Having Particular Address Related Cryptography Patents (Class 713/162)
  • Patent number: 8457310
    Abstract: A print system which is capable of inhibiting simultaneous use of the encrypted print and the box storage to thereby increase the security of print data. A host computer has an encryption function of encrypting print data, and issues a print job for the print data encrypted by the encryption function. A print server receives the issued print job, and has a decryption function of decrypting the encrypted print data of the received print job. A printer has a storage function of storing the print data decrypted by the decryption function, and outputs the stored print data. At least one of the host computer and the print server inhibits simultaneous use of the encryption function and the storage function.
    Type: Grant
    Filed: November 24, 2010
    Date of Patent: June 4, 2013
    Assignee: Canon Kabushiki Kaisha
    Inventors: Hiroshi Uchikawa, Yushi Matsukubo, Fumio Mikami, Yoshinobu Umeda, Tadashi Kawaguchi, Yoshio Kimura, Yasuhiko Hirano, Hitoshi Imai, Hiroyasu Morita
  • Patent number: 8452016
    Abstract: There is provided a system and method for distributors to use an interoperable key chest. There is provided a method for use by a distributor to obtain content access authorizations from a key chest or central key repository (CKR), the method comprising receiving a user request from a user device for access to an encrypted content identified by a content identification, transmitting a key request to the CKR including the content identification, receiving an encrypted first key from the CKR, decrypting the encrypted first key using a second key to retrieve the first key, and providing a DRM license for the encrypted content to the user device using the first key for use by the user device to decrypt the encrypted content using the first key. By generating such DRM licenses, distributors can unlock protected content even sourced from distributors using different DRM schemas.
    Type: Grant
    Filed: July 10, 2009
    Date of Patent: May 28, 2013
    Assignee: Disney Enterprises, Inc.
    Inventors: Arnaud Robert, Scott F. Watson
  • Patent number: 8448250
    Abstract: A method and a system for transmitting confidential and non-confidential data blocks between intake units (1, 1′) and output units (3, 3′) of a communication system. The communication system has intake units (1) for confidential data blocks, intake units (1′) for non-confidential data blocks, output units (3) for confidential data blocks, and output units (3′) for non-confidential data blocks. A data distribution unit (2) transmits data blocks with confidential information from the intake units (1) for confidential information to the output units (3) for confidential information and data blocks with non-confidential information from the intake units (1′) for non-confidential information to the output units (3′) for non-confidential information.
    Type: Grant
    Filed: September 13, 2007
    Date of Patent: May 21, 2013
    Assignee: Frequentis Nachrichtentechnik GmbH
    Inventors: Gerald Mohnl, Rupert Fuchsgruber
  • Patent number: 8443448
    Abstract: A system and method for performing a security check may include using at least one processor to periodically check a status of a flag, generate and store a baseline representation of modules stored on the device where the flag is determined to be set to a first state, and, where the flag is determined to be set to a second state, generate an active representation of modules stored on the first device, compare the active representation of modules to the baseline representation of modules, and, responsive to a determination in the comparing step of a difference between the baseline and active representations of modules, output an alert. The flag status may depend on an association of the device with one of a plurality of authorization policies, each mapped to one of the two states. Results of the comparison may be appended to an activity log of the device.
    Type: Grant
    Filed: August 20, 2009
    Date of Patent: May 14, 2013
    Assignee: Federal Reserve Bank of New York
    Inventors: Danny Brando, Joonho Lee, Jia Ye
  • Patent number: 8442215
    Abstract: Presented is a method for determining the maximum number of key selection vectors (KSVs) supported by an HDCP source. The method includes providing a number of KSVs to the HDCP source, determining whether the HDCP source has entered a failure mode in response to the provided number of KSVs, increasing or decreasing the number of KSVs in response to the HDCP source not entering or entering the failure mode, providing the increased or decreased number of KSVs to the HDCP source, determining whether the HDCP source has entered the failure mode in response to the provided increased or decreased number of KSVs, and repeating the increasing, decreasing, and determining steps until the difference between a lowest number of provided KSVs resulting in the HDCP source entering the failure mode and a highest number of provided KSVs resulting in the HDCP source not entering the failure mode is one.
    Type: Grant
    Filed: July 9, 2010
    Date of Patent: May 14, 2013
    Assignee: Crestron Electronics Inc.
    Inventors: Daniel Jackson, Yun Mao, Robert Carter
  • Patent number: 8433900
    Abstract: A request to receive multicast data, associated with a multicast group, may be transmitted. The request may be transmitted via a tunnel. Group keys may be received in response to the request. The group keys may be based on the multicast group. An encapsulated packet may be received via another tunnel. The encapsulated packet may be processed, using the group keys, to obtain a multicast packet associated with the multicast data. The multicast packet may be forwarded to at least one multicast recipient.
