Patents Examined by Thaddeus Plecha
  • Patent number: 8307442
    Abstract: A method, apparatus and computer program product for preventing infection propagation in a DMVPN is presented. An infected spoke router site is isolated from the DMVPN network such that the spoke router may (bi-directionally) completely or partially limit communicating with any network devices (including the hub router, any other spoke routers etc.) within the DMVPN which prevents the DMVPN melt-down, isolates a worm-infected spoke router site from the rest of the DMVPN and restricts the spread of the worm within the DMVPN network.
    Type: Grant
    Filed: August 1, 2006
    Date of Patent: November 6, 2012
    Assignee: Cisco Technology, Inc.
    Inventors: Rajiv Asati, Mohamed Khalid, Haseeb Niazi, Jason Guy
  • Patent number: 8286258
    Abstract: A monitor method and a monitor apparatus for monitoring a data of hardware are provided. The data has private information, identification information and at least one first network transmission address. The monitor apparatus comprises a storage unit and a processing unit. The data is stored in the storage unit according to the identification information. The processing unit is configured to record the identification information and the at least one first network transmission address of the data in a mark information table. In response to a sending system call, when a transmission is arranged to transmit the private information of the data to a second network transmission address which is different from the at least one first network transmission address, the processing unit will output a signal to cease the transmission.
    Type: Grant
    Filed: December 4, 2009
    Date of Patent: October 9, 2012
    Assignee: Institute for Information Industry
    Inventors: Chin-Wei Tien, Yao-Ting Chung, Chih-Hung Lin, Jain-Shing Wu
  • Patent number: 8276208
    Abstract: Methods, systems, and articles to receive, by a fail-over computing device, a request to instantiate a virtual-machine in response to a virtual-machine failure on a separate physical device. The request includes a minimum security rating. The fail-over computing device then compares the minimum security rating against an assigned security rating of the fail-over computing device and instantiates the virtual-machine if the assigned security rating meets or exceeds the minimum security rating.
    Type: Grant
    Filed: December 31, 2007
    Date of Patent: September 25, 2012
    Assignee: Intel Corporation
    Inventor: Dennis Morgan
  • Patent number: 8276192
    Abstract: A method for security planning with hard security constraints includes: receiving security-related requirements of a network to be developed using system inputs and processing components; and generating the network according to the security-related requirements, wherein the network satisfies hard security constraints.
    Type: Grant
    Filed: May 30, 2008
    Date of Patent: September 25, 2012
    Assignee: International Business Machines Corporation
    Inventors: Kay Schwendimann Anderson, Pau-Chen Cheng, Genady Ya. Grabarnik, Paul Ashley Karger, Marc Lelarge, Zhen Liu, Anton Viktorovich Riabov, Pankaj Rohatgi, Angela Marie Schuett, Grant Wagner
  • Patent number: 8234499
    Abstract: In the invention, incorrect authentication information for accessing at least one secured computing asset can be received. A similarity score between the incorrect authentication information and correct authentication information can be determined. One of many different access levels can be assigned to a computing session based upon the similarity score. Access consistent with the assigned access level can be granted. One access level can be an emulation access level that grants access to at least one simulated asset designed to mimic the secured asset. Access to the simulated asset can be provided in a fashion so that a user, who is likely an intruder, is unaware that they are not receiving the secured asset information. A tracking action can be optionally initiated against the intruder. Further, user behavior with the simulated session or a limited access session can be compared against a behavior profile to dynamically increase or decrease session permissions.
    Type: Grant
    Filed: June 26, 2007
    Date of Patent: July 31, 2012
    Assignee: International Business Machines Corporation
    Inventors: Subil M. Abraham, Lee A. Carbonell, Tsz Simon Cheng, Mathews Thomas
  • Patent number: 8219811
    Abstract: A method and system for securely executing software or securely loading data generates a secret value at a destination device based on a value transmitted to the destination device, which is algorithmically combined with a secure value stored at the destination device. The destination device, such as a cell phone, remotely accesses an entity or otherwise receives the software or data, where the software or data is encrypted or digitally signed based on the secret value. The cell phone then selectively employs the software or data.
    Type: Grant
    Filed: September 21, 2005
    Date of Patent: July 10, 2012
    Assignee: Nuance Communications, Inc.
    Inventor: Brian Roundtree
  • Patent number: 8214887
    Abstract: A method and system for providing remote user access to secure applications by deployment of SSO software to client workstations, including navigating to a secure server using a web browser on a remote workstation; providing user authorization details to the secure server; downloading an SSO deployment file to the remote workstation upon validation of the user authorization details; executing the SSO deployment file to install an SSO client application on the remote workstation; reading workstation settings and user credentials from a secure file or data store; and running the SSO client application on the workstation to employ the user credentials to logon to the secure application.
    Type: Grant
    Filed: March 20, 2006
    Date of Patent: July 3, 2012
    Assignee: Actividentity (Australia) Pty Ltd.
