Authentication By Digital Signature Representation Or Digital Watermark Patents (Class 713/176)
  • Publication number: 20140351599
    Abstract: Systems and methods for processing encoded messages within a wireless communications system are disclosed. A server within the wireless communications system performs signature verification of an encoded message and provides, together with the message, an indication to the mobile device that the message has been verified. In addition, the server provides supplemental information, such as, for example, a hash of the certificate or certificate chain used to verify the message, to the device, to enable the device to perform additional checks on the certificate, such as, for example, validity checks, trust checks, strength checks, or the like.
    Type: Application
    Filed: August 7, 2014
    Publication date: November 27, 2014
    Inventors: Michael Kenneth Brown, Herbert Anthony Little, Michael Stephen Brown
  • Publication number: 20140351600
    Abstract: A method and apparatus which ensures that static data entered into a communications device or apparatus is accurate, or at least consistent with data provided to an authentication service.
    Type: Application
    Filed: August 11, 2014
    Publication date: November 27, 2014
    Inventor: Jeffrey M. Robbins
  • Patent number: 8898477
    Abstract: A system and method of operating a device to securely update the control firmware controlling the device. Downloading a firmware update package to a first microcontroller of the device. Determining a firmware update portion and an encrypted hash portion of the firmware update package wherein the encrypted hash portion is cryptographically signed by a signatory. Confirm that the encrypted hash portion conforms to the firmware update by independently computing the hash of the encrypted firmware update portion on the first microcontroller and comparing that value to the signed hash. Other systems and methods are disclosed.
    Type: Grant
    Filed: November 12, 2007
    Date of Patent: November 25, 2014
    Assignee: Gemalto Inc.
    Inventors: Sylvain Prevost, Ksheerabdhi Krishna, Ruchirkumar D Shah, Mehdi Asnaashari
  • Patent number: 8898240
    Abstract: Example methods and apparatus associated with a messaging policy controlled email deduplication are provided. In one example a messaging policy is accessed. It is determined whether a received message complies with the policy based on rules of the messaging policy. If a message complies with the messaging policy, the message is displayed. If the message does not comply with the messaging policy, it is determined whether the message is duplicative. If the message is deemed duplicative it is not displayed. Conversely, if the message is not deemed duplicative it is displayed.
    Type: Grant
    Filed: August 16, 2011
    Date of Patent: November 25, 2014
    Inventor: Roderick B. Wideman
  • Patent number: 8898473
    Abstract: A system and method are provided for pre-processing encrypted and/or signed messages at a host system before the message is transmitted to a wireless mobile communication device. The message is received at the host system from a message sender. There is a determination as to whether any of the message receivers has a corresponding wireless mobile communication device. For each message receiver that has a corresponding wireless mobile communication device: the message is processed so as to modify the message with respect to encryption and/or authentication aspect. The processed message is transmitted to a wireless mobile communication device that corresponds to the first message receiver. The system and method may include post-processing messages sent from a wireless mobile communications device to a remote system. Authentication and/or encryption message processing is performed upon the message. The processed message may then be sent through the remote system to one or more receivers.
    Type: Grant
    Filed: September 12, 2012
    Date of Patent: November 25, 2014
    Assignee: BlackBerry Limited
    Inventors: James A. Godfrey, Herbert A. Little, Michael K. Brown, Neil P. Adams, Carl L. Cherry, Timothy R. Tyhurst, Michael S. Brown
  • Patent number: 8898474
    Abstract: A method of operating an access point (AP) configured to support multiple pre-shared keys at a given time to authenticate its associated client devices. Each client device associated with the AP is provisioned with a key. To authenticate the client device that attempts to connect to the AP, the AP determines which pre-shared key (PSK) of the multiple supported pre-shared keys (PSKs), if any, matches information including the key received from the client device. When the information matches, the client device is allowed to connect to the AP. Provisioning the AP with multiple PSKs allows selectively disconnecting associated client devices from the AP. The AP may be configured to support PSKs of different lifetime and complexity. Removing a PSK of the multiple PSKs supported by the AP and disconnecting a client device that uses this PSK does not disconnect other client devices using different keys to access the AP.
    Type: Grant
    Filed: January 26, 2009
    Date of Patent: November 25, 2014
    Assignee: Microsoft Corporation
    Inventors: Hui Shen, Xiong Jiang, Anirban Banerjee, Hong Liu, Taroon Mandhana
  • Publication number: 20140344581
    Abstract: Techniques are provided for securely upgrading a field programmable circuit, e.g., a Field Programmable Gate Array (FPGA), in a device that has been deployed to a customer site. A plurality of keys is stored in the device, e.g., public, private, and/or symmetric keys. The keys are used to authenticate and decrypt a newly received FPGA software image upgrade. The image upgrade is re-encrypted using one of the stored keys and stored in the computing device. The device is booted and the encrypted image upgrade is loaded into the field programmable circuit. The encrypted image upgrade is decrypted to obtain the image upgrade for execution on the field programmable circuit.
