Tamper Resistant Patents (Class 713/194)
  • Patent number: 8645712
    Abstract: An electronic device takes the form of a programmable logic device, including logic resources whose functions and interconnections are dependent on the configuration information applied to the device. Each such electronic device is provided with a unique identifier. In order to implement a design of an electronic circuit on an electronic device, the configuration information that is required to cause the device to perform its desired function is encrypted before being applied to the device, and is decrypted on the device itself. The encryption process, and hence the required decryption, are based on the identifier, and hence are effectively unique to the particular device, so that the intended design can be implemented only by means of configuration information that is related to the unique identifier, and the configuration information cannot be applied to other devices to make unauthorized configured devices.
    Type: Grant
    Filed: October 27, 2005
    Date of Patent: February 4, 2014
    Assignee: Altera Corporation
    Inventor: Martin Langhammer
  • Patent number: 8639951
    Abstract: Mobile network services are performed in a mobile data network in a way that is transparent to most of the existing equipment in the mobile data network. The mobile data network includes a radio access network and a core network. A breakout appliance in the radio access network breaks out data coming from a basestation, and performs one or more mobile network services at the edge of the mobile data network based on the broken out data. The breakout appliance includes multiple states that support manufacturing, testing, production, tamper detection and end of life, and the functions of the breakout appliance vary according to its state.
    Type: Grant
    Filed: December 19, 2011
    Date of Patent: January 28, 2014
    Assignee: International Business Machines Corporation
    Inventors: Vincenzo V. Di Luoffo, Philip E. Grady, Scott A. Liebl, George W. Van Leeuwen
  • Patent number: 8639926
    Abstract: A user authenticates a mobile device (MD) to a network-based service (NBS) for initial authentication. Policy is pushed from the NBS to the MD and the MD automatically obtains details about devices and attributes that are near or accessible to the MD in accordance with the policy. The details are pushed as a packet from the MD to the NBS and multifactor authentication is performed based on the details and the policy. If the multifactor authentication is successful, access privileges are set for the MD for accessing the NBS and perhaps for accessing local resources of the MD.
    Type: Grant
    Filed: October 29, 2010
    Date of Patent: January 28, 2014
    Assignee: Novell, Inc.
    Inventors: Jeremy Ray Brown, Jason Allen Sabin, Nathaniel Brent Kranendonk, Kal A. Larsen, Lloyd Leon Burch
  • Patent number: 8639915
    Abstract: In some embodiments, a method and apparatus for distributing private keys to an entity with minimal secret, unique information are described. In one embodiment, the method includes the storage of a chip secret key within a manufactured chip. Once the chip secret key is stored or programmed within the chip, the chip is sent to a system original equipment manufacturer (OEM) in order to integrate the chip within a system or device. Subsequently, a private key is generated for the chip by a key distribution facility (KDF) according to a key request received from the system OEM. In one embodiment, the KDF is the chip manufacturer. Other embodiments are described and claimed.
    Type: Grant
    Filed: March 30, 2010
    Date of Patent: January 28, 2014
    Assignee: Intel Corporation
    Inventor: Gary L. Graunke
  • Patent number: 8635467
    Abstract: An integrated circuit comprises logic circuitry, organized in a multi-level hierarchy of modules. The integrated circuit comprises multiple sensing circuits. In operation, each sensing circuit senses an instantaneous current consumption IC of a respective one of the modules that draws current entirely through that sensing circuit. The integrated circuit comprises a concealing circuit for each of the sensing circuits. In operation, the concealing circuit receives as input a voltage VC corresponding to the sensed instantaneous current consumption IC of its respective module, and the concealing circuit dissipates an instantaneous power PL such that an instantaneous power sum PTOTAL of the instantaneous power PL and the instantaneous power PC to be dissipated by its respective module is substantially independent of activity of its respective module.
    Type: Grant
    Filed: October 27, 2011
    Date of Patent: January 21, 2014
    Assignee: Certicom Corp.
    Inventors: Kiran Kumar Gunnam, Jay Scott Fuller
  • Patent number: 8631249
    Abstract: In an embodiment, regarding an addition of a kb-bit number A and a b-bit random number r, element data of a pre-calculated table C? is set based on a sum AH+rH of a value AH of upper b/2 bits of a number A2, which is lower b bits of the number A, and a value rH of upper b/2 bits of the random number r and the sum AL+rL of a value AL of lower b/2 bits of the number A2 and a value rL of lower b/2 bits of the random number r in such a way that presence/absence of carrying-over of A2+r is indicated. Accordingly, the size of the pre-calculated table needed to be reduced for obtaining an addition result of upper (k−1)b bits by mutually adding the kb-bit number A and the b-bit number r.
