Abstract: A computer system including a bus bridge for bridging transactions between a secure execution mode-capable processor and a security services processor. The bus bridge may include a transaction source detector, a configuration header and control logic. The transaction source detector may receive a security initialization transaction performed as a result of execution of a security initialization instruction. Further, the transaction source detector may determine whether the secure execution mode-capable processor is a source of the security initialization transaction. The configuration header may provide storage of information associated with the security services processor. The control logic may determine whether the security services processor is coupled to the bus bridge via a non-enumerable, peripheral bus.

Abstract: A system (126-129) detects transmission of potentially malicious packets. The system (126-129) receives packets and generates hash values corresponding to each of the packets. The system (126-129) may then compare the generated hash values to hash values corresponding to prior packets. The system (126-129) determines that one of the packets is a potentially malicious packet when the generated hash value corresponding to the one packet matches one of the hash values corresponding to one of the prior packets and the one prior packet was received within a predetermined amount of time of the one packet. The system (126-129) may also facilitate the tracing of the path taken by a potentially malicious packet. In this case, the system (126-129) may receive a message that identifies a potentially malicious packet, generate hash values from the potentially malicious packet, and determine whether one or more of the generated hash values match hash values corresponding to previously-received packets.

Abstract: A packet data string is provided to a device under test (DUT), which preprocesses the packet data string, based on static inputs, to provide packet segment data strings, which are placed in a queue in a memory structure. Separate therefrom, a packet segment data string is applied to an encryption engine of the DUT, which encryption engine has an initialization vector applied thereto, and an encryption algorithm of the encryption engine is applied to this packet segment data string to provide an encrypted packet segment data string.

Abstract: A system which allows each server in a network to verify the signature of a party issuing a service instruction in a system for providing a cooperative service by allowing servers to send and receive instruction data indicating instructions to each server and to execute the instruction written in the instruction data. An instruction input device receiving an instruction from a service requestor attaches an electronic signature (initiator signature (74)) of the requestor or the instruction input device to an instruction which indicates process content of each server, to create a signed individual instruction (72). The instruction input device further attaches an initiator signature (76) to data in which the signed individual instructions (72) for all servers involved in the service are merged, to create a collective instruction (70). The collective instruction (70) is transmitted to a flow controller controlling the servers.

Abstract: An authentication system providing a safety authentication process of electronic values with the use of mobile terminals which do not have a tamper-resistant function. The electronic value including encrypted value authentication information (F(VPW)), wherein an authentication information (VPW) corresponding to an electronic value specified by a user is acquired by the hash calculation, is stored in user's mobile terminal.

Abstract: A secure network is disclosed. The secure network includes a residential gateway to communicate with a remote network and a local network. At least one trusted local device is configured to send communications including data packets with authentication information to the residential gateway to request access to resources of the remote network. The residential gateway inhibits a request received from the local network to access resources on the remote network until the residential gateway uses authentication information to authenticate data packets associated with the request as originating from the at least one trusted local device.

Abstract: A truncated message digest of length L bits is generated from a message by preprocessing the message dependent upon the value L to obtain a modified message. As part of the preprocessing, the message is lengthened by insertion of additional values. A full length message digest is generated from the modified message and the truncated message digest is obtained by truncating the full length message digest to L bits. This approach results in truncated message digests that are secure and provide a large range of truncation options.

Abstract: This invention provides a means for insuring data security and confidence in a recorded sequence of data that includes video, audio and meta-data through the use of digital signatures. The digital signatures are calculated through the use of publicly available hash algorithms and chained in a new and novel manner to provide for confidence in the data integrity and security of the recorded data upon replay.

Abstract: A programmable processor calculates a hash value of a memory region, then monitors program operation to detect a security monitoring system initialization. The hash value is added to extend a security measurement sequence if the security monitoring system initialization clears a security state. Processors that implement similar methods, and systems using such processors, are also described and claimed.

