Having Particular Address Related Cryptography Patents (Class 713/162)
  • Patent number: 7143283
    Abstract: A plurality of logical nodes are identified from a plurality of elements on a network, where the plurality of elements include security devices. One or more path entries may be determined for at least some of the logical nodes. Each path entry is associated with one of the logical nodes and specifies a set of communication packets, as well as a next node to receive the communication packets from the associated node. The path entries are used to characterize at least a substantial portion of a network path that is to carry communication packets in the set of communication packets.
    Type: Grant
    Filed: July 31, 2002
    Date of Patent: November 28, 2006
    Assignee: Cisco Technology, Inc.
    Inventors: Shigang Chen, Bo Zou
  • Patent number: 7127608
    Abstract: A URL processing system and associated communication protocol enables network compatible applications to be securely integrated into any process involving concurrent operation of applications. A system employed by an application for encoding URL link data for use in detecting unauthorized URL modification includes a link processor for processing URL data. The link processor adaptively identifies and encrypts an address portion of a URL and incorporates the encrypted address portion of the URL together with the non-encrypted portion of the URL into a single processed URL data string. The system also includes a communication processor for incorporating the processed URL data string into formatted data for communication to a request device. The link processor compresses the identified URL address portion (e.g., with a hash function) prior to encryption.
    Type: Grant
    Filed: March 26, 2001
    Date of Patent: October 24, 2006
    Assignee: Siemens Medical Solutions Health Services Corporation
    Inventors: Barry Lynn Royer, John Andrew Heil
  • Patent number: 7127609
    Abstract: A system processes and communicates URL data to enable network (including Internet) compatible applications to be securely integrated into any process involving concurrent operation of applications. A first application employs a system for encoding URL link data for use in detecting unauthorized URL modification. The system includes an input processor for receiving an encryption key and a URL processor for processing a URL link to a second application using the received encryption key. The URL processor identifies URL type and adaptively encrypts a URL link address portion based on the identified type to produce a processed URL. A communication processor includes the processed URL in data representing a web page and communicates the web page representative data including the processed URL to a requesting application.
    Type: Grant
    Filed: March 26, 2001
    Date of Patent: October 24, 2006
    Assignee: Siemens Medical Solutions Health Services Corporation
    Inventors: Barry Lynn Royer, John Andrew Heil
  • Patent number: 7120927
    Abstract: An e-mail alias registration system is provided. According to one embodiment, users may register an e-mail address and a password at an alias relay server (102). Then, when a third party attempts to reply to the registered user, the third party will be presented with a sign-on screen. Only if the sender is himself or herself a registered user will e-mail be allowed to be sent directly. To ensure that spammers do not abuse the registration system, only a limited number of e-mails will be allowed to be sent by registered users per day. Also, in order to register, a credit card number or other affirmative identification may need to be provided.
    Type: Grant
    Filed: June 9, 1999
    Date of Patent: October 10, 2006
    Assignee: Siemens Communications, Inc.
    Inventors: Cathy Sue Beyda, William J. Beyda, Shmuel Shaffer
  • Patent number: 7096355
    Abstract: In general, data exchanged between users is protected using any of various encoding approaches. An example of encoding is encryption, but any kind of encoding may be used. The data used to encrypt the data exchanged between the users, referred to as a “key”, is maintained only in a key repository. Users must obtain a key from the key repository to either encode or decode, encrypt or decrypt data, after which the user's copy of the key is destroyed or otherwise rendered inoperable. A key management policy is employed to control access to the keys maintained by the key repository. Encoding algorithms may be dynamically changed over time. Users may negotiate different algorithms to be used with specific users or messages. Thus, different algorithms may be used between different sets of users depending upon what the member users of those sets negotiate among themselves. The frequency at which algorithms are changed may also be separately negotiated between users.
    Type: Grant
    Filed: August 6, 2001
    Date of Patent: August 22, 2006
    Assignee: Omniva Corporation
    Inventors: Maclen Marvit, Keith David Rosema, Jeffrey Ubois, David Marvit, Dean Brettle, Yair Zadik, Stuart Goodnick
  • Patent number: 7093288
    Abstract: A network mediator corresponding to a computing device uses packet filters to restrict network communications. The network mediator includes a set of one or more filters, each filter having parameters that are compared to corresponding parameters of a data packet to be passed through the network mediator. The network mediator determines whether to allow the data packet through based on whether the data packet parameters match any filter parameters. The set of filters can be modified by a remote device, but cannot be modified by the computing device whose communications are being restricted. When a data packet is sent from the computing device, the data packet will include the virtual address which is changed to the network address by the network mediator prior to forwarding the packet on the network, and vice versa. By virtualizing the addresses, the computing device is restricted in accessing other devices over the network.