    Type: Grant
    Filed: November 30, 2011
    Date of Patent: April 30, 2013
    Assignee: Juniper Networks, Inc.
    Inventors: Gregory M. Lebovitz, Changming Liu, Choung-Yaw Shieh
  • Patent number: 8434139
    Abstract: A server protected by a firewall uses an obfuscation algorithm to periodically generate a source port number and a destination port number. The server periodically sends an outbound packet from the source port to the destination port of an arbitrary destination network address. The outbound packet passes through the firewall and configures the state table of the firewall to temporarily pass inbound packets from the destination port of the arbitrary network address to the source port of the server. A client uses the obfuscation algorithm to send a packet from the destination port of the client to the source port of the server. The packet from the client indicates that it was sent from the arbitrary destination network address and includes the real port and network address of the client within it. The server communicates with the client at the real port and network address.
    Type: Grant
    Filed: September 10, 2009
    Date of Patent: April 30, 2013
    Assignee: Symantec Corporation
    Inventor: Efrain Ortiz, Jr.
  • Publication number: 20130091354
    Abstract: A plurality of computer nodes communicates using seemingly random IP source and destination addresses and (optionally) a seemingly random discriminator field. Data packets matching criteria defined by a moving window of valid addresses are accepted for further processing, while those that do not meet the criteria are rejected. In addition to “hopping” of IP addresses and discriminator fields, hardware addresses such as Media Access Control addresses can be hopped. The hopped addresses are generated by random number generators having non-repeating sequence lengths that are easily determined a-priori, which can quickly jump ahead in sequence by an arbitrary number of random steps and which have the property that future random numbers are difficult to guess without knowing the random number generator's parameters. Synchronization techniques can be used to re-establish synchronization between sending and receiving nodes.
    Type: Application
    Filed: May 18, 2012
    Publication date: April 11, 2013
    Applicant: VIRNETX, INC.
    Inventors: Edmund Colby Munger, Vincent J. Sabio, Robert Dunham Short, III, Virgil D. Gligor, Douglas Charles Schmidt
  • Patent number: 8411851
    Abstract: Presented is a method for determining the maximum number of key selection vectors (KSVs) supported by an HDCP source. The method includes transmitting a number of KSVs to the HDCP source, determining whether the HDCP source has entered a failure mode in response to the transmitted number of KSVs, increasing or decreasing the number of KSVs in response to the HDCP source not entering or entering the failure mode, transmitting the increased or decreased number of KSVs to the HDCP source, determining whether the HDCP source has entered the failure mode in response to the transmitted increased or decreased number of KSVs, and repeating the increasing, decreasing, and determining steps until the difference between a lowest number of transmitted KSVs resulting in the HDCP source entering the failure mode and a highest number of transmitted KSVs resulting in the HDCP source not entering the failure mode is one.
    Type: Grant
    Filed: May 6, 2010
    Date of Patent: April 2, 2013
    Assignee: Crestron Electronics Inc.
    Inventors: Daniel Jackson, Yun Mao, Robert Carter
  • Publication number: 20130067224
    Abstract: A method is used to transparently create an encrypted communications channel between a client device and a target device. Each device is configured to allow audio/video communications between the client and target devices over the encrypted communications channel once the encrypted communications channel is created. The method comprises receiving from the client device a request for a network address associated with the target device, determining whether the request is requesting access to a device that accepts an encrypted channel connection with the client device, and in response to determining that the request is requesting access to a device that accepts an encrypted communications channel connection with the client device, providing provisioning information required to initiate the creation of the encrypted communications channel between the client device and the target device such that the encrypted communications channel supports secure audio/video communications transmitted between the two devices.
    Type: Application
    Filed: September 13, 2012
    Publication date: March 14, 2013
    Applicant: VIRNETX, INC.
    Inventors: Victor Larson, Robert Dunham Short, III, Edmund Colby Munger, Michael Williamson
  • Patent number: 8397083
    Abstract: A system and method efficiently deletes a file from secure storage, i.e., a cryptainer, served by a storage system. The cryptainer is configured to store a plurality of files, each of which stores an associated file key within a special metadata portion of the file. Notably, special metadata is created by a security appliance coupled to the storage system and attached to each file to thereby create two portions of the file: the special metadata portion and the main, “file data” portion. The security appliance then stores the file key within the specially-created metadata portion of the file. A cryptainer key is associated with the cryptainer. Each file key is used to encrypt the file data portion within its associated file and the cryptainer key is used to encrypt the part of the special metadata portion of each file. To delete the file from the cryptainer, the file key of the file is deleted and the special metadata portions of all other files stored in the cryptainer are re-keyed using a new cryptainer key.
    Type: Grant
    Filed: August 23, 2006
    Date of Patent: March 12, 2013
    Assignee: NetApp, Inc.
