Having Particular Address Related Cryptography Patents (Class 713/162)
  • Patent number: 8037303
    Abstract: A method is provided for securely transmitting multicast data across an unsecured public network. Such a method includes receiving a join message identifying at least one private multicast group; mapping the private multicast group to a public multicast group; generating a membership report specifying the public multicast group; and sending the membership report to the unsecured network. Additionally, the method may further comprise creating a secure tunnel through the unsecured network to a network element coupled; generating an encrypted control message specifying the private multicast group; and sending the encrypted control message through the secure tunnel to the network element.
    Type: Grant
    Filed: March 13, 2006
    Date of Patent: October 11, 2011
    Assignee: Cisco Technology, Inc.
    Inventor: Gary Beau Williamson
  • Patent number: 8024488
    Abstract: A system verifies configuration of a device within a network via an exchange of verification credentials, which are requested, received and authenticated. The verification credentials indicate that a configuration of the device was acceptable at the time of creation of the verification credentials for that device. The verification credentials of the device are obtained through a certifying process. During the certifying process, the credential certifier receives a current device configuration of the device in the network, and evaluates the current device configuration of a device with respect to its role within a network. The verification credentials are issued to the requesting device and stored within a database. The device submits its verification credentials when requested by the peer it is communicating with upon entering the network. It also monitors the current device configuration and, if there are changes, invalidates the existing certification credentials and requests new ones.
    Type: Grant
    Filed: March 2, 2005
    Date of Patent: September 20, 2011
    Assignee: Cisco Technology, Inc.
    Inventors: Joseph A. Salowey, Hao Zhou
  • Patent number: 8010798
    Abstract: A computer system configured to authenticate a user and to power-up in response to a single action by the user is described. In particular, the computer system includes a user verification device which interacts with the user. In an embodiment, the user verification device includes a biometric sensor which captures biometric data from the user. The biometric data can be of any type. The user verification device is configured to capture biometric data in response to an action by the user desiring access to the computer system. The user verification device can have a button-shape for receiving the finger, thumb, or any other part of the user.
    Type: Grant
    Filed: September 13, 2006
    Date of Patent: August 30, 2011
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventor: Steve Lemke
  • Publication number: 20110202760
    Abstract: A data transmission and reception method for ensuring privacy and security and a method for identifying a Mobile Station (MS), while ensuring the location privacy of the MS in a wireless access system are disclosed. The MS identification method includes transmitting a ranging request message including a hashed Medium Access Control (MAC) address to a Base Station (BS), for initial ranging, and receiving a ranging response message including a temporary station Identifier (ID) from the BS. The temporary station ID is used to provide security to a MAC address or station ID by which the BS uniquely identifies the MS.
    Type: Application
    Filed: November 3, 2009
    Publication date: August 18, 2011
    Inventors: Gene Beck Hahn, Ki Seon Ryu
  • Patent number: 7995750
    Abstract: A system for contributing to a concatenation of a first string and a second string may include a communication unit to receive an encrypted representation of a second share of the second string, the second string being identical to the second share of the second string combined with a first share of the second string and to send a rearranged representation of the encrypted representation of the second share of the second string to a second system. The system may further include a processing unit to rearrange a representation of the encrypted representation of the second share of the second string using a length value of a first share of the first string, the first string being identical to the first share of the first string combined with a second share of the first string.
    Type: Grant
    Filed: July 6, 2006
    Date of Patent: August 9, 2011
    Assignee: SAP AG
    Inventors: Florian Kerschbaum, Luciana Moreira Sa de Souza
  • Patent number: 7996670
    Abstract: Provided is an architecture for a cryptography accelerator chip that allows significant performance improvements over previous prior art designs. In various embodiments, the architecture enables parallel processing of packets through a plurality of cryptography engines and includes a classification engine configured to efficiently process encryption/decryption of data packets. Cryptography acceleration chips built in accordance with the architecture may be incorporated on network line cards or service modules and used in applications as diverse as connecting a single computer to a WAN, to large corporate networks, to networks servicing wide geographic areas (e.g., cities). The present invention provides improved performance over the prior art designs, with much reduced local memory requirements, in some cases requiring no additional external memory. In some embodiments, the present invention enables sustained full duplex Gigabit rate security processing of IPSec protocol data packets.
    Type: Grant
    Filed: July 6, 2000
    Date of Patent: August 9, 2011
    Assignee: Broadcom Corporation
    Inventors: Suresh Krishna, Christopher Owen, Derrick C. Lin, Joseph J. Tardo, Patrick Law, Phillip Norman Smith
  • Patent number: 7986773
    Abstract: In one embodiment, a method includes initiating an interactive voice response (IVR) session with a user over an IP network, identifying an imminent secure session event, and initiating an encrypted mode for the IVR session.