    Type: Grant
    Filed: October 24, 2000
    Date of Patent: August 15, 2006
    Assignee: Microsoft Corporation
    Inventors: Aamer Hydrie, Galen C. Hunt, Steven P. Levi, Bassam Tabbara, Robert V. Welland
  • Patent number: 7089416
    Abstract: It is intended, in the mobile information terminal, to achieve compactization, cost reduction and reduction in the burden of information processing, while taking the enciphering process for the information into consideration. The cipher signal process unit for enciphering the transmission information and the cipher process selection unit for selecting whether or not to use the cipher signal process unit are provided to select whether or not to execute the enciphering of the transmission information, according to the necessity in executing the communication of information, thereby dispensing the enciphering process as far as possible and alleviating the burden of the process involved in the enciphering.
    Type: Grant
    Filed: October 5, 1999
    Date of Patent: August 8, 2006
    Assignee: Canon Kabushiki Kaisha
    Inventor: Kurumi Mori
  • Patent number: 7089417
    Abstract: A method of providing cryptographic information and flow control includes first determining a target domain from an IP address. An organization policy is looked up from a credential store, and an algorithm and credentials specified for the target domain are looked up in a domain-credential map. Any further credentials that are provided and that are permitted by the organizational policy are added. A working key is then generated, and information is received in the form of a receive packet. Any packet header is stripped from the receive packet and the remaining data is encrypted. Key splits are retrieved from the credential store, and are combined to form a key-encrypting key. The working key is then encrypted with the key-encrypting key, and a CKM header is encrypted. The encrypted CKM header is concatenated to the beginning of the encrypted data to form transmit data, and the packet header and the transmit data are concatenated to form a transmit packet.
    Type: Grant
    Filed: November 18, 2003
    Date of Patent: August 8, 2006
    Assignee: TECSEC, Inc.
    Inventors: C. Jay Wack, Edward M. Scheidt, Jeffrey K. Morris
  • Patent number: 7086087
    Abstract: It is a technological object of the present invention to provide an information processing device, a card and a card system that have a high level of security. In order to achieve the object described above, the present invention provides a data processing apparatus comprising at least a first information processing device and a second information processing device connected to the first information processing device by a signal line, the data processing apparatus having a means for changing power consumption on the signal line during transmission of a signal through the signal line in accordance with an actual state of the power consumption that would be observed when the means were not used.
    Type: Grant
    Filed: June 22, 2000
    Date of Patent: August 1, 2006
    Assignees: Hitachi, Ltd., Hitachi ULSI Systems Co., Ltd.
    Inventors: Masahiro Kaminaga, Takashi Endo, Masaru Ohki, Takashi Tsukamoto, Hiroshi Watase, Chiaki Terauchi, Kunihiko Nakada, Nobutaka Nagasaki, Satoshi Taira, Yuuichirou Nariyoshi, Yasuko Fukuzawa
  • Patent number: 7082198
    Abstract: A data receiving method and unit extracts required data from among received digital signal data, and uses a predetermined decoding key to decode the extracted data. In the method and unit, it is determined whether the decoded data is normal. If it is determined that decoding has not been normally performed, corresponding data is deleted.
    Type: Grant
    Filed: October 26, 2000
    Date of Patent: July 25, 2006
    Assignees: Sony Corporation, Keio University
    Inventor: Makoto Ishii
  • Patent number: 7069436
    Abstract: Data is sent to one or more processing devices which have corresponding addresses. At least a portion of the data is encoded, and a control address is attached to the portion of the data. The control address is associated with the corresponding address of a respective one of the processing devices when the portion of the data is intended solely for the respective processing device. At least a segment of the control address is associated with a group of the processing devices when the portion of the data is intended for each processing device in the group. The portion of the data is transmitted and received, and a control address is read from the received portion of the data. The received portion of the data is decoded to form decoded data when the portion is intended for a group of the processing devices that includes the respective processing device or when the data is intended solely for the respective processing device.
    Type: Grant
    Filed: November 1, 2000
    Date of Patent: June 27, 2006
    Assignee: Sony Corporation
    Inventor: Masateru Akachi
  • Patent number: 7055030
    Abstract: The present invention provides a multicast communication system having a multicast server and a plurality of clients belonging to a multicast group. The multicast server transmits data encrypted by using a first encryption key to the clients by multicasting, and transmits the result of encrypting the first encryption key by using a second encryption key by unicasting to a client subscribed to a data distribution service, among the plurality of clients. The client subscribed to the data distribution service receives the encrypted data and the result. The client decrypts the result to obtain the first encryption key and decrypts the encrypted data using the first encryption key.