    Inventors: Robert Jan Sussland, Lawrence Wen-Hao Chang, Ananthan Subramanian
  • Patent number: 8397065
    Abstract: Methods and systems for information dissemination in mobile ad hoc networks founded on Content Based Routing. The method comprises encoding, via an encoding logic within the source node, a plurality of information categories associated with the content in a header of the packet, encrypting the packet with an encryption key unique to the plurality of information categories, with the encrypted packet having a unique dissemination group identity in its header, and disseminating the encrypted packet to nodes that have subscribed to the data based on the dissemination group identity. The system comprises a host within the source node, an identity generator to generate the dissemination group identity for the content, an encryption unit for encrypting the content, and a routing unit to disseminate the content to the dissemination mesh based on established subscriptions.
    Type: Grant
    Filed: October 17, 2008
    Date of Patent: March 12, 2013
    Assignee: Telcordia Technologies, Inc.
    Inventors: Yow-Jian Lin, Narayanan Natarajan
  • Publication number: 20130061046
    Abstract: Stateless application notifications are described that enable third parties to provide messages to client applications. A communication channel can be established between a notification service and an application. Upon request, the notification service can generate obfuscated routing data for the channel, which can be in the form of a channel handle or token. The routing data can be encrypted and digitally signed to obscure the content and format of the routing data from third parties. An application service possessing the obfuscated routing data can package a notification with the data and send the package to the notification service for delivery. The application service does so without knowing the channel particulars encoded by the obfuscated routing data. The notification service that produces the obfuscated routing data can decrypt and interpret the data, and deliver the notification on the channel to an appropriate endpoint application on behalf of the application service.
    Type: Application
    Filed: September 1, 2011
    Publication date: March 7, 2013
    Applicant: Microsoft Corporation
    Inventors: George Joy, Cheuk Wan William Lau, Darren Louie, Yosef Firstenberg, Ravikant Cherukuri, Kevin Michael Woley, Matthew R. Ayers, Gaurav S. Anand
  • Publication number: 20130061047
    Abstract: Techniques for efficient and secure implementation of network policies in a network interface controller (NIC) in a host computing device operating a virtualized computing environment. In some embodiments, the NIC may process and forward packets directly to their destinations, bypassing a parent partition of the host computing device. In particular, in some embodiments, the NIC may store network policy information to process and forward packets directly to a virtual machine (VM). If the NIC is unable to process a packet, then the NIC may forward the packet to the parent partition. In some embodiments, the NIC may use an encapsulation protocol to transmit address information in packet headers. In some embodiments, this address information may be communicated by the NIC to the parent partition via a secure channel. The NIC may also obtain, and decrypt, encrypted addresses from the VMs for routing packets, bypassing the parent partition.
    Type: Application
    Filed: August 2, 2012
    Publication date: March 7, 2013
    Applicant: MICROSOFT CORPORATION
    Inventors: Murari Sridharan, Narasimhan Venkataramaiah, Yu-Shun Wang, Albert G. Greenberg, Alireza Dabagh, Pankaj Garg, Daniel M. Firestone
  • Patent number: 8392716
    Abstract: An initiator shares y_ir with a responder, calculates HASH_I on the basis of y_ir, and sends HASH_I to an IKE proxy server. The initiator receives a digital signature SIG_S generated for HASH_I and the address of the initiator from the IKE proxy server and sends the digital signature SIG_S to the responder.
    Type: Grant
    Filed: January 21, 2005
    Date of Patent: March 5, 2013
    Assignee: Canon Kabushiki Kaisha
    Inventor: Kazuomi Oishi
  • Patent number: 8386782
    Abstract: The invention provides a method, system, device and computer program product for setting up a secure session among three or more devices or parties of a communication group, including authenticating a key agreement between the devices or parties of the communication group, wherein the devices of the group start, preferably after a key is computed or agreed, a protocol, preferably a multi-party data integrity protocol, for authenticating the key agreement.
    Type: Grant
    Filed: January 5, 2007
    Date of Patent: February 26, 2013
    Assignee: Nokia Corporation
    Inventors: Kaisa Nyberg, Nadarajah Asokan
  • Patent number: 8370623
    Abstract: Many secure tunnels require protocols that require special handling, authorization or security certificates, such as L2TP and PPTP. This often eliminates them for use between a corporate or agency network and outside, public networks. A secure socket tunnel protocol (SSTP) adds drivers in both the kernel and user mode to route standard protocol traffic, such as PPP, over a common HTTPS port. In the event of network interruptions, an exchange of a session cookie allows fast reconnection of the underlying HTTPS connection without affecting higher level applications.
