Having Particular Address Related Cryptography Patents (Class 713/162)
  • Patent number: 8271775
    Abstract: Systems, methods, and other embodiments associated with layer two (L2) encryption for data center interconnectivity are described. One example system includes a receive logic to receive an unencrypted L2 switched frame (UL2SF). The UL2SF may include a payload and an L2 header. The example system may also include an encryption logic to selectively encrypt the UL2SF into an encrypted frame if the UL2SF is to be sent through an L2 virtual private network (L2VPN) requiring encryption. The example system may also include a delivery logic that adds a header to the encrypted frame. The header may include data to identify a decryption function to decrypt the encrypted frame and routing information for the encrypted frame. The delivery logic may also provide the encrypted frame to the L2VPN, where the providing includes selectively sending the encrypted frame as one of, a point to point packet, and a multipoint packet.
    Type: Grant
    Filed: December 17, 2008
    Date of Patent: September 18, 2012
    Assignee: Cisco Technology, Inc.
    Inventors: Sudhakar Shenoy, Khalil Jabr, Sridar Kandaswamy, Madhusudanan Manohar, Sandeep Hebbani
  • Patent number: 8266427
    Abstract: In one embodiment, a method comprises receiving by an agent a request from a network node for generation of a secure IPv6 address for use by the network node, the request including a selected subset of parameters selected by the network node and required for generation of the secure IPv6 address according to a prescribed secure address generation procedure, the selected subset including at least a public key owned by the network node; dynamically generating by the agent at least a second of the parameters required for generation of the secure IPv6 address; generating by the agent the secure IPv6 address based on the selected subset and the second of the parameters required for generation of the secure IPv6 address; and outputting, to the network node, an acknowledgment to the request and that includes the secure IPv6 address, and the parameters required for generation of the secure IPv6 address.
    Type: Grant
    Filed: June 8, 2007
    Date of Patent: September 11, 2012
    Assignee: Cisco Technology, Inc.
    Inventors: Pascal Thubert, Eric Michel Levy-Abegnoli, Alpesh S. Patel
  • Patent number: 8266421
    Abstract: Methods and apparatuses for private electronic information exchange are described herein. In one embodiment, when electronic information is received to be delivered to a recipient, the electronic information is transmitted over an electronic network with a private routing address. The private routing address is routable within a private domain, which is a subset of the electronic network. Other methods and apparatuses are also described.
    Type: Grant
    Filed: April 22, 2004
    Date of Patent: September 11, 2012
    Assignee: Privato Security, LLC
    Inventor: George C. Sidman
  • Patent number: 8261065
    Abstract: Disclosed is a method for restricting access of a first code of a plurality of codes and data of a first function from a second function. The method comprises calling the second function by the first function, addresses of the plurality of data may be stored in a stack page and colored in a first color (102). The method comprises performing access control check in a transition page for verifying whether the first function has permission to call the second function (104). Further the method comprises protecting the first code from the second function by coloring the data and/or addresses in a second color (106). Furthermore, the method comprises executing the second function by pushing addresses of the second function on the stack page, the addresses of the second function colored in a third color (108) and unprotecting the first code by coloring the addresses of the first code in the first color (110).
    Type: Grant
    Filed: June 28, 2007
    Date of Patent: September 4, 2012
    Assignee: Intel Corporation
    Inventors: Uday Savagaonkar, David Durham, Ravi Sahita, Subhash Gutti
  • Patent number: 8261351
    Abstract: Embodiments are directed towards providing protection to DNS servers against DNS flood attacks by causing a requesting device to perform multiple DNS lookup requests for resolving a resource record. A request from a network device for a resolution of a domain name may be received by a device interposed between the requesting network device and a DNS server. Upon receiving the request to resolve the domain name, the interposed device may respond with a CNAME that includes a cookie. The requesting device may then send another request that includes the cookie preceded CNAME. The interposed device may then validate the returned cookie returned in the CNAME and if valid, forward the domain name resolution request on to a DNS server. The response may then be forwarded to the requesting device.
    Type: Grant
    Filed: January 22, 2008
    Date of Patent: September 4, 2012
    Assignee: F5 Networks, Inc.
    Inventors: Peter M. Thornewell, Lisa M. Golden
  • Patent number: 8261055
    Abstract: A first information processing apparatus encrypts data that it receives from a second information processing apparatus, and transmits the data thus encrypted to an external device. The second information processing apparatus transmits the data to the first information processing apparatus according to a data size that results after a data size being necessary for communication of the encrypted data is subtracted from a specified data size.
