Patents Examined by Jeffrey Pwu
  • Patent number: 9460296
    Abstract: Systems, methods and media are provided for selective decryption of files. One method includes monitoring a secure file storage area including at least one file using a selective decryption process associated with the secure file storage area. Content of each of the at least one file is protected with an encryption. The method also includes detecting a request by an application program for one of the at least one file. The method further includes determining whether the application program needs to access the content of the requested file. The method also includes, when it is determined that the application program does not need to access the content of the requested file, allowing the application program to access the file content without decrypting the encryption.
    Type: Grant
    Filed: July 19, 2013
    Date of Patent: October 4, 2016
    Assignee: APPSENSE LIMITED
    Inventors: Travis Walton, Paul Delivett
  • Patent number: 9454677
    Abstract: Secure communication of user inputs is achieved by isolating part of an endpoint device such that certificates and encryption keys are protected from corruption by malware. Further, the communication is passed through a trusted data relay that is configured to decrypt and/or certify the user inputs encrypted by the isolated part of the endpoint device. The trusted data relay can determine that the user inputs were encrypted or certified by the protected certificates and encryption keys, thus authenticating their origin within the endpoint device. The trusted data relay then forwards the inputs to an intended destination. In some embodiments, the isolated part of the endpoint device is configured to detect input created by auto-completion logic and/or spell checking logic.
    Type: Grant
    Filed: November 14, 2014
    Date of Patent: September 27, 2016
    Assignee: Truedata Systems, Inc.
    Inventors: Peter Sinclair, James Lloyd, Michael Eynon
  • Patent number: 9455830
    Abstract: A method of securing user credentials in a remote repository is provided. In accordance with one embodiment, there is provided a method comprising generating a first private key and a first public key pair from a registered password; generating a second private key and a second public key pair; generating a storage key from the second private key and the first public key; encrypting a set of credentials using the storage key; creating an encrypted credential signature from the encrypted set of credentials and the first private key; and storing the encrypted set of credentials, the encrypted credential signature, and the second public key in the remote repository.
    Type: Grant
    Filed: June 13, 2014
    Date of Patent: September 27, 2016
    Assignees: BlackBerry Limited, Certicom Corp.
    Inventors: Avinash Chidambaram, Matthew John Campagna
  • Patent number: 9450919
    Abstract: A system and methodology that facilitates management and utilization of domain-specific anonymous customer references (ACRs) for protecting subscriber privacy across different domains is disclosed herein. In one aspect, on receiving user authorization, an ACR services (ACRS) component can generate an ACR that is to be inserted in a communication or message transmitted from a user equipment to an untrusted entity. The ACR can be generated based on address data associated with the untrusted entity and/or a unique subscriber identifier associated with the user equipment. As an example, the ACR creation component can generate the ACR based on a cryptographic hash, a static encryption key, and/or a dynamic encryption key. If the ACR is forwarded to a trusted entity, the trusted entity can calculate the unique subscriber identifier based on evaluating the ACR and/or exchange the ACR for the unique subscriber identifier via a secure communication with the ACRS component.
    Type: Grant
    Filed: August 24, 2012
    Date of Patent: September 20, 2016
    Assignee: AT&T INTELLECTUAL PROPERTY I, L.P.
    Inventors: Shahram Mohajeri, Bryan L. Sullivan
  • Patent number: 9451200
    Abstract: A technique processes captured data on a device, wherein selected captured data of a given quality resolution is transferred via a communication link to a separate storage location for future availability. A storage protocol may include different storage organization categories. A possible aspect includes an identifier record to enable future accessibility to selected captured data by one or more authorized parties or approved devices.
    Type: Grant
    Filed: November 7, 2006
    Date of Patent: September 20, 2016
    Assignee: Invention Science Fund I, LLC
    Inventors: Royce A. Levien, Robert W. Lord, Mark A. Malamud
  • Patent number: 9444632
    Abstract: A device for verifying at least one challenge-response pair includes a coherent light source configured to emit coherent light. A challenge creating device is configured to create an optical challenge to be sent to a physically unclonable function (PUF). A wavefront shaping device is configured to perform a verification based on an optical response from the physically unclonable function (PUF). A detector is configured to read out a result of the verification performed by the wavefront shaping device. A focusing device is configured to focus light exiting from the wavefront shaping device onto the detector for detection.
    Type: Grant
    Filed: July 30, 2013
    Date of Patent: September 13, 2016
    Assignees: UNIVERSITEIT TWENTE, TECHNISCHE UNIVERSITEIT EINDHOVEN
    Inventors: Pepijn W. H. Pinkse, Allard P. Mosk, Boris Škorić
  • Patent number: 9444847
    Abstract: A notification is received at a workload that indicates that a compliance policy update is available for the workload at a compliance policy management system. A synchronization manager on the workload pulls the compliance policy update from the compliance policy management system and deploys it to the workload.
