Abstract: A system may include a memory having a unique identifier that uniquely identifies the memory. A package may be communicatively coupled to the memory. The package may include a processor, an identifier storage, and a boot storage. The identifier storage may store the unique identifier from the memory. The boot storage may include instructions to control booting of the processor based on the unique identifier in the identifier storage.

Abstract: In one embodiment, a picture signature password system may use a picture signature password to determine access to a computing device or service. A display screen 172 may display a personalized digital image 310. A user input device 160 may receive a user drawing set executed by a user over the personalized digital image 310. A processor 120 may authenticate access to the user session if the user drawing set matches a library drawing set associated with the user.

Abstract: Methods and apparatus are provided for implementing a system such as a programmable chip system having hardware and software usage limitations and restrictions. Usage limitation circuitry is integrated onto a device. A usage limitation function is integrated into software, such as an operating system for the device. The usage limitation function can be configured to interact with the usage limitation circuitry. The usage limitation circuitry and the usage limitation function are operable to disable the device and the associated software.

Abstract: A branch target address cache (BTAC) caches history information associated with branch and switch key instructions previously executed by a microprocessor. The history information includes a target address and an identifier (index into a register file) for identifying key values associated with each of the previous branch and switch key instructions. A fetch unit receives from the BTAC a prediction that the fetch unit fetched a previous branch and switch key instruction and receives the target address and identifier associated with the fetched branch and switch key instruction. The fetch unit also fetches encrypted instruction data at the associated target address and decrypts (via XOR) the fetched encrypted instruction data based on the key values identified by the identifier, in response to receiving the prediction. If the BTAC predicts correctly, a pipeline flush normally associated with the branch and switch key instruction is avoided.

Abstract: Mobile network services are performed in a mobile data network in a way that is transparent to most of the existing equipment in the mobile data network. The mobile data network includes a radio access network and a core network. A breakout appliance in the radio access network breaks out data coming from a basestation, and performs one or more mobile network services at the edge of the mobile data network based on the broken out data. The breakout appliance includes multiple states that support manufacturing, testing, production, tamper detection and end of life, and the functions of the breakout appliance vary according to its state.

Abstract: Embodiments of information processing systems and associated components can include logic operable to perform operations in a virtualized system including a plurality of guest operating systems using descriptors. The descriptors specify a set of commands defining the operations in a plurality of security domains and specify permission to a plurality of resources selectively for the plurality of guest operating systems.

Abstract: Methods and systems for operation upon one or more data processors for biasing a reputation score. A communication having data that identifies a plurality of biasing characteristics related to a messaging entity associated with the communication is received. The identified plurality of biasing characteristics related to the messaging entity associated with the communication based upon a plurality of criteria are analyzed, and a reputation score associated with the messaging entity is biased based upon the analysis of the identified plurality of biasing characteristics related to the messaging entity associated with the communication.

Abstract: An apparatus and method for preventing an anomaly of an application program are provided. More particularly, an apparatus and method for preventing an anomaly of an application program that detect and stop an anomaly on the basis of a behavior profile for an application program are provided. The apparatus includes a behavior monitor that detects behavior of an application program in operation, an anomaly detector that determines whether the detected behavior of the application program is an anomaly on the basis of a behavior profile of the application program in operation, and an anomaly stopper that stops the behavior of the application program determined as an anomaly by the anomaly detector.

Abstract: A system is provided for detecting, analyzing and quarantining unwanted files in a network environment. A host agent residing on a computing device in the network environment detects a new file introduced to the computing device and sends the new file to a network service for analysis. The network service is accessible to computing devices in the network environment. An architecture for the network service may include: a request dispatcher configured to receive a candidate file for inspection from a given computing device in the network environment and distribute the candidate file to one or more of a plurality of detection engines, where the detection engines operate in parallel to analyze the candidate file and output a report regarding the candidate file; and a result aggregator configured to receive reports from each of the detection engines regarding the candidate file and aggregates the reports in accordance with an aggregation algorithm.

Abstract: A portable apparatus is capable of switching between a plurality of smart cards and associated circuits to provide a user various independent electronic wallet functions via a single portable apparatus, thereby increasing utilization flexibility and convenience. The portable apparatus includes at least a first smart card and a second smart cart, a near-field communication (NFC) unit, and a control circuit. The first smart card and the second smart card respectively include a first interface and a second interface. The NFC unit is coupled to the first smart card and the second smart card via the first interface and the second interface, respectively. The NFC unit is capable of performing NFC with external apparatuses. The control circuit controls the NFC unit to communicate with either the first smart card or the second smart card using control signals.

