| Patent application number | Description | Published |
|---|---|---|
20100107240 | NETWORK LOCATION DETERMINATION FOR DIRECT ACCESS NETWORKS - A client computer that supports different behaviors when connected to a private network behind a network firewall than when outside the network firewall and connected indirectly through an access device. The client computer is configured to attempt communication with a device on the network. Based on the response, the client computer can determine that it is behind the network firewall, and therefore can operate with less restrictive security or settings for other parameters appropriate for when the client is directly connected to the network. Alternatively, the client computer may determine that it is indirectly connected to the network through the Internet or other outside network, and therefore, because it is outside the private network firewall, should operate with more restrictive security or settings of other parameters more appropriate for use in that network location. The described approach operates even if the remote client computer has a direct connection to the network that enables it to authenticate with a domain controller. | 04-29-2010 |
20120185929 | INCORPORATING NETWORK CONNECTION SECURITY LEVELS INTO FIREWALL RULES - Embodiments of the present invention are directed to establishing and/or implementing firewall rules that may employ parameters based on connection security levels for a connection between devices. A firewall may thus provide greater granularity of security and integrate more closely with other security methods to provide better overall security with fewer conflicts. | 07-19-2012 |
20130061309 | Per Process Networking Capabilities - Per process networking capability techniques are described. In one or more implementations, a determination is made as to whether access to a network capability is permitted for a process that is executed on the computing device based on a token that is associated with the process. The token has one or more security identifiers that reference one or more network capabilities described in a manifest. The access to the network capability is managed based on the determination. | 03-07-2013 |
20130067072 | MONITORING REMOTE ACCESS TO AN ENTERPRISE NETWORK - Techniques to provide an improved representation of remote network access for a network administrator managing and controlling access to resources on an enterprise network. The representation indicates resources accessed by a remote computer or by a user of that computer and provides associated information useful for managing remote network access. To create the representation, multiple security associations formed between a remote client computer and resources on the enterprise network are associated with entity sessions, based on identical session identifiers generated for each security association within an entity session. The entity sessions may be aggregated into a DirectAccess “connection” between the remote client computer and the enterprise network, based on an identity of the remote client computer. Resources accessed over the connection may be identified using a session identifier of each entity session so that security associations in that entity session may be matched with the resources. | 03-14-2013 |
20130152186 | FILTERING KERNEL-MODE NETWORK COMMUNICATIONS - Some embodiments of the invention are directed to techniques for determining whether a process on a computer system that is sending or receiving data, or is attempting to send or receive data, with another computer system is executing in kernel mode or user mode and providing an indicator of this determination to a security engine. In some embodiments, such an indication is provided to a security engine (e.g., a firewall) that implements a security policy based at least in part on whether the sending or receiving process is in kernel mode or user mode, and filters communications based on a process's operating mode. This enables a security engine to maintain security policies of greater specificity and thus improve the security of a computer system. | 06-13-2013 |
20140325066 | Monitoring Remote Access to an Enterprise Network - Techniques to provide an improved representation of remote network access for a network administrator managing and controlling access to resources on an enterprise network. The representation indicates resources accessed by a remote computer or by a user of that computer and provides associated information useful for managing remote network access. To create the representation, multiple security associations formed between a remote client computer and resources on the enterprise network are associated with entity sessions, based on identical session identifiers generated for each security association within an entity session. The entity sessions may be aggregated into a DirectAccess “connection” between the remote client computer and the enterprise network, based on an identity of the remote client computer. Resources accessed over the connection may be identified using a session identifier of each entity session so that security associations in that entity session may be matched with the resources. | 10-30-2014 |
20140359159 | FACILITATING UTILIZATION OF DATAGRAM-BASED PROTOCOLS - Methods, systems, and computer-storage media for performing a method of facilitating utilization of datagram-based protocols are provided. In embodiments, the method includes initiating a connection with a datagram socket to establish a pathway using a datagram-based protocol. Thereafter, the datagram-based protocol can be used to communicate data to a virtual private network server. Upon recognizing that a virtual private network interface has been idle for a predetermined period of time, a connection with a connection socket is initiated to establish a pathway using a connection-based protocol. | 12-04-2014 |