Abstract: The invention relates to the authentication of users for a multi-function peripheral (MFP) device using handwritten signatures. Systems and methods are disclosed which relate to a MFP that conditions access to MFP operations based on an authenticating process that compares a prospective user's signature to previously saved signatures. The signatures are communicated to the MFP using the MFP's native scanning function.

Abstract: Methods and apparatus, including computer program products, implementing and using techniques for establishing trust in an electronic document. An electronic document is received. State dependent content in the electronic document is identified. The state dependent content is content that is renderable to have a several appearances. The electronic document is presented to a user, which includes disclosing the presence of any identified state dependent content in the electronic document.

Abstract: A method, system and apparatus for performing user identification, digital signatures and other secure communication functions in which keys are chosen essentially at random from a large set of vectors and key lengths are comparable to the key lengths in other common identification and digital signature schemes at comparable security levels. The signing technique of an embodiment of the identification/digital signature scheme hereof uses a mixing system based on multiplication in a ring and reduction modulo an ideal q in that ring; while the verification technique uses special properties of products of elements whose validity depends on elementary probability theory. The security of the identification/digital signature scheme comes from the interaction of reduction modulo q and the difficulty of forming products with special properties.

Abstract: A method, apparatus, and computer implemented instructions for processing a request in a data processing system. The request is received. In response to a first hash value being present within the request, the first hash value is compared to a second hash value that was computed locally, wherein the second hash value represents a current policy configuration for assigning a quality of service. In response to a match between the first hash value and the second hash value, other information in the request is used to establish a quality of service for packets associated with the request.

Abstract: A method, apparatus, and computer instructions for authorizing execution of an application on the data processing system. A request is received to execute the application, wherein the request originates from a remote data processing system and wherein the request includes a digital certificate and the application. The digital certificate is verified in response to receiving the request. Responsive to verifying the digital certificate, a digital digest is calculated for the application to form a calculated digital digest. The calculated digital digest is compared with a set of digital digests from a trusted source. The application is executed if a match between the calculated digital digest and set of digital digests occurs.

Abstract: An image verification system includes an image generation apparatus and a first verification apparatus. The image generation apparatus (a) generates image data, (b) generates a hash value from the image data, and (c) generates first verification data from the hash value using a common key cryptography and not using a public key cryptography. The first verification apparatus (a) receives the hash value and the first verification data, (b) verifies, using the received hash value, the received first verification data and the common key cryptography, whether the image data is altered, and (c) generates second verification data from the hash value using the public key cryptography, if the first verification apparatus verifies that the image data is not altered.

Abstract: A system and method of automating the management of public and private key pairs of a sender and recipient of electronic messages over a network and for retrieving public keys of senders or recipients from secured servers, local key rings, PKI server, or Certificate Authority without requiring client-side software or user maintenance.

Abstract: A system is described for uniquely mating components of a communication network such as a smartcard and a set-top box. When mated, the smartcard and set-top box are tied together and have a single identity. Further, the smartcard operates properly only when inserted into an authorized set-top box. Exchanges of information between both components are secured by encryption and authentication to guard against piracy of the exchanged information. The system provides the same authentication key to the set-top box and the smartcard. This key is used for authenticating communication between the set-top box and the smartcard. First, the authentication key is encrypted by a set-top box mating key. The set-top box employs this mating key to decrypt the authentication key. After it is derived, the authentication key is stored in the set-top box's memory. Further, the same authentication key is encrypted by a smartcard mating key.

Abstract: A data processing apparatus for managing an information file to be utilized when contents are used is provided. The data processing system includes an update information file creator for creating an update information file on the basis of an information file including multiple kinds of data stored in a predetermined file storage area to be stored in the predetermined file storage area, a first digest calculator for calculating a digest value from the update information file created by the update information file creator, a digest updater for updating a digest value stored in a predetermined digest value storage area to the digest value calculated by the first digest calculator, a file eraser for erasing the information file used to create the update information file, and a first file setter for setting the update information file as an information file.

