Particular node (e.g., gateway, bridge, router, etc.) for directing data and applying cryptography

Subclass of:

713 - Electrical computers and digital processing systems: support

713150000 - MULTIPLE COMPUTER COMMUNICATION USING CRYPTOGRAPHY

Patent class list (only non-empty classes are listed)

Deeper subclasses:

Class | Description | Number of patent applications
713154000 | Including filtering based on content or address | 13

Entries

Document | Title | Date published
20110185169 | Agile Network Protocol For Secure Communications With Assured System Availability. - A plurality of computer nodes communicate using seemingly random Internet Protocol source and destination addresses. Data packets matching criteria defined by a moving window of valid addresses are accepted for further processing, while those that do not meet the criteria are quickly rejected. Improvements to the basic design include (1) a load balancer that distributes packets across different transmission paths according to transmission path quality; (2) a DNS proxy server that transparently creates a virtual private network in response to a domain name inquiry; (3) a large-to-small link bandwidth management feature that prevents denial-of-service attacks at system chokepoints; (4) a traffic limiter that regulates incoming packets by limiting the rate at which a transmitter can be synchronized with a receiver; and (5) a signaling synchronizer that allows a large number of nodes to communicate with a central node by partitioning the communication function between two separate entities. | 07-28-2011
20130031358 | WIRELESS NETWORK SECURITY - A method includes identifying a suspect node of a network that includes multiple nodes in wireless communication. The method also includes initiating formation of a sub-network of the network in response to identifying the suspect node. The suspect node is not a member of the sub-network. After formation of the sub-network, first communications between the suspect node and a device of the network are routed to or through at least one of the members of the sub-network. The sub-network is configured to enable second communications between members of the sub-network, where the second communications are communicated in a manner that is secured against access by the suspect node. | 01-31-2013
20090204805 | Method for secure signal transmission in a telecommunication network, in particular in a local area network - In a telecommunication network, a modular expandable gateway connects a local area network to a wide area network and includes a base module and a plurality of add-on modules arranged in one or more stacks, the base module and the add-on modules including respective encryption/decryption engines to exchange secure information with each other, thus frustrating any possible fraudulent interception of the information at the module interconnections. | 08-13-2009
20120173871 | SYSTEM FOR SECURING VIRTUAL MACHINE DISKS ON A REMOTE SHARED STORAGE SUBSYSTEM - Embodiments of the present invention provide a method, data processing system and computer program product for secure distribution of virtualized storage. In an embodiment of the invention, a method for secure distribution of virtualized storage in a host in a cloud computing environment can include composing at least one virtual machine (VM) disk in a secure container configured to deploy VM images into a cloud computing environment, encrypting the composed at least one VM disk, transmitting the encrypted VM disk to a hypervisor in the cloud computing environment, receiving a request to activate a VM instance and generating a bootloader in the secure container, transmitting the bootloader to the hypervisor in the cloud computing environment, and providing a key to the bootloader to unlock the at least one VM disk. | 07-05-2012
20110202757 | AUTHENTICATION APPARATUS, AUTHENTICATION SYSTEM, AUTHENTICATION METHOD, AND AUTHENTICATION PROGRAM - An authentication system receives encrypted terminal identification information and terminal identification information from a transmission terminal, and determines whether decrypted identification information, decrypted using a terminal public key obtained by the authentication system, matches the terminal identification information received from the transmission terminal. | 08-18-2011
20100077206 | DIGITAL RIGHTS MANAGEMENT PROVISION APPARATUS, SYSTEM, AND METHOD - Provided is digital rights management (DRM) provision technology, and more particularly, an apparatus, system, and method which can easily provide content using one or more DRM systems. A DRM provision apparatus includes a content download unit which downloads encrypted real content and dummy content from a download server and which manages the downloaded real content and dummy content; a license management unit which manages a license issued by a license server; and a processing unit which manages the downloaded real content and dummy content and the issued license. | 03-25-2010
20100077205 | System and Method for Cipher E-Mail Protection - The preferred embodiments of the present invention disclose a security transformation system which includes an e-mail client, a cipher proxy, a dictionary database and an Internet e-mail system. The system is capable of generating and receiving messages and performing a cipher substitution and encryption of key fields of messages when they are stored at a user's Internet e-mail system. When the messages are received or accessed, the system permits deciphering and decrypting the message using a reverse security transformation. The preferred embodiments of the method of the present invention comprise the steps of generating and receiving messages at an Internet e-mail system, performing a security transformation on said messages, encrypting said messages, updating a cipher dictionary at a cipher proxy, and decoding and decrypting the messages when accessed by a user. | 03-25-2010
20100077204 | INFORMATION PROCESSING APPARATUS, MANAGEMENT APPARATUS, COMMUNICATION SYSTEM AND COMPUTER READABLE MEDIUM - An information processing apparatus connected to a management apparatus via a communication line includes: an other-apparatuses information acquisition unit that acquires information concerning a plurality of other information processing apparatuses from the management apparatus; a key registration unit that registers first keys, to be used in encrypted communication between the information processing apparatus and each of the plurality of other information processing apparatuses, into a storage unit; a key transmitting unit that collectively transmits the first keys to the management apparatus; and a key acquisition unit that acquires from the management apparatus second keys, each of which has been transmitted to the management apparatus from the respective one of the plurality of other information processing apparatuses. The key registration unit further registers the second keys acquired by the key acquisition unit into the storage unit. | 03-25-2010
20100077203 | RELAY DEVICE - "Leakage", "falsifying", "masquerading", "approach", or "attack" of data on the Internet are prevented in a communication between a personal computer and the outside thereof without installing software or hardware in the personal computer. An intermediary apparatus includes NIC (Network Interface Card) drivers connected to networks respectively, and a network layer and a transport layer which include "TCP/IP" defining a communication method for communicating while carrying out routing (ROUTING) between any two nodes, and is provided for a physical layer and a data-link layer including the NIC drivers. Between the data-link layer and the network layer, the function of "TCP2" can be provided. | 03-25-2010
20130086375 | PERSONAL POINT OF SALE - Embodiments provided herein include techniques for enabling a mobile device to communicate with smart media in a manner that can sidestep the secure element of the mobile device, and the costs associated with it. The mobile device can communicate with the smart media using near-field communication (NFC) by creating an encrypted connection with a remote computer while bypassing a secure element of the mobile device. This allows the mobile device to provide point-of-sale (POS) functionality by reading and/or writing to the smart media, without compromising the security of the smart media. | 04-04-2013
20090119504 | INTERCEPTING AND SPLIT-TERMINATING AUTHENTICATED COMMUNICATION CONNECTIONS - Systems and methods are provided for enabling optimization of communications within a networked computing environment requiring secure, authenticated client-server communication connections. Optimization is performed by a pair of intermediary network devices installed in a path of communications between the client and the server. A secure, authenticated communication connection between the client and server is split-terminated at a pair of intermediary network devices by intercepting a request from the client for a client-server connection, authenticating the client at the intermediaries, establishing a first secure, authenticated connection to the client, authenticating the client or an intermediary to the server, and establishing a second secure, authenticated connection to the server. Depending on the operative authentication protocol (e.g., NTLM, Kerberos), an intermediary may interface with a domain controller, key distribution center or other entity. | 05-07-2009
20100042829 | System and Method for Processing Data and Communicating Encrypted Data - Systems and methods for processing data and communicating encrypted data are provided. A method of processing data and communicating encrypted data may include receiving input traffic data at a first interface of a channel service unit/data service unit (CSU/DSU). The method may also include encrypting management data associated with the input traffic data at the CSU/DSU to produce encrypted management data. The method may further include sending the encrypted management data via a second interface of the CSU/DSU to a remote terminal of a local area network via a data router coupled to the CSU/DSU. | 02-18-2010
20100042828 | DOCUMENT DATA ENCRYPTION METHOD AND DOCUMENT DATA ENCRYPTION SYSTEM - An encrypting device encrypts original document data by use of a password of an addressee, thereby generating encrypted document data. A decryption authority changing device, the operating authority of which is held by the addressee, generates authority changing information M, structured by encrypting the password of the addressee with a password of a proxy, and notifies a decrypting device, the operating authority of which is held by the proxy, of the information. The decrypting device decrypts the password of the addressee by employing the password of the proxy, and decrypts the encrypted document data by use of the decrypted password of the addressee. | 02-18-2010
20100106962 | METHOD, APPARATUS, AND SYSTEM FOR MANAGING MULTIMEDIA SERVICES - A method for managing multimedia services includes the following steps: a session receiver sends Real-time Transport Control Protocol (RTCP) packets to a distribution aggregation point, where each distribution aggregation point is connected to at least one session receiver and aggregates the received RTCP packets into a first aggregated packet whose format is different from the format of the RTCP packets; the distribution aggregation point sends the first aggregated packet to a distribution source over a transmission network, and the distribution source aggregates the aggregated packet into a second aggregated packet, and then processes the second aggregated packet and transmits it to a session sender, or transmits the second aggregated packet to the session sender directly. The present invention implements feedback of mass packets from the session receiver to the sender in large-scale multicast applications, and avoids the unicast bottleneck. | 04-29-2010
20100106961 | METHODS AND APPARATUS FOR ENABLING UNIFIED (INTERNET PROTOCOL VERSION) IPV6/IPV4 ROUTING SERVICES OVER IPv4-ONLY INTERFACES - Some embodiments of the present invention provide an apparatus that provides routing services between a red network and a black network. The apparatus includes a red router within the red network, a black router within the black network, and an IP encryptor having a red side IPv4-only interface and a black side interface, with the red side interface operatively coupled to the red router and the black side interface operatively coupled to the black network. The apparatus is configured to provide unified IPv6/IPv4 OSPFv3 routing over IPv4-only interfaces using cross-layer extensions. | 04-29-2010
20120216034 | METHOD AND SYSTEM FOR SECURING COMMUNICATION ON A HOME GATEWAY IN AN IP CONTENT STREAMING SYSTEM - A home gateway, which enables communication with a plurality of devices, recovers a root-content key from a key server of a service provider for secure delivery of content requested by a client device. The recovered root-content key is utilized to generate a content key for corresponding content scrambling. The home gateway communicates the scrambled content to the client device. The home gateway utilizes the RSA protocol to request the root-content key from the key server. The root-content key is recovered from the received key index. The content key is encrypted utilizing a public key and delivered to the client device. The key server distributes the public key to the gateway through authentication messages. The client device utilizes its own private key to recover the content key by decrypting the encrypted content key. The scrambled content from the home gateway is descrambled using the recovered content key for content consumption. | 08-23-2012
20090307485 | METHOD FOR MITIGATING DENIAL OF SERVICE ATTACKS AGAINST A HOME AGENT - The invention relates to a method for mitigating the effects of a DoS attack against a home agent supporting mobility for a plurality of mobile nodes. Furthermore, the invention also relates to a home agent, a mobile node and a communication system implementing the method for mitigating the effects of a DoS attack against a home agent supporting mobility for a plurality of mobile nodes. To consider the problem of DoS attacks in the design of a mechanism for improving communication systems enabling mobility of mobile nodes, the invention proposes to configure a plurality of addresses at which the home agent is reachable in a communications network and to assign to each of the mobile nodes at least one of the plurality of home agent addresses. If a denial of service attack is detected by the home agent, the home agent de-configures the home agent address to which data packets of the denial of service attack are destined. | 12-10-2009
20090307484 | WIRELESS ACCESS POINT SECURITY FOR MULTI-HOP NETWORKS - Security in wireless communication networks that employ relay stations to facilitate communications between base stations and mobile stations is enhanced. In one embodiment, resource information provided to one or more relay stations from a base station or another relay station is encrypted prior to being delivered to the one or more relay stations. Only authorized relay stations are allocated an appropriate key necessary to decrypt the resource information. As such, only appropriate relay stations are able to access and use the resource information to effect communications directly or indirectly between the base stations and the mobile stations. In certain embodiments, the resource information is delivered between the various base and relay stations using either unicast or multicast delivery techniques. | 12-10-2009
20090307482 | Method and Apparatus for Encryption and Pass-Through Handling of Confidential Information in Software Applications - Methods and apparatus for securely transmitting sensitive information to a remote device at the request of an application program are provided. The application program generates a request to a secure channel provider to make a transmission to a remote device. A first message is passed from the application program to the secure channel provider containing insertion point codes indicating locations within the first message where the sensitive information should be inserted. Sensitive information is obtained from a source outside of the application program, and the sensitive information is inserted into the first message at the locations indicated by the insertion point codes to form a second message containing the sensitive information. The second message is encrypted and this encrypted message is transmitted to the remote device. The sensitive information is never accessed by the application program during the execution of the method. | 12-10-2009
20120191970 | Sending Protected Data in a Communication Network - A method of sending protected data from a sender unit to a receiver unit via an intermediate unit. The intermediate unit stores information associated with a certificate belonging to the receiver unit, and information associated with a certificate belonging to the intermediate unit, which has previously been signed by the receiver unit. The intermediate unit receives a request from the sender unit to send protected data to the receiver unit, and so it sends a response to the sender unit. The response includes the information associated with the certificate belonging to the receiver unit, which allows the sender unit to verify that the intermediate unit is authorised to receive data on behalf of the receiver unit. The intermediate unit then receives data from the sender unit that is protected using the information associated with the certificate belonging to the receiver unit, for subsequent forwarding to the receiver unit. Having the receiver unit sign the intermediate unit's certificate allows the exchange of credentials that lets a sender unit send protected data to a receiver unit via an intermediate unit. | 07-26-2012
20090271616 | Method for transferring encoded messages - Disclosed is a method for transferring encoded messages between at least two users, particularly a cryptographic protocol, the message transaction taking place by inserting an authentication device which decodes the messages received from the users and sends specially encoded messages to the users. Said method comprises the following steps: a1) the user (A) sends a message (NA | 10-29-2009
20090271615 | BRIDGING SYSTEM, BRIDGE, AND BRIDGING METHOD | 10-29-2009
20120226902 | APPARATUS AND METHOD FOR ACCESS CONTROL OF CONTENT IN DISTRIBUTED ENVIRONMENT NETWORK - An apparatus for generating a key for access control of content in a distributed environment network is provided. The apparatus includes a first key distributor configured to generate first encrypted keys by encrypting a first key, corresponding to a key for write authorization, using each public key of members having write authorization among members included in an access control list including information of at least one user, and to distribute the access control list, information about access authorization and the first encrypted keys to the members having write authorization; and a second key distributor configured to generate second encrypted keys by encrypting a second key, corresponding to a key for read authorization, using the first key and each public key of members having read authorization among members included in the access control list, and to distribute the access control list and second encrypted keys to the members having read authorization. | 09-06-2012
20130067215 | System for Enabling a Virtual Private Network ("VPN") Over an Unsecured Network - A system for enabling a virtual private network over an unsecured network includes a local network coupled to an internet server configured with a firewall. Coupled to both is an appliance that includes a cryptographic module. A remote modem, for example a cellular modem, is coupled to a counterpart appliance that includes a compatible cryptographic module. The two modules are keyed to be exclusively, mutually responsive to each other and enable the transmission of encrypted data between the local network and the remote modem. The appliance coupled to the remote modem may further be coupled to either a remote computer device or a remote network. | 03-14-2013
20120117378 | Multi-Network Cryptographic Device - A Personal Computer Memory Card International Association (PCMCIA) card is disclosed. The PCMCIA card may include a cryptographic module, a communications interface, and a processor. The cryptographic module may perform Type 1 encryption of data received from a computer into which the card is inserted. The cryptographic module may support High Assurance Internet Protocol Encryption (HAIPE). The communications interface may provide connectivity to a network adapter. The communications interface may include a Universal Serial Bus (USB) interface. The processor may detect whether a network adapter is coupled to the communications interface, identify a device driver that corresponds to the network adapter, and employ the device driver to provide operative communication between the cryptographic module and the network adapter. The PCMCIA card may contain a datastore that maintains a plurality of device drivers. For example, the plurality of device drivers may support any one of IEEE 802.x, Ethernet, V.90, or RS-232 network protocols. | 05-10-2012
20120117377 | Mobile security protocol negotiation - A security gateway/home agent controller (HAC) is used to assign one home agent (HA) from a plurality of HAs and to identify at least one security protocol that is common between a mobile node (MN) and the assigned HA. Establishment of a security association between the MN and the assigned HA is enabled according to the identified security protocol and utilizing bootstrapping parameters provided over a secure connection between the security gateway/HAC and the MN. The bootstrapping parameters include at least a home address for the MN, an address of the assigned HA, and security credentials and security parameters for the identified at least one security protocol. In an exemplary embodiment the home address for the MN may be an IPv6 home address, and the MN may have certain capabilities with respect to security protocols and ciphering suites which the MN sends to the security gateway. | 05-10-2012
20120117376 | METHOD AND APPARATUS FOR ANONYMOUS IP DATAGRAM EXCHANGE USING DYNAMIC NETWORK ADDRESS TRANSLATION - Methods, apparatus, system and computer program are provided for concealing the identity of a network device transmitting a datagram having a network layer header. A unique local identifier and broadcast address are determined in accordance with a next-hop address. A partially encrypted network layer header is determined by encrypting a plurality of identifying portions of the network layer header, where one portion of the network layer header is the unique local identifier. The datagram is encapsulated with another network layer header whose address is set to the broadcast address. The encapsulated datagram can be received and detunneled, and an address of a recipient can be extracted from the network layer header. The datagram is then admitted into a network domain. | 05-10-2012
20110022835 | Secure Communication Using Asymmetric Cryptography and Light-Weight Certificates - Encrypted communications between servers and client devices over an unsecured channel, such as the Internet, without using a public key infrastructure are disclosed. Messages to a client device are encrypted using an encryption key of an authorized individual, regardless of the identity of the user of the client device. Encryption is performed by a system that does not expose encryption keys to the client device or the server, thereby preventing man-in-the-middle attacks against the encryption key. Secure communications are combined with a two-factor protocol for authenticating the identity of an individual. An individual authenticates by generating a cipher using a light-weight certificate that has a shared secret but no other information identifying the individual. Separately, a server generates the same cipher using the shared secret, thereby authenticating the individual's identity to a relying party. | 01-27-2011
20090187757METHOD AND SYSTEM FOR MEDIATED SECURE COMPUTATION - Techniques are described for mediated secure computation. A unique identifier value may be assigned to each one of a plurality of nodes included in a network. An encrypted portion of a logical circuit may be received at a server from each of the nodes, the logical circuit including one or more gates, each gate associated with one or more logical input wires and one or more logical output wires, the logical circuit associated with a function, wherein each encrypted portion is encrypted based on a random number value that is common to the plurality of nodes and unknown at the server. A result may be obtained based on executing the logical circuit, based on combining the encrypted portions of the logical circuit received at the server.07-23-2009
20080294890METHOD AND APPARATUS FOR CONTROLLING OUTPUT OF CONTENT DEVICE - Provided are a method and apparatus for controlling an output of a content device. The method includes: receiving a request signal that requests the use of encrypted content; executing software for decrypting the encrypted content in response to the received request signal; and controlling the decrypted content to be output through an output port that is allowed by the executed software.11-27-2008
20090113204Secure Messaging - A method for secure communication of a message. The method includes providing a message including a plurality of message packets, providing a nodal network including a plurality of nodes, where nodal operations are capable of execution on the message packets at the nodes, gaining, by a first node of the network, a first message packet, processing the first message packet by the first node, relinquishing the first message packet as processed by the first node, gaining, by any other node of the network, at least one other message packet, processing the other message packet by the other node, relinquishing the other message packet as processed by the other node, receiving, by a message destination node of the network, a first message packet, receiving, by the message destination node, at least a second message packet, and processing the first message packet and the second message packet to provide a reproduced message.04-30-2009
20110231655PROXY SSL HANDOFF VIA MID-STREAM RENEGOTIATION - A traffic management device (TMD), system, and processor-readable storage medium directed towards re-establishing an encrypted connection of an encrypted session, the encrypted connection having initially been established between a client device and a first server device, causing the encrypted connection to terminate at a second server device. As described, a traffic management device (TMD) is interposed between the client device and the first server device. In some embodiments, the TMD may request that the client device renegotiate the encrypted connection. The TMD may redirect the response to the renegotiation request towards a second server device, such that the renegotiated encrypted connection is established between the client device and the second server device. In this way, a single existing end-to-end encrypted connection can be used to serve content from more than one server device.09-22-2011
20110283102METHOD AND SYSTEM FOR SUPPORTING WATERMARK EMBEDDING IN MULTIMEDIA SYSTEM-ON-CHIPS - A secure server may be utilized to support watermark embedding in multimedia system-on-chips, by generating an encrypted and signed watermarking signal for use in each particular system-on-chip. The encrypted and signed watermarking signal is generated based on a unique per-chip ID associated with the particular system-on-chip. The watermarking signal may be signed by the secure server utilizing a random number generated in and/or provided by the particular system-on-chip. The watermarking signal may be encrypted by the secure server based on a secret encryption key associated with the particular system-on-chip. The secret encryption key may be determined based on the unique per-chip ID associated with the particular system-on-chip. The secure server may store information, received from various system-on-chips, for use during generation of watermarking signals. The information received from each system-on-chip may comprise corresponding unique per-chip ID and/or a random number associated with each particular system-on-chip.11-17-2011
