Having Particular Address Related Cryptography Patents (Class 713/162)
  • Patent number: 7716720
    Abstract: The present invention is directed to a system for providing a trusted environment for untrusted computing systems. The system may include a HAC subsystem managing shared resources and a trusted bus switch for controlling a COTS processor to access the shared resources. The shared resources such as memory and several I/O resources reside on the trusted side of the trusted bus switch. Alternatively, the system may include a SCM as an add-on module to an untrusted host environment. Only authenticated applications including COTS OS execute on the SCM while untrusted applications execute on the untrusted host environment. The SCM may control secure resource access from the untrusted host through a plug-in module interface. All secure resources may be maintained on the trusted side of the plug-in module interface.
    Type: Grant
    Filed: June 17, 2005
    Date of Patent: May 11, 2010
    Assignee: Rockwell Collins, Inc.
    Inventors: James A. Marek, David S. Hardin, Raymond A. Kamin, III, Steven E. Koenck, Allen P. Mass
  • Patent number: 7716472
    Abstract: A network-communication method includes detecting network activity between a local area network and a wide area network, decoding the network activity, responsive to the decoding step, obtaining at least a source network address, and using the source network address to establish a transparent networking bridge between the local area network and the wide area network.
    Type: Grant
    Filed: December 18, 2006
    Date of Patent: May 11, 2010
    Assignee: Bsecure Technologies, Inc.
    Inventors: Darren R. Boisjolie, Stephen P. Ashley, Gandhi Balasubramaniam
  • Publication number: 20100115271
    Abstract: A method for an access point device having first network identity information to automatically establish a security link with a peer access point device in a wireless communication system includes searching and receiving a beacon corresponding to the peer access point device by radio frequency scan, obtaining second network identity information corresponding to the peer access point device from the beacon, determining a primary-secondary relationship for the access point device and the peer access point device according to the first and second network identity information, generating or receiving security data according to the primary-secondary relationship, and then establishing the security link with the peer access point device according to the security data.
    Type: Application
    Filed: May 19, 2009
    Publication date: May 6, 2010
    Inventors: Chih-Chang Chen, Sung-Chien Tang
  • Publication number: 20100115272
    Abstract: Methods are provided for processing a packet received by a mesh-enabled access point (MAP). When a first MAP receives a packet it can determine whether the packet is destined for a mesh portal based on the destination address. If so, the first MAP can retrieve an encryption key corresponding to the mesh portal, use the encryption key to encrypt the packet and set a mesh forwarding flag in the packet to indicate that the packet is destined for a mesh portal, and is encrypted with an encryption key corresponding to the mesh portal, and then forward the packet to the next hop MAP towards the mesh portal. The mesh forwarding flag indicates that the packet is destined for a mesh portal, is encrypted with an encryption key corresponding to the mesh portal, and is to be forwarded to the next hop MAP without performing decryption/re-encryption processing on the packet. When a MAP receives a packet, it determines whether a mesh forwarding flag is set in the packet.
    Type: Application
    Filed: October 30, 2008
    Publication date: May 6, 2010
    Applicant: SYMBOL TECHNOLOGIES, INC.
    Inventor: Puneet BATTA
  • Patent number: 7711115
    Abstract: A descrambler adapted as an integrated circuit (IC) according to one embodiment. The descrambler comprises a control word ladder logic to produce, among other data, a control word to descramble incoming scrambled content. The descrambler further comprises copy protection key ladder logic to recover a copy protection key for encrypting descrambled content before subsequent transmission to a digital device.
    Type: Grant
    Filed: October 21, 2003
    Date of Patent: May 4, 2010
    Assignees: Sony Corporation, Sony Electronics Inc.
    Inventor: Brant L. Candelore
  • Patent number: 7707402
    Abstract: A quantum-cryptographic communication system for quantum-cryptographic communication in an optical network, including a transmitter for transmitting a packet signal having a light pulse train representing an address and a single photon pulse train for quantum cryptography, and a router including a header analyzer for extracting the address information from the light pulse train of the packet signal and a gate switch for selecting one of the optical fibers. The router routes the packet signal by selecting an optical fiber used for the next transmission path according to the extracted address information by the header analyzer and by switching the path to the selected optical fiber by the gate switch.
