Patents Examined by Jayesh Jhaveri
  • Patent number: 9313188
    Abstract: Embodiments are directed to provisioning private virtual machines in a public cloud and to managing private virtual machines hosted on a public cloud. In one scenario, a computer system receives authentication information for a private domain from an entity. The entity indicates that their private virtual machines are to be provisioned on a public cloud, where the entity's private domain is accessible using the authentication information. The computer system establishes a virtual network on the public cloud which is configured to host the entity's private virtual machines, where each virtual machine hosts remote applications. The computer system establishes an authenticated connection from the virtual network to the entity's private domain using the received authentication information and provides the entity's private virtual machines on the public cloud.
    Type: Grant
    Filed: June 14, 2013
    Date of Patent: April 12, 2016
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Amjad Hussain, Jonathan Austin Hoover, Tristan William Scott, Ido Miles Ben-Shachar, Kevin Scott London
  • Patent number: 9306951
    Abstract: Embodiments are directed to providing access to a resource over a network. A client device may request access to a server. An application may be provided to the client device. The application may cause control of the client device to be switched from a first desktop to a secure desktop. The secure desktop may be configured to restrict applications access to within the secure desktop. An indication of the resource on the server to map to may be received at the client device. The indicated resource may be mapped onto a file system on the client device. Mapping may comprise using a remote file access protocol, using DLL injection, or adding a kernel module to an operating system on the client device. The mapped resource may be constrained to be accessed through the secure desktop.
    Type: Grant
    Filed: February 9, 2015
    Date of Patent: April 5, 2016
    Assignee: F5 Networks, Inc.
    Inventor: Andrey Shigapov
  • Patent number: 9306923
    Abstract: When a request for acquiring authorization information is received from a resource service application that is a request source, an image forming apparatus transmits a request for further delegating an authorization delegated from a user to the resource service application to an authorization server system together with first authorization information, and acquires second authorization information issued based on the first authorization information from the authorization server system.
    Type: Grant
    Filed: September 26, 2013
    Date of Patent: April 5, 2016
    Assignee: Canon Kabushiki Kaisha
    Inventor: Hayato Matsugashita
  • Patent number: 9298939
    Abstract: A method is performed at a computer system having one or more processors and memory storing one or more programs executed by the one or more processors. The method includes generating a document, including marking one or more portions of the document as private; and sending the document to an intermediary system for transmission to a destination system. Prior to the document being transmitted to the destination system, the marked portions of the document are encrypted by the intermediary system using a key that is unavailable to the destination system.
    Type: Grant
    Filed: July 8, 2014
    Date of Patent: March 29, 2016
    Assignee: GOOGLE INC.
    Inventor: Ben Margolin
  • Patent number: 9294455
    Abstract: Implementations of the present disclosure provide systems and methods for seamlessly transferring a communication session from a first client to a second client via a close-range communication connection. Implementations contemplate serializing a set of unique identifiers pertaining to a communication session and transmitting the set of serialized identifiers from the first client to the second client via a close-range communication connection. The second client de-serializes the set of unique identifiers and transmits a request to a communication session server to assume control of the communication session from the first client. A communication session server may perform an authentication of the second client that requires the second client to provide credentials associated with a user account. In some implementations, the present disclosure provides for the creation of a temporary use token that enables a client to temporarily acquire credentials associated with a user account.
    Type: Grant
    Filed: June 4, 2013
    Date of Patent: March 22, 2016
    Assignee: Google Inc.
    Inventors: Kareem Aladdin Nassar, Shrikrishna Vijaykumar Borde, Justin Mattson
  • Patent number: 9292680
    Abstract: A mobile terminal detection method and a mobile terminal. The method includes: reading a first international mobile equipment identity (IMEI) stored in a flash; comparing the first IMEI with a backup IMEI stored in a one-time programmable data (OTP) region which is prohibited from being modified; and disabling the mobile terminal when the first IMEI and the backup IMEI are inconsistent. In the present invention, the IMEI plaintext is directly backed up to the OTP region of the mobile terminal, and the value of the IMEI stored in the flash and the value of the backup IMEI are dynamically compared, so as to conveniently detect the legitimacy of the IMEI of the mobile terminal, effectively protect the IMEI number of the mobile terminal from being arbitrarily modified, and ensure the legitimate interests of users and operators.
