Having Particular Address Related Cryptography Patents (Class 713/162)
  • Patent number: 8612752
    Abstract: Methods are provided for processing a packet received by a mesh-enabled access point (MAP). When a first MAP receives a packet it can determine whether the packet is destined for a mesh portal based on the destination address. If so, the first MAP can retrieve an encryption key corresponding to the mesh portal, use the encryption key to encrypt the packet and set a mesh forwarding flag in the packet to indicate that the packet is destined for a mesh portal, and is encrypted with an encryption key corresponding to the mesh portal, and then forward the packet to the next hop MAP towards the mesh portal. The mesh forwarding flag indicates that the packet is destined for a mesh portal, is encrypted with an encryption key corresponding to the mesh portal, and is to be forwarded to the next hop MAP without performing decryption/re-encryption processing on the packet. When a MAP receives a packet, it determines whether a mesh forwarding flag is set in the packet.
    Type: Grant
    Filed: October 30, 2008
    Date of Patent: December 17, 2013
    Assignee: Symbol Technologies, Inc.
    Inventor: Puneet Batta
  • Patent number: 8612750
    Abstract: A system and method provides secure channels for communication in a virtual universe by employing a packet interception layer for incoming and outgoing data packets. A data path is defined and is sequentially encrypted with the public keys of servers in the path. Decryption and identification of the next server occurs in a sequential manner in which the path is known only to the sender.
    Type: Grant
    Filed: August 15, 2012
    Date of Patent: December 17, 2013
    Assignee: International Business Machines Corporation
    Inventors: Kelley K. Garcia, Rick A. Hamilton, II, Richard J. Newhook, Martin S. Ramsey, Raull Rangel, James W. Seaman
  • Patent number: 8601262
    Abstract: In a network, a router uses some secret information combined with a cryptographic process in determination of a subnet's routing prefix. Several methods are disclosed, including using an IP suffix for prefix generation and for decryption, maintaining a pool of pseudo prefixes at the router, using public key encryption and symmetric key encryption.
    Type: Grant
    Filed: January 2, 2007
    Date of Patent: December 3, 2013
    Assignee: NTT DoCoMo Inc.
    Inventors: Muhammad Mukarram Bin Tariq, Craig B. Gentry, James Kempf, Ravi Jain, Toshiro Kawahara
  • Patent number: 8595832
    Abstract: This disclosure presents a system that uses masking to safely execute native code. This system includes a processing element that executes the native code and a memory which stores code and data for the processing element. The processing element includes a masking mechanism that masks one or more bits of a target address during a control flow transfer to transfer control to a restricted set of aligned byte boundaries in the native code.
    Type: Grant
    Filed: February 23, 2012
    Date of Patent: November 26, 2013
    Assignee: Google Inc.
    Inventors: Bennet S. Yee, J. Bradley Chen, David C. Sehr
  • Publication number: 20130311774
    Abstract: A system and method connect a first network device and a second network device by initiating a secure communication link. The system includes one or more servers configured to: receive, from the first network device, a request to look up a network address of the second network device based on an identifier associated with the second network device; determine, in response to the request, whether the second network device is available for a secure communications service; and initiate a secure communication link between the first network device and the second network device based on a determination that the second network device is available for the secure communications service; wherein the secure communications service uses the secure communication link to communicate at least one of video data and audio data between the first network device and the second network device.
    Type: Application
    Filed: July 25, 2013
    Publication date: November 21, 2013
    Applicant: VIRNETX, INC.
    Inventors: Victor Larson, Robert Dunham Short, III, Edmund Colby Munger, Michael Williamson
  • Patent number: 8588417
    Abstract: Systems and methods for broadcast and multicast retransmissions within a protected wireless communications system are described. Retransmitted broadcast or multicast frames are designated by modification of fields or subfields in the MAC header of the frame which are constituent parts of the additional authentication data used to generate encryption keys. Such modifications cause legacy receivers to disregard the retransmitted frames or render legacy receivers to be unable to decrypt the retransmitted frame, avoiding the generation of duplicate frames. Non-legacy receivers recognizing the modification conventions can restore the MAC header to the original state and can reconstruct the original encryption keys and decrypt the retransmitted frames. A non-legacy transmitter can retransmit a frame without the need to re-encrypt the frame.
    Type: Grant
    Filed: April 18, 2008
    Date of Patent: November 19, 2013
    Assignee: Conexant Systems, Inc.
    Inventor: Maarten Menzo Wentink
  • Patent number: 8590055
    Abstract: A digital content protection apparatus and method for digital rights management (DRM) are provided in which a content file including a plurality of content parts is imported such that a header is included which stores location information required for decoding each of the content parts. Therefore, the number of content parts constituting the content file can be recognized, and a license that is required for the use of each of the content parts can be acquired by analyzing header information without necessitating the parsing of the transport packets of the content file. Accordingly, preparation time for using content can be reduced.