Abstract: A network switch automatically detects undesired network traffic and mirrors the undesired traffic to a security management device. The security management device determines the source of the undesired traffic and redirects traffic from the source to itself. The security management device also automatically sends a policy to a switch to block traffic from the source.

Abstract: In one embodiment of the invention, a server may send encrypted material to a client. The client processor may decrypt and process the material, encrypt the results, and send the results back to the server. This sequence of events may occur while the execution or processing of the material is restricted to the client processor. Any material outside the client processor, such as material located in system memory, will be encrypted.

Abstract: A network based installation management system that dynamically manages secure software installation on a client. The server is configured to determine the software required and prepare an appropriated response containing the list of software and an information file containing the respective attributes of the list of software. The server encoded this response and the encoded response is transmitted to the client. The client on receiving the response is configured to authenticate the response and install the encoded response after authentication. Highly accurate and reliable software installation using the network based installation management system may be achieved using a respective hardware element on the client and the server, which is configured to encode and decode a request and/or response suitably thereby providing a high level of security and trust in an un-trusted network environment.

Abstract: A removable drive such as a USB drive or key is provided for connecting to computer devices to provide secure and portable data storage. The drive includes a drive manager adapted to be run by an operating system of the computer device. The drive manager receives a password, generates a random key based on the password, encrypts a user-selected data file in memory of the computer device using the key, and stores the encrypted file in the memory of the removable drive. The drive manager performs the encryption of the data file without corresponding encryption applications being previously loaded on the computer system. The drive manager may include an Advanced Encryption Standard (AES) cryptography algorithm The drive manager generates a user interface that allows a user to enter passwords, select files for encryption and decryption, and create folders for storing the encrypted files on the removable drive.

Abstract: A method of coding a secret, a numerical value d, subdivided into a number N of secret elements [di]n1, a composition law () applied to the elements di giving the value d. The following are calculated: (A) a first image (TN) of the secret by iterative calculation and application of the law () between the first image Ti-1 of rank i?1 and of the product according to this law of the element (di) of next rank and of a random value (Ri) of a first set, (B) a first numerical value (S1) by application of the law () to the N random values (Ri), (C) a second numerical value (S2) by application of the law to the N?1 random values (Aj) of a second set, (D) a second image T? of the secret by application of the inverse law () to the first image (TN) and to the second numerical value (S2) so as to generate an intermediate image (Tx) and then application of the inverse law to the intermediate image (Tx) and to the second numerical value (S2).

Abstract: In some applications, it may be more convenient to the user to be able to log in the memory system using one application, and then be able to use different applications to access protected content without having to log in again. In such event, all of the content that the user wishes to access in this manner may be associated with a first account, so that all such content can be accessed via different applications (e.g. music player, email, cellular communication etc.) without having to log in multiple times. Then a different set of authentication information may then be used for logging in to access protected content that is in an account different from the first account, even where the different accounts are for the same user or entity.

Abstract: An encoding/decoding apparatus comprises a central processing unit and an encryption/decryption accelerator coupled to the central processing unit. The accelerator comprises an input for input data to be encrypted/decrypted, an arithmetic logic unit coupled to said input for performing selectable operations on data obtained from said input data and an output for encrypted/decrypted data coupled to said arithmetic logic unit.

Abstract: A networked Conditional Access Module provided on an IEEE 1394 network, by defining a Conditional Access Module as a Conditional Access Subunit of the IEEE 1394 network. There is provided an AV/C Conditional Access Commands to allow communication between the Conditional Access Subunit and other Subunits on the network. The Conditional Access Subunit is configured to receive AV/C Conditional Access Commands over the IEEE 1394 network from another subunit, and means to is also configured to transmit AV/C responses over the IEEE 1394 network in response to the received AV/C Conditional Access Commands.

Abstract: Computer-implemented systems and methods for identifying illegitimate messaging activity on a system using a network of sensors.

Abstract: A device is provided which includes: a processor that outputs a command signal or an address signal and includes a bus module which inputs or outputs a data signal; and an encryption circuit that encrypts or decrypts the data signal in an encryption method using a common key and the address signal, wherein the processor and the encryption circuit are provided in a chip.