20150058628 | FILTERING KERNEL-MODE NETWORK COMMUNICATIONS - Some embodiments of the invention are directed to techniques for determining whether a process on a computer system that is sending or receiving data, or is attempting to send or receive data, with another computer system is executing in kernel mode or user mode and providing an indicator of this determination to a security engine. In some embodiments, such an indication is provided to a security engine (e.g., a firewall) that implements a security policy based at least in part on whether the sending or receiving process is in kernel mode or user mode, and filters communications based on a process's operating mode. This enables a security engine to maintain security policies of greater specificity and thus improve the security of a computer system. | 02-26-2015 |
| Patent application number | Description | Published |
|---|---|---|
20090041251 | Method and Device for Agreeing Shared Key Between First Communication Device and Second Communication Device - Based on security parameters previously agreed upon by first and second communication devices, a first security value is determined by the second communication device and transmitted to the first communication device. The first communication device determines second and third security values based on the security parameters and the first security value and transmits the second and third security values to the second communication device. The second communication device determines a fourth security value based on the security parameters and, if the second security value matches the fourth security value, authenticates the first communication device. Upon successful authentication of the first communication device, a shared key is determined by both communication devices based on the third security value and the security parameters. | 02-12-2009 |
20090070862 | Method and System for Enabling a First Party to Provide a Second Party With Personalized Digital Content - A method for enabling a first party to provide a second party with personalized digital content includes, at a network unit: in response to receiving a request from a first party, the request including an identifier identifying a second party, retrieving identity credentials of the second party; and transmitting the identity credentials of the second party to the first party or to a content providing system; and, in a content providing system: in response to receiving a) an identifier from the first party, the identifier identifying digital content in a digital content storage, and b) the identity credentials of the second party, personalizing the digital content using the identity credentials, the personalizing adapted to enable the second party to reproduce the digital content but to prevent any unauthorized party from reproducing it; and delivering the personalized digital content to the first party. | 03-12-2009 |
20090249070 | Method for Managing User Rights to Electronic Data Objects by a Person Who Acquires Rights - Digital rights management systems are technically constructed for protecting and carrying out the wishes of a copyright holder such that the digital content is connected in a cryptographic and unique manner to a particular device and/or data carrier. Use of the digital content on other devices of the person who acquires rights is only possible after prior registration with the copyright holder. The person who acquires rights is enabled to manage the acquired rights on the electronic data object themselves, without requiring the intervention of a central copyright holder. This is accomplished by the person who acquires the rights creating partial sets of the user rights, each having individual user rights. The digital content can be used, respectively, within the scope of the created partial sets of individual user rights. | 10-01-2009 |
20100122086 | METHOD FOR COMBINING DATA TO BE PROCESSED WITH A DATA-SPECIFIC APPARATUS, AND APPARATUS AND COMPUTER PROGRAM FOR IMPLEMENTING THE METHOD - The invention discloses a method and a system for combining data with an apparatus which is provided for processing the data, with the following steps: (a) determining an identifier associated with the apparatus; (b) generating a first key by using the identifier and a second secret key, which is independent of the identifier; (c) generating a decryption algorithm to be used for the second key and providing the decryption algorithm to the apparatus; (d) encrypting a rights object, which allows access to the data, using the first key and the second secret key; (e) transmitting the data and the rights object to the apparatus; (f) decrypting the rights object with the apparatus by using the identifier associated with the apparatus and the decryption algorithm associated with the apparatus; and (g) decrypting the data using a key selected by a rights owner and included in the decrypted rights object. | 05-13-2010 |
20100122352 | Method for Operating an Installation Using Data Protected Against Unauthorized Use - A method and a device for operating a technical installation using data from a third party are provided, the data being protected against unauthorized use. A first and a second rights object are used for protecting the data, the first rights object specifying an authorized use of the data with a variable not defined in respect of its value and the second rights object defining a value for the variable. | 05-13-2010 |
20100146598 | Method, System and Apparatus for Processing Rights - A method for processing rights granted to an operator of a device or a group of devices using a rights object, wherein the method comprises at least the steps of receiving a rights object from the computer of a third party, generating at least one derived rights object based on the rights object received from the computer of the third party, and forwarding the at least one derived rights object to the device or individual devices from the group of devices. A system is provided which operates in accordance with the method. An apparatus that performs the method is also provided. | 06-10-2010 |