    Type: Application
    Filed: May 16, 2013
    Publication date: November 20, 2014
    Applicant: Cisco Technology, Inc.
    Inventors: Anthony H. Grieco, Chirag Shroff
  • Publication number: 20140344582
    Abstract: The data storage portion stores an encrypted medium device key Enc (Kcu, Kmd_i) generated by encrypting a medium device key (Kmd_i), a medium device key certificate (Certmedia), and encrypted content data generated by encrypting content data, the controller stores a controller key (Kc) and first controller identification information (IDcu), the information recording device being configured to execute, after being connected to an external host device, a one-way function calculation based on the controller key (Kc) and the first controller identification information (IDcu) to generate a controller unique key (Kcu) used when decrypting the encrypted medium device key Enc (Kcu, Kmd_i), and second controller identification information (IDcntr) used when decrypting the encrypted content data.
    Type: Application
    Filed: July 30, 2014
    Publication date: November 20, 2014
    Inventors: Taku KATO, Yuji NAGAI, Tatsuyuki MATSUSHITA
  • Patent number: 8893187
    Abstract: A television set is capable of receiving both a broadcast program from a television station and a corresponding digital file of the same contents from a server station through the internet. The television set keeps information on the time limit within which the server station is sure to provide the file. The television set automatically downloads the file when the time limit comes close or when the time limit information fails to be kept. The television set keeps the URL for the moving image program being enjoyed when the television set is turned off until it is next turned on, for instantly enjoying the moving image content provided at the URL. A user who, on turning on the television set or changing the channel with no particular program in mind, happens to take an interest in the program on display can enjoy the program from the beginning by downloading the corresponding digital file of the same contents through the internet by an automatic link.
    Type: Grant
    Filed: March 25, 2014
    Date of Patent: November 18, 2014
    Assignee: NL Giken Incorporated
    Inventor: Masahide Tanaka
  • Patent number: 8892880
    Abstract: A system and method for obtaining an authorization key to use a product utilizes a secured product identification code, which includes a serial number and at least one code that is generated based on a cryptographic algorithm.
    Type: Grant
    Filed: October 28, 2010
    Date of Patent: November 18, 2014
    Assignee: NXP B.V.
    Inventors: Ralf Malzahn, Hauke Meyn
  • Patent number: 8892866
    Abstract: A secure cloud storage and synchronization system and method is described that provides, among other things: (1) local password recovery, including a mechanism by which the user of the system can recover their password without having stored it on a remote server; (2) secure, private versioning of files, including a mechanism to privately store a version history of files on one or more remote servers in such a way that it is technically infeasible for anyone other than the legitimate owner to access any component of the file history; (3) secure, private de-duplication of files stored on one or more remote servers that reduces storage requirements by allowing for the storage of a single file when there are duplicates, even across users; and (4) secure, private sharing of files between users of the system that allows one user to share a file on the “cloud” with another user without deciphering or transporting the file.
    Type: Grant
    Filed: September 17, 2012
    Date of Patent: November 18, 2014
    Assignee: Tor Anumana, Inc.
    Inventors: Troy Schilling, Subhashis Mohanty, Sara Mohanty
  • Patent number: 8893295
    Abstract: Systems and methods of restricting access to mobile platform location information may involve receiving, via a link, location information for a mobile platform at a processor of the mobile platform, and preventing unauthorized access to the location information by an operating system associated with the mobile platform.
    Type: Grant
    Filed: December 21, 2010
    Date of Patent: November 18, 2014
    Assignee: Intel Corporation
    Inventors: Paritosh Saxena, Nimrod Diamant, David Gordon, Benny Getz
  • Patent number: 8893242
    Abstract: A computer-implemented system and method for pool-based identity generation and use for service access is disclosed. The method in an example embodiment includes seeding an identity generator with a private key; retrieving independently verifiable data corresponding to a service consumer; using the independently verifiable data to create signed assertions corresponding to the service consumer; generating a non-portable identity document associated with the service consumer, the identity document including the signed assertions; signing the identity document with the private key; and conveying the signed identity document to the service consumer via a secure link.
    Type: Grant
    Filed: April 29, 2008
    Date of Patent: November 18, 2014
    Assignee: eBay Inc.
