Having Particular Address Related Cryptography Patents (Class 713/162)
  • Patent number: 7836299
    Abstract: A virtual PCR (VPCR) construct is provided that can be cryptographically tagged as optionally resettable or as enduring for the life of a client (process, virtual machine, and the like) and that can be loaded into a resettable hardware PCR to make use of the functionality of a Trusted Platform Module (TPM). The VPCRs may cryptographically reflect their characteristics (resettable or not) in their stored values. Also, since the PCRs are virtualized, they are (effectively) unlimited in number and may be given general names (UUIDs) that are less likely to collide. The VPCRs can be loaded into a physical PCR as needed, but in a way that stops one piece of software from impersonating another piece of software. The VPCRs thus enable all software using the TPM to be given access to TPM functionality (sealing, quoting, etc.) without security concerns.
    Type: Grant
    Filed: March 15, 2005
    Date of Patent: November 16, 2010
    Assignee: Microsoft Corporation
    Inventors: Paul England, Matthew C. Setzer
  • Publication number: 20100287371
    Abstract: A method and apparatus for use in a Proxy Mobile IP communications network. An anchor point function serves at least one mobile host. The anchor point function generates an IP address for use by the mobile host, the address being generated using cryptographic materials owned by the anchor point function. The anchor point function can then perform signalling on behalf of the mobile host, using the IP address generated for the mobile host with IP addresses of other mobile hosts S2 host and at least part of the cryptographic materials used to generate the IP address.
    Type: Application
    Filed: September 18, 2008
    Publication date: November 11, 2010
    Inventors: Christian Vogt, Shinta Sugimoto
  • Patent number: 7831825
    Abstract: The disclosed technology provides a system and method of securely communicating data. An encryptor located at a transmitter can provide encrypted data to the transmitter. The transmitter can maintain a packet number indicating a particular packet for carrying the encrypted data and a sub-packet number indicating a position within the packet where the encrypted data is to be stored. The encryptor can produce the encrypted data using an encryptor seed generated based on the packet number and sub-packet number. A receiver can maintain a receiver packet number indicating a number of previously received packets and can compute a receiver sub-packet number. The receiver can receive a packet containing encrypted data and can decrypt the encrypted data using a decryptor seed generated based on the receiver packet number and sub-packet number.
    Type: Grant
    Filed: March 9, 2005
    Date of Patent: November 9, 2010
    Assignees: Verizon Corporate Services Group Inc., Raytheon BBN Technologies Corp.
    Inventors: Walter Clark Milliken, Gregory Donald Troxel
  • Patent number: 7831822
    Abstract: A real-time stateful packet inspection method and apparatus is provided, which uses a session table processing method that can efficiently generate state information. In the apparatus, a session table stores session data of a packet received from an external network. A hash key generator hashes a parameter extracted from the received packet and generates a hash pointer of the session table corresponding to the packet. A session detection module searches the session table for a session corresponding to the received packet. A session management module performs management of the session table such as addition, deletion, and change of sessions of the session table. A packet inspection module generates state information corresponding to the received packet from both directionality information of the packet and entry header information of the packet stored in the session table and then inspects the packet based on the generated state information.
    Type: Grant
    Filed: December 4, 2006
    Date of Patent: November 9, 2010
    Assignee: Electronics and Telecommunications Research Institute
    Inventors: Seung Yong Yoon, Jin Tae Oh, Jong Soo Jang
  • Publication number: 20100281251
    Abstract: An apparatus for establishing a virtual private network with an internet protocol multimedia subsystem (IMS) device that includes a key derivation module, a tunneling protocol module, a tunnel management module, and a security policies module. The apparatus includes a non-volatile memory configured to store a first routing table that maps host addresses and IMS addresses of security devices allowing access to those hosts, such that when an application running in the IMS device requests communication to a host address, the apparatus initiates a session with the IMS address to which the host address is mapped. The session is initiated by a message that includes a body that contains, for each tunneling protocol supported by the tunneling protocol module, data about the local tunnel endpoint (e.g.
    Type: Application
    Filed: June 12, 2008
    Publication date: November 4, 2010
    Applicant: TELEFONAKTIEBOLAGET L M ERICSSON (PUBL)
    Inventor: Jesus Javier Arauz Rosado
  • Publication number: 20100281254
    Abstract: By asking the recipient of an encrypted received file to read aloud a check text, retrieved from a network server, whose address, or URL, is encoded within the file name of the encrypted received file, the system of the invention automatically verifies the identity of the recipient, confirms that the file has been received by the intended recipient, and then decrypts the file. The utterances of text spoken by the recipient are processed by means of an automatic speech recognition component. The system determines whether the spoken text corresponds to the check text presented to the reader, in which case the system applies an automatic speaker recognition algorithm to determine whether the person reciting the check text has voice characteristics matching those of the intended recipient based on a previous enrollment of the intended recipient's voice to the system.
