Abstract: One embodiment of a method of authenticating data comprises: receiving, at a device, data in a plurality of indexed packets transmitted by a data server, the data of the indexed packets being at least a portion of a larger data stream; receiving, at the device, from a data authentication server connected to the device by a network, a server-computed authentication value based on a subset of the data transmitted by the data server, the data authentication server having access to the data that was transmitted from the data server to the device; and comparing a device-computed authentication value based on a subset of the received data, corresponding to the subset of the data transmitted by the data server, with the server-computed authentication value in order to determine whether the subset of the data received at the device is authentic.

Abstract: Financial transaction data comprising payment on any one of multiple financial transaction types are processed with an adapter layer that receives an incoming data message relating to a financial transaction initiated by a payer and operates on the incoming data message to produce adapted data relating to the financial transaction, and a processor that receives the adapted data and determines transaction routing to direct the adapted data to a processing network module that requests authorization by an issuer, responds to authorization by initiating request for settlement and payment on the financial transaction to a transaction payee, and responds to payee query requests by providing non-payment data to an external payee.

Abstract: A ubiquitous audio reproducing and servicing method and apparatus for streaming or downloading a lossless audio source from a Content Provider (CP) using a lossy audio source card as an authentication key. The ubiquitous audio reproducing method includes determining whether a memory card storing lossy audio sources and their authentication codes is inserted, if it is determined that the memory card is inserted, transmitting an authentication code of a lossy audio source in the memory card and a system unique Identifier (ID) to a content server by connecting to the content server via a network, and if the content server allows the use of a lossless audio source corresponding to the lossy audio source using the authentication code, streaming or downloading the lossless audio source from the content server.

Abstract: An image processing apparatus that is capable of preventing an unauthorized connection from a host apparatus which is not permitted to use a device by restricting a host apparatus that performs an association process by a method other than password authentication. A processing unit performs an association process with the host apparatus in order to perform the wireless communication. A storage unit stores a permitted host ID indicating the host apparatus that is permitted to perform the association process by the processing unit. A control unit compares a host ID transmitted from the host apparatus with the permitted host ID stored in the storage unit when the processing unit performs the association process, and determines whether the processing unit performs the association process based on a result of the comparison.

Abstract: Various technologies and techniques are disclosed for providing host control of partial trust accessibility. A framework allows libraries to be identified as partial trust callers allowed to indicate that the libraries are allowed to be called from partially trusted code by default. The framework allows libraries to be identified as partial trust callers enabled to indicate the libraries could be called from partially trusted code, but not by default. A hosting application is notified that a particular library has been loaded. If the particular library has been identified as partial trust callers allowed, then a determination is received from the hosting application on whether to remove or keep partial trust accessibility for the particular library. If the particular library has been identified as partial trust callers enabled, then a determination is received from the hosting application on whether or not to enable partial trust accessibility for the particular library.

Abstract: A system and method for managing communication. The system and method applying to but not limited to settop boxes (STBs) and other devices used to interface services. The management including any number of features and processes associated with achieving Quality of Service (QoS) across different domains and according to network limitations associated with the same.

Abstract: A method and system which provides communication between a first portable device and a second portable device. The first portable device stores a first sequence number and a first key, and the second portable device stores a second sequence number and a second key. Verification is performed using the first and second keys. The first sequence number is compared to the second sequence number. If the second sequence number is newer than the first sequence number, the first sequence number is set to have a value of the second sequence number if the verification succeeds. If the first sequence number is newer than the second sequence number, the second sequence number is set to have a value of the first sequence number if verification succeeds.

Abstract: A system and method efficiently deletes a file from secure storage, i.e., a cryptainer, served by a storage system. The cryptainer is configured to store a plurality of files, each of which stores an associated file key within a special metadata portion of the file. Notably, special metadata is created by a security appliance coupled to the storage system and attached to each file to thereby create two portions of the file: the special metadata portion and the main, “file data” portion. The security appliance then stores the file key within the specially-created metadata portion of the file. A cryptainer key is associated with the cryptainer. Each file key is used to encrypt the file data portion within its associated file and the cryptainer key is used to encrypt the part of the special metadata portion of each file. To delete the file from the cryptainer, the file key of the file is deleted and the special metadata portions of all other files stored in the cryptainer are re-keyed using a new cryptainer key.