    Type: Grant
    Filed: September 8, 2011
    Date of Patent: January 14, 2014
    Assignee: Kabushiki Kaisha Toshiba
    Inventor: Masanobu Koike
  • Patent number: 8631493
    Abstract: Systems and methods for geographically mapping a threat into a network having one or more network points include receiving threat information identifying a threat to a point of the network, correlating the threat information with location information for the identified network point, and network identification information for the identified network point, and generating a map displaying a geographical location of the threat.
    Type: Grant
    Filed: July 10, 2006
    Date of Patent: January 14, 2014
    Assignee: Verizon Patent and Licensing Inc.
    Inventor: James Trent McConnell
  • Patent number: 8630418
    Abstract: A system or computer usable program product for managing keys in a computer memory including receiving a request to store a first key to a first key repository, storing the first key to a second key repository in response to the request, and storing the first key from the second key repository to the first key repository within said computer memory based on a predetermined periodicity.
    Type: Grant
    Filed: January 5, 2011
    Date of Patent: January 14, 2014
    Assignee: International Business Machines Corporation
    Inventors: Bruce A. Rich, Thomas H. Benjamin, John T. Peck
  • Patent number: 8627468
    Abstract: A network management system may detect a network condition corresponding to a network and evaluate the network condition to identify types of network performance information corresponding to the network condition. The network management system may prioritize the types of network performance information and communicate priority information to a network device. The priority information may include the types of network performance information identified by the network management system and/or the priority associated with each type of network performance information. The network device may receive the priority information, evaluate the availability of device resources, collect network performance information based on the priority information and the availability of device resources, and communicate the network performance information to the network management system.
    Type: Grant
    Filed: November 3, 2011
    Date of Patent: January 7, 2014
    Assignee: Verizon Patent and Licensing Inc.
    Inventors: Deepak Kakadia, Javier M. Lopez
  • Patent number: 8626659
    Abstract: Systems, methods and computer-readable media for facilitating the presentation of content associated with a financial transaction are disclosed. The content may be identified by a requestor or a party to the financial transaction on whose behalf a request associated with the financial transaction is received. A content location identifier that identifies a location where the content is stored may be identified or generated and may be included in or otherwise provided in association with a debit or credit instruction. The content location identifier may be presented by a user interface associated with a financial institution in conjunction with other transaction information and may facilitate access to the content and presentation of the content to a user.
    Type: Grant
    Filed: September 28, 2012
    Date of Patent: January 7, 2014
    Assignee: Fiserv, Inc.
    Inventors: Mark Edward Bowman, Mark T. Harris, Sherry Pleasant Lewter, John Alexander Kell
  • Patent number: 8621610
    Abstract: A system is provided for detecting, analyzing and quarantining unwanted files in a network environment. A host agent residing on a computing device in the network environment detects a new file introduced to the computing device and sends the new file to a network service for analysis. The network service is accessible to computing devices in the network environment. An architecture for the network service may include: a request dispatcher configured to receive a candidate file for inspection from a given computing device in the network environment and distribute the candidate file to one or more of a plurality of detection engines, where the detection engines operate in parallel to analyze the candidate file and output a report regarding the candidate file; and a result aggregator configured to receive reports from each of the detection engines regarding the candidate file and aggregates the reports in accordance with an aggregation algorithm.
    Type: Grant
    Filed: August 5, 2008
    Date of Patent: December 31, 2013
    Assignee: The Regents of The University of Michigan
    Inventors: Jon Oberheide, Evan Cooke, Farnam Jahanian
  • Patent number: 8621624
    Abstract: An apparatus and method for preventing an anomaly of an application program are provided. More particularly, an apparatus and method for preventing an anomaly of an application program that detect and stop an anomaly on the basis of a behavior profile for an application program are provided. The apparatus includes a behavior monitor that detects behavior of an application program in operation, an anomaly detector that determines whether the detected behavior of the application program is an anomaly on the basis of a behavior profile of the application program in operation, and an anomaly stopper that stops the behavior of the application program determined as an anomaly by the anomaly detector.
    Type: Grant
    Filed: December 10, 2008
    Date of Patent: December 31, 2013
    Assignee: Electronics and Telecommunications Research Institute
    Inventors: In Sook Jang, Eun Young Lee, Hyung Geun Oh, Do Hoon Lee
  • Patent number: 8619994
    Abstract: The present invention relates to a method and system for providing a digital content service that provides packaging content consisting of digital rights management (DRM) content and advertisement content, and is able to use the DRM content for free by watching or listening to the advertisement content, including: generating packaging content consisting of pilot content and target content, which has been encrypted using an encryption key of the pilot content, and providing the packaging content to a portable terminal; and obtaining a decryption key for the target content through playing the pilot content of the packaging content, and playing the target content by the decryption key, by the portable terminal.