    Type: Grant
    Filed: April 24, 2007
    Date of Patent: November 19, 2013
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Young-sun Yoon, Bong-seon Kim
  • Patent number: 8582779
    Abstract: A system and method for secure communications in a communication system, wherein the system programs a computer to perform the method, which includes: receiving at least one authentication key, without an encryption key, from a key-management server; receiving a packet, which is encrypted, from a source device; authenticating the packet, using the at least one authentication key, without cryptographically altering the packet; and forwarding the authenticated packet to a destination device of the packet.
    Type: Grant
    Filed: December 19, 2010
    Date of Patent: November 12, 2013
    Assignee: Motorola Solutions, Inc.
    Inventors: Thomas S. Messerges, Adam C. Lewis
  • Patent number: 8582767
    Abstract: A self-synchronizing cryptographic device can be shared among a plurality of communications links. Blocks of data can be transferred to the cryptographic device, wherein each block of data includes a head portion which is the tail portion of a previous block of data for the same communication link. The head/tail portion is sufficient to reestablish cryptographic synchronization of the cryptographic device.
    Type: Grant
    Filed: September 27, 2010
    Date of Patent: November 12, 2013
    Inventors: Charles C. Hardy, Thomas R. Giallorenzi, Jami R. Smith, Ralph E. Carson, Scott A. Jansa
  • Patent number: 8578155
    Abstract: A broadcast receiving apparatus comprises a broadcast receiving unit (1, 4~13) for receiving a digital broadcast; a communication unit (1~3) for performing two-way communication through a network; an operation unit 15 for performing an acquisition operation of a key for decrypting an encrypted broadcast program received by the broadcast receiving unit; and an address generating unit 16 for generating an address of an acquisition location of the key which is accessible with the communication unit, by using program arrangement information corresponding to the broadcast program based on the acquisition operation of a key by the operation unit.
    Type: Grant
    Filed: May 15, 2007
    Date of Patent: November 5, 2013
    Assignees: Kyocera Corporation, KDDI Corporation
    Inventors: Masaru Fukushima, Shuichi Sugie, Shinsaku Kiyomoto, Tatsuo Shibata
  • Patent number: 8578156
    Abstract: A device is provided which includes: a processor that outputs a command signal or an address signal and includes a bus module which inputs or outputs a data signal; and an encryption circuit that encrypts or decrypts the data signal in an encryption method using a common key and the address signal, wherein the processor and the encryption circuit are provided in a chip.
    Type: Grant
    Filed: January 13, 2010
    Date of Patent: November 5, 2013
    Assignee: Fujitsu Semiconductor Limited
    Inventor: Seiji Goto
  • Patent number: 8572374
    Abstract: A measurement and authentication engine in a nonvolatile memory computes an original hash value on data read from the nonvolatile memory. A measurement and authentication engine in a host processor recomputes the hash value on the data received from nonvolatile memory and checks that the computed hash value matches the hash value generated and transferred from the nonvolatile memory.
    Type: Grant
    Filed: May 3, 2007
    Date of Patent: October 29, 2013
    Assignee: Intel Corporation
    Inventor: Brent M. Ahlquist
  • Patent number: 8572370
    Abstract: A method, system and computer program product for providing a secure connection between a client and a remote server to run a Virtual Environment (VE), including (a) establishing a repository for VE content on the remote server; (b) creating data necessary for the VE to function; (c) generating two key pairs that include a VE key pair and a client key pair, wherein the VE key pair includes encryption and decryption keys, the client key pair includes decryption and encryption keys corresponding to encryption and decryption keys of the corresponding VE key pair and the two key pairs are used to provide a full duplex secure network channel between the client and the repository; (d) storing the data necessary for the VE to function as the VE content using data from the VE key pair in the repository; (e) receiving the address for accessing the stored data; and (f) from the client side, using the VE address and the client key pair to start the VE from the data necessary for the VE to function.
    Type: Grant
    Filed: December 22, 2008
    Date of Patent: October 29, 2013
    Assignee: Parallels IP Holdings GmbH
    Inventor: Alexander G. Tormasov
  • Patent number: 8572366
    Abstract: This disclosure provides a system and method for client authentication that allows a service provider to implement multiple authentication challenges to verify a user/client. The system includes an extractor, a comparer, and an attributer. The extractor receives an Internet protocol source address from a client and extracts a media access control address. The extractor also determines a source identifier of the client from the media access control address. The comparer compares the extracted media access control address with a client media access control address associated with the client, and signals execution of one or more client authentication challenges when the extracted media access control address fails to match the at least one client media access control address associated with the client. The attributer associates the source identifier with the client after successful execution of a client authentication challenge.