    Type: Grant
    Filed: December 12, 2011
    Date of Patent: February 5, 2013
    Assignee: Microsoft Corporation
    Inventors: Vikas Jain, Madan Appiah, Kadirvel Vanniarajan, Samir Jain
  • Patent number: 8370921
    Abstract: Packet sequence number checking through a VPN tunnel may be performed by assigning sequence numbers on a per-priority class basis to packets traversing the VPN tunnel. In one implementation, a network device may receive a packet that is to be transmitted over a VPN tunnel, the packet including control information that includes at least a QoS priority class of the packet. The network device may extract the priority class of the packet from the control information and generate a sequence value that describes an arrival sequence of the packet relative to other received packets of the same priority class as the packet. The network device may additionally generate an IPsec header for the packet, the IPsec header including the sequence value and the priority class of the packet; attach the IPsec header to the packet; and transmit the packet through the VPN tunnel.
    Type: Grant
    Filed: December 8, 2009
    Date of Patent: February 5, 2013
    Assignee: Juniper Networks, Inc.
    Inventors: Yifei Duan, Yufeng Zhu
  • Patent number: 8370627
    Abstract: It is an object of the present invention to solve a problem included in the onion routing which is used as a confidential communication method, that if a system down occurs in a computer within a communication route, connection is not made to further components at all, or a problem that the system and the traffic become slow by using multiplexed encryption. It is a communication method in which a client of an information providing source encrypts random numbers and calculates its hash value using respective public keys of an information server to which it connects, a function server of a destination to be sent, and an information server to which the function server connects, respective servers decrypt the encrypted random number using their own secret keys to compare the random number with the hash value, and thus, the client determines whether or not the route is related to the client.
    Type: Grant
    Filed: December 30, 2008
    Date of Patent: February 5, 2013
    Assignee: University of Yamanashi
    Inventors: Haruaki Yamazaki, Hidetoshi Mino, Yoshimichi Watanabe
  • Patent number: 8369527
    Abstract: A multicast host for communicating information published about any one of a set of topics to one or more authorised subscribers to those topics, the set of topics being partitioned into one or more partition elements, each partition element having a partition element encryption key associated therewith, wherein each of the one or more partition elements is a disjoint proper subset of the set of topics, the host comprising: means for receiving information relating to a topic; means for determining a partition element for the topic; means for retrieving a partition element encryption key associated with the partition element; means for encrypting the information with the retrieved partition element encryption key; and means for communicating the information to the one or more authorised subscribers.
    Type: Grant
    Filed: June 22, 2005
    Date of Patent: February 5, 2013
    Assignee: International Business Machines Corporation
    Inventors: Boaz Carmeli, John Justin Duigenan, Michael Damein Elder, Gidon Gershinsky
  • Publication number: 20130031364
    Abstract: A data processing system, a server such as a federated server, a computer system, and like devices, and associated operating methods can be configured to support fine-grained security including resource allocation and resource scheduling. A data processing system can comprise a federated server operable to access data distributed among a plurality of remote data sources upon request from a plurality of client users and applications; and logic executable on the federated server. The logic can be operable to enforce fine-grained security operations on a plurality of federated shared data sets distributed among the plurality of remote data sources.
    Type: Application
    Filed: July 29, 2011
    Publication date: January 31, 2013
    Inventors: Daniel A. Gerrity, Clarence T. Tegreene
  • Patent number: 8356173
    Abstract: A configuration method of a cryptographically generated address (CGA) is disclosed. The configuration method is used to enable a generated CGA to satisfy requirements of a network configuration, and includes the following steps. A Dynamic Host Configuration Protocol (DHCP) server receives client configuration information sent from a client. The DHCP server generates a CGA according to the client configuration and the network configuration from the DHCP server. The DHCP server delivers the CGA to the client. The network configuration is made as a reference when the CGA is generated, which overcomes a disadvantage that the CGA generated by the client cannot satisfy the requirements of the network configuration in the prior art. Thus, the generation of CGA can be intervened at a network management level, and a management capability of the network is improved.
    Type: Grant
    Filed: December 23, 2009
    Date of Patent: January 15, 2013
    Assignee: Huawei Technologies Co., Ltd.
    Inventors: Sheng Jiang, Zhongqi Xia
  • Patent number: 8353055
    Abstract: A method for upgrading a Rights Object (RO) includes: acquiring, by a Digital Rights Management (DRM) Agent, RO related information of the RO that requires updating from a Secure Removable Media (SRM) Agent; providing, by the DRM Agent, the RO related information to a Rights Issuer (RI), and obtaining a new RO from the RI; and interacting, by the DRM Agent, with the SRM Agent to upgrade the RO that requires updating on the SRM by means of the new RO. According to the embodiments of the present invention, the DRM Agent acquires RO related information which is stored on the SRM and does not have Move rights, and interacts with the RI to move the RO out from the SRM, so as to move the RO without the Move rights out from the SRM.
    Type: Grant
    Filed: July 2, 2012
    Date of Patent: January 8, 2013
    Assignee: Huawei Technologies Co., Ltd.
