Having Particular Address Related Cryptography Patents (Class 713/162)
  • Patent number: 8819361
    Abstract: The objects of an archive may be verified with a cryptographic signature stored in the archive. However, when an object is extracted, the authentication involves re-authenticating the entire archive, re-extracting the object, and comparing the extracted object with the current object, which is inefficient or unachievable if the archive is unavailable. Instead, the archive may include a block map signed with the signature and comprising hashcodes for respective blocks of the objects of the archive. When an object is extracted, the signature and block map may also be extracted and stored as objects outside of the archive. The extracted signature and block map may later be verified by authenticating the signature, verifying the block map with the signature, and matching the hashcodes of the block map with those of the blocks of the extracted objects, thus enabling a more efficient and portable verification of extracted object with extracted authentication credentials.
    Type: Grant
    Filed: September 12, 2011
    Date of Patent: August 26, 2014
    Assignee: Microsoft Corporation
    Inventors: Simon Wai Leong Leet, Sarjana Bharat Sheth, Patrick T. O'Brien, Jr., Jack R. Davis
  • Patent number: 8819419
    Abstract: The present invention provides a dynamic, easily configurable system, which can be used to encrypt or otherwise hide the internal structure of a network. The present invention protects access to computing systems via a URL by encrypting all or a portion of the URL during the transmission of information over a network. Prior to the actual transmission of the information, fields in the URL can be encrypted using conventional encryption techniques. The encryption will occur after the destination has been determined such that the encryption will not cause the information to be misdirected to a wrong destination. At the destination location, there is first a determination that this URL is an encrypted URL. At this point, a decryption technique is employed based on the predetermined encryption scheme to decrypt the URL. The full URL is now accessed only by the destination location and is not accessible during travel over the network between the originating and destination locations.
    Type: Grant
    Filed: April 3, 2003
    Date of Patent: August 26, 2014
    Assignee: International Business Machines Corporation
    Inventors: Michael Pierre Carlson, Srinivas Chowdhury
  • Patent number: 8819410
    Abstract: Methods and apparatuses for private electronic information exchange are described herein. In one embodiment, when electronic information is received to be delivered to a recipient, the electronic information is transmitted over an electronic network with a private routing address. The private routing address is routable within a private domain, which is a subset of the electronic network. Other methods and apparatuses are also described.
    Type: Grant
    Filed: September 7, 2012
    Date of Patent: August 26, 2014
    Assignee: Privato Security, LLC
    Inventor: George C. Sidman
  • Patent number: 8813243
    Abstract: Embodiments of the present invention provide a method and system, including a client and security token, for reducing a size of a security-related object stored in the token. The object is stored in a storage structure that is indexed according to an identity reference to a certificate associated with the object and a private key identifier identifying a private key assigned to an owner of the token. A request to access an encrypted data object results in accessing the private key identifier in the storage structure using only the identity reference as an index.
    Type: Grant
    Filed: February 2, 2007
    Date of Patent: August 19, 2014
    Assignee: Red Hat, Inc.
    Inventor: Steven William Parkinson
  • Patent number: 8798270
    Abstract: To improve a communication system including two communication apparatuses in order to reduce a possibility of having communication thereof decrypted by a third party. The communication system includes a first communication apparatus and a second communication apparatus, where one of the communication apparatuses encrypts transmission subject data to generate encrypted data and transmits it to the other communication apparatus which then decrypts received encrypted data. Before performing encryption, each of the communication apparatuses cuts the transmission subject data by a predetermined number of bits to generate transmission subject cut data. In this case, each of the communication apparatuses varies the number of bits of the transmission subject cut data, and mixes dummy data of a size of which number of bits matches with the largest number of bits out of the numbers of bits of the transmission subject cut data into the transmission subject cut data other than that of the largest number of bits.
    Type: Grant
    Filed: January 4, 2006
    Date of Patent: August 5, 2014
    Assignee: NTI, Inc.
    Inventor: Takatoshi Nakamura
  • Patent number: 8793777
    Abstract: Embodiments of the present invention provide verification and/or authentication service engines that provide a customizable solution that can be “dialed” based on the risk level assigned to individual or grouped applications. The systems can also incorporate internal and external sources of data used to verify information provided by the user. It is dynamic and can pull information from a myriad of sources during the verification process, enabling credit reporting agencies (e.g., Equifax and others), FSPs, and other service providers to facilitate real-time approval and access to products and services.
    Type: Grant
    Filed: June 29, 2012
    Date of Patent: July 29, 2014
    Assignee: Equifax, Inc.