20100125730BLOCK-LEVEL DATA STORAGE SECURITY SYSTEM - A secure storage appliance is disclosed, along with methods of storing and reading data in a secure storage network. The secure storage appliance is configured to present to a client a virtual disk, the virtual disk mapped to the plurality of physical storage devices. The secure storage appliance is capable of executing program instructions configured to generate a plurality of secondary blocks of data by performing splitting and encrypting operations on a block of data received from the client for storage on the virtual disk and reconstitute the block of data from at least a portion of the plurality of secondary blocks of data stored in shares on corresponding physical storage devices in response to a request from the client.05-20-2010
20110302409METHOD AND SYSTEM FOR VERIFICATION OF AN ENDPOINT SECURITY SCAN - A method of granting access to resources includes the step of receiving a request from a node to access a resource. A scanning agent is generated to gather information about the node. A key is generated and embedded in the scanning agent. The scanning agent is transmitted to the node and gathers information regarding the node. The scanning agent encrypts the gathered information using the at least one generated key. The encrypted gathered information is received from the scanning agent and decrypted.12-08-2011
20110302408Secure Communication Systems, Methods, and Devices - In par, the invention relates to a secure communication system. The system includes a voice call processing server; a user database in communication with the server; and a security gateway in communication with the server and the database, wherein the gateway transmits an encrypted signaling key and at least one encrypted media key in response to validating a mobile device using configuration data stored in the database, wherein the server tracks call traffic encrypted using the at least one media key, the call traffic routed using the Internet.12-08-2011
20110289312TCP COMMUNICATION SCHEME - A TCP communication scheme which ensures safe communication up to the communication path near a terminal and eliminates direct attacks from hackers, etc. A terminal (A) and terminal (B) are connected to a relay apparatus (X) and relay apparatus (Y), where the terminal (A) and the terminal (B) are the endpoint terminals positioned at the two ends of a TCP communication connection. The relay apparatuses (X, Y) are each connected to a network (NET). The relay apparatuses (X and Y) are provided so as to be between the terminals (A and B) which had been performing conventional TCP communication, and neither of the relay apparatuses (X and Y) have IP addresses. The relay apparatuses (X and Y) take over the TCP connection between the terminal (A) and the terminal (B), divide the connection into three TCP connections, and establish TCP communication.11-24-2011
20090187758Data communication system and data transmitting apparatus - An LDAP server stores security levels individually assigned to a plurality of destinations and a plurality of users in advance. When a user is authenticated successfully by the LDAP server, a control section of a multi-functional machine obtains the security level of the authenticated user from the LDAP server via a communication section, and then restricts/relaxes display contents necessary in transmission processing, in accordance with the high/low of the security level. Further, when the security level is not lower than a predetermined threshold value, the control section obtains from the LDAP server a destination in which the user is adopted as the addressee.07-23-2009
20110296169FACILITATING SECURE COMMUNICATION BETWEEN UTILITY DEVICES - Communication is facilitated between a plurality of servers (12-01-2011
20090319774IDENTIFICATION INFORMATION PROTECTION METHOD IN WLAN INTER-WORKING - By introducing a hierarchical encryption scheme and the use of asymmetric cryptography, the critical information in message exchanges is concealed from unauthorized entities. This helps greatly in preventing man-in-the-middle attacks faced by inter-working. In addition, access control is conducted by introducing a network structure having a rule interpreter that is capable of mapping general rules to WLAN-specific commands. It obviates the need for a mobile user's home network to understand information about every WLAN it is inter-worked with. A common interface independent of WLAN technologies could be used by the home network for all the WLANs. The above conception provides a solution to the problems of the protection of user identification information and access control in the inter-working of WLAN.12-24-2009
20100153705ENCRYPTION DEVICE, DECRYPTION DEVICE, ENCRYPTION METHOD, AND DECRYPTION METHOD - It is possible to provide an encryption device, a decryption device, an encryption method, and a decryption method capable of effectively performing encryption and decryption by using the packet type judgment result. An encryption/decryption device (06-17-2010
20120089829Accelerating stream cipher operations using single and grid systems - Systems and methods for accelerating stream cipher encryption operations are described. In one aspect, a computer-implemented method receives data. The method separates the data into multiple file chunks for compression. A respective compression-encryption instructions header is provided for each compressed file chunk. Each compressed file chunk then is encrypted according to corresponding encryption instructions in the file-chunk's compression-encryption instructions. In one implementation, the compressed file chunks are encrypted by respective worker nodes in a peer-to-peer computing environment. The compressed and encrypted file chunks are merged into a single encrypted-compressed-merged file.04-12-2012
20100169639METHOD FOR MANAGING A GLOBALLY ACCESSIBLE OPERATIONAL DATA WAREHOUSE SYSTEM WITH IMPROVED SECURITY AND CONSUMER RESPONSE - A secure data exchange and access system, method, and architecture for allowing web-based data transfer with improved security and scalability. The system incorporates and enables serialized pedigree systems while allowing security for storing, authenticating, and tracking a change of custody of a serialized item along a transfer chain. A plurality of independent databases, respectively blind to each other but for a global construct, retains pieces of information along a product supply chain. Specific encryption/decryption protocols enable secure information transfer in a number of modes, including a post-point-of-sale anti-counterfeiting system that includes a process for consumer involvement as a triggering mechanism.07-01-2010
20100169638COMMUNICATION SYSTEM HAVING MESSAGE ENCRYPTION - A system includes a communication device configured to transmit a message to an unsecured server. A secured server is in communication with the communication device, and is configured to receive the message from the communication device before the message is transmitted to the unsecured server, encrypt the message, and transmit the encrypted message to the unsecured server.07-01-2010
20100268937KEY MANAGEMENT FOR SECURE COMMUNICATION - A method and arrangement is disclosed for managing session keys for secure communication between a first and at least a second user device in a communications network. The method is characterized as being independent of what type of credential each user device implements for security operations. A first user receives from a first key management server keying information and a voucher and generates a first session key. The voucher is forwarded to at least a responding user device that, with support from a second key management server communicating with the first key management server, resolves the voucher and determines a second session key. First and second session keys are, thereafter, used for secure communication. In one embodiment the communication traverses an intermediary, whereby the first and second session keys protect communication on their respective legs to the intermediary.10-21-2010
20100268935METHODS, SYSTEMS, AND COMPUTER READABLE MEDIA FOR MAINTAINING FLOW AFFINITY TO INTERNET PROTOCOL SECURITY (IPSEC) SESSIONS IN A LOAD-SHARING SECURITY GATEWAY - Methods, systems, and computer readable media for maintaining flow affinity to IPSec sessions in a load-sharing security gateway are disclosed. According to one embodiment, the method includes receiving packets at a security gateway that provides communications of packet flows between source and destination entities using IPSec sessions. For each packet, it is determined whether the packet is assigned to an existing packet flow between a source and a destination entity that is being processed by the SG. In response to determining that the packet belongs to an existing flow, the packet is forwarded to a processing element associated with that flow and IPSec processing is performed at the processing element. In response to determining that the packet does not belong to an existing flow, a new flow is defined and assigned to a next available processing element. IPSec processing is performed for the flow at the next available processing element.10-21-2010
20120239924SYSTEM AND METHOD FOR SEQUENTIALLY PROCESSING A BIOMETRIC SAMPLE - This invention provides for progressive processing of biometric samples to facilitate user verification. A security token performs initial processing. Due to storage and processing limitations, false rejections may occur. To overcome this, the biometric sample is routed to a stateless server with greater processing power and data enhancement capabilities. The stateless server processes and returns an enhanced biometric sample to the security token for another attempt at verification. In another embodiment, the security token may have a second failure when verifying the enhanced biometric sample. It can then send the enhanced or raw biometric sample to a stateful server. The stateful server processes the biometric sample and performs a one to many search of a biometric database having a master set of enrolled authorized user biometric templates. The security token uses signals from the stateful server to grant or deny access. In both embodiments, heuristics remain with the security token.09-20-2012
20080250239METHOD AND SYSTEM FOR CONTROLLED MEDIA SHARING IN A NETWORK - A method for controlling media sharing among a plurality of nodes in a network. The present method is comprised of availing to the network an instance of media content for sharing among the plurality of nodes by a source node communicatively coupled to the network. The present method further includes decrypting the instance of media content from an encryption local to the source node. The present method further includes encrypting the instance of media content into an intermediate encryption. The present method further includes transferring the instance of media content to a node while the instance of media content is in the intermediate encryption. The node is associated with the network. The decrypting and the encrypting and the transferring are in response to receiving a request for the instance of media content from the node.10-09-2008
20080282081MUTUALLY AUTHENTICATED SECURE CHANNEL - A system and methods for establishing a mutually authenticated secure channel between a client device and remote device through a remote access gateway server. The remote access gateway server forwards secure connection requests and acknowledgements between the client and the remote device such that the remote access gateway does not possess any or all session keys necessary to decrypt communication between the client device and remote device.11-13-2008
20080209205Zero knowledge attribute storage and retrieval - Some embodiments of zero knowledge attribute storage and retrieval have been presented. In one embodiment, the content of a piece of data is encrypted at a client machine. Further, an identifier of the piece of data is hashed at the client machine. The encrypted content and the hashed identifier may be stored in a database maintained by a server without disclosing the content of the data to the server.08-28-2008
20120036352Anonymization of Personal Data - A method for anonymization of personal data is provided for protecting the privacy of a user while sharing user information with a third party. The method includes receiving from a user a domain name address associated with an intended website and an Internet Protocol (IP) address associated with the user and determining that the domain name address is an invalid domain name. The method may further include encrypting the IP address associated with the user by translating the IP address into a unique identifier, with the encryption being a one-way hashing process, and then sending the unique identifier and the invalid domain name address to the third party. The method may further include receiving, from the third party, the unique identifier and a third party content, with the third party content being based on the invalid domain name; decrypting the unique identifier by translating the unique identifier back into the IP address, associating the third party content with the IP address, and based on the IP address, providing the third party content to the user.02-09-2012
20090094453Interoperable systems and methods for peer-to-peer service orchestration - Systems and methods are described for performing policy-managed, peer-to-peer service orchestration in a manner that supports the formation of self-organizing service networks that enable rich media experiences. In one embodiment, services are distributed across peer-to-peer communicating nodes, and each node provides message routing and orchestration using a message pump and workflow collator. Distributed policy management of service interfaces helps to provide trust and security, supporting commercial exchange of value. Peer-to-peer messaging and workflow collation allow services to be dynamically created from a heterogeneous set of primitive services. The shared resources are services of many different types, using different service interface bindings beyond those typically supported in web service deployments built on UDDI, SOAP, and WSDL. In a preferred embodiment, a media services framework is provided that enables nodes to find one another, interact, exchange value, and cooperate across tiers of networks from WANs to PANs.04-09-2009
20110138171GLOBAL PROFILE MANAGEMENT METHOD AND SYSTEM - A profile management method and system. The method includes retrieving by a computer processor, from a user of a social network, a user request for generating a profile. The computer processor retrieves user data and an encrypted master security token comprising an identifier associated with the user. The computer processor generates the profile with the user data and associates the profile with the encrypted master security token. The computer processor receives from the social network a request associated with a membership to the social network. The computer system adds communication data to the encrypted master security token and enables access to the profile based on the encrypted master security token. The computer processor transmits to said first social network a copy of the profile.06-09-2011
20090210697Digital Rights Protection in BitTorrent-like P2P Systems - To leverage the efficiency and the scalability of BitTorrent (BT) systems for Internet content distribution, the present invention discloses enhancing BT peer-to-peer systems to enable digital rights management without infrastructure changes. The technique involves runtime re-encryption of each file piece, which may already be encrypted, before a peer uploads it to any other peer. To access the re-encrypted pieces, a tracker site generates decryption keys that are unique for each peer and for each file piece. While any user can take part in the content distribution, only legitimate users with the unique decryption keys can access the plaintext of the encrypted distributed content.08-20-2009
20110173441HIGHLY SCALABLE ARCHITECTURE FOR APPLICATION NETWORK APPLIANCES - A highly scalable application network appliance is described herein. According to one embodiment, a network element includes a switch fabric, a first service module coupled to the switch fabric, and a second service module coupled to the first service module over the switch fabric. In response to packets of a network transaction received from a client over a first network to access a server of a data center having multiple servers over a second network, the first service module is configured to perform a first portion of OSI (open system interconnection) compatible layers of network processes on the packets while the second service module is configured to perform a second portion of the OSI compatible layers of network processes on the packets. The first portion includes at least one OSI compatible layer that is not included in the second portion. Other methods and apparatuses are also described.07-14-2011
20120297183TECHNIQUES FOR NON REPUDIATION OF STORAGE IN CLOUD OR SHARED STORAGE ENVIRONMENTS - Techniques for non-repudiation of storage in cloud or shared storage environments are provided. A unique signature is generated within a cloud or shared storage environment for each file of the storage tenant that accesses the cloud or shared storage environment. Each signature is stored as part of the file system and every time a file is accessed that signature is verified. When a file is updated, the signature is updated as well to reflect the file update.11-22-2012
20090276619PARALLEL DISTRIBUTION AND FINGERPRINTING OF DIGITAL CONTENT - Distributing information, including the steps of watermarking the digital content, distributing the digital content using a multi-source system, and partially fingerprinting digital content at each stage of moving information from a point of origin to the viewer. “Adaptation” of the digital content to the recipient includes maintaining the digital content in encrypted form at each such intermediate device, including decrypting the digital content with a key unique to both the device and the specific movie, selecting a portion of the watermark locations into which to embed information, embedding fingerprinting information into those locations sufficient to identify the recipient, and encrypting the fingerprinted digital content with a new such key.11-05-2009
20090282237HITLESS MANUAL CRYPTOGRAPHIC KEY REFRESH IN SECURE PACKET NETWORKS - In a hitless manual cryptographic key refresh scheme, a state machine is independently maintained at each network node. The state machine includes a first state, a second state, and a third state. In the first state, which is the steady state, a current cryptographic key is used both for generating signatures for outgoing packets and for authenticating signatures of incoming packets. In the second state, which is entered when a new cryptographic key is provisioned, the old (i.e. formerly current) key is still used for generating signatures for outgoing packets; however, one or, if necessary, both of the old key and the newly provisioned key is used for authenticating signatures of incoming packets. In the third state, the new key is used for generating signatures for outgoing packets and either one or both of the old key and new key are used for authenticating signatures of incoming packets.11-12-2009
20110271098SYSTEM AND METHOD FOR SECURING DATA THROUGH A PDA PORTAL - Consumers may utilize computing devices to assist in the purchase and/or loyalty process, and in particular, the consumer may utilize a PDA to facilitate the purchase and/or loyalty process. During the purchase and/or loyalty process, the consumer may need to ensure that any content downloaded or used in association with the PDA is secure in how it is collected, assembled, and delivered to the PDA device. This system and method secures the data from its source to the point at which it is actually viewed or used by the authorized user. The exemplary system and method may establish a PDA portal link to the web site for collecting specified information for a user and transmitting the information to the remote device. To receive the information, the PDA contacts the portal and establishes a connection, authenticates itself to the network, and allows the user to complete secured transactions or transmissions over the network.11-03-2011
20110271097Loosely-Coupled Encryption Functionality for Operating Systems - Described are computer-based methods and apparatuses, including computer program products, for loosely-coupled encryption functionality for operating systems. A data packet is processed through one or more internet protocol stack layers to generate a processed data packet. Modified encryption information is determined that does not comprise a desired security policy for the data packet and comprises null parameter(s) and is based on encryption information that comprises the desired security policy. A message comprising data indicative of the encryption information is transmitted. An operating system is unaware of a security nature of the transmission. A null-encryption routine is executed to generate an unencrypted data packet, wherein the null-encryption routine does not encrypt the processed data packet. The unencrypted data packet is transmitted to the second computing device. The unencrypted data packet is encrypted based on the message transmitted from the first computing device to generate an encrypted data packet.11-03-2011
20110271096Loosely-Coupled Encryption Functionality for Operating Systems - Described are computer-based methods and apparatuses, including computer program products, for loosely-coupled encryption functionality for operating systems. A data packet is processed through one or more internet protocol stack layers to generate a processed data packet. Encryption information is determined that includes parameters for encrypting and decrypting data packets transmitted between the first computing device and the remote computer. A message comprising data indicative of the encryption information is transmitted to a second computing device, wherein an operating system being executed is unaware of a security nature of the transmission. A bypass encryption routine is executed to generate an unencrypted data packet, wherein the bypass encryption routine does not encrypt the processed data packet. The unencrypted data packet is transmitted to the second computing device. The unencrypted data packet is encrypted based on the message transmitted from the first computing device to generate an encrypted data packet.11-03-2011
20090313465METHODS AND APPARATUS FOR SECURING OPTICAL BURST SWITCHING (OBS) NETWORKS - An optical network, having an optical communication link and first and second routers. The first router receives and classifies data, then forms a data burst based on destination. The first router sends an encrypted header and the data burst via the optical link. The second router, at least one hop from the first router, receives, decrypts and authenticates the header. Then, the second router extracts data burst information from the header and determines whether the address of the second router is the destination address for the data burst. If so, the second router receives the data burst and sends data to an appropriate line interface. If not, the second router selects and reserves a wavelength on a second optical link for the data burst. The second router selects an encryption key for the header, encrypts and sends the header, and then routes the data burst to the selected wavelength.12-17-2009
20080244260SYSTEM AND METHOD FOR MANAGING INTEROPERABILITY OF INTERNET TELEPHONY NETWORKS AND LEGACY TELEPHONY NETWORKS - A system and method for providing interoperability between Internet telephony networks and legacy telephony networks includes conveying an address of an Internet telephony endpoint in a legacy telephony protocol. A globally unique Uniform Resource Identifier, referred to as a Universal Global Title, may be assigned as the address of the Internet telephony endpoint. The URI-based address of the Internet telephony endpoint can be conveyed to a legacy telephony network as an Internet Address Parameter, implemented as an extension to the ANSI ISDN User Part legacy telephony protocol. As such, a Universal Teletraffic EXchange may be provided where Internet telephony networks and legacy telephony networks can exchange addressing and signaling information while interoperating at a peer-to-peer level.10-02-2008
20080282083METHOD AND SYSTEM FOR CONTROLLED MEDIA SHARING IN A NETWORK - A method for controlling media sharing among a plurality of nodes in a network. The present method is comprised of availing to the network an instance of media content for sharing among the plurality of nodes by a source node communicatively coupled to the network. The present method further includes decrypting the instance of media content from an encryption local to the source node. The present method further includes encrypting the instance of media content into an intermediate encryption. The present method further includes transferring the instance of media content to a node while the instance of media content is in the intermediate encryption. The node is associated with the network. The decrypting and the encrypting and the transferring are in response to receiving a request for the instance of media content from the node.11-13-2008
20080313455KEY SUPPORT FOR PASSWORD-BASED AUTHENTICATION MECHANISMS - According to an example embodiment, a session key (e.g., MSK/EMSK) may be determined for a password-based authentication method based on a secret and one or more security parameters used for peer authentication of the method. For example, a session key (e.g., EMSK) may be determined for a EAP-MSCHAP (Extensible Authentication Protocol-Microsoft PPP CHAP Extension) protocol family method between a peer node and an EAP server, the determining being based on a secret and one or more security parameters used for the EAP-MSCHAP protocol family peer authentication.12-18-2008
20090319773ENCRYPTION-BASED CONTROL OF NETWORK TRAFFIC - A computer-implemented method for protecting a computer network (12-24-2009
20080282082NETWORK COMMUNICATION DEVICE - A disclosed network communication device corresponds to IP communications and is capable of performing IPsec communication. The network communication device includes a setting unit configured to obtain and set an operation mode specified by an administrator user; a detecting unit configured to detect a communication error caused by an incorrect portion in an IPsec setting; and a changing unit configured to change the IPsec setting, based on the operation mode set by the setting unit, to correct the incorrect portion or to cancel the IPsec communication, in the event that the communication error is detected.11-13-2008
20090150664COMPUTER MANAGEMENT SYSTEM - A computer management system is provided. In addition to a console and a computer, the computer management system comprises an encryption device and a decryption device. The console outputs a control signal. The encryption device encrypts the control signal to output an encryption signal. The decryption device then decrypts the encryption signal into the control signal, such that the computer is controlled.06-11-2009