    Type: Grant
    Filed: November 25, 2009
    Date of Patent: December 31, 2013
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Kyung Keun Lee, Byung Rae Lee, Seong Hun Bang
  • Patent number: 8621626
    Abstract: Various embodiments include a method of detecting shell code in an arbitrary file comprising determining where one or more candidate areas exist within an arbitrary file, searching at least one nearby area surrounding each of the one or more candidate areas within the arbitrary file for an instruction candidate, and calculating for any such instruction candidate a statistical probability based on a disassembly of instructions starting at a found offset for the instruction candidate that the disassembled instructions are shellcode.
    Type: Grant
    Filed: November 30, 2009
    Date of Patent: December 31, 2013
    Assignee: McAfee, Inc.
    Inventor: Christoph Alme
  • Patent number: 8615785
    Abstract: A network switch automatically detects undesired network traffic and mirrors the undesired traffic to a security management device. The security management device determines the source of the undesired traffic and redirects traffic from the source to itself. The security management device also automatically sends a policy to a switch to block traffic from the source.
    Type: Grant
    Filed: August 14, 2012
    Date of Patent: December 24, 2013
    Assignee: Extreme Network, Inc.
    Inventors: Craig T. Elrod, Prakash Kashyap
  • Patent number: 8615808
    Abstract: A method is provided to process data so that the data can be externally stored with minimized risk of information leakage. A framework (virtual execution framework) based on virtual machines (VMs) is utilized as a substitute for a trusted institution. Encryption of consolidated data can reduce risk of information leakage and enhance security. Since the virtual execution framework can control connection and direction of communication, financial institutions are allowed to apply encryption to data on their own, which makes the data further appropriate for external storage. By allowing financial institutions to apply their own decryption, it is possible to prevent one of two financial institutions from retrieving externally stored data into the external execution framework without intervention of the other. Additionally, associated acting subjects can be provided with freedom depending on the degree of information leakage risk.
    Type: Grant
    Filed: June 30, 2011
    Date of Patent: December 24, 2013
    Assignee: International Business Machines Corporation
    Inventor: Yuji Watanabe
  • Patent number: 8613065
    Abstract: This invention relates to a method and a system for generating user passcodes for each of a plurality of transaction providers from a mobile user device. A method and system for activating a plurality of passcode generators on a user device configured with a passcode application installed on the user device is provided. Each of the passcode generators may correspond to a different user account or transaction provider, such that each passcode generator provides a user passcode configured for the corresponding account or transaction provider. One or more of the passcode generators may include a passcode generating algorithm and a passcode key. Access to one or more of the passcode generators may require providing a PIN or a challenge.
    Type: Grant
    Filed: February 4, 2011
    Date of Patent: December 17, 2013
    Assignee: CA, Inc.
    Inventors: Geoffrey Hird, Rammohan Varadarajan, James D. Reno
  • Patent number: 8612760
    Abstract: Systems and methods for providing a battery module 110 with secure identity information and authentication of the identity of the battery 110 by a host 120. In one embodiment, the system for providing a battery module with secure identity information includes: (1) a tamper resistant processing environment 200 located within the battery module 110 and (2) a key generator configured to generate a key based on an identity of the battery module 110 and cause the key to be stored within the tamper resistant processing environment 200.
    Type: Grant
    Filed: July 11, 2012
    Date of Patent: December 17, 2013
    Assignee: Texas Instruments Incorporated
    Inventors: Narendar M. Shankar, Erdal Paksoy, Todd Vanyo
  • Patent number: 8612761
    Abstract: Perfected cryptographic protocol making it possible to counter attacks based on the analysis of the current consumption during the execution of a DES or similar. According to the invention, a message (M) is processed by two entities (A and B) and the entity (B) subject to attack executes a chain of operations known as DES in which it is chosen to carry out a given operation (O1, O2, O3 . . . On) or the same operation complemented (Ō1, Ō2, Ō3 . . . Ōn), the choice being random.