    Type: Grant
    Filed: August 29, 2006
    Date of Patent: July 26, 2011
    Assignee: Cisco Technology, Inc.
    Inventors: Soumya K. Kalahasti, Parameswaran Kumarasamy, Prasad Miriyala
  • Patent number: 7986780
    Abstract: A system to contribute to creating a substring of a string may include a communication unit and a processing unit. The communication unit may be configured to receive an encrypted representation of a second share of the string. The string may be identical to the second share of the string combined with a first share of the string. The communication unit may be configured to send a rearranged representation of the encrypted representation of the second share of the string to a further system. The processing unit may be configured to rearrange a representation of the encrypted representation of the second share of the string using a first share of a start value of the substring. The start value may be identical to the first share of the start value added to a second share of the start value.
    Type: Grant
    Filed: July 6, 2006
    Date of Patent: July 26, 2011
    Assignee: SAP AG
    Inventors: Florian Kerschbaum, Luciana Moreira Sa de Souza
  • Patent number: 7984293
    Abstract: A Personal Computer Memory Card International Association (PCMCIA) card may establish, via a non-secure network, a secure communications channel between a computer and a secure network. The non-secure network may define a first address space. The secure network may define a second address space. The PCMCIA card may include a cryptography module, a network adapter, and/or a processor. The cryptography module may provide Type 1 cryptography of data communicated between the computer and the secure network. The network adapter may be in communication with the non-secure network and may be associated with a first network address from the first address space. The processor may be in communication with the secure network via the cryptography module and the network adapter. The processor may identify a second network address for the computer from the second address space and may communicate the second network address to the computer, for example via dynamic host control protocol (DHCP).
    Type: Grant
    Filed: July 13, 2007
    Date of Patent: July 19, 2011
    Assignee: L3 Communications Corporation
    Inventor: Richard Norman Winslow
  • Patent number: 7978858
    Abstract: A network communication system has terminal devices belonging to a group, the terminal devices generating, if there is a leaving terminal device leaving from the group, an updated group encryption key corresponding to a new group encryption key, from a deletion key corresponding to the leaving terminal device and a group encryption key, and, after the leaving terminal device leaves the group, communicating by using the updated group encryption key; and a group management server generating the updated group encryption key corresponding to the new group encryption key from the deletion key corresponding to the leaving terminal device and the group encryption key, and, after the leaving terminal device leaves the group, communicating by using the updated group encryption key.
    Type: Grant
    Filed: March 31, 2008
    Date of Patent: July 12, 2011
    Assignee: Kabushiki Kaisha Toshiba
    Inventors: Ikuko Osajima, Nobuyuki Ikeda, Akira Suzuki, Shinji Ogishima
  • Patent number: 7975137
    Abstract: A method, a system, and a computer program product for access control using resource filters for a strict separation of application and security logic are described. The computer-implemented method for access control may include receiving at least one access request to at least one resource from an application; providing a resource hierarchy for the at least one resource, the resource having at least one resource class, wherein the resource hierarchy is defined in a single resource; providing a policy comprising at least one access control rule for accessing at least one element of the at least one resource class; verifying the at least one access request based on the policy through an authorization service; and processing the at least one access request through a service interface.
    Type: Grant
    Filed: January 18, 2008
    Date of Patent: July 5, 2011
    Assignee: SAP AG
    Inventor: Maarten Rits
  • Publication number: 20110161665
    Abstract: A method of enabling host devices having an IPsec policy to communicate with one another via an IPv6 communication network, which includes the following steps: extracting a Media Access Control identifier (MAC ID) for a target host from a security policy for an IPv6 address for the target host; searching for the MAC ID of the target host in an Address Resolution Protocol (ARP) table on a source host; upon locating the MAC ID of the target host, creating a temporal neighbor cache entry in a neighbor cache table for the target host; and enabling a security association between the source host and the target host based on the temporal neighbor entry in the neighbor cache table, which allows IPv6 communications to be exchanged between the target host and the source host.
    Type: Application
    Filed: December 30, 2009
    Publication date: June 30, 2011
    Applicant: Konica Minolta Systems Laboratory, Inc.
    Inventor: Maria PEREZ
  • Patent number: 7970655
    Abstract: Methods and apparatus are described which provide secure interactive communication of text and image information between a central server computer and one or more client computers located at remote sites for the purpose of storing and retrieving files describing and identifying unique products, services, or individuals. A feature of the system is the ability to associate an identification image with a plurality of accounts, transactions, or records and identify a user not physically present at the client computer. Textual information and image data from one or more of the remote sites are stored separately at the location of the central server computer, requests for information are entered from remote terminals, the system being able to respond to multiple user requests simultaneously, and the information requested is recalled and downloaded for review to be displayed at the remote site.