Abstract: A method, system, computer program product and/or a computer readable medium of instructions for detecting one or more entities which are able to reinfect a processing system with malicious software. The method includes: monitoring, in the processing system, activity indicative of the malicious software reinfecting the processing system; in response to detecting the activity, storing a record of the activity and one or more entities associated with the activity; determining if the malicious software has reinfected the processing system; and in response to determining that the malicious software has reinfected the processing system, analysing the record to detect the one or more entities which were associated with the activity that caused and/or assisted in reinfecting the processing system with the malicious software. There is also disclosed a method, system, computer program product and/or a computer readable medium of instructions for detecting a variant of malicious software in a processing system.

Abstract: The present invention relates to a method and arrangements in a mobile telecommunications network including a plurality of access points (203), a plurality of 5 network gateway devices (204). The method comprising the steps of: deciding a security setting needed for a dedicated bearer signal by a network component, communicating said decision to a node needed for establishing communication, configuring or selecting by said access point (203) a secure protocol (205) as needed between said access point and said gateway devices (204), and said decision being based on one or several of the network deployment being used and/or network operator policies.

Abstract: The invention provides a method, system, device and computer program product for setting up a secure session among three or more devices or parties of a communication group, including authenticating a key agreement between the devices or parties of the communication group, wherein the devices of the group start, preferably after a key is computed or agreed, a protocol, preferably a multi-party data integrity protocol, for authenticating the key agreement.

Abstract: In the field of computer data security, a hash process which is typically keyless and embodied in a computing apparatus is highly secure in terms of being resistant to attack. The hash process uses computer code (software) polymorphism, wherein computation of the hash value for a given message is partly dependent on the content (data) of the message. Hence the computer code changes dynamically while computing each hash value.

Abstract: In one embodiment, the method performed by mobile equipment to authenticate communication with a network includes generating keys using cellular authentication and voice encryption, and then generating an authentication key based on these keys. The authentication key is used to generate an expected message authentication code used in authenticating the network according to authentication and key agreement security protocol.

Abstract: Method, program, network system and client device each has a structure of being given encryption information different from given present encryption information by use of the given present encryption information and being given different encryption information in incremental steps, to one or a plurality of the connection destinations (client device CLm), for security setting of wireless communication network (wireless LAN device 2) to one or a plurality of connection destinations.

Abstract: Packet sequence number checking through a VPN tunnel may be performed by assigning sequence numbers on a per-priority class basis to packets traversing the VPN tunnel. In one implementation, a network device may receive a packet that is to be transmitted over a VPN tunnel, the packet including control information that includes at least a QoS priority class of the packet. The network device may extract the priority class of the packet from the control information and generate a sequence value that describes an arrival sequence of the packet relative to other received packets of the same priority class as the packet. The network device may additionally generate an IPsec header for the packet, the IPsec header including the sequence value and the priority class of the packet; attach the IPsec header to the packet; and transmit the packet through the VPN tunnel.

Abstract: It is an object of the present invention to solve a problem included in the onion routing which is used as a confidential communication method, that if a system down occurs in a computer within a communication route, connection is not made to further components at all, or a problem that the system and the traffic become slow by using multiplexed encryption. It is a communication method in which a client of an information providing source encrypts random numbers and calculates its hash value using respective public keys of an information server to which it connects, a function server of a destination to be sent, and an information server to which the function server connects, respective servers decrypt the encrypted random number using their own secret keys to compare the random number with the hash value, and thus, the client determines whether or not the route is related to the client.

Abstract: A multicast host for communicating information published about any one of a set of topics to one or more authorised subscribers to those topics, the set of topics being partitioned into one or more partition elements, each partition element having a partition element encryption key associated therewith, wherein each of the one or more partition elements is a disjoint proper subset of the set of topics, the host comprising: means for receiving information relating to a topic; means for determining a partition element for the topic; means for retrieving a partition element encryption key associated with the partition element; means for encrypting the information with the retrieved partition element encryption key; and means for communicating the information to the one or more authorised subscribers.

