Patents Examined by Jayesh Jhaveri
  • Patent number: 9660967
    Abstract: Embodiments are directed towards a big data marker (BDM) model that provides label support, seeking, and decoding of arbitrary positions within small or large data streams. The features of the BDM model may be provided by a library having an easy-to-use application programming interface. The library may be considered an extension to existing data optimization and/or data encryption codecs that provides additional labeling and random access capabilities for encoding and decoding. The library enables labeling and seeking of single or multiple labels associated with various positions in a data stream, and allows encoding and decoding of full or partial streams. The library may be used with applications that already manage big data sets for archiving, logging, or backups. The library can also extend the capabilities of existing codecs by enabling the inclusion of labels and random access encoding/decoding via a common programming interface.
    Type: Grant
    Filed: January 9, 2017
    Date of Patent: May 23, 2017
    Assignee: Centri Technology, Inc.
    Inventors: Luis Gerardo Paris, Michael Patrick Mackey
  • Patent number: 9654297
    Abstract: The systems, methods and apparatuses described herein provide a computing environment that includes secure time management. An apparatus according to the present disclosure may comprise a non-volatile storage to store a synchronization time and a processor. The processor may be configured to generate a request for a current time, transmit the request to a trusted timekeeper, receive a digitally signed response containing a current, real-world time from the trusted timekeeper, verify the digital signature of the response, verify that the response is received within a predefined time, compare a nonce in the request to a nonce in the response, determine that the current, real-world time received from the trusted timekeeper is within a range of a current time calculated at the apparatus and update the synchronization time with the current, real-world time in the response.
    Type: Grant
    Filed: May 6, 2016
    Date of Patent: May 16, 2017
    Assignee: OLogN Technologies AG
    Inventors: Sergey Ignatchenko, Dmytro Ivanchykhin
  • Patent number: 9648494
    Abstract: A method and apparatus for protecting a payload sent between a client device and a Network Application Function node (NAF) in a communications network. At either of the client device and the NAF a determination is made that no existing Security Association (SA) identifier between the client device and the NAF is locally available. An identifier embryo is obtained and an SA identifier is constructed using the identifier embryo. Payload sent between the client device and the NAF is protected using an SA associated with the constructed SA identifier.
    Type: Grant
    Filed: October 29, 2013
    Date of Patent: May 9, 2017
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Karl Norrman, Vesa Lehtovirta, Monica Wifvesson
  • Patent number: 9647993
    Abstract: System for performing a cryptographic operation, comprising a client system and a server system; said server comprising a multi-repository manager, repositories of cryptographic keys, a processor and a memory; and said client comprising a processor and a memory; wherein said two memories store computer executable instructions that, when executed, cause the client and the server to perform a method comprising: the client sending a request of the cryptographic operation to the server; the multi-repository manager obtaining a set of references to cryptographic keys allowed to the request from the repositories of cryptographic keys; the multi-repository manager establishing a cryptographic key referenced in said set of references as the cryptographic key to be used; the multi-repository manager requesting performance of the cryptographic operation to the repository wherein the cryptographic key to be used is stored; the multi-repository manager obtaining the result of the cryptographic operation from the reposito
    Type: Grant
    Filed: October 13, 2011
    Date of Patent: May 9, 2017
    Assignee: EVOLIUM TECHNOLOGIES, S.L.
    Inventor: José Gaspar Cuevas
  • Patent number: 9633404
    Abstract: A method and system are provided for co-browsing of patient records on communication devices. The method includes setting up a communication session between a first communication device and one or more second communication devices, where the communication session is initiated by the first communication device. Further, the method includes accessing one or more patient records via a server, where the one or more patient records are accessed at the first communication device. The method further includes sending a reference of the one or more patient records to the one or more second communication devices, where the reference is sent from the first communication device.
    Type: Grant
    Filed: April 4, 2013
    Date of Patent: April 25, 2017
    Assignee: AGNITY HEALTHCARE, INC.
    Inventors: Sanjeev Chawla, Atul Varshneya, Amit Kumar
  • Patent number: 9628443
    Abstract: Systems, methods, and machine-readable media for low latency server-side redirection of User Datagram Protocol (UDP)-based transport protocols traversing a client-side Network Address Translation (NAT) are provided. A request may be sent from a client for a data resource to a first server. The data resource may be received from a second server that has not been previously connected to the client. Receiving the data resource from the second server may be facilitated by the first server through redirecting the request to the second server and providing for the second server to connect to the client and directly respond to the request. The first server may lack at least one of the requested data resource or resources for providing the requested data resource.
    Type: Grant
    Filed: April 30, 2015
    Date of Patent: April 18, 2017
    Assignee: Google Inc.
    Inventors: James Anthony Roskind, Ian Douglas Swett
  • Patent number: 9626498
    Abstract: A system of authorizing access to a resource including a processor obtaining sensor information related to at least two users from one or more sensors, the sensor information including one or more of image information and proximity information of each of the at least two users. Further, an act of identifying current gestures is performed for each of the at least two users in accordance with the sensor information. The current gestures may be compared with pre-stored gesture information related to predetermined gestures and an order of the predetermined gestures. Further, access to the resource may be authorized when it is determined that the current gestures are in accordance with the predetermined gestures and the order of the predetermined gestures.
