Tamper Resistant Patents (Class 713/194)
  • Patent number: 8321691
    Abstract: A method for masking a digital quantity used by a calculation executed by an electronic circuit and including several iterations, each including at least one operation which is a function of at least one value depending on the digital quantity, the method including at least one first step of displacement of at least one operand of the operation in a storage element selected independently from the value.
    Type: Grant
    Filed: March 5, 2007
    Date of Patent: November 27, 2012
    Assignee: STMicroelectronics S.A.
    Inventor: Fabrice Romain
  • Patent number: 8321914
    Abstract: A system and associated method for verifying an attribute in records for a procurement application. The procurement application employs a database having a company profile record, a user profile record, and a requisition object record, among which share a company_code attribute as a target attribute that is desired to be valid. The company profile record has a validity attribute, and the requisition object record has a validity flag, to indicate validities of the value for the target attribute in respective record. A company profile configuration module configures the company profile record. A user profile verification module prohibits a user without a valid user profile from accessing the procurement application. A user profile cleanup program removes invalid user profile records from the database. A requisition object verification module checks out valid values for the company_code attribute from the company profile records and blocks modification to invalid requisition objects.
    Type: Grant
    Filed: January 21, 2008
    Date of Patent: November 27, 2012
    Assignee: International Business Machines Corporation
    Inventors: Macam S. Dattathreya, William Philip Shaouy, Russell Thomas White, Jr.
  • Patent number: 8321689
    Abstract: A method of embedding information in a computer program code, including a plurality of program statements. The method comprises: parsing the computer program code to identify at least one program statement that includes a first mathematical expression, wherein said first mathematical expression includes at least a first algebraic expression adapted to produce at least one numeric result; generating a modified mathematical expression by performing a predetermined transformation of the first mathematical expression, wherein the modified mathematical expression includes a transformed algebraic expression instead of the first algebraic expression, such that the modified mathematical expression is adapted to produce the same result as the first mathematical expression, and wherein the modified mathematical expression is indicative of at least a part of said information; replacing said first mathematical expression in the identified program statement by the modified mathematical expression.
    Type: Grant
    Filed: November 24, 2005
    Date of Patent: November 27, 2012
    Assignee: Telefonaktiebolaget L M Ericsson (Publ)
    Inventors: Bernard Smeets, Björn Johansson
  • Patent number: 8321666
    Abstract: A system according to an example embodiment may include an identifier unit and a modifier unit. The identifier unit may be configured to identify an assignment type of an assignment of a variable in a part of a program code. The assignment type of the assignment may be different from an assignment type of a further assignment of the variable in a further part of the program code. The modifier unit may be configured to add to the further part of the program code an assignment of a dummy variable having the assignment type of the assignment of the variable.
    Type: Grant
    Filed: August 15, 2006
    Date of Patent: November 27, 2012
    Assignee: SAP AG
    Inventor: Florian Kerschbaum
  • Patent number: 8316242
    Abstract: The invention relates to an electronic circuit comprising: a first random-access data storage element, a processing module designed to delete the first storage element, and an access terminal which is connected to the processing module and receives a first power signal supplied by a first power source external to the electronic circuit. The circuit also includes a second random-access storage element in which a key is stored, said key being used to encrypt the data and a second power source which is built into the electronic circuit and supplies a second power signal to the processing module. The processing module is designed to detect an unauthorized access attempt by comparing the first and second power signals and to delete the key when the processing module is powered by the second power source.
    Type: Grant
    Filed: May 19, 2008
    Date of Patent: November 20, 2012
    Assignee: Ingenico France
    Inventors: Alain Coussieu, Alain Eck
  • Patent number: 8312284
    Abstract: This invention relates to creating a verifiable timestamp for a data object, such as a digital photograph. The verifiable timestamp includes a first and second timestamp and a data object. The verifiable timestamp is enveloped with several different tiers of digital signatures that together authenticate that the data object was created at a time after the first timestamp, but before the second timestamp.
    Type: Grant
    Filed: November 6, 2009
    Date of Patent: November 13, 2012
    Assignee: Google Inc.
    Inventor: Lantian Zheng
  • Patent number: 8312297
    Abstract: A program obfuscating device for generating an obfuscated program from which an unauthorized analyzer cannot easily obtain confidential information.