20100161999 | Scalable RFID systems: a privacy preserving protocol with constant-time identification - A protocol with constant-time complexity solves the problem of private identification of tags in low-cost, large-scale radio frequency identification (RFID) systems, assuming that an adversary has complete control over the communication channel. Each RFID tag has an internal counter, c, and is preloaded with a unique pseudonym, ψ, and a secret key, k. An RFID reader attempting to identify and authenticate a tag within its range generates and transmits a random nonce to the RFID tag, which returns a first hash of its current pseudonym and counter, and a second hash that is a function of the secret key. The reader uses the returned data to identify the RFID tag and its secret key by reference to a database and returns other hash values that authenticate the reader to the RFID tag. The most expensive operation that RFID tags are required to perform is a hash function. | 06-24-2010 |
20110161234 | ORDERING SCHEME - An ordering scheme is described, for example an ordering and payment scheme for mobile communication devices. The ordering scheme enables an Internet shop or another service provider to issue binding offers to a mobile communication device or the like and to receive an acceptance of the offer from the mobile device. The acceptance is encrypted using a private key of the mobile device, and the offer may be encrypted using a private key of the service provider. The service provider liaises with a payment broker and a charging system for controlling the transfer of funds from the user to the service provider. An identity management system may be provided to control access to the modules of the ordering scheme. | 06-30-2011 |
20130207780 | SCALABLE RFID SYSTEMS: A PRIVACY-PRESERVING PROTOCOL WITH CONSTANT-TIME IDENTIFICATION - A protocol with constant-time complexity solves the problem of private identification of tags in low-cost, large-scale radio frequency identification (RFID) systems, assuming that an adversary has complete control over the communication channel. Each RFID tag has an internal counter, c, and is preloaded with a unique pseudonym, ψ, and a secret key, k. An RFID reader attempting to identify and authenticate a tag within its range generates and transmits a random nonce to the RFID tag, which returns a first hash of its current pseudonym and counter, and a second hash that is a function of the secret key. The reader uses the returned data to identify the RFID tag and its secret key by reference to a database and returns other hash values that authenticate the reader to the RFID tag. The most expensive operation that RFID tags are required to perform is a hash function. | 08-15-2013 |
| Patent application number | Description | Published |
|---|---|---|
20100278521 | Fourier telescopic imaging system and method - A system and method for imaging faraway, fast-moving objects such as satellites in low earth orbit. The object to be imaged is illuminated simultaneously with a composite beam comprised of a large number of separate laser beams from a large number of laser sources, each from a separate position, with each of the separate laser beams shifted in frequency with respect to each other beam so as to produce a large number of beat frequencies in the composite beam. The positions of the laser sources are changed rapidly during an illumination period of a few seconds. Light reflected from the object is collected in a large number of light buckets, and information defining the intensity of the collected reflected light as a function of time is stored. The positions and frequencies of each of the laser sources are also recorded and stored as a function of time. The stored information defining the intensity of the collected reflected light is analyzed by one or more computer processors utilizing special algorithms to produce an image of the object. | 11-04-2010 |
20120044320 | High resolution 3-D holographic camera - A high resolution 3-D holographic camera. A reference spot on a target is illuminated by three spatially separated beamlets (simultaneously produced from a single laser beam), producing a lateral shear of a wavefront on the target. The camera measures the resulting reflected speckle intensity patterns, which are related to the gradient of the interfered complex fields. At the same time, a flood beam illuminates the entire target, and the reflected speckle is also recorded by the same camera to provide the necessary object spatial frequencies. The illumination patterns are sequenced in time, stepping through offset phase shifts to provide the data necessary to reconstruct an image of the target from the recorded reflected light. The reference spot phase and amplitude are then reconstructed, and the reference spot's complex field is then digitally interfered with the flood-illuminated speckle field by use of a special algorithm. In order to obtain a high resolution 3-D image of the target, a second measurement is acquired with the laser beam slightly shifted in frequency to a second color. | 02-23-2012 |
20120105822 | Super resolution telescope - A super-resolution telescope. A target is illuminated with at least three laser beams, each beam having a slightly different frequency so as to produce an illumination pattern comprised of several sets of straight interference fringes which sweep across the target. The frequencies of the illumination beams are chosen so that each pair of beams has a unique beat frequency, and the corresponding fringe pattern for each pair sweeps over the target at a unique speed. By collecting a series of images and demodulating them at the various beat frequencies, the downshifted spatial frequencies can be identified, correctly up-shifted, and fitted together with a set of special Fourier transform based algorithms to reconstruct high-resolution images. Applicants have performed laboratory experiments showing that this invention can provide resolution substantially better than diffraction-limited resolution. | 05-03-2012 |