    Type: Grant
    Filed: December 17, 2001
    Date of Patent: May 30, 2006
    Assignee: Fujitsu Limited
    Inventor: Hideaki Negawa
  • Patent number: 7043644
    Abstract: A method and system for facilitating file access in a peer-to-peer network. The peer-to-peer network includes a plurality of nodes, where a portion of the nodes are separated from the network by a firewall device. The method and system include designating a first node on the network that is not firewall protected to act as a proxy server. In response to determining that a second node is protected by a firewall, the second node is instructed to establish a connection with the proxy server. An open connection request is then sent from the second node to the proxy server. In response to receiving a request from a third node to access a file on the second node, the method and system further include instructing the third node to send the request to the proxy server. The proxy server is then used to forward the request to the second node as a response to the open connection request, thereby allowing other nodes to access files on the second node despite the presence of the firewall.
    Type: Grant
    Filed: January 31, 2001
    Date of Patent: May 9, 2006
    Assignee: Qurio Holdings, Inc.
    Inventor: Timothy S. DeBruine
  • Patent number: 7043633
    Abstract: A communication device is provided for a local enclave. The communication device processes packets to be transferred from the local enclave to a wide area network. The communication device intercepts packets originating from a host on the local enclave, the packets being destined for transmission over the wide area network, extracts predetermined portions from each packet header to form one or more blocks for translation, applies a predetermined encryption algorithm to translate the one or more blocks after masking; and reinserts bits from the translated block back into the packet header. The purpose of the invention is to obfuscate network machine identities to TCP/IP packets traversing the public Internet to prevent traffic mapping.
    Type: Grant
    Filed: August 10, 2001
    Date of Patent: May 9, 2006
    Assignee: Verizon Corporation Services Group Inc.
    Inventors: Russell Andrew Fink, Matthew Aloysius Brannigan, Shelby Alana Evans, Aswin Morgan Almeida, Shelley Anne Ferguson
  • Patent number: 7032111
    Abstract: The invention is related to optimization of data transmission in TCP/IP networks, particularly to problems created by transmission of encrypted traffic. According to the invention, an indication that a TCP ACK is being carried in the encrypted payload of an IP datagram is added to the IP header of the datagram. The indication may simply be a flag indicating the presence of a TCP acknowledgment. The indication may also contain the acknowledgment number, which allows processing of the encrypted traffic based on the acknowledgment number. In IPv4 datagrams, the indication may be inserted as an extra option field. In IPv6 datagrams, the indication may be inserted as an extension header.
    Type: Grant
    Filed: December 7, 1999
    Date of Patent: April 18, 2006
    Assignee: Nokia Mobile Phones, Ltd.
    Inventors: Jussi Ruutu, Jian Ma
  • Patent number: 7027425
    Abstract: A virtual wireless local area network system and method utilizing impulse radio wherein transmission rates (bit rates) can vary according to the impulse radio transmission quality (signal to noise ratio) and wherein the position of the user can be determined and said user can be directed to an area of greater transmission rates and wherein a plurality of impulse radio portals can be utilized and switched between to maintain high levels of transmission rates while a user is moving within a predetermined area.
    Type: Grant
    Filed: February 11, 2000
    Date of Patent: April 11, 2006
    Assignee: Alereon, Inc.
    Inventors: Larry W. Fullerton, James S. Finn
  • Patent number: 7023851
    Abstract: The method described here provides for high-speed, Quality of Service (QoS) driven, and secure transport of voice, video and data packets for facilitating the convergence of multiple networking facilities into one. The method involves replacing one or more bits in the IP header address fields and replacing them with or adding to them unique virtual connection or virtual circuit (VC) identifiers for node-to-node, that is device-to-device, connectivity as well as for representing values or parameters for packet type, QoS, security, network management and node/link resources. Identifiers for the above parameters are developed and saved at each node as a switching table. The values representing the identifiers from a switching table are used to assign virtual connections as well as control the flows of packets.
    Type: Grant
    Filed: October 11, 2001
    Date of Patent: April 4, 2006
    Assignee: Signafor, Inc.
    Inventor: Sham Chakravorty
  • Patent number: 7020780
    Abstract: Plural program information and a BCA (Burst Cutting Area) number of the optical disc 100 is previously recorded in the optical disc 100. A drive ID is stored in the nonvolatile memory 104a of the reproduction apparatus 104. A user of the reproduction apparatus 104 notifies the BCA number, the drive ID, and a number of preferred program information to the software house (software supplier) 110 on the condition that the user pays for the reproduction of the preferred program information recorded in the optical disc 100. The software house 110 notifies a cipher key to the reproduction apparatus 104 or the user. A title key is calculated in the reproduction apparatus 104 in accordance with the BCA number, the drive ID, and the cipher key. The preferred information recorded in the optical disc 100 is permitted to be reproduced by using the title key.
