Authentication By Digital Signature Representation Or Digital Watermark Patents (Class 713/176)
-
Patent number: 8539569
Abstract: In accordance with embodiments of the present disclosure, systems and methods for facilitating network transactions include user authentication over a network by providing strong mutual authentication of client web application to server side application server, providing session encryption key negotiation after authentication to continue encryption during communication, and providing a high-level encryption technique referred to as an effective zero knowledge proof of identity (eZKPI) algorithm. In various implementations, the eZKPI algorithm is adapted to couple something the user Knows (e.g., a password or personal identification number) with something the user Has (e.g., a secure identification card) to create a stronger identity authentication proof for access to a mobile device and applications running on the mobile device.
Type: Grant
Filed: March 31, 2010
Date of Patent: September 17, 2013
Assignee: eBay Inc.
Inventor: Rasta A Mansour
-
Patent number: 8538624
Abstract: A system and method for transmitting data via a transmission path between a tachograph arranged in a vehicle, and a data processing device which is remote from the vehicle. To improve data protection, the transmission takes place via a first path section of the transmission path, which path section is arranged between the tachograph and a communication controller arranged in the vehicle, and a second wireless path section of the transmission path, which path section is arranged between the communication controller and the data processing device. The tachograph in response to an encryption request signal sent from the data processing device to the tachograph encrypts data sent from the tachograph to the data processing device. The data is transmitted in encrypted form from the tachograph to the data processing device both via the first path section and via the second path section.
Type: Grant
Filed: October 1, 2007
Date of Patent: September 17, 2013
Assignee: Continental Automotive GmbH
Inventors: Andreas Lindinger, Gunnar Schmidt, Denis Smolin
-
Patent number: 8539216
Abstract: A system-on-a-chip including a first one-time-programmable memory, a second memory, a test interface, an input circuit, and a processor. The input circuit is configured to receive data transmitted from a third memory to the system-on-a-chip. The processor is configured to, while booting up the system-on-a-chip, determine whether a first one-time-programmable memory has been previously programmed. The processor is also configured to (i) in response to the first one-time-programmable memory not having been previously programmed, enable the test interface for debugging of the system-on-a-chip, (ii) based on the first one-time-programmable memory having been previously programmed, disable the test interface, and (iii) subsequent to one of the enabling of the test interface and the disabling of the test interface, load the data from the third memory into the second memory.
Type: Grant
Filed: October 8, 2012
Date of Patent: September 17, 2013
Assignee: Marvell International Ltd.
Inventors: Weishi Feng, Marcus Carlson, Pantas Sutardja, Bin Ni
-
Patent number: 8539004
Abstract: The exchange of documents for execution can be performed efficiently using an automated system that routes and stores documents based on routing information. Routing may be accomplished with reminders for individuals of deadline for responding. After execution is confirmed, an executed copy may be forwarded to all parties and desired non-parties. If execution or approval is desired from a plurality of individuals, documents received from each of the plurality of individuals can be merged into a single, fully executed document if the approval/signatures are obtained simultaneously. Search capability for identifying data regarding the document, text within the document, or both may also be provided.
Type: Grant
Filed: July 8, 2011
Date of Patent: September 17, 2013
Assignee: Adobe Systems Incorporated
Inventors: Dan A. Foygel, Jason M. Lemkin, Jeffrey M. Zwelling
-
Patent number: 8539238
Abstract: A wireless device includes a nonvolatile memory that handles the task of securely performing integrity checks that do not expose the authentication private key externally. The system security architecture installs and associates private keys with the nonvolatile memory to create a secure execution environment resistant to virus attack. The nonvolatile memory provides integrity checks of nonvolatile memory data and generates signatures for data provided by the memory.
Type: Grant
Filed: May 9, 2007
Date of Patent: September 17, 2013
Assignee: Intel Corporation
Inventor: John C. Rudelic
-
Patent number: 8538011
Abstract: The invention discloses a system for enhancing trust in transactions, most particularly in remote transactions between a plurality of transactional parties, for instance a seller and buyer(s) of goods and/or services over a public computer network such as the internet. Trust is disclosed to be a multivalent commodity, in that the trust that is to be enhanced relates to information about the subject matter of the transactions (e.g., the suitability of the goods and services sold), the bona fides of the supplier of the goods and services, the appropriateness of a pricing structure for a particular transaction or series of transactions, a quantum of additional transactional value that may be imparted to the transactional relationship, security of information exchange, etc.
Type: Grant
Filed: August 29, 2006
Date of Patent: September 17, 2013
Assignee: Blue Spike, Inc.
