Abstract: Methods and apparatuses for performing secure incremental backup and restore operations are disclosed.

Abstract: A piece of software code, as well as a series of semi-random character strings are embedded into a copy of a software application. The application executes the embedded code on activation and may also invoke the embedded code periodically thereafter. The embedded code generates a knowledge string from a seed string and then generates an activation code from the seed string and the knowledge string. The activation code is checked against an externally-supplied code to ensure that the codes match, indicating a non-pirated copy of the software application.

Abstract: A system and method for issuing electronic vouchers representing value. An issuing server generates an eVoucher that a recipient may use to purchase goods and services from a merchant's e-commerce Web site. The eVoucher includes an image, such as a corporate logo, that identifies the issuing merchant. Nonimage data, such as a unique identifier for the eVoucher and encrypted arbitrary text, is embedded in the eVoucher image and is used to track the use of the eVoucher and to verify its authenticity.

Abstract: The present invention provides methods and systems to protect an organization's secure image information from unauthorized disclosure. In one embodiment, methods and systems to generate image fingerprints are provided. The fingerprints are generated for each feature point of an image data. Because the fingerprints take into account the neighborhood features around each feature point, the image fingerprints are robust against derivative images where the original image may have been altered. Methods and systems to maintain a fingerprint database for an organization's secure image data is also provided. In one embodiment, client fingerprints are generated for image data that a user intends to transmit outside of the organization. In some embodiments, suitable security actions are initiated if any of the client fingerprints match any of the fingerprints in the fingerprint database.

Abstract: A computer system is used to create an application. An application is created using an authoring environment. The application is converted into a master application template by creating an application representation and creating associated metadata that define at least one allowable modification that may be made to the application representation. An application is created from the master application template, and the application and master application template are submitted to a certification body for certification. The certification process affirms that the application, with any modification to the application specified by the master application template metadata, meets all requirements for certification. The certified master application template is used to create a certified application.

Abstract: Embodiments of electronic circuits enable security of sensitive data in a design and manufacturing process that includes multiple parties. An embodiment of an electronic circuit can include a private key embedded within the electronic circuit that is derived from a plurality of components including at least one component known only to the electronic circuit and at least one immutable value cryptographically bound into messages and residing on the electronic circuit, public key generation logic that generates a public key to match the private key, and message signing logic that signs messages with the private key.

Abstract: A system and method for sending encrypted messages to a distribution list. In one embodiment, the method comprises: identifying a distribution list address in a message; determining one or more member addresses associated with the distribution list address; for each member address, determining if a public key for a member identified by the member address is available on the computing device; and if so, encrypting the message to the member; sending the encrypted message to the distribution list address only if each of the one or more member addresses associated with the distribution list identifies a member for which a public key is available on the computing device.

Abstract: Privacy-preserving metering with low overhead is described. In an embodiment consumption of a resource such as electricity, car insurance, cloud computing resources is monitored by a meter and bills are created in a manner which preserves privacy of a customer but at the same reduces bandwidth use between a meter and a provider of the resource. For example, fine grained meter readings which describe customer behavior are kept confidential without needing to send large cryptographic commitments to meter readings from a meter to a provider. In an example, meter readings are encrypted and sent from a meter to a provider who is unable to decrypt the readings. In examples a cryptographic signature is generated to commitments to the meter readings and only the signature is sent to a provider thus reducing bandwidth. For example, a customer device is able to regenerate the commitments using the signature.

Abstract: A data processing device for playing back a digital work reduces the processing load involved in verification by using only a predetermined number of encrypted units selected randomly from multiple encrypted units constituting encrypted contents recorded on a DVD. In addition, the data processing device improves the accuracy of detecting unauthorized contents by randomly selecting a predetermined number of encrypted units every time the verification is performed.

Abstract: Described herein is a technique of protecting users against certain types of Internet attacks. The technique involves obtaining certificates from visited web sites and qualifying communications with those web sites based on the content of the certificates.