20110208960System and Method for Secure Communications - Encryption of electronic messages may be automatically processed by a messaging system based on keywords or other attributes of the messages. In one example, if the message includes a predefined keyword, the messaging system may automatically encrypt the message for all recipients outside of a private network. In another example, the messaging system may automatically encrypt messages based on recipient address. Thus, if a recipient is on a list of addresses to which encryption applies, the message being sent to that particular recipient may be encrypted while a copy of the message being sent to other recipients not on the list might remain unencrypted.08-25-2011
20120272055METHOD AND APPARATUS FOR ESTABLISHING SECURED LINK BETWEEN DEVICES - A method and apparatus for establishing a secured link between devices. In the establishing of the secured link, a coordinator respectively receives from the first and second devices first pairing information indicating that a first device is to establish a secured link and second pairing information indicating that a second device is to establish a secured link. The coordinator further receives via a first secured link established between the first device and the coordinator shared secured information. The shared secured information is shared between the first and second devices. The coordinator establishes a second secured link with the second device based on the shared secured information; and broadcasts partner notice information indicating that the first and second devices are partner devices. The broadcast partner notice information is then used to establish a third secured link.10-25-2012
20100138650SECURE COMMUNICATION SYSTEM, GATEWAY APPARATUS AND ITS OPERATING METHOD - A secure communication system includes: an external peer terminal for generating a security group and participating in the security group by connecting to a peer-to-peer (P2P) network; and a legacy terminal connected to a local area network. The system further includes a gateway apparatus, connected to both of the P2P network and the local area network, for enabling the legacy terminal to participate in the security group.06-03-2010
20100268938SECURING DATA IN A DISPERSED STORAGE NETWORK USING SECURITY SENTINEL VALUE - A sentinel value is combined with a data segment, and encrypted. A digest of the encrypted combined data segment is calculated, and used in conjunction with an encryption key to generate a masked key. This masked key is then appended to the encrypted combined data segment and transmitted to an encoder. When the data segment is retrieved, the original encryption key can be recovered and used to decrypt the data segment. The sentinel value can then be extracted from the data segment and checked for integrity. The data segment can then be delivered, discarded, flagged, or otherwise handled based on the integrity of the sentinel value.10-21-2010
20090177880TRANSMISSION OF SECURE ELECTRONIC MAIL FORMATS - A method and system for providing e-mail messages to a receiving e-mail application. The e-mail messages, as sent from a sending e-mail application, are secure and in opaque signed format. The opaque signed e-mail messages are converted to clear signed e-mail messages by decoding them and extracting the message content and digital signatures. The clear signed e-mails are then sent to a receiving e-mail application.07-09-2009
20130219171NETWORK NODE WITH NETWORK-ATTACHED STATELESS SECURITY OFFLOAD DEVICE EMPLOYING IN-BAND PROCESSING - A network node for communicating data packets secured with a security protocol over a communications network includes a host information handling system (IHS) and one or more external security offload devices coupled by a secure data link. The host IHS communicates state information about data packets, and the external offload security device provides stateless secure data encapsulation and decapsulation of packets using a security protocol. An external network interface controller or internal network interface controller communicates encapsulated data packets over the communications network to a final destination. Encapsulation and decapsulation of packets by the external security offload device reduces network latency and reduces the computational load on the processor in the host IHS. Maintaining state information in the host IHS allows hot-swapping of external security offload devices without information loss. The external security offload device may be included in a firewall, or intrusion detection device, and may implement IPsec protocol.08-22-2013
20130219168NETWORK NODE WITH NETWORK-ATTACHED STATELESS SECURITY OFFLOAD DEVICE EMPLOYING OUT-OF-BAND PROCESSING - A network node for communicating data packets secured with a security protocol over a communications network includes a host information handling system (IHS) and one or more external security offload devices coupled by a secure data link. The host IHS communicates state information about data packets, and the external offload security device provides stateless secure data encapsulation and decapsulation of packets using a security protocol. An external network interface controller or internal network interface controller communicates encapsulated data packets over the communications network to a final destination. Encapsulation and decapsulation of packets by the external security offload device reduces network latency and reduces the computational load on the processor in the host IHS. Maintaining state information in the host IHS allows hot-swapping of external security offload devices without information loss. The external security offload device may be included in a firewall, or intrusion detection device, and may implement IPsec protocol.08-22-2013
20090177879SECURITY COMMUNICATION APPARATUS AND SECURITY COMMUNICATION METHOD - A negotiation unit, of a logical network control apparatus connected to a LAN, judges settings of processing to be performed on communication data by a network connection apparatus, from properties of an application to be used in communication, and decides parameters to be used for a VPN connection. The VPN connection is performed using the determined parameters.07-09-2009
20090198995System and method for providing security via a top level domain - A system and method is disclosed for providing end-to-end security for communications between registered clients of a top level domain without the need for further encryption/decryption protocols than those provided by said at least one of said plurality of secure communication links and said at least one secure message server. Clients registered with the top level domain are assigned at least one email and IM account and, to ensure message security, are required to communicate with other registered users strictly via the assigned email and IM accounts. In this manner, non-registered users are denied secure access to the top level domain. In one embodiment, registered clients of the top-level domain may communicate with non-registered users via a gateway server in a secure or non-secure manner, as is the option of the registered client (sender).08-06-2009
20090083538REDUCING LATENCY OF SPLIT-TERMINATED SECURE COMMUNICATION PROTOCOL SESSIONS - A method is provided for establishing a split-terminated secure communication connection between a client and a server. A first network intermediary intercepts a secure communication connection request directed from the client to the server. A second intermediary having a digital certificate in the name of the server (and a corresponding private key) acts in place of the server to establish a first secure communication session with the client, during which it receives a secret from the client for generating the session key. The second intermediary supplies the secret and/or the session key to the first intermediary, which allows the first intermediary to establish follow-on secure communication sessions in which the secret is reused. The second intermediary may also supply the first intermediary with a copy of its certificate so that it can respond to new secure communication requests and, yet further, may also supply a copy of the private key.03-26-2009
20090083536Method and apparatus for distributing group data in a tunneled encrypted virtual private network - A packet forwarding process, on a data communications device, forwards a packet to a plurality of destinations within a network from that data communications device using an “encrypt then replicate” method. The packet forwarding process receives a packet that is to be transmitted to the plurality of destinations, and applies a security association to the packet using security information shared between the data communications device, and the plurality of destinations, to create a secured packet. The secured packet contains a header that has a source address and a destination address. The source address is inserted into the header, and then the packet forwarding process replicates the secured packet, once for each of the plurality of destinations. After replication, the destination address is inserted into the header, and the packet forwarding process transmits each replicated secured packet to each of the plurality of destinations authorized to maintain the security association.03-26-2009
20120144188METHOD FOR CONNECTING A FIRST COMPUTER NETWORK TO AT LEAST A SECOND EXTENDED COMPUTER NETWORK - Method for connecting a first computer network and at least a second extended computer network wherein the at least second extended computer network is not connected to the Internet and does not have a routing path to the first computer network, the method comprising: installing a concentration router within an intermediate network and associating the concentration router to a public IP address; interconnecting the intermediate network to the at least second extended computer network through a CPE router, and interconnecting the intermediate network to the first computer network via the Internet passing through the concentration router; implementing an IP tunnel between the at least second extended computer network and the first computer network across the direct intermediate network and the Internet, wherein the IP tunnel is implemented as a first external and encrypted IP tunnel, across the Internet, and a second internal non-encrypted IP tunnel across the intermediate network.06-07-2012
20080263353AUTOCONFIGURED PREFIX DELEGATION BASED ON DISTRIBUTED HASH - In one embodiment, a method comprises detecting, by a router, an unsolicited first router advertisement message from an attachment router that provides an attachment link used by the router, the first router advertisement message specifying a first IPv6 address prefix owned by the attachment router and usable for address autoconfiguration on the attachment link; detecting, by the router, an unsolicited delegated IPv6 address prefix from the attachment router and that is available for use by the router; and automatically selecting by the router a second IPv6 address prefix based on concatenating a suffix to the delegated IPv6 address prefix, including dynamically generating the suffix based on a prescribed distributed hash operation executed by the router, the second IPv6 address prefix for use on at least one ingress link of the router.10-23-2008
20100153703STORAGE SECURITY USING CRYPTOGRAPHIC SPLITTING - Methods and systems for storing data securely in a secure data storage network are disclosed. One method includes receiving at a secure storage appliance a block of data for storage on a volume, the volume associated with a plurality of shares distributed across a plurality of physical storage devices. The method also includes cryptographically splitting the block of data received by the secure storage appliance into a plurality of secondary data blocks. The method further includes encrypting each of the plurality of secondary data blocks with a different session key, each session key associated with at least one of the plurality of shares. The method also includes storing each data block and associated session key at the corresponding share, remote from the secure storage appliance.06-17-2010
20090077372PROCESS FOR TRANSMITTING AN ELECTRONIC MESSAGE IN A TRANSPORT NETWORK - In a process for transmitting an electronic message that contains protected and unprotected content, the authenticity of the header elements HE is ensured by obtaining a subsequent authenticity verification of the sender. For this purpose, a checking device which is inserted into the transmission network transforms the header elements of the original message into a new message whose contents are protected by known encryption methods. The new message is sent back to the sender which decrypts it and checks the header elements. If the sender verifies the authenticity of the transmitted data, the header elements on which the original message is based are also considered to be verified. According to the invention, the sender who sends the message, and is later requested to verify its authenticity, may be the mail server (Message Transfer Agent “MTA”) as well as the client of the MTA (and thus, the author of the message, who first forwards the message to the MTA).03-19-2009
20110231654METHOD, SYSTEM AND APPARATUS PROVIDING SECURE INFRASTRUCTURE - Methods and apparatus for automatically providing secure network infrastructure over non-secure network infrastructure such as by automatically generating IPSec tunnels through non-secure networks, terminating the IPSec tunnels at a boundary device and creating appropriate services to bridge traffic between the IPSec tunnels and a secure network. Various embodiments provide rapid provisioning of secure network infrastructure, a Secure Gateway (SEG) embodiment adapted to particular customer requirements and various business methodologies.09-22-2011
20110231653SECURE DISTRIBUTION OF SESSION CREDENTIALS FROM CLIENT-SIDE TO SERVER-SIDE TRAFFIC MANAGEMENT DEVICES - A traffic management device (TMD), system, and processor-readable storage medium are directed to securely transferring session credentials from a client-side traffic management device (TMD) to a second server-side TMD that replaces a first server-side TMD. In one embodiment, a client-side TMD and the first server-side TMD have copies of secret data associated with an encrypted session between a client device and a server device, including a session key. For any of a variety of reasons, the first server-side TMD is replaced with the second server-side TMD, which may not have the secret data. In response to a request to create an encrypted connection associated with the encrypted session, the client-side TMD encrypts the secret data using the server device's public key and transmits the encrypted secret data to the second server-side TMD. If the second server-side TMD has a copy of the server device's private key, and is therefore considered to be an authentic and trusted TMD, the second server-side TMD decrypts the secret data and participates in the encrypted connection.09-22-2011
20110231652PROXY SSL AUTHENTICATION IN SPLIT SSL FOR CLIENT-SIDE PROXY AGENT RESOURCES WITH CONTENT INSERTION - A traffic management device (TMD), system, and processor-readable storage medium are directed to determining that an end-to-end encrypted session has been established between a client and an authentication server, intercepting and decrypting subsequent task traffic from the client, and forwarding the intercepted traffic toward a server. In some embodiments, a second connection between the TMD and server may be employed to forward the intercepted traffic, and the second connection may be unencrypted or encrypted with a different mechanism than the encrypted connection to the authentication server. The encrypted connection to the authentication server may be maintained following authentication to enable termination of the second connection if the client becomes untrusted, and/or to enable logging of client requests, connection information, and the like. In some embodiments, the TMD may act as a proxy to provide client access to a number of servers and/or resources.09-22-2011
20110225419AGILE NETWORK PROTOCOL FOR SECURE COMMUNICATIONS WITH ASSURED SYSTEM AVAILABILITY - A plurality of computer nodes communicate using seemingly random Internet Protocol source and destination addresses. Data packets matching criteria defined by a moving window of valid addresses are accepted for further processing, while those that do not meet the criteria are quickly rejected. Improvements to the basic design include (1) a load balancer that distributes packets across different transmission paths according to transmission path quality; (2) a DNS proxy server that transparently creates a virtual private network in response to a domain name inquiry; (3) a large-to-small link bandwidth management feature that prevents denial-of-service attacks at system chokepoints; (4) a traffic limiter that regulates incoming packets by limiting the rate at which a transmitter can be synchronized with a receiver; and (5) a signaling synchronizer that allows a large number of nodes to communicate with a central node by partitioning the communication function between two separate entities.09-15-2011
20110225418SECURE STORAGE OF PROTECTED DATA IN A WIRELESS COMMUNICATION DEVICE - A wireless communication device comprises first processing circuitry configured to execute an RF operating system and second processing circuitry configured to execute an open operating system, wherein the first processing circuitry is linked to a secure memory device inaccessible to the second processing circuitry. The RF operating system is configured to receive protected data and store the protected data in the secure memory device. The open operating system is configured to receive a request for the protected data from one of a plurality of user applications and transfer the request to the RF operating system. In response to the request for the protected data, the RF operating system is configured to retrieve the protected data from the secure memory device, encrypt the protected data, and transfer the encrypted protected data to the open operating system for delivery to the one of the user applications associated with the request.09-15-2011
20090210698Multiple DRM management - A DRM packager has a programmed processor for receipt of licensing information including a plurality of encryption keys for a corresponding plurality of DRM encryption algorithms and for receipt of content from a content provider. An encrypter encrypts the content under each of the plurality of DRM algorithms to produce multiple DRM selectively encrypted content, where the multiple DRM selectively encrypted content has segments of the specified content that are unencrypted, and selected segments of the content which are duplicated to produce one copy of the selected content for each of the DRM algorithms with each duplicate copy of the selected segments encrypted under a different one of the DRM algorithms, and where the unencrypted segments of content are assembled together with each of the DRM encrypted duplicate selected segments to produce a single unified content assembly that can be played on any of the player devices. This abstract is not to be considered limiting, since other embodiments may deviate from the features described in this abstract.08-20-2009
20130219172SYSTEM AND METHOD FOR PROVIDING A SECURE BOOK DEVICE USING CRYPTOGRAPHICALLY SECURE COMMUNICATIONS ACROSS SECURE NETWORKS - A gateway device is used to control the flow of data to and from a network. To ensure that a message is not transmitted beyond the edge of an intranet without authorization such as outside of a private network, or to a device within the private network without authorization, a gateway will only establish a communication session with a computing device within the private network that possesses a requisite community-of-interest key. If either the gateway device or computing device does not possess a matching community-of-interest key then a communication session cannot be established between the computing device and gateway device. Other aspects include transmitting a message destined for another network by converting it into a format in which it can be received outside the private network without knowledge of the type of security measures used within the private network.08-22-2013
20120246463SYSTEMS AND METHODS FOR IMPLEMENTING TRANSPARENT ENCRYPTION - A method of providing transparent encryption for a web resource includes a key manager receiving an encryption key policy; receiving user identifiers and resource locators; defining an access control list based on the user identifiers; generating an encryption key and a key identifier for a first resource locator; and establishing a secure communication channel between first and second watchdog modules. The method also includes the watchdog sending encryption information using the secure communication channel. The method also includes a transparent encryption module storing the encryption key and the access control list in protected memory; receiving an input comprising a request to access the first resource stored in the web resource; determining that the user identifier is included in the access control list; encrypting data using the encryption key; and decrypting data using the encryption key.09-27-2012
20130219170DATA COMMUNICATION AUTHENTICATION SYSTEM FOR VEHICLE GATEWAY APPARATUS FOR VEHICLE DATA COMMUNICATION SYSTEM FOR VEHICLE AND DATA COMMUNICATION APPARATUS FOR VEHICLE - A vehicular data communication system is disclosed. The vehicular data communication system includes an authentication device for authenticating an external tool connected to a bus, an authentication control device for determining whether an external tool is authenticated by the authentication device and for setting an authenticated state to permit a data communication between the external tool and an access target ECU on the bus upon determining that the external tool is authenticated by the authentication device, and an authentication maintain device for maintaining the authenticated state within a predetermined period after the authenticated state is set by the authentication control device.08-22-2013
20130219169Public Cloud Data at Rest Security - An encryption switch which is used in a cloud environment to secure data on the LUNs used by the clients. A client provides a certificate to the cloud service. The encryption switch develops a cloud crypto domain (CCD) as a secure area, with the data at rest on the LUNs encrypted. The encryption switch develops a master key for client use in the CCD, which is provided to the client encrypted by the client's public key. Data encryption keys (DEKs) are created for each LUN and provided to the client. The DEKs are stored in a key vault by the client for use if needed. The cloud service provisions a client VM to be used with the encrypted LUN and develops a nexus between the LUN and the client VM for the encryption switch to use in data operations. The client communicates through the client VM to access the LUN.08-22-2013
20130219167NETWORK NODE WITH NETWORK-ATTACHED STATELESS SECURITY OFFLOAD DEVICE EMPLOYING IN-BAND PROCESSING - A network node for communicating data packets secured with a security protocol over a communications network includes a host information handling system (IHS) and one or more external security offload devices coupled by a secure data link. The host IHS communicates state information about data packets, and the external offload security device provides stateless secure data encapsulation and decapsulation of packets using a security protocol. An external network interface controller or internal network interface controller communicates encapsulated data packets over the communications network to a final destination. Encapsulation and decapsulation of packets by the external security offload device reduces network latency and reduces the computational load on the processor in the host IHS. Maintaining state information in the host IHS allows hot-swapping of external security offload devices without information loss. The external security offload device may be included in a firewall, or intrusion detection device, and may implement IPsec protocol.08-22-2013
20100180113METHOD FOR MISBEHAVIOUR DETECTION IN SECURE WIRELESS MESH NETWORKS - In a method for secure data transmission in a wireless mesh network, a sending node sends at least one packet to at least one forwarding node which receives the packet from the sending node and forwards the packet to one or more receiving nodes. A destination node receives the packet. A challenge is transmitted from the sending node to the forwarding node causing the forwarding node to reply both to the sending and the receiving node with a response which has transformed information about one or more of the packet/packets. The response is processed to find out whether the forwarding node is misbehaving or not by verifying whether the transformed information is equal to an information which can be or has been derived from the requested packet/packets, wherein the processing is carried out both by the sending node and the receiving node.07-15-2010
20100161962SYSTEM AND METHOD OF TRANSMITTING/RECEIVING SECURITY DATA - There are provided a security server for intermediating transmission/reception of security data between a service providing server and a user terminal, a security data transmission/reception system and a method. In order to intermediate the transmission/reception of security data between the service providing server and the user terminal, the security server may generate a session key corresponding to a secret key provided from a user terminal, receive security data together with the session key from a security data transmitter, encode the security data with the secret key corresponding to the session key, store the encoded security data, provide a data encryption key to the security data transmitter, decode the encoded security data with the secret key corresponding to the session key when the session key is received together with a security data request key from a security data receiver, and provide the decoded security data to the security data receiver.06-24-2010
20100191958METHOD AND NETWORK DEVICE FOR PROCESSING NESTED INTERNET PROTOCOL SECURITY TUNNELS - A method and network device for processing nested IPSec tunnels are for processing outbound packets flowing into QC and inbound packets flowing out an IPSec tunnel via the network device. The network device (07-29-2010
20100217973SYSTEM AND METHOD FOR ENCRYPTING PROVIDER IDENTIFIERS ON MEDICAL SERVICE CLAIM TRANSACTIONS - The present invention relates to a method and a system for collecting and providing reports of activities of medical service providers, while encrypting confidential information. Specifically, the present invention provides systems and methods for collecting and providing information from medical claim transactions without information for specifically identifying the particular medical service provider. The present invention also allows for correlation of medical claim transactions with providers' information without using information that can be used to specifically identify the particular medical service provider (provider identifier).08-26-2010
20100185848SECURE EXTERNAL BUFFER FOR HARD DISK DRIVE SYSTEM ON A CHIP - A system securely buffers hard disk drive data using a host side eXclusive OR (XOR) encryption engine. A host communicates with an encryption interface interposed between the host and a client. Communicatively coupled to the encryption interface is an external buffer for the collection and processing of data. A host side XOR encryption engine, using a random seed, encrypts data originating from the host and places it on the external buffer. Once collected at the buffer and ready for transmittal to the client, the encrypted data is retrieved by the encryption interface and decrypted using the same random seed. The clear data is then encrypted once again using a robust encryption means such as Advanced Encryption Standard (AES) encryption by a client side device for conveyance to the client.07-22-2010
