Abstract: A mechanism for mutual authorization of a secondary resource in a grid of resource computers is provided. When a primary resource attempts to offload a grid computing job to a secondary resource, the primary resource sends a proxy certificate request to the user machine. Responsive to a proxy certificate request, the user machine performs authorization with the secondary resource. If authorization with the secondary resource is successful, the user machine generates and returns a valid proxy certificate. The primary resource then performs mutual authentication with the secondary resource. If the authorization with the secondary resource fails, the user machine generates and returns an invalid proxy certificate. Mutual authentication between the primary resource and the secondary resource will fail due to the invalid proxy certificate. The primary resource then selects another secondary resource and repeats the process until a resource is found that passes the mutual authorization with the user machine.

Abstract: An information processing system in which information transfers between communication devices through a network is limited within a prescribed range by registering unique information obtainable within the prescribed range into each device and permitting information transfer between devices which share common unique information, where the unique information is formed by a pair of public and secret unique information, a bridge device is controlled such that, upon receiving a proxy check request from a reception device, whether a transmission device is another bridge device or not is judged when the public unique information registered by the reception device is registered in the bridge device and one public unique information registered in the bridge device is registered by the transmission device. Then, the secret unique information registered by the reception device is transmitted to the transmission device when the transmission device is not another bridge device.

Abstract: Standardized transmission of digital data with trusted and untrusted connections by translating non-native requests and or non-native responses to and from a normalized format or to a format needed for processing the request and or response configured in hub and spoke, star, direct, peer to peer or hybrid connections. Encryption is provided at multiple layers to establish non-repudiation for a security service that integrates external security applications into a single service.

Abstract: A verification device stores verification information and first random information in a storage. The verification information depends upon contents of comparative information, and not upon an information volume of the comparative information. The verification device generates an authentication information generation factor using the first random information and transmits the factor to a proving device, which generates authentication information using the authentication information generation factor and held information and transmits the authentication information to the verification device. The authentication information depends upon contents of the authentication information generation factor and the held information, and not upon the information volume of the held information. A decision section of the verification device decides whether a predetermined relationship is established between the authentication information and the verification information and the first random information.

Abstract: Techniques are described herein for securely prompting a user to confirm sensitive operations, input sensitive information or the like. The techniques include receiving or intercepting calls from applications to prompting routines. When a call to a prompting routine is received or intercepted a hint may be provided to the user to switch to a secure desktop. When the user switches from the user desktop to the secure desktop the particular prompt is displayed. The input to the prompt is received on the secure desktop and verified to have been provided by the user. The user input or a representation of the input is then returned to the application running on the user desktop. Using these techniques, interception of prompting messages by malware does not result in sensitive information being revealed. Furthermore, spoofing of new messages by malware does not lead to the dismissal of critical prompting.

Abstract: Various technologies and techniques are disclosed that provide a centralized model to assign, monitor, and manage security on home electronic devices. A three-dimensional security matrix uses a role-based model that allows users to map security into groupings. Users can be assigned security levels based on application role (what activity is involved), user role (what each family member or guest is allowed to do), and device role (what this device is allowed to do while preserving system integrity). An authorization service determines whether a particular activity requested by the user should be granted or denied based upon whether the user has authorization to access the particular activity and whether the particular device can support the particular activity without comprising the security of the network.

Abstract: The invention described herein is generally directed to a method and apparatus for creating and retrieving audio data. In one implementation the invention comprises an annotation system configured to record, store, and retrieve media. The annotation system contains a set of client-processing devices configured to capture media for subsequent playback. Each client-processing device typically contains a record button to initiate the capture and is configured upon performing the capture operation to trigger an association of a unique ID with the media. The client-processing devices are further configured to upload the media and a unique ID to a server for purposes of storage. The server obtains the media and unique ID for subsequent retrieval and provides the media and the unique ID to at least one client-processing device from the set of client processing devices.

Abstract: A subscription-based computing device has hardware and a subscription enforcer implemented in the hardware. The enforcer has an accumulator that accumulates a usage value as the computing device is being used and an expiration value register that stores an expiration value. The enforcer allows the computing device to operate in a subscription mode without hindrance and with full use when the usage value is less than the stored expiration value, and allows the computing device to operate in an expiration mode with hindrance and without full use when the usage value reaches the stored expiration value to signal that the subscription for the computing device has expired.

