Abstract: A system that incorporates teachings of the present disclosure may include, for example, a set-top-box having a controller to transmit a request to a remote management server for status information associated with a x.509 certificate intended for the STB, and receive the status information associated with the x.509 certificate from the remote management server, where events associated with the status information are received by the remote management server from at least one of the STB, a certificates proxy, an external certificate web service, and a certificate authority, and where the status information comprises at least a portion of the received events. Other embodiments are disclosed.

Abstract: Tampering monitoring system can detect whether protection control module is tampered with even if some of detection modules are tampered with. Tampering monitoring system includes protection control module detection modules, and management device. Protection control module includes: generation unit generating d pieces of distribution data from computer program, n and d being positive integers, d smaller than n; selection unit selecting d detection modules; and distribution unit distributing d pieces of distribution data to d detection modules. Each detection module judges whether received piece of distribution data is authentic to detect whether protection control module is tampered with, and transmits judgment result indicating whether protection control module is tampered with. Management device receives judgment results from d detection modules and manages protection control module with regard to tampering by using received judgment results.

Abstract: An image processing device includes a plurality of printers (Pr1, Pr2, Pr3, Pr4, . . . ) and a plurality of client machines (PC1, PC2, PC3, PC4, PC5, . . . ). When requesting an image data processing to a printer other than the printer to which an image data processing has been requested firstly, the client machine checks the security level of the other printer to which the image data processing is to be requested before requesting the image data distribution processing to the other printer. When selecting another printer to which the image data distribution processing is to be requested, the security level in each printer is sufficiently considered.

Abstract: A digital content authentication system, an image display apparatus applied to the system, and a digital content authentication controlling method of the system are provided. The image display apparatus includes an interface section which demands authentication results from a plurality of source providing apparatuses through a bus and receiving responses to the demanding for the authentication result and an output section outputting the authentication results by the received response. Accordingly, the image display apparatus can recognize the authentication states of the source providing apparatuses.

Abstract: A method for preventing unauthorized use of software may be achieved by executing computer-readable code with instructions for recording an indication of at least one selected file of a software application in a memory location accessible to a security component of the software application, in which software application the security component is configured to cause a hash signature of the at least one selected file to be generated in response to a signal arising from use of the software application, hashing the at least one selected file to generate a first file signature, transmitting the first file signature to a secure network-accessible computer memory for storage and subsequent comparison to at least one subsequent file signature generated via operation of the security component on a client device, comparing the first file signature to a second file signature generated by the security component in response to a signal arising from use of the software application on the client device, and disabling the so

Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for providing confidential structured data. In one aspect, a method includes creating a first data structure instance according to a protocol for creating structured and extensible data structures. The first data structure instance is serialized. The serialized first data structure instance is encrypted. A second data structure instance is created according to the protocol. The second data structure instance contains the encrypted and serialized first data structure instance. The second data structure instance is serialized.

Abstract: Methods and systems consistent with the invention provide a hash process for use in password authentication. For instance, in one embodiment, a method may include receiving password data and combining the password data with a salt value. The salt value may, for example, be a random number. The method may also include calculating a first hash value based on the combined password data and salt value. The method may further include calculating, in a second iteration, a second hash value based on the first hash value and the password. In exemplary implementations, the method may also iteratively calculate a new hash value by applying the output hash value of a previous iteration, in combination with the password data, to the hash function. The number of iterations may be determined by an iteration count.

Abstract: A user accessing a protected resource is authenticated using multiple channels, including a mobile device of the user. A user attempting to access a protected resource is authenticated by receiving a request from a mobile device of the user to access the protected resource; receiving a public key from the mobile device of the user; providing a provision token to the mobile device, wherein the provision token is used by the user to access the protected resource using a second device; and confirming the provision token to a provider of the protected resource to authorize the user to access the protected resource. The user then communicates with the provider using a second device to authorize the provisioning token. A transaction signing protocol is also provided.

Abstract: The invention relates to a method for decoding a watermark embedded in a video comprising blocks of samples representative of the video comprising the steps of determining in the video a location of a watermarked block; determining a location for each reference block among a plurality of reference blocks wherein a reference block is associated to a watermark value among a plurality of watermark values; comparing the watermarked block with each reference block; and identifying watermark value for the watermarked block from the results of the plurality of comparison. The method is remarkable in that each reference block is equally located in the video, for instance the pirated video, so that the plurality of comparisons between the watermarked block and each reference block is performed among the same video.

