By Authorizing Client Patents (Class 726/29)
  • Patent number: 8549655
    Abstract: Unit for secure processing access controlled audio/video data capable of receiving control messages (ECM) comprising at least one first control word (CW1) and first right execution parameters (C1), at least one second control word (CW2) and second right execution parameters (C2), said processing unit being connected to a first access control device (CA1), said processing unit is characterized in that it comprises: —means for verifying and applying the first right execution parameters (C1) in relation to the contents of a memory (M1) of said first access control device (CA1) and means for obtaining the first control word CW1, —a second access control device (CA2) integrated into the processing unit UT including means for verifying and applying the second right execution parameters (C2) in relation to the contents of a memory (M2) associated to said second access control device (CA2) and means for obtaining the second control word (CW2), —a deciphering module (MD) capable of deciphering, sequentially with the f
    Type: Grant
    Filed: May 28, 2009
    Date of Patent: October 1, 2013
    Assignee: Nagravision S.A.
    Inventors: Fabien Gremaud, Joel Wenger
  • Publication number: 20130254903
    Abstract: An information processing system including multiple apparatuses capable of executing one or more applications and an information processor connected to the apparatuses through a first network is disclosed. The information processing system includes a license status information obtaining part configured to obtain the license status information of the applications installed in each of the apparatuses from the corresponding apparatuses through the first network, a license data obtaining part configured to obtain license data authorizing usage of the applications from a computer connected through a second network based on the license status information, and a license data delivery part configured to deliver the license data to each of the apparatuses.
    Type: Application
    Filed: May 14, 2013
    Publication date: September 26, 2013
    Inventor: Ryoji ARAKI
  • Publication number: 20130254902
    Abstract: A method for alerting Internet content providers of the age or other personal information of a computer user, which includes receiving a reverse DNS lookup query from an Internet content provider; and providing the age information of the computer user, in addition to a host name, from a reverse map zone file in response to the request. The personal information may be used by the content provider to select appropriate content for the requesting host, for example for complying with content restrictions. A system of alerting an Internet content provider of the age or other personal information of a computer user is also provided.
    Type: Application
    Filed: May 13, 2013
    Publication date: September 26, 2013
    Inventor: Gary Stephen Shuster
  • Patent number: 8543813
    Abstract: Computer-implemented methods and apparatus to perform a valid transfer of an electronic mobile ticket on a mobile device by a ticketing application system of a ticket processing center. One method includes: receiving a first electronic message from a first user, where the first message includes an encrypted electronic mobile ticket and a mobile device number of a second user, and where the electronic mobile ticket is encrypted with a key shared between the first user and the ticketing application system; decrypting the encrypted electronic mobile ticket; generating an electronic mobile ticket encrypted with a key shared by the ticketing application system and the second user; and transmitting a second electronic message that includes the electronic mobile ticket encrypted with the key shared between the ticketing application system and the second user to a mobile device of the second user.
    Type: Grant
    Filed: September 29, 2010
    Date of Patent: September 24, 2013
    Assignee: International Business Machines Corporation
    Inventors: Chen Hua Feng, He Yuan Huang, Xiao Xi Liu, Bin Wang
  • Patent number: 8544108
    Abstract: To provide a copyright protection storage medium in which copyright protected contents are recorded by an information recording apparatus connected to a content server providing copyright protected contents and a license server handling licenses concerning recording/playback of the copyright protected contents through a network, in which the copyright protected contents are written by a simple copy-and-paste when the information recording apparatus is possessed by a prescribed user, and the copyright protected contents are written by combining a domain model which assures playback in the apparatus and a media-bind model when the information recording apparatus is possessed by another user.
    Type: Grant
    Filed: June 27, 2007
    Date of Patent: September 24, 2013
    Assignee: Sony Corporation
    Inventors: Yoji Kawamoto, Norifumi Goto, Ryuji Ishiguro
  • Patent number: 8544078
    Abstract: A flexible network security system and method is provided for permitting a trusted process. The system includes a port monitoring unit for extracting information about a server port being used through a network communication program, an internal permitted program storage for extracting information about a program for which communication is permitted by the firewall and registering the extracted information, an internal permitted port storage registering the extracted information if the network communication program is registered in the internal permitted program storage; and a device for making the firewall flexible, determining whether a destination port of a packet of inbound traffic has been registered in the internal permitted port storage, and if the destination port has not been registered, transmitting the corresponding packet to the firewall, and if the destination port has been registered, allowing the corresponding packet to bypass the firewall.
    Type: Grant
    Filed: December 27, 2004
    Date of Patent: September 24, 2013
    Assignee: Cap Co., Ltd.