    Type: Grant
    Filed: July 26, 2006
    Date of Patent: June 28, 2011
    Inventor: Barry Schwab
  • Patent number: 7970936
    Abstract: Simplifying any cumbersome URLs that are made public. The conversion that simplifies cumbersome URLs is performed by Web service providers for appropriate fees. Accordingly, the converted URL will have a new domain portion, i.e. the Web service provider's domain, along with a simplified path portion defining a path within the Web service provider's domain that points to the original URL, stored within the service provider. Within the service provider, URLs of said accessed Web documents are converted to include a domain section specifying the service provider's domain and a path portion within said service provider's domain that is simpler than the original URL path portion. The path portion in the converted URL is usually shorter than the path portion in the original URL.
    Type: Grant
    Filed: June 26, 2003
    Date of Patent: June 28, 2011
    Assignee: International Business Machines Corporation
    Inventors: Timothy Alan Dietz, Walid M. Kobrosly, Nadeem Malik
  • Patent number: 7962743
    Abstract: Various embodiments of the disclosed subject matter provide methods and systems for improved efficiency and security in spoke-to-spoke network communication. Embodiments provide systems and methods for registering a spoke with a hub, updating a hub registration table with spoke registration information, sending the updated hub registration table to a plurality of registered spokes, using the updated hub registration table at a sending spoke to encrypt traffic to be sent to another spoke, and using the updated hub registration table at a receiving spoke to decrypt traffic received from another spoke.
    Type: Grant
    Filed: May 22, 2006
    Date of Patent: June 14, 2011
    Assignee: Cisco Technology, Inc.
    Inventor: Scott Fluhrer
  • Patent number: 7958356
    Abstract: A system and method securely establishes a shared secret among nodes of a security appliance. The shared secret is established by distributing private keys among the nodes in accordance with a node ring protocol that uses a predetermined encryption algorithm to generate messages containing the keys. Briefly, each node is initially notified as to the number of nodes participating in the shared secret establishment. Each node generates a public-private key-pair, as well as a first message that includes the generated public key and an indication of the source of the generated public key (hereinafter “source generated public key”). The node then sends the first message to an adjacent node of the appliance. Upon receiving the first message, each node extracts the source generated public key from the message and stores the extracted information into a data structure of “partner” public keys.
    Type: Grant
    Filed: September 29, 2006
    Date of Patent: June 7, 2011
    Assignee: NetApp, Inc.
    Inventors: Ananthan Subramanian, Robert Jan Sussland, Lawrence Wen-Hao Chang
  • Patent number: 7954163
    Abstract: A method and apparatus for providing network security using role-based access control is disclosed. A network device implementing such a method can include, for example, an access control list. Such an access control list includes an access control list entry, which, in turn, includes a user group field. Alternatively, a network device implementing such a method can include, for example, a forwarding table that includes a plurality of forwarding table entries. In such a case, at least one of the forwarding table entries includes a user group field.
    Type: Grant
    Filed: May 5, 2009
    Date of Patent: May 31, 2011
    Assignee: Cisco Technology, Inc.
    Inventor: Michael R. Smith
  • Patent number: 7953974
    Abstract: The present invention is an authentication method for disclosing identification data of an object and authenticating a referral when data of the object corresponding to that identification data is referred to based on the identification data. The method can associate a tag device with data of a referring entity and authenticate that the data of the tag device is referred to by a proper referring entity. A third value is generated by conducting a predetermined calculation with a temporary first value, indicating the most recent referral to the identification data of the object, and a temporary reference second value issued to the referring entity of the identification data for each referral; the relationship between the object and the referring entity is then authenticated by verifying the third value.
    Type: Grant
    Filed: July 19, 2007
    Date of Patent: May 31, 2011
    Assignee: Fujitsu Limited
    Inventors: Shinya Yamamura, Yoshiharu Sato, Katsunori Iwamoto
  • Patent number: 7949878
    Abstract: A method for providing a time stamp by using a tamper-proof time signal via a telecommunications network includes the steps of: receiving, at a central system, a request from a network user for a time signal. The time signal is encrypted by the central system with at least one key. The encrypted time signal is transmitted to the network user via the telecommunications network. The network user is provided with the same at least one key. At the central system and the network user, the at least one key is synchronously generated.