    Type: Grant
    Filed: March 20, 2002
    Date of Patent: April 27, 2010
    Assignee: Japanese Science and Technology Corporation
    Inventor: Shigeki Takeuchi
  • Publication number: 20100094758
    Abstract: Embodiments disclosed herein are directed to systems and methods for enabling the matching of third party data with access providers' subscriber data in a privacy compliant manner, and then connecting an internet user to that third party data for use by marketers, content providers, or other interested parties in a manner that protects consumer privacy at all times. In one embodiment, an access provider such as an ISP sends its subscriber data to a double blind processor that generates an encrypted key for each subscriber. The key is then used to find matching consumer data, for example, consumer segments that represent previously collected or modeled consumer attitudinal, habit, or financial data. The key may be forwarded to a real time marketing bureau, which may use the matched data in subsequent real-time or substantially real-time operations to provide consumer or business data to advertisers, content providers, and other interested parties.
    Type: Application
    Filed: October 8, 2009
    Publication date: April 15, 2010
    Applicant: EXPERIAN MARKETING SOLUTIONS, INC.
    Inventors: Simon Chamberlain, Andrew Lientz, Brian Stack
  • Publication number: 20100088511
    Abstract: A method for securing the transmission of information in a communication network comprising a plurality of nodes, characterized in that it includes the steps of: an information transmitting node encodes the information with a given code; an error of given weight is added to the encrypted information; the encrypted information and the error are divided into a number of portions that is substantially equal to a chosen number r of possible routes for transmitting the information in the network; the destination address is encrypted; and for each portion, a control information item is associated, making it possible to reconstruct the message at the destination and the encrypted address of the destination node. For the various sets, each including a portion of encrypted information, a control information item and the encrypted address of the recipient node are sent in parallel over the r chosen routes.
    Type: Application
    Filed: January 24, 2008
    Publication date: April 8, 2010
    Applicant: Thales
    Inventors: Cedric Tavernier, Herve Aiache
  • Patent number: 7694132
    Abstract: A system for communication of a message in which the message intended for a third computer is first encrypted by a first computer and is sent to a second computer. The second computer, acting as an intermediary, decrypts the message and re-encrypts the message before sending the message to the third computer which again decrypts the message.
    Type: Grant
    Filed: August 10, 2005
    Date of Patent: April 6, 2010
    Inventor: Mark Ellery Ogram
  • Patent number: 7694135
    Abstract: A service is provided to allow a user, such as an API or web service, Internet input, or software or hardware client to perform a search on any one or multiple Uniform Resource Identifier (URI) and/or other protocol addresses accessible via a public or private network to establish a report in a summary and/or detailed format on the trustworthiness of the address.
    Type: Grant
    Filed: July 18, 2005
    Date of Patent: April 6, 2010
    Assignee: Geotrust, Inc.
    Inventors: Michael J. Rowan, Christopher T. M. Bailey, Kefeng Chen, Neal Creighton
  • Patent number: 7688981
    Abstract: In an example embodiment, a system for providing a Virtual Local Area Network (VLAN) by use of encryption states or encryption keys for identifying a VLAN. A table of data including a VLAN and an associated encryption state or key is provided for assignment of encryption states or keys, for devices in a wireless local area network.
    Type: Grant
    Filed: January 31, 2007
    Date of Patent: March 30, 2010
    Assignee: Cisco Technology, Inc.
    Inventors: David E. Halasz, Victor J. Griswold, Robert C. Meier, Merwyn B. Andrade, Richard D. Rebo
  • Patent number: 7681031
    Abstract: Briefly, a method and apparatus to authenticate messages according to a message authentication code provided with a frame over a transport layer of a communication channel.
    Type: Grant
    Filed: June 28, 2005
    Date of Patent: March 16, 2010
    Assignee: Intel Corporation
    Inventors: Pawel Matusz, Artur Miron
  • Patent number: 7673329
    Abstract: Encrypted communications to a secure server. A user at a terminal, communicatively coupled to the secure server by a secure link, can obtain web pages from web sites in a network, in encrypted form, via the secure link. Addresses associated with the web pages are altered to make it appear as if the web pages come from the secure server rather than from the web sites. Spoofing units may be used as alternative access points to the secure server, with the secure server sending the requested web pages directly to the terminal.
    Type: Grant
    Filed: February 22, 2001
    Date of Patent: March 2, 2010
    Assignee: Symantec Corporation
    Inventors: Stephen Dao Hui Hsu, James Noshir Hormuzdiar
  • Patent number: 7673136
    Abstract: A system and method for sending a secure multicast transmission. The system includes a computer system coupled to a public network and configured to generate a multicast broadcast, and encrypt the generated multicast broadcast. The system also includes a router coupled to the public network, and a user system configured to request to join a multicast broadcast, wherein the user system is associated with the router. The router is configured to retrieve the encrypted multicast broadcast from the computer system over the public network, decrypt the sent multicast broadcast, and send the decrypted multicast broadcast to the user system requesting to join.