    Inventor: Dong-Hyuk Lee
  • Patent number: 8543827
    Abstract: In a system for providing access control management to electronic data, techniques to secure the electronic data and keep the electronic data secured at all times are disclosed. According to one embodiment, a secured file or secured document includes two parts: an attachment, referred to as a header, and an encrypted document or data portion. The header includes security information that points to or includes the access rules and a file key. The access rules facilitate restrictive access to the secured document and essentially determine who/when/how/where the secured document can be accessed. The file key is used to encrypt/decrypt the encrypted data portion. Only those who have the proper access privileges are permitted to retrieve the file key to encrypt/decrypt the encrypted data portion.
    Type: Grant
    Filed: March 27, 2008
    Date of Patent: September 24, 2013
    Assignee: Intellectual Ventures I LLC
    Inventors: Denis Jacques Paul Garcia, Michael Michio Ouye, Alain Rossmann, Steven Toye Crocker, Eric Gilbertson, Weiqing Huang, Serge Humpich, Klimenty Vainstein, Nicholas Michael Ryan
  • Patent number: 8544103
    Abstract: Systems and methods for controlling accuracy of transmitted information are described. A package is assembled based on a numerical value, such as a measurement, and one or more policies associated with the sender. When the package is received by a receiver, it is unpacked to yield a second value representing the numerical value and having a reduced accuracy with respect to the first value. The accuracy reduction depends on policies associated with the receiver and/or the sender. Examples of numerical values in different applications include geo-location data, medical data, and financial data.
    Type: Grant
    Filed: May 4, 2010
    Date of Patent: September 24, 2013
    Assignee: Intertrust Technologies Corporation
    Inventor: Jarl A. Nilsson
  • Patent number: 8544111
    Abstract: An audio-video display device can download from a third party server a licensable component on which a royalty is to be paid. Various methods are disclosed for accounting for royalties associated with downloading the licensable component to the client device between the third party server and a client device manufacturer server.
    Type: Grant
    Filed: February 24, 2011
    Date of Patent: September 24, 2013
    Assignee: Sony Corporation
    Inventors: Peter Shintani, Ludovic Etienne Douillet
  • Patent number: 8543837
    Abstract: In a gaming environment, a method of periodically downloading dynamically generated executable modules at random intervals that perform system configuration integrity checks in a secure and verifiable manner is disclosed. The dynamically generated executable module returns the signature to a server from which it was downloaded and deletes itself from the system being checked. The next time such an executable module is downloaded, it will contain a different randomly chosen subset of hashing and encryption algorithms. The server that is performing the system configuration integrity check maintains a database of expected system configurations and performs the subset of hashing and encryption algorithms as contained in the dynamically generated executable module. The result returned by the downloaded executable module is compared to that computed locally, and an error condition is raised if they do not match.
    Type: Grant
    Filed: December 20, 2011
    Date of Patent: September 24, 2013
    Assignee: IGT
    Inventors: Robert Bigelow, Jr., Dwayne A Davis, Kirk Rader
  • Patent number: 8544110
    Abstract: Database management and security is implemented in a variety of embodiments. In one such embodiment, data sets containing sensitive data elements are analyzed using aliases representing sensitive data elements. In another embodiment, the sensitive data elements are stored in an encrypted form for use from a secure access, while the alias is available for standard access.
    Type: Grant
    Filed: May 15, 2012
    Date of Patent: September 24, 2013
    Assignee: Verisk Crime Analytics, Inc.
    Inventors: David A. Duhaime, Brad J. Duhaime
  • Patent number: 8543094
    Abstract: A system and method for configuring devices for wireless communication are disclosed. A method may include transmitting an activation key from an activation broker to a wireless agent. The method may also include transmitting the activation key from the activation broker to a wireless registrar. At least one of the transmission of the activation key to the wireless agent and the transmission of the activation key to the wireless registrar may include transmitting the activation key via a short-range wireless communication technology. In addition, the activation key may include information for authenticating wireless communication between the wireless agent and a wireless access point.
    Type: Grant
    Filed: May 17, 2011
    Date of Patent: September 24, 2013
    Assignee: Dell Products L.P.
    Inventors: Yuan-Chang Lo, Liam Quinn
  • Publication number: 20130247227
    Abstract: A strategy is described for controlling access to a resource which is shared between a trusted environment and an untrusted environment. The resource can represent a clipboard module. The trusted environment can include trusted client functionality, while the untrusted environment can include potentially untrusted network-accessible entities (e.g., websites) which seek to access the clipboard module. The strategy provides a security presentation which notifies a user when a network-accessible entity is attempting to access the clipboard module, identifying the entity which is making the attempt, together with the nature of the information being read or added to the clipboard module. The security presentation invites the user to approve or deny the particular attempt (or all such attempts from the network-accessible entity), and/or clear the clipboard module. The security presentation does not block the user's interaction with other parts of a user interface presentation.