    Type: Grant
    Filed: May 18, 2012
    Date of Patent: October 29, 2013
    Inventor: Navindra Yadav
  • Publication number: 20130283046
    Abstract: Multiple service servers can store identification tags, which identify each user, after associating the identification tags with the identification tags of other users; and can also store identification data, which uniquely identifies users across multiple service servers, after associating the identification data with an encryption key for each identification datum. A management server device stores as identification data the user address data encrypted by means of an encryption key that has been generated for each identification datum. A gateway server device receives the identification tags from a first service server, receives the other identification tags associated with the first identification tags, receives the encryption keys associated with the other identification tags, and obtains the encrypted data from the management server. The gateway server device then decodes the encrypted information, and commands delivery that uses the obtained address data.
    Type: Application
    Filed: June 14, 2013
    Publication date: October 24, 2013
    Inventors: Norihiko NAONO, Kunihiko OHNAKA, Mitsutaka OKAZAKI
  • Patent number: 8566584
    Abstract: A method, apparatus, and system for processing a Dynamic Host Configuration Protocol (DHCP) message are disclosed. The method includes: receiving a DHCP message, where the source address of the DHCP message is a Cryptographically Generated Address (CGA) and a signature of a DHCP message sender is carried in the DHCP message; verifying the CGA and the signature; and processing a payload of the DHCP message after the verification of the CGA and the signature succeeds. The CGA and the signature are verified in the embodiment of the present invention, thus improving the security of DHCPv6, and bringing convenience for key management due to publicity of the public key. In addition, because the life of the public key is long, configuration on the DHCP server and/or the network client is convenient.
    Type: Grant
    Filed: November 30, 2010
    Date of Patent: October 22, 2013
    Assignee: Huawei Technologies Co., Ltd
    Inventors: Shuo Shen, Sheng Jiang
  • Publication number: 20130275751
    Abstract: A translator is provided for translating predetermined portions of packet header information including an address of a data packet according to a cipher algorithm keyed by a cipher key derived by a key exchanger. A mapping device is also provided for mapping the address to a host table stored in memory. If the address does not match an entry in the host table, a security device is triggered.
    Type: Application
    Filed: June 6, 2013
    Publication date: October 17, 2013
    Inventors: Russell A. Fink, Matthew Aloysius Brannigan, Shelby Alana Evans, Aswin Morgan Almeida
  • Patent number: 8560842
    Abstract: A communication apparatus includes: a first storage unit registering a plurality of addresses of a plurality of communication apparatuses; a command sending unit sending a first command for requesting a first public key, which corresponds to a first secret key of the first communication apparatus, to the address of the first communication apparatus; a response receiving unit receiving from the first communication apparatus a first response including the first public key; a storage control unit associating the first public key with the address of the first communication apparatus and registering the first public key; an encrypted data generating unit encrypting first data, which is to be sent to the first communication apparatus, using the first public key registered in association with the address of the first communication apparatus to generate first encrypted data; and a data sending unit sending the first encrypted data to the address of the first communication apparatus.
    Type: Grant
    Filed: March 26, 2010
    Date of Patent: October 15, 2013
    Assignee: Brother Kogyo Kabushiki Kaisha
    Inventor: Shohei Tsujimoto
  • Patent number: 8560843
    Abstract: A method and apparatus for encrypted universal resource identifier (URI) based messaging is described. In one embodiment of the method, a computing system receives an encrypted message from a first client computing system over a network, stores the received message in a message data store, generates a shortened uniform resource locator (URL) for subsequent retrieval of the stored message, and sends the shortened URL to the first client computing system. Subsequently, the computing system receives a request, including the shortened URL, from a second client computing system to retrieve the stored message. The computing system encrypts the stored message in a URI and sends the URI to the second client computing system.
    Type: Grant
    Filed: September 24, 2010
    Date of Patent: October 15, 2013
    Assignee: Symantec Corporation
    Inventors: Vincent E. Moscaritolo, Damon Cokenias
  • Patent number: 8559634
    Abstract: An encoding/decoding operation portion includes an encoding/decoding operation circuit and an avoiding path for detouring the encoding/decoding operation circuit and can select between encoding or decoding input data in the encoding/decoding operation circuit and detouring the encoding/decoding operation circuit to output the input data without change. Only one wire has to be provided from a selector to a key storage portion and an initialization-vector storage portion. With this construction, it is possible to realize an encoding/decoding circuit which can suppress an increase in the number of wires used to transmit a content of key data to the key storage portion and the initialization-vector storage portion and does not cause complication of circuit layout.
