Message Digest Travels With Message Patents (Class 713/181)
-
Patent number: 8931040
Abstract: When exchanging communication parameter setting information on a wireless network, a communications apparatus selects between a first operation mode in which communications parameter information is exchanged with a specific communications apparatus and a second operation mode in which communications parameter information is exchanged with an unspecified number of communications apparatus. Depending on the selected operation mode, the communications apparatus controls security upon holding the communications parameter information exchanged with the specific communications apparatus and the communications parameter information exchanged with the unspecified number of communications apparatus.
Type: Grant
Filed: July 7, 2011
Date of Patent: January 6, 2015
Assignee: Canon Kabushiki Kaisha
Inventor: Kenichi Fujii
-
Patent number: 8930687
Abstract: In an encrypted storage system employing data deduplication, encrypted data units are stored with the respective keyed data digests. A secure equivalence process is performed to determine whether an encrypted data unit on one storage unit is a duplicate of an encrypted data unit on another storage unit. The process includes an exchange phase and a testing phase in which no sensitive information is exposed outside the storage units. If duplication is detected then the duplicate data unit is deleted from one of the storage units and replaced with a mapping to the encrypted data unit as stored on the other storage unit. The mapping is used at the one storage unit when the corresponding logical data unit is accessed there.
Type: Grant
Filed: March 15, 2013
Date of Patent: January 6, 2015
Assignee: EMC Corporation
Inventors: Peter Alan Robinson, Eric Young
-
Patent number: 8924731
Abstract: A secure signing method, a secure authentication method, and an IPTV system are disclosed. The secure signing method includes preparing digital signature header fields and setting an attribute, calculating a hash digest of content using a hashing algorithm, storing the calculated hash value in a message digest field of the digital signature header, encrypting the message digest using a secret key and inserting the encrypted message digest in a signature field of the digital signature header, and associating the digital signature header with the content by prefixing the digital signature header to the content.
Type: Grant
Filed: September 11, 2008
Date of Patent: December 30, 2014
Assignee: LG Electronics Inc.
Inventors: Il Gon Park, Sung Hyun Cho, Min Gyu Chung, Kumar K. Kiran, Man Soo Jeong, Koo Yong Pak
-
Patent number: 8924732
Abstract: A method of cipher communication for management frame performed by station in wireless local area network system is provided. The method includes obtaining a first pseudonoise code sequence (PN) for a plaintext Medium Access Control (MAC) protocol data unit (MPDU), constructing an additional authentication data (AAD) by using fields in a header of the plaintext MPDU, constructing a Nonce value from the PN, an Address 2 and a Priority field in the header of the plaintext MPDU, generating an encrypted MPDU from the plaintext MPDU by using a temporal key, the AAD, and the Nonce value, and transmitting the encrypted MPDU to a peer station, wherein the plaintext MPDU is a management frame including a sequence number field, the sequence number field including access category field indicating category of data included in the plaintext MPDU, and the Nonce value includes a priority field matched with the access category field.
Type: Grant
Filed: September 9, 2011
Date of Patent: December 30, 2014
Assignee: LG Electronics Inc.
Inventors: Eun Sun Kim, Yong Ho Seok
-
Patent number: 8918897
Abstract: A method begins with a processing module issuing a retrieval request, receiving secret shares of a set of secret shares to produce received secret shares, and receiving encoded data slices of a set of encoded data slices. The method continues with the processing module decoding the received secret shares to recapture a message authentication key when a threshold number of the secret shares is received. The method continues with the processing module identifying a received encoded data slice of the received encoded data slices having an authentication code associated therewith when a threshold number of the encoded data slices is received. The method continues with the processing module verifying the authentication code based on the message authentication key and the received encoded data slice. The method continues with the processing module decoding the received encoded data slices to recapture a data segment when the authentication code is verified.
Type: Grant
Filed: August 25, 2010
Date of Patent: December 23, 2014
Assignee: Cleversafe, Inc.
Inventor: Jason K. Resch
-
Patent number: 8918873
Abstract: The instant disclosure describes various exemplary systems and methods for exonerating an untrusted software component based solely on a trusted software component's non-optional or “hard” dependency on the untrusted software component. In one example, a method for exonerating untrusted software components in this manner may include: 1) identifying a dependent software component, 2) determining that the dependent software component is a non-optional dependent component of at least one trusted software component, and then 3) classifying the dependent software component as a trusted software component. As detailed herein, such a method may enable security software to quickly and efficiently exonerate untrusted components by association without having to scan or perform other intrusive and/or resource-intensive security operations on such untrusted software components.