Abstract: Methods and apparatus, including computer program products, for transmitting content from a content collection site to a content monitoring site, including inserting a first digital signature into a first content segment collected by the content collection device, inserting a second digital signature, different form the first digital signature, into a second content segment collected by the content collection device sequentially after the first content segment, and transmitting the first content segment including the first digital signature and the second content segment including the second digital signature to the content monitoring site.

Abstract: Further increases in the difficulty of importing to a secure domain digital content including watermarks which impose a degree of difficulty on illicit importing to the secure domain of the digital content is disclosed. Further increases in the degree of difficulty are necessary because the degree of difficulty associated with the watermarks is capable of being illicitly overcome by dividing the digital content being imported into segments that are so short that the watermarks cannot be reliably detected. In a recorder, recording is prevented by determining that adjacent activations of start and stop keys are such that the digital content has been so divided. In a playback unit, playback is prevented by determining that recorded sections are so short that the watermarks therein cannot be reliably detected.

Abstract: Provided are a method and apparatus for creating and applying a secure file identifier of a rights object by using random numbers. The apparatus includes a secure-file-identifier generating unit which creates the secure file identifier by generating a random number and combining the random number with a hash value corresponding to a rights object identifier of the file identifier list; a transmitting unit which transmits the secure file identifier to the storage device; and a receiving unit which receives a secure file identifier list for identifying the rights object from a storage device.

Abstract: Frame transmission source authentication is performed among terminals involved in delivery in a wireless adhoc communication system. A first terminal generates a keyed hashed value by using an authentication header key determined with respect to a second terminal, and gives it to an authentication header of a frame. The second terminal generates a keyed hashed value by using the authentication header key determined with respect to the first terminal, and compares it with the authentication header given to the frame. If the keyed hashed value generated at the second terminal matches the authentication header, it is confirmed that the frame has been transmitted from the first authenticated valid terminal. The first terminal encrypts a payload part by using a unicast encryption key determined with respect to a third terminal. This encrypted payload part can be decrypted only by the third terminal having the unicast encryption key.

Abstract: Methods, systems and computer program products are provided for authenticating a message from a client using a first authentication protocol and a resource manager using a second authentication protocol different from the first authentication protocol by generating a second message from the message from the client. The second message may include information from the client which has been authenticated using the first authentication protocol. The second message is authenticated using the second authentication protocol and the authenticated second message is provided to the resource manager.

Abstract: Documents and other items can be delivered electronically from sender to recipient with a level of trustedness approaching or exceeding that provided by a personal document courier. A trusted electronic go-between can validate, witness and/or archive transactions while, in some cases, actively participating in or directing the transaction. Printed or imaged documents can be marked using handwritten signature images, seal images, electronic fingerprinting, watermarking, and/or steganography. Electronic commercial transactions and transmissions take place in a reliable, “trusted” virtual distribution environment that provides significant efficiency and cost savings benefits to users in addition to providing an extremely high degree of confidence and trustedness. The systems and techniques have many uses including but not limited to secure document delivery, execution of legal documents, and electronic data interchange (EDI).

Abstract: There is provided a communication system in which a network device and an information processing device are communicatably connected to each other through a network. The network device comprises a certificate providing unit to transmit an electronic certificate to the information processing device through the network; and a printing unit configured to print an image of a public key corresponding to the electronic certificate. The information processing device comprises: a certificate reception unit to receive the electronic certificate from the certificate providing unit through the network; an image output unit to generate and output an image of the public key described in the received electronic certificate; and an installation unit configured to install the electronic certificate onto the information processing device in response to a fact that the generated image of the public key is output by the image output unit and a command for installation of an electronic certificate is received.