    Type: Grant
    Filed: February 26, 2002
    Date of Patent: March 2, 2010
    Inventor: Ian A. Stewart
  • Patent number: 7669227
    Abstract: An information management system is described comprising one or more workstations running applications to allow a user of the workstation to connect to a network, such as the Internet. Each application has an analyzer, which monitors transmission data that the application is about to transmit to the network or about to receive from the network and which determines an appropriate action to take regarding that transmission data. Such actions may be extracting data from the transmission data, such as passwords and usernames, digital certificates or eCommerce transaction details for storage in a database; ensuring that the transmission data is transmitted at an encryption strength appropriate to the contents of the transmission data; determining whether a check needs to be made as to whether a digital certificate received in transmission data is in force, and determining whether a transaction about to be made by a user of one of the workstations needs third party approval before it is made.
    Type: Grant
    Filed: May 12, 2005
    Date of Patent: February 23, 2010
    Assignee: Computer Associates Think, Inc.
    Inventor: Peter Bryan Malcolm
  • Patent number: 7665134
    Abstract: Profiling a user is disclosed. The user's behavior with respect to specially designed content comprised of one or more units of content is monitored. The specially designed content is designed such that one or more characteristics of the user may be inferred based at least in part on the user's behavior with respect to the content. One or more characteristics of the user is/are inferred based at least in part on the user's behavior with respect to the specially designed content.
    Type: Grant
    Filed: January 26, 2005
    Date of Patent: February 16, 2010
    Assignee: Symantec Corporation
    Inventors: Brian Hernacki, John Harrison
  • Patent number: 7657735
    Abstract: Described is a method of assigning a network address to a trap, the network address being a dark address of a virtual private network. The network traffic destined for the network address is monitored and a classification of the network traffic is determined. After the classification, a predetermined response is executed based on the classification of the traffic.
    Type: Grant
    Filed: August 17, 2005
    Date of Patent: February 2, 2010
    Assignee: AT&T Corp
    Inventors: Edward Amoroso, Balachander Krishnamurthy, Albert Greenberg
  • Patent number: 7653813
    Abstract: All nodes within a communication system (100) will create an IP address based on a shared-secret key. The shared-secret key is unique for every node within the communication system and is known only to the node (102) and a server (103). The router (101) can validate that the node (102) owns the IP address.
    Type: Grant
    Filed: February 8, 2006
    Date of Patent: January 26, 2010
    Assignee: Motorola, Inc.
    Inventors: Narayanan Venkitaraman, Vidya Narayanan
  • Patent number: 7644289
    Abstract: A cryptographic device may include a cryptographic module and a communications module coupled thereto. The cryptographic module may include a user network interface, a host network processor coupled to the user network interface, and a cryptographic processor coupled to the host network processor. Additionally, the communications module may include a network communications interface coupled to the cryptographic processor. The host processor may generate cryptographic processor command packets for the cryptographic processor each having an address portion and a data portion, and it may also encapsulate command packets for the communications module in the data portions of the cryptographic processor command packets. The cryptographic processor may pass the communications module command packets to the communications module without performing cryptographic processing thereon.
    Type: Grant
    Filed: March 23, 2004
    Date of Patent: January 5, 2010
    Assignee: Harris Corporation
    Inventors: Bruce Wayne Yancy, Lawrence Richard Waldo
  • Patent number: 7644187
    Abstract: A system (706, 714) is provided for a network signaling protocol bypass around a cryptographic device (1008, 1108). The system is comprised of a first bypass device (1004-1, 1004-2) configured to parse a GIST signaling transport protocol identifier (960) from a transport layer protocol header (906) of a packet (900). The first bypass device is also configured to communicate the packet to a second bypass device (1006-1, 1006-2) if the GIST signaling transport protocol identifier is a NTLP or NSIS signaling transport protocol identifier. The second bypass device is configured to parse a NSLP protocol identifier (970) from a NSLP layer protocol header (910). The second bypass device is also configured to determine whether the NSLP protocol identifier is equal to a predetermined NSLP protocol identifier. If the NSLP protocol identifier is not equal to the predetermined NSLP protocol identifier, then the packet may be bypassed around the cryptographic device.