Abstract: A system and a method for real-time encryption of input data are described. A character numerical value associated with the input data is encrypted. The encoded character numerical value is then associated with a glyph corresponding to the input data. The encoded character numerical value and the glyph are then stored in a database. The encoded character numerical value is further encrypted using an encryption key to obtain an encrypted encoded character numerical value.

Abstract: The system relates to a method for collecting signatures from pre-validated signers. In one aspect of the method, a pre-validated signer's signature is affixed to an electronic document in an appropriate location after the pre-validated signer authorizes the use of his or her signature.

Abstract: Method, apparatus, and media for embedding a watermark in digital content. An exemplary method comprises receiving digital content in an encrypted form, receiving a decryption key associated with the digital content, receiving permitted use information specifying conditions under which the digital content is permitted to be rendered and indicating that a watermark is to be embedded in a rendered copy of the digital content, determining whether the conditions are satisfied, and rendering the digital content if the conditions are satisfied based on the determining, the rendering including generating a watermark based on the permitted use information and creating a rendered copy of the digital content having the watermark embedded therein.

Abstract: Content is encoded with a watermark that associates it with a particular consumer. When presented for playback, the rendering equipment examines the watermark to confirm that the consumer with whom the content is associated, is also the consumer with whom the equipment is associated. If there is no watermark—or if the watermark is associated with a different consumer, then playback is refused. The equipment also desirably checks whether the content has a second watermark (or even a very feeble remnant thereof), indicating that the content has been derived from content earlier provided to a different consumer. If so, playback is again refused. Thus, this embodiment will refuse to play if there is no watermark; if there is one watermark not associated with the proprietor of the equipment; or if there are two or more watermarks.

Abstract: Systems and methods for searching secure electronic messages. An input search is received for use in searching content of electronic messages. The search includes searching content of secure electronic messages. The results of the search are provided.

Abstract: In a network device, a method for verified communication includes generating a network communication message using a selection of predetermined message elements having digital signatures generated with a private key. The network device generates a signature for the message by applying a homomorphic operation to the digital signatures of the selected predetermined message elements and to a one-time signature corresponding to a random number. The network device transmits the message in association with the signature for the message and the random number to at least one other network device.

Abstract: A module building system, hosted by a server, receives a user script to be run to monitor software on a client using an introspection tool. The server adds safety constraints to the user script and generates a client kernel module using the user script which includes the safety constraints. The server signs the client kernel module and sends the signed client kernel module to the client. The signed client kernel module allows a user to use the introspection tool to load and execute the client module on the client for monitoring the software on the client.

Abstract: Authentication of an unknown party in a secure computer communication may be performed even without consulting a public whitelist of trusted parties. A digital certificate from an unknown party not authenticated by a trusted certificate authority may be locally processed to determine if the digital certificate is a trusted, non-trusted, or unknown digital certificate. For example, a model may be created by training a support vector machine to classify a digital certificate. The model may be provided to a computer involved in secure computer communication. The computer may receive an incoming digital certificate, extract fields from the incoming digital certificate, and take a hash of the extracted fields perform input data that may be employed by the model to determine if the incoming digital certificate is a trusted, non-trusted, or unknown digital certificate.

Abstract: Systems and methods for requesting transmission of a document from a sender device to a signer device, for purposes of obtaining an e-signature from the signer device, are disclosed. In some example embodiments, the systems and methods establish and/or determine a physical proximity between a signer device and a sender device, such as via a handshake between the devices, and a document to be signed is provided to the signer device in response to the established physical proximity.

Abstract: Scalable session management is achieved by generating a cookie that includes an encrypted session key and encrypted cookie data. The cookie data is encrypted using the session key. The session key is then signed and encrypted using one or more public/private key pairs. The encrypted session key can be decrypted and verified using the same private/public key pair(s). Once verified, the decrypted session key can then be used to decrypt and verify the encrypted cookie data. A first server having the private/public key pair(s) may generate the cookie using a randomly generated session key. A second server having the same private/public key pair(s) may decrypt and verify the cookie even if the session key is not initially installed on the second server. A session key cache may be used to provide session key lookup to save public/private key operations on the servers.