    Type: Grant
    Filed: June 27, 2007
    Date of Patent: September 4, 2012
    Assignee: Canon Kabushiki Kaisha
    Inventor: Masahiko Sakai
  • Patent number: 8261062
    Abstract: To allow down-level devices to participate in a network controlled by a protocol including CGAs or ECGAs, the CGA or ECGA authentication may be made optional to allow the down-level devices to execute non-CGA or non-ECGA versions of network protocols, while at the same time allowing the use of CGA- and/or ECGA-authenticated versions of the same protocols. To identify non-cryptographic addresses (e.g., non-CGA and non-ECGA), the address bits of a non-CGA or non-ECGA such that the address cannot be or is probably not an encoding of the hash of a public key. In this manner, a receiving node may properly identify the capabilities of the sending node, perform an appropriate authentication of the message containing the non-cryptographic address, and/or prioritize processing of information contained in the message with the non-cryptographic address.
    Type: Grant
    Filed: June 22, 2005
    Date of Patent: September 4, 2012
    Assignee: Microsoft Corporation
    Inventors: Tuomas Aura, Michael Roe
  • Patent number: 8250659
    Abstract: By arranging a redundancy means and a control means upstream from an encryption means which encrypts and decrypts the data to be stored in an external memory, the integrity of data may be ensured when the generation of redundancy information is realized by the redundancy means, and when the generation of a syndrome bit vector indicating any alteration of the data is implemented by the control means. What is preferred is a control matrix constructed from idempotent, thinly populated, circulant square sub-matrices only. By arranging redundancy and control means upstream from the encryption/decryption means, what is achieved is that both errors in the encrypted data and errors of the non-encrypted data may be proven, provided that they have occurred in the data path between the redundancy/control means and the encryption/decryption means.
    Type: Grant
    Filed: June 19, 2006
    Date of Patent: August 21, 2012
    Assignee: Infineon Technologies AG
    Inventors: Berndt Gammel, Rainer Goettfert
  • Patent number: 8249249
    Abstract: A system, method, and computer program for text-based encryption, involves accessing a text file with a plurality of lines of text characters; re-sequencing each of the text characters in the plurality of lines; translating a base representation for each of the text characters by an offset of a base value so that a resulting translated character is printable; inserting a plurality of other characters between each of the translated text characters on each of the lines to form a random character string; inserting a plurality of random numbers of random characters before and after the random character string to output to a resultant file; and including a translated seed with the resultant file.
    Type: Grant
    Filed: March 20, 2008
    Date of Patent: August 21, 2012
    Assignee: Siemens Product Lifecycle Management Software Inc.
    Inventor: Gen Lin
  • Patent number: 8250363
    Abstract: Secret random data is distributed to a plurality of devices to provision them with new one-time pad data for use in interacting with apparatus holding the same one-time pad data. This distribution is effected by provisioning a first device with a block of secret random data that is, or will become, available to the apparatus. Part of the secret random data is then distributed from the first device to one or more other devices in a hierarchical distribution pattern headed by the first device. Each device, other than those at the bottom of the distribution hierarchy, retains part of the secret random data it receives and passes on the remainder. Each device uses that part of the secret random data it has retained to provide the device with new one-time pad data. A method is also provided for tracking service usage based on the distributed one-time pad data.
    Type: Grant
    Filed: July 21, 2006
    Date of Patent: August 21, 2012
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Christopher Tofts, Timothy Paul Spiller, William John Munro, Martin Sadler, Keith Alexander Harrison
  • Patent number: 8239673
    Abstract: A device (200, 2200) for improved security includes a processor (200) and a secure writeable memory (2245) coupled to said processor (200) and including code (2240) to download a loadable security kernel to the processor (200), authenticate the loadable security kernel, and transfer the kernel so that the kernel begins at a predetermined address inside the secure writeable memory (2245) only if the authentication is successful. A process (2400) of manufacturing a target communication device (2310) having a memory space having a secure writable portion (2245) of the memory space, the manufacturing process (2400) using a host machine (2330). The manufacturing process (2400) includes downloading (2540) the loadable security kernel from the host machine (2330) to the memory space at the target (2310). The loadable security kernel has a flashing entry point.
    Type: Grant
    Filed: April 7, 2005
    Date of Patent: August 7, 2012
    Assignee: Texas Instruments Incorporated
    Inventors: Narendar Shankar, Erdal Paksoy, Steven C. Goss
  • Patent number: 8233895
    Abstract: A source device is initially enabled to maintain data synchronization with a host server over a wireless communication network via a first wireless transceiver for user data of an application program associated with a user account. To enable a target device, the source device is operative to establish a programming session with the target device via a second wireless transceiver. During the programming session, the source device causes user account data (e.g. an encryption/decryption key for the data-synchronized communications) for the user account to be transmitted to the target device via the second wireless transceiver. The user data associated with the application program may be transferred from the source device to the target device via a removable memory card such as a secure digital (SD) card.