    Type: Grant
    Filed: December 19, 2003
    Date of Patent: May 24, 2011
    Assignee: Deutsche Telekom AG
    Inventor: Marian Trinkel
  • Patent number: 7940930
    Abstract: A system for scrambling/descrambling packets of a stream of content, each packet having a must stay clear (MSC) section, the system including an input handler including a receiving module to receive the stream, a characteristic analyzer to analyze the stream in order to determine a data independent characteristic of each packet, and a scrambling/descrambling device operationally associated with the input handler, the scrambling/descrambling device including a receiving module to receive the data independent characteristic for each packet from the input handler, and an Initial Value module to determine an Initial Value for each packet as a function of the data independent characteristic of one of the packets being processed, wherein the scrambling/descrambling device is adapted to scramble and/or descramble the packets based on the Initial Value and a Control Word. Related apparatus and methods are included.
    Type: Grant
    Filed: March 22, 2006
    Date of Patent: May 10, 2011
    Assignee: NDS Limited
    Inventors: Chaim Shen-Orr, Eliphaz Hibshoosh, Yaacov Belenky, Yaakov (Jordan) Levy
  • Publication number: 20110099370
    Abstract: A method, apparatus, and system for processing a Dynamic Host Configuration Protocol (DHCP) message are disclosed. The method includes: receiving a DHCP message, where the source address of the DHCP message is a Cryptographically Generated Address (CGA) and a signature of the DHCP message sender is carried in the DHCP message; verifying the CGA and the signature; and processing a payload of the DHCP message after the verification of the CGA and the signature succeeds. The CGA and the signature are verified in the embodiment of the present invention, thus improving the security of DHCPv6 and simplifying key management because the public key is public. In addition, because the lifetime of the public key is long, configuration on the DHCP server and/or the network client is convenient.
    Type: Application
    Filed: November 30, 2010
    Publication date: April 28, 2011
    Applicant: HUAWEI TECHNOLOGIES CO., LTD.
    Inventors: Shuo Shen, Sheng Jiang
  • Patent number: 7929689
    Abstract: A method of generating a call sign comprising determining a distinguished qualifier, finding a distinguished salt, and hashing the distinguished salt with the distinguished qualifier.
    Type: Grant
    Filed: June 30, 2004
    Date of Patent: April 19, 2011
    Assignee: Microsoft Corporation
    Inventors: Christian François Huitema, Josh D. Benaloh, Kim Cameron
  • Patent number: 7926104
    Abstract: Methods and systems for detection and/or prevention of network attacks can include the use of multiple and/or time-dependent addresses coupled with filtering by the directory or naming service. The directory service can respond to requests for the address of a resource by returning an address that can be relocated over time by coordinating the directory service entry with the host and network address configuration data and/or by returning an address specific to the requestor. Thus, the directory service can track and build profiles of matches between requestors and accesses. The methods and systems can use the time dependent addresses and profiles to distinguish legitimate accesses from unauthorized or malicious ones. Requests for non-valid addresses can be misdirected to “empty” addresses or to detection devices.
    Type: Grant
    Filed: April 16, 2004
    Date of Patent: April 12, 2011
    Assignee: Verizon Corporate Services Group Inc.
    Inventors: Ravi Sundaram, Walter C. Milliken
  • Patent number: 7926100
    Abstract: A method for preventing unauthorized connection in a network system mainly includes adding an authentication key to the LLDP (link layer discovery protocol) packets transmitted in accordance with the 802.1ab communication protocol, so as to provide a security mechanism within the structure of the 802.1ab communication protocol. The method for preventing unauthorized connection includes receiving, at a first network device in a network system, an LLDP packet satisfying the 802.1ab communication protocol transmitted from a second network device; analyzing the LLDP packet and checking whether the LLDP packet contains a legitimate authentication key; and, if the authentication key does not exist or is illegitimate, blocking all packets transmitted from the second network device so as to prevent the unauthorized second network device from using the network transmission service provided by the first network device.
    Type: Grant
    Filed: May 11, 2007
    Date of Patent: April 12, 2011
    Assignee: Cameo Communications Inc.
    Inventors: Shih Ching Lee, Pei Chuan Liu
  • Patent number: 7925026
    Abstract: Systems and methods for providing autonomous security are configured to modify an original header associated with an original data packet wherein key information is added; encrypt original data associated with the original data packet in response to the key information; and form an encrypted data packet including the modified header and the encrypted data, wherein the encrypted data packet is a same size as the original data packet.
    Type: Grant
    Filed: October 14, 2008
    Date of Patent: April 12, 2011
    Inventor: Alex I. Alten
  • Patent number: 7925025
    Abstract: A tree is used to partition stateless receivers in a broadcast content encryption system into subsets. Two different methods of partitioning are disclosed. When a set of revoked receivers is identified, the revoked receivers define a relatively small cover of the non-revoked receivers by disjoint subsets. Subset keys associated with the subsets are then used to encrypt a session key that in turn is used to encrypt the broadcast content. Only non-revoked receivers can decrypt the session key and, hence, the content.