    Type: Grant
    Filed: May 31, 2000
    Date of Patent: March 28, 2006
    Assignee: JVC Victor Co. of Japan, Ltd.
    Inventor: Masaki Mochizuki
  • Patent number: 7016498
    Abstract: To encrypt a digital object, a key ID is selected for the digital object, and a function ƒ( ) having an input and an output is selected. The selected key ID is then employed as the input to the function ƒ( ), and the output of such function ƒ( ) is employed as the key (KD) for the digital object: ƒ(key ID) → key (KD). The digital object is then encrypted according to such key (KD), and the encrypted digital object is distributed.
    Type: Grant
    Filed: November 5, 2004
    Date of Patent: March 21, 2006
    Assignee: Microsoft Corporation
    Inventors: Marcus Peinado, Ramarathnam Venkatesan
  • Patent number: 7010605
    Abstract: Session data is encoded in a tag-length-value format and encrypted using a modified encryption key. A session cookie is then formed by concatenating the length of the length of the secret, the length of the secret, the secret itself, and the encoded and encrypted configuration data. The session cookie is transmitted from a server computer to a client computer, where it is stored.
    Type: Grant
    Filed: August 29, 2000
    Date of Patent: March 7, 2006
    Assignee: Microsoft Corporation
    Inventor: Baskaran Dharmarajan
  • Patent number: 6983377
    Abstract: A trusted agent for enabling the check of the access of a user operating a first computer system controlled by a first security system to software and/or data on a second computer system controlled by a second security system. The trusted agent includes several functions, including: (a) reception of a user-id for the second computer system and transmission of the user-id to the second security system; (b) retrieval of a shared secret, which is registered in the first security system and in the second security system, from the second security system; and (c) transmission of the shared secret from the trusted agent to the second computer system.
    Type: Grant
    Filed: November 24, 1999
    Date of Patent: January 3, 2006
    Assignee: Software AG
    Inventors: Neil Beesley, Dietmar Gaertner, James Holme, Terence Kennedy, Dieter Kessler, Thomas Vogler
  • Patent number: 6981156
    Abstract: The invention concerns a server for management of authentication (S) and devices interconnected between each computer equipment needing to be made secure and the communication network. It makes it possible to secure said network in a distributed and dynamic manner. The device intercepts communications between a computer equipment (A) to which it is connected and the network, and makes it possible to obtain, by means of an authenticating module, data concerning a user (U) and to define a security level for said device. The authentication management server (S), connected to the network, processes said data and said security level and authenticates the user (U). The server (S) manages the authentication and transmits security parameters to the network devices. Said parameters are stored and processed by the network devices.
    Type: Grant
    Filed: May 3, 2000
    Date of Patent: December 27, 2005
    Assignee: Everbee Network
    Inventors: Michael Stern, Nicolas Stehle, Jean-Luc Stehle
  • Patent number: 6978384
    Abstract: Methods and systems are provided for sequence number checking. Sequence numbers of data packets are compared to a “sliding” window. The sliding window indicates a range of sequence numbers considered valid (or invalid). The size of the sliding window may be a particular value or varied. If a sequence number is “below” the sliding window, then it may be considered invalid. If a sequence number is within the sliding window, then it may be further checked to determine if a duplicate sequence number has been received. If a sequence number is “above” the sliding window, then it may be considered valid and the sliding window is advanced. The sliding window and sequence numbers are processed using multiple level bitmaps, which indicate a historical state of sequence numbers received. Furthermore, the multiple level bitmaps may comprise summary bits to summarize a state of subsequent bits.
    Type: Grant
    Filed: September 19, 2001
    Date of Patent: December 20, 2005
    Assignees: Verizon Corp. Services Group, Inc., BBNT Solutions LLC
    Inventor: Walter Clark Milliken
  • Patent number: 6968455
    Abstract: A browser 21 of a mark user client 3 obtains Web page 11 from a mark provider server 2 and displays it. Then control is transferred to a mark reference program 22 when a mark is detected, and the program extracts digital watermark information from a mark image. This digital watermark information comprises referred data, and an action definition that includes an action class and an index of the referred data as a parameter. The mark reference program 22 refers to this action definition, refers to required data through the index included in the action definition, and then performs processing defined by the action class.
    Type: Grant
    Filed: February 9, 2001
    Date of Patent: November 22, 2005
    Assignee: Hitachi, Ltd.