Abstract: An apparatus for validating integrity of metadata in a standard file includes: a metadata acquiring unit for acquiring metadata from a protected file; an integrity evidence value acquiring unit for acquiring an integrity evidence value from a file or a database; a secret information extracting unit for extracting secret information of a file data; and a metadata integrity validating unit for checking if the metadata is correct by using the acquired metadata, the acquired integrity evidence value, and the extracted secret information.

Abstract: Digital signature generation apparatus, comprising an envelope generator operable to generate an envelope representation, of only one polarity, of a sampled data segment, and operable for each of successive portions comprising a predetermined plurality of samples to provide a portion sum value as the sum the values of the samples in the portion, thereby to provide said envelope representation; a threshold value generator operable to determine a threshold value for each portion of the envelope representation; an event detector operable to detect, as an event, a transition of a portion sum value across the threshold value for the portion concerned; and a signature generator operable in response a detected event to generate a digital signature characteristic of the sampled data segment.

Abstract: A system and method of providing authenticity to a radio frequency identification (RFID) tag are provided. The method comprises generating a plurality of digital signatures, wherein each digital signature is generated using an index value unique to that digital signature and using information associated with the RFID tag; and storing the plurality of digital signatures on the RFID tag in association with respective index values to enable a desired digital signature to be selected according to a provided index value. Also provided are a system and method of enabling an RFID reader to authenticate an RFID tag, which utilize a challenge comprising an index value to request one of the stored signature and authenticating same. Also provided is an RFID tag that is configured to participate in the challenge-response protocol.

Abstract: A method and apparatus for determining a digital signature from an article. A coherent light source directs a beam to illuminate the article and a detector arrangement collects data points from light scattered from many different parts of the article to collect a large number of independent data points, typically 500 or more. By collecting a large number of independent signal contributions specific to many different parts of the article, a digital signature can be computed that is unique to the area of the article that has been scanned. This measurement can be repeated whenever required to test authenticity of the article. Using this method, it has been discovered that it is essentially pointless to go to the effort and expense of making specially prepared tokens, since unique characteristics are measurable a in a straightforward manner from a wide variety of every day articles.

Abstract: A secure protocol for transactions, such as electronic commerce transactions, is described that provides improved security through exploiting an independent (where this independence is logical and/or physical) communication path (e.g., between a customer and a back-end financial institution), ensuring that key financial information remains within the back-end financial institutions themselves. Hence, this protocol directly reduces cyber-crime risks through improvements to transaction security. In addition, various implementations of the secure protocol provide non-repudiation for one or more of the entities involved in the transaction.

Abstract: Methods and systems are provided for bypassing an authenticity check for a secure control module. In one embodiment, a method includes: receiving authenticity data from a secure source, wherein the authenticity data includes a signature and an identifier that is unique to the control module; programming the control module with the authenticity data; and bypassing the authenticity check of a control program of the control module based on the authenticity data.

Abstract: This disclosure relates generally to methods and systems for determining when a file has changed. According to one aspect of the present disclosure, a method of determining if contents of a file have changed can include determining if a digital signature created as a function of contents of the file has changed, and when the digital signature has changed, overlaying the contents of the file with a first mark that indicates the contents have changed and blocks a view of the contents of the file.

Abstract: Disclosed herein are techniques for secure communications through unsecure sockets. It is determined whether an executable file contains a signature from a trustworthy source. If the executable file contains the trustworthy signature, communication from a process is permitted.

Abstract: A system, including a processor to define opportunities for encoding a watermark into an audio stream having sections, each section, when represented in the frequency domain, including a signal of amplitude against frequency, the processor being operative to, for each one of the sections, identify a fundamental frequency, f being the frequency with the largest amplitude of the signal in the one section, the fundamental frequency f defining harmonic frequencies, each harmonic frequency being at a frequency f/2n or 2fn, n being a positive integer, and define the one section as an opportunity for encoding at least part of the watermark if the amplitude of the signal of the one section is less than a value v for all frequencies in one or more different frequency ranges, each of the different frequency ranges being centered around different ones of the harmonic frequencies. Related apparatus and methods are also described.