Abstract: Key data is generated that contains a decryption key that decrypts an encrypted content, and a policy that defines the usage restrictions on the content. Binder data is then generated, which contains the encrypted content, key data, and the control data, which describes the applied conditions of the key data.

Abstract: In a preferred embodiment a method of operating an intelligent disk drive is described which includes compression and/or encryption capability at the file level. The intelligent disk drive includes means for executing distributed computing tasks including a CPU and associated memory. The communication interface with the host computer or other device on the communication bus is modified to allow the device to send executable code for a task to the drive and to allow the drive to communicate the results and status information about the task to the host device. In a preferred embodiment the disk drive has a task control program, task program code, task data and status information for the distributed task. The task control program implements the basic task management functions of storing the task program, reporting results and saving progress information to allow the task to be interrupted by other drive functions.

Abstract: The invention relates to a security border node (2a) for protecting a packet-based network from attacks, comprising: an anomaly detection unit (10) for performing an anomaly detection, in particular a statistical analysis, on session control messages (11), in particular on SIP messages contained in a packet stream (5) received in the security border node (2a). The security border node further comprises a message context provisioning unit (13) for providing at least one session control message (11) to the anomaly detection unit (10) together with message context information (12, 17, 24) related to a client (22) and/or to a session (23) to which the session control message (11, 11a to 11f) is attributed. The invention also relates to a method for protecting a packet-based network from attacks, to a computer program product, and to a packet-based network.

Abstract: A system for automatically generating and filling login information to improve the security in storage and use of the login information. The system comprises a monitoring module, a registration module, and a login module; the monitoring module is coupled to the registration module and the login module; the monitoring module is adapted to check for an entry of login information corresponding to the identifier of the current page, and prompt a result to the user, and transmit a signal to the registration module and the login module to perform a registration and/or login operation; the registration module comprises a login information generation unit, a login information storage unit, and a first user confirmation unit; and the login module comprises a login information input unit and a second user confirmation unit. A method for the same is also disclosed.

Abstract: Some embodiments of the invention provide a method of verifying the integrity of digital content. At a source of the digital content, the method generates a signature for the digital content by applying a hashing function to a particular portion of the digital content, where the particular portion is less than the entire digital content. The method supplies the signature and the digital content to a device. At the device, the method applies the hashing function to the particular portion of the digital content in order to verify the supplied signature, and thereby verifies the integrity of the supplied digital content.

Abstract: A method includes: computing a first message authentication code for each of a plurality of sets of data blocks on a data storage medium, and authenticating the sets of data blocks by computing a second message authentication code for each of the sets of data blocks to be authenticated and comparing the first and second message authentication codes. An apparatus that performs the method is also provided.

Abstract: The present disclosure provides systems and methods for inserting pseudo-noise in a data stream based on an unacceptable input data sequence in an optical network thereby preventing unnecessary loss of frame in SONET/SDH or Optical Transport Network (OTN) systems. The present disclosure includes a SONET/SDH or OTN framer, a transceiver, and a method for detecting an unacceptable data sequence or pattern and inserting a keep-alive or pseudo-noise sequence in the data sequence to maintaining framing on subsequent network elements, framers, transceivers, etc. For example, the present invention, upon receiving an unacceptable pattern of zeros or low ones density caused by a loss of signal condition or the like, may insert a pseudorandom noise pattern into the transmitted frame. This allows the downstream network element to continue a frame lock on the incoming signal, and thus keep the frame overhead and data communications channels from being lost.

Abstract: A secure decentralized storage system provides scalable security by addressing the performance bottleneck of the security manager and the complexity issue of security administration in large-scale storage systems.

Abstract: This invention relates to a transmission method for conditional access content, in which said content is broadcast in the form of data packets (DP). These data packets contain at least one marker having a known value and a useful part (PL). This method includes the following steps: extraction of said marker (Mc) from the data packet (DP) and replacement of this marker with an encryption key identification information (PAR); encryption of said useful part (PL) by an encryption key (K1) that can be identified by said encryption key identification information (PAR); formation of an encrypted data packet containing at least said encryption key identification information (PAR) and the encrypted useful part (PLK1); transmission of said encrypted data packet to at least one receiver.