    Type: Grant
    Filed: January 30, 2001
    Date of Patent: December 17, 2013
    Assignee: Oberthur Card Systems SA
    Inventors: Mehdi-Laurent Akkar, Paul Dischamp
  • Patent number: 8611537
    Abstract: A method and system for establishing security association mechanism between a Mobile Node (MN) and a plurality of Point of Services (PoS) are provided. The method includes sending a first request from primary PoS to secondary PoS. The primary PoS then receives a first response along with a derived first key. The first key is derived at the secondary PoS. The method further includes receiving a second request from the MN at the primary PoS. The method then derives a second key based on a MN identity and the derived first key. Thereafter, the method sends a second response along with a second key from the primary PoS to the MN. Further, the method establishes communication between the MN and secondary PoS based on the second key received by the MN and the second key generated at the secondary PoS.
    Type: Grant
    Filed: May 11, 2010
    Date of Patent: December 17, 2013
    Assignee: Samsung Electronics Co., Ltd.
    Inventor: Anirudh Bhatt
  • Patent number: 8612777
    Abstract: Method and apparatus for writing data to be stored to a predetermined memory area, the method comprising: reading stored data from the predetermined memory area, the stored data comprising a stored data block and an associated stored error detection value, manipulating, after reading the stored data, at least one of the stored data block and the associated stored error detection value in the predetermined memory area, and writing, after manipulating, the data to be stored to the predetermined memory area.
    Type: Grant
    Filed: January 9, 2009
    Date of Patent: December 17, 2013
    Assignee: Infineon Technologies AG
    Inventor: Steffen Marc Sonnekalb
  • Patent number: 8607074
    Abstract: Mobile network services are performed in a mobile data network in a way that is transparent to most of the existing equipment in the mobile data network. The mobile data network includes a radio access network and a core network. A breakout appliance in the radio access network breaks out data coming from a basestation, and performs one or more mobile network services at the edge of the mobile data network based on the broken out data. The breakout appliance includes multiple states that support manufacturing, testing, production, tamper detection and end of life, and the functions of the breakout appliance vary according to its state.
    Type: Grant
    Filed: November 20, 2012
    Date of Patent: December 10, 2013
    Assignee: International Business Machines Corporation
    Inventors: Vincenzo V. Di Luoffo, Philip E. Grady, Scott A. Liebl, George W. Van Leeuwen
  • Patent number: 8601285
    Abstract: The invention relates to a method for secure piecemeal execution of a program code. In the method, the program code is split to a number of pieces in a first electronic device. The pieces are provided one after another to a second electronic device, which computes a message authentication code from the pieces and returns the authenticated pieces back to the first electronic device. In order to execute the program, the authenticated pieces are provided for execution to the second electronic device, which verifies the message authentication codes in the pieces to allow the execution of the pieces in the second electronic device.
    Type: Grant
    Filed: November 23, 2007
    Date of Patent: December 3, 2013
    Assignee: Nokia Corporation
    Inventors: Jan-Erik Ekberg, Aarne Rantala
  • Patent number: 8600046
    Abstract: A method of coding a secret, a numerical value d, subdivided into a number N of secret elements [di]n1, a composition law () applied to the elements di giving the value d. The following are calculated: (A) a first image (TN) of the secret by iterative calculation and application of the law () between the first image Ti-1 of rank i−1 and of the product according to this law of the element (di) of next rank and of a random value (Ri) of a first set, (B) a first numerical value (S1) by application of the law () to the N random values (Ri), (C) a second numerical value (S2) by application of the law to the N−1 random values (Aj) of a second set, (D) a second image T? of the secret by application of the inverse law () to the first image (TN) and to the second numerical value (S2) so as to generate an intermediate image (Tx) and then application of the inverse law to the intermediate image (Tx) and to the second numerical value (S2).
    Type: Grant
    Filed: December 5, 2008
    Date of Patent: December 3, 2013
    Assignee: Sagem Securite
    Inventors: Hervé Pelletier, Isabelle Sengmanivanh
  • Patent number: 8601283
    Abstract: In some applications, it may be more convenient to the user to be able to log in the memory system using one application, and then be able to use different applications to access protected content without having to log in again. In such event, all of the content that the user wishes to access in this manner may be associated with a first account, so that all such content can be accessed via different applications (e.g. music player, email, cellular communication etc.) without having to log in multiple times. Then a different set of authentication information may then be used for logging in to access protected content that is in an account different from the first account, even where the different accounts are for the same user or entity.
    Type: Grant
    Filed: December 20, 2005
    Date of Patent: December 3, 2013
    Assignee: SanDisk Technologies Inc.