    Type: Grant
    Filed: August 23, 2012
    Date of Patent: October 15, 2013
    Assignee: Renesas Electronics Corporation
    Inventors: Shigenori Miyauchi, Atsuo Yamaguchi
  • Patent number: 8549290
    Abstract: A secure secret sharing system is implemented. Shares SH(?, h(?)) are generated by secret sharing of secret information separately for each subset SUB(?); each of share management apparatuses PA(?, h(?)) generates a shared secret value DSH(?, h(?)) by performing a common operation to a corresponding share SH(?, h(?)) and common information containing a common value ?(?) shared in each subset SUB(?); and an acquisition apparatus generates a reconstructed secret value SUBSK(?) by reconstruction processing for each subset SUB(?), using a plurality of shared secret values DSH(?, h(?)) corresponding to the same subset SUB(?), and generates generation information SK by using the reconstructed secret values SUBSK(?).
    Type: Grant
    Filed: April 23, 2010
    Date of Patent: October 1, 2013
    Assignee: Nippon Telegraph and Telephone Corporation
    Inventors: Ryo Nishimaki, Koutarou Suzuki
  • Patent number: 8549285
    Abstract: Methods, apparatus, system and computer program are provided for concealing the identity of a network device transmitting a datagram having a network layer header. A unique local identifier and broadcast address are determined in accordance with a next-hop address. A partially encrypted network layer header is determined by encrypting a plurality of identifying portions of the network layer header, where one portion of the network layer header is the unique local identifier. The datagram is encapsulated with another network layer header whose address is set to the broadcast address. The encapsulated datagram can be received and detunneled, and an address of a recipient can be extracted from the network layer header. The datagram is then admitted into a network domain.
    Type: Grant
    Filed: June 14, 2010
    Date of Patent: October 1, 2013
    Assignees: Verizon Corporate Services Group Inc., Raytheon BBN Technologies Corp.
    Inventors: Russell A. Fink, Edward A. Bubnis, Jr., Thomas E. Keller
  • Patent number: 8549286
    Abstract: In the field of communications technology, a method and a system for forwarding data between private networks are provided, which can enable terminals in different private networks to securely communicate with each other by using private network addresses. The method includes the following steps. A Secure Socket Layer (SSL) tunnel to an SSL Virtual Private Network (VPN) device in another private network is established. Address allocation information of the another private network is received through the SSL tunnel. The address allocation information and a mapping relation between the address allocation information and a public network IP address of the SSL VPN device transmitting the address allocation information and a session ID of the SSL tunnel transmitting the address allocation information are saved.
    Type: Grant
    Filed: October 29, 2010
    Date of Patent: October 1, 2013
    Assignee: Chengdu Huawei Symantec Technologies Co., Ltd.
    Inventors: Lifeng Liu, Min Huang, Shi Wan
  • Patent number: 8543813
    Abstract: Computer-implemented methods and apparatus to perform a valid transfer of an electronic mobile ticket on a mobile device by a ticketing application system of a ticket processing center. One method includes: receiving a first electronic message from a first user, where the first message includes an encrypted electronic mobile ticket and a mobile device number of a second user, and where the electronic mobile ticket is encrypted with a key shared between the first user and the ticketing application system; decrypting the encrypted electronic mobile ticket; generating an electronic mobile ticket encrypted with a key shared by the ticketing application system and the second user; and transmitting a second electronic message that includes the electronic mobile ticket encrypted with the key shared between the ticketing application system and the second user to a mobile device of the second user.
    Type: Grant
    Filed: September 29, 2010
    Date of Patent: September 24, 2013
    Assignee: International Business Machines Corporation
    Inventors: Chen Hua Feng, He Yuan Huang, Xiao Xi Liu, Bin Wang
  • Patent number: 8543471
    Abstract: In one embodiment, a method includes sending by an endpoint a request for information about available services to a network device; receiving by the endpoint a message from the network device, the message including information associated with a first service provider; determining by the endpoint whether the first address is certified by a trusted third party as being associated with the first service provider; if the first address is certified by the trusted third party, communicating by the endpoint with the first service provider using the information; and, in response to communicating with the first service provider using the information, receiving by the endpoint access to a service from the first service provider through the network device.
    Type: Grant
    Filed: August 24, 2010
    Date of Patent: September 24, 2013
    Assignee: Cisco Technology, Inc.
    Inventors: Joseph A. Salowey, David Sheldon Stephenson, Nancy Cam-Winget, Chetin Ersoy
  • Patent number: 8544080
    Abstract: An apparatus for establishing a virtual private network with an internet protocol multimedia subsystem (IMS) device that includes a key derivation module, a tunneling protocol module, a tunnel management module, and a security policies module. The apparatus includes a non-volatile memory configured to store a first routing table that maps host addresses and IMS addresses of security devices allowing access to those hosts, such that when an application running in the IMS device requests communication to a host address, the apparatus initiates a session with the IMS address to which the host address is mapped. The session is initiated by a message that includes a body that contains, for each tunneling protocol supported by the tunneling protocol module, data about the local tunnel endpoint (e.g.