Abstract: Disclosed are systems, methods and computer program products for protecting cloud security services from unauthorized access and malware attacks. In one example, a cloud server receives one or more queries from security software of the user device. The server analyzes a system state and configuration of the user device to determine the level of trust associated with the user device. The server also analyzes the one or more queries received from the security software to determine whether to update the level of trust associated with the user device. The server determines, based on the level of trust, how to process the one or more queries. Finally, the server provides responses to the one or more queries from the security software based on the determination of how to process the one or more queries.

Abstract: A method described herein includes acts of executing a cryptographic function over input data utilizing a processor on a computing device and generating a data packet that indicates how the cryptographic function interacts with hardware of the computing device, wherein the hardware of the computing device comprises the processor. The method also includes acts of analyzing the data packet, and generating an indication of security of the cryptographic function with respect to at least one side channel attack based at least in part upon the analyzing of the data packet.

Abstract: A system and method for efficiently creating deduplicated and encrypted data across a plurality of computers allows local encryption and remote storage of deduplicated segments. Large data blocks may be divided into segments of data, and encrypted using a two-step process. A standard hash of the encrypted segment is used as an index into a remote deduplicated database so that only unique data segments are stored, and are stored only in encrypted form. When retrieving data, a data owner uses the stored digest to retrieve the data from the deduplicated database and the stored IV and second key to decrypt the data. Only the data owner has the second key and IV, so the encrypted data segment stored data in the deduplicated database is highly secure from information bleed during the storage process.

Abstract: A device is configured to perform a method that detects a trigger marker for an action corresponding to a segment of a multimedia signal. A fingerprint is generated based on the segment of the multimedia signal at a trigger time point. The generated fingerprint is stored in a database and communicated to the device. During playback of the multimedia signal, fingerprints of segments of the multimedia signal are generated and matched against fingerprints in the database. When a match is found, one or more associated actions for the segment are retrieved by the device. The trigger time point may be determined as a time point near or at the segment of the multimedia signal with the matched fingerprint. In this way, trigger markers for actions may be enabled without modifying the multimedia signal.

Abstract: The present invention relates to a mobile terminal and a method for preventing illegitimate change of an identification number of the mobile terminal.

Abstract: A method for creating a group signature of a message to be implemented by a member of a group in a system, the system including a trust authority, the group including at least the member provided with a secure portable electronic entity including storage elements and computing elements wherein are implanted a cryptographic algorithm. The method includes the following steps: generating via the computing elements a signature of the message using a private key common to the members of the group and integrating a data identifying the group member and a temporal data representing a temporal information of the member's membership to the group and of the date of the signature of the message, the private key common to the members of the group, the identifying data and the temporal data being stored in the storage elements.

Abstract: A user authentication system includes a profile generation unit at the side of a user terminal, and a profile storage unit and a confirmation/replication verification unit at the side of an authentication verification device. When authentication processing is executed in the user terminal, the profile generation unit aggregates input biometric information, registered biometric information, and information which duplicates collation processing contents, and sets a profile being an aggregation of data. The profile storage unit stores the profile at the outside of the user terminal with identification information of authentication processing. The confirmation/replication verification unit confirms the stored contents, and replicates collation processing. Accordingly, when verification is necessary, the validity of authentication processing in the user terminal is verified, and a service provider device is notified of this.

Abstract: Embodiments of the present invention enable a message recipient or messaging system to indicate the trustworthiness of a message, especially messages that comprise content that has been digitally signed. In addition, embodiments may alter or control the message to change user behavior by preventing the user from doing things that the message would induce the user into doing. In some embodiments, various characteristics and indicia of the message are determined. For example, for e-mail messages having digitally signed content, certain embodiments may determine the entity or entities asserting a basis for trust, the status or role of the sender, the name of the sender, the affiliation of the sender, the messaging address the location, and the most recent status of the trust relationship. Based on the determined indicia, a plain language notification is composed and the message is displayed with the notification.