    Type: Grant
    Filed: June 26, 2013
    Date of Patent: March 22, 2016
    Assignee: ZTE Corporation
    Inventor: Xiang Gao
  • Patent number: 9294501
    Abstract: A computerized method is described in which a received object is analyzed by a malicious content detection (MCD) system to determine whether the object is malware or non-malware. The analysis may include the generation of a fuzzy hash based on a collection of behaviors for the received object. The fuzzy hash may be used by the MCD system to determine the similarity of the received object with one or more objects in previously classified/analyzed clusters. Upon detection of a “similar” object, the suspect object may be associated with the cluster and classified based on information attached to the cluster. This similarity matching provides 1) greater flexibility in analyzing potential malware objects, which may share multiple characteristics and behaviors but are also slightly different from previously classified objects and 2) a more efficient technique for classifying/assigning attributes to objects.
    Type: Grant
    Filed: September 30, 2013
    Date of Patent: March 22, 2016
    Assignee: FireEye, Inc.
    Inventors: Ali Mesdaq, Paul L. Westin, III
  • Patent number: 9292670
    Abstract: The invention relates to a system and method for generating and authenticating one time dynamic password based on the context information related to a user. It involves retrieving user context information and generating a dynamic value based on that. The first one time dynamic password is generated at the user device using the first dynamic value and the user PIN. The first dynamic value along with the user identifier is sent to the authentication server. The authentication server sends the user identifier to the context management server. The context management server has access to the context information used to generate the first dynamic value and based on that they generate a second dynamic value. The authentication server receives this value and generates the second one time dynamic password and if it matches with the first one time dynamic password then the authentication server authenticates the first one time dynamic password.
    Type: Grant
    Filed: June 25, 2012
    Date of Patent: March 22, 2016
    Assignee: Infosys Limited
    Inventors: Puneet Gupta, Venkat Kumar Sivaramamurthy, Harigopal Kanaka Bapiraja Ponnapalli, Akshay Darbari
  • Patent number: 9294468
    Abstract: Disclosed is a method in which a portable device processor may generate an application-level certificate for an application installed on the portable device. The processor may, for example, insert an application name in a package name field of a self-signed device-level certificate of the portable device to generate an application-level self-signed certificate. A request to authenticate the application may be forwarded to the controller. The request may include the application-level certificate. The portable device processor may receive a request to form a secure communication channel between the portable device and the controller based on the authenticated application-level certificate. A controller may respond to a portable device request for services by authenticating an application-level certificate provided by the portable device so requested services may be securely provided to the portable device.
    Type: Grant
    Filed: June 10, 2013
    Date of Patent: March 22, 2016
    Assignee: Google Inc.
    Inventor: Timothy Kilbourn
  • Patent number: 9294283
    Abstract: The method for obtaining information relating to the integrity of an article (2) as assessed from an exposure of said article (2) to physical or environmental conditions during a time span during which said article (2) is transported comprises a) providing a device (1) to be located in proximity to said article (2) during said transport, digital certificate data (C) and first digital private key data (K1*) being stored in said device (1); d) storing in said device (1) data (I) related to said physical or environmental conditions, said data being referred to as integrity data (I); e) creating within said device (1) first digitally signed data (DS1) by digitally signing data comprising said integrity data (I) and said digital certificate data (C), using said first digital private key data (K1*); f) storing said first digitally signed data (DS1) in said device (1). A high degree of security against malpractice and data falsification can be achieved. A corresponding device (1) is also presented.
    Type: Grant
    Filed: August 27, 2012
    Date of Patent: March 22, 2016
    Assignee: Q-TAG AG
    Inventor: Christian Oertli
  • Patent number: 9292479
    Abstract: In one implementation, a computer-implemented method includes receiving a request to access an electronic document collection that integrates a plurality of electronic sub-documents that are each of one of a plurality of defined document types. The method also includes retrieving information that is associated with the document collection, wherein the retrieved information identifies a first sub-document of the plurality of sub-documents using a first non-address identifier, and identifying a first software application that is configured to provide access to the first sub-document. The method additionally includes initiating a first connection with a first server that causes execution of the identified first software application and that, using the first non-address identifier, provides access to the first sub-document.
