Abstract: An approach for managing IP telephony devices in a network generally involves associating physical and logical data with an IP telephony device using identification data that identifies the IP telephony device. The physical data specifies one or more attributes of how the IP telephony device is connected to the network, for example, as a switch address, port, or both. The logical data specifies one or more logical attributes of the IP telephony device on the network, for example, an extension number or IP address. Correlating physical and logical data with an IP telephony device using identification data aids in identifying suspect IP telephony devices in a network by identifying IP telephony devices that have physical data, but no logical data and also IP telephony devices that have the same identification data, such as the same media access control layer address.

Abstract: Digital content is released to a rendering application for forwarding by such rendering application to an ultimate destination by way of a path therebetween. The path is defined by at least one module, and the digital content is initially in an encrypted form. An authentication of at least a portion of the path is performed to determine whether each defining module thereof is to be trusted to appropriately handle the digital content passing therethrough. The encrypted digital content is decrypted if in fact each such defining module is to be trusted, and the decrypted digital content is forwarded to the rendering application for further forwarding to the ultimate destination by way of the authenticated path.

Abstract: According to certain embodiments consistent with the present invention, a method of processing digital video content, wherein the digital video content comprises intra-coded frames and inter-coded frames, involves selecting a plurality of the intra-coded frames for encryption to produce selected frames; encrypting the selected frames under a first encryption algorithm to produce first encrypted frames; storing the inter-coded frames in a first file; and storing the intra-coded frames, whether encrypted under the first encryption algorithm or unencrypted, in a second file. For a multiple encryption embodiment consistent with the present invention, the method further involves duplicating the intra-coded frames; encrypting duplicates of the selected frames under a second encryption algorithm to produce second encrypted frames; storing the intra-coded frames, whether encrypted under the second encryption algorithm or unencrypted, in a third file.

Abstract: According to the present invention there is provided a datacast distribution system which allows for the distribution of movies, music, games, application software, and the like using a new or existing terrestrial digital video broadcast (DVB-T) network.

Abstract: A data packet is conveyed between servers connected to a packet network. A first server securely distributes a list of distinct numbers to one or more authorized receiving servers. Subsequently, upon receiving a packet to be transferred, the first server selects an unused number from the number list and writes the number into the packet before routing the packet to one or more of the authorized receiving servers. Upon receipt of the packet, an authorized receiving server checks that the number included in the packet is valid in that it is both contained in the latest number list and has not already been used in another packet. If valid, the receiving server determines a sequence number representative of the position of the number in the latest number list and sends an acknowledgement message to the originating server, including the determined sequence number.

Abstract: Network data files are secure through the operation of an infrastructure gateway-based network file access appliance. Network file data, corresponding to network pocket payload data, are further reduced to a sequence of data blocks that are secured through any combination of block encryption, compression, and digital signatures. File meta-data, including encryption, compression and block-level digital signatures are persistently stored with the file data, either in-band in the file as stored or out-of-band key as a separately stored file or file policy record. File meta-data is recovered with accesses of the file data to support bidirectional encryption and compression and to detect tampering with the file data by comparison against block-level digital signatures.

Abstract: The present invention relates to a method for encrypting digital information using communication devices, which have an interface for a replaceable or writable storage medium, whose content may be read out and duplicated, having a storage medium which is connected to the interface, a supply of symbols for encryption being stored on the digital storage medium, which may be read out on the basis of an address, having an encryption unit which employs the supply of symbols for encrypting and/or decrypting the digital data stream of the communication device on the basis of at least one address.

Abstract: A bridge-based RAS backbone network system and a signal processing method therefor are provided. In the bridge-based RAS backbone network system, a plurality of BSBs with Layer 2 (L2) switches are connected to a plurality of RASs, anda plurality of SCBs with L2 switches are connected to part of the BSBs in a lower layer, forming a core network. An HLR manages configuration information of network entities by storing the IP addresses and MAC addresses of MNs within the network and the addresses of SCBs to which the MNs belong in a table. Each of the SCBs statically preserves the MAC address of an external default router, for relaying an egress frame, statically registers its individual MAC address in other SCBs in the core network beforehand, detects a destination MN through the HLR, and sends a frame to the SCB of the destination MN or the MAC address of the external default router.

Abstract: Methods and apparatuses for obfuscating computer instruction streams. In one aspect of the invention, an exemplary method includes breaking each of at least two operative instruction streams into a plurality of parts and interleaving the parts into a new instruction stream. In another aspect of the invention, an exemplary method includes breaking each of at least two operative instruction streams into a plurality of parts and interleaving the parts with obfuscation codes into a new instruction stream. The obfuscation codes interrelate the parts from different instruction streams to prevent reversal of interleaving.

