Message Digest Travels With Message Patents (Class 713/181)
-
Patent number: 8489874
Abstract: A reach back secure communications terminal includes a digital PBX adapter that offers immediate and secure voice, data and video connectivity over any of various commercially available PBX systems. In addition to use with a PBX system, integrated components simplify access to varied networks allowing deployed users to select and connect quickly to a network that best supports their present mission. Commercial or optional NSA Type 1 encryption may be implemented. Networking options include any of PSTN, PBX, GSM (or CDMA or other cell telephone standard), SAT, IP and WiFi. The digital PBX adapter includes an audio mixer that converts a 4-wire input from a handset jack of a PBX handset base, into a 2-wire output destined for an encryption unit (FNBDT). The user determines a necessary gain of the audio mixer for the particular PBX system by trial and error using a multi-position switch.
Type: Grant
Filed: December 10, 2004
Date of Patent: July 16, 2013
Assignee: TeleCommunication Systems, Inc.
Inventors: Fiona S. Best, Dorothy A. McClintock, William Jeremy Lee, Wesley R. Hartwell, Eric Reed
-
Patent number: 8488791
Abstract: Methods and apparatus are provided for securing two-party computations against malicious adversaries. A method is provided for secure function evaluation. The disclosed method is performed by a garbled circuit evaluator for the transfer of private information, and comprises receiving from a constructor (i) s garbled circuits (GCs), wherein each of the GCs having a plurality of input wires; and (ii) commitments for each of the input wires, wherein the commitments comprise s² pair-wise cryptographic bindings of wire garblings of each given wire in the s GCs; requesting the constructor to reveal a selected check-set of s/2 of the s GCs; and verifying that the check-set was properly constructed using less than all of the commitments. In addition, the disclosed method optionally comprises the step of evaluating the remaining GCs that were not in the check-set.
Type: Grant
Filed: January 31, 2011
Date of Patent: July 16, 2013
Assignee: Alcatel Lucent
Inventors: Gilles Baechler, Vladimir Y. Kolesnikov
-
Publication number: 20130173924
Abstract: A method of cipher communication for a management frame performed by a station in a wireless local area network system is provided. The method includes obtaining a first pseudonoise code sequence (PN) for a plaintext Medium Access Control (MAC) protocol data unit (MPDU), constructing an additional authentication data (AAD) by using fields in a header of the plaintext MPDU, constructing a Nonce value from the PN, an Address 2 and a Priority field in the header of the plaintext MPDU, generating an encrypted MPDU from the plaintext MPDU by using a temporal key, the AAD, and the Nonce value, and transmitting the encrypted MPDU to a peer station, wherein the plaintext MPDU is a management frame including a sequence number field, the sequence number field including access category field indicating category of data included in the plaintext MPDU, and the Nonce value includes a priority field matched with the access category field.
Type: Application
Filed: September 9, 2011
Publication date: July 4, 2013
Applicant: LG ELECTRONICS INC.
Inventors: Eun Sun Kim, Yong Ho Seok
-
Patent number: 8479005
Abstract: There is disclosed a Java applet that causes a computer to execute plural predetermined Java applet programs. The Java applet is attached with an electronic signature for certifying an origin. The Java applet causes the computer to execute: an alteration detection step that detects alteration to deployment information, based on the identification information for detecting alteration to the deployment information defining respective locations of the plural predetermined Java applet programs; a load program startup step that starts a load program for loading the plural predetermined Java applet programs; and a load step that makes the started load program load the plural predetermined Java applet programs on the basis of the deployment information unless alteration is detected by the alteration detection step.
Type: Grant
Filed: January 9, 2007
Date of Patent: July 2, 2013
Assignee: Fujitsu Limited
Inventors: Hisashi Kojima, Yuko Nakayama, Ikuya Morikawa, Yuji Yamaoka
-
Patent number: 8478985
Abstract: An improved method, apparatus, and computer instructions for processing outbound traffic passing through a port. This port is for a server and receives a request from a client. The request includes a universal resource identifier to a destination. A determination is made as to whether the request requires encryption using the universal resource identifier in the request. The request is sent through the port to the destination in an encrypted form, in response to a determination that the request requires encryption.
Type: Grant
Filed: June 12, 2008
Date of Patent: July 2, 2013
Assignee: International Business Machines Corporation
Inventors: Alexandre Polozoff, Kulvir Singh Bhogal
-
Patent number: 8479003
Abstract: A system and method for non-real-time validation of an electronically signed message transmitted via an asynchronous communications link is provided. The method includes creating an electronic message comprising an electronically signed data entry created by executing a secure data application first portion (SDA1) module hosted by a mobile system. The method additionally includes passing the message to a communications management function first portion (CMF1) module via a synchronous interface. The CMF1 module is hosted by the mobile system. The method further includes transmitting the message from the CMF1 module to a communications management function second portion (CMF2) module in a temporally delayed manner using an asynchronous communications link. The CMF2 module is hosted by a central computer system (CCS) located remotely from the mobile system. The method further yet includes validating the electronically signed entry in a temporally delayed manner utilizing a user database.