    Type: Application
    Filed: May 6, 2013
    Publication date: September 19, 2013
    Applicant: Microsoft Corporation
    Inventors: Sunava Dutta, Zhenbin Xu
  • Publication number: 20130247226
    Abstract: Techniques which allow definition and enforcement of connectivity-based action and execution authorization policies. On a computer, an action or execution attempt is intercepted in real-time. The connectivity state of the computer, the subject process, the program file of the subject process, the attempted action and the object of the attempted action are determined. An authorization policy considering the connectivity state indicates whether the attempted action is authorized or not. In a tracking mode, the attempted action and its authorization are logged and the attempted action is allowed to proceed. In an enforcement mode, unauthorized attempts are blocked and logged, thereby enforcing the authorization policy.
    Type: Application
    Filed: May 18, 2006
    Publication date: September 19, 2013
    Applicant: SolidCore Systems, Inc.
    Inventors: E. John Sebes, Rishi Bhargava, David P. Reese
  • Publication number: 20130247228
    Abstract: This application discloses methods, systems, and servers for digital right management. One such method may include the steps of: combining content of multiple digital files selected by a user into a new digital file; encrypting the new digital file and generating authorization information according to a key used in the encryption and information of a client where the user logs in; and transmitting the authorization information to the client to instruct the client to use the new digital file based on the authorization information. In some embodiments, contents of multiple digital files selected by a user may be combined into a new digital file, and authorization information for the new digital file may be transmitted to the client, thus achieving authorization for digital works from multiple sources.
    Type: Application
    Filed: May 13, 2013
    Publication date: September 19, 2013
    Applicants: BEIJING FOUNDER APABI TECHNOLOGY LTD., PEKING UNIVERSITY FOUNDER GROUP CO., LTD.
    Inventors: Haitao WANG, Ke HUANG, Fengrui ZUO
  • Patent number: 8539605
    Abstract: A data encryption device is connected between an HDD and an HDD controller that controls the HDD. The data encryption device encrypts data that is stored from the HDD controller to the HDD, and decrypts data that is read from the HDD. A CPU of the data encryption device receives a command issued from the HDD controller to the HDD, and determines whether the command is executable at the HDD. When it is determined that the command is executable, the command is issued to the HDD. On the other hand, when it is determined that the command is unexecutable, the CPU prohibits issuance of the command to the HDD. Furthermore, when a command issued to the HDD is a specific command, the CPU bypasses data transferred between the HDD controller and the HDD without encryption or decryption.
    Type: Grant
    Filed: February 23, 2007
    Date of Patent: September 17, 2013
    Assignee: Canon Kabushiki Kaisha
    Inventors: Akio Ito, Nobuhiro Tagashira
  • Patent number: 8539599
    Abstract: Provided personal information from a user may be determined, the provided personal information being associated with network publication thereof. A comparison of the provided personal information with password-related information may be performed. Based on the comparison, it may be determined that a risk level associated with the network publication relative to password security of at least one password associated with the password-related information exceeds a predetermined risk level. The user may be notified that the network publication of the provided personal information is associated with potential compromise of the password security of the at least one password.
    Type: Grant
    Filed: December 28, 2010
    Date of Patent: September 17, 2013
    Assignee: SAP AG
    Inventors: Laurent Gomez, Slim Trabelsi, Aymen Mouelhi
  • Patent number: 8537395
    Abstract: An image processing apparatus associates application information to connect to a server device and a client certificate to transmit to the server device with each other and stores therein the associated application information and client certificate. An application managing part activates a browser with designating transmission of the client certificate which is associated with the application information. The browser transmits the client certificate identified by the application managing part to the server device when a request for transmission of the client certificate is received from the server device. As the result, the image processing apparatus reduces operation load placed on a user to transmit the client certificate to the server device. Moreover, the appropriate client certificate may be transmitted to the server device without lowering efficiency in processing. So, data communication between the image processing apparatus and the server device may be established rapidly.
    Type: Grant
    Filed: December 21, 2010
    Date of Patent: September 17, 2013
    Assignee: Konica Minolta Business Technologies, Inc.
    Inventor: Toshiya Shozaki
  • Patent number: 8539181
    Abstract: A storage device in which file data is divided into multiple blocks for storage on a recording medium. The storage device includes an additional data storing section for storing additional data to be recorded on the recording medium in association with the data to be written, a position determining section for determining recording positions on the recording medium where the blocks should be respectively written, based on the additional data, and a block writing section for writing the respective blocks on the recording positions on the recording medium determined by the recording position determining section. The additional data thus defines a gap length between blocks of recorded data. During a read operation, if the gap length does not comport with the additional data, then an error is assumed.