    Type: Grant
    Filed: April 2, 2008
    Date of Patent: April 12, 2011
    Assignee: International Business Machines Corporation
    Inventors: Jeffrey Bruce Lotspiech, Dalit Naor, Simeon Naor
  • Patent number: 7921285
    Abstract: Embodiments of the invention reduce the probability of success of a DOS attack on a node receiving packets by decreasing the probability of random collisions of packets sent by a malicious user with those sent by honest users. The probability of random collisions may be reduced in one class of embodiments of the invention by supplementing the identification field of the IP header of each transmitted packet with at least one bit from another field of the header. The probability of random collisions may be reduced in another class of embodiments of the invention by ensuring that packets sent from a transmitting IPsec node to a receiving IPsec node are not fragmented.
    Type: Grant
    Filed: November 14, 2003
    Date of Patent: April 5, 2011
    Assignees: Verizon Corporate Services Group Inc., Raytheon BBN Technologies Corp.
    Inventors: Craig Partridge, Walter Clark Milliken, David Patrick Mankins
  • Patent number: 7921453
    Abstract: Embodiments of the present invention provide apparatuses, methods, and systems for authenticated distributed detection and inference. In various embodiments, an apparatus comprises an interface configured to communicatively couple a node hosting the apparatus to a network, and a distributed detection and inference (DDI) agent coupled to the interface and configured to receive, via the interface, DDI collaboration parameters from an authentication node. Other embodiments may be described and claimed.
    Type: Grant
    Filed: December 22, 2006
    Date of Patent: April 5, 2011
    Assignee: Intel Corporation
    Inventors: John Mark Agosta, Hormuzd Khosravi
  • Patent number: 7920700
    Abstract: A method of processing data from a file includes obtaining a first portion of the file, encrypting the first portion of the file to create a first encrypted portion, obtaining a second portion of the file, encrypting the second portion of the file to create a second encrypted portion, and storing the first and second encrypted portions such that each of the first and the second encrypted portions can be individually accessed. A method of processing data from a file includes receiving a request to access a first portion of the file, wherein data in the first portion of the file is encrypted, and data in a second portion of the file is encrypted, and decrypting the data in the first portion, and not the data in the second portion.
    Type: Grant
    Filed: October 19, 2006
    Date of Patent: April 5, 2011
    Assignee: Oracle International Corporation
    Inventors: Dheeraj Pandey, Bharath Aleti, Joy Forsythe, Amit Ganesh
  • Patent number: 7917946
    Abstract: In a procedure for delivering streaming media, a Client first requests the media from an Order Server. The Order Server authenticates the Client and sends a ticket to the Client. Then, the Client sends the ticket to a Streaming Server. The Streaming Server checks the ticket for validity and, if it is found valid, encrypts the streaming data using a standardized real-time protocol such as SRTP and transmits the encrypted data to the Client. The Client receives the data and decrypts it. Copyrighted material adapted to streaming can be securely delivered to the Client. The robust protocol used is particularly well suited for wireless clients and similar low-capacity devices such as cellular telephones and PDAs.
    Type: Grant
    Filed: April 10, 2002
    Date of Patent: March 29, 2011
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Fredrik Lindholm, Rolf Blom, Karl Norrman, Göran Selander, Mats Näslund
  • Patent number: 7913082
    Abstract: A method for authenticating address ownership using a Care-of Address (CoA) binding protocol, the method includes a comparison of two hash-function-processed result values, i.e., a first hash-function-processed result value transmitted from a home agent, the first hash-function-processed result value encrypted by a public key of a correspondent node and decrypted by a secret key of the correspondent node, and a second hash-function-processed result value piggybacked in a binding update message transmitted from a mobile node. The hash-function-processed result values are obtained by applying hash functions to a care-of address of a mobile node to be used in a foreign link, a random number generated by a home agent and a secret key shared by the home agent and the mobile node.
    Type: Grant
    Filed: January 5, 2005
    Date of Patent: March 22, 2011
    Assignee: Samsung Electronics Co., Ltd.
    Inventor: Byoung-Chul Kim
  • Publication number: 20110066850
    Abstract: A system for broadcasting multiple public identities corresponding to the same apparatus. For example, each public identity may correspond to different operational environments, while none of the public identities disclose a private identity that uniquely and permanently identifies the apparatus. This allows apparatuses to keep their unique identity a secret while still being able to communicate with other apparatuses in various environments.