    Type: Application
    Filed: April 27, 2006
    Publication date: November 4, 2010
    Inventors: Fernando Incertis Carro, Rita Asuncion Jarillo Sanchez
  • Patent number: 7826611
    Abstract: A system and method for exchanging a transformed message with enhanced privacy is presented. A set of input messages is defined. A set of output messages is defined. A message is selected from the input messages set. One or more words in the selected message are efficiently transformed directly into a transformed message different from the selected message, wherein the transformed message belongs to the set of output messages, at least one component of the selected message is recoverable from the transformed message, and the cost of determining whether the transformed message belongs to the input messages set or the output messages set exceeds a defined threshold.
    Type: Grant
    Filed: October 17, 2005
    Date of Patent: November 2, 2010
    Assignee: Palo Alto Research Center Incorporated
    Inventors: Ayman Omar Farahat, Philippe Jean-Paul Golle, Aleksandra Korolova
  • Patent number: 7827417
    Abstract: A storage device includes a storage unit that stores key information. The storage device also includes an input/output unit that inputs a converted command. Further, the storage device includes an extractor that extracts attached information from the converted command inputted, reads out, from an address according to the attached information, the key information from the storage unit, and performs an inverse data conversion corresponding to a data conversion on the converted command, using the key information, to extract command information and address information. In addition, the storage device includes an output controller that, only when the command information is equivalent to predetermined information, reads out and outputs storage data from an address of the storage unit through the input/output unit, the address of the storage data indicated by the address information extracted by the extractor.
    Type: Grant
    Filed: October 28, 2005
    Date of Patent: November 2, 2010
    Inventor: Ikuo Yamaguchi
  • Publication number: 20100275008
    Abstract: A source endpoint includes a security association database; a processing device and an interface operatively coupled to: receive a first packet requiring security processing; retrieve from the first packet a destination endpoint data address for a destination endpoint that is to receive the first packet; determine an address translation; apply the address translation to the retrieved destination endpoint data address to generate a destination endpoint security address, and create an entry in a storage device, wherein the entry corresponds only to the destination endpoint and comprises the generated destination endpoint security address and a set of security parameters. The source endpoint further indexes the storage device to obtain the security parameters for security processing of the first packet to generate a secured first packet; and sends the secured first packet to the destination endpoint.
    Type: Application
    Filed: March 25, 2010
    Publication date: October 28, 2010
    Applicant: MOTOROLA, INC.
    Inventor: LARRY MURRILL
  • Publication number: 20100275017
    Abstract: Establishing peer-to-peer tunnels between clients in a mobility domain. In normal operation, clients attached to a network having access nodes connected to a central controller transfer all traffic through the central controller. This traffic is passed using tunnels between the access node and the central controller. Tunnels may be encrypted, and GRE tunnels may be used. A mobility manager operating in the controller tracks access nodes connected to the controller, and clients connected to those access nodes. When the mobility controller recognizes traffic passing between clients in its mobility domain that is eligible for peer-to-peer forwarding, it instructs the access nodes supporting the clients to establish a peer-to-peer tunnel between the nodes, and direct the client traffic through this peer-to-peer tunnel. The peer-to-peer tunnel may be session based, or may be aged.
    Type: Application
    Filed: April 24, 2009
    Publication date: October 28, 2010
    Applicant: Aruba Networks, Inc.
    Inventors: Pradeep J. Iyer, Keerti G. Melkote
  • Patent number: 7822977
    Abstract: A system for eliminating unauthorized email sent to a user on a network analyzes the sender address of incoming email and determines whether it is to be rejected by returning a standard “no such user” error code or accepted depending upon executing processing rules and analyzing managed lists of authorized senders. This provides an advantage over existing anti-spam filtering systems by intercepting unauthorized email before it reaches an existing email server or client. The system rejects all email unless authorized by using a standard “no such user” error code, and by redirecting the unauthorized email back to the sender or to a sender evaluation site. An ASL module captures authorized sender addresses from the user's outgoing email and other sources in order to update “authorized senders” lists.