    Inventors: Fabrice Jogand-Coulomb, Michael Holtzman, Bahman Qawami, Ron Barzilai
  • Patent number: 8595514
    Abstract: A data entry device including a housing formed of at least two portions, data entry circuitry located within the housing, at least one case-open switch assembly operative to sense when the housing is opened and tamper indication circuitry operative to receive an input from the at least one case-open switch assembly and to provide an output indication of possible tampering with the data entry circuitry located within the housing, the at least one case-open switch assembly including an arrangement of electrical contacts including at least first, second and third contacts and a displaceable conductive element, the tamper indication circuitry and the third contact together being operative such that when the third contact is short circuited to at least one of the first contact, the second contact and another contact, an output indication of possible tampering is provided.
    Type: Grant
    Filed: July 23, 2009
    Date of Patent: November 26, 2013
    Assignee: Verifone, Inc.
    Inventors: Mehran Mirkazemi-Moud, John Henry Barrowman, Christian Eric Schulz, Arnon Aviv, Amihay Avital, Sergey Meron, Dave Faoro
  • Patent number: 8595826
    Abstract: A portable electronic device includes a storage unit in which information indicating correct process contents is stored. A reception unit of the portable electronic device receives a command for requesting a process from an external device, and the portable electronic device determines whether or not process contents to be executed according to the received command are matched with process contents stored in the storage unit. When it is determined that process contents according to the received command are matched with process contents stored in the storage unit, the portable electronic device executes a process according to the command received by the reception unit.
    Type: Grant
    Filed: December 11, 2008
    Date of Patent: November 26, 2013
    Assignee: Kabushiki Kaisha Toshiba
    Inventor: Satoshi Sekiya
  • Publication number: 20130311791
    Abstract: A security device and a method provide a cryptographic key for a field device. The security device is connected to at least one tamper sensor which is associated with the field device and which emits a manipulation message when a physical manipulation carried out on the field device is detected. The cryptographic key is only provided to the field device by the security device if the security device does not receive a manipulation message from the tamper sensors associated with the field device.
    Type: Application
    Filed: December 15, 2011
    Publication date: November 21, 2013
    Applicant: SIEMENS AKTIENGESELLSCHAFT
    Inventors: Rainer Falk, Steffen Fries
  • Patent number: 8589589
    Abstract: A method, a system, and an apparatus are provided for organizing management information bases (MIB) in a network. A table, associated with an overlay MIB structure, is populated with entries. Each entry defines an object identifier (OID) of a mount point and an OID of a mount target. A selection is made between the existing OIDs and OIDs corresponding to a MIB overlay. When management communication refers to managed objects, they can be referred to in terms of OIDs defined by the MIB overlay, as an alternative to their existing OIDs. An agent infrastructure is defined to support the MIB overlay structure.
    Type: Grant
    Filed: February 16, 2011
    Date of Patent: November 19, 2013
    Assignee: Cisco Technology, Inc.
    Inventors: Alexander Clemm, Narayana Hosdurg Pai, Rohit Mehendiratta, Zbigniew W. Blaszczyk
  • Patent number: 8588415
    Abstract: A method of securing a telecommunication terminal that is connected to a module used to identify a user of the terminal is described. The method includes a step including executing a procedure in which the terminal is matched to the identification module, consisting in: securely loading a first software program including a data matching key onto the identification module; securely loading a second software program which can operate in conjunction with the first software program onto the telecommunication terminal; transmitting a data matching key that corresponds to that of the first software program to the second software program; storing the transmitted data matching key in the secured storage zone of the telecommunication terminal; and conditionally submitting every response from the first software program to a request from the second software program upon verification at the true value of the valid possession of the data matching key by the second program.
    Type: Grant
    Filed: November 2, 2005
    Date of Patent: November 19, 2013
    Assignees: France Telecom, Trusted Logic
    Inventors: Jean-Claude Pailles, Fabien Venries, Guillaume Bruyere, Alexandre Frey
  • Patent number: 8589703
    Abstract: Disclosed is a tamper respondent covering. The tamper respondent covering has a cover-shaped structure to cover an electronic part which is exposed. This covering protects electronic parts embedded inside or exposed outside a product, such as ICs that contain data concerning security and certification, communication connectors that transmit data, etc., from a tampering operation or an altering operation. The tamper respondent covering protects data from a tampering operation or an altering operation by erasing the data or disabling operation of the electronic part containing the data in response to an act of attempting to remove the covering from a printed circuit board of the electronic part or to drill a hole in the covering.
    Type: Grant
    Filed: July 23, 2012
    Date of Patent: November 19, 2013
    Inventor: Cheol Jae Lee
  • Patent number: 8590060
    Abstract: A method and apparatus for interfacing a host computer with a hard drive cartridge is disclosed in one embodiment. The virtual device interface is divided between a kernel component in a driver stack of the kernel space and a user component configured to run in user space. The kernel component passes data commands from the operating system to a cartridge dock while separating other commands that are passed to the user component. The user component authenticates the kernel component and/or the hard drive cartridge. Use of the removable hard drive cartridge is also authorized by the user component.