    Inventor: Christen J. Colson
  • Patent number: 8793483
    Abstract: Computer-based systems and method for automating the workflow for generating and sending e-mails with attached reports to external recipients in order to reduce security breaches in certain business reporting processes. The system may utilize a first computer system that may import data eligible for attachment to be sent with the e-mail based on user-entered search criteria. The attachments may be strongly encrypted using an encryption program on the user's computer. In some embodiments, a password for decrypting the attachment may be unique to a combination of third party (e.g., trading name) and the role of the external recipient with respect to the attachment.
    Type: Grant
    Filed: June 1, 2011
    Date of Patent: July 29, 2014
    Assignee: Morgan Stanley
    Inventors: Nils Hesses, Roland Szabo
  • Patent number: 8793792
    Abstract: In certain embodiments, a first network device stores a security key associated with a second network device. The first network device computes access information according to the security key and a time value. The access information may be a network address or a port/socket. The first network device sends a packet to the second network device using the access information. The first network device then computes next access information according to the security key and a next time value and sends a packet to the second network device using the next access information.
    Type: Grant
    Filed: May 5, 2011
    Date of Patent: July 29, 2014
    Assignee: Raytheon Company
    Inventor: Bogart Vargas
  • Patent number: 8793488
    Abstract: Systems, methods and apparatus for a distributed security that detects embedded resource request identifiers. The system can identify requests, such as HTTP requests, and can identify encoded prefix data corresponding to URI prefixes, such as Base64 or Base16 encoded URI prefixes “www.” and “http:”.
    Type: Grant
    Filed: July 15, 2008
    Date of Patent: July 29, 2014
    Assignee: Zscaler, Inc.
    Inventor: Jeff Forristal
  • Patent number: 8788826
    Abstract: A method and apparatus for dynamically allocating a mobile network prefix to a mobile terminal, in which the mobile terminal is associated with a user equipment. The method includes sending a message from the user equipment to a home agent to establish a security association between the user equipment and the home agent. The message includes a request for a mobile network prefix to be assigned to the mobile terminal equipment. The method further includes the home agent allocating a mobile network prefix to be assigned to the mobile terminal equipment, and assigning the allocated mobile network prefix to the mobile terminal equipment.
    Type: Grant
    Filed: June 8, 2009
    Date of Patent: July 22, 2014
    Assignee: Marvell International Ltd.
    Inventors: Fan Zhao, Ameya Damle, Stefano Faccin
  • Patent number: 8782402
    Abstract: Encryption of electronic messages may be automatically processed by a messaging system based on keywords or other attributes of the messages. In one example, if the message includes a predefined keyword, the messaging system may automatically encrypt the message for all recipients outside of a private network. In another example, the messaging system may automatically encrypt messages based on recipient address. Thus, if a recipient is on a list of addresses to which encryption applies, the message being sent to that particular recipient may be encrypted while a copy of the message being sent to other recipients not on the list might remain unencrypted.
    Type: Grant
    Filed: February 25, 2010
    Date of Patent: July 15, 2014
    Assignee: Bank of America Corporation
    Inventor: Kevin Michael Flood
  • Patent number: 8776220
    Abstract: A phishing detecting method includes: a web-page accessing request for accessing a target web page at a target address is received; the target web page from the target address is obtained; the target web page is snapshotted to obtain a present page snapshot; the present page snapshot is compared with several pre-stored page snapshots stored in a database, wherein each of the pre-stored page snapshots corresponds to a pre-stored address; if the present page snapshot matches one of the pre-stored page snapshots, the target address is compared with the pre-stored address, corresponding pre-stored page snapshot of which matches the present page snapshot; if the target address does not match the pre-stored address, the corresponding pre-stored page snapshot of which matches the present page snapshot, it is determined that the target web page is a phishing web page.
    Type: Grant
    Filed: December 8, 2011
    Date of Patent: July 8, 2014
    Assignee: Institute for Information Industry
    Inventors: Shih-Jen Chen, Chien-Ting Kuo
  • Publication number: 20140181509
    Abstract: A method and apparatus for verifying anti-counterfeiting information are provided so as to improve an anti-counterfeiting effect, to lower an anti-counterfeiting cost, to extend the scope of population to which anti-counterfeiting effect is applicable and to guarantee the stability of anti-counterfeiting means. The method includes: a terminal obtains and parses encrypted address information of an object; the terminal connects to a network address corresponding to the parsed encrypted address information; the terminal determines that the encrypted address information is valid upon successful connection and sending verification information of the object to the network address corresponding to the encrypted address information; and the terminal receives feedback information about whether the verification information is valid.
    Type: Application
    Filed: November 27, 2013
    Publication date: June 26, 2014
    Applicants: Founder Mobile Media Technology (Beijing) Co., Ltd., PEKING UNIVERSITY FOUNDER GROUP CO., LTD.