    Type: Application
    Filed: September 11, 2009
    Publication date: March 17, 2011
    Applicant: NOKIA CORPORATION
    Inventor: Jan-Erik EKBERG
  • Patent number: 7908475
    Abstract: Session Inter-Device (SID) mobility networks (50, 100, 150) are described in which a seamless transfer of a communication session from a first device (56, 106, 116) to a second device (66, 116, 166) can be achieved without interrupting the active session. According to the SID mobility network (50), the transfer can be accomplished by transferring away from the Transferring Node or first device (56) the IP address associated with the active session (58) so that the network (50) will route the session to the desired Target Node or second device (66). The Transferring Node (56) transfers its IP address (58) to the Agent (60) and stops requesting data packets addressed to its IP address (58). The Agent (60) then begins to request and eventually receive the packets addressed to the Transferring Node's IP address (58). The Agent (60) then transfers the packets to the Target Node (66).
    Type: Grant
    Filed: March 13, 2007
    Date of Patent: March 15, 2011
    Assignee: General Instrument Corporation
    Inventors: Aaron M. Smith, Jeffrey T. Eschbach, Senaka Balasuriya, Jie Weng, Walter Johnson
  • Publication number: 20110055551
    Abstract: A method for generating a cryptographically generated address (CGA) comprises steps of: generating, in a network node located on a communication path between a first node and a second node, the network node having unique information of the first node, a cryptographically generated address (CGA) for the first node using the unique information of the first node; and assigning the CGA to the first node. The network node further comprises a generator of CGA for the first node using the unique information of the first node, and an output for assigning the CGA to the first node.
    Type: Application
    Filed: August 27, 2009
    Publication date: March 3, 2011
    Applicant: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
    Inventor: Desire Oulai
  • Patent number: 7900249
    Abstract: A system, method and apparatus for securing communications between a trusted network and an untrusted network are disclosed. A perimeter client is deployed within the trusted network and communicates over a session multiplexing enabled protocol with a perimeter server deployed within a demilitarized zone network. The perimeter client presents make-available requests and communication initiation requests to the perimeter server, which presents corresponding sockets to the untrusted network. The session multiplexing capabilities of the protocol used between the perimeter server and perimeter client permit a single communication session between them to support a plurality of communication sessions between the perimeter server and the untrusted network. In the event data flows across the communication sessions are encrypted, decryption of the data flows is left to the components at the end points of the communication session, thereby restricting exposure of privileged information to areas within trusted networks.
    Type: Grant
    Filed: October 23, 2008
    Date of Patent: March 1, 2011
    Assignee: Sterling Commerce, Inc.
    Inventors: Bill Burcham, Sanjay Cherian, Darron Shaffer
  • Patent number: 7895648
    Abstract: An end machine (connected to one end of a secure connection) may reliably continue to use the security association (SA) even if the self_address (usually the address of the interface) of the end machine changes. The end machine includes the new IP address in the payload of a packet (e.g., an address update message) sent to another end machine at the other end of the connection. The payload can be encrypted and authenticated to avoid third party attacks. As a result, connectivity can be restored for user applications reliably and quickly without requiring substantial computations and/or data exchanges.
    Type: Grant
    Filed: March 1, 2004
    Date of Patent: February 22, 2011
    Assignee: Cisco Technology, Inc.
    Inventors: Kousik Nandy, Manikchand Roopchand Bafna, Pratima Pramod Sethi
  • Publication number: 20110040968
    Abstract: In the field of communications technology, a method and a system for forwarding data between private networks are provided, which can enable terminals in different private networks to securely communicate with each other by using private network addresses. The method includes the following steps. A Secure Socket Layer (SSL) tunnel to an SSL Virtual Private Network (VPN) device in another private network is established. Address allocation information of the other private network is received through the SSL tunnel. The address allocation information and a mapping relation between the address allocation information and a public network IP address of the SSL VPN device transmitting the address allocation information and a session ID of the SSL tunnel transmitting the address allocation information are saved.
    Type: Application
    Filed: October 29, 2010
    Publication date: February 17, 2011
    Applicant: CHENGDU HUAWEI SYMANTEC TECHNOLOGIES CO., LTD.
    Inventors: Lifeng LIU, Min Huang, Shi Wan
  • Publication number: 20110035585
    Abstract: According to a first aspect of the present invention there is provided a method of re-establishing a session between first and second IP hosts attached to respective first and second IP access routers, the session previously having been conducted via a previous access router to which said first host was attached, and where a security association comprising a shared secret has been established between the hosts. The method comprises sending a connection request from said first host to said first access router, said request containing an IP address claimed by said second host, a new care-of-address for the first host, and a session identifier. Upon receipt of said connection request at said first access router, the router obtains a verified IP address for said second access router and sends an on link presence request to the second access router, the request containing at least an Interface Identifier part of the second host's claimed IP address, said care-of-address, and said session identifier.