    Type: Grant
    Filed: February 2, 2007
    Date of Patent: January 5, 2010
    Assignee: Harris Corporation
    Inventor: Cypryan T. Klish, II
  • Publication number: 20090327709
    Abstract: Apparatus, systems, and methods may operate to provide, to a memory device, an obfuscated clear-page address derived from a clear-page address that is not the same as a key-page address and/or providing, to the memory device, an obfuscated key-page address derived from the key-page address when the obfuscated clear-page address is the same as the key-page address. Additional apparatus, systems, and methods are disclosed.
    Type: Application
    Filed: June 30, 2008
    Publication date: December 31, 2009
    Applicant: Atmel Corporation
    Inventors: Brad Garner, Balaji Badam
  • Publication number: 20090327710
    Abstract: According to one embodiment, a content recording apparatus is connected with a permission server that permits recording of content through a network. The content recording apparatus reads content encrypted based on a first encryption scheme and binding information from a disposed second recording medium, and uses the binding information to decode the read content encrypted based on the first encryption scheme. The content recording apparatus uses the permission server to authenticate permission of recording of the content, encrypts the decoded content based on a second encryption scheme when recording of the content is permitted, and records the content encrypted based on the second encryption scheme and the binding information in the first recording medium.
    Type: Application
    Filed: April 9, 2009
    Publication date: December 31, 2009
    Applicant: KABUSHIKI KAISHA TOSHIBA
    Inventor: Junichi Yoshizawa
  • Patent number: 7636939
    Abstract: A data structure with endpoint address and security information. The data structure includes an address field that includes one or more endpoint addresses for an entity. The data structure further includes a security field that includes one or more keys for facilitating secure communications with the entity. The data structure may also be such that the contents of the address field and the security field are serialized in the data structure. The data structure may be extensible such that new address fields and security fields may be added.
    Type: Grant
    Filed: December 10, 2004
    Date of Patent: December 22, 2009
    Assignee: Microsoft Corporation
    Inventors: Christopher G. Kaler, Douglas A. Walter, Giovanni M. Della-Libera, Melissa W. Dunn, Richard L. Hasha, Tomasz Janczuk
  • Patent number: 7627755
    Abstract: A method of authenticating candidate members 1 wishing to participate in an IP multicast via a communication network, where data sent as part of the multicast is to be encrypted using a Logical Key Hierarchy based scheme requiring that each candidate member submit a public key to a group controller. The method comprises, at the group controller 1, verifying that the public key received from each candidate member 1 is owned by that member and that it is associated with the IP address of that candidate member 1 by inspecting an interface ID part of the IP address.
    Type: Grant
    Filed: September 13, 2002
    Date of Patent: December 1, 2009
    Assignee: Telefonaktiebolaget L M Ericsson (Publ)
    Inventors: Pasi Ahonen, Uusitalo Iikka, Mantyla Vesa-Matti
  • Patent number: 7624264
    Abstract: An extensible cryptographically generated network address may be generated by forming at least a portion of the network address as a portion of a first hash value. The first hash value may be formed by generating a plurality of hash values by hashing a concatenation of a public key and a modifier using a second hash function until a stop condition. The stop condition may include computing the plurality of hash values for a period of time specified by a time parameter. A second hash value may be selected from the plurality of hash values, and the modifier used to compute that hash value may be stored. A hash indicator may be generated which indicates the selected second hash value. The first hash value may be generated as a hash of a concatenation of at least the public key and the modifier. At least a portion of the node-selectable portion of the network address may include at least a portion of the first hash value.
    Type: Grant
    Filed: June 22, 2005
    Date of Patent: November 24, 2009
    Assignee: Microsoft Corporation
    Inventors: Tuomas Aura, Michael Roe
  • Publication number: 20090282432
    Abstract: The invention relates to an apparatus and a method for securely distributing contents in a telecommunication network, where an inventory management unit (1) manages terminals (3) with at least one functional unit (4) on the basis of use rights metadata (NMD) associated with an encrypted content (VN) and a terminal actuation unit (2) actuates the terminals (3) as appropriate. In this case, the inventory management unit (1) compares the use rights metadata (NMD) with a functional unit inventory list, the terminal actuation unit (2) selectively actuating the respective terminal for a respective encrypted content if the comparison ascertains a functional unit (4) which is not enabled for the content.