    Inventor: Tao LIU
  • Publication number: 20140181512
    Abstract: The invention relates to a computer implemented method for performing cloud computing on data of a first user employing cloud components, the cloud components comprising a first database and a data processing component, wherein an asymmetric cryptographic key pair is associated with the first user, said asymmetric cryptographic key pair comprising a public key and a private key, the data being stored pseudonymously non-encrypted in the first database with the data being assigned to an identifier, wherein the identifier comprises the public key, the method comprising retrieving the data from the first database by the data processing component, wherein retrieving the data from the first database comprises receiving the identifier and retrieving the data assigned to the identifier from the first database, wherein the method further comprises processing the retrieved data by the data processing component and providing a result of the analysis.
    Type: Application
    Filed: January 16, 2014
    Publication date: June 26, 2014
    Applicant: COMPUGROUP MEDICAL AG
    Inventors: Adrian Spalka, Jan Lehnhardt, Frank Gotthardt
  • Publication number: 20140181508
    Abstract: According to an embodiment, a communication device includes a cryptographic communication unit, a first communicating unit, and a control unit. The cryptographic communication unit is configured to perform cryptographic communication with an external device via a first network. The first communicating unit is configured to perform communication with a key generating device via a second network, the key generating device being configured to generate a cryptographic key to be used in the cryptographic communication. The control unit is configured to perform control to transmit an address registration request containing address information to the key generating device via the first communicating unit when a predetermined specific request is issued from among requests used in the cryptographic communication.
    Type: Application
    Filed: September 5, 2013
    Publication date: June 26, 2014
    Applicant: Kabushiki Kaisha Toshiba
    Inventors: Yoshimichi TANIZAWA, Hideaki Sato, Shinichi Kawamura
  • Patent number: 8755522
    Abstract: Approaches for combining different information to be transmitted into different slices of a data packet and/or encrypting the slices using different cryptographic schemes for secure transmission of the information are disclosed. In some implementations, first information and second information may be received. A first data slice representing a portion of the first information may be generated based on a first cryptographic scheme. A second data slice representing a portion of the second information may be generated based on a second cryptographic scheme different than the first cryptographic scheme. A first header may be generated such that the first header may specify the first cryptographic scheme for the first data slice and the second cryptographic scheme for the second data slice. A first data packet may be generated such that the first data packet may include the first header, the first data slice, and the second data slice.
    Type: Grant
    Filed: August 16, 2013
    Date of Patent: June 17, 2014
    Assignee: Luminal, Inc.
    Inventors: Josha Stella, Dominic Zippilli, Matthew Brinkman
  • Patent number: 8751796
    Abstract: A method and apparatus for use in a Proxy Mobile IP communications network. An anchor point function serves at least one mobile host. The anchor point function generates an IP address for use by the mobile host, the address being generated using cryptographic materials owned by the anchor point function. The anchor point function can then perform signalling on behalf of the mobile host, using the IP address generated for the mobile host and at least part of the cryptographic materials used to generate the IP address.
    Type: Grant
    Filed: September 18, 2008
    Date of Patent: June 10, 2014
    Assignee: Telefonaktiebolaget L M Ericsson (Publ)
    Inventors: Christian Vogt, Shinta Sugimoto
  • Patent number: 8745382
    Abstract: The method for the transmission of media data from a multicast service by a first apparatus to a plurality of second apparatuses is suitable for preventing reception of the media data by an unauthorized second apparatus using a security process. A first apparatus is provided which can be used to provide the media data protected by a security process. A third apparatus is provided which can be used to perform the security process with the first apparatus, performance of the security process between the first apparatus and the third apparatus and, on the basis of this, interchange of at least security data between the first apparatus and the third apparatus in order to provide the media data. A second apparatus is selected which can be used to perform at least one reception process for receiving the media data. A first data transmission link is selected which can be used to couple the first apparatus and the second apparatus at least for the purpose of transmitting the media data.
    Type: Grant
    Filed: January 15, 2007
    Date of Patent: June 3, 2014
    Assignee: Siemens Aktiengesellschaft
    Inventors: Matthias Franz, Günther Horn
  • Patent number: 8738903
    Abstract: A data transmission and reception method for ensuring privacy and security and a method for identifying a Mobile Station (MS), while ensuring the location privacy of the MS in a wireless access system are disclosed. The MS identification method includes transmitting a ranging request message including a hashed Medium Access Control (MAC) address to a Base Station (BS), for initial ranging, and receiving a ranging response message including a temporary station Identifier (ID) from the BS. The temporary station ID is used to provide security to a MAC address or station ID by which the BS uniquely identifies the MS.
    Type: Grant
    Filed: November 3, 2009
    Date of Patent: May 27, 2014
    Assignee: LG Electronics Inc.