Abstract: A method and system for the classification of software in networked systems, includes: determining a software received by a sensor is attempting to execute on a computer system of the sensor; classifying the software as authorized or unauthorized to execute, and gathering information on the software by the sensor if the software is classified as unauthorized to execute. The sensor sends the information on the software to one or more actuators, which determine whether or not to act on one or more targets based on the information. If so, then the actuator sends a directive to the target(s). The target(s) updates its responses according to the directive. The classification of the software is definitive and is not based on heuristics or rules or policies and without any need to rely on any a priori information about the software.

Abstract: The present invention relates generally to processing audio or video content. One claim recites an apparatus comprising: electronic memory for storing media representing audio or video content; and an electronic logic processor. The electronic processor is programmed for: embedding a protect watermark in the media, the protect watermark providing an indication that the media is protected; embedding a rights watermark in the media, the rights watermark providing an indication of user rights associated with rendering the audio or video content, in which the protect watermark is more difficult to remove from the media relative to the rights watermark; and reproducing the audio or video content after said embedding a protect watermark in the media and embedding a rights watermark in the media. Other claims and combinations are provided as well.

Abstract: A method of authenticating a copy of a multi-page document, which includes digitizing a said multi-page document to generate one or more digitized files that together comprise a digitized transcript. A mark that is unique to the preparer of the document, such as a signature, is prepared and digitized. The preparer of the document is allowed to deposit the digitized transcript on an online repository. The operator of the online repository immediately establishes a verification process for the deposited digitized transcript. This verification process includes associating the digitized preparer mark with the deposited digitized transcript, and freezing the transcript, by encrypting it and deriving a checksum. The verification process also include associating a repository mark with the transcript. The operator of the online repository defines, under the direction of at least the preparer of the document, security rights to limit or otherwise control access to the deposited digitized transcript.

Abstract: A method for establishing a secure connection between a first computer and a second computer, comprising the steps of (A) generating a signature authentication pair on the first computer, (B) receiving a plurality of authentication pairs that may or may not include the signature authentication pair, (C) detecting whether the signature authentication pair is received in the authentication pairs and (D) if the signature authentication pair is detected, creating a secure connection between the first computer and the second computer.

Abstract: Systems and methods are disclosed for enabling a recipient of a cryptographically-signed electronic communication to verify the authenticity of the communication on-the-fly using a signed chain of check values, the chain being constructed from the original content of the communication, and each check value in the chain being at least partially dependent on the signed root of the chain and a portion of the communication. Fault tolerance can be provided by including error-check values in the communication that enable a decoding device to maintain the chain's security in the face of communication errors. In one embodiment, systems and methods are provided for enabling secure quasi-random access to a content file by constructing a hierarchy of hash values from the file, the hierarchy deriving its security in a manner similar to that used by the above-described chain.

Abstract: This disclosure relates to message encoding. Once claim recites an apparatus comprising: electronic memory for buffering identifying data associated with an entity or client; and a multi-purpose electronic processor programmed for: modifying the identifying data with a random or pseudo-random signal; error correction encoding the modified identifying data; and transforming a plural-bit message with the error correction encoded, modified identifying data to produce a key for use with message encoding. Of course, other claims and combinations are provided as well.

Abstract: A group signature system includes: a key issuer server for generating a first parameter of a group public key, generating a corresponding master issuing key, and issuing a signature key to a user when a user device joins; an opener server for generating a second parameter of the group public key, and a corresponding master opening key and master linking key; and a linker server for checking whether two valid signatures have been linked by using the master linking key when the two signatures corresponding to a group public key are given. The group signature system further includes: a signature verifying unit for confirming a validity of the given signatures and a signer information confirming unit for confirming a validity of singer confirming information generated by the opener server.

Abstract: In accordance with aspects of the disclosure, a system and methods are provided for managing multi-system security integration by performing state change calls to one or more backend systems by combining a multi-system protection token with a message component for transporting from a user agent to the one or more backend systems for validation by generating an authentication code for proving authenticity of a combined data structure generated by combining a secret cryptographic data key with a portion of the message component and generating a hash code of the combined data structure, generating an arbitrary random number to bind the multi-system protection token to the user agent, and generating the multi-system protection token by combining the authentication code and the arbitrary random number with the message component for transporting from the user agent to the one or more backend systems for validation.