    Type: Application
    Filed: September 7, 2007
    Publication date: November 12, 2009
    Inventors: Dirk Hahnefeld, Norbert Loebig
  • Patent number: 7610611
    Abstract: A prioritized address decoder has been disclosed. One embodiment of the prioritized address decoder includes a first comparator to compare a destination device address of data with a first address range associated with a first device and a second comparator coupled to the first comparator to compare the destination device address with a second address range associated with a second device, wherein the data is sent to the second device in response to a first output of the first comparator and a second output of the second comparator.
    Type: Grant
    Filed: September 19, 2003
    Date of Patent: October 27, 2009
    Inventors: Douglas R. Moran, Satish Acharya, Zohar Bogin, Sean G. Galloway
  • Patent number: 7609837
    Abstract: A system and method for use with local area networks (LANs) automatically configures a new device on a LAN by secure encrypted transmission of setup parameters. A remote control (RC) with an infrared (IR) transmitter contains a stored setup command and a security number that is used only once (a “nonce”). Setup of a new device is initiated by pressing a “setup” button on the RC which generates the security number and transmits it and the setup command to the new device via IR. The new device receives the setup command and security number and queries the network for the setup parameters. The RC also transmits the security number via IR to a network member device that contains the setup parameters. The network member uses the security number as an encryption key to encrypt the setup parameters and transmit them over the network. The new device uses the security number as the decryption key to decrypt the transmitted setup parameters.
    Type: Grant
    Filed: September 1, 2005
    Date of Patent: October 27, 2009
    Assignee: Sharp Laboratories of America, Inc.
    Inventor: Richard T. Bennett
  • Patent number: 7594109
    Abstract: A digital content distribution system comprises a high definition television broadcaster and a consumer media unit. The high definition television broadcaster comprises a high definition television transmitter configured for multicasting, on a repeating periodic basis, an encrypted terrestrial high definition television signal of a plurality of encrypted digital content selections for purchase. The consumer media unit comprises a high definition television tuner, a memory, and an encryption and content manager. The high definition television tuner is configured for receiving the encrypted terrestrial high definition television signal. The memory is configured for storing the encrypted digital content selections from the signal for selective purchase at the consumer media unit.
    Type: Grant
    Filed: December 23, 2003
    Date of Patent: September 22, 2009
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventor: Mark W. Minne
  • Publication number: 20090235070
    Abstract: A method for creating a digital certificate for a user issued by a reliant party, where the reliant party relies on an established cryptographic infrastructure by a registration or certificate authority is described. The registration authority, typically a large financial or credit institution, has already performed the initial overhead steps necessary for a digital authentication system using a chip card. These steps include minting and distributing the chip card, establishing that the key pair and card are given to the right person, and creating the certificate library. The reliant party leverages this cryptographic infrastructure to issue its own digital certificate and certificate chain to a user already having a chip card from the registration authority. Consequently, a user can have additional digital certificates issued to him without having his chip card modified in any way. All additional digital certificates created for a user are stored at a user-specific memory area in a remote certificate library.
    Type: Application
    Filed: May 23, 2009
    Publication date: September 17, 2009
    Inventor: Terence V. Trench
  • Patent number: 7577836
    Abstract: The device tracking location adherence and route adherence technology, according to an exemplary embodiment of this invention, at least provides for secure message reception from a remote device. The present invention allows for secure data transmission between a remote device and while employing a small amount of bandwidth thereby providing a cost-effective data transmission system. This is especially advantageous where a fleet of remote devices is employed within a network.
    Type: Grant
    Filed: January 16, 2004
    Date of Patent: August 18, 2009
    Assignee: Verizon Business Global LLC
    Inventors: Gagan Puranik, Laymon Scott Humphries
  • Patent number: 7577837
    Abstract: A process for managing encrypted group communication according to a single security association (SA) for network traffic from a sender includes receiving a request for an encrypted communication among a plurality of network devices. A common decryption key and a common security parameters index (SPI) are provided to each of the network devices participating in the communication. The common security parameters index facilitates locating, in respective databases associated with each of the network devices, security association information that is associated with the common security association. Information is encrypted based on the common security association, and unicasted to each of the network devices. In an embodiment, the common security parameters index provided to each network device is established by the sender. For example, the SPI is established by a conference server and sent to each device participating in a voice conference.
    Type: Grant
    Filed: April 17, 2003
    Date of Patent: August 18, 2009
    Assignee: Cisco Technology, Inc.
