Patents Examined by Andrew Nalven
  • Patent number: 9449197
    Abstract: A mobile device operating system pools any available entropy. The resulting entropy pool is stored in device memory. When storing entropy in memory, preferably memory addresses are randomly allocated to prevent an attacker from capturing entropy that might have already been used to create a random number. The stored entropy pool provides a readily-available entropy source for any entropy required by the operating system or device applications. Then, when a cryptographic application requests a true random number, the operating system checks to determine whether the pool has available entropy and, if so, a portion of the entropy is provided to enable generation (e.g., by a TRNG) of a true random number that, in turn, may then be used for some cryptographic operation. After providing the entropy, the operating system clears the address locations that were used to provide it so that another entity cannot re-use the entropy.
    Type: Grant
    Filed: June 13, 2013
    Date of Patent: September 20, 2016
    Assignee: GLOBAL FOUNDRIES INC.
    Inventors: Matthew John Green, Leigh Stuart McLean, Peter Theodore Waltenberg
  • Patent number: 9448950
    Abstract: Systems and methods for secure delivery of output surface bitmaps to a display engine. An example processing system comprises: an architecturally protected memory; and a plurality of processing devices communicatively coupled to the architecturally protected memory, each processing device comprising a first processing logic to implement an architecturally-protected execution environment by performing at least one of: executing instructions residing in the architecturally protected memory, or preventing an unauthorized access to the architecturally protected memory; wherein each processing device further comprises a second processing logic to establish a secure communication channel with a second processing device of the processing system, employ the secure communication channel to synchronize a platform identity key representing the processing system, and transmit a platform manifest comprising the platform identity key to a certification system.
    Type: Grant
    Filed: December 24, 2013
    Date of Patent: September 20, 2016
    Assignee: Intel Corporation
    Inventors: Vincent R. Scarlata, Simon P. Johnson, Vladimir Beker, Jesse Walker, Carlos V. Rozas, Amy L. Santoni, Ittai Anati, Raghunandan Makaram, Francis X. McKeen, Uday R. Savagaonkar
  • Patent number: 9449066
    Abstract: A Social Network Service (SNS) account management server transmits, when phone number change schedule information is received from a user terminal, a phone number change schedule message to user terminals respectively corresponding to friend accounts included in a friend list of the corresponding account; confirms, when authentication of the new SNS account is requested from the user terminal, whether or not the account is an account of the changed phone number for the new authentication request based on the previously transmitted phone number change schedule information; transmits, if the account is of the changed phone number, a phone number change notification message to user terminals corresponding to friend accounts included in a friend list of the account of the changed phone number; and updates the changed phone number of the user terminal in a database of each friend account.
    Type: Grant
    Filed: July 12, 2013
    Date of Patent: September 20, 2016
    Assignee: SK PLANET CO., LTD.
    Inventor: Sang Yool Lee
  • Patent number: 9450949
    Abstract: A method for access control to a computer with a mobile end device relies on using contactless interfaces. An authentication to the computer is carried out with the mobile end device and upon a successful authentication the access to the computer is granted or maintained. For preparing the authentication, a certificate is loaded into the mobile end device from a portable data carrier separate from the mobile end device. For authentication, authentication data comprising the certificate or obtained from the certificate are provided to the computer from the mobile end device via the contactless interfaces.
    Type: Grant
    Filed: February 26, 2013
    Date of Patent: September 20, 2016
    Assignee: GIESECKE & DEVRIENT GMBH
    Inventors: Helmut Scherzer, Klaus Finkenzeller
  • Patent number: 9444801
    Abstract: An example technique is provided for authenticating a first communication session. The technique includes receiving an indication that a first network device has established a first communication session with a user-side device. A second network device authenticates the first communication session by establishing a second communication session via session initiation protocol (SIP) or voice over Internet protocol (VoIP) communication with the user-side device before the user-side device directs a user password to the first network device in the first communication session. Also, private identification information of the user is retrieved from a database and sent to the user-side device in the second communication session. The user-side device compares the private identification information received in the second communication session to locally stored private identification information to determine whether the received private identification information matches.