    Type: Grant
    Filed: November 23, 2010
    Date of Patent: July 31, 2012
    Assignee: Research In Motion Limited
    Inventor: Piotr Konrad Tysowski
  • Patent number: 8230493
    Abstract: In one embodiment, a method can include: (i) receiving an outbound packet in a network device, where the outbound packet includes a packet header; (ii) modifying the outbound packet by adding a service identifier to a cleartext portion of the packet header; (iii) when the outbound packet represents an event boundary, adding an event delimiter to the packet header; and (iv) passing the outbound packet to an encryption process for packaging and transmitting across a tunnel.
    Type: Grant
    Filed: May 2, 2007
    Date of Patent: July 24, 2012
    Assignee: Cisco Technology, Inc.
    Inventors: Kenneth W. Davidson, Louis F. Menditto, Gopal K. Dommety
  • Patent number: 8225083
    Abstract: Techniques for seeding data among client machines, also referred to as boxes herein, are disclosed. To prevent the data distributed among the boxes from being illegitimately accessed or possessed, according to one aspect of the present invention, each box is configured to perform what is referred to herein as a transcription process. In other words, when encrypted data is received, the data is decrypted and then re-encrypted with a key agreeable with a next box configured to receive the data.
    Type: Grant
    Filed: April 11, 2006
    Date of Patent: July 17, 2012
    Assignee: VUDU, Inc.
    Inventors: Prasanna Ganesan, Andrew M. Goodman
  • Patent number: 8209222
    Abstract: Systems and methods are provided for delivering e-mail, typically with time relevant content, to users, whose e-mail addresses are encrypted. Specifically, the e-mails are administered by a host or home server that is transparent to the e-mail addresses of the computers and e-mail clients, that electronic communications are being sent to and received from.
    Type: Grant
    Filed: June 8, 2006
    Date of Patent: June 26, 2012
    Assignee: Adknowledge, Inc.
    Inventor: Arthur G. Esclamada
  • Patent number: 8199915
    Abstract: A wireless system realizes a WOL by including layers for switching security systems with a security level enhanced. The wireless system for activating a terminal through a radio base station from a remote area includes: a monitor device for monitoring the status of power supply of the terminal; and a security switch device for switching the security system of the terminal based on the status by switching to a fixed key security system when the status is changed to power-off and switching to a dynamic key security system when the status is changed to power-on.
    Type: Grant
    Filed: March 3, 2006
    Date of Patent: June 12, 2012
    Assignee: Fujitsu Frontech Limited
    Inventor: Tomoki Shibasaki
  • Patent number: 8194586
    Abstract: Disclosed are a cellular phone terminal having built-in wireless LAN, a cellular phone system and a privacy protection method therefor that enable to prevent leakage of private information (or privacy) of the user of the cellular phone terminal from the communication data when conducting a search for wireless LAN base stations. The cellular phone terminal 10 comprises, in addition to the cellular phone function section 11, a cellular phone network transmitter/receiver section 14, a wireless LAN transmitter/receiver section 13 and a wireless LAN connection control section 12, an SSID•MAC address management section 15 connected to the wireless LAN connection control section 12 and the cellular phone network transmitter/receiver section 14.
    Type: Grant
    Filed: July 31, 2006
    Date of Patent: June 5, 2012
    Assignee: NEC Corporation
    Inventor: Yasuhiro Mizukoshi
  • Patent number: 8196194
    Abstract: In a procedure for delivering streaming media, a Client first requests the media from an Order Server. The Order Server authenticates the Client and sends a ticket to the Client. Then, the Client sends the ticket to a Streaming Server. The Streaming Server checks the ticket for validity and if found valid encrypts the streaming data using a standardized real-time protocol such as the SRTP and transmits the encrypted data to the Client. The Client receives the data and decrypts them. Copyrighted material adapted to streaming can be securely delivered to the Client. The robust protocol used is very well suited for in particular wireless clients and similar devices having a low capacity such as cellular telephones and PDAs.
    Type: Grant
    Filed: September 30, 2010
    Date of Patent: June 5, 2012
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Fredrik Lindholm, Rolf Blom, Karl Norrman, Göran Selander, Mats Näslund
  • Patent number: 8191119
    Abstract: A security policy enables security devices to forward ICE messages. The security policy may use protection tokens to prevent Denial of Service (DoS) attacks. This allows endpoints to use Interactive Connectivity Establishment (ICE) to enable multimedia communications across Network Address Translators (NATs) and other security devices.
    Type: Grant
    Filed: March 6, 2006
    Date of Patent: May 29, 2012
    Assignee: Cisco Technology, Inc.