20100161963TRUSTED AND SECURE TECHNIQUES FOR ITEM DELIVERY AND EXECUTION - Documents and other items can be delivered electronically from sender to recipient with a level of trustedness approaching or exceeding that provided by a personal document courier. A trusted electronic go-between can validate, witness and/or archive transactions while, in some cases, actively participating in or directing the transaction. Printed or imaged documents can be marked using handwritten signature images, seal images, electronic fingerprinting, watermarking, and/or steganography. Electronic commercial transactions and transmissions take place in a reliable, “trusted” virtual distribution environment that provides significant efficiency and cost savings benefits to users in addition to providing an extremely high degree of confidence and trustedness. The systems and techniques have many uses including but not limited to secure document delivery, execution of legal documents, and electronic data interchange (EDI).06-24-2010
20100153704Trusted Bypass For Secure Communication - A device having an encryption module in communication with first and second communication ports may facilitate connecting to an access network, without requiring a non-secure hard drive to initiate the network access. The encryption module may define a normal mode and a bypass mode. In normal mode, data from the first port may be sent encrypted to the second port, for communicating securely in an encrypted environment. In bypass mode, data from the first port may be sent unencrypted to the second port. The data being sent may be intercepted and presented to the user for approval in a human readable format. The user may confirm that the data is appropriate for being sent unencrypted. This data may be sent unencrypted in response to a request for information (e.g., an assent to terms and conditions) from the access network, such as at a hotel or public wireless hotspot, for example.06-17-2010
20100228965SYSTEM AND METHOD FOR USING A STREAMING PROTOCOL - An initialization vector (IV) is employed to decrypt a block of a stream that has been encrypted with Cipher Block Chaining (CBC) encryption, without requiring decryption of previous blocks within the stream. For example, a listener who accesses a distribution point to retrieve encrypted content authenticates himself to an application server that regulates access to encrypted content on the distribution point, and responsively receives a key. The listener then requests access to a reference point within the encrypted content stream somewhere after its beginning (e.g., using preview clips). The distribution point relates the reference point to a corresponding block of the encrypted stream, and identifies an IV previously used for encryption of that block. The distribution point provides the associated encrypted block of content and the IV to the listener to enable mid-stream rendering of the encrypted content, without requiring the listener to decrypt previous blocks within the encrypted stream.09-09-2010
20100217972LOCK ADMINISTRATION SYSTEM - A lock administration system for self-powered locks is provided. The system comprises an ASP (application service provider) server operationally connected to the Internet and configured to store lock system related information, at least one client module configured to control the generating of shared secrets for encrypting and decrypting, and the generating and the encrypting of lock access data packets using a token, transmit the data packets to the ASP server using public networks, receive an encrypted status packet from the ASP server using public networks, control the decrypting of the status packet and send information regarding the decrypted status packet to the ASP server using public networks, and at least one lock configured to receive data packets from the ASP server via public networks, decrypt the data packets and send an encrypted status packet to the ASP server using public networks.08-26-2010
20100235621METHOD OF SECURELY PAIRING DEVICES WITH AN ACCESS POINT FOR AN IP-BASED WIRELESS NETWORK - A wireless access point and method of using a wireless access point to allow a user to use a pre-determined security key provided with the access point or a personal security key that is provided by the user. The access point is purchased with a pre-determined security key. A user of the access point may press a pairing button on the access point to automatically pair other devices with the access point using the pre-determined security key. A label with a passphrase that corresponds to the pre-determined security key is provided with the access point, allowing the user to manually enter the passphrase into devices that cannot automatically pair with the access point. The wireless access point also has a “security on/off” button. When the user presses the security on/off button, the access point may cease use of the pre-determined security key in favor of a personal security key.09-16-2010
20110131410WIDE AREA NETWORK ACCESS MANAGEMENT COMPUTER - A system and method for connecting a classified internet protocol (IP) network to a public IP network including an unclassified computing device. The unclassified computing device is a wide area network access management computer which directly connects to a National Security Agency (NSA) High Assurance Internet Protocol Encryptor (HAIPE) device and interfaces between the IP network and the classified IP network. The wide area network access management computer includes a graphical user interface, an internal data network communications interface, an external data network communications interface and a processing unit. The processing unit operates the network interfaces and presents information to the graphical user interface and interprets user input from the graphical user interface. The processing unit also performs the processing and protocols associated with the internal and external networks, performs client processing and allows the user to interact with services on any of the attached networks.06-02-2011
20100217971AGGREGATION OF CRYPTOGRAPHY ENGINES - Systems, methods, and other embodiments associated with aggregation of cryptography engines are described. One example method includes receiving an outbound data packet on an outbound side of a data connection. The example method may also include analyzing the outbound data packet to determine a distribution value. The example method may also include selectively distributing the outbound data packet to one of a plurality of outbound processors based, at least in part, on the distribution value. The example method may also include receiving an inbound data packet on an inbound side of the data connection. The example method may also include examining the inbound data packet for an identifier. The example method may also include selectively distributing the inbound data packet to one of a plurality of inbound processors based, at least in part, on the identifier.08-26-2010
20100241849INTEROPERABLE SYSTEMS AND METHODS FOR PEER-TO-PEER SERVICE ORCHESTRATION - Systems and methods are described for performing policy-managed, peer-to-peer service orchestration in a manner that supports the formation of self-organizing service networks that enable rich media experiences. In one embodiment, services are distributed across peer-to-peer communicating nodes, and each node provides message routing and orchestration using a message pump and workflow collator. Distributed policy management of service interfaces helps to provide trust and security, supporting commercial exchange of value. Peer-to-peer messaging and workflow collation allow services to be dynamically created from a heterogeneous set of primitive services. The shared resources are services of many different types, using different service interface bindings beyond those typically supported in web service deployments built on UDDI, SOAP, and WSDL. In a preferred embodiment, a media services framework is provided that enables nodes to find one another, interact, exchange value, and cooperate across tiers of networks from WANs to PANs.09-23-2010
20100153706Securing IP Traffic - A method of securing IP traffic sent from a first host to a second host attached respectively to first and second access points. The method comprises establishing a shared secret between said first and second hosts, and for each packet to be sent, using the next value in a pseudo-random number sequence as an interface identifier part of the source IP address.06-17-2010
20100235622TRANSFER DEVICE FOR SENSITIVE MATERIAL SUCH AS A CRYPTOGRAPHIC KEY - Mechanisms are provided for transferring sensitive information, such as cryptographic keys, between entities. Particularly, a device is provided with a user input connected directly to a secure element. The device enables a user to enter sensitive information in the user input which is then passed directly to the secure element without traversing any other element such that the secure element can encode and/or encrypt the sensitive information. Once the sensitive information has been encoded and/or encrypted by the secure element, the now secure sensitive information can be shared with other entities using familiar and popular, yet relatively unsecure, transfer methods.09-16-2010
20100211771KEY DISTRIBUTION - Methods and systems are provided for trusted key distribution. A key distribution or an identity service acts as an intermediary between participants to a secure network. The service provisions and manages the distribution of keys. The keys are used for encrypting communications occurring within the secure network.08-19-2010
20100049968COMPUTER NETWORK - A computer network is disclosed in which a group of computers co-operate to perform a distributed application. In order to ensure that only members of that group of computers are able to carry out certain operations, messages sent in the performance of the distributed application are checked by the recipient for the presence of a group membership token. The inclusion of a group membership token is controlled by one or more group membership handlers which intercept messages from local components and only include a group membership token with the message if they list the sending local component as being entitled to include the group membership token in the message. Furthermore, by operating the group membership token on a separate machine, or preferably a separate virtual machine from the local component, security is further improved. In the most preferred embodiments, the group token handler and/or the local component are hosted on virtual machines which provide virtualised cryptographic functionality.02-25-2010
20100049967METHOD AND NETWORK FOR ENSURING SECURE FORWARDING OF MESSAGES - The method and network ensure secure forwarding of a message in a telecommunication network that has at least one first terminal and another terminal. The first terminal moves from a first address to a second address. A secure connection between the first address of the first terminal and the other terminal defining at least the addresses of the two terminals is established. When the first terminal moves from the first address to a second address, the connection is changed to be between the second address and the other terminal by means of a request from the first terminal and preferably a reply back to the first terminal.02-25-2010
20100049966SECRET INFORMATION DELIVERY SYSTEM AND SECRET INFORMATION DELIVERY METHOD - To prevent information leakage at the time of transferring secret information data stored by using a secret sharing scheme to the outside.02-25-2010
20100064132METHOD AND SYSTEM FOR CLOSE RANGE COMMUNICATION USING CONCENTRIC ARCS MODEL - The present invention relates to a method and system for close range communication involving colored images preferably involving concentric circles and/or arcs as coloured image based information identifiers. More particularly, the invention is directed to a method and system to communicate information between two mobile phones using the display (Screen) and Capturing units (Camera) of the mobile devices.03-11-2010
20100199085DETERMINING COMPOSITION OF AN INITIALIZATION VECTOR FOR ENCAPSULATING SECURITY PAYLOAD PROCESSING - A method which includes receiving a request to perform encapsulating security payload (ESP) processing for data exchanged between a node and another node over a secure network connection established via an Internet Protocol security (IPsec) security association. Information associated with the IPsec security association is obtained based on the request. The information indicates a prepend data unit size for an initialization vector, a generated data unit size for the initialization vector and an append data unit size for the initialization vector. The composition of each initialization vector included with encrypted data exchanged between the node and the other node is then determined based, at least in part, on the prepend, generated and append data unit sizes for the initialization vector.08-05-2010
20100082971APPLYING DIGITAL RIGHTS TO NEWLY CREATED ELECTRONIC DOCUMENTS - A routing computer is connected to one or more multi-function peripherals (MFPs) on a network. A routing manager located in the routing computer contains user information for users that operate one or more of the MFPs connected on the network. Based on a set of user preferences and/or default settings, document data scanned by or received via facsimile for a particular user is sent from one of the MFPs to the routing computer. The routing manager then applies rights management and optional encryption to the destination document created from the document data and sends the destination document to a folder or to one or more individuals via electronic mail. As a result, rights management policy may be applied to newly created documents automatically and before the documents are accessible to users in network storage or by email.04-01-2010
20090327698PROCESS AND STREAMING SERVER FOR ENCRYPTING A DATA STREAM WITH BANDWIDTH BASED VARIATION - There is disclosed a process for encrypting a data stream to secure the data stream for single viewing and to protect copyrights of the data stream. Specifically, there is disclosed a process for protecting streaming multimedia, entertainment and communications in an Internet-type transmission. There is further disclosed a streaming server component operably connected with a streaming server that interacts with a client system to effect the inventive process.12-31-2009
20090327699SYSTEM AND METHOD FOR BEND-IN-THE-WIRE ADJACENCY MANAGEMENT - A method for translating network data transmissions begins with a data transmission received at a router. An interface identifier is prepended before a first field of the data transmission, forming a prepended field. The data transmission is transmitted to a translation device. The data transmission is translated without altering the prepended field. The translated data transmission is transferred back to the router. The interface identifier is removed. The translated data is transmitted while maintaining adjacency with an adjacent peer using the interface identifier.12-31-2009
20110066845TRANSMISSION OF SECURE ELECTRONIC MAIL FORMATS - A method and system for providing e-mail messages to a receiving e-mail application. The e-mail messages, as sent from a sending e-mail application, are secure and in opaque signed format. The opaque signed e-mail messages are converted to clear signed e-mail messages by decoding and extracting the message content and digital signatures. The clear signed e-mails are then sent to a receiving e-mail application.03-17-2011
20110066844METHOD AND SYSTEM FOR DIGITAL RIGHTS MANAGEMENT BROKERING AND DIGITAL ASSET SECURITY TRANSCODING - A computer-implemented method and system for DRM brokering and digital asset security transcoding comprising utilizing a broker for converting content from one format into one or more alternative DRM-protected formats for distribution to end-users. The broker operates an escrow system for securing and tracking the content and information about the content and encryption keys associated with a plurality of DRM content formats. The broker further provides a common inter-DRM log format for receiving usage transaction logs and payment logs associated with transcoding and distribution of the content in one or more DRM-protected content formats.03-17-2011
20110066843MOBILE MEDIA PLAY SYSTEM AND METHOD - A mobile play device rights-managed media system and method are provided herein.03-17-2011
20090319772IN-LINE CONTENT BASED SECURITY FOR DATA AT REST IN A NETWORK STORAGE SYSTEM - A network storage server receives multiple write requests from a set of clients via a network and internally buffers multiple data blocks written by the write requests. At a consistency point, the storage server commits the data blocks to a nonvolatile mass storage facility. The consistency point process includes using a storage operating system in the network storage server to compress the data blocks, encrypt selected data blocks, and store the compressed and (possibly) encrypted data blocks in the nonvolatile mass storage facility. Data blocks can also be fingerprinted in parallel with compression and/or encryption, to facilitate subsequent deduplication. Data blocks can be indexed and classified according to content or attributes of the data. Encryption can be applied at different levels of logical container granularity, where a separate, unique cryptographic key is used for each encrypted logical container.12-24-2009
20090319775Data Path Security Processing - Methods and associated systems provide secured data transmission over a data network. A security device provides security processing in the data path of a packet network. The device may include at least one network interface to send packets to and receive packets from a data network and at least one cryptographic engine for performing encryption, decryption and/or authentication operations. The device may be configured as an in-line security processor that processes packets that pass through the device as the packets are routed to/from the data network.12-24-2009
20100268936INFORMATION SECURITY DEVICE AND INFORMATION SECURITY SYSTEM - Provided is a migration system that takes into account the security authentication levels and data protection strength levels of both security devices between which data is migrated.10-21-2010
20080250237Operating System Independent Architecture for Subscription Computing - A system for managing a subscription-based computer independent of an operating system of the computer may include a security module that accesses, decrements, and stores subscription data during operation of the subscription-based computer. Additionally, the system may include a network module in communication with the security module and comprising a network stack, a web server, and a user interface in an operating system independent format. A web browser of the computer may request the user interface from the network stack. The interface may be populated with the subscription data, and a network driver may retrieve the populated user interface from the network module. The populated interface may then be sent to the web server to be served back to the requesting web browser.10-09-2008
20080250238METHOD AND SYSTEM FOR CONTROLLED MEDIA SHARING IN A NETWORK - A method for controlling media sharing among a plurality of nodes in a network. The present method is comprised of availing to the network an instance of media content for sharing among the plurality of nodes by a source node communicatively coupled to the network. The present method further includes decrypting the instance of media content from an encryption local to the source node. The present method further includes encrypting the instance of media content into an intermediate encryption. The present method further includes transferring the instance of media content to a node while the instance of media content is in the intermediate encryption. The node is associated with the network. The decrypting and the encrypting and the transferring are in response to receiving a request for the instance of media content from the node.10-09-2008
20100306528SECURED PRESENTATION LAYER VIRTUALIZATION FOR WIRELESS HANDHELD COMMUNICATION DEVICE HAVING ENDPOINT INDEPENDENCE - The connectivity and security of wireless handheld devices (HDs) can be leveraged to provide a presentation appliance (PA) (e.g. a laptop) with an ability to securely communicate with an enterprise's private network. A split-proxy server, with part of it executing on the HD and a part executing on the PA, implements a full HTTP 1.1 compliant Internet/Web Proxy to couple the PA for communication through the HD. Support for the pragmatic keep-alive header, the CONNECT method, socket connection sharing, and thread pooling, enables a fully functional browsing environment to access web-based applications that are built on standard Internet technologies without the need for re-rendering or re-writing the user interfaces to suit the HD. In addition, Intranet web-based applications are made securely accessible without the need for additional VPN and remote access technologies. The PA may be configured to prevent residual storage of sensitive data on the PA.12-02-2010
20100306527CONTROLLING THE VALIDITY PERIOD OF A DECRYPTION KEY - The invention provides a method and a system for allowing access to a digital broadcast stream on a client device in a conditional access system, wherein the start time and end time of events in the broadcast stream are predefined. If entitled, a server system transmits for an event the start time and end time to the client device. As long as the current time, which is also transmitted from the server system to the client device, is within the range from the start time to the end time, the client device is allowed to decrypt the broadcast stream. To allow events to extend in time without requiring the generation of a new end time, the start time and end time on the one hand and the current time on the other hand are defined on different timescales.12-02-2010
20100306529SECURE MODEM GATEWAY CONCENTRATOR - The present invention provides a method and system for secure access to computer equipment. An embodiment includes a secure access controller connected to a link between a transceiver (such as a modem) and the computer equipment. Public and private keys are used by the secure access controller and a remote user. The keys are provided to the secure access controller by an authentication server. Once the transceiver establishes a communication link with the user, the access controller uses these keys to authenticate packets issued by the user to the computer equipment. If the packet is authenticated, the access controller passes the packet to the computer equipment. Otherwise, the packet is discarded. Another embodiment includes a secure access controller having a plurality of ports for connection to a plurality of different pieces of computer equipment. The secure access controller thus intermediates communications between the modem and the plurality of different pieces of computer equipment.12-02-2010
20100306526Staged Establishment of Secure Strings of Symbols - A multi-stage technique of establishing a plurality of secure strings of symbols is disclosed. In the first stage, the illustrative embodiment establishes a first-stage string of symbols with each other node. The first-stage strings are chosen from a first, small, key space, which means that they can be established more quickly than a highly secure key from a large key space. The advantage of the first-stage strings is that they enable the user to transmit secure messages more quickly than messages secured with highly secure strings. The disadvantage of the illustrative embodiment is that the first-stage strings are not as secure as strings from a larger key space. This disadvantage is mitigated, however, by the fact that the first-stage strings are only used for a short amount of time—until the second-stage strings are established in the second stage.12-02-2010
20130138948SYSTEM AND METHOD FOR RETAINING USERS' ANONYMITY - A method and a system are provided for generating information that relates to services being utilized by a user, by which: at a user device, retrieving usage information that relates to services consumed by the user of the user device; forwarding by the user device the retrieved usage information towards a central processing unit; at the central processing unit, determining based on the received usage information and based on at least one pre-determined criterion associated with the services being consumed by the user, whether a message should be sent to that user; and if in the affirmative, sending a message to the user that relates to the received usage information, without logging any information that relates to the message being sent to the user, at the central processing unit.05-30-2013
20130138949KEY SETTING METHOD, NODE, AND NETWORK SYSTEM - A key setting method executed by a node transmitting and receiving a packet through multi-hop communication in an ad-hoc network among ad-hoc networks, includes receiving a packet encrypted using a key specific to a gateway and simultaneously reported from the gateway in the ad-hoc network; detecting a connection with a mobile terminal capable of communicating with a server retaining a key specific to a gateway in each ad-hoc network among the ad-hoc networks; transmitting to the server, via the mobile terminal and when a connection with the mobile terminal is detected, the encrypted packet received; receiving from the server and via the mobile terminal, a key specific to a gateway in the ad-hoc network and for decrypting the encrypted packet transmitted; and setting the received key specific to the gateway in the ad-hoc network as the key for encrypting the packet.05-30-2013
20130138951METHOD AND DEVICE FOR AUTOMATICALLY DISTRIBUTING UPDATED KEY MATERIAL - A method for handling an encrypted message, received on an electronic device, that has not been encrypted using the current public key. The portable electronic device automatically generates a reply message to the sender in response to determining that the message has not been encrypted with the current public key. The reply message may contain the current public key of the recipient device, and may request the sender to resend the message encrypted with the current public key.05-30-2013
20100325422SYSTEM AND METHOD FOR POLICY-DRIVEN FILE SEGMENTATION AND INTER-CLOUD FILE STORAGE AND RETRIEVAL - A file storage system includes one or more document input devices and a processor communicating with both a memory and the one or more document input devices. The processor executes a software application stored on the memory to separate a sensitive portion of a document from an insensitive portion of a document. A first type of cloud storage includes one or more storage devices in operable communication with the one or more document input devices. The first type of cloud storage is configured to store one or both of the separated portions with a level of encryption agreed upon by a user. A second type of cloud storage includes one or more storage devices in operable communication with the one or more document input devices. The second type of cloud storage is configured to store the insensitive portion of a document based on a consent of the user.12-23-2010
20100325423System and Method for Securing an Electronic Communication - A system for securing an electronic communication comprises a gateway server configured to receive and store a device identifier and a network address from a first computing device. The device identifier identifies the first computing device, and the network address is associated with the first computing device. Thereafter, the gateway server receives from a second computing device the network address of the first computing device and an encryption key request. The gateway server derives from the device identifier for the first computing device an encryption key and sends the encryption key to the second computing device. A communication from the second computing device to the first computing device may thereafter be secured using the encryption key. A related method of securing an electronic communication is also disclosed.12-23-2010
