Having Separate Add-on Board Patents (Class 713/192)
  • Patent number: 7877595
    Abstract: A cryptographic device may include a cryptographic module and a communications module removably coupled thereto. The cryptographic module may include a first housing, a user network interface carried by the first housing, a cryptographic processor carried by the first housing and coupled to the user network interface, and a first connector carried by the first housing and coupled to the cryptographic processor. Furthermore, the communications module may include a second housing, a second connector carried by the second housing and being removably mateable with the first connector of the cryptographic module, and a network communications interface carried by the second housing and coupled to the second connector.
    Type: Grant
    Filed: March 23, 2004
    Date of Patent: January 25, 2011
    Assignee: Harris Corporation
    Inventors: Eric Edmond Petkus, Bruce Wayne Yancy, Russell Wayne Dellmo, Gregory Andrew Hyland, Scott Richard Newland, David Anthony Bolick, Lawrence Richard Waldo, Daniel John Bricher
  • Patent number: 7870395
    Abstract: In an array of groups of cryptographic processors, the processors in each group operate together but are securely connected through an external shared memory. The processors in each group include cryptographic engines capable of operating in a pipelined fashion. Instructions in the form of request blocks are supplied to the array in a balanced fashion to assure that the processors are occupied processing instructions.
    Type: Grant
    Filed: October 20, 2006
    Date of Patent: January 11, 2011
    Assignee: International Business Machines Corporation
    Inventors: Thomas J. Dewkett, Camil Fayad, John K. Li, Siegfried K. H. Sutter, Phil C. Yeh
  • Patent number: 7870614
    Abstract: Database management and security is implemented in a variety of embodiments. In one such embodiment, data sets containing sensitive data elements are analyzed using aliases representing sensitive data elements. In another embodiment, the sensitive data elements are stored in an encrypted form for use from a secure access, while the alias is available for standard access.
    Type: Grant
    Filed: March 10, 2006
    Date of Patent: January 11, 2011
    Assignee: Aspect Loss Prevention, LLC
    Inventors: David A. Duhaime, Brad J. Duhaime
  • Patent number: 7849301
    Abstract: A processor-based system, including systems without keyboards, may receive user inputs prior to booting. This may be done using the graphics controller to generate a window which allows the user to input information. The system firmware may then compare any user inputs, such as passwords, and may determine whether or not to actually initiate system booting.
    Type: Grant
    Filed: December 12, 2001
    Date of Patent: December 7, 2010
    Assignee: Intel Corporation
    Inventors: Wah Yiu Kwong, Wayne L. Proefrock
  • Patent number: 7844835
    Abstract: The present invention provides systems and methods for secure transaction management and electronic rights protection. Electronic appliances such as computers equipped in accordance with the present invention help to ensure that information is accessed and used only in authorized ways, and maintain the integrity, availability, and/or confidentiality of the information. Such electronic appliances provide a distributed virtual distribution environment (VDE) that may enforce a secure chain of handling and control, for example, to control and/or meter or otherwise monitor use of electronically stored or disseminated information. Such a virtual distribution environment may be used to protect rights of various participants in electronic commerce and other electronic or electronic-facilitated transactions. Distributed and other operating systems, environments and architectures, such as, for example, those using tamper-resistant hardware-based processors, may establish security at each node.
    Type: Grant
    Filed: September 20, 2005
    Date of Patent: November 30, 2010
    Assignee: Intertrust Technologies Corporation
    Inventors: Karl L. Ginter, Victor H. Shear, Francis J. Spahn, David M. Van Wie
  • Patent number: 7836514
    Abstract: An apparatus, method and a computer program for processing multimedia data is described, where the apparatus may include an input switch which may receive a plurality of transport stream packets corresponding to a plurality of digital multimedia data signals input thereto, and a packet identification (PID) filter unit which may selectively output a given set of TS packets to be demultiplexed from the received plurality of TS packets. A buffer and/or an external memory device may store at least some of the TS packets of the output given set. A conditional access/content protection (CA/CP) unit may read and decrypt the TS packets stored in the buffer, and may encrypt at least some of the decrypted TS packets for storage in the external memory device if the buffer becomes full, to prevent the TS packets to be stored in the external memory device from being copied.
    Type: Grant
    Filed: August 20, 2004
    Date of Patent: November 16, 2010
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Seo-Kyu Kim, Mi-Jung Noh, Tae-Su Kim, Jung-Sook Lee, Hyun-Min Kim
  • Patent number: 7832016
    Abstract: In order to detect the exchange of a module, identified by a serial number, in a microprocessor system, a code number, which is obtained from the serial number by using an encryption method, as well as information required for calculating the serial number from the code number, are stored in the microprocessor system; the code number is read and an unencrypted serial number is calculated from the code number with the aid of the information; and the decrypted serial number thus obtained is compared to the serial number of the module and the module is detected as exchanged if its serial number does not match the decrypted serial number.