    Inventors: Satoe Okayasu, Takashi Shinoda, Hiroshi Asakai
  • Patent number: 6957330
    Abstract: Information that must remain secure is often stored on untrusted storage devices. To increase security, this information is encrypted by an encryption value prior to storing on the untrusted storage device. The encryption value itself is then encrypted. The encryption value is decrypted by correctly solving an access formula describing a function of groups. Each group includes a list of at least one consumer client. A requesting consumer client is granted access to the information if the requesting consumer client is a member of at least one group which correctly solves the access formula.
    Type: Grant
    Filed: March 1, 1999
    Date of Patent: October 18, 2005
    Assignee: Storage Technology Corporation
    Inventor: James P. Hughes
  • Patent number: 6950935
    Abstract: A system and method for authenticating users over a network. At least one pluggable authentication module (PAM) is used to authenticate users of network services. Each PAM includes a client-side authentication library and a server-side authentication library which may each be implemented in accordance with a specification expressed in an interface definition language (IDL), wherein the IDL is operable to define interfaces across a plurality of platforms and programming languages. The client-side authentication library is implemented for a particular client platform and deployed on the client computer system to provide a client-side interface to retrieve and encrypt a user profile. The server-side authentication library is implemented for a particular server platform and deployed on the server computer system to provide a server-side interface to receive the encrypted user profile from the client-side authentication library and decrypt the user profile to authenticate the user for network services.
    Type: Grant
    Filed: April 21, 2000
    Date of Patent: September 27, 2005
    Assignee: Sun Microsystems, Inc.
    Inventors: Sai V. Allavarpu, Anand J. Bhalerao
  • Patent number: 6948062
    Abstract: Encryption and decryption may be tied to physical location information, e.g., GPS or other position data. Decryption keys may be defined with respect to a location at which decryption is to occur. A clock may be used to ensure decryption is occurring at a desired decryption location. For security, names may be associated with GPS position data, where encrypted data and a name associated with position data may be provided to a recipient, and the recipient is required to know or have access to the position data associated with the name in order to compute a decryption key. For additional security, encryption may also be performed with respect to position data for an encryption location, where an identifier associated with the encryption location is provided to the recipient, and the recipient is required to know or have access to the position data associated with the second name. Other embodiments are disclosed.
    Type: Grant
    Filed: December 12, 2001
    Date of Patent: September 20, 2005
    Assignee: Intel Corporation
    Inventor: Edward O. Clapper
  • Patent number: 6931130
    Abstract: A method, system, and computer program product for dynamically adjusting the encryption level based on the geographic location of a software program are disclosed. The method includes an initial step of determining a geographic location associated with the software program. An encryption level is selected based upon the determined geographic location. The software program is then executed utilizing the selected encryption level. In one embodiment, determining the geographic location is achieved by determining the geographic location of a computer system on which the software program will be executed, preferably through the use of a Global Positioning System. The Global Positioning System may comprise an I/O device of the computer system on which the software executes. In one embodiment, the selected encryption level may be overridden by a Smart Card or other secure device connected to the computer system. In one embodiment, the available encryption levels include, at a minimum, a U.S.
    Type: Grant
    Filed: October 7, 1999
    Date of Patent: August 16, 2005
    Assignee: International Business Machines Corporation
    Inventors: George Kraft, IV, Richard Lee Verburg
  • Patent number: 6928544
    Abstract: A method, apparatus, and computer implemented instructions in a data processing system for shipping an item. The system includes receiving an encrypted address identifying a destination for the item, associating the encrypted address with the item, and using a carrier to deliver the item to the encrypted address, wherein the carrier decrypts the encrypted address to deliver the item to the destination. The encrypted address may be encrypted in a manner to limit reusability, such as a single use or a particular carrier.
    Type: Grant
    Filed: February 21, 2001
    Date of Patent: August 9, 2005
    Assignee: International Business Machines Corporation
    Inventor: Heng Chu
  • Patent number: 6925572
    Abstract: Two-phase filtering for a firewall is disclosed. In the first, general phase, a request is filtered to verify one or more of: that the request is pursuant to a supported protocol, that a command of the request is allowed, that the length of the request does not exceed the allowed maximum for the command, and that characters of the request are of an allowable type. Upon first-phase verification, a second phase is invoked that is particular to the protocol of the request. In the second, specialized phase, the request is filtered to verify one or more of the source, the destination, and the content of the request. Upon second-phase verification, the request is allowed to pass. If either first- or second-phase verification fails, then the request is denied.
