Abstract: A system and method of automating the management of public and private key pairs of a sender and recipient of electronic messages over a network and for retrieving public keys of senders or recipients from secured servers, local key rings, PKI server, or Certificate Authority without requiring client-side software or user maintenance.

Abstract: A data processing apparatus for managing an information file to be utilized when contents are used is provided. The data processing system includes an update information file creator for creating an update information file on the basis of an information file including multiple kinds of data stored in a predetermined file storage area to be stored in the predetermined file storage area, a first digest calculator for calculating a digest value from the update information file created by the update information file creator, a digest updater for updating a digest value stored in a predetermined digest value storage area to the digest value calculated by the first digest calculator, a file eraser for erasing the information file used to create the update information file, and a first file setter for setting the update information file as an information file.

Abstract: Further increases in the difficulty of importing to a secure domain digital content including watermarks which impose a degree of difficulty on illicit importing to the secure domain of the digital content is disclosed. Further increases in the degree of difficulty are necessary because the degree of difficulty associated with the watermarks is capable of being illicitly overcome by dividing the digital content being imported into segments that are so short that the watermarks cannot be reliably detected. In a recorder, recording is prevented by determining that adjacent activations of start and stop keys are such that the digital content has been so divided. In a playback unit, playback is prevented by determining that recorded sections are so short that the watermarks therein cannot be reliably detected.

Abstract: Methods and apparatus, including computer program products, for transmitting content from a content collection site to a content monitoring site, including inserting a first digital signature into a first content segment collected by the content collection device, inserting a second digital signature, different form the first digital signature, into a second content segment collected by the content collection device sequentially after the first content segment, and transmitting the first content segment including the first digital signature and the second content segment including the second digital signature to the content monitoring site.

Abstract: Provided are a method and apparatus for creating and applying a secure file identifier of a rights object by using random numbers. The apparatus includes a secure-file-identifier generating unit which creates the secure file identifier by generating a random number and combining the random number with a hash value corresponding to a rights object identifier of the file identifier list; a transmitting unit which transmits the secure file identifier to the storage device; and a receiving unit which receives a secure file identifier list for identifying the rights object from a storage device.

Abstract: Frame transmission source authentication is performed among terminals involved in delivery in a wireless adhoc communication system. A first terminal generates a keyed hashed value by using an authentication header key determined with respect to a second terminal, and gives it to an authentication header of a frame. The second terminal generates a keyed hashed value by using the authentication header key determined with respect to the first terminal, and compares it with the authentication header given to the frame. If the keyed hashed value generated at the second terminal matches the authentication header, it is confirmed that the frame has been transmitted from the first authenticated valid terminal. The first terminal encrypts a payload part by using a unicast encryption key determined with respect to a third terminal. This encrypted payload part can be decrypted only by the third terminal having the unicast encryption key.

Abstract: Methods, systems and computer program products are provided for authenticating a message from a client using a first authentication protocol and a resource manager using a second authentication protocol different from the first authentication protocol by generating a second message from the message from the client. The second message may include information from the client which has been authenticated using the first authentication protocol. The second message is authenticated using the second authentication protocol and the authenticated second message is provided to the resource manager.

Abstract: Documents and other items can be delivered electronically from sender to recipient with a level of trustedness approaching or exceeding that provided by a personal document courier. A trusted electronic go-between can validate, witness and/or archive transactions while, in some cases, actively participating in or directing the transaction. Printed or imaged documents can be marked using handwritten signature images, seal images, electronic fingerprinting, watermarking, and/or steganography. Electronic commercial transactions and transmissions take place in a reliable, “trusted” virtual distribution environment that provides significant efficiency and cost savings benefits to users in addition to providing an extremely high degree of confidence and trustedness. The systems and techniques have many uses including but not limited to secure document delivery, execution of legal documents, and electronic data interchange (EDI).

Abstract: There is provided a communication system in which a network device and an information processing device are communicatably connected to each other through a network. The network device comprises a certificate providing unit to transmit an electronic certificate to the information processing device through the network; and a printing unit configured to print an image of a public key corresponding to the electronic certificate. The information processing device comprises: a certificate reception unit to receive the electronic certificate from the certificate providing unit through the network; an image output unit to generate and output an image of the public key described in the received electronic certificate; and an installation unit configured to install the electronic certificate onto the information processing device in response to a fact that the generated image of the public key is output by the image output unit and a command for installation of an electronic certificate is received.