Abstract: In one embodiment, cryptographic transformation of a message is performed by first performing a table initiation phase. This may be accomplished by creating a permutation of an order of powers and then performing a table initiation phase using a part of a key and the permuted order of powers to populate a data structure.

Abstract: Systems and methods that can facilitate securing data associated with a memory from tampering are presented. A counter tamper component can detect tamper attacks or tamper attempts associated with a memory and/or data stored therein or associated therewith and reacts to such tamper attacks/attempts, as the counter tamper component can provide evidence of, provide a response to, and/or resist tamper attacks/attempts. The counter tamper component can be associated with a memory module that includes a memory device(s) module and is contained in an electronic device and the memory module can change a color state to provide evidence of tampering. A window component is positioned on the casing of the electronic device so that the memory module is visible to the user so the user can perceive that a tamper attack associated with the module has occurred.

Abstract: The present invention provides a method that facilitates secure cross domain mashups in an efficient fashion. The invention allows a first entity, the Masher, to establish at a second entity, the User, a secure mashup by obtaining information from, or taking actions at, a third entity, the Mashee, by using a novel twist to the SSL protocol. The invention is further extended to secure a hub and widget architecture, which allows one Masher to establish at a User, communication with several Mashees. Mutual authentication of all entities, key distribution for authentication, privacy and code verification and dynamic authorization based on the certificate information are provided by the invention.

Abstract: The present invention provides a method that allows three parties to mutually authenticate each other and share an encrypted channel. The invention is based on a novel twist to the widely used two party transport level SSL protocol. One party, typically a user at a browser, acts as a man in the middle between the other two parties, typically two web servers with regular SSL credentials. The two web servers establish a standard mutually authenticated SSL connection via the user's browser, using a novel variation of the SSL handshake that guarantees that a legitimate user is in the middle.

Abstract: A token device that generates and displays one-time passwords and couples to a computer for inputting or receiving data for generating and outputting one-time passwords and performing other functions is provided. The token includes an interface for coupling to a computer. The token may also be coupled to any network that the computer may be connected to, when coupled to the computer. Data and information may be transmitted between the computer and token, and between the network and token, via the computer and interface. The data and information may include one-time password seeding, file transfer, authentication, configuration and programming of the token. The token must be seeded to generate and display one-time passwords. An original, or seed, value is loaded into the token. One-time passwords are subsequently generated or calculated, or both, from the seed value. Seeding of the token involving a counter, time, or time-related functions, may allow synchronization of the token with such functions.

Abstract: For the determination of a result of a modular exponentiation, a randomization auxiliary number is employed for the randomization of the exponent on the basis of the product of the public key and the private key less “1”. This randomization auxiliary number may be derived from the private RSA dataset without special functionalities. Thus, low-overhead exponent randomization may be performed for each security protocol universally, to perform a digital signature secure against side-channel attacks.

Abstract: An extension of the serial/parallel Montgomery modular multiplication method with simultaneous reduction as previously implemented by the applicants, adapted innovatively to perform both in the prime number and in the GF(2q) polynomial based number field, in such a way as to simplify the flow of operands, by performing a multiple anticipatory function to enhance the previous modular multiplication procedures.

Abstract: System and method for providing secure resource management. The system includes a first device that creates a secure, shared resource space and a corresponding root certificate for the shared space. The first device associates one or more resources that it can access with the shared space. The first device invites one or more other devices to join as members of the space, and establishes secure communication channels with the devices that accept this invitation. The first device generates a member certificate for each accepting device, and sends the root certificate and the generated member certificate to the device through the secure channel. These devices may then access resources associated with the shared space by presenting their member certificates. Further, members of the shared space may invite other device to join the space, and may create member certificates in the same manner as the first device.

Abstract: The present invention discloses a system and methods for biometric security using hand geometry recognition biometrics in a transponder-reader system. The biometric security system also includes a hand geometry scan sensor that detects biometric samples and a device for verifying biometric samples. In one embodiment, the biometric security system includes a transponder configured with a hand geometry scan sensor. In another embodiment, the system includes a reader configured with a hand geometry scan sensor. In yet another embodiment, the present invention discloses methods for proffering and processing hand geometry scan samples to facilitate authorization of transactions.