Type: Grant
Filed: August 28, 2009
Date of Patent: December 23, 2014
Assignee: Symantec Corporation
Inventors: Sourabh Satish, Shane Pereira, Wilson Meng, Yoshihiro Yasuda
-
Patent number: 8914641
Abstract: Methods, systems, and apparatuses are disclosed for signing and verifying data using multiple hash algorithms and digests in PKCS including, for example, retrieving, at the originating computing device, a message for signing at the originating computing device to yield a signature for the message; identifying multiple hashing algorithms to be supported by the signature; for each of the multiple hashing algorithms identified to be supported by the signature, hashing the message to yield multiple hashes of the message corresponding to the multiple hashing algorithms identified; constructing a single digest having therein each of the multiple hashes of the messages corresponding to the multiple hashing algorithms identified and further specifying the multiple hashing algorithms to be supported by the signature; applying a signing algorithm to the single digest using a private key of the originating computing device to yield the signature for the message; and distributing the message and the signature to receivin
Type: Grant
Filed: December 12, 2012
Date of Patent: December 16, 2014
Assignee: Intel Corporation
Inventors: Vinodh Gopal, Sean M. Gulley, James D. Guilford, Wajdi K. Feghali
-
Patent number: 8903094
Abstract: The invention concerns a cryptographic key distribution system comprising a server node, a repeater network connected to the server node through a quantum channel, and a client node connected to the repeater network through a quantum channel; wherein in use: the repeater network and the client node cooperatively generate a transfer quantum key which is supplied to a system subscriber by the client node; the server node and the repeater network cooperatively generate a link quantum key; the repeater network encrypts the link quantum key based on the transfer quantum key and sends the encrypted link quantum key to the system subscriber through a public communication channel; the server node encrypts a traffic cryptographic key based on the link quantum key and a service authentication key and sends the encrypted traffic cryptographic key to the system subscriber through a public communication channel.
Type: Grant
Filed: August 3, 2012
Date of Patent: December 2, 2014
Assignee: Selex Sistemi Integrati S.p.A.
Inventor: Fabio Antonio Bovino
-
Publication number: 20140351600
Abstract: A method and apparatus which ensures that static data entered into a communications device or apparatus is accurate, or at least consistent with data provided to an authentication service.
Type: Application
Filed: August 11, 2014
Publication date: November 27, 2014
Inventor: Jeffrey M. Robbins
-
Patent number: 8887276
Abstract: A system for providing a secure video display using a one-way data link. An input interface receives a video stream signal. The one-way data link has an input node coupled to receive the input video stream signal and an output node. A processing system is coupled to the output node of the one-way data link and is configured to run a predetermined operating system. In an embodiment, a video display software program operates within the predetermined operating system to process the video stream signal received from the output node of the one-way data link and to provide an output signal for viewing on a display coupled to the processing system. Optionally, the video display program operates within a virtual operating system running within the predetermined operating system. In other embodiments, the video display program may process a video stream signal containing a plurality of different video programs.
Type: Grant
Filed: November 21, 2012
Date of Patent: November 11, 2014
Assignee: OWL Computing Technologies, Inc.
Inventors: Ronald Mraz, Jeffrey Menoher, Andrew Holmes
-
Patent number: 8886949
Abstract: Electronic data is input. The electronic data is divided into N (N is an integer satisfying N≥2) segments. Examination data is generated by repeating, up to the Nth segment, the computation processing of using the computation result obtained by performing predetermined computation on the data of the Mth (M is an integer satisfying 1≤M≤N−1) segment as an input for predetermined computation of the data of the (M+1)th segment. Verification data for the electronic data is generated so as to contain, as intermediate data, the examination data and a computation result in the middle of generating the examination data.
Type: Grant
Filed: October 29, 2012
Date of Patent: November 11, 2014
Assignee: Canon Kabushiki Kaisha
Inventor: Nobuhiro Tagashira
-
Patent number: 8885818
Abstract: The present document relates to techniques for authentication of data streams. Specifically, the present document relates to the insertion of identifiers into a data stream, such as a Dolby Pulse, AAC or HE AAC bitstream, and the authentication and verification of the data stream based on such identifiers. A method and system for encoding a data stream comprising a plurality of data frames is described. The method comprises the step of generating a cryptographic value of a number N of successive data frames and configuration information, wherein the configuration information comprises information for rendering the data stream. The method then inserts the cryptographic value into the data stream subsequent to the N successive data frames.