    Type: Grant
    Filed: March 15, 2004
    Date of Patent: November 9, 2010
    Assignee: Robert Bosch GmbH
    Inventors: Jochen Weber, Klaus Schneider, Axel Aue
  • Patent number: 7827413
    Abstract: A method and a circuit for extracting a secret datum from an integrated circuit taking part in an authentication procedure that uses an external device that takes this secret datum into account, the secret datum being generated on request and made ephemeral.
    Type: Grant
    Filed: April 4, 2002
    Date of Patent: November 2, 2010
    Assignee: STMicroelectronics S.A.
    Inventors: Pierre-Yvan Liardet, Luc Wuidart, François Guette
  • Patent number: 7822995
    Abstract: An electronic system comprises a processor, a diagnostic port, and a switching circuit, including a switch connected between the diagnostic port and the processor, for enabling and disabling the diagnostic port and for restricting access to contents of the electronic system prior to enabling the diagnostic port. A method for operating the electronic system is also included.
    Type: Grant
    Filed: March 3, 2005
    Date of Patent: October 26, 2010
    Assignee: Seagate Technology LLC
    Inventors: Laszlo Hars, Donald Rozinak Beaver
  • Patent number: 7822809
    Abstract: Methods for creating an interactive gaming environment are provided. In various embodiments, methods of the present invention may include initializing an interactive game application at a game server which is then characterized as having an active status, notifying a lobby server concerning the active status of the game server, registering the application with a universe management server via the lobby server, and allowing users to join the interactive gaming environment. The users joining the interactive gaming environment may be identified by a server key obtained from the game server.
    Type: Grant
    Filed: July 15, 2008
    Date of Patent: October 26, 2010
    Assignee: Sony Computer Entertainment America LLC
    Inventors: Shekhar V. Dhupelia, Glen Van Datta, Brian Fernandes, Eiko Erika Kato, William McCarroll
  • Patent number: 7822199
    Abstract: A method and device for performing a cryptographic operation by a device controlled by a security application executed outside thereof in which a cryptographic value (y) is produced by a calculation comprising at least one multiplication between first and second factors containing a security key (s) associated with the device and a challenge number (c) provided by the security application. The first multiplication factor comprises a determined number of bits (L) in a binary representation and the second factor is constrained in such a way that it comprises, in a binary representation, several bits at 1 with a sequence of at least L−1 bits at 0 between each pair of consecutive bits at 1 while the multiplication is carried out by assembling the binary versions of the first factor shifted according to positions of the bits at 1 of the second factor, respectively.
    Type: Grant
    Filed: February 24, 2005
    Date of Patent: October 26, 2010
    Assignee: France Telecom
    Inventors: Marc Girault, David Lefranc
  • Patent number: 7823204
    Abstract: A method of detecting intrusions on a computer includes the step of identifying an internet protocol field range describing fields within internet protocol packets received by a computer. A connectivity range is also established which describes a distribution of network traffic received by the computer. An internet protocol field threshold and a connectivity threshold are then determined from the internet protocol field range and connectivity range, respectively. During the operation of the computer, values are calculated for the internet protocol field range and connectivity range. These values are compared to the internet protocol metric threshold and connectivity metric threshold so as to identify an intrusion on the computer.
    Type: Grant
    Filed: January 13, 2006
    Date of Patent: October 26, 2010
    Assignee: McAfee, Inc.
    Inventors: Ramesh M. Gupta, Parveen K. Jain, Keith E. Amidon, Fengmin Gong, Srikant Vissamsetti, Steve M. Haeffele, Ananth Raman
  • Patent number: 7822207
    Abstract: A method of protecting secret key integrity in a hardware cryptographic system includes first obtaining an encryption result and corresponding checksum of known data using the secret key, saving those results, then masking the secret key and storing the masked key. When the masked key is to be used in a cryptographic application, the method checks key integrity against fault attacks by decrypting the prior encryption results using the masked key. If upon comparison, the decryption result equals valid data, then the key's use in the cryptographic system can proceed. Otherwise, all data relating to the masked key is wiped from the system and fault injection is flagged.
    Type: Grant
    Filed: December 22, 2006
    Date of Patent: October 26, 2010
    Assignee: Atmel Rousset S.A.S.
