Patents Examined by Jeffrey D. Popham
  • Patent number: 10133875
    Abstract: A server in a digital rights management system implements version control for the digital documents being managed. Each document belongs to a document series and has a version number. The server maintains a version control database table that stores, for each document, the document series name and version number, and parameters indicating whether the document is obsoleted or deleted. When registering a new document, based on auto-obsolete and auto-delete parameters inputted by the user, the server automatically obsoletes or deletes certain older version documents that belong to the same series as the new document. The server controls access to the documents so that obsoleted documents will not be accessible to users even if they still have local copies of such documents. When a user requests access to an older version document that is not obsoleted, the server may allow access to the latest version document instead.
    Type: Grant
    Filed: January 29, 2016
    Date of Patent: November 20, 2018
    Assignee: KONICA MINOLTA LABORATORY U.S.A., INC.
    Inventor: Rabindra Pathak
  • Patent number: 10129271
    Abstract: A method of tracking users over network hosts based on behavior includes analyzing data representing behavior of active network hosts during two or more time windows at a computing apparatus having connectivity to a network. Based on the analyzing, a profile is generated for each network host active in the network during the two or more time windows. Similarity between the profiles for the two or more time windows is determined and, based on the similarity, it may be determined that an identity associated with one of the active network hosts during a time window of the two or more time windows has changed.
    Type: Grant
    Filed: May 28, 2015
    Date of Patent: November 13, 2018
    Assignee: Cisco Technology, Inc.
    Inventors: Jan Mrkos, Martin Grill, Jan Kohout
  • Patent number: 10108558
    Abstract: Provided is a data storage drive for encrypting data, comprising a microprocessor and circuitry coupled to the microprocessor and adapted to receive a session encrypted data key and to decrypt the session encrypted data key using a session key, wherein a result is a data key that is capable of being used to encrypt clear text and to decrypt cipher text written to a storage medium. Also provided is a system, comprising a microprocessor and circuitry coupled to the microprocessor and adapted to receive a session encrypted data key and to decrypt the session encrypted data key using a private key, wherein a result is a secret key that is capable of being used to encrypt clear text and to decrypt cipher text written to a storage medium.
    Type: Grant
    Filed: June 8, 2017
    Date of Patent: October 23, 2018
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Paul M. Greco, Glen A. Jaquette, Scott J. Schaffer
  • Patent number: 9996688
    Abstract: Solutions for controlling access to computer applications or data are disclosed. For instance, certain systems advantageously secure access to applications and data by not allowing the file to launch if conditions acceptable to opening the file are not met, even when the user or computer has the authority to access the file. In other instances, certain systems advantageously secure access to applications and data by not allowing the file to launch if the user credentials are not validated, even when the conditions acceptable to opening the file are met.
    Type: Grant
    Filed: October 28, 2010
    Date of Patent: June 12, 2018
    Assignee: Quest Software Inc.
    Inventor: Nicholas John Cavalancia, II
  • Patent number: 9910969
    Abstract: A system, method, and device includes a platform data storage that stores a wrap that secures an executable controller and executable sensors. The wrap is verified, optionally through a downloaded authentication driver. After verifying the wrap, the wrap is opened and a sister of the executable controller is installed into the platform memory to cooperate with the executable controller. Additionally or alternatively, the authentication driver may cooperate with the executable controller. The executable controller allows the platform processor to access data secured in a vault and/or verify the platform to create a connection to an application server.
    Type: Grant
    Filed: September 25, 2017
    Date of Patent: March 6, 2018
    Inventors: Wayne Odom, Karolyn Gee
  • Patent number: 9900314
    Abstract: The present invention provides a system, method and apparatus for increasing relevance of a content provided to a visitor by a content provider by providing one or more server computers and at least one data storage communicably coupled to the one or more server computers, receiving at least a portion of a visitor token and at least a portion of a content provider token at the one or more server computers from a content provider device, determining whether a release of an anonymous unfilled demand for the visitor is authorized based on the visitor token, the content provider token and one or more preferences stored in the at least one data storage, and sending at least a portion of the anonymous unfilled demand for the visitor to the content provider device when the release is authorized.
    Type: Grant
    Filed: March 17, 2014
    Date of Patent: February 20, 2018
    Inventor: Douglas Peckover
  • Patent number: 9854289
    Abstract: A method and apparatus for secure multimedia transfer provides an encrypted data transfer system that makes transferring multimedia content from a client to any incompatible system or to a system outside the location of the client very difficult.
    Type: Grant
    Filed: August 15, 2014
    Date of Patent: December 26, 2017
    Assignee: TIVO SOLUTIONS INC.
    Inventors: James M. Barton, David Platt
  • Patent number: 9825960
    Abstract: Systems, methods, and other embodiments are disclosed that are configured to generate a hierarchy of access rules in a protocol stack. Access rules corresponding to a first layer in a protocol stack are analyzed. The access rules determine, at the first layer, whether network sources are permitted access to a computing device. Dependent access rules are generated based at least in part on a combination of the access rules from the first layer. The dependent access rules are pushed down to a second layer in the protocol stack by implementing the dependent access rules at the second layer to determine, at the second layer, whether the network sources are permitted access to the computing device.