    Inventors: Gene Beck Hahn, Ki Seon Ryu
  • Patent number: 8726036
    Abstract: According to this disclosure, a user is identified (and selectively granted access to protected resources) by using information that describes the user's interpersonal relationships. This information typically is stored in a datastore, such as a digital address book, an online profile page, or the like. The user's digital address book carries an “acquaintance pattern” that changes dynamically in time. This pattern comprises the information in the user's contact list entries. In this approach, the entropy inherent in this information is distilled into a unique acquaintance digest (or “fingerprint”) by normalizing the contact list data, and then applying a cryptographic function to the result.
    Type: Grant
    Filed: September 20, 2011
    Date of Patent: May 13, 2014
    Assignee: Wallrust, Inc.
    Inventors: Adam Kornafeld, Jozsef Patvarczki, Marton B. Anka, Endre Tamas
  • Patent number: 8719937
    Abstract: Methods and systems for detection and/or prevention of network attacks can include the use of multiple and/or time-dependent addresses coupled with filtering by the directory or naming service. The directory service can respond to requests for the address of a resource by returning an address that can be relocated over time by coordinating the directory service entry with the host and network address configuration data and/or by returning an address specific to the requestor. Thus, the directory service can track and build profiles of matches between requestors and accesses. The methods and systems can use the time dependent addresses and profiles to distinguish legitimate accesses from unauthorized or malicious ones. Requests for non-valid addresses can be misdirected to “empty” addresses or to detection devices.
    Type: Grant
    Filed: March 3, 2011
    Date of Patent: May 6, 2014
    Assignee: Verizon Corporate Services Group Inc.
    Inventors: Ravi Sundaram, Walter Clark Milliken
  • Publication number: 20140122874
    Abstract: Systems and methods for deciphering Internet Protocol (IP) security in an IP Multimedia Subsystem (IMS) using a monitoring system are described. In some embodiments, a method may include identifying a Security Association (SA) between a User Equipment (UE) and a Proxy Call Session Control Function (P-CSCF) of an Internet Protocol (IP) Multimedia Subsystem (IMS) over a Gm interface during a registration procedure, correlating the SA with a ciphering key (CK) exchanged between the P-CSCF and a Serving CSCF (S-CSCF) of the IMS over an Mw interface during the registration procedure, and storing an indication of the correlated SA and CK in a deciphering record.
    Type: Application
    Filed: October 29, 2012
    Publication date: May 1, 2014
    Applicant: TEKTRONIX, INC.
    Inventors: Vignesh Janakiraman, John P. Curtin
  • Patent number: 8713312
    Abstract: A method and apparatus for detecting data modification in a layered operating system is disclosed. Outbound content indicators at different layers are compared to detect potential outbound data modifications. Likewise, inbound content indicators at different layers are compared to detect potential inbound data modifications. Content indicators include checksum, cryptographic hash, signature, and fingerprint indicators. Embodiments of the present invention enable detection of data modifications across an operating system's kernel and user mode spaces, prevention of modified outbound data from reaching a network, prevention of modified input data from reaching a user application, and detection of malware and faults within an operating system.
    Type: Grant
    Filed: December 6, 2009
    Date of Patent: April 29, 2014
    Assignee: Trend Micro Incorporated
    Inventors: Rares Stefan, Blake Stanton Sutherland
  • Patent number: 8712056
    Abstract: Security in a mobile ad hoc network is maintained by using various forms of encryption, various encryption schemes, and various multi-phase keying techniques. In one configuration, an over the air, three-phase, re-keying technique is utilized to ensure that no authorized nodes are lost during re-keying and that nodes that are intended to be excluded from re-keying are excluded. In another configuration, an over the air, two-phase keying technique, is utilized to maintain backwards secrecy.
    Type: Grant
    Filed: June 3, 2010
    Date of Patent: April 29, 2014
    Assignee: AT&T Intellectual Property I, L.P.
    Inventor: Robert Hall
  • Patent number: 8713669
    Abstract: Systems and/or methods of secure communication of information between multi-domain virtual private networks (VPNs) are presented. A dynamic group VPN (DGVPN) can reside in one domain and a disparate DGVPN can reside in a disparate domain. An administrative security authority (ASA) can be employed in each domain. Each ASA can generate and exchange respective keying material and crypto-policy information to be used for inter-domain communications when routing data from a member in one DGVPN to a member(s) in the disparate DGVPN, such that an ASA in one domain can facilitate encryption of data in accordance with the policy of the other domain before the data is sent to the other domain. Each ASA can establish a key server to generate the keying material and crypto-policy information associated with its local DGVPN, and such material and information can be propagated to intra-domain members.
