count of new account requests, each having a respective password, received during a predefined time period, that satisfy a requirement that the respective password is a function of the password in the received account creation request, and determines a popularity value associated with the password. The server associates a spam score, based at least in part on the count and the popularity value, with the account creation request, and compares the spam score with certain predefined thresholds. If the spam score is above a first threshold, the server may refuse the account creation request. If the spam score is within a certain range, the server may limit the access to the account associated with the account creation request. If the spam score is below a second threshold, the server may enable normal use of the account.
    Type: Grant
    Filed: December 28, 2009
    Date of Patent: December 3, 2013
    Assignee: Google Inc.
    Inventor: Honghai Shen
  • Patent number: 8601547
    Abstract: A computer implemented method for detecting and preventing spam account generation is disclosed. Upon receiving an account creation request from a client, the server analyzes the request and associates a spam score with the account creation request, based at least in part on a number of new account requests associated with the cookie received during a predefined time period, and compares the spam score with certain predefined thresholds. If the spam score is above a first threshold, the server may refuse the account creation request. If the spam score is within a certain range, the server may limit the access to the account associated with the account creation request. If the spam score is below a second threshold, the server may put no limit on access to (i.e., enable normal use of) the account.
    Type: Grant
    Filed: December 28, 2009
    Date of Patent: December 3, 2013
    Assignee: Google Inc.
    Inventor: HongHai Shen
  • Patent number: 8589590
    Abstract: A method and system are provided to select address providers that provide mobile internet protocol devices with addresses for communication. An embodiment of the method includes obtaining an address request having a dynamic indicator. Upon obtaining an address request with a dynamic indicator, associating the dynamic indicator with one or more address providers based on the dynamic indicator. The address request is then communicated to one of the address providers associated with the dynamic indicator.
    Type: Grant
    Filed: September 10, 2007
    Date of Patent: November 19, 2013
    Assignee: Sprint Communications Company L.P.
    Inventors: Jeremy R. Breau, Ray R. Doerr, John E. Belser, Gary Rieschick
  • Patent number: 8588417
    Abstract: Systems and methods for broadcast and multicast retransmissions within a protected wireless communications system are described. Retransmitted broadcast or multicast frames are designated by modification of fields or subfields in the MAC header of the frame which are constituent parts of the additional authentication data used to generate encryption keys. Such modifications cause legacy receivers to disregard the retransmitted frames or render legacy receivers to be unable to decrypt the retransmitted frame, avoiding the generation of duplicate frames. Non-legacy receivers recognizing the modification conventions can restore the MAC header to the original state and can reconstruct the original encryption keys and decrypt the retransmitted frames. A non-legacy transmitter can retransmit a frame without the need to re-encrypt the frame.
    Type: Grant
    Filed: April 18, 2008
    Date of Patent: November 19, 2013
    Assignee: Conexant Systems, Inc.
    Inventor: Maarten Menzo Wentink
  • Patent number: 8590055
    Abstract: A digital content protection apparatus and method for digital rights management (DRM) are provided in which a content file including a plurality of content parts is imported such that a header is included which stores location information required for decoding each of the content parts. Therefore, the number of content parts constituting the content file can be recognized, and a license that is required for the use of each of the content parts can be acquired by analyzing header information without necessitating the parsing of the transport packets of the content file. Accordingly, preparation time for using content can be reduced.
    Type: Grant
    Filed: April 24, 2007
    Date of Patent: November 19, 2013
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Young-sun Yoon, Bong-seon Kim
  • Patent number: 8583913
    Abstract: External network connectivity of an internal host can be measured by giving an external computer a payload identifying the internal host and instructions to deliver the payload to an external host. The external host may receive the payload and contact the internal host. The internal host's response and receipt of the payload may then determine the Internet connectivity of the internal host. The path from the computer through the trusted host to the internal server shows external network connectivity without exposing the internal host to the external network directly.