20100325421APPARATUS AND METHOD FOR PROVIDING SECURITY SERVICE IN HOME NETWORK - An apparatus and method for providing a security service are provided. The apparatus includes a reception module which receives first data including a first public key and marked with a security ID, the first public key being one of a pair of public keys necessary for providing a security service to a home server and the security ID indicating that the first data needs to be encrypted; a response generation module which generates second data by encrypting part of a response message for the first data; and a transmission module which transmits the second data to a home server in a home network.12-23-2010
20110093697SYSTEM AND METHOD FOR UPGRADING THE REMOTE CONTROL FUNCTIONALITY OF A DEVICE - A system and method for upgrading a remote control application resident on a device. To this end, a markup language file is created. The markup language file has a representation of information used to set up the remote control application to communicate with an appliance. The markup language file may be executed, on the device or an intermediate client with which the device is synchronized, to upload the representation of the information to a remote server. At the remote server, the uploaded information is used to automatically display user-selectable, downloadable data files relevant to the control of the appliance. Downloaded data files, which may include command codes and/or graphical user interface elements, may be used within the device to upgrade the ability of the remote control application to communicate with the appliance. The information uploaded to the server may also be used to generate demographic data regarding consumer preferences.04-21-2011
20100223458PAIR-WISE KEYING FOR TUNNELED VIRTUAL PRIVATE NETWORKS - In an embodiment, a method for generating and distributing keys retains the scalability of a group VPN, but also provides true pair-wise keying such that an attacker who compromises one of the devices in a VPN cannot use the keys gained by that compromise to decrypt the packets from the other gateways in the VPN, or spoof one of the communicating gateways. The method is resistant to collusion when co-operating attackers overtake several VPN gateways and observe the keys stored in those gateways. In an embodiment, a VPN gateway comprises a cryptographic data processor configured to encrypt and to decrypt data packets; group key management logic; and Key Generation System logic. In one approach a gateway performs, in relation to adding a group member, receiving in a security association (SA) message secret data for use in the KGS; and derives keys for secure communication with one or more peer VPN gateways using the secret data.09-02-2010
20100131754Apparatus, and an Associated Method, for Providing and Using Opaque Presence Indications in a Presence Service - An apparatus, and an associated method, enables presence information of a presentity to be retrieved by a watcher. Elements, or portions, of the presence information may be made selectively opaque (unreadable) to any but authorized watchers or other consumers of the presentity information.05-27-2010
20100131753IMAGE FORMING APPARATUS, HOST APPARATUS AND ENCRYPTION METHOD OF JOB OBJECT DOCUMENT THEREOF - An image forming apparatus, a host apparatus, and an encryption method for print data, the method of encrypting the print data of the host apparatus connected to the image forming apparatus including: displaying an encryption setting screen for the print data; selecting an encryption logic to encrypt the print data through the encryption setting screen; converting the print data according to the selected encryption logic; and transmitting the converted print data to the image forming apparatus. Accordingly, the print data is encrypted and decrypted on the basis of the selected encryption logic and corresponding decryption logic set up according to users, thereby increasing security.05-27-2010
20110179267METHOD, SYSTEM AND SERVER FOR IMPLEMENTING SECURITY ACCESS CONTROL - A method for implementing network security access control is provided, including: receiving and decrypting terminal identity information that is encrypted in a bi-directional encryption mode and forwarded by a switch, and authenticating the decrypted terminal identity information; returning an authentication result to the switch so that the switch controls access of a terminal to a network according to the authentication result; encrypting the decrypted terminal identity information in a solo-directional encryption mode and authenticating the encrypted terminal identity information; returning an authentication result to a security access control gateway so that the security access control gateway controls access of the terminal to network resources according to the authentication result; delivering a security policy to a security control module on the terminal so that the security control module controls the terminal according to the security policy. A server is provided, including a first authentication module and a second authentication module. A system for implementing network security access control is provided, including a server, a switch, a security access control gateway and a terminal.07-21-2011
20100262822CONTENT TRANSMITTING APPARATUS, CONTENT TRANSMITTING METHOD, AND CONTENT TRANSMITTING PROGRAM - A content transmitting apparatus, includes: an acquisition device configured to acquire content data distributed in streaming mode; a temporary storage device configured to store temporarily the content data acquired by the acquisition device; a data control device configured to read the content data from the temporary storage device on a first-in first-out basis; an encryption device configured to encrypt in units of a predetermined amount the content data read out by the data control device; and a transmission device configured to transmit the content data encrypted by the encryption device to a predetermined receiving apparatus via a network. If the remaining capacity of the temporary storage device becomes smaller than a predetermined threshold value depending on status of the network, then the data control device discards the content data read from the temporary storage device.10-14-2010
20090307483METHOD AND SYSTEM FOR PROVIDING A MESH KEY - Method for providing a mesh key which can be used to encrypt messages between a first node and a second node of a mesh network, wherein a session key is generated when authenticating the first node in an authentication server, the first node and the authentication server or an authentication proxy server using a predefined key derivation function to derive the mesh key from said session key, which mesh key is transmitted to the second node.12-10-2009
20100058052METHODS, SYSTEMS AND DEVICES FOR SECURING SUPERVISORY CONTROL AND DATA ACQUISITION (SCADA) COMMUNICATIONS - A secure supervisory control and data acquisition (SCADA) system includes a SCADA control host system and any number of remote terminal unit (RTU) systems. Each RTU system includes an RTU transceiver, an RTU and a remote security device (RSD) coupling the RTU to the RTU transceiver. The SCADA control host system includes a SCADA control host configured to exchange SCADA information with each of the RTUs in a SCADA format, and a host security device (HSD) coupling the SCADA control host to a host transceiver. The host transceiver is configured to establish communications with each of the plurality of RTU transceivers. The HSD communicates with the RSDs to transparently encrypt the SCADA information using a cryptographic protocol that is independent of the SCADA protocol to thereby secure the communications between the HSD and each of the RSDs.03-04-2010
20090217030ADAPTIVE SERVER PERFORMANCE ADJUSTMENT - Apparatus, systems, and methods may operate to calculate the cryptographic throughput for a gateway server, calculate the input-output throughput for the gateway server, and responsive to determining that the cryptographic throughput is less than the input-output throughput, add nodes to the gateway server cryptographic buffer queue when a projection indicates that the sum of data remaining in the cryptographic buffer queue and data available to enter the cryptographic buffer queue is greater than a preselected watermark value. Additional apparatus, systems, and methods are disclosed.08-27-2009
20090217031Electrical System of a Motor Vehicle With a Master Security Module - The invention relates to an electrical system of a motor vehicle with control apparatuses, which communicate with one another by means of a data bus. To recognise manipulations to the electrical system of a motor vehicle, in particular on the software of the control apparatuses of the electrical system, and to derive suitable measures, it is proposed that a master security module is provided in a first control apparatus and a client security module is provided in each case in a plurality of the further second control apparatuses, and the master security module of the first control apparatus, preferably a central gateway control apparatus, signs a message and sends the signed message to at least one of the second control apparatuses by means of the data bus. The client security module of the second control apparatus checks the signed message received from the master security module as to whether it comes from an authorised master security module.08-27-2009
20100070755METHOD AND DEVICE FOR CONFIRMING AUTHENTICITY OF A PUBLIC KEY INFRASTRUCTURE (PKI) TRANSACTION EVENT - A method and device for confirming authenticity of a public key infrastructure (PKI) transaction event between a relying node and a subject node in a communication network enables improved network security. According to some embodiments, the method includes establishing at a PKI event logging (PEL) server a process to achieve secure communications with the relying node (step 03-18-2010
20110083010Conditionally intercepting data indicating one or more aspects of a communique to obfuscate the one or more aspects of the communique - A computationally implemented method includes, but is not limited to: intercepting communiqué aspect data that is directed to an end user entity and that indicates one or more aspects of a communiqué directed to the end user entity and that is affiliated with a particular source entity, the intercepting of the communiqué aspect data being in accordance with one or more conditional directives of the end user entity to conditionally obfuscate the communiqué affiliated with the source entity; and transmitting to the end user entity, in response to intercepting the communiqué aspect data and in lieu of transmitting direct indication of the communiqué to the end user entity, covert indicator data that upon reception by the end user entity covertly indicates the one or more aspects of the communiqué. In addition to the foregoing, other method aspects are described in the claims, drawings, and text forming a part of the present disclosure.04-07-2011
20110252228METHOD AND APPARATUS FOR ENSURING PACKET TRANSMISSION SECURITY - An apparatus and method for ensuring distributed packet transmission security are provided. In an embodiment of the present invention, a main control board allocates SA information to multiple processing boards according to a pre-defined criterion, so that each processing board which receives and stores the SA information may implement IPSec processing. As such, the IPSec processing is shared by the multiple processing boards. Accordingly, when there are a large number of IPSec tunnels on one interface, the IPSec processing of the packets passing through the IPSec tunnels will not rely solely on the processing board where the interface is located. Instead, the IPSec processing is allocated to different processing boards. Therefore, the multiple processing boards effectively share the IPSec processing corresponding to multiple SAs, and the efficiency of the IPSec processing is increased.10-13-2011
20110154021APPARATUS AND METHOD TO PREVENT MAN IN THE MIDDLE ATTACK - A system, peripheral device, and method for authenticating an encryption key before transmitting encrypted messages containing sensitive information are provided. Authentication of a client device during the coordination of data transfer among multiple computer devices is possible by providing a peripheral device that does not have a direct connection to a network, but rather, any message to be transmitted over the network must be relayed through a client device. Any sensitive information to be transferred to a remote device is inserted into a message, then the message is encrypted in the peripheral device. This prevents any process running on the client device from fooling the client device into communicating confidential information to a third party rather than the desired remote computer, because the client device never sees the sensitive information in an unencrypted form; only the peripheral device has access to the sensitive information in an unencrypted form.06-23-2011
20110154019Graceful Conversion of a Security to a Non-security Transparent Proxy - A graceful conversion of a security to a non-security transparent proxy is performed. A security transparent proxy is an intermediary between two end devices, with an established secure connection with each end device using different security keys. In response to a policy decision or other stimulus, the security transparent proxy is gracefully converted to a non-security transparent proxy such that it can forward, without decrypting and encrypting, the information received from a first endpoint on the first connection therewith to the second endpoint on the second connection therewith. This conversion is “graceful” in that it does not drop either of the two original sessions. In one embodiment, this graceful conversion is accomplished by triggering a key renegotiation on both of the two sessions such that the two connections will use the same encryption key.06-23-2011
20120303949PACKET TRANSMISSION METHOD, APPARATUS, AND NETWORK SYSTEM - An embodiment of the present invention provides a packet transmission method. The method includes: receiving an encrypted packet sent by a client by using a virtual private network (VPN) tunnel, wherein the encrypted packet is sent by the client after the client determines, according to a preset control policy, that the control policy comprises an Internet Protocol (IP) address and a port number that are the same as the destination IP address and destination port number of a packet to be sent, and encrypts the packet to be sent, and the control policy comprises information about an IP address and a port number of an intranet server that can exchange a packet with a security socket layer protocol (SSL) VPN server; decrypting the encrypted packet; and sending the decrypted packet to a corresponding intranet server, wherein the source IP address of the decrypted packet is an external network IP address.11-29-2012
20110213958SYSTEMS AND METHODS FOR UTILIZING IMS DATA SECURITY MECHANISMS IN A CIRCUIT SWITCHED NETWORK - Aspects of the present invention provide a mechanism to utilize IMS media security mechanisms in a CS network and, thereby, provide end-to-end media security in the case where the media traffic travels across both a CS network and a PS network.09-01-2011
20110016309CRYPTOGRAPHIC COMMUNICATION SYSTEM AND GATEWAY DEVICE - A GW (PDG) at the termination of remote access is installed in the 3GPP system. After an IPSec tunnel between a terminal and the GW is opened, an IPSec tunnel between a VPN client and the corporate network GW is opened, whereby the data from the terminal is transferred via two tunnels between the terminal and the GW and between the VPN client and the corporate network GW to the corporate network. Also, the GW checks if the destination network uses the global address from the destination IP address of a message received from the terminal making the remote VPN access. If the global address is required, the source IP address of the message received from the terminal is translated from the private address for use within the corporate network to which the terminal is allocated to the global address to transfer the message.01-20-2011
20100115264 System and Method for Processing Encoded Messages for Exchange with a Mobile Data Communication Device - A system and method are provided for pre-processing encrypted and/or signed messages at a host system before the message is transmitted to a wireless mobile communication device. The message is received at the host system from a message sender. There is a determination as to whether any of the message receivers has a corresponding wireless mobile communication device. For each message receiver that has a corresponding wireless mobile communication device, the message is processed so as to modify the message with respect to one or more encryption and/or authentication aspects. The processed message is transmitted to a wireless mobile communication device that corresponds to the first message receiver. The system and method may include post-processing messages sent from a wireless mobile communications device to a host system. Authentication and/or encryption message processing is performed upon the message. The processed message may then be sent through the host system to one or more receivers. 05-06-2010
20100070756 DEVICE AND METHOD FOR DIGITAL PROCESSING MANAGEMENT OF CONTENT SO AS TO ENABLE AN IMPOSED WORK FLOW - A device receives protected content and a license for the content, unprotects the content using an input key and retrieves a rule associated with the input key. The device then processes the content to create new content, retrieves at least one output key associated with the input key in the retrieved rule, protects the content using the output key and sends the newly protected content and the corresponding license. It is thus possible to impose a work flow, as it is necessary for a device to store a particular key in order to access the content and as the rule imposes a particular output key depending on the input key. In a preferred embodiment, the content is scrambled using a symmetrical key that is encrypted by an asymmetrical key in the license. An alternate embodiment uses watermarking techniques instead of encryption. The invention finds particular use in video processing. 03-18-2010
20110258434 ONLINE SECURE DEVICE PROVISIONING WITH UPDATED OFFLINE IDENTITY DATA GENERATION AND OFFLINE DEVICE BINDING - A system for generating new identity data for network-enabled devices includes a whitelist reader configured to extract attributes from a whitelist. The whitelist includes, for each device specified in the whitelist, a previously assigned identifier of the first type. The previously assigned identifiers of the first type are linked to identity data previously provisioned in each of the respective devices. A data retrieval module is configured to receive the identifiers of the first type from the whitelist reader and, based on each of the identifiers, retrieve each of the previously provisioned identity data records linked thereto. A new data generation module is configured to (i) obtain a cryptographic key associated with the identity data previously provisioned in the devices specified on the whitelist and the corresponding identifiers of the first type, (ii) generate new identity data records each linked to a new identifier and (iii) encrypt each of the new identity data records with one of the cryptographic keys and link each new identity data record to the identifier of the first type corresponding to each respective cryptographic key. A data output module is configured to load onto an external source the encrypted new identity data records along with their respective new identifiers and their respective previously assigned identifiers of the first type. 10-20-2011
20110258433 GATEWAY SUPPORTING TRANSPARENT REDUNDANCY IN PROCESS CONTROL SYSTEMS AND OTHER SYSTEMS AND RELATED METHOD - A method includes synchronizing a first gateway with information from a second gateway. The second gateway operates in a primary role with at least one primary network address. The second gateway communicates with at least one wireless device that uses at least one encryption key during at least one secure communication session. The information includes the at least one encryption key. The method also includes detecting a switchover event at the first gateway. The method further includes, in response to detecting the switchover event, switching the first gateway to the primary role, communicating using the at least one primary network address, and maintaining the at least one secure communication session at the first gateway after the first gateway switches to the primary role. 10-20-2011
20090138702METHOD AND APPARATUS FOR SUPPORTING CRYPTOGRAPHIC-RELATED ACTIVITIES IN A PUBLIC KEY INFRASTRUCTURE - In a node (05-28-2009
20080307219 SYSTEM AND METHOD FOR DISTRIBUTED SSL PROCESSING BETWEEN CO-OPERATING NODES - A secure communication protocol (e.g., SSL) transaction request from a client to a server is intercepted at a client-side proxy communicatively coupled to the client and logically deployed between the client and the server. The client-side proxy initiates a secure connection with the server and passes an attribute (e.g., a cryptographic key) associated with that secure connection to a server-side proxy communicatively coupled to the server and logically deployed between the client and the server. This enables the server-side proxy to engage in secure communications with the server in a transparent fashion. 12-11-2008
20110179266 Method for secure transmission using a fax server, system and computer program for implementing this method - The present invention relates to a method for secure transmission using a fax server, comprising the following steps: a step of transmitting the document to be faxed, by the sender, to a server, in the form of a digital file in a non-fax format, together with information relative to the identity of the recipient; a step of calculating a Tiff format file from said digital file on the one hand, and from the creation date and time of said file and an informative file on the other hand; and a step of modifying said Tiff file to be transmitted so as to insert a signature and information allowing the recipient to access the recorded files. This file is then transmitted by the server to the telephone address of the recipient of said file, according to a fax standard. The invention also relates to a computer system and program for implementing this method. 07-21-2011
20110161657 METHOD AND SYSTEM FOR PROVIDING TRAFFIC HASHING AND NETWORK LEVEL SECURITY - An approach is provided for enabling traffic hashing and network level security. A unit of transmission associated with a flow of network traffic is received at a routing node. The unit of transmission is encrypted. A pseudo-address to assign to the encrypted unit of transmission is determined. The pseudo-address is assigned to the encrypted unit of transmission. 06-30-2011
20110161656 SYSTEM AND METHOD FOR PROVIDING DATA SECURITY IN A HOSTED SERVICE SYSTEM - Aspects of the present disclosure are directed to methods and systems for protecting sensitive data in a hosted service system. The system includes a host system, and the host system includes a key management system (KMS) and a metadata service system (MSS). The KMS and the MSS are communicatively coupled to each other. The system further includes a database management system (DBMS) having a database, a query pre-parser, and a results handler. The query pre-parser and the results handler are communicatively coupled to the KMS and the MSS, and the system also includes a processing application adapted to process at least some data received from a tenant system. 06-30-2011
20110047371 SYSTEM AND METHOD FOR SECURE DATA SHARING - A system and method for providing secure data storage and retrieval is disclosed. The system utilizes a protocol for distributing authentication tokens amongst potential recipients of information. Digital information is then disseminated via the system to authorized recipients. Various types of hardware and software authentication devices may be utilized to provide additional security during the storage and retrieval processes. 02-24-2011
20110055552 PRIVATE, ACCOUNTABLE, AND PERSONALIZED INFORMATION DELIVERY IN A NETWORKED SYSTEM - A client receives a notification of a user interaction with an information item and creates a record describing this interaction. The client encrypts the record using an encryption key associated with a server. The encrypted record is then communicated to at least one proxy, which in turn forwards the encrypted record to a server. Upon receiving the encrypted record from the proxy, a server decrypts the record using a decryption key and analyzes the decrypted record to identify the information item and the type of user interaction. This information may be used individually or in aggregate for tracking user interests, billing advertisers or information item providers, and/or collecting anonymous information from users. 03-03-2011
20110055551 METHOD AND NETWORK NODES FOR GENERATING CRYPTOGRAPHICALLY GENERATED ADDRESSES IN MOBILE IP NETWORKS - A method for generating a cryptographically generated address (CGA) comprises steps of: generating, in a network node located on a communication path between a first node and a second node, the network node having unique information of the first node, a cryptographically generated address (CGA) for the first node using the unique information of the first node; and assigning the CGA to the first node. The network node further comprises a generator of CGA for the first node using the unique information of the first node, and an output for assigning the CGA to the first node. 03-03-2011
20080256355 Communication Apparatus, Control Method For A Communication Apparatus, Computer Program Product, And Computer Readable Storage Medium - A communication apparatus for outputting e-mail to a network, including a storing part configured to store e-mail addresses and related encryption information signifying whether e-mail directed to the addresses should be encrypted or in plain text; a displaying part configured to display the e-mail addresses stored in the storing part as selectable destinations for a user; a receiving part configured to receive an instruction to encrypt e-mail or keep the e-mail in plain text for addresses selected as destinations via the displaying part; an e-mail control part configured to control creation of the e-mail based on the instruction received by the receiving part and the encryption information related to the selected e-mail addresses; and an output part configured to output the created e-mail through the e-mail control part to the network. 10-16-2008
20080256354 Systems and methods for exception handling - Systems and methods for managing digital assets in a distributed computing environment are described. Meta-data for the digital assets is stored separately from the digital assets. Meta-data for some of the digital assets is copied and stored at a central location. Meta-data for the digital assets is generated by clients of the system. A method for overriding a policy associated with a digital asset on a client computer after determining that a centralized policy database is inaccessible includes: selecting, by a management computing device, a first digital asset likely to exist on a client; digitally signing, by the management computing device, information corresponding to the first digital asset and information identifying a second digital asset and a policy corresponding to the second digital asset; receiving, by the client, the digitally signed information; and implementing, by the client, the policy corresponding to the second digital asset. 10-16-2008