    Type: Grant
    Filed: March 31, 2006
    Date of Patent: September 17, 2013
    Assignee: International Business Machines Corporation
    Inventors: Tomoaki Kimura, Satoshi Tohji
  • Patent number: 8539607
    Abstract: The present invention discloses a method for validating user equipment, a device identity register and an access control system. Wherein the method for validating user equipment comprises: setting a central device identity register shared by different networks, wherein illegal user equipment identities are stored in the central device identity register; the central device identity register receiving an ID validation request from a mobility management entity, wherein the ID validation request carries ID parameters of a user equipment; the central device identity register validating the validity of the user equipment according to the ID parameters, and returning a validation result to the mobility management entity. In virtue of the present invention, the accessing of the illegal non-3GPP network user equipment which is capable of accessing 3GPP network to the 3GPP network is able to be controlled.
    Type: Grant
    Filed: September 24, 2008
    Date of Patent: September 17, 2013
    Assignee: ZTE Corporation
    Inventors: Jie Lu, Lin Zhaoji, Hu Jie
  • Patent number: 8539595
    Abstract: An information processing apparatus in which a part of a plurality of different programs included in an application package is validated includes an invalidation command input unit configured to input a command to invalidate a license of the application package, a generation unit configured to generate invalidation verification data by invalidating the license of the program which is included in the application package, is already installed in the information processing apparatus, and has a validated license, and to generate invalidation verification data of the license of the program without installing the program which is included in the application package and is not installed in the information processing apparatus, and an output unit configured to output the invalidation verification data generated by the generation unit.
    Type: Grant
    Filed: March 8, 2010
    Date of Patent: September 17, 2013
    Assignee: Canon Kabushiki Kaisha
    Inventor: Masanori Tsuboi
  • Patent number: 8539596
    Abstract: A method for hindering detection of information unintentionally leaked from a secret held in a memory unit is described, the method including receiving a triggering event; waiting for at least a first amount of time to pass after the receipt of the triggering event, the memory unit being in a non-operational state during the at least a first amount of time; after the at least a first amount of time has passed, changing at least one first condition under which the memory unit operates, thereby causing the memory unit to enter an operational state; waiting for a second amount of time to pass after the changing at least one first condition; and changing, after the second amount of time, at least one second condition under which the memory unit operates, thereby causing the memory unit to enter the non-operational state, wherein access to the secret information is enabled only during the second amount of time, and detection of secret information unintentionally leaked is limited during the first amount of time.
    Type: Grant
    Filed: May 21, 2009
    Date of Patent: September 17, 2013
    Assignee: Cisco Technology Inc.
    Inventors: Chaim Shen-Orr, Zvi Shkedy, Reuven Elbaum, Yonatan Shlomovich, Yigal Shapiro, Yaacov Belenky, Yaakov (Jordan) Levy, Reuben Sumner, Itsik Mantin
  • Patent number: 8539219
    Abstract: An information access apparatus has an activation state permitting an information access to a recording medium, and a non-activation state permitting a change to the activation state. The apparatus comprises: a medium access section that permits, in the activation state, information access and ejection of the recording medium out of the information access apparatus; an instruction operating section that receives instruction operation for instructing the ejection of the recording medium; and an activation control section that controls change from the non-activation state to the activation state of the information access apparatus in such a manner that when the recording medium is loaded, change from the non-activation state to the activation state is permitted in response to reception of the instruction operation by the instruction operating section, and when the recording medium is not loaded, change from the non-activation state to the activation state is inhibited.
    Type: Grant
    Filed: September 20, 2007
    Date of Patent: September 17, 2013
    Assignee: Fujitsu Limited
    Inventor: Masatoshi Kimura
  • Publication number: 20130239232
    Abstract: Methods and systems for providing an enterprise license registrar anchor point are provided. More particularly, an enterprise license registrar is established within an enterprise system using license files and a certificate provided by an external license authority. The enterprise license registrar operates within the enterprise system to maintain a record of allocations of license rights by license manager servers to application instances. The enterprise license registrar logs the report data. The log files are digitally signed or encrypted to prevent tampering by the enterprise system, and are delivered to the external license authority, without requiring a persistent connection between the external license authority and the enterprise system. The enterprise system can comprise a virtualized environment.
    Type: Application
    Filed: March 7, 2012
    Publication date: September 12, 2013
    Applicant: AVAYA INC.
    Inventors: John H. Yoakum, William T. Walker
  • Publication number: 20130239231
    Abstract: In an embodiment, communication is controlled between a service provider web application executed in a first web browser instance on a device platform of the device and a partner web application executed in a second web browser instance on the device platform. A signal is received, at a control module at the device, from the partner web application, the signal for initiating communication between the partner web application and the service provider web application. The control module, provided by the service provider and installed on the device, uses technology that is native to the device platform. The control module uses a list of partners approved by the service provider to determine whether the partner web application is approved for communication with the service provider web application. If the control module determines the partner web application is approved, the control module allows communication to proceed.