    Inventors: Michel Douguet, Vincent Dupaquis
  • Patent number: 7822966
    Abstract: A method, apparatus, and system are provided for extending a trusted computing base (TCB). According to one embodiment, a first level trusted computing base (TCB) is generated having hardware components including a trusted platform module (TPM), and an extended TCB is formed by adding a second level software-based TCB to the first level TCB, and properties associated with the first level TCB are transferred to the second level TCB.
    Type: Grant
    Filed: November 15, 2007
    Date of Patent: October 26, 2010
    Assignee: Intel Corporation
    Inventor: Kumar Ranganathan
  • Patent number: 7818574
    Abstract: A mechanism is provided in which access to the functionality present on an integrated circuit chip is controllable via an encrypted certificate of authority which includes time information indicating allowable periods of operation or allowable duration of operation. The chip includes at least one cryptographic engine and at least one processor. The chip also contains hard coded cryptographic keys including a chip private key, a chip public key and a third party's public key. The chip is also provided with a battery backed up volatile memory which contains information which is used to verify authority for operation. The certificate of authority is also used to control not only the temporal aspects of operation but is also usable to control access to certain functionality that may be present on the chip, such as access to some or all of the cryptographic features provided in conjunction with the presence of the cryptographic engine, such as key size.
    Type: Grant
    Filed: September 10, 2004
    Date of Patent: October 19, 2010
    Assignee: International Business Machines Corporation
    Inventors: Camil Fayad, John K. Li, Siegfried Sutter
  • Patent number: 7814334
    Abstract: A method and apparatus for changing and adding activation keys for functions of digital content without having to change and recompile the digital content. The rules for validating activation keys, the code for providing instructions for executing the rules for validating the activation keys and a template for identifying possible activation keys, which keys are currently valid and validating rules associated with each currently valid activation key are separated and separately secured.
    Type: Grant
    Filed: June 18, 2007
    Date of Patent: October 12, 2010
    Assignee: International Business Machines Corporation
    Inventor: Brent Ryan Modesitt
  • Patent number: 7805756
    Abstract: A system comprising a personal computer configured to operate with another computer connected to a network of computers. The personal computer includes a microchip having a microprocessor with a control unit and at least two processing units, the control unit being configured to allow a user of the personal computer to control the two processing units, and the microchip including a power management component. The personal computer includes an internal firewall configured to allow and/or deny access to portions of the microchip both to the user of the personal computer and to a user of the microchip from the network of computers during a shared use of the microchip; and the internal firewall is configured to deny access to portions of the microchip from the network of computers.
    Type: Grant
    Filed: March 17, 2004
    Date of Patent: September 28, 2010
    Inventor: Frampton E Ellis
  • Patent number: 7802298
    Abstract: In one embodiment, a client computer is protected from phishing attacks using a sensitive state monitor and a phishing site detector. The sensitive state monitor may detect reception of a web page displayed in a web browser of the client computer. The sensitive state monitor may determine whether or not the web page is a sensitive web page, such as those used to receive user confidential information. When the sensitive state monitor determines that the web page is sensitive, the sensitive state monitor may ask the user to confirm that the web page is indeed sensitive. After user confirmation, the sensitive state monitor may invoke the phishing site detector, which may determine whether or not the website serving the web page is a phishing site.
    Type: Grant
    Filed: August 10, 2006
    Date of Patent: September 21, 2010
    Assignee: Trend Micro Incorporated
    Inventors: Paul Hong, Xiaoming Zhao, Gang Chen
  • Patent number: 7792290
    Abstract: A device coupled to a smart card reader may request random data from a smart card inserted into the smart card reader, and the smart card reader may incorporate the random data into its randomness pool. A device having a source of random data may have a driver installed thereon for the smart card reader. The device may generate a random session key to encrypt traffic between the device and the smart card reader. The device may send an encrypted version of the random session key to the smart card reader. The smart card reader may decrypt the encrypted version and incorporate the random session key into its randomness pool. A smart card reader may incorporate random data received from a smart card inserted therein into its randomness pool.
    Type: Grant
    Filed: July 3, 2009
    Date of Patent: September 7, 2010
    Assignee: Research In Motion Limited
    Inventors: Neil Adams, Michael S. Brown, Herb Little, Michael McCallum, Michael K. Brown
  • Patent number: 7783880
    Abstract: The invention provides mechanisms for transferring processor control of secure Internet Protocol (IPSec) security association (SA) functions between a host and a target processing device of a computerized system, such as processors in a host CPU and a NIC. In one aspect of the invention, the computation associated with authentication and/or encryption is offloaded while the host maintains control of when SA functions are offloaded, uploaded, invalidated, and re-keyed. The devices coordinate to maintain metrics for the SA, including support for both soft and hard limits on SA expiration. Timer requirements are minimized for the target. The offloaded SA function may be embedded in other offloaded state objects of intermediate software layers of a network stack.
