Abstract: This document describes various techniques for distributing credentials based on hardware profiles. A resource access request including a hardware profile is transmitted to a remote entity having access to a previous hardware profile and a credential useful to access a resource is received if at least a portion of the hardware profile matches the previous hardware profile.

Abstract: Two approaches are provided for distributing trust among certificate authorities. Each approach may be used to secure data in motion. One approach provides methods and systems in which a secure data parser is used to distribute trust in a set of certificate authorities during initial negotiation (e.g., the key establishment phase) of a connection between two devices. Another approach of the present invention provides methods and systems in which the secure data parser is used to disperse packets of data into shares. A set of tunnels is established within a communication channel using a set of certificate authorities, keys developed during the establishment of the tunnels are used to encrypt shares of data for each of the tunnels, and the shares of data are transmitted through each of the tunnels. Accordingly, trust is distributed among a set of certificate authorities in the structure of the communication channel itself.

Abstract: An Ethernet interface module comprises a duplex port operable to transfer frames between said Ethernet network and a device and a path coupling a receive portion of the duplex port to a transmit portion of said first full duplex port. A queue is disposed in said first path. Evaluation apparatus is coupled to the queue and determines whether a received frame is addressed to said Ethernet interface module and whether a frame type field contains a frame type. The Ethernet interface module is operable in a first mode such that every said received frame is echoed back out the full duplex port; and is operable in a second mode such that each received frame that meets predetermined evaluation criteria is echoed back out the duplex port and those received frames that do not meet the predetermined evaluation criteria are discarded.

Abstract: Protection of resources hosted on enterprise systems. In an embodiment, an enterprise system receives a request from a portable device to download a resource, and in response formulates multiple security actions and associated conditions for the requested resource. The enterprise system sends the requested resource, the security actions and the conditions to the portable device. The portable device determines whether each condition is satisfied and performs the security actions associated with the conditions determined to have been satisfied. Due to the ability to send multiple security actions and associated conditions, better control in protection and retention of downloaded resources is obtained.

Abstract: Methods, systems, and techniques for managing groups of entities, such as individuals, employees, or systems, and providing entitlement and access to computer resources based on group membership are provided. Example embodiments provide a Group Management System having a Group Management Engine “GME,” an Entitlement Engine, and a Provisioning Engine, which work together to allow simplified grouping of entities and providing entitlement and access to the entities based upon the group membership. In one embodiment, the GME leverages dynamic programming techniques to enable accurate, scalable systems that can manage near real time updates and changes to the group's status or to the entities' status. These components cooperate to enable provisioning of applications based upon current entitlement.

Abstract: A vehicular data communication system includes an authentication device for authenticating an external tool connected to a bus, an authentication control device for determining whether an external tool is authenticated by the authentication device and for setting an authenticated state to permit a data communication between the external tool and an access target ECU on the bus upon determining that the external tool is authenticated by the authentication device, and an authentication maintain device for maintaining the authenticated state within a predetermined period after the authenticated state is set by the authentication control device.

Abstract: A computer implemented method for controlling access to an electronic media source is disclosed. An access control system receives achievement goals and degree of access information. Assessment information is also received by the access control system from one or more input data sources. The access control system determines whether the achievement goals are met based on the received assessment information and forwards an access signal to the electronic media source based on the access determination. The access signal, including a grant signal, is forwarded when the achievement goals are met.

Abstract: Large scale system operation may be provided. Upon receiving an action request from a user, a determination may be made as to whether the user requires elevated permissions to perform the action request. In response to determining that the user requires elevated permissions to perform the action request, the action request may be forwarded to a lockbox for evaluation and a permission response may be received from the lockbox.

Abstract: A system includes authentication of a user with a first server, reception of a request from the user to authenticate the user with a second server, requesting, from the first server, in response to receiving the request, user credentials to access the second server, reception of the user credentials from the first server, and transmission of the user credentials to the second server.

Abstract: A Social Network Service (SNS) account management server transmits, when phone number change schedule information is received from a user terminal, a phone number change schedule message to user terminals respectively corresponding to friend accounts included in a friend list of the corresponding account; confirms, when authentication of the new SNS account is requested from the user terminal, whether or not the account is an account of the changed phone number for the new authentication request based on the previously transmitted phone number change schedule information; transmits, if the account is of the changed phone number, a phone number change notification message to user terminals corresponding to friend accounts included in a friend list of the account of the changed phone number; and updates the changed phone number of the user terminal in a database of each friend account.

Abstract: Providing access to one or more resources to a user device. A method includes at a user device, registering with an identity service to obtain an identity credential. The method further includes at the user device, registering with a policy management service by presenting the identity credential. The method further includes at the user device, providing an indication of current state of the user device to the policy management service. The policy management service can then indicate to the identity service the compliance level of the user device. The method further includes the user device receiving a token from the identity service based on the policy management level of the user device as compared to a policy set.

