Patents Examined by Andrew Nalven
  • Patent number: 9369446
    Abstract: A method for communication includes receiving in a secure installation via a network from a remote user terminal an input comprising a stream of symbols that has been encrypted using a preselected encryption key. The encrypted stream of symbols is decoded in the secure installation using a decryption key corresponding to the preselected encryption key, to produce a clear stream of symbols. A computer program running on a processor in the secure installation is used in processing the symbols in the clear stream and generating a graphical output in a predefined display format in response to processing the symbols. The graphical output is outputted from the secure installation to the network in an unencrypted format for display on the remote user terminal.
    Type: Grant
    Filed: July 30, 2015
    Date of Patent: June 14, 2016
    Assignee: WATERFALL SECURITY SOLUTIONS LTD.
    Inventors: Lior Frenkel, Andrew Ginter
  • Patent number: 9369290
    Abstract: Challenge-response authentication protocols are disclosed herein, including systems and methods for a first device to authenticate a second device. In one embodiment, the following operations are performed by the first device: (a) sending to the second device: (i) a challenge value corresponding to an expected response value known by the first device, and (ii) a hiding value; (b) receiving from the second device a masked response value; (c) obtaining an expected masked response value from the expected response value and the hiding value; and (d) determining whether the expected masked response value matches the masked response value received from the second device. The operations from the perspective of the second device are also disclosed, which in some embodiments include computing the masked response value using the challenge value, the hiding value, and secret information known to the second device.
    Type: Grant
    Filed: November 30, 2012
    Date of Patent: June 14, 2016
    Assignee: Certicom Corp.
    Inventor: Robert John Lambert
  • Patent number: 9361457
    Abstract: Disclosed are various embodiments for identifying a table of non-decoy data matching a set of criteria. Decoy data is inserted into the table of non-decoy data. The decoy data is detected in a result comprising the decoy data, the result generated in response to an access of the data store. An alarm is generated based at least upon the result.
    Type: Grant
    Filed: February 6, 2015
    Date of Patent: June 7, 2016
    Assignee: Amazon Technologies, Inc.
    Inventors: Harsha Ramalingam, Timothy Mark Edward Bollefer, Dominique I. Brezinkski, Jesper M. Johansson, James C. Petts
  • Patent number: 9363087
    Abstract: A verified software system may be executable on secure hardware. Prior to being executed, the software system may be verified as conforming to a software specification. First credentials attesting to an identity of the software system may be sent to an external application. Second credentials signed by a provider of the secure hardware may be sent to the external application. The second credentials may attest to an identity of the secure hardware. The external application may securely exchange one or more messages with a software application of the software system. For example, the one or more messages may be decryptable only by the external application and the software application to provide confidentiality for each message. As another example, an attestation may vouch for an identity of a sender of each of the one or more messages to attest to an integrity of each message.
    Type: Grant
    Filed: October 2, 2014
    Date of Patent: June 7, 2016
    Assignee: Microsoft Technology Licensing, Inc.
    Inventors: Chris Hawblitzel, Bryan Parno, Jacob R. Lorch, Jonathan R. Howell, Brian D. Zill
  • Patent number: 9363264
    Abstract: A computer apparatus is remotely initiated. Confirmation of a detected and authenticated presence of a user is detected and confirmed remote from the computer apparatus. A dedicated resource that will be implemented using the computer apparatus is logged in in a protected workstate that prevents access to the computer apparatus until a local presence of the user is detected and authenticated. The workstate of the computer apparatus is unprotected upon confirmation of the local presence of the user. Access to the user is allowed upon unprotecting the workstate of the computer apparatus.
    Type: Grant
    Filed: November 25, 2013
    Date of Patent: June 7, 2016
    Assignee: AT&T INTELLECTUAL PROPERTY I, L.P.
    Inventors: Brian M. Novack, Stephanie Andrews, Aditya Arora, Emlyn C. Jeffrey, Gary Smith
  • Patent number: 9361438
    Abstract: A method and system for accepting user inputs over a network. The user is provided with an input widget on a client system to collect and send an input and user identity information to a server system, without the requirement to authenticate the user identity on the client system upfront. The server stores the user input and the user identity information, and associates the user input information with the user identity information. The server system sends to the user identity URL a message comprising the user input information and an indication of action such as a link that the user is to perform to confirm the authenticity of the input. In response to the indicated action being performed, the server system processes the user input as authenticated input.