    Type: Grant
    Filed: January 14, 2005
    Date of Patent: August 24, 2010
    Assignee: Microsoft Corporation
    Inventors: James T. Pinkerton, Avnish K. Chhabra, Sanjay N. Kaniyar
  • Patent number: 7783901
    Abstract: The invention describes a method for hardening a security mechanism against physical intrusion and substitution attacks. A user establishes a connection between a network peripheral device and a network via a security mechanism. The security mechanism includes read only memory (ROM) that contains code that initiates operation of the mechanism and performs authentication functions. A persistent memory contains configuration information. A volatile memory stores user and device identification information that remains valid only for a given session and is erased thereafter to prevent a future security breach. A tamper-evident enclosure surrounds the memory elements, which if breached, becomes readily apparent to the user.
    Type: Grant
    Filed: February 25, 2008
    Date of Patent: August 24, 2010
    Assignee: AT&T Intellectual Property II, L.P.
    Inventors: Sandra Lynn Carrico, Philippe Hebrais
  • Patent number: 7779273
    Abstract: A mechanism is provided for booting a multiprocessor device based on selection of encryption keys to be provided to the processors. With the mechanism, a security key and one or more randomly generated key values are provided to a selector mechanism of each processor of the multiprocessor device. A random selection mechanism is provided in pervasive logic that randomly selects one of the processors to be a boot processor and thereby, provides a select signal to the selector of the boot processor such that the boot processor selects the security key. All other processors select one of the one or more randomly generated key values. As a result, only the randomly selected boot processor is able to use the proper security key to decrypt the boot code for execution.
    Type: Grant
    Filed: May 15, 2008
    Date of Patent: August 17, 2010
    Assignee: International Business Machines Corporation
    Inventors: Jason N. Dale, Jonathan J. DeMent, Clark M. O'Niell, Christopher J. Spandikow
  • Patent number: 7773754
    Abstract: Methods and systems are disclosed for providing secured data transmission and for managing cryptographic keys. One embodiment of the invention provides secure key management when separate devices are used for generating and utilizing the keys. One embodiment of the invention provides secure storage of keys stored in an unsecured database. One embodiment of the invention provides key security in conjunction with high speed decryption and encryption, without degrading the performance of the data network.
    Type: Grant
    Filed: July 8, 2002
    Date of Patent: August 10, 2010
    Assignee: Broadcom Corporation
    Inventors: Mark L. Buer, Joseph J. Tardo
  • Patent number: 7774617
    Abstract: A mechanism is provided for masking a boot sequence by providing a dummy processor. With the mechanism, one of the processors of a multiprocessor system is chosen to be a boot processor. The other processors of the multiprocessor system execute masking code that generates electromagnetic and/or thermal signatures that mask the electromagnetic and/or thermal signatures of the actual boot processor. The execution of the masking code on the non-boot processors preferably generates electromagnetic and/or thermal signatures that approximate the signatures of the actual boot code execution on the boot processor. One of the non-boot processors is selected to execute masking code that is different from the other masking code sequence to thereby generate an electromagnetic and/or thermal signature that appears to be unique from an external monitoring perspective.
    Type: Grant
    Filed: May 15, 2008
    Date of Patent: August 10, 2010
    Assignee: International Business Machines Corporation
    Inventors: Jason N. Dale, Jonathan J. DeMent, Clark M. O'Niell, Steven L. Roberts
  • Patent number: 7770027
    Abstract: A semiconductor memory includes a memory control section and a memory core section. A command judgment circuit in the memory control section changes the operating mode of the semiconductor memory in response to a command sent from a controller of an information processing apparatus. In a first mode, a decryption process is performed in a command decryption circuit, and data outputted from the memory core section is not scrambled. In a second mode, the decryption process is not performed in the command decryption circuit, and the command outputted from the memory core section is scrambled.
    Type: Grant
    Filed: August 15, 2005
    Date of Patent: August 3, 2010
    Assignees: Nintendo Co., Ltd., MegaChips Corporation
    Inventors: Ryuji Umezu, Ikuo Yamaguchi
  • Publication number: 20100191982
    Abstract: A device is provided which includes: a processor that outputs a command signal or an address signal and includes a bus module which inputs or outputs a data signal; and an encryption circuit that encrypts or decrypts the data signal in an encryption method using a common key and the address signal, wherein the processor and the encryption circuit are provided in a chip.
