Abstract: Methods, systems, and computer-readable storage media for selecting columns for using searchable encryption to query a database storing encrypted data. Implementations include actions of receiving a set of search indices, receiving a search token, and in response: searching at least one search index of the set of search indices based on the search token, and determining that the at least one search index is absent an entry corresponding to the search token, and in response, receiving one or more identifiers, each identifier being associated with a respective ciphertext that is determined to be responsive to the search token, and updating the at least one index to include an entry based on the search token and the one or more identifiers; and transmitting search results, the search results including the one or more ciphertexts that are determined to be responsive to the search token.

Abstract: Concepts and technologies are disclosed herein for preventing spoofing attacks for bone conduction applications. According to one aspect, a device can receive an authentication signal that has propagated through a body. The device can prevent an adversary from using the authentication signal to spoof a user to be authenticated by the device. The device can also authenticate the user.

Abstract: Methods and systems are disclosed for key management for on-the-fly hardware decryption within an integrated circuit. Encrypted information is received from an external memory and stored in an input buffer within the integrated circuit. The encrypted information includes one or more encrypted key blobs. The encrypted key blobs include one or more secret keys for encrypted code associated with one or more encrypted software images stored within the external memory. A key-encryption key (KEK) code for the encrypted key blobs is received from an internal data storage medium within the integrated circuit, and the KEK code is used to generate one or more key-encryption keys (KEKs). A decryption system then decrypts the encrypted key blobs using the KEKs to obtain the secret keys, and the decryption system decrypts the encrypted code using the secret keys. The resulting decrypted software code is then available for further processing.

Abstract: Methods of securely authenticating a host to a storage system are provided. A series of authentication sessions are illustratively performed. Each of the authentication sessions includes the host transmitting an authentication request to the storage system. The storage system authenticates the host based at least in part upon a content of the authentication request. After each successful authentication of the host to the storage system, an encryption key that was utilized in encrypting the authentication request that was transmitted to the storage system is deleted. After each encryption key deletion, a new encryption key that is different than the previous key is optionally stored and is utilized in the next authentication session.

Abstract: A method for authenticating messages is provided. The method includes calculating a hash value based on a key and a message count value and receiving a data message associated with the message count value. The method includes receiving an authentication message that includes the message count value and a message authentication code derived from the data message, the message count value and the key. The method includes applying portions of the data message to look up portions of the hash value and combining the portions of the hash value to form a verification version of the message authentication code. The method includes determining whether the message authentication code matches the verification version of the message authentication code.

Abstract: A system for secure information storage and delivery includes a vault repository that includes a secure vault associated with a user, wherein the secure vault is associated with a service level including at least one of a data type or a data size limit associated with the secure vault, the secure vault being adapted to receive and at least one data entry and securely store the at least one data entry if the at least one of a size or a type of the at least one data entry is consistent with the service level. A mobile vault server coupled to the vault repository creates a mobile vault on a mobile device based on the secure vault and is capable of authenticating the mobile device based on user authentication information. The mobile vault server includes a mobile device handler that communicates with the mobile device.

Abstract: A method and apparatus for a non-revealing do-not-contact list system in which a do-not-contact list of one-way hashed consumer contact information is provided to a set of one or more entities. The set of entities determine whether certain consumers wish to be contacted with the do-not-contact list without discovering actual consumer contact information.

Abstract: Systems, device and techniques are disclosed for automatically determining a permission setting that indicates whether a permission is granted or denied to the application. The automatic determination may be made based on a previous selection by a user. Alternatively, an indication of a permission may be provided to a user and an indication of a permission setting may be received from the user. The permission setting received from the user may be assigned to a permission to an application. Permissions provided to a user may be ordered in a list based on permission or application popularity or frequency.

Abstract: In a network authentication method, upon receipt of correct user login data from a user terminal, a content-provider server transmits a verification request to a verification server via a communication network. After receiving hardware identification data and positioning information, which are associated with the user terminal and a portable personal electronic device carried by a user, the verification server transmits a verification reply indicating successful authentication of the identity of the user when the hardware identification data is successfully verified while the positioning information indicates that the portable personal electronic device is in close proximity to the user terminal.

Abstract: Personal Digital Server (“PDS”) is a unique computer application for the storage, updating, management and sharing of all types of digital media files, including audio, video, images and documents, irrespective of their format. PDS provides users with a single location to store and access, both locally and remotely, all of their digital media. It also provides the user total control of the overall management of these assets.

Abstract: A computer-implemented system and method for secure electronic message exchange including coupling a control platform to a workstation of a plurality of workstations via a communications medium, where the control platform includes one or more apparatuses for monitoring, controlling, conversion, and billing, related to messages exchanged between a plurality of local, users and a plurality of remote users. The system, prevents forwarding or copying of a message sent by a local user of the plurality of local users and received by a remote user of the plurality of remote users, to another party by the control platform. The system and method also provides for authenticating the remote user with the control platform.