Inventor: Scott A. Moskowitz
-
Patent number: 8538887
Abstract: In a content delivery system, delivery of content and charging the fee of the content are performed and managed in a highly secure and effective fashion. If a content-purchasing request is transmitted from a user device to a shop server, a charging process is performed. A user device authentication server, which manages content delivery, converts an encrypted content key KpDAS(Kc) encrypted using a public key of the user device authentication server (DAS) into an encrypted content key KpDEV(Kc) encrypted using a public key KpDEV of the user device. If the charging process is successfully completed, the shop server transmits, to the user device, the encrypted content key KpDEV(Kc).
Type: Grant
Filed: October 31, 2001
Date of Patent: September 17, 2013
Assignee: Sony Computer Entertainment Inc.
Inventors: Kenji Yoshino, Yoshihito Ishibashi, Toru Akishita, Taizo Shirai, Makoto Oka, Masaharu Yoshimori
-
Publication number: 20130238903
Abstract: A method of providing a service from a service provider to users is described. The method comprises: a step of generating an electronic signature on a first information item provided by a user with a secret key of the service provider and providing the electronic signature to the user; a step of receiving a request for the service together with information identifying the first information item from a user and accepting this request if it is justifiable; a step of receiving, if the request is accepted, a second information item from the user; a step of determining whether or not there is a predetermined relationship between the first information item and the second information item; a step of performing, if there is the predetermined relationship, a necessary procedure for providing the service by the use of an information processing device; and a step of saving the second information item even after providing the service as evidence that the service has been provided.
Type: Application
Filed: July 9, 2010
Publication date: September 12, 2013
Inventor: Takeshi Mizunuma
-
Patent number: 8533854
Abstract: The present invention provides systems and methods for secure transaction management and electronic rights protection. Electronic appliances such as computers equipped in accordance with the present invention help to ensure that information is accessed and used only in authorized ways, and maintain the integrity, availability, and/or confidentiality of the information. Such electronic appliances provide a distributed virtual distribution environment (VDE) that may enforce a secure chain of handling and control, for example, to control and/or meter or otherwise monitor use of electronically stored or disseminated information. Such a virtual distribution environment may be used to protect rights of various participants in electronic commerce and other electronic or electronic-facilitated transactions. Distributed and other operating systems, environments and architectures, such as, for example, those using tamper-resistant hardware-based processors, may establish security at each node.
Type: Grant
Filed: February 16, 2011
Date of Patent: September 10, 2013
Assignee: Intertrust Technologies Corporation
Inventors: Karl L. Ginter, Victor H. Shear, Francis J. Spahn, David M. Van Wie
-
Patent number: 8533477
Abstract: A facsimile system and method provides authentication of transmitted image information, which authentication may be in the form of a signature page. An authentication device computes authentication information at a sending device, a receiving device, both, or at a remote location during transmission. The signature page may also be transmitted with the document. The sending and receiving devices may each generate signature pages or acknowledgement of receipt in response to receiving a signature page. The authentication information may be encrypted with a public/private key pair. The authentication information may be in the form of a checksum, and may be prepared based on separate regions of the document. A previously generated signature page is compared to a newly generated signature page to verify the document content or authenticity. Document authentication signatures may include machine-readable symbols to represent the authentication information.
Type: Grant
Filed: July 11, 2006
Date of Patent: September 10, 2013
Assignee: Dialogic Corporation
Inventors: James Filreis, Eric Burger
-
Patent number: 8533478
Abstract: In accordance with an embodiment of the invention, a method of writing and reading redundant data is provided. Data is written by storing a copy of the data along with a timestamp and a signature at each of a set of storage devices. The data is read by retrieving the copy of the data, the timestamp and the signature from each of a plurality of the set of data storage devices. One of the copies of the data is selected to be provided to a requestor of the data. Each of the storage devices of the set is requested to certify the selected copy of the data. Provided that a proof of certification of the selected copy of the data is valid, the storage devices of the set are instructed to store the selected copy of the data along with a new timestamp.
Type: Grant
Filed: October 24, 2008
Date of Patent: September 10, 2013
Assignee: Hewlett-Packard Development Company, L. P.
Inventors: Marcos K. Aguilera, Ram Swaminathan
-
Patent number: 8533480
Abstract: Methods and apparatus, including computer program products, implementing and using techniques for document authentication. An electronic document is presented to a user. The electronic document has data representing a signed state and a current state. A disallowed difference between the signed state and the current state is detected, based on one or more rules that are associated with the electronic document. A digital signature associated with the electronic document is invalidated in response to the detecting.