    Type: Grant
    Filed: March 31, 2003
    Date of Patent: October 26, 2010
    Inventor: Peter L. Katsikas
  • Patent number: 7822982
    Abstract: Embodiments of the invention provide a method and an apparatus for automatic, secure, and confidential distribution of a symmetric key security credential in a utility computing environment. In one method embodiment, the present invention establishes a symmetric key at a management server, the symmetric key automatically associated with a logical device identifier of a provisionable resource. Additionally, an isolated virtual network is established between the management server and the provisionable resource for providing the symmetric key to the provisionable resource. Then, after the symmetric key is provided to the provisionable resource the isolated virtual network between the management server and the provisionable resource is dissolved.
    Type: Grant
    Filed: June 16, 2005
    Date of Patent: October 26, 2010
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventor: Amit Raikar
  • Patent number: 7814337
    Abstract: A secure flash-card reader reads a user ID from a secure card and finds a matching entry with a hashed password in a user table on the reader. An encrypted key is received from a secure host that hashes and encrypts a password the user types into the host and the user's ID. A card decryption engine uses a random number to decrypt the encrypted key and recover the hashed password and user ID from the secure host, which is compared by a comparator to the hashed password and user ID from the user table. A mismatch causes an access controller to block access to encrypted data on the secure card. Flash data is transferred over a flash-serial buffer bus between flash-card controllers and a RAM buffer. An encryption engine on the flash-serial buffer bus encrypts and decrypts data and connects to a serial engine to the host.
    Type: Grant
    Filed: January 17, 2007
    Date of Patent: October 12, 2010
    Assignee: Super Talent Electronics, Inc.
    Inventors: Charles C. Lee, I-Kang Yu, Edward W. Lee, Ming-Shiang Shen
  • Patent number: 7814312
    Abstract: An improved network architecture employs a super authority having an identity catalog to direct login authentication tasks to appropriate authorities. Authentication tasks may be performed by authorities across namespace boundaries if so directed by the super authority, such that a principal account may be moved without alteration of the account ID. In an embodiment of the invention, the identity catalog comprises a listing associating account IDs with appropriate authenticating authorities.
    Type: Grant
    Filed: March 31, 2008
    Date of Patent: October 12, 2010
    Assignee: Microsoft Corporation
    Inventors: Jeffrey B. Parham, Brendan Dixon, Murli Satagopan, Richard Bruce Ward
  • Patent number: 7814327
    Abstract: A document accessible over a network can be registered. A registered document, and the content contained therein, cannot be transmitted undetected over and off of the network. In one embodiment, the invention includes maintaining a plurality of stored signatures, each signature being associated with one of a plurality of registered documents, intercepting an object being transmitted over a network, calculating a set of signatures associated with the intercepted object, and comparing the set of signatures with the plurality of stored signatures. In one embodiment, the invention can further include detecting registered content from the registered document being contained in the intercepted object, if the comparison results in a match of at least one of the signatures in the set of signatures with one or more of the plurality of stored signatures.
    Type: Grant
    Filed: March 30, 2004
    Date of Patent: October 12, 2010
    Assignee: McAfee, Inc.
    Inventors: Ratinder Paul Singh Ahuja, Matthew Howard, Rick Lowe, Erik de la Iglesia, William Deninger
  • Patent number: 7814551
    Abstract: The execution of software may be controlled by a security policy expressed in a manifest. The software vendor or distributor specifies requirements for the use of software (e.g., which modules may be loaded into the software's address space, which module-signing keys are trustworthy, etc.), using a manifest specification language. A generation tool reads the specification and creates a manifest based on the specification. The tool may handle such details as retrieving keys from key files, computing software hashes, and the like. The manifest is distributed with the software and used by the environment in which the software executes to enforce the security policy.
    Type: Grant
    Filed: September 9, 2003
    Date of Patent: October 12, 2010
    Assignee: Microsoft Corporation
    Inventors: Michael Darweesh, Tony Ureche, Michael David Marr
  • Patent number: 7809939
    Abstract: A method and apparatus provides for trusted point-to-point communication over an open bus. An embodiment of a computer includes a first software environment, with the first software environment being a trusted environment. The first software environment includes one or more trusted applications, and provides for the generation of trusted data packets in an open bus. The computer also includes a second software environment, with the second software environment being an un-trusted environment. The computer includes a trusted interface for an open bus, the trusted interface being accessible only to the first software environment. Other embodiments are described and claimed.