    Type: Grant
    Filed: October 13, 2011
    Date of Patent: September 13, 2016
    Assignee: Alcatel Lucent
    Inventors: Yutang Luo, Yaoxian Zhang, Margi Rinaldo
  • Patent number: 9444621
    Abstract: In a network to which a plurality of electronic devices and a server are connected, an electronic key system controls locking and unlocking of ID information output of each electronic device. Each electronic device includes a switching device that locks or unlocks output of ID information of each electronic device. The server includes an availability changing unit and a management unit. The availability changing unit unlocks only one of the plurality of electronic devices and locks the other electronic devices. The management unit updates a state at which the locking of ID information output and the unlocking of ID information output are swapped between a pair of the electronic devices.
    Type: Grant
    Filed: October 16, 2014
    Date of Patent: September 13, 2016
    Assignee: Murata Manufacturing Co., Ltd.
    Inventors: Makoto Fujita, Yasuhiro Tamatani
  • Patent number: 9444848
    Abstract: Providing access to one or more resources to a user device. A method includes at a user device, registering with an identity service to obtain an identity credential. The method further includes at the user device, registering with a policy management service by presenting the identity credential. The method further includes at the user device, providing an indication of current state of the user device to the policy management service. The policy management service can then indicate to the identity service the compliance level of the user device. The method further includes the user device receiving a token from the identity service based on the policy management level of the user device as compared to a policy set.
    Type: Grant
    Filed: September 19, 2014
    Date of Patent: September 13, 2016
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Christopher Samuel Green, Farhan Haleem Qureshi, Sucharit SenGupta, Nirmal Rajesh Soy, Michael J. Healy
  • Patent number: 9438427
    Abstract: A method and system for providing a plurality of tamperproof digital certificates for a plurality of public keys of a device by a certification authority wherein a respective signing request for requesting a digital certificate is initially created for each of a plurality of public keys, where the signing request for the ith public key is signed using the jth private key in accordance with a signing rule, the jth private key being dissimilar to the ith private key belonging to the ith public key, and wherein all signing requests are transmitted to the same certification authority in each case, and each signing request is verified in the certification authority, in which case a check is performed to determine whether the ith signing request has been signed using the jth private key in accordance with the signing rule.
    Type: Grant
    Filed: October 16, 2014
    Date of Patent: September 6, 2016
    Assignee: Siemens Aktiengesellschaft
    Inventor: Jens-Uwe Busser
  • Patent number: 9438702
    Abstract: Techniques for protecting against denial of service attacks are provided. In one embodiment, a network device can extract one or more values from a Transmission Control Protocol (TCP) ACK packet sent by a client device, where the one or more values encode TCP option information. The network device can further decode the one or more values to determine the TCP option information and embed the TCP option information into the TCP ACK packet. The network device can then forward the TCP ACK packet with the embedded TCP option information to a server.
    Type: Grant
    Filed: April 6, 2015
    Date of Patent: September 6, 2016
    Assignee: Brocade Communications Systems, Inc.
    Inventor: Mani Kancherla
  • Patent number: 9438422
    Abstract: In an embodiment, an apparatus includes a first logic to receive from a first node a synchronization portion of a message and to generate a set of state information using the synchronization portion, to synchronize the apparatus with the first node. The apparatus may further include a second logic to decrypt a data portion of the message using the set of state information to obtain a decrypted message. Other embodiments are described and claimed.
    Type: Grant
    Filed: June 26, 2014
    Date of Patent: September 6, 2016
    Assignee: Intel Corporation
    Inventors: David Gomez Gutierrez, Rafael De La Guardia Gonzalez
  • Patent number: 9432405
    Abstract: A set of compliance policy updates are received. The compliance policy updates are sent to workloads for application. A status of the application of the compliance policies to the workloads is received from the workloads and output.