    Inventors: Raju Venkata Kolluru, Michael Dean Kleinpeter, Liam Sean Lynch, Christopher J. Kasten, Rajesh Kanungo
  • Patent number: 8892894
    Abstract: A computer-implemented system and method for embedding and authenticating ancillary information in digitally signed content are disclosed.
    Type: Grant
    Filed: June 7, 2013
    Date of Patent: November 18, 2014
    Assignee: Rovi Solutions Corporation
    Inventors: Andres M Torrubia, Jordi Salvat
  • Patent number: 8893308
    Abstract: A method and system are provided for counterfeit prevention for optical media. In one example, a system is provided for verifying authenticity information on an optical medium. The system receives the optical medium including a fingerprint having at least one probabilistic feature. A probabilistic feature is a physical feature having both a substantial chance to be read as a first value and a substantial chance to be read as a second value. The system receives an o-DNA signature-at-issuance. The system calculates an o-DNA signature-at-verification by reading each probabilistic feature plural times. The system calculates a vector-of-differences between the o-DNA signature-at-issuance and the o-DNA signature-at-verification. The vector-of-differences includes a maximum distance metric between the o-DNA signature-at-issuance and the o-DNA signature-at-verification. The vector-of-differences indicates the optical medium is authentic if the maximum distance metric is less than a threshold.
    Type: Grant
    Filed: December 14, 2012
    Date of Patent: November 18, 2014
    Assignee: Microsoft Corporation
    Inventors: Vicky Svidenko, Darko Kirovski
  • Patent number: 8892893
    Abstract: Systems and methods are disclosed for embedding information in software and/or other electronic content such that the information is difficult for an unauthorized party to detect, remove, insert, forge, and/or corrupt. The embedded information can be used to protect electronic content by identifying the content's source, thus enabling unauthorized copies or derivatives to be reliably traced, and thus facilitating effective legal recourse by the content owner. Systems and methods are also disclosed for protecting, detecting, removing, and decoding information embedded in electronic content, and for using the embedded information to protect software or other media from unauthorized analysis, attack, and/or modification.
    Type: Grant
    Filed: January 10, 2013
    Date of Patent: November 18, 2014
    Assignee: Intertrust Technologies Corporation
    Inventors: William G. Horne, Umesh Maheshwari, Robert E. Tarjan, James J. Horning, W. Olin Sibert, Lesley R. Matheson, Andrew K. Wright, Susan S. Owicki
  • Patent number: 8892900
    Abstract: Systems, apparatus and methods for privacy-protecting integrity attestation of a computing platform. An example method for privacy-protecting integrity attestation of a computing platform (P) has a trusted platform module (TPM), and comprises the following steps. First, the computing platform (P) receives configuration values (PCR1 . . . PCRn). Then, by means of the trusted platform module (TPM), a configuration value (PCRp) is determined which depends on the configuration of the computing platform (P). In a further step the configuration value (PCRp) is signed by means of the trusted platform module. Finally, in the event that the configuration value (PCRp) is one of the received configuration values (PCR1 . . . PCRn), the computing platform (P) proves to a verifier (V) that it knows the signature (sign(PCRp)) on one of the received configuration values (PCR1 . . . PCRn).
    Type: Grant
    Filed: September 2, 2012
    Date of Patent: November 18, 2014
    Assignee: International Business Machines Corporation
    Inventors: Endre-Feliz F. Bangerter, Matthias Schunter, Michael P. Waidner, Jan L. Camenisch
  • Patent number: 8893241
    Abstract: Systems and methods are provided for controlling access via a computer network to a subscriber server. A log-in server receives a query to connect through the computer network to the subscriber server, and the log-in server receives registrant identification data. A first session is established between the log-in server and the subscriber server to validate the registrant identification data, and to generate a session password. A second session is established between the log-in server and the subscriber server. The second session is configured to authorize, based in part on the registrant identification data, access to at least a portion of a website associated with the subscriber server.
    Type: Grant
    Filed: March 11, 2013
    Date of Patent: November 18, 2014
    Assignee: Albright Associates
    Inventor: Teresa C. Piliouras
  • Publication number: 20140337630
    Abstract: A method and apparatus for verifying data for use on an aircraft. A plurality of digital certificates associated with the data is received by a processor unit. The processor unit verifies the data for use on the aircraft using a selected number of the plurality of digital certificates.
    Type: Application
    Filed: May 7, 2013
    Publication date: November 13, 2014
    Applicant: The Boeing Company
    Inventors: Greg A. Kimberly, Ian Gareth Angus
  • Publication number: 20140337632
    Abstract: Distribution of a certificate and a private key via a network includes a certificate/private key storage unit by which a certificate and a private key prepared for distribution to one or more devices are stored; a security level storage unit by which a security level for each device belonging to a device group is stored; and a display/instruction unit by which a selection screen prompting a user to select one or more devices from the device group is displayed. An instruction for the selection made by the user is received; and a certificate/private key distribution unit by which, via the network, the certificate and the private key for each device are distributed to the one or multiple devices for which the instruction for selection was made. For each device, the selection screen displays the device security level.