    Type: Grant
    Filed: April 21, 2006
    Date of Patent: November 13, 2012
    Assignee: Panasonic Corporation
    Inventors: Taichi Sato, Motoji Ohmori, Rieko Asai, Yuichi Futa, Tomoyuki Haga, Masahiro Mambo
  • Patent number: 8308820
    Abstract: A container security device includes a housing, electronic circuitry, and cabling. The electronic circuitry is disposed within the housing, and includes first and second microprocessor functions and an interface for accepting and providing data. The cabling is removably coupled to the housing, provides the only communicative coupling between the first microprocessor function and the second microprocessor function, and is adapted to be attached to a container latch so as to break the communicative coupling if the latch is opened. The housing includes a port for the electronic circuitry interface. A method of providing container security includes closing a container using a latch device and removably coupling the cabling to the housing so that the communicative coupling is broken if the latch is opened, providing the only communicative coupling between the first microprocessor function and the second microprocessor function.
    Type: Grant
    Filed: March 16, 2011
    Date of Patent: November 13, 2012
    Assignee: TecSec, Inc.
    Inventors: Edward M Scheidt, C. Jay Wack, Wai Lin Tsang
  • Patent number: 8307210
    Abstract: A method for validating a cryptographic token includes (a) operating the cryptographic token to generate a pseudo-random number for authentication purposes by using a cryptographic seed uniquely associated with the cryptographic token, the cryptographic seed having been cryptographically generated using a precursor value, (b) receiving a first value from the cryptographic token, the first value being the pseudo-random number generated by the cryptographic token, (c) inputting the first value and the precursor value into a trusted computing platform, and (d) operating the trusted computing platform to generate a validation signal if the first value can be derived using a specified algorithm from the precursor value, but to generate a failure signal if the first value cannot be derived using the specified algorithm from the precursor value. Accompanying methods and apparatus are also provided.
    Type: Grant
    Filed: May 2, 2008
    Date of Patent: November 6, 2012
    Assignee: EMC Corporation
    Inventor: William M. Duane
  • Patent number: 8306227
    Abstract: A data encryption system implemented by running on a cache-equipped computer an encryption program including transformation tables each of which contains a predetermined number of entries. All or necessary ones of the transformation tables are loaded into the cache memory before encryption/decryption process. This causes encryption/decryption time to be made substantially equal independently of the number of operation entries for the transformation table. It is very difficult to extract plain texts used to determine a key differential, resulting in difficulties in cryptanalysis.
    Type: Grant
    Filed: August 12, 2008
    Date of Patent: November 6, 2012
    Assignee: NEC Corporation
    Inventor: Yukiyasu Tsunoo
  • Patent number: 8301910
    Abstract: A method and system that enables cross-border compliance with export restrictions of particular computer technology, including software loaded on a computing device. The computing device is loaded with software, and has a country location device, such as a low-end GPS device. The country location device (country locator) stores the present geographic location of the device in a location register. When the computing device is turned on or the software is activated for operation on the computing device, a security utility of the software compares the value in the register against a list of pre-established locations that are export-restricted. When the value matches (or falls within a range) of one of pre-established locations, the features of the software that are export restricted are automatically disabled.
    Type: Grant
    Filed: January 12, 2004
    Date of Patent: October 30, 2012
    Assignee: International Business Machines Corporation
    Inventors: Bhargav V. Perepa, Sujatha Perepa, Vishwanath Venkataramappa
  • Patent number: 8294590
    Abstract: A component (10) of a device, such as a keypad mechanism (10) of a cash dispenser, is provided with a mechanism for detecting separation of the component from another part (16) of the device, for example a front panel (16) of the cash dispenser. The mechanism includes a member (64) moveable between first and second positions, and biasing means (34) to bias the member resiliently in the first position. In use, the member (64) is forced into the second position by contact with the part (16). If the component (10) and the part (16) are separated, the member (64) moves from the second position to the first position. The mechanism also includes a signal means to provide a warning signal when the member (64) moves to the first position. A tube (50) of ceramic material or other hard material is provided to resist ingress of a drill bit to the member (64).
    Type: Grant
    Filed: March 18, 2010
    Date of Patent: October 23, 2012
    Assignee: Keymat Technology Limited
    Inventor: Andrew George Selwood
  • Patent number: 8296581
    Abstract: Processor arrangement having a first processor, a second processor, and at least one memory configured to be shared by the first processor and the second processor. The second processor has a memory interface configured to provide access to the at least one memory, and a processor communication interface configured to provide a memory access service to the first processor. The first processor has a processor communication interface configured to use the memory access service from the second processor. The first processor and the second processor use at least one cryptographic mechanism in the context of the memory access service.
    Type: Grant
    Filed: February 5, 2007
    Date of Patent: October 23, 2012
    Assignee: Infineon Technologies AG
    Inventors: Gerard David Jennings, Eckhard Delfs
  • Patent number: 8290145
    Abstract: In a method for the transition from a first masked representation of a value to be kept secret to a second masked representation of the value, according to a first aspect of the invention at least one previously calculated table with a plurality of entries is used, and the calculation is carried out depending on at least one veiling parameter, in order to prevent the value to be kept secret from being spied out. According to a second aspect of the invention, at least one comparison table is used, which, for each table index, provides the result of a comparison between a value dependent on the table index and a value dependent on at least one masking value. A computer program product and a device have corresponding features. The invention provides a technique for protecting the transition between masked representations of a value from being spied out, wherein the masked representations are based on different masking rules.