    Type: Grant
    Filed: June 12, 2008
    Date of Patent: September 24, 2013
    Assignee: Telefonaktiebolaget L M Ericsson (publ)
    Inventor: Jesus Javier Arauz Rosado
  • Patent number: 8542593
    Abstract: In one embodiment of the invention, a system and method for error tolerant delivery of data is provided. A data file is received for transmission which includes metadata and data. The metadata includes mandatory portions and optional portions, which are grouped together, respectively. The mandatory portions of the metadata include file control data. The file is parsed into packets and transmitted as a data stream to a plurality of receiver devices. In some cases this data stream may be transmitted multiple times for redundancy. Once the data stream is received, the receiver device may look for transmission errors in the control data of the data stream. If such an error is present the data stream is discarded; otherwise, the receiver device converts the data stream back into the native file format and stores it for later playback or queued processing.
    Type: Grant
    Filed: October 20, 2010
    Date of Patent: September 24, 2013
    Assignee: Vucast Media, Inc.
    Inventors: Derek D. Kumar, Gregg Brian Levin
  • Patent number: 8543814
    Abstract: A method and apparatus for authenticating to a third party service provider from a personal computer. The method includes authenticating, with a mobile terminal, to the service provider with a universal subscriber identity module associated with the mobile terminal to obtain credentials specific to the service provider, transferring the credentials specific to the service provider from the mobile terminal to the personal computer, and accessing the service provider with the personal computer using the credentials transferred from the mobile terminal. The apparatus includes a mobile terminal, a computing device, a bootstrapping security module, and a network application function that cooperatively work to allow the computing device to access the network application function using a security credential from the mobile terminal.
    Type: Grant
    Filed: January 10, 2006
    Date of Patent: September 24, 2013
    Assignee: RPX Corporation
    Inventors: Pekka Laitinen, Shreekanth Lakshmeshwar
  • Patent number: 8537841
    Abstract: A problem is to provide a connection support apparatus and a gateway apparatus in which management of information is easy and remote access from a user terminal to the gateway apparatus can be performed easily and securely, and the problem is solved by including a control unit configured to perform control on a gateway apparatus to which a user apparatus connects so as to permit connection from the user apparatus for which authentication succeeds; and a communication unit configured to provide the user terminal with connection information used for connecting to the gateway apparatus.
    Type: Grant
    Filed: August 9, 2007
    Date of Patent: September 17, 2013
    Assignee: Fujitsu Limited
    Inventors: Haruyuki Takeyoshi, Naoki Matsuoka, Tomohiro Ishihara
  • Patent number: 8533465
    Abstract: A method is provided for sending a data packet from a client through a network and to a server. The data packet is a data structure having an originating address portion and destination address portion. The network includes a first mix router and a second mix router. The client has a client address, whereas the first mix router has a first mix router address, the second mix router has a second mix router address and the server has a server address. The method includes encrypting the originating address portion of the data packet and encrypting the destination portion of the data packet, transmitting the encrypted data packet, decrypting the originating address portion of the encrypted data packet and the destination portion of the encrypted data packet, providing a first data packet and providing a second data packet.
    Type: Grant
    Filed: March 5, 2009
    Date of Patent: September 10, 2013
    Assignee: The Johns Hopkins University
    Inventor: Jonathan T. Trostle
  • Publication number: 20130232338
    Abstract: Methods, devices, and systems that may be used to secure networked devices are provided. One method includes receiving, at a security device, encrypted configuration data from a management server connected to a data network, from packets addressed to a networked device. The method further includes managing, by the security device, packets between the networked device and other devices accessible through a network based upon the configuration data. The method further includes sending, by the security device, a plurality of encrypted heartbeat messages to the management server utilizing an address associated with the networked device as the originating address for packets in which the encrypted heartbeat messages are transmitted.
    Type: Application
    Filed: February 22, 2013
    Publication date: September 5, 2013
    Applicant: Byres Security
    Inventors: Eric Byres, Darren Lissimore, John Karsch, Khai Lee
  • Patent number: 8527426
    Abstract: The present invention permits a user to conduct remote transactions without a network while using an untrusted computing device, such as a hand held personal digital assistant or a laptop computer. The computing device is augmented with a smartcard reader, and the user obtains a smartcard and connects it to the device. This design can be used by an untrusted user to perform financial transactions, such as placing bets on the outcome of a probabilistic computation. Protocols are presented for adding (purchasing) or removing (selling) value on the smartcard, again without requiring a network connection. Using the instant protocols, neither the user nor the entity issuing the smartcards can benefit from cheating.
    Type: Grant
    Filed: May 19, 2009
    Date of Patent: September 3, 2013
    Assignee: AT&T Intellectual Property II, L.P.