    Type: Application
    Filed: August 8, 2012
    Publication date: November 13, 2014
    Applicant: ALAXALA NETWORKS CORPORATION
    Inventor: Hiroyasu Kimura
  • Publication number: 20140337631
    Abstract: A method for storing digital data information on a data carrier and for reading the information therefrom uses a disk having an individual digital identifier. A signature is formed, and the information includes information items, which can be processed by a first electronic data processing device only if the identifier and the signature are in a predefined relation to one another. To supply a household appliance operated by an electric motor with process control data, while ensuring that only original data are used, the information components can be processed by a second electronic data processing device even if the signature and the identifier are not in the predefined relation to one another. Also, a household appliance operable by an electric motor, in particular a food processor, has an electronic data processing device. A system and an integrated semiconductor circuit also realize the features for storing digital data information.
    Type: Application
    Filed: May 7, 2014
    Publication date: November 13, 2014
    Applicant: Vorwerk & Co. Interholding GmbH
    Inventor: Volker GREIVE
  • Patent number: 8886948
    Abstract: A wireless device may perform a local authentication to reduce the traffic on a network. The local authentication may be performed using a local web server and/or a local OpenID provider (OP) associated with the wireless device. The local web server and/or local OP may be implemented on a security module, such as a smartcard or a trusted execution environment for example. The local OP and/or local web server may be used to implement a provisioning phase to derive a session key, associated with a service provider, from an authentication between the wireless device and the network. The session key may be reusable for subsequent local authentications to locally authenticate a user of the wireless device to the service provider.
    Type: Grant
    Filed: August 12, 2013
    Date of Patent: November 11, 2014
    Assignee: InterDigital Patent Holdings, Inc.
    Inventors: Andreas U. Schmidt, Michael V. Meyerstein, Andreas Leicher, Yogendra C. Shah, Louis J. Guccione, Inhyok Cha
  • Patent number: 8887254
    Abstract: A database system comprising: a memory containing multiple data records, wherein each of the data records has a data record asymmetric key pair for cryptographic encryption and decryption, wherein each data record asymmetric key pair comprises a data record public key and a data record private key, wherein the data contained in each of the multiple data records is encrypted by the data record public key, wherein the data record private key of each data record asymmetric key pair is encrypted with the public key of another asymmetric key pair; a set of user accounts, wherein each of the user accounts has a user asymmetric key pair for encryption and decryption, wherein each user asymmetric key pair has a user public key and a user private key; wherein data is added to a data record by encrypting it with the data record public key; wherein access to the data record is granted to a user account by encrypting the data record private key with the public key of an asymmetric cryptographic key pair whose encrypted p
    Type: Grant
    Filed: December 15, 2010
    Date of Patent: November 11, 2014
    Assignee: Compugroup Medical AG
    Inventors: Adrian Spalka, Jan Lehnhardt
  • Patent number: 8886943
    Abstract: A method for authenticating a vehicle-external device in a bus system of a motor vehicle comprising control units is provided. In order to effectively and inexpensively prevent a sequence control system that is stored in a control unit from being manipulated, an authentication device is provided in the bus system. The authentication device transmits an authentication request to the vehicle-external device. The vehicle-external device signs the authentication request with a secret key of an asymmetric pair of keys, such as a pair of public keys, and transmits the signed authentication request or exclusively the signature to the authentication device. The authentication device determines a signature of the authentication request using the same algorithm as the vehicle-external device, and decodes the signature transmitted by the vehicle-external device using the public key which is complementary to the secret key, and compares the determined signature with the transmitted signature.
    Type: Grant
    Filed: October 27, 2006
    Date of Patent: November 11, 2014
    Assignee: Bayerische Motoren Werke Aktiengesellschaft
    Inventors: Horst Kiessling, Burkhard Kuhls
  • Patent number: 8887307
    Abstract: Secure functions may be accessed via an authentication process utilizing a password that may be generated within a chip integrated on a device. The password may be unique per chip location, per challenge and/or per chip. The location of the chip may be determined based on GPS information and securely stored and securely communicated to an external entity. Two or more of the chip location, a generated random number sample and a key from a table of keys may be passed to a hash function that may generate a password. An external entity attempting access may be challenged to respond with a password that matches the password generated by the hash function. The response may be compared with the password generated by the hash function and access to one or more secure functions may be granted based on the comparison.