    Inventors: Ravishankar Ganesh Ithal, Ravi Gadde
  • Publication number: 20090204814
    Abstract: A security panel includes a processor, memory, and a network interface having a unique MAC address, and is configured to communicate over a network with a server. A method for registering the security panel with the server includes contacting the server utilizing a network address stored in the memory. A dealer ID, a line number, and a unique account number is sent to the server. The dealer ID, the line number, and the unique account number are stored in the memory. An encryption key is received for encryption of additional communication between the security panel and the server. The unique MAC address is sent to the server in an encrypted session to verify the security panel to the server.
    Type: Application
    Filed: February 12, 2008
    Publication date: August 13, 2009
    Inventors: Gerald B. Fisher, Theodore A. Nesse, Sunil Kumar Neckaraje, Uwe H. Thomanschefsky
  • Publication number: 20090204808
    Abstract: Exchanging information in a multi-site authentication system. A network server receives, from an authentication server, a request by a client computing device for a service provided by the network server along with an authentication ticket. The authentication ticket includes: a session key encrypted by a public key associated with the network server, message content encrypted by the session key, and a signature for the encrypted session key and the encrypted message content. The signature includes address information of the network server. The network server identifies its own address information in the signature to validate the signature included in the authentication ticket and verifies the authentication ticket content based on the signature included in the authentication ticket. The network server decrypts the encrypted session key via a private key associated with the second network server and decrypts the encrypted message content via the decrypted session key.
    Type: Application
    Filed: April 20, 2009
    Publication date: August 13, 2009
    Applicant: MICROSOFT CORPORATION
    Inventors: Wei-Quiang Michael Guo, John Hal Howard, Kok Wai Chan
  • Patent number: 7574720
    Abstract: In a method and system for transmitting and receiving data, specified data can be transmitted only to a specific receiving terminal by assigning unique terminal information to the receiving terminal. When transmitted with data, the unique terminal information identifies the specific receiving terminal as the destination of transmission from among a plurality of receiving terminals. An update program for changing the processing of the receiving terminal may be transmitted to the specific receiving terminal along with the unique terminal information. The unique terminal information and the update program are stored in a prescribed storage location in the specific receiving terminal. Thus, a one-to-one broadcasting system is achieved.
    Type: Grant
    Filed: February 3, 2000
    Date of Patent: August 11, 2009
    Assignee: Sony Corporation
    Inventors: Tomotaka Yamazaki, Hiromitsu Baba, Yoshiharu Takeda, Yoshinori Uchiyama
  • Publication number: 20090199000
    Abstract: An embodiment of the invention includes a secure server. A user at a terminal, communicatively coupled to the secure server by a secure link, can obtain web pages from web sites in a network, in encrypted form, via the secure link. Addresses associated with the web pages are altered to make it appear as if the web pages come from the secure server rather than from the web sites. Spoofing units may be used as alternative access points to the secure server, with the secure server sending the requested web pages directly to the terminal. In general, address rewriting and other manipulation can be performed on the requested web pages, such that the true sources of the web pages are disguised and such that subsequent communications from the terminal are directed to the secure server and/or spoofing unit, rather than to the true source of the web pages. Components of the user's privacy may be sold, or advertisements may be provided, in exchange for protection of the user's identity.
    Type: Application
    Filed: February 27, 2009
    Publication date: August 6, 2009
    Inventors: Stephen Dao Hui Hsu, James Noshir Hormuzdiar, Jon A. Chun
  • Patent number: 7558827
    Abstract: When an alias mail having an alias address X as a destination is received from an originator terminal, an alias mail relay server restores a recipient address R and an alias address generation argument C, generates a reply destination address Y including the restored generation argument C and an originator address S, and replaces the destination and a transmission source with the recipient address R and Y to transfer the alias mail to a recipient terminal. On the other hand, when a reply mail is received from the recipient terminal, a remailer restores the originator address S and the generation argument C from Y, regenerates X from the restored generation argument C and the recipient address R, and replaces a destination and a transmission source with the originator address S and X to transfer the reply mail to the originator terminal.
    Type: Grant
    Filed: October 14, 2004
    Date of Patent: July 7, 2009
    Assignee: Nippon Telegraph and Telephone Corporation
    Inventors: Masahisa Kawashima, Jun Miyake, Tsuyoshi Abe, Katsumi Takahashi
  • Patent number: 7549052
    Abstract: Hashes are short summaries or signatures of data files which can be used to identify the file. Hashing multimedia content (audio, video, images) is difficult because the hash of original content and processed (e.g. compressed) content may differ significantly. The disclosed method generates robust hashes for multimedia content, for example, audio clips. The audio clip is divided (12) into successive (preferably overlapping) frames. For each frame, the frequency spectrum is divided (15) into bands. A robust property of each band (e.g. energy) is computed (16) and represented (17) by a respective hash bit. An audio clip is thus represented by a concatenation of binary hash words, one for each frame. To identify a possibly compressed audio signal, a block of hash words derived therefrom is matched by a computer (20) with a large database (21). Such matching strategies are also disclosed.