    Type: Grant
    Filed: September 3, 2004
    Date of Patent: October 16, 2012
    Assignee: Giesecke & Devrient GmbH
    Inventors: Olaf Neisse, Jürgen Pulkus
  • Patent number: 8291238
    Abstract: The present invention provides systems and methods for electronic commerce including secure transaction management and electronic rights protection. Electronic appliances such as computers employed in accordance with the present invention help to ensure that information is accessed and used only in authorized ways, and maintain the integrity, availability, and/or confidentiality of the information. Secure subsystems used with such electronic appliances provide a distributed virtual distribution environment (VDE) that may enforce a secure chain of handling and control, for example, to control and/or meter or otherwise monitor use of electronically stored or disseminated information. Such a virtual distribution environment may be used to protect rights of various participants in electronic commerce and other electronic or electronic-facilitated transactions.
    Type: Grant
    Filed: July 12, 2007
    Date of Patent: October 16, 2012
    Assignee: Intertrust Technologies Corp.
    Inventors: Karl L. Ginter, Victor H. Shear, W. Olin Sibert, Francis J. Spahn, David M. Van Wie
  • Patent number: 8286005
    Abstract: A tamper resistant apparatus 101 is mounted inside of a PC 900 and stores confidential information A through C. The tamper resistant apparatus 101 receives data from an application 118 which operates on the PC 900, processes the data using the confidential information A through C, and returns processed data to the application 118. To the tamper resistant apparatus 101, plural external sensors 110 provided to the PC 900 are connected. The plural external sensors 110 detect opening/closing of a case of the PC 900 or movement of the body of the PC 900 and send a detection signal to the tamper resistant apparatus 101. On inputting the detection signal from the plural external sensors 110, the tamper resistant apparatus 101 selects and erases confidential information to be erased from the confidential information A through C according to the tamper resistant policy stored previously.
    Type: Grant
    Filed: March 27, 2007
    Date of Patent: October 9, 2012
    Assignee: Mitsubishi Electric Corporation
    Inventors: Nori Matsuda, Mitsuhiro Hattori, Takeshi Yoneda
  • Patent number: 8285998
    Abstract: Regularity information such as time codes embedded preliminarily through an electronic watermark is detected from a predetermined number of pieces of continuous frame data of video content through the electronic watermark. In the case where the electronic watermark is not detected from the predetermined number of pieces of continuous frame data, a non-detection count is calculated, and falsification of the predetermined number of pieces of frame data is determined on the basis of the detected regularity information and the non-detection count. Accordingly, falsification such as deletion, addition, and replacement of video content is detected with high accuracy using the electronic watermark.
    Type: Grant
    Filed: September 28, 2007
    Date of Patent: October 9, 2012
    Assignee: Hitachi Government & Public Corporation System Engineering, Ltd.
    Inventors: Isao Echizen, Takaaki Yamada, Nobuharu Miura, Michiro Maeta, Takashi Mizuno
  • Patent number: 8286228
    Abstract: A system and method for securely streaming encrypted digital media content out of a digital container to a user's media player. This streaming occurs after the digital container has been delivered to the user's machine and after the user has been authorized to access the encrypted content. The user's operating system and media player treat the data stream as if it were being delivered over the Internet (or other network) from a streaming web server. However, no Internet connection is required after the container has been delivered to the user and the data stream suffers no quality loss due to network traffic or web server access problems. In this process of the invention, the encrypted content files are decrypted and fed to the user's media player in real time and are never written to the user's hard drive or storage device. This process makes unauthorized copying of the digital content contained in the digital container virtually impossible.
    Type: Grant
    Filed: July 12, 2011
    Date of Patent: October 9, 2012
    Assignee: Digital Reg of Texas, LLC
    Inventors: Carl Vernon Venters, III, Eugene B. Phillips, II, Seth Ornstein
  • Patent number: 8286245
    Abstract: A method of scanning data for viruses in a computer device, the device having a browser for rendering the data for use. The method comprises storing the data in a buffer memory accessible to said browser and creating an instance of a browser plugin, said plugin providing a virus scanning function or providing a route to a virus scanning function. The data is scanned for viruses using the instance of the plugin and, if no viruses are detected in the data, it is returned to the browser for rendering. If a virus is detected in the data, rendering of the data is inhibited.
