Patents Examined by Brian Shaw
  • Patent number: 8572409
    Abstract: For secure non-redundant storage of data, to store a data blocklet (sub-block), one takes a hash of each blocklet. The hash value is used as a key to encrypt the blocklet data. The key is then hashed to encrypt it and the hashed key used in the blocklet index to identify the blocklet. The blocklet index entry also conventionally includes the address of that encrypted blocklet. Unless one has a file representation which is a vector of the hash values, one cannot obtain direct information about the original blocklet from the blocklet index or the blocklet storage. To retrieve data, each original blocklet hash is hashed again to generate the index entry.
    Type: Grant
    Filed: September 26, 2008
    Date of Patent: October 29, 2013
    Inventor: Stephen P. Spackman
  • Patent number: 8516564
    Abstract: A first virtualization layer is inserted between (i) an operating system of a computer system, and (ii) at least first and second hardware devices of the computer system. Data is communicated between the first hardware device and the second hardware device, via the first virtualization layer, without exposing the data to the operating system.
    Type: Grant
    Filed: July 18, 2008
    Date of Patent: August 20, 2013
    Assignee: International Business Machines Corporation
    Inventors: Bernhard Jansen, Matthias Schunter, Axel Tanner, Diego M. Zamboni
  • Patent number: 8510829
    Abstract: Systems and methods to detect malicious media files are described. In one example, an apparatus including a network connection, a memory, and a programmable processor communicatively coupled to the memory is discussed. The memory can include instructions, which when executed by the programmable processor cause the apparatus to receive a data stream from the network connection and detect at least a portion of a media file within the data stream. The instructions can also cause the apparatus to determine a file type of the media file and extract the media file from the data stream. Further, the instructions cause the apparatus to parse the media file to locate a suspicious tag, extract an embedded URL from the suspicious tag, determine whether the embedded URL is malicious, and block the media file if the embedded URL is malicious.
    Type: Grant
    Filed: June 24, 2010
    Date of Patent: August 13, 2013
    Assignee: McAfee, Inc.
    Inventors: Rahul Mohandas, Vinoo Thomas, Plasamudram Ramagopal Prashanth
  • Patent number: 8510845
    Abstract: Method and apparatus for monitoring identity misrepresentation by a user on a network are described. In one example, validated identity information for the user is received from a trusted source. Data exchanged between a network client on a device associated with the user and the network is monitored. An identity misrepresentation by the user is detected based on the validated identity information. A notification of the identity misrepresentation is sent to the trusted source.
    Type: Grant
    Filed: March 30, 2007
    Date of Patent: August 13, 2013
    Assignee: Symantec Corporation
    Inventor: Michael Spertus
  • Patent number: 8490164
    Abstract: An authenticating device communicating with a server device includes: a dividing unit that divides secret information into plural secret fragments by a threshold secret sharing scheme; a first generating unit that generates plural cryptographic fragments by encrypting the secret fragments using first plural passwords; a first transmitting unit that transmits the cryptographic fragments to the server device; a first receiving unit that receives the cryptographic fragments from the server device, a second generating unit that generates plural secret fragment candidates by decrypting the cryptographic fragments using second plural passwords; a third generating unit that obtains a verifying information candidate by the threshold secret sharing scheme using a group of the secret fragment candidates; a second transmitting unit that transmits the verifying information candidate to the server device; and a second receiving unit that receives result information of comparing the verifying information candidate with ver
    Type: Grant
    Filed: March 21, 2007
    Date of Patent: July 16, 2013
    Assignee: Kabushiki Kaisha Toshiba
    Inventors: Toshinari Takahashi, Kentaro Umesawa, Shinji Yamanaka
  • Patent number: 8490148
    Abstract: Systems and methods for configuring and evaluating policies that direct processing of one or more data streams are described. A configuration interface is described for allowing users to specify object oriented policies. These object oriented policies may allow any data structures to be applied with respect to a payload of a received packet stream, including any portions of HTTP traffic. A configuration interface may also allow the user to control the order in which policies and policy groups are executed, in addition to specifying actions to be taken if one or more policies are undefined. Systems and methods for processing the policies may allow efficient processing of object-oriented policies by applying potentially complex data structures to unstructured data streams. A device may also interpret and process a number of flow control commands and policy group invocation statements to determine an order of execution among a number of policies and policy groups.
    Type: Grant
    Filed: March 12, 2007
    Date of Patent: July 16, 2013
    Assignee: Citrix Systems, Inc
    Inventors: Namit Sikka, Anoop Reddy, Rajiv Mirani, Abhishek Chauhan
  • Patent number: 8467528
    Abstract: A system on a chip including a bus, a bootup module coupled to the bus and configured to cause the system on a chip to bootup in accordance with a selected security mode, an input module coupled to the bus and configured to receive an input signal and to provide the input signal to the bus, a processor coupled to the bus and configured to process the input signal to provide an intermediate signal, in accordance with a type of content protection associated with the input signal, an encryption module coupled to the bus and configured to cause at least a portion of the intermediate signal to be encrypted to produce an encrypted signal, in accordance with the type of the content protection, and an output module coupled to the bus and configured to output the encrypted signal.