    Type: Grant
    Filed: February 11, 2002
    Date of Patent: June 16, 2009
    Assignees: Gracenote, Inc., Koninklijke Philips Electronics N.V.
    Inventors: Jaap Andre Haitsma, Antonius Adrianus Cornelis Maria Kalker, Constant Paul Marie Jozef Baggen, Job Cornelis Oostveen
  • Patent number: 7546456
    Abstract: A method and system for proving ownership of an IPv6 address of a node in an IP based communication system. The node generates or has a private key corresponding to a public key, and computes an address using the public key. The node verifies owning the address by generating an answer to at least one question presented by another node, the answer being generated using the private key corresponding to the public key. According to another embodiment, for proving ownership of the IP address, the node generates the IP address based on passwords used only once, and the other node receiving the IP address verifies that the node owns the IP address by checking the password.
    Type: Grant
    Filed: July 10, 2003
    Date of Patent: June 9, 2009
    Inventors: Franck Le, Stefano M Faccin
  • Patent number: 7543143
    Abstract: In a mobile communication system, upon multicasting a service data through a common channel in a radio communication area, a user not subscribing is disabled a multicasted service data, and charge can be applied only for the subscribing user. As a generating method of a security key for applying security for the multicasted service data, in SGSN, the security key is generated corresponding to the multicasting service for security process. The multicasted service data applied security process can be transmitted through the common channel in the radio communication area between RAN and UE (terminal), and the service data cannot be decoded by the user who is not subscribing.
    Type: Grant
    Filed: April 29, 2003
    Date of Patent: June 2, 2009
    Assignee: NEC Corporation
    Inventor: Sadafuku Hayashi
  • Patent number: 7539313
    Abstract: A method for managing encryption keys in a communication system having a plurality of communication devices includes establishing a set of cryptographic keys for secure communication. Each of the cryptographic keys is associated with a geographic region. A geographic region is determined for a communication device and at least one cryptographic key is distributed to the communication device based on the geographic region of the communication device. At least one cryptographic key may be used to derive further cryptographic keys associated with a set of sub-regions of the geographic region associated with the communication device.
    Type: Grant
    Filed: September 13, 2001
    Date of Patent: May 26, 2009
    Assignee: Nortel Networks Limited
    Inventors: Thomas P. Hardjono, Lakshminath Dondeti
  • Patent number: 7536546
    Abstract: A system for providing encryption for the rerouting of multi-media data flow packets is disclosed. Generally, a first endpoint is connected to a second endpoint, wherein the first endpoint comprises a transceiver, encryption software stored within the first endpoint defining functions to be performed by the first endpoint, and a processor. The processor is configured by the encryption software to perform the steps of: assigning a sequence number to a first multi-media data flow packet received by a first endpoint, wherein the first multi-media data flow packet is within a series of multi-media data flow packets; pseudo-randomly shuffling the sequence number of the first multi-media data flow packet; and, transmitting the pseudo-randomly shuffled sequence number to a second endpoint. These steps may be performed by a programmed controller, or other hardware, instead of, or in addition to, being performed in accordance with software.
    Type: Grant
    Filed: August 28, 2001
    Date of Patent: May 19, 2009
    Assignee: Acme Packet, Inc.
    Inventors: Patrick J. MeLampy, Ephraim W. Dobbins, Stephen E. Norton, Robert F. Penfield
  • Patent number: 7536011
    Abstract: An encryption device performs elliptic curve encryption using a secret key. The encryption device includes an operation unit for performing scalar multiplication of a point on an elliptic curve, a storage unit having a plurality of data storing areas, and a determiner unit for determining, in accordance with a bit sequence of a given value (d) and with a random value (RNG), an address of one of the plurality of data storage areas that is to be coupled to the operation means for each scalar multiplication.