    Inventors: Daniel G. Wing, Cullen Jennings, Jonathan D. Rosenberg
  • Publication number: 20120130902
    Abstract: A method, a system, and a computer program product are provided for wireless establishment of identity via bi-directional radio-frequency identification (RFID). The method is implemented in a computer infrastructure having computer executable code tangibly embodied on a computer readable storage medium having programming instructions operable for sending device data including at least a username and a password to a transceiver. The method also includes receiving an identifier of an access point in a wireless network from the transceiver, the transceiver sending the device data to the access point via a security server. The device data is sent to the access point based on the identifier of the access point, the access point establishing a secure connection to the computer infrastructure based on the device data received from the transceiver and the computer infrastructure.
    Type: Application
    Filed: November 24, 2010
    Publication date: May 24, 2012
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: John R. DINGLER, Frank C. FISK, Sri RAMANATHAN, Matthew A. TERRY, Matthew B. TREVATHAN
  • Patent number: 8184806
    Abstract: Tables are defined to permit output masking for table look-ups to be carried out to resist power analysis attacks on cryptographic operations. A set of individually defined random values is used to mask each entry in a substitution table, defining a masked substitution table. A mask table is also defined such that the values of each entry, masked with the corresponding random value, is the value of a fixed mask. The masked substitution tables and the mask tables may be used in cryptographic operations to permit the output of table look-ups to be masked, without directly using the fixed mask value in the computations of the cryptographic operations.
    Type: Grant
    Filed: October 25, 2010
    Date of Patent: May 22, 2012
    Assignee: Research In Motion Limited
    Inventor: Catherine Helen Gebotys
  • Publication number: 20120124372
    Abstract: Websites and website users are subject to an increasing array of online threats and attacks. Disclosed herein are, among other things, approaches for protecting websites and website users from online threats. For example, a content server, such as a proxying content delivery network (CDN) server that is delivering content on behalf of an origin server, can modify URLs as they pass through the content server to obscured values that are given to the end-user client browser. The end-user browser can use the obscured URL to obtain content from the content server, but the URL may be valid only for a limited time, and may be invalid for obtaining content from the origin. Hence, information is hidden from the client, making attacks against the website more difficult and frustrating client-end malware that leverages knowledge of browsed URLs.
    Type: Application
    Filed: October 12, 2011
    Publication date: May 17, 2012
    Applicant: AKAMAI TECHNOLOGIES, INC.
    Inventors: John A. Dilley, Andrew B. Ellis, Stephen L. Ludin, John Summers
  • Publication number: 20120117382
    Abstract: A method and system are used to transparently create an encrypted communications channel between a client device and a target device. Audio video communications between the client device and the target device are allowed over the encrypted communications channel once the encrypted communications channel is created. The method comprises: (1) receiving from the client device a request for a network address associated with the target device; (2) determining whether the request is requesting access to a device that accepts an encrypted channel connection with the client device; and (3) depending on the determination made in step (2) providing provisioning information required to initiate the creation of the encrypted communications channel between the client device and the target device such that the encrypted communications channel supports secure audio/video communications transmitted between the two devices.
    Type: Application
    Filed: January 4, 2012
    Publication date: May 10, 2012
    Applicant: VIRNETX, INC.
    Inventors: Victor Larson, Robert Dunham Short, III, Edmond Colby Munger, Michael Williamson
  • Patent number: 8176317
    Abstract: A system and method is provided which allows multicast communications encrypted using IPSec protocol to be received by receivers in a network. In order to allow the receivers to receive the encrypted multicast communication, the address information of the received multicast communication is modified to appear as a unicast communication being transmitted directly to the address of the receiver, such that the receiver may then decrypt the received multicast communication using IPSec decryption capabilities or may, alternatively, forward the received multicast communication in its encrypted state to other devices. The system and method further provide IPSec encryption key delivery to the receiver using an encrypted markup language file. Multiple keys may also be generated for a given IP address of a receiver with each key being generated for a particular multicasting hierarchical classification.
    Type: Grant
    Filed: January 19, 2006
    Date of Patent: May 8, 2012
    Assignee: Helius, Inc.
    Inventors: John K. Thomasson, Neil R. Terry, Matthew M. Davis, Myron L. Mosbarger
  • Publication number: 20120110326
    Abstract: Enhanced cryptographically generated addresses (ECGAs) for MIPv6 incorporate a built-in backward key chain and offer support to bind multiple logically-linked CGAs together. Enhanced CGAs may be used to implement a secure and efficient route optimization (RO) for MIPv6.