    Inventors: William A. Aiello, Aviel Q. Rubin, Martin J. Strauss
  • Patent number: 8516254
    Abstract: A security panel includes a processor, memory, and a network interface having a unique MAC address, and is configured to communicate over a network with a server. A method for registering the security panel with the server includes contacting the server utilizing a network address stored in the memory. A dealer ID, a line number, and a unique account number are sent to the server. The dealer ID, the line number, and the unique account number are stored in the memory. An encryption key is received for encryption of additional communication between the security panel and the server. The unique MAC address is sent to the server in an encrypted session to verify the security panel to the server.
    Type: Grant
    Filed: December 20, 2011
    Date of Patent: August 20, 2013
    Assignee: UTC Fire & Security Americas Corporation, Inc.
    Inventors: Gerald B. Fisher, Theodore A. Nesse, Sunil Kumar Neckaraje, Uwe H. Thomanschefsky
  • Patent number: 8516248
    Abstract: A communication apparatus includes: a first storage unit configured to store a plurality of addresses of a plurality of first communication apparatuses; an acquiring unit configured to acquire a self-public key; a specifying unit configured to specify an address of at least one of the plurality of first communication apparatuses stored in the first storage unit when the self-public key is acquired; and a first public key sending unit configured to send the self-public key to the address of the at least one of the plurality of first communication apparatuses specified by the specifying unit.
    Type: Grant
    Filed: March 18, 2010
    Date of Patent: August 20, 2013
    Assignee: Brother Kogyo Kabushiki Kaisha
    Inventor: Satoru Yanagi
  • Patent number: 8515066
    Abstract: A method for establishing an encrypted communication channel between a first apparatus and a second apparatus by using a session management apparatus. The method includes: establishing a first encrypted communication channel between the session management apparatus and the first apparatus by performing mutual authentication between the session management apparatus and the first apparatus; establishing a second encrypted communication channel between the session management apparatus and the second apparatus by performing mutual authentication between the session management apparatus and the second apparatus; and exchanging key information between the first apparatus and the second apparatus via the first encrypted communication channel and the second encrypted communication channel so as to establish an encrypted communication channel between the first apparatus and the second apparatus.
    Type: Grant
    Filed: November 4, 2004
    Date of Patent: August 20, 2013
    Assignee: NTT Communications Corporation
    Inventors: Makoto Saito, Osamu Tokunaga, Toshiyuki Yamasaki, Shin Miyakawa, Yasuhiro Shirasaki, Takamasa Uchiyama, Satoshi Fukada, Takashi Egashira, Toshiaki Suzuki
  • Patent number: 8510555
    Abstract: A streaming video server generates a virtual file system that includes virtual addresses of a plurality of encrypted segments of a plurality of video programs at each of a plurality of bitrates, without storing the plurality of encrypted segments in persistent storage. A request is received from a client device to access a selected one of the plurality of video programs via a request to access the virtual file system. The plurality of encrypted segments of the selected one of the plurality of video programs are generated at a selected bitrate, in response to the request.
    Type: Grant
    Filed: April 27, 2011
    Date of Patent: August 13, 2013
    Assignee: Morega Systems Inc
    Inventor: King Chiu Tam
  • Patent number: 8510551
    Abstract: A device receives a unicast packet designating a unicast source and a unicast destination, and determines whether the received unicast packet is a Data Register message. The device extracts information relating to a multicast packet encapsulated within the unicast packet when the unicast packet is a Data Register message, and performs a security policy lookup based on the extracted multicast packet information to identify a security policy associated with the multicast packet. The device determines whether the identified security policy authorizes forwarding of the unicast packet, and establishes a multicast data session when the identified security policy authorizes forwarding of the unicast packet. The device establishes a multicast control session based on the multicast data session, where the multicast control session authorizes transmission of PIM-related control messages associated with the multicast packet.
    Type: Grant
    Filed: November 10, 2008
    Date of Patent: August 13, 2013
    Assignee: Juniper Networks, Inc.
    Inventors: Purvi Desai, Kannan Varadhan
  • Patent number: 8503369
    Abstract: Disclosed are a cellular phone terminal, a cellular phone system and a privacy protection method therefor that enable to prevent leakage of private information from the communication data when conducting a search for wireless LAN base stations. The cellular phone terminal comprises, in addition to the cellular phone function section, a cellular phone network transmitter/receiver section, a wireless LAN transmitter/receiver section and a wireless LAN connection control section, an SSID•MAC address management section connected to the wireless LAN connection control section and the cellular phone network transmitter/receiver section. The SSID•MAC address management section is allocated by a MAC address management server one or more temporary MAC addresses together with their time limit by way of the cellular phone network transmitter/receiver section and a cellular phone base station and the temporary MAC addresses are used when conducting a search for wireless LAN base stations.