Abstract: One embodiment is a system adapted to encrypt one or more packets of plaintext data in cipher-block chaining (CBC) mode. The system includes a plurality of digital logic components connected in series, where respective components are operative to process one or more rounds of a block cipher algorithm. A plurality of N bit registers are respectively coupled to the plurality of digital logic components. An XOR component receives blocks of plaintext data and blocks of ciphertext data, and XORs blocks of plaintext data for respective plaintext packets with previously encrypted blocks of ciphertext data for those plaintext packets. The XOR component iteratively feeds the XOR'd blocks of data into a first of the plurality of the digital logic components. In addition, a circuit component is operative to selectively pass blocks of ciphertext data fed back from an output of a final logic component to the XOR component.

Abstract: An apparatus and method for extracting signature candidates and optimizing a corresponding signature are provided. The apparatus includes a packet separator, a header parser, a traffic information generator, a substring extractor, and a signature candidate extractor. The packet separator separates a packet into a header and a payload. The header information parser parses the header information, and the traffic information generator generates traffic information. The substring extractor measures a frequency of appearing of a substring with a predetermined length in the separated payload for a constant observation period, and extracts a substring having a frequency higher than a predetermined setup value by updating the measured frequency information to a substring frequency table.

Abstract: Provided is a network system using diameter authentication, authorization and accounting (AAA) infrastructure to support the bootstrapping of a Mobile Internet Protocol version 6 (IPv6) mobile node. The network system includes a mobile node equipped with Mobile IPv6, an attendant which is accessed by the mobile node when the mobile node moves toward a new network, an AAA local server which supports AAA processes for the mobile node in a local network, an AAA home server which supports AAA processes for the mobile node in a home network, and supports initial settings during the bootstrapping of the mobile node, and a home agent which handles binding update (BU) and binding acknowledgement (BA) regarding the mobile node. The AAA home server can configure initial settings for the mobile node that is authenticated by the AAA local server so that the mobile node can be effectively bootstrapped.

Abstract: A system and method for securely authenticating a data exchange session with an implantable medical device is presented. A crypto key uniquely associated with an implantable medical device is defined to authenticate data during a data exchange session. A secure connection is established from an external source with a secure key repository securely maintaining the crypto key. Authorization to access data on the implantable medical device is authenticated by securely retrieving the crypto key from the secure key repository.

Abstract: Method of cryptography in a smart card comprising a central processing unit, said method implementing precomputation operations, characterized in that said precomputation operations are performed by the smart card and in that the precomputation operations are carried out at a session during the waiting periods of the inputs/outputs of the central processing unit.

Abstract: An embodiment of the present invention includes a technique to register a client to a server for communication. A message containing an identification (ID) code is transmitted to a server. If the key is stored in the server, the key encrypted with the ID code is received from the server via a network. The encrypted key is decrypted using the identification code. Otherwise, the key is encrypted using the ID code. The encrypted key is transmitted to the server via the network. Information is exchanged with the server via the network. The information is encrypted and decrypted by the key.

Abstract: Embodiments of methods and apparatus for providing an access profile system associated with a broadband wireless access network are generally described herein. Other embodiments may be described and claimed.

Abstract: A method of confirming the identity of a user includes processing biometric credentials, generating a user configurable policy including identities of a plurality of authenticating entities, storing the user configurable policy in a device, presenting the device to an authenticating entity at an authentication station, and requesting biometric and personal data of the user from the device data. The biometric data corresponds to at least one biometric feature desired for authenticating the user and the requesting operation is performed by a workstation of the authenticating entity.

Abstract: An information processing apparatus has an authentication/key exchange unit, a round trip time measuring unit, a common key transmitter, a contents key transmitter and a contents transmitter. The round trip time measuring unit sends a round trip time measuring request generated to the communication apparatus through the first communication connection to measure the round trip time, and check whether the measured round trip time is within a predetermined time and whether a transmitting source of the round trip request response is the communication apparatus sharing the first key. The common key transmitter encrypts a second key used for contents transmission by using the first key and transmits the encrypted second key through the first communication connection when the round trip time measuring unit succeeds in the checking.