Abstract: A computer receives a user authentication request from a client. The computer accesses a password associated with the user name, stored locally on the computer, and attempts to authenticate the password using an authentication server. If the password authentication succeeds, the computer hashes the password and compares the hashes. If the hashes match, the user authentication succeeds.

Abstract: An apparatus and method use the built-in authentication and authorization functions of a directory service to perform authentication and authorization for resources that are external to the directory service. A Lightweight Directory Access Protocol (LDAP) service is used in the preferred embodiments. The LDAP directory includes built-in functions for authenticating a user that requests access to an entry. Each resource that needs to be protected is mapped to an entry in the LDAP directory. These entries that correspond to protected resources external to the LDAP directory are called proxy entries. Proxy entries contain the authorization information for the corresponding protected resource in the form of an access control list for each entry that specifies the authorized users of the entry.

Abstract: An apparatus and method for securing media access control (MAC) addresses in a wireless local area network (LAN) environment are provided. In the method of securing MAC addresses, a cryptographically generated address (CGA) is generated using a predetermined cipher algorithm, a ciphered MAC address is extracted from the CGA, and communication is performed using the ciphered MAC address. Accordingly, it is possible to strengthen the security of MAC addresses.

Abstract: A communication processing system which allows a secure communication with a mobile terminal via a network. The communication processing system includes a server which provides a common key used to encrypt and decrypt data transmitted between communication terminals, and provides information about locations of communication terminals on the network. The server generates a session key and provides it to communication terminals. The server has a database in which location information of mobile terminals is stored. If the server receives, from a calling terminal, data designating a destination terminal, the server searches the database using an IP address of the destination terminal as a search key to acquire the latest location information of the destination terminal, and the server transmits encrypted data including a session key and address data of the destination terminal to the calling terminal.

Abstract: The authenticity of a website is tested with software that runs on a personal computing device and a service that is provided via the Internet. The software on the personal computing device is in the form of a proxy, or transparent component in the Internet Protocol implementation. The proxy receives all outbound messages, analyzes them and forwards or modifies them without the user's intervention. The service tests the IP address and/or the behavior of the target website.

Abstract: Firewall system for interconnecting a first IP network (10) to a second IP network (16), these networks belonging to two different entities having each a different administration wherein any data packet transmitted/received by the first IP network is filtered by using a first firewall function and any data packet transmitted/received by the second IP network is filtered by using a second firewall function. The system comprises essentially a single firewall device (20) including filtering means (41, 43) performing both first firewall function and second firewall function, a console port (37) enabling the administrator in charge of each IP network to enter filtering rules for updating the associated firewall function and control means (39, 47, 49) interconnecting the console port and the filtering means for transmitting thereto the filtering rules so that each administrator may independently manage the system from the console port.

Abstract: A specific client computer acquires content that has been stored in a content server. To accomplish this, the ID of the client computer is registered with the content server. The IP address, etc., of the content server is encrypted to obtain a check code and the check code is transmitted to the client computer and to a center server. The check code, etc., is transmitted from the client computer to the center server. The center server decrypts the check code transmitted from the client computer and the check code transmitted from the content server. The IP address, etc., of the content server is obtained by the decryption. If the IP address, etc., obtained from the check code transmitted from the client computer and the IP address obtained from the check code transmitted from the content server agree, the center server decides that the client computer is an authorized computer and transmits the IP address of the content server to the client computer.

Abstract: A storage device formed of a hard disk stores a search table including an index object, a start time stamp, an end time stamp, a decryption start point correlated with index object, and a GOP location offset correlated with index object. Decryption start point indicates a decryption start point for a block including audio and video data broadcast in synchronization with an object and GOP location offset indicates an amount offset between a decryption start point and GOP's random access point.

Abstract: Various systems, methods, and programs are provided that facilitate access to a secure application. In one embodiment, a method is provided that includes encrypting at least one authentication sequence in a computer system using a network identifier as an encryption key, and storing the encrypted at least one authentication sequence in a memory accessible to the computer system. Next, the encrypted at least one authentication sequence is decrypted using a second network identifier as a decryption key, the second network identifier is procured after storing the encrypted at least one authentication sequence. Thereafter, an expedited login task is performed to access the application with the at least one authentication sequence if the decryption of the at least one authentication sequence is successful.

