669 results about "Cryptographic protocol" patented technology

A data processing system implements a security protocol based on processing data in packets. The data processing system comprises processing packets for storing filter code and processing data packets according to stored filter code, and a policy managing function for generating filter code and communicating generated filter code for packet processing. The packet processing function is arranged to examine, whether the stored filter code is applicable for processing a certain packet. If the stored filter code is not applicable for the processing of a packet, the packet is communicated to the policy managing function, which generates filter code applicable for the processing of the packet and communicates the generated filter code for packet processing.

Systems and methods are provided which implement a bridge server to provide user access to one or more secure applications. A bridge server of embodiments is disposed between a user and a secure application and invokes bridge server security protocols with respect to the user and secure application security protocols with respect to the secure application. In operation according to embodiments, client applications will link into a bridge server, the user will be authenticated by the bridge server, and a valid user will be correlated to an account of the secure application by the bridge server. Bridge servers of embodiments facilitate providing features with respect to secure application user access unavailable using the secure application security protocols.

Embodiments of the invention include apparatuses, methods, and computer-program products that provide for a unique financial transaction security system. In one embodiment, the financial transaction security system receives a security protocol from a user. The security protocol includes instructions for allowing transactions without authentication and security features for the user if authentication is necessary. The system then determines that the user is conducting a transaction, compares the transaction to the instructions, and determines whether the transaction can occur without authentication. If the user is required to authenticate his identity, the system requests input from the user, compares the input to the security feature, and determines if the user is authenticated. The user is able to customize both the instructions and the security features to provide greater control over financial transaction security.

A method of distributed collaborative computing is provided. The method includes: partitioning a collaboration function into sub-functions; assigning at least one said sub-function to each of a plurality of logical processes; associating a respective management process with each of said plurality of logical processes, said logical processes configured so that each said logical process is capable of communicating with every other said logical process through said respective management process; communicating between said logical processes using said respective management processes; and monitoring said respective management processes with a single supervisor process; wherein said communicating employs a secure protocol on a dedicated network.

A multi-party security protocol that incorporates biometric-based authentication and withstands attacks against any single party (e.g., mobile phone, cloud, or the user). The protocol involves the function split between mobile and cloud and the mechanisms to chain-hold the secrets. A key generation mechanisms binds secrets to a specific device or URL (uniform resource locator) by adding salt to a master credential. An inline CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) handling mechanism uses the same sensor modality as the authentication process, which not only improves the usability, but also facilitates the authentication process. This architecture further enhances existing overall system security (e.g., handling untrusted or compromised cloud service, phone being lost, impersonation, etc.) and also improves the usability by automatically handling the CAPTCHA.

A federated identity, established through possession of a single sign-on token, will allow a personal wireless device (PWD) to be used in a commercial environment to purchase goods or services, access a building, access a telephone, wireless, or computer network, or in numerous other instances. The token may be obtained by the user authenticating with the PWD and the PWD authenticating with the network. When the PWD comes within range of a service provider, a session is established using a short range wireless protocol, such as Bluetooth or infrared. The session is secured using a security protocol such as SSL, and the service provider authenticates its identity to the PWD. Policy may be implemented regarding transmission of the token to the service provider. Upon receipt of the token, the service provider will validate the token with the federated identity provider, obtain identifying information, and complete the transaction.

A policy-based framework is described. This policy-based framework may be used to specify the privileges for logical entities to perform operations associated with an access-control element (such as an electronic Subscriber Identity Module) located within a secure element in an electronic device. Note that different logical entities may have different privileges for different operations associated with the same or different access-control elements. Moreover, the policy-based framework may specify types of credentials that are used by the logical entities during authentication, so that different types of credentials may be used for different operations and/or by different logical entities. Furthermore, the policy-based framework may specify the security protocols and security levels that are used by the logical entities during authentication, so that different security protocols and security levels may be used for different operations and/or by different logical entities.

An Internet protocol (IP) based location system that employs a global positioning system (GPS) component in connection with a position determining entity (PDE) component to determine location of target mobile station(s) via the Internet. As such the system provides an internet protocol based scheme (e.g., UDP) to initiate a location determination session within a CDMA network. The system can provide a location determining service even when the mobile station(s) are not within a home network (e.g., roaming situations). The system can also employ HTTP over TCP/IP so as to facilitate communications between the mobile station(s) and a mobile positioning center (MPC) (e.g., authentication and/or security protocols/schemes). Furthermore, the system can identify a PDE of a plurality of available PDEs that is most suitable for a given state of the mobile station and/or state of the user and/or particular location based application being employed by the mobile station.

A highly reliable industrial control system is produced using a network running a standard serial protocol. A safety protocol is embedded within the standard serial protocol by adding to special error detecting data redundant with the protocol of the standard serial network. In addition an overarching protocol involving timing of messages is imposed to provide the necessary level of reliability in the standard serial network. This approach allows the safety protocol to be used with a wide variety of commercially available serial communication standards without modification of the media or the specialized integrated circuits used for that communication. Safety protocol may be implemented in an additional level for integrated circuits or through firmware changes in programmable aspects of the industrial controller components.

Cryptographic hashing circuitry such as mining circuitry used to mine digital currency may be formed on an integrated circuit. The hashing circuitry may include sequential rounds of register and logic circuitry that perform operations of a cryptographic protocol. A final hash output from the hashing circuitry may be checked using a difficulty comparison circuit to determine whether the hash output satisfies predetermined difficulty criteria. The difficulty comparison circuit may be configured as a hardwired comparison circuit having logic gates for checking only a subset of bits in the hash output. The comparison circuit may be adapted to change the number of bits that is checked based on a target number of bits for comparison set by the Bitcoin protocol. Candidate solutions found using the hardwired comparison circuit may then be fed to a host controller that checks the entire hash output to determine whether the candidate solution is valid.