    Type: Grant
    Filed: September 14, 2011
    Date of Patent: November 12, 2013
    Assignee: Amazon Technologies, Inc.
    Inventor: Jacob Gabrielson
  • Patent number: 8582144
    Abstract: In an external authentication system for a multifunction printer according to the present invention, a USB device management section, according to an instruction from a USB device management section instructing section, (i) performs a virtualization process for virtually connecting an information processing device to a user information reading device which is locally connected to a multifunction printer, (ii) manages a status of the connection between the information processing device and the user information reading device; and a multifunction printer association management section associates the multifunction printer controlled by the information processing device with the user information reading device which is locally connected to the multifunction printer.
    Type: Grant
    Filed: April 21, 2009
    Date of Patent: November 12, 2013
    Assignee: Sharp Kabushiki Kaisha
    Inventor: Kunihiko Tsujimoto
  • Patent number: 8583929
    Abstract: Methods are provided for securely transmitting a packet between endpoints of a network. In one aspect, there is provided a method for establishing an end-to-end key using extant hop-by-hop security associations. In a second aspect, there is provided a method in which a packet-specific encryption key PEK is used to encrypt a packet p. A signature of the key PEK is independently computed at each of two nodes, using an integrity key shared by the two nodes. The signature is sent from one of the two nodes to the other in association with the packet p. The receiving node uses the signature to verify that the packet p was originated by an entity having possession of the PEK.
    Type: Grant
    Filed: May 26, 2006
    Date of Patent: November 12, 2013
    Assignee: Alcatel Lucent
    Inventors: Sarvar Patel, Ganapathy Subramanian Sundaram
  • Patent number: 8578170
    Abstract: Systems, devices, and methods for modifying a signed bundle and verifying the modified bundle are disclosed. A signed bundle may be modified by removing a file specified in a server file list from a plurality of files in the bundle. The signed bundle comprises a catalog of files in the signed bundle and their associated hashes. The modified bundle includes the remaining files of the signed bundle that are not specified in the server file list, the catalog file of the signed bundle, and the catalog signature of the signed bundle. The modified bundle may be verified by verifying the catalog signature of the modified signed bundle, and checking that the files specified in the catalog are either in the modified signed bundle or specified in the server file list. The hashes of the files in the modified signed bundle may also be checked to verify the modified signed bundle.
    Type: Grant
    Filed: June 5, 2012
    Date of Patent: November 5, 2013
    Assignee: BlackBerry Limited
    Inventors: Alexander Sherkin, Michael Stephen Brown
  • Patent number: 8577024
    Abstract: An apparatus generally having a first circuit and a second circuit is disclosed. The first circuit may be configured to (i) divide a plain text into at least three input blocks and (ii) generate at least three scrambled blocks by scrambling the input blocks using a first cipher process. The first cipher process may be configured such that a first of the input blocks does not affect the generation of a last scrambled block. The second circuit may be configured to (i) generate at least three output blocks by de-scrambling the scrambled blocks using a second cipher process and (ii) reconstruct the plain text from the output blocks. The second cipher process may be configured such that a first of the scrambled blocks affects the generation of all of the output blocks.
    Type: Grant
    Filed: July 28, 2009
    Date of Patent: November 5, 2013
    Assignee: VIXS Systems, Inc
    Inventors: Paul D. Ducharme, Weiguo Jao
  • Patent number: 8578508
    Abstract: An information processing apparatus includes: a data processing unit that acquires content codes including a data processing program recorded in an information recording medium and executes data processing according to the content codes; and a memory that stores an apparatus certificate including an apparatus identifier of the information processing apparatus. The data processing unit is configured to execute an apparatus checking process applying the apparatus certificate stored in the memory on the basis of a code for apparatus checking process included in the content codes, acquire the apparatus identifier recorded in the apparatus certificate after the apparatus checking process, and execute data processing applying content codes corresponding to the acquired apparatus identifier.