Abstract: The present invention is a system and method of software control flow watermarking including the steps of obtaining a program for protection, generating at least one watermark value using a formula or process from an external file, and placing the at least one watermark value in CASE values of the program. The system and method may further include determining the at least one watermark value by a formula with at least one variable. The formula may also contain a variable from outside of the program. The system may also stop the program if the variable from outside of the program is incorrect.

Abstract: Methods and systems for watermarking of digital images are presented. In one aspect, a method of embedding information in a digital image includes transforming the digital image to a set of coefficient blocks having coefficients in a frequency domain, embedding a watermark-indicator in one or more of the coefficient blocks, and embedding a watermark in one or more watermark blocks that have a predetermined number of coefficient blocks. The embedded watermark is substantially invisible in the output watermarked digital image. Another aspect is a method of extracting a watermark from a digital image that includes transforming a digital image to a coefficient matrix, determining if the digital image is watermarked based on a predetermined watermark-indicator, and retrieving a watermark from a projected watermark block of a projected watermark block distribution.

Abstract: This invention uses a cloud-based architecture to sign objects by dynamically creating a cloud-based virtual machine with the ability to sign objects, perform network and object isolation, and encrypt and store keys generated by an object signing agent. Multi-user authentication is supported along with mobile access.

Abstract: A secure boot processing may be accomplished on the basis of a non-volatile memory that is an integral part of the CPU and which may not be modified once a pre-boot information may be programmed into the non-volatile memory. During a reset event or a power-on event, execution may be started from the internal non-volatile memory, which may also include public decryption keys for verifying a signature of a portion of a boot routine. The verification of the respective portion of the boot routine may be accomplished by using internal random access memories, thereby avoiding external access during verification of the boot routine. Hence, a high degree of tamper resistance may be obtained, for instance, with respect to BIOS modification by exchanging BIOS chips.

Abstract: The invention provides a method of recovering from de-synchronization attacks includes registering original and altered digital content using nonlinear transformations to iteratively attempt to provide better-approximated registration. Approximation occurs at more than one level of granularity, by selecting among a greater number of possible transformation functions at each step. Transformations and comparisons might be conducted directly on pixel values, on coefficients for a set of basis wavelets, or on some transformation of the original and altered digital content. A human operator might assist this process, such as by suggesting transformations or providing evaluation of the degree of registration. Upon resynchronization, embedded identifying information in the original digital content is recovered.

Abstract: Verifying the integrity of a received binary object by calculating a first displayable authenticator derived from an input binary object. The first authenticator is then attached to the input binary object, producing a first composite binary object, which is sent to a remote receiver. A second composite binary object is received back from the remote receiver, wherein the second composite binary object includes a received binary object, a received first displayable authenticator, and a second displayable authenticator. A third displayable authenticator is calculated, derived from the second composite binary object, then a display of the first displayable authenticator is compared to a display of the third displayable authenticator, and verification of the integrity of the received binary object is indicated by an exact match between displays of the first and third displayable authenticators.

Abstract: When performing secure processing using confidential information that needs to be confidential, the secure processing device according to the present invention prevents the confidential information from being exposed by an unauthorized analysis such as a memory dump.

Abstract: An authentication framework is provided which enables dynamic user authentication that combines multiple authentication objects using a shared context and that permits customizable interaction design to suit varying user preferences and transaction/application requirements. For example, an automated technique for user authentication comprises the following steps/operations. First, user input is obtained. At least a portion of the user input is associated with two or more verification objects. Then, the user is verified based on the two or more verification objects in accordance with at least one verification policy operating on a context shared across the two or more verification objects. The user authentication technique of the invention may preferably be implemented in a flexible, distributed architecture comprising at least one client device coupled to at least one verification server.