Type: Grant
Filed: August 6, 2010
Date of Patent: November 11, 2014
Assignee: Dolby International AB
Inventors: Reinhold Boehm, Alexander Groeschel, Holger Hoerich, Daniel Homm, Wolfgang A. Schildbach, Michael Schug, Oliver Watzke, Martin Wolters, Thomas Ziegler
-
Patent number: 8880692
Abstract: The present invention provides a method, system, and computer program product for transferring authorization rights to access a file. A method in accordance with an embodiment of the present invention includes: designating a location to store the file; creating a file-transfer-reference for the file based on the location; creating an authorization protocol for the file; selecting at least one recipient of the file-transfer-reference; and forwarding the file-transfer-reference to the at least one recipient according to the authorization protocol. The method may optionally include defining a validity period for access to the file.
Type: Grant
Filed: October 30, 2006
Date of Patent: November 4, 2014
Assignee: International Business Machines Corporation
Inventors: Fonda J. Daniels, James Patrick Galvin, Jr., Ruthie D. Lyle, Michael Muller, Martin Presler-Marshall, David M. Wendt
-
Patent number: 8880869
Abstract: A device receives capability information associated with a next hop device of a wireless local area network (WLAN). The device also determines, based on the capability information, whether the next hop device is capable of implementing security for traffic, where the security includes a media access control (MAC) security standard and a layer 2 link security standard. The device further creates, via the MAC security standard, a secure channel with the next hop device when the next hop device is capable of providing security for traffic.
Type: Grant
Filed: November 22, 2010
Date of Patent: November 4, 2014
Assignee: Juniper Networks, Inc.
Inventors: Sandip Shah, Jeffrey L Pochop, Jr.
-
Patent number: 8880892
Abstract: Devices generate security vectors based on their own attributes. A device's security vectors compose its transformation matrix. The devices securely share copies of their transformation matrices with other devices. A transmitting device adds its unique MAC to packets, encrypts those packets using its own transformation matrix, and transmits those packets. A receiving device uses its copy of the transmitting device's transformation matrix to decrypt the data in a packet, determining whether a MAC extracted from that packet matches the transmitting device's MAC. The receiving device can permit or prevent further processing of the packet's data depending on whether the MACs match. Each device can store a copy of a same program that can be used to derive derivative security vectors from existing security vectors. Each device in the network can derive the same set of derivative vectors for any selected other device in the network, thereby “evolving” the transformation matrices.
Type: Grant
Filed: March 13, 2014
Date of Patent: November 4, 2014
Assignee: Willow, Inc.
Inventors: Jonathan P. Livolsi, Robert R. Livolsi
-
Patent number: 8874917
Abstract: According to one embodiment, a storage system includes a host device and a secure storage. The host device and the secure storage produce a bus key which is shared only by the host device and the secure storage by authentication processing, and which is used for encoding processing. The host device produces a message authentication code including a message which can be stored in the secure storage based on the bus key, and sends the produced message authentication code to the secure storage. The secure storage stores the message included in the message authentication code in accordance with instructions of the host device. The host device verifies whether the message stored in the secure storage is intended contents.
Type: Grant
Filed: December 31, 2012
Date of Patent: October 28, 2014
Assignee: Kabushiki Kaisha Toshiba
Inventors: Yuji Nagai, Yasufumi Tsumagari, Shinichi Matsukawa, Hiroyuki Sakamoto, Hideki Mimura
-
Patent number: 8874904
Abstract: A first cryptographic device is configured to store a set of keys that is refreshed in each of a plurality of epochs. The first cryptographic device computes for each of at least a subset of the epochs at least one view based on at least a portion of the set of keys for that epoch, and transmits the views to a second cryptographic device in association with their respective epochs. At least one view computed for a current one of the epochs is configured for utilization in combination with one or more previous views computed for one or more previous ones of the epochs to permit the second cryptographic device to confirm authenticity of the set of keys for the current epoch. The first cryptographic device may include an authentication token and the second cryptographic device may include an authentication server.
Type: Grant
Filed: December 13, 2012
Date of Patent: October 28, 2014
Assignee: EMC Corporation
Inventors: Ari Juels, Kevin D. Bowers
-
Patent number: 8874908
Abstract: This disclosure describes a process for storing data on a central server with a plurality of users, each of them having their own user password used for creating a user key, being respectively assigned to some of these users, and some of the data, being divided into data blocks to be uploaded, and each data block being compared to data blocks on the server based on a unique data block ID value in order to determine whether a corresponding data block is already stored on the server and to upload to the server those data blocks which are not already present, a data block list to be uploaded being created and uploaded to the central server, so that in a data recovery step data stored on the central server which are requested by the user can be restored in their original form based on said list.
Type: Grant
Filed: November 7, 2012
Date of Patent: October 28, 2014
Assignee: Wolfgang Raudaschl
Inventor: Wolfgang Raudaschl
-
Patent number: 8874919
Abstract: Provided is an apparatus and method of a portable terminal authenticating another portable terminal. The portable terminal may receive a seed generated by the other portable terminal, issue an authentication certificate generated using the seed to the other portable terminal, authenticate the other portable terminal based on the authentication certificate, and provide a secure communication.