Abstract: An elliptic curve cryptography method which generates a public key for use in a communication encryption using an elliptic curve, including: changing a number of a secret key (d) of (k) bits to an odd number; encoding the secret key to yield an encoded secret key (d) in which a most significant bit (MSB) is (1) and a rest positional number is (1) or (?1); and computing the public key (Q=Dp) by multiplying the encoded secret key (d) by a predetermined point (P) on the elliptic curve by a scalar multiplication.

Abstract: A wireless communication authentication program whereby a slave station in a small-scale wireless LAN system can be authenticated by a simple procedure. A wireless communication authentication device periodically increments a first system timer value (Step S1) for which an optional numerical value is set beforehand. A wireless communication device sets therein a second system timer value (Step S2) so as to coincide with the first system timer value and periodically increments the second system timer value (Step S3). The wireless communication device transmits an authentication request command including a third system timer value (Step S4), and the wireless communication authentication device compares the third system timer value included in the authentication request command with the first system timer value thereof assumed at the time of reception of the command (Step S6).

Abstract: Techniques are described that facilitate cryptographic operations, such as data encryption, signing and others, encryption using a computerized method for multiplying a scalar by a point. In one implementation, a set of random integers is selected, wherein the set comprises at least one integer selected randomly. A string is configured, based in part on the set of random integers. Output in the form of a product of the scalar and the point is then calculated, based on the string.

Abstract: A secure solution is provided to the problem of secret key agreement. In particular, a method of reliable forward secret key sharing is disclosed between two legitimate correspondents whose profiles match sufficiently. The invention relies on a physical random function, sometimes referred to as a physical unclonable function (PUF) to provide a secure solution to the problem of secret key agreement. In one embodiment, a one-pass protocol is introduced based on Reed-Solomon codes leading to an unconditionally secure solution. In a further embodiment, the solution of the first embodiment is improved upon by providing a conditionally secure solution based on a pseudo random family of functions. In a still further embodiment, a two-pass protocol is introduced which is used exclusively for purposes of identification and authentication. In accordance with the principles of the two-pass protocol, two communications are required and unlike the one-pass protocol, the second correspondent selects the secret key K.

Abstract: A cryptographic system, method, and device for implementing cryptographic functions designed to protect data is provided. The method includes (a) providing an algorithm processing unit, (b) executing a cryptographic algorithm at the algorithm processing unit using a first cryptographic datum and input data to form output data, (c) determining if a context switch command is received from a controller, (d) receiving a second cryptographic datum from a memory if the context switch command is received, (e) replacing the second cryptographic datum with the first cryptographic datum if the context switch command is received, and (f) repeating (b)-(e). The controller switches the processing state of the algorithm processing unit from one channel to another channel without leaking data between channels through execution of the operations each time a channel switch is selected. As a result, a single algorithm processing unit used with a controller can provide multiple independent levels of security.

Abstract: According to an aspect of the invention, Montgomery arithmetic can be achieved while omitting division in an input stage. That is, the aspect of the invention is configured to obtain a Montgomery transform result m? (=mR mod p) of n-bit from an input m of 2n-bit without using the division, with using Montgomery reduction and Montgomery multiplication instead of conventional mod arithmetic and the Montgomery transform. Accordingly, Montgomery arithmetic can be achieved while omitting the division in the input stage.

Abstract: Improved security processing circuits are discussed which may be used alone or as part of a network interface device of a host system using a DES engine to accomplish 3DES processing. The security processing circuit is adapted for selectively encrypting outgoing data and decrypting incoming data, where the network interface device may be fabricated as a single integrated circuit chip. The improved circuit makes use of a unique circuit component arrangement to provide shortened path timings within the DES engine processing. To accomplish this overall timing performance improvement, the permutation and inverse permutation blocks are removed from these critical path timings of the three individual DES processing operations, and moved to the beginning and end of the 3DES process.

Abstract: Embodiments of the system may utilize a Knowledge Broadcasting System for specifying content metadata and locating Internet documents. In this instance embodiments of the invention comprise an improved manner of specifying the content of an Internet document in such a way that the users of the system are able to retrieve relevant Internet documents. This is accomplished using a three-tiered search engine where the first-tier is denoted as a category search, the second tier is denoted as a context search, and the third-tier is denoted as a keyword search. At each step relevant information is filtered out and the focus of the search is narrowed. In the general search, the user narrows the focus of the search by selecting a hierarchical definition.