Abstract: A system and method is disclosed that enables the display of permits and/or permit information related to a specific location, collection of permitting data onsite, comparison of the onsite data to permitted constraints, and reporting the results of the inspection (as required under the appropriate regulatory policy or as requested by the organization or entity being inspected), as well as sending immediate notifications, as appropriate, to decision makers. In certain embodiments, the system and method may also offer predictions on the likelihood of an enforcement action against the organization given factors such as, but not limited to, the type of violation, degree of violation, and enforcement actions against others for similar violations. In other embodiments, the system and method allows the permittee to mitigate the risk of a violation by notifying emergency personnel in addition to decision makers within the organization.

Abstract: The invention provides systems, methods and devices for performing passcode authentication. In one embodiment of the invention, a method of performing passcode authentication conducted at a mobile device is provided which comprises the steps of: receiving an authentication request from a security gateway; receiving a passcode entered by a user of the mobile device; comparing the entered passcode to a passcode offset securely stored in a hardware security module (HSM) coupled to the mobile device; and, if the entered passcode corresponds with the passcode offset, generating a secure authentication confirmation message and transmitting the confirmation message to the security gateway; or, if the entered passcode does not correspond with the passcode offset, generating a secure authentication denial message and transmitting the authentication denial message to the security gateway.

Abstract: Methods and systems for a security-activated production device include but are not limited to obtaining access to an object data file configured to produce one or more objects on the production device; verifying an authorization code associated with the object data file; and controlling operation of the production device to enable or prevent production of the one or more objects pursuant to the authorization code in accordance with one or more predetermined conditions.

Abstract: Implementations for a secure remote kernel module signing are disclosed. In one example, the method includes receiving an indicator of a public key associated with a client computing device, determining that the public key associated with the client computing device is in common with a public key associated with a first server computing device, compiling the script, signing the compiled script with a private key that is associated with the public key that is in common with the client computing device and the first server computing device without generating a new private key, and sending the signed compiled script to the client computing device.

Abstract: A computer-implemented method for securing data and computer systems is described. In one embodiment, a request to connect to a server is received at an intermediary network device. It is detected, at the intermediary network device, that the server uses a one-time password (OTP) protocol. Based at least in part on the detecting that the server uses an OTP protocol, an action is performed by the intermediary network device. The action may include blocking, at the intermediary network device, a connection other than the connection to the server that uses the OTP protocol.

Abstract: Selective regulation of information transmission from mobile applications to a third-party privacy compliant target system. A privacy policy is configured for and mapped to each of a multiplicity of mobile application concerns, with each privacy policy comprising rules regulating the transmission of information to a third-party privacy compliant target system. Instrumentation instructions can be integrated with a mobile application and provided to a mobile device. The instrumentation instructions direct the mobile application to submit a privacy policy request comprising a mobile application identifier from the mobile device to a third-party privacy compliance system and enable sending information from the mobile device to the third-party privacy compliant target system, subject to the privacy policy.

Abstract: An apparatus and method are disclosed for determining authentication frequency (i.e., the length of time between authenticating and re-authenticating a user) and challenge type (e.g., username/password, fingerprint recognition, voice recognition, etc.) based on what software applications a user is running on a data-processing system, and how those applications are being used (e.g., what functions are used, what data is input to or output by the application, how often and for how long applications are used, what input devices and output devices are used, etc.) Advantageously, the illustrative embodiment enables authentication frequency and challenge type to be adjusted based on the likelihood of malicious activity and/or the potential cost of malicious activity, as inferred from current and past application usage. In addition, the illustrative embodiment enables selection of an authentication challenge type that is less intrusive to a user based on current application usage.

Abstract: Disclosed is a system and method for restoring modified data. An example method includes intercepting, by an activity tracking module, a request from a program to modify data; determining, by an analysis module, parameters of the intercepted request; generating, by the analysis module, a request to generate a backup copy of the data based on at least one of the determined parameters of the intercepted request; and generating and storing, by a backup module, the backup copy of the data in an electronic database.

Abstract: Preventing return-oriented programming exploits by identifying a set of contiguous computer software instructions extending from a first location within a computer memory to a second location within the computer memory, where the set of computer software instructions includes a return-oriented programming gadget, copying the set of computer software instructions to extend from a third location within the computer memory to a fourth location within the computer memory, placing a branching instruction at the first memory location, where the branching instruction branches to the third location, appending a return branching instruction to the copy of the set of computer software instructions, where the return branching instruction branches to a fifth location within the computer memory that immediately follows the second location, and overwriting at least a portion of the return-oriented programming gadget between the first location and the second location.