Abstract: A system, method and computer program that administers access and security on a network having more than one computer system connected thereto. This system, method and computer program has a local password file (1500) which is one-way encrypted and contains user identifications, associated one-way encrypted passwords and associated privileges for each authorized user allowed access to the wide area network (10). A user login module (1200) is used to receive a user identification or role and password from a user and login the user when a match is found in the local password file (1500). A channel monitoring and filtering module (1000) is provided to monitor and receive broadcast or multicast messages within the wide area network (10) and display the message to the user when the user's associated privileges permit the viewing of the message.

Abstract: Before accepting a setting request from a predetermined manager in a plurality of date-and-time managers capable of issuing a date-and-time setting request, a setting request from any manager can be accepted. After accepting a setting request from a predetermined manager, only the setting request from the predetermined manager can be accepted. A date and time can be set in response to an accepted date-and-time setting request.

Abstract: Systems and methods for performing electronic postmarking of data, without directly utilizing a regular electronic postmark (EPM) server (110), including receiving data from a data acquisition device (102), generating a MicroEPM data structure (106) comprising a time stamp, a digital signature, and the received data and transferring the MicroEPM data structure (106) to a regular EPM server (110).

Abstract: An efficient multicast key management is achieved by using seals. A security server generates a seal. In one embodiment, the seal contains a key. In another embodiment, the seal contains information for generating a key. An application server requests the seal from the security server and broadcasts the seal to a plurality of recipients. A recipient wishing to encrypt or decrypt a data stream transmits the received seal to the security server to be opened. If the recipient is authorized, the security server transmits a permit to the authorized recipient. In one embodiment, the recipient generates a key from the permit. In another embodiment, the permit is the key. If the recipient is a sender, the recipient encrypts data using the key and broadcasts the same encrypted data stream to all receivers. If the recipient is a receiver, the recipient decrypts an encrypted data stream using the key. In one embodiment, a seal with a corresponding offset value is sent periodically in a data stream.

Abstract: One embodiment of the present invention provides a system that facilitates uploading content from a client to a server. Upon receiving content, the client divides the content into smaller data-blocks of a predetermined size. Once the content has been divided, the client computes a codeword for each data-bock. Next, the client computes a composite codeword for the set of codewords by computing a function of the set of codewords. The client also computes a content identifier for the content to differentiate the content from other content. Once this is done, the client sends the composite codeword and the content identifier to the server, and receives a response from the server indicating whether or not the content is present on the server. If the content is not present on the server, the client sends the content to the server.

Abstract: A hash processing system and method for reducing the number of clock cycles required to implement the SHA1 and MD5 hash algorithms by using a common hash memory having multiple storage areas each coupled to one of two or more hash channels. The system further provides implicit padding on-the-fly as data is read from the common hash memory. The system shares register and other circuit resources for MD5 and SHA1 hash circuits that are implemented in each hash channel, and uses pipelined, two-channel SHA1 and pipelined, single-channel MD5 hash architectures to reduce the effective time required to implement the SHA1 and MD5 algorithms.

Abstract: The invention is directed to a method for checking the integrity of messages between a mobile station and the cellular network. Two time-varying parameters are used in MAC calculation, one of which is generated by the mobile station, and the other by the network. The parameter specified by the network is used in one session only, and is transmitted to the mobile station in the beginning of the connection. The parameter specified by the mobile station is stored in the mobile station between connections in order to allow the mobile station to use a different parameter in the next connection. The parameter specified by the mobile station is transmitted to the network in the beginning of the connection.

Abstract: A device for facilitating verification of an electronic signature in an exchange of instructions between an in-house server and an outside server. Each server which is to execute a partial process of a cooperative service has, in a key storage unit (206), secret keys corresponding to public key certificates issued by an in-house CA and by an outside public CA. A signature key selection unit 216 judges whether a server which is to execute a process next is a device within or outside the company and selects an in-house secret key when the next server is an in-house device and an outside secret key when the next server is an outside device. A signature creation unit (218) calculates a value of an electronic signature for an job flow instruction to the next server using the selected secret key. An instruction division/integration unit (204) transmits to the next server the job flow instruction with the electronic signature value attached.