A user transaction request is received at a client device. A web browser plug-in communicates the user transaction request to a server that determines whether the user transaction request is a secure transaction. Transaction data is received from the server via the web browser plug-in. If the received transaction data indicates a secure transaction, the user is prompted to provide biometric data from a user using a biometric device and related security protocols. The web browser plug-in then communicates a transaction confirmation to the server.

In one embodiment, the present invention is directed to a processor-based device that prevents unauthorized use, comprising a processor for executing software instructions, software instructions defining at least one user application, a wireless communication subsystem that is operable to transmit and receive data utilizing a wireless protocol, and software instructions defining a security protocol process that is operable to prevent execution of the software instructions defining the at least one user application by the processor when a message is received via the wireless communication subsystem, wherein the message indicates that the processor-based device is not in possession of a rightful user.

An approach provides interdomain traversal to support packetized voice transmissions. A request is received and specifies a directory number for establishing a communication session from a first endpoint to a second endpoint. The first endpoint is behind a first network address translator of a first domain, and the second endpoint is within a second domain. A service provider network is accessed to determine a network address for communicating with the second endpoint based on the directory number, to determine existence of a second network address translator within the second domain, and to establish, if the network address can be determined, a media path between the first endpoint and the second endpoint based on the network address to support the communication session. An encrypted session is established with a proxy server according to a cryptographic protocol to support the media path. The proxy server resides within the second domain.

A transaction system for use with passive data storage media, such as optical memory cards, uses secure protocols involving digital certificates for communication between a read/write drive and the medium and also for communication between the drive and a host computer. The drive is physically secured with tamper resistant features and stores cryptographic keys and firmware for executing the secure protocols. All messages (data or commands) passed between the drive and the passive medium or host computer not only are encrypted but also include at least one digital certificate for authenticating the message. Typically, asymmetric (public-private key) encryption is used and keys may be derived from an authorized user's password, personal identification number, or biometric data. The drive includes sensors to detect any attempted intrusions and a control unit that will destroy the critical information (keys and protocol code) in response to a detected intrusion. The keys and protocols stored in a drive can themselves be changed through appropriate use of a secure protocol involving digital certificates.

A wireless computing device operating as a controller of a peer-to-peer group configured to generate unique master keys for each device joining the group. The wireless computing device may use the unique master keys to selectively remove remote devices from the group such that the remote device cannot later rejoin the group. Other remote devices, each possessing a master key that remains valid, can disconnect from the group and later reconnect to the group without express user action. To support such behavior, the wireless device may provide a user interface through which a user may manage connected remote devices by providing commands to selectively disconnect or remove remote devices from the group.

A processor including general-purpose and cryptographic functionality, in which cryptographic operations are visible to user-specified software. According to one embodiment, a processor may include instruction execution logic configured to execute instructions specified by a user of the processor, where the instructions are compliant with a general-purpose instruction set architecture. The processor may further include a cryptographic functional unit configured to implement a plurality of cryptographic operations, and further configured to process the cryptographic operations independently of the instruction execution logic. A subset of the instructions may be executable to cause individual ones of the cryptographic operations to be processed by the cryptographic functional unit.

Frame of the invention includes three entities: accessing requestor, accessing controller, and strategy manager. The strategy manager manages the accessing requestor and the accessing controller as well as implements bidirectional user ID authentication between them, and evaluates integrality of platform. Based on decision made from the strategy manager, the accessing requestor and the accessing controller control local ports. Before terminal is connected to network, trusty network connection architecture (TNCA) measures state of platform. Based on secure protocol of trusty third party, the invention implements the said authentication and evaluation of platform so as to guarantee security of TNCA. Introducing strategy manager simplifies key management of the architecture, raises extensibility of the architecture. Features are: higher security for evaluating integrality of platform, centralized verifying integrality, and higher universality.

Techniques, systems and methods are described relating to combining biometric and cryptographic techniques to support securely embedding data within a token and subsequent biometrically-enabled recovery of said data. Various transformation approaches are described that provide a secure means for transforming a stored or live, secure biometric-based identity token, embedding data into such tokens and biometric-based matching to both verify the user's identity and recover the embedded data. Security enhancements to a range of existing protocols are described using the techniques. Systems using novel protocols based on these techniques are described

Methods and apparatuses are disclosed for improving DES and other cryptographic protocols against external monitoring attacks by reducing the amount (and signal-to-noise ratio) of useful information leaked during processing. An improved DES implementation of the invention instead uses two 56-bit keys (K1 and K2) and two 64-bit plaintext messages (M1 and M2), each associated with a permutation (i.e., K1P, K2P and M1P, M2P) such that K1P{K1} XOR K2P{K2} equals the “standard” DES key K, and M1P{M1} XOR M2P{M2} equals the “standard” message. During operation of the device, the tables are preferably periodically updated, by introducing fresh entropy into the tables faster than information leaks out, so that attackers will not be able to obtain the table contents by analysis of measurements. The technique is implementable in cryptographic smartcards, tamper resistant chips, and secure processing systems of all kinds.

A system and method for efficient security protocols in a virtualized datacenter environment are contemplated. In one embodiment, a system is provided comprising a hypervisor coupled to one or more protected virtual machines (VMs) and a security VM. Within a private communication channel, a split kernel loader provides an end-to-end communication between a paravirtualized security device driver, or symbiont, and the security VM. The symbiont monitors kernel-level activities of a corresponding guest OS, and conveys kernel-level metadata to the security VM via the private communication channel. Therefore, the well-known semantic gap problem is solved. The security VM is able to read all of the memory of a protected VM, detect locations of memory compromised by a malicious rootkit, and remediate any detected problems.