    Type: Grant
    Filed: February 28, 2000
    Date of Patent: August 2, 2005
    Assignee: Microsoft Corporation
    Inventors: Neta Amit, Eran Harel, Abraham Nathan, Nevet Basker
  • Patent number: 6922775
    Abstract: A user support system for cryptographic communication includes a key storage for storing keys used for deciphering, a deciphering part for deciphering an enciphered communication text into a deciphered communication text using a key, and a controller for starting the deciphering part only when an input communication text is the enciphered communication text and for supplying the key that is necessary for the deciphering in the deciphering part by retrieving the key from the key storage.
    Type: Grant
    Filed: January 2, 2002
    Date of Patent: July 26, 2005
    Assignee: Fujitsu Limited
    Inventors: Hiroaki Kikuchi, Yasutsugu Kuroda, Hideyuki Aikawa
  • Patent number: 6910130
    Abstract: A digital signature system comprises a center computer and a first and second terminal devices which can communicate with each other. The center computer generates and outputs a signing-key for a signer and a verification-key for a verifier. The first terminal device accepts the signing-key, generates a digital signature for a digital data to be signed using the signing-key, and outputs the digital signature. The second terminal device accepts the verification-key, the signer's identification code (e.g. the unique code of the signer), an identification code of the digital data and the digital signature, and verifies the validity of the digital signature using the verification-key, the identification code of the digital data and the signer's identification code.
    Type: Grant
    Filed: November 29, 2000
    Date of Patent: June 21, 2005
    Inventors: Hideki Imai, Goichiro Hanaoka, Junji Shikata, Yuliang Zheng
  • Patent number: 6888797
    Abstract: A hashing-based router and method for network load balancing includes calculating a hash value from header data of incoming data packets and routing incoming packets based on the calculated hash values to permissible output links in desired loading proportions.
    Type: Grant
    Filed: March 25, 2000
    Date of Patent: May 3, 2005
    Assignee: Lucent Technologies Inc.
    Inventors: Zhirou Cao, Zheng Wang
  • Patent number: 6889231
    Abstract: Techniques for sharing information in a wide variety of contexts allow both an explicit capture process and an implicit capture process to add information items to a staging area. An information sharing system supports both implicit and explicit consumption of information items that are stored in the staging area. A rules engine allows users to create and register rules that customize the behavior of the capture processes, the consuming processes, and propagation processes that propagate information from the staging areas to designated destinations. Exactly-once handling of a sequence of items is achieved for items maintained in volatile memory. DDL operations are recorded, and operations are asynchronously performed based on the previously-performed DDL operations.
    Type: Grant
    Filed: December 2, 2002
    Date of Patent: May 3, 2005
    Assignee: Oracle International Corporation
    Inventors: Benny Souder, Dieter Gawlick, Jim Stamos, Alan Downing
  • Patent number: 6880090
    Abstract: The present invention relates to a method and system for Internet Protocol network communications and a use thereof for protecting Internet sites against denial of service attacks on insecure public networks such as the Internet. The method utilizes a multicast address hopping technique which selectively varies the chosen multicast IP address from a set of available multicast addresses according to a predetermined scheme known to the communicating end stations but not to unauthorized end stations. The packets associated with the multicast stream are then communicated on the chosen multicast address. The set of available multicast IP addresses may also be selectively varied according to a secret predetermined scheme known to the transmitter and subscriber end stations, particularly by adding to and dropping from the set of multicast IP addresses in a seemingly random fashion.
    Type: Grant
    Filed: April 17, 2000
    Date of Patent: April 12, 2005
    Inventor: Charles Byron Alexander Shawcross
  • Patent number: 6854061
    Abstract: According to one aspect of the invention, a method of creating a trial software product on a target system is provided. The method consists of intercepting file system calls from an installation process associated with a full software product and, responsive to a write request from the installation process, encrypting data associated with the write request if the write request is associated with one of a predetermined set of critical product files. The predetermined set of critical product files includes those product files comprising the full software product that have been identified as files to which access is to be controlled.
    Type: Grant
    Filed: October 15, 2002
    Date of Patent: February 8, 2005
    Assignee: International Business Machines Corporation
    Inventors: Thomas Edward Cooper, Robert Franklin Pryor
  • Patent number: 6851050
    Abstract: The present invention provides methods, systems, and computer program instructions for providing location-independent packet routing and secure access in a wireless networking environment (such as that encountered within a building), enabling client devices to travel seamlessly within the environment. Each client device uses a constant address. An address translation process that is transparent to the client and server is automatically performed as the device roams through the environment, enabling efficient client migration from one supporting access point to another. The secure access techniques provide user-centric authentication and allow policy-driven packet filtering, while taking advantage of encryption capabilities that are built into the hardware at each endpoint.
    Type: Grant
    Filed: May 25, 2001
    Date of Patent: February 1, 2005
    Assignee: ReefEdge, Inc.