    Type: Application
    Filed: January 13, 2010
    Publication date: July 29, 2010
    Applicant: FUJITSU MICROELECTRONICS LIMITED
    Inventor: Seiji Goto
  • Patent number: 7765602
    Abstract: Data in a storage area to be returned from among storage areas of a storage system is deleted without fail, thereby ensuring data security. When a user's storage-on-demand management program 24 is activated in response to a return request from user A's console terminal 18, the return request is transferred via a communication network 14 to a server 16, and a provider's storage on-demand management program 30 makes a request to a storage management program 32 for volume initialization and data deletion. After the storage management program 32 issues a volume initialization command after receiving the above request, a control program 76 is activated to initialize the designated volume. Subsequently, the user A's volume access right is deleted by the processing executed by the provider's storage-on-demand management program 30, and it is reported to the console terminal 18 that the volume initialization and the volume separation have been conducted.
    Type: Grant
    Filed: December 7, 2006
    Date of Patent: July 27, 2010
    Assignee: Hitachi, Ltd
    Inventors: Tetsuhiko Fujii, Hisashi Takamatsu, Hideo Tabuchi
  • Publication number: 20100174919
    Abstract: Information processing apparatus 100 ensures confidentiality of encryption and reduces overhead associated with processing not directly related to the encryption. The information processing apparatus 100 includes: application program A158 that includes an instruction for encryption which uses a key; tampering detection unit 135x that detects tampering of the program; CPU 141 that operates according to instructions and outputs a direction for encryption upon detecting the instruction for encryption; data encryption/decryption function unit 160 that controls switching to the protective mode according to the direction; and protected data operation unit 155 that stores a key in correspondence with the program, outputs the key in the protective mode, and controls switching to the normal mode, and the data encryption/decryption function unit 160 executes the encryption in the normal mode using the received key.
    Type: Application
    Filed: January 5, 2010
    Publication date: July 8, 2010
    Inventors: Takayuki ITO, Manabu Maeda, Tomoyuki Haga, Hideki Matsushima, Yuichi Futa, Kouji Kobayashi
  • Publication number: 20100169636
    Abstract: A security processor performs all or substantially all security and network processing to provide a secure I/O interface system to protect computing hardware from unauthorized access or attack. The security processor sends and receives all incoming and outgoing data packets for a host device and includes a packet engine, coupled to a local data bus, to process the incoming and outgoing packets. The processor further comprises a cryptographic core coupled to the packet engine to provide encryption and decryption processing for packets processed by the packet engine. The packet engine also handles classification processing for the incoming and outgoing packets. A modulo engine may be coupled to the local data bus.
    Type: Application
    Filed: January 29, 2010
    Publication date: July 1, 2010
    Inventors: John M. Davis, Richard Takahashi
  • Patent number: 7743258
    Abstract: A method for interacting with a memory device is provided. In this method, a cryptographic communication application is registered to be associated with a protocol type in a web browser. A message encapsulated in the protocol type from the web browser is received and thereafter transmitted to the memory device. Here, the message is associated with a cryptographic operation.
    Type: Grant
    Filed: August 28, 2006
    Date of Patent: June 22, 2010
    Assignee: SanDisk Corporation
    Inventors: Susan Cannon, Kevin Lewis
  • Patent number: 7742597
    Abstract: An encryption system includes a plurality of encryption operations including individual encryption operations and group encryption operations available for application in the encryption of data. The plurality of encryption operations are selected from the group consisting of functional variance, functional alignment, mathematical offset, wide XOR function, short logical rotation, long logical rotation, functional order, and address encryption. The system includes at least one round of encryption composed of a first encryption operation and a second encryption operation. The first encryption operation is selected from the plurality of encryption operations acting upon input data to generate a first encrypted data set. The second encryption operation is selected from the plurality of encryption operations acting upon the first encrypted data set to generate a second encrypted data set. The first encryption operation and the second encryption operation are different.
    Type: Grant
    Filed: December 28, 2007
    Date of Patent: June 22, 2010
    Inventor: James M. Lewis
  • Patent number: 7730318
    Abstract: Application factoring or partitioning is used to integrate secure features into a conventional application. An application's functionality is partitioned into two sets according to whether a given action does, or does not, involve the handling of sensitive data. Separate software objects (processors) are created to perform these two sets of actions. A trusted processor handles secure data and runs in a high-assurance environment. When another processor encounters secure data, that data is sent to the trusted processor. The data is wrapped in such a way that allows it to be routed to the trusted processor, and prevents the data from being deciphered by any entity other than the trusted processor. An infrastructure is provided that wraps objects, routes them to the correct processor, and allows their integrity to be attested through a chain of trust leading back to a base component that is known to be trustworthy.