    Type: Grant
    Filed: July 10, 2014
    Date of Patent: August 30, 2016
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Hao Zhang, Krishna Kumar Parthasarathy, Lucy Chao, Mashuri Libman, Anatoly Koretsky, Liphi Gao, Yongjun Xie, David Alexander Blyth
  • Patent number: 9419790
    Abstract: Information leaked from smart cards and other tamper resistant cryptographic devices can be statistically analyzed to determine keys or other secret data. A data collection and analysis system is configured with an analog-to-digital converter connected to measure the device's consumption of electrical power, or some other property of the target device, that varies during the device's processing. As the target device performs cryptographic operations, data from the A/D converter are recorded for each cryptographic operation. The stored data are then processed using statistical analysis, yielding the entire key, or partial information about the key that can be used to accelerate a brute force search or other attack.
    Type: Grant
    Filed: November 3, 2014
    Date of Patent: August 16, 2016
    Assignee: Cryptography Research, Inc.
    Inventors: Paul C. Kocher, Joshua M. Jaffe, Benjamin C. Jun
  • Patent number: 9411600
    Abstract: Instructions and logic provide memory key protection functionality. Embodiments include a processor having a register to store a memory protection field. A decoder decodes an instruction having an addressing form field for a memory operand to specify one or more memory addresses, and a memory protection key. One or more execution units, responsive to the memory protection field having a first value and to the addressing form field of the decoded instruction having a second value, enforce memory protection according to said first value of the memory protection field, using the specified memory protection key, for accessing the one or more memory addresses, and fault if a portion of the memory protection key specified by the decoded instruction does not match a stored key value associated with the one or more memory addresses.
    Type: Grant
    Filed: December 8, 2013
    Date of Patent: August 9, 2016
    Assignee: Intel Corporation
    Inventors: H. Peter Anvin, Martin G. Dixon
  • Patent number: 9413535
    Abstract: A storage device contains a smart-card device and a memory device, which is connected to a controller. The storage device may be used in the same manner as a conventional smart-card device, or it may be used to store a relatively large amount of data. The memory device may also be used to store data or instructions for use by the smart-card device. The controller includes a security engine that uses critical security parameters stored in, and received from, the smart-card device. The critical security parameters may be sent to the controller in a manner that protects them from being discovered. The critical security parameters may be encryption and/or decryption keys that may encrypt data written to the memory device and/or decrypt data read from the memory device, respectively. Data and instructions used by the smart-card device may therefore be stored in the memory device in encrypted form.
    Type: Grant
    Filed: January 5, 2015
    Date of Patent: August 9, 2016
    Assignee: Micron Technology, Inc.
    Inventors: Mehdi Asnaashari, Ruchirkumar D. Shah, Sylvain Prevost, Ksheerabdhi Krishna
  • Patent number: 9413746
    Abstract: Embodiments of the present invention address deficiencies of the art in respect to applying application security to an extension point oriented application framework, and provide a novel and non-obvious method, system and computer program product for log-in module deployment and configuration in an extension point oriented application. In this regard, a method for log-in module deployment and configuration in an extension point oriented application can include installing a proxy to a login controller plug-in for the extension point oriented application, and proxying login module directives from an external security service to the login controller plug-in for the extension point oriented application.
    Type: Grant
    Filed: March 23, 2015
    Date of Patent: August 9, 2016
    Assignee: International Business Machines Corporation
    Inventors: Matthew W. Flaherty, Jay S. Rosenthal
  • Patent number: 9407647
    Abstract: A detection engine may be implemented by receiving network traffic and processing the traffic into one or more session datasets. Sessions not initiated by an internal host may be discarded. The frequency between the communication packets from the internal host to external host may be grouped or processed into rapid-exchange instances. The number of rapid-exchange instances, the time intervals between them, and/or the rhythm and directions of the initiation of the instances may be analyzed to determine that a human actor is manually controlling the external host. In some embodiments, when it is determined that only one human actor is involved, alarm data may be generated that indicates that a network intrusion involving manual remote control has occurred or is underway.