    Inventors: Renzhou Zhang, Chen Huang, Weizhong Yuan, Zhipeng Zhou
  • Patent number: 8347112
    Abstract: In at least some embodiments, an electronic device comprises a processor and an encryption/decryption (E/D) engine coupled to the processor via a bus. The E/D engine selectively operates in a first mode and a second mode. For the first mode, an E/D engine output is provided to the bus. For the second mode, the E/D engine output is not provided to the bus and is accessible only to the E/D engine.
    Type: Grant
    Filed: February 17, 2009
    Date of Patent: January 1, 2013
    Assignee: Texas Instruments Incorporated
    Inventors: Frederic P. R. Amiel, Aymeric S. Vial, Jean-Yves Simon
  • Patent number: 8346742
    Abstract: A client device or other processing device comprises a file processing module, with the file processing module being operative to request proof from a file system that a file having a first format is stored by the file system in a second format different than the first format, to receive the proof from the file system, and to verify that the file is stored in the second format using the proof provided by the file system responsive to the request. The proof is based at least in part on application of a function to the file in the second format, and the function imposes a minimum resource requirement on generation of the proof. The file system may comprise one or more servers associated with a cloud storage provider. Advantageously, one or more illustrative embodiments allow a client device to verify that its files are stored by a cloud storage provider in encrypted form or with other appropriate protections.
    Type: Grant
    Filed: March 30, 2011
    Date of Patent: January 1, 2013
    Inventors: Ari Juels, Marten Erik van Dijk, Alina Oprea, Ronald L. Rivest, Emil P. Stefanov
  • Patent number: 8347084
    Abstract: A method for securing the transmission of information in a communication network comprising a plurality of nodes, characterized in that it includes the steps of: an information transmitting node encodes the information with a given code; an error of given weight is added to the encrypted information; the encrypted information and the error are divided into a number of portions that is substantially equal to a chosen number r of possible routes for transmitting the information in the network; the destination address is encrypted; and for each portion, a control information item is associated, making it possible to reconstruct the message at the destination and the encrypted address of the destination node. For the various sets, each including a portion of encrypted information, a control information item and the encrypted address of the recipient node are sent in parallel over the r chosen routes.
    Type: Grant
    Filed: January 24, 2008
    Date of Patent: January 1, 2013
    Assignee: Thales
    Inventors: Cedric Tavernier, Herve Aiache
  • Patent number: 8341737
    Abstract: A callback component embedded on a web site determines a current location of the web site. The current location is compared to a known legitimate location of the web site to determine if the web site has been copied to a different host location. Responsive to determining that the web site has been copied to a different location, the callback component alerts a central authority that the web site may be a fraudulent web site set up to launch phishing attacks. If the central authority determines that the web site is fraudulent, the central authority alerts appropriate entities to take down the fraudulent web site. The callback component generates a visual component viewable on the web site to deter phishing attackers from removing the callback component when the web site is copied.
    Type: Grant
    Filed: March 31, 2008
    Date of Patent: December 25, 2012
    Assignee: Symantec Corporation
    Inventors: Zulfikar Ramzan, Oliver Friedrichs, Andrea Del Miglio, Candid Wüest, Sourabh Satish
  • Patent number: 8341403
    Abstract: A revocation examination method and apparatus for a device are provided. The method includes: storing information regarding revoked nodes; receiving from the device an identifier (ID) of the device and a revocation examination request message including an ID of a leaf node corresponding to the device; examining whether the device corresponding to the ID of the leaf node is revoked with reference to the information regarding revoked nodes; and transmitting a response to the revocation examination request message based on a result of the examining.
    Type: Grant
    Filed: May 1, 2007
    Date of Patent: December 25, 2012
    Assignee: Samsung Electronics Co., Ltd.
    Inventor: Young-sun Yoon
  • Publication number: 20120324218
    Abstract: A unique, strong, shared, symmetric network-wide key (or a limited number of group-wide keys) is generated by a central authority and initially provisioned to nodes in a network, which use it for ensuing traffic encryption. Nodes establish trust by sending each other authentication messages encrypted with the shared secret key, and thereupon adding each other to their respective trust lists. Also, an optional rekeying scheme whereby an existing shared secret key can be replaced by a new secret key that is introduced by the central authority and automatically propagated from node to node through the network.