    Type: Grant
    Filed: August 20, 2001
    Date of Patent: October 9, 2012
    Assignee: F-Secure Oyj
    Inventor: Ben Samman
  • Patent number: 8281388
    Abstract: A portable storage device contains a real time clock, an onboard power source and secure storage. These components enable the device to securely store data and control access thereto. A secret key can be maintained in secure storage, such that access to the device can be denied to external systems that do not have a matching key. A log detailing connections can also be maintained in secure storage, such that device activity can be accurately documented, and made available in a trusted manner to a management system. Furthermore, the onboard real time clock allows stored data to be encrypted and decrypted in conjunction with specified time periods, such that a session key is destroyed after a time out, or is not made available until a given period of time has transpired.
    Type: Grant
    Filed: June 27, 2008
    Date of Patent: October 2, 2012
    Assignee: Symantec Corporation
    Inventors: William E. Sobel, Brian Hernacki
  • Patent number: 8280791
    Abstract: Devices, systems, and methods are disclosed for identifying a driver versus a passenger within a smart vehicle. This involves a determination of the relative positions of the wireless communication devices within the smart vehicle using near-field communication (NFC) or GPS, AGPS, etc. The wireless communication device detected closest to the driver seat is assumed to be the device owned by the driver. Once identified, the driver can be billed for tolls and other road services, based on the location of the smart vehicle. For instance, as the smart vehicle approaches a toll, a notification can be sent to all of the wireless communication devices. A response from a particular wireless communication device will result in the corresponding user's account being billed for the toll. Further, the smart vehicle can communicate with near-field transceivers placed, for instance, alongside a High-Occupancy Vehicle (HOV) lane.
    Type: Grant
    Filed: December 8, 2009
    Date of Patent: October 2, 2012
    Assignee: AT&T Mobility II LLC
    Inventors: John Potts Davis, III, Justin Michael Anthony McNamara, Jay Daryl Rector
  • Patent number: 8280042
    Abstract: A decryption processor for calculating a plaintext through decryption of a ciphertext $c$ includes: a first part that calculates $m'_p$ through modular exponentiation modulo a first prime number $p$, wherein an exponent is a shifted value of $d \bmod (p-1)$ and a base is a value of $c \bmod p$; a second modular exponentiation part that calculates $m'_q$ through modular exponentiation modulo a second prime number $q$, wherein an exponent is a value of $d \bmod (q-1)$ and a base is a value of $c \bmod q$; a composition part that calculates $m_s$ through calculation of $((u \times (m'_q - m'_p)) \bmod q) \times p + m'_p$ by using the values $m'_p$ and $m'_q$ and a private key $u$ corresponding to $p^{-1} \bmod q$; and a shift release part that calculates the plaintext $m$ through calculation of $m_s \times (c^s \bmod n) \bmod n$ by using the value $m_s$.
    Type: Grant
    Filed: January 19, 2010
    Date of Patent: October 2, 2012
    Assignee: Fujitsu Limited
    Inventor: Kouichi Itoh
  • Patent number: 8281398
    Abstract: Structured document files, such as those utilized by standard productivity applications or for portable documents can have malicious computer executable instructions embedded within them. Modifications to such files can prevent the execution of such malware. Modifications can operate at a file sector level, such as either fragmenting or defragmenting the file, or they can operate at a file record level, such as removing records, adding records, or rearranging the order of records. Other modifications include writing random data into records deemed likely to have malware, removing unaccounted for space, or removing records that are not known to be good and are inordinately large. A scan of the structured document file can identify relevant information and inform the selection of the modifications to be applied.
    Type: Grant
    Filed: January 6, 2009
    Date of Patent: October 2, 2012
    Assignee: Microsoft Corporation
    Inventors: Jonathan Daniel Mark Ness, Bruce Dang, Robert John Hensing, Morgan Daniel Beenfeldt
  • Patent number: 8281401
    Abstract: An improved method and apparatus for client-side web application analysis is provided. Client-side web application analysis involves determining and testing, using client-side application interfaces and the like, data input points and analyzing client requests and server responses. A security vulnerability analyzer can analyze web page content for client-side application files, such as Flash files and Java applets, extract web addresses and data parameters embedded in the client-side application file, and modify the data parameters according to user-defined test criteria. The modified data parameters are transmitted as part of a request to a respective web server used to service the client-side application files. The security vulnerability analyzer analyzes the response from the server to ascertain if there are any security vulnerabilities associated with the interface between the client-side application file and the web server.
    Type: Grant
    Filed: January 24, 2006
    Date of Patent: October 2, 2012
    Assignee: Whitehat Security, Inc.