    Type: Grant
    Filed: July 21, 2014
    Date of Patent: September 13, 2016
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Hao Zhang, Krishna Kumar Parthasarathy, JiYe Gao, Yongjun Xie, Rui Chen, Michael Wilde, David Alexander Blyth
  • Patent number: 9443074
    Abstract: Systems and methods for attesting to information about a computing resource involve electronically signed documents. For a computing resource, a document containing information about the resource is generated and electronically signed. The document may be provided to one or more entities as an attestation to at least some of the information contained in the document. Attestation to information in the document may be a prerequisite for performance of one or more actions that may be taken in connection with the computing resource.
    Type: Grant
    Filed: December 6, 2013
    Date of Patent: September 13, 2016
    Assignee: Amazon Technologies, Inc.
    Inventors: Cornelle Christiaan Pretorius Janse Van Rensburg, Mark Joseph Cavage, Marc John Brooker, David Everard Brown, Abhinav Agrawal, Matthew S. Garman, Kevin Ross O'Neill, Eric Jason Brandwine, Christopher Richard Jacques de Kadt
  • Patent number: 9445269
    Abstract: Disclosed is a method for terminal identity verification and service authentication. After initiating a service request, the terminal generates a user unique code according to user-specific information in an SIM card, and encrypts a name of the user-specific information, and then transmits the encrypted name of the user-specific information together with the user unique code to a credible cloud control center; a service provider generates a unique code according to its own specific information, and transmits an encrypted name of its own specific information together with the generated unique code to the credible cloud control center; and the credible cloud control center authenticates the terminal and the service provider according to their respective unique codes, and when determining that both of them pass the authentication, transmits a communication code to both of them so that they communicate with each other according to the communication code to complete a current service.
    Type: Grant
    Filed: July 17, 2013
    Date of Patent: September 13, 2016
    Assignee: ZTE CORPORATION
    Inventor: Xiao Jiang
  • Patent number: 9444787
    Abstract: The present invention relates to a non-intrusive method and apparatus for automatically dispatching security rules in a cloud environment. The method comprises: forming a composition application model of an application in the cloud environment, said composition application model including at least types of various servers for deploying said application; generating a topology model of said various servers in the cloud environment; automatically generating security rules to be adopted by the server-side firewalls of respective servers based on the application context of said application, said composition application model and said topology model; and dispatching said security rules to each server-side firewall based on said composition application model and topology model.
    Type: Grant
    Filed: September 12, 2012
    Date of Patent: September 13, 2016
    Assignee: GLOBALFOUNDRIES INC.
    Inventors: Bo Gao, Steven D. Ims, Ling Lan, Jason R. McGee, Li Yi, Yu Zhang
  • Patent number: 9438592
    Abstract: The system and method described herein may provide unified transport and security protocols. In particular, the unified transport and security protocols may include a Secure Frame Layer transport and security protocol that includes stages for initially configuring a requester device and a responder device, identifying the requester device and the responder device to one another, and authenticating message frames communicated between the requester device and the responder device. Additionally, the unified transport and security protocols may further include a Secure Persistent User Datagram Protocol that includes modes for processing message frames received at the requester device and the responder device, recovering the requester device in response to packet loss, retransmitting lost packets sent between the requester device and the responder device, and updating location information for the requester device to restore a communications session between the requester device and the responder device.
    Type: Grant
    Filed: April 4, 2014
    Date of Patent: September 6, 2016
    Assignee: Aunigma Network Security Group
    Inventors: Kenneth W. Garrard, Karl E. Elliott, Andy Huang
  • Patent number: 9438597
    Abstract: A validating device receives, from a client device associated with a user, a representation for a first credential associated with the user. The validating device validates the representation for the first credential associated with the user based on data derived from the representation for the first credential associated with the user and identification data associated with the validating device. The validating device obtains a first set of data associated with the user and a second set of data associated with the user. The second set of data is different from the first set of data. The first set of data is obtained based on verifying the identification data associated with the validating device. Obtaining the second set of data is independent of verifying the identification data associated with the validating device.
    Type: Grant
    Filed: October 22, 2013
    Date of Patent: September 6, 2016
    Assignee: MicroStrategy Incorporated
    Inventors: Jeff Taylor, Siamak Ziraknejad
  • Patent number: 9430662
    Abstract: Disclosed are methods and devices for provisioning authorization claims, which are enforced to control access of users to objects (resources) in a computer system, and which are to be equivalent to an attribute-based access control (ABAC) policy. A policy converter according to the invention includes a policy processor processing the policy by partial evaluation against attribute values of the users, objects or permission levels in the system and outputting simplified policies, which are subject to reverse evaluation in a reverse policy evaluator, whereby users, objects and permission levels to be associated by way of a single authorization claim are obtained. Responsible for the defining of the authorization claim and its distribution in the computer system are an authorization claim generator and an authorization claim distribution interface. The invention may be so configured as to return a single authorization claim for each combination of an object and a permission level.