Type: Grant
Filed: January 14, 2011
Date of Patent: October 28, 2014
Assignee: Samsung Electronics Co., Ltd.
Inventor: Dae Youb Kim
-
Patent number: 8868930
Abstract: Systems and methods for encrypting a plaintext logical data object for storage in a storage device operable with at least one storage protocol, creating, reading, writing, optimization and restoring thereof. Encrypting the plaintext logical data object comprises creating in the storage device an encrypted logical data object comprising a header and one or more allocated encrypted sections with predefined size; encrypting one or more sequentially obtained chunks of plaintext data corresponding to the plaintext logical data object thus giving rise to the encrypted data chunks; and sequentially accommodating the processed data chunks into said encrypted sections in accordance with an order said chunks received, wherein said encrypted sections serve as atomic elements of encryption/decryption operations during input/output transactions on the logical data object.
Type: Grant
Filed: February 16, 2012
Date of Patent: October 21, 2014
Assignee: International Business Machines Corporation
Inventors: Chaim Koifman, Nadav Kedem, Avi Zohar
-
Publication number: 20140310530
Abstract: Each of ECUs counts the number of messages transmitted for each of CAN IDs. A transmission node that has transmitted a main message produces an MAC from a data field and the CAN ID in the main message and a counter value corresponding to the CAN ID, and transmits the MAC as an MAC message. A reception node that has received the main message produces an MAC from the data field and the CAN ID contained in the main message and the counter value corresponding to the CAN ID, and determines whether the MAC matches the MAC contained in the MAC message. By so doing, verification whether the main message is valid or not can be made. According to this configuration, message authentication by the MAC can be made without changing a CAN protocol.
Type: Application
Filed: October 30, 2012
Publication date: October 16, 2014
Inventors: Hisashi Oguma, Tsutomu Matsumoto, Masato Hata, Masato Tanabe, Katsunari Yoshioka, Kazuomi Oishi
-
Publication number: 20140298037
Abstract: The present invention provides a method, an apparatus, and a system for securely transmitting data. A method for securely transmitting data is provided, where the method includes: sending, by a user terminal, a resource access request carrying a first authentication header field to a server, where the first authentication header field includes a user identifier and a server identifier; and receiving a request response returned by the server, where the request response includes a second authentication header field and a message body, where the second authentication header field carries a third integrity digest, and the third integrity digest is obtained by the server by performing, after receiving the resource access request, calculation by using a third message-digest algorithm further according to a user password and message content; so that M2M transmission based on the CoAP protocol can be performed securely and reliably.
Type: Application
Filed: June 16, 2014
Publication date: October 2, 2014
Inventors: Fangying Xiao, Yonggang Bian, Yongjing Zhang
-
Publication number: 20140298036
Abstract: A method for protecting a first secrets file. The method includes an n-bit generator generating a secrets file name for the secrets file and generating decoy file names for decoy files. The secrets file includes a secret. Each of the decoy files includes decoy file contents, is a same size as the secrets file, and is associated with a modification time within a range of modification times. The modification time of the secrets file is within the range of modification times. The secrets file and decoy files are stored in a secrets directory.
Type: Application
Filed: March 28, 2014
Publication date: October 2, 2014
Applicant: PACid Technologies, LLC
Inventor: Guy Fielder
-
Patent number: 8850540
Abstract: The examples of the present invention provide a method and device for verifying a dynamic password. In the method and device, some algorithm parameters can be exchanged in public by using a DH algorithm, and thus a same key is shared safely between two entities, so as to implement the verification of the dynamic password and further improve the security of identity verification. Moreover, the method and device can be easy to use. Further, by the above technical solution, no message exchange is needed between a mobile device and a verification server, and a user does not need to pay for additional flux, so as to decrease the burden of the user and verification costs.
Type: Grant
Filed: February 17, 2012
Date of Patent: September 30, 2014
Assignee: Tencent Technology (Shenzhen) Company Limited
Inventors: Huibao Lin, Zhijan Qian, Xusheng Hu, Ruiqiang Liu
-
Patent number: 8843753
Abstract: A method for erasing bootstrapping, at a device or a gateway in a Machine-to-Machine (M2M) service is provided. The method includes receiving an erase request containing a first M2M-Erase-Token from an M2M Authentication Server (MAS) or an M2M Service Bootstrapping Function (MSBF), processing the erase request based on the first M2M-Erase-Token or a local policy of the device or the gateway, and sending an erase response containing a second M2M-Erase-Token to the MAS or the MSBF.