    Type: Grant
    Filed: May 29, 2015
    Date of Patent: November 21, 2017
    Assignee: ORACLE INTERNATIONAL CORPORATION
    Inventors: Feroz Alam Khan, Bhaskar Mathur, Kant C. Patel
  • Patent number: 9807608
    Abstract: Methods and instrumentalities are disclosed that enable one or more domains on one or more devices to be owned or controlled by one or more different local or remote owners, while providing a level of system-wide management of those domains. Each domain may have a different owner, and each owner may specify policies for operation of its domain and for operation of its domain in relation to the platform on which the domain resides, and other domains. A system-wide domain manager may be resident on one of the domains. The system-wide domain manager may enforce the policies of the domain on which it is resident, and it may coordinate the enforcement of the other domains by their respective policies in relation to the domain in which the system-wide domain manager resides. Additionally, the system-wide domain manager may coordinate interaction among the other domains in accordance with their respective policies.
    Type: Grant
    Filed: April 20, 2010
    Date of Patent: October 31, 2017
    Assignee: InterDigital Patent Holdings, Inc.
    Inventors: Inhyok Cha, Louis J. Guccione, Yogendra C. Shah, Andreas U. Schmidt, Sudhir B. Pattar
  • Patent number: 9767323
    Abstract: Systems and methods of providing spatial security of data stored on a hard disk drive. A method includes associating a user with at least one track and/or sector of the hard disk drive. The method also includes locking the at least one track and/or sector as a default setting. The method additionally includes determining the user has moved into a predefined area. The method further includes unlocking the at least one track and/or sector based on the determining the user has moved into the predefined area.
    Type: Grant
    Filed: March 15, 2013
    Date of Patent: September 19, 2017
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Blaine H. Dolph, Sandeep R. Patil, Riyazahamad M. Shiraguppi, Gandhi Sivakumar, Matthew B. Trevathan
  • Patent number: 9747223
    Abstract: Provided is a data storage drive for encrypting data, comprising a microprocessor and circuitry coupled to the microprocessor and adapted to receive a session encrypted data key and to decrypt the session encrypted data key using a session key, wherein a result is a data key that is capable of being used to encrypt clear text and to decrypt cipher text written to a storage medium. Also provided is a system, comprising a microprocessor and circuitry coupled to the microprocessor and adapted to receive a session encrypted data key and to decrypt the session encrypted data key using a private key, wherein a result is a secret key that is capable of being used to encrypt clear text and to decrypt cipher text written to a storage medium.
    Type: Grant
    Filed: February 20, 2015
    Date of Patent: August 29, 2017
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Paul M. Greco, Glen A. Jaquette, Scott J. Schaffer
  • Patent number: 9722974
    Abstract: A re-encryption service module in a multi-tiered encryption system that manages key rotation policies continuously or periodically re-encrypts data. Each encryption tier in the system can include a node programmed to service encryption, decryption, and/or re-encryption requests and a key store to store encryption keys. A computing node that interfaces with a requesting device may include the re-encryption service module. The re-encryption module may receive encrypted data and a key identifier identifying the key used to encrypt the data. The re-encryption module may decrypt the encrypted data using the identified key, retrieve a new key if the identified key is exhausted, and use the new key to encrypt the decrypted data. The key identifier may be updated to identify the new key and the re-encrypted data and the updated key identifier may be transmitted to the requesting device.
    Type: Grant
    Filed: December 18, 2014
    Date of Patent: August 1, 2017
    Assignee: AbeBooks Inc.
    Inventors: Erik James Fuller, Ali Mustafa Nassaje, Julie Anne Margaret Sparrow, Volker R. A. Tilgner, Kerry Michael Wright
  • Patent number: 9698979
    Abstract: A system for securely moving data from one location to another exchanges key material between the locations. The system enables cryptosystems to use key material distributed over a quantum channel.
    Type: Grant
    Filed: April 16, 2012
    Date of Patent: July 4, 2017
    Assignee: QUINTESSENCELABS PTY LTD.
    Inventors: Warren Armstrong, Raymond Chan, Ken Li Chong, Russell Koehne, Andrew Lance, John Leiseboer, Milind Neharkar, Vikram Sharma, H'sien Jin Wong
  • Patent number: 9659181
    Abstract: A system and method of dynamically altering the encoding, structure or other attribute of a cryptographic key, typically a license activation key, to render useless keys that have been created by illegal key generation “cracks”. An encoding/decoding engine provides a plurality of key obfuscation algorithms that may alter the structure, encoding or any other attribute of a given key. A changeable combination code is supplied to the encoding/decoding engine that specifies a subset of the algorithms to apply during the encoding or decoding phase. The encoding engine is used during key generation and the decoding engine used during key usage. The same combination code must be used during decoding as was used during encoding to recover the original key or a valid key will not be recovered. Thus, a system can be rapidly re-keyed by selecting a new combination of encoding/decoding algorithms. The selection of algorithms comprises a combination code.