    Type: Application
    Filed: March 12, 2008
    Publication date: February 10, 2011
    Applicant: Telefonaktiebolaget L M Ericsson (publ)
    Inventor: Wassim Haddad
  • Patent number: 7886149
    Abstract: Techniques for assigning a network address to a host are based on authentication for a physical connection between the host and an intermediate device. One approach involves receiving first data at the intermediate device from an authentication and authorization server in response to a request for authentication for the physical connection. The first data indicates at least some of authentication and authorization information. A configuration request message from the host is also received at the intermediate device. The configuration request message is for discovering a logical network address for the host. A second message is generated based on the configuration request message and the first data. The second message is sent to a configuration server that provides the logical network address for the host. The configuration server is then able to provide the logical network address based on authorization and authentication information.
    Type: Grant
    Filed: January 30, 2009
    Date of Patent: February 8, 2011
    Assignee: Cisco Technology, Inc.
    Inventors: John M. Schnizlein, Ralph Droms
  • Patent number: 7877602
    Abstract: A mechanism for enabling efficient encryption and integrity validation of network files. When a request to read a file stored in a local network file system is received, the local network file system examines cryptographic attributes associated with the file to determine if the file is encrypted or integrity-verified. If the cryptographic attributes indicate the file is encrypted, the local network file system omits the encryption of the file by the local network file system prior to passing the file to the remote network file system. If the cryptographic attributes indicate the file is integrity-verified, the local network file system omits the integrity-verification of the file by the local network file system prior to passing the file to the remote network file system. The local network file system then transmits the file to the remote network file system.
    Type: Grant
    Filed: July 27, 2007
    Date of Patent: January 25, 2011
    Assignee: International Business Machines Corporation
    Inventors: Steven Michael French, Michael Austin Halcrow, Prasad Venkata Potluri
  • Publication number: 20110016309
    Abstract: A GW (PDG) at the termination of remote access is installed in the 3GPP system. After an IPSec tunnel between a terminal and the GW is opened, an IPSec tunnel between a VPN client and the corporate network GW is opened, whereby the data from the terminal is transferred via two tunnels between the terminal and the GW and between the VPN client and the corporate network GW to the corporate network. Also, the GW checks if the destination network uses the global address from the destination IP address of a message received from the terminal making the remote VPN access. If the global address is required, the source IP address of the message received from the terminal is translated from the private address for use within the corporate network to which the terminal is allocated to the global address to transfer the message.
    Type: Application
    Filed: May 7, 2010
    Publication date: January 20, 2011
    Applicant: HITACHI, LTD.
    Inventors: Shinya MOTOYAMA, Satoshi SHIMIZU, Tadashi NOBE, Junnosuke WAKAI
  • Publication number: 20110010541
    Abstract: There is provided a system and method for distributors to use an interoperable key chest. There is provided a method for use by a distributor to obtain content access authorizations from a key chest or central key repository (CKR), the method comprising receiving a user request from a user device for access to an encrypted content identified by a content identification, transmitting a key request to the CKR including the content identification, receiving an encrypted first key from the CKR, decrypting the encrypted first key using a second key to retrieve the first key, and providing a DRM license for the encrypted content to the user device using the first key for use by the user device to decrypt the encrypted content using the first key. By generating such DRM licenses, distributors can unlock protected content even sourced from distributors using different DRM schemas.
    Type: Application
    Filed: July 10, 2009
    Publication date: January 13, 2011
    Applicant: DISNEY ENTERPRISES, INC.
    Inventors: Arnaud Robert, Scott F. Watson
  • Patent number: 7864959
    Abstract: Methods and apparatus for converting original data into a plurality of sub-bands using wavelet decomposition; encrypting at least one of the sub-bands using a key to produce encrypted sub-band data; and transmitting the encrypted sub-band data to a recipient separately from the other sub-bands.
    Type: Grant
    Filed: October 1, 2007
    Date of Patent: January 4, 2011
    Assignee: New Jersey Institute of Technology
    Inventor: Atam Dhawan
  • Patent number: 7864671
    Abstract: A connection control apparatus includes a monitoring unit, a determining unit, a transferring unit, and a notifying unit. The monitoring unit monitors a status of a communication terminal. The determining unit determines, on a basis of a monitoring result, whether or not the communication terminal is able to respond to a connection request therefor. The transferring unit transfers the connection request to the communication terminal when the transferring unit has received a connection request for the communication terminal and the determining unit determines that the communication terminal is able to respond to the connection request. The notifying unit calls attention around the connection control apparatus when the determining unit determines that the communication terminal is unable to respond to the connection request after the transferring unit has received the connection request.