20120173869 SERVICE LOCATION BASED AUTHENTICATION - A computer is configured to receive a request to access an application, the request having a header. The header includes a source address and an encrypted address generated based on the source address. The computer is further configured to generate a decrypted address from the encrypted address. The computer is further configured to determine whether the source address and the decrypted address match, transmit the source address to a data store, and determine whether a customer profile corresponding to the source address is found within the data store. 07-05-2012
20110016308 ENCRYPTED DOCUMENT TRANSMISSION - Apparatuses, systems and methods are provided for secure transmission of data. 01-20-2011
20110264909 METHOD AND SYSTEM FOR IP MULTIMEDIA BEARER PATH OPTIMIZATION THROUGH A SUCCESSION OF BORDER GATEWAYS - A method for identifying alternative end-to-end media paths through Internet protocol realms using substitute session description protocol parameters is disclosed. The method includes receiving a session description protocol offer, including a list of internet protocol realms. The list may include any number of previously traversed internet protocol realms and/or secondary internet protocol realms. The method continues with determining the outgoing internet protocol realm for a media path based on unspecified signaling criteria. Finally, the method includes that if the outgoing internet protocol realm to be traversed is on the list of previously traversed and/or secondary internet protocol realms, bypassing at least one border gateway associated with the incoming and previously traversed internet protocol realms. The system implementing a method for identifying optimal end-to-end media paths and internet protocol multimedia subsystems includes a list of internet protocol realm instances and an application level gateway configured to receive a session description protocol offer having connection information and port information, and a procedure to determine that if the outgoing internet protocol realm that the media path may traverse is on the list of instances, the media path connection information and port information is substituted to facilitate border gateway bypassing. 10-27-2011
20110264908 Method and device for preventing network attacks - A method for preventing network attacks is provided, which includes: obtaining a data packet, where a source address of the data packet is a cryptographically generated address (CGA); determining that the obtained data packet includes a CGA parameter and signature information; authenticating the CGA parameter; authenticating the signature information according to the authenticated CGA parameter; and sending the data packet to a destination address when the signature information is authenticated. Accordingly, a device for preventing network attacks is also provided. A CGA parameter used by a data packet is directly used to ensure authenticity of a source address of the data packet, thus preventing network attacks performed by counterfeiting the address. In addition, by authenticating signature information, authenticity of the identification of a sender of the data packet and the bound address of the sender of the data packet are further ensured. Therefore, illegal data packets are filtered to prevent network attacks on servers, thus improving network security. 10-27-2011
20110264907 SECURING INFORMATION WITHIN A CLOUD COMPUTING ENVIRONMENT - Embodiments of the invention provide a solution for securing information within a Cloud computing environment. Specifically, an encryption service/gateway is provided to handle encryption/decryption of information for all users in the Cloud computing environment. Typically, the encryption service is implemented between Cloud portals and a storage Cloud. Through the use of a browser/portal plug-in (or the like), the configuration and processing of the security process is managed for the Cloud computing environment user by pointing all traffic for which security is desired to this encryption service so that it can perform encryption (or decryption in the case of document retrieval) as needed (e.g., on the fly) between the user and the Cloud. 10-27-2011
20110093698 SENDING MEDIA DATA VIA AN INTERMEDIATE NODE - A method and apparatus for sending protected media data from a data source node to a client node via an intermediate node. The data source node establishes a first hop-by-hop key to be shared with the intermediate node and an end-to-end key to be shared with the client node. A single security protocol instance is configured and used to transform data from a media stream into transformed data using the keys. The transformed data is then sent to the intermediate node. The intermediate node uses the first hop-by-hop key to apply security processing to the transformed data, and establishes a second hop-by-hop key with the client node. A second transformation is performed on the transformed data using the second hop-by-hop key to produce further transformed media data, which is then sent to the client node. At the client node a single security protocol instance is configured with the second hop-by-hop key and the end-to-end key, which are used to apply further security processing to the transformed media data. 04-21-2011
20110087879 Communication network with secure access for portable users - A communication network includes a local area network (LAN) and a wireless access point coupled to the LAN. In one embodiment, each access point includes a medium access control (MAC) stage, and a radio frequency (RF) transmitter/receiver for communicating unsecure message data via RF links with users of associated wireless devices. An optical transmitter/receiver in the access point enables the users to communicate secure message data over the LAN via free space optical (FSO) links with the users. The MAC stage operates (i) to direct unsecure data from the LAN to the wireless device users and to direct unsecure data from the users to the LAN, via the RF transmitter/receiver; and (ii) to direct secure data from the LAN to the wireless device users and to direct secure data from the users to the LAN, via the optical transmitter/receiver. An integrated VoIP/FSO portable handset is also disclosed. 04-14-2011
20110093696 DEVICE AND METHOD FOR DIRECTING EXCHANGE FLOWS FOR PUBLIC OR NON SENSITIVE VALUES FOR CREATING COMMON SECRET KEYS BETWEEN AREAS - A method and a system for routing exchange flows of public or non-sensitive values for creating common keys between a number of areas in a system in which the entities communicate with each other by trust group, including: each entity generates a public value and communicates this public value to a router; the router, having a mapping table correlating a virtual network number and the MAC addresses of the associated entities, recovers all the public values transmitted by the entities by associating them with their MAC address, and retransmits, to each of the entities, a public value of another entity belonging to the same trust group; each entity recovering the public value of another entity belonging to the same trust group then determines the value of the encryption key common to the entities of one and the same trust group, and uses this key to encrypt the data to be transmitted to another entity. 04-21-2011
20090119503 SECURE PROGRAMMABLE HARDWARE COMPONENT - A cryptographic device may include a programmable hardware component, such as a Field Programmable Gate Array for example, and a processor. The programmable hardware component may encrypt and decrypt data. The programmable hardware component may be securely configured via a cryptographically signed and encrypted configuration package. The configuration package may contain a hardware image and executable code. The processor may load the new hardware image onto the programmable hardware device and may execute the executable code to test an operation of the programmable hardware component and the new hardware image. The processor and the programmable hardware component may be physically and/or operationally independent of one another; thus, a security compromise associated with one may not affect the other. Once the programmable hardware component and the hardware image have been tested according to the executable code, the cryptographic device may be ready to encrypt and decrypt user data. 05-07-2009
20090292914 NODES AND SYSTEMS AND METHODS FOR DISTRIBUTING GROUP KEY CONTROL MESSAGE - Nodes, systems and methods for distributing a group key control message are disclosed. The system mainly includes a root node and child nodes. The apparatus includes a distribution tree establishment node. The method mainly includes: establishing a distribution tree for the group key control message in the group key management system; a root node delivering the group key control message to the child nodes according to the distribution tree; and the child nodes receiving the group key control message delivered from the root node, and forwarding or locally processing the received group key control message. With the present disclosure, a replication/distribution mechanism for the group key control message is established within the group key management system, thereby eliminating the dependence of the group key management system on the multicast service of the deployed environment, and improving the availability and expansibility of the group key management system. 11-26-2009
20100031020 Systems and Methods for the Management and Security of Digital Idea Submissions - A system and method is described for managing and securing electronically submitted ideas to a central repository. Users can submit an idea to a central controller which stores that idea in digital form. The user is able to view and update the idea over time, and determine who may or may not have access to the stored files. Access to the stored information is regulated by a central controller. Such control may be dictated by the preferences of the user storing the information. The user may elect to allow only himself to have access to the information, or to allow access to trusted friends or to anyone who enters the central control or website. There is also a method for securing parental/guardian permission to share ideas generated and electronically stored when the idea is generated by a minor. 02-04-2010
20100031019 SECURE APPLICATION ROUTING - Disclosed is a computer implemented method and apparatus to secure a routing path. A local node receives a request for secure route identification from an upstream node. Responsive to receiving a request for secure route identification, the local node transmits a local node security level and an authentication key to the upstream node. The local node determines whether at least one downstream node is authentic and has sufficient security level from a second-level downstream node. The local node may then establish a socket to the upstream node. 02-04-2010
20100031018 INFORMATION DELIVERY SYSTEM, DELIVERY CENTER DEVICE, USER TERMINAL DEVICE AND INFORMATION DELIVERY METHOD - A user terminal device specifies presence or absence of additional recording in issuing a content request, and in the case of additional recording, the device transmits medium information and encrypted information of pre-recorded contents to a delivery center. When receiving a content additional recording request from the device, the delivery center decrypts once encrypted contents to be additionally recorded with the corresponding content keys. The encrypted key information is decrypted by the medium information from the device to decrypt content keys of the pre-recorded contents and re-encrypts encrypted contents to be additionally recorded to deliver the re-encrypted contents to the device. When receiving contents for additional recording, the device records the received contents so as to be related to the pre-recorded contents, on a recording medium. 02-04-2010
20100031017 SYSTEM AND METHOD FOR ENCRYPTING SECONDARY COPIES OF DATA - A system and method for encrypting secondary copies of data is described. In some examples, the system encrypts a secondary copy of data after the secondary copy is created. In some examples, the system looks to information about a data storage system, and determines when and where to encrypt data based on the information. 02-04-2010
20100023753 SYSTEM AND METHOD OF GENERATING SUBTITLING FOR MEDIA - A method for media subtitling is described, wherein subtitles and/or captions for media are first created on a web interface in a first language along with the appropriate synchronization information with respect to the media. The document content may be created via the web interface, or it may be created locally and uploaded to the interface. Subsequent to creation and/or upload of at least a portion of the subtitling, personnel in different locations (e.g., different terminals or different countries) then access the web interface, which includes the first language and the synchronization information, to create foreign/alternative subtitling. 01-28-2010
20100023752 METHOD AND DEVICE FOR TRANSMITTING GROUPCAST DATA IN A WIRELESS MESH COMMUNICATION NETWORK - A method for transmitting groupcast data in a wireless mesh communication network as provided improves security of groupcast data. The method comprises processing, at a supplicant node, authentication handshake data received from an authenticator node, wherein the supplicant node is a next-hop neighbor of the authenticator node away from a root node. The supplicant node then stores a group transient key (GTK) received from the authenticator node. Next, the supplicant node processes authentication handshake data received from a third node, wherein the third node is a next-hop neighbor of the supplicant node away from the root node. The GTK is then transmitted from the supplicant node to the third node. Encrypted groupcast data are then generated at the supplicant node by using the GTK to encrypt groupcast data received from the authenticator node. Finally, the encrypted groupcast data are transmitted from the supplicant node to the third node. 01-28-2010
20090150665 Interworking 802.1 AF Devices with 802.1X Authenticator - An apparatus comprising a supplicant proxy port authorization entity (PAE) configured to communicate with a user equipment (UE) and a network, wherein the supplicant proxy PAE causes a communication path to forward or block communications between the UE and the network. Included is a network component comprising at least one processor configured to implement a method comprising authenticating a UE with a network using an Institute of Electrical and Electronics Engineers (IEEE) 802.1X protocol, and exchanging a secure key with the UE using an IEEE 802.1AF protocol. Also included is a method comprising authenticating a UE configured for a first authentication protocol with a network configured for a second authentication protocol using a port entity configured for the first authentication protocol and the second authentication protocol, and securing the UE's access to the network by completing a security key agreement using the first authentication protocol. 06-11-2009
20110154020 Conditionally releasing a communique determined to be affiliated with a particular source entity in response to detecting occurrence of one or more environmental aspects - A computationally implemented method includes, but is not limited to: intercepting a communiqué that is determined to be affiliated with a source entity and that is addressed to an end user to prevent, at least temporarily, the communiqué from being received by a communication device associated with the end user; and releasing the communiqué to the communication device in response to at least detecting occurrence of one or more environmental aspects associated with the communication device, the releasing of the communiqué being in accordance with one or more conditional directives of the end user to conditionally obfuscate the communiqué determined to be affiliated with the source entity. In addition to the foregoing, other method aspects are described in the claims, drawings, and text forming a part of the present disclosure. 06-23-2011
20110307693 Agile Network Protocol For Secure Communications With Assured System Availability - A plurality of computer nodes communicates using seemingly random IP source and destination addresses and (optionally) a seemingly random discriminator field. Data packets matching criteria defined by a moving window of valid addresses are accepted for further processing, while those that do not meet the criteria are rejected. In addition to “hopping” of IP addresses and discriminator fields, hardware addresses such as Media Access Control addresses can be hopped. The hopped addresses are generated by random number generators having non-repeating sequence lengths that are easily determined a priori, which can quickly jump ahead in sequence by an arbitrary number of random steps and which have the property that future random numbers are difficult to guess without knowing the random number generator's parameters. Synchronization techniques can be used to re-establish synchronization between sending and receiving nodes. 12-15-2011
20090172390PACKET-PARALLEL HIGH PERFORMANCE CRYPTOGRAPHY SYSTEMS AND METHODS - A cryptographic system (07-02-2009
20110173440 Conditionally releasing a communique determined to be affiliated with a particular source entity in response to detecting occurrence of one or more environmental aspects - A computationally implemented method includes, but is not limited to: intercepting a communiqué that is determined to be affiliated with a source entity and that is addressed to an end user to prevent, at least temporarily, the communiqué from being received by a communication device associated with the end user; and releasing the communiqué to the communication device in response to at least detecting occurrence of one or more environmental aspects associated with the communication device, the releasing of the communiqué being in accordance with one or more conditional directives of the end user to conditionally obfuscate the communiqué determined to be affiliated with the source entity. In addition to the foregoing, other method aspects are described in the claims, drawings, and text forming a part of the present disclosure. 07-14-2011
20120047362 PORTABLE ELECTRONIC FULL SCREEN SYSTEM EQUIPPED WITH COMPUTER PROCESSING FUNCTION - A portable electronic full screen system equipped with comprehensive computer processing function includes a portable electronic full screen module and a remote host. The portable electronic full screen module is linked to the remote host through a public network to get comprehensive processing power to perform application processing. Processed data is presented in a multimedia fashion on the portable electronic full screen module. Compared with conventional mobile devices such as E-book, iPAD, SmartBook, Netbook and the like, the portable electronic full screen module has a powerful computer processing capability and has a screen of the same size as the conventional mobile devices without changing too much of the hardware structure, and maintains the features of the mobile devices of being thin and light, energy-saving, lower cost and longer battery life. 02-23-2012
20120005477 MULTI-SERVICE VPN NETWORK CLIENT FOR MOBILE DEVICE HAVING DYNAMIC FAILOVER - An integrated, multi-service network client for cellular mobile devices is described. The multi-service network client can be deployed as a single software package on cellular mobile network devices to provide integrated services including secure enterprise virtual private network (VPN) connectivity, acceleration, security management including monitored and enforced endpoint compliance, and collaboration services. Once installed on the cellular mobile device, the multi-service client establishes the VPN connection to concurrently include both a layer three (L3) tunnel that uses a first type of transport layer protocol of the operating system and a layer four (L4) tunnel that uses a second type of transport layer protocol of the operating system. The VPN handler determines whether network ports associated with the L3 tunnel are unblocked by an operating system and, when the network ports are unblocked, automatically transitions from the L4 tunnel to the L3 tunnel without terminating the VPN connection. 01-05-2012
20120005476MULTI-SERVICE VPN NETWORK CLIENT FOR MOBILE DEVICE HAVING INTEGRATED ACCELERATION - An integrated, multi-service virtual private network (VPN) network client for cellular mobile devices is described. The multi-service network client can be deployed as a single software package on cellular mobile network devices to provide integrated services including secure enterprise VPN connectivity, acceleration, security management including monitored and enforced endpoint compliance, and collaboration services. The multi-service client integrates with an operating system of the device to provide a VPN handler to establish a VPN connection with a remote VPN security device. The VPN network client includes a data acceleration module to exchange network packets with the VPN handler and apply at least one acceleration service to the network packets, and a VPN control application that provides a unified user interface that allows a user to configure both the VPN handler and the data acceleration module.01-05-2012
20090125713Wireless mesh network with secure automatic key loads to wireless devices - A wireless mesh network provides secure communication by encrypting data using one or more encryption keys. A configuration device in communication with a security manager of the network provides a temporary secure communication path between the security manager and a new field device to be added to the mesh network. Cryptographic material and other configuration data can then be transferred between the security manager of the network and the new field device securely via the configuration device.05-14-2009
20110167255SYSTEM, APPARATUS AND METHOD FOR ENCRYPTION AND DECRYPTION OF DATA TRANSMITTED OVER A NETWORK - A method and system for securing data transmitted between a client device and a server by obtaining input text at an intermediate module, processing the input text to obtain processed text, and transmitting the processed text to the server. Embodiments of the invention include securing data between a client device and a server by processing the input text at the intermediate module by applying an order-preserving transformation, the order-preserving transformation comprising: generating order information based on the input text, the order information indicative of a relative order of the input text within a set of possible input texts according to a collation rule.07-07-2011
20120011358REMOTE ADMINISTRATION AND DELEGATION RIGHTS IN A CLOUD-BASED COMPUTING DEVICE - Methods and apparatus for providing remote administration and delegation rights for a computing system are disclosed. An example method for facilitating remote administration of a first computing device includes receiving, by a second computing device, an administrator name and a username for a user account for a cloud-based computing service, where the user account is assigned to a user of the first computing device. The example method further includes transmitting, from the second computing device to a server, the username for the user account and the administrator name and receiving, by the second computing device, a control panel transmitted from the server, where the control panel accepts inputs to change user preferences for the user account and system settings for the first computing device. The example method also includes receiving, by the second computing device, an input from the control panel to change at least a user preference for the user account and transmitting, from the second computing device to the server, the changed user preference.01-12-2012
20120017078PERIMETER ENCRYPTION METHOD AND SYSTEM - A method and system for consistent format preserving encryption (C-FPE) are provided to protect sensitive data while the sensitive data is in a domain while allowing encrypted sensitive data to be treated inside the domain as if it were the unencrypted sensitive data. The method includes inserting a transparent coupling into a data flow at a perimeter of the domain, and translating a sensitive data element from an unprotected data element to a protected data element using the transparent coupling such that the sensitive data element is a protected data element within the domain.01-19-2012
20120017079Secure Acknowledgment Device For One-Way Data Transfer System - An apparatus for relaying a hashed message from a first node to a second node, comprising an inlet interface for receiving a message from the first node, a hash number calculator for hashing the message from the inlet interface, an outlet interface for sending the hashed message to the second node, a first one-way data link for unidirectional transfer from the inlet interface to the hash number calculator, and a second one-way data link for unidirectional transfer from the hash number calculator to the outlet interface, is provided. While the apparatus is capable of bidirectional communications with either or both of the first and second nodes through the respective interfaces, the unidirectionality of data flow through the apparatus is strictly enforced by the hardware of the apparatus. The apparatus provides a secure mechanism and communication channel for relaying hashed acknowledgment messages from a receive node to a send node to report the status of data transfer from the send node to the receive node across a one-way data link. The apparatus may be further implemented with the capability of comparing hashed messages from the two nodes.01-19-2012
20120159151Evolved Packet System Non Access Stratum Deciphering Using Real-Time LTE Monitoring - A monitoring system is coupled to interfaces in an LTE network and passively captures packets from the network interfaces. First data packets associated with an authentication and key agreement procedure are captured on a first interface. Second data packets associated with the authentication and key agreement procedure are captured on a second interface. Individual ones of the first data packets are correlated to individual ones of the second data packets based upon a same parameter. An authentication vector table is created comprising information from the correlated first data packets and second data packets, wherein entries in the table comprise authentication data for a plurality of security contexts. A cipher key is identified to decipher additional packets for the user. The cipher key can also be identified in case of Inter Radio Access Technology Handover by the user equipment.06-21-2012
20120110323METHODS FOR PROCESSING PRIVATE METADATA - According to one aspect of the invention, a file received from a first user is stored in a storage device, where the file includes private metadata encrypted by a secret key associated with a second user. A private metadata identifier is stored in a predetermined storage location, indicating that private metadata of the file has not been decrypted and indexed. In response to an inquiry subsequently received from the second user, the predetermined storage location is scanned to identify the private metadata identifier based on the inquiry. The encrypted metadata identified by the private metadata identifier is transmitted to the second user for decryption. In response to the metadata that has been decrypted by the second user, the decrypted metadata is indexed for the purpose of subsequent searches of at least one of the metadata and the file.05-03-2012