Abstract: A system, method and computer program that administers access and security on a network having more than one computer system connected thereto. This system, method and computer program has a local password file (1500) which is one-way encrypted and contains user identifications, associated one-way encrypted passwords and associated privileges for each authorized user allowed access to the wide area network (10). A user login module (1200) is used to receive a user identification or role and password from a user and login the user when a match is found in the local password file (1500). A channel monitoring and filtering module (1000) is provided to monitor and receive broadcast or multicast messages within the wide area network (10) and display the message to the user when the user's associated privileges permit the viewing of the message.

Abstract: Before accepting a setting request from a predetermined manager in a plurality of date-and-time managers capable of issuing a date-and-time setting request, a setting request from any manager can be accepted. After accepting a setting request from a predetermined manager, only the setting request from the predetermined manager can be accepted. A date and time can be set in response to an accepted date-and-time setting request.

Abstract: Systems and methods for performing electronic postmarking of data, without directly utilizing a regular electronic postmark (EPM) server (110), including receiving data from a data acquisition device (102), generating a MicroEPM data structure (106) comprising a time stamp, a digital signature, and the received data and transferring the MicroEPM data structure (106) to a regular EPM server (110).

Abstract: An efficient multicast key management is achieved by using seals. A security server generates a seal. In one embodiment, the seal contains a key. In another embodiment, the seal contains information for generating a key. An application server requests the seal from the security server and broadcasts the seal to a plurality of recipients. A recipient wishing to encrypt or decrypt a data stream transmits the received seal to the security server to be opened. If the recipient is authorized, the security server transmits a permit to the authorized recipient. In one embodiment, the recipient generates a key from the permit. In another embodiment, the permit is the key. If the recipient is a sender, the recipient encrypts data using the key and broadcasts the same encrypted data stream to all receivers. If the recipient is a receiver, the recipient decrypts an encrypted data stream using the key. In one embodiment, a seal with a corresponding offset value is sent periodically in a data stream.

Abstract: One embodiment of the present invention provides a system that facilitates uploading content from a client to a server. Upon receiving content, the client divides the content into smaller data-blocks of a predetermined size. Once the content has been divided, the client computes a codeword for each data-bock. Next, the client computes a composite codeword for the set of codewords by computing a function of the set of codewords. The client also computes a content identifier for the content to differentiate the content from other content. Once this is done, the client sends the composite codeword and the content identifier to the server, and receives a response from the server indicating whether or not the content is present on the server. If the content is not present on the server, the client sends the content to the server.

Abstract: A hash processing system and method for reducing the number of clock cycles required to implement the SHA1 and MD5 hash algorithms by using a common hash memory having multiple storage areas each coupled to one of two or more hash channels. The system further provides implicit padding on-the-fly as data is read from the common hash memory. The system shares register and other circuit resources for MD5 and SHA1 hash circuits that are implemented in each hash channel, and uses pipelined, two-channel SHA1 and pipelined, single-channel MD5 hash architectures to reduce the effective time required to implement the SHA1 and MD5 algorithms.

Abstract: The invention is directed to a method for checking the integrity of messages between a mobile station and the cellular network. Two time-varying parameters are used in MAC calculation, one of which is generated by the mobile station, and the other by the network. The parameter specified by the network is used in one session only, and is transmitted to the mobile station in the beginning of the connection. The parameter specified by the mobile station is stored in the mobile station between connections in order to allow the mobile station to use a different parameter in the next connection. The parameter specified by the mobile station is transmitted to the network in the beginning of the connection.

Abstract: A device for facilitating verification of an electronic signature in an exchange of instructions between an in-house server and an outside server. Each server which is to execute a partial process of a cooperative service has, in a key storage unit (206), secret keys corresponding to public key certificates issued by an in-house CA and by an outside public CA. A signature key selection unit 216 judges whether a server which is to execute a process next is a device within or outside the company and selects an in-house secret key when the next server is an in-house device and an outside secret key when the next server is an outside device. A signature creation unit (218) calculates a value of an electronic signature for an job flow instruction to the next server using the selected secret key. An instruction division/integration unit (204) transmits to the next server the job flow instruction with the electronic signature value attached.

Abstract: Between a data recording/playback device and a data storage device, CBC-mode encryption processing is executed which encrypts a plurality of encryption keys of content which correspond to sectors. The encrypted data is stored in a header corresponding to the content. The CBC-mode encryption processing is executed by using a storage key unique to media in which the content is stored. For using the content, only by decrypting the key data in media in which mutual authentication is established, the content can be used, so that highly-secure key storage is implemented.