Type: Grant
Filed: April 16, 2012
Date of Patent: September 23, 2014
Assignee: Samsung Electronics Co., Ltd.
Inventors: Alper Yegin, Youngkyo Baek
-
Publication number: 20140281560
Abstract: An apparatus implementing a secure zone on one or more virtual machines may be provided. In one aspect, the apparatus may comprise a peripheral device, a security-enhancing chip and a computer processor. The chip may comprise a non-volatile storage for storing an encryption key and a first configuration digest, and may be configured to receive configuration data, create a second configuration digest based on the received configuration data, and allow access to the encryption key based on comparison of the first and the second configuration digests. The computer processor may be configured to initialize a hypervisor, establish one virtual machine for executing code for a secure zone, and establish a second virtual machine for executing code for a non-secure zone. The code for the secure zone may initiate executing a task, and assume or transfer control over the peripheral device depending on whether the apparatus is operating in a secure mode.
Type: Application
Filed: March 14, 2014
Publication date: September 18, 2014
Applicant: OLogN Technologies AG
Inventors: Sergey IGNATCHENKO, Dmitri LIGOUM
-
Patent number: 8832439
Abstract: In one embodiment, a mobile device performs an over-the-air firmware update by writing the updated firmware to an inactive system image partition, and rebooting the device. The security of the OTA update is maintained through checking a plurality of security signatures in an OTA manifest, and the integrity of the data is maintained by checking a hash value of the downloaded system image.
Type: Grant
Filed: December 5, 2013
Date of Patent: September 9, 2014
Assignee: Facebook, Inc.
Inventors: Gueorgui Djabarov, George Hotz, Shaheen Ashok Gandhi
-
Patent number: 8832448
Abstract: A dual-channel electronic signature system is disclosed, having a signature verification server, a signature requester device, and a hand-held device. The signature requester device calculates a characteristic value related to content of a target document, encodes the characteristic value and a destination message to generate a first graph, and outputs the first graph. The hand-held device captures and decodes an image of the first graph to obtain the characteristic value, performs an electronic signature operation on the characteristic value to generate a signature data, encodes the signature data to generate a second graph, and transmits the second graph to a destination network address. If the signature data contained in the second graph passes a verification procedure of the signature verification server, the signature verification server transmits a verification graph corresponding to the second graph to the signature requester device.
Type: Grant
Filed: December 27, 2012
Date of Patent: September 9, 2014
Assignee: JRSYS International Corp.
Inventors: Jiann-Dong Wu, Tai-Hung Lin, Jia-Hong Chen, Po-Yueh Hung, Yan-Yi Shen, Tsung-Yu Chang
-
Patent number: 8832450
Abstract: A method and an apparatus that provides a hard problem based hashing mechanism to improve security of hash functions are described. The hashing mechanism can include a custom padding and/or a post processing to a hashed value strengthened via operations specifying a hard problem. In one embodiment, a new hash function may be provided or defined directly without introducing or relying on existing hash functions to embed security features based on this hard problem. The new hash functions can be used in usual constructions implying hash functions. For example, the standard HMAC construction could be applied on these hash functions, standard signature algorithms or authentication protocol, etc.
Type: Grant
Filed: May 31, 2012
Date of Patent: September 9, 2014
Assignee: Apple Inc.
Inventors: Mathieu Ciet, Thomas Icart, Augustin J. Farrugia
-
Patent number: 8832451
Abstract: A source authentication method and apparatus according to the present invention are disclosed. The source authentication method is performed with respect to a transmission packet on a message transmission side, and includes generating a first hash value to which a first hash function is applied using a message to be included in a next packet and a key value, and generating the transmission packet including the first hash value, wherein the key value is one of at least one key value generated in advance by applying a second hash function. Meanwhile, according to the present invention, effective low-cost multicast authentication may be performed by reducing a variety of loads such as buffer management, key calculation costs, and the like.
Type: Grant
Filed: August 23, 2012
Date of Patent: September 9, 2014
Assignee: Electronics and Telecommunications Research Institute
Inventors: Bo Heung Chung, Jeong Nyeo Kim
-
Patent number: 8832449
Abstract: A method for providing message protection includes generating a ciphered message based upon a first counter, a message, and a ciphering key. The method further includes generating an unciphered message authentication code (MAC) based upon the first counter, an integrity protection key, and either the message or the ciphered message, and transmitting security protected data, which includes the MAC and the ciphered message, over a transmission medium.
Type: Grant
Filed: March 21, 2007
Date of Patent: September 9, 2014
Assignee: LG Electronics Inc.