Type: Grant
Filed: August 21, 2006
Date of Patent: July 2, 2013
Assignee: The Boeing Company
Inventors: Steven J. Yukawa, Rajit Jain, Timothy W. Anstey, David L. Allen
-
Patent number: 8479004
Abstract: A method and apparatus are disclosed herein for paper-based document logging. In one embodiment, the method comprises scanning bits of a document, generating a cryptographic hash, converting the cryptographic hash into a machine readable code, and rewriting the document with the code contained thereon.
Type: Grant
Filed: August 31, 2006
Date of Patent: July 2, 2013
Assignee: Ricoh Co., Ltd
Inventor: Kurt W. Piersol
-
Patent number: 8479000
Abstract: The present invention provides an information processing device, an authentication system, etc. that save a server the trouble of updating a database, etc., even when a software module in a client device is updated, and that are capable of verifying whether software modules that have been started in the client device are valid. The terminal device A100 holds private keys 1 and 2, and performs authentication processing with the terminal device B101 using the private key 2. The private key 1 has been encrypted such that the private key 1 is decryptable only when secure boot is completed. The private key 2 has been encrypted such that the private key 2 is decryptable using the private key 1 only when the application module X that has been started is valid. When the authentication processing is successful, the terminal device B101 verifies that the terminal device A100 has completed secure boot and the application module X that has been started in the terminal device A100 is valid.
Type: Grant
Filed: October 9, 2009
Date of Patent: July 2, 2013
Assignee: Panasonic Corporation
Inventors: Hisashi Takayama, Hideki Matsushima, Takayuki Ito, Tomoyuki Haga, Kenneth Alexander Nicolson
-
Publication number: 20130159724
Abstract: A new approach for a transport protocol for sensor data collection, such as a smart grid is described. In one embodiment of the invention, each server avoids keeping security and communication state per client through the notion of a secure “state-token”. The state token is issued with each server message and is subsequently attached to corresponding client messages delivered to the server. An implementation is provided in which the server encrypts and authenticates the associated session state, and then gives the resulting encryption for the client to temporarily store and return to the server with a next message. In this way, a server does not keep session state after sending the encryption back to a client and can quickly restore session state when the next message from the client arrives.
Type: Application
Filed: December 20, 2011
Publication date: June 20, 2013
Inventors: Young Jin Kim, Vladimir Kolesnikov, Marina K. Thottan
-
Patent number: 8468343
Abstract: A system and method for securing wireless transmissions is provided. A method for transmitting secure messages includes selecting a bin of codewords from a plurality of bins. The bin of codewords containing a plurality of sub-bins of codewords, and the selecting is based on a first message. The method also includes selecting a sub-bin of codewords from the plurality of sub-bins of codewords based on a second message, selecting a codeword from the sub-bin of codewords, and transmitting the selected codeword to a legitimate receiver.
Type: Grant
Filed: January 13, 2010
Date of Patent: June 18, 2013
Assignee: FutureWei Technologies, Inc.
Inventors: Tie Liu, Yufei Blankenship
-
Patent number: 8468331
Abstract: A mechanism for making increased amounts of firmware available to a computer pre-boot is discussed. To increase the amount of firmware available pre-boot, a design decision is made during the build process as to which segments of the firmware need to be placed on the ROM part and which segments of the firmware can be located elsewhere. The segments of the firmware that are stored remotely from the ROM are referred to as “virtual ROM modules”. Each of the virtual ROM modules is assigned a generated unique identifier, and a “message digest” is constructed for each module using an algorithm such as MD5 or SHA-1. In the software build of the ROM image, the message digest-unique identifier pair created for each Virtual ROM module is used as a logical pointer for the virtual module. Additionally, a search path variable is placed into the ROM image in non-volatile storage. The search path provides for one or more locations in which to look for the Virtual ROM modules, and may be updated at a later point in time.
Type: Grant
Filed: September 2, 2009
Date of Patent: June 18, 2013
Assignee: Insyde Software Corp.