Abstract: Instructions and logic provide memory key protection functionality. Embodiments include a processor having a register to store a memory protection field. A decoder decodes an instruction having an addressing form field for a memory operand to specify one or more memory addresses, and a memory protection key. One or more execution units, responsive to the memory protection field having a first value and to the addressing form field of the decoded instruction having a second value, enforce memory protection according to said first value of the memory protection field, using the specified memory protection key, for accessing the one or more memory addresses, and fault if a portion of the memory protection key specified by the decoded instruction does not match a stored key value associated with the one or more memory addresses.

Abstract: A syndication system facilitates rights management services between media content owners and media hosting services that elect to participate in the syndication system and mutually elect to participate with each other. The syndication system utilizes a content recognition system to identify hosted media content and ownership rights associated with the hosted content. By applying melody recognition, the content recognition system can identify compositions embodied in hosted media content even when these compositions do not precisely match any known sound recording. Thus, the content recognition system is beneficially able to detect, for example, recorded cover performances and recorded live performances embodied in hosted media content. Once identified, ownership information is determined and the syndication system can facilitate rights management policies associated with the content such as monetizing or blocking the protected content.

Abstract: Methods and devices for storing sent message data are described. The sent message data corresponds to a message sent to a destination by a communication device via a server. The method includes compiling a first portion of the message which has a plurality of components; applying security encoding to the first portion; and storing the first portion. The first portion includes at least one but not all of the plurality of components in the message, and pointers to the components not included in the first portion. A method of verifying sent message data on a communication device is also described.

Abstract: A method includes a computing system reading a rule file that includes one or more rules having specified paths to methods, such that each method corresponds to one of a sink, source, or sanitizer. The method includes the computing system matching the methods to corresponding ones of sinks, sources, or sanitizers determined through a static analysis of an application. The static analysis determines at least flows from sources of information to sinks that use the information. The method includes the computing system, using the sinks, sources, and sanitizers found by the matching, performing a taint analysis to determine at least tainted flows from sources to sinks, the tainted flows being flows that pass information to sinks without the information being endorsed by a sanitizer. Apparatus and program products are also shown.

Abstract: A method for containing a threat in network environment using dynamic firewall policies is provided. In one example embodiment, the method can include detecting a threat originating from a first node having a source address in a network, applying a local firewall policy to block connections with the source address, and broadcasting an alert to a second node in the network. In more particular embodiments, an alert may be sent to a network administrator identifying the source address and providing remedial information. In yet other particular embodiments, the method may also include applying a remote firewall policy to the first node blocking outgoing connections from the first node.

Abstract: Challenge-response authentication protocols are disclosed herein, including systems and methods for a first device to authenticate a second device. In one embodiment, the following operations are performed by the first device: (a) sending to the second device: (i) a challenge value corresponding to an expected response value known by the first device, and (ii) a hiding value; (b) receiving from the second device a masked response value; (c) obtaining an expected masked response value from the expected response value and the hiding value; and (d) determining whether the expected masked response value matches the masked response value received from the second device. The operations from the perspective of the second device are also disclosed, which in some embodiments include computing the masked response value using the challenge value, the hiding value, and secret information known to the second device.

Abstract: A computer apparatus is remotely initiated. Confirmation of a detected and authenticated presence of a user is detected and confirmed remote from the computer apparatus. A dedicated resource that will be implemented using the computer apparatus is logged in in a protected workstate that prevents access to the computer apparatus until a local presence of the user is detected and authenticated. The workstate of the computer apparatus is unprotected upon confirmation of the local presence of the user. Access to the user is allowed upon unprotecting the workstate of the computer apparatus.

Abstract: Installer code is received from a network attached storage (NAS) system at a client device. The installer code executing at the client device performs a selected subset of administrative tasks at the client device, where the administrative tasks are tasks associated with the NAS system. The selected subset of administrative tasks includes installing a backup software component.

Abstract: A method for authenticating an Internet Protocol Security (IPsec) packet, wherein the method comprises, receiving the IPsec packet via an input port, performing a Sequence-Integrity Check Value (SEQ-ICV) check that validates a sequence number within the IPsec packet, and performing an Integrity Check Value (ICV) check that validates a checksum within the IPsec packet, wherein the SEQ-ICV check is performed before the ICV check. In yet another example embodiment, an apparatus for transmitting an IPsec packet, comprising a processor, and a transmitter coupled to the processor, wherein the transmitter is configured to transmit an IPsec packet that comprises a header that comprises a sequence number field that provides a sequence number, and a payload that comprises one or more SEQ-ICV segments used to authenticate the sequence number within the IPsec packet.