Patents Examined by Tae Kim
  • Patent number: 9560024
    Abstract: A system and method for establishing a pairwise temporal key (PTK) between two devices based on a shared master key and using a single message authentication code (MAC) algorithm is disclosed. The devices use the shared master key to independently compute four MACs representing the desired PTK, a KCK, and a first and a second KMAC. The Responder sends its first KMAC to the Initiator, which retains the computed PTK only if it verifies that the received first KMAC equals its computed first KMAC and hence that the Responder indeed possesses the purportedly shared master key. The Initiator sends a third message including the second KMAC to the Responder. The Responder retains the computed PTK only if it has verified that the received second KMAC equals its computed second KMAC and hence that the Initiator indeed possesses the purportedly shared master key.
    Type: Grant
    Filed: January 9, 2015
    Date of Patent: January 31, 2017
    Assignee: TEXAS INSTRUMENTS INCORPORATED
    Inventor: Jin-Meng Ho
  • Patent number: 9560036
    Abstract: A method to enable access to resources hosted in a compute cloud begins upon receiving a registration request to initiate a user's registration to use resources hosted in the compute cloud. During a registration process initiated by receipt of the registration request, a federated single sign-on (F-SSO) request is received. The F-SSO request includes an assertion (e.g., an HTTP-based SAML assertion) having authentication data (e.g., an SSH public key, a CIFS username, etc.) for use to enable direct user access to a resource hosted in the compute cloud. Upon validation of the assertion, the authentication data is deployed within the cloud to enable direct user access to the compute cloud resource using the authentication data. In this manner, the cloud provider provides authentication, single sign-on and lifecycle management for the user, despite the “air gap” between the HTTP protocol used for F-SSO and the non-HTTP protocol used for the user's direct access to the cloud resource.
    Type: Grant
    Filed: July 8, 2010
    Date of Patent: January 31, 2017
    Assignee: International Business Machines Corporation
    Inventors: Heather M. Hinton, Steven A. Bade, Jeb Linton, Peter Rodriguez
  • Patent number: 9558493
    Abstract: A registered provider device encrypts provider input related to a transaction between the provider device and one of many registered user devices to create an encrypted one-time-use provider code (the encryption is performed using an encryption key produced, in part, using a uniquely sequenced number generated by a sequencer maintained by the provider device). Similarly, a provider institution app encrypts user input to create an encrypted one-time-use user code using an encryption key produced, in part, using a uniquely sequenced number generated by a user sequencer maintained by the user device. The provider and provider institution app independently transmit their different encrypted one-time-use codes to an intermediate entity, which decrypts the encrypted codes using one-time-use encryption keys produced using sequencers maintained by the intermediate entity. This decryption generates an authorization request.
    Type: Grant
    Filed: February 17, 2016
    Date of Patent: January 31, 2017
    Assignee: BENEDORTSE LLC
    Inventor: Richard F. Carrott
  • Patent number: 9558361
    Abstract: Systems and methods described herein relate to role-based authorization systems which allow customization of role templates as well as the ability, using roles, for one user to act on behalf of another user.
    Type: Grant
    Filed: June 8, 2016
    Date of Patent: January 31, 2017
    Assignee: LEXISNEXIS, A DIVISION OF REED ELSEVIER INC.
    Inventors: Don Paul Steiner, Bruce Daniel Maxfield, William Donald Kilgallon
  • Patent number: 9542566
    Abstract: Developing, deploying, and operating an application in a plurality of environments is disclosed, including: defining runtime specific configuration information for a plurality of environments, wherein the runtime environment specific configuration includes topology configuration and security configuration, wherein the runtime environment specific configuration information is stored separately from other configuration information and is protected by an identity management system; executing an application in one of the plurality of environments, wherein execution of the application is controlled by a first role; and presenting a credential associated with the first role to the identity management system to obtain a portion of the runtime environment specific configuration information corresponding to the environment associated with the executing application.
    Type: Grant
    Filed: June 21, 2012
    Date of Patent: January 10, 2017
    Assignee: Alibaba.com Limited
    Inventors: Liujin Yu, Gregory Charles McNutt
  • Patent number: 9542634
    Abstract: A method for the production of a portable data carrier having an integrated circuit and a contact field galvanically connected to the integrated circuit. In an area defined by the contact field, the portable data carrier is shaped and the contact field is embodied such that a direct contacting of the contact field by a contacting component embodied in accordance with the USB standard is possible. The portable data carrier in its final form is produced in chip card technology. Alternatively, an element is produced in chip card technology, which element features the integrated circuit and the contact field, and data and/or program code required for the operation of the portable data carrier are loaded into the integrated circuit. Subsequently the element is permanently connected to a carrier.
    Type: Grant
    Filed: August 11, 2005
    Date of Patent: January 10, 2017
    Assignee: GIESECKE & DEVRIENT GMBH
    Inventors: Andreas Linke, Thomas Tarantino, Ando Welling, Johann Angerer, Kolja Vogel
  • Patent number: 9537845
    Abstract: A method comprises storing in a memory of a first processing device information relating to one or more historical events visible to the first processing device and a second processing device. The method further comprises, in an authentication session between the first processing device and the second processing device, transmitting an indicator derived from at least a portion of the stored information from the first processing device to the second processing device. The indicator permits the second processing device to determine authenticity of the first processing device.