Abstract: An entity authentication method by introducing an online third party includes the following steps: 1) an entity B sends a message 1 to an entity A; 2) the entity A sends a message 2 to a trusted third party TP after receiving the message 1; 3) the trusted third party TP checks the validity of the entity A after receiving the message 2; 4) the trusted third party TP returns a message 3 to the entity A after checking the validity of the entity A; 5) the entity A sends a message 4 to the entity B after receiving the message 3; 6) and the entity B performs validation after receiving the message 4. The online retrieval and authentication mechanism of the public key simplifies the operating condition of a protocol, and realizes validity identification of the network for the user through the authentication of the entity B to the entity A.

Abstract: A method for fingerprinting a video involving identifying motion within the video and using a measure of the identified motion as a fingerprint. Once videos are fingerprinted, these fingerprints can be used in a method for identifying video. This involves creating a motion fingerprint for unidentified videos; comparing the fingerprints of the known and unknown videos, and identifying whether the unknown video is a copy of the known video based on the step of comparing.

Abstract: Described herein is a technique in which the proof that an object (e.g., a document) was processed within a certain task by an entity in a workflow is chain-linked to another proof of the next task. The chain of proofs embedded within the document serves to irrefutably prove that a certain set of tasks were completed before the next task was executed on the object. It is thus difficult, if not impossible, for a user to alter the actions on previous tasks without destroying the chain of proofs.

Abstract: Input challenge based authentication techniques are described in which data regarding a user's input signature is employed for authentication of the user to access resources. Different users have distinct input signatures that are indicative of the manner in which each individual user provides input including at least typing characteristics and timing data. Data regarding input signatures may be captured from user interaction with computing devices and associated with user accounts. Once sufficient data regarding a user's input signature is captured, access to a user account may be controlled at least in part based on the input signature. To do so, an input challenge that indicates a non-secret pattern of input is presented to the user in connection with an authentication sequence. The user reproduces the non-secret pattern of input and selective access to the user account is granted depending upon whether or not the reproduction matches the input signature.

Abstract: A unique identifier is assigned to each user, and a standard for evaluating the reliability of information dispatched on the Internet using the identifier to reveal the source of the information is achieved by: using the identifier as a search term, and acquiring a corresponding public key from information publicly available on the Internet; using the public key to verify a signature added to text information that includes the identifier; and confirming whether the source of the text information links back to the public key and the identifier. Thereby, an equivalence relation on the text information is established on the basis of the public key and identifier.

Abstract: A cryptography module includes a key store having a plurality of storage locations for storing a private key as k key fragments. One or more crypto-processing segments each operate based on corresponding ones of the k key fragments to process a message in accordance with elliptic curve digital signature algorithm (ECDSA) to produce a signed message.

Abstract: A secure access system includes at least one lock, at least one electronic key with stored information assigned to a user and a system administration for administering user access privileges. A method for remotely updating the user's expired access privileges includes establishing communication between the user and the system administration from a location remote from the system administration, receiving a remote privilege code from the system administration, communicating the remote privilege code to the lock, and, if authorized, the lock validating the privilege code to renew the user's access privileges. The validated privilege code can also be made effective to access other different locks within the system.

Abstract: A method, programmed medium and system are provided for enabling a user to choose a user-preferred encryption type from among a plurality of encryption types listed in a user's Kerberos configuration file. During the ticket granting process in a Kerberos system, a user is requested to select a preferred encryption type to be used in the Kerberos communication from among encryption types contained in the user's Kerberos configuration file. The user-selected encryption type is then implemented for use in encrypting a session ticket (as well as generating the session key of user requested encryption type) for use by the user machine in communicating securely with an Kerberized application server when being communicated by that particular user. Thus, the system allows different users to simultaneously communicate with the same Kerberized application server using a supported encryption type of the user's own choice.