    Type: Application
    Filed: March 7, 2012
    Publication date: September 12, 2013
    Inventors: Jacek Korycki, Alok Khanna
  • Publication number: 20130239233
    Abstract: There is provided a system and method for distributors to use an interoperable key chest. There is provided a method for use by a distributor to obtain content access authorizations from a key chest or central key repository (CKR), the method comprising receiving a user request from a user device for access to an encrypted content identified by a content identification, transmitting a key request to the CKR including the content identification, receiving an encrypted first key from the CKR, decrypting the encrypted first key using a second key to retrieve the first key, and providing a DRM license for the encrypted content to the user device using the first key for use by the user device to decrypt the encrypted content using the first key. By generating such DRM licenses, distributors can unlock protected content even sourced from distributors using different DRM schemas.
    Type: Application
    Filed: April 25, 2013
    Publication date: September 12, 2013
    Applicant: Disney Enterprises, Inc.
    Inventors: Arnaud Robert, Scott F. Watson
  • Patent number: 8533851
    Abstract: The present invention provides systems and methods for electronic commerce including secure transaction management and electronic rights protection. Electronic appliances such as computers employed in accordance with the present invention help to ensure that information is accessed and used only in authorized ways, and maintain the integrity, availability, and/or confidentiality of the information. Secure subsystems used with such electronic appliances provide a distributed virtual distribution environment (VDE) that may enforce a secure chain of handling and control, for example, to control and/or meter or otherwise monitor use of electronically stored or disseminated information. Such a virtual distribution environment may be used to protect rights of various participants in electronic commerce and other electronic or electronic-facilitated transactions.
    Type: Grant
    Filed: April 12, 2006
    Date of Patent: September 10, 2013
    Assignee: Intertrust Technologies Corporation
    Inventors: Karl L. Ginter, Victor H. Shear, W. Olin Sibert, Francis J. Spahn, David M. Van Wie
  • Patent number: 8533859
    Abstract: The various embodiments of the present invention provide a secure software distribution and execution method. According to the method, a server receives software from a service provider for downloading to a client and identifies the sections for encoding. APIs are inserted in the identified sections. A unique ID is created based on the identity of each client to generate an encryption algorithm, decryption key and decryption algorithm. The identified sections are encrypted with the generated encryption algorithm. The encrypted application along with the encryption algorithm, decryption key and decryption algorithm are downloaded to the driver of the client machine. The API makes a call to the driver by sending the encrypted segment when the encrypted portion is reached during the execution of software in the client machine so that the driver decrypts the encoded portion using the received key and the decryption algorithm to enable the continuous execution of the downloaded software.
    Type: Grant
    Filed: April 13, 2009
    Date of Patent: September 10, 2013
    Assignee: Aventyn, Inc.
    Inventors: Bhaktha Ram Keshavachar, Navin Govind
  • Patent number: 8533856
    Abstract: Methods and apparatus are provided, such as a memory card with a processor and nonvolatile memory coupled thereto. The nonvolatile memory has a secure area configured to store a user password and a serial number in encrypted form. The card is configured to grant access to the secure area when the card receives a password that matches the stored user password and the card is coupled to a system having the serial number.
    Type: Grant
    Filed: September 25, 2009
    Date of Patent: September 10, 2013
    Assignee: Micron Technology, Inc.
    Inventors: Petro Estakhri, Ngon Le
  • Patent number: 8533860
    Abstract: The invention is an apparatus that facilitates access to a data source to accept verification and authentication from an enabler using at least one token and at least one reference. The at least one reference could be a device serial number, a networking MAC address, or a membership ID reference from a web service. Access to the data source is also managed with a plurality of secondary enablers.
    Type: Grant
    Filed: January 11, 2013
    Date of Patent: September 10, 2013
    Inventor: William Grecia
  • Patent number: 8533809
    Abstract: Methods for evaluating data packets addressed to a wireless communication device are disclosed herein. When in a dormant state, a wireless communication device receives page messages indicating a source of data packets addressed to the wireless communication device and determines whether the data packets represent unwanted traffic. When in an active state, the wireless communication device examines data packets to determine if the received packets represent unwanted traffic, and in response to determining that the traffic is unwanted, the wireless communication device transitions into a dormant state or enters an idle state from which the wireless communication device can transition into the dormant state.
    Type: Grant
    Filed: May 29, 2009
    Date of Patent: September 10, 2013
    Assignee: Sprint Spectrum L.P.