Abstract: This invention takes advantage of the capability to keep secured physical and logical addresses of the internal subscribers of the local network using a special network screen for the packets exchanged between the network segments and using a special program to control the packets communication processes between the network interfaces. The program of control resolves the task of information delivery using special codes in the packet headers that are different from their logical and physical addresses. The network screen has a special interface to change, control and tune filter parameters.

Abstract: When transferring elements APE forming an application program between SAM units 9a and 9b, management data which specifies identification data of elements, presence of mutual authentication, mode of reference (usage), and a mutual authentication key of each element is prepared and the elements transferred between the SAM units A and 9b based on the management data.

Abstract: A method and apparatus for distributing keys in a multicast domain is provided. In a secure multicast domain, a request to join a multicast group for a time period occurs. A key distributor which controls access to the multicast data group determines if the request will be accepted. If the request is accepted the key distributor assigns the member to a virtual channel, wherein each virtual channel is defined by a time period. A data group key is forwarded to the member as is a virtual channel key. The member can then receive and decode events from the data group on the assigned virtual channel.

Abstract: A packet quarantine device receives a data packet over a secure connection having a connection-specific set of security parameters such as an IPsec connection in a virtual private network (VPN) using security associations. The packet quarantine device tests the data packet and if the data packet fails to validate, the packet quarantine device saves the data packet to a storage area along with the set of security parameters used to transmit the data packet. The stored information of the failed packet along with the set of security parameters enables later analysis of the failed packet in order to determine the network condition that produced the failed data packet. The packet quarantine device also generates alerts in response to receiving data packets that fail to validate. The alerts include information obtained from packet analysis.

Abstract: An approach for managing addition or deletion of nodes in a multicast or broadcast group, which avoids introducing a single point of failure at a group controller, certificate authority, or key distribution center, is disclosed. A central group controller utilizes a binary tree structure to generate and distribute session keys for the establishment of a secure multicast group among multiple user nodes. The central group controller is replicated in a plurality of other group controllers, interconnected in a network having a secure communication channel and connected to a load balancer. The secure communication channel is established using a public key exchange protocol. The load balancer distributes incoming join/leave requests to a master group controller. The master group controller processes the join or leave, generates a new group session key, and distributes the new group session key to all other group controller replicas.

Abstract: In a network, a router uses some secret information combined with a cryptographic process in determination of a subnet's routing prefix.

Abstract: The invention concerns a method solving security problems resulting from the addition of a security circuit to a smart card reading terminal by providing said security circuit with means for counting the number of times the security circuit is activated for certain sensitive operations. When the total of said operations reaches a fixed value, the security circuit is prevented from operating until it is re-initialized again. Optionally, the circuit may have to be replaced by another.

Abstract: A communications system and method is provided to reliably protect communication systems, such as mobile phone systems, from unauthorized use, as well as to make the interception of wireless communication more difficult. Specifically, the static wireless phone number or other similar identifiers are not used for identification and authorization during communication between the mobile unit and a base station. Instead, a set of private identifiers is determined and is known only to the phone company and the base stations controlling the mobile phone calls. These private identifiers allow dynamic and continual updating of the mobile phone and base station directories with current valid identifiers that are used for communication between the devices.

Abstract: Session Inter-Device (SID) mobility networks (50, 100, 150) are described in which a seamless transfer of a communication session from a first device (56,106, 116) to a second device (66, 116, 166) can be achieved without interrupting the active session. According to the SID mobility network (50), the transfer can be accomplished by transferring away from the Transferring Node or first device (56) the IP address associated with the active session (58) so that the network (50) will route the session to the desired Target Node or second device (66). The Transferring Node (56) transfers its IP address (58) to the Agent (60) and stops requesting data packets addressed to its IP address (58). The Agent (60) then begins to request and eventually receive the packets addressed to the Transferring Node's IP address (58). The Agent (60) then transfers the packets to the Target Node (66).

Abstract: Session Inter-Device (SID) mobility networks (50, 100, 150) are described in which a seamless transfer of a communication session from a first device (56, 106, 116) to a second device (66, 116, 166) can be achieved without interrupting the active session. According to the SID mobility network (50), the transfer can be accomplished by transferring away from the Transferring Node or first device (56) the IP address associated with the active session (58) so that the network (50) will route the session to the desired Target Node or second device (66). The Transferring Node (56) transfers its IP address (58) to the Agent (60) and stops requesting data packets addressed to its IP address (58). The Agent (60) then begins to request and eventually receive the packets addressed to the Transferring Node's IP address (58). The Agent (60) then transfers the packets to the Target Node (66).