Abstract: A method for securing communications in a vehicle-to-vehicle (V2V) system including an on-board computer of a broadcasting vehicle predicting a value for a vehicle parameter, generating a heavyweight signature corresponding to the predicted value, and obtaining an actual value for the vehicle parameter. The method also includes the computer comparing the predicted value to the actual value to determine if the predicted value bears a first relationship to the actual value. If the computer determines that the predicted value bears the relationship to the actual value, the on-board computer generates a lightweight authenticating signature to correspond to the predicted value and broadcasts a data message having the predicted value with the corresponding heavyweight authenticating signature and the corresponding lightweight authenticating signature.

Abstract: The present invention is related to a wireless transmit/receive unit (WTRU) for providing advanced security functions. The WTRU includes trusted platform module (TPM) for performing trusted computing operations; and a secure time component (STC) for providing a secure measurement of a current time. The STC and the TPM are integrated to provide accurate trusted time information to internal and external to the WTRU. The STC may be located on an expanded a subscriber identity module (SIM), on the WTRU platform, or two STCs may be used, one in each location. Similarly, the TPM may be located on an expanded SIM, on the WTRU platform, or two TPMs may be used, one in each location. Preferably, the STC will include a real time clock (RTC); a tamper detection and power failure unit; and a time report and sync controller.

Abstract: Techniques for sharing data between users in a manner that maintains anonymity of the users. Tokens are generated and provided to users for sharing data. A token comprises information encoding an identifier and an encryption key. A user may use a token to upload data that is to be shared. The data to be shared is encrypted using the encryption key associated with the token and the encrypted data is stored such that it can be accessed using the identifier associated with the token. A user may then use a token to access the shared data. The identifier associated with the token being used to access the shared data is used to access the data and the encryption key associated with the token is used to decrypt the data. Data is shared anonymously without revealing the identity of the users using the tokens.

Abstract: A method of encrypting a motion picture file and a method of digital rights management using the same, wherein encryption method includes: extracting information on the location of at least one video sample, which is a real-time streaming unit, from meta-data of the motion picture file; extracting the video samples based on the location information; encrypting the extracted video samples, excluding a start code within a video sample header of each extracted video sample, based on predetermined encryption information; and producing an encrypted motion picture file by recombining the encrypted video samples. Since the file is encrypted in units of video object planes (VOPs) while maintaining an MEPG-4 file format, the encryption method can be easily applied to a completed file format and streaming service is also possible.

Abstract: A system and method of guaranteeing the presence of secure and tamper-proof remote files over a distributed communication medium, such as the Internet, is provided. The system and method automatically detects, and then self-repairs corrupt, modified or non-existent remote files. The method first performs an integrity check on a remote file and then determines whether the integrity check passed. If the integrity check passed, then the user goes through the authentication process as normal. If the integrity check fails, then the present invention redirects to an install module in order to prepare to reinstall the remote file. Via the install module, the present invention then reinstalls the remote file and the user is then taken through the authentication process as normal.

Abstract: An apparatus and method for generating a key for a broadcast encryption. The apparatus includes a node secret generator for managing a user that receives broadcast data in a tree structure and for generating a unique node secret for each node in the tree structure. The apparatus also includes an instant key generator for temporarily generating an instant key used at all nodes in common in the tree structure, and a node key generator for generating a node key for each node by operating the node secret generated at the node secret generator and the instant key generated at the instant key generator. Thus, key update can be efficiently achieved.

Abstract: The invention relates to a detection system for determining whether a light contribution of a light source is present at a selected position within a 2D scene. The light contribution includes an embedded code comprising a repeating sequence of N symbols. The detection system includes a camera and a processing unit. The camera is configured to acquire a series of images of the scene via specific open/closure patterns of the shutter. Each image includes a plurality of pixels, each pixel representing an intensity of the light output of the light source at a different physical position within the scene. The processing unit is configured to process the acquired series of images to determine whether the light contribution of the first light source is present at the selected physical position within the scene by e.g. correlating a sequence of pixels of the acquired series corresponding to the selected physical position with the first sequence of N symbols.

Abstract: A method, system and non-transitory computer-readable medium product are provided for functionality watermarking and management. In the context of a method, a method is provided that includes identifying a request to perform at least one function of a user device and identifying at least one watermark template. The method further includes applying the at least one watermark template to at least one function of the user device and authorizing the request to perform the at least one function of the user device.