    Type: Grant
    Filed: October 24, 2003
    Date of Patent: June 1, 2010
    Assignee: Microsoft Corporation
    Inventors: Thekkthalackal Varugis Kurien, Kenneth D. Ray, Marcus Peinado, Paul England
  • Patent number: 7730296
    Abstract: Aspects of the invention provide a method and system for coding information in a communication channel. More particularly, aspects of the invention provide a method and system for synchronous running encryption and/or encoding and corresponding decryption and decoding in a communication channel or link. Aspects of the method may include encoding and/or encrypting a first data using a first or second encoding table and/or a first or second encryption table. The method may indicate which one of the first or second encoding tables or which one of the first or second encryption tables were utilized for encoding and/or encrypting the said first data. The encoded and/or encrypted first data may subsequently be transferred downstream and decoded by synchronous decoder/decryptor using a corresponding decoding and/or decryption table. The corresponding decoding and/or decryption table may be determined based on the indicated first and/or second encoding and/or encrypting tables.
    Type: Grant
    Filed: June 4, 2003
    Date of Patent: June 1, 2010
    Assignee: Broadcom Corporation
    Inventor: Martin Lund
  • Publication number: 20100115291
    Abstract: Secure processing systems providing host-isolated security are provided. An exemplary secure processing system includes a host processor and a virtual machine instantiated on the host processor. A virtual unified security hub (USH) is instantiated on the virtual machine to provide security services to applications executing on the host processor. The virtual USH may further include an application programming interface (API) operable to expose the security services to the applications. A further exemplary secure processing system includes a host processor running a Windows operating system, for example, a low power host processor, and a USH processor configured to provide secure services to both the host processor and the low power host processor isolating the secure services from the host processor and the low power processor. The USH processor may also include an API to expose the security services to applications executing on the host processor and/or the low power host processor.
    Type: Application
    Filed: October 2, 2009
    Publication date: May 6, 2010
    Applicant: Broadcom Corporation
    Inventor: Mark BUER
  • Patent number: 7711951
    Abstract: A mechanism is provided for securing cryptographic functionality within a host system such that it may only be used when a system administrator physically allows it via a hardware security token. In addition, a hardware security unit is integrated into a data processing system, and the hardware security unit acts as a hardware certificate authority. The hardware security unit may be viewed as supporting a trust hierarchy or trust framework within a distributed data processing system. The hardware security unit can sign software that is installed on the machine that contains the hardware security unit. Server processes that use the signed software that is run on the machine can establish mutual trust relationships with the hardware security unit and amongst the other server processes based on their common trust of the hardware security unit.
    Type: Grant
    Filed: January 8, 2004
    Date of Patent: May 4, 2010
    Assignee: International Business Machines Corporation
    Inventor: Ching-Yun Chao
  • Patent number: 7711963
    Abstract: A cryptographic device may include a cryptographic module and a communications module coupled thereto. The cryptographic module may include a user network interface and a cryptographic processor coupled thereto. The communications module may include a network communications interface coupled to the cryptographic processor. The cryptographic processor may communicate with the user network interface using a predetermined protocol, and the cryptographic processor may also communicate with the network communications interface using the predetermined protocol.
    Type: Grant
    Filed: March 23, 2004
    Date of Patent: May 4, 2010
    Assignee: Harris Corporation
    Inventors: Russell Wayne Dellmo, Bruce Wayne Yancy
  • Patent number: 7707432
    Abstract: Communicating between multiple application programs includes providing an adapter to a first computer application for use in accessing a second computer application that provides a function to the first computer application. The inputs and outputs of the function are defined by the first computer application. The adapter is made available to the first computer application for use in accessing the second computer application. The adapter is configured to accept from the first computer application the inputs to the function and provide to the second computer application the inputs in a form that the second computer application is able to use. The adapter is configured to receive from the second computer application outputs from the function and provide to the first computer application the outputs in a form that the first computer application is able to use.
    Type: Grant
    Filed: August 13, 2004
    Date of Patent: April 27, 2010
    Assignee: SAP AG
    Inventors: Renzo Colle, Daniel Zoch
  • Patent number: 7697684
    Abstract: It is desired to share one circuit by an encryption unit 200 and a decryption unit 500. A normal data transformation unit (FL) 251 and an inverse data transformation unit (FL⁻¹) 273 are located at point symmetry on a non-linear data transformation unit 220, and a normal data transformation unit (FL) 253 and an inverse data transformation unit (FL⁻¹) 271 are located at point symmetry on the non-linear data transformation unit 220. Therefore, the encryption unit 200 and the decryption unit 500 can be configured using the same circuits.