Abstract: An architecture and methodology for implementing Montgomery multiplication on a computer system that supports SIMD instructions is described.

Abstract: A token device that generates and displays one-time passwords and couples to a computer for inputting or receiving data for generating and outputting one-time passwords and performing other functions is provided. The token includes an interface for coupling to a computer. The token may also be coupled to any network that the computer may be connected to, when coupled to the computer. Data and information may be transmitted between the computer and token, and between the network and token, via the computer and interface. The data and information may include one-time password seeding, file transfer, authentication, configuration and programming of the token. The token must be seeded to generate and display one-time passwords. An original, or seed, value is loaded into the token. One-time passwords are subsequently generated or calculated, or both, from the seed value. Seeding of the token involving a counter, time, or time-related functions, may allow synchronization of the token with such functions.

Abstract: A system and method to validate security credentials using hardware is provided. The system includes a credential validation module to recalculate security credentials received in a datagram and to determine if the security credentials are valid. The system also includes a parser to extract the security credentials from the payload data of the received datagram, and a memory to store validated credentials for further use.

Abstract: An initial sequence number generator is provided that prevents the local server from being attacked while maintaining reliable data transfer. A random intermediate value is created that is unique to each connection identifier and is combined with a random value created from a global counter to generate the initial sequence number. The counter capable of monotonically increasing by both a fixed and variable amount for ensuring that the same connection identifier does not have data collisions from competing sequence numbers within a predetermined period of time, and also to ensures randomness of the initial sequence number on a per connection basis for preventing attacks on the local server.

Abstract: In scalar multiplication method using a Montgomery-type elliptic curve, a high-speed elliptic curve calculation device effectively uses a table that stores coordinates of certain scalar multiple points like points multiplied by exponentiation of two to a certain point G and so forth. The elliptic curve calculation device receives an arbitrary integer k of n bits and outputs scalar-multiplied points against a point G on a Montgomery-type elliptic curve E on a finite field F that is given in advance. The elliptic curve calculation device includes a calculation procedure generation unit that generates a calculation procedure that addition on the elliptic curve E with either of G, 2 *G, 22*G., . . .

Abstract: A method for mutual authorization of a secondary resource in a grid of resource computers is provided. When a primary resource attempts to offload a grid computing job to a secondary resource, the primary resource sends a proxy certificate request to the user machine. Responsive to a proxy certificate request, the user machine performs authorization with the secondary resource. If authorization with the secondary resource is successful, the user machine generates and returns a valid proxy certificate. The primary resource then performs mutual authentication with the secondary resource. If the authorization with the secondary resource fails, the user machine generates and returns an invalid proxy certificate. Mutual authentication between the primary resource and the secondary resource will fail due to the invalid proxy certificate. The primary resource then selects another secondary resource and repeats the process until a resource is found that passes the mutual authorization with the user machine.

Abstract: An object of the present invention is to a provide tamper resistant information processing unit that is used as an IC card with a high level of security. To achieve the above-mentioned object, the information unit of the present invention comprises: a program container part for storing a program; a memory for storing data; an arithmetic unit for performing specified processing according to the program; a data bus for connecting the memory to the arithmetic unit; and a transform function for transforming a logical address and a physical address of the memory, said logical address being used for arithmetic operation by the arithmetic unit, said physical address being set at random corresponding to the logical address at each arithmetic operation or every time the information processing unit is started up.

Abstract: An online transaction system configured to implement authentication methods that allow for strong multi-factor authentication in online environments. The authentication methods can be combined with strong security methods to further ensure that the authentication process is secure. Further, the strong multi-factor authentication can be implemented with zero adoption dependencies through the implementation of automated enrollment methods.

Abstract: Methods and apparatus for reducing the impact of latency associated with decrypting encrypted data are provided. Rather than wait until an entire packet of encrypted data is validated (e.g., by checking for data transfer errors), the encrypted data may be pipelined to a decryption engine as it is received, thus allowing decryption to begin prior to validation. In some cases, the decryption engine may be notified of data transfer errors detected during the validation process, in order to prevent reporting false security violations.