    Inventors: John F. Clark, Timothy Dingwall, Jason Hart, Matthew Herscovitch
  • Patent number: 8201238
    Abstract: In general, techniques are described of enabling a client-based web browser application to browse a directory structure provided by a server on a private network via a secure gateway. In particular, an intermediate gateway device is positioned on a network path between the client device and a server device. The gateway device communicates with the client device via a secure network connection (e.g., a Secure Sockets Layer connection). When the gateway device receives a resource identifier that identifies a directory structure from either the client device or the server device, the gateway device alters the resource identifier. In particular, the gateway device alters the resource identifier in such a way that when the client device transmits a request to view the directory structure identified by the resource identifier, the client device transmits a request to view the directory structure in a networking protocol that the gateway device permits to pass through the gateway device.
    Type: Grant
    Filed: November 22, 2010
    Date of Patent: June 12, 2012
    Assignee: Juniper Networks, Inc.
    Inventor: Yuhua Wu
  • Patent number: 8196186
    Abstract: An exemplary method includes receiving a request to register a peer in a peer-to-peer system; generating or selecting a transaction key for the peer; storing the transaction key in association with registration information for the peer; transmitting the transaction key to the peer and, in response to a request to perform a desired peer-to-peer transaction by another peer, generating a token, based at least in part on the transaction key. Such a token allows for secure transactions in a peer-to-peer system including remote storage of data and retrieval of remotely stored data. Other exemplary techniques are also disclosed including exemplary modules for a peer-to-peer server and peers in a peer-to-peer system.
    Type: Grant
    Filed: May 20, 2008
    Date of Patent: June 5, 2012
    Assignee: Microsoft Corporation
    Inventors: Anton Mityagin, Denis X Charles, Kristin E. Lauter
  • Patent number: 8181036
    Abstract: Techniques are disclosed that enable extrusion detection (i.e., outgoing confidential information from an enterprise or other entity). The techniques operate to detect outgoing confidential information at the gateway and/or the client, even if that confidential information is encrypted, compressed, or otherwise obfuscated before transmission (e.g., via email or to a portable storage media such as a memory stick).
    Type: Grant
    Filed: September 29, 2006
    Date of Patent: May 15, 2012
    Assignee: Symantec Corporation
    Inventor: Carey Nachenberg
  • Patent number: 8181262
    Abstract: In a network user authentication system, a network user is identified for authentication purposes using the unique identifier for a dedicated physical communication line associated with the building in which the network user is located or a digital certificate which is associated with a secure component or communication line physically attached to a building. An authentication server initially verifies the identification of the dedicated communication line to be associated with a network service subscriber or issues a unique digital certificate to be associated with the dedicated communication line for authentication purposes. The digital certificate may be stored in a building gateway or in an edge site module which is connected to the secure components of a plurality of buildings and stores unique digital certificates for each building.
    Type: Grant
    Filed: July 20, 2006
    Date of Patent: May 15, 2012
    Assignee: Verimatrix, Inc.
    Inventors: Robin Ross Cooper, Robert T. Kulakowski
  • Patent number: 8175266
    Abstract: Disclosed herein are systems, method and computer readable medium for providing authentication of an entity B by an entity A. In the method, entity A selects a value p, a range [a, b] and a granularity epsilon. Entity A sends p, [a, b], and epsilon to entity B. Entity B initializes a value yB=0 and for each x in {a, a+epsilon, . . . , b−epsilon, b} and computes z=E(x)*x. The function E(x) is an encryption scheme and the multiplication is carried out mod p. Entity B updates yB=yB+z. After processing each x, entity B sends yB to entity A. Entity A performs the same calculation and generates a yA value and compares yA with yB. If yB=yA, Entity A authenticates entity B. In one aspect, a light HMAC scheme splits an input x into n blocks with key expansion.
    Type: Grant
    Filed: May 7, 2008
    Date of Patent: May 8, 2012
    Assignee: Apple Inc.
    Inventors: Mathieu Ciet, Augustin Farrugia, Jean-Francois Riendeau, Nicholas T. Sullivan
  • Patent number: 8171527
    Abstract: A process may be utilized for securing unlock password generation and distribution. A first set of exclusive responsibilities, assigned to a trusted authority, includes random generation and encryption of an unlock password to compose a randomly generated encrypted unlock password. Further, a second set of exclusive responsibilities, assigned to a security agent, includes sending information associated with the unlock password and a digital signature of information associated with the unlock password to a communication device configured for a network in order to mate the unlock password to the communication device, and sending the randomly generated and encrypted unlock password along with mating data to a password processing center. In addition, a third set of exclusive responsibilities, assigned to a password processing center, includes decrypting the randomly generated and encrypted unlock password.
    Type: Grant
    Filed: June 26, 2007
    Date of Patent: May 1, 2012
    Assignee: General Instrument Corporation
    Inventors: Xin Qiu, Liqiang Chen, Stuart P. Moskovics, Kent D. Rager
  • Patent number: 8151360
    Abstract: A system and method administers security in a logical namespace of a storage system environment. A remote agent performs an integral security-related role within a management framework that is directed to off-loading administration of privileges from a namespace and storage management (NSM) server for namespace and storage management. NSM server rights are defined and assigned to a user of the NSM server in accordance with a security administration feature of the management framework. In addition, a multi-stage authentication procedure is provided to ensure that a user has the appropriate rights to perform operations on the NSM server.