    Inventors: Bill Pennington, Jeremiah Grossman, Robert Stone, Siamak Pazirandeh
  • Patent number: 8279075
    Abstract: A secure insert comprises a shell including a lid and a container configured to receive and encase one or more circuit cards, wherein the shell is further configured to be inserted into and engage a card slot area of a chassis. A bridge connector is disposed inside the shell and configured to couple the one or more circuit cards to a chassis connector. A tamper sensor is disposed inside the shell and configured to detect unauthorized tamper events.
    Type: Grant
    Filed: November 30, 2006
    Date of Patent: October 2, 2012
    Assignee: Honeywell International Inc.
    Inventors: Scott G. Fleischman, James L. Tucker, William J. Dalzell
  • Patent number: 8275998
    Abstract: A key distribution system distributes key data for using content to a second encryption device that has been legitimately outsourced processing by a first encryption device. The first encryption device acquires permission information indicating that the first encryption device has permission to use the content, generates certification information by making an irreversible alteration to the permission information, and transmits the permission information and the certification information to the second encryption device. The second encryption device receives the permission information and the certification information, sends them to a key distribution device, and acquires the key data from the key distribution device. The key distribution device receives the permission information and the certification information, judges whether or not the certification information was generated by the first encryption device, and if judging in the affirmative, transmits the key data to the second encryption device.
    Type: Grant
    Filed: November 24, 2010
    Date of Patent: September 25, 2012
    Assignee: Panasonic Corporation
    Inventors: Toshihisa Nakano, Hideshi Ishihara, Makoto Tatebayashi
  • Patent number: 8275746
    Abstract: Digital media content-on-demand hosting/delivery system for using an n-tier, multi dimension dynamic data technology to distribute digital content and manage information and comprising separate delivery and end-user systems with separate but compatible software, the hosting/delivery system being sub-divided into distributed hosting clusters serving small groups of users, ensuring local balance and overcoming diversity of connection/streaming speeds of end users.
    Type: Grant
    Filed: April 1, 2011
    Date of Patent: September 25, 2012
    Assignee: V V S Virtual Video Systems (Canada) Inc.
    Inventors: Rajesh Vadavia, Claudio Castravelli
  • Patent number: 8272061
    Abstract: A method for evaluating access rules violations, the method includes: receiving a model of a computer network; and determining security metrics associated with a violation of an access rule in response to: the model of the computer network, multiple network nodes of the computer network accessible according to at least one violated access rule or according to the network model, at least one vulnerability associated with the multiple network nodes, and damage associated with an exploitation of the at least one vulnerability.
    Type: Grant
    Filed: May 20, 2007
    Date of Patent: September 18, 2012
    Assignee: Skyobox security Inc.
    Inventors: Amnon Lotem, Gideon Choen, Moshe Meiseles
  • Patent number: 8271805
    Abstract: The present invention provides a secure buffer for use in data storage and encryption processing. Blocks or packets of data are passed to a secure buffer within a processor. The processor may be one of many coprocessors, and the secure buffer may be inaccessible to some or all of the coprocessors. Data may be partially or fully encrypted and stored within the secure buffer. Encryption may occur before or after storage in the buffer, or it may take place within the buffer itself. Optionally, the encrypted data may be sent to and retrieved from a shared memory that is accessible by other coprocessors.
    Type: Grant
    Filed: February 1, 2006
    Date of Patent: September 18, 2012
    Assignee: Sony Computer Entertainment Inc.
    Inventor: Masahiro Yasue
  • Patent number: 8271804
    Abstract: An information processing device creates a hash value from an event log every time the event occurs. The information processing device generates a digital signature by encrypting the hash value with its own private key. The device transmits the signature-bound event log obtained by binding the digital signature with the event log to a log management apparatus. The log management apparatus decrypts the hash value from the event log of the received signature-bound log information using a device public key. The apparatus also generates a new hash value from the event log, verifies the coincidence of the decrypted hash value and the new hash value, and authenticates signature-bound event logs for which this coincidence has been verified. The apparatus stores signature-bound event logs that have been authenticated. Every time an event occurs, the device transmits an event log bound with a digital signature that is created using its private key.
    Type: Grant
    Filed: September 17, 2008
    Date of Patent: September 18, 2012
    Assignee: Brother Kogyo Kabushiki Kaisha
    Inventor: Yasuhiro Kudo
  • Patent number: 8258809
    Abstract: A security circuit includes an electrical fuse read only memory (ROM) including a plurality of electrical fuse units. The electrical fuse units are arranged to correspond to bit values of an initial security key before the electrical fuse ROM is programmed.