Abstract: A communication management system includes: a normal signature list which stores a list of signatures of normal communication; a search circuit which acquires communication data and searches the normal signature list to check if the signature of the communication data appears in the list; and a warning unit which issues a warning when communication data does not match any signature in the normal signature list. An operator terminal includes: a determination result acquisition unit which indicates whether or not communication data against which a warning has been issued is normal; and a normal signature list update unit which, when communication data against which a warning has been issued is found to be normal, adds the signature of the communication data to the normal signature list.

Abstract: A system and method for protecting master transport encryption keys stored on a computing device. Master transport encryption keys are used to secure data communications between computing devices. In one example embodiment, there is provided a method in which a copy of a master transport encryption key is generated and stored in a volatile store of a first computing device (e.g. a mobile device). This copy of the master transport encryption key can be used to facilitate the decryption of data received at the first computing device from a second computing device (e.g. a data server), even while the first computing device is locked. The method also comprises encrypting the master transport encryption key, with a content protection key for example, and storing the encrypted master transport encryption key in a non-volatile store of the first computing device.

Abstract: Embodiments of an electronic circuit include a cryptographic engine which includes a key derivation function and encryption logic. The key derivation function combines a master secret key with a plurality of key modifiers including at least an operating system tag specific to an operating system, and derives an encryption key from the combined master secret key and plurality of key modifiers. The encryption logic is coupled to the key derivation function and encrypts data using the derived encryption key to generate a cryptographic binary large object (blob) for virtualized protected storage that is accessible only to the operating system specified by the operating system tag.

Abstract: The present invention relates to a content protection apparatus and method using binding of additional information to an encryption key. The content protection apparatus includes an encryption unit for creating an encryption key required to encrypt data requested by a user terminal and then generating encrypted data in which the data is encrypted. An additional information management unit manages additional information including authority information about the encrypted data. A White-Box Cryptography (WBC) processing unit generates a WBC table required to bind the encryption key corresponding to the encrypted data to the additional information. A bound data generation unit generates bound data in which the encrypted key is bound to the additional information, using a cipher included in the WBC table.

Abstract: A method and apparatus for detecting potentially misleading visual representation objects to secure a computer is described. In one embodiment, the method includes monitoring visual representation object creation with respect to the browser, accessing verification information, wherein the verification information comprises commonly used user interface elements for forming legitimate system messages, examining web data associated with the created visual representation objects, wherein the web data is compared with the verification information to identify imitating content within the created visual representation objects and modifying at least one of the created visual representation objects to accentuate the imitating content.

Abstract: A recursive web crawling and analysis tool that includes conducting an initial crawl of a target to identify testable or analyzable objects. The objects are then parsed to identify vulnerabilities, as well as additional objects that can be analyzed. An attack is then launched against the analyzable objects in an effort to break or verify the vulnerabilities. During this attack, additional analyzable objects may be discovered. If such additional objects are discovered, the web crawler is invoked on the additional objects as well, and the results of the crawl are fed back into the parser and attacker functions.

Abstract: The invention described herein provides a method and system for foiling a keylogger by creating a custom keyboard driver and passing the keystrokes directly to the browser in an encrypted format. The browser (which is used to access the Internet) has a component that decrypts the keystroke before it is sent to the website. Thus the present invention enables the user to go to any website and enter sensitive information (passwords, credit card numbers, etc.) without the keystrokes being intercepted by Keyloggers. In general terms, the invention described herein provides a method and system for (1) modifying the keyboard driver, (2) encrypting the keystrokes between the keyboard driver and the browser, and (3) notifying the user if the invention has been compromised.

Abstract: In accordance with at least one presently preferred embodiment of the present invention, there is broadly contemplated herein the managing of a POP not solely in the BIOS but at least partly in a more secure location. In accordance with a particularly preferred embodiment of the present invention, this location could be in a NVRAM (non-volatile random access memory) inside a TPM (trusted platform module). Most preferably, this location will contain code that the BIOS preferably will need to access and employ in order to complete the booting of the system.

Abstract: A high-speed security device for network connected industrial controls provides hybrid processing in tandem hardware and software security components. The software security component establishes state-less data identifying each packet that requires high-speed processing and loads a data table in the hardware component. The hardware component may then allow packets matching data of the data table to bypass the software component while passing other non-matching packets to the software component for more sophisticated state analysis.

Abstract: An information processing device includes: a local memory unit for storing data including an encrypted content; a memory for storing data including key information used to reproduce the encrypted content; and a data processing unit performing a process of writing data to the local memory unit and the memory, and a process of reproducing the encrypted content, wherein the data processing unit performs a process of writing encrypted content downloaded from a server or encrypted content copied from a medium to the local memory unit, and performs a process of decoding the encrypted content or a validity authenticating process using the data stored in the local memory unit and the data stored in the memory when reproducing the encrypted content written to the local memory unit.