Inventor: Patrick Fischer
-
Patent number: 8832830
Abstract: Blind attacks on a protocol connection, such as a TCP connection, are prevented by inserting checksums computed during protocol connection establishment handshake into data sent through the connection and invalidating data sent through the connection that lacks the protocol setup information checksums. Reset attacks are prevented by invalidating reset requests unless a master checksum computed from the protocol setup information checksums is included with the reset request. Checksums computed from protocol setup information have improved robustness by including a random number with the protocol setup information.
Type: Grant
Filed: November 28, 2011
Date of Patent: September 9, 2014
Assignee: International Business Machines Corporation
Inventors: Prashant A. Paranjape, David R. Marquardt
-
Patent number: 8832464
Abstract: A processor including instruction support for implementing hash algorithms may issue, for execution, programmer-selectable hash instructions from a defined instruction set architecture (ISA). The processor may include a cryptographic unit that may receive instructions for execution. The instructions include hash instructions defined within the ISA. In addition, the hash instructions may be executable by the cryptographic unit to implement a hash that is compliant with one or more respective hash algorithm specifications. In response to receiving a particular hash instruction defined within the ISA, the cryptographic unit may retrieve a set of input data blocks from a predetermined set of architectural registers of the processor, and generate a hash value of the set of input data blocks according to a hash algorithm that corresponds to the particular hash instruction.
Type: Grant
Filed: March 31, 2009
Date of Patent: September 9, 2014
Assignee: Oracle America, Inc.
Inventors: Christopher H. Olson, Jeffrey S. Brooks, Robert T. Golla
-
Patent number: 8831272
Abstract: A system (50) is used for identifying a content item. The system (50) receives a received first identifier (101) of the content item, the received first identifier being based on at least part of a baseband level representation of the content item; a received second identifier (102) of the content item, the received second identifier being based on at least part of an encoded representation (103) of the content item; and the at least part of the encoded representation (103) of the content item. The system comprises a second identifier generator (53) for generating a generated second identifier based on the at least part of the encoded representation (103) of the content item; and a validation unit (54) for validating the received first identifier as a valid first identifier of the content item if the generated second identifier matches the received second identifier.
Type: Grant
Filed: October 7, 2009
Date of Patent: September 9, 2014
Assignee: Koninklijke Philips N.V.
Inventor: Franciscus L.A.J. Kamperman
-
Publication number: 20140245021
Abstract: According to one embodiment, a storage system includes a host device and a secure storage. The host device and the secure storage produce a bus key which is shared only by the host device and the secure storage by authentication processing, and which is used for encoding processing. The host device produces a message authentication code including a message which can be stored in the secure storage based on the bus key, and sends the produced message authentication code to the secure storage. The secure storage stores the message included in the message authentication code in accordance with instructions of the host device. The host device verifies whether the message stored in the secure storage is intended contents.
Type: Application
Filed: February 27, 2013
Publication date: August 28, 2014
Applicant: Kabushiki Kaisha Toshiba
Inventors: Yuji NAGAI, Yasufumi TSUMAGARI, Shinichi MATSUKAWA, Hiroyuki SAKAMOTO, Hideki MIMURA
-
Patent number: 8819454
Abstract: Systems and methods for encrypting a plaintext logical data object for storage in a storage device operable with at least one storage protocol, creating, reading, writing, optimization and restoring thereof. Encrypting the plaintext logical data object comprises creating in the storage device an encrypted logical data object comprising a header and one or more allocated encrypted sections with predefined size; encrypting one or more sequentially obtained chunks of plaintext data corresponding to the plaintext logical data object thus giving rise to the encrypted data chunks; and sequentially accommodating the processed data chunks into said encrypted sections in accordance with an order said chunks received, wherein said encrypted sections serve as atomic elements of encryption/decryption operations during input/output transactions on the logical data object.
Type: Grant
Filed: February 16, 2012
Date of Patent: August 26, 2014
Assignee: International Business Machines Corporation
Inventors: Chaim Koifman, Nadav Kedem, Avi Zohar
-
Patent number: 8812858
Abstract: In one embodiment, a mechanism for broadcast stenography of data communications is disclosed. In one embodiment, a method includes creating a plurality of messages for transmission to one or more recipients, the plurality of messages including one or more real messages intended for one or more of the recipients and one or more bogus messages intended for none of the recipients. The method further includes for each intended recipient of the one or more real message, calculating a message authentication code (MAC) based on the message and a shared secret key kept between a broadcaster of the plurality of messages and the intended recipient, and for each of the plurality of messages, creating a plurality of unique pseudo-MACs that have an identical format to a real MAC.