    Type: Grant
    Filed: September 2, 2010
    Date of Patent: November 5, 2013
    Assignee: Sony Corporation
    Inventor: Yoshikazu Takashima
  • Publication number: 20130290707
    Abstract: A data delivery system is disclosed in this specification. The system implements an authentication process that verifies data recipients using anonymised geospatial references. Verifying information for each user is stored in client accounts. A server system uses the information to process data requests and generate verification tags for data deliveries. The verification tags include an irreversible encoding of a delivery reference for receipt of a data delivery. Recipient client systems implement a compatible encoding process to generate a delivery authentication tag. The encoded authentication tags are compared to corresponding verification tags to validate data deliveries based on the location of the client system.
    Type: Application
    Filed: March 15, 2013
    Publication date: October 31, 2013
    Inventors: Matthew Frazer Sinclair, Andrew Randle McDonald, Benjamin Roy Forrest
  • Patent number: 8572372
    Abstract: Users of mobile terminals in a communication network are provided controlled access to files in a file system through the steps of configuring the files as a file body containing a file content and a file header containing content profile information; providing a security identity module and a secure agent; storing in the security identity module user profile information identifying a set of content profiles allowed for access to the file system; extracting, via the secure agent, the content profile information from the headers of the files; retrieving, via the secure agent, the user profile information stored in the security identity module; checking the user profile information and the content profile information; and providing the user with access to those files in the file system for which the user profile information and the content profile information are found to match.
    Type: Grant
    Filed: October 18, 2005
    Date of Patent: October 29, 2013
    Assignee: Telecom Italia S.p.A.
    Inventors: Antonio Varriale, Laura Colazzo, Alberto Bianco, Maura Turolla
  • Patent number: 8560845
    Abstract: Disclosed herein are systems, methods, and non-transitory computer-readable storage media for booting a computing device having an encrypted storage medium using full disk encryption, referred to as tamper-resistant boot. The system retrieves a kernel cache and a kernel cache digest from an unencrypted storage medium and verifies the authenticity of the kernel cache based on the credentials and the kernel cache digest. Initiation and execution of the operating system is performed if the kernel cache is authentic. In one embodiment, the system verifies the authenticity of a request to disable tamper-resistant booting by utilizing a password verifier and a password proof.
    Type: Grant
    Filed: January 14, 2011
    Date of Patent: October 15, 2013
    Assignee: Apple Inc.
    Inventors: Ivan Krstić, Joel Even
  • Patent number: 8556728
    Abstract: A method and apparatus is disclosed that documents and authenticates cap removal data. According to a first aspect of the present invention, the apparatus measures a parameter indicative of the number of times that a cap has been removed by a user. The apparatus also encodes at least the parameter indicative of the cap removal data, thereby deriving encoded cap removal data. The apparatus outputs the encoded cap removal data to a user. According to a second aspect of the present invention, another apparatus receives the encoded cap removal data and decodes it to authenticate the cap removal data. According to a third aspect of the present invention, a medicine container is operable to output a result of a game based on cap removal data associated with the medicine container.
    Type: Grant
    Filed: June 14, 2006
    Date of Patent: October 15, 2013
    Inventors: Jay S. Walker, James A. Jorasch, John M. Packes, Jr., Robert C. Tedesco
  • Patent number: 8560841
    Abstract: An authentication mechanism for use in network-based services generates an authentication token. The authentication token is provided to a client device as part of the code comprising a content page. The content page code is received and loaded by a browser application at the client device. When the content page code is received and loaded by the browser application, the authentication token is loaded by the browser as well. Upon receiving subsequent input, the browser application may send a content request to the server. The content request includes the authentication token maintained by the browser application in the content page. A server may validate the authentication token provided in the request using version information and one or more master authentication tokens.