    Type: Grant
    Filed: August 30, 2007
    Date of Patent: June 18, 2013
    Assignee: Advanced Micro Devices, Inc.
    Inventors: Richard K. Sita, Kunal K. Dave, Jitesh Arora, Michael J. Erwin
  • Patent number: 8452967
    Abstract: A flash storage device and a method for using the flash storage device to prevent unauthorized use of a software application are provided. An identifier may be encoded within specific sectors of the flash storage device. One bits of the identifier may be encoded as unusable ones of the specific sectors and zero bits of the identifier may be encoded as usable ones of the specific sectors. Alternatively, the zero bits of the identifier may be encoded as the unusable ones of the specific sectors and the one bits of the identifier may be encoded as the usable ones of the specific sectors. The software application may be permitted to execute on a processing device connected to the flash storage device only when the identifier is encoded within the flash storage device.
    Type: Grant
    Filed: August 31, 2007
    Date of Patent: May 28, 2013
    Assignee: Microsoft Corporation
    Inventor: Boris Asipov
  • Patent number: 8417942
    Abstract: A method for identifying conference media traffic includes receiving a plurality of dummy packets and matching a series of the plurality of dummy packets to a signature key. The method also includes extracting a first identification from one or more of the plurality of dummy packets in response to matching a series of the plurality of dummy packets to a signature key and determining that a second identification associated with one or more encrypted media packets matches the first identification. The method also includes associating one or more encrypted media packets with a conference in response to determining that the first identification matches the second identification.
    Type: Grant
    Filed: August 31, 2007
    Date of Patent: April 9, 2013
    Assignee: Cisco Technology, Inc.
    Inventors: Chris A. Dunn, Jawhny X. Cooke, Zaheer Aziz, Ravid Sagy
  • Patent number: 8396219
    Abstract: A multiplication value decision unit (12) decides a multiplication value which is a positive value or a negative value corresponding to a bit value of each bit contained in a binary bit string constituting a scramble pattern generated in a pattern generation unit (11). A multiplication processing unit (13) multiplies symbol data representing each symbol value in the symbol data string formed by the multinary symbol containing a predetermined pair of a positive value and a negative value having an identical absolute value, in the value area, by the multiplication value decided by the multiplication value decision unit (12). Here, the multiplication processing unit (13) successively executes the multiplication between the symbol data for one symbol and the multiplication value decided corresponding to the bit value of the one bit contained in the scramble pattern until the number of symbols expressed by the symbol data string is reached.
    Type: Grant
    Filed: April 8, 2009
    Date of Patent: March 12, 2013
    Assignee: Kabushiki Kaisha Kenwood
    Inventor: Taichi Majima
  • Patent number: 8391475
    Abstract: The speed at which encrypt and decrypt operations may be performed in a general purpose processor is increased by providing a separate encrypt data path and decrypt data path. With separate data paths, each of the data paths may be individually optimized in order to reduce delays in a critical path. In addition, delays may be hidden in a non-critical last round.
    Type: Grant
    Filed: March 30, 2007
    Date of Patent: March 5, 2013
    Assignee: Intel Corporation
    Inventors: Vinodh Gopal, Erdinc Ozturk, Gilbert Wolrich, Wajdi K. Feghali, Kirk S. Yap
  • Patent number: 8392708
    Abstract: Various approaches are described for auditing integrity of stored data. In one approach, a data set is provided from a client to a storage provider, and the data set is stored at a first storage arrangement by the storage provider. An auditor determines whether the data set stored at the first storage arrangement is corrupt without reliance on any part of the data set and any derivative of any part of the data set stored by the client. While the auditor is determining whether the data set stored at the first storage arrangement is corrupt, the auditor is prevented from being exposed to information specified by the data set. The auditor outputs data indicative of data corruption in response to determining that the data set stored at the first storage arrangement is corrupt.
    Type: Grant
    Filed: September 29, 2008
    Date of Patent: March 5, 2013
    Assignee: Hewlett-Packard Development Company, L. P.
    Inventors: Mehul A. Shah, Ram Swaminathan, Robert Samuel Schreiber, Alan H. Karp
  • Patent number: 8370932
    Abstract: A method and apparatus for detecting malware in network traffic is described. One embodiment executes, in an emulation environment, an executable file as it is being received serially over a network, execution beginning once a block of data including an entry point of the executable file has been received, execution halting whenever an instruction in the executable file references data not yet received and resuming once the data not yet received has been received, execution ceasing upon satisfaction of a termination condition; examining the emulation environment for indications that the executable file includes malware; and taking corrective action responsive to the results of examining the emulation environment for indications that the executable file includes malware.
    Type: Grant
    Filed: September 23, 2008
    Date of Patent: February 5, 2013
    Assignee: Webroot Inc.