Abstract: Proof is established by means of the following parameters: m pairs of private values Q1 and public values G1 m>1, a public module n made of the product of f first factors pj, f>2, a public exponent v, linked to each other by relations of the type: G1.Qiv=1 mod n or G1=Q1v mod n. Said exponent v is such that v=2k where k>1 is a security parameter. Public value G1 is the square g12 of a base number gi that is lower than f first factors pj, so that the two equations: x2=gi mod n and x2=?g1 mod n do not have a solution in x in the ring of the modulo n integers and such that the equation xv=g12 mod n has solutions in x in the ring of the modulus n integers.

Abstract: The invention provides for robust efficient distributed generation of RSA keys. An efficient protocol is one which is independent of the primality test “circuit size”, while a robust protocol allows correct completion even in the presence of a minority of arbitrarily misbehaving malicious parties. The disclosed protocol is secure against any minority of malicious parties (which is optimal). The disclosed method is useful in establishing sensitive distributed cryptographic function sharing services (certification authorities, signature schemes with distributed trust, and key escrow authorities), as well as other applications besides RSA (namely: composite ElGamal, identification schemes, simultaneous bit exchange, etc.). The disclosed method can be combined with proactive function sharing techniques to establish the first efficient, optimal-resilience, robust and proactively-secure RSA-based distributed trust services where the key is never entrusted to a single entity (i.e.

Abstract: The proof is provided by means of the following parameters: a public module n formed by the product of f prime factors pi, f>2; a public superscript v; m base numbers gi, m>1. The base numbers gi are such that the two equations: x2?gi mod n and x2??gi mod n cannot de solved in x in the ring of integers modulo n, and such that the equation xv?gi2 mod n can be solved in x in the ring of integers modulo n in the case where the public superscript v is in the form v=2k, wherein k is a security parameter.

Abstract: Scalable and unified multipliers for multiplication of cryptographic parameters represented as elements of either of the prime field (GF(p)) and the binary extension field (GF(2m)) include processing elements arranged to execute in pipeline stages. The processing elements are configurable to perform operations corresponding to either the prime field or the binary extension field. In an example, the processing elements include a dual-field adder having a field-select input that permits selection of a field arithmetic. In a representative example, multipliers are implemented as integrated circuits having processing units that each receive a single bit of one operand and partial words of the remaining operand.

Abstract: An apparatus for encryption and decryption, capable of use in encryption and decryption of advanced encryption standard. Byte substitution operation and inverse byte substitution operation are to be combined. Byte substitution operation can be expressed as y=M*multiplicative_inverse(x)+c while inverse byte substitution operation can be expressed as x=multiplicative_inverse(M?1*(y+c)), wherein M and M?1 are inverse matrix of each other and c is a constant matrix. Since the two equations employ a look-up table, that is, multiplicative_inverse(x), the lookup tables for use in byte substitution and inverse byte substitution operations are to be combined according to the invention so as to lower hardware complexity of the implementation. In addition, main operations of column mixing operation and inverse column mixing operation are to be rearranged to combine the two operations in part, resulting in simplified hardware implementation.

Abstract: Techniques for implementing a digital signature algorithm in electronic computer hardware include computing the multiplicative inverse of a particular integer modulo a prime modulus by computing a first quantity modulo the prime modulus. The first quantity substantially equals, modulo the prime modulus, the particular integer raised to a power of a second quantity. The second quantity is two less than the prime modulus. The techniques allow an integrated circuit block to compute a modulo multiplicative inverse, such as for signing and verifying digital signatures, using existing blocks of circuitry that consume considerably less area on a chip, and incur fewer developmental costs, than an implementation of an algorithm conventionally used in software.

Abstract: The invention relates to a method for exchanging at least one secret initial value between a processing station and a chip card, in an initializing step for the chip card. In the initialization of chip cards in known methods an initial value, e.g. a key, is transmitted from a processing station to the chip card and stored therein. Since this key is transmitted in plaintext this involves security problems. In the present invention the described security problems are solved by only parts of the key being exchanged between processing station and chip card and the key being generated in the chip card and the processing station from the parts.