    Type: Grant
    Filed: October 8, 2010
    Date of Patent: November 19, 2013
    Assignee: Tandberg Data Holdings S.A.R.L.
    Inventor: Daniel J. Walkes
  • Patent number: 8589702
    Abstract: A client hosted virtualization system (CHVS) includes a processor to execute code, a component, and a non-volatile memory. The non-volatile memory includes BIOS code and code to implement a virtualization manager. The virtualization manager is operable to initialize the CHVS, launch a virtual machine on the CHVS, and assign the component to the virtual machine, such that the virtual machine has control of the component. The CHVS is configurable to execute the BIOS and not the virtualization manager, or to execute the virtualization manager and not the BIOS.
    Type: Grant
    Filed: May 10, 2011
    Date of Patent: November 19, 2013
    Assignee: Dell Products, LP
    Inventors: Yuan-Chang Lo, Shree Dandekar
  • Patent number: 8590051
    Abstract: According to one embodiment, an information processing apparatus includes an identifier generation module, an identifier write module, an identifier storage, and a removable media control module. The identifier generation module generates a media identifier for a removable medium connected to the information processing apparatus. The identifier write module writes the generated media identifier in a predetermined area in the removable medium. The identifier storage stores the generated media identifier in an identifier list. The removable media control module permits use of a removable medium which is newly connected to the information processing apparatus if a media identifier included in the identifier list is written in a predetermined area in the newly connected removable medium.
    Type: Grant
    Filed: October 18, 2011
    Date of Patent: November 19, 2013
    Assignee: Kabushiki Kaisha Toshiba
    Inventors: Takeshi Watakabe, Yuji Fujiwara
  • Patent number: 8582757
    Abstract: A method for protecting the execution of a ciphering or deciphering algorithm against the introduction of a disturbance in a step implementing one or several first values obtained from second values supposed to be invariant and stored in a non-volatile memory in which, during an execution of the algorithm: a current signature of the first values is calculated; this current signature is combined with a reference signature previously stored in a non-volatile memory; and the result of this combination is taken into account at least in the step of the algorithm implementing said first values.
    Type: Grant
    Filed: August 26, 2009
    Date of Patent: November 12, 2013
    Assignee: STMicroelectronics (Rousset) SAS
    Inventors: Albert Martinez, Yannick Teglia
  • Patent number: 8583944
    Abstract: In one embodiment, a circuit arrangement for performing cryptographic operations is provided. The circuit includes a substitution block, a cryptographic circuit coupled to the substitution block, and a balancing circuit coupled to the substitution block. The substitution block includes a memory unit storing substitution values and ones-complement values that are corresponding ones-complements of the substitution values. The substitution block, responsive to a request to read a specified one of the substitution values, concurrently reads and outputs the specified substitution value and the corresponding ones-complement value. A power consumed in reading the specified substitution value is uniform with a power consumed in reading another one of the substitution values. The cryptographic circuit and the balancing circuit are configured to concurrently operate on each substitution value and the corresponding ones-complement value read from the memory, respectively.
    Type: Grant
    Filed: August 4, 2010
    Date of Patent: November 12, 2013
    Assignee: Xilinx, Inc.
    Inventor: Stephen M. Trimberger
  • Patent number: 8582761
    Abstract: A method determines an elliptical curve, suitable for a cryptographic method. An elliptical curve to be tested is prepared. The order of a twisted elliptical curve associated with the elliptical curve to be tested is determined. It is automatically checked whether the order of the twisted elliptical curve is a strong prime number. If the order of the twisted elliptical curve is a strong prime number, the elliptical curve to be tested is selected as an elliptical curve suitable for cryptographical methods.
    Type: Grant
    Filed: March 6, 2007
    Date of Patent: November 12, 2013
    Assignee: Siemens Aktiengesellschaft
    Inventors: Jean Georgiades, Anton Kargl, Bernd Meyer
  • Patent number: 8581743
    Abstract: A system for extending the Smart Meter's range to connect to Home Area Networks for energy monitoring and demand response in a variety of locations. The system has a data concentrator with a wireless communicating module configured to transmit and receive information at one or more first frequencies ranging up to 2.4 GHz, and a power-line module configured to transmit and receive information at one or more frequencies ranging from about 100 to 30 MHz. The data concentrator receives power information from one or more Smart Meters and converts the wireless signal to a power-line carrier signal over all three existing phases of the AC wiring. The system also includes a wireless and power-line carrier bridge that converts the power-line carrier signal back to a wireless signal to connect to various Home Area Network (HAN) devices such as programmable communicating thermostats (PCTs), smart appliances and in-home displays (IHDs).