    Type: Application
    Filed: June 17, 2011
    Publication date: December 20, 2012
    Inventors: Michael J. Duren, Rene E. Menard, III, Jeremy L. Rasmussen, Keith R. Thal
  • Patent number: 8335919
    Abstract: Secure bulk messaging mechanism in which, roughly described, a sender first encrypts a message once. The message can be decrypted with a message decryption key. These can be symmetric or asymmetric keys. For each recipient, the sender then encrypts the message decryption key with the recipient's public key. The sender then sends the encrypted message and the encrypted message decryption keys to a store-and-forward server. Subsequently, one or more recipients connect to the server and retrieve the encrypted message and the message encryption key that has been encrypted with the recipient's public key. Alternatively, the server can forward these items to each individual recipient. The recipient then decrypts the encrypted message decryption key with the recipient's private key, resulting in an un-encrypted message decryption key. The recipient then decrypts the message using the un-encrypted message decryption key.
    Type: Grant
    Filed: April 15, 2005
    Date of Patent: December 18, 2012
    Assignee: Axway Inc.
    Inventor: David Jevans
  • Patent number: 8336084
    Abstract: A system for broadcasting multiple public identities corresponding to the same apparatus. For example, each public identity may correspond to different operational environments, while none of the public identities disclose a private identity that uniquely and permanently identifies the apparatus. This allows apparatuses to keep their unique identity a secret while still being able to communicate with other apparatuses in various environments.
    Type: Grant
    Filed: September 11, 2009
    Date of Patent: December 18, 2012
    Assignee: Nokia Corporation
    Inventor: Jan-Erik Ekberg
  • Patent number: 8336109
    Abstract: A method and apparatus for processing a Rights Object (RO) are provided. A method for upgrading the RO includes: acquiring, by a Digital Rights Management (DRM) Agent, RO related information of the RO that requires updating from a Secure Removable Media (SRM) Agent; providing, by the DRM Agent, the RO related information to a Rights Issuer (RI), and obtaining a new RO from the RI; and interacting, by the DRM Agent, with the SRM Agent to upgrade the RO that requires updating on the SRM by means of the new RO. According to the embodiments of the present invention, the DRM Agent acquires RO related information which is stored on the SRM and does not have Move rights, and interacts with the RI to move the RO out from the SRM, so as to move the RO without the Move rights out from the SRM, thus extending an application of the RO without the Move rights.
    Type: Grant
    Filed: December 28, 2010
    Date of Patent: December 18, 2012
    Assignee: Huawei Technologies Co., Ltd.
    Inventors: Renzhou Zhang, Chen Huang, Weizhong Yuan, Zhipeng Zhou
  • Patent number: 8336100
    Abstract: A computer-implemented method for using reputation data to detect packed malware may include: 1) identifying a file downloaded from a portal, 2) determining that the file has been packed, 3) obtaining community-based reputation data for the file, 4) determining, by analyzing the reputation data, that instances of the file have been encountered infrequently (or have never been encountered) within the community, and then 5) performing a security operation on the file (by, for example, quarantining or deleting the file).
    Type: Grant
    Filed: August 21, 2009
    Date of Patent: December 18, 2012
    Assignee: Symantec Corporation
    Inventors: Adam Glick, Nicholas Graf, Spencer Smith
  • Patent number: 8335315
    Abstract: A method of protecting digital contents includes: requesting an external device or service to perform a part of a process of decrypting encrypted contents which correspond to a leaf node among a plurality of leaf nodes in a tree used in a revocation mechanism according to whether the leaf node has been revoked; and decrypting the encrypted contents based on a response to the request. Therefore, even when the data storage capacity of a device is small or the data processing capability thereof is low, the contents encrypted according to a broadcast encryption scheme can be decrypted.
    Type: Grant
    Filed: August 9, 2006
    Date of Patent: December 18, 2012
    Assignee: Samsung Electronics Co., Ltd.
    Inventor: Young-sun Yoon
  • Patent number: 8332634
    Abstract: A cryptographic system includes encryption logic that is configured to encrypt input data by performing a mask operation on the input data using an address associated with the input data.
    Type: Grant
    Filed: April 16, 2007
    Date of Patent: December 11, 2012
    Assignee: Samsung Electronics Co., Ltd.
    Inventor: Odile Derouet
  • Patent number: 8332638
    Abstract: The present invention provides a method and system for securing sensitive data from unauthorized access or use. The method and system of the present invention is useful in a wide variety of settings, including commercial settings generally available to the public which may be extremely large or small with respect to the number of users. The method and system of the present invention is also useful in a more private setting, such as with a corporation or governmental agency, as well as between corporations, governmental agencies or any other entity.
    Type: Grant
    Filed: February 17, 2012
    Date of Patent: December 11, 2012
    Assignee: Security First Corp.
    Inventors: Rick L. Orsini, John VanZandt, Mark S. O'Hare, Roger S. Davenport
  • Publication number: 20120311325
    Abstract: The present disclosure is directed to a method for sending and receiving an encrypted message and a system thereof. The method includes steps of encrypting a message, transforming the encrypted message into a network address, sending the network address to a receiver, and accessing a server according to the network address by the receiver, and a server decrypting the message, presenting the decrypted message to the receiver, and thereafter preventing the message from being accessed. Advantages include that any mobile phone capable of connection to a wireless network can read an encrypted message without installation of decryption software on a mobile phone of a receiver.