Abstract: A method for upgrading a Rights Object (RO) includes: acquiring, by a Digital Rights Management (DRM) Agent, RO related information of the RO that requires updating from a Secure Removable Media (SRM) Agent; providing, by the DRM Agent, the RO related information to a Rights Issuer (RI), and obtaining a new RO from the RI; and interacting, by the DRM Agent, with the SRM Agent to upgrade the RO that requires updating on the SRM by means of the new RO. According to the embodiments of the present invention, the DRM Agent acquires RO related information which is stored on the SRM and does not have Move rights, and interacts with the RI to move the RO out from the SRM, so as to move the RO without the Move rights out from the SRM.

Abstract: The present invention provides methods to mitigate the problems associated with MAC address spoofing and denial of service attacks in an FTTH network system. The MAC address spoofing attack may occur when a computer hacker configures his computer to change the MAC address of a data signal to deceive the receiver of the signal's source address. The denial of service may occur when a computer hacker floods a file server with data packets. The present invention mitigates these attacks by modifying the software of certain components of the FTTH network system to enable the components to insert virtual MAC addresses, tags and codes into the data packets that identify a component of the communication related to the address of the source computer.

Abstract: A system and method of guaranteeing the presence of secure and tamper-proof remote files over a distributed communication medium, such as the Internet, is provided. The system and method automatically detects, and then self-repairs corrupt, modified or non-existent remote files. The method first performs an integrity check on a remote file and then determines whether the integrity check passed. If the integrity check passed, then the user goes through the authentication process as normal. If the integrity check fails, then the present invention redirects to an install module in order to prepare to reinstall the remote file. Via the install module, the present invention then reinstalls the remote file and the user is then taken through the authentication process as normal.

Abstract: An apparatus, system, and method are disclosed for Asynchronous Java Script and XML (AJAX) form-based authentication using Java 2 Platform Enterprise Edition (J2EE). The apparatus for AJAX form-based authentication using J2EE is provided with a plurality of modules configured to functionally execute the necessary steps for redirecting an AJAX client request to an authentication required servlet, issuing an AJAX response to the client, authenticate the user security credentials, and process the client request for secure data. In addition, a method of the present invention is also presented for programming Asynchronous Java Script and XML (AJAX) form-based authentication that avoids a page change using Java 2 Platform Enterprise Edition (J2EE).

Abstract: The present invention discloses a method for quickly and easily authenticating large computer program. The system operates by first sealing the computer program with digital signature in an incremental manner. Specifically, the computer program is divided into a set of pages and a hash value is calculated for each page. The set of hash values is formed into a hash value array and then the hash value array is then sealed with a digital signature. The computer program is then distributed along with the hash value array and the digital signature. To authenticate the computer program, a recipient first verifies the authenticity of the hash value array with the digital signature and a public key. Once the hash value array has been authenticated, the recipient can then verify the authenticity of each page of the computer program by calculating a hash of a page to be loaded and then comparing with an associated hash value in the authenticated hash value array.

Abstract: A computer implemented method, apparatus, and computer program product for creating secured file views of a protected file. The process receives a request to access the file, wherein the file is stored in a common location, and wherein the request includes a set of file viewing parameters. The process identifies a callback function associated with the file and calls the callback function with the set of file viewing parameters to form a set of virtual viewing parameters. Thereafter, the process generates a secured file view of the file using the virtual viewing parameters, wherein the secured file view is viewable by a user of an authorized partition.

Abstract: Key management and user authentication systems and methods for quantum cryptography networks that allow for users securely communicate over a traditional communication link (TC-link). The method includes securely linking a centralized quantum key certificate authority (QKCA) to each network user via respective secure quantum links or “Q-links” that encrypt and decrypt data based on quantum keys (“Q-keys”). When two users (Alice and Bob) wish to communicate, the QKCA sends a set of true random bits (R) to each user over the respective Q-links. They then use R as a key to encode and decode data they send to each other over the TC-link.