    Type: Grant
    Filed: February 14, 2013
    Date of Patent: November 12, 2013
    Assignee: Jetlun Corporation
    Inventors: Tat-Keung Chan, Elsa A. Chan
  • Patent number: 8577033
    Abstract: A cable television system provides conditional access to services. The cable television system includes a headend from which service “instances,” or programs, are broadcast and a plurality of set top units for receiving the instances and selectively decrypting the instances for display to system subscribers. The service instances are partially-encrypted using public and/or private keys provided by service providers or central authorization agents. Keys used by the set tops for selective decryption may also be public or private in nature, and such keys may be reassigned at different times to provide a cable television system in which piracy concerns are minimized.
    Type: Grant
    Filed: June 25, 2003
    Date of Patent: November 5, 2013
    Inventors: Anthony J. Wasilewski, Howard G. Pinder
  • Patent number: 8577042
    Abstract: A system includes a transmit unit to transmit a signal including a data key, and a receiving unit to receive the signal. The receiving unit to determine an encryption key based at least in part on the data key and to decrypt encrypted data using the encryption key.
    Type: Grant
    Filed: June 21, 2007
    Date of Patent: November 5, 2013
    Assignee: RF Code, Inc.
    Inventor: David Worthy
  • Patent number: 8578179
    Abstract: Techniques for execution of commands securely within a storage device are disclosed. Integrity of a command interpreter is verified before allowing it to execute commands within the storage device. The integrity of the commands can also be checked to safeguard against various threats including, for example, malicious attacks, unintentional errors and defects that can adversely affect stored content and execution. Error recovery techniques can be used to reconstruct the command interpreter and/or commands that are found to be defective. In addition, secure techniques can be used to obtain trusted versions of the command interpreter and/or commands from an authenticated external source.
    Type: Grant
    Filed: October 19, 2007
    Date of Patent: November 5, 2013
    Assignee: Samsung Electronics Co., Ltd
    Inventors: Onur Aciicmez, Xinwen Zhang
  • Patent number: 8577028
    Abstract: There are disclosed systems and methods for computing an exponentiated message. In one embodiment blinding is maintained during the application of a Chinese Remainder Theorem (CRT) algorithm and then removed subsequent to the completion of the CRT algorithm. In another embodiment, fault injection attacks, such as the gcd attack, can be inhibited by applying and retaining blinding during the application of the CRT algorithm to yield a blinded exponentiation value, and then subsequently removing the blinding in a manner that causes an error injected into the CRT computation to cascade into the exponent of the value used to unblind the blinded exponentiated value.
    Type: Grant
    Filed: February 18, 2010
    Date of Patent: November 5, 2013
    Assignee: Certicom Corp.
    Inventors: Nevine Maurice Nassif Ebeid, Robert John Lambert
  • Patent number: 8578464
    Abstract: A system and method for securely streaming encrypted digital media content out of a digital container to a user's media player. This streaming occurs after the digital container has been delivered to the user's machine and after the user has been authorized to access the encrypted content. The user's operating system and media player treat the data stream as if it were being delivered over the Internet (or other network) from a streaming web server. However, no Internet connection is required after the container has been delivered to the user and the data stream suffers no quality loss due to network traffic or web server access problems. Encrypted content files are decrypted and fed to the user's media player in real time and are never written to the user's storage device. This process makes unauthorized copying of the digital content contained in the digital container virtually impossible.
    Type: Grant
    Filed: August 29, 2012
    Date of Patent: November 5, 2013
    Assignee: Digital Reg of Texas, LLC
    Inventors: Carl Vernon Ventors, III, Eugene B. Phillips, II, Seth Ornstein
  • Patent number: 8578480
    Abstract: Computer-implemented systems and methods for identifying illegitimate messaging activity on a system using a network of sensors.
    Type: Grant
    Filed: June 9, 2006
    Date of Patent: November 5, 2013
    Assignee: McAfee, Inc.
    Inventors: Paul Judge, Dmitri Alperovitch, Sven Krasser, Phyllis Adele Schneck, Jonathan Alexander Zdziarski
  • Patent number: 8572745
    Abstract: A system, method, and computer program product are provided for selecting a wireless network based on security information. In use, a plurality of wireless networks is identified. Further, security information associated with each of the wireless networks is collected, such that one of the wireless networks is selected based on the security information.