    Type: Application
    Filed: May 29, 2012
    Publication date: December 6, 2012
    Applicant: NETQIN MOBILE (BEIJING) CO., LTD
    Inventors: Ping Cheng, Yu Lin, Shihong Zou, Linlin Gong
  • Publication number: 20120311326
    Abstract: A mobile terminal provides a personal information sharing service using a signed URL message. The terminal includes: a personal information sharing service module which receives a message that includes a first callback URL and a personal information sharing request and is signed using a private key of a server, and creates a second callback URL by adding a user response result in response to the personal information sharing request to the first callback URL; and an authentication module which verifies a signature of the message using a public key of the server, and signs the second callback URL using a user private key.
    Type: Application
    Filed: August 17, 2012
    Publication date: December 6, 2012
    Applicant: Electronics and Telecommunications Research Institute
    Inventors: Seung Hyun KIM, Dae Seon CHOI, Jong Hyouk NOH, Sang Rae CHO, Yeong Sub CHO, Seung Hun JIN
  • Patent number: 8320534
    Abstract: A method for connecting a calling terminal to a called terminal includes establishing a first session to a video server and a call connection request to the called terminal, receiving ringback tone (RBT) video data from the video server using the established first session during a waiting time before a response from the called terminal for the request is received, generating a setup flag to set a connection environment with the called terminal to perform a fast setup between the calling terminal and the called terminal, and transmitting the generated setup flag to the called terminal through a second session established by the called terminal. A system to perform the method includes an establishing unit to establish the first session, an RBT video data receiving unit to receive the RBT video data, a setup flag generating unit, and a setup flag transmitting unit.
    Type: Grant
    Filed: March 5, 2009
    Date of Patent: November 27, 2012
    Assignee: Pantech Co., Ltd.
    Inventors: Kunsik Kim, Doohyoung Lee, Hyukjae Choi
  • Patent number: 8316229
    Abstract: According to one embodiment of the invention, a method is deployed for loading a user CA certificate into the trusted certificate storage of a network device. The method comprises a number of operations. A first operation involves a downloading of addressing information. Thereafter, a communication session is established using the addressing information for retrieval of a bootstrapping digital certificate that can be digitally verified by the network device using its factory settings. Keying information is extracted from the bootstrapping digital certificate and the keying information can be used to verify that the communication session is between the network device and a certificate server being different than a source for the addressing information. Upon verification that the network device is in communication with the certificate server, the user CA certificate is downloaded from the certificate server using a secure channel that is established based on the bootstrapping digital certificate.
    Type: Grant
    Filed: December 17, 2007
    Date of Patent: November 20, 2012
    Assignee: Avaya Inc.
    Inventors: Tao Wan, Jay Taugher, David Ward
  • Patent number: 8300828
    Abstract: Disclosed herein are systems, methods and computer-readable media to perform data encryption and decryption using a derivation function to obtain a key per page of data in a white-box environment. The method includes sharing a master key with the sender and receiver, splitting the input data into blocks and sub-blocks, and utilizing a set of keys and a master key to derive a page key. In another aspect of this disclosure, the key validation and shuffling operations are included. This method allows for the derivation of a key instead of storing a predetermined key, thus maintaining system security in a white-box environment.
    Type: Grant
    Filed: January 25, 2012
    Date of Patent: October 30, 2012
    Assignee: Apple Inc.
    Inventors: Mathieu Ciet, Augustin J. Farrugia, Filip Toma Paun
  • Patent number: 8301883
    Abstract: A method for managing a conference between two or more parties comprises an identity based authenticated key exchange between a conference management element and each of the two or more parties seeking to participate in the conference. Messages exchanged between the conference management element and the two or more parties are encrypted based on respective identities of recipients of the messages. The method comprises the conference management element receiving from each party a random group key component. The random group key component is computed by each party based on a random number used by the party during the key authentication operation and random key components computed by a subset of others of the two or more parties seeking to participate in the conference. The conference management element sends to each party the random group key components computed by the parties such that each party can compute the same group key.
    Type: Grant
    Filed: August 28, 2009
    Date of Patent: October 30, 2012
    Assignee: Alcatel Lucent
    Inventors: Ganapathy S. Sundaram, Violeta Cakulev
  • Publication number: 20120265986
    Abstract: Systems and methods are provided for delivering e-mail, typically with time relevant content, to users whose e-mail addresses are encrypted. Specifically, the e-mails are administered by a host or home server that is transparent to the e-mail addresses of the computers and e-mail clients that electronic communications are being sent to and received from.
    Type: Application
    Filed: June 21, 2012
    Publication date: October 18, 2012
    Applicant: ADKNOWLEDGE, INC.