Inventor: Rex A. Flynn
-
Publication number: 20130145169
Abstract: A method and system for authenticating messages is provided. A message authentication system generates an encrypted message by encrypting with a key a combination of a message and a nonce. The message authentication system generates a message authentication code based on a combination of the message and the nonce modulo a divisor. To decrypt and authenticate the message, the message authentication system generates a decrypted message by decrypting with the key the encrypted message and extracts the message and the nonce. The message authentication system then regenerates a message authentication code based on a combination of the extracted message and the extracted nonce modulo the divisor. The message authentication system then determines whether the regenerated message authentication code matches the original message authentication code. If the codes match, then the integrity and authenticity of the message are verified.
Type: Application
Filed: December 4, 2012
Publication date: June 6, 2013
Applicant: University of Washington through its Center for Commercialization
Inventor: University of Washington through its Center for
-
Patent number: 8458481
Abstract: A method for reducing overhead when transmitting and receiving an Internet Protocol (IP) packet by a device begins with receiving of the IP packet by the device. In the packet, an IP address of the packet has been removed and replaced with a watermarking signature based on the IP address. The IP address is obtained using the watermarking signature. The IP address is attached to the packet and the packet is forwarded by the device to a destination over a network using the IP address.
Type: Grant
Filed: June 23, 2011
Date of Patent: June 4, 2013
Assignee: InterDigital Technology Corporation
Inventors: Guodong Zhang, Prabhakar R. Chitrapu
-
Patent number: 8452968
Abstract: Systems, methods, apparatus and computer-executable instructions stored on computer-readable media for communicating a modified hash message authentication code (HMAC) signed message between two endpoints are provided. The HMAC signature of the message may include a plurality of components. In some cases, the HMAC signature is a Server Message Block (SMB) signature. The first and/or second endpoint may be a client, server, or host. Some embodiments of the present application utilize a proxy, such as a CIFS proxy. In one embodiment, HMAC signature information sent from the first endpoint to the second endpoint may be intercepted. A value for a component of the HMAC signature may be determined by, for example, using the intercepted HMAC signature information. The intercepted message may be modified, resigned using the intercepted HMAC signature information, and transmitted to a receiving endpoint.
Type: Grant
Filed: September 15, 2008
Date of Patent: May 28, 2013
Assignee: Blue Coat Systems, Inc.
Inventor: Jose Luis Flores
-
Patent number: 8452962
Abstract: A method and apparatus that simulates a workflow and analyzes the behavior of information assurance attributes through a data providence architecture is disclosed. The method may include injecting one or more faults into a simulated workflow, receiving a message in the simulated workflow having a data provenance wrapper, examining each data provenance record of the message and any attachments for discrepancies, identifying any discrepancies in the examination of each data provenance record of the message and any attachments; calculating a degree of trust based on any discrepancies identified in the examination of each data provenance record of the message and any attachments, analyzing the calculated degree of trust with respect to the one or more injected faults and the information assurance attributes, and outputting the analysis to a user.
Type: Grant
Filed: January 5, 2010
Date of Patent: May 28, 2013
Assignee: Lockheed Martin Corporation
Inventors: Stephen J. Dill, Bruce Barnett, Andrew Crapo, Abha Moitra
-
Publication number: 20130132730
Abstract: A method and system for detecting manipulation when control data are transmitted from a first control unit to a second control unit via a network, which includes generating integrity check information data for the control data transmitted by the first control unit via an integrity check generating unit on the transmitter side, calculating a cryptographic checksum for the integrity check information data generated on the transmitter side via the integrity check generating unit, transmitting the integrity check information data and the cryptographic checksum to an integrity check verifying unit that verifies the cryptographic checksum on the receiver side, generating integrity check information data on the receiver side for the control data received by the second control unit using the integrity check verifying unit, and comparing the integrity check information data and the integrity check information data with the cryptographic checksum to detect the manipulation of the transmitted control data.
Type: Application
Filed: July 22, 2011
Publication date: May 23, 2013
Inventor: Rainer Falk
-
Patent number: 8447989
Abstract: A method and apparatus for maintaining a tamper proof device log are described. In one embodiment, the method comprises maintaining an embedded log in the device, the embedded log being a chain of log entries. In one embodiment, the method may also comprise publishing at least one log entry to a location external to the device.
Type: Grant
Filed: October 2, 2008
Date of Patent: May 21, 2013
Assignee: Ricoh Co., Ltd.
Inventors: John Barrus, Michael Gormish, Sergey Chemishkian
-
Patent number: 8438397
Abstract: A technique to ensure watermarking a highest selected layer for decoding when receiving a scalable coded bitstream having a plurality of bitstream layers. In one technique, the watermark is associated only with the highest layer that is selected from the hierarchically arranged layers and not in any of the lower layers of the hierarchy. In another technique, the watermarks are present in all the layers, but each lower layer watermark is compensated in a next higher layer to remove effects of the presence of the lower layer watermark in the next higher layer.