Abstract: Secure communication between a keyboard and a component, such as a piece of software running on a computer. A first initial value is known to both the keyboard and the component. The keyboard and the component exchange nonces. The keyboard and the component each compute a second initial value and a third initial value based on the nonces and the first initial value. Both the keyboard and the component perform the same computation, so that the keyboard and the component each have the same second and third initial values. The keyboard encrypts keystrokes destined for the component using CBC-3DES based on the key and the second initial value, and also creates a message authentication code for each keystroke using CBC-3DESMAC based on the key and the third initial value. The component decrypts and verifies the keystrokes using the key and the second and third initial values.

Abstract: Described herein is a technology for facilitating the recognition of the content of digital signals. This abstract itself is not intended to limit the scope of this patent. The scope of the present invention is pointed out in the appending claims.

Abstract: The disclosed embodiments relate to method and apparatus for providing computer security system. The method may include calculating a hash value of an operation at an administrative system. The signed hash of the operation may be created in the administrative system. The signed hash may be received at the managed system. The managed system may validate the signed hash by using a stored reference hash. Upon determining if the signed hash is valid, the managed system may execute the operation that corresponds to the signed hash.

Abstract: A method for authenticating appliance messages sent between an appliance and an appliance communication center over an appliance communications network includes maintaining a shared message counter at both the appliance communication center. A shared message counter at both the appliance communication center and the remotely located appliance. An authentication algorithm is applied to the appliance message and the shared message counter to generate an authentication word. The appliance message is then transmitted to the appliance or the communication center along with the authentication word. Upon receiving the appliance message, the appliance or the communication center will apply an authentication algorithm to the appliance message and the shared counter to generate an authentication word. The generated authentication word may be compared to the word received with the appliance message to determine authenticity of the message.

Abstract: A method of performing electronic communications between members of a group wherein the communications are authenticated as being from a member of the group and have not been altered, comprising: generating a plurality of random numbers; distributing in a digital medium the plurality of random numbers to the members of the group; publishing a hash value of contents of the digital medium; distributing to the members of the group public-key-encrypted messages each containing a same token comprising a random number; and encrypting a message with a key generated from the token and the plurality of random numbers.

Abstract: A method of authentification of data sent in a digital transmission characterized by the organization and authentification of the data prior to transmission into a hierarchy of at least one root directory unit (75), subdirectory unit (76) and file unit (77), data in a file (77) being acted upon by an authentification algorithm and an associated file authentification value (82) stored in the referring subdirectory unit (77), this file authentification value (82) being in turn acted upon by an authentification algorithm and an associated subdirectory authentification value (79) stored in the referring root directory. Other aspects of the invention relate to the authentification of a second root directory (78) by generation of a second authentification value (83) and the authentification of data before encapsulation in tables or sections of a transport stream.

Abstract: One embodiment of the present invention provides a method for facilitating secure extension of an application. The method operates by first establishing an agreement between an owner of the application and a third party to allow the third party to incorporate an extension into the application. Once an agreement has been established, the system causes the extension to be digitally signed with a private key associated with the owner of the application, whereby the resulting digital signature can be verified with a corresponding public key to confirm that the extension is authorized to be used by the application. The system also configures the application to operate with extensions signed with the private key. In a variation on this embodiment, causing the extension to be digitally signed involves receiving the extension from the third party and signing the extension with the private key belonging to the owner of the application.

Abstract: A method and apparatus for managing access to a signal representative of an event of a service provider, including receiving said signal in a smart card, said signal being scrambled using a scrambling key, receiving, in said smart card, data representative of a first share; constructing said scrambling key using said first share and at least one additional share, said additional share being stored in said smart card; and descrambling said signal using said constructed scrambling key to provide a descrambled signal, wherein the step of constructing said scrambling key comprises calculating the Y-intercept of the line formed on said Euclidean plane by said first, and said at least one additional share.

Abstract: Provided are a method, system, and program for synchronizing data. A client data record is received from a client and a determination is made of a server data record corresponding to the client data record and a stored digest generated from a previously received version of the received client data record. A current digest is computed from the received client data record. A determination is then made as to whether the computed current digest matches the stored digest. The server data record is updated with modified data from the received client data record if the computed digest and stored digest do not match.

Abstract: A method for inserting a digital signature into digital data is provided. The digital data has bits and the method includes the steps of: assigning predetermined bits of the digital data for receiving the digital signature; signing the digital data excluding the predetermined bits resulting in the digital signature; and inserting the digital signature into the predetermined bits of the digital data for subsequent authentication of the digital data.

Abstract: A hash processing system and method for reducing the number of clock cycles required to implement the SHA1 and MD5 hash algorithms by using a common hash memory having multiple storage areas each coupled to one of two or more hash channels. The system further provides implicit padding on-the-fly as data is read from the common hash memory. The system shares register and other circuit resources for MD5 and SHA1 hash circuits that are implemented in each hash channel, and uses pipelined, two-channel SHA1 and pipelined, single-channel MD5 hash architectures to reduce the effective time required to implement the SHA1 and MD5 algorithms.

