Entries

Document | Title | Date |
--- | --- | --- |
20080215877 | Offload Processing for Secure Data Transfer - Improvements in security processing are disclosed which enable security processing to be transparent to the application. Security processing (such as Secure Sockets Layer, or “SSL”, or Transport Layer Security, or “TLS”) is performed in (or controlled by) the stack. A decision to enable security processing on a connection can be based on configuration data or security policy, and can also be controlled using explicit enablement directives. Directives may also be provided for allowing applications to communicate with the security processing in the stack for other purposes. Functions within the protocol stack that need access to clear text can now be supported without loss of security processing capability. No modifications to application code, or in some cases only minor modifications (such as inclusion of code to invoke directives), are required to provide this security processing. Improved offloading of security processing is also disclosed, which provides processing efficiencies over prior art offloading techniques. Offload components can be controlled from the kernel, an SSL layer or an application. | 09-04-2008 |
20080235508 | Reducing processing load in proxies for secure communications - In one embodiment, a method for providing secure communications using a proxy is provided. The proxy negotiates with a client and a server to determine a session key to use with communications between the client and the proxy and between the proxy and the server. Encrypted data may then be received from the client at the proxy. The proxy can decrypt the encrypted data for processing using the session key. In one embodiment, the decrypted data is not altered. The proxy then sends the encrypted data that was received from the client to the server without re-encrypting the data that was decrypted. Because the proxy did not alter the data in its processing of the decrypted data and the same session key is used between communications for the proxy and the server, the encrypted data stream that was received from the client can be forwarded to the server. | 09-25-2008 |
20080256353 | Method and Apparatus for Hiding Information in Communication protocol - A method and apparatus for hiding information in a communication protocol signal are disclosed. The apparatus comprises a bit selection unit, an information encoding unit and an information decoding unit, wherein the bit selection unit selects suitable bits in the signal for hiding information, the information encoding unit encodes the information into the suitable bits selected by the bit selection unit, and the information decoding unit decodes the information encoded in the suitable bits. | 10-16-2008 |
20080263352 | Authentication system and method - A security protocol for use by computing devices communicating over an unsecured network is described. The security protocol makes use of secure data provided to a peripheral memory device from a server via a secure connection. When the peripheral memory device is coupled to a computing device that attempts to establish a secure connection to the server, the secure data is used to verify that the server is authentic. Similarly, the secure data assists the server in verifying that the request to access the server is not being made by a malicious third party. | 10-23-2008 |
20080288772 | SYSTEM FOR STORING ENCRYPTED DATA BY SUB-ADDRESS - A system and method for storing encrypted electronic data using a Transmission Control Protocol (TCP), requires leaving both the header and the first 48 bytes of the “0” data packet in the data area of the TCP format in clear text. Consequently, the data can be routed to a main address (storage facility), and then to a sub-address (storage device) for storage. A single compression/encryption operation can be accomplished, before storage, at the host (server), the network switch, or the final storage device. | 11-20-2008 |
20080307218 | System and method for using an out-of-band device to program security keys - A provisioning device is provided that communicates over a trusted out-of-band communications channel to digital electronic devices in order to exchange security data such as passwords and private or public keys, thereby establishing a secure communications network between the devices. | 12-11-2008 |
20090006840 | Using an identity-based communication layer for computing device communication - A computer architecture for enterprise device applications provides a real-time, bi-directional communication layer for device communication. An identity-based communications layer provides for secure, end-to-end telemetry and control communications by enabling mutual authentication and encryption between the devices and the enterprise. The identity-based communications layer is situated between a network layer and an application layer and transmits a message between two devices identified by a global address. The global address specifies a protocol, a network, and an address meaningful for the combination of the protocol and the network. | 01-01-2009 |
20090013174 | METHODS AND SYSTEMS FOR HANDLING DIGITAL RIGHTS MANAGEMENT - Systems and methods according to the present invention address this need and others by providing methods and systems for translating media encrypted by various Digital Rights Management (DRM) techniques. This allows end user equipment to receive media in an IMS/IPTV environment when the end user equipment uses a DRM that is different from the media server which is providing the desired media in both unicast and multicast applications. | 01-08-2009 |
20090044006 | SYSTEM FOR BLOCKING SPAM MAIL AND METHOD OF THE SAME - The present invention generally relates to a system for blocking spam mail and a method of the same, and the system in accordance with the present invention, comprising: a mail transceiver receiving the e-mail, temporarily storing the e-mail in a temporary storage for a set time after authentication mail is transmitted, and deleting the e-mail if a sender's response is not received within the set time, then transmitting the temporarily stored e-mail to mail accounts of recipients of a mail server if the sender's response is received within the set time; an authenticator list classifying and storing, according to each recipient, an e-mail address of the sender authenticated through the authentication mail and an e-mail address of a random sender registered by the recipients of the e-mail to receive the e-mail without authentication; and an authentication processor retrieving whether the e-mail address of the sender is included in the authenticator list, sending the authentication mail to the e-mail address of the sender if the e-mail address of the sender is not included in the authenticator list, and authenticating the sender according to the sender's access and response for the authentication mail. | 02-12-2009 |
20090063849 | DEVICE CERTIFICATE BASED APPLIANCE CONFIGURATION - Embodiments of the present invention address deficiencies of the art in respect to configuring a computing appliance and provide a method, system and computer program product for device certificate based virtual appliance configuration. In one embodiment of the invention, a virtual appliance secure configuration method can be provided. The method can include mounting non-volatile storage to the virtual appliance, retrieving a device certificate from the mounted storage and extracting a signature from the device certificate, activating the virtual appliance in a network domain and acquiring an adapter address and unique identifier for the virtual appliance, and authenticating the signature with the adapter address and unique identifier to ensure a unique active instance of the virtual appliance. | 03-05-2009 |
20090094452 | Efficient Certified Email Protocol - An exemplary optimistic protocol for a two-party transaction includes a setup sub-protocol that includes an authorized Diffie-Hellman key agreement, an exchange sub-protocol that includes sending a certificate from a sending party to a receiving party and sending a receipt from the receiving party to the sending party and a dispute sub-protocol that includes a dispute resolution mechanism for resolving disputes between the sending party and the receiving party due to sending of an invalid certificate, due to sending an invalid receipt, or due to abortion of the exchange sub-protocol. Other exemplary methods, systems, etc., are also disclosed. | 04-09-2009 |
20090100259 | MANAGEMENT NETWORK SECURITY FRAMEWORK AND ITS INFORMATION PROCESSING METHOD - A management network security framework and its information processing method are disclosed. The management network security framework under the present disclosure includes a management station and a managed device. The method under the present disclosure includes: a secure transfer channel is established between the management station and the managed device; the managed device authenticates the management station; and information is exchanged between the management station and the managed device through the secure transfer channel. The embodiment of the present disclosure combines the AAA system, the upper-layer management protocol and the lower-layer security protocol organically. | 04-16-2009 |
20090113201 | SCALEABLE ARCHITECTURE TO SUPPORT HIGH ASSURANCE INTERNET PROTOCOL ENCRYPTION (HAIPE) - A scalable internet protocol (IP) encryption system includes a cryptographic unit that processes sensitive data for packet encryption/decryption and data authentication. A first processing unit with an optional IP Layer hardware accelerator includes a data processing subsystem that processes sensitive data and forwards the data to the cryptographic unit for encryption and data authentication. A management subsystem is operative with the cryptographic unit for configuring IP networking functions and distributing network configuration information to the data processing subsystem through the cryptographic unit. Data processing is separated from management and control functions at the data processing and management subsystems. A second processing unit with an optional IP Layer hardware accelerator receives the encrypted data from the cryptographic unit and processes the encrypted data for IP packet routing, fragmentation and reassembly and receives network configuration information from the management subsystem via the cryptographic unit. | 04-30-2009 |
20090113202 | System and method for providing secure network communications - A method includes receiving a data message, from a first embedded node, in a first end point device. The first data message is addressed to a second embedded node. The method also includes encrypting the first data message to produce an encrypted data message, where the encryption is transparent to the first embedded node. The method further includes transmitting the encrypted data message to a second end point device. An apparatus includes a plurality of embedded node ports each configured to communicate with an embedded node. The apparatus also includes an encrypted communications link port configured to communicate with an end point device. The apparatus further includes a controller connected to communicate with the embedded node ports and the encrypted communications link port. In addition, the apparatus includes a storage connected to be read from and written to by the controller. | 04-30-2009 |
20090113203 | Network System - An encryption communication module on the side of a service providing server reports a global IP address allocated to an NAPT router on the service providing server side and a port number of an outside UDP header used on the global side to an authentication/key exchange server. When receiving an encryption packet from an encryption communication module on the user terminal side, the encryption communication module on the service providing server side overwrites a source/destination IP address of an inside IP header with a source/destination IP address of an outside IP header. The encryption communication module further changes a source port number of an inside TCP/UDP header to a unique value for each communication session in the encryption communication having the same source IP address in the outside IP header. The inverse header change is made when the packet is transmitted to the encryption communication module of the user terminal side. | 04-30-2009 |
20090125712 | NETWORK COMMUNICATIONS SECURITY AGENT - One embodiment of an inventive networking environment includes clients called sending clients because they send network content through a network, and clients called receiving clients because they receive the network content from the sending clients through the network. Both sending clients and receiving clients are “clients” in that they rely on a management server to orchestrate the secure transfer of information from sending clients to receiving clients. | 05-14-2009 |
20090132806 | Method for agreeing between at least one first and one second communication subscriber to security key for securing communication link - The use of suitable measures in a method for agreeing on a security key between at least one first and one second communication station to secure a communication link is improved so that the security level for the communication is increased and the improved method can be combined with already available methods. A first parameter is determined from an authentication and key derivation protocol. In addition, an additional parameter is sent securely from the second to the first communications station. A security key is then determined from the first parameter and the additional parameter. | 05-21-2009 |
20090193247 | PROPRIETARY PROTOCOL TUNNELING OVER EAP - Methods and apparatus provide tunneling one authentication framework over a more widely accepted framework (e.g., EAP). In this manner, pluralities of strong authentication protocols are wirelessly enabled between a supplicant and server that are not otherwise wirelessly enabled. During use, packets are wirelessly transmitted and received between the supplicant and server according to EAP's prescribed message format, including a wireless access point. In a tunnel, various authentication protocols form the payload component of the message format which yields execution capability of more than one protocol, instead of the typical single protocol authentication. Certain tunneled frameworks include NMAS, LDAP/SASL, Open LDAP/SLAPD, or IPSEC. Computer program products, computing systems and various interaction between the supplicant and server are also disclosed. | 07-30-2009 |
20090193248 | Processing Multiple Wireless Communications Security Policies - A computer program product for processing wireless data packets allows for processing packets to consolidate security processing. Security processing is performed in accordance with multiple security policies. This processing is done in a single front end processing block. Different security processes can be performed in parallel. Processing overhead is reduced by eliminating the need to redundantly check packet characteristics to assess the different security requirements imposed by security policies. Further, the present invention also substantially reduces the CPU cycles required to transport data back and forth from memory to a cryptographic coprocessor. | 07-30-2009 |
20090210696 | Method of bootstrapping an authenticated data session configuration - An inventive method is disclosed for bootstrapping a trusted client public key at the server side in a client-server model of e-commerce or distributed computer applications. Generally, the invention integrates security technique elements and user procedural elements in such a way that no vulnerability arises due to the decoupling of elements. It is thus aimed at high security application areas. The readily available support of X.509 client security certificates in web browsers is advantageous for easy deployment at the client side. However, serious usability flaws deter the use of client certificates despite their potential for high security client authentication. The invention circumvents this contradiction at the client registration phase, and extends the benefits of simplified reliance on client public-private key pair to production use of the circumvention. Many variations of the inventive idea are disclosed, including the use of a dummy client security certificate that addresses the interoperability pitfalls of the X.509 technology while the trust in the client public key rests on other elements of the inventive method. | 08-20-2009 |
20090217029 | KERBEROS TICKET VIRTUALIZATION FOR NETWORK LOAD BALANCERS - An exemplary group ticket for a Kerberos protocol includes a service ticket encrypted with a dynamic group key and a plurality of enveloped pairs where each pair includes a name associated with a member of a group and an encrypted dynamic group key for decryption by a key possessed by the member of the group, where decryption of an encrypted dynamic group key allows for decryption of the service ticket. Other exemplary methods, systems, etc., are also disclosed. | 08-27-2009 |
20090254745 | EFFICIENT SECURITY FOR MASHUPS - The present invention provides a method that facilitates secure cross domain mashups in an efficient fashion. The invention allows a first entity, the Masher, to establish at a second entity, the User, a secure mashup by obtaining information from, or taking actions at, a third entity, the Mashee, by using a novel twist to the SSL protocol. The invention is further extended to secure a hub and widget architecture, which allows one Masher to establish at a User, communication with several Mashees. Mutual authentication of all entities, key distribution for authentication, privacy and code verification and dynamic authorization based on the certificate information are provided by the invention. | 10-08-2009 |
20090265541 | ADDRESSING AND ROUTING MECHANISM FOR WEB SERVER CLUSTERS - A method of establishing a Host Identity Protocol session between first and second Host Identity Protocol enabled hosts, where at least said second host is located behind a reverse-proxy. The method comprises providing the reverse-proxy with Diffie-Hellman public keying material of the second host, sending said Diffie-Hellman public keying material from the reverse-proxy to the first host as part of the Host Identity Protocol base exchange procedure, this material being bound to the Host Identity of the reverse-proxy for the purpose of the Host Identity Protocol session, and, at the first host, using the Host Identity of the reverse-proxy as the correspondent Host Identity for the Host Identity Protocol session, and, at the second host, using the Host Identity of the reverse-proxy as the originating Host Identity for the Host Identity Protocol session. | 10-22-2009 |
20090265542 | Home Node B System Architecture - Some embodiments provide methods and systems for integrating a first communication system with a core network of a second communication system that has a licensed wireless radio access network. The first communication system includes one or more user hosted access points that operate using short range licensed wireless frequencies in order to establish service regions of the first communication system and a network controller for communicatively coupling the service regions to the core network. The first communication system includes a Home Node-B (HNB) system where the access points are Home Node-Bs and the network controller is an HNB Gateway (HNB-GW). Some embodiments define multi-layered protocol stacks for implementing management functionality and control plane functionality for the access points and the network controller. The HNB is connected to the HNB-GW via the Iuh interface. The Iuh management functionality is provided via an HNBAP protocol layer, and control plane functionality, such as relay of RANAP, is provided via a RUA protocol layer. | 10-22-2009 |
20090265543 | Home Node B System Architecture with Support for RANAP User Adaptation Protocol - Some embodiments are implemented in a communication system that includes a first communication system comprised of a licensed wireless radio access network and a core network, and a second communication system comprising a plurality of user hosted access points and a network controller. In some embodiments, each access point operates using short range licensed wireless frequencies to establish a service region. In some embodiments, the network controller communicatively couples the core network to the plurality of access points. The method uses three sets of protocol layers: a security layer, a transport layer, and a layer for transferring Radio Access Network Application Part (RANAP) messages, to communicate between the network controller and one of the access points. The method also uses the Iuh interface for the transport of messages across the three sets of protocol layers. | 10-22-2009 |
20090271612 | METHOD, SYSTEM AND DEVICE FOR REALIZING MULTI-PARTY COMMUNICATION SECURITY - A method for realizing multi-party communication security includes: performing identification authentication and negotiating to create an initiation session through running the transport layer security protocol or datagram transport layer security protocol by a Group Control and Keying Server and a group member device; distributing a group session and a rekeying session to the group member device through running a group key management sub-protocol on the Group Control and Keying Server and the group member devices; rekeying through running the group key management sub-protocol on the Group Control and Keying Server and the group member devices, when a rekeying event is detected by the Group Control and Keying Server. A relevant multi-party communication security system and a device are further provided in the present invention. | 10-29-2009 |
20090271613 | METHOD AND SYSTEM FOR PROVIDING NON-PROXY TLS/SSL SUPPORT IN A CONTENT-BASED LOAD BALANCER - Methods and systems for providing non-proxy Secure Sockets Layer and Transport Layer Security (SSL/TLS) support in a content-based load balancer are described. A Transmission Control Protocol (TCP) connection is accepted from a client, and an SSL/TLS connection is established with the client such that random data used in key generation is created. A request is received from the client, and the request is decrypted. The request is processed, a target stack is selected, and the TCP connection, the SSL/TLS connection, and the random data are transferred to the selected target stack such that the client and selected target stack maintain an end-to-end TCP connection with a non-proxy SSL/TLS connection. | 10-29-2009 |
20090282236 | Method And Apparatuses For Establishing A Secure Channel Between A User Terminal And A SIP Server - A method of establishing a secure communication channel between a user terminal ( | 11-12-2009 |
20090287920 | METHOD FOR ESTABLISHING BI-DIRECTIONAL MESSAGING COMMUNICATIONS WITH WIRELESS DEVICES AND WITH REMOTE LOCATIONS OVER A NETWORK - A method, server, device and computer readable medium for establishing a bi-directional communication session between a first device and a server is provided. During the method, a first transport layer connection between the first device and the server is established. The first device is then authenticated with the server over the first transport layer connection. In the event that authenticating the first device is successful, the server and the first device establish a persistent, bi-directional communication session over the first transport layer connection. | 11-19-2009 |
20090300345 | Concept for Client Identification and Authorization in an Asynchronous Request Dispatching Environment - The present invention provides client and server identity validation in an asynchronous request dispatching environment with client-side aggregation. An application server receives an asynchronous include request from a client. A first unique identifier associating the client with the asynchronous include is generated and sent to a results server. A second unique identifier identifying the results server is generated and sent to the application server. Results of the asynchronous include are stored in the results server. The application server sends the first and second unique identifiers to the client, which polls the results server and sends the second unique identifier to the results server. The results server uses the second unique identifier to verify the identity of the client. The results server sends the first unique identifier to the client. The client uses the first unique identifier to validate the identity of the results server. | 12-03-2009 |
20090313464 | MIXED MODE SECURITY FOR MESH NETWORKS - Mixed mode security is provided for a mesh network comprising a plurality of open mesh points and at least one secure mesh point that is capable of sending and receiving encrypted traffic. Aspects of the exemplary embodiment include configuring the secure mesh point to forward unencrypted traffic received from one of the plurality of open mesh points; and configuring the secure mesh point to be a source of unencrypted source traffic, and to receive unencrypted traffic that is destined for the secure mesh point to enable routes in the mesh network to terminate at the secure mesh point. | 12-17-2009 |
20090319771 | CONTEXT AWARE SECURITY - Layered semantic security provides a high degree of security for a mobile device based upon contextual awareness that dynamically changes based upon interaction between a user and a near communication device, which in turn interacts with a network, which ultimately interacts to a far communication device. Generating a shared secret key with a master secret and this changing contextual information based on context awareness provides immunity to chosen plain text attacks by providing semantic security at each layer. Thereby, relying upon the overall robustness of the layering of semantic security, processing and power resources consumed can be advantageously adjusted dynamically to enhance concurrent use and service life of a mobile communication device. | 12-24-2009 |
20090327695 | SYSTEMS AND METHODS FOR APPLYING ENCRYPTION TO NETWORK TRAFFIC ON THE BASIS OF POLICY - An information handling system including a receiver for inbound data destined for delivery to a network node, an encryption recognition engine operable to identify whether the inbound data received by the receiver is encrypted and an encryption policy application engine operable to apply encryption policy to the inbound data on the basis of encryption properties identified by the encryption recognition engine in the inbound data. The system may further include an encryption engine operable to selectively encrypt the inbound data on the basis of the encryption policy as applied by the encryption policy application engine and a packet delivery engine operable to deliver the inbound data to its destination. | 12-31-2009 |
20090327696 | AUTHENTICATION WITH AN UNTRUSTED ROOT - Techniques and systems for authentication with an untrusted root between a client and a server are disclosed. In some aspects, a client may connect to a server. The server and client may initiate a secure connection by exchanging certificates. The server may accept a client certificate having an untrusted root that does not chain up to a root certificate verifiable to the server certificate authority. In further aspects, the server may enable the client to associate an untrusted certificate with an existing account associated with the server. The client certificate may be hardware based or generated in software, and may be issued to the client independent of interactions with the server. | 12-31-2009 |
20090327697 | NETWORK SECURITY PROCESSING METHOD AND SYSTEM FOR SELECTING ONE OF SOFTWARE AND HARDWARE CRYPTOGRAPHIC MODULES BY MEANS OF MULTIMEDIA SESSION INFORMATION - In a network security processing method and system for selecting one of software and hardware cryptographic modules by means of multimedia session information, the method includes the following steps: subjecting a plurality of packets of a multimedia session to signaling processing so as to obtain multimedia session information contained in the multimedia session, subjecting the multimedia session to a key authentication negotiation and according to the multimedia session information, making a determination to activate one of the software cryptographic module and the hardware cryptographic module. If the hardware cryptographic module is activated, the hardware cryptographic module performs network security processing of the packets of the multimedia session. If the software cryptographic module is activated, the software cryptographic module performs the network security processing of the packets of the multimedia session. | 12-31-2009 |
20100005288 | SYSTEMS AND METHODS FOR ADJUSTING THE MAXIMUM TRANSMISSION UNIT BY AN INTERMEDIARY DEVICE - The present invention is generally directed towards a remote access architecture for providing peer-to-peer communications and remote access connectivity. In one embodiment, the remote access architecture of the present invention provides a method for establishing a direct connection between peer computing devices via a third computing device, such as a gateway. Additionally, the present invention provides the following techniques to optimize peer-to-peer communications: 1) false acknowledgement of receipt of network packets allowing communications via a lossless protocol of packets constructed for transmission via a lossy protocol, 2) payload shifting of network packets allowing communications via a lossless protocol of packets constructed for transmission via a lossy protocol, 3) reduction of packet fragmentation by adjusting the maximum transmission unit (MTU) parameter, accounting for overhead due to encryption, 4) application-aware prioritization of client-side network communications, and 5) network disruption shielding for reliable and persistent network connectivity and access. | 01-07-2010 |
20100017595 | Security In Networks - Embodiments related to security in networks are described and depicted. | 01-21-2010 |
20100031016 | PROGRAM METHOD, AND DEVICE FOR ENCRYPTION COMMUNICATION - An encryption communication method for performing communication that includes a data transfer phase for transmission of content data and a handshake phase for user authentication or agreement on the transmission method for content data, the method comprising: storing one set of a plurality of content data for multiple users in a common transmission communication region provided for the multiple users; transferring the stored one set of the plurality of content data during the data transfer phase when transferring content data of the multiple users to a communication target device; and receiving the stored one set of the plurality of content data using a plurality of transmission-reception communication regions provided for each of the multiple users. | 02-04-2010 |
20100049965 | METHOD AND APPARATUS FOR PROTECTING PERSONAL INFORMATION IN A HOME NETWORK - A method for protecting personal information in a home network is provided, in which a controlled device receives a subscribe request for a service of the controlled device, from a control point, and accepts the subscribe request. The controlled device receives information about the control point from the control point, and performs event delivery to the control point according to a policy that is set based on the information about the control point, when an event occurs in the controlled device. | 02-25-2010 |
20100064130 | SECURE HOST CONNECTION - The present patent disclosure describes a system and method for maintaining persistent secure connections between a terminal and a host. The system comprises a session manager component for storing session information associated with a terminal identifier (ID) of the terminal, the session information comprising a client connection ID for identifying a persistent secure client connection and a terminal connection ID for identifying a secure terminal connection. The system also comprises a connection manager component for establishing communication between the persistent secure client connection, identified by the client connection ID, and the secure terminal connection, identified by the terminal connection ID. The method comprises the step of storing session information associated with a terminal identifier (ID) of the terminal, the session information comprising a client connection ID for identifying a persistent secure client connection and a terminal connection ID for identifying a secure terminal connection. The method further comprises the step of establishing communication between the persistent secure client connection, identified by the client connection ID, and the secure terminal connection, identified by the terminal connection ID. | 03-11-2010 |
20100088504 | System and Method for Implementing an Enhanced Transport Layer Security Protocol - A system and method for implementing an enhanced transport layer security (ETLS) protocol is provided. The system includes a primary server, an ETLS servlet and an ETLS software module. The primary server operates on a computer network and is configured to communicate over the computer network using a non-proprietary security protocol. The ETLS servlet also operates on the computer network and is securely coupled to the primary server. The ETLS servlet is configured to communicate over the computer network using an ETLS security protocol. The ETLS software module operates on a mobile device, and is configured to communicate over the computer network using either the non-proprietary security protocol or the ETLS security protocol. Operationally, the ETLS software module initially contacts the server over the computer network using the non-proprietary security protocol, and subsequently contacts the server through the ETLS servlet using the ETLS security protocol. | 04-08-2010 |
20100095109 | Method for Managing Opaque Presence Indications Within a Presence Access Layer - A method for a presentity to provide private presence information for a watcher. The method includes the presentity providing the private presence information in an encrypted form. The method also includes a presence access layer obtaining the private presence information. The method also includes the presence access layer performing one of decrypting the private presence information and sending the decrypted private presence information to the watcher, and leaving the private presence information in the encrypted form and sending the encrypted private presence information to the watcher, wherein the watcher decrypts the private presence information. | 04-15-2010 |
20100122078 | SYSTEMS AND METHODS FOR CREATING A CODE INSPECTION SYSTEM - A code inspection system produces a dynamic decoy machine that closely parallels one or more protected systems. The code inspection system can analyze and monitor one or more protected systems, and as those protected systems are updated, altered or modified, the dynamic decoy machine, in which potentially malicious code is tested, can also be updated. Thus, the dynamic decoy machine can accurately reflect the current state of the one or more protected systems such that the potentially destructive nature, if any, of suspicious code can be evaluated as if it were in the actual environment of the protected system, without jeopardizing the security of the protected system. | 05-13-2010 |
20100125729 | SYSTEM AND METHOD OF PERFORMING ELECTRONIC TRANSACTIONS - A system and method of performing electronic transactions between a server computer and a client computer. The method implements a communication protocol with encrypted data transmission and mutual authentication between a server and a hardware device via a network, performs a decryption of encrypted server responses, forwards the decrypted server responses from the hardware device to the client computer, displays the decrypted server responses on a client display, receives requests to be sent from the client computer to the server, parses the client requests for predefined transaction information by the hardware device, encrypts and forwards client requests, displays the predefined transaction information upon detection, forwards and encrypts the client request containing the predefined transaction information to the server if a user confirmation is received, and cancels the transaction if no user confirmation is received. | 05-20-2010 |
20100131750 | METHOD TO CONSTRUCT A HIGH-ASSURANCE IPSEC GATEWAY USING AN UNMODIFIED COMMERCIAL IMPLEMENTATION - A system and method of providing secure communications is provided. Messages are encrypted or decrypted in protected memory of a processor. Outbound messages from a secure network are prepared for encryption by adding a header outside of the protected memory and then encrypted in the protected memory. The encryption is performed by retrieving a key from a key cache as designated by rules in the header. The encrypted message is sent to the unsecure network. An inbound message from an unsecure network that is received in unprotected memory is sent to a decryption module in protected memory. The inbound message is decrypted using a key designated in its header and retrieved from the key cache. The decrypted message is returned to the unprotected memory, where it is stripped of the encryption header and then sent to its destination within the secure network. | 05-27-2010 |
20100131751 | SUPPORT OF PHYSICAL LAYER SECURITY IN WIRELESS LOCAL AREA NETWORKS - A method and an apparatus for performing physical layer security operation are disclosed. A physical layer performs measurements continuously, and reports the measurements to a medium access control (MAC) layer. The MAC layer processes the measurements, and sends a security alert to a security manager upon detection of an abnormal condition based on the measurements. The security manager implements a counter-measure upon receipt of the security alert. The measurements include channel impulse response (CIR), physical medium power measurement, automatic gain control (AGC) value and status, automatic frequency control (AFC) gain and status, analog-to-digital converter (ADC) gain, Doppler spread estimate, and/or short preamble matched filter output. The security manager may switch a channel, switch a channel hopping policy, change a back-off protocol, or change a beamforming vector upon reception of the security alert. | 05-27-2010 |
20100138648 | INFORMATION PROCESSING APPARATUS - To efficiently perform encryption/decryption and message authentication processing for a plurality of messages in parallel, an information processing apparatus includes a plurality of encryption/decryption and message authentication units which can perform encryption/decryption processing and message authentication processing by switching between them in a predetermined block unit, and are configured to be operable in parallel, and a data transfer control unit which distributes processing target data associated with an encryption/decryption and message authentication processing request to the plurality of encryption/decryption and message authentication units. The data transfer control unit distributes the processing target data so that each of the plurality of encryption/decryption and message authentication units alternately performs the encryption/decryption processing and the message authentication processing in the predetermined block unit for each processing request included in a plurality of processing requests. | 06-03-2010 |
20100138649 | TRANSMISSION OF PACKET DATA OVER A NETWORK WITH SECURITY PROTOCOL - A method, device, system and computer program for providing a transport distribution scheme for a security protocol are disclosed. A first packet data connection is established to a remote node for transmitting packet data over a network with a security protocol. An authentication procedure is performed with the remote node via the first packet data connection for establishing a security protocol session with the remote node. At least one security parameter is negotiated with the remote node for transmitting packets through the first packet data connection. A second packet data connection is established to the remote node, and at least one security parameter is negotiated with the remote node for use with the second packet data connection. The first and second packet data connections are handled as packet data subconnections associated with the security protocol session. | 06-03-2010 |
20100153701 | Layer two encryption for data center interconnectivity - Systems, methods, and other embodiments associated with layer two (L | 06-17-2010 |
20100153702 | TLS KEY AND CGI SESSION ID PAIRING - The prevention of impersonation attacks based on hijacked common gateway interface (CGI) session IDs is disclosed. In accordance with one embodiment, a secured communication channel is formed between a server and a client using an initial transport layer security (TLS) key. Additionally, an authenticated CGI session is formed over the secured communication channel based on an initial CGI session identifier (ID). Further, the initial CGI session ID and the initial TLS key are combined into a pair. Next, incoming data that includes an incoming CGI session ID is received via a secured communication channel. An incoming TLS key of the secured communication channel that carries the incoming CGI session ID is then retrieved. Based on the retrieved incoming TLS key, the incoming data is permitted to execute on the server when the incoming TLS key matches the initial TLS key of the pair. | 06-17-2010 |
20100161958 | Device for Realizing Security Function in Mac of Portable Internet System and Authentication Method Using the Device - The present invention relates to a device for performing a security function in a medium access control (MAC) layer in a wireless portable Internet system and an authentication method thereof. In the wireless portable Internet system including a physical layer and the MAC layer, a security sublayer (i.e., the device for performing the security function in the MAC layer) is provided on a MAC common part sublayer. The security sublayer includes a privacy key management (PKM) control management module, a traffic data encryption/authentication module, a control message processing module, a message authentication module, a Rivest Shamir Adleman (RSA)-based authentication module, an authentication control/security association (SA) control module, and an extensible authentication protocol (EAP) encapsulation/decapsulation module. | 06-24-2010 |
20100161959 | METHOD AND APPARATUS FOR EXTENDING TRANSPORT LAYER SECURITY PROTOCOL FOR POWER-EFFICIENT WIRELESS SECURITY PROCESSING - Embodiments of the invention relate to apparatus, system and method for security extensions to the IETF Transport Layer Protocol (TLS) and IPsec standards that enable wireless devices to perform power-efficient and streamlined security packet processing. Embodiments of the invention enable a processor to use its existing cryptographic processing engines (e.g., AES-CCM) to perform TLS and IPsec security processing. Packets processed for WLAN and TLS security are processed in a pipelined manner, eliminating the multi-loop processing that currently exists and decreasing the power consumed to process each packet. In addition, the host/chipset complex is woken up only after all security processing has been done in the WNIC. | 06-24-2010 |
20100191956 | METHOD AND APPARATUS OF COMMUNICATING SECURITY/ENCRYPTION INFORMATION TO A PHYSICAL LAYER TRANSCEIVER - An apparatus for providing link layer security in a Physical Layer Transceiver (PHY) is disclosed. In one embodiment, the apparatus may comprise analog circuitry configured to interface with a data transmission medium, digital circuitry configured to interface with a Media Access Controller (MAC), and a crypto engine coupled to the digital circuitry. Single interface and multiple interface schemes are provided to control both PHY and crypto functions. Embodiments are disclosed where the PHY controls the crypto device, and where the crypto device controls the PHY. | 07-29-2010 |
20100205427 | INTRODUCING ENCRYPTION, AUTHENTICATION, AND AUTHORIZATION INTO A PUBLICATION AND SUBSCRIPTION ENGINE - A plurality of protocol stacks are deployed. Each of the protocol stacks includes a plurality of composable protocol modules, and each of the composable protocol modules implements common interfaces. It is detected that a first given one of a plurality of clients wishes to connect to a publication-subscription engine and it is determined whether the first given one of the plurality of clients is to be connected in a secure manner. Responsive to determining that the first given one of the plurality of clients is to be connected in the secure manner, an encrypted instance of a first appropriate one of the plurality of protocol stacks is instantiated to effectuate the secure connection. The first given one of the plurality of clients is authenticated and authorized. | 08-12-2010 |
20100228964 | Ethernet PHY Level Security - A system and method are provided for securing links at the physical (PHY) layer in an IEEE 802.3 Ethernet communication system. A local device (LD) receives an electrical waveform representing link partner security information from a network-connected link partner (LP) via unformatted message pages. The LD accesses predetermined LP reference information stored in a tangible memory medium. The LD compares the received LP security information to the LP reference information. In response to the LD matching the received LP security information to the LP reference information, a secure link to the LP is verified. Likewise, the LD may send electrical waveforms representing security information to the LP via the unformatted message pages. In response to the LP matching the LD security information to the LD reference information, a secure link to the LD is verified. | 09-09-2010 |
20100235619 | IMAGE PROCESSING APPARATUS, COMMUNICATION SYSTEM, CONTROL METHOD THEREOF, AND STORAGE MEDIUM - An apparatus connected to a network via a network interface device and capable of executing encrypted communication with an external device on the network requests that a first algorithm to be used in the encrypted communication with the external device is changed to a second algorithm included in the network interface device when the apparatus detects that a condition for shifting to a power saving mode, in which power consumption is smaller than that in a normal power mode, is satisfied while the apparatus is operated in the normal power mode. | 09-16-2010 |
20100235620 | Method and Arrangement for Deciding a Security Setting - The present invention relates to a method and arrangements in a mobile telecommunications network including a plurality of access points ( | 09-16-2010 |
20100241846 | SYSTEM AND METHOD FOR ESTABLISHING A VIRTUAL PRIVATE NETWORK - A system and method for establishing a virtual private network (VPN) between a client and a private data communication network. An encrypted data communication session, such as a Secure Sockets Layer (SSL) data communication session, is established between a gateway and the client over a public data communication network. The gateway then sends a programming component to the client for automatic installation and execution thereon. The programming component operates to intercept communications from client applications destined for resources on the private data communication network and to send the intercepted communications to the gateway via the encrypted data communication session instead of to the resources on the private data communication network. | 09-23-2010 |
20100268932 | SYSTEM AND METHOD OF VERIFYING THE ORIGIN OF A CLIENT REQUEST - A system and method for verifying the origin of a client request. The system includes two devices, a “Security Device” which resides within the web-server in the client end, and an “Authenticator Device” which resides within the web-server in the server end. The “Security Device” adds an Extended Validation SSL (EV SSL) certificate to the client-side web-request. The “Authenticator Device” then parses the http request from the client, gets the EV SSL certificate and gets the “Organization Name” of the client from this EV SSL certificate. If the “Organization Name” matches the list of organizations with which the “Authenticator Device” is allowed to do a transaction, then the client request is authenticated and the transaction goes through; otherwise the client request is denied. | 10-21-2010 |
20100268933 | METHOD FOR NETWORK TRAFFIC MIRRORING WITH DATA PRIVACY - Systems and methods are provided for preserving the privacy of data contained in mirrored network traffic. The mirrored network traffic may comprise data that may be considered confidential, privileged, private, or otherwise sensitive data. For example, the data payload of a frame of mirrored network traffic may include private Voice over IP (VoIP) communications between users on one or more networks. The present invention provides various techniques for securing the privacy of data contained in the mirrored network traffic. Using the techniques of the present invention, network traffic comprising confidential, privileged, private, or otherwise sensitive data may be mirrored in such a manner as to provide for the privacy of such data over at least a portion if not all of the mirrored communications between the mirror source point and the mirror destination point. | 10-21-2010 |
20100281249 | MEDIA INDEPENDENT HANDOVER PROTOCOL SECURITY - An apparatus for providing security to media independent handover service includes a point of service for providing the media independent handover services including an independent authenticator. The independent authenticator authenticates candidate access networks prior to the handover of the mobile devices from serving access networks to the candidate access networks, where each of the serving access networks and the candidate access networks belong to a plurality of heterogeneous access networks having the specific serving media. An access controller applies an access control through an access authentication with the point of service providing the media independent handover services through an authentication server, in which when the access authentication is established between the point of service and the authentication server, the mobile devices are authorized to access the media independent handover services through the point of service for the mobile devices attached between heterogeneous media. | 11-04-2010 |
20100281250 | AUTHENTICATION AND ENCRYPTION METHOD AND APPARATUS FOR A WIRELESS LOCAL ACCESS NETWORK - This invention pertains to the field of Wireless Local Area Networks (WLAN). This invention allows a secure connection of a user client station to a base unit. The secure connection comprises the use of authentication and encryption means. The base unit comprises a switching unit, at least one firewall, an authentication/encryption unit and at least one port device. The invention also provides a secure roaming scheme for when roaming is performed by a wireless user. | 11-04-2010 |
20100293369 | METHOD FOR REACTIVATION OF A SECURE COMMUNICATION LINK - The invention relates to a method of reactivating a safe communication connection between client computers and a server after restarting the server, wherein safe communication connections are provided between the server and the client computers for the transmission of data. After restarting, or rebooting the server, a data packet is therefore transmitted ( | 11-18-2010 |
20100306525 | EFFICIENT DISTRIBUTION OF COMPUTATION IN KEY AGREEMENT - In Transport Layer Security (TLS) or other communication protocols, the load on the server may be lowered by reducing the number of expensive decryption operations that the server has to perform. When a client contacts a server, the client sends the server the client's public key. The server chooses a secret value, encrypts the value with the client's public key, and sends the encrypted value to the client. When the client decrypts the secret, the server and client share a secret value, which may be used to derive an encryption key for further messages. In many key agreement schemes, the client chooses and encrypts the secret value, and the server recovers the value with an expensive decryption operation. By instead having the server choose the value and send it to the client, an expensive decryption operation is redistributed from the server to the client, thereby freeing server resources. | 12-02-2010 |
20100318784 | CLIENT IDENTIFICATION FOR TRANSPORTATION LAYER SECURITY SESSIONS - Systems, methods, and other embodiments associated with client identification for transportation layer security sessions are described. One example method includes monitoring a first transportation layer security (TLS) communication between a server and a client. The example method may also include interrupting the first TLS communication and causing the first TLS communication to be interrupted. The example method may also include initiating a second TLS communication with a client side device. The second TLS communication may request a certificate from the client side device. The certificate may include secure information that identifies the client. The example method may also include receiving the certificate from the client side device. The example method may also include authenticating the client, the client side device, and so on, based, at least in part, on the certificate. | 12-16-2010 |
20100325418 | SYSTEMS AND METHODS FOR SSL SESSION CLONING - TRANSFER AND REGENERATION OF SSL SECURITY PARAMETERS ACROSS CORES, HOMOGENOUS SYSTEM OR HETEROGENEOUS SYSTEMS - The present invention is directed towards systems and methods for managing SSL session persistence and reuse in a multi-core system. A first core may indicate that an SSL session established by the first core is non-resumable. Responsive to the indication, the core may set an indicator at a location in memory accessible by each core of the multi-core system, the indicator indicating that the SSL session is non-resumable. A second core of the multi-core system may receive a request to reuse the SSL session. The request may include a session identifier of the SSL session. In addition, the session identifier may identify the first core as an establisher of the SSL session. The second core can identify from encoding of the session identifier whether the second core is not the establisher of the SSL session. Responsive to the identification, the second core may determine whether to resume the SSL session. | 12-23-2010 |
20100325419 | SYSTEMS AND METHODS FOR ENCODING THE CORE IDENTIFIER IN THE SESSION IDENTIFIER - The present invention is directed towards systems and methods for managing SSL session persistence and reuse in a multi-core system. A first core may indicate that an SSL session established by the first core is non-resumable. Responsive to the indication, the core may set an indicator at a location in memory accessible by each core of the multi-core system, the indicator indicating that the SSL session is non-resumable. A second core of the multi-core system may receive a request to reuse the SSL session. The request may include a session identifier of the SSL session. In addition, the session identifier may identify the first core as an establisher of the SSL session. The second core can identify from encoding of the session identifier whether the second core is not the establisher of the SSL session. Responsive to the identification, the second core may determine whether to resume the SSL session. | 12-23-2010 |
20100325420 | SYSTEMS AND METHODS FOR HANDLING SSL SESSION NOT REUSABLE ACROSS MULTIPLE CORES - The present invention is directed towards systems and methods for managing SSL session persistence and reuse in a multi-core system. A first core may indicate that an SSL session established by the first core is non-resumable. Responsive to the indication, the core may set an indicator at a location in memory accessible by each core of the multi-core system, the indicator indicating that the SSL session is non-resumable. A second core of the multi-core system may receive a request to reuse the SSL session. The request may include a session identifier of the SSL session. In addition, the session identifier may identify the first core as an establisher of the SSL session. The second core can identify from encoding of the session identifier whether the second core is not the establisher of the SSL session. Responsive to the identification, the second core may determine whether to resume the SSL session. | 12-23-2010 |
20100332822 | WIRELESS MULTIBAND SECURITY - A network device includes a first physical layer (PHY) module, a second physical layer (PHY) module, and a security module. The first PHY module is configured to operate in a first frequency band. The second PHY module is configured to operate in a second frequency band. The security module is configured to establish security for the first frequency band responsive to the network device operating in the first frequency band. The security module is further configured to establish security for the second frequency band prior to the network device switching operation from the first frequency band to the second frequency band. | 12-30-2010 |
20110016307 | Authorization, authentication and accounting protocols in multicast content distribution networks - An end user computer is assigned a multicast content distribution group by a network service intelligence platform. The network service intelligence platform authenticates a token sent by the user and signed by a third party content controller, and provides the user with credentials for joining the group. The credentials include an authorization key as well as identifications of the user and the requested content. The credentials are encrypted and authenticated by the third party content controller. The user includes the encrypted and authenticated credentials in a join request sent to a network resource, such as an edge router. After verifying the credentials, the network resource adds the end user computer to the multicast group. | 01-20-2011 |
20110035580 | MEDIA ACCESS CONTROL SECURITY MANAGEMENT IN PHYSICAL LAYER - A media access control (MAC) security (MACsec) function block may implement MACsec protocols on a network. A physical layer device (PHY) may connect to the MACsec function block and an interface register configured to store command information for the MACsec function block. A central processing unit (CPU) may provide the command information for the MACsec function block to the PHY via a management data input/output (MDIO) bus. The PHY may execute either a read command or a write command against the MACsec function block based on the command information, receive, from the MACsec function block, a response corresponding to the execution of the read command or write command against the MACsec function block, and provide the response to the CPU via the MDIO bus. | 02-10-2011 |
20110055550 | METHOD AND APPARATUS FOR PRESERVING SECURITY IN VIDEO MULTICASTING SERVICE - A method and an apparatus for maintaining information security in a video multicasting service are provided. The method includes: generating a network abstraction layer unit using received video information; encrypting the network abstraction layer unit of the video information; realtime transport protocol (RTP) packetizing the encrypted network abstraction layer unit of the video information; recording unit format information and field information, included in the network abstraction layer of the video information being stored in a memory, in a header extension field of the RTP header; and transmitting the RTP packet including the encrypted video information to a routing device. | 03-03-2011 |
20110078436 | COMMUNICATION APPARATUS, METHOD FOR CONTROLLING COMMUNICATION APPARATUS AND STORAGE MEDIUM - A control method for controlling an apparatus that performs IPsec communication and performs negotiation for generating an IPsec SA includes: performing the negotiation by proposing all combinations of an encryption algorithm, a hash algorithm, and a DH group to a counter apparatus; extracting, in a case where the IPsec SA has been successfully generated by the negotiation, the one combination selected by the counter apparatus out of all the combinations; and storing and using that extracted combination as the IKE determined value. | 03-31-2011 |
20110087878 | ENABLING QoS FOR MACsec PROTECTED FRAMES - Embodiments associated with enabling Quality of Service (QoS) for MACsec protected frames are described. One example method includes identifying a security indicator in an encrypted network communication and selectively forwarding the encrypted network communication according to a QoS policy. The example method may also include selectively storing a control packet security indicator sniffed from a control packet network communication in response to determining that a match exists between a control packet identification field and a QoS database entry. | 04-14-2011 |
20110145562 | SYSTEM AND METHOD FOR SECURELY TRANSFERRING CONTENT FROM SET-TOP BOX TO PERSONAL MEDIA PLAYER - A media player is provided for receiving session data from a Secure Sockets Layer (SSL) session. The session data includes encrypted content data, a content key and digital rights data, wherein the content key and the digital rights data have been encrypted with an SSL session key. The media player includes a first processor portion and a second processor portion. The first processor portion is arranged to receive the session data and has a second key. The first processor portion can generate the SSL session key and can decrypt the session data with the SSL session key. The first processor portion can further re-encrypt the decrypted content key with the second key and can output the re-encrypted content key and digital rights data. The second processor portion is arranged to receive the re-encrypted content key and digital rights data. The first processor portion can further decrypt the content, and is externally inaccessible. | 06-16-2011 |
20110145563 | SECURED FILE-BASED APPLICATION PROGRAMMING INTERFACE - Data communication security systems and methods are disclosed. One such system includes a network interface configured for transport layer protocol communications at a communication port. The network interface includes a security module communicatively connected to a transport layer data path. The system further includes a file-based application programming interface defining a plurality of attributes of the network interface and including at least one attribute associated with data encryption managed by the security module and accessible for use in logical I/O operations. | 06-16-2011 |
20110154017 | SYSTEMS AND METHODS FOR EVALUATING AND PRIORITIZING RESPONSES FROM MULTIPLE OCSP RESPONDERS - The present invention is directed towards systems and methods for determining a status of a client certificate from a plurality of responses for an Online Certificate Status Protocol (OCSP) request. An intermediary device between a plurality of clients and one or more servers identifies a plurality of OCSP responders for determining a status of a client certificate responsive to receiving the client certificate from a client during a Secure Socket Layer (SSL) handshake. Each of the plurality of OCSP responders may transmit a request for the status of the client certificate to a uniform resource locator corresponding to each OCSP responder. The intermediary device may determine a single status for the client certificate from a plurality of statuses of the client certificate received via responses from each uniform resource locator. | 06-23-2011 |
20110154018 | SYSTEMS AND METHODS FOR FLASH CROWD CONTROL AND BATCHING OCSP REQUESTS VIA ONLINE CERTIFICATE STATUS PROTOCOL - The present invention is directed towards systems and methods for batching OCSP requests and caching corresponding responses. An intermediary between a plurality of clients and one or more servers receives a first client certificate during a first SSL handshake with a first client and a second client certificate during a second SSL handshake with a second client. The intermediary may identify that the statuses of the client certificates are not in a cache of the intermediary. An OCSP responder of the intermediary may transmit a single request to an OCSP server to determine the statuses. The intermediary may determine, from a single response received from the OCSP server, whether to establish SSL connections with the clients based on the statuses. The intermediary may store the statuses to the cache for determining whether to establish a SSL connection in response to receiving a client certificate from the first client. | 06-23-2011 |
20110173439 | Stateless Cryptographic Protocol-based Hardware Acceleration - According to one embodiment of the invention, a method comprises the operations of commencing a first phase and passing control of an authentication handshaking protocol. The first phase is commenced for establishing a secure communication path by a data path processor within a first network device. The first phase comprises an exchange of data during an authentication handshaking protocol. Control of the authentication handshaking protocol is then passed from the data path processor to a control path processor, which completes the authentication handshaking protocol. | 07-14-2011 |
20110202755 | SYSTEMS AND METHODS FOR SECURING DATA IN MOTION - Two approaches are provided for distributing trust among a set of certificate authorities. Both approaches are equally secure. In each approach, a secure data parser is integrated with any suitable encryption technology. Each approach may be used to secure data in motion. One approach provides methods and systems in which the secure data parser is used to distribute trust in a set of certificate authorities during initial negotiation (e.g., the key establishment phase) of a connection between two devices. Another approach of the present invention provides methods and systems in which the secure data parser is used to disperse packets of data into shares. A set of tunnels is established within a communication channel using a set of certificate authorities, keys developed during the establishment of the tunnels are used to encrypt shares of data for each of the tunnels, and the shares of data are transmitted through each of the tunnels. Accordingly, trust is distributed among a set of certificate authorities in the structure of the communication channel itself. | 08-18-2011 |
20110208959 | METHOD AND SYSTEM FOR REDUCING PACKET OVERHEAD FOR AN LTE ARCHITECTURE WHILE SECURING TRAFFIC IN AN UNSECURED ENVIRONMENT - A first packet is received at a network element from an E-UTRAN Node B (eNB) of an E-UTRAN access network via a secured communications tunnel of a secured connection, where the first packet encapsulates a second packet therein. It is determined whether the network element serves both a security gateway functionality and a serving gateway functionality of a core packet network based on the first packet and the second packet. The network element negotiates with the eNB to switch further communications from a tunnel mode to a transport mode of the secured connection if it is determined that the network element serves both the security gateway functionality and the serving gateway functionality. Thereafter, the network element exchanges further packets with the eNB via the transport mode of the secured connection after the eNB switches from the tunnel mode to the transport mode. | 08-25-2011 |
20110231649 | AGGRESSIVE REHANDSHAKES ON UNKNOWN SESSION IDENTIFIERS FOR SPLIT SSL - A traffic management device (TMD), system, and processor-readable storage medium are directed to monitoring an encrypted session between a client and a server, determining that the session identifier is unknown, and requesting a renegotiation of the session to acquire a session identifier for the renegotiated session. Determination that the session identifier is unknown may be based on interception and analysis of handshake messages sent by the client and/or the server. Following such determination, a renegotiation of the encrypted session may be triggered by sending a renegotiation request to the client, and a session identifier for the renegotiated session may be determined based on information extracted from subsequent handshake messages exchanged between the client and server during the renegotiation. Determination of the session identifier may enable decryption, encryption and modification of subsequent communications traffic, for example insertion of third party content into traffic sent to the client. | 09-22-2011 |
20110231650 | USE AND GENERATION OF A SESSION KEY IN A SECURE SOCKET LAYER CONNECTION - The invention describes a method and system for verifying the link between a public key and a server's identity without relying on the trustworthiness of the root certificate of the server's certificate chain. The system establishes a secure socket layer type connection between a client and a server. The client and the server create an identical authentication key using a shared secret known to the server and the client. Next, the server transmits a first encrypted message to the client, wherein the first encrypted message includes the server's public key encrypted with the authentication key. Then, the client decrypts the first encrypted message and verifies the correctness of that message including comparing the public key included in the decrypted first encrypted message to the public key transmitted during the set-up of the secure socket layer type connection to authenticate the client. | 09-22-2011 |
20110252227 | METHODS AND SYSTEMS TO BIND A DEVICE TO A COMPUTER SYSTEM - Methods and systems to bind a computer device to one or more computer systems, such that only an authorized computer system may access a protected portion of the device. A processor within the computer system may provide a proxy environment to interface between the device and a trusted environment of the computer system, such as a management environment that is secure from the proxy environment. The device may be configured to authenticate the trusted environment through the proxy environment, and to verify integrity of messages exchanged with the trusted environment through the proxy environment. Authentication may include an SSL and/or TLS handshake protocol. The device may be configured to authenticate a certificate, such as an X.509 certificate, a certificate chain, and/or a hash thereof. The device may include computer memory, a printer, display, circuit board, keyboard, mouse, pointing device, and/or other physical device. | 10-13-2011 |
20110264905 | SYSTEMS AND METHODS FOR SPLIT PROXYING OF SSL VIA WAN APPLIANCES - The present invention is directed towards systems and methods for split proxying Secure Socket Layer (SSL) communications via intermediaries deployed between a client and a server. The method includes establishing, by a server-side intermediary, a SSL session with a server. A client-side intermediary may establish a second SSL session with a client using SSL configuration information received from the server-side intermediary. Both intermediaries may communicate via a third SSL session. The server-side intermediary may decrypt data received from the server using the first SSL session's session key. The server-side intermediary may transmit to the client-side intermediary, via the third SSL session, data encrypted using the third SSL session's session key. The client-side intermediary may decrypt the encrypted data using the third SSL session's session key. The client-side intermediary may transmit to the client the data encrypted using the second SSL session's session key. | 10-27-2011 |
20110276797 | AUTHENTICATION AND AUTHORIZATION FOR INTERNET VIDEO CLIENT - A device is enabled to display Internet TV by accessing a management server with a secret unique ID and receiving back from the server, assuming the ID is approved, a user token and a service list of content servers with knowledge of the user token. A user can select a content server which causes the device to upload its user token and in response receive a content list from the content server, from which content can be selected for display. Neither list may be modified by the device and the device can access only content on a content list. | 11-10-2011 |
20110283101 | System to Enable Detecting Attacks Within Encrypted Traffic - A system and method for detecting network attacks within encrypted network traffic received by a protected network includes a decryption module and an adaptor module. This system and method can be inserted and used with multiple types of operating systems. | 11-17-2011 |
20110289311 | METHOD OF PERFORMANCE-AWARE SECURITY OF UNICAST COMMUNICATION IN HYBRID SATELLITE NETWORKS - A method and apparatus utilizes Layered IPSEC (LES) protocol as an alternative to IPSEC for network-layer security including a modification to the Internet Key Exchange protocol. For application-level security of web browsing with acceptable end-to-end delay, the Dual-mode SSL protocol (DSSL) is used instead of SSL. The LES and DSSL protocols achieve desired end-to-end communication security while allowing the TCP and HTTP proxy servers to function correctly. | 11-24-2011 |
20110307692 | METHOD AND APPARATUS TO PROVIDE FAILOVER CAPABILITY OF CACHED SECURE SESSIONS - A method, apparatus and computer program product for providing failover capability of cached secure sessions is presented. A cached secure session involving a first device and a second device is identified. The cached secure session is encrypted and replicated to a failover device. The encrypted session is then decrypted on the failover device. An occurrence of a hot failover involving the second device is detected, and processing resumes between the first device and the failover device. | 12-15-2011 |
20110314270 | ENCRYPTED NETWORK TRAFFIC INTERCEPTION AND INSPECTION - A method of operating a computing device that allows inspecting data that the device attempts to transmit over a network in an encrypted form for presence of malware, viruses or confidential information. The method includes intercepting a request from an application to an encryption component of an operating system to encrypt the data and acquiring encrypted data generated by the encryption component in response to the request. SSL or TLS protocol may be used for encryption. The request may be intercepted using API hooking. The data in an unencrypted form and an identifier of the encrypted data may be provided to a data inspection facility for establishing a correspondence between the unencrypted and encrypted data, using the identifier. The data inspection facility performs inspection of the unencrypted data to determine whether to allow transmission of the encrypted data over the network. | 12-22-2011 |
20110314271 | Secure Processing Systems and Methods - This disclosure relates to systems and methods for enabling the use of secret digital or electronic information without exposing the sensitive information to unsecured applications. In certain embodiments, the methods may include invoking, by a client application executing in an open processing domain, a secure abstraction layer configured to interface with secret data protected by a secure processing domain. Secure operations may be securely performed on the secret data by the secure abstraction layer in the secure processing domain based on an invocation from a client application running in the open processing domain. | 12-22-2011 |
20120023324 | INSIDER THREAT CORRELATION TOOL - Systems and methods for calculating threat scores for individuals within an organization or domain are provided. Aspects of the invention relate to computer-implemented methods that form a predictive threat rating for user accounts. In one implementation, a threat score representing a first time period may be calculated. The first threat score may be calculated from a quantification of a plurality of activity violations across a plurality of control groups. Weighting schemes may be applied to certain activities, controls, and/or user accounts. Further embodiments may be configured to consider additional indicators. Further aspects relate to apparatuses configured to execute methods for ranking individual user accounts. Certain embodiments may not block transmissions that violate predefined rules; however, indications of such improper transmissions may be considered when constructing a threat rating. | 01-26-2012 |
20120042160 | SYSTEM AND METHOD FOR COGNIZANT TRANSPORT LAYER SECURITY (CTLS) - A method of authentication and authorization over a communications system is provided. Disclosed herein are systems and methods for creating cryptographic evidence, called authentication/authorization evidence (AE), when a successful authentication/authorization between a client and an authentication server is complete. There are a variety of methods for generating AE. For instance, the AE can be data that is exchanged during the authentication signaling or data that results from it. A distinctive point is that AE results from the authentication process and is used as prior state for the following TLS exchange. An example of AE creation is as follows: EAP authentications typically result in an Extended Master Session Key (EMSK). The EMSK can be used to create an Evidence Master Key (EMK) that can then be used to create AE for a variety of servers. | 02-16-2012 |
20120066489 | TCP/IP-BASED COMMUNICATION SYSTEM AND ASSOCIATED METHODOLOGY PROVIDING AN ENHANCED TRANSPORT LAYER PROTOCOL - A more secure TCP/IP protocol stack is provided having an enhanced transport layer. Encryption and decryption logic is arranged on the transmission side and on the reception side for processing the payload of a transport layer protocol, such as TCP or UDP. By employing this enhanced transport layer, encrypted communication can be realized while removing various restrictions that conventional IPsec or SSL impose, without affecting upper layer processing and while maintaining compatibility with the IP layer. | 03-15-2012 |
20120089828 | SECURE TUNNEL OVER HTTPS CONNECTION - Many secure tunnels require protocols that require special handling, authorization or security certificates, such as L2TP and PPTP. This often eliminates them for use between a corporate or agency network and outside, public networks. A secure socket tunnel protocol (SSTP) adds drivers in both the kernel and user mode to route standard protocol traffic, such as PPP, over a common HTTPS port. In the event of network interruptions, an exchange of a session cookie allows fast reconnection of the underlying HTTPS connection without affecting higher level applications. | 04-12-2012 |
20120110320 | Automatic Secure Client Access - Providing secure network access in a networked client device. A client device is provided with a secure connection adapter. In operation, the secure connection adapter detects the network environment of the client device and determines whether the network environment is trusted or untrusted. If the client device is operating in an untrusted network environment, the secure connection adapter establishes a secure connection to an enterprise host using a secure tunnel such as IPSec, SSL, or another secure connection. Programs executing on the client device now operate in the secure network environment, with all network activity routed through the secure connection to the enterprise. Optionally, a split tunnel mechanism may be used to direct some network traffic directly to the Internet from the client device. | 05-03-2012 |
20120110321 | DATA COMMUNICATION USING PORTABLE TERMINAL - In a method in a portable end device ( | 05-03-2012 |
20120117375 | SYSTEMS AND METHODS FOR OPTIMIZING SSL HANDSHAKE PROCESSING - A method for buffering SSL handshake messages prior to computing a message digest for the SSL handshake includes: conducting, by an appliance with a client, an SSL handshake, the SSL handshake comprising a plurality of SSL handshake messages; storing, by the appliance, the plurality of SSL handshake messages; providing, by the appliance to a message digest computing device in response to receiving a client finish message corresponding to the SSL handshake, the plurality of SSL handshake messages; receiving, by the appliance from the message digest computing device, a message digest corresponding to the provided messages; determining, by the appliance, that the message digest matches a message digest included in the SSL client finish message; and completing, by the appliance with the client, the SSL handshake. Corresponding systems are also described. | 05-10-2012 |
20120131329 | Method and System for Accessing 3rd Generation Network - A method for accessing a 3G network includes: a terminal accessing a wireless local area network by adopting the WAPI protocol, and notifying an AAA server of a 3G network through an AP of the wireless local area network that the terminal intends to access the 3G network; the AAA server obtaining identity information of the terminal through the AP, and performing an EAP-TLS negotiation process with the terminal through the AP after determining that the terminal is a subscription terminal of the 3G network according to the identity information; and the terminal accessing the 3G network after finishing the EAP-TLS negotiation process. A system for accessing a 3G network includes an AP of a wireless local area network and an AAA server of a 3G network. The present invention reduces unnecessary processes (message interaction, certificate verification, signature verification, and so on) and improves system efficiency. | 05-24-2012 |
20120159149 | METHODS, SYSTEMS, AND COMPUTER READABLE MEDIA FOR DESIGNATING A SECURITY LEVEL FOR A COMMUNICATIONS LINK BETWEEN WIRELESS DEVICES - A content issuer entity designates a transport security level for each of a plurality of electronic certificates and provides the electronic certificates to a first wireless device. A second wireless device establishes a communications link to transfer electronic certificate data associated with one or more electronic certificates stored on the first wireless device to the second wireless device via a wireless transaction and determines, for each stored electronic certificate, a transport security level previously designated at the content issuer entity. At the first wireless device, a highest transport security level is determined from among the respective transport security levels associated with the stored electronic certificates. The electronic certificate data is transferred from the first wireless device to the second wireless device via the communications link in accordance with a security measure that corresponds to the highest determined transport security level. | 06-21-2012 |
20120159150 | SYSTEM AND METHOD FOR IMPLEMENTING AN ENHANCED TRANSPORT LAYER SECURITY PROTOCOL - A system and method for implementing an enhanced transport layer security (ETLS) protocol is provided. The system includes a primary server, an ETLS servlet and an ETLS software module. The primary server operates on a computer network and is configured to communicate over the computer network using a non-proprietary security protocol. The ETLS servlet also operates on the computer network and is securely coupled to the primary server. The ETLS servlet is configured to communicate over the computer network using an ETLS security protocol. The ETLS software module operates on a mobile device, and is configured to communicate over the computer network using either the non-proprietary security protocol or the ETLS security protocol. Operationally, the ETLS software module initially contacts the server over the computer network using the non-proprietary security protocol, and subsequently contacts the server through the ETLS servlet using the ETLS security protocol. | 06-21-2012 |
20120204025 | SYSTEM AND METHOD FOR CLIENT-SIDE AUTHENTICATION FOR SECURE INTERNET COMMUNICATIONS - A system and method for client-side authentication for secure Internet communications is disclosed. In one embodiment, an intermediate device receives a web browser secure socket layer certificate from a web browser, authenticates the web browser using the secure socket layer certificate, and then re-signs the secure socket layer certificate with an intermediate device public key and an intermediate device certificate authority signature. The intermediate device sends the re-signed secure socket layer certificate to a web server and the web server authenticates the intermediate device using the re-signed secure socket layer certificate. In another embodiment, an intermediate device receives a web browser secure socket layer certificate from a web browser, inserts the web browser secure socket layer certificate into an HTTP header of a packet, and sends the packet to a web server. | 08-09-2012 |
20120210122 | PERSONAL ENCRYPTION DEVICE - A method and system for securing a handheld computing device is described. A personal encryption device may be physically connected to a handheld computing device. Responsive to the connection, a main screen user interface may be displayed on a display of the handheld computing device. The main screen user interface may include at least one cryptography option for a user of the handheld computing device. A user-defined input representative of selection of a first cryptography option of the at least one cryptography option may be received, and at least one cryptography process associated with the selected first cryptography option may be implemented by the handheld computing device and personal encryption device. The cryptography options may include encryption, decryption, digital signatures, and digital signature verification. | 08-16-2012 |
20120216033 | COMMUNICATION SYSTEM, PRINTING DEVICE, AND SA ESTABLISHMENT METHOD - A communication system includes an SA parameter exchanging portion that builds and deletes SA, and a nonvolatile storage portion that stores at least a part of information for the SA parameter set, wherein, in a case where a printing device is initialized, the printing device has a message transmission portion that transmits a predetermined message to a communication device if a part of information is stored in a nonvolatile storage portion, and the communication device deletes information for performing IPsec communication with the printing device from a nonvolatile storage portion of the communication device in response to reception of the predetermined message. | 08-23-2012 |
20120246462 | SYSTEM AND METHODS FOR PROVIDING LIVE STREAMING CONTENT USING DIGITAL RIGHTS MANAGEMENT-BASED KEY MANAGEMENT - In the present disclosure, a DRM (in this case IPRM) system may be used to deliver media content keys to a player device in a live streaming environment and take advantage of all DRM related functionalities that come with it, such as proximity control, copy protection enforcement and rights verification. A playlist may be used to deliver a key identifier for encrypted live streaming content. | 09-27-2012 |
20120272054 | Method and system for protecting security of the third layer mobility user plane data in NGN - The disclosure describes a method for protecting the security of layer-3 mobility user plane data in a Next Generation Network (NGN), which includes: performing authentication by a terminal with an authentication server; after the authentication is passed, obtaining shared key material by both the terminal and the authentication server; generating, by the terminal and the authentication server, a mobility data security key according to the shared key material; transmitting, by the authentication server, the generated mobility data security key to a mobility data transmission module; and protecting the security of the layer-3 mobility user plane data, by the terminal and the mobility data transmission module, by using the mobility data security key. The disclosure also describes a system for protecting the security of layer-3 mobility user plane data in NGN. By using the method and the system provided by the disclosure, protection of user plane data between the NGN user and the NGN network side is realized, and the security of the terminal's user plane data in a layer-3 mobility session is enhanced. | 10-25-2012 |
20120284505 | DNSSEC SIGNING SERVER - Systems and methods for performing DNSSEC signing are described in which digital signature operations may be performed by a network accessible signing server that is configured to interact with a separate client application. Exemplary methods may include receiving a signing request at the signing server from the client application to sign first data. The signing server may determine an active KSK and/or an active ZSK for the first data. The first data may then be transmitted by the signing server to a digital signature module, which may include, for example, a hardware support module or a software signing application. The signing server may receive a digitally signed version of the first data from the digital signature module, and provide the signed first data to the client application. | 11-08-2012 |
20120284506 | METHODS AND APPARATUS FOR PREVENTING CRIMEWARE ATTACKS - A central server configured to mediate communications including establishing secure online sessions between user-controlled devices and 3 | 11-08-2012 |
20130019090 | Method and apparatus for certificate-based cookie security (Wicker, Jason Matthew; Pittsboro, NC, US) - A new cookie attribute is defined for use during secure HTTP transport sessions. This attribute is referred to herein as a “certificate attribute” or “server certificate attribute,” or servcertid. This attribute is adapted to point to a server-supplied certificate and, in particular, a digital certificate, such as an X.509 digital certificate. The cookie attribute includes a value, and that value is designed to correspond to one or more content fields in the digital certificate. According to one embodiment, and during a first https session, a first web application executing on a first server provides a web browser with the cookie having the server certificate identifier attribute set to a value corresponding to a content field in a server certificate. Later, when the browser is accessing a second server during a second https session that differs from the first https session, the browser verifies that the value in the cookie matches a corresponding value in the server certificate received from the second server (during the setup of the second https session) before sending the cookie to the second server. This approach ensures that the cookie is presented only over specified https connections and to trusted organizations (as identified by the servcertid value(s) encoded in the attribute). | 01-17-2013 |
20130024684 | ENHANCED APPROACH FOR TRANSMISSION CONTROL PROTOCOL AUTHENTICATION OPTION (TCP-AO) WITH KEY MANAGEMENT PROTOCOLS (KMPS) - A network element supports Transmission Control Protocol Authentication Option (TCP-AO) with a Key Management Protocol (KMP) to authenticate TCP segments over a TCP session. The network element negotiates multiple traffic keys to authenticate TCP segments over a TCP session with a peer network element, and protects the TCP session with the negotiated traffic keys. | 01-24-2013 |
20130031356 | SUPPORTING SECURE SESSIONS IN A CLOUD-BASED PROXY SERVICE - A proxy server in a cloud-based proxy service receives a secure session request from a client device for a secure session. The secure session request is received at the proxy server as a result of a Domain Name System (DNS) request for a domain resolving to the proxy server. The proxy server participates in a secure session negotiation with the client device, including transmitting to the client device a digital certificate that is bound to the domain and multiple other domains. The proxy server receives an encrypted request from the client device for an action to be performed on a resource that is hosted at an origin server corresponding to the domain. The proxy server decrypts the request and participates in a secure session negotiation with the origin server, including receiving a digital certificate from the origin server. The proxy server encrypts the decrypted request using the digital certificate from the origin server and transmits the encrypted request to the origin server. | 01-31-2013 |
20130042100 | METHOD AND APPARATUS FOR FORCED PLAYBACK IN HTTP STREAMING - Systems and methods for enforcing playback of a specific portion of the content in an open non-certified media player/renderer are provided. In accordance with such systems and methods, a key is extracted from a content portion for which playback is to be forced. The extracted key allows a client the ability to gain access to additional/remaining content. Moreover, the existence of forced content, the mechanism(s) utilized for forcing playback, as well as a particular position in the timeline associated with the forced playback are signaled to the client on/through which the open non-certified media player/renderer is implemented. | 02-14-2013 |
20130061038 | Proxy Apparatus for Certificate Authority Reputation Enforcement in the Middle - Network security administrators are provided with a customizable certificate authority reputation policy store which is informed by an independent certificate authority reputation server. The custom policy store overrides the trusted root certificate stores accessible to an operating system web networking layer or to a third party browser. Importing revocation lists or updating browsers or operating systems is made redundant. The apparatus redirects or rewrites traffic to protect a plurality of endpoints from a man-in-the-middle attack when a certificate authority has lost control over certificates used in TLS. | 03-07-2013 |
20130061039 | METHOD AND SYSTEM FOR SECURING DATA UTILIZING RECONFIGURABLE LOGIC - A method, an article of manufacture, and a process are provided for securing data sets by dynamically hopping amongst a variety of data encryption and/or manipulation protocols. Such dynamic protocol hopping can be implemented in reconfigurable logic. The encryption protocol applied to the data set is selected from among a plurality of encryption protocols. Preferably, the selection can be driven by a random number generator. | 03-07-2013 |
20130097418 | METHODS AND APPARATUSES TO PROVIDE SECURE COMMUNICATION BETWEEN AN UNTRUSTED WIRELESS ACCESS NETWORK AND A TRUSTED CONTROLLED NETWORK - A secure communication channel between an access point (AP) device associated with a wireless network and a mobile gateway (GW) device of a packet core network is established. Data is exchanged between the wireless network and the packet core network through the secure channel. A client device (UE) is authenticated through the secure communication channel. Device identity information is received from the AP device. A session request is sent to the packet core network. An IP address for the device is received from the packet core network. The communication between the AP device and the packet core network becomes secure without the need to run an IP security protocol on the UE, which saves battery power on the UE. Establishing fully secure communication between the UE and the packet core network while saving UE power provides a significant advantage for the mobile technology world. | 04-18-2013 |
20130117554 | User key management for the Secure Shell (SSH) - Management of user keys for public key authentication using the SSH in large SSH deployments is automated by deploying a management system in the environment, discovering SSH identity keys and authorized keys, analyzing authorized connections between user accounts, and automatically managing the authorized connections and the key pairs used for authentication. | 05-09-2013 |
20130117555 | METHOD AND SYSTEM FOR DATA ENCRYPTION AND DECRYPTION IN DATA TRANSMISSION THROUGH THE WEB - This invention provides a method and system for data encryption and decryption in data transmission through the web. The method includes: a browser sends a cryptographic information acquisition request to a cryptographic information providing equipment; the cryptographic information providing equipment sends cryptographic information back to the browser via an HTTPS channel; the cryptographic information includes a cryptographic algorithm and a cryptographic index; the browser uses the cryptographic algorithm to encrypt the data to be transmitted, and sends the encrypted data and the cryptographic index to the web server via an HTTP channel; the web server obtains the cryptographic algorithm corresponding to the cryptographic index from the cryptographic information providing equipment, then decrypts the encrypted data. Embodiments of the present invention can alleviate the load in the HTTPS channel, and improve the overall performance. | 05-09-2013 |
20130124851 | FILE-BASED APPLICATION PROGRAMMING INTERFACE PROVIDING SELECTABLE SECURITY FEATURES - A data communication security system is disclosed that includes a network interface including a first security module implementing a first security architecture, and a second security module implementing a second security architecture different from the first security architecture. The network interface further includes a file-based application programming interface defining a plurality of attributes of the network interface and including at least one attribute associated with data security managed by one of the first and second security modules. The file-based application programming interface includes at least one attribute from among the plurality of attributes that is associated with selecting between the first or second security modules. | 05-16-2013 |
20130159698 | CHAOTIC CRYPTOGRAPHY FOR OFDM BASED COMMUNICATIONS SYSTEMS - A chaotic cryptographic technique for orthogonal frequency division multiplexing (OFDM) based wireless/wired communication systems is implemented with an OFDM symbol structure based on symmetric key cryptography. At the receiver side, data detection becomes infeasible without knowledge of the secret key. Without knowledge of the key, the signal appears as a noise-like signal. The computational power required to implement the technique is very low, rendering the system an attractive option for high data rate communications based on OFDM technology. The system security is proportional to (L×N)!, where N is the number of subcarriers in the OFDM system and L is the number of OFDM symbols involved in the encryption process. For OFDM applications where N ≥ 256, L may be set to 1 and breaking the system would require N! exhaustive-search trials. In the case that N < 256, L may be increased. | 06-20-2013 |
20130166903 | Communication of Information between a Plurality of Network Elements - A communications protocol interface may be configured as being divisible into a core portion and an extensible portion. The extensible portion of the communications protocol interface may be further configured so that each network element can communicate a unique and optimally small subset of actual interoperable data that corresponds to at least a portion of a larger defined data set. A software generator program may be configured to generate a set of extensible source code that operates upon the subset of actual data and that directs the execution of the extensible portion of the communications protocol interface for a particular network element. | 06-27-2013 |
20130166904 | MULTIMEDIA PRIVACY ENHANCER - The disclosure relates to a method and a system for protecting private multimedia content which comprises a central server in communication with a client application, characterized in that a user uploads private multimedia content to the central server and a reference file is generated including a pointer to the private multimedia content and the associated access requirements. The reference file is uploaded to multimedia servers and other users of the network download it through a web browser. The client application extracts the pointer from the reference file and sends a request to the central server, where it is checked whether the request fulfils the access requirements associated with the requested private multimedia content. | 06-27-2013 |
20130166905 | METHODS AND ARRANGEMENTS FOR SECURE COMMUNICATION OVER AN IP NETWORK - The embodiments of the present invention relate to a method in a transmitting node; a method in a receiving node; a transmitting node and a receiving node in an IP network employing Internet security. The receiving node comprises a Receiving Unit, a Processing Unit and a Transmitting Unit. When an IP packet is received, the Processing Unit is adapted to derive a Security Association and a Traffic Class associated with the IP packet. The Processing unit is also adapted to maintain one anti-replay window for each Traffic Class within the Security Association and to determine if a sequence number of the IP packet is within the anti-replay window of the Traffic Class and is not a duplicate of an earlier received packet. If said sequence number is not within the anti-replay window or is a duplicate of an earlier received packet, the packet is dropped. | 06-27-2013 |
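The receiver-side check described in the abstract above, as an added example that is not code from the patent application: one sliding anti-replay window per (Security Association, Traffic Class), with a packet dropped when its sequence number lies below the window or was already seen. The 64-entry window (RFC 4303 requires at least 32), the 32-bit ESP sequence space, the (traffic_class, sequence_number) packet representation and the trace are assumptions constructed for the example.

```python
"""Per-traffic-class anti-replay windows inside one IPsec Security Association.

Added example (not code from the patent application). Sequence numbers are
shared by every traffic class of the SA, as in ESP, but each class keeps its
own window so that a low-priority packet delayed behind high-priority traffic
is not discarded as "too old".
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

WINDOW_SIZE = 64  # assumed window width in sequence numbers


@dataclass
class ReplayWindow:
    size: int = WINDOW_SIZE
    top: int = 0        # highest sequence number accepted so far (0 = nothing yet)
    bitmap: int = 0     # bit i set => sequence number (top - i) was received

    def check_and_update(self, seq: int) -> bool:
        """Return True (and record seq) if seq is new and inside the window."""
        if seq == 0:
            return False                      # ESP sequence numbers start at 1
        if seq > self.top:                    # packet advances the window
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1               # everything older falls out
            else:
                mask = (1 << self.size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False                      # too old: left of the window
        if self.bitmap & (1 << offset):
            return False                      # duplicate
        self.bitmap |= 1 << offset
        return True


@dataclass
class SecurityAssociation:
    spi: int
    windows: Dict[int, ReplayWindow] = field(default_factory=dict)

    def window_for(self, traffic_class: int) -> ReplayWindow:
        """Lazily create one window per traffic class within this SA."""
        return self.windows.setdefault(traffic_class, ReplayWindow())


def process(sa: SecurityAssociation, packets: List[Tuple[int, int]]) -> List[bool]:
    """Per-class windows: True = accepted, False = dropped."""
    return [sa.window_for(tc).check_and_update(seq) for tc, seq in packets]


def process_single_window(packets: List[Tuple[int, int]]) -> List[bool]:
    """Conventional single window per SA, for comparison."""
    window = ReplayWindow()
    return [window.check_and_update(seq) for _, seq in packets]


# Constructed trace: one SA, two traffic classes; the class-1 packet seq 5
# arrives after class-0 seq 100 because it was queued behind higher priority.
TRACE = [(0, 1), (0, 2), (0, 2), (0, 100), (1, 5), (0, 36), (0, 37), (0, 37)]

if __name__ == "__main__":
    sa = SecurityAssociation(spi=0x1001)
    print("per-class windows:", process(sa, TRACE))
    print("single window    :", process_single_window(TRACE))
```

With a single window the delayed class-1 packet (seq 5, offset 95 from the top of 100) is dropped as too old; with per-class windows it is accepted because class 1 has its own window, while genuine duplicates and stale class-0 packets are still rejected.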
20130173906 | CLONING STORAGE DEVICES THROUGH SECURE COMMUNICATIONS LINKS - New storage devices located remote to old storage devices may be cloned through a secure data communications link established with a secure boot device located in the storage device. The secure communications link cryptographically splits data and encrypts the data for transmission over an unsecured public network through the secure communications link. The cloning process may be completed between the new storage device and the old storage device with little or no involvement from other devices. | 07-04-2013 |
20130179678 | Stateless Cryptographic Protocol-based Hardware Acceleration - According to one embodiment of the invention, a method comprises commencing a first phase and passing control of an authentication handshaking protocol. The first phase, which comprises an exchange of data during the authentication handshaking protocol, is commenced by a data path processor within a first network device in order to establish a secure communication path. Control of the authentication handshaking protocol is then passed by the data path processor to a control path processor, which completes the authentication handshaking protocol. | 07-11-2013 |
20130198509 | SYSTEM AND METHOD FOR INNOVATIVE MANAGEMENT OF TRANSPORT LAYER SECURITY SESSION TICKETS IN A NETWORK ENVIRONMENT - An example method includes identifying a transport layer security (TLS) session between a client and a server, parsing one or more TLS messages to identify a session ticket associated with the session, transforming the session ticket into a fixed size session token, and managing the session using the session token to identify the session. The transforming may include computing a hash value of the session ticket using a hashing algorithm. If any of the TLS messages is spread across more than one TLS protocol record, the method can include computing a hash value of a portion of the session ticket encountered in a TLS protocol record using a hashing algorithm, incrementally computing another hash value of another portion of the session ticket encountered in a subsequent TLS protocol record from the previously computed hash value, and repeating the incremental computing until portions of the session ticket have been processed. | 08-01-2013 |
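The incremental hashing described in the abstract above, as an added example that is not code from the patent application: a TLS 1.2 NewSessionTicket handshake message (RFC 5077 layout) is split across several TLS records, and the ticket bytes are fed to SHA-256 record by record, so the intermediary never buffers the whole ticket and ends up with a 32-byte fixed-size token. The record size, the choice of SHA-256, the handshake-header handling and the 512-byte ticket are assumptions constructed for the example.

```python
"""Incremental hashing of a TLS session ticket that spans several TLS records.

Added example, not code from the patent application. The tokenizer consumes
records in arrival order; the handshake header and the fixed ticket prefix may
themselves straddle a record boundary, which the prefix accumulation handles.
"""
import hashlib
import struct
from typing import List, Optional

RECORD_HANDSHAKE = 0x16
HS_NEW_SESSION_TICKET = 4
PREFIX_LEN = 4 + 4 + 2   # handshake header + lifetime_hint + ticket_length


def build_new_session_ticket(ticket: bytes, lifetime_hint: int = 7200) -> bytes:
    """NewSessionTicket: type(1) length(3) lifetime_hint(4) ticket_len(2) ticket."""
    body = struct.pack("!IH", lifetime_hint, len(ticket)) + ticket
    return bytes([HS_NEW_SESSION_TICKET]) + len(body).to_bytes(3, "big") + body


def split_into_records(handshake: bytes, max_fragment: int) -> List[bytes]:
    """Fragment handshake bytes into TLS records: type(1) version(2) length(2) body."""
    records = []
    for i in range(0, len(handshake), max_fragment):
        frag = handshake[i:i + max_fragment]
        records.append(struct.pack("!BHH", RECORD_HANDSHAKE, 0x0303, len(frag)) + frag)
    return records


class TicketTokenizer:
    """Consumes records in order; .token is set once the whole ticket was hashed."""

    def __init__(self) -> None:
        self._prefix = b""                       # header bytes seen so far
        self._remaining: Optional[int] = None    # ticket bytes still to hash
        self._hash = hashlib.sha256()
        self.token: Optional[bytes] = None

    def feed_record(self, record: bytes) -> None:
        ctype, _version, length = struct.unpack("!BHH", record[:5])
        if ctype == RECORD_HANDSHAKE:
            self._feed_handshake(record[5:5 + length])

    def _feed_handshake(self, data: bytes) -> None:
        if self._remaining is None:              # still collecting the fixed prefix
            need = PREFIX_LEN - len(self._prefix)
            self._prefix += data[:need]
            data = data[need:]
            if len(self._prefix) < PREFIX_LEN:
                return                           # prefix continues in the next record
            if self._prefix[0] != HS_NEW_SESSION_TICKET:
                raise ValueError("not a NewSessionTicket message")
            _hint, ticket_len = struct.unpack("!IH", self._prefix[4:PREFIX_LEN])
            self._remaining = ticket_len
        chunk = data[:self._remaining]           # only the ticket part of this record
        self._hash.update(chunk)                 # incremental: no reassembly buffer
        self._remaining -= len(chunk)
        if self._remaining == 0 and self.token is None:
            self.token = self._hash.digest()     # fixed 32-byte session token


def token_for_records(records: List[bytes]) -> bytes:
    tok = TicketTokenizer()
    for rec in records:
        tok.feed_record(rec)
    if tok.token is None:
        raise ValueError("ticket incomplete")
    return tok.token


def reference_token(ticket: bytes) -> bytes:
    """What the streamed token must equal: SHA-256 over the whole ticket."""
    return hashlib.sha256(ticket).digest()


# Constructed 512-byte ticket (a real one is opaque, server-encrypted state).
TICKET = bytes(range(256)) * 2

if __name__ == "__main__":
    recs = split_into_records(build_new_session_ticket(TICKET), 100)
    print(len(recs), "records ->", token_for_records(recs).hex())
```

Whatever the fragmentation (one record, 100-byte records, or 3-byte records that split even the handshake header), the streamed digest equals the digest of the whole ticket, so a session table keyed by the token needs only 32 bytes per entry instead of the variable-length ticket.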
20130219166 | HARDWARE BASED IDENTITY MANAGER - A method for providing authentication credentials to a server over a communications network includes initiating communication with a server over a communications network. The communication is to be established using a secure connection. A message is received from the server over the communications network as well as a request for a digital certificate associated with a first user account accessible to the server. An encrypted private key is decrypted in a secure hardware module to obtain a decrypted private key. The decrypted private key is associated with the first user account. The message received from the server is passed to the secure hardware module. The message is digitally signed in the secure hardware module using the decrypted private key. The digital certificate and the digitally signed message are sent to the server over the communication network. | 08-22-2013 |
20130227272 | Dynamic Selection of Security Protocol - Techniques described herein enable a client to store information indicating whether various hosts (e.g., servers, web domains) support a preferred security protocol, such as a False Start-modified TLS or SSL protocol. The client may then use this information to dynamically determine whether to use the preferred protocol when connecting to a particular host. When the client attempts a handshake to establish a secure connection with a host for the first time, the client does so using the preferred protocol. If the handshake fails, the client locally stores domain or other identifying information for the host so that the client may employ a non-preferred protocol in subsequent connection attempts. Thus, a client may avoid performance degradation caused by attempting a preferred-protocol connection with a host that does not support the preferred protocol. Stored information may include a time stamp to enable periodic checks for host capability updates. | 08-29-2013 |
20130227273 | PRIVACY-PRESERVING PUBLISH-SUBSCRIBE PROTOCOL IN A DISTRIBUTED MODEL - A method and system for providing privacy in a publish-subscribe protocol is provided. A server transmits a public key to a client. The server receives from the client a pseudonym of an interest based on a division malleable commitment method applied to the public key, wherein the pseudonym of the interest functions as a commitment of the client. The server encrypts an item with a padded key and encrypts the padded key. The server transmits to the client the encrypted item and a pseudonym of a topic associated with the item, based on a modification of the commitment by the server using a hybrid conditional-oblivious transfer protocol. When the interest of the client equals the topic associated with the item, the client retrieves the correct padded key to decrypt the encrypted data item; otherwise the client retrieves a random key that is unable to decrypt the encrypted data item. | 08-29-2013 |
20130254531 | IMS MULTIMEDIA COMMUNICATION METHOD AND SYSTEM, TERMINAL AND IMS CORE NETWORK - An IMS multimedia communication method and system, terminal and IMS core network, wherein the IMS multimedia communication method includes signalling negotiation performed between the terminal and the IMS core network; during the signalling negotiation an IPSec-ESP security association for media transmission is established between the terminal and the IMS core network, and the media content is transmitted between the terminal and the IMS core network via that security association. The security of media content transmitted between the terminal and the IMS core network is thus maintained, solving the security problem of multimedia communication under IMS in the related technology and preventing the media content from being maliciously stolen or tampered with by others while in transit between the terminal and the IMS core network. | 09-26-2013 |
20130283037 | REDUNDANCY FOR REAL TIME COMMUNICATIONS - Systems and methods of redundancy for real time communications are disclosed. One such system includes a first device and a second device, where the first device includes a redundant tunneled services element (RTSE) and the second device includes a redundant tunnel services control function (RTSCF). The RTSCF is in communication with the RTSE and is operable to establish a redundant secure tunnel to the RTSE. The RTSE is operable to redundantly convey a first stream of media packets over the redundant secure tunnel to the RTSCF. The RTSCF is operable to redundantly convey a second stream of media packets over the redundant secure tunnel to the RTSE. | 10-24-2013 |
20130290699 | METHODS FOR SECURE COMMUNICATION BETWEEN NETWORK DEVICE SERVICES AND DEVICES THEREOF - A method, non-transitory computer readable medium, and network device that generates a network communication including a destination address associated with a second network device and a destination port number, wherein the destination port number corresponds to a service operating on the second network device. An initial SSL handshake protocol message is generated and at least the destination port number is inserted into a server name indicator (SNI) extension of the initial SSL handshake protocol message. An SSL connection is established with the second network device using a predetermined port number and the initial SSL handshake protocol message is sent to the second network device. Information included in the network communication is sent to the second network device using the SSL connection. | 10-31-2013 |
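The SNI usage described in the abstract above, as an added example that is not code from the patent application: the connecting device puts the destination port into the host_name entry of a server_name extension (RFC 6066 layout), the receiving device accepts TLS on one fixed port, parses the extension and dispatches to the service on the embedded port. The name format `svc-<port>.<host>`, the service map and the hostnames are assumptions constructed for the example.

```python
"""Carrying a destination port number in the SNI extension of a ClientHello.

Added example, not code from the patent application. Builds and parses only
the server_name extension itself; the enclosing ClientHello is out of scope.
"""
import re
import struct
from typing import Dict, Optional, Tuple

EXT_SERVER_NAME = 0x0000
NAME_TYPE_HOST_NAME = 0
PORT_NAME = re.compile(r"^svc-(\d{1,5})\.(.+)$")   # assumed encoding of the port


def encode_target_name(host: str, port: int) -> str:
    """Client side: fold the service port into the SNI host name."""
    if not 0 < port < 65536:
        raise ValueError("bad port")
    return f"svc-{port}.{host}"


def build_sni_extension(server_name: str) -> bytes:
    """extension_type(2) ext_len(2) list_len(2) name_type(1) name_len(2) name."""
    name = server_name.encode("ascii")
    entry = struct.pack("!BH", NAME_TYPE_HOST_NAME, len(name)) + name
    body = struct.pack("!H", len(entry)) + entry
    return struct.pack("!HH", EXT_SERVER_NAME, len(body)) + body


def parse_sni_extension(ext: bytes) -> Optional[str]:
    """Return the first host_name entry, or None if malformed / not server_name."""
    if len(ext) < 4:
        return None
    ext_type, ext_len = struct.unpack("!HH", ext[:4])
    if ext_type != EXT_SERVER_NAME or len(ext) < 4 + ext_len:
        return None                                  # truncated: refuse, don't guess
    body = ext[4:4 + ext_len]
    if len(body) < 2:
        return None
    (list_len,) = struct.unpack("!H", body[:2])
    pos, end = 2, min(2 + list_len, len(body))
    while pos + 3 <= end:
        name_type, name_len = struct.unpack("!BH", body[pos:pos + 3])
        pos += 3
        if pos + name_len > end:
            return None
        if name_type == NAME_TYPE_HOST_NAME:
            return body[pos:pos + name_len].decode("ascii", errors="replace")
        pos += name_len
    return None


def dispatch(ext: bytes, services: Dict[int, str]) -> Tuple[Optional[int], Optional[str]]:
    """Server side: recover (port, host); only ports in the allow-list are reachable."""
    name = parse_sni_extension(ext)
    if name is None:
        return None, None
    m = PORT_NAME.match(name)
    if not m:
        return None, name                            # ordinary SNI, no embedded port
    port = int(m.group(1))
    if port not in services:                         # never forward to arbitrary ports
        return None, m.group(2)
    return port, m.group(2)


SERVICES = {8443: "config-api", 9443: "metrics"}   # constructed allow-list of services

if __name__ == "__main__":
    ext = build_sni_extension(encode_target_name("node2.internal", 8443))
    print(ext.hex(), dispatch(ext, SERVICES))
```

The allow-list in dispatch is the check a practitioner wants here: a port carried in SNI is attacker-controlled input, so the receiving device must only connect the SSL session to services it deliberately exports, not to whatever port the name names.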
20130305036 | TLS ABBREVIATED SESSION IDENTIFIER PROTOCOL - A method, system and computer program product related to an authentication security protocol, which associates a unique Abbreviated Session Identifier (ASI) with some application data packets transmitted, for example, from a client to a server. The present technology can be a modified version of the Transport Layer Security (TLS) protocol. A method of authentication comprises an initial setup comprising negotiating a secure network connection between client and server using TLS, providing a unique ASI by the server, associating the ASI with a TLS protocol session identifier, transmitting the unique ASI and the TLS protocol session identifier to the client, and establishing the secure network connection between the client and server. Subsequent data packets transferred between the client and server may include the unique ASI. | 11-14-2013 |
20130311766 | ESTABLISHING NETWORK SECURITY USING INTERNET PROTOCOL SECURITY POLICIES - Techniques for configuring network security include obtaining non-packet flow information, evaluating a policy rule based on the obtained information, and proposing a security arrangement based on the evaluation. The non-packet flow information can include, for example, authentication information obtained during an Internet Key Exchange protocol session or information obtained from a layered service provider. Therefore, policies such as Internet Protocol security (IPsec) policies can be defined and implemented so that they more accurately reflect the network's security requirements. | 11-21-2013 |
20130318341 | Highly Scalable Architecture for Application Network Appliances - A highly scalable application network appliance is described herein. According to one embodiment, a network element includes a switch fabric, a first service module coupled to the switch fabric, and a second service module coupled to the first service module over the switch fabric. In response to packets of a network transaction received from a client over a first network to access a server of a data center having multiple servers over a second network, the first service module is configured to perform a first portion of OSI (open system interconnection) compatible layers of network processes on the packets while the second service module is configured to perform a second portion of the OSI compatible layers of network processes on the packets. The first portion includes at least one OSI compatible layer that is not included in the second portion. Other methods and apparatuses are also described. | 11-28-2013 |
20130339724 | SELECTIVE ENCRYPTION IN MOBILE DEVICES - A method, product and system for selective encryption in a mobile device. The method comprising: selectively encrypting requests issued by the mobile device, wherein said selectively encrypting comprises: obtaining a request issued by an application executed by the mobile device, the request having one or more characteristics, the request has a destination; determining, based on the one or more characteristics, whether to encrypt the request; and in response to a determination to encrypt the request, re-routing the request to be transmitted to the destination through a secure channel; whereby the request is encrypted regardless of the destination being a priori associated with the secure channel. | 12-19-2013 |
20130339725 | METHOD AND SYSTEM FOR MONITORING ENCRYPTED DATA TRANSMISSIONS - A method for efficiently decrypting asymmetric SSL pre-master keys is divided into a key agent component that runs in user mode, and an SSL driver running in kernel mode. The key agent can take advantage of multiple threads for decoding keys in a multi-processor environment, while the SSL driver handles the task of symmetric decryption of the SSL encrypted data stream. The method is of advantage in applications such as firewalls with deep packet inspection in which all encrypted data traffic passing through the firewall must be decrypted for inspection. | 12-19-2013 |
20140032897 | SECURELY ESTABLISHING A COMMUNICATION CHANNEL BETWEEN A SWITCH AND A NETWORK-BASED APPLICATION USING A UNIQUE IDENTIFIER FOR THE NETWORK-BASED APPLICATION - A network-based application can establish a secure network connection to a switch. A unique identifier (UID) is generated for the network-based application, and a secure authentication request is generated from the network-based application. The UID for the network-based application is embedded in the secure authentication request. The secure authentication request is communicated to the switch. A response to the secure authentication request is received from the switch. One or more operations are performed that utilize the UID to establish a secure communication channel between the network-based application and the switch. | 01-30-2014 |
20140068245 | SYSTEMS AND METHODS FOR HANDLING SSL SESSION NOT REUSABLE ACROSS MULTIPLE CORES - The present invention is directed towards systems and methods for managing SSL session persistence and reuse in a multi-core system. A first core may indicate that an SSL session established by the first core is non-resumable. Responsive to the indication, the core may set an indicator at a location in memory accessible by each core of the multi-core system, the indicator indicating that the SSL session is non-resumable. A second core of the multi-core system may receive a request to reuse the SSL session. The request may include a session identifier of the SSL session. In addition, the session identifier may identify the first core as an establisher of the SSL session. The second core can identify from encoding of the session identifier whether the second core is not the establisher of the SSL session. Responsive to the identification, the second core may determine whether to resume the SSL session. | 03-06-2014 |
20140095861 | Input Consistency Verification for Server Assisted Secure Function Evaluation - Server-assisted secure function evaluation (SFE) is performed with input consistency verification for two parties that want to evaluate a function. The server computes a garbled circuit corresponding to the function. A predefined bit of the 0-secret of wire i in the garbled circuit is set to a random bit b | 04-03-2014 |
20140095862 | SECURITY ASSOCIATION DETECTION FOR INTERNET PROTOCOL SECURITY - According to an example, a detection message may be sent for security association detection for Internet protocol security. The detection message includes a detection flag. The detection message may be an encapsulated message including the detection flag. | 04-03-2014 |
20140101435 | ENCRYPTED COMMUNICATION APPARATUS AND CONTROL METHOD THEREFOR - An encrypted communication apparatus determines a security protocol in IPsec to be applied to an IP packet, and calculates, based on the determined security protocol, a packet size which prevents the IP packet from being fragmented even if IPsec is applied to the IP packet. The packet size to be calculated is independent of an encryption algorithm and authentication algorithm which are actually specified by the determined security protocol. | 04-10-2014 |
20140108781 | Method and System for Negotiation Based on IKE Messages - The present invention provides a method and a system for negotiation based on IKE messages. A standby device updates a value of a stored third identity according to an update notification of an active device. The update notification of the active device is sent by the active device after updating a value of a stored second identity. When the standby device switches to a new active device, the new active device sends a second message for negotiating IPSec information to a peer device according to the updated third identity. The third identity is an identity that is stored in the standby device and used to acquire state information of the active device. | 04-17-2014 |
20140115320 | TCP/IP-BASED COMMUNICATION SYSTEM AND ASSOCIATED METHODOLOGY PROVIDING AN ENHANCED TRANSPORT LAYER PROTOCOL - A more secure TCP/IP protocol stack is provided having an enhanced transport layer. Encryption and decryption logic is arranged on the transmission side and on the reception side for processing a payload of a transport layer protocol, such as TCP or UDP. By employing this enhanced transport layer, a cryptograph process communication can be realized by dissolving various kinds of restrictions which a conventional IPsec or SSL possesses without affecting upper layer processing, and, at the same time, maintaining compatibility with the IP layer. | 04-24-2014 |
20140122865 | SYSTEMS AND METHODS FOR SPLIT PROXYING OF SSL VIA WAN APPLIANCES - The present invention is directed towards systems and methods for split proxying Secure Socket Layer (SSL) communications via intermediaries deployed between a client and a server. The method includes establishing, by a server-side intermediary, a SSL session with a server. A client-side intermediary may establish a second SSL session with a client using SSL configuration information received from the server-side intermediary. Both intermediaries may communicate via a third SSL session. The server-side intermediary may decrypt data received from the server using the first SSL session's session key. The server-side intermediary may transmit to the client-side intermediary, via the third SSL session, data encrypted using the third SSL session's session key. The client-side intermediary may decrypt the encrypted data using the third SSL session's session key. The client-side intermediary may transmit to the client the data encrypted using the second SSL session's session key. | 05-01-2014 |
20140136833 | METHOD AND SYSTEM FOR GENERATING A SECURE MESSAGE AS A URL MESSAGE - A method for generating and delivering a message via a web service is provided. A message for a recipient is converted to a URL and sent. A request is received from a sender having a first type of security to send a message, also having the first type of security, to a recipient having a second type of security. A URL message is created in response to receiving the request to send the message to the recipient, and the URL message is sent to the recipient. A URL message response is received from the recipient, and a landing message is provided to the recipient in response to receiving the URL message response. The landing message includes a hint requesting an answer from the recipient. An answer is received from the recipient and, in response to receiving the answer, the message is sent to the recipient using the second type of security. | 05-15-2014 |
20140136834 | HTTP Layer Countermeasures Against Blockwise Chosen Boundary Attack - A client application, when executed by a processor, is operative to create a HyperText Transfer Protocol (HTTP) request containing a target header that includes a confidential value. The HTTP request is to be sent over a Secure Sockets Layer (SSL) 3.0 connection or a Transport Layer Security (TLS) 1.0 connection to a web server. The client application implements at its HTTP layer a countermeasure to a blockwise chosen-boundary attack. The client application generates an additional header having a header name that is not recognizable by the web server and inserts the additional header into the HTTP request ahead of the target header, thus creating a modified HTTP request. The modified HTTP request is to be sent, instead of the unmodified HTTP request, over the SSL 3.0 connection or the TLS 1.0 connection to the web server. | 05-15-2014 |
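The header-insertion countermeasure described in the abstract above, as an added example that is not code from the patent application: before a request goes out over a CBC-mode SSL 3.0 / TLS 1.0 connection, a header with an unpredictable name and length is placed ahead of the header carrying the secret (here Cookie), so the secret's alignment to the cipher block boundary is no longer chosen by the attacker. The `X-` name prefix, the 16-byte block size (AES) and the sample request are assumptions constructed for the example.

```python
"""HTTP-layer countermeasure to a blockwise chosen-boundary attack on CBC TLS.

Added example, not code from the patent application. The attacker's trick is
to pad the request so that one unknown byte of the cookie sits at the end of a
cipher block; inserting a chaff header of random length before the cookie
moves that boundary by an amount the attacker cannot predict.
"""
import random
from typing import List, Tuple

BLOCK_SIZE = 16   # assumed cipher block size (AES-CBC)


def build_request(method: str, path: str, headers: List[Tuple[str, str]]) -> bytes:
    lines = [f"{method} {path} HTTP/1.1"] + [f"{k}: {v}" for k, v in headers]
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def insert_chaff_header(request: bytes, target: str, pad_len: int, suffix: str) -> bytes:
    """Insert 'X-<suffix>: <pad_len filler bytes>' immediately before the target header."""
    head, sep, body = request.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    marker = target.lower().encode() + b":"
    for i, line in enumerate(lines[1:], start=1):        # skip the request line
        if line.lower().startswith(marker):
            chaff = f"X-{suffix}: ".encode() + b"a" * pad_len
            lines.insert(i, chaff)
            return b"\r\n".join(lines) + sep + body
    raise ValueError(f"no {target} header")


def randomized_request(request: bytes, target: str, rng: random.Random) -> bytes:
    """What the client sends instead of the unmodified request."""
    pad_len = rng.randrange(BLOCK_SIZE)                    # shifts alignment by 0..15
    suffix = "".join(rng.choice("0123456789abcdef") for _ in range(8))
    return insert_chaff_header(request, target, pad_len, suffix)


def block_offset(request: bytes, target: str) -> int:
    """Position of the target header's value inside its cipher block."""
    marker = b"\r\n" + target.encode() + b": "
    idx = request.find(marker)
    if idx < 0:
        raise ValueError(f"no {target} header")
    return (idx + len(marker)) % BLOCK_SIZE


def offset_spread(request: bytes, target: str) -> set:
    """Alignments the countermeasure can produce with a fixed chaff name."""
    return {block_offset(insert_chaff_header(request, target, n, "deadbeef"), target)
            for n in range(BLOCK_SIZE)}


# Constructed request carrying a session cookie (the attacker's target).
REQUEST = build_request("GET", "/account", [
    ("Host", "bank.example"),
    ("Cookie", "session=SECRETSECRETSECRET"),
    ("User-Agent", "demo/1.0"),
])

if __name__ == "__main__":
    print(randomized_request(REQUEST, "Cookie", random.Random()).decode())
```

Because the chaff length ranges over all residues modulo the block size, the cookie can land at any of the 16 block offsets, and the attacker's chosen-boundary guess is right only by chance; removing the chaff header gives back exactly the original request, so the server sees nothing it needs to understand.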
20140143535 | AUTHENTICATED FILE HANDLES FOR NETWORK FILE SYSTEMS - One or more file sharing computers receives a client request including an IP address and port number used by the client (computer). The one or more computers respond by creating an enhanced file handle from a hash on a combination of the IP address, port number, restricted key, and a standard file handle, and concatenating the hash with the standard file handle. The enhanced file handle is sent to the client and used by the client in a second request. The one or more computers uncouple the standard file handle and hash combination. Using the client IP address, port number, restricted key and standard file handle from the client second request, the one or more computers create a second combination. The second combination hash is compared to the first combination hash and in response to determining a match, the second request is accepted, and otherwise denied. | 05-22-2014 |
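The enhanced file handle described in the abstract above, as an added example that is not code from the patent application: the server holds a restricted key, issues a handle of the form MAC || standard handle where the MAC covers the client's IP address, port and the standard handle, and on the next request recomputes the MAC from the observed source address and port and compares. Using HMAC rather than a bare hash over the concatenation is this example's choice (it avoids length-extension and ambiguous concatenation); the key, the 32-byte standard handle and the client addresses are constructed.

```python
"""File handles bound to the requesting client's IP address and port.

Added example, not code from the patent application. A handle stolen from one
client (or one connection) fails verification when presented from another
address/port, and any bit flip in the handle fails the MAC check.
"""
import hashlib
import hmac
import ipaddress
import struct
from typing import Optional

MAC_LEN = 32  # SHA-256 output length


def _combination(client_ip: str, client_port: int, std_handle: bytes) -> bytes:
    """Unambiguous encoding: address length, packed address (v4 or v6), port, handle."""
    addr = ipaddress.ip_address(client_ip).packed
    return bytes([len(addr)]) + addr + struct.pack("!H", client_port) + std_handle


def make_enhanced_handle(std_handle: bytes, client_ip: str, client_port: int,
                         restricted_key: bytes) -> bytes:
    """Server side, first request: MAC over (ip, port, handle), concatenated with the handle."""
    mac = hmac.new(restricted_key, _combination(client_ip, client_port, std_handle),
                   hashlib.sha256).digest()
    return mac + std_handle


def verify_enhanced_handle(enhanced: bytes, client_ip: str, client_port: int,
                           restricted_key: bytes) -> Optional[bytes]:
    """Server side, second request: return the standard handle if the MAC matches, else None."""
    if len(enhanced) <= MAC_LEN:
        return None
    mac, std_handle = enhanced[:MAC_LEN], enhanced[MAC_LEN:]   # uncouple hash and handle
    expected = hmac.new(restricted_key, _combination(client_ip, client_port, std_handle),
                        hashlib.sha256).digest()
    if hmac.compare_digest(mac, expected):                      # constant-time comparison
        return std_handle
    return None


RESTRICTED_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)  # constructed
STD_HANDLE = bytes.fromhex("0a0b0c0d" * 8)                              # constructed

if __name__ == "__main__":
    eh = make_enhanced_handle(STD_HANDLE, "192.0.2.10", 40001, RESTRICTED_KEY)
    print("same client :", verify_enhanced_handle(eh, "192.0.2.10", 40001, RESTRICTED_KEY) is not None)
    print("other port  :", verify_enhanced_handle(eh, "192.0.2.10", 40002, RESTRICTED_KEY))
```

The caveat a practitioner should keep in mind is that binding to the source port ties the handle to one connection: a client that reconnects from a new ephemeral port must obtain a fresh handle, which is the intended behaviour here but has to be reflected in the client's retry logic.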
20140223169 | TCP/IP-BASED COMMUNICATION SYSTEM AND ASSOCIATED METHODOLOGY PROVIDING AN ENHANCED TRANSPORT LAYER PROTOCOL - A more secure TCP/IP protocol stack is provided having an enhanced transport layer. Encryption and decryption logic is arranged on the transmission side and on the reception side for processing a payload of a transport layer protocol, such as TCP or UDP. By employing this enhanced transport layer, a cryptograph process communication can be realized by dissolving various kinds of restrictions which a conventional IPsec or SSL possesses without affecting upper layer processing, and, at the same time, maintaining compatibility with the IP layer. | 08-07-2014 |
20140250296 | STRICT COMMUNICATIONS TRANSPORT SECURITY - Strict transport security controls are arranged to detect a first navigation command of a network-enabled application to navigate from a secure connection established with a first network address and to navigate to a second network address using an unsecure reference. A filter is used to filter, in response to the detection of the first navigation command, referring information in a second navigation command used to establish a second address secure connection with a device having the second network address. The strict transport security controls service is optionally arranged to provide a warning signal upon detecting formation of the second navigation command. | 09-04-2014 |
20140281480 | SYSTEMS AND METHODS FOR PROVIDING SECURE COMMUNICATION - A client includes a security agent configured to create a client certificate that corresponds to one or more client identifiers. A server includes a server certificate and is in communication with the security agent. The server is configured to facilitate establishing an initial mutually authenticated transport layer security (TLS) session with the client based on the client certificate and the server certificate. The server is also configured to extract the client certificate from the security agent once the TLS session is established. The server is configured to store the certificate as being associated with only the corresponding client identifier(s) and to categorize the association between the client certificate and the corresponding client identifier(s) as being secure but not trusted for the client until the identity of the client has been verified. Moreover, the server is configured to receive an indication that the identity of the client has been verified. | 09-18-2014 |
20140281481 | DLNA/DTCP STREAM CONVERSION FOR SECURE MEDIA PLAYBACK - A process for converting a DTCP-IP transport stream into HLS format, comprising receiving an encrypted DTCP-IP transport stream comprising DTCP frames at a secondary device from a source device, with each of the plurality of DTCP frames comprising encrypted 16-byte portions, forming chunks from the DTCP frames by grouping encrypted 16-byte portions into a chunk, adding HLS padding bytes to the end of each chunk and encrypting the HLS padding bytes to form an encrypted chunk, loading each of the encrypted chunks and a playlist to a media proxy server at the secondary device, loading a DTCP key onto a security proxy server, and providing the playlist, each of the encrypted chunks, and the DTCP key to a native media player on the secondary device, such that the native media player follows the playlist to decrypt the encrypted chunks using the DTCP key and plays back the chunks. | 09-18-2014 |
20140281482 | SECURE STORAGE AND SHARING OF USER OBJECTS - Information objects model real-world objects or concepts that may be associated with users, such as vehicles, homes, people, animals, accounts, places, and the like. The objects have a set of associated properties, which have corresponding required protection levels indicating a level of permission that another user must have to the object in order to be able to receive and access the value of that property in the object. Objects are stored by a framework using techniques that reduce or eliminate the possibility of unauthorized access. For example, an object is durably stored in encrypted form in device storage, with the values of properties encrypted in different manners according to the different corresponding protection levels. When sharing an object with another user or other entity, the required protection levels of the object properties are respected in order to prohibit the other entity from obtaining access to unauthorized portions of an object. | 09-18-2014 |
20140304498 | SYSTEMS AND METHODS FOR NEXTPROTO NEGOTIATION EXTENSION HANDLING USING MIXED MODE - This disclosure is directed to systems and methods for handling the processing of a next protocol negotiation extension for a transport layer security (TLS) session. A device, intermediary to a client and a server, may receive a client hello message from the client in a handshake to establish a transport layer security (TLS) session with the server. The client hello message may include a next protocol negotiation extension. The device may include a first TLS processor that is software based and a second TLS processor that is hardware based. The device may determine that the client hello message includes the next protocol negotiation extension. The device may establish, responsive to the determination, the TLS session using the first TLS processor. The device may process, upon establishment of the TLS session using the first TLS processor, encrypted data for the TLS session using the second TLS processor. | 10-09-2014 |
20140304499 | SYSTEMS AND METHODS FOR SSL SESSION MANAGEMENT IN A CLUSTER SYSTEM - The present invention is directed towards systems and methods for managing one or more SSL sessions. A first node from a cluster of nodes intermediary between a client and a server may receive a first request from the client to use a first session established with the server. The first request may include a session identifier of the first session. The first node may determine that the first session is not identified in a cache of the first node. The first node may identify, via a hash table responsive to the determination, an owner node of the first session from the cluster using a key. The key may be determined based on the session identifier. The first node may send a second request to the identified owner node for session data of the first session. The session data may be for establishing a second session with the server. | 10-09-2014 |
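The two session-ownership schemes in the abstracts for 20140068245 (owner core encoded in the session identifier, plus a shared non-resumable indicator) and 20140304499 (owner node found through a hash table keyed from the session identifier, then asked for the session data), as one added example that is not code from either patent application. The cluster is simulated in a single process; the session-ID layout, the truncated-SHA-256 table key, the shared set standing in for the shared-memory indicator and the session contents are assumptions.

```python
"""SSL session resumption across the cores or nodes of a cluster.

Added example, not code from either patent application. A node that receives
a resumption request for a session it does not hold determines the owner
(encoded in the ID, or via the cluster hash table), fetches the session data
from the owner, and refuses when the session is flagged non-resumable.
"""
import hashlib
import secrets
from typing import Dict, Optional, Set

SESSION_ID_LEN = 32


def table_key(session_id: bytes) -> bytes:
    """Key for the cluster-wide owner table (truncated SHA-256 of the ID; an assumption)."""
    return hashlib.sha256(session_id).digest()[:8]


class Cluster:
    def __init__(self, owner_lookup: str = "encoded") -> None:
        if owner_lookup not in ("encoded", "table"):
            raise ValueError("owner_lookup must be 'encoded' or 'table'")
        self.owner_lookup = owner_lookup
        self.nodes: Dict[int, "Node"] = {}
        self.owner_table: Dict[bytes, int] = {}      # hash table of 20140304499
        self.non_resumable: Set[bytes] = set()       # shared indicator of 20140068245

    def add_node(self) -> "Node":
        node = Node(len(self.nodes), self)
        self.nodes[node.node_id] = node
        return node

    def owner_of(self, sid: bytes) -> Optional[int]:
        if len(sid) != SESSION_ID_LEN:
            return None
        if self.owner_lookup == "encoded":
            return sid[0]                            # owner lives in the first byte
        return self.owner_table.get(table_key(sid))


class Node:
    def __init__(self, node_id: int, cluster: Cluster) -> None:
        self.node_id = node_id
        self.cluster = cluster
        self.sessions: Dict[bytes, dict] = {}       # local cache of session data

    def establish(self, master_secret: bytes, cipher: str) -> bytes:
        """Full handshake done here; mint an ID that lets other nodes find us."""
        if self.cluster.owner_lookup == "encoded":
            sid = bytes([self.node_id]) + secrets.token_bytes(SESSION_ID_LEN - 1)
        else:
            sid = secrets.token_bytes(SESSION_ID_LEN)
            self.cluster.owner_table[table_key(sid)] = self.node_id
        self.sessions[sid] = {"master_secret": master_secret, "cipher": cipher}
        return sid

    def mark_non_resumable(self, sid: bytes) -> None:
        self.cluster.non_resumable.add(sid)          # visible to every node/core

    def fetch_session(self, sid: bytes) -> Optional[dict]:
        """Answer another node's request for session data."""
        return self.sessions.get(sid)

    def resume(self, sid: bytes) -> Optional[dict]:
        """Handle a ClientHello carrying sid; None means fall back to a full handshake."""
        if sid in self.cluster.non_resumable:
            return None
        if sid in self.sessions:
            return self.sessions[sid]
        owner = self.cluster.owner_of(sid)
        if owner is None or owner == self.node_id:
            return None                              # unknown, expired or forged ID
        peer = self.cluster.nodes.get(owner)
        if peer is None:
            return None                              # owner encoding points nowhere
        data = peer.fetch_session(sid)               # the "second request" to the owner
        if data is not None:
            self.sessions[sid] = data                # cache so later hits stay local
        return data


if __name__ == "__main__":
    cluster = Cluster()
    a, b = cluster.add_node(), cluster.add_node()
    sid = a.establish(b"\x01" * 48, "ECDHE-RSA-AES128-GCM-SHA256")
    print("resume on other node:", b.resume(sid) is not None)
```

A forged session ID whose owner byte names a non-existent node, or one that hashes to no table entry, is treated exactly like an expired session: the node falls back to a full handshake rather than trusting the identifier.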
20140310512 | SECURE NETWORK TUNNEL BETWEEN A COMPUTING DEVICE AND AN ENDPOINT - The present disclosure presents a system, method and apparatus herein enabling secure coupling of a computing device, such as a mobile device with an endpoint, such as an application server. The computing device can include any electronic device such as a computer, a server, an application server, a mobile device or tablet. The endpoint can be any electronic device as well that is located within an enterprise network. In at least one embodiment, the secure coupling of the mobile device with a computing device can include a security gateway server. In one example, the security gateway server can be a tunnel service server. In another embodiment, an application server can include a tunnel service module to provide the secure coupling with the mobile device. | 10-16-2014 |
20140337613 | SELECTIVELY PERFORMING MAN IN THE MIDDLE DECRYPTION - An agent on a device within a network receives a request to access a resource outside the network. A first encrypted connection is established between the device and the agent, and a second encrypted connection is established between the agent and the resource, to facilitate encrypted communication traffic between the device and the resource. The agent sends a policy request to a network appliance within the network, the request specifying the resource. The agent receives a policy response indicating that the resource is associated with one or more security policies of the network. Traffic passing between the device and the resource is selectively decrypted and inspected depending on the security policies. | 11-13-2014 |
20140365759 | Signaling and Carriage of Protection and Usage Information for Dynamic Adaptive Streaming - A Dynamic Adaptive Streaming over Hypertext Transport Protocol (DASH) server component is disclosed. The DASH server component may comprise a memory, a processor coupled to the memory, and a transmitter coupled to the processor. The processor may be configured to generate one or more keys containing content protection information for media content, associate the keys with one or more segments of media content, store the keys in a DASH metadata track in the memory, and generate a media presentation description (MPD) specifying an association between the keys and the segments of media content. The transmitter may be configured to transmit the keys to at least one client independently of transmitting the media content and transmit the MPD to the at least one client. | 12-11-2014 |
20140365760 | COMMUNICATION EQUIPMENT FOR SECURE COMMUNICATION - Communication equipment includes a communication device ( | 12-11-2014 |
20140372747 | SYSTEM AND METHOD FOR MANAGING TLS CONNECTIONS AMONG SEPARATE APPLICATIONS WITHIN A NETWORK OF COMPUTING SYSTEMS - An approach for reusing transport layer security (TLS) connections among separate applications is provided. In one aspect, a computing system establishes a transmission control protocol/Internet protocol (TCP/IP) connection between a first application on a first endpoint and a second application on a second endpoint. The computing system further performs a TLS handshake over the established TCP/IP connection. The computing system also transmits a request from a third application on the second endpoint to transfer the TLS context from the second application on the second endpoint. In response to the second application on the second endpoint accepting the transfer request, the second application uses, via the one or more computer processors, a predetermined method of providing the TLS context to the third application, so that the third application on the second endpoint and the first application on the first endpoint communicate securely. | 12-18-2014 |
20140380038 | SECURE INTERNET PROTOCOL (IP) FRONT-END FOR VIRTUALIZED ENVIRONMENTS - An IPSec front-end may be configured to encrypt, decrypt and authenticate packets on behalf of a host on an insecure network and a peer on a secure network. For example, the IPSec front-end may receive internet protocol (IP) packets from the host and encrypt the data and format the data as an internet protocol security (IPsec) packet for transmission to the peer. When the peer responds with an IPSec packet, the IPSec front-end may decrypt the data and format the data as an IP packet. The IPSec front-end may be software executing on a Linux server. | 12-25-2014 |
20150026453 | SYSTEM AND METHOD FOR ESTABLISHING SECURITY IN NETWORK DEVICES CAPABLE OF OPERATING IN MULTIPLE FREQUENCY BANDS - A network device includes a security module that establishes, when the network device is capable of operating in multiple frequency bands and is operating in a first frequency band, security for both the first frequency band and a second frequency band by performing a single authentication in the first frequency band before the network device switches operation from the first frequency band to the second frequency band. A session transfer module transfers, after the network device switches operation from the first frequency band to the second frequency band, a communication session of the network device from the first frequency band to the second frequency band. The communication session resumes in the second frequency band using the security established for the second frequency band while the network device was operating in the first frequency band. | 01-22-2015 |
20150039881 | Triggering an Internet Packet Protocol Against Malware - A process of triggering an Internet packet protocol against malware includes providing protocol trigger mechanisms configured to affect network access and data object access against malware, denial of service attacks, and distributed denial of service attacks. A multi-level security system is established with a cryptographically secure network channel, or another equivalent encrypted channel, and a second object of an encrypted document or data message that uses the secure network channel. The equivalent encrypted channel can be a Virtual Private Network (VPN) tunnel including MPPE/PPTP/CIPE/OpenVPN, Secure Sockets Layer (SSL), or an IPSec tunnel. | 02-05-2015 |
20150052347 | FILE-BASED APPLICATION PROGRAMMING INTERFACE PROVIDING SELECTABLE SECURITY FEATURES - A data communication security system is disclosed that includes a network interface including a first security module implementing a first security architecture, and a second security module implementing a second security architecture different from the first security architecture. The network interface further includes a file-based application programming interface defining a plurality of attributes of the network interface and including at least one attribute associated with data security managed by one of the first and second security modules. The file-based application programming interface includes at least one attribute from among the plurality of attributes that is associated with selecting between the first or second security modules. | 02-19-2015 |
20150052348 | SESSION LAYER DATA SECURITY - A first application at a first device selects one of multiple encapsulation format types based on a cost or bandwidth associated with a network, or associated with a link of the network, connected between the first application at the first device and a second application at a second device. The first application receives, at the first application from Open Systems Interconnection (OSI) layers above an OSI session layer, payload data associated with a session, and generates one or more session layer encapsulated blocks of the payload data using the selected one of the multiple encapsulated format types. The first application encrypts the payload data, and other data of the one or more session layer encapsulated blocks, and passes the encrypted session layer encapsulated block to OSI layers below the session layer for sending to the second application at the second device. | 02-19-2015 |
20150082021 | MOBILE PROXY FOR WEBRTC INTEROPERABILITY - An example method and system for a mobile proxy for WebRTC interoperability is discussed. The method may include receiving a DTLS security handshake from a WebRTC API of a browser endpoint, negotiating an encryption mechanism through a signaling protocol with a non-WebRTC enabled endpoint, completing, using one or more hardware processors, the DTLS security handshake with the WebRTC API of the browser endpoint based on the encryption mechanism, and exchanging, through a mobile proxy, first media traffic from the browser endpoint with the non-WebRTC enabled endpoint and second media traffic from the non-WebRTC enabled endpoint with the browser endpoint. In various embodiments, if the non-WebRTC endpoint uses SDES for negotiation of the encryption mechanism, the encryption mechanism may include SDES-conveyed key information. However, if the non-WebRTC endpoint uses plain RTP for media exchange of the second media traffic, the encryption mechanism may correspond to a null cipher mode, so the media leg to that endpoint is not encrypted. | 03-19-2015 |
20150113264 | INLINE INSPECTION OF SECURITY PROTOCOLS - Systems and methods for inline security protocol inspection are provided. According to one embodiment, a security device receives an encrypted raw packet from a first network appliance and buffers the encrypted raw packet in a buffer. An inspection module accesses the encrypted raw packet from the buffer, decrypts the encrypted raw packet to produce a plain text and scans the plain text by the inspection module. | 04-23-2015 |
20150304288 | SYSTEM AND METHOD FOR END-TO-END ENCRYPTION AND SECURITY INDICATION AT AN ENDPOINT - Disclosed herein are systems, methods, and non-transitory computer-readable storage media for implementing real-time transport control protocol to obtain an end-to-end encryption and security status of a communication session. The system collects real-time transport control protocol messages associated with a communication session, wherein the real-time transport control protocol messages are generated by devices in the communication session, and wherein the real-time transport control protocol messages include security information associated with the communication session. Then, based on the real-time transport control protocol messages, the system determines a security status associated with the communication session. The system can also generate an indication of the security status associated with the communication session. Further, the system can generate an indication of the security status of a communication session on a per participant basis. | 10-22-2015 |
20150312217 | CLIENT-SIDE ENCRYPTION OF FORM DATA - Disclosed are various embodiments that facilitate client-side encryption of form data. A network page is sent to a client. The network page includes executable encryption code configured to encrypt a form data item. The client is configured to receive the form data item via a form field of the network page. In response to receiving the form data item from the client, it is determined whether the form data item that has been received has been encrypted in the client by the executable encryption code. The form data item is then encrypted when the form data item that has been received has not been encrypted in the client by the executable encryption code. However, the form data item is not encrypted when the form data item that has been received has been encrypted in the client by the executable encryption code. | 10-29-2015 |
20150341317 | Unidirectional Deep Packet Inspection - The invention relates to a communication device ( | 11-26-2015 |
20150341341 | APPARATUS AND METHOD FOR SECURING A DEBUGGING SESSION - A device executes debugging instructions received from a debugging computer. The device receives a debugging establishment request from the debugging computer. The device transmits a unique identifier associated with the device and a secured expiration value to the debugging computer. The device receives a transport layer security (TLS) certificate from the debugging computer and establishes a secured and authenticated link with the debugging computer using the TLS certificate. The device enables a debugging mode, responsive to determining that an identifier in the TLS certificate matches the unique identifier and that a secured expiration value in the TLS certificate is valid and within a predefined validity range, and executes, in the debugging mode, debugging instructions received from the debugging computer. | 11-26-2015 |
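The device-side check from the 20150341341 abstract, as an added example that is not the patent's own code: the device answers the establishment request with its unique identifier and an expiration value it has bound with a device-held key, and later enables debug mode only if the presented certificate carries that identifier and an expiration value that verifies and still lies within the predefined validity range. The HMAC binding, the 15-minute range and the dict standing in for the certificate's extension fields are assumptions of the example; a real deployment reads the fields from the TLS certificate after the link has been authenticated.

```python
import hmac
import hashlib

VALIDITY_RANGE_SECONDS = 15 * 60   # predefined validity range (assumed value)


class DebugTarget:
    """Device side of the secured debugging session."""

    def __init__(self, unique_id: bytes, binding_key: bytes):
        self.unique_id = unique_id
        self._binding_key = binding_key   # device secret that secures the expiration value
        self.debug_mode = False

    def on_establishment_request(self, now: int):
        """Answer the debugging computer with (unique identifier, secured expiration value)."""
        expires_at = now + VALIDITY_RANGE_SECONDS
        return self.unique_id, self._secure(expires_at)

    def _secure(self, expires_at: int) -> bytes:
        # The MAC covers device id + expiration so neither can be swapped for another's.
        msg = self.unique_id + expires_at.to_bytes(8, "big")
        return hmac.new(self._binding_key, msg, hashlib.sha256).digest()

    def check_certificate(self, cert: dict, now: int):
        """Decide whether a presented certificate authorises debug mode.

        `cert` models the fields the debugging computer embedded in its TLS
        certificate (constructed here as a dict): 'unique_id', 'expires_at',
        'expiration_tag'. Returns (ok, reason).
        """
        if not hmac.compare_digest(cert.get("unique_id", b""), self.unique_id):
            return False, "identifier does not match this device"
        expires_at = cert.get("expires_at")
        if not isinstance(expires_at, int) or not 0 <= expires_at < 2 ** 64:
            return False, "missing or malformed expiration value"
        # Secured expiration value: must be one this device issued (MAC check) ...
        if not hmac.compare_digest(cert.get("expiration_tag", b""), self._secure(expires_at)):
            return False, "expiration value was not issued by this device"
        # ... and must still be within the predefined validity range.
        if expires_at <= now:
            return False, "expiration value has passed"
        if expires_at - now > VALIDITY_RANGE_SECONDS:
            return False, "expiration value outside predefined validity range"
        return True, "ok"

    def try_enable_debug(self, cert: dict, now: int) -> bool:
        ok, _ = self.check_certificate(cert, now)
        self.debug_mode = ok
        return ok
```

The MAC stops an attacker from minting a later expiration, but a captured certificate stays usable until the window closes; a device that must prevent that records each issued expiration value and discards it on first successful use.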
20150350247 | EFFICIENT SECURE INSTANT MESSAGING - A method and apparatus of a device that enables a user to participate in a secure instant messaging session by starting with a low security connection before switching to a high security connection is described. The device concurrently establishes a low security connection and a high security connection with a remote participant of the secure instant messaging session. The device sends a first message to the remote participant through the low security connection while the high security connection is being established. The device further determines whether the high security connection is established. If the high security connection is established, the device can send a second message to the remote participant through the high security connection. If the high security connection is not yet established, the device can send the second message to the remote participant through the low security connection. | 12-03-2015 |
20150373048 | Enterprise Mobile Notification Solution - The present invention provides mobile clients that can be easily distributed using any third party MDM (Mobile Device Management) solution, or mobile app stores. Two operational modes provide only messaging functions, or give more functions to manage and control various processes in the system server. This gives an easy way for Enterprises to manage their license cost by providing advanced functions to targeted technical users. The solution works on all the above mentioned platforms and enables an Enterprise to work with heterogeneous mobile devices and platforms. An admin panel on the server software lets an admin control each and every mobile device and its access to the information. The present invention provides an easy to define general policy through which rules can be defined for all devices. Similarly, specific rules for individual devices can also be defined, and applied instantaneously. | 12-24-2015 |
20160006762 | METHOD FOR CREATING A PROFILE IN A SECURITY DOMAIN OF A SECURED ELEMENT - Disclosed is a method for creating a profile in a target security domain of a secure element. In various implementations, the method includes a reception operation by said target security domain, according to a secure protocol not interpretable by this security domain, of data comprising an installation script of said profile encrypted with a key of the target security domain; a transfer operation of data to a privileged security domain capable of interpreting the protocol; a decryption operation of said protocol by said privileged security domain to obtain said encrypted script; an operation for sending the encrypted script to said target security domain; and a decryption operation of said encrypted script with said key and execution of said script by the target security domain to install said profile. Other embodiments include systems and devices that implement similar functionality. | 01-07-2016 |
20160028701 | Data Processing Method and Apparatus - A data processing method and apparatus, where the method includes acquiring a first network data packet that is sent by a target application that runs in an untrusted execution domain, where the first network data packet includes a first identifier; acquiring, in a trusted execution domain, first data corresponding to the first identifier; generating, in the trusted execution domain, a second network data packet according to the first data and the first network data packet; performing, in the trusted execution domain, encryption on the second network data packet by using a first session key to acquire an encrypted second network data packet; and sending the encrypted second network data packet to the target server. The data processing method and apparatus in the embodiments of the present invention can effectively prevent an attacker from stealing data. | 01-28-2016 |
20160050561 | MACHINE-TO-MACHINE CELLULAR COMMUNICATION SECURITY - Communicating between a mobile terminal and a Gateway GPRS Support Node (GGSN) in a Home Public Land Mobile Network (HPLMN) of the mobile terminal. An authentication and key agreement push message is communicated from the GGSN to the mobile terminal. This communicating is via a control plane channel and/or the authentication and key agreement push message is generated at the GGSN. | 02-18-2016 |
20160050568 | MACHINE-TO-MACHINE CELLULAR COMMUNICATION SECURITY - Communication between a mobile terminal operating in a cellular network and a server is provided. Communication between the mobile terminal and the server is routed through a Serving GPRS Support Node (SGSN) of the cellular network in which the mobile terminal is operating. Cryptographic integrity check information is communicated in data link layer messages between the mobile terminal and the SGSN. | 02-18-2016 |
20160057131 | SECURE CONNECTION CERTIFICATE VERIFICATION - One or more computer processors identify a first certificate that is used to establish a secure Internet connection. One or more computer processors identify a stored second certificate that shares at least one attribute with the first certificate. One or more computer processors determine a policy action based, at least in part, on a result of a comparison between an attribute of the first certificate and an attribute of the second certificate. | 02-25-2016 |
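The comparison in the 20160057131 abstract, as an added example that is not the patent's own logic: the certificate seen on a new connection is matched against a stored certificate that shares its subject, and the policy action follows from how the other attributes differ. The attribute set, the store keyed by subject and the specific actions (first use, same key, rotation near expiry under the same issuer, new issuer) are assumptions of the example.

```python
from dataclasses import dataclass

ROTATION_WINDOW_SECONDS = 30 * 86400   # assumed: a key change this close to expiry is routine renewal


@dataclass(frozen=True)
class CertView:
    """Attributes of a certificate relevant to the comparison (constructed model)."""
    subject: str
    issuer: str
    spki_fingerprint: str   # hex SHA-256 of the SubjectPublicKeyInfo
    not_after: int          # Unix time


class CertStore:
    """Previously seen certificates, looked up by the attribute they share (the subject)."""

    def __init__(self):
        self._by_subject = {}

    def find_matching(self, cert: CertView):
        return self._by_subject.get(cert.subject)

    def remember(self, cert: CertView):
        self._by_subject[cert.subject] = cert


def policy_action(first: CertView, store: CertStore, now: int) -> str:
    """Compare the connection's certificate with the stored one and return the policy action."""
    second = store.find_matching(first)
    if second is None:
        store.remember(first)
        return "allow-first-use"            # nothing to compare against yet
    if first.spki_fingerprint == second.spki_fingerprint:
        return "allow"                      # same public key: same cert or re-issued for it
    if first.issuer == second.issuer and second.not_after - now < ROTATION_WINDOW_SECONDS:
        store.remember(first)
        return "allow-key-rotation"         # new key from the same CA, old cert about to expire
    if first.issuer != second.issuer:
        return "block"                      # new key and new issuer: interception-shaped change
    return "warn"                           # new key, same CA, no renewal reason: ask the user
```

The first-use branch is trust on first use: if the very first connection is already intercepted, the forged certificate becomes the baseline. Seeding the store out of band (pinning) removes that window.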
20160080416 | SECURITY FOR GROUP ADDRESSED DATA PACKETS IN WIRELESS NETWORKS - A wireless network includes a border router, multiple router nodes and end devices. All nodes of the wireless network use a same group key for encryption and decryption of payloads of multicast layer-2 packets. A router node of the wireless network receives a group key from its parent node, and forwards the group key to its child nodes. The router node receives a layer-2 multicast packet with a payload specifying a multicast layer-3 address. The router node decrypts the payload using the group key. If at least one child node of the router node belongs to a group corresponding to the multicast layer-3 address, the router node forwards the encrypted payload as a layer-2 multicast packet to corresponding child nodes. Use of a same group key across all nodes of the wireless network reduces storage space in a node for storing group keys, and also simplifies group key handling. | 03-17-2016 |
20160094581 | HTTPS request enrichment - This disclosure provides for a network element (in the middle) to inject enrichments into SSL connections, and for taking them out. This network element is sometimes referred to herein as a “middle box.” In the context of layered software architecture, this solution preferably is implemented by a library that operates below the SSL layer and above the TCP sockets layer at the two endpoints of the SSL connection. Preferably, the SSL enrichments are implemented as SSL/TLS records. | 03-31-2016 |
20160094993 | WIDE AREA NETWORK ACCESS MANAGEMENT COMPUTER - A system and method for connecting a classified internet protocol (IP) network to a public IP network including an unclassified computing device. The unclassified computing device is a wide area network access management computer which directly connects to a National Security Agency (NSA) High Assurance Internet Protocol Encryptor (HAIPE) device and interfaces between the IP network and the classified IP network. The wide area network access management computer includes a graphical user interface, an internal data network communications interface, an external data network communications interface and a processing unit. The processing unit operates the network interfaces and presents information to the graphical user interface and interprets user input from the graphical user interface. The processing unit also performs the processing and protocols associated with the internal and external networks, performs client processing and allows the user to interact with services on any of the attached networks. | 03-31-2016 |
20160099968 | INFRASTRUCTURE LEVEL LAN SECURITY - Techniques are disclosed for securing traffic flowing across multi-tenant virtualized infrastructures using group key-based encryption. In one embodiment, an encryption module of a virtual machine (VM) host intercepts layer 2 (L2) frames sent via a virtual NIC (vNIC). The encryption module determines whether the vNIC is connected to a “secure wire,” and invokes an API exposed by a key management module to encrypt the frames using a group key associated with the secure wire, if any. Encryption may be performed for all frames from the vNIC, or according to a policy. In one embodiment, the encryption module may be located at a layer farthest from the vNIC, and encryption may be transparent to both the VM and a virtual switch. Unauthorized network entities which lack the group key cannot decipher the data of encrypted frames, even if they gain access to such frames. | 04-07-2016 |
20160127414 | TLS connection abandoning - A network-based appliance includes a mechanism to enable the appliance to extract itself from man-in-the-middle (MITM) processing during a client-server handshake and without interrupting that connection. The mechanism enables the appliance to decide (e.g., based on a rule match against a received server certificate) to stop performing MITM during the handshake and thus to de-insert itself transparently, i.e., without interfering or signaling to either end of the session that this operation is occurring. Once the connection is abandoned in the manner, the appliance ignores additional traffic flow and thus can free up processing resources (CPU, memory, and the like) that would otherwise be required to decrypt the connection (even if no further inspection or rewrite processing would be expected to occur). | 05-05-2016 |
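The two decisions in the 20140337613 and 20160127414 abstracts share one policy engine, so this added example (not code from either patent or any appliance) covers both: a host-only rule can be answered when the agent asks about a resource before the handshake, while a rule that depends on the server certificate is answered mid-handshake, and a bypass at that point makes the appliance stop MITM processing before it has sent its own certificate to the client and forward every later record untouched. The rule syntax, the sample policy and the `Flow` state machine are assumptions of the example.

```python
import fnmatch
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str          # "inspect" or "bypass"
    host: str = "*"      # glob on the requested resource / SNI
    issuer: str = "*"    # glob on the server certificate's issuer ("*" = not cert-dependent)
    reason: str = ""


# Constructed policy: first matching rule wins; the last rule is the default.
POLICY = [
    Rule("bypass", host="*.bank.example", reason="financial category: privacy exemption"),
    Rule("bypass", host="health.example", reason="health category"),
    Rule("bypass", issuer="CN=Example Pinned Root*", reason="clients pin this issuer; MITM would break them"),
    Rule("inspect", reason="default"),
]


def decide_on_request(host: str, policy=POLICY) -> Rule:
    """Agent-side step before the handshake: only rules that need no certificate apply."""
    for rule in policy:
        if rule.issuer == "*" and fnmatch.fnmatch(host, rule.host):
            return rule
    return Rule("inspect", reason="default")


def decide_on_server_cert(host: str, server_cert: dict, policy=POLICY) -> Rule:
    """Appliance-side step once the server certificate has arrived: all rules apply."""
    issuer = server_cert.get("issuer", "")
    for rule in policy:
        if fnmatch.fnmatch(host, rule.host) and fnmatch.fnmatch(issuer, rule.issuer):
            return rule
    return Rule("inspect", reason="default")


class Flow:
    """One client-server connection as the appliance sees it."""

    def __init__(self, host: str):
        self.host = host
        self.mitm = True               # still inserted in the handshake
        self.decrypted_records = 0

    def on_server_certificate(self, server_cert: dict) -> Rule:
        rule = decide_on_server_cert(self.host, server_cert)
        if rule.action == "bypass":
            # Abandon: nothing has been sent to the client under our certificate yet,
            # so we simply stop rewriting and relay the real server's bytes from here on.
            self.mitm = False
        return rule

    def on_record(self, encrypted_record: bytes) -> str:
        if not self.mitm:
            return "forwarded"         # no decryption, no CPU or memory spent
        self.decrypted_records += 1    # decrypt + inspect would happen here
        return "inspected"
```

Evaluation order matters: a host-only bypass rule placed before an issuer rule is honoured at request time, whereas an issuer rule can only fire after the server's certificate is seen, which is exactly the point in the handshake where the appliance can still withdraw transparently.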
20160142440 | Method and Apparatus for Decryption of Encrypted SSL Data from Packet Traces - A system decrypts encrypted Secure Sockets Layer (SSL) data from packet traces without using private keys or a proxy. Decryption of the encrypted SSL data is accomplished by intercepting a session key associated with a communication session, transmitted from a user device to a server during handshaking between the user device and the server. The session key is then used to decrypt packet-level traces of the communication session. The decrypted packet-level traces are then used to measure traffic. | 05-19-2016 |
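Matching captured handshake bytes to intercepted session keys, as an added example that is not the patent's own method: a session key exported by the client (here in the NSS key log format that browsers write when SSLKEYLOGFILE is set) is keyed by the 32-byte client random, and the same value is in the clear in the ClientHello of the packet trace, so parsing that record is enough to pair a trace with its secrets. The key log contents and the ClientHello bytes are constructed for the example; the subsequent key-block derivation and record decryption are not shown.

```python
import struct

# Constructed key log (NSS format): "<label> <client_random hex> <secret hex>".
KEYLOG = "\n".join([
    "# SSL/TLS secrets log file, generated by NSS (constructed example)",
    "CLIENT_RANDOM " + "ab" * 32 + " " + "cd" * 48,                   # TLS 1.2 master secret
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "11" * 32 + " " + "22" * 32,  # TLS 1.3 secrets
    "SERVER_HANDSHAKE_TRAFFIC_SECRET " + "11" * 32 + " " + "33" * 32,
    "CLIENT_TRAFFIC_SECRET_0 " + "11" * 32 + " " + "44" * 32,
    "SERVER_TRAFFIC_SECRET_0 " + "11" * 32 + " " + "55" * 32,
])


def parse_keylog(text: str) -> dict:
    """Map (label, client_random) -> secret for every non-comment line."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        label, rand_hex, secret_hex = line.split()
        table[(label, bytes.fromhex(rand_hex))] = bytes.fromhex(secret_hex)
    return table


def make_client_hello(client_random: bytes, session_id: bytes = b"") -> bytes:
    """Build a minimal ClientHello record (one cipher suite, no extensions) as trace input."""
    body = (b"\x03\x03" + client_random + bytes([len(session_id)]) + session_id
            + b"\x00\x02\xc0\x2f"      # cipher_suites: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
            + b"\x01\x00"              # compression_methods: null
            + b"\x00\x00")             # extensions: none
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


def parse_client_hello(record: bytes):
    """Return (client_random, session_id) from a TLS record carrying a ClientHello."""
    if len(record) < 5:
        raise ValueError("short record")
    ctype, _version, rlen = struct.unpack("!BHH", record[:5])
    if ctype != 0x16:
        raise ValueError("not a handshake record")
    body = record[5:5 + rlen]
    if len(body) != rlen or len(body) < 4:
        raise ValueError("truncated record")
    if body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hlen = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hlen]
    if len(hello) < 35:
        raise ValueError("truncated ClientHello")
    client_random = hello[2:34]            # 2 bytes legacy version, then 32 bytes random
    sid_len = hello[34]
    session_id = hello[35:35 + sid_len]
    if len(session_id) != sid_len:
        raise ValueError("truncated session id")
    return client_random, session_id


def secrets_for_record(record: bytes, table: dict) -> dict:
    """All logged secrets (by label) belonging to the session this ClientHello started."""
    client_random, _sid = parse_client_hello(record)
    return {label: secret for (label, rnd), secret in table.items() if rnd == client_random}
```

With the master secret (TLS 1.2) or the traffic secrets (TLS 1.3) in hand, a trace tool expands them into record keys with the PRF or HKDF and decrypts each application-data record; because the secrets come from the client rather than the server's private key, the approach also works for forward-secret cipher suites, which is the reason key-log capture replaced private-key decryption in most trace analysis.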
20160182232 | TLS PROTOCOL EXTENSION | 06-23-2016 |
20160380999 | User Identifier Based Device, Identity and Activity Management System - The present disclosure generally relates to user and device Authentication. More specifically, the present disclosure relates to a technique of single sign-on (SSO) authentication. An apparatus embodiment of a single sign-on (SSO) authentication system comprises a service provider node configured to provide access to at least one service over a network; an identity authenticator accessible over the network; a user terminal including an authentication component configured to build a secure association with the identity authenticator; and a user agent configured to access the service provider node to request a service of the provided at least one service. The service provider node is further configured to request a user identifier from a user and to request the identity authenticator for verification of a given user identifier. The identity authenticator is further configured to connect to the authentication component of the user terminal to verify the user identifier and to provide the service provider node with verification information indicating the verification of the given user identifier. A corresponding identity authenticator, user terminal and method are also provided. | 12-29-2016 |
20180025170 | FILE TRANSFER USING AN IN-BROWSER STAGING DATABASE | 01-25-2018 |
20180027412 | SYSTEM AND METHOD FOR WIRELESS COMMUNICATION OF GLUCOSE DATA | 01-25-2018 |
20190149576 | METHOD AND SYSTEM FOR AUTHENTICATING APPLICATION PROGRAM INTERFACE (API) INVOKERS | 05-16-2019 |