    Inventors: Hui Zang, Tao Ye
  • Patent number: 8533829
    Abstract: A method for monitoring the managed devices comprises that the manage center preserves the integrality list in advance, which includes the system integrality values of the managed devices and the corresponding relations of the managed devices and the system integrality values of themselves, and the managed device gathers the current system integrality value of itself and saves it when it starts; the managed device sends the information including the current system integrality value to the manage center after receiving the monitor command from the manage center; the manage center determines whether the received current system integrality value of the managed device coincides with the integrality value of the managed device saved by itself according to the received information and said integrality list, and implements the alert process when they do not coincide with each other.
    Type: Grant
    Filed: December 8, 2005
    Date of Patent: September 10, 2013
    Assignee: Beijing Lenovo Software Ltd.
    Inventors: Wei Wei, Yadong Qu, Jun Chen
  • Patent number: 8533784
    Abstract: A system and method for separating control of a network interface device. A portion of a network interface device (NID) is partitioned for utilization by a user. Permissions are established for management of the partitioned portion of the NID. The permissions include permissions that deny a service provider access to the partitioned portion. Access is granted for the service provider to manage the partitioned portion of the NID. Activities performed by the service provider in the partitioned portion of the NID are logged in response to granting access to the service provider and the permissions denying the service provider access.
    Type: Grant
    Filed: April 30, 2009
    Date of Patent: September 10, 2013
    Assignee: CenturyLink Intellectual Property LLC
    Inventor: Michael K. Bugenhagen
  • Patent number: 8533854
    Abstract: The present invention provides systems and methods for secure transaction management and electronic rights protection. Electronic appliances such as computers equipped in accordance with the present invention help to ensure that information is accessed and used only in authorized ways, and maintain the integrity, availability, and/or confidentiality of the information. Such electronic appliances provide a distributed virtual distribution environment (VDE) that may enforce a secure chain of handling and control, for example, to control and/or meter or otherwise monitor use of electronically stored or disseminated information. Such a virtual distribution environment may be used to protect rights of various participants in electronic commerce and other electronic or electronic-facilitated transactions. Distributed and other operating systems, environments and architectures, such as, for example, those using tamper-resistant hardware-based processors, may establish security at each node.
    Type: Grant
    Filed: February 16, 2011
    Date of Patent: September 10, 2013
    Assignee: Intertrust Technologies Corporation
    Inventors: Karl L. Ginter, Victor H. Shear, Francis J. Spahn, David M. Van Wie
  • Patent number: 8533858
    Abstract: Provided are domain contexts indicating user and device based domain systems for being applied to a new digital content protection/management system, and management methods thereof. A concept of “domain” is introduced in the present invention so that various business models can be obtained in accordance with content use of one home or small-sized group. The domain refers to as a group of user and device SAV and PAV indicating a context for being applied to the domain system includes: a domain identifier for specifying a domain as a region containing at least one content execution device and at least one content user; domain authentication information for guaranteeing authenticity of the domain; a user list containing information of users belonging to the domain; and a device list containing devices belonging to the domain.
    Type: Grant
    Filed: April 7, 2006
    Date of Patent: September 10, 2013
    Assignee: Electronics and Telecommunications Research Institute
    Inventors: Young Bae Byun, Bum Suk Choi, Hyon-Gon Choo, Sang Hyun Ju, Je Ho Nam, Jin Woo Hong
  • Patent number: 8533846
    Abstract: A method for dynamically associating, by a server, access rights with a resource includes the step of receiving, by the server, a request for a resource from a client. The server requests, from a policy engine, an identification of a plurality of access rights to associate with the resource, the plurality of access rights identified responsive to an application of a policy to the client. The server associates the resource with the plurality of access rights via a rights markup language. The server transmits the resource to the client with the identification of the associated plurality of access rights. An application program on the client makes an access control decision responsive to the associated plurality of access rights. The application program provides restricted access to the resource responsive to the access control decision.
    Type: Grant
    Filed: November 8, 2006
    Date of Patent: September 10, 2013
    Assignee: Citrix Systems, Inc.
    Inventor: Juan Rivera
  • Patent number: 8533850
    Abstract: A client computer detects a user operation for transmitting data to a server or a storage device, determines whether the detected user operation is a fraudulent manipulation, and, if the determination is a positive result, performs security processing which is processing related to security of data to be transmitted. If the data is data within a group to which the user belongs and a destination of the data is a server or a storage device outside the group, the determination is a positive result.
    Type: Grant
    Filed: June 29, 2010
    Date of Patent: September 10, 2013
    Assignee: Hitachi, Ltd.
    Inventors: Nobuaki Onodera, Makoto Kayashima, Shinichi Tsunoo, Hiroshi Nakagoe, Hiromi Isokawa, Norio Suzuki
  • Patent number: 8533810
    Abstract: An Operations, Administration, and Maintenance (OA&M) 16 provides security for managed resources on a wireless client device 10 at many levels of granularity, from the entire device, to subsystems, to software and hardware components, services and applications, down to individual attributes.