Abstract: A medium access control (MAC) frame provision method establishes security in an IEEE 802.15.4 network. A MAC frame is generated, which includes a MAC header, a payload field, and a frame check sequence (FCS) field, the payload field including relevant main data according to a frame type defined in the MAC header. A disguised decoy data sequence number (DSN) is generated and inserted into the MAC header. A real DSN, which is a corresponding transmission sequence number of the MAC frame, is generated and inserted into the payload field. The MAC frame is transmitted, including the encrypted payload field, to a counterpart node. A MAC ACK frame acknowledges reception of the transmitted MAC frame; and a DSN is compared in the received MAC ACK frame with the real DSN. An authentication of the counterpart node is performed when the received MAC ACK frame is equal to the real DSN.

Abstract: A computer-implemented method for using reputation data to detect packed malware may include: 1) identifying a file downloaded from a portal, 2) determining that the file has been packed, 3) obtaining community-based reputation data for the file, 4) determining, by analyzing the reputation data, that instances of the file have been encountered infrequently (or have never been encountered) within the community, and then 5) performing a security operation on the file (by, for example, quarantining or deleting the file).

Abstract: Access to secured services may be controlled based on the proximity of a wireless token to a computing device through which access to the secured services is obtained. An authorized user may be provided access to a service only when a wireless token assigned to the user is in the proximity of the computing device. A user's credential may be stored on an RFID token and an RFID reader may be implemented within a security boundary on the computing device. Thus, the credential may be passed to the security boundary without passing through the computing device via software messages or applications. The security boundary may be provided, in part, by incorporating the RFID reader onto the same chip as a cryptographic processing component. Once the information is received by the RFID reader it may be encrypted within the chip. As a result, the information may never be presented in the clear outside of the chip.

Abstract: A test pattern containing plurality of patches recorded using small dot patterns and large dot patterns is printed. The dot sizes arranged in the patches are different between patches. Then the test patterns are read. The detection rate and average density of additional information embedded in each large dot pattern are obtained. A large dot pattern whose detection rate and average density fall within a reference range and are closest to ideal values is determined. The average density of each small dot pattern is obtained. A small dot pattern whose average density falls within a reference range and is closest to the average density of the determined large dot pattern is determined. A copy-forgery-inhibited pattern image is generated using these dot patterns and combined with a print target image.

Abstract: A method and apparatus for processing a Rights Object (RO) are provided. A method for upgrading the RO includes: acquiring, by a Digital Rights Management (DRM) Agent, RO related information of the RO that requires updating from a Secure Removable Media (SRM) Agent; providing, by the DRM Agent, the RO related information to a Rights Issuer (RI), and obtaining a new RO from the RI; and interacting, by the DRM Agent, with the SRM Agent to upgrade the RO that requires updating on the SRM by means of the new RO. According to the embodiments of the present invention, the DRM Agent acquires RO related information which is stored on the SRM and does not have Move rights, and interacts with the RI to move the RO out from the SRM, so as to move the RO without the Move rights out from the SRM, thus extending an application of the RO without the Move rights.

Abstract: In one example, a Cable Modem Termination System (CMTS) combines a value identifying itself with a cable modem Media Access Control (MAC) address stored in a provisioning request. The CMTS then relays the modified provisioning request to a provisioning server, which analyzes the value to identify a CMTS associated with the cable modem MAC address. Then, to regulate cable modem cloning or for other reasons, the provisioning server selects provisioning information for the cable modem according to the identified CMTS-MAC address association.

Abstract: A software based wireless infrastructure system is provided. The system has a driver that communicates with the network stack and a network interface card (NIC), a station server in communication with the station driver and an 802.1X supplicant or an 802.1X authenticator. Each NIC provides station and/or access point functionality support. The driver drops packets that have been received if the packet has not been authenticated and associated. Packets that have been fragmented or encrypted are unfragmented and decrypted. An association manager is used in conjunction with a configuration table manager to associate stations and access points via management packets. A manager receives 802.1X data packets from the packet processor and sends them up to a station server that communicates with user mode applications and an 802.1X supplicant or an 802.1X authenticator that are used to authenticate and deauthenticate stations and access points. APIs are provided to enable communication between the components.

Abstract: The first terminal apparatus includes a key information acquiring unit that acquires key information from a connection authentication server, a key information notifying unit that notifies the first user of the key information, and a connection information acquiring unit that acquires connection information from the connection authentication server. The second terminal apparatus includes a key information input unit that receives the key information transmitted to the second user and an information providing unit that provides the key information and the connection information to the connection authentication server.