    Type: Application
    Filed: December 15, 2010
    Publication date: May 3, 2012
    Applicant: TELEFONAKTIEBOLAGET L M ERICSSON (PUBL)
    Inventor: Angelo Rossi
  • Patent number: 8166307
    Abstract: A document accessible over a network can be registered. A registered document, and the content contained therein, cannot be transmitted undetected over and off of the network. In one embodiment, the invention includes maintaining a plurality of stored signatures, each signature being associated with one of a plurality of registered documents, intercepting an object being transmitted over a network, calculating a set of signatures associated with the intercepted object, and comparing the set of signatures with the plurality of stored signatures. In one embodiment, the invention can further include detecting registered content from the registered document being contained in the intercepted object, if the comparison results in a match of at least one of the signatures in the set of signatures with one or more of the plurality of stored signatures.
    Type: Grant
    Filed: August 31, 2010
    Date of Patent: April 24, 2012
    Assignee: McAfee, Inc.
    Inventors: Ratinder Paul Singh Ahuja, Matthew Howard, Rick Lowe, Erik de la Iglesia, William Deninger
  • Patent number: 8161543
    Abstract: According to one embodiment of the invention, a method for establishing multiple tunnels for each virtual local area network is described. Upon receiving information over a first tunnel associated with a first virtual local area network, a determination is made whether the information is from a network device assigned to a second virtual local area network, which differs from the first virtual local area network. If the network device is a member of the second virtual local area network, a second tunnel associated with the second virtual local area network is created.
    Type: Grant
    Filed: December 22, 2006
    Date of Patent: April 17, 2012
    Assignee: Aruba Networks, Inc.
    Inventor: Brijesh Nambiar
  • Publication number: 20120084559
    Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for authenticating a communications source. In one aspect, a method includes decrypting a symbol that was received over a particular communications channel. The symbol is decrypted using a decryption key that is assigned to a particular endpoint that is assigned the particular communications channel. A measure of error is computed for the decrypted symbol. In turn, a determination is made whether the measure of error exceeds a threshold error measure. If the measure of error does not exceed the threshold error measure the decrypted symbol is identified as a valid symbol transmitted by the particular endpoint, and logged as such.
    Type: Application
    Filed: September 30, 2010
    Publication date: April 5, 2012
    Applicant: HUNT TECHNOLOGIES, LLC
    Inventor: Damian Bonicatto
  • Patent number: 8151349
    Abstract: This disclosure presents a system that uses masking to safely execute native code. This system includes a processing element that executes the native code and a memory which stores code and data for the processing element. The processing element includes a masking mechanism that masks one or more bits of a target address during a control flow transfer to transfer control to a restricted set of aligned byte boundaries in the native code.
    Type: Grant
    Filed: August 29, 2008
    Date of Patent: April 3, 2012
    Assignee: Google Inc.
    Inventors: Bennet S. Yee, J. Bradley Chen, David C. Sehr
  • Patent number: 8145900
    Abstract: This disclosure relates to pairing of a different cryptographic key with each pointer in a data structure to form a crypto-pointer. The cryptographic key is used to encrypt the contents of all data stored at the physical location on the storage device indicated by the pointer. Preferably the only data accessible in an unencrypted form is contained in cells that are reachable from root-set crypto-pointers. Once the crypto-pointer associated with a particular memory cell is deleted, normally by overwriting or explicitly zeroing the crypto-pointer, the contents of the memory cell become inaccessible because the data stored at that cell is in encrypted form (cipher text) and the crypto-pointer that included the cryptographic key for decrypting the cipher text has been deleted from the system.
    Type: Grant
    Filed: February 26, 2007
    Date of Patent: March 27, 2012
    Assignee: Galois, Inc.
    Inventors: John Launchbury, Thomas Nordin
  • Patent number: 8132000
    Abstract: Secure tunneled multicast transmission and reception through a network is provided. A join request may be received from a second tunnel endpoint, the join request indicating a multicast group to be joined. Group keys may be transmitted to the second tunnel endpoint, where the group keys are based at least on the multicast group. A packet received at the first tunnel endpoint may be cryptographically processed to generate an encapsulated payload. A header may be appended to the encapsulated payload to form an encapsulated packet, wherein the header includes information associated with the second tunnel endpoint. A tunnel may be established between the first tunnel endpoint and the second tunnel endpoint based on the appended header. The encapsulated packet may be transmitted through the tunnel to the second tunnel endpoint. The second tunnel endpoint may receive the encapsulated packet. Cryptographic processing of the encapsulated packet may reveal the packet having a second header.
    Type: Grant
    Filed: July 30, 2009
    Date of Patent: March 6, 2012
    Assignee: Juniper Networks, Inc.