    Type: Grant
    Filed: March 31, 2006
    Date of Patent: October 5, 2010
    Assignee: Intel Corporation
    Inventor: Clifford D. Hall
  • Patent number: 7809361
    Abstract: A security enhancing system for creating temporary identification information used to mask actual identification in a wireless communication device. The temporary identification information conforms to a standard usable by at least one wireless communication medium, and may be used by other devices in communicating with the wireless communication device, however, only other devices possessing secret address component information may determine the actual identity of the masked wireless communication device. The temporary identification information may further be recompiled when a threshold condition is satisfied.
    Type: Grant
    Filed: June 19, 2006
    Date of Patent: October 5, 2010
    Assignee: Nokia Corporation
    Inventors: Jan-Erik Ekberg, Mauri Honkanen, Päivi M. Ruuska, Jukka Reunamäki, Antti Lappeteläinen
  • Publication number: 20100250923
    Abstract: A communication apparatus includes: a first storage unit configured to store a plurality of addresses of a plurality of first communication apparatuses; an acquiring unit configured to acquire a self-public key; a specifying unit configured to specify an address of at least one of the plurality of first communication apparatuses stored in the first storage unit when the self-public key is acquired; and a first public key sending unit configured to send the self-public key to the address of the at least one of the plurality of first communication apparatuses specified by the specifying unit.
    Type: Application
    Filed: March 18, 2010
    Publication date: September 30, 2010
    Applicant: BROTHER KOGYO KABUSHIKI KAISHA
    Inventor: Satoru YANAGI
  • Publication number: 20100250924
    Abstract: A communication apparatus includes: a first storage unit registering a plurality of addresses of a plurality of communication apparatuses; a command sending unit sending a first command for requesting a first public key, which corresponds to a first secret key of the first communication apparatus, to the address of the first communication apparatus; a response receiving unit receiving from the first communication apparatus a first response including the first public key; a storage control unit associating the first public key with the address of the first communication apparatus and registering the first public key; an encrypted data generating unit encrypting first data, which is to be sent to the first communication apparatus, using the first public key registered in association with the address of the first communication apparatus to generate first encrypted data; and a data sending unit sending the first encrypted data to the address of the first communication apparatus.
    Type: Application
    Filed: March 26, 2010
    Publication date: September 30, 2010
    Applicant: BROTHER KOGYO KABUSHIKI KAISHA
    Inventor: Shohei TSUJIMOTO
  • Patent number: 7805399
    Abstract: The present invention is directed towards providing a partial dual-encrypted stream in a conditional access overlay system. The headend equipment includes an aligner, identifier, and remapper (AIR) device (615) that receives a clear stream and one or two encrypted streams, where the two encrypted streams have been encrypted by two different encryption schemes. The AIR device (615) identifies critical packets associated with the clear stream and subsequently allows two encrypted streams to pass and drops the critical packets of the clear stream. A multiplexer (640) then combines a percentage of the non-critical packets of the clear stream and the critical packets of the two encrypted streams to provide the partial dual-encrypted stream.
    Type: Grant
    Filed: April 24, 2007
    Date of Patent: September 28, 2010
    Inventors: Howard G. Pinder, William D. Woodward, Jr., Jonathan Bradford Evans, Anthony J. Wasilewski
  • Publication number: 20100235630
    Abstract: System and method for providing cloud computing services are described. In one embodiment, the system comprises a cloud computing environment comprising resources for supporting cloud workloads, each cloud workload having associated therewith an internal cloud address; and a routing system disposed between external workloads of an external computing environment and the cloud workloads, the routing system for directing traffic from an external address to the internal cloud addresses of the cloud workloads. A designated one of the cloud workloads obtains one key of a first pair of cryptographic keys, the first pair of cryptographic keys for decrypting encrypted storage hosted within the cloud computing environment.
    Type: Application
    Filed: November 5, 2009
    Publication date: September 16, 2010
    Applicant: Novell, Inc.
    Inventors: Stephen R. Carter, Carolyn Bennion McClain, Jared Patrick Allen, Dale Robert Olds, Lloyd Leon Burch
  • Patent number: 7792289
    Abstract: A communications system in which a sending computer encrypts a message using a key associated with the computer which is to receive the message; and the receiving computer uses a key associated with the sending computer in the decryption process. The sending computer is equipped with a set of keys and each key within the set may be used for the encryption process, depending on the destination of the message; and the receiving computer chooses its key based on who the sending computer is.
    Type: Grant
    Filed: June 28, 2005
    Date of Patent: September 7, 2010
    Inventor: Mark Ellery Ogram
  • Publication number: 20100211774
    Abstract: A host computer adds a keycode to e-mail and a terminal unit leads an information gathering candidate to add reply information to the e-mail. When the host computer receives the e-mail to which reply information has been added, the host computer stores the reply information in one of data storage areas having a memory address corresponding to a memory address associated with the keycode of the e-mail.