Type: Grant
Filed: June 4, 2009
Date of Patent: May 7, 2013
Assignee: Broadcom Corporation
Inventors: Zhijie Yang, Wade Wan, Brian Heng
-
Patent number: 8433899
Abstract: A system for authenticating data of interest includes a digest locator engine capable to locate a first and a second digest result in a data file, including a set of data; a first digest creator capable to create, using a first digest function, a first digest of the set of data, the first digest function being identical to a digest function used to create the first digest result; a second digest creator capable to create, using a second digest function that is incompatible with the first digest function, a second digest of the set of data, the second digest function being identical to a second digest function used to create the second digest result; and a digest comparator engine, communicatively coupled to the digest locator, first digest creator and the second digest creator, capable to compare the first and second created digests with the first and second located digest results respectively.
Type: Grant
Filed: January 20, 2009
Date of Patent: April 30, 2013
Assignee: Kwan Software Engineering, Inc.
Inventor: John Man Kwong Kwan
-
Patent number: 8429414
Abstract: A method of generating prevention and control data to verify validity of data to be transmitted, and an apparatus to perform the method, the method including generating the prevention and control data according to composing information of the data to be transmitted, and transmitting the prevention and control data along with the data to be transmitted to verify the validity of the data to be transmitted.
Type: Grant
Filed: October 28, 2005
Date of Patent: April 23, 2013
Assignee: Samsung Electronics Co., Ltd.
Inventors: Dae-youb Kim, Weon-il Jin, Sung-ioon Park, Hwan-ioon Kim
-
Patent number: 8424080
Abstract: An authentication method of an electronic device is disclosed. A plurality of key inputs is received from a user via activation of input keys. At least one key input from the key inputs is validated based on a predefined criterion to obtain a password. The password is compared to a registered password to obtain an authenticated password.
Type: Grant
Filed: September 28, 2010
Date of Patent: April 16, 2013
Assignee: KYOCERA Corporation
Inventor: Norihiro Takimoto
-
Publication number: 20130091359
Abstract: The present invention discloses an apparatus, a system and a method for short-range sound wave communication. The system realizes non-contact secure transmission by using the sound wave as the data transmission medium, and also can realize a reliable and secure data link directly through an audio connection. The invention systematically constructs multiple end-to-end transmission verification mechanisms for the process of data transmission: transmission data integrity verification, valid time verification, password verification, service data verification and data encryption; and according to the security level of the data, the sending end specifies the requirements for encryption and data verification in the transmission data so as to notify the reception end which verifications should be performed to the data packets, how to perform the verifications, etc. By using the same verification processing manner, operations can be performed to the data (e.g. the payment and settlement function of an account).
Type: Application
Filed: June 22, 2011
Publication date: April 11, 2013
Applicants: SHANGHAI CLOUDWAY INFORMATION TECHNOLOGY CO., LTD.
Inventors: Shunri Guo, Zhuo Lin
-
Patent number: 8411862
Abstract: According to certain embodiments of the present invention, cryptosynchronization values are calculated on an initiating and/or responding device in a communications system such that cryptosynchronization-based procedures might succeed even when the discrepancy between the system times of the initiating and responding devices exceeds the cryptosync constraints imposed by the communications system. In one embodiment, the initiating device adds/subtracts a cryptosynchronization adjustment value x to/from the initiating device's system time to yield an adjusted initiator cryptosynchronization value. In another embodiment, the receiving device adjusts the receiving device's system time to yield an adjusted receiver cryptosynchronization value.
Type: Grant
Filed: January 22, 2009
Date of Patent: April 2, 2013
Assignee: Alcatel Lucent
Inventor: Bulin Zhang
-
Patent number: 8412948
Abstract: An apparatus and method are provided for reducing time taken for generating a digital signature and generating the digital signature using a minimum number of operations using at least two secret keys. One secret key among at least two secret keys may be set from a value resulting from hashing a message to be transmitted. A number of times for hashing the secret key is determined, and a value resulting from hashing the determined secret key by the determined hashing number of times is set as the digital signature.
Type: Grant
Filed: March 3, 2006
Date of Patent: April 2, 2013
Assignee: Samsung Electronics Co., Ltd.
Inventors: Mi-suk Huh, Kyung-hee Lee, Tae-chul Jung, Sergey Bezzateev, Alexey Sitalov
-
Patent number: 8406382
Abstract: A method includes registering a voice of a party in order to provide voice verification for communications with an entity. A call is received from a party at a voice response system. The party is prompted for information and verbal communication spoken by the party is captured. A voice model associated with the party is created by processing the captured verbal communication spoken by the party and is stored. The identity of the party is verified and a previously stored voice model of the party, registered during a previous call from the party, is updated. The creation of the voice model is imperceptible to the party.