Abstract: Between a data recording/playback device and a data storage device, CBC-mode encryption processing is executed which encrypts a plurality of encryption keys of content which correspond to sectors. The encrypted data is stored in a header corresponding to the content. The CBC-mode encryption processing is executed by using a storage key unique to media in which the content is stored. For using the content, only by decrypting the key data in media in which mutual authentication is established, the content can be used, so that highly-secure key storage is implemented.

Abstract: Secure communication between a keyboard and a component, such as a piece of software running on a computer. A first initial value is known to both the keyboard and the component. The keyboard and the component exchange nonces. The keyboard and the component each compute a second initial value and a third initial value based on the nonces and the first initial value. Both the keyboard and the component perform the same computation, so that the keyboard and the component each have the same second and third initial values. The keyboard encrypts keystrokes destined for the component using CBC-3DES based on the key and the second initial value, and also creates a message authentication code for each keystroke using CBC-3DESMAC based on the key and the third initial value. The component decrypts and verifies the keystrokes using the key and the second and third initial values.

Abstract: Described herein is a technology for facilitating the recognition of the content of digital signals. This abstract itself is not intended to limit the scope of this patent. The scope of the present invention is pointed out in the appending claims.

Abstract: The disclosed embodiments relate to method and apparatus for providing computer security system. The method may include calculating a hash value of an operation at an administrative system. The signed hash of the operation may be created in the administrative system. The signed hash may be received at the managed system. The managed system may validate the signed hash by using a stored reference hash. Upon determining if the signed hash is valid, the managed system may execute the operation that corresponds to the signed hash.

Abstract: A method of performing electronic communications between members of a group wherein the communications are authenticated as being from a member of the group and have not been altered, comprising: generating a plurality of random numbers; distributing in a digital medium the plurality of random numbers to the members of the group; publishing a hash value of contents of the digital medium; distributing to the members of the group public-key-encrypted messages each containing a same token comprising a random number; and encrypting a message with a key generated from the token and the plurality of random numbers.

Abstract: A method for authenticating appliance messages sent between an appliance and an appliance communication center over an appliance communications network includes maintaining a shared message counter at both the appliance communication center. A shared message counter at both the appliance communication center and the remotely located appliance. An authentication algorithm is applied to the appliance message and the shared message counter to generate an authentication word. The appliance message is then transmitted to the appliance or the communication center along with the authentication word. Upon receiving the appliance message, the appliance or the communication center will apply an authentication algorithm to the appliance message and the shared counter to generate an authentication word. The generated authentication word may be compared to the word received with the appliance message to determine authenticity of the message.

Abstract: A method of authentification of data sent in a digital transmission characterized by the organization and authentification of the data prior to transmission into a hierarchy of at least one root directory unit (75), subdirectory unit (76) and file unit (77), data in a file (77) being acted upon by an authentification algorithm and an associated file authentification value (82) stored in the referring subdirectory unit (77), this file authentification value (82) being in turn acted upon by an authentification algorithm and an associated subdirectory authentification value (79) stored in the referring root directory. Other aspects of the invention relate to the authentification of a second root directory (78) by generation of a second authentification value (83) and the authentification of data before encapsulation in tables or sections of a transport stream.

Abstract: One embodiment of the present invention provides a method for facilitating secure extension of an application. The method operates by first establishing an agreement between an owner of the application and a third party to allow the third party to incorporate an extension into the application. Once an agreement has been established, the system causes the extension to be digitally signed with a private key associated with the owner of the application, whereby the resulting digital signature can be verified with a corresponding public key to confirm that the extension is authorized to be used by the application. The system also configures the application to operate with extensions signed with the private key. In a variation on this embodiment, causing the extension to be digitally signed involves receiving the extension from the third party and signing the extension with the private key belonging to the owner of the application.