    Type: Grant
    Filed: May 2, 2012
    Date of Patent: August 6, 2013
    Assignee: NEC Corporation
    Inventor: Yasuhiro Mizukoshi
  • Patent number: 8503677
    Abstract: A communication device receives secure communication frames on which a security transform has been performed to permit authentication. The communication device maintains an authentication history and a local time varying parameter. In multi-hop communication, the communication device provisionally verifies the freshness of a received secure communication frame by verifying that identifying information extracted from the frame is not already present in the authentication history and that a received time varying parameter extracted from the frame is not older than the local time varying parameter by more than a certain margin. If these freshness tests both pass, the frame is authenticated. If authentication succeeds, the frame is transmitted on the next hop without performance of a new security transform.
    Type: Grant
    Filed: November 18, 2010
    Date of Patent: August 6, 2013
    Assignee: Oki Electric Industry Co., Ltd.
    Inventors: Taketsugu Yao, Kiyoshi Fukui, Jun Nakashima
  • Patent number: 8503672
    Abstract: Provided is a method of protecting a content consumer's privacy. The method includes classifying contents into content groups, encrypting the contents using different encryption keys, generating a plurality of decryption keys each of which can decrypt all contents in each of the content groups, and providing the generated decryption keys to authorized clients, wherein each client is provided with a different decryption key.
    Type: Grant
    Filed: April 29, 2008
    Date of Patent: August 6, 2013
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Jun Yao, Choong-hoon Lee, Su-hyun Nam
  • Publication number: 20130179683
    Abstract: To check a secure registration to a service provided by a web server from a communication terminal (TC), the web server (SW) saves a dynamically generated code matching the terminal (TC)'s IP address and transmits a message containing the code (CodC) to an e-mail address. This address is provided by the user in response to the terminal's connection to the web server. The server transmits to the terminal an application (App) capable of generating an automated test in order to tell computers apart from humans. The answer provided by the user is encrypted with the terminal's IP address and the code contained in the message transmitted to the e-mail address, and is directly transmitted by the application to the server, which decrypts it and compares it with an expected answer in order to enable access to the Web server if the decrypted answer matches the expected answer.
    Type: Application
    Filed: September 14, 2011
    Publication date: July 11, 2013
    Inventors: Eric Joubert, Monique Lu
  • Patent number: 8484456
    Abstract: An electronic messaging system, including: a first message transfer server for receiving a message for a party, mapping the destination address of the message to a trusted address for the party, and substituting the trusted address for the destination address; and a second message transfer server for establishing an authenticated transport session with the first message transfer server to receive the message and transfer the message to a location corresponding to the trusted address.
    Type: Grant
    Filed: December 8, 2005
    Date of Patent: July 9, 2013
    Assignee: Alien Camel Pty Ltd.
    Inventors: Sydney Gordon Low, Matthew Iain Walker
  • Patent number: 8478985
    Abstract: An improved method, apparatus, and computer instructions for processing outbound traffic passing through a port. This port is for a server and receives a request from a client. The request includes a universal resource identifier to a destination. A determination is made as to whether the request requires encryption using the universal resource identifier in the request. The request is sent through the port to the destination in an encrypted form, in response to a determination that the request requires encryption.
    Type: Grant
    Filed: June 12, 2008
    Date of Patent: July 2, 2013
    Assignee: International Business Machines Corporation
    Inventors: Alexandre Polozoff, Kulvir Singh Bhogal
  • Patent number: 8479276
    Abstract: A virtual machine computing platform uses a security virtual machine (SVM) in operational communications with a risk engine which has access to a database including stored patterns corresponding to patterns of filtered operational data that are expected to be generated during operation of the monitored virtual machine when malware is executing. The stored patterns may have been generated during preceding design and training phases. The SVM is operated to (1) receive raw operational data from a virtual machine monitor, the raw operational data obtained from file system operations and network operations of the monitored virtual machine; (2) apply rule-based filtering to the raw operational data to generate filtered operational data; and (3) in conjunction with the risk engine, perform a mathematical (e.g., Bayesian) analysis based on the filtered operational data and the stored patterns in the database to calculate a likelihood that the malware is executing in the monitored virtual machine.
    Type: Grant
    Filed: December 29, 2010
    Date of Patent: July 2, 2013
    Assignee: EMC Corporation
    Inventors: Alex Vaystikh, Robert Polansky, Samir Dilipkumar Saklikar, Liron Liptz
  • Publication number: 20130166906
    Abstract: Methods and apparatus for integrating digital rights management (DRM) systems with native HTTP live streaming. Several methods for integrating a DRM system with HTTP live streaming on an operating system (OS) platform are described. In each of these methods, a manifest is delivered to an application on a device; the application then accesses a remote DRM server to obtain a license and one or more keys for the content. The DRM server enforces the rights of the client in regard to the indicated content. The application may modify the manifest to indicate a method for obtaining the key. The application delivers the manifest to the OS, which uses the indicated method (e.g., a URL) to obtain the key. While similar, the methods primarily differ in the manner in which the OS is directed to obtain the key.