Abstract: A system for increasing a tamper resistance of a digital data processing unit, comprises a first unit (901) comprising processing means (906) for processing the received digital data in dependence on values looked up in at least one look-up table (916) based on values in the received digital data. The system further comprises a second unit (902) comprising means (912) for computing at least one value for inclusion in the digital data causing the first unit (901) to look up at least one predetermined value in the look-up table (916) when processing the digital data. It comprises an inserter (910) for including the at least one value in the digital data, and an output (908) for transmitting the digital data to the first unit.

Abstract: Database management and security is implemented in a variety of embodiments. In one such embodiment, data sets containing sensitive data elements are analyzed using aliases representing sensitive data elements. In another embodiment, the sensitive data elements are stored in an encrypted form for use from a secure access, while the alias is available for standard access.

Abstract: An image input device which includes a means for inputting image data, a memory for storing secret information and an operator for carrying out an operation by using the image data and the secret information.

Abstract: The systems and methods of the present invention provide a solution that makes data provably secure and accessible—addressing data security at the bit level—thereby eliminating the need for multiple perimeter hardware and software technologies. Data security is incorporated or weaved directly into the data at the bit level. The systems and methods of the present invention enable enterprise communities of interest to leverage a common enterprise infrastructure. Because security is already woven into the data, this common infrastructure can be used without compromising data security and access control. In some applications, data is authenticated, encrypted, and parsed or split into multiple shares prior to being sent to multiple locations, e.g., a private or public cloud. The data is hidden while in transit to the storage location, and is inaccessible to users who do not have the correct credentials for access.

Abstract: A data encryption device is connected between an HDD and an HDD controller that controls the HDD. The data encryption device encrypts data that is stored from the HDD controller to the HDD, and decrypts data that is read from the HDD. A CPU of the data encryption device receives a command issued from the HDD controller to the HDD, and determines whether the command is executable at the HDD. When it is determined that the command is executable, the command is issued to the HDD. On the other hand, when it is determined that the command is unexecutable, the CPU prohibits issuance of the command to the HDD. Furthermore, when a command issued to the HDD is a specific command, the CPU bypasses data transferred between the HDD controller and the HDD without encryption or decryption.

Abstract: A system, method, and computer program product are provided for mounting an image of a computer system in a pre-boot environment for validating the computer system. In use, an image of a computer system is mounted in a pre-boot environment of the computer system, where the image includes a file system structure and initialization data of the computer system. Furthermore, at least one task is performed on the mounted image for validating the computer system.

Abstract: The invention includes a method and apparatus for notification and delivery of messages to mobile users using a secure client associated with a user device. The secure client includes a power module, a communication module, a storage module, and an alert module. The power module powers the client device independent of a power state of the user device. The communication module receives a wake-up message and responsively triggers the secure client to switch from an inactive state to an active state without changing the power state of the user device, initiates a secure connection with a secure gateway in response to the wake-up message, and requests and receives a user message from a messaging application using the secure connection. The storage module stores the received message independent of the power state of the user device. The alert module activates an alert to indicate that the message is available.

Abstract: The invention relates to a method of securing a changing scene composed of at least one element and intended to be played back on a terminal. According to the invention, such a method comprises the following steps: creation (10) of at least one security rule, defining at least one authorization to modify said scene and/or at least one element of said scene and/or an authorization to execute at least one command in a context of playing back said scene on said terminal; allocation (10) of a security policy, comprising at least one of said security rules, to said scene and/or to at least one of said elements of said scene.

Abstract: A removable drive such as a USB drive or key is provided for connecting to computer devices to provide secure and portable data storage. The drive includes a drive manager adapted to be run by an operating system of the computer device. The drive manager receives a password, generates a random key based on the password, encrypts a user-selected data file in memory of the computer device using the key, and stores the encrypted file in the memory of the removable drive. The drive manager performs the encryption of the data file without corresponding encryption applications being previously loaded on the computer system. The drive manager may include an Advanced Encryption Standard (AES) cryptography algorithm. The drive manager generates a user interface that allows a user to enter passwords, select files for encryption and decryption, and create folders for storing the encrypted files on the removable drive.