    Type: Grant
    Filed: December 14, 2012
    Date of Patent: April 18, 2017
    Assignee: FRANCE TELECOM
    Inventors: Julian Gay, Adam Odessky
  • Patent number: 9628279
    Abstract: Various embodiments provide techniques and devices for protecting application secrets from operating system attacks. In some examples, applications execute with an isolated user mode of a secure execution environment, while relying on an operating system executing within a separate execution environment for resource management and system services. A proxy kernel can control access by the operating system to data associated with the secure execution environment. Further, the proxy kernel can act as a transparent interface between isolated user mode applications and the operating system during the provision of resource management and system services.
    Type: Grant
    Filed: September 30, 2014
    Date of Patent: April 18, 2017
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: David B. Probert, Jeff Engel, Arsalan Ahmad, Arun U. Kishan, Jonathan E. Lange
  • Patent number: 9607300
    Abstract: Embodiments for tracking multi-layer secured transactions include systems for providing a first transaction channel to a user and sending pre-authorization code to the user via the first transaction channel. The systems terminate the first transaction channel and provide a second transaction channel to the user and receive transaction data from the user comprising the pre-authorization code via the second transaction channel. The systems further identify one or more verifiers associated with the user for one or more transactions based on the transaction data, send a post verification notification to the one or more verifiers, and receive a post verification confirmation from at least one of the one or more verifiers in response to the post verification notification.
    Type: Grant
    Filed: January 17, 2014
    Date of Patent: March 28, 2017
    Assignee: Bank of America Corporation
    Inventor: Manu Jacob Kurian
  • Patent number: 9607177
    Abstract: A method operational within a memory controller is provided for securing content stored in memory. The memory controller may allocate logical memory regions within a memory device to different domains. A different domain-specific key is obtained for each of the different domains, where each domain-specific key is a function of at least a master key and domain-specific information. During write operations, content/data is encrypted, at the memory controller, as it is written into each logical memory region using a domain-specific key corresponding to a domain providing the content and to which the logical memory region is allocated. Similarly, during read operations, content/data is decrypted, at the memory controller, as it is read from each memory region using a domain-specific key corresponding to a domain requesting the content and to which the logical memory region, where the content is stored, is allocated.
    Type: Grant
    Filed: September 30, 2013
    Date of Patent: March 28, 2017
    Assignee: QUALCOMM Incorporated
    Inventors: Ravindra R. Jejurikar, Ivan McLean
  • Patent number: 9600668
    Abstract: Disclosed are a method and a device for extracting a characteristic code of an APK virus. The method comprises: scanning a designated file in an Android installation package APK; extracting an operation instruction in the designated file, and judging whether the operation instruction contains virus information; and if yes, generating a characteristic code of the virus according to the operation instruction. In the application, the characteristic code of the virus APK can be accurately and effectively extracted, so as to facilitate improvement of efficiency and accuracy of identification of the virus APK and a variation thereof, thereby improving the security of an APK application.
    Type: Grant
    Filed: March 12, 2013
    Date of Patent: March 21, 2017
    Assignee: BEIJING QIHOO TECHNOLOGY COMPANY LIMITED
    Inventors: Xun Wang, Xu Zhang
  • Patent number: 9577997
    Abstract: On-vehicle control units include an attaching section for attaching a message code used to check the validity of the transmission source of communication data, to the communication data. The on-vehicle control units also include an update section for updating a key code and the message code every time communication of communication data has been completed. An authentication section checks communication data and the transmission source thereof on the basis of the result of comparison between the random code obtained by restoring a message code and the random code owned by the on-vehicle control units, which are authorized.
    Type: Grant
    Filed: May 29, 2012
    Date of Patent: February 21, 2017
    Assignee: TOYOTA JIDOSHA KABUSHIKI KAISHA
    Inventor: Mitsuhiro Mabuchi
  • Patent number: 9577822
    Abstract: Methods and systems are provided for securely authenticating data of an integrated circuit. By authenticating data having keystream blocks inserted between ciphertext portions, it becomes more difficult to mount successful authentication-based attacks.
    Type: Grant
    Filed: October 2, 2013
    Date of Patent: February 21, 2017
    Assignee: Altera Corporation
    Inventor: Bruce B. Pedersen
  • Patent number: 9565184
    Abstract: A digital certification analyzer (or “analyzer”) provides protection for digital content stored on servers, file sharing systems, hard drives and USB enabled external drives or other digital repositories. A temporary external secured storage (or “TESS”) system provides an external storage location for digital content hosted and transferred or shared in a digital realm, while the original device hosting the content is turned off or otherwise offline during the file share or file transfer process.