Abstract: A data transmitting/receiving method for charging the reception of pay data in units of a reception or in units of a group to which receivers belong with a high degree of freedom and its receiver. The transmission side allocates the same group identification number (IRD_Gr_ID) to receivers which receive data from the transmission side under a reception contract, have different individual identification numbers (IRD_ID), and belong to the same group, and manages the reception contract by means of the individual identification number (IRD_ID) and the group identification number (IRD_Gr_ID).

Abstract: The present invention is a method to provide maximum security to transactions and communications made on a digital network with a device comprising a card reader. The device is made of a microphone, a speaker, a dialing device, electronics circuitry, digital ports to facilitate communication with digital networks and a card reader.

Abstract: A protected communication system, wherein an information device utilizing memory device and operation device is connected via the network. Enciphering and deciphering of transmitting or receiving data is automatically processed according to unique enciphering method and deciphering method determined by the ordered pair of sender and receiver at each information device.

Abstract: A system and method for controlling the use of addresses by using address computation techniques is described. A system comprising alias address creation software generates multiple alias addresses representing a single real address of a particular recipient. Each alias address is computed from data representing a prospective sender and a recipient. A sender is provided with an alias address by a recipient for communicating back to said recipient. Messages sent by a sender, employing alias addresses are analysed to a forwarding server which validates each alias address and checks it against a blocking list. Messages which pass these checks are directed to the recipient's real address registered with said forwarding server.

Abstract: This network system includes a first device serving as a shared resource connected to a network, a second device connected to the network and including an object corresponding to the first device, and a third device for dynamically allocating first and second IP addresses of a plurality of available IP addresses to the first and second devices. The object has a static IP address, and the second device associates the first IP address allocated to the first device with the IP address of the object.

Abstract: A system for providing a Virtual Local Area Network (VLAN) by use of an encryption states or encryption keys for identifying a VLAN. A table of data including a VLAN and an associated encryption state or key is provided for assignment of encryption states or keys, for devices in a wireless local area network.

Abstract: Techniques for securing data in communications between a client and server using an unencrypted transfer protocol, which does not encrypt a payload defined by the transfer protocol, include selecting a subset from a set of data to be communicated in a particular payload. A secret integer is determined that is unique for the subset. Based on the subset and the secret integer, encrypted data is generated that is practically unintelligible to a device other than the client and the server. A sending device, of the client and the server, sends to a receiving device, in the particular payload, the encrypted data and information to determine, only at the client and the server, the secret integer for decrypting the encrypted data. The present techniques allow a lightweight encryption algorithm to provide authentication and data security for more secure transfer of selective portions of unencrypted payloads transferred by such protocols as the Hypertext Transfer Protocol (HTTP).

Abstract: An integrated circuit comprising a processor and memory, the memory storing a set of data representing program code and/or an operating value, wherein each bit of the data is stored as a bit/inverse-bit pair in corresponding pairs of physically adjacent bit cells in the memory.

Abstract: An apparatus for and method of processing a digital certificate by a legacy data base management system within its legacy security facility. The digital certificate is defined by accepted international standards and is presented to the legacy data base management system after being unpacked and stored within a temporary file. This permits the legacy data base management system to fully utilize and benefit from the digital certificate technology, even though it possesses an incompatible security facility.

Abstract: A key-caching system retrieves actively used keys from a relatively fast cache memory for fast processing of wireless communications. Additional keys are stored in relatively slow system memory that has high storage capacity. As keys become needed for active use, the keys are retrieved from the system memory and stored in the cache memory. By using active memory for keys actively being used, system performance is enhanced. By using system memory for keys not being used, a greater number of keys are available for transfer to the cache and subsequent active use.

Abstract: In a system where a central load distribution server at a publicized URL redirects requests for files to a number of content servers holding identical content on the basis of dynamically determined capacity utilization of those servers, clients are prevented from directly accessing one of the content servers without first being redirected from the central load distribution server. In the event that a client attempts to access one of the content servers without first having been redirected there from the load distribution server, the client is redirected to a page containing a notice of the error, then redirected yet again to the load distribution server. For browsers in which bookmark lists may be edited by the user, facilities are provided for correcting the bookmark entry that brought the user to the protected content server rather than to the central load distribution server.

Abstract: In a method for providing copy-protection services on a storage medium (for instance a solid state memory module), the data are arranged in sectors to which a field (S4T) is associated, where said field contains a random value Ri which is changed randomly when writing data to said sector. By encrypting the data stored on the medium using a key which depends critically on said random numbers, bit-by-bit copies (apart from said random numbers, which can not be deterministically changed by an application) to a second storage medium or recopies from some intermediate storage medium, can not be decrypted because the values of said random numbers will have changed, thus preventing unauthorized duplication and replay attacks.