    Type: Grant
    Filed: September 30, 2013
    Date of Patent: January 3, 2017
    Assignee: EMC IP Holding Company LLC
    Inventors: Ari Juels, Ronald L. Rivest
  • Patent number: 9536078
    Abstract: In one aspect, an integrated circuit (IC) includes a secure router configured as a trust anchor, a non-volatile random access memory (RAM) direct memory access (DMA) channel coupled to the secure router, a first DMA coupled to the secure router and configured to receive data with a first classification and a second DMA coupled to the secure router and configured to receive data with a second classification. The IC also includes a secure boot/key controller coupled to the secure router and configured as a trust anchor to boot the IC securely and a processor coupled to the secure router and configured to encrypt data, to store protocols, to store instructions to detect malicious intrusions on the IC and to provide key management.
    Type: Grant
    Filed: October 11, 2012
    Date of Patent: January 3, 2017
    Assignee: Forcepoint Federal LLC
    Inventors: Laurence B. Finger, David E. Mussmann, Jason M. Fannin, Noel E. Johnson, Allen M. Schwartz
  • Patent number: 9530001
    Abstract: A system for protecting an electronic device against malware includes a memory, an operating system configured to execute on the electronic device, and a below-operating-system security agent. The below-operating-system security agent is configured to trap an attempted access of a resource of the electronic device, access one or more security rules to determine whether the attempted access is indicative of malware, and operate at a level below all of the operating systems of the electronic device accessing the memory. The attempted access includes attempting to write instructions to the memory and attempting to execute the instructions.
    Type: Grant
    Filed: May 18, 2015
    Date of Patent: December 27, 2016
    Assignee: McAfee, Inc.
    Inventor: Ahmed Said Sallam
  • Patent number: 9509496
    Abstract: An electronic key registration system includes an electronic key device that stores a key ID and a first piece of information. A controller is arranged in a communication subject. A registration tool writes the key ID to the controller and stores a second piece of information. Encrypted communication between the communication subject and the electronic key device is enabled after the key ID and a corresponding encryption key are written to the controller. An information center, which communicates with the registration tool, receives and compares the first and second pieces of information. The registration tool is permitted to write the key ID when receiving a signal from the information center indicating that the first and second pieces of information conform to each other.
    Type: Grant
    Filed: October 2, 2013
    Date of Patent: November 29, 2016
    Assignee: KABUSHIKI KAISHA TOKAI RIKA DENKI SEISAKUSHO
    Inventors: Daisuke Kawamura, Yuki Nawa
  • Patent number: 9509592
    Abstract: Mechanisms are provided to implement framework level mode specific file access operations. In a mode such as a work or enterprise mode, read and write accesses are directed to one or more secured locations. File data and metadata may be secured with encryption and/or authentication mechanisms. Conventional mobile solutions provide only for mode encryption distinctions at the application level, e.g. one work application may prevent access to certain data, but a different application may want to allow access to that same data. Various embodiments provide framework level mode sensitive encryption that does not require different, mutually exclusive, or possibly conflicting applications or platforms. A device and associated applications may have access to different data based on a current mode.
    Type: Grant
    Filed: February 8, 2016
    Date of Patent: November 29, 2016
    Assignee: Dell Products L.P.
    Inventors: Vadim Draluk, Francois Goldfain, Jan-Willem Maarse, Geng Chen
  • Patent number: 9509663
    Abstract: Securely transferring session credentials from a client-side traffic management device (TMD) to a second server-side TMD that replaces a first server-side TMD. A client-side TMD and the first server-side TMD have copies of secret data associated with an encrypted session between a client device and a server device. The first server-side TMD may be replaced with the second server-side TMD, which may not have the secret data. In response to a request to create an encrypted connection associated with the encrypted session, the client-side TMD encrypts the secret data using the server device's public key and transmits the encrypted secret data to the second server-side TMD. Using the server device's private key, the second server-side TMD decrypts the secret data and participates in the encrypted connection.
    Type: Grant
    Filed: December 13, 2010
    Date of Patent: November 29, 2016
    Assignee: F5 Networks, Inc.
    Inventors: Benn Sapin Bollay, Jeffrey Michael Warren
  • Patent number: 9509666
    Abstract: Techniques involving migrating authenticated content on a network towards the consumer of the content. One representative technique includes a network node receiving an encrypted seed having at least a location of the user data at a network service that stores the user data, and a cryptographic key to access the user data. The seed is received in response to a user login attempt to the network service. The user data is requested from the location using at least the received cryptographic key. The method further includes receiving and storing the user data at the network node, where the network node is physically closer to a location of the user than is the location of the network service. If the user is successfully authenticated, user access is provided to the stored user data at the network node rather than from the network service.