    Type: Application
    Filed: November 17, 2009
    Publication date: August 19, 2010
    Applicant: MITSUBISHI ELECTRIC CORPORATION
    Inventors: Shinichi Fujimoto, Hiroko Higuma, Ai Enomoto
  • Patent number: 7779251
    Abstract: It is intended, in the mobile information terminal, to achieve compactization, cost reduction and reduction in the burden of information processing, while taking the enciphering process for the information into consideration. The cipher signal process unit for enciphering the transmission information and the cipher process selection unit for selecting whether or not to use the cipher signal process unit are provided to select whether or not to execute the enciphering of the transmission information, according to the necessity in executing the communication of information, thereby dispensing with the enciphering process as far as possible and alleviating the burden of the process involved in the enciphering.
    Type: Grant
    Filed: March 21, 2006
    Date of Patent: August 17, 2010
    Assignee: Canon Kabushiki Kaisha
    Inventor: Kurumi Mori
  • Patent number: 7779248
    Abstract: An improved network architecture employs a super authority having an identity catalog to direct login authentication tasks to appropriate authorities. Authentication tasks may be performed by authorities across namespace boundaries if so directed by the super authority, such that a principal account may be moved without alteration of the account ID. In an embodiment of the invention, the identity catalog comprises a listing associating account IDs with appropriate authenticating authorities.
    Type: Grant
    Filed: March 18, 2008
    Date of Patent: August 17, 2010
    Assignee: Microsoft Corporation
    Inventors: Jeffrey B. Parham, Brendan Dixon, Murli Satagopan, Richard Bruce Ward
  • Patent number: 7779090
    Abstract: A method and system for distributing images for display by client systems. A distribution system includes an image server system that is connected to image client systems via a communications link, such as the Internet. The image server system is responsible for providing image packages to the image client systems and for collecting information from the image client systems. Each image client system periodically sends a heartbeat communication to the image server system. Upon receiving a heartbeat communication, the image server system determines the state of the image client system that sent the heartbeat communication and responds appropriately. The response may include instructions for the image client system to retrieve new images, to retrieve software updates, to send usage data, and so on.
    Type: Grant
    Filed: November 5, 2003
    Date of Patent: August 17, 2010
    Inventors: Scott E. Lipsky, Paul Brownlow
  • Patent number: 7774833
    Abstract: A system and method that provides for protection of a CPU of a router, by establishing a management port on a router. Hosts which are connected to non-management ports of the router are denied access to management functions of a CPU of the router. The system and method can utilize an application specific integrated circuit, in conjunction with a CAM-ACL, which analyzes data packets received on the ports of the router, and the ASIC operates to drop data packets which are directed to the CPU of the router. This system and method operates to filter data packets which may be generated in attempts to hack into control functions of a network device, and the operation does not require that the CPU analyze all received data packets in connection with determining access to the control functions of the router.
    Type: Grant
    Filed: September 23, 2003
    Date of Patent: August 10, 2010
    Assignee: Foundry Networks, Inc.
    Inventors: Ronald W. Szeto, Philip Kwan, Raymond Wai-Kit Kwong
  • Patent number: 7774598
    Abstract: A method of managing a key of a user for a broadcast encryption. The method includes forming a tree comprising m hierarchies by repeating a process of setting an ith level comprising groups into which at least one node is grouped in a unit of n_i, and setting an (i+1)th level comprising the groups of the ith level that are re-grouped in a unit of n_{i+1} until i is from “1” to “m”. The method further includes mapping users on at least one node of the tree and message providers on the mth hierarchy, going down from the mth hierarchy to the first hierarchy to map key encryption keys with respect to the (i+1)th level connected to the ith level, and transmitting the message using the key encryption keys.
    Type: Grant
    Filed: November 23, 2005
    Date of Patent: August 10, 2010
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Andrey L. Chmora, Alexey V. Urivskiy
  • Patent number: 7770004
    Abstract: Methods and systems are provided for sharing images over a network. A first user selects an image for sharing and designates an image recipient. Metadata for the first image is transmitted from the first user's terminal to the image recipient's terminal. At least partly in response to receiving the metadata, the image recipient's terminal transmits a request for the first image at a first resolution to the first user's terminal. In response to the request, the first user's terminal transmits the first image at the requested first resolution to the image recipient's terminal.