    Type: Application
    Filed: December 22, 2011
    Publication date: June 27, 2013
    Inventors: Viswanathan Swaminathan, Kelly Yoshikazu Kishore
  • Patent number: 8473744
    Abstract: Disclosed is an authentication mechanism that enables an information recipient to ascertain that the information comes from the sender it purports to be from. This mechanism integrates a private/public key pair with selection by the sender of a portion of its address. The sender derives its address from its public key, for example, by using a hash of the key. The recipient verifies the association between the address and the sender's private key. The recipient may retrieve the key from an insecure resource and know that it has the correct key because only that key can produce the sender's address in the message. The hash may be made larger than the sender-selectable portion of the address. The recipient may cache public key/address pairs and use the cache to detect brute force attacks and to survive denial of service attacks. The mechanism may be used to optimize security negotiation algorithms.
    Type: Grant
    Filed: November 1, 2006
    Date of Patent: June 25, 2013
    Assignee: Microsoft Corporation
    Inventors: Art Shelest, David G. Thaler, Gregory O'Shea, Michael Roe, Brian D. Zill
  • Patent number: 8467536
    Abstract: A key message can include a key-encryption-key (KEK) associated with a KeyDomainID and a KeyGroupID. A session description message can describe streaming media initialization parameters containing media stream information for one or more media streams. For each media stream, the media stream information can include an IP address and a data port. The session description message can further contain a linkage for binding the KEK to a corresponding one of the media streams. The linkage can include the KeyDomainID and KeyGroupID or can include an abstract representation of the KeyDomainID and KeyGroupID. During session initialization, the key-encryption-key (KEK) can be bound to the media streams using the linkage of the session description message. Each of the media streams can be secured using a traffic key conveyed to user equipment (UE) under protection of the key-encryption-key (KEK).
    Type: Grant
    Filed: December 8, 2010
    Date of Patent: June 18, 2013
    Assignee: Motorola Solutions, Inc.
    Inventors: Adam C. Lewis, Thomas S. Messerges
  • Patent number: 8464329
    Abstract: A security device for SIP communications operates to inhibit the effect of malicious attacks and/or inadvertent erroneous events on the provision of SIP-based services within a private network and between private and public networks. The security device acts as a conventional Firewall, NAT and PAT to isolate SIP User Agents on the private network from SIP User Agents on the public network and to Blacklist undesired callers. Also, the security device preferably includes a virus scanner to scan attachments to sessions and/or other communications to identify and block virus contaminated data and the security device includes a hardened SIP stack to scan for and detect malformed SIP messages to prevent malicious attacks and/or inadvertent erroneous messages from adversely impacting the operation of SIP services.
    Type: Grant
    Filed: February 21, 2006
    Date of Patent: June 11, 2013
    Assignee: Watchguard Technologies, Inc.
    Inventor: Richard Melvin Fogel
  • Patent number: 8464056
    Abstract: A communication method for transmitting TT Ethernet messages in a distributed real-time system, including a plurality of node computers. Each node computer has an Ethernet controller, which by way of a data line is directly connected to a port of a TTE star coupler, said port being uniquely associated with the node computer. A plurality of TTE star couplers are connected among each other by way of one or more data lines to form a TTE network. A TTE message scheduler dynamically calculates the conflict-free schedules for a number of time-controlled messages and signs the schedule provided for each node with a secret part of a public-key signature before it transmits said schedule to the corresponding node computer. Each node computer integrates the signed periodic schedule, which is transmitted to the node computer in the form of a TTE message header of an ETE message, into each dynamically calculated TTE message.
    Type: Grant
    Filed: April 2, 2009
    Date of Patent: June 11, 2013
    Assignee: FTS Computertechnik GmbH
    Inventor: Stefan Poledna
  • Patent number: RE44503
    Abstract: In a memory system using a removable recording medium and data stored in the recording medium, identifying information for identifying each recording medium from others is held in the recording medium, and when data stored in the recording medium is used, the identifying information of the recording medium is required. As a result, when a flash memory card, etc. is used, a copyright is reliably protected.
    Type: Grant
    Filed: May 4, 2011
    Date of Patent: September 17, 2013
    Assignee: Kabushiki Kaisha Toshiba
    Inventors: Yoshiyuki Tanaka, Hiroshi Nakamura, Hiroshi Sukegawa, Mikito Nakabayashi, Kazuya Kawamoto