    Type: Grant
    Filed: April 30, 2013
    Date of Patent: March 22, 2016
    Assignee: GOOGLE INC.
    Inventors: Farzad Khosrowshahi, Haluk Burcin Tunali, Lev Epshteyn, Joseph Wain, Scott M. Johnston, Mandy R. Sladden
  • Patent number: 9286487
    Abstract: This method comprises the steps of: choosing (1) a security parameter $n$; segmenting (2) the file in $n$ chunks $S_1, \ldots, S_n$; randomly choosing (3) $n^2$ coefficients $a_{ij}$ for $i = 1, \ldots, n$ and $j = 1, \ldots, n$; verifying (3) that the vectors $a_{i1}, \ldots, a_{in}$, for $i = 1, \ldots, n$, are linearly independent, otherwise generating the coefficients again; computing (4) $n$ linear combinations $C_i = a_{i1} S_1 + \ldots + a_{ij} S_j + \ldots + a_{in} \cdot S_n$, for $i = 1, n$; choosing (5) $n$ storage service providers $O_i, \ldots, O_n$ among said plurality of storage service provider; generating (6a; 6b; 6c) $n$ file identifiers $ID?_1, \ldots, ID?_n$ designating said file (F); storing (6a; 6b; 6c) the combination $C_i$ at the storage service provider $O_i$ in association with the file identifier $ID?_i$, for $i = 1, \ldots, n$; storing the file identifier $ID?_i$ and the provider identifier $O_i$, for $i = 1, \ldots, n$, in a file descriptor corresponding to the file (F), this file descriptor being stored in a local memory (LM); storing the set of coefficients $a_{i,1}$, . . .
    Type: Grant
    Filed: April 18, 2013
    Date of Patent: March 15, 2016
    Assignee: Alcatel Lucent
    Inventors: Abdullatif Shikfa, Serge Papillon
  • Patent number: 9286460
    Abstract: Devices and methods provide for enabling a user to use a single user authentication device such as a smart-card reader, such that the user is capable of securely interfacing with two or more isolated computers and enabling the user to authenticate and remain authenticated at multiple computers at the same time. Once the user removes the smart-card from the smart-card reader, the authentication session on all coupled computers is terminated at once. The user authentication device comprises: an authentication module connected via a channel selection switch to one of a plurality of channels, each interfacing with a respective coupled computer.
    Type: Grant
    Filed: August 15, 2012
    Date of Patent: March 15, 2016
    Inventors: Aviv Soffer, Oleg Vaisband
  • Patent number: 9288124
    Abstract: Systems and methods of classifying sessions are disclosed. A particular method includes monitoring user activity at one or more servers accessible via a network and capturing event entries in an activity log for user activity that is detected. The event entries include descriptive information regarding a user action, a client identifier and a session identifier. The method also includes attempting to classify sessions associated with a plurality of event entries of the activity log as legitimate use or illegitimate use of resources of the one or more servers. The method further includes identifying unclassified sessions. The method also includes determining a count of a number of unclassified sessions associated with a particular client identifier and determining a total number of sessions associated with the particular client identifier. The method further includes classifying the unclassified sessions as legitimate use or illegitimate use of the resources of the one or more servers.
    Type: Grant
    Filed: April 1, 2013
    Date of Patent: March 15, 2016
    Assignee: A9.com, Inc.
    Inventor: Tevye Rachelson Krynski
  • Patent number: 9286486
    Abstract: Disclosed are systems, methods and computer program products for copying encrypted and unencrypted files between data storage devices. In one aspect, the system detects a request to copy a file from a first data storage device to a second data storage device, determines one or more parameters of the copied file, the first data storage device and the second data storage device, selects, based on the one or more parameters, a file encryption policy for the copied file, and applies the selected encryption policy to the copied file.
