Abstract: Techniques are disclosed for dynamically managing hardening policies in a client computer (e.g., of an enterprise network). A hardening management application monitors activity on the client computer that is associated with a first hardening policy. The monitored activity is evaluated based on one or more metrics. Upon determining that at least one of the metrics is outside of a tolerance specified in the first hardening policy, the client computer is associated with a second hardening policy. The client computer is reconfigured based on the second hardening policy.

Abstract: Even when an intermediate server exists, a plurality of servers simultaneously authenticates a user securely. A user apparatus disperses a password. The user apparatus obtains a ciphertext, which is obtained by encrypting a dispersed value. The intermediate server transmits the ciphertext to an authentication server. The authentication server decrypts the ciphertext to obtain the dispersed value. The authentication server determines a verification value. The authentication server obtains a ciphertext. The intermediate server decrypts the ciphertext to obtain the verification value. The intermediate server verifies whether a sum total of the verification values is equal to 0 or not. The authentication server determines a verification value. The authentication server obtains a ciphertext. The authentication server decrypts the ciphertext to obtain the verification value. The authentication server verifies whether a sum total of the verification values is equal to 0 or not.

Abstract: A content management system implementing methodologies providing retroactive shared content item links is disclosed. The content management system and methodologies allow a team administrator of a team to configure a team-wide shared link policy that determines whether non-team members can access content items associated with team accounts using shared links generated for the content items by team members. The team shared link policy has two settings. In a first setting, the content management system allows non-team members to use shared links generated by team members to access content items associated with team accounts. In a second setting, the content management system blocks access to the content items by non-team members. Shared links are retroactive in the sense they do not need to be regenerated after the team shared link policy has been changed from the second setting back to the first setting.

Abstract: In an aspect, a method can include generating a cyclic redundancy check code for a binary data item, using a generator polynomial; and masking, using polynomial addition, the binary data item with a binary mask. The method can also include at least one of: storing, by a microcircuit, the masked binary data item in a memory of an electronic device; or transferring, by the microcircuit, the masked data item to another device. The cyclic redundancy check code for the binary data item can be generated from the masked binary data item to prevent discovery of the binary data item by a side-channel attack during the generating the cyclic redundancy check. The binary mask can be a multiple of a random number and the generator polynomial, such that respective cyclic redundancy check code of the masked data item and the binary data item have a same result.

Abstract: A computing device may include a presence-sensitive display, at least one processor, and a memory storing instructions that, when executed by the at least one processor, cause the at least one processor to output, for display at the presence-sensitive display, a graphical keyboard including a plurality of keys and a suggestion region; determine, based on a selection of the suggestion region or one or more keys from the plurality of keys, a search query; retrieve one or more search results determined based on the search query; and output, in place of at least a portion of the graphical keyboard, a visual representation of a particular search result of the one or more search results.

Abstract: An application creating apparatus generates first authentication information using an authentication element is provided. The apparatus includes an application module when the application module is created, inserts the first authentication information into the application module, and distributes the application module. A user digital device that executes the application module checks the authentication element and the first authentication information included in the application module, generates second authentication information for the authentication element, and determines whether to execute the application module based on a result of comparison between the first authentication information and the second authentication information.

Abstract: Disclosed is a key downloading method. The method comprises: sending a hardware series number (SN) and a first random number (Rnd1) to a key server; receiving a second random number (Rnd2), a first encrypted text (C1) and a key server working certificate (KSWCRT) sent by the key server; authenticating the validity of KSWCRT by using a KSRCRT; if valid, extracting a public key (PuKS) from the KSWCRT, and decrypting the first encrypted text (C1) by using the PuKS to obtain a third random number (Rnd1?); determining whether Rnd1 is consistent with Rnd1?; if consistent, encrypting the second random number (Rnd2) by using a terminal authentication public key (TKP_Pu) to generate a third encrypted text (C2?), and sending the C2? to the key server; receiving an key encrypted text (Ctmk) sent by the key server; and obtain a master key (TMK), and storing the TMK in a security control module.

Abstract: One or more proxy logs are processed in order to generate a graph of domains, wherein those domain pairs in the graph that are connected have low support and high confidence. One or more domains within the graph that are highly connected to other domains in the graph are identified. The identified domains are flagged as suspicious domains.

Abstract: Disclosed are a password entry method and system. In the present invention, an intelligent display terminal receives a password entry instruction of a user, and randomly generates image data of a soft keyboard; the intelligent display terminal decomposes the image data of the soft keyboard into image data of a first soft keyboard and image data of a second soft keyboard by using a subtractive color process; the intelligent display terminal displays an image of the first soft keyboard according to the image data of the first soft keyboard, and sends the image data of the second soft keyboard to a portable display terminal; and the portable display terminal combines the image data of the first soft keyboard and the image data of the second soft keyboard by using an additive color process to restore an image of the soft keyboard, and displays the image of the soft keyboard.