    Type: Grant
    Filed: March 10, 2015
    Date of Patent: August 2, 2016
    Assignee: Vectra Networks, Inc.
    Inventors: Nicolas Beauchesne, Ryan James Prenger
  • Patent number: 9407637
    Abstract: The invention relates to a method and system for managing and checking different identity data relating to a person. According to the invention, a derived-identity management server generates for the person at least part of the identity data with which said person can be authenticated in relation to a service provider for the derived-identity domain, on the basis of information derived from identity data from parent domains. The identity data generation processing ensures that no link can be established from two authentications in two separate domains in the absence of link information. If necessary, said link information is transmitted by a parent domain to a derived-identity server so that the latter establishes the link between the identity data of the derived-identity domain and the identity data of the parent domain, e.g. for the cascade revocation of a person from various domains.
    Type: Grant
    Filed: August 2, 2012
    Date of Patent: August 2, 2016
    Assignee: MORPHO
    Inventors: Alain Patey, Herve Chabanne, Julien Bringer
  • Patent number: 9407615
    Abstract: A user may utilize a set of credentials to access, through a managed directory service, one or more services provided by a computing resource service provider. The managed directory service may be configured to identify one or more policies applicable to the user. These policies may define the level of access to the one or more services provided by the computing resource service provider. Based at least in part on these policies, the managed directory service may transmit a request to an identity management system to obtain a set of temporary credentials that may be used to enable the user to access the one or more services. Accordingly, the managed directory service may be configured to enable the user, based at least in part on the policies and the set of temporary credentials, to access an interface, which can be used to access the one or more services.
    Type: Grant
    Filed: December 5, 2013
    Date of Patent: August 2, 2016
    Assignee: Amazon Technologies, Inc.
    Inventors: Shon Kiran Shah, Gaurang Pankaj Mehta, Venakta N. S. S. Harsha Koonaparaju, Thomas Christopher Rizzo, Guruprakash Bangalore Rao
  • Patent number: 9397985
    Abstract: A system and method configured for providing a cryptographic platform for exchanging information. One or more information transactions including encrypted information may be generated and/or provided to a distributed ledger. The one or more information transactions may include information intended for one or more parties. Information transactions intended for one or more parties may be identified. An information transaction may include one or more of a transaction identifier associated with one or more parties, an information payload, and/or other information. The information payload may include encrypted information. The encrypted information may be encrypted with one or more public keys associated with one or more parties. One or more information transactions may be retrieved from the distributed ledger. The encrypted information may be decrypted with one or more private keys that correspond to the public keys. Presentation of the encrypted information to one or more parties may be facilitated.
    Type: Grant
    Filed: April 14, 2015
    Date of Patent: July 19, 2016
    Assignee: MANIFOLD TECHNOLOGY, INC.
    Inventors: Robert A. Seger, II, Christopher T. Finan
  • Patent number: 9396312
    Abstract: A syndication system facilitates rights management services between media content owners and media hosting services that elect to participate in the syndication system and mutually elect to participate with each other. The syndication system utilizes a content recognition system to identify hosted media content and ownership rights associated with the hosted content. By applying melody recognition, the content recognition system can identify compositions embodied in hosted media content even when these compositions do not precisely match any known sound recording. Thus, the content recognition system is beneficially able to detect, for example, recorded cover performances and recorded live performances embodied in hosted media content. Once identified, ownership information is determined and the syndication system can facilitate rights management policies associated with the content such as monetizing or blocking the protected content.
    Type: Grant
    Filed: July 24, 2015
    Date of Patent: July 19, 2016
    Assignee: Google Inc.
    Inventors: David G. King, Kyle Harrison