    Type: Grant
    Filed: May 17, 2004
    Date of Patent: August 3, 2010
    Assignee: Google Inc.
    Inventors: Michael Herf, Brian McBarron
  • Patent number: 7765588
    Abstract: A system and method verify a user's identity in an Internet-related transaction. One system and method use a personal computer having identification information, a card reader, and a personal identification card having access information, to verify a user's identity using the access information and the identification information. Another system and method use a personal computer, a card reader, and a personal identification card having access information, wherein the card reader is included as part of a mouse coupled to the personal computer and wherein a user's identity is verified using the access information. Another system and method use a personal computer, a device coupled to the personal computer having identification information, a card reader, and a personal identification card having access information to verify a user's identity using the access information and the identification information.
    Type: Grant
    Filed: November 17, 2008
    Date of Patent: July 27, 2010
    Inventors: Harvinder Sahota, Neil Sahota
  • Patent number: 7757080
    Abstract: A system for storage of user access information is described. The user access information is used for validating a user to access data on a computer server over a network. The system may comprise an encryption module for encrypting the user access information using a function that includes data from a system from which the user has accessed the computer server as an input to generate enhanced security user access data and a storage module for storing the enhanced security user access data.
    Type: Grant
    Filed: March 11, 2005
    Date of Patent: July 13, 2010
    Assignee: Google Inc.
    Inventor: Marius Paul Michiel Schilder
  • Patent number: 7756509
    Abstract: Embodiments of methods and apparatus for providing an access profile system associated with a broadband wireless access network are generally described herein. Other embodiments may be described and claimed.
    Type: Grant
    Filed: March 31, 2006
    Date of Patent: July 13, 2010
    Assignee: Intel Corporation
    Inventors: Bala Rajagopalan, Sanjay Bakshi
  • Patent number: 7757272
    Abstract: A system for mapping and translating address information in a network is provided. The system includes a client-side address translator (120) and a server-side address translator (140). The client-side address translator (120) is configured to receive a data packet from a client (110). The data packet includes a first destination address representing the real destination address. The client-side address translator (120) maps the first destination address to another address using a mapping algorithm and transmits the data packet with the mapped address information via the network (160). The server-side address translator (140) receives the data packet, translates the mapped address information back to the real destination address and forwards the data packet using the real destination address.
    Type: Grant
    Filed: June 14, 2000
    Date of Patent: July 13, 2010
    Assignees: Verizon Corporate Services Group, Inc., BBN Technologies Corp., Level 3 Communications, LLC
    Inventor: Michael Anthony Dean
  • Patent number: 7757081
    Abstract: In one embodiment of the present invention, a method includes verifying an initiating logical processor of a system; validating a trusted agent with the initiating logical processor if the initiating logical processor is verified; and launching the trusted agent on a plurality of processors of the system if the trusted agent is validated. After execution of such a trusted agent, a secure kernel may then be launched, in certain embodiments. The system may be a multiprocessor server system having a partially or fully connected topology with arbitrary point-to-point interconnects, for example.
    Type: Grant
    Filed: December 27, 2007
    Date of Patent: July 13, 2010
    Assignee: Intel Corporation
    Inventors: John H. Wilson, Ioannis T. Schoinas, Mazin S. Yousif, Linda J. Rankin, David W. Grawrock, Robert J. Greiner, James A. Sutton, Kushagra Vaid, Willard M. Wiseman
  • Patent number: 7752441
    Abstract: The present invention provides a method of cryptographic synchronization. The method may include providing information indicative of a first counter to a first one of a plurality of base stations. The first counter is incremented prior to each message transmitted to each of the plurality of base stations. The method may also include authenticating at least one first message received from the first one of the plurality of base stations in response to providing the information indicative of the first counter.
    Type: Grant
    Filed: February 13, 2006
    Date of Patent: July 6, 2010
    Assignee: Alcatel-Lucent USA Inc.
    Inventors: Simon B. Mizikovsky, Robert J. Rance
  • Patent number: 7748027
    Abstract: A system, method and media for dynamically redacting data based on the evaluation of one or more policies. In one embodiment, the method comprises receiving a request to access one or more resources, receiving responses from the one or more resources and assembling a result set which includes several portions of data, determining current access policies for the requestor to the one or more resources, and redacting from the result set a portion of the data that the requestor is not permitted to receive, based on the current access policies.
    Type: Grant
    Filed: September 8, 2005
    Date of Patent: June 29, 2010
    Assignee: Bea Systems, Inc.