    Type: Grant
    Filed: April 20, 2011
    Date of Patent: September 4, 2012
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Hyun-Su Choi, Nak-Woo Sung
  • Patent number: 8261097
    Abstract: A data recording apparatus and a data reproducing apparatus which ensure security of a portable recording medium, such as an optical disk. The apparatus has a security mode and a normal mode as operation modes. In the security mode, a system controller of the apparatus records a security identification signal in an area other than a user data area of the optical disk. At the time of copying of the optical disk, the security identification signal disappears, and a limitation is imposed on reproduction, thereby preventing copying operation. In the security mode, the system controller records the security identification signal in the area other than the user data area of the optical disk, as well as recording user data by means of converting an address through use of a password. At the time of reproduction of data, absence or presence of the security identification signal is ascertained. When the security identification signal is present, the address is inversely converted, thereby reproducing data.
    Type: Grant
    Filed: December 21, 2007
    Date of Patent: September 4, 2012
    Assignee: TEAC Corporation
    Inventors: Mitsumasa Kubo, Akira Shinohara
  • Patent number: 8261367
    Abstract: Data stored in MRAM-cells should be protected against misuse or read-out by unauthorized persons. The present invention provides an array of MRAM-cells provided with a security device for destroying data stored in the MRAM-cells when they are tampered with. This is achieved by placing a permanent magnet adjacent the MRAM-array in combination with a soft-magnetic flux-closing layer. As long as the soft-magnetic layer is present, the magnetic field lines from the permanent magnet are deviated and flow through this soft-magnetic layer. When somebody is tampering with the MRAM-array, e.g. by means of reverse engineering, and the flux-closing layer is removed, the flux is no longer deviated and affects the nearby MRAM-array, thus destroying the data stored in the MRAM-cells.
    Type: Grant
    Filed: February 19, 2010
    Date of Patent: September 4, 2012
    Assignee: Crocus Technology, Inc.
    Inventors: Kars-Michiel Hubert Lenssen, Robert Jochemsen
  • Patent number: 8261320
    Abstract: A computer-implemented method for securely managing access to data may comprise identifying a request to access data that is encrypted, the request being made within an insecure platform. The method may: determine that a requestor has a right to access the data, decrypt the data to provide decrypted data, and permit a secure platform to access the decrypted data. A computer-implemented method for securely managing access to data may comprise identifying a request to access data that is encrypted, the request being made within an insecure platform. The method may: submit the request to a policy server, receive permission from the policy server to access the data, decrypt the data to provide decrypted data, and permit a secure platform to access the decrypted data. A system for securely managing access to data may comprise: an authorization platform, an authentication module, a policy-enforcement module, and a cryptography module.
    Type: Grant
    Filed: June 30, 2008
    Date of Patent: September 4, 2012
    Assignee: Symantec Corporation
    Inventors: Denis Serenyi, Brian Witten
  • Patent number: 8259951
    Abstract: Conventionally, an encryption key for encrypting data to be backed up in a tape cannot be allocated for each logical data management unit. To solve the problem, provided is a storage system including: a disk storage device; a tape storage device in which a tape storage medium is loaded; and a controller for controlling the disk storage device and the tape storage device, in which the controller is configured to: generate, upon reception of a request for setting a tape group including one or more tape storage media, a first encryption key used for encrypting data stored in the tape group set by the request; and hold information for correlating the generated first encryption key with the tape group.
    Type: Grant
    Filed: April 1, 2008
    Date of Patent: September 4, 2012
    Assignees: Hitachi, Ltd., Hitachi Computer Peripherals Co., Ltd.
    Inventor: Yoichi Mizuno
  • Patent number: 8261091
    Abstract: An architecture is presented that facilitates secure token generation and transmission capabilities in a mobile device. The system comprises at least one software application that includes a secure token assigned to a specific user and a memory module that communicates with an external processor. A security processor, non-volatile memory component and volatile memory component are integrated to form the memory module that communicates with the external processor. The memory module creates a secure execution environment for the execution of application agents associated with the software application and the secure token. The security processor of the system communicates with the software application and external processor to manage generation, authentication, confidentiality, and transmission of the secure token. And, the non-volatile memory allows the introduction of new tokens and the removal of old tokens.
    Type: Grant
    Filed: December 21, 2006
    Date of Patent: September 4, 2012
    Assignee: Spansion LLC
    Inventors: Russell Barck, Jeremy Werner
  • Patent number: 8254571
    Abstract: A halting key derivation function is provided. A setup process scrambles a user-supplied password and a random string in a loop. When the loop is halted by user input, the setup process may generate verification information and a cryptographic key. The key may be used to encrypt data. During a subsequent password verification and key recovery process, the verification information is retrieved, a user-supplied trial password obtained, and both are used together to recover the key using a loop computation. During the loop, the verification process repeatedly tests the results produced by the looping scrambling function against the verification information. In case of match, the trial password is correct and a cryptographic key matching the key produced by the setup process may be generated and used for data decryption. As long as there is no match, the loop may continue indefinitely until interrupted exogenously, such as by user input.