Type: Grant
Filed: June 7, 2010
Date of Patent: September 10, 2013
Assignee: Adobe Systems Incorporated
Inventors: James Pravetz, Krish Chaudhury, Sunil Agrawal
-
Patent number: 8532093
Abstract: A watermark is inserted or overwritten into a packetized voice stream in a VoIP environment to characterize the voice data stream for various functions, such as providing certain in-band audible information or markers for detection. A visual type of marker can be inserted to measure delay for various applications, such as the round trip delay associated with providing directory assistance services, including measuring the delay from providing a prompt to a caller to their response. The visual marker facilitates use of processes to detect measuring points for measuring delays. Audible markers can be used to provide various types of audible signals, including informational tones to agents, as well as announcements to callers.
Type: Grant
Filed: May 21, 2010
Date of Patent: September 10, 2013
Assignee: Verizon Patent and Licensing Inc.
Inventors: Vijay Jayapalan, Mike Metaxas, Sundar Padmanabhan, Manvinder Chopra, Jim Bartlett
-
Patent number: 8533777
Abstract: According to one embodiment, a computer system is disclosed. The computer system includes a central processing unit (CPU) to simultaneously operate a trusted environment and an untrusted environment and a chipset coupled to the CPU. The chipset includes an interface to couple to a management agent, and protected registers having a bit to indicate if the management agent is provided access to resources within the trusted environment.
Type: Grant
Filed: December 29, 2004
Date of Patent: September 10, 2013
Assignee: Intel Corporation
Inventor: Andrew J. Fish
-
Patent number: 8533481
Abstract: Methods, devices and computer program products facilitate the extraction of embedded watermarks in the presence of content distortions. Subsequent to the detection of a tentative watermark, particular sections of the content are examined to form one or more extrapolated watermarks or watermark segments. Weights are assigned to the extrapolated watermarks or watermark segments, and used in combination with the detected tentative watermark to collectively assess if a desired probability of false detection is satisfied.
Type: Grant
Filed: November 3, 2011
Date of Patent: September 10, 2013
Assignee: Verance Corporation
Inventors: Rade Petrovic, Venkatraman Atti
-
Patent number: 8533479
Abstract: A system and method for communicating a document between multiple locations is disclosed. A computing device receives, via a network, multiple portions of a document signed and/or encrypted at a first location in accordance with a first signing and encryption methodology along with a trailer manifest specifying an order the portions need to be assembled to reconstruct the document. Each of the portions and the manifest is individually decrypted and validated using the first signing and/or encrypting methodology. The portions and manifest are re-signed and/or re-encrypted with a second signing and encryption methodology such that the information can be decrypted, the signatures can be validated and the document can be reassembled at a second location.
Type: Grant
Filed: May 28, 2010
Date of Patent: September 10, 2013
Assignee: Liaison Technologies, Inc.
Inventors: Max N. Coburn, Yen Luong Huynh
-
Patent number: 8533849
Abstract: A method for detecting at least one traitor computer system among a plurality of receiver computer systems including: assigning a version of protected content to each of the plurality of receiver computer systems that are currently identified as innocent by a content protection system that monitors distribution of protected content to the plurality of receiver computer systems; recovering at least one unauthorized rebroadcast of the content; generating a score for each of the plurality of receiver computer systems with respect to the recovered unauthorized rebroadcast; calculating a threshold independent of an estimation of maximum traitor computer systems; checking a highest score against the threshold; incriminating a receiver computer system having the highest score above the threshold as a traitor computer system; and removing any unauthorized rebroadcasts overlapping with the traitor computer system. The process may be repeated from generating scores until all traitors are identified.
Type: Grant
Filed: September 7, 2010
Date of Patent: September 10, 2013
Assignee: International Business Machines Corporation
Inventors: Hongxia Jin, Serdar Pehlivanoglu
-
Patent number: 8533462
Abstract: An authentication agent may cryptographically identify a remote endpoint that sent a media initialization message even though intermediate devices may modify certain fields in the message after a signature is inserted. The originating endpoint's agent may create the signature over some fields of the message using an enterprise network's private key. The agent may insert the signature into the message and send the message to a recipient endpoint's authentication agent. The recipient agent may verify the signature, receive a certificate including a second public key, and challenge the identity of the originating endpoint in order to confirm that identity. This challenge may request a confirmation that the originating endpoint knows the private key corresponding to the second public key and may occur while running encrypted media at the endpoints. After the originating endpoint is authenticated, the endpoints may exchange encrypted and/or unencrypted media.
Type: Grant
Filed: June 11, 2012
Date of Patent: September 10, 2013
Assignee: Cisco Technology, Inc.
Inventors: Daniel G. Wing, Cullen F. Jennings
-
Publication number: 20130232340
Abstract: A watermark generator for providing a watermark signal in dependence on binary message data, the watermark generator has an information spreader configured to spread an information unit to a plurality of time-frequency-domain values, to obtain a spread information representation. The watermark generator also has a synchronization inserter configured to multiplicatively combine the spread information representation with a synchronization sequence to obtain a combined information-synchronization representation. The watermark generator also has a watermark signal provider configured to provide the watermark signal on the basis of the combined information-synchronization representation. A watermark decoder, methods and computer programs are also described.