    Type: Grant
    Filed: September 23, 2005
    Date of Patent: January 4, 2011
    Assignee: Kabushiki Kaisha Toshiba
    Inventors: Kensaku Yamaguchi, Shinya Murai, Junko Ami
  • Publication number: 20100333188
    Abstract: An address-hopping method is provided to enhance security in computer networks. In embodiments, the method is carried out at a network node and includes storing an IP address that is temporarily valid as a destination address for the node; sequentially updating the stored IP address, at least at specified intervals of time, with new values that are each temporarily valid; and conditionally accepting or rejecting incoming packets according to whether there is a match between the destination IP address of the incoming packet and the temporarily valid IP address currently stored in the memory.
    Type: Application
    Filed: June 29, 2009
    Publication date: December 30, 2010
    Inventor: Timothy J. Politowicz
  • Patent number: 7854009
    Abstract: Protection against spoofing is provided in a LAN having at least two service classes, where one service class allows access to the LAN, the internet, and the intranet containing the LAN, and a more limited service class allows access to the LAN and the internet but not the intranet databases. A user gains access to the LAN using his or her ID, which identifies the user's access level. To prevent limited access users from gaining access to the intranet by changing addresses, the system continuously performs periodic checks for address changes. If there is an address change, the port assigned to, or used by, the user is disabled, throwing the user off the LAN prior to his or her obtaining the requested data.
    Type: Grant
    Filed: June 12, 2003
    Date of Patent: December 14, 2010
    Assignee: International Business Machines Corporation
    Inventors: Moom Ju Kim, William G. White
  • Patent number: 7849309
    Abstract: A method of providing security for network access radio systems and associated access radio security systems used with the systems. The method includes connecting an access radio having a radio link to a network; communicating between the access radio and a computer over the network using a ping application having ping commands and unique encrypted codes; and enabling operation of the access radio when the access radio is receiving ping commands. Typically, the access radio and the computer are nodes on the network and the network is a local area network (LAN). The ping application sends packets of information from the computer to the access radio and receives a response from the access radio. The ping application must be functioning (i.e., sending and receiving commands between the computer and the access radio) to enable the access radio to communicate via the radio link with a remote network.
    Type: Grant
    Filed: December 9, 2005
    Date of Patent: December 7, 2010
    Assignee: AT&T Intellectual Property II, L.P.
    Inventor: Sanford Brown
  • Patent number: 7848514
    Abstract: Tables are defined to permit output masking for table look-ups to be carried out to resist power analysis attacks on cryptographic operations. A set of individually defined random values is used to mask each entry in a substitution table, defining a masked substitution table. A mask table is also defined such that the value of each entry, masked with the corresponding random value, is the value of a fixed mask. The masked substitution tables and the mask tables may be used in cryptographic operations to permit the output of table look-ups to be masked, without directly using the fixed mask value in the computations of the cryptographic operations.
    Type: Grant
    Filed: May 24, 2004
    Date of Patent: December 7, 2010
    Assignee: Research In Motion Limited
    Inventor: Catherine Helen Gebotys
  • Patent number: 7840712
    Abstract: A system (706, 714) is provided for a network signaling bypass around a cryptographic device (1008, 1108). The system is comprised of an interface (1002, 1102) configured to receive a plurality of packets and communicate the packets that are of a non-GIST type to a non-GIST bypass circuit (1004-1, 1004-2) and the packets that are of a GIST type to a GIST bypass circuit (1006-1, 1006-2). The non-GIST bypass circuit is configured to selectively bypass a first packet around the cryptographic device to an output device (1010, 1110, 1012, 1112) if the first packet comprises signaling protocol data for a network (710) over which the first packet is communicated. The GIST bypass circuit is configured to selectively bypass a second packet around the cryptographic device to the output device if the second packet comprises GIST signaling transport protocol data for the network over which the second packet is communicated.
    Type: Grant
    Filed: May 3, 2007
    Date of Patent: November 23, 2010
    Assignee: Harris Corporation
    Inventor: Cypryan T. Klish, II
  • Publication number: 20100293369
    Abstract: The invention relates to a method of reactivating a safe communication connection between client computers and a server after restarting the server, wherein safe communication connections are provided between the server and the client computers for the transmission of data. After restarting, or rebooting, the server, a data packet is therefore transmitted (3) to the addresses of the client computers, wherein the server recognizes from the addresses of the client computers that a safe communication connection is provided (4, 5) for the transmission of data to these client computers. This safe communication connection, however, has been interrupted by the restarting of the server. By means of the transmission of the data packet to the addresses of the client computers, the processes for reactivation of the safe communication connection between the server and the client computers are triggered (6, 8).
    Type: Application
    Filed: July 11, 2007
    Publication date: November 18, 2010
    Inventor: Jurgen Ramharter