Abstract: A monitoring system includes at least one monitoring devices coupled to electrical power distribution system at selected locations for collecting data related to the operation of the monitored system. The monitoring device(s) includes a communication port and processors programmed to segment the collected data into blocks optimized for user analysis operations, encrypt the segmented blocks of data, bundle the encrypted blocks of data with unencrypted metadata that identifies the data blocks by at least the monitoring location at which the encrypted blocks of data were obtained and the type of data, and transmit the encrypted blocks of data with the unencrypted metadata. The system includes at least one client device that has a communication port that is coupled to the monitoring device(s) and the client device and that has a processor programmed to generate and transmit queries regarding selected ones of the encrypted blocks of data.

Abstract: A printing system and printer with an electronic signature capability, and a method thereof are provided. To print security documents using an electronic signature stored in a portable memory, the printing system of the invention includes a portable memory for storing an electronic signature. A memory interface connects detachably to the portable memory. A printer receives the electronic signature from the memory interface, composes the received electronic signature with print data, and executes a print operation. Accordingly, a stamping or signature process on numerous documents can be facilitated, and excessive stamping or signature execution can be prevented. Moreover, the electronic signature of the invention can be executed on various types of forms or documents.

Abstract: A system and method identifies one of several security token services that can be used to convert an identity token into one containing content, a format and having a signature corresponding to a signing key name that a software service can use. The identification of the security token service that may be used to perform the conversion is made using machine readable information about the signing key name that the software service can use.

Abstract: Code of a software product is delivered by embodying, on a computer-readable storage medium, installation code for installing the software product code on a computer and DRM code for permitting the installation only if a predetermined condition is satisfied. If the condition is violated, the installation code is erased and that part of the storage medium then is available for general use.

Abstract: A method and system for securing a handheld computing device is described. A personal encryption device may be physically connected to a handheld computing device. Responsive to the connection, a main screen user interface may be displayed on a display of the handheld computing device. The main screen user interface may include at least one cryptography option for a user of the handheld computing device. A user-defined input representative of selection of a first cryptography option of the at least one cryptography option may be received, and at least one cryptography process associated with the selected first cryptography option may be implemented by the handheld computing device and personal encryption device. The cryptography options may include encryption, decryption, digital signatures, and digital signature verification.

Abstract: A system and method of recovering encoded information contained in a device by storing and retrieving at least part of the necessary decoding data by setting and measuring the physical characteristics of the device. Storage and recovery options include, but are not limited to, measurement of electronic or optical characteristics of electrically or optically conductive portions of the device using a range of measurement techniques that include, but are not limited to, time-domain reflectometry.

Abstract: A portable storage medium adapter, which is connected to a computer to store data received from the computer in a portable storage medium, includes a holding part that detachably holds the portable storage medium, a detecting part that detects an unloading operation of the portable storage medium by a user, and a disablement executing part that executes a disabling process to disable external access to the data stored in the portable storage medium at a time when the unloading operation is detected in the detecting part.

Abstract: A device receives protected content and a license for the content, unprotects the content using an input key and retrieves a rule associated with the input key. The device then processes the content to create new content, retrieves at least one output key associated with the input key in the retrieved rule, protects the content using the output key and sends the newly protected content and the corresponding license. It is thus possible to impose a work flow as it is necessary for a device to store a particular key in order to access the content and as the rule imposes a particular output key depending on the input key. In a preferred embodiment, the content is scrambled using a symmetrical key that is encrypted by an asymmetrical key in the license. An alternate embodiment uses watermarking techniques instead of encryption. The invention finds particular use in video processing.

Abstract: There is provided a computer-implemented method for authentication, the method comprising: defining a demanded level of security in an authorization service of a server; providing at least one authentication mechanism comprising at least one instance for at least one client; providing a policy comprising a security level for the at least one instance; receiving at least one request from the client to the server; authenticating the request based on the policy and the demanded level of security by the authentication service; and permitting the request if the demanded level of security is reached.

Abstract: A secure execution environment for execution of sensitive code and data including a secure asset management unit (SAMU) is described. The SAMU provides a secure execution environment to run multiple instances of separate program code or data code associated with copy protection schemes established for content consumption. The SAMU architecture allows for hardware-based secure boot and memory protection and provides on-demand code execution for multiple instances of separate program code or data provided by a host processor. The SAMU may boot from an encrypted and signed kernel code, and execute encrypted, signed code. The hardware-based security configuration facilitates the prevention of vertical or horizontal privilege violations.

Abstract: A wireless communications validation system comprises a validation module configured to determine an identity of an antenna disposed in a computer system and an identity of a wireless module disposed in the computer system, the validation module configured to validate permissible combination of the antenna with the wireless module.