    Type: Grant
    Filed: October 12, 2007
    Date of Patent: November 11, 2014
    Assignee: Broadcom Corporation
    Inventor: Xuemin (Sherman) Chen
  • Patent number: 8886945
    Abstract: Methods for providing content session information using a content manager, streaming server, and one or more watermarking devices are disclosed. A content asset is also disclosed. The content asset may include content. In addition, the content asset may include a content data field having forensic watermark information, e.g. session or identifying information. In one aspect, the content asset is compressed and the compressed content asset has one or more pre-processed candidate watermark locations. In this aspect, the forensic watermark information may be extracted, e.g. by a watermarking device, from the content data field and included in the one or more pre-processed candidate watermark locations.
    Type: Grant
    Filed: December 17, 2010
    Date of Patent: November 11, 2014
    Assignee: Motorola Mobility LLC
    Inventor: Mark E. Gregotski
  • Patent number: 8887287
    Abstract: A method and apparatus are disclosed for evaluating the security of at least one client. An executable program is executed by the client being evaluated. A result is received from the executable program, and an evaluation of the result indicates whether the client has been corrupted. The executable program is one of a plurality of possible programs. The result may be evaluated based on an elapsed time between when the executable program is provided to the client and when the result is received. The executable program may include at least one function that writes to a memory of the client. A program blinding technique is also disclosed to generate executable programs.
    Type: Grant
    Filed: October 27, 2004
    Date of Patent: November 11, 2014
    Assignee: Alcatel Lucent
    Inventors: Juan A. Garay, Lorenz Francis Huelsbergen
  • Patent number: 8886944
    Abstract: Watermarks may be used to deter certain types of information leaks. In one example, leaks occur in the form of posting, in public forums, screen shots of private pages. To deter this example kind of leak, private web pages within an organization may be watermarked with an experience identifier that identifies the session in which the screen shot is captured. Other information may also be included in the watermark. The watermark may be designed to survive image compression, so that it can be recovered from either a compressed or uncompressed image of the web page. By using an experience identifier recovered from the watermark, and logs that describe activity associated with that experience identifier, it may be possible to identify the source of the information leak.
    Type: Grant
    Filed: June 22, 2010
    Date of Patent: November 11, 2014
    Assignee: Microsoft Corporation
    Inventors: Michael P. Mastrangelo, Jose Emmanuel Miranda-Steiner
  • Patent number: 8887297
    Abstract: Aspects of the subject matter described herein relate to creating and validating cryptographically secured documents. In aspects, documents are encrypted to protect them from unauthorized access. An entity having namespace ownership rights may create a document in an authorized namespace and sign the document with a private key. Other entities may validate that the document was created by an authorized namespace owner by using a public key available in security data associated with a parent document of the document. For a root document, the public key may be available from a directory service. A namespace owner may change the namespace owner(s) that are allowed to create children of a document.
    Type: Grant
    Filed: July 13, 2007
    Date of Patent: November 11, 2014
    Assignee: Microsoft Corporation
    Inventor: Colin Wilson Reid
  • Patent number: 8885921
    Abstract: Anti-piracy measures for stereoscopic 3D content media displayed in dual lens projection systems are achieved by the forensic marking of each image in a stereoscopic image pair with separate component forensic marks or dots associated with each image of an image pair. In one example, the component mark used for marking one image of the pair is identical to the component forensic mark used for marking the other image of the pair. In another example, the component marks are different from each other. When superimposed over each other in proper alignment, the two component marks form a composite forensic mark. In this latter example, they each lack one or more of the forensic dots or shapes existing in the composite mark, and the component marks may or may not have one or more corresponding forensic dots or shapes in common.
    Type: Grant
    Filed: February 7, 2011
    Date of Patent: November 11, 2014
    Assignee: Thomson Licensing
    Inventors: Chris Scott Kutcka, Micah Robert Littleton
  • Patent number: 8886947
    Abstract: Some embodiments of the invention provide a method of verifying the integrity of digital content. At a source of the digital content, the method generates a signature for the digital content by applying a hashing function to a particular portion of the digital content, where the particular portion is less than the entire digital content. The method supplies the signature and the digital content to a device. At the device, the method applies the hashing function to the particular portion of the digital content in order to verify the supplied signature, and thereby verifies the integrity of the supplied digital content.
    Type: Grant
    Filed: December 20, 2012
    Date of Patent: November 11, 2014
    Assignee: Apple Inc.