20110107084SYSTEM FOR AND METHOD FOR RELAYING MESSAGES - A system for and method of relaying messages is presented. In an exemplary embodiment, the system and method may include receiving a request from a user to transmit a message to an intended recipient, processing the message for transmission, wherein processing the message comprises assigning metadata to the message, and transmitting the message with the metadata to the intended recipient, where transmitting the message with metadata comprises searching for at least one proximate ad hoc relay device in the event that a communication link cannot be established with a communication network.05-05-2011
20100095112DATA ENCRYPTION USING A KEY AND MONIKER FOR MOBILE STORAGE MEDIA ADAPTED FOR LIBRARY STORAGE - Disclosed are a method and apparatus for a data storage library comprising a plurality of drives and a combination bridge controller device adapted to direct and make compatible communication traffic between a client and the plurality of drives. The combination bridge controller device is further adapted to encrypt a first data package received from the client. The combination bridge controller device is further adapted to transmit the encrypted first data package, a first moniker and a first message authentication code to one of the plurality of drives for storage to a cooperating mobile storage medium. The combination bridge controller device is further adapted to decrypt the first data package when used in combination with a first key associated with the first moniker and guarantee the decryption of the first data package was successfully accomplished with authentication of the first message authentication code.04-15-2010
20100095111Gateway Registry Methods and Systems - A gateway device for managing a set of two or more local management devices at a location. A system for networks at a plurality of locations. A method of operating a gateway device in a control network. A method for storing information to operate a gateway device in a control network. A method for storing information to operate a replacement gateway device in a control network.04-15-2010
20100095110OUT OF BAND ENCRYPTION - Embodiments of the invention relate to systems and methods for securing data transmission in networks. Embodiments of the invention further relate to encryption methods that dynamically adjust during the course of data transmission. Further, the encryption methods can adapt dynamically without user intervention. In one embodiment, an encryption scheme can be established, controlled, and monitored via out-of-band communication between transceiver modules.04-15-2010
20110099366Secure Transfer of Information - Disclosed is a method for secure transfer of information through a centralized system. The method comprising: maintaining user account information, a user account of a certain user comprising at least a user id and associated public and private keys, the private key being retrievable by means of a password of said certain user; receiving (04-28-2011
20120124367System and Method for Securely Communicating Across Multiple Networks Using a Single Radio - A communications module for facilitating secure communications on a first network and a second network includes: a single transceiver for receiving and transmitting first network messages from and to the first network and at least transmitting second network messages to the second network; at least a first processor connected to the single transceiver for processing one or more first network messages and second network messages; the at least a first processor including first network logic for processing first network messages and second network logic for processing second network messages; and the second network logic including instructions for securing second network messages such that decryption of the second network messages is limited to a particular receiving device on the second network. The second network messages may include commodity pricing and use information.05-17-2012
20090132809Method and Apparatus for the Provision of Unified Systems and Network Management of Aggregates of Separate Systems - A method and apparatus for the provision of unified systems and network management of aggregates of separate systems is described herein.05-21-2009
20120124368Digital Rights Convergence Place Chaser - The present invention is an apparatus and method for the money transactions required in the selling of merchandise or media content on the Internet or other public or private network. It can then track and maintain digital rights to merchandise or media. Methods of access to digitally protected content are disclosed. License metadata and credentials from multiple types of digital rights management systems may be used to grant access through a home based or other end-user custodial digital rights “place-chaser” to content protected by different types of serial copy management systems. Content security using a non-audible or invisible code signal sequence(s) can provide traceability as well as absolute anonymity for the purchaser. This apparatus can be used to conduct transactions off the web so that business can be done on the web.05-17-2012
20120317410PROTECTING DATA FROM DATA LEAKAGE OR MISUSE WHILE SUPPORTING MULTIPLE CHANNELS AND PHYSICAL INTERFACES - A system and method for two devices that communicate via a network, wherein at least one of the devices is a touch sensitive device, the two devices storing a common cryptographic key that enables all communications via the network to be encrypted.12-13-2012
20120317411SYSTEM AND METHOD FOR ESTABLISHING A VIRTUAL PRIVATE NETWORK - A system and method for establishing a virtual private network (VPN) between a client and a private data communication network. An encrypted data communication session, such as a Secure Sockets Layer (SSL) data communication session, is established between a gateway and the client over a public data communication network. The gateway then sends a programming component to the client for automatic installation and execution thereon. The programming component operates to intercept communications from client applications destined for resources on the private data communication network and to send the intercepted communications to the gateway via the encrypted data communication session instead of to the resources on the private data communication network.12-13-2012
20120221848SANCTIONING CONTENT SOURCE AND METHODS FOR USE THEREWITH - A content source includes a random number generator that generates a scrambling control word based on at least one random number. A source processing module generates proxy data that includes cryptographic parameters that are based on the scrambling control word, generates cryptographic data and generates scrambled media content based on the scrambling control word. A network interface sends the proxy data to a sanction server, and sends the cryptographic data and the scrambled content to a caching server.08-30-2012
20100088505CONTENT DELIVERY NETWORK ENCRYPTION - A system and method for delivering content to end users encrypted within a content delivery network (CDN) for content originators is disclosed. CDNs transport content for content originators to end user systems in a largely opaque manner. Caches and origin servers in the CDN are used to store content. Some or all of the content is encrypted within the CDN. When universal resource indicators (URIs) are received from an end user system, the CDN can determine the key used to decrypt the content object within the CDN before delivery. Where there is a cache miss, an origin server can be queried for the content object, which is encrypted in the CDN.04-08-2010
20120131330System and Method for Processing Secure Transmissions - Secured transmissions between a client and a server are detected, a policy formulated whether encrypted material needs to be decrypted, and if content is to be decrypted it is, using decrypting information obtained from the client and server. Resulting plain text is then deployed to an entity such as a processor, store or interface. The plain text can be checked or modified. The transmission between client and server could be blocked, delivered without being decrypted, decrypted and then re-encrypted with or without modification. Each transmission is given an ID and a policy tag.05-24-2012
20100241848SYSTEM AND METHOD FOR SECURELY COMMUNICATING WITH ELECTRONIC METERS - An infrastructure for securely communicating with electronic meters is described, which enables secure communication between a utility and a meter located at a customer, over a communication link or connection such as via a network. This enables messages to be sent from the utility to the meter and vice versa in a secure manner. The network provides a communication medium for communicating via the C12.22 protocol for secure metering. A cryptographic backend is used to cryptographically process messages to be sent to the meter and to similarly cryptographically process messages sent from the meter. By providing appropriate cryptographic measures such as key management, confidentiality and authentication, the meter can only interpret and process messages from a legitimate utility and the utility can ensure that the messages it receives are from a legitimate meter and contain legitimate information.09-23-2010
20100205428Method and Apparatus for Distributing Group Data In A Tunneled Encrypted Virtual Private Network - A packet forwarding process, on a data communications device, forwards a packet to a plurality of destinations within a network from that data communications device using an “encrypt, then replicate” method. The packet forwarding process receives a packet that is to be transmitted to the plurality of destinations, and applies a security association to the packet using security information shared between the data communications device, and the plurality of destinations, to create a secured packet. The secured packet contains a header that has a source address and a destination address. The source address is inserted into the header, and then the packet forwarding process replicates the secured packet, once for each of the plurality of destinations. After replication, the destination address is inserted into the header, and the packet forwarding process transmits each replicated secured packet to each of the plurality of destinations authorized to maintain the security association.08-12-2010
20120137125METHODS AND APPARATUS FOR TRANSMITTING AND RECEIVING SECURE AND NON-SECURE DATA - Devices, methods, and systems capable of enabling transmission and receipt of secure and non-secure data are discussed in this document. According to some embodiments, a network apparatus can transmit ciphered and unciphered data. The network apparatus transmits a first signal indicating a cipher to be used and transmits a second signal indicating that non-secure data is to be transmitted and received unciphered. The network apparatus can cipher secure data and transmits ciphered secure data and unciphered non-secure data. A wireless terminal can receive the first and second signals, the ciphered secure data, and the unciphered non-secure data. The wireless terminal can decipher the received secure data and does not decipher the received non-secure data. System embodiments can include both network-side and network terminal components. Embodiments of the present invention enable secure transmission of data in concert with efficient processing. Other aspects, embodiments, and features are also claimed and described.05-31-2012
20100174899DATA DISTRIBUTION SYSTEM, KEY MANAGEMENT DEVICE, AND KEY MANAGEMENT METHOD - Receiving terminals joining a multicast group are divided into sub groups and rekeying is performed only on the sub group which one of the receiving terminals has left. An encryption key management system having an encryption method is provided in which a multicast server is connected via an IP network, a seed node carries out encryption multicast communications among receiving terminals by using an encryption key, the receiving terminals are properly divided into the sub groups, the single encryption key is used for data distribution of the multicast server, and the number of decoding keys is equal to the number of divided sub groups.07-08-2010
20120173870Systems and Methods for Multi-Level Tagging of Encrypted Items for Additional Security and Efficient Encrypted Item Determination - The present disclosure is directed towards systems and methods for performing multi-level tagging of encrypted items for additional security and efficient encrypted item determination. A device intercepts a message from a server to a client, parses the message and identifies a cookie. The device processes and encrypts the cookie. The device adds a flag to the cookie indicating the device encrypted the cookie. The device re-inserts the modified cookie into the message and transmits the message. The device intercepts a message from a client and determines whether the cookie in the message was encrypted by the device. If the message was not encrypted by the device, the device transmits the message to its destination. If the message was encrypted by the device, the device removes the flag, decrypts the cookie, removes the tag from the cookie, re-inserts the cookie into the message and transmits the message to its final destination.07-05-2012
20120179902NETWORK KEY UPDATE SYSTEM, A SERVER, A NETWORK KEY UPDATE METHOD AND A RECORDING MEDIUM - In order to reduce the frequency with which communication occurs when updating a network key and to minimize the deterioration in performance due to updating without relying on a key tree, a server is provided with an address key allocation unit which generates identifiers for identifying clients by the combination of addresses on a plurality of address spaces and allocates address keys to respective addresses included in the generated identifier, and a network key ciphering unit which generates a network key update key which cannot be generated from the address keys allocated to a client to be disconnected, ciphers a new network key using the network key update key, and delivers the new network key to the clients.07-12-2012
20100275008METHOD AND APPARATUS FOR SECURE PACKET TRANSMISSION - A source endpoint includes a security association database; a processing device and an interface operatively coupled to: receive a first packet requiring security processing; retrieve from the first packet a destination endpoint data address for a destination endpoint that is to receive the first packet; determine an address translation; apply the address translation to the retrieved destination endpoint data address to generate a destination endpoint security address, and create an entry in a storage device, wherein the entry corresponds only to the destination endpoint and comprises the generated destination endpoint security address and a set of security parameters. The source endpoint further indexes the storage device to obtain the security parameters for security processing of the first packet to generate a secured first packet; and sends the secured first packet to the destination endpoint.10-28-2010
20130173909KEY ENCRYPTION SYSTEM, METHOD, AND NETWORK DEVICES - A network includes encryption devices at customer sites and transport devices that provide transport functionality for encrypted data for transmission across networks. A method of controlling access to a first plurality of functions of the encryption devices and access to a second plurality of functions of the transport devices is disclosed. The method involves providing a customer with access to at least some of the first plurality of functions and providing a network service provider with access to at least some of the second plurality of functions. The method also involves providing the network service provider with restricted access to a first subset of the first plurality of functions and/or providing the network service provider with restricted access to a second subset of the second plurality of functions. This allows the customer and the service provider to share access to hardware resources such as the encryption devices and the transport devices.07-04-2013
20120254609METHOD FOR TRANSFERRING ENCRYPTED MESSAGES - A method for transferring encoded messages between at least two users, particularly cryptographic protocol, includes message transaction taking place by inserting an authentication device which decodes the messages received from the users and sends especially encoded messages to the users. The method includes the following steps: a10-04-2012
20120254608SSL VPN GATEWAY AND SSL VPN TUNNEL ESTABLISHING METHOD - A Secure Socket Layer Virtual Private Network (SSL VPN) gateway for establishing a SSL VPN tunnel with another SSL VPN gateway includes a storage unit, a processor and a tunnel establishing unit. The storage unit stores a plurality of packet criterions and a plurality group of parameter set values. The tunnel establishing unit includes a tag generator, an initiator, and a negotiator. The tag generator generates a plurality of tags corresponding to the packet criterion and attaches the tags to packets which meet the corresponding packet criterions. When the initiator receives the tagged packets, the initiator initiates the negotiating to negotiate with another gateway for establishing a SSL VPN tunnel according to the group of parameter set values corresponding to the tagged packets.10-04-2012
20120221847SANCTIONED CLIENT DEVICE AND METHODS FOR USE THEREWITH - A client device includes a network interface that transmits a request for the media content to the sanction server, receives second sanction data from the sanction server, transmits second cryptographic data to the caching server, receives first cryptographic data from the caching server and that receives scrambled media content from the caching server. A random number generator generates a random number. A client processing module, in response to the second sanction data, generates the second cryptographic data based on the random number and the second sanction data, generates a scrambling control word based on the second sanction data and the first cryptographic data and descrambles the scrambled media content based on the scrambling control word.08-30-2012
20120221846CRYPTOGRAPHIC SANCTION SERVER AND METHODS FOR USE THEREWITH - A sanction server includes a network interface that receives a request for media content from a client device and transmits first sanction data to a caching server and second sanction data to the client device. A sanction processing module generates the first sanction data based on a random number and generates the second sanction data based on the random number. The caching server generates first cryptographic data based on the first sanction data and sends the first cryptographic data to the client device. The client device generates second cryptographic data based on the first sanction data and sends the second cryptographic data to the caching server. The caching server generates a scrambling control word based on the first sanction data and the second cryptographic data. The client device generates the scrambling control word based on the second sanction data and the first cryptographic data.08-30-2012
20080301434METHOD AND APPARATUS FOR COMBINING INTERNET PROTOCOL AUTHENTICATION AND MOBILITY SIGNALING - Methods and apparatuses for combining internet protocol layer authentication and mobility signaling are disclosed. Various embodiments for providing authentication and mobility signaling when a mobile node moves from a 3GPP access network to a non 3GPP access network and vice versa are described.12-04-2008
20080301433Secure Communications - The subject matter of this specification can be embodied in, among other things, an apparatus that includes a verification module to provide information used to identify a user of the apparatus, a memory for storing information used for securing communications transmitted to a remote device, a processing unit for generating a secured communication based on the stored information, and an interface to communicate with a peripheral interface of a host device. The host device is configured to transmit the secured communication to the remote device without accessing content of the secured communication.12-04-2008
20110131409Conditionally intercepting data indicating one or more aspects of a communique to obfuscate the one or more aspects of the communique - A computationally implemented method includes, but is not limited to: intercepting communiqué aspect data that is directed to an end user entity and that indicates one or more aspects of a communiqué directed to the end user entity and that is affiliated with a particular source entity, the intercepting of the communiqué aspect data being in accordance with one or more conditional directives of the end user entity to conditionally obfuscate the communiqué affiliated with the source entity; and transmitting to the end user entity, in response to intercepting the communiqué aspect data and in lieu of transmitting direct indication of the communiqué to the end user entity, covert indicator data that upon reception by the end user entity covertly indicates the one or more aspects of the communiqué. In addition to the foregoing, other method aspects are described in the claims, drawings, and text forming a part of the present disclosure.06-02-2011
20110131408DOCUMENT LINK SECURITY - A method, system, and computer usable program product for document link security are provided in the illustrative embodiments. A link is created to a document stored in a data storage device accessible from a data processing system. A characteristic of the document is encrypted in the link. The link with the encrypted characteristic forms an encrypted locator. The encrypted locator may be embedded into another data, such as a page, which may be transmitted with the embedded encrypted locator. A request for the document may be received. The request may include encrypted information. The encrypted information may be the encrypted locator, the encrypted characteristic, or a combination thereof. The encrypted information is decrypted. The document is accessed using the decrypted information. The document is provided in response to the request.06-02-2011
20120239923Wireless Activation Of IP Devices - A method of activating a wireless IP device by providing access to an installer to a customer's personal router or modem/router combination and providing access to the installer to a wireless Access Point which is supplied by the installer where the Access Point has a first slot for a default SSID2 password for a first wireless IP device and a second slot for an SSID1 password for a second wireless IP device. Connecting a first wireless IP device while in its initial or default state to the first slot where the first device and the wireless Access Point have a common default SSID2 code and factory preprogrammed public key and where, as soon as the device is powered up, the IP device immediately begins communicating through the wireless access point and the customer's router or modem/router to the internet, checking into a control server.09-20-2012
20120239925SECURE MESSAGING - A method for secure communication of a message. The method includes providing a message including a plurality of message packets, providing a nodal network including a plurality of nodes, where nodal operations are capable of execution on the message packets at the nodes, gaining, by a first node of the network, a first message packet, processing the first message packet by the first node, relinquishing the first message packet as processed by the first node, gaining, by any other node of the network, at least one other message packet, processing the other message packet by the other node, relinquishing the other message packet as processed by the other node, receiving, by a message destination node of the network, a first message packet, receiving, by the message destination node, at least a second message packet, and processing the first message packet and the second message packet to provide a reproduced message.09-20-2012
20090083537SERVER CONFIGURATION SELECTION FOR SSL INTERCEPTION - A network intermediary device such as a transaction accelerator intercepts a client request for a secure communication connection with a server. The intermediary issues a substitute connection request to the server and receives a digital certificate during establishment of a secure communication session between the intermediary and the server. Based on information in the received digital certificate, the intermediary selects an appropriate operational configuration for responding to the client's request. The intermediary consults an ordered list or other collection of digital certificates it possesses, and chooses one having a common name that matches the server's common name. The match may comprise the first matching name, the longest match, the best match, the broadest match (e.g., a certificate having a name that includes one or more wildcard characters), etc. The intermediary then uses the selected certificate (and corresponding private key) to establish a secure communication session with the client.03-26-2009
20120324217SYSTEM AND METHODS FOR FACILITATING SECURE COMMUNICATIONS ON A WEBSITE - A system and methods for facilitating secure communications on a website are presented. The system comprising a security server configured to receive a secure message from a creator device is disclosed. The security server encodes the received message and sends the encoded message or a representation of the encoded message for posting on the website so that one or more users of the website have the ability to request that the security server make the message available after the encoded message has been decoded.12-20-2012
20120324216TUNNEL INTERFACE FOR SECURING TRAFFIC OVER A NETWORK - Methods and systems for a flexible, scalable hardware and software platform that allows a managed security service provider to easily provide security services to multiple customers are provided. According to one embodiment, a request to establish an IP connection between two locations of a subscriber is received at a service management system (SMS) of the service provider. A tunnel is established between service processing switches coupled in communication through a public network. First and second packet routing nodes within the service processing switches are associated with the first and second locations, respectively. An encryption configuration decision is bound with a routing configuration of the packet routing nodes by, when the request is to establish a secure IP connection, configuring the packet routing nodes to cause all packets transmitted to the other location to be encrypted and to cause all packets received from the other location to be decrypted.12-20-2012
20110238980SYSTEM AND METHODS FOR REMOTE MAINTENANCE IN AN ELECTRONIC NETWORK WITH MULTIPLE CLIENTS - A method for verifying electronic software code integrity may comprise providing a list of encryption keys to a client, encrypting a software code packet using one of the plurality of encryption keys, delivering the encrypted software code packet to the client, and informing the client to choose an encryption key for decryption based on the specific time factor. Each encryption key on the list may correlate to a respective time factor. The one of the plurality of encryption keys may be chosen from the list based at least in part on a specific time factor.09-29-2011
20110238979Device for Preventing, Detecting and Responding to Security Threats - A device to prevent, detect and respond to one or more security threats between one or more controlled hosts and one or more services accessible from the controlled host. The device determines the authenticity of a user of a controlled host and activates user specific configurations under which the device monitors and controls all communications between the user, the controlled host and the services. As such, the device ensures the flow of only legitimate and authorized communications. Suspicious communications, such as those with malicious intent or malformed packets, among others, are stopped and reported for analysis and action. Additionally, upon detecting suspicious communication, the device modifies the activated user specific configurations under which the device monitors and controls the communications between the user, the controlled host and the services.09-29-2011