    Type: Grant
    Filed: August 22, 2013
    Date of Patent: June 7, 2016
    Inventor: Xiaoqiang Su
  • Patent number: 9356779
    Abstract: A method and system for encrypting a first piece of information M to be sent by a sender [100] to a receiver [110] allows both sender and receiver to compute a secret message key using identity-based information and a bilinear map. The sender uses a bilinear map to encrypt a message M, producing ciphertext V to be sent from the sender [100] to the receiver [110]. The receiver [110] uses the bilinear map to decrypt V and recover the original message M. According to one embodiment, the bilinear map is based on a Weil pairing or a Tate pairing defined on a subgroup of an elliptic curve. Also described are several applications of the techniques, including key revocation, credential management, and return receipt notification.
    Type: Grant
    Filed: February 8, 2012
    Date of Patent: May 31, 2016
    Assignees: The Board of Trustees of the Leland Stanford Junior University, The Regents of the University of California
    Inventors: Dan Boneh, Matthew Franklin
  • Patent number: 9355237
    Abstract: A method includes receiving at a processor, an indication of a user touching a point on a data entry device, receiving at the processor, an indication of a user gazing in a direction, and comparing via the processor the touched point and the gazing direction to a known touch point and gaze direction to verify the user is an authorized user.
    Type: Grant
    Filed: September 24, 2014
    Date of Patent: May 31, 2016
    Assignee: Lenovo (Singapore) Pte. Ltd.
    Inventors: Nathan J. Peterson, Rod D Waltermann, John Carl Mese, Arnold S. Weksler, Russell Speight VanBlon
  • Patent number: 9354853
    Abstract: Installer code is received from a network attached storage (NAS) system at a client device. The installer code executing at the client device performs a selected subset of administrative tasks at the client device, where the administrative tasks are tasks associated with the NAS system. The selected subset of administrative tasks includes installing a backup software component.
    Type: Grant
    Filed: July 2, 2008
    Date of Patent: May 31, 2016
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Charles Martin McJilton, Paul Michael Cesario, Matthew D. Haines, Eric Peterson
  • Patent number: 9348989
    Abstract: A restricted access device such as a cellphone, a tablet or a personal computer, analyzes contemporaneous keyboard inputs of a password and gestures to authenticate the user and enable further access to applications and processes of the restricted access device. The gestures may be facial gestures detected by a camera or may be gestures made by an avatar rendered on a display of the device. The password may be shortened based upon the context of the authentication as well as any gestures occurring during password entry. The gestures may be learned by the restricted access device during the password entry process.
    Type: Grant
    Filed: March 6, 2014
    Date of Patent: May 24, 2016
    Assignee: International Business Machines Corporation
    Inventors: Lorraine Herger, Neal Keller, James R. Kozloski, Matthew A. McCarthy, Clifford A. Pickover, Andrew Wyskida
  • Patent number: 9350724
    Abstract: When authentication processing is performed without requesting a user to input authentication information and receiving the authentication information in response to authentication processing performed in another authentication server system having successfully been performed, a notification is not issued to a terminal to be operated by the user.
    Type: Grant
    Filed: October 16, 2014
    Date of Patent: May 24, 2016
    Assignee: Canon Kabushiki Kaisha
    Inventor: Shunsuke Mogaki
  • Patent number: 9350790
    Abstract: A method and system for utilizing target browsers. A web page received from a server includes a client program. The client program is executed, which includes: (i) receiving a selection of at least one target browser by a user at a user interface at a first terminal, wherein the user interface displays two or more target browsers for each group of target browsers of two or more groups of target browsers from which the user has selected the at least one target browser; (ii) generating a message that includes the selected at least one target browser; and (iii) sending the message to the server.
    Type: Grant
    Filed: January 6, 2014
    Date of Patent: May 24, 2016
    Assignee: International Business Machines Corporation
    Inventor: Atsushi Noguchi
  • Patent number: 9350533
    Abstract: An approach is provided for enabling a web browser to decrypt and to display encrypted information based on entropy calculations of the information. The decryption manager determines at least one entropy value for at least one element of at least one webpage. The decryption manager causes, at least in part, a decryption of the at least one element to generate at least one decrypted element based, at least in part, on a comparison of the at least one entropy value against one or more entropy threshold values.
    Type: Grant
    Filed: September 4, 2012
    Date of Patent: May 24, 2016
    Assignee: NOKIA TECHNOLOGIES OY
    Inventor: Ian Justin Oliver
  • Patent number: 9342669
    Abstract: Systems and methods of licensing and identification of a virtual network appliance. The systems and methods obtain information specific to an instance of a virtual machine corresponding to the virtual network appliance. The instance of the virtual machine is deployed on a predetermined virtualization platform. The systems and methods can generate an identifier as well as a serial number for the virtual machine based at least on the information specific to the instance of the virtual machine, and generate a license including license data for the virtual network appliance, embedding at least the identifier for the virtual machine in the license data. The information specific to the instance of the virtual machine can include a universally unique identifier (UUID) and at least one virtual media access control (MAC) address for the virtual machine deployed on the predetermined virtualization platform.