    Type: Grant
    Filed: March 2, 2007
    Date of Patent: April 29, 2014
    Assignee: Cisco Technology, Inc.
    Inventors: James Neil Guichard, Warren Scott Wainner, Brian E. Weis
  • Patent number: 8700894
    Abstract: Methods and systems for providing confidentiality of communications sent via a network that is efficient, easy to implement, and does not require significant key management. The identity of each node of the routing path of a communication is encrypted utilizing an identity-based encryption scheme. This allows each node of the routing path to decrypt only those portions of the routing path necessary to send the communication to the next node. Thus, each node will only know the immediate previous node from which the communication came, and the next node to which the communication is to be sent. The remainder of the routing path of the communication, along with the original sender and intended recipient, remain confidential from any intermediate nodes in the routing path. Use of the identity-based encryption scheme removes the need for significant key management to maintain the encryption/decryption keys.
    Type: Grant
    Filed: October 17, 2007
    Date of Patent: April 15, 2014
    Assignee: Pitney Bowes Inc.
    Inventors: Bradley R. Hammell, Matthew J. Campagna, Bertrand Haas, Leon A. Pintsov, Frederick W. Ryan, Jr.
  • Patent number: 8688979
    Abstract: Embodiments of the invention reduce the probability of success of a DOS attack on a node receiving packets by decreasing the probability of random collisions of packets sent by a malicious user with those sent by honest users. The probability of random collisions may be reduced in one class of embodiments of the invention by supplementing the identification field of the IP header of each transmitted packet with at least one bit from another field of the header. The probability of random collisions may be reduced in another class of embodiments of the invention by ensuring that packets sent from a transmitting IPsec node to a receiving IPsec node are not fragmented.
    Type: Grant
    Filed: March 4, 2011
    Date of Patent: April 1, 2014
    Assignees: Verizon Corporate Services Group Inc., Raytheon BBN Technologies Corp.
    Inventors: Craig Partridge, Walter Clark Milliken, David Patrick Mankins
  • Publication number: 20140089661
    Abstract: One variation of a method for selectively filtering internet traffic includes: receiving DNS queries; determining resource access levels for the DNS queries based on an internet resource database, wherein the resource access levels comprise a first level, a second level, and a third level; returning an unmodified IP address for the first level DNS queries; returning a replacement resource IP address for the second level DNS queries; returning a web proxy server IP address for the third level DNS queries; and regulating HTTP traffic directed to the web proxy server IP address.
    Type: Application
    Filed: September 24, 2013
    Publication date: March 27, 2014
    Applicant: Securly, Inc.
    Inventors: Vinay Mahadik, Bharath Madhusudan
  • Patent number: 8682503
    Abstract: A mobile interface for controlling a plurality of vehicle functions in a motor vehicle using a controller connected to the vehicle, having a wireless data interchange with a controller, an input apparatus, and an energy store. By virtue of the wireless data interchange being connected to a data processing unit integrated in the mobile interface and which is designed to apply at least one cryptological method, a greater scope of functions becomes possible that can also include control of safety-relevant vehicle functions.
    Type: Grant
    Filed: December 2, 2010
    Date of Patent: March 25, 2014
    Assignee: Continental Automotive GmbH
    Inventors: Ralf Bosch, Gerhard Rombach
  • Patent number: 8675878
    Abstract: There is provided a system and method for distributors to use an interoperable key chest. There is provided a method for use by a distributor to obtain content access authorizations from a key chest or central key repository (CKR), the method comprising receiving a user request from a user device for access to an encrypted content identified by a content identification, transmitting a key request to the CKR including the content identification, receiving an encrypted first key from the CKR, decrypting the encrypted first key using a second key to retrieve the first key, and providing a DRM license for the encrypted content to the user device using the first key for use by the user device to decrypt the encrypted content using the first key. By generating such DRM licenses, distributors can unlock protected content even sourced from distributors using different DRM schemas.
    Type: Grant
    Filed: April 25, 2013
    Date of Patent: March 18, 2014
    Assignee: Disney Enterprises, Inc.
    Inventors: Arnaud Robert, Scott F. Watson
  • Publication number: 20140068252
    Abstract: In some embodiments, in a registration process where a user device is registering for access to a network, a public/private key pair may be generated based on a media access control (MAC) address of a user device. The generated public/private key pair may be transmitted to the user device for future access to the network. In some embodiments, where a user device is requesting access to a network, a MAC address embedded in a public key may be utilized to determine whether access to the network should be granted.