    Type: Grant
    Filed: March 8, 2011
    Date of Patent: September 10, 2013
    Assignee: Intel Corporation
    Inventor: Casey Bahr
  • Patent number: 8533782
    Abstract: A policy store associated with a policy decision point of an access control system is updated. The policy decision point is arranged to provide, in response to received decision requests, access control decisions in dependence on one or more policies stored in the policy store, each policy specifying a predetermined access control decision to be provided in response to a particular access request made in respect of a particular attribute or combination of attributes. The policy decision point is associated with at least one policy enforcement point arranged to implement access control in accordance with access control decisions provided by the policy decision point in response to decision requests submitted by the policy enforcement point, the policy enforcement point having associated therewith an attribute store providing data relating to attributes in respect of which access requests have previously been made via the policy enforcement point.
    Type: Grant
    Filed: December 18, 2009
    Date of Patent: September 10, 2013
    Assignee: British Telecommunications public limited company
    Inventors: Andrea Soppera, Trevor Burbridge
  • Patent number: 8533812
    Abstract: A computer-implemented method for securing access to kernel devices may include (1) identifying a context proxy privileged to access a secure device interface for a device, (2) receiving a request from the context proxy to allow a user-mode process to access a non-secure device interface for the device, (3) receiving a request from the user-mode process to access the non-secure device interface, and then (4) allowing the user-mode process to access the non-secure device interface directly based on the request from the context proxy. Various other methods and systems are also disclosed.
    Type: Grant
    Filed: March 3, 2011
    Date of Patent: September 10, 2013
    Assignee: Symantec Corporation
    Inventor: Basil Gabriel
  • Patent number: 8533801
    Abstract: A system for binding a subscription-based computer to an internet service provider (ISP) may include a binding module and a security module residing on the computer. The binding module may identify and authenticate configuration data from peripheral devices that attempt to connect to the computer, encrypt any requests for data from the computer to the ISP, and decrypt responses from the ISP. If the binding module is able to authenticate the configuration data and the response to the request for data from the ISP, then the security module may allow the communication between the computer and the ISP. However, if either the configuration cycle or the response cannot be properly verified, then the security module may degrade operation of the computer.
    Type: Grant
    Filed: June 14, 2011
    Date of Patent: September 10, 2013
    Assignee: Microsoft Corporation
    Inventors: Todd Carpenter, Shon Schmidt, David J. Sebesta, William J. Westerinen
  • Patent number: 8533849
    Abstract: A method for detecting at least one traitor computer system among a plurality of receiver computer systems including: assigning a version of protected content to each of the plurality of receiver computer systems that are currently identified as innocent by a content protection system that monitors distribution of protected content to the plurality of receiver computer systems; recovering at least one unauthorized rebroadcast of the content; generating a score for each of the plurality of receiver computer systems with respect to the recovered unauthorized rebroadcast; calculating a threshold independent of an estimation of maximum traitor computer systems; checking a highest score against the threshold; incriminating a receiver computer system having the highest score above the threshold as a traitor computer system; and removing any unauthorized rebroadcasts overlapping with the traitor computer system. The process may be repeated from generating scores until all traitors are identified.
    Type: Grant
    Filed: September 7, 2010
    Date of Patent: September 10, 2013
    Assignee: International Business Machines Corporation
    Inventors: Hongxia Jin, Serdar Pehlivanoglu
  • Patent number: 8533799
    Abstract: A service integration platform system includes an interface configured to receive a service request initiated by an Independent Software Vendor (ISV) and one or more processors configured to authenticate the service request and in the event that the service request is authenticated, route the service request to an Internet Service Provider (ISP) providing the service to be further processed. The service request is routed to a deployment environment provided by the ISP in the event that the service request is received on a deployment Universal Resource Identifier (URI) corresponding to the deployment environment; the service request is routed to a test environment provided by the ISP in the event that the service request is received on a test URI corresponding to the test environment.
    Type: Grant
    Filed: June 22, 2009
    Date of Patent: September 10, 2013
    Assignee: Alibaba Group Holding Limited
    Inventors: Wei Ye, Yueping Liang, Wenchu Cen, Lin Wang, Jin Zhao, Tingjia Chen, Seshu Zheng, Yi Zeng
  • Patent number: 8532304
    Abstract: Methods and systems for managing access to a wireless local area network are provided. A wireless access point (AP) may use a unified approach that utilizes an out-of-band channel to communicate authentication key and network address information to a guest device, and utilizes an in-band channel to establish communications with the guest device, and also provides support for in-band setup on all devices. The ability to use out-of-band where possible provides for an increase to security and usability, and the possibility of delegating access from one device to another. The unified approach thereby also provides easy management of guest access to the WLAN.