    Inventors: Gregory M Lebovitz, Changming Liu, Choung-Yaw Shieh
  • Patent number: 8132008
    Abstract: A security panel includes a processor, memory, and a network interface having a unique MAC address, and is configured to communicate over a network with a server. A method for registering the security panel with the server includes contacting the server utilizing a network address stored in the memory. A dealer ID, a line number, and a unique account number is sent to the server. The dealer ID, the line number, and the unique account number are stored in the memory. An encryption key is received for encryption of additional communication between the security panel and the server. The unique MAC address is sent to the server in an encrypted session to verify the security panel to the server.
    Type: Grant
    Filed: February 12, 2008
    Date of Patent: March 6, 2012
    Assignee: UTC Fire & Security Americas Corporation, Inc.
    Inventors: Gerald B. Fisher, Theodore A. Nesse, Sunil Kumar Neckaraje, Uwe H. Thomanschefsky
  • Patent number: 8131999
    Abstract: An embodiment includes a system with a processing unit and a communication unit. The processing unit is configured: to compute a first reference point of a data point that represents a private data item and has a first distance value to the data point, wherein the first distance value is less than a threshold value, to compute a second reference point of the data point different from the first reference point with a second distance value to the data point, wherein the second distance value is less than the threshold value, and to generate hidden reference points from the reference points. The communication unit is configured to send the hidden reference points and distance values to a system.
    Type: Grant
    Filed: January 28, 2008
    Date of Patent: March 6, 2012
    Assignee: SAP AG
    Inventor: Florian Kerschbaum
  • Patent number: 8127150
    Abstract: In one embodiment, a method is provided that may include encrypting, based at least in part upon at least one key, one or more respective portions of input data to generate one or more respective portions of output data to be stored in one or more locations in storage. The method of this embodiment also may include generating, based at least in part upon the one or more respective portions of the output data, check data to be stored in the storage, and/or selecting the one or more locations in the storage so as to permit the one or more respective portions of the output data to be distributed among two or more storage devices comprised in the storage. Many modifications, variations, and alternatives are possible without departing from this embodiment.
    Type: Grant
    Filed: May 28, 2009
    Date of Patent: February 28, 2012
    Assignee: Intel Corporation
    Inventors: Eshwari P. Komarla, Vincent J. Zimmer, Mallik Bulusu
  • Patent number: 8121294
    Abstract: Disclosed herein are systems, methods and computer-readable media to perform data encryption and decryption using a derivation function to obtain a key per page of data in a white-box environment. The method includes sharing a master key with the sender and receiver, splitting the input data into blocks and sub-blocks, and utilizing a set of keys and a master key to derive a page key. In another aspect of this disclosure, the key validation and shuffling operations are included. This method allows for the derivation of a key instead of storing a predetermined key, thus maintaining system security in a white-box environment.
    Type: Grant
    Filed: October 21, 2008
    Date of Patent: February 21, 2012
    Assignee: Apple Inc.
    Inventors: Mathieu Ciet, Augustin J. Farrugia, Filip Toma Paun
  • Patent number: 8122483
    Abstract: A document file is configured to restrict, without a costly special-purpose terminal or the like, use of document data contained therein, if the document data is taken out of a predetermined location. A document file contains (i) electronic document data, (ii) usage location information indicating one or more usage locations in which use of the electronic document data is less restricted, and (iii) a data management program that causes, when a user requests use of the electronic document data, a computer to request user location information indicating the current location of the user. Under control of the data management program, use of the electronic document data is permitted within a first usage pattern, if the user location is included in the usage locations. If not, use of the electronic document data is prohibited or permitted within a second usage pattern which is more restricted than the first usage pattern.
    Type: Grant
    Filed: December 19, 2007
    Date of Patent: February 21, 2012
    Assignee: Konica Minolta Business Technologies, Inc.
    Inventor: Yoshiyuki Tamai
  • Publication number: 20120042332
    Abstract: The invention relates to a system and computer-implemented method for providing encrypted content to a particular recipient device of a plurality of recipient devices. Copies of one or more content elements of the content are generated. Modified content elements are obtained by modifying one or more of the copies. The content elements, including the one or more modified copies of the content elements, are then stored in a storage. A sequence of content elements representing the content is retrieved from the storage for a particular recipient device of the plurality of recipient devices by selecting a particular modified copy for substantially each content element for which modified copies are available. The sequence of content elements is then encrypted for that particular recipient device. The encrypted sequence of content elements representing the encrypted content is sent to the particular recipient device.
    Type: Application
    Filed: August 11, 2010
    Publication date: February 16, 2012
    Inventor: Andrew Augustine Wajs
  • Publication number: 20120030462
    Abstract: A method for encrypting electronic files includes: receiving a request signal consisting of an IP address of a receiver and information about a desired electronic file; obtaining a function and the desired electronic file from a storage unit, and starting to time; obtaining a timing length when the electronic file has been obtained completely; substituting the timing length into the function to obtain an encryption key via an encryption module; and encrypting the electronic file using the encryption key.