Type: Application
Filed: August 23, 2012
Publication date: September 5, 2013
Applicant: Fraunhofer-Gesellschaft zur Foerderung der angewandten Forschung e.V.
Inventors: Stefan WABNIK, Reinhard ZITZMANN, Tobias BLIEM, Bert GREEVENBOSCH, Bernhard GRILL, Ernst EBERLEIN, Giovanni DEL GALDO, Marco BREILING, Stefan KRAEGELOH, Juliane BORSUM, Joerg PICKEL
-
Patent number: 8528104
Abstract: A security device of this invention includes a nonvolatile storage unit 22 for storing a validity check unit including a counter updated every time signature function means 30 is called up, a volatile storage unit 24 for reading and storing a counter array out of an external nonvolatile storage unit storing the counter array, in which the counter array is obtained by coupling a hash value generated for each signature key with a signature number counter for counting the number of signatures performed by use of the signature key, and a hash function unit 28 for reading the counter array out of the volatile storage unit 24, generating the hash value, and transferring the hash value to the validity check unit for a validity check.
Type: Grant
Filed: April 14, 2011
Date of Patent: September 3, 2013
Assignee: International Business Machines Corporation
Inventors: Hiroshi Maruyama, Seiji Munetoh, Sachiko Yoshihama
-
Patent number: 8527773
Abstract: Systems and methods for authenticating the identity of a user prior to giving access to confidential data at a user interface via a network are described. In an exemplary implementation in an Internet environment, a server hosts an application providing selective access by the user to confidential data related to the user. The user provides initial data to the application as part of a request to access the confidential data. At least one database having the confidential data stored therein is accessed by the server to retrieve confidential data relating to the user located in the database based on the initial data received from the client interface. An authentication function causes the server to transmit to the client interface and present to the user an incomplete portion of the confidential data relating to the user, which is not identical to the initial data, along with at least one other portion of data having a substantially identical format to the incomplete portion of the confidential data.
Type: Grant
Filed: March 9, 2010
Date of Patent: September 3, 2013
Assignee: Transunion Interactive, Inc.
Inventor: Scott Metzger
-
Patent number: 8528060
Abstract: Efficient secure password protocols are constructed that remain secure against offline dictionary attacks even when a large, but bounded, part of the storage of a server responsible for password verification is retrieved by an adversary through a remote or local connection. A registration algorithm and a verification algorithm accomplish the goal of defeating a dictionary attack. A password protocol where a server, on input of a login and a password, carefully selects several locations from the password files, properly combines their content according to some special function, and stores the result of this function as a tag that can be associated with this password and used in a verification phase to verify access by users.
Type: Grant
Filed: December 22, 2006
Date of Patent: September 3, 2013
Assignee: Telcordia Technologies, Inc.
Inventors: Giovanni Di Crescenzo, Richard J. Lipton, Sheldon Walfish
-
Patent number: 8523666
Abstract: Mechanisms are disclosed that allow for execution of unsigned content and the securing of resources in a closed system when such unsigned content is executing on the system. For example, an application programming interface is used between an access layer implementing unsigned content and an operating system of the closed system. The application programming interface may have sub-interfaces that correspond to sub-layers of the access layer, including a graphics sub-interface, an audio sub-interface, an input sub-interface, and a storage sub-interface. These sub-interfaces present access calls made by the sub-layers to the protected resources of the closed system. By providing the application programming interface, unsigned content, e.g., video games can run on a closed system that is typically designed to run only signed content.
Type: Grant
Filed: May 25, 2007
Date of Patent: September 3, 2013
Assignee: Microsoft Corporation
Inventors: John Mitchell Walker, Paul L. Bleisch, Thomas Wayne Miller, Jr., Matthew Picioccio, Shawn Hargreaves
-
Patent number: 8527778
Abstract: Provided are an apparatus and method for preventing falsification of black box data. The apparatus for preventing falsification of black box data includes a driving information storage module and a falsification prevention module. The driving information storage module stores a driving information data which is collected by a black box. The falsification prevention module encrypts the driving information data to generate a falsification determination data through a predetermined encryption mechanism, and stores the falsification determination data.