Abstract: Data is transmitted between a first user and a second user via an information technology communications network, in a method comprising the steps of: generating a first hash value for a selected one of the data items; digitally signing and encrypting the first hash value with a secret identifier associated with the first user; transmitting to a second user the encrypted first hash value; receiving and storing the transmitted encrypted first hash value for audit purposes and generating a second hash value for the received encrypted first hash value; encrypting the second hash value with a private identifier associated with a second user and a public identifier associated with the first user; and returning the encrypted second hash value to the first user.

Abstract: An electronic image data verification program disclosed herein is capable of detecting presence or absence of a change, specifying a changed portion (the position of a change) if present, and making the presence or absence and the changed portion provable to third parties, by generating partial signature information separately from electronic image information to be registered, by dividing and maintaining the partial signature information, and by clearly separating functions/roles of the electronic image information (original information) and the partial signature information (verification information).

Abstract: A system is provided that uses identity-based encryption (IBE) to allow a sender to securely convey information in a message to a recipient. A service name such as a universal resource locator based at least partly on the name of an organization may be associated with a local key server at the organization and a public key server external to the organization. Users at the organization may use the service name to access the local key server to obtain IBE public parameter information for performing message encryption and to obtain IBE private keys for message decryption. External to the organization, users may obtain IBE public parameter information and IBE private keys from the public key server using the same service name. The local key generator and the public key generator may maintain identical copies of the same IBE master secret.

Abstract: A method and apparatus for authenticating a key management message within a secure communication system is provided herein. During operation, a digital signature for message authentication of a Project 25 Key Management Message (KMM) is utilized. In particular, the digital signature will be used to authenticate the KMM in scenarios where there is no Message Authentication Code (MAC). The MAC will be utilized to authenticate the KMM when available. Because authentication of KMMs take place, even when no MAC is available, it becomes increasingly more difficult to tamper or spoof the delivery of encryption keys.

Abstract: An owner of media data encrypts the media data using a session key. The session key is encrypted using a public key of a designated recipient of the media data. A key manager provides the encrypted session key to the recipient while the owner is sharing the media data with the recipient. The encrypted media data is published and accessed by the recipient over a public computer network. The encrypted session key and the encrypted media data are received in the recipient's computer, where the encrypted session key is decrypted into the session key using the recipient's private key and the encrypted media data is decrypted into the media data using the session key. When the owner is no longer sharing the media data with the recipient, the recipient is prevented from further receiving the encrypted session key from the key manager.

Abstract: A framework is provided for reducing the number of locations modified when hiding data, such as a digital watermark, in binary data. The framework complements data hiding techniques, such as digital watermarking techniques. After determining potential embedding locations according to an underlying technique, a data structure is created with values associated with those locations. A parity calculation is performed on the values in the data structure. The calculated parity is compared with hidden data to determine locations for modifications. Manipulations are then performed to reduce the total number of modifications needed to represent the hidden data. Modifications are made to the binary data according to the underlying technique. During decoding of the hidden data, the same locations can be determined, the same data structure can be created with the modified values, and a parity calculation is then performed to decode the hidden data.

Abstract: The invention relates to cryptographic method for the anonymous authentication and the identification of a user entity (Ui) respectively by a checking entity (D) and an identifying entity (O). According to this method, the checking entity (D) receives (130) from the user entity (U1) at least one first signature (?) and a first message (m), and checks (140) the first signature (?) using the first message (m) in order to authenticate the user (U), and the identifying entity (O) receives (150) from the checking entity (D) a second signature (??) connected to the first signature (?) and identifies (160) the user using the second signature and a secret key particular thereto. The invention also relates to a cryptographic system for implementing said method.