    Type: Grant
    Filed: March 20, 2006
    Date of Patent: April 3, 2012
    Assignee: NetApp, Inc.
    Inventors: K. Uday Kishore, Shankar Balasubramanian
  • Patent number: 8151357
    Abstract: An information recording medium manufacturing method includes the steps of: determining an encryption mode of each sector, which serves as an encrypt processing unit; generating encrypted data having different variations by using a plurality of cryptographic keys for a segment portion; generating encrypted data by using a single cryptographic key for a non-segment portion; and recording the encrypted data. In determining the encryption mode, a cryptographic key for each sector is specified on the basis of an auxiliary file including determination information indicating whether each sector is data of a segment portion or data of a non-segment portion and identification information for identifying a segment and a variation associated with the sector if the sector is found to be the data of a segment portion. In generating the encrypted data for the segment portion or for the non-segment portion, the encrypted data is generated by using the specified cryptographic key.
    Type: Grant
    Filed: February 16, 2006
    Date of Patent: April 3, 2012
    Assignee: Sony Corporation
    Inventors: Kenjiro Ueda, Tateo Oishi, Katsumi Muramatsu, Yoshikazu Takashima, Motoki Kato
  • Patent number: 8146153
    Abstract: In order to create and access a secure storage account in a non-volatile memory device, an account identification value is calculated. A memory identification value is read from a first non-volatile memory device. The memory identification value and the account identification value are transmitted to a second non-volatile memory device, and a calculated credential is received. A command is transmitted to create a secure storage account in the first non-volatile memory device, where the command contains the credential and the account identification value. To access the account, a sequence is transmitted, containing the account identification value and a value based on the credential. A secure storage system contains a first non-volatile memory device that stores a memory identification value and contains a secure partition accessible using a credential, a second non-volatile memory device that can compute the credential, and a host adapted to create and access the secure partition.
    Type: Grant
    Filed: December 31, 2007
    Date of Patent: March 27, 2012
    Assignee: Sandisk Technologies Inc.
    Inventors: Po Yuan, Javier Cañis Robles, Mei Yan, Fabrice Jogand-Coulomb, Ahmet Altay, Bahman Qawami, Patricia Dwyer, Robert Chin-Tse Chang, Oktay Rasizade, Farshid Sabet-Sharghi
  • Patent number: 8117455
    Abstract: A method of authenticating an object in which a computer system receives indicating data from a sensing device. The indicating data is generated in response to sensing of coded data provided on or in a surface associated with the object and is indicative of an identity of the object and at least part of a signature. The signature is in turn a digital signature of at least part of the identity. The computer system uses the indicating data to determine a received identity and a received signature part, before using the received identity to determine at least a determined signature part. The determined signature part is then compared to the received signature part to authenticate the object.
    Type: Grant
    Filed: June 10, 2009
    Date of Patent: February 14, 2012
    Assignee: Silverbrook Research Pty Ltd
    Inventors: Kia Silverbrook, Paul Lapstun
  • Patent number: 8108669
    Abstract: An image forming apparatus for attaching an electronic signature to image data read from a paper document is disclosed. Validity of a first public key certificate that certifies a first signature key is determined. A first electronic signature for the image data is generated by using the first signature key. The first electronic signature is prevented from being generated in response to an event that it is determined that the first public key certificate is invalid.
    Type: Grant
    Filed: July 10, 2006
    Date of Patent: January 31, 2012
    Assignee: Ricoh Company, Ltd.
    Inventors: Satoshi Saito, Yoichi Kanai
  • Patent number: 8074260
    Abstract: An interactively authorizing access control method applicable to an access control center is disclosed. According to the present invention, an effective time interval can be set for the permit by an authorized person of the object according to his/her usual pass time such that when the access control center identifies the permit is valid, the effectiveness of the permit can be further determined according to the effective time interval set by the authorized person, thereby determining whether the object is allowed to pass.
    Type: Grant
    Filed: July 21, 2006
    Date of Patent: December 6, 2011
    Assignee: Industrial Technology Research Institute
    Inventors: Pin-Chao Hsu, Mu-Lan Liao, Min-Ju Hsieh, Wu-Chi Ho, John D. H. Mai
  • Patent number: 8050405
    Abstract: Methods of securely communicating a message from a first terminal to a second terminal include generating a keypad including a random sequence of bits having a length L, encrypting the message at the first terminal using a bit string beginning at an offset O in the keypad, and transmitting the encrypted message and an indicator of the offset O to the second terminal. A communication terminal includes a controller, a communication module configured to establish a location-limited communication channel, and an encryption unit configured to store a keypad including a random sequence of bits having a length L, to encrypt an outgoing message using the keypad, and to decrypt an incoming message using the keypad.
    Type: Grant
    Filed: September 30, 2005
    Date of Patent: November 1, 2011
    Assignee: Sony Ericsson Mobile Communications AB
    Inventors: William O. Camp, Jr., Daniel P. Homiller