Type: Grant
Filed: November 9, 2011
Date of Patent: March 26, 2013
Assignee: AT&T Intellectual Property I, L.P.
Inventor: Mazin Gilbert
-
Patent number: 8407468
Abstract: One embodiment of a method of authenticating data comprises: receiving, at a device, data in a plurality of indexed packets transmitted by a data server, the data of the indexed packets being at least a portion of a larger data stream; receiving, at the device, from a data authentication server connected to the device by a network, a server-computed authentication value based on a subset of the data transmitted by the data server, the data authentication server having access to the data that was transmitted from the data server to the device; and comparing a device-computed authentication value based on a subset of the received data, corresponding to the subset of the data transmitted by the data server, with the server-computed authentication value in order to determine whether the subset of the data received at the device is authentic.
Type: Grant
Filed: November 18, 2011
Date of Patent: March 26, 2013
Assignee: Research In Motion Limited
Inventors: Michael Kenneth Brown, David Francis Tapuska, Michael Stephen Brown
-
Patent number: 8401192
Abstract: In one embodiment, a mechanism for securely ordered message exchange is disclosed. In one embodiment, a method includes associating sequence numbers with each of a plurality of messages that are part of a transmission from a broadcaster to an intended recipient, and for each message of the plurality of messages, calculating a unique message authentication code (MAC) using as inputs the message, a shared secret key, and the associated sequence number. The method also includes sending to the intended recipient the plurality of messages each with the associated calculated MAC attached to the message.
Type: Grant
Filed: February 29, 2008
Date of Patent: March 19, 2013
Assignee: Red Hat, Inc.
Inventor: James Paul Schneider
-
Patent number: 8396211
Abstract: A system and method for dynamically and automatically updating the appropriate fields on the message application screen of an electronic message to show which of the appropriate service book, security encoding or security properties are acceptable or allowed for the message being composed. This updating occurs automatically based on the contents of the fields that are modified during composition of the message, such as, for example, modifications to classification of the message, recipients, keywords, or the like. Thus, the properties in place for a given message is reflected in a dynamic options list provided to the user based on the contents of various fields of the electronic message and the system policies resident on the system. The dynamic updating may provide an updated list of options to the user, or may optionally automatically apply minimum level settings based on security policy and contents of the message.
Type: Grant
Filed: July 11, 2006
Date of Patent: March 12, 2013
Assignee: Research In Motion Limited
Inventors: Michael K. Brown, Michael S. Brown, Michael G. Kirkup
-
Patent number: 8396218
Abstract: In a cryptographic module distribution system, a cryptographic management server apparatus encrypts a cryptographic module using a key shared by a cryptographic apparatus, and transmits the encrypted cryptographic module to a client apparatus. The client apparatus transmits the encrypted cryptographic module to a cryptographic apparatus. The cryptographic apparatus decrypts the encrypted cryptographic module using the key shared by the cryptographic management server apparatus, and transmits the decrypted cryptographic module to the client apparatus. The client apparatus stores the received cryptographic module.
Type: Grant
Filed: September 18, 2008
Date of Patent: March 12, 2013
Assignees: Toshiba Solutions Corporation, Yokosuka Telecom Research Park, Inc.
Inventors: Shingo Miyazaki, Takanori Nakamizo, Akito Niwa, Koji Okada, Kouya Tochikubo, Shigeyuki Fukushima, Chiaki Ishikawa, Noboru Koshizuka, Ken Sakamura
-
Patent number: 8392717
Abstract: An authentication method is disclosed herein. The method includes: by a server, using a Trigger message nonce to generate a Trigger message, and sending the generated Trigger message to a client so that the client can extract the Trigger message nonce; after determining that the Trigger message nonce is valid, using the Trigger message nonce to generate a digest, and authenticating the Trigger message generated by using the Trigger message nonce; after the authentication succeeds, sending a session request to the server indicated by the Trigger message, where the session request carries a session ID. The corresponding system, server and client are disclosed herein. The present invention makes the authentication process more secure through the client and the server based on the DS or DM protocol.
Type: Grant
Filed: May 7, 2010
Date of Patent: March 5, 2013
Assignee: Huawei Technologies Co., Ltd.
Inventors: Xiaoqian Chai, Hongtao Gao, Kepeng Li, Linyi Tian
-
Patent number: 8392716
Abstract: An initiator shares y_ir with a responder, calculates HASH_I on the basis of y_ir, and sends HASH_I to an IKE proxy server. The initiator receives a digital signature SIG_S generated for HASH_I and the address of the initiator from the IKE proxy server and sends the digital signature SIG_S to the responder.