    Inventors: Augustin J. Farrugia, Melanie Riendeau
  • Patent number: 8886940
    Abstract: In the computer data security field, a cryptographic hash function process embodied in a computer system and which is typically keyless, but is highly secure. The process is based on the type of chaos introduction exhibited by a game process such as the well known shuffling of a deck of playing cards. Computation of the hash value (digest) is the result of executing in a model (such as computer code or logic circuitry) a game algorithm that models the actual game such as a playing card shuffling algorithm using the message as an input to the algorithm, then executing the card shuffling algorithm on the input. A state (order) of the modeled deck of cards after a shuffle (or multiple shuffles) gives the hash digest value.
    Type: Grant
    Filed: May 29, 2009
    Date of Patent: November 11, 2014
    Assignee: Apple Inc.
    Inventors: Benoit Chevallier-Mames, Mathieu Ciet, Augustin J. Farrugia
  • Patent number: 8886946
    Abstract: The present invention provides a method and apparatus for the production and labeling of objects in a manner suitable for the prevention and detection of counterfeiting. Thus, the system incorporates a variety of features that make unauthorized reproduction difficult. In addition, the present invention provides a system and method for providing a dynamically reconfigurable watermark, and the use of the watermark to encode a stochastically variable property of the carrier medium for self-authentication purposes.
    Type: Grant
    Filed: April 30, 2012
    Date of Patent: November 11, 2014
    Assignee: Copilot Ventures Fund III LLC
    Inventors: Jay Fraser, Larry Weber
  • Publication number: 20140331056
    Abstract: An information processing system comprising interface circuitry configured to receive message-independent information, the message-independent information having been generated by another apparatus and transferred to the interface in advance of a digital signature being generated, send message-dependent information to an external device, and receive a digital signature from the external device; and processing circuitry configured to generate the message-dependent information from a message and at least a part of the message-independent information, and associate the digital signature with the message.
    Type: Application
    Filed: August 22, 2013
    Publication date: November 6, 2014
    Applicant: SONY CORPORATION
    Inventors: Yohei Kawamoto, Yu Tanaka
  • Publication number: 20140331054
    Abstract: In particular embodiments, a method includes receiving a request for a signature verification. In response to the request, signature data is encrypted. A first data size associated with the signature data is determined. A second data size associated with data of a data packet is determined. The method includes comparing the sum of the first data size and the second data size to a pre-determined data size. When the sum is less than or equal to the pre-determined data size, the encrypted signature data is included in the data packet; and the data packet is transmitted over a network.
    Type: Application
    Filed: September 13, 2013
    Publication date: November 6, 2014
    Inventors: RAGHUNANDAN HANUMANTHARAYAPPA, KHADER BASHA P.R., SANTHOSH KRISHNAMURTHY
  • Publication number: 20140331055
    Abstract: A first executable program on a computer system is enabled to exchange communications with a second executable program on the computer system by determining that the first executable program requests to exchange information with the second executable program, using the second executable program to challenge the first executable program for a digital certificate, and using the second executable program to exchange information with the first executable program when the digital certificate is verified.
    Type: Application
    Filed: July 21, 2014
    Publication date: November 6, 2014
    Inventor: Terry N. HAYES
  • Patent number: 8880633
    Abstract: According to this disclosure, a proxy server is enhanced to be able to interpret instructions that specify how to modify an input object to create an output object to serve to a requesting client. Typically the instructions operate on binary data. For example, the instructions can be interpreted in a byte-based interpreter that directs the proxy as to what order, and from which source, to fill an output buffer that is served to the client. The instructions specify what changes to make to a generic input file. This functionality extends the capability of the proxy server in an open-ended fashion and enables it to efficiently create a wide variety of outputs for a given generic input file. The generic input file and/or the instructions may be cached at the proxy. The teachings hereof have applications in, among other things, the delivery of web content, streaming media, and the like.
    Type: Grant
    Filed: December 16, 2011
    Date of Patent: November 4, 2014
    Assignee: Akamai Technologies, Inc.
    Inventors: Nicholas S. Brookins, Akinwale O. Olugbile, Ronnie So, Stephen L. Ludin
  • Patent number: 8880889
    Abstract: The invention relates to systems and methods for secure, remote, wireless submission of financial transactions. Authentication and authorization functionality are provided through use of proof of possession tests, a token service that provides a user device with a token that includes user entitlement data, and high assurance digital certificates.
    Type: Grant
    Filed: March 3, 2008
    Date of Patent: November 4, 2014
    Assignee: Citigroup Global Markets, Inc.