    Type: Grant
    Filed: December 21, 2007
    Date of Patent: August 28, 2012
    Assignee: Voltage Security, Inc.
    Inventor: Xavier Boyen
  • Patent number: 8255996
    Abstract: A network switch automatically detects undesired network traffic and mirrors the undesired traffic to a security management device. The security management device determines the source of the undesired traffic and redirects traffic from the source to itself. The security management device also automatically sends a policy to a switch to block traffic from the source.
    Type: Grant
    Filed: December 30, 2005
    Date of Patent: August 28, 2012
    Assignee: Extreme Networks, Inc.
    Inventors: Craig T. Elrod, Prakash Kashyap
  • Patent number: 8252067
    Abstract: A latch and latch handle recessed into the computer cover is provided, with the latch handle preferably presenting a cam surface internally that interacts with a compatible cam surface associated with a lock bar. Preferably, a key lock is functionally integrated with the latch in such a way that when the key lock is unlocked the latch handle and latch are free to displace and to then urge the retention bar to disengage detents or hooks from slots or receptacles, by way of releasing the cover from a chassis or body of the desktop or workstation. Accordingly, in essentially one efficient movement via engaging the latch handle, a user will be able to quickly remove the cover.
    Type: Grant
    Filed: March 28, 2008
    Date of Patent: August 28, 2012
    Assignee: Lenovo (Singapore) Pte. Ltd.
    Inventors: Timothy S. Farrow, William F. Martin-Otto
  • Patent number: 8255986
    Abstract: A method of securely controlling through a private network a computer protected by a hardware-based inner access barrier or firewall and optionally configured to operate as a general purpose computer connected to the Internet, comprising: two separate network connections separated by an inner hardware-based access barrier or inner hardware-based firewall protecting a private network connection configured for connection to a private network of computers but not protecting a public network connection configured for connection to a public network configured to include the Internet, the method including the step of controlling at least one operation of the computer, the control being provided through the private network and the operation involving data and/or code transmitted to the public network. Another method includes the step of controlling an operation of a second or third private protected unit of the computer, the control being provided through a second or third private network, respectively.
    Type: Grant
    Filed: December 16, 2011
    Date of Patent: August 28, 2012
    Inventor: Frampton E. Ellis
  • Patent number: 8255702
    Abstract: Techniques of the present invention impede power consumption measurements of an encryption engine on a logic device by running the encryption engine with an independent clock. This clock produces a signal that is decoupled from and asynchronous to clock signals feeding other circuits on the device. The clock feeding the encryption engine is not accessible externally to the device. Circuits may be employed to intentionally slow down or add jitter to one or more of the clock signals.
    Type: Grant
    Filed: December 3, 2009
    Date of Patent: August 28, 2012
    Assignee: Altera Corporation
    Inventor: Bruce B. Pedersen
  • Publication number: 20120210141
    Abstract: An information processing apparatus includes: a program executing unit which interprets and executes codes of a computer program created in a procedural language in an environment with a tamper resistant performance, wherein a security attribute and an authentication key are provided in units of functions in the computer program executed by the program executing unit, and wherein the program executing unit executes authentication processing with the authentication key for executing the function, which makes it possible to execute the function based on the security attribute.
    Type: Application
    Filed: January 30, 2012
    Publication date: August 16, 2012
    Applicant: SONY CORPORATION
    Inventor: Tadashi Morita
  • Patent number: 8245053
    Abstract: Methods and systems for binding a removable trusted platform module (TPM) subsystem module to an information handling system to provide a core root of trust for the information handling system without requiring soldering down or other hard and permanent (non-removable) attachment of a TPM device to the information handling system planar (e.g., motherboard). The removable TPM subsystem module may be a plug-in module that may be removed from the information handling system planar (e.g., motherboard), while at the same time maintaining the transitive chain of trust, and being capable of remotely attesting its trusted state. An information handling system platform may be provided that has the capability and flexibility of supporting multiple TPMs on the same system planar.
    Type: Grant
    Filed: March 10, 2009
    Date of Patent: August 14, 2012
    Assignee: Dell Products, Inc.
    Inventors: Quy Hoang, Mukund P. Khatri, Pankaj Bishnoi
  • Patent number: 8241369
    Abstract: An electronic device, prior to entering a distribution channel, is equipped with a loss prevention client which permits limited use of the device until correct authentication is provided by a legitimate purchaser. By permitting limited use before authentication, the device remains both useful to a legitimate purchaser and valuable to a thief. While allowing operation in the possession of a thief, options can be provided to permit tracking of the device or to allow proper purchase of the device.