    Type: Grant
    Filed: March 1, 2010
    Date of Patent: October 15, 2013
    Assignee: Microsoft Corporation
    Inventors: Andy Chin, Alina Vikutan, Johnny C. Liu
  • Patent number: 8555400
    Abstract: A private stream aggregation (PSA) system contributes a user's data to a data aggregator without compromising the user's privacy. The system can begin by determining a private key for a local user in a set of users, wherein the sum of the private keys associated with the set of users and the data aggregator is equal to zero. The system also selects a set of data values associated with the local user. Then, the system encrypts individual data values in the set based in part on the private key to produce a set of encrypted data values, thereby allowing the data aggregator to decrypt an aggregate value across the set of users without decrypting individual data values associated with the set of users, and without interacting with the set of users while decrypting the aggregate value. The system also sends the set of encrypted data values to the data aggregator.
    Type: Grant
    Filed: February 4, 2011
    Date of Patent: October 8, 2013
    Assignee: Palo Alto Research Center Incorporated
    Inventors: Runting Shi, Richard Chow, Tsz Hong Hubert Chan
  • Patent number: 8555410
    Abstract: A method and apparatus of controlling access to a system containing vital corporation software and storing confidential data assets situated in an open accessible environment is provided. The method includes calculating a signature value for at least one file usable with the system, transferring the calculated signature value to a signature file, and providing at least one signature value in the signature file and at least one associated file to a file system configured to be received by the system. At least one signature value and at least one associated file are inspected by the system to verify the associated file is a known system software application asset. The system comprises an input/output data port configured to receive the external memory storage device, and an operating system capable of reading system data from and writing system data to the memory storage device.
    Type: Grant
    Filed: April 10, 2007
    Date of Patent: October 8, 2013
    Assignee: Abbott Medical Optics Inc.
    Inventors: Michael J. Claus, Timothy Hunter
  • Patent number: 8555070
    Abstract: A method and system of controlling access to a system in a medical environment is provided. The method includes calculating a signature value for at least one file usable with the medical system, transferring the calculated signature value to a signature file, and providing at least one signature value in the signature file and at least one associated file to a file system configured to be received by the medical system. At least one signature value and at least one associated file are inspected by the medical system to verify the associated file is a known medical software application asset. The medical system comprises an input/output data port configured to receive the external memory storage device, and an operating system capable of reading medical system data from and writing medical system data to the memory storage device.
    Type: Grant
    Filed: April 10, 2007
    Date of Patent: October 8, 2013
    Assignee: Abbott Medical Optics Inc.
    Inventors: Michael J. Claus, Timothy Hunter
  • Patent number: 8555057
    Abstract: A secure network is disclosed. The secure network includes a residential gateway to communicate with a remote network and a local network. At least one trusted local device is configured to send communications including data packets with authentication information to the residential gateway to request access to resources of the remote network. The residential gateway inhibits a request received from the local network to access resources on the remote network until the residential gateway uses authentication information to authenticate data packets associated with the request as originating from the at least one trusted local device.
    Type: Grant
    Filed: July 21, 2006
    Date of Patent: October 8, 2013
    Assignee: AT&T Intellectual Property I, L.P.
    Inventors: Michael Raftelis, Jae-Sun Chin
  • Patent number: 8549590
    Abstract: Certain embodiments of the invention may include systems and methods for identity authentication using a social network. According to an exemplary embodiment of the invention, a method is provided for authenticating an identity of a target person. The method can include determining, from a first system graph, connections between one or more hypothetical identities and a plurality of related entities associated with the one or more hypothetical identities; determining, from a second system graph, one or more real entities associated with the target person; identifying matches comprising common real entities associated with the target person and related entities associated with the one or more hypothetical identities based at least in part on the determined connections; and providing an indication of identity authentication of the target person based at least in part on the identified matches.
    Type: Grant
    Filed: July 3, 2012
    Date of Patent: October 1, 2013
    Assignee: LexisNexis Risk Solutions FL Inc.
    Inventors: Johannes Philippus de Villiers Prichard, Jesse C P B Shaw