    Type: Grant
    Filed: December 15, 2014
    Date of Patent: August 30, 2016
    Assignee: AXIOMATICS AB
    Inventors: Pablo Giambiagi, Peter Piotr Karpinski
  • Patent number: 9424442
    Abstract: The embodiments of the present invention disclose a nonvolatile memory and an electronic device, where each time the nonvolatile memory is powered on, an exchanger is used to implement a random exchange of at least one address subsignal and its inverted signal in a bank decoder and/or a row decoder in a bank and/or a column decoder in a bank, which causes that data stored before the nonvolatile memory is powered off is interrupted when the nonvolatile memory is powered off and then powered on and that data stored in the nonvolatile memory cannot be read sequentially from original storage addresses to achieve an encrypting effect and increase security of the data stored in the nonvolatile memory.
    Type: Grant
    Filed: December 3, 2014
    Date of Patent: August 23, 2016
    Assignee: HUAWEI TECHNOLOGIES CO., LTD.
    Inventor: Yansong Li
  • Patent number: 9424405
    Abstract: The described embodiments comprise an electronic device that executes an application, the electronic device including a processing subsystem. In these embodiments, the processing subsystem is configured to acquire a receipt associated with the application, wherein the application was purchased by a purchasing entity and installed on the electronic device after being assigned to a user of the electronic device by the purchasing entity. The processing subsystem is further configured to determine, using the receipt, if the application has expired. When the application has not expired, the processing subsystem is configured to execute the application with predetermined functions of the application enabled. When the application has expired, the processing subsystem is configured to execute the application with the predetermined functions of the application disabled.
    Type: Grant
    Filed: June 7, 2013
    Date of Patent: August 23, 2016
    Assignee: APPLE INC.
    Inventors: Thomas M. Alsina, Todd R. Fernandez, Jean-Pierre Ciudad, Raymond N. Walsh, Sean B. Kelly
  • Patent number: 9426118
    Abstract: Systems and techniques for granting of network access to a new network device are described. Specifically, various techniques and systems are provided for connecting a new network device to a network and limiting access of the network device while authenticating the new network device. Exemplary embodiments of the present invention include a computer-implemented method.
    Type: Grant
    Filed: October 28, 2014
    Date of Patent: August 23, 2016
    Assignee: BELKIN INTERNATIONAL INC.
    Inventor: Ryan Yong Kim
  • Patent number: 9426174
    Abstract: A method and system for managing data traffic and protecting computing assets. The method and system includes analyzing HTTP requests to determine if the HTTP requests are overly segmented, and, if the HTTP request is overly segmented, blocking and/or black-listing the malevolent communications and computing device. The analysis to determine if an HTTP request is overly segmented includes comparing the packet's size to a threshold, identifying the packet's content or lack thereof, identifying whether the packet is the last packet in a communication, and identifying whether the packet ends with the “\n” ASCII character.
    Type: Grant
    Filed: December 5, 2013
    Date of Patent: August 23, 2016
    Assignee: Arbor Networks, Inc.
    Inventor: Aaron Campbell
  • Patent number: 9424416
    Abstract: A computing device can enable a user to navigate to an application or other digital object directly from a lock screen of the device. A user can specify a credential, such as a short code, that is associated with a specific application. If the credential is recognized, the device can be unlocked and the corresponding application displayed. The user can then be granted full or partial access to functionality and/or data of the device, as may depend at least in part upon the type of credential or a level of access specified for the credential. The credential can be based at least in part upon, or independent of, a general unlock credential for the device. In some embodiments, the user can be able to specify the amount and/or type of access to be granted under a credential, such as access only to utilize the corresponding application.
    Type: Grant
    Filed: July 2, 2013
    Date of Patent: August 23, 2016
    Assignee: Amazon Technologies, Inc.
    Inventor: Mihir Kumar Choudhary
  • Patent number: 9424401
    Abstract: Licenses to software services are assigned automatically to users as a function of one or more user attributes. An attribute can include membership in a group such as a license group or a security group, among other things such as location. License assignments can also be retracted automatically upon changes in one or more user attributes.
    Type: Grant
    Filed: March 15, 2012
    Date of Patent: August 23, 2016
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Clifford Didcock, Corinne Pascale, Jono Luk, Girish Chander
  • Patent number: 9419985
    Abstract: Identifying a behavior of a service is disclosed. A predetermined interrogation packet that corresponds to a hypothesis is sent to a network communication port of a receiver. The predetermined packet is one of a plurality of predetermined interrogation packets sent to the network communication port. The hypothesis is consistent with a behavior of a corresponding service. The predetermined interrogation packet invites an expected action. The expected action is detected. It is determined that the behavior of the service that corresponds to the hypothesis is operating.
    Type: Grant
    Filed: June 10, 2013
    Date of Patent: August 16, 2016
    Assignee: Morta Security Inc
    Inventors: Robert Seger, Vishaal Hariprasad