Abstract: A system, method, and computer program product for providing a encrypted email reader and responder is described.

Abstract: An architecture for implementing host-based security such that data security may be applied whenever the confidential data leaves a host computer or a networked device. The improved method and architecture may be implemented in a single integrated circuit for speed, power consumption, and space-utilization reasons. Within the integrated circuit, a combination of hardware-implemented, network processor-implemented, and software-implemented functions may be provided. The innovative host-based security architecture may offer line-rate IPSec acceleration, TCP acceleration, or both.

Abstract: System and method for optimizing communications using a communications pipe over a network. This invention provides means to locally execute an APDU script and collect APDU responses locally for batch transfer to a remote server.

Abstract: The present invention provides embodiments for producing a user equipment identification scrambling sequence (UEIDSS). The produced sequences for different user identification codes have a high separation. A base station uses the UEIDSS to scramble a high speed shared control channel (HS-SSCH) and a user equipment (UE) uses the UEIDSS to descramble the HS-SSCH. The embodiments utilize various blocks for producing the codes. These blocks include Reed-Muller encoding, concatenation, rate matching, segmentation, convolutional encoding, tail bit discarding, zero padding, repeating, CRC calculation, quadratic residue coding, parity-check bit, shortening, puncturing and BCH encoding blocks.

Abstract: A method and apparatus is provided for securely executing access control functions that may be customized by or on behalf of administrators of information access systems. Examples of such functions include changing a password of a user, determining whether or not data specifying a user and a password identifies an authentic user, and displaying a message indicating whether a login attempt was successful. An access control function is mapped to a digital signature. The digital signature is used to verify that an executable element retrieved for executing the access control function is the proper executable element. The access control functions may be invoked upon the occurrence of access control events, such as a user successfully logging onto an information access system or the modification of a user's password. A mapping contains data used to determine what events are tied to what access control functions, and whether the access control function should be executed.

Abstract: A plurality of logical nodes are identified from a plurality of elements on a network, where the plurality of elements include security devices. One or more path entries may be determined for at least some of the logical nodes. Each path entry is associated with one of the logical nodes and specifies a set of communication packets, as well as a next node to receive the communication packets from the associated node. The path entries are used to characterize at least a substantial portion of a network path that is to carry communication packets in the set of communication packets.

Abstract: A system processes and communicates URL data to enable network (including Internet) compatible applications to be securely integrated into any process involving concurrent operation of applications. A first application employs a system for encoding URL link data for use in detecting unauthorized URL modification. The system includes an input processor for receiving an encryption key and a URL processor for processing a URL link to a second application using the received encryption key. The URL processor identifies URL type and adaptively encrypts a URL link address portion based on the identified type to produce a processed URL. A communication processor includes the processed URL in data representing a web page and communicates the web page representative data including the processed URL to a requesting application.

Abstract: A URL processing system and associated communication protocol enables network compatible applications to be securely integrated into any process involving concurrent operation of applications. A system employed by an application for encoding URL link data for use in detecting unauthorized URL modification includes a link processor for processing URL data. The link processor adaptively identifies and encrypts an address portion of a URL and incorporates the encrypted address portion of the URL together with the non-encrypted portion of the URL into a single processed URL data string. The system also includes a communication processor for incorporating the processed URL data string into formatted data for communication to a request device. The link processor compresses the identified URL address portion (e.g., with a hash function) prior to encryption.

Abstract: An e-mail alias registration system is provided. According to one embodiment, users may register an e-mail address and a password at an alias relay server (102). Then, when a third party attempts to reply to the registered user, the third party will be presented with a sign on screen. Only if the sender is himself or herself a registered user will e-mail be allowed to be sent directly. To ensure that spammers do not abuse the registration system, only a limited number of e-mails will be allowed to be sent by registered users per day. Also, in order to register, a credit card number or other affirmative identification may need to be provided.

Abstract: A system for automatically encrypting and decrypting data packet sent from a source host to a destination host across a public internetwork. A tunnelling bridge is positioned at each network, and intercepts all packets transmitted to or from its associated network. The tunnelling bridge includes tables indicated pairs of hosts or pairs of networks between which packets should be encrypted. When a packet is transmitted from a first host, the tunnelling bridge of that host's network intercepts the packet, and determines from its header information whether packets from that host that are directed to the specified destination host should be encrypted; or, alternatively, whether packets from the source host's network that are directed to the destination host's network should be encrypted.