Type: Grant
Filed: January 21, 2005
Date of Patent: March 5, 2013
Assignee: Canon Kabushiki Kaisha
Inventor: Kazuomi Oishi
-
Publication number: 20130054974
Abstract: A source authentication method and apparatus according to the present invention are disclosed. The source authentication method is performed with respect to a transmission packet on a message transmission side, and includes generating a first hash value to which a first hash function is applied using a message to be included in a next packet and a key value, and generating the transmission packet including the first hash value, wherein the key value is one of at least one key value generated in advance by applying a second hash function. Meanwhile, according to the present invention, effective low-cost multicast authentication may be performed by reducing a variety of loads such as buffer management, key calculation costs, and the like.
Type: Application
Filed: August 23, 2012
Publication date: February 28, 2013
Applicant: Electronics and Telecommunications Research Institute
Inventors: Bo Heung Chung, Jeong Nyeo Kim
-
Patent number: 8386782
Abstract: The invention provides a method, system, device and computer program product for setting up a secure session among three or more devices or parties of a communication group, including authenticating a key agreement between the devices or parties of the communication group, wherein the devices of the group start, preferably after a key is computed or agreed, a protocol, preferably a multi-party data integrity protocol, for authenticating the key agreement.
Type: Grant
Filed: January 5, 2007
Date of Patent: February 26, 2013
Assignee: Nokia Corporation
Inventors: Kaisa Nyberg, Nadarajah Asokan
-
Patent number: 8386794
Abstract: An apparatus and method for protecting radio frequency identification (RFID) data in a communication between a RFID tag and a RFID reader are provided. In the apparatus and method for protecting RFID data, message header information transmitted while communicating the RFID tag and the RFID reader is used to perform an encryption operation for important data, thereby protecting the important data included in the RFID tag. In the present invention, information of the RFID tag can be protected from an illegitimate eavesdropper and an ill-intentioned and unusual message can be detected, thereby ensuring the security of a RFID system.
Type: Grant
Filed: August 24, 2007
Date of Patent: February 26, 2013
Assignee: Electronics and Telecommunications Research Institute
Inventors: You-Sung Kang, Ho-Won Kim, Kyo-Il Chung
-
Patent number: 8386774
Abstract: A logging system and method based on a one-way hash function are described. The system includes a user system, a trusted third party, and a verifier. The method includes the following steps. The user system records a log file and initializes a message authentication code key and an image code. When the verifier requests the user system for a logging unit corresponding to an operation history, the user system uses a one-way hash function to calculate a check value and returns the check value and an image code sequence. The verifier then verifies the integrity of the check value and the image code sequence through the trusted third party. The trusted third party checks if the image code sequence obtained by the hash calculation equals the check value through the one-way hash function, so as to verify that the log file of the user system has not been modified.
Type: Grant
Filed: December 17, 2008
Date of Patent: February 26, 2013
Assignee: Industrial Technology Research Institute
Inventor: Chih-Yin Lin
-
Patent number: 8386793
Abstract: A method provided herein includes the following steps: storing seal data of an electronic seal, a digital certificate, electronic signature program and a private key of a sealer in an external portable apparatus; performing a Hash conversion to a file to be sealed and the seal data of the electronic seal to generate a data digest, wherein the file to be sealed is a layout file; sealing, in the portable apparatus, the data digest using the private key of the sealer and the electronic signature program to generate an electronic signature result; and combining the file to be sealed, the seal data of the electronic seal, the digital certificate and the electronic signature result to generate a seal combination file.
Type: Grant
Filed: November 20, 2009
Date of Patent: February 26, 2013
Assignee: Sursen Corp.
Inventors: Donglin Wang, Ningsheng Liu
-
Patent number: 8386796
Abstract: An information processing apparatus includes a chip implemented therein to independently perform a predetermined process. The chip includes a storage unit that stores therein user signature information in which biometric information of a user and a user electronic signature key that is a key for generating an electronic signature of the user for information created by the user are associated with each other and an encryption key that is a key for encrypting information, an electronic signature adding unit that, if the biometric information is obtained from the user, searches the storage unit for the user signature information corresponding to the biometric information, and adds the electronic signature of the user to user created information with a user electronic signature key in the user signature information, and an encrypt processing unit that encrypts with the encryption key the user created information processed by the electronic signature adding unit.