    Inventors: Sandeep Kishan Singhal, Ajei Sarat Gopal
  • Patent number: 6850909
    Abstract: The present invention permits a user to conduct remote transactions without a network while using an untrusted computing device, such as a hand-held personal digital assistant or a laptop computer. The computing device is augmented with a smartcard reader, and the user obtains a smartcard and connects it to the device. This design can be used by an untrusted user to perform financial transactions, such as placing bets on the outcome of a probabilistic computation. Protocols are presented for adding (purchasing) or removing (selling) value on the smartcard, again without requiring a network connection. Using the instant protocols, neither the user nor the entity issuing the smartcards can benefit from cheating.
    Type: Grant
    Filed: December 11, 2002
    Date of Patent: February 1, 2005
    Assignee: AT&T Corp.
    Inventors: William A. Aiello, Aviel D. Rubin, Martin J. Strauss
  • Patent number: 6848048
    Abstract: A method and apparatus for providing verifiable digital signatures. In one embodiment, a method includes converting, on a computer system, digital data representative of a document into a predetermined format, and applying the predetermined format and a viewer program to a hash function to mathematically operate on the predetermined format and the viewer program and provide a message digest. The viewer program is used for viewing the predetermined format that is a representation of the document. The method further includes encrypting the message digest using a private key to provide a digital signature. In one embodiment, the predetermined format is a bitmap representation of the document. Moreover, in one embodiment, the method further includes incorporating a file in the digital signature, where the file includes one or more parameters specifying an environment of the computer system at the time of creation of the digital signature.
    Type: Grant
    Filed: October 13, 2000
    Date of Patent: January 25, 2005
    Assignee: Litronic Inc.
    Inventor: William S. Holmes
  • Patent number: 6836765
    Abstract: An electronic commerce system that electronically emulates the Mail Order/Telephone Ordering process on the Internet, including customer and merchant network address verification. Customer and merchant address verification are done electronically. Commerce parties other than the customer and merchant in the electronic commerce system could be as easily verified using the commerce system. The system uses a Public Key Infrastructure (PKI) system to ensure secure and irrefutable electronic commerce transactions on the Internet. PKI, when used in conjunction with network address verification, ensures that the electronic commerce party is whom he claims to be, ensures confidentiality of the data transmitted between the commerce parties and ensures that the data has not been altered during transmission. The electronic commerce system operates in two phases: a registration phase and a transaction phase.
    Type: Grant
    Filed: August 30, 2000
    Date of Patent: December 28, 2004
    Inventor: Lester Sussman
  • Publication number: 20040255166
    Abstract: An authentication server 10 executes authentication of a client 3 in an open network 1 in response to an authentication request from the client 3 at the time of the accessing of a department network 32 by the client 3. An address processing unit 3 executes, after the authentication of the client 3 by the authentication server 10 and on the basis of an instruction from the authentication server 10, address processing of a packet signal concerning packet communication between the client 3 and the department network 32.
    Type: Application
    Filed: April 20, 2004
    Publication date: December 16, 2004
    Inventor: Hiroshi Shimizu
  • Patent number: 6832314
    Abstract: Methods and systems for selectively encrypting and decrypting messages transmitted on a channel of a communication network, such as a broadcast channel, are provided. Group encryption keys are provided for one or more services utilizing the broadcast channel to communicate messages. A message associated with a particular service first receives an error check value, such as a cyclical redundancy check (CRC) value generated from the unencrypted message. The message is then encrypted using the group encryption key for the service and the CRC is added to the encrypted message and transmitted with a broadcast address of the communication network. A receiver then receives the message and determines that the CRC indicates an error (as it is generated from the encrypted message rather than the unencrypted message). The receiver then decrypts the message using the group encryption key for the service (assuming the receiver is authorized to receive the service, i.e.
    Type: Grant
    Filed: December 15, 1999
    Date of Patent: December 14, 2004
    Assignee: Ericsson, Inc.
    Inventor: David R. Irvin
  • Patent number: 6829708
    Abstract: To determine whether digital content can be released to an element such as a computer application or module, a scaled value representative of the relative security of the element is associated therewith, and the digital content has a corresponding digital license setting forth a security requirement. The security requirement is obtained from the digital license and the scaled value is obtained from the element, and the scaled value of the element is compared to the security requirement of the digital license to determine whether the scaled value satisfies the security requirement. The digital content is not released to the element if the scaled value does not satisfy the security requirement.