Abstract: A method and apparatus for managing access to a signal representative of an event of a service provider, including receiving said signal in a smart card, said signal being scrambled using a scrambling key, receiving, in said smart card, data representative of a first share; constructing said scrambling key using said first share and at least one additional share, said additional share being stored in said smart card; and descrambling said signal using said constructed scrambling key to provide a descrambled signal, wherein the step of constructing said scrambling key comprises calculating the Y-intercept of the line formed on said Euclidean plane by said first, and said at least one additional share.

Abstract: Provided are a method, system, and program for synchronizing data. A client data record is received from a client and a determination is made of a server data record corresponding to the client data record and a stored digest generated from a previously received version of the received client data record. A current digest is computed from the received client data record. A determination is then made as to whether the computed current digest matches the stored digest. The server data record is updated with modified data from the received client data record if the computed digest and stored digest do not match.

Abstract: A method for inserting a digital signature into digital data is provided. The digital data has bits and the method includes the steps of: assigning predetermined bits of the digital data for receiving the digital signature; signing the digital data excluding the predetermined bits resulting in the digital signature; and inserting the digital signature into the predetermined bits of the digital data for subsequent authentication of the digital data.

Abstract: A hash processing system and method for reducing the number of clock cycles required to implement the SHA1 and MD5 hash algorithms by using a common hash memory having multiple storage areas each coupled to one of two or more hash channels. The system further provides implicit padding on-the-fly as data is read from the common hash memory. The system shares register and other circuit resources for MD5 and SHA1 hash circuits that are implemented in each hash channel, and uses pipelined, two-channel SHA1 and pipelined, single-channel MD5 hash architectures to reduce the effective time required to implement the SHA1 and MD5 algorithms.

Abstract: One embodiment of the present invention provides a system that facilitates secure messaging. The system starts by creating a message at an origin. Next, the system computes a digest of the message. This digest is signed using an origin private encryption key. The message and the signed digest are forwarded to a queue for delivery to a recipient. Upon receiving the message and the signed digest at the queue, the system verifies that the digest was signed at the origin by using an origin public encryption key. If the signature is valid, the origin cannot deny creating the message. Valid messages and digests are placed on the queue and the recipient is notified that the message is available.

Abstract: In a data distribution system, data is divided into a number of application data units. A sequence of keys is generated systematically, and a different key is used to encrypt each data unit at the source. At the receivers, corresponding keys are generated and used to decrypt the data units to gain access to the data. The constructions used to generate the keys are such that an intrinsically limited subset of the entire sequence of keys is made available to the user by communicating a selected combination of one or more seed values.

Abstract: A method for validating untrusted authentication chip, the method includes the steps of: generating a secret random number and calculating a signature for the random number using a signature function, in a trusted authentication chip; encrypting the random number and the signature using a symmetric encryption function using a first secret key, in the trusted authentication chip; passing the encrypted random number and signature from the trusted authentication chip to an untrusted authentication chip; decrypting the encrypted random number and signature with a symmetric decryption function using the first secret key, in the untrusted authentication chip; calculating a signature for the decrypted random number using the signature function in the untrusted authentication chip; comparing the signature calculated in the untrusted authentication chip with the signature decrypted; in the event that the two signatures match, encrypting the decrypted random number together with a data message read from the untrusted c

Abstract: The present invention is directed to a system and method for protecting a network appliance against a security breach. The network appliance is protected by an appliance protector component that resides within the network appliance. The appliance protector protects the network appliance by monitoring processes for a valid signature and terminating processes with an invalid signature.

Abstract: A reliably safe storage system is provided which makes provable the status of a file stored in a storage server at a time specified by a user and creates evidence information that will be effective in future. In response to a file status fixing request from the user over a network, a storage server generates file fixing guarantee data, including data publicized by a publication server, and saves the generated data with the file associated with the generated data.