    Type: Grant
    Filed: January 31, 2005
    Date of Patent: May 19, 2009
    Assignee: Fujitsu Limited
    Inventors: Masahiko Takenaka, Tetsuya Izu, Kouichi Itoh, Naoya Torii
  • Patent number: 7533261
    Abstract: Session data is encoded in a tag-length-value format and encrypted using a modified encryption key. A session cookie, formed by concatenating the length of the length of the secret, the length of the secret, the secret itself, and the encoded and encrypted configuration data, is transmitted from a server to a client. Each time the client begins a new communications session with the server that generated the session cookie, the session cookie is transmitted from the client to the server. The server receives the session cookie from the client and extracts the secret stored in the session cookie. Periodically, the server may request the new session cookie from the client to determine if the communications session between the client and the server is still active. If no response or an invalid session cookie is received, the communications session between the client and server is terminated.
    Type: Grant
    Filed: January 18, 2006
    Date of Patent: May 12, 2009
    Assignee: Microsoft Corporation
    Inventor: Baskaran Dharmarajan
  • Patent number: 7533258
    Abstract: Methods and devices for controlling access to a service over a network are described. A credential is provided to a device. The credential indicates the device is enrolled in the network. The credential is stored in non-volatile memory on the device. The credential binds the device to the network and prevents the device from accessing another network. The device presents the credential to a provider, and the provider uses the credential to authenticate and authorize the device. Upon authorization, the device is provided access to the service.
    Type: Grant
    Filed: January 7, 2005
    Date of Patent: May 12, 2009
    Assignee: Cisco Technology, Inc.
    Inventor: Mark John Baugher
  • Patent number: 7533260
    Abstract: Session data is encoded in a tag-length-value format and encrypted using a modified encryption key. A session cookie is then formed by concatenating the length of the length of the secret, the length of the secret, the secret itself, and the encoded and encrypted configuration data. The session cookie is transmitted from a server computer to a client computer, where it is stored.
    Type: Grant
    Filed: December 20, 2005
    Date of Patent: May 12, 2009
    Assignee: Microsoft Corporation
    Inventor: Baskaran Dharmarajan
  • Patent number: 7529926
    Abstract: A host communicates with a gateway, a DHCP server or a PPP peer of ISP to determine an IPv6 address, also receives a public key certificate from the gateway, the DHCP server or the PPP peer of ISP, and sends a public key certificate including an IPv6 address to a communication counterpart. The host receives a new public key certificate from the gateway, the DHCP server or the PPP peer of ISP when necessary.
    Type: Grant
    Filed: April 16, 2003
    Date of Patent: May 5, 2009
    Assignee: Canon Kabushiki Kaisha
    Inventor: Kazuomi Oishi
  • Patent number: 7530112
    Abstract: A method and apparatus for providing network security using role-based access control is disclosed. A network device implementing such a method can include, for example, an access control list. Such an access control list includes an access control list entry, which, in turn, includes a user group field. Alternatively, a network device implementing such a method can include, for example, a forwarding table that includes a plurality of forwarding table entries. In such a case, at least one of the forwarding table entries includes a user group field.
    Type: Grant
    Filed: September 10, 2003
    Date of Patent: May 5, 2009
    Assignee: Cisco Technology, Inc.
    Inventor: Michael R. Smith
  • Patent number: 7529927
    Abstract: To determine whether digital content can be released to an element such as a computer application or module, a scaled value representative of the relative security of the element is associated therewith, and the digital content has a corresponding digital license setting forth a security requirement. The security requirement is obtained from the digital license and the scaled value is obtained from the element, and the scaled value of the element is compared to the security requirement of the digital license to determine whether the scaled value satisfies the security requirement. The digital content is not released to the element if the scaled value does not satisfy the security requirement.
    Type: Grant
    Filed: November 3, 2004
    Date of Patent: May 5, 2009
    Assignee: Microsoft Corporation
    Inventors: Marcus Peinado, Rajasekhar Abburi, Jeffrey R. C. Bell
  • Patent number: RE40708
    Abstract: A logical tree structure and method for managing membership in a multicast group provides scalability and security from internal attacks. The structure defines key groups and subgroups, with each subgroup having a subgroup manager. Dual encryption allows the sender of the multicast data to manage distribution of a first set of encryption keys whereas the individual subgroup managers manage the distribution of a second set of encryption keys. The two key sets allow the sender to delegate much of the group management responsibilities without compromising security because a key from each set is required to access the multicast data. Security is further maintained via a method in which subgroup managers can be either member subgroup managers or participant subgroup managers. Access to both keys is provided to member subgroup managers whereas access to only one key is provided to participant subgroup managers.
    Type: Grant
    Filed: February 24, 2006
    Date of Patent: May 5, 2009
    Assignee: Panasonic Corporation
    Inventors: Lakshminath R. Dondeti, Sarit Mukherjee, Ashok Samal