Abstract: An information processing apparatus including a message generating unit that generates N sets of messages based on a multi-order multivariate polynomial set F=(f1, . . . fm) defined on a ring K and a vector s that is an element of a set Kn, a first information selecting unit that inputs a document M and the N sets of messages to a one-way function that selects one piece of first information from among k (where k?3) pieces of first information in response to a set of input information, and selects N pieces of first information, a second information generating unit that generate N pieces of second information, and a signature providing unit that provides a verifier with the N pieces of first information and the N pieces of second information as a digital signature.

Abstract: Technologies are generally described for security algorithm methods in issuing, managing, and using digital certificates in online transactions. Certificate holders can be identified based on the device ID from the equipment they are using to access online services. The equipment can be previously linked to an identity known by the equipment service provider. A consumer can then authorize the using of the digital certificate associated with their device in online transactions. Third parties can then trust the identity behind the digital certificates and accept their use in identifying a private party and performing a transaction with that party.

Abstract: Embodiments include methods for securely provisioning copies of an electronic circuit. A first entity (e.g., a chip manufacturer) embeds one or more secret values into copies of the electronic circuit. A second entity (e.g., an OEM): 1) embeds a trust anchor in a first copy of the electronic circuit; 2) causes the electronic circuit to generate a message signing key pair using the trust anchor and the embedded secret value(s); 3) signs provisioning code using a code signing private key; and 4) sends a corresponding code signing public key, the trust anchor, and the signed provisioning code to a third entity (e.g., a product manufacturer). The third entity embeds the trust anchor in a second copy of the electronic circuit and causes the electronic circuit to: 1) generate the message signing private key; 2) verify the signature of the signed provisioning code using the code signing public key; and 3) launch the provisioning code on the electronic circuit.

Abstract: A data storage architecture for networked access by clients includes a file server capable of communication with the clients via the network, physical storage organized as a plurality of logical volumes, and an encryption device in communication with both the file server and the physical storage. The encryption device is operable in response to signaling from the file server, including an indication of a range of blocks of data, to cause encryption of the range of blocks with an encryption key that is unique within the physical storage. The encryption device includes nested tables mapping block ranges to encryption keys. Consequently, undesirable key sharing across files, file systems, and other units can be avoided down to the block level.

Abstract: A method and apparatus for determining a digital signature from an article. A coherent light source directs a beam to illuminate the article and a detector arrangement collects data points from light scattered from many different parts of the article to collect a large number of independent data points, typically 500 or more. By collecting a large number of independent signal contributions specific to many different parts of the article, a digital signature can be computed that is unique to the area of the article that has been scanned. This measurement can be repeated whenever required to test authenticity of the article. Using this method, it has been discovered that it is essentially pointless to go to the effort and expense of making specially prepared tokens, since unique characteristics are measurable a in a straightforward manner from a wide variety of every day articles.

Abstract: A method of checking whether a content aggregator's content matches a content owner's content involves generating a fingerprint of the content and looking for a matching fingerprint from the content owner through a service provided by the content owner. In one aspect, the fingerprints are generated from an intermediate digest of the content instead of the original form.

Abstract: An integrated circuit includes a first memory, a second memory, a processor, and a descrambler. The first memory is configured to store a key. The first memory is a one-time-programmable memory. The processor is configured to: determine whether the first memory has been programmed; and in response to the first memory not having been programmed, (i) load firmware from a third memory into the second memory, and (ii) execute the firmware. The third memory is separate from the integrated circuit. The processor is also configured to, in response to the first memory having been programmed, load the firmware from the third memory into the second memory. The descrambler is configured to, in response to the first memory having been programmed, descramble the firmware based on the key.

Abstract: A user is able to appropriately select character data such as a watermark, and importance of the document is able to be effectively recognized by an addressee using a language which is different from that of a user who sends the document. A setting accepting portion accepts setting of a first language describing a first character indicated by the first character data, and setting of a second character which is a translation of the first character to a second language; a data generating portion generates a composite image data in which the image data is combined with the first character data indicating a first character which is a translation of the second character to the first language; and an apparatus control portion controls the image forming apparatus to cause the image forming apparatus to execute image forming processing of the composite image data.