Type: Grant
Filed: May 27, 2010
Date of Patent: September 3, 2013
Assignee: Electronics and Telecommunications Research Institute
Inventor: Moo Seop Kim
-
Patent number: 8528103
Abstract: A system manages display and retrieval of image content on a network by identifying the image and linking the image to related information, such as licensing information or usage rights. The system manages the display of image content stored within a network by associating thumbnail images that link to versions of the image content stored on a network. One example is a thumbnail that acts as a bookmark linking to image signal content stored on a distributed network of computers, such as links to web pages accessible on the internet. Corresponding methods are also provided.
Type: Grant
Filed: March 19, 2010
Date of Patent: September 3, 2013
Assignee: Digimarc Corporation
Inventors: Daniel O. Ramos, Brian T. MacIntosh, Geoffrey B. Rhoads
-
Patent number: 8527767
Abstract: A system and method are provided for pre-processing encrypted and/or signed messages at a host system before the message is transmitted to a wireless mobile communication device. The message is received at the host system from a message sender. There is a determination as to whether any of the message receivers has a corresponding wireless mobile communication device. For each message receiver that has a corresponding wireless mobile communication device, the message is processed so as to modify the message with respect to one or more encryption and/or authentication aspects. The processed message is transmitted to a wireless mobile communication device that corresponds to the first message receiver. The system and method may include post-processing messages sent from a wireless mobile communications device to a host system. Authentication and/or encryption message processing is performed upon the message. The processed message may then be sent through the host system to one or more receivers.
Type: Grant
Filed: November 1, 2010
Date of Patent: September 3, 2013
Assignee: BlackBerry Limited
Inventors: Michael Stephen Brown, Neil Patrick Adams, Michael Kenneth Brown, Michael Grant Kirkup, Herbert Anthony Little
-
Patent number: 8528086
Abstract: A computer worm detection system orchestrates a sequence of network activities in a computer network and monitors the computer network to identify an anomalous behavior of the computer network. The computer worm detection system then determines whether the anomalous behavior is caused by the computer worm and can determine an identifier for detecting the computer worm based on the anomalous behavior. The computer worm detection system can also generate a recovery script for disabling the computer worm or repairing damage caused by the computer worm.
Type: Grant
Filed: March 31, 2005
Date of Patent: September 3, 2013
Assignee: FireEye, Inc.
Inventor: Ashar Aziz
-
Patent number: 8526318
Abstract: A method and device of identifying payload of a data packet in a TCP stream. The method includes the steps of: calculating a payload signature according to information in header of the data packet in the TCP stream; comparing the payload signature with a pre-stored file signature; determining the payload of the data packet in the TCP stream as belonging to a file corresponding to the pre-stored file signature, in response to a match between payload signatures of multiple data packets and the pre-stored file signature. The present invention can monitor and identify TCP streams by using a more efficient and lower cost solution.
Type: Grant
Filed: August 27, 2010
Date of Patent: September 3, 2013
Assignee: International Business Machines Corporation
Inventors: Li Li, Jia Jia Wen, Zhe Xiang, Yi Xin Zhao
-
Patent number: 8526608
Abstract: A printing system and printer with an electronic signature capability, and a method thereof are provided. To print security documents using an electronic signature stored in a portable memory, the printing system of the invention includes a portable memory for storing an electronic signature. A memory interface connects detachably to the portable memory. A printer receives the electronic signature from the memory interface, composes the received electronic signature with print data, and executes a print operation. Accordingly, a stamping or signature process on numerous documents can be facilitated, and excessive stamping or signature execution can be prevented. Moreover, the electronic signature of the invention can be executed on various types of forms or documents.
Type: Grant
Filed: March 9, 2011
Date of Patent: September 3, 2013
Assignee: Samsung Electronics Co., Ltd.
Inventors: Eun-ah Song, Hyun-sun Jung, Yong-geun Kim
-
Publication number: 20130227294
Abstract: A method and apparatus for authenticating a key management message within a secure communication system is provided herein. During operation, a digital signature for message authentication of a Project 25 Key Management Message (KMM) is utilized. In particular, the digital signature will be used to authenticate the KMM in scenarios where there is no Message Authentication Code (MAC). The MAC will be utilized to authenticate the KMM when available. Because authentication of KMMs takes place, even when no MAC is available, it becomes increasingly more difficult to tamper or spoof the delivery of encryption keys.
Type: Application
Filed: February 28, 2012
Publication date: August 29, 2013
Applicant: MOTOROLA SOLUTIONS, INC.
Inventors: THOMAS J. SENESE, HELEN Y. HOSELTON, OBAID SHAHAB
-
Publication number: 20130227297
Abstract: Embodiments disclosed allow authentication between two entities having agreed on the use of a common modulus N. The authentication includes generating a pseudorandom string value; generating a public key value based on the modulus N and the pseudorandom string value; generating a private key value corresponding to the public key value; receiving a verifier's public key value; generating a shared secret value based on the modulus N, the private key value and the verifier's public key value; calculating an authentication signature value using the shared secret value; and transmitting the authentication signature value for authentication. When the authentication signature is received, the public key value and the shared value are generated to calculate an authentication signature value. Thereafter, the authentication signature values are compared and authenticated.