    Type: Grant
    Filed: June 29, 2005
    Date of Patent: September 10, 2013
    Assignee: Nokia Corporation
    Inventors: Nadarajah Asokan, Philip Ginzboorg, Seamus Moloney, Kari Ti. Kostiainen, Sampo Sovio, Jan-Erik Ekberg, Jari Takala
  • Patent number: 8533805
    Abstract: A server receives a consumer request pertaining to product asset management from a client. The consumer request comprises one or more product-related certificates that associates the client with one or more products. The product-related certificate comprises at least one extended attribute object identifier that has a corresponding product attribute. For each extended attribute object identifier, the server searches a data store to identify a product that corresponds to the extended attribute object identifier and generates a response to the consumer request based on the product that is identified in the data store.
    Type: Grant
    Filed: March 16, 2011
    Date of Patent: September 10, 2013
    Assignee: Red Hat, Inc.
    Inventors: Michael Orazi, Dennis George Gregorovic
  • Publication number: 20130230171
    Abstract: The systems, methods and apparatuses described herein permit encrypted media content to be displayed by an apparatus for a restricted time period. The apparatus may comprise a communication interface configured to couple to a controlling device to transmit a first nonce and to receive the encrypted media content and an association encryption envelope. The association encryption envelope may comprise at least a second nonce and a first time restriction expressed as a first time interval. The apparatus may further comprise a counter, a storage configured to store a value of the counter representing a time of when the first nonce is transmitted, and an engine configured to perform operations according to the first time restriction.
    Type: Application
    Filed: February 28, 2013
    Publication date: September 5, 2013
    Inventors: Dmytro IVANCHYKHIN, Sergey IGNATCHENKO
  • Publication number: 20130232584
    Abstract: A method, a secure device and a computer program product for securely managing files. The method includes providing a secure device, where the secure device is protected by design against malicious software or malware and adapted to establish a connection to a server via a host, the host connected to the server through a telecommunication network, upon receiving a request for using a file stored on the secure device, processing the request at the secure device according to an updated use permission associated to the file, where the updated use permission is obtained by instructing at the secure device to establish a connection between the secure device and the server via the host and updating at the device the use permission associated to the file, according to permission data sent from the server through the established connection.
    Type: Application
    Filed: August 8, 2011
    Publication date: September 5, 2013
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Michael Baentsch, Peter Buhler, Harold D Dykeman, Reto J Hermann, Frank Hoering, Michael P. Kuyper-Hammond, Diego Alejandro Ortiz-Yepes, Thomas D Weigold
  • Publication number: 20130232581
    Abstract: A system for securely downloading and playing coherent digital content such as music and preventing its play by unauthorized users. The system may include mass server/storage devices for receiving and storing digital content having predetermined gaps; and client devices communicating with the server/storage devices, and providing authorization to proceed. During playing of the digital content by the client devices, the missing gaps may be filled into the appropriate places, to allow the play of the coherent digital content.
    Type: Application
    Filed: March 5, 2012
    Publication date: September 5, 2013
    Applicant: SONG1, LLC
    Inventor: Marvin Marshall
  • Publication number: 20130232585
    Abstract: A device includes an authentication unit that issues disposable authentication information to a mobile device which stores a rights object; a receiver that receives a request for remote authentication from an unauthorized device; and a transmitter that transmits data that approves the remote authentication of the unauthorized device. The data that approves the remote authentication is transmitted to the mobile device via the unauthorized device, a disposable rights object, which is converted from the rights object for a temporary use of content, is transmitted to the unauthorized device according to a result of determining the data, and the mobile device and the unauthorized device are connected via a network.
    Type: Application
    Filed: April 24, 2013
    Publication date: September 5, 2013
    Applicant: SAMSUNG ELECTRONICS CO., LTD.
    Inventors: Jae-won LEE, Seung-chul CHAE, Kyung-im JUNG, Young-suk JANG
  • Publication number: 20130232033
    Abstract: A system providing billing support for the exchange of media is disclosed. An embodiment of the present invention may provide for the authorization of and billing for the delivery of media from a media server to local storage for consumption on a television display. The media may be audio, still pictures, video, or data. Other embodiments may provide for the authorization of and billing for the transfer of media from a media peripheral to a media server for media backup or distribution. A media peripheral may be, for example, a digital camera, digital camcorder, personal computer (PC), personal digital assistant (PDA), multi-media gateway, and MP3 player. An embodiment may support pre-payment, payment at time of use, and post-use billing for the media exchange. In an embodiment of the present invention, the storing or accessing of media may be performed without identifying the user to the media server.
    Type: Application
    Filed: April 25, 2013
    Publication date: September 5, 2013
    Applicant: Broadcom Corporation
    Inventors: Jeyhan Karaoguz, James Duane Bennett