    Inventors: Hilary Ward, Gary E. Greenwald, Francis A. Shanahan
  • Patent number: 8880891
    Abstract: A method, a system, and an apparatus for establishing communication are disclosed. The method establishes communication between at least two communication parties including a first communication party and a second communication party. The method includes: sending a Cryptographically Generated Address (CGA) request to the first communication party; receiving CGA parameters and a CGA signature returned by the first communication party; and authenticating the CGA parameters and the CGA signature, and establishing communication with the first communication party if the authentication succeeds. By using the method disclosed herein, in the process of establishing communication, the communication party authenticates the CGA parameters and CGA signature carried in the CGA extension header to determine authenticity of the CGA, thus preventing IP address spoofing and preventing or mitigating the network security problems caused by IP address spoofing.
    Type: Grant
    Filed: December 22, 2010
    Date of Patent: November 4, 2014
    Assignee: Chengdu Huawei Symantec Technologies Co., Ltd.
    Inventors: Lifeng Liu, Dong Zhang
  • Patent number: 8880890
    Abstract: A system and method to control the writing on electronic paper (e-paper). An e-paper device may incorporate authentication indicia as part of informational data written on e-paper material. The informational data is protected by a security methodology that is accessible to authorized entities. A reader device may be used to help make a verification determination of whether encrypted or encoded data has been altered. In some instances an output alert operably coupled to the reader device serves as a verification status indicator.
    Type: Grant
    Filed: December 21, 2010
    Date of Patent: November 4, 2014
    Assignee: The Invention Science Fund I, LLC
    Inventors: Edward K. Y. Jung, Royce A. Levien, Mark A. Malamud, John D. Rinaldo, Jr.
  • Patent number: 8881272
    Abstract: A system for controlling selection of filters for protecting against vulnerabilities of a computer network includes a vulnerability management system that analyzes the computer network and determines network vulnerabilities for the computer network. The vulnerability management system is configured to receive real-time data on a status of filters protecting against vulnerabilities of the computer network. A database contains a pre-generated mapping of network vulnerabilities to filters for protecting against the network vulnerabilities. The vulnerability management system enables user control of filters for protecting against vulnerabilities of the computer network based upon the determined network vulnerabilities of the computer network, the pre-generated mapping of network vulnerabilities to the filters for protecting against the network vulnerabilities and the real-time data on the status of the filters.
    Type: Grant
    Filed: March 18, 2010
    Date of Patent: November 4, 2014
    Assignee: Achilles Guard, Inc.
    Inventors: Eva Bunker, Nelson Bunker, Kevin Mitchell, David Harris
  • Patent number: 8880897
    Abstract: The present invention discloses a method for quickly and easily authenticating a large computer program. The system operates by first sealing the computer program with a digital signature in an incremental manner. Specifically, the computer program is divided into a set of pages and a hash value is calculated for each page. The set of hash values is formed into a hash value array, and the hash value array is then sealed with a digital signature. The computer program is then distributed along with the hash value array and the digital signature. To authenticate the computer program, a recipient first verifies the authenticity of the hash value array with the digital signature and a public key. Once the hash value array has been authenticated, the recipient can then verify the authenticity of each page of the computer program by calculating a hash of a page to be loaded and then comparing it with an associated hash value in the authenticated hash value array.
    Type: Grant
    Filed: December 21, 2012
    Date of Patent: November 4, 2014
    Assignee: Apple Inc.
    Inventors: Peter Kiehtreiber, Michael Brouwer
  • Patent number: 8881242
    Abstract: A node apparatus of an information communication system in which a content is distributed and stored by an overlay network configured by a plurality of node apparatuses and which has a center server that manages the content to be submitted to the overlay network, the node apparatus includes: a first creation unit configured to create meta-information that is used in submitting the content to the overlay network; a transmission unit configured to transmit the meta-information created by the first creation unit to the center server; a first reception unit configured to receive the meta-information and an electronic signature verifying the meta-information, which is determined to be proper by the center server, from the center server, and a permission unit configured to permit the meta-information received by the first reception unit to be acquired on the overlay network.
    Type: Grant
    Filed: January 30, 2012
    Date of Patent: November 4, 2014
    Assignee: Brother Kogyo Kabushiki Kaisha
    Inventor: Kentaro Ushiyama
  • Publication number: 20140325233
    Abstract: A system and method for embedding a watermark into a data file and communicating the data file to a particular node from a source component is described. The system includes a particular node, a source component, a node identifier request, a query, a watermark, a permutation key, an encrypted data file, and a node decryption key. The node identifier request is communicated from the source component to the particular node. The watermark is then embedded into the data file by the source component. The permutation key is configured to permute the watermark and the permutation key is changed so the location of the watermark changes. The encrypted data is decrypted at the particular node with the node decryption key that corresponds to the particular node. The particular node recovers the watermark from the data file with the permutation key.
    Type: Application
    Filed: July 12, 2013
    Publication date: October 30, 2014
    Applicant: XSETTE TECHNOLOGY, INC.