    Inventor: Paul B. Patrick
  • Publication number: 20100161974
    Abstract: Disclosed are a master terminal capable of registering and managing terminals that belong to a personal use scope, which will be referred to as personally used terminals or personal use terminals, hereafter, and a method and system for managing personal use terminals by using the master terminal. The method for managing a personal use group using a first master terminal to register and manage terminals belonging to a personal use scope includes: requesting a second master terminal that belongs to the personal use scope for personal use group information; receiving the personal use group information from the second master terminal; and registering a terminal that belongs to the personal use scope as the personal use group based on the received personal use group information.
    Type: Application
    Filed: October 14, 2009
    Publication date: June 24, 2010
    Inventors: Jooyoung LEE, Hyon-Gon CHOO, Jeho NAM, Moon-Kyun OH, Sang-Kwon SHIN, Won-Sik CHEONG, Sangwoo AHN, Jin-Woo HONG, Byoung-Soo KOH
  • Patent number: 7739497
    Abstract: Methods, apparatus, system and computer program are provided for concealing the identity of a network device transmitting a datagram having a network layer header. A unique local identifier and broadcast address are determined in accordance with a next-hop address. A partially encrypted network layer header is determined by encrypting a plurality of identifying portions of the network layer header, where one portion of the network layer header is the unique local identifier. The datagram is encapsulated with another network layer header whose address is set to the broadcast address. The encapsulated datagram can be received and detunneled, and an address of a recipient can be extracted from the network layer header. The datagram is then admitted into a network domain.
    Type: Grant
    Filed: March 21, 2002
    Date of Patent: June 15, 2010
    Assignee: Verizon Corporate Services Group Inc.
    Inventors: Russell Andrew Fink, Edward A. Bubnis, Jr., Thomas E. Keller
  • Patent number: 7738660
    Abstract: A cryptographic key split combiner includes a number of key split generators for generating cryptographic key splits from seed data, and a key split randomizer for randomizing the key splits to produce a cryptographic key. The key split generators can include a random split generator for generating random key splits, a token split generator for generating token key splits based on label data, a console split generator for generating console key splits based on maintenance data, a biometric split generator for generating biometric key splits based on biometric data, and a location split generator for generating location key splits based on location data. Label data can be read from storage, and can include user authorization data. A process for forming cryptographic keys includes randomizing or otherwise binding the splits to form the key.
    Type: Grant
    Filed: June 22, 2006
    Date of Patent: June 15, 2010
    Assignee: TecSec, Inc.
    Inventors: Edward M. Scheidt, C. Jay Wack
  • Patent number: 7733366
    Abstract: A system and process for network-based, interactive, multi-media learning is presented. The learning system and process employs high quality, low latency audio/video links over a multicast network (such as Internet2), as well as an interactive slideshow that allows annotations to be added by both the presenter and lecture participants, a question management feature that allows participants to submit questions and receive answers during the lecture or afterwards, and a complete archiving of the data streams and metadata associated with the foregoing features.
    Type: Grant
    Filed: February 21, 2003
    Date of Patent: June 8, 2010
    Assignee: Microsoft Corporation
    Inventors: Jay Beavers, Randy Hinrichs, Sarah Papp, Richard Anderson, Jeff Baxter
  • Patent number: 7734934
    Abstract: Provided are techniques for migrating data. Contents are sealed to one or more registers. In response to determining that secure backup is enabled, platform metrics are stored in a private store. An out-of-band request is received. A response to the out-of-band request is provided using the stored platform metrics. Other embodiments are described and claimed.
    Type: Grant
    Filed: December 20, 2005
    Date of Patent: June 8, 2010
    Assignee: Intel Corporation
    Inventors: Vincent J. Zimmer, Michael A. Rothman
  • Patent number: 7730106
    Abstract: The subject matter herein relates to database management systems and, more particularly, compression of encrypted data in database management systems. Various embodiments provide systems, methods, and software that compress encrypted column values stored in tables. Some other embodiments include declaring tables with column encrypt and compress attributes.
    Type: Grant
    Filed: December 28, 2006
    Date of Patent: June 1, 2010
    Assignee: Teradata US, Inc.
    Inventor: James Browning
  • Patent number: 7730305
    Abstract: An authentication method for link protection between an OLT and an ONU newly connected thereto in an EPON, which is implemented in a data link layer to which cryptography is applied. First, an authentication key is distributed to both the OLT and an ONU. The OLT (or ONU) generates first and second random values, generates an authentication request frame containing the random values, and transmits it to the ONU (or OLT). The ONU generates a first hash value according to a hash function using the random values contained in the request frame, and transmits an authentication response frame containing the first hash value to the OLT. The OLT compares the first hash value with a second hash value calculated by it according to the hash function using the two random values and an authentication key distributed to it, and transmits an authentication result frame to the ONU.