    Type: Application
    Filed: October 29, 2010
    Publication date: February 2, 2012
    Applicants: HON HAI PRECISION INDUSTRY CO., LTD., FU TAI HUA INDUSTRY (SHENZHEN) CO., LTD.
    Inventor: WEN SHU
  • Patent number: 8077863
    Abstract: A secret sharing apparatus according to the present invention is based on a (k,n)-threshold scheme with a threshold of at least 4 but is still operational with a threshold of at least 2. The secret sharing apparatus generates a generator matrix (G) of GF(2) in which any k of n column vectors are at a full rank, divides secret information into n-1 pieces to generate divided secret data (K(1), . . . , K(n-1)), generates random data (U(0,1), . . . , U(k-2,n-1)), calculates the product of matrixes of the divided secret data, the random data, and the generator matrix (G), assigns the j×(n-1)+ith column of the calculation result to sharing partial data (D(j,i)) to calculate sharing partial data (D(j,1)), generates header information (H(j)), and individually distributes n pieces of sharing information (D(0), . . . , D(n-1)) made up of the header information (H(j)) and sharing partial data (D(j,i)) to n storage apparatuses.
    Type: Grant
    Filed: March 19, 2008
    Date of Patent: December 13, 2011
    Assignees: Kabushiki Kaisha Toshiba, Toshiba Solutions Corporation
    Inventors: Norikazu Hosaka, Yoshihiro Fujii, Minako Tada, Takehisa Kato
  • Patent number: 8074068
    Abstract: A secret sharing device of (k, n) threshold scheme creates a generator matrix G, first divided secret data, and random number data, calculates shared partial data based on the product of matrices with the random number data, the divided secret data, and the generator matrix G, and delivers the shared information formed by the shared partial data and the header information individually to the storage units. The secret sharing device calculates a recovery matrix and multiplies the shared information by the recovery matrix, hence to recover the secret information.
    Type: Grant
    Filed: May 2, 2008
    Date of Patent: December 6, 2011
    Assignees: Kabushiki Kaisha Toshiba, Toshiba Solutions Corporation
    Inventors: Yoshihiro Fujii, Norikazu Hosaka, Minako Tada, Takehisa Kato
  • Publication number: 20110296174
    Abstract: A communication apparatus that stores at least one address of transmission destination and at least one file to be transmitted that are obtained from an external device via an interface into a memory, determines whether a password for encrypting a transmission file is obtained by using a controller when receiving a file transmission instruction, and when obtaining the password, encrypts the transmission file by using the obtained password and transmits the encrypted transmission file to a transmission destination terminal.
    Type: Application
    Filed: May 5, 2011
    Publication date: December 1, 2011
    Applicants: TOSHIBA TEC KABUSHIKI KAISHA, KABUSHIKI KAISHA TOSHIBA
    Inventor: Fumiharu Nakayama
  • Patent number: 8068609
    Abstract: The device tracking location adherence and route adherence technology, according to an exemplary embodiment of this invention, at least provides for secure message reception from a remote device. The present invention allows for secure data transmission between a remote device and while employing a small amount of bandwidth thereby providing a cost-effective data transmission system. This is especially advantageous where a fleet of remote devices is employed within a network.
    Type: Grant
    Filed: December 31, 2008
    Date of Patent: November 29, 2011
    Assignee: Verizon Business Global LLC
    Inventors: Gagan Puranik, Laymon Scott Humphries
  • Patent number: 8065534
    Abstract: A state store having state information therein is stored on a computing device. Information at least nearly unique to the computing device is obtained, and a number of locations at which at least a portion of the state store is to be stored at is determined. Pseudo-random file names and corresponding paths are generated based at least in part on the obtained information, whereby the generated file names and corresponding paths are likewise at least nearly unique to the computing device, and the generated file names and path are paired to form the locations. Thereafter, the state store is stored according to the generated locations.
    Type: Grant
    Filed: June 21, 2010
    Date of Patent: November 22, 2011
    Assignee: Microsoft Corporation
    Inventors: Xiaoxi Tan, Caglar Gunyakti, Yue Liu, Karan S. Dhillon, Kristian E. Hatlelid
  • Patent number: 8065520
    Abstract: An embodiment of the invention includes a secure server. A user at a terminal, communicatively coupled to the secure server by a secure link, can obtain web pages from web sites in a network, in encrypted form, via the secure link. Addresses associated with the web pages are altered to make it appear as if the web pages come from the secure server rather than from the web sites. Spoofing units may be used as alternative access points to the secure server, with the secure server sending the requested web pages directly to the terminal. In general, address rewriting and other manipulation can be performed on the requested web pages, such that the true sources of the web pages are disguised and such that subsequent communications from the terminal are directed to the secure server and/or spoofing unit, rather than to the true source of the web pages. Components of the user's privacy may be sold, or advertisements may be provided, in exchange for protection of the user's identity.