Type: Grant
Filed: March 20, 2009
Date of Patent: February 26, 2013
Assignee: Fujitsu Limited
Inventors: Masato Suzuki, Seigo Kotani, Keishiro Tanaka
-
Patent number: 8380991
Abstract: In the field of computer data security, a hash process which is typically keyless and embodied in a computing apparatus is highly secure in terms of being resistant to attack. The hash process uses computer code (software) polymorphism, wherein computation of the hash value for a given message is partly dependent on the content (data) of the message. Hence the computer code changes dynamically while computing each hash value.
Type: Grant
Filed: April 30, 2009
Date of Patent: February 19, 2013
Assignee: Apple Inc.
Inventors: Augustin J. Farrugia, Mathieu Ciet, Benoit Chevallier-Mames
-
Patent number: 8375217
Abstract: The present invention relates to the packet-oriented transmission of security-relevant data. One task of the invention is the provision of a way for the packet-oriented transmission of security-relevant data ensuring—under the guarantee of a considerably enhanced user data rate—a high level of protection against statistical and systematic errors with an insecure transmission medium. The invention provides, particularly for the use of at least one parallel and/or serial network and/or bus system, a process and devices for the packet-oriented transmission of security-relevant data allowing the transmission of security-relevant data and a redundant information that is based on the data in different packets.
Type: Grant
Filed: April 15, 2004
Date of Patent: February 12, 2013
Assignee: Phoenix Contact GmbH & Co. KG
Inventor: Joachim Schmidt
-
Patent number: 8375425
Abstract: A computer implemented method, data processing system and computer program product are disclosed for password expiration based on vulnerability detection. A request for a password is received during re-activation of a first account that belongs to a particular user. A test password is compared to a previously created password that belongs to the particular user to determine if a match occurred. Responsive to determining that there is a match, a second account that belongs to the particular user with respect to the match is expired.
Type: Grant
Filed: November 14, 2007
Date of Patent: February 12, 2013
Assignee: International Business Machines Corporation
Inventors: Susann Marie Keohane, Gerald Francis McBrearty, Patrick Shawn Mullen, Jessica Carol Murillo, Johnny Meng-Han Shieh
-
Patent number: 8375450
Abstract: A training model for malware detection is developed using common substrings extracted from known malware samples. The probability of each substring occurring within a malware family is determined and a decision tree is constructed using the substrings. An enterprise server receives indications from client machines that a particular file is suspected of being malware. The suspect file is retrieved and the decision tree is walked using the suspect file. A leaf node is reached that identifies a particular common substring, a byte offset within the suspect file at which it is likely that the common substring begins, and a probability distribution that the common substring appears in a number of malware families. A hash value of the common substring is compared (exact or approximate) against the corresponding substring in the suspect file. If positive, a result is returned to the enterprise server indicating the probability that the suspect file is a member of a particular malware family.
Type: Grant
Filed: October 5, 2009
Date of Patent: February 12, 2013
Assignee: Trend Micro, Inc.
Inventors: Jonathan James Oliver, Cheng-Lin Hou, Lili Diao, YiFun Liang, Jennifer Rihn
-
Patent number: 8370950
Abstract: Embodiments are directed to securing mixed-mode applications in a semi-trusted environment. In an embodiment, a computer system securely loads native data files associated with a mixed-mode application. The secure loading ensures that the native components upon which the managed component depends are authentic. The computer system implements a securely stored handle associated with the loaded native data files to provide secure communications between the managed component and the loaded native data files. The handle provides a trusted function pointer to an associated mixed-mode application function. The computer system also initiates a security permission request for each resource that is passed to the native components during execution of the mixed-mode application, so that each resource is verified before execution.
Type: Grant
Filed: December 1, 2010
Date of Patent: February 5, 2013
Assignee: Microsoft Corporation
Inventors: Tarun Ramsinghani, Parthasarathy Krishnaswamy, Jonathan C. Hawkins, Jeffrey M. Cooperstein, Manu Vasandani, Parasuraman Narasimhan, Amit Kumar Gupta
-
Patent number: 8365247
Abstract: Electronic circuitry includes an input/output (I/O) interface, memory which stores a set of database fingerprints generated from records of a database, and an analyzing circuit coupled to the I/O interface and the memory. The analyzing circuit is constructed and arranged to derive a set of sample tokens from electronic data under test (e.g., an email, an electronic document, etc.), and form a set of sample fingerprints from the set of sample tokens. Each sample fingerprint is based on a sample token of the set of sample tokens. The analyzing circuit is further constructed and arranged to output a result signal based on a comparison between the set of sample fingerprints and the set of database fingerprints. The result signal provides an indication of whether the electronic data under test includes particular information from the database.