    Inventors: Albert Carlson, Steven B. Cohen, Lawrence duBoef, H. Stan Johnson
  • Patent number: 8874924
    Abstract: Methods and apparatus for identifying media are described. An example method includes determining application identification information for a media presentation application executing on a media device, determining a first watermark for the application identification information from a lookup table, requesting media identification information for media from the media presentation application, determining a second watermark for the media identification information from the lookup table, inserting the first watermark in the media prior to output of the media by the media device, and inserting the second watermark in the media prior to the output of the media by the media device.
    Type: Grant
    Filed: November 7, 2012
    Date of Patent: October 28, 2014
    Assignee: The Nielsen Company (US), LLC
    Inventor: Gavin McMillan
  • Patent number: 8872636
    Abstract: In RFID systems employed for loss prevention, an item supplier or an ingress reader writes an ownership code associated with an organization or facility into a tag, indicating that an item to which the tag is attached is associated with the facility and not foreign. At checkout or point-of-sale an authorization reader or mobile device writes a computed code and/or a ticket into the tag indicating that the tagged item is allowed to leave the facility. At point-of-exit an exit reader determines if the tagged item is allowed to leave the facility by verifying the ownership code and the code or ticket. The loss-prevention system may issue an alert or sound an alarm if a facility-associated item is leaving the facility without a proper code or ticket indicating that the item is approved to leave.
    Type: Grant
    Filed: August 16, 2013
    Date of Patent: October 28, 2014
    Assignee: Impinj, Inc.
    Inventors: Christopher J. Diorio, Scott A. Cooper
  • Patent number: 8874921
    Abstract: A method of generating a keyless digital multi-signature is provided. The method includes receiving multiple signature generation requests from one or more client computers, building subtrees based on the signature generation requests, and constructing a search tree including the subtrees. The method also includes assigning explicit length tags to leaf nodes of the search tree to balance the search tree and applying a hash function to each of the search tree nodes. The root hash value and the height of the search tree make up a generated aggregate signature request, followed by receiving an aggregate signature based on the aggregate signature request. The keyless digital multi-signature is generated based on the aggregate signature and contains an implicit length tag to verify that the number of signature generation requests is limited. The aggregate signature is generated if the height of the search tree does not exceed a predetermined height limitation.
    Type: Grant
    Filed: June 20, 2011
    Date of Patent: October 28, 2014
    Assignee: Guardtime IP Holdings, Ltd.
    Inventors: Ahto Buldas, Andres Kroonmaa, Märt Saarepera
  • Patent number: 8874900
    Abstract: A Direct Anonymous Attestation (DAA) scheme using elliptic curve cryptography (ECC) and bilinear maps. A trusted platform module (TPM) may maintain privacy of a portion of a private membership key from an issuer while joining a group. Moreover, the TPM can outsource most of the computation involved in generating a signature to a host computer.
    Type: Grant
    Filed: February 16, 2012
    Date of Patent: October 28, 2014
    Assignee: Intel Corporation
    Inventors: Ernie Brickell, Jiangtao Li
  • Patent number: 8874923
    Abstract: In various example embodiments, a system and method for providing policy-based authentication is provided. In example embodiments, a request to access and sign a document is received from a device of an intended signer. A policy assigned to the intended signer is determined. Based on the policy, a determination is made whether an authentication mechanism is applicable to the intended signer. In response to the determining that the authentication mechanism is applicable to the intended signer, the intended user is required to perform the authentication mechanism. The intended user is provided access to view and sign the document based on the intended user satisfying the authentication mechanism.
    Type: Grant
    Filed: July 24, 2012
    Date of Patent: October 28, 2014
    Assignee: Adobe Systems Incorporated
    Inventor: Dan Foygel
  • Patent number: 8875247
    Abstract: A method and system for instant personalization security are provided. The system includes a platform for a user to open applications and/or access web sites. When an application is integrated with the platform, the identification of the application can be combined with the ID of the user and encrypted into a hashed ID. The application does not have access to the user's fully identifying profile (e.g., UID or other public information). Instead, the application only has access to a pseudonymous profile (e.g., the hashed ID, first name, last initial, small profile pictures, and/or other non-fully identifying profile information) of the user. One or more options are then provided for the user to authorize or reject the application to access the user's fully identifying profile. Upon the user's authorization, an access token is provided to the application to access a subset of the user's fully identifying profile.
    Type: Grant
    Filed: March 14, 2013
    Date of Patent: October 28, 2014
    Assignee: Facebook, Inc.
    Inventors: Ling Bao, Andrew Chi-An Yang, Pratap Prabhu, Alex Rice, Joey Tyson, Naitik Shah