    Type: Grant
    Filed: July 12, 2016
    Date of Patent: February 7, 2017
    Inventor: Anthony Tan
  • Patent number: 9563765
    Abstract: In order to simplify and reduce the cost of an electronic device, the size of a first non-volatile memory associated with an integrated circuit is significantly reduced. Instead of using the first non-volatile memory, a second non-volatile memory associated with a processor in the electronic device is used to store an embedded operating system of the integrated circuit, as well as associated data and a configuration of the integrated circuit. To reduce the security risks associated with using this remote second non-volatile memory, the first non-volatile memory may store authorization information and anti-replay information. During a secure boot of the integrated circuit, the authorization information is used to verify that the embedded operating system, the data and the configuration are authorized. In addition, the anti-replay information is used to determine that the embedded operating system, the data and the configuration are different than previously received versions of these items.
    Type: Grant
    Filed: February 26, 2015
    Date of Patent: February 7, 2017
    Assignee: Apple Inc.
    Inventors: Samuel D. Post, Onur E. Tackin, Yannick L. Sierra, Peng Liu
  • Patent number: 9544277
    Abstract: A software system which uses a specially designed cellular automaton network to perform symmetric-key encryptions and decryptions of user-supplied input messages. The input messages are in the form of text or images or audio data. A mathematical function based on Fibonacci sequences in the complex domain is used to define interactions among the cells of the cellular automaton network. The outputs of the system are encryptions of the user inputs; a simple key inversion procedure enables the decrypting of the encrypted output. The system permits multiple encryptions of the input and this, in turn, requires multiple decryptions to obtain the original input.
    Type: Grant
    Filed: September 9, 2015
    Date of Patent: January 10, 2017
    Inventor: Roger G Marshall
  • Patent number: 9537838
    Abstract: Methods, systems, and computer-readable storage media for proxy re-encryption of encrypted data stored in a first database of a first server and a second database of a second server. Implementations include actions of receiving a first token at the first server from a client-side computing device, providing a first intermediate re-encrypted value based on a first encrypted value and the first token, transmitting the first intermediate re-encrypted value to the second server, receiving a second intermediate re-encrypted value from the second server, the second intermediate re-encrypted value having been provided by encrypting the first encrypted value at the second server based on a second token, providing the first encrypted value as a first re-encrypted value based on the first intermediate re-encrypted value and the second intermediate re-encrypted value, and storing the first re-encrypted value in the first database.
    Type: Grant
    Filed: December 22, 2014
    Date of Patent: January 3, 2017
    Assignee: SAP SE
    Inventors: Isabelle Hang, Florian Kerschbaum, Mathias Kohler, Martin Haerterich, Florian Hahn, Axel Schroepfer, Walter Tighzert, Andreas Schaad
  • Patent number: 9536102
    Abstract: A method receives authentication credentials for a user from a client device and receives a request from the user for content stored on a remote storage system. A portion of the content is encrypted and a corresponding decryption key is available only at the computer system. The remaining portion of the content is unencrypted. The method retrieves the content from the remote storage system and uses the received credentials to determine whether the user is authorized to view the encrypted portion. When the user is not authorized, the method forms alternative content by replacing the encrypted portion with a substitute element and transmits the alternative content to the client device. When the user is authorized, the method decrypts the encrypted portion of the content using the decryption key, and combines the decrypted portion with the unencrypted portion to form updated content. The updated content is transmitted to the client device.
    Type: Grant
    Filed: February 18, 2016
    Date of Patent: January 3, 2017
    Assignee: GOOGLE INC.
    Inventor: Ben Margolin
  • Patent number: 9537717
    Abstract: Presented is an automated policy-provisioning method for a computing system having a service-oriented architecture. The system comprises at least one managed service and at least one policy enforcement point operable to enforce a runtime policy for the service. The method comprises: receiving in machine-readable form at least one semantic rule defining a condition imposed by a business policy; receiving machine-readable data describing a runtime policy enforcement capability of the at least one policy enforcement point; determining based on the at least one rule and the capability whether the at least one policy enforcement point can meet the condition; based on the determination, deriving a runtime policy suitable for enforcing the condition; and communicating the runtime policy to the at least one policy enforcement point.
    Type: Grant
    Filed: March 23, 2010
    Date of Patent: January 3, 2017
    Assignee: Hewlett Packard Enterprise Development LP
    Inventors: Kiran Joseph Almeida, Viji Kakkattu Ravindran, Niranjan Ramarajar
  • Patent number: 9530010
    Abstract: A method including receiving energy usage data representative of energy usage of a customer during a particular time period. The energy usage data is signed with a digital signature of a utility. The method includes receiving input of a customer effective to select a data block of the energy usage data. The method includes redacting the selected data block from the energy usage data in response to the input. The method includes calculating a hash value for the redacted data block using a per-customer key that is unique to the customer, an initialization vector, and a counter. The method includes replacing in the energy usage data the redacted data block with the calculated hash value corresponding to the redacted data block.
    Type: Grant
    Filed: September 26, 2014
    Date of Patent: December 27, 2016
    Assignee: FUJITSU LIMITED
    Inventors: Daisuke Mashima, Gaurav Lahoti