Abstract: A method for allowing an operating system (OS), to access an encrypted data storage system of a computer, wherein: the data storage system comprises: a partition; and first encrypted data units that comprise partition table data of said data storage system; and said computer is connectable to an external device comprising: a boot loader for an external OS that is not installed on the computer; and partitioning information capturing an expected location of said partition in the data storage system; and wherein second encrypted data units that comprise reference partition table data for said data storage system are available from said computer or said external device, the method comprising: upon connection of said external device to the computer, instructing to boot the computer from said boot loader; and during or after booting of the computer: comparing the first and second encrypted data units; and if the first and second encrypted data units match, allow the external OS to access, based on the partitioning

Abstract: A system on chip includes a central processing unit and a key manager coupled to the central processing unit. The key manager includes a random number generator configured to generate a key and a key memory configured to store the key and a user setting value associated with the key.

Abstract: The present invention is notably directed to a method for allowing an operating system, or OS, to access an encrypted data storage system of a computer (10), wherein: the data storage system (11) comprises: a partition (122); and first encrypted data units (120) that comprise partition table data of said data storage system; and said computer (10) is connectable to an external device (20) comprising: a boot loader (24) for an external OS (112) that is not installed on the computer; and partitioning information (22) capturing an expected location of said partition (122) in the data storage system; and wherein second encrypted data units (220) that comprise reference partition table data for said data storage system are available from said computer (10) or said external device, the method comprising: upon connection (S21) of said external device (20) to the computer, instructing to boot (S23) the computer (10) from said boot loader (24); and during or after booting of the computer: comparing (S25) the first (12

Abstract: Methods, systems, and computer-readable media for selectively enabling and disabling biometric authentication are presented. In some embodiments, a computing platform may receive, from a device monitoring and management computer system, a device state indicator message comprising device state information associated with a mobile computing device. Subsequently, the computing platform may set a biometric authentication flag for the mobile computing device based on the device state indicator message received from the device monitoring and management computer system. Then, the computing platform may generate an authentication functionality message for the mobile computing device based on the biometric authentication flag set for the mobile computing device, and the authentication functionality message may be configured to selectively enable or disable one or more biometric authentication functions provided by the mobile computing device.

Abstract: One of n?2 servers, connectable via a network, implements a cryptographic protocol using a secret key K which is shared between the n servers, and includes first and second server compartments. The first is connectable to the network, adapted to implement the cryptographic protocol, and stores a current key share of the secret key K. The second is inaccessible from the network in the operation of the server, stores a set of master keys, and is adapted, for each of successive time periods, to unilaterally generate a new key share of the secret key K and to supply it to the first as the current key share for that time period. The new key share includes a random share of a predetermined value p which is shared between the n servers, and the random share includes a function of the set of master keys.

Abstract: A method for validating a signature request for a first message M, comprising: receiving, a validation challenge (VC) from a signature creation device (SCD), the VC created by the SCD, in response to receiving the signature request and message M from a user, using a second message M? which is based on message M and a secret shared between the SCD and user, the VC generated by encrypting message M? using the secret; generating, the message M? from the VC by decrypting the VC using the secret; displaying the message M? to the user; receiving confirmation from the user that the displayed message M? corresponds to the message M; generating, a validation code confirming the signature request to create a signature; and outputting the code to the SCD, to cause the SCD to generate the signature for the user for message M based on successfully verifying the code.

Abstract: A system for cryptographically authenticated communication, wherein an activation signal is sent from a communications device to a memory device (410). The memory device derives a random challenge from at least one physical property of the activation signal and sends it back to the communications device (420). A signature is computed using the received random challenge (440) and sent, together with a certificate, to the memory device (450).

Abstract: The invention relates to a data-processing method that includes encoding a plurality of data of n bits into code words having a predefined constant Hamming weight, characterized in that said method also includes using (4000) encryption operations or arithmetic operations on the resulting code word(s) and also in that encoding each datum includes: decomposing (100) the datum into a plurality of m bit sequences to be encoded, m strictly being less than n; encoding (300) each bit sequence into a partial code word, each having a predefined Hamming weight, such that the sum of the Hamming weights of the partial code words are equal to the Hamming weights of the code word; and concatenating (300) the partial code words such as to produce the code word corresponding to the datum. The invention also relates to a data transmission method and to an electronic circuit configured to implement said methods.

Abstract: A communication method to publish a user message suitable for one or more vendors. The communication method may be performed by one or more controllers and may include one or more acts of receiving a message from a user station of a user; processing the received message to anonymize the message to conceal an identity of the user; publishing the anonymized message and anonymous link information; receiving a request from a vendor of the one or more vendors for user context information corresponding to the user in response to the published anonymized message; receiving restriction information in accordance with a user persona selected by the user from a plurality of user personas that are each associated with the user; and providing the user context information in accordance with the restriction information.

Abstract: A system and method for generating a signature for a document using an identity verification token. The identity verification token receives a request that includes a set of credential data from a signatory, obtains a document identifier that identifies the document to a service provider, and obtains a token identifier that identifies the identity verification token to the service provider. The identity verification token generates the signature based at least in part on the obtained document identifier, the received set of credential data, and obtained the token identifier, and provides the signature.

Abstract: Policy changes are propagated to access control devices of a distributed system. The policy changes are given immediate effect without having to wait for the changes to propagate through the system. A token encodes the policy change and can be provided in connection with access requests. Before an access control device has received a propagated policy change, the access control device can evaluate a token provided in connection with a request to determine, consistent with the policy change, whether to fulfill the request.