20120278611VPN-BASED METHOD AND SYSTEM FOR MOBILE COMMUNICATION TERMINAL TO ACCESS DATA SECURELY - A VPN-based method for a mobile communication terminal to access data securely comprises: when a data security device is operating in the mobile communication terminal, the data security device allows the mobile communication terminal to access an intranet but inhibits the mobile communication terminal from accessing an external network; and when the data security device is not operating in the mobile communication terminal, a VPN server inhibits the mobile communication terminal from accessing the intranet. The data security device is disposed in the mobile communication terminal. The data security device cooperates with the VPN server to inhibit the user of the mobile communication terminal from sending protected files to the external network via a network when the data security device is deactivated and to inhibit applications running on the data security device from accessing networks outside the VPN resources to release the protected files to the external network.11-01-2012
20120331284Media Agnostic, Distributed, and Defendable Data Retention - A data protector is described. In an implementation, the data protector promotes and enforces a data retention policy of a data consumer. In an implementation, the data protector limits access to sensitive data to the data consumers. A key manager provides a time-limited encryption key to the data protector. Responsive to collection of the time-limited encryption key from the key manager and sensitive data from a data provider, the data protector encrypts the sensitive data with the time-limited encryption key effective to produce encrypted sensitive data. In some embodiments, the data protector provides a data consumer with access to the encrypted sensitive data and the key manager provides the data consumer with access to the time-limited encryption key to decrypt the encrypted sensitive data. The key manager deletes the time-limited encryption key in compliance with the data retention policy of the data consumer.12-27-2012
20110320807SYSTEM AND METHOD FOR PROCESSING ENCODED MESSAGES - Systems and methods for processing encoded messages at a message receiver. A received encoded message is decoded and stored in a memory. The stored decoded message can subsequently be displayed or otherwise processed without repeating the decoding operations. Decoding operations may include signature verification, decryption, other types of decoding, or some combination thereof.12-29-2011
20130013914System and Method for Monitoring Secure Data on a Network - A system and method for monitoring secure digital data on a network are provided. An exemplary network monitoring system may include a network device in communication with a user and a network. Further, a server may be in communication with the network. A browser and monitoring program may be stored on the network device, and the network device may receive secure digital data from the network. The browser may convert the secure digital data or a portion thereof into source data, and the monitoring program may transfer the source data or a portion thereof to the server. In an exemplary embodiment, the monitoring program may include a service component and an interface program.01-10-2013
20130013913ELECTRONIC DEVICE WITH MESSAGE ENCRYPTION FUNCTION AND MESSAGE ENCRYPTION METHOD - An electronic device with a message encryption function includes a configure interface module for setting an encryption code, a storage module, an encryption module, and a message processing module. The message processing module is electrically connected to the configure interface module, the storage module and the encryption module for receiving or sending a message, accessing the encryption code from the configure interface module, and transmitting the message and the encryption code to the encryption module. The encryption module encrypts the message with the encryption code so as to generate an encrypted message and then transmits the encrypted message to the message processing module. The message processing module stores the encrypted message in the storage module.01-10-2013
20130024685PROVISIONING CREDENTIALS FOR EMBEDDED WIRELESS DEVICES - A system and method are used to connect an installed device to a local premise network, such as a home network provided by a router in the home. A user may use a host device, such as a mobile telephone that is already connected to the home network to provide the home network credentials to the installed device without having to enter the home network credentials manually into the installed device such as a thermostat.01-24-2013
20130173910METHOD FOR SHARING SECRET VALUES BETWEEN SENSOR NODES IN MULTI-HOP WIRELESS COMMUNICATION NETWORK - A method for sharing a secret key between a source node and a destination node includes (a) adding, at each forward intermediate node, a secret key between the forward intermediate node and a node before the forward intermediate node to the secret key sharing request message; (b) generating a shared secret key between the source node and the destination node from the secret key between the forward intermediate node and the node before the forward intermediate node added in the secret key sharing request message; (c) adding, at each backward intermediate node, a secret key between the backward intermediate node and a node before it to the secret key sharing response message; and (d) generating the shared secret key between the destination node and the source node from the secret key between the backward intermediate node and the node before it added in the secret key sharing response message.07-04-2013
20080229095METHOD AND APPARATUS FOR DYNAMICALLY SECURING VOICE AND OTHER DELAY-SENSITIVE NETWORK TRAFFIC - A method comprises receiving a request for secure network traffic from a device having a private network address at a source node, obtaining the private network address of a requested destination device at a destination node from a route server based on signaling information associated with the request, obtaining the public network address of the destination node associated with the private network address, creating in response to the request a virtual circuit between the source node and the destination node based on the public network address of the destination node, and encrypting network traffic for transporting at least from the source node to the destination node through the virtual circuit. The process is dynamic in that the virtual circuit is created in response to the request. Hence, the process operates as if a fully meshed network exists but requires less provisioning and maintenance than a fully meshed network architecture. Furthermore, the process is readily scalable as if a hub and spoke network exists but is more suitable for delay-sensitive traffic, such as voice and video, than a hub and spoke network architecture.09-18-2008
20080201574Data encryption apparatus, data decryption apparatus, data encryption method, data decryption method, and data relay apparatus - A RAID system includes a RAID controller that sends to a disk apparatus data to be encrypted by a data relay apparatus connected to the RAID controller and the disk apparatus. When receiving a data transfer request packet indicating a first receivable size, the data relay apparatus establishes a second receivable size that is equal to or greater than the first receivable size and that is a multiple of an encryption data size. When the RAID controller receives a data transfer request packet containing the established second receivable size, and in response to the data transfer request packet thus received, the data relay apparatus receives data of the second receivable size sent from the RAID controller. The data relay apparatus also encrypts the received data in units of the encryption data size, and then the encrypted data is sent to the disk apparatus in units of the first receivable size.08-21-2008
20130173907PKI GATEWAY - A PKI gateway allows an enterprise to maintain a limited number of PKI protocol interfaces while servicing every standard and proprietary PKI protocol used by a customer of the enterprise. The PKI gateway listens for a PKI management request, adds contextual information needed by the certificate authority, translates the request into the appropriate protocol, and executes the request.07-04-2013
20130173908Hash Table Organization - Disclosed are various embodiments for improving hash table utilization. A key corresponding to a data item to be inserted into a hash table can be transformed to improve the entropy of the key space and the resultant hash codes that can be generated. Transformation data can be inserted into the key in various ways, which can result in a greater degree of variance in the resultant hash code calculated based upon the transformed key.07-04-2013
20110264906METHOD AND NODES FOR PROVIDING SECURE ACCESS TO CLOUD COMPUTING FOR MOBILE USERS - A mobile node, a gateway node and methods are provided for securely storing a content into a remote node. The mobile node, or a gateway node of a network providing access to the mobile node, applies a content key to the content prior to sending the content for storage in the remote node. The content key is generated at the mobile node, based on a random value obtained from an authentication server, or directly at the authentication server if applied by the gateway node. The content key is not preserved in the mobile node or in the gateway node, for security purposes. When the mobile node or the gateway node fetches the content again from the remote node, the same content key is generated again for decrypting the content. The remote node does not have access to the content key and can therefore not read or modify the content.10-27-2011
20080222411SYSTEM FOR MANAGING PROGRAM APPLICATIONS STORABLE IN A MOBILE TERMINAL - Management server 09-11-2008
20130179680DIGITAL RIGHTS DOMAIN MANAGEMENT FOR SECURE CONTENT DISTRIBUTION IN A LOCAL NETWORK - Systems and methods for secure content distribution to playback devices connected to a local network via a residential gateway using secure links are disclosed. One embodiment of the invention includes a content server, a rights management server, a residential gateway configured to communicate with the content server and the rights management server via a network, and a playback device configured to communicate with the residential gateway via a local network. In addition, the residential gateway is configured to receive protected content from the content server, the playback device is configured to request access to the protected content from the residential gateway, the residential gateway is configured to request access to the protected content from the rights management server and the request includes information uniquely identifying the playback device, the rights management server is configured to provide access information to the residential gateway when the information uniquely identifying the playback device satisfies at least one predetermined criterion with respect to playback devices associated with the residential gateway, the residential gateway and the playback device are configured to create a secure link between the residential gateway and the playback device via the local network, and the residential gateway is configured to decrypt the protected content using the access information provided by the rights management server and to encrypt the decrypted content for distribution to the playback device via the secure link.07-11-2013
20130138950KEY SETTING METHOD, NODE, AND NETWORK SYSTEM - A key setting method executed by a node transmitting and receiving data through multi-hop communication in an ad-hoc network among multiple ad-hoc networks, includes detecting connection with a mobile terminal communicating with a server connected to a gateway in each ad-hoc network among the ad-hoc networks; transmitting by simultaneously reporting to the ad-hoc network, an acquisition request for a key for encrypting the data when the connection with the mobile terminal is detected at the detecting; receiving from the server via the mobile terminal, a key specific to a gateway and transmitted from the gateway to the server consequent to transfer of the simultaneously reported acquisition request to the gateway in the ad-hoc network; and setting the key specific to the gateway received at the receiving as the key for encrypting the data.05-30-2013
20130091350METHODS AND SYSTEMS FOR PROXYING DATA - Methods and systems are provided for proxying data between an application server and a client device. One exemplary application system includes an application server to generate a virtual application and a proxy server coupled to the application server over a network to provide the virtual application to a client device. The proxy server receives input data from the client device and provides the input data to the application server, wherein the application server encodes the input data for an action in response to authenticating the proxy server and provides the data encoded for the action to the proxy server. The proxy server performs the action on the data and provides the result to the client device.04-11-2013
20130091351DIFFERENTIAL CLIENT-SIDE ENCRYPTION OF INFORMATION ORIGINATING FROM A CLIENT - A method may include allocating a number of public keys, where each respective public key is allocated to a respective entity of a number of entities; storing a number of private keys, where each respective private key corresponds to a respective public key; storing one or more decryption algorithms, where each respective decryption algorithm is configured to decrypt data previously encrypted using at least one encryption algorithm of the encryption algorithms. Each respective encryption algorithm may be configured to encrypt data using at least one public key. Each respective decryption algorithm may be configured to decrypt data using at least one private key. The method may include receiving encrypted data, where the encrypted data is encrypted using a first public key and a first encryption algorithm, and the encrypted data is provided over a network.04-11-2013
20130124853DIGITAL RIGHTS MANAGEMENT DISTRIBUTION SYSTEM - In an example embodiment, a digital content distributor may transmit an unsigned license associated with a protected digital object to a digital rights management provider. The digital rights management provider may digitally sign the license and may transmit the signed license to the digital content distributor.05-16-2013
20130145146SYSTEMS AND METHODS FOR BULK ENCRYPTION AND DECRYPTION OF TRANSMITTED DATA - A method for using a network appliance to efficiently buffer and encrypt data for transmission includes: receiving, by an appliance via a connection, two or more SSL records comprising encrypted messages; decrypting the two or more messages; buffering, by the appliance, the two or more decrypted messages; determining, by the appliance, that a transmittal condition has been satisfied; encrypting, by the appliance in response to the determination, the first decrypted message and a portion of the second decrypted message to produce a third SSL record; and transmitting, by the appliance via a second connection, the third record. Corresponding systems are also described.06-06-2013
20130145145SYSTEM AND METHOD OF SECURING DATA USING A SERVER-RESIDENT KEY - A system and method for increasing security of data is presented. This system uses a remote server to increase the security of locally stored data, even in the presence of physical and software security threats. This method is significantly bolstered when at least a small portion of memory on the local machine used to temporarily store the encryption key is safe from physical and software attacks and can be further bolstered if user-interaction is required upon authentication.06-06-2013
20130145147Content Protection Method - A method for protecting content to be distributed to a pool of receiving terminals connected to a content distribution network and each having a specific security level depending on the technical securing means used, the method comprising the following steps: 06-06-2013
20110213957LAYERED PROTECTION AND VALIDATION OF IDENTITY DATA DELIVERED ONLINE VIA MULTIPLE INTERMEDIATE CLIENTS - A method is provided for securely delivering identity data units over a communications network to a client device. The method includes receiving a selection from a customer identifying a final zipped package to be unpacked. The final zipped package is unpacked to obtain a common package and a digital signature file signed by an entity generating identity data requested by the customer. The digital signature in the digital signature file is verified and the common package is unpacked to obtain a plurality of outer packages and an encrypted symmetric key. The symmetric key is decrypted with a private key associated with the customer and each of the outer packages is decrypted with the symmetric key to obtain a plurality of identity data units.09-01-2011
20130151844Method and Apparatus for Secure Setup of an Encrypted Connection between Two Communication Devices - An electronic device includes a first connection interface and a second connection interface. The first connection interface is operable to exchange security information with another electronic device for use in encrypting data transmissions with the other electronic device. The first connection interface is inoperable to communicate payload data encrypted using the security information. The second connection interface is different than the first connection interface and operable to securely communicate payload data with the other electronic device over an unsecure medium in accordance with the security information exchanged via the first connection interface.06-13-2013
20130151845METHODS, SYSTEMS, AND COMPUTER READABLE MEDIA FOR ENCRYPTING DIAMETER IDENTIFICATION INFORMATION IN A COMMUNICATION NETWORK - The subject matter described herein includes systems, methods, and computer readable media for encrypting Diameter identification information contained in Diameter signaling messages. The system includes a Diameter agent that comprises a network interface configured to receive, from a first Diameter node, a Diameter signaling message that includes Diameter identification information associated with the first Diameter node and a Diameter encryption topology hiding module (ETHM) configured to encrypt the Diameter identification information to generate encrypted Diameter identification information and to replace the Diameter identification information in the Diameter signaling message with the encrypted Diameter identification information. The Diameter agent further includes a routing module configured to route the Diameter signaling message with the encrypted Diameter identification information to a second Diameter node.06-13-2013
20110314273DATA GRADING TRANSMISSION METHOD - A data grading transmission method includes steps of enabling a transmitting terminal to grade data according to a preset data security rule and to mark the data with labels; designating transmission routes of the data according to levels of the graded data; and enabling the data to be transmitted from the transmitting terminal to the receiving terminal through the designated transmission routes, and cascading the data having the same label according to the labels of the data. Thereby, grading data according to privacy and designating transmission routes of data reduce network establishment cost and effectively regulate data transmission rate through the data grading transmission method.12-22-2011
20110314272SECURE TRANSFER OF BUSINESS DATA TO A HOSTED SYSTEM - A system and method for uploading data from a customer system to a hosted system is disclosed. A stub is integrated with a firewall between the customer system and the hosted system. The stub includes an inbound layer on the customer system side of the firewall and an outbound layer on the hosted system side of the firewall, and the inbound layer includes a write-only directory. A daemon is connected between the inbound layer and the outbound layer of the stub. The daemon is configured to recognize newly received data in the write-only directory of the inbound layer, encrypt the newly received data to generate encrypted data, and move the encrypted data to the outbound layer for access by the hosted system.12-22-2011
20130191628Media Path Monitoring Over a Secure Network - Techniques are provided for obtaining header information from a packet configured for real-time communications transport over a network. The header information is used to monitor network performance of one or more secure portions of the network. The packet is encrypted using a security protocol and encapsulated using a transport protocol to produce a transport packet for transmission over the network. The transport packet header information is inserted into the transport packet prior to transmission over the network. The header information is used by a downstream network device or network analyzer to determine performance metrics for the network without decrypting the encrypted packet.07-25-2013
20130191630Auditing and controlling encrypted communications - Use of one or more computer systems may be audited by performing a man-in-the-middle attack against a cryptographic protocol (e.g., SSH) at one or more interceptors, transmitting audit data to a centralized audit server. Operations performed using the encrypted connection may be controlled and restricted.07-25-2013
20130191629SECURE GROUP-BASED DATA STORAGE IN THE CLOUD - Methods of securely storing documents electronically for access by members of a workgroup, methods of changing membership in the workgroup, and systems for providing secure data storage for a workgroup of changeable membership. Various embodiments use an encrypting vault key for a workgroup to encrypt the data files or session keys, and then encrypt the decrypting vault key, which corresponds with the encrypting vault key, using the public key of each member of the workgroup. If the workgroup membership is changed, the decrypting vault key can be re-encrypted with the public keys of each member of the workgroup without needing to download or re-upload the encrypted files associated with that workgroup. Other embodiments are disclosed.07-25-2013
20130191631Auditing and policy control at SSH endpoints - SSH sessions and other protocol sessions (e.g., RDP) may be audited using an interceptor embedded within an SSH server or other protocol server. Operations performed over an SSH connection may be controlled, including controlling what files are transferred.07-25-2013
20120030459Secure Network Extension Device and Method - A network extension device comprising a CPU, memory, protected I/O connectable to local controls and peripherals, external communications port, a trusted device connected to the CPU such that it can provide attestation of the network extension device's trusted operation to a connected known external network, and a protected interface connected to at least one network extension module that includes a local network communications port. Optionally, a traffic encryption module may be provided, and the trusted device's attestation may include a check of its operation. Also, a method comprising connecting the network extension device to an external network, performing an operating mode check, causing the network extension device to operate in a mode and perform a security check that correspond to the result, causing the trusted device to attest trusted operation to the external network and thereafter causing the CPU to function fully and permitting access to the external network.02-02-2012
20120066491HITLESS MANUAL CRYPTOGRAPHIC KEY REFRESH IN SECURE PACKET NETWORKS - In a hitless manual cryptographic key refresh scheme, a state machine is independently maintained at each network node. The state machine includes a first state, a second state, and a third state. In the first state, which is the steady state, a current cryptographic key is used both for generating signatures for outgoing packets and for authenticating signatures of incoming packets. In the second state, which is entered when a new cryptographic key is provisioned, the old (i.e. formerly current) key is still used for generating signatures for outgoing packets; however, one or, if necessary, both of the old key and the newly provisioned key are used for authenticating signatures of incoming packets. In the third state, the new key is used for generating signatures for outgoing packets and either one or both of the old key and new key are used for authenticating signatures of incoming packets.03-15-2012
20120066490CRYPTOGRAPHIC DEVICE MANAGEMENT METHOD, CRYPTOGRAPHIC DEVICE MANAGEMENT SERVER, AND PROGRAM - A cryptographic device management server receives a first cryptographic calculation request from an arbitrary terminal device via a network, transmits a second cryptographic calculation request generated on the basis of the first cryptographic calculation request, management information of the terminal device and management information of the cryptographic device to a cryptographic device selected on the basis of the management information of the terminal devices and management information of the cryptographic devices stored in the cryptographic device management server, via a connection interface, receives a second cryptographic calculation result from the cryptographic device, and transmits a first cryptographic calculation result generated on the basis of the second cryptographic calculation result, the management information of the terminal device and the management information of the cryptographic device to the terminal device of the source of the first cryptographic calculation request via the network.03-15-2012
20120072713General Purpose Distributed Encrypted File System - A general purpose distributed encrypted file system generates a block key on a client machine. The client machine encrypts a file using the block key. Then, the client encrypts the block key on the first client machine with a public key of a keystore associated with a user and associates the encrypted block key with the encrypted data block as crypto metadata. The client machine caches the encrypted data block and the crypto metadata and sends the encrypted data block and the crypto metadata to a network file system server. When the client machine receives a return code from the network file system server indicating successful writes of the encrypted data block and the crypto metadata, the client machine clears the cached encrypted data block and the crypto metadata.03-22-2012
20120096258SERVICE SYSTEM - A service server can: associate identification tags which identify users with other-user identification tags, and store said identification tags; and associate the identification tags with identification data uniquely identifying users in service servers and with an encryption key for the identification data, and store said identification tags. A control server device stores a table for storing encryption data, which is encrypted identifiers of the service servers used by users. The gateway server device receives an other-user identification tag associated with an identification tag and stored in a service server. If the other-user identification tag is associated and stored, the encryption data, which is associated with identification data related to the other-user identification tag and stored in the control server device, is decoded using the encryption key, the service server that can be used by users of the other-user identification tag is obtained, and it is determined whether the first identification tag should be associated with the other-user identification tag.04-19-2012