Type: Grant
Filed: February 29, 2008
Date of Patent: August 19, 2014
Assignee: Red Hat, Inc.
Inventor: James Paul Schneider
-
Patent number: 8806201
Abstract: Systems, methods and apparatus for a distributed security that provides authentication and authorization management. The system can include an epoch processor that is used to validate authentication and authorization data that is valid only for an epoch. The epoch processor can maintain a public key that can be used to decrypt the authentication and authorization data during the epoch that the key is valid. The epoch processor can receive a new public key during each epoch. The epoch processor can also determine if the authentication or authorization data was fraudulently generated based on the contents of the data, and verifying whether the data is valid for the epoch in which it was decrypted.
Type: Grant
Filed: July 24, 2008
Date of Patent: August 12, 2014
Assignee: Zscaler, Inc.
Inventors: Kailash Kailash, Shashidhara Mysore Nanjundaswamy, Amarnath Mullick, Jose Raphel
-
Patent number: 8806621
Abstract: A computer system for managing security information for an organization includes a scanner execution module configured to automatically execute at least two scanners in a predetermined interval to analyze potential vulnerabilities of a computer environment. A vulnerability is acquired from the at least two scanners and stored in a data store. A user associated with the analyzed computer environment is determined based on the vulnerability stored in the data store, the user is notified of the vulnerability.
Type: Grant
Filed: November 15, 2010
Date of Patent: August 12, 2014
Assignee: Noblis, Inc.
Inventor: John R. Maguire
-
Patent number: 8799365
Abstract: An authorized blocker application is installed on a user device to monitor application usage and enforce usage restrictions. A network device receives, from the user device, information identifying a list of applications installed on the user device and receives from a customer terminal, configuration settings including usage restrictions for at least one application from the list of applications. The network device receives, from the user device, application usage data for the at least one application from the list of applications and compares the configuration settings received from the customer terminal and the application usage data received from the user device. When the application usage data includes times exceeding the configurations settings, the network device sends, to the user device, a blocking instruction to prevent use of the at least one application.
Type: Grant
Filed: September 28, 2011
Date of Patent: August 5, 2014
Assignee: Verizon Patent and Licensing Inc.
Inventor: Dahai Ren
-
Patent number: 8799444
Abstract: One embodiment described relates to an automated method of host discovery and path tracing by a network management server. The method includes discovery of a location in the network of a source host, discovery of a location in the network of a destination host, and discovery of a path from the source host to the destination host. Other embodiments are also described.
Type: Grant
Filed: March 18, 2005
Date of Patent: August 5, 2014
Assignee: Hewlett-Packard Development Company, L.P.
Inventors: Shaun Kazuo Wakumoto, Sarayu Chandrapal, Ballard Claude Bare
-
Patent number: 8793762
Abstract: A method of playing content across a network includes receiving, at a media player, an input from a user selecting media located on a network, sending a request across a network comprised of devices employing a common security protocol, the request to identify peer devices on the network, receiving a response across the network from a peer device, and accessing the media from a content memory of the peer device. A method of tracking valid peers on a secure media network, includes receiving, at a media player, an input from a user selecting media located on a peer device on the network, performing an authentication test of the peer player, determining if a latency associated with the peer player meets a criteria, and updating a latency log on the media player to include the peer player.
Type: Grant
Filed: August 11, 2011
Date of Patent: July 29, 2014
Assignee: Secure Content Storage Association LLC
Inventors: Aaron Marking, Kenneth Goeller, Jeffrey Bruce Lotspiech
-
Patent number: 8788828
Abstract: A system and method for verifying ownership of an electronic receipt in a communication system providing a public key infrastructure, the verification arising out of a series of messages being sent and received between a first party and a verifying party, the method comprising the steps of receiving a proof message from the first party, the proof message being derived from at least a first public key based on a secret owned by the first party and wherein the secret is associated with at least the secret of a further public key of the first party and an electronic receipt that has been issued by electronically signing a request message with a second public key, determining whether or not the proof message was derived from the second public key.
Type: Grant
Filed: September 12, 2012
Date of Patent: July 22, 2014
Assignee: International Business Machines Corporation
Inventors: Elsie van Herrewegen, Jan Camenisch
-
Patent number: 8788616
Abstract: Distinctions between resources explicitly selected by a user and resources indirectly selected may be enabled by identifying an explicitly selected web page or other resource as such in the request for the web page or other resource, which may allow the web page or resource to be differentiated from web pages or other resources that are requested as a consequence of their indirect selection. Moreover, a log of web pages or other resources explicitly selected by a user may be maintained at the client and later reference by a local processor or communicated to a host process seeking to differentiate directly and indirectly selected web pages or other resources. These techniques also may allow a proxy or other server to perform processing related to parentally controlled accounts or related to accurately tracking frequently requested resources such as web pages.