Abstract: A system and method for associating documents includes providing a plurality of scanned documents of different types and identifying a document type for each scanned document by comparing a determined pattern for each scanned document to known document patterns. Metadata values are extracted from each scanned document using metadata labels, and each scanned document is identified by using extracted metadata values. A stored electronic record is associated with each scanned document by employing the extracted metadata values such that a relationship between the stored electronic record and the associated scanned document is determined and stored.

Abstract: A method for verifying the authenticity and integrity of an ordered sequence of digital video frames, without having access to the original recording, by embedding therein a respective series of digital signatures based on a secret key, or keys, and on the video content of respective frames. Signatures are camouflaged by embedding in transform coefficients of a transformed representation of the video data in parts of the frame corresponding to motion. If there is sufficient motion to contain all of the signature bits, a supplementary technique embeds in high-texture areas of a frame. A final fall-back is to embed in a pre-defined default zone. A method of predicting when supplementary embedding is needed enables the process to be applied in a single pass allowing real-time operation. Verification is done during decoding by comparing, for identity, embedded signatures with signatures calculated anew using the method employed to embed.

Abstract: A method and apparatus for securing media asset distribution for a marketing process is described. In one embodiment, the method includes generating a dynamic security component for each media asset allocation to at least one receiver, wherein the dynamic security component verifies the at least one receiver upon login, coupling the dynamic security component to at least one file having a media asset and communicating a locator reference associated with the at least one file to the at least one receiver, wherein the locator reference is created using the dynamic security component.

Abstract: A system generates a randomized hash value and/or verifies data against a randomized hash value. A hashing circuit can respond to data by randomly selecting a hashing algorithm parameter among a defined set of different hashing algorithm parameters, and by applying a hashing algorithm that uses the selected hashing algorithm parameter to hash the received data to generate a randomized hash value. Another hashing circuit randomly selects a hashing algorithm among a defined set of different hashing algorithms, and applies the selected hashing algorithm to hash the received data to generate a randomized hash value. Another hashing circuit applies a hashing algorithm to hash received data to generate an intermediate hash value that occupies a defined memory space, and randomly selects a partial segment of the hash value from a segment of the defined memory space to generate a randomized hash value.

Abstract: Aspects of the invention are directed to a method and system for end-to-end proof of display. A method for according to an embodiment includes: generating a unique identifier (UID) for a triplet including an item of digital content, an identity of a playlist that includes the item of digital content, and an identity of a player on which the item of digital content is to be rendered; generating a visual identifier based on the UID and a timecode; rendering the item of digital content on a display screen; overlaying the visual identifier on the rendered item of digital content on the display screen; capturing the visual identifier on the display screen; and extracting the UID and timecode from the captured visual identifier. A match test is performed using the extracted UID to populate a match list, which is reported to a content manager to provide end-to-end proof of display.

Abstract: A vein authentication apparatus is disclosed. The apparatus may include an imaging unit having a plurality of imaging sections. Each imaging section may be configured to image light reflected from a vein plexus inside a finger and light transmitted through the vein plexus. The apparatus may also include an illumination source located on the same side as the imaging unit with respect to the vein plexus and configured to emit near-infrared light. The apparatus may further include a controller. The controller may be configured to perform authentication processing on the basis of an image imaged by the imaging unit and vein information previously stored. The controller may also be configured to control the illumination source such that the near-infrared light emitted from the illumination source is scattered behind a vein section corresponding to an imaging section being in an imaging period among the plurality of imaging sections.

Abstract: The present invention aims to address the issue of deploying costly hardware by proposing a content protection layer with an easy distribution capability to clients. The aim is achieved by an network device for descrambling an access controlled audio/video content stream, said network device being configured to be connected to a network router comprises a memory to store a unique address UA specific to the network device, an network input/output interface, a descrambler to descramble the audio/video content stream, and a watermark engine configured to watermark the descrambled audio/video content stream by applying the unique address. A further object of the invention is a method to access scrambled audio/video content stream in a local or roaming mode by a multimedia reception device connected via an IP network to a network router having an IP port connected to the network device.