    Type: Application
    Filed: August 31, 2012
    Publication date: March 6, 2014
    Inventors: Kamat Maruti, Chuck A. Black
  • Patent number: 8667291
    Abstract: A data processing device for playing back a digital work reduces the processing load involved in verification by using only a predetermined number of encrypted units selected randomly from multiple encrypted units constituting encrypted contents recorded on a DVD. In addition, the data processing device improves the accuracy of detecting unauthorized contents by randomly selecting a predetermined number of encrypted units every time the verification is performed.
    Type: Grant
    Filed: July 30, 2012
    Date of Patent: March 4, 2014
    Assignee: Panasonic Corporation
    Inventors: Masao Nonaka, Yuichi Futa, Toshihisa Nakano, Kaoru Yokota, Motoji Ohmori, Masaya Miyazaki, Masaya Yamamoto, Kaoru Murase, Senichi Onoda
  • Publication number: 20140059343
    Abstract: A system and methodology that facilitates management and utilization of domain-specific anonymous customer references (ACRs) for protecting subscriber privacy across different domains is disclosed herein. In one aspect, on receiving user authorization, an ACR services (ACRS) component can generate an ACR that is to be inserted in a communication or message transmitted from a user equipment to an untrusted entity. The ACR can be generated based on address data associated with the untrusted entity and/or a unique subscriber identifier associated with the user equipment. As an example, the ACR creation component can generate the ACR based on a cryptographic hash, a static encryption key, and/or a dynamic encryption key. If the ACR is forwarded to a trusted entity, the trusted entity can calculate the unique subscriber identifier based on evaluating the ACR and/or exchange the ACR for the unique subscriber identifier via a secure communication with the ACRS component.
    Type: Application
    Filed: August 24, 2012
    Publication date: February 27, 2014
    Applicant: AT&T INTELLECTUAL PROPERTY I, L.P.
    Inventors: Shahram Mohajeri, Bryan L. Sullivan
  • Patent number: 8661247
    Abstract: The invention relates to a computer implemented method for performing cloud computing on data of a first user employing cloud components, the cloud components comprising a first database and a data processing component, wherein an asymmetric cryptographic key pair is associated with the first user, said asymmetric cryptographic key pair comprising a public key and a private key, the data being stored pseudonymously non-encrypted in the first database with the data being assigned to an identifier, wherein the identifier comprises the public key, the method comprising retrieving the data from the first database by the data processing component, wherein retrieving the data from the first database comprises receiving the identifier and retrieving the data assigned to the identifier from the first database, wherein the method further comprises processing the retrieved data by the data processing component and providing a result of the analysis.
    Type: Grant
    Filed: December 15, 2010
    Date of Patent: February 25, 2014
    Assignee: CompuGroup Medical AG
    Inventors: Adrian Spalka, Jan Lehnhardt, Frank Gotthardt
  • Patent number: 8661556
    Abstract: A method and apparatus for providing network security using role-based access control is disclosed. A network device implementing such a method can include, for example, an access control list. Such an access control list includes an access control list entry, which, in turn, includes a user group field. Alternatively, a network device implementing such a method can include, for example, a forwarding table that includes a plurality of forwarding table entries. In such a case, at least one of the forwarding table entries includes a user group field.
    Type: Grant
    Filed: May 27, 2011
    Date of Patent: February 25, 2014
    Assignee: Cisco Technology, Inc.
    Inventor: Michael R. Smith
  • Publication number: 20140052984
    Abstract: A mobile communication device registers for data communication through a mobile communication network with a packet-based network. The device may or may not have a mobile device number, and registers using a fully-qualified-domain-name (FQDN) uniquely identifying the device in a domain-name-system (DNS) of the packet-based network. A packet-data-network gateway assigns a packet-based address for the device, and generates a request for registering the address with the FQDN in a DNS server. Alternatively, the device generates the packet-based address based on a received portion of the address, retrieves the FQDN from an identity module, and sends a DNS-Update message to the DNS server including the address and FQDN. Again alternatively, a DNS server receives an encrypted DNS update message including a FQDN and a packet-based address, and decrypts the message prior to registering the address and FQDN in a DNS database.
    Type: Application
    Filed: August 17, 2012
    Publication date: February 20, 2014
    Applicant: Cellco Partnership d/b/a Verizon Wireless
    Inventor: Praveen GUPTA
  • Patent number: 8656157
    Abstract: The present disclosure is directed to a method for sending and receiving an encrypted message and a system thereof. The method includes steps of encrypting a message, transforming the encrypted message into a network address, sending the network address to a receiver, and accessing a server according to the network address by the receiver, and a server decrypting the message, presenting the decrypted message to the receiver, and thereafter preventing the message from being accessed. Advantages include that any mobile phone capable of connection to a wireless network can read an encrypted message without installation of decryption software on a mobile phone of a receiver.
    Type: Grant
    Filed: May 29, 2012
    Date of Patent: February 18, 2014
    Assignee: Netqin Mobile (Beijing) Co., Ltd.