    Type: Grant
    Filed: February 27, 2009
    Date of Patent: November 22, 2011
    Assignee: Symantec Corporation
    Inventors: Stephen Dao Hui Hsu, James Noshir Hormuzdiar, Jon A Chun
  • Patent number: 8060629
    Abstract: A system for managing information requests comprises a header data library accessible by a processor. The system also comprises a security module accessible by the processor. The security module is adapted to receive a request for information from a client where the request comprises header data and direct the request to a server if the request header data corresponds to the library header data.
    Type: Grant
    Filed: May 30, 2002
    Date of Patent: November 15, 2011
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventor: Neal A. Krawetz
  • Patent number: 8045713
    Abstract: A method and apparatus is provided for consolidating cryptographic key updates, the consolidated update information enabling, for example, a returning member of a secure group who has been offline, to recover the current group key, at least in most cases. The unconsolidated key updates each comprise an encrypted key, corresponding to a node of a key hierarchy, that has been encrypted using a key which is a descendant of that node. The key updates are used to maintain a key tree with nodes in this tree corresponding to nodes in the key hierarchy. Each node of the key tree is used to store, for each encrypting key used in respect of the encrypted key associated with the node, the most up-to-date version of the encrypted key with any earlier versions being discarded. The key tree, or a subset of the tree, is then provided to group members.
    Type: Grant
    Filed: March 30, 2004
    Date of Patent: October 25, 2011
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Antonio Lain, Viacheslav Borisov
  • Patent number: 8046578
    Abstract: A system and method for granting access to a computer network. The method may include, for example, receiving at an access controller a request by a user to access the network using a computing device; providing the user with the option to retrieve a login page if authentication is required prior to network access being granted; using the access controller to verify user credentials provided by the user on the login page, the using the access controller to verify user credentials comprising: comparing a source IP address of a transmission control protocol connection request with a locally defined list of authorized user credentials stored in the access controller; and determining whether a White List associated with the access controller comprises a destination IP address; and granting the user access to the network if the user credentials are verified.
    Type: Grant
    Filed: April 14, 2005
    Date of Patent: October 25, 2011
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Pierre Trudeau, Gilbert Moineau
  • Patent number: 8037531
    Abstract: A dynamic network security system and a control method thereof in a router where an Intrusion Detection System (IDS) and a Voice over Internet Protocol Application Level Gateway (VoIP ALG) are integrated, system including: a VoIP ALG module for acquiring VoIP IP/port information of a counterpart unit in use for determining whether or not to perform intrusion detection on a packet received via VoIP signaling with the counterpart unit; an intrusion detection module for comparing the received packet with a preset intrusion detection log entry to perform intrusion detection on the received packet, and based on a result of the intrusion detection, determining whether or not to allow passage of the received packet; and an IP/port check module for checking VoIP IP/port information of the received packet according to the VoIP IP/port information of the counterpart unit provided from the VoIP ALG module to determine whether or not to perform the intrusion detection, and providing result information on the determinatio
    Type: Grant
    Filed: December 7, 2006
    Date of Patent: October 11, 2011
    Assignee: Samsung Electronics Co., Ltd.
    Inventor: Eung-Moon Yeom
  • Patent number: 8037302
    Abstract: The method for ensuring secure forwarding of a message is performed in a telecommunication network that has at least one terminal from which the message is sent and at least one other terminal to which the message is sent. One or more secure connections are established between different addresses of the first terminal and an address of the other terminal. The connections define at least said addresses of the two terminals. When the first terminal moves from one address to another address, a secure connection, whose endpoints are the new address of the first terminal and the address of the other terminal, is registered to be at least one of the active connections.
    Type: Grant
    Filed: September 27, 2002
    Date of Patent: October 11, 2011
    Assignee: Mobility Patent Holding MPH Oy
    Inventors: Sami Vaarala, Antti Nuopponen, Panu Pietikainen
  • Patent number: 8037530
    Abstract: A translator is provided for translating predetermined portions of packet header information including an address of a data packet according to a cipher algorithm keyed by a cipher key derived by a key exchanger. A mapping device is also provided for mapping the address to a host table stored in memory. If the address does not match an entry in the host table, a security device is triggered.
    Type: Grant
    Filed: August 10, 2001
    Date of Patent: October 11, 2011
    Assignees: Verizon Corporate Services Group Inc., Raytheon BBN Technologies Corp.
    Inventors: Russell Andrew Fink, Matthew Aloysius Brannigan, Shelby Alana Evans, Aswin Morgan Almeida