    Type: Grant
    Filed: October 28, 2005
    Date of Patent: April 13, 2010
    Assignees: Mitsubishi Denki Kabushiki Kaisha, Nippon Telegraph and Telephone Corporation
    Inventors: Mitsuru Matsui, Toshio Tokita, Junko Nakajima, Masayuki Kanda, Shiho Moriai, Kazumaro Aoki
  • Patent number: 7685436
    Abstract: A security processor performs all or substantially all security and network processing to provide a secure I/O interface system to protect computing hardware from unauthorized access or attack. The security processor sends and receives all incoming and outgoing data packets for a host device and includes a packet engine, coupled to a local data bus, to process the incoming and outgoing packets. The processor further comprises a cryptographic core coupled to the packet engine to provide encryption and decryption processing for packets processed by the packet engine. The packet engine also handles classification processing for the incoming and outgoing packets. A modulo engine may be coupled to the local data bus.
    Type: Grant
    Filed: July 30, 2004
    Date of Patent: March 23, 2010
    Assignee: ITT Manufacturing Enterprises, Inc.
    Inventors: John M. Davis, Richard Takahashi
  • Patent number: 7681191
    Abstract: The firmware can be automatically updated to the optimum version when, for example, a system board is exchanged. When a system board is exchanged, a version change unit compares the version of the firmware of the system board with the version of the firmware of the corresponding partition stored in the partition-specific version storage unit. When they do not match, the version of the firmware of the system board is updated to the same version stored in the partition-specific version storage unit.
    Type: Grant
    Filed: September 29, 2005
    Date of Patent: March 16, 2010
    Assignee: Fujitsu Limited
    Inventor: Kazuhiro Yuuki
  • Patent number: 7681044
    Abstract: A processor includes an execution unit configured to execute a program, a bus coupled to the execution unit, a local memory coupled to the bus, a DMA unit coupled to the bus, and an interface to couple the bus to an exterior, wherein the DMA unit is configured to perform a DMA transfer process in response to instruction from the execution unit, to load information by the DMA transfer process from the exterior through the interface, to decrypt the loaded information, and to write the decrypted information to the local memory by the DMA transfer process.
    Type: Grant
    Filed: September 14, 2005
    Date of Patent: March 16, 2010
    Assignee: Fujitsu Microelectronics Limited
    Inventor: Seiji Goto
  • Patent number: 7664261
    Abstract: A one-chip encryption processor is disclosed, in which a password process unit for processing a data encryption and an interface for managing a password needed for an encryption are integrated into one chip. The encryption processor includes an encryption interface for connecting an externally connected apparatus and an internal data process apparatus, a password process unit for encrypting the inputted data, and a memory unit for temporarily storing the data. The above elements are integrated into one chip, so that a desired data security, non-error operation and stable user verification are obtained.
    Type: Grant
    Filed: December 1, 2005
    Date of Patent: February 16, 2010
    Assignee: BSTECH Co. Ltd.
    Inventors: Seungyoup Lee, Minsik Lee, Sungwoo Lee
  • Patent number: 7664902
    Abstract: An extended Secure-Digital (SD) card has a second interface that uses some of the SD-interface lines. A card-detection routine on a host can initially use the SD interface to detect extended capabilities and command the card to switch to using the second interface. The extended SD card can communicate with legacy SD hosts using just the SD interface, or extended SD cards using the second interface. Also an extended Universal-Serial Bus (EUSB) host enters a suspend mode rather than polling an EUSB device that is busy performing a memory or other operation. Power is saved since polling is avoided. The busy EUSB device sends a not-yet signal back to the EUSB host to instruct the host to enter the suspend mode. When the EUSB device is ready to continue transfer with the host, the EUSB device wakes up the host by sending a ready signal back to the host.
    Type: Grant
    Filed: October 26, 2007
    Date of Patent: February 16, 2010
    Assignee: Super Talent Electronics, Inc.
    Inventors: David Q. Chow, Charles C. Lee, Frank I-Kang Yu, Abraham C. Ma, Ming-Shiang Shen
  • Patent number: 7657941
    Abstract: An anti-virus (AV) system based on a hardware-implemented AV module for curing infected computer systems and a method for updating AV databases for effective curing of the computer system. The hardware-based AV system is located between a PC and a disk device. The hardware-based AV system can be implemented as a separate device or it can be integrated into a disk controller. An update method of the AV databases uses a two-phase approach. First, the updates are transferred from a trusted utility to an update sector of the AV system. Then, the updates are verified within the AV system and the AV databases are updated. The AV system has its own CPU and memory and can be used in combination with an AV application.