    Inventors: Ping Cheng, Yu Lin, Shihong Zou, Linlin Gong
  • Patent number: 8650659
    Abstract: A method and apparatus for securing media asset distribution for a marketing process is described. In one embodiment, the method includes generating a dynamic security component for each media asset allocation to at least one receiver, wherein the dynamic security component verifies the at least one receiver upon login, coupling the dynamic security component to at least one file having a media asset and communicating a locator reference associated with the at least one file to the at least one receiver, wherein the locator reference is created using the dynamic security component.
    Type: Grant
    Filed: March 2, 2011
    Date of Patent: February 11, 2014
    Assignee: Sony Corporation
    Inventors: Ralph Anthony Capasso, Robert James Dewilder
  • Patent number: 8649274
    Abstract: A method of providing security for network access radio systems and associated access radio security systems used with the systems. The method includes connecting an access radio having a radio link to a network; communicating between the access radio and a computer over the network using a ping application having ping commands and unique encrypted codes; and enabling operation of the access radio when the access radio is receiving ping commands. Typically, the access radio and the computer are nodes on the network and the network is a local area network (LAN). The ping application sends packets of information from the computer to the access radio and receives a response from the access radio. The ping application must be functioning (i.e., sending and receiving commands between the computer and the access radio) to enable the access radio to communicate via the radio link with a remote network.
    Type: Grant
    Filed: August 27, 2010
    Date of Patent: February 11, 2014
    Assignee: AT&T Intellectual Property II, L.P.
    Inventor: Sanford Brown
  • Patent number: 8650643
    Abstract: A translator is provided for translating predetermined portions of packet header information including an address of a data packet according to a cipher algorithm keyed by a cipher key derived by a key exchanger. A mapping device is also provided for mapping the address to a host table stored in memory. If the address does not match an entry in the host table, a security device is triggered.
    Type: Grant
    Filed: September 22, 2011
    Date of Patent: February 11, 2014
    Assignees: Verizon Corporate Services Group Inc., Raytheon BBN Technologies Corp.
    Inventors: Russell Andrew Fink, Matthew Aloysius Brannigan, Shelby Alana Evans, Aswin Morgan Almeida
  • Patent number: 8645704
    Abstract: Disclosed is a method for restricting access of a first code of a plurality of codes of a first function from a second function. The method comprises calling the second function by the first function, addresses of the plurality of codes are stored in a stack page and colored in a first color (102). The method comprises performing access control check in a transition page for verifying whether the first function has permission to call the second function (104). Further the method comprises protecting the first code from the second function by coloring the addresses in a second color (106). Furthermore, the method comprises executing the second function by pushing addresses of the second function on the stack page, the addresses of the second function colored in a third color (108) and unprotecting the first code by coloring the addresses of the first code in the first color (110).
    Type: Grant
    Filed: May 7, 2007
    Date of Patent: February 4, 2014
    Assignee: Intel Corporation
    Inventors: Uday Savagaonkar, David Durham, Ravi Sahita, Subhash Gutti
  • Patent number: 8645705
    Abstract: According to one embodiment, an information processing device includes a receiving section configured to receive a trigger signal from a device connected thereto, a verifying section configured to verify the trigger signal when the receiving section receives the trigger signal, and an activating section configured to activate the system when the verification of the trigger signal is successfully made by the verifying section.
    Type: Grant
    Filed: May 20, 2008
    Date of Patent: February 4, 2014
    Assignee: Kabushiki Kaisha Toshiba
    Inventor: Ken Hatano
  • Patent number: 8645686
    Abstract: Methods, systems, and devices are disclosed for detecting encrypted Internet Protocol packet streams. The type of data within an encrypted stream of packets is inferred using an observable parameter. The observable parameter is observable despite encryption obscuring the contents of the encrypted stream of packets. A timer is established that maintains settings despite changes in the type of inferred data.
    Type: Grant
    Filed: August 8, 2012
    Date of Patent: February 4, 2014
    Assignee: AT&T Intellectual Property I, L.P.
    Inventors: Jeffrey A. Aaron, Edgar Vaughan Shrum, Jr.
  • Patent number: 8634556
    Abstract: This invention allows connection of an apparatus with a low security level without lowering the security level of a network even when such apparatus issues a connection request. This invention is directed to an access point which makes wireless communications with a station using an encryption method (AES). Upon reception of a connection request message including information indicating an encryption method (WEP) that can be used by a station, the access point checks if the encryption method (WEP) recognized based on the received connection request message is different from the encryption method (AES). When it is determined that the two encryption methods are different, the access point launches a controller which makes wireless communications with the station using that encryption method (WEP).