Type: Grant
Filed: June 30, 2009
Date of Patent: January 29, 2013
Assignee: EMC Corporation
Inventors: James Wiese, James Nisbet, Mark Weng Soon Wah
-
Patent number: 8359471
Abstract: The present invention provides a system and a method for generating digital signatures. The system comprises a first formula which generates the signature as selected series from at least two, but preferably more digitized biometric features of a user. The signature comprises a different selected series per unit of time of for instance 10 seconds. The invention comprises a second formula which assigns a numerical value to a data file. The second formula can also use the numerical value to define another time interval, on the basis of which another signature can be generated. The invention further provides a number of examples for application of the generated signature during the sending of data files.
Type: Grant
Filed: August 17, 2007
Date of Patent: January 22, 2013
Inventor: Hieronymus Watse Wiersma
-
Patent number: 8347095
Abstract: A sending device prepares a key for each electronic message sent by the device by applying an algorithm to specified data in the message and then incorporates the key in the message. A receiving device, upon receipt of an electronic message, locates the incorporated key and the data from which a sending device practicing the invention would have prepared it. The receiving device communicates a confirmation request to the purported sending device which contains the key and the data for its preparation. The sending device receives the confirmation messages and prepares a comparison key by applying the algorithm to the data in the confirmation request. The sending device replies to the confirmation request confirming that the sending device sent the message if the comparison key matches the key in the confirmation request and otherwise responds with a denial.
Type: Grant
Filed: June 17, 2010
Date of Patent: January 1, 2013
Assignee: Message Level, LLC
Inventors: Brian Cunningham, Leslie J. Kim
-
Patent number: 8341418
Abstract: An electronic mail transmission/reception system is provided, capable of maintaining the confidentiality of restricted attachments desired to be limited in destination, thereby ensuring the security of the restricted attachments.
Type: Grant
Filed: October 23, 2007
Date of Patent: December 25, 2012
Inventor: Shin Yoshimura
-
Patent number: 8341422
Abstract: The present invention discloses a method for quickly and easily authenticating a large computer program. The system operates by first sealing the computer program with a digital signature in an incremental manner. Specifically, the computer program is divided into a set of pages and a hash value is calculated for each page. The set of hash values is formed into a hash value array and the hash value array is then sealed with a digital signature. The computer program is then distributed along with the hash value array and the digital signature. To authenticate the computer program, a recipient first verifies the authenticity of the hash value array with the digital signature and a public key. Once the hash value array has been authenticated, the recipient can then verify the authenticity of each page of the computer program by calculating a hash of a page to be loaded and then comparing with an associated hash value in the authenticated hash value array.
Type: Grant
Filed: July 20, 2006
Date of Patent: December 25, 2012
Assignee: Apple Inc.
Inventors: Perry Kiehtreiber, Michael Brouwer
-
Patent number: 8341417
Abstract: Data storage and message processing using an encoded hash message authentication code is described. In one embodiment, a data processing apparatus comprises one or more processors; logic coupled to the one or more processors for execution and which, when executed by the one or more processors, causes receiving a data set at the one or more processors; creating and storing a hash output value by applying the data set to a collision-resistant hash operation that provides the hash output value as output; encoding the hash output value using a uniquely invertible keyed pseudo-random permutation operation based on a first shared key, to result in creating an encoded authentication code; and associating the encoded authentication code with the data set.
Type: Grant
Filed: December 12, 2006
Date of Patent: December 25, 2012
Assignee: Cisco Technology, Inc.
Inventor: David McGrew
-
Patent number: 8340299
Abstract: Methods and systems are disclosed for providing secured data transmission and for managing cryptographic keys. One embodiment of the invention provides secure key management when separate devices are used for generating and utilizing the keys. One embodiment of the invention provides secure storage of keys stored in an unsecured database. One embodiment of the invention provides key security in conjunction with high speed decryption and encryption, without degrading the performance of the data network.
Type: Grant
Filed: July 28, 2010
Date of Patent: December 25, 2012
Assignee: Broadcom Corporation
Inventors: Mark L. Buer, Joseph J. Tardo
-
Patent number: 8336100
Abstract: A computer-implemented method for using reputation data to detect packed malware may include: 1) identifying a file downloaded from a portal, 2) determining that the file has been packed, 3) obtaining community-based reputation data for the file, 4) determining, by analyzing the reputation data, that instances of the file have been encountered infrequently (or have never been encountered) within the community, and then 5) performing a security operation on the file (by, for example, quarantining or deleting the file).
Type: Grant
Filed: August 21, 2009
Date of Patent: December 18, 2012
Assignee: Symantec Corporation
Inventors: Adam Glick, Nicholas Graf, Spencer Smith