    Type: Grant
    Filed: September 19, 2009
    Date of Patent: February 2, 2010
    Assignee: Kaspersky Lab, ZAO
    Inventor: Oleg V. Zaitsev
  • Patent number: 7650511
    Abstract: The secret data is acquired externally by making an arithmetic operation between unique information of an apparatus and the first information managed secretly, and secretly held as key data in a key holding part. A MAC generation part generates the authentication data based on a hash value obtained from the data to be protected and the key data held in the key holding part 21. An image file generation part generates an image file to provide the unique information and the authentication data together with the data to be protected.
    Type: Grant
    Filed: February 13, 2006
    Date of Patent: January 19, 2010
    Assignee: Canon Kabushiki Kaisha
    Inventor: Keiichi Iwamura
  • Patent number: 7644289
    Abstract: A cryptographic device may include a cryptographic module and a communications module coupled thereto. The cryptographic module may include a user network interface, a host network processor coupled to the user network interface, and a cryptographic processor coupled to the host network processor. Additionally, the communications module may include a network communications interface coupled to the cryptographic processor. The host processor may generate cryptographic processor command packets for the cryptographic processor each having an address portion and a data portion, and it may also encapsulate command packets for the communications module in the data portions of the cryptographic processor command packets. The cryptographic processor may pass the communications module command packets to the communications module without performing cryptographic processing thereon.
    Type: Grant
    Filed: March 23, 2004
    Date of Patent: January 5, 2010
    Assignee: Harris Corporation
    Inventors: Bruce Wayne Yancy, Lawrence Richard Waldo
  • Publication number: 20090327756
    Abstract: A secure digital content storage device comprising a memory for storing digital data, a decoder, coupled to the memory, for generating analog output based on the digital data, and a secure enclosure, or a secure connection between the memory and the decoder, or a single monolithic integrated circuit structure for preventing unauthorized access to the digital content stored in the memory. Under the present invention, the secure digital content storage device protects the digital content stored therein from unauthorized replication or tampering by an external device or agent.
    Type: Application
    Filed: May 16, 2008
    Publication date: December 31, 2009
    Inventor: Stuart Pekowsky
  • Publication number: 20090327763
    Abstract: A data processing method accepts a removable storage media, which becomes electrically engaged with a system unit within the data processing system, after which the removable storage media and the hardware security unit mutually authenticate themselves. The removable storage media stores a private key of a first asymmetric cryptographic key pair and a public key of a second asymmetric cryptographic key pair that is associated with the hardware security unit, and the hardware security unit stores a private key of the second asymmetric cryptographic key pair and a public key of the first asymmetric cryptographic key pair that is associated with the removable storage media. In response to successfully performing the mutual authentication operation between the removable storage media and the hardware security unit, the system unit is enabled to invoke cryptographic functions on the hardware security unit while the removable storage media remains engaged with the system unit.
    Type: Application
    Filed: May 12, 2008
    Publication date: December 31, 2009
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Steven A. Bade, Ching-Yun Chao
  • Patent number: 7639819
    Abstract: One embodiment of the present invention provides a system that facilitates using an external security device to secure data in a database without having to modify database applications. The system operates by receiving a request at the database to perform an encryption/decryption operation, wherein the encryption/decryption operation is performed with the assistance of the external security module in a manner that is transparent to database applications. In response to the request, the system passes a wrapped (encrypted) column key (a key used to encrypt data within the database) to an external security module, wherein the wrapped column key is a column key encrypted with a master key that exists only within the external security module. The system then unwraps (decrypts) the wrapped column key in the external security module to retrieve the column key. Next, the system returns the column key to the database.
    Type: Grant
    Filed: June 16, 2005
    Date of Patent: December 29, 2009
    Assignee: Oracle International Corporation
    Inventors: Min-Hank Ho, Paul Youn, Daniel ManHung Wong, Chon Lei
  • Patent number: 7639798
    Abstract: The present invention provides a high speed data encryption architecture in which fabric elements are communicatively coupled to one another via a hardwired interconnect. Each of the fabric elements includes a plurality of wide field programmable gate array (FPGA) blocks used for wide datapaths and a plurality of narrow FPGA blocks used for narrow datapaths. Each of the plurality of wide FPGA blocks and each of the plurality of narrow FPGA blocks are communicatively coupled to each other. A control block is communicatively coupled to each of the fabric elements via the hardwired interconnect to provide control signals to each of the fabric elements. The fabric elements are used to implement cryptographic algorithms.
    Type: Grant
    Filed: September 15, 2005
    Date of Patent: December 29, 2009
    Assignee: Rockwell Collins, Inc.
    Inventors: Mark A. Bortz, Philippe M. T. Limondin, T. Douglas Hiratzka