Abstract: One embodiment of the present invention provides a system that facilitates secure messaging. The system starts by creating a message at an origin. Next, the system computes a digest of the message. This digest is signed using an origin private encryption key. The message and the signed digest are forwarded to a queue for delivery to a recipient. Upon receiving the message and the signed digest at the queue, the system verifies that the digest was signed at the origin by using an origin public encryption key. If the signature is valid, the origin cannot deny creating the message. Valid messages and digests are placed on the queue and the recipient is notified that the message is available.

Abstract: In a data distribution system, data is divided into a number of application data units. A sequence of keys is generated systematically, and a different key is used to encrypt each data unit at the source. At the receivers, corresponding keys are generated and used to decrypt the data units to gain access to the data. The constructions used to generate the keys are such that an intrinsically limited subset of the entire sequence of keys is made available to the user by communicating a selected combination of one or more seed values.

Abstract: A method for validating untrusted authentication chip, the method includes the steps of: generating a secret random number and calculating a signature for the random number using a signature function, in a trusted authentication chip; encrypting the random number and the signature using a symmetric encryption function using a first secret key, in the trusted authentication chip; passing the encrypted random number and signature from the trusted authentication chip to an untrusted authentication chip; decrypting the encrypted random number and signature with a symmetric decryption function using the first secret key, in the untrusted authentication chip; calculating a signature for the decrypted random number using the signature function in the untrusted authentication chip; comparing the signature calculated in the untrusted authentication chip with the signature decrypted; in the event that the two signatures match, encrypting the decrypted random number together with a data message read from the untrusted c

Abstract: A reliably safe storage system is provided which makes provable the status of a file stored in a storage server at a time specified by a user and creates evidence information that will be effective in future. In response to a file status fixing request from the user over a network, a storage server generates file fixing guarantee data, including data publicized by a publication server, and saves the generated data with the file associated with the generated data.

Abstract: The present invention is directed to a system and method for protecting a network appliance against a security breach. The network appliance is protected by an appliance protector component that resides within the network appliance. The appliance protector protects the network appliance by monitoring processes for a valid signature and terminating processes with an invalid signature.

Abstract: A method and apparatus for authenticating a message, said method including receiving, at a device, data representative of a first share, constructing a key using said first share and at least two additional shares, said at least two additional shares being stored at said device; and authenticating a message using said constructed key.

Abstract: A secure document processing system for receiving an original document and for printing a secure hardcopy version of the original document, wherein the secure hardcopy version includes a machine-readable encoded image signature which represents an image segment of the original document. Such hardcopy secure documents can be validated by inputting them to an secure document validation system operable to identify and process the machine readable encoded representation and in response to determine whether the recovered image signature indicates that the document is counterfeit or has been altered.

Abstract: This invention concerns a consumable authentication protocol for validating the existence of an untrusted authentication chip, as well as ensuring that the authentication chip lasts only as long as the consumable. In a further aspect it concerns a consumable authentication system for the protocol. A trusted authentication chip has a test function; and the untrusted authentication chip has a read function to test data from the trusted chip, including a random number and its signature, encrypted using a first key, by comparing the decrypted signature with a signature calculated from the decrypted random number. In the event that the two signatures match, it returns a data message and an encrypted version of the data message in combination with the random number, encrypted using the second key.

Abstract: A method and system for providing anti-piracy protection to a software application on a server connected to a target machine over a network is described. The method includes providing a server with a server application for modifying the application software based on a machine fingerprint of the target machine, and for receiving and storing the application software. The server application receives the target machine fingerprint in conjunction with a license transaction between the server and the target machine. The server then modifies the application software using the received machine fingerprint, and provides the resulting modified software to the target machine, wherein the supplied software will only operate correctly on the target machine.

Abstract: A novel network architecture that integrates the functions of an internet protocol (IP) router into a network processing unit (NPU) that resides in a host computer's chipset such that the host computer's resources are perceived as separate network appliances. The NPU appears logically separate from the host computer even though, in one embodiment, it is sharing the same chip.