    Type: Grant
    Filed: September 4, 2014
    Date of Patent: November 29, 2016
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Baskaran Dharmarajan, Andy Chin, Aladdin A. Nassar
  • Patent number: 9501310
    Abstract: The execution of a process within a VM may be monitored, and when a trigger event occurs, additional monitoring is initiated, including storing behavior data describing the real-time events taking place inside the VM. This behavior data may then be compared to information about the expected behavior of that type of process in order to determine whether malware has compromised the VM.
    Type: Grant
    Filed: December 28, 2015
    Date of Patent: November 22, 2016
    Assignee: Bromium, Inc.
    Inventors: Rahul C. Kashyap, J. McEnroe Samuel Navaraj, Baibhav Singh, Arun Passi, Rafal Wojtczuk
  • Patent number: 9503454
    Abstract: Provided are a smart card service method and an apparatus for performing the same. The smart card service method includes receiving a certificate generation request from a terminal, transmitting the certificate generation request to an authentication processing device, and storing credential information with respect to the generated certificate in a virtual machine associated with the terminal in response to a certificate generation success message provided from the authentication processing device. Thus, it is possible to reduce the costs of manufacturing smart card hardware, and to support smart card services in a more enhanced security environment.
    Type: Grant
    Filed: October 17, 2013
    Date of Patent: November 22, 2016
    Assignee: ELECTRONICS & TELECOMMUNICATIONS RESEARCH INSTITUTE
    Inventors: Young Woo Jung, Chang Won Ahn, Joong Soo Lee
  • Patent number: 9497626
    Abstract: A constrained network entity may determine, via an authentication procedure with a core network entity, the trustworthiness of an endpoint attempting to establish a secure channel with the constrained network entity. The constrained network entity may receive a certificate from the endpoint attempting to establish the secure channel and the constrained network entity may send the certificate asserted by the endpoint to a core network entity for validation. The core network entity may receive the certificate during a key exchange with the constrained network entity and the core network entity may indicate to the constrained network entity the validity of the certificate. The constrained network entity may determine whether to establish the secure channel with the endpoint based on the validity of the certificate.
    Type: Grant
    Filed: November 15, 2011
    Date of Patent: November 15, 2016
    Assignee: InterDigital Patent Holdings, Inc.
    Inventors: Lawrence Case, Yogendra C. Shah, Inhyok Cha
  • Patent number: 9495542
    Abstract: A method for software inspection analyzes a body of computer code to assess whether the body of computer code contains malware. Various embodiments extract the executable elements of the body of computer code and modify those elements using rules defining the format of instructions for the programming language in which the computer code was written, and using rules defined from the security specification of that programming language, to produce a model of the body of computer code. The method then analyzes the model using a model checking system, which determines whether any of the language rules have been violated, in which case the method flags the computer code as potentially including malware.
    Type: Grant
    Filed: February 28, 2013
    Date of Patent: November 15, 2016
    Assignee: Trustees of Boston University
    Inventors: Mark C. Reynolds, Azer Bestavros, Assaf J. Kfoury
  • Patent number: 9455836
    Abstract: Authenticity and responsiveness of evidence (e.g., biometric evidence) may be validated without regard for whether there is direct control over a sensor that acquired the evidence. In some implementations, only a data block containing evidence that is (1) appended with a server-generated challenge (e.g., a nonce) and (2) signed or encrypted by the sensor may validate that the evidence is responsive to a current request and belongs to a current session. In some implementations, trust may be established and/or enhanced due to one or more security features (e.g., anti-spoofing, anti-tampering, and/or other security features) being collocated with the sensor at the actual sampling site.
    Type: Grant
    Filed: September 3, 2015
    Date of Patent: September 27, 2016
    Assignee: BiObex, LLC
    Inventor: Arthur W. Joyce, III
  • Patent number: 9455972
    Abstract: A technique provisions a mobile device (e.g., a smart phone, a tablet, a personal digital assistant, etc.) with a security application on the fly. The technique involves providing, by processing circuitry of the mobile device, an initial access request to an enterprise gateway which is operated by an enterprise. The technique further involves receiving, by the processing circuitry, an enterprise response message from the enterprise gateway in response to the initial access request. The enterprise response message denies access to a set of enterprise resources of the enterprise. The technique further involves automatically prompting, by the processing circuitry, the mobile device to install a mobile security application from an application server in response to the enterprise response message denying access to the set of enterprise resources of the enterprise.
    Type: Grant
    Filed: September 30, 2013
    Date of Patent: September 27, 2016
    Assignee: EMC Corporation
    Inventors: Yedidya Dotan, Lawrence N. Friedman, Gareth Richards
  • Patent number: 9438698
    Abstract: Embodiments include a method of disseminating information regarding at least one electrical device using a registration server. The at least one electrical device has unique identification information, an internal IP address, and an external IP address, wherein the external IP address is an IP address of a first gateway device for a first local network.
    Type: Grant
    Filed: March 24, 2014
    Date of Patent: September 6, 2016
    Assignee: Belkin International, Inc.
    Inventors: Ryan Yong Kim, Naga Yerramsetti, Ricardo Federico Maurino