Type: Application
Filed: April 9, 2013
Publication date: August 29, 2013
Applicant: QUALCOMM Incorporated
Inventor: QUALCOMM Incorporated
-
Publication number: 20130227296
Abstract: In a virtual machine (VM) operation security method, a control computer generates an asymmetric key pair that includes a private key and a public key for a client computer. The public key is stored in a first storage system of the control computer and the asymmetric key pair is stored to a second storage system of a client computer. The client computer electronically signs a specific parameter of a VM in the control computer using the private key, and generates an instruction of performing an operation to the virtual machine. The control computer receives the instruction, verifies the electronically signed specific parameter in the instruction, and performs the operation to the virtual machine according to a verification result.
Type: Application
Filed: January 26, 2013
Publication date: August 29, 2013
Applicant: HON HAI PRECISION INDUSTRY CO., LTD.
Inventor: HON HAI PRECISION INDUSTRY CO., LTD.
-
Publication number: 20130227295
Abstract: A watermark generator for providing a watermark signal in dependence on binary message data includes an information processor configured to provide, in dependence on information units of the binary message data, a first time-frequency domain representation, values of which represent the binary message data. The watermark generator also includes a differential encoder configured to derive a second time-frequency domain representation from the first time-frequency-domain representation, such that the second time-frequency-domain representation includes a plurality of values, wherein a difference between two values of the second time-frequency-domain representation represents a corresponding value of the first time-frequency-domain representation, in order to obtain a differential encoding of the values of the first time-frequency-domain representation.
Type: Application
Filed: August 17, 2012
Publication date: August 29, 2013
Applicant: Fraunhofer-Gesellschaft zur Foerderung der angewandten Forschung e.V.
Inventors: Stefan WABNIK, Joerg PICKEL, Bert GREEVENBOSCH, Bernhard GRILL, Ernst EBERLEIN, Giovanni DEL GALDO, Stefan KRAEGELOH, Reinhard ZITZMANN, Tobias BLIEM, Marco BREILING, Juliane BORSUM
-
Publication number: 20130227293
Abstract: The disclosure relates to processing content with watermarks to generate watermarked versions. In some aspects, each version may be different. Groups of fragments may be combined to generate a unique stream by pulling fragments from two or more of the groups of fragments. Further, fragmenting may be performed before watermarking, and fragments may be pulled and watermarked upon request.
Type: Application
Filed: February 24, 2012
Publication date: August 29, 2013
Applicant: COMCAST CABLE COMMUNICATIONS, LLC
Inventors: John Leddy, James W. Fahrny, Allen Broome, Michael A. Chen
-
Patent number: 8520811
Abstract: The present invention enables users of a network service to register with the network as valued shoppers, thereby allowing them to receive specialized treatment when calling registered retailers. The present invention enables retailers to register with the network, thereby allowing them to set preferred service logic for handling valued customer calls by the network.
Type: Grant
Filed: August 23, 2010
Date of Patent: August 27, 2013
Assignee: AT&T Intellectual Property II, L.P.
Inventors: Marian Croak, Hossein Eslambolchi
-
Patent number: 8522034
Abstract: Methods and systems are disclosed for providing secure transmissions across a network comprising a transmitting device and a receiving device. At the transmitting device, a stream of watermark bits is generated. Next, a plurality of watermarks is generated, each of the plurality of watermarks comprising an index number and a portion of the stream of watermark bits. The watermarks are inserted into each header of a plurality of outgoing packets. At the receiving device, the plurality of outgoing packets are received and it is determined if a received packet is valid based on the watermark in the header of the received packet. The stream of watermark bits may be generated using a stream cipher such as RC4, a block cipher such as 3DES in CBC mode, or other equivalent pseudo-random stream generating techniques.
Type: Grant
Filed: August 19, 2011
Date of Patent: August 27, 2013
Assignee: Google Inc.
Inventors: Úlfar Erlingsson, Xavier Boyen, Darrell Anderson, Wayne Gray
-
Patent number: 8522033
Abstract: Provided is an authentication device including a key setting unit for setting s∈K^n to a secret key and setting a multi-order polynomial fi(x1, . . . , xn) (i=1 to m) on a ring K and yi=fi(s) to a public key, a message transmission unit for transmitting a message c to a verifier, a verification pattern reception unit for receiving information on one verification pattern selected by the verifier from k (k≥3) verification patterns for one message c, and a response transmission unit for transmitting, to the verifier, response information, among k types of response information, corresponding to the information on the verification pattern received by the verification pattern reception unit, where the response information is information that enables calculation of the secret key s in a case all of the k verification patterns for the message c performed by using the k types of response information have been successful.