    Type: Grant
    Filed: July 10, 2014
    Date of Patent: May 17, 2016
    Assignee: Dialogic, Inc.
    Inventors: Ritesh Patani, Chien Cheng
  • Patent number: 9336366
    Abstract: A system and method for controlling use of content in accordance with usage rights associated with the content and determined in accordance with the environment of a user device. A request is received for secure content from a user device and the integrity of the environment of the user device is verified. Appropriate usage rights are retrieved based upon the results of the verification of integrity and the content is rendered on the user device in accordance with the appropriate usage rights.
    Type: Grant
    Filed: November 14, 2014
    Date of Patent: May 10, 2016
    Assignee: ContentGuard Holdings, Inc.
    Inventors: Michael C. Raley, Daniel C. Chen, Hsi-Cheng Wu, Thanh Ta
  • Patent number: 9336408
    Abstract: Extracting data from a source system includes generating an authorization model of the data protection controls applied to the extracted data by the source system. The authorization model is used to map the data protection control applied to the extracted data to generate corresponding data protection controls provided in the target system. The extracted data is imported to the target system including implementing the corresponding data protection controls.
    Type: Grant
    Filed: October 10, 2014
    Date of Patent: May 10, 2016
    Assignee: SAP SE
    Inventors: John C. Radkowski, Swetta Singh
  • Patent number: 9338172
    Abstract: A method for authenticating an Internet Protocol Security (IPsec) packet, wherein the method comprises, receiving the IPsec packet via an input port, performing a Sequence-Integrity Check Value (SEQ-ICV) check that validates a sequence number within the IPsec packet, and performing an Integrity Check Value (ICV) check that validates a checksum within the IPsec packet, wherein the SEQ-ICV check is performed before the ICV check. In yet another example embodiment, an apparatus for transmitting an IPsec packet, comprising a processor, and a transmitter coupled to the processor, wherein the transmitter is configured to transmit an IPsec packet that comprises a header that comprises a sequence number field that provides a sequence number, and a payload that comprises one or more SEQ-ICV segments used to authenticate the sequence number within the IPsec packet.
    Type: Grant
    Filed: June 24, 2013
    Date of Patent: May 10, 2016
    Assignee: Futurewei Technologies, Inc.
    Inventors: Jifei Song, Xiaoyong Yi
  • Patent number: 9332013
    Abstract: In certain embodiments, a system receives a first request from a user to perform a function with an enterprise. The system communicates a second request for the user to provide a thought to facilitate authenticating the user with the enterprise. The system receives a string of characters corresponding to the thought. The string may be generated based at least in part upon electromagnetic signals, which the user generates by developing the thought. The system compares the received string to a stored string that corresponds to a thought of the user to authenticate the user. Based at least in part upon the comparison, the system determines whether the user is authenticated to perform the function.
    Type: Grant
    Filed: August 28, 2014
    Date of Patent: May 3, 2016
    Assignee: Bank of America Corporation
    Inventor: Sylvan Tran
  • Patent number: 9332428
    Abstract: Disclosed is a radio system, method, and device for a mobile station to indicate to an authentication controller, in an authentication response message, which of a plurality of group key link layer encryption keys (GKEK)s it currently has in its possession, and to work with the authentication controller to more intelligently manage multiple GKEKs. The authentication controller can use the information obtained from the authentication response message to determine which of a plurality of GKEKs to advertise in a key announcement broadcast. Furthermore, individual requests for a future LLE key (LEK) to be used for link layer encryption (LLE) encrypting and decrypting inbound and outbound group communications between base station(s) and mobile station(s) are responded to with a broadcast GKEK-encrypted transmission including the future LEK. Only the requesting mobile station transmits an acknowledgment packet in response to the broadcast.
    Type: Grant
    Filed: February 18, 2014
    Date of Patent: May 3, 2016
    Assignee: MOTOROLA SOLUTIONS, INC.
    Inventors: Chris A Kruegel, Thomas J Senese, Hans C Sowa
  • Patent number: 9332021
    Abstract: A security payload is attached to a received binary executable file. The security payload is adapted to intercept application programming interface (API) calls to system resources from the binary executable file via export address redirection back to the security payload. Upon execution of the binary executable file, the security payload replaces system library export addresses within a process address space for the binary executable file with security monitoring stub addresses to the security payload. Upon the binary executable computer file issuing a call to a given API, the process address space directs the call to the given API back to the security payload via one of the security monitoring stub addresses that is associated with the given API. The security payload then can assess whether the call to the given API is a security breach.
    Type: Grant
    Filed: March 13, 2014
    Date of Patent: May 3, 2016
    Assignee: International Business Machines Corporation
    Inventor: Vishal Chahal