Abstract: Disclosed is a system for detecting falsification, the system having: a confirmation information preparing unit preparing confirmation information of source data of published content published on the Internet; a confirmation information holding unit holding the confirmation information of the source data at a predetermined point in time; a source data alteration detecting unit detecting an alteration in the source data; a reflecting unit reflecting the altered source data in the confirmation information of the confirmation information holding unit and in the published content; a published content alteration detecting unit performing alteration detection on the published content; a published content alteration notifying unit notifying a predetermined terminal of information relating to altered published content; and a controlling unit controlling detection of inappropriately altered published content, based on the confirmation information of the source data and on the confirmation information of the published

Abstract: A method and apparatus for data transmission between a sending node and a receiving node is provided. The sending node has a transmission executor for sending a decrypted message as a plurality of packets. When the encrypted message includes a message authentication code (MAC), the sending node sets an indicator in the packet that the result of MAC authentication will be sent later. The packet is sent from the sending node to the receiving node in a pipeline mode. The receiving node has buffer, and a preprocessor for preprocessing the payload of the packet. If the operation requested or the preprocessing required by the payload does not require MAC authentication, the requested operation/preprocessing will be executed. Otherwise, the receiving node defers the execution until the corresponding positive notification of MAC authentication is received from the sending node. Handling of negative MAC authentication is policy based at the receiving node.

Abstract: Methods and device for digitally signing documents by using a portable device that encodes a signature string to sound. The acoustic signature string may be transmitted and then decoded back into digital data. The signature string may be further processed to verify the signature of the document and to produce a certificate of identity and integrity for the document. The certificate of identity and integrity may be used to further identify and validate the document and its signer.

Abstract: A method for secure distribution of digital content, the method including the steps of dividing a unit of digital content into at least first and second portions, storing the first portion on a first computerized apparatus, digitally watermarking the second portion, and combining the first portion and the digitally watermarked second portion, thereby forming a watermarked version of the digital content.

Abstract: Method and system are described for validating a digital signature. More particularly, a signed message and a corresponding certificate are received. The certificate is checked for validation. A validation statement is generated, and the certificate validation and the signed message provide a status. This status represents a request for validation, and is provided along with a set of validations among which such status is an element. A digest is generated using a Merkle authentication tree corresponding to the set of validations, and this digest is signed with a private key. Accordingly, a notary may provide the signed digest, status and the set of validations for subsequent confirmation of the digital signature.

Abstract: A general-purpose processor (CPU) is configured with a new mechanism facilitating an authenticated boot sequence that provides building blocks for client-side rights management when the system is online, and provides continued protection of persistent data even when the system goes offline or is rebooted. The CPU includes a cryptographic key pair, and a manufacturer certificate testifying that the manufacturer built the CPU according to a known specification. The operating system (OS) includes a unique block of code, or “boot block” that can establish OS identity by extraction from a digitally signed boot block or by computing a hash digest of the boot block. During booting, the CPU executes a single opcode, followed by the boot block, as an atomic operation to set the identity of the OS into the software identity register. The subscriber unit then can establish a chain of trust to a content provider.

Abstract: A system and method for providing trusted browser verification services. In a preferred embodiment, these services are provided within the context of a four-corner trust model comprising a subscribing customer and a relying customer, engaged in an on-line transaction. The subscribing and relying customers are preferably customers of first and second financial institutions, respectively, that issue to them hardware tokens for their respective private keys and digital certificates. The buyer is preferably provided with a Web browser to conduct electronic transactions. A distinct-trusted verifier or other entity ensures in a verifiable manner that the browser used by the subscribing customer does not contain any code that is not trusted by verifying the digital signatures on each running browser component of the subscribing customer's browser and ensuring that the signature was applied by an entity that is authorized to certify the trustworthiness of the component.

Abstract: A method and system for efficiently retrieving secured data by securely pre-processing provided access information, provides data store security based on only a single piece of access information, which is generally public, such as the proper name of a business or individual that is used to retrieve mailing address information. The access information is hashed for access to a secured data store and efficient access and low data storage for permutations of input access information are provided by verifying the presence of an entry for the hashed access information in a look-up table. If an entry is found, the data store is accessed using the hashed access information, but if an entry is not found, another look-up table corresponding to another information type may be tried or the input access information permuted and retried.

Abstract: A transmission apparatus performs a one-way operation on plaintext to generate a first value and transmits the first value, generates first additional information, performs an invertible operation on the plaintext and first additional information to generate connected information, encrypts the connected information using an encryption algorithm to generate ciphertext, and transmits the ciphertext.

Abstract: A system and method for generating a message digest comprising: receiving a block of data and processing the block of data to achieve a message digest, the processing of the block of data including evaluating the block of data at time (t) in terms of time (t?x), wherein x is greater than or equal to 2.

Abstract: Described herein is a technology for facilitating the recognition of the content of digital signals. This abstract itself is not intended to limit the scope of this patent. The scope of the present invention is pointed out in the appending claims.