Type: Grant
Filed: May 19, 2011
Date of Patent: August 27, 2013
Assignee: Sony Corporation
Inventors: Koichi Sakumoto, Taizo Shirai, Harunaga Hiwatari
-
Patent number: 8520844
Abstract: Techniques for an efficient and provably secure protocol by which two parties, each holding a share of a Cramer-Shoup private key, can jointly decrypt a ciphertext, but such that neither party can decrypt a ciphertext alone. In an illustrative embodiment, the secure protocol may use homomorphic encryptions of partial Cramer-Shoup decryption subcomputations, and three-move Σ-protocols for proving consistency.
Type: Grant
Filed: June 20, 2003
Date of Patent: August 27, 2013
Assignee: Alcatel Lucent
Inventor: Philip D. MacKenzie
-
Patent number: 8522046
Abstract: The disclosure provides a method, an apparatus and a system for acquiring a service by a portable device, in order to solve the problem that the security of the user information saved in the portable device is affected as the portable device uses an illegal User Interface (UI) on a Personal Computer (PC) in the related art. The method includes: the portable device receives the data information of each slice computed by the UI according to the first algorithm in the UI itself and identification information of each slice saved, matches the received data information of each slice with the corresponding data information of each slice saved in the portable device itself, and verifies whether the UI is legal according to the matching result.
Type: Grant
Filed: December 1, 2010
Date of Patent: August 27, 2013
Assignee: ZTE Corporation
Inventors: Wei Liu, Lei Xie
-
Patent number: 8520841
Abstract: An exemplary method includes defining a CM field, representing coefficients of a Frobenius element of a hyperelliptic curve over a prime field as non-linear polynomials that are functions of an integer x and selecting a value for x whereby the product of the Frobenius element and its complex conjugate is a prime number. Such a method may further include determining the order of the Jacobian of the hyperelliptic curve, for example, where the order is an almost prime number. Various other methods, devices, systems, etc., are also disclosed, which may be optionally used for cryptography.
Type: Grant
Filed: May 22, 2008
Date of Patent: August 27, 2013
Assignee: Microsoft Corporation
Inventors: Kristin E. Lauter, Ning Shang
-
Patent number: 8522349
Abstract: A system, method and program product for defending against man in the middle (MITM) attacks directed at a target server. A system is provided that includes an activity recording system that records an incoming IP address, userid, and time of each session occurring with the target server; an activity analysis system that identifies suspect IP addresses by determining if an unacceptable number of sessions are occurring from a single incoming IP address during a predefined time period; and a countermeasure system for taking action against suspect IP addresses.
Type: Grant
Filed: March 28, 2012
Date of Patent: August 27, 2013
Assignee: International Business Machines Corporation
Inventor: Jeffrey L. Crume
-
Patent number: 8522035
Abstract: A certificate enrollment assistant module may be provided to inject a challenge password into a certificate signing request to be sent, to a Certificate Authority, from a computing device. The certificate enrollment assistant module, thereby, acts as a trusted proxy to assist the computing device in building a valid certificate signing request without the computing device having access to the challenge password.
Type: Grant
Filed: February 9, 2012
Date of Patent: August 27, 2013
Assignee: BlackBerry Limited
Inventors: Alexander Sherkin, Michael Carrara, Alexander Truskovsky
-
Patent number: 8522014
Abstract: A system obtains assurance by a content provider that a content control key is securely stored in a remote security module for further secure communications between the content provider and the security module. A security module manufacturer, which has a pre-established trustful relation with the security module, imports a symmetric transport key into the security module. The symmetric transport key is unique to the security module. The content provider shares the symmetric transport key with the security module manufacturer. The content provider exchanges messages with the security module through a security module communication manager in order to get the proof that the security module stores the content control key. At least a portion of the messages exchanged between the content provider and the security module are protected using the symmetric transport key. The symmetric transport key is independent of said content control key.
Type: Grant
Filed: March 15, 2007
Date of Patent: August 27, 2013
Assignee: Actividentity
Inventors: Dominique Fedronic, Eric Le Saint, John Babbidge, Hong Liu
-
Patent number: 8522011
Abstract: The invention relates to a computer implemented method for performing a user authentication, wherein an asymmetric cryptographic key pair is associated with the user, said key pair comprising a public key and a private key, wherein the method comprises selecting the user to be authenticated using a pseudonym of said user, wherein said pseudonym comprises the public key of the user, the method further comprising performing a cryptographic authentication of the user using the asymmetric cryptographic key pair.