    Type: Grant
    Filed: March 12, 2014
    Date of Patent: March 15, 2016
    Assignee: Kaspersky Lab AO
    Inventors: Evgeniya P. Kirikova, Alexander N. Makarov, Damir R. Shiyafetdinov
  • Patent number: 9286271
    Abstract: In one implementation, a computer-implemented method includes receiving a request to access an electronic document collection that integrates a plurality of electronic sub-documents that are each of one of a plurality of defined document types. The method also includes retrieving information that is associated with the document collection, wherein the retrieved information identifies a first sub-document of the plurality of sub-documents using a first non-address identifier, and identifying a first software application that is configured to provide access to the first sub-document. The method additionally includes initiating a first connection with a first server that causes execution of the identified first software application and that, using the first non-address identifier, provides access to the first sub-document.
    Type: Grant
    Filed: April 30, 2013
    Date of Patent: March 15, 2016
    Assignee: GOOGLE INC.
    Inventors: Farzad Khosrowshahi, Haluk Burcin Tunali, Lev Epshteyn, Joseph Wain, Scott M. Johnston, Mandy R. Sladden
  • Patent number: 9130937
    Abstract: In certain embodiments, a method includes receiving a message at a first network interface of a first node. The first network interface communicates with a first network while a second network interface communicates with a second network. The method includes determining a set of expected tokens and an expected order of tokens. A plurality of tokens are accessed that were generated for the message, each of the plurality of tokens associated with a policy service of a plurality of policy services. The method includes generating a plurality of decrypted tokens from the plurality of tokens using a first parameter associated with the plurality of policy services and validating the decrypted tokens by comparing the decrypted tokens to the set of expected tokens. In response to validating the decrypted tokens and determining that the decrypted tokens are in the expected order, an approval is generated.
    Type: Grant
    Filed: March 7, 2011
    Date of Patent: September 8, 2015
    Assignee: Raytheon Company
    Inventors: Jason E. Ostermann, Teresa M. Bieda, Matthew J. Hicks, Alan T. Huch, Richard J. Ernst, Shelli J. Richard
  • Patent number: 9129097
    Abstract: System and method for auditing for usage of licensed software in which a client executing the software generates and transmits a license key and a covert key to a server via network connection. The license key is transmitted to the server upon activation of the licensed software at the client. The covert key is generated based on at least a portion of the software code activated at the client and is transmitted to the server at random or at predetermined time intervals after transmission of the licensed key so as to avoid detection by a user. The license and covert keys are each associated with a device fingerprint that uniquely identifies the device transmitting each one of the respective keys. Unauthorized software usage at a client is determined at least when a covert key does not correspond to a device fingerprint having an associated license key.
    Type: Grant
    Filed: June 18, 2010
    Date of Patent: September 8, 2015
    Assignee: Uniloc Luxembourg S.A.
    Inventor: Craig Stephen Etchegoyen
  • Patent number: 9129121
    Abstract: Example embodiments provide various techniques for locating cryptographic keys stored in a cache. The cryptographic keys are temporarily stored in the cache until retrieved for use in a cryptographic operation. The cryptographic key may be located or found through reference to its cryptographic key identifier. In an example, a particular cryptographic key may be needed for a cryptographic operation. The cache is first searched to locate this cryptographic key. To locate the cryptographic key, the cryptographic key identifier that is associated with this cryptographic key is provided. In turn, the cryptographic key identifier may be used as an address into the cache. The address identifies a location of the cryptographic key within the cache. The cryptographic key may then be retrieved from the cache at the identified address and then used in the cryptographic operation.
    Type: Grant
    Filed: July 2, 2013
    Date of Patent: September 8, 2015
    Assignee: NetApp, Inc.
    Inventor: Joakim Tolfmans
  • Patent number: 9117056
    Abstract: A method and system for secure distribution of digital content, using a disintegration tool under control of a distributor of the digital content to divide the digital content into protected and unprotected segments, delivering the unprotected segments to the customer along with installation software and identification information. The segments to be protected are modified using the identification information on the distribution medium and hardware information unique to a particular customer device. Upon communication of this information from the customer device, the modified segments are sent to the customer device for integration with the unprotected segments to generate a modified digital content operable only on the particular customer device.
    Type: Grant
    Filed: June 11, 2013
    Date of Patent: August 25, 2015
    Assignee: VATARI CORPORATION
    Inventor: Marek Pesl