    Type: Grant
    Filed: April 29, 2005
    Date of Patent: June 1, 2010
    Assignee: Electronics and Telecommunications Research Institute
    Inventors: Jee Sook Eun, Tae Whan Yoo, Yool Kwon, Kyeong Soo Han
  • Publication number: 20100131414
    Abstract: A portable identification apparatus and an associated identification and authentication system are described. The portable apparatus can store biometric data of an authorised user of the apparatus and includes a biometric scanner for acquiring biometric data of a user of the apparatus. A processor compares acquired biometric data with the stored biometric data to identify a user of the apparatus, and generates identification information relating to the authorised user if the acquired biometric data matches the stored biometric data. A wireless communication interface transmits the identification information to a communication terminal such as a mobile telephone, for use in a transaction.
    Type: Application
    Filed: March 14, 2008
    Publication date: May 27, 2010
    Inventor: Gavin Randall Tame
  • Publication number: 20100131757
    Abstract: A system comprising a server which is arranged to store encrypted addresses and encryption information associated with the addresses. The server sends the addresses and encryption information to user equipment, which is able to decrypt the encrypted addresses using the encryption information and is able to access locations associated with the addresses.
    Type: Application
    Filed: April 25, 2008
    Publication date: May 27, 2010
    Applicant: THE TECHNOLOGY PARTNERSHIP PLC
    Inventors: Martin Orrell, Tristan James Barkley
  • Patent number: 7725821
    Abstract: A method for storing electronic documents can include associating a digital seal with at least one electronic document. An image within a user interface can be displayed, wherein the image is a user selectable representation for the digital seal. At least one metadata attribute can be stored as a characteristic related to the digital seal. A storage characteristic of at least one electronic document can be modified based on one or more of the metadata attributes.
    Type: Grant
    Filed: April 26, 2008
    Date of Patent: May 25, 2010
    Assignee: International Business Machines Corporation
    Inventors: Ken-Shin Cheng, Ting Cheng, Emily Plachy, John Long
  • Patent number: 7725932
    Abstract: In response to a command to start restrictions on a communication service of a computer, the communication service is restricted by a countermeasures apparatus which replaces the communication address of a second computer, which has been stored in a first computer, with the communication address of the countermeasures apparatus, and replaces a communication address of the first computer, which has been stored in the second computer, with the communication address of the countermeasures apparatus. Accordingly, the countermeasures apparatus acquires a packet from the first computer to the second computer and determines whether or not this acquired packet is to be transmitted to the second computer.
    Type: Grant
    Filed: September 5, 2008
    Date of Patent: May 25, 2010
    Assignee: International Business Machines Corporation
    Inventors: Kentaro Aoki, Yukinobu Moriya, Izumi Kagawa
  • Publication number: 20100122083
    Abstract: A method of securely communicating personal health information between a user terminal and a health care server. The method includes receiving an encryption key from a security key issuing device through a local communication between a user terminal and the security key issuing device; obtaining health information of a user; encrypting the health information by using the encryption key; and transmitting the encrypted health information to a health care server through a network communication between the user terminal and the health care server.
    Type: Application
    Filed: November 5, 2009
    Publication date: May 13, 2010
    Applicant: SAMSUNG ELECTRONICS CO., LTD.
    Inventors: Byung-soo Gim, Kwang-hyeon Lee
  • Patent number: 7716720
    Abstract: The present invention is directed to a system for providing a trusted environment for untrusted computing systems. The system may include a HAC subsystem managing shared resources and a trusted bus switch for controlling a COTS processor to access the shared resources. The shared resources such as memory and several I/O resources reside on the trusted side of the trusted bus switch. Alternatively, the system may include a SCM as an add-on module to an untrusted host environment. Only authenticated applications including COTS OS execute on the SCM while untrusted applications execute on the untrusted host environment. The SCM may control secure resource access from the untrusted host through a plug-in module interface. All secure resources may be maintained on the trusted side of the plug-in module interface.
    Type: Grant
    Filed: June 17, 2005
    Date of Patent: May 11, 2010
    Assignee: Rockwell Collins, Inc.
    Inventors: James A. Marek, David S. Hardin, Raymond A. Kamin, III, Steven E. Koenck, Allen P. Mass