Type: Grant
Filed: November 3, 2010
Date of Patent: August 27, 2013
Assignee: Compugroup Holding AG
Inventors: Adrian Spalka, Jan Lenhardt
-
Patent number: 8522032
Abstract: A system to prevent audio watermark detection includes content having a video portion and an audio portion, the audio portion having a watermark, an audio/video separator configured to separate the video portion and the audio portion, and a random number generator configured to generate a random number corresponding to a shifted frequency. The system also includes a frequency shift element configured to apply the shifted frequency to the audio portion to alter a spectrum of the watermark so as to prevent detection of the watermark by a device seeking to recover the watermark. The system also includes an audio resampler configured to resample the audio portion to restore the audio portion to an original length, and an audio/video combiner configured to combine the video portion and the audio portion.
Type: Grant
Filed: March 30, 2010
Date of Patent: August 27, 2013
Assignee: Disney Enterprises, Inc.
Inventor: Michael J. Strein
-
Publication number: 20130219182
Abstract: A media stream is delineated into multiple fragments. Different watermark variants of individual fragments are generated. Particular sequences of watermark variants are selected for particular clients and maintained in a user access database. Analyzing media streams allows determination of the sequences of watermark variants and identification of particular clients intended to receive the media streams. Fragments can continue to be cached efficiently and unique watermarks need not be generated for each individual client.
Type: Application
Filed: February 17, 2012
Publication date: August 22, 2013
Applicant: MobiTV, Inc.
Inventors: Fritz Barnes, Kent Karlsson, Cedric Fernandes
-
Publication number: 20130219183
Abstract: Software validation is provided for a breakout system having multiple subsystems at the edge of a mobile data network. The software validation utilizes one or more trusted platform modules (TPM) to secure multiple subsystems including virtual machines in the breakout system. Hash values for the software in the various subsystems are placed in Platform Configuration Registers (PCRs) of the TPM. The TPM cryptographically signs quotes, which are a collection of hash values from the PCRs. The breakout system produces an extensible markup language (XML) file with the signed quotes related to the subsystems and sends them to a network management system for verification. The network management system validates the software configured on the breakout system using a public key to access the quotes and compares the values to known good values stored in an inventory record associated with the specific breakout system being validated.
Type: Application
Filed: November 27, 2012
Publication date: August 22, 2013
Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
Inventor: International Business Machines Corporation
-
Publication number: 20130219166
Abstract: A method for providing authentication credentials to a server over a communications network includes initiating communication with a server over a communications network. The communication is to be established using a secure connection. A message is received from the server over the communications network as well as a request for a digital certificate associated with a first user account accessible to the server. An encrypted private key is decrypted in a secure hardware module to obtain a decrypted private key. The decrypted private key is associated with the first user account. The message received from the server is passed to the secure hardware module. The message is digitally signed in the secure hardware module using the decrypted private key. The digital certificate and the digitally signed message are sent to the server over the communication network.
Type: Application
Filed: February 20, 2012
Publication date: August 22, 2013
Applicant: MOTOROLA MOBILITY, INC.
Inventors: Todor Ristov, Stuart P. Moskovics
-
Publication number: 20130219184
Abstract: Disclosed is a method for secure electronic signing of a document, which comprises: reading the document to be signed by an application; presenting a graphical representation of said document to a user; and accepting the document to be signed by the user. The method also comprises: at a server, computing a hash function, an extended validation function for the hash and a readable summary function of the to-be-signed document; from the server, sending the hash function and the extended validation function for the hash to the application and to a signing device; from the server, sending said hash function and the readable summary function of the to-be-signed document to a secondary device.
Type: Application
Filed: July 11, 2011
Publication date: August 22, 2013
Inventors: Antonio Manuel Amaya Calvo, Miguel Ohoa Fuentes
-
Publication number: 20130219185
Abstract: Provided is an authentication device including a key setting unit for setting a multi-order polynomial ui(t) (i=1 to n-1) to a secret key and setting a multi-order polynomial f that satisfies f(u1(t), . . . , un-1(t),t)=0 to a public key, a message transmission unit for transmitting a message c to a verifier, a verification pattern reception unit for receiving information on one verification pattern selected by the verifier from k (k≥3) verification patterns for one message c, and a response transmission unit for transmitting, to the verifier, response information, among k types of response information, corresponding to the information on the verification pattern received by the verification pattern reception unit. The response information is information that enables calculation of the secret key ui in a case all of the k verification patterns for the message c performed by using the k types of response information have been successful.
Type: Application
Filed: April 2, 2013
Publication date: August 22, 2013
Applicant: Sony Corporation
Inventors: Koichi SAKUMO, Taizo Shirai, Harunaga Hiwatari