Type: Grant
Filed: September 23, 2011
Date of Patent: July 22, 2014
Assignee: AOL Inc.
Inventors: Eric O'Laughlen, W. Karl Renner, Kevin E. Greene
-
Patent number: 8782408
Abstract: A method for securing communication among members of a group. The method includes a first member obtaining a first secret. An n-bit generator executing on the first member generates a first message digest using the first secret. The first member extracts a first encryption solution and a second encryption solution, at least in part, from the first message digest, encrypts a first communication using the first encryption solution to obtain a first encrypted communication, and sends, to a second member of the group, the first encrypted communication. The first member further receives, from the second member, a second encrypted communication, and decrypts the second encrypted communication using the second encryption solution to obtain a second communication.
Type: Grant
Filed: March 25, 2010
Date of Patent: July 15, 2014
Assignee: PACid Technologies, LLC
Inventor: Guy Fielder
-
Patent number: 8782399
Abstract: A system and method that maintains a secure chain of trust from domain name owner to publication by extending the trust placed in existing cryptographic identity systems to the records published in the Internet's Domain Name System (DNS) and secured by its DNS Security Extensions (DNSSEC) infrastructure. Automated validation and processing occur within a secured processing environment to capture and preserve the cryptographic security from the source request.
Type: Grant
Filed: April 2, 2012
Date of Patent: July 15, 2014
Inventor: Richard Lamb
-
Patent number: 8776190
Abstract: Systems and methods provide logic that validates a code generated by a user, and that executes a function of a programmatic interface after the user code is validated. In one implementation, a computer-implemented method performs a multifactor authentication of a user prior to executing a function of a programmatic interface. The method includes receiving, at a server, a user code through a programmatic interface. The server computes a server code in response to the user code, and compares the user code to the server code to determine that the user code corresponds to the server code. The server validates the user code and executes a function of the programmatic interface, after the user code is validated.
Type: Grant
Filed: November 29, 2010
Date of Patent: July 8, 2014
Assignee: Amazon Technologies, Inc.
Inventors: Mark Joseph Cavage, Bradley Jeffery Behm, Luis Felipe Cabrera
-
Patent number: 8775604
Abstract: Domain Name Service (DNS) requests are used as the reporting vehicle for ensuring that security-related information can be transferred from a network. As one possibility, a central facility for a security provider may maintain a data collection capability that is based upon receiving the DNS requests containing the information being reported. In an email application, if a data block is embedded within or attached to an email message, an algorithm is applied to the data block to generate an indicator that is specifically related to the contents of the data block. As one possibility, the algorithm may generate a hash that provides a “digital fingerprint” having a reasonable likelihood that the hash is unique to the data block. By embedding the hash within a DNS request, the request becomes a report that the data block has been accessed.
Type: Grant
Filed: November 2, 2009
Date of Patent: July 8, 2014
Assignee: Barracuda Networks, Inc.
Inventors: Zachary Levow, Joseph Wilson Evans
-
Patent number: 8775818
Abstract: An apparatus and a method for validating requests to thwart cross-site attacks is described. A user identifier token, a request identifier token, and a timestamp, are generated at a web application of a server. A Message Authentication Code (MAC) value is formed based on the user identifier token, the request identifier token, and the timestamp using a secret key of the web application. Names of the form elements are enciphered. Fake form elements can also be added to the dynamic form. The entire page also can be enciphered. The dynamic form is sent with the MAC value and the time stamp to a client. A completed form comprising a returned MAC value and a returned timestamp is received from the client. The completed form is validated at the server based on the returned MAC value and the returned timestamp.
Type: Grant
Filed: November 30, 2009
Date of Patent: July 8, 2014
Assignee: Red Hat, Inc.
Inventor: James Paul Schneider
-
Patent number: 8769309
Abstract: A flash memory storage system is provided. The flash memory storage system includes a controller having a rewritable non-volatile memory and a flash memory chip. The rewritable non-volatile memory stores a data token and the flash memory chip stores a security data and a message digest. When the security data in the flash memory chip is updated, the controller updates the data token and generates an eigenvalue, and updates the message digest according to the updated data token and the updated eigenvalue by using a one-way hash function, respectively. When the security data in the flash memory chip is processed by the controller, the controller determinates whether the security data is falsified according to the data token, the eigenvalue and the message digest. In such a way, the security data stored in the flash memory storage system can be effectively protected.
Type: Grant
Filed: February 16, 2009
Date of Patent: July 1, 2014
Assignee: Phison Electronics Corp.
Inventor: Ching-Wen Chang