Abstract: A system may include a sender computing system to transmit first authentication data in association with a message, the first authentication data conforming to a first authentication mechanism, and to transmit second authentication data in association with the message, the second authentication data conforming to a second authentication mechanism. The system may also include a component to receive the first authentication data in association with the message from the sender computing system, and to receive the second authentication data in association with the message from the sender computing system.

Abstract: A first communication device (“FCD”) is adapted to communicate with a second communication device. The FCD obtains a first key, encodes an attribute in the FCD with the first key to produce a first encoded value, and transmits the first encoded value to the second communication device. The FCD also receives a second encoded value from the second communication device. The second encoded value comprises an attribute stored in the second communication device that has been encoded with a second key. Further, the FCD encodes the second encoded value with the first key to produce a third encoded value, transmits the third encoded value to the second communication device, and receives a fourth encoded value from the second communication device. The fourth encoded value comprises the first encoded value after being encoded by the second key. The FCD determines whether the third encoded value matches the fourth encoded value.

Abstract: A method of performing IPsec processing of an incoming communication packet is disclosed. The method comprises determining, from a received portion of the incoming packet, if sufficient information has been received to enable the IPsec processing to be commenced, obtaining the necessary information from the received portion of the packet, and commencing IPsec processing of said packet before the entire packet has been received depending upon the obtained information.

Abstract: A microcomputer includes a CPU, a protection information storage configured to store memory protection information specifying an access permission or prohibited state to a memory space by a program executed by the CPU, a memory access control apparatus configured to determine whether or not to allow a memory access request from the CPU according to the memory protection information and a reset apparatus configured to invalidate the memory protection information stored in the protection information storage according to a reset request signal output from the CPU.

Abstract: An information processing apparatus includes a use restriction unit that restricts use of the information processing apparatus based on identification information stored in an identification information storage unit, and a controller. The controller is operable to update the identification information stored in the identification information storage unit, send the updated identification information to a preset mail address, by an E-mail, receive an E-mail, determine whether the received E-mail is an E-mail replying to the sent E-mail, and control the identification information storage unit to store identification information included in the received E-mail as new identification information if the received E-mail is determined to be the E-mail replying to the sent E-mail.

Abstract: Disclosed is a system and a method for maintaining broadcasting chip information regardless of device replacement in a USIM unlock environment where broadcast information can be automatically modified in response to device replacement.

Abstract: A computer extracts the header information from an electronic mail, including an originality guarantee. The computer generates a header characterization for the header information subject to originality guarantee, and extracts message body information from the electronic mail and generates a body characterization for the message body information as well. The generated characterization set applies the header characterization and the body characterization, combined. The verification information is added to the generated characterization set for applying a signature, and characterization set is linked to electronic mail.

Abstract: A method (100) and a system (300) for applying digital signatures (206, 216, and 222) to translated content (and other content) can include a presentation (309) and a user interface presented on the presentation device. The system can further include at least one processor (307) that operates to create (102) the user interface in a first language as part of an application, enables (104) the entering of data into the user interface and the digital signing of the data by a first user, translates (106) the user interface to at least a second language, and presents (108) the data to at least a second user using the application. A recipient device can verify (110) the digital signatures where a verification of the digital signatures independently verifies a data signature (222), a user interface signature (206), and a translated user interface signature (216).

Abstract: A system and method for providing Personal Cloud computing and for hosting applications and/or content may employ a network attached storage device on which virtual machine monitors (T-cups) and logical devices (Ts) are instantiated in memory. Each T may include hosted content, application modules, a server module configured to host the modules and/or content, and an interface module configured to provide access to the modules and/or content in response to detecting an authorized key. Detecting an authorized key may include communicating with a name server to determine if a T instantiated on a storage device coupled to the system is associated with a device identifier on a list of device identifiers authorized to access the module(s). The storage device may be a computer, camera, frame, phone, audio/video player, or portable storage device. The name server may be configured to authenticate Ts, define T ownership, and/or establish friend-to-friend networks between Ts.