    Inventor: Robert Edward Adams
  • Patent number: 8370640
    Abstract: A reader element is associated with an identity verification element. The reader element has a biometric input device and is configured, through enrollment of a biometric element is used to encrypt a character sequence associated with the identity verification element. In a verification phase subsequent to the enrollment, a user may be spared a step of providing the character sequence by, instead, providing the biometric element. Responsive to receiving the biometric element, the reader element may decrypt the character sequence and provide the character sequence to the identity verification element.
    Type: Grant
    Filed: December 1, 2008
    Date of Patent: February 5, 2013
    Assignee: Research In Motion Limited
    Inventors: Neil Patrick Adams, Richard Paul Sibley, Dinah Lea Marie Davis, Ravi Singh
  • Patent number: 8365257
    Abstract: A web portal for issuing multiple digital certificates to users of an entity (e.g., a law-enforcement agency or corporation) is described herein. The digital certificates enable users to access confidential records—such as telecommunication records—by requesting the records through a web site. A master digital certificate is issued for the entity, and a user associated with the master digital certificate can request slave certificates to be issued to other employees or affiliates of the entity. A certificate provisioning server is configured to only issue slave certificates at the request of the user with the master digital certificate. Once issued, a slave certificate is communicated to an authentication server, which notifies the assignee of the slave certificate of its online location.
    Type: Grant
    Filed: June 1, 2007
    Date of Patent: January 29, 2013
    Assignee: Sprint Communications Company L.P.
    Inventors: Stanley Eugene Causey, Cuong Phat Duong, Bryan Scott Sowell
  • Patent number: 8363826
    Abstract: A multiplication value decision unit (12) decides a multiplication value which is a positive value or a negative value corresponding to a bit value of each bit contained in a binary bit string constituting a scramble pattern generated in a pattern generation unit (11). A multiplication processing unit (13) multiplies symbol data representing each symbol value in the symbol data string formed by the multinary symbol containing a predetermined pair of a positive value and a negative value having an identical absolute value, in the value area, by the multiplication value decided by the multiplication value decision unit (12). Here, the multiplication processing unit (13) successively executes the multiplication between the symbol data for one symbol and the multiplication value decided corresponding to the bit value of the one bit contained in the scramble pattern until the number of symbols expressed by the symbol data string is reached.
    Type: Grant
    Filed: September 29, 2005
    Date of Patent: January 29, 2013
    Assignee: Kabushiki Kaisha Kenwood
    Inventor: Taichi Majima
  • Patent number: 8356176
    Abstract: A system and method for authenticating a peer device onto a network using Extensible Authentication Protocol (EAP). The key lifetime associated with the keying material generated in the peer device and the authentication server is communicated from the authenticator to the peer device within the EAP Success message. The peer device, having been provided with the key lifetime, can anticipate the termination of its authenticated session and initiate re-authentication prior to expiry of the key lifetime.
    Type: Grant
    Filed: February 9, 2007
    Date of Patent: January 15, 2013
    Assignee: Research In Motion Limited
    Inventor: Leonardo Jose Silva Salomone
  • Patent number: 8347354
    Abstract: Users of a computer are prevented from directly accessing certain hardware for which a driver is installed on the computer. The users are provided a limited, indirect manner to access the hardware for a specific purpose or to do a specific job. One example of such hardware is a wireless hardware communication interface. The wireless activity of the computer may be restricted so that the wireless hardware communication interface is prevented from communicating with any devices compatible with the wireless hardware communication interface other than one or more specific devices.
    Type: Grant
    Filed: March 16, 2007
    Date of Patent: January 1, 2013
    Assignee: Research In Motion Limited
    Inventors: Ravi Singh, Neil Adams
  • Patent number: 8332922
    Abstract: In a web-based service environment, third party providers need to have varying degrees of access to user data for their complementary services. To prevent third party providers from having broader access than necessary or not adequate levels of access, transferable restricted security tickets are employed to determine an appropriate level of access for third parties. Tickets with expiration and restriction roles define a duration and level of access for a third party. The restrictions are determined through an intersection of the authorizing user's security role and restriction roles defined in the system.
    Type: Grant
    Filed: August 31, 2007
    Date of Patent: December 11, 2012
    Assignee: Microsoft Corporation
    Inventors: Richard L. Dickinson, Edward A. Martinez, Dominic J. Pouzin, Jasjit S. Grewal, Michael J. Ott
  • Patent number: 8332951
    Abstract: The present invention discloses a method, a computer program product, a system, and a device for securing content of a surface-based computing device. In the invention, a delineated region of a surface of a surface-based computing device referred to as a section can be identified. The section can be a computing space owned by at least one user referred to as a section owner. Other regions of the surface exist that are computing spaces distinct from the section. A set of section specific settings can be established that are configurable by the section owner. An attempt to convey at least one software object across a section boundary separating the section from one of the other regions can be identified. The section specific settings can be applied to the attempt. Appropriate programmatic actions can be taken based upon the section specific settings.
    Type: Grant
    Filed: February 12, 2008
    Date of Patent: December 11, 2012
    Assignee: International Business Machines Corporation
    Inventors: Al Chakra, Monica S. Harris, Ruthie D. Lyle