    Type: Grant
    Filed: October 24, 2011
    Date of Patent: August 14, 2012
    Assignee: Absolute Software Corporation
    Inventor: Jon Stevens
  • Patent number: 8245041
    Abstract: Systems and methods for providing a battery module 110 with secure identity information and authentication of the identity of the battery 110 by a host 120. In one embodiment, the system for providing a battery module with secure identity information includes: (1) a tamper resistant processing environment 200 located within the battery module 110 and (2) a key generator configured to generate a key based on an identity of the battery module 110 and cause the key to be stored within the tamper resistant processing environment 200.
    Type: Grant
    Filed: September 22, 2011
    Date of Patent: August 14, 2012
    Assignee: Texas Instruments Incorporated
    Inventors: Narendar Shankar, Erdal Paksoy, Todd Vanyo
  • Patent number: 8240038
    Abstract: A method including positioning an electronic device proximate a second device, the electronic device including at least one of a semiconductor device, an integrated circuit chip, and an electronic substrate, and the second device activatable to form a conductive pattern on the electronic device. The method further includes activating the second device to form the conductive pattern and forming the conductive pattern on at least two surfaces of the electronic device. The conductive pattern includes one or more than one conductive trace. Each conductive trace includes a conductive material and is continuous between at least two surfaces of the electronic device. Each conductive trace is formed by controlling relative movement of the electronic device and the second device during activation of the second device.
    Type: Grant
    Filed: December 21, 2009
    Date of Patent: August 14, 2012
    Assignee: Teledyne Technologies Incorporated
    Inventors: Cuong V. Pham, David E. Chubin, Robert A. Clarke, Aaron D. Kuan
  • Patent number: 8239945
    Abstract: An intrusion detection system (IDS) comprises a network processor (NP) coupled to a memory unit for storing programs and data. The NP is also coupled to one or more parallel pattern detection engines (PPDE) which provide high speed parallel detection of patterns in an input data stream. Each PPDE comprises many processing units (PUs) each designed to store intrusion signatures as a sequence of data with selected operation codes. The PUs have configuration registers for selecting modes of pattern recognition. Each PU compares a byte at each clock cycle. If a sequence of bytes from the input pattern matches a stored pattern, the identification of the PU detecting the pattern is outputted with any applicable comparison data. By storing intrusion signatures in many parallel PUs, the IDS can process network data at the NP processing speed. PUs may be cascaded to increase intrusion coverage or to detect long intrusion signatures.
    Type: Grant
    Filed: December 14, 2008
    Date of Patent: August 7, 2012
    Assignee: International Business Machines Corporation
    Inventors: Marc A. Boulanger, Clark D. Jeffries, C. Marcel Kinard, Kerry A. Kravec, Ravinder K. Sabhikhi, Ali G. Saidi, Jan M. Slyfield, Pascal R. Tannhof
  • Patent number: 8239689
    Abstract: A device and method for a secure execution of a program. The program includes a sequence of program commands including use and checking commands. A checking value is generated according to a setup regulation when executing a checking command. A control value is generated according to the setup regulation and the checking value is compared to the control value. An insecure execution of the program is indicated when the checking value and the control value do not match.
    Type: Grant
    Filed: March 2, 2006
    Date of Patent: August 7, 2012
    Assignee: Infineon Technologies AG
    Inventors: Harald Amschler, Berndt Gammel
  • Publication number: 20120198243
    Abstract: A program execution device capable of protecting a program against unauthorized analysis and alteration is provided. The program execution device includes an execution unit, a first protection unit, and a second protection unit. The execution unit executes a first program and a second program, and is connected with an external device that is capable of controlling the execution. The first protection unit disconnects the execution unit from the external device while the execution unit is executing the first program. The second protection unit protects the first program while the execution unit is executing the second program.
    Type: Application
    Filed: April 6, 2012
    Publication date: August 2, 2012
    Inventors: Hideki MATSUSHIMA, Teruto HIROTA, Yukie SHODA, Shunji HARADA
  • Patent number: 8233627
    Abstract: A user private key is stored in a database of the user terminal. A user public key and user information are stored in the user management DB. The encryption/decryption unit encrypts an authority private key specific to a first authority given to a user, by using a user public key associated with user information to indicate a user. The secret sharing unit shares in secret an authority private key into two or more shared authority private keys. The encryption/decryption unit encrypts the shared authority private keys, by using an authority public key specific to each of second authorities to manage the first authority in a shared manner. The authority management DB stores the encrypted authority private key and authority public key in association with the first authority, and stores the encrypted shared authority private keys in association with the second authorities.
    Type: Grant
    Filed: April 3, 2008
    Date of Patent: July 31, 2012
    Assignees: Kabushiki Kaisha Toshiba, Toshiba Solutions Corporation
    Inventors: Tomonari Tanaka, Kazunori Sekido, Masamichi Tateoka