    Inventor: Arthur G. ESCLAMADA
  • Patent number: 8290660
    Abstract: To provide external access to a specification file stored in at least one memory unit, which is associated with at least one electronic control unit which may be in a vehicle, a computer is connected to a first communication bus in the vehicle. A first module in the computer is adapted to communicate with the at least one electronic control unit over the first communication bus. Provided that a user-unique key is connected to a port of the computer and a software component of this key is set to an active authorization state, the computer is enabled to communicate with the at least one electronic control unit. Thus, the computer may read out the specification file as well as update the specification file.
    Type: Grant
    Filed: March 29, 2005
    Date of Patent: October 16, 2012
    Assignee: Scania CV AB (publ)
    Inventors: Stanislaw Lazarz, Kurt Flatischler
  • Patent number: 8291218
    Abstract: A system and method provides secure channels for communication in a virtual universe by employing a packet interception layer for incoming and outgoing data packets. A data path is defined and is sequentially encrypted with the public keys of servers in the path. Decryption and identification of the next server occurs in a sequential manner in which the path is known only to the sender.
    Type: Grant
    Filed: December 2, 2008
    Date of Patent: October 16, 2012
    Assignee: International Business Machines Corporation
    Inventors: Kelley K. Garcia, Rick A. Hamilton, II, Richard J. Newhook, Martin S. Ramsey, Raull Rangel, James W. Seaman
  • Patent number: 8289579
    Abstract: A variable guilloche includes at least two guilloche curves, printed in a common space and having at least one point of overlap. The at least two curves are plotted from equations having variables corresponding to a specified data string of steganographic information.
    Type: Grant
    Filed: January 29, 2007
    Date of Patent: October 16, 2012
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Steven J. Simske, Henry Sang, Philippe Mucher
  • Patent number: 8290145
    Abstract: In a method for the transition from a first masked representation of a value to be kept secret to a second masked representation of the value, according to a first aspect of the invention at least one previously calculated table with a plurality of entries is used, and the calculation is carried out depending on at least one veiling parameter, in order to prevent the value to be kept secret from being spied out. According to a second aspect of the invention, at least one comparison table is used, which, for each table index, provides the result of a comparison between a value dependent on the table index and a value dependent on at least one masking value. A computer program product and a device have corresponding features. The invention provides a technique for protecting the transition between masked representations of a value from being spied out, wherein the masked representations are based on different masking rules.
    Type: Grant
    Filed: September 3, 2004
    Date of Patent: October 16, 2012
    Assignee: Giesecke & Devrient GmbH
    Inventors: Olaf Neisse, Jürgen Pulkus
  • Patent number: 8285993
    Abstract: A method for distributing a shared secret key among a plurality of nodes is described. Each node establishes a secret key, the number of nodes being more than two nodes. A node distributes by a ring protocol executing over computer network connections an encrypted version of the secret key of each node to other nodes of the plurality of nodes. Each node decrypts the secret keys of other nodes so that each node has the secret key of other nodes. Each node combines the secret keys of other nodes to form a shared secret key available to other nodes.
    Type: Grant
    Filed: April 22, 2011
    Date of Patent: October 9, 2012
    Assignee: NetApp, Inc.
    Inventors: Ananthan Subramanian, Robert Jan Sussland, Lawrence Wen-Hao Chang
  • Patent number: 8286003
    Abstract: An address list management apparatus stores, for each user of an MFP (Multi Function Peripheral), a different address list that lists address information pieces for transmission of image data by the MFP. Upon being instructed by a logged-in user to transmit image data, the MFP transmits, to the address list management apparatus, a request for the address list that specifies the user. Upon receiving the request, the address list management apparatus transmits, to the MFP, a sending list pertaining to the user. The sending list is created by deleting secret information from address information pieces in the address list, and modifying such address information pieces so that image data is transmitted to the address list management apparatus. The address list management apparatus refers to the address list, and transfers the image data to the specified address.
    Type: Grant
    Filed: August 11, 2008
    Date of Patent: October 9, 2012
    Assignee: Konica Minolta Business Technologies, Inc.
    Inventors: Hirohisa Miyamoto, Minako Kobayashi, Katsuhiko Akita, Okihisa Yoshida, Takehisa Yamaguchi
  • Publication number: 20120246462
    Abstract: In the present disclosure, a DRM (in this case IPRM) system may be used to deliver media content keys to a player device in a live streaming environment and take advantage of all DRM related functionalities that come with it, such as proximity control, copy protection enforcement and rights verification. A playlist may be used to deliver a key identifier for encrypted live streaming content.
    Type: Application
    Filed: March 23, 2012
    Publication date: September 27, 2012
    Applicant: GENERAL INSTRUMENT CORPORATION
    Inventors: Paul Moroney, Rafie Shamsaasef