    Type: Grant
    Filed: March 15, 2000
    Date of Patent: December 7, 2004
    Assignee: Microsoft Corporation
    Inventors: Marcus Peinado, Rajasekhar Abburi, Jeffrey R. C. Bell
  • Patent number: 6823453
    Abstract: A storage area network resistant to spoofing attack has several nodes each having a port, and storage area network interconnect interconnecting the ports. Each port is provided with a hash function generator for providing and verifying an authentication code for frames transmitted over the storage area network, and a key table for providing a key to the hash function generator. The authentication code is generated by applying a hash function to the key and to at least an address portion of each frame. In each node, the key is selected from that node's key table according to address information of the frame.
    Type: Grant
    Filed: October 6, 2000
    Date of Patent: November 23, 2004
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventor: Douglas L. Hagerman
  • Patent number: 6816596
    Abstract: To encrypt a digital object, a key ID is selected for the digital object, and a function ƒ( ) having an input and an output is selected. The selected key ID is then employed as the input to the function ƒ( ), and the output of such function ƒ( ) is employed as the key (KD) for the digital object: ƒ(key ID)→key (KD). The digital object is then encrypted according to such key (KD), and the encrypted digital object is distributed.
    Type: Grant
    Filed: March 15, 2000
    Date of Patent: November 9, 2004
    Assignee: Microsoft Corporation
    Inventors: Marcus Peinado, Ramarathnam Venkatesan
  • Publication number: 20040193876
    Abstract: An architecture for authenticating packets is provided that includes: an input 322 operable to receive a packet, the packet comprising at least one of a transport, session and presentation header portion and a transport agent 312 operable to compute a first message authentication code based on at least some of the contents of the packet and compare the first message authentication code with a second message authentication code in the at least one of a transport, session, and presentation header portion to authenticate the packet.
    Type: Application
    Filed: March 27, 2003
    Publication date: September 30, 2004
    Inventors: Christopher J. Donley, Robert R. Gilman, Kurt H. Haserodt, John M. Walton
  • Publication number: 20040193875
    Abstract: Disclosed is an authentication mechanism that provides much of the security of heavyweight authentication mechanisms, but with lower administrative and communicative overhead while at the same time not being limited to a 64-bit limit on the length of a cryptographic hash value. Removal of this limitation is achieved by increasing the cost of both address generation and brute-force attacks by the same parameterized factor while keeping the cost of address use and verification constant. The address owner computes two hash values using its public key and other parameters. The first hash value is used by the owner to derive its network address. The purpose of the second hash is to artificially increase the computational complexity of generating new addresses and, consequently, the cost of brute-force attacks. As another measure against brute-force attacks, the routing prefix (i.e., the non-node-selectable portion) of the address is included in the first hash input.
    Type: Application
    Filed: March 27, 2003
    Publication date: September 30, 2004
    Applicant: Microsoft Corporation
    Inventor: Anssi Tuomas Aura
  • Patent number: 6782474
    Abstract: A network device (100, 300) is connected to a network (102) having also a management station (107) connected thereto. The method for configuring the network device comprises the steps of transmitting from the management station a configuration packet to the network device (201), authenticating at the network device the management station as the genuine transmitter of the configuration packet (202) and decoding the configuration parameters contained in said configuration packet and storing them as the configuration parameters of the network device (203).
    Type: Grant
    Filed: June 4, 1999
    Date of Patent: August 24, 2004
    Assignee: SSH Communication Security Ltd.
    Inventor: Tatu Ylonen
  • Patent number: 6779111
    Abstract: A system and method for encrypting data communications between a client and server utilizes an untrusted proxy server to perform computationally expensive encryption calculations which would otherwise be performed by the client. Prior to transmitting the data message to the proxy server, the client masks the data message such that the data message is indecipherable to the untrusted proxy. The untrusted proxy performs the computationally expensive encryption calculations prior to transmitting the data message to the intended receiver.
    Type: Grant
    Filed: May 10, 1999
    Date of Patent: August 17, 2004
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Christian Gehrmann, Luis Barriga
  • Patent number: RE39360
    Abstract: A system for automatically encrypting and decrypting data packets sent from a source host to a destination host across a public internetwork. A tunnelling bridge is positioned at each network, and intercepts all packets transmitted to or from its associated network. The tunnelling bridge includes tables indicating pairs of hosts or pairs of networks between which packets should be encrypted. When a packet is transmitted from a first host, the tunnelling bridge of that host's network intercepts the packet, and determines from its header information whether packets from that host that are directed to the specified destination host should be encrypted; or, alternatively, whether packets from the source host's network that are directed to the destination host's network should be encrypted.
    Type: Grant
    Filed: August 19, 1998
    Date of Patent: October 17, 2006
    Assignee: Sun Microsystems, Inc.
    Inventors: Ashar Aziz, Geoffrey Mulligan, Martin Patterson, Glenn Scott