    Type: Grant
    Filed: January 7, 2008
    Date of Patent: October 29, 2013
    Assignee: McAfee, Inc.
    Inventor: Sankha Subhra Dey
  • Patent number: 8572411
    Abstract: The present invention provides systems and methods for secure transaction management and electronic rights protection. Electronic appliances such as computers equipped in accordance with the present invention help to ensure that information is accessed and used only in authorized ways, and maintain the integrity, availability, and/or confidentiality of the information. Such electronic appliances provide a distributed virtual distribution environment (VDE) that may enforce a secure chain of handling and control, for example, to control and/or meter or otherwise monitor use of electronically stored or disseminated information. Such a virtual distribution environment may be used to protect rights of various participants in electronic commerce and other electronic or electronic-facilitated transactions. Distributed and other operating systems, environments and architectures, such as, for example, those using tamper-resistant hardware-based processors, may establish security at each node.
    Type: Grant
    Filed: May 14, 2010
    Date of Patent: October 29, 2013
    Assignee: Intertrust Technologies Corporation
    Inventors: Karl L. Ginter, Victor H. Shear, Francis J. Spahn, David M. Van Wie
  • Patent number: 8571210
    Abstract: The present invention relates to a content protection apparatus and method using binding of additional information to an encryption key. The content protection apparatus includes an encryption unit for creating an encryption key required to encrypt data requested by a user terminal and then generating encrypted data in which the data is encrypted. An additional information management unit manages additional information including authority information about the encrypted data. A White-Box Cryptography (WBC) processing unit generates a WBC table required to bind the encryption key corresponding to the encrypted data to the additional information. A bound data generation unit generates bound data in which the encrypted key is bound to the additional information, using a cipher included in the WBC table.
    Type: Grant
    Filed: September 22, 2011
    Date of Patent: October 29, 2013
    Assignee: Electronics and Telecommunications Research Institute
    Inventors: Sin-Hyo Kim, Yun-Kyung Lee, Byung-Ho Chung, Hye-Ran Mun, Sang-Woo Lee, Sok-Joon Lee, Jung-Yeon Hwang, Gun-Tae Bae, Hyun-Sook Cho
  • Patent number: 8572759
    Abstract: A communication management system includes: a normal signature list which stores a list of signatures of normal communication; a search circuit which acquires communication data and searches the normal signature list to check if the signature of the communication data appears in the list; and a warning unit which issues a warning when communication data does not match any signature in the normal signature list. An operator terminal includes: a determination result acquisition unit which indicates whether or not communication data against which a warning has been issued is normal; and a normal signature list update unit which, when communication data against which a warning has been issued is found to be normal, adds the signature of the communication data to the normal signature list.
    Type: Grant
    Filed: August 24, 2006
    Date of Patent: October 29, 2013
    Assignee: Duaxes Corporation
    Inventors: Mitsugu Nagoya, Genta Iha
  • Patent number: 8566572
    Abstract: A method of masking the end-of-life transition of a microprocessor electronic device including reprogrammable non-volatile memory containing an end-of-life state variable. On booting, the value of the variable is loaded into RAM. After executing any current command, it is verified whether the value of the variable stored in RAM is FALSE. If the response is negative, the end-of-life transition is executed. Otherwise, initialization or execution of the command is continued. On detecting an intrusive attack, it is instantiated by writing the TRUE value to the end-of-life state variable in RAM only and then deferring writing of the TRUE value to the variable in the non-volatile memory until the next write operation. The invention is applicable to any electronic device, smart card, etc.
    Type: Grant
    Filed: November 21, 2008
    Date of Patent: October 22, 2013
    Assignee: Morpho
    Inventors: Hervé Pelletier, Pascal Dumas
  • Patent number: 8566925
    Abstract: Systems and methods are disclosed for an appliance to authenticate access of a client to a protected directory on a server via a connection, such as a secure SSL connection, established by the appliance. A method comprises the steps of: receiving, by an appliance, a first request from a client on a first network to access a server on a second network, the appliance providing the client a virtual private network connection from the first network to the second network; determining, by the appliance, the first request comprises access to a protected directory of the server; associating, by the appliance, an authentication policy with the protected directory, the authentication policy specifying an action to authenticate the client's access to the protected directory; and transmitting, by the appliance in response to the authentication policy, a second request to the client for an authentication certificate. Corresponding systems are also disclosed.
    Type: Grant
    Filed: August 3, 2006
    Date of Patent: October 22, 2013
    Assignee: Citrix Systems, Inc.
    Inventors: Sivaprasad Udupa, Tushar Kanekar, Tejus Ag