    Type: Grant
    Filed: January 6, 2009
    Date of Patent: January 21, 2014
    Assignee: Canon Kabushiki Kaisha
    Inventor: Nobuhiro Ikeda
  • Publication number: 20140019754
    Abstract: A distributed communication and data sharing system that provides anonymity and unlinkability. A group comprising a number of structures, each having a public/private key pair, is stored on a plurality of nodes in a Distributed Hash Table. Advantageous features of the group management system are provided through the use of Cryptographically Generated Addresses (CGA) for the structures, a secure capture method that enables a user to capture an address and be the only one authorized to request certain operations for the address, and an anonymous get/set mechanism in which a user signs messages, encloses the public key in the message and encrypts the message and public key using the public key of the receiver. The distributed communication and data sharing system of the invention can advantageously be used for group management of social networks.
    Type: Application
    Filed: March 13, 2012
    Publication date: January 16, 2014
    Applicant: THOMSON LICENSING
    Inventors: Olivier Heen, Christoph Neumann, Stephane Onno, Erwan Le Merrer
  • Patent number: 8631234
    Abstract: An apparatus includes a plurality of connection-source terminating units. Each of the plurality of connection-source terminating units constitutes an independent communication path coupled to a corresponding one of a plurality of connection-destination terminating units provided for a connection-destination apparatus. The apparatus establishes encryption information including first information used for encryption processing on communication performed via a plurality of the independent communication paths established between the apparatus and the connection-destination apparatus. The first information is used in common for all the plurality of the independent communication paths when packets are transmitted through the plurality of the independent communication paths established between the communication apparatus and the connection-destination apparatus.
    Type: Grant
    Filed: March 11, 2011
    Date of Patent: January 14, 2014
    Assignee: Fujitsu Limited
    Inventor: Yoshiaki Kukunaga
  • Patent number: 8630420
    Abstract: A method for generating a network address in a communication network includes at least one user equipment and a network equipment. The method includes: a) providing a same shared secret key both at the at least one user equipment and at the network equipment; and b) generating at least a portion of the network address at the at least one user equipment and at the network equipment based upon at least the shared secret key.
    Type: Grant
    Filed: May 31, 2005
    Date of Patent: January 14, 2014
    Assignee: Telecom Italia S.p.A.
    Inventors: Maria Pia Galante, Luca Dell'Uomo, Andrea Calvi
  • Patent number: 8619974
    Abstract: A spread scrambled multiple access (SSCMA) scheme is described. A first encoded bit stream of a first terminal is scrambled according to a first scrambling signature. A second encoded bit stream of a second terminal is scrambled according to a second scrambling signature. The first scrambled bit stream is spread to match a communication channel bandwidth. The second scrambled bit stream is spread to match the communication channel bandwidth.
    Type: Grant
    Filed: December 24, 2009
    Date of Patent: December 31, 2013
    Assignee: Hughes Network Systems, LLC
    Inventors: Russell Fang, Mustafa Eroz, Neal Becker
  • Patent number: 8621552
    Abstract: A method for evaluating a deployment of a network access change request, the method includes: (a) formatting a network access change request to provide a formatted network access change request; wherein the formatted network access change request includes multiple formatted request items; wherein the multiple formatted request items include a requested access type, an address of an access source, an address of an access destination; (b) determining multiple relationships between the multiple formatted request items and corresponding items of at least one entity out of a network model and a current network policy; and (c) responding to the network access change request in response to the multiple determined relationships.
    Type: Grant
    Filed: May 21, 2008
    Date of Patent: December 31, 2013
    Assignee: Skybox Security Inc.
    Inventors: Amnon Lotem, Alexander Haiut, Ravid Circus, Moshe Raab, Amos Arev, Gideon Cohen, Tal Sheffer
  • Patent number: 8615655
    Abstract: Methods including the steps of: upon sending an IP packet, obtaining, by a sender, a sender identity for a sender of the packet; securely tagging, by a sender, the packet with the sender identity, the packet having a plurality of fixed-length fields concatenated into a single fixed-length virtual field shared between a cryptographic hash and an identity index for supporting multiple distinct identities residing on an IP endpoint; determining, by a receiver, the sender identity by extracting it from the packet; checking, by the receiver, the packet to ensure the packet has been appropriately tagged; and enforcing a security policy, by the receiver, according to the sender identity. Preferably, the step of obtaining includes: accessing, by the sender, a server for obtaining the sender identity; and associating, by the server, the sender identity with the endpoint. Most preferably, the associating is performed using a prefix code for encoding the identities.
    Type: Grant
    Filed: January 22, 2009
    Date of Patent: December 24, 2013
    Assignee: Check Point Software Technologies, Ltd.
    Inventor: Avi Shua