    Type: Grant
    Filed: August 26, 2015
    Date of Patent: May 23, 2017
    Assignee: III Holdings 12, LLC
    Inventor: David Aldis
  • Patent number: 9654511
    Abstract: A cloud data protection system protects cloud data of an enterprise. A protection policy for the enterprise is established by an administrator of the enterprise. The protection policy describes one or more types of cloud data protection to provide to the enterprise's cloud data. The cloud data protection system examines the protection policy to identify cloud data associated with the enterprise to access in order to implement the policy, and uses a personality object to retrieve the identified cloud data from one or more cloud services. The cloud data protection system performs one or more protection actions on the retrieved cloud data. The protection actions can include scanning the cloud data for malicious software, for compliance with a data loss prevention policy, or for data matching a discovery specification. The protection actions can also include archiving or backing up the cloud data.
    Type: Grant
    Filed: August 12, 2015
    Date of Patent: May 16, 2017
    Assignee: Veritas Technologies LLC
    Inventors: Matthew Brocco, Steven R. DeVos
  • Patent number: 9621538
    Abstract: A method and system for providing a first network resource with secure but limited access to a second network resource. A method embodying the invention includes receiving a request to access the second resource. It is verified that the source of the request is the first resource. It is then verified that the request was originated by a user through, for example, a web browser, and then a user's credentials are authenticated. Only when the request can be properly verified and the user credentials authenticated, is access to the second resource granted. Beneficially, the first resource cannot access the second without the user's knowledge or, at least, implicit consent.
    Type: Grant
    Filed: July 10, 2002
    Date of Patent: April 11, 2017
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Ward Scott Foster, Robert John Madril, Jr., Shell Sterling Simpson
  • Patent number: 9584484
    Abstract: The present disclosure relates to systems and methods for providing secure support to virtual appliances delivered to customer sites without passwords or enabled ports for service. A virtual appliance may be established on a first device. The virtual appliance may comprise a self-contained virtual machine with a pre-installed operating system and may be established with no root password enabled and a remote access port disabled. An administration tool may receive from a requestor a request to enable maintenance for the virtual appliance. The administration tool may generate, responsive to the request, a random password. The administration tool may enable, responsive to the request, the remote access port. The virtual appliance may wait for a connection to the remote access port for a predetermined period of time. The administration tool may transmit the random password to a service of a second device remote to the first device.
    Type: Grant
    Filed: July 1, 2015
    Date of Patent: February 28, 2017
    Assignee: Citrix Systems, Inc.
    Inventors: Simon Frost, Haihua Huang
  • Patent number: 9571213
    Abstract: A tag generation method for generating tags used in data packets in a broadcast encryption system is provided. The method includes detecting at least one revoked leaf node; setting a node identification (node ID) assigned to at least one node among nodes assigned node IDs at a layer 0 and to which the at least one revoked leaf node is subordinate, to a node path identification (NPID) of the at least one revoked leaf node at the layer 0; generating a tag list in the layer 0 by combining the NPID of each of the at least one revoked leaf nodes at the layer 0 in order of increment of node IDs of the corresponding at least one revoked leaf nodes; and generating a tag list in a lowest layer by repeatedly performing the setting and generation operation down to the lowest layer.
    Type: Grant
    Filed: June 29, 2012
    Date of Patent: February 14, 2017
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Weon-il Jin, Maeng-hee Sung, Dae-youb Kim, Hwan-joon Kim
  • Patent number: 9491620
    Abstract: A method for obtaining a secure connection between a first server and a client. The method may comprise establishing a secure communication session between a second server and the client, wherein the second server is trusted by the first server, and the second server is configured to authenticate the client. The client may receive a client token, wherein the client token contains data associated with the first server, the second server, the client, and a digital signature. Then, the client may request secure communication access to the first server, wherein the request includes transferring the client token to the first server. Finally, the client may receive a grant of secure communication access to the first server based on authentication of the client by the first server, wherein the authentication is based on the client token validating the client and the digital signature validating the client token.
    Type: Grant
    Filed: February 7, 2013
    Date of Patent: November 8, 2016
    Assignee: QUALCOMM Incorporated
    Inventors: Stephen William Edge, Andreas Klaus Wachter, Philip Michael Hawkes
  • Patent number: 9379896
    Abstract: The compromised password mitigation module comprises a compromised password collection module, compromised password storing module, a logging module, account protection module and user database. The compromised password collection module receives or gathers sets of login names, compromised password hashes and hash functions. The compromised password collection module provides this gathered information to the compromised password storing module. The compromised password storing module stores this information in user records in the user database. The compromised password hashes and hash functions are advantageously stored along with the actual password hash. The logging module uses the user records when evaluating access to determine whether a submitted password matches both a compromised password hash and an actual password hash. If a match is found, access to the system is denied and additional protective action is taken by the account protection module. If no match is found, the user is allowed to access the system.
    Type: Grant
    Filed: October 24, 2011
    Date of Patent: June 28, 2016
    Assignee: GOOGLE INC.
    Inventor: Alon Altman