Patents Examined by William Powers
  • Patent number: 9658854
    Abstract: Instructions and logic provide SIMD SM3 cryptographic hashing functionality. Some embodiments include a processor comprising: a decoder to decode instructions for a SIMD SM3 message expansion, specifying first and second source data operand sets, and an expansion extent. Processor execution units, responsive to the instruction, perform a number of SM3 message expansions, from the first and second source data operand sets, determined by the specified expansion extent and store the result into a SIMD destination register. Some embodiments also execute instructions for a SIMD SM3 hash round-slice portion of the hashing algorithm, from an intermediate hash value input, a source data set, and a round constant set. Processor execution units perform a set of SM3 hashing round iterations upon the source data set, applying the intermediate hash value input and the round constant set, and store a new hash value result in a SIMD destination register.
    Type: Grant
    Filed: September 26, 2014
    Date of Patent: May 23, 2017
    Assignee: Intel Corporation
    Inventors: Gilbert M. Wolrich, Vinodh Gopal, Sean M. Gulley, Kirk S. Yap, Wajdi K. Feghali
  • Patent number: 9660997
    Abstract: A system for operating an enterprise computer network including multiple network objects, said system comprising monitoring and collection functionality for obtaining continuously updated information regarding at least one of access permissions and actual usage of said network objects, and entitlement review by owner functionality operative to present to at least one owner of at least one network object a visually sensible indication of authorization status including a specific indication of users which were not yet authorized by said at least one owner of said at least one network object.
    Type: Grant
    Filed: June 30, 2015
    Date of Patent: May 23, 2017
    Assignee: VARONIS SYSTEMS, INC.
    Inventors: Yakov Faitelson, Ohad Korkus, Ophir Kretzer-Katzir, David Bass
  • Patent number: 9661005
    Abstract: According to one embodiment, a system includes a processor and logic integrated with and/or executable by the processor, the logic being configured to identify a security issue affecting a first peer in one or more secure transmission control protocol/user datagram protocol (TCP/UDP) sessions, inform a second peer about the security issue using the first peer of the one or more TCP/UDP sessions, and perform at least one action in response to identifying and/or being informed about the security issue. In another embodiment, a method for providing a secure TCP/UDP session includes identifying a security issue affecting a first peer in one or more TCP/UDP sessions, informing a second peer about the security issue using the first peer of the one or more TCP/UDP sessions, and performing at least one action in response to identifying and/or being informed about the security issue.
    Type: Grant
    Filed: January 9, 2014
    Date of Patent: May 23, 2017
    Assignee: International Business Machines Corporation
    Inventors: Keshav G. Kamble, Vijoy A. Pandey, Vaishali V. Pandya
  • Patent number: 9654461
    Abstract: Disclosed is a system for delegating authentication of an untrusted application executing on a client device. For delegated authentication, an untrusted application relies on a trusted application executing in the same environment for authentication purposes. The delegated authentication process avoids requiring the user of the untrusted application to provide authentication credentials. The disclosed system for delegating authentication enables any trusted application executing in the same computing environment to authenticate the untrusted application.
    Type: Grant
    Filed: April 29, 2015
    Date of Patent: May 16, 2017
    Assignee: Twitter, Inc.
    Inventors: Jeffrey Seibert, Jr., Michael Ducker
  • Patent number: 9648032
    Abstract: Disclosed are exemplary aspects of systems and methods for blocking execution of scripts. An exemplary method comprises: intercepting a request for a script from a client to a server; generating a bytecode of the intercepted script; computing a hash sum of the generated bytecode; determining a degree of similarity between the hash sum of the bytecode and a plurality of hash sums of malicious and clean scripts stored in a database; identifying a similar hash sum from the database whose degree of similarity with the hash sum of the bytecode is within a threshold of similarity; determining a coefficient of trust of the similar hash sum; determining whether the requested script is malicious based on the degree of similarity and the coefficient of trust of the similar hash sum; and blocking the execution of the malicious script on the client.
    Type: Grant
    Filed: March 7, 2016
    Date of Patent: May 9, 2017
    Assignee: AO Kaspersky Lab
    Inventors: Vasily A. Davydov, Anton M. Ivanov, Roman Y. Gavrilchenko, Dmitry V. Vinogradov
  • Patent number: 9641555
    Abstract: In one embodiment, a method includes identifying a user-initiated precursor of an anticipated exposure event. The method also includes, in response to the identifying, automatically determining particular content that would be exposed if the exposure event were to occur. In addition, the method includes automatically determining one or more users to which the particular content would be exposed if the exposure event were to occur. Further, the method includes, before the exposure event occurs, publishing a result of the automatically determining to a user associated with the user-initiated precursor. Also, the method includes, in response to a detected occurrence of the exposure event, monitoring a plurality of communications platforms for follow-on exposure events in relation to the particular content which chain from the exposure event.
    Type: Grant
    Filed: April 10, 2015
    Date of Patent: May 2, 2017
    Assignee: Dell Software Inc.
    Inventors: Michel Albert Brisebois, Curtis T. Johnstone
  • Patent number: 9639691
    Abstract: A system for managing credentials for authenticating and securely communicating with trusted hosts, for example, in a cloud computing environment. The system dynamically updates credentials stored in a database and injects the updated credentials back into a runtime environment without restarting the runtime environment or applications running on the runtime environment. Embodiments of the present invention further enable credentials to be tracked and managed on a per-tenant basis, allowing each tenant that is running an application on a runtime environment to customize which hosts should be trusted.
    Type: Grant
    Filed: June 26, 2014
    Date of Patent: May 2, 2017
    Assignee: VMware, Inc.
    Inventors: Intesar Mohammed, Nikunj Nemani, Vishwas Nagaraja, Annie Chen, Rakesh Sinha
  • Patent number: 9628456
    Abstract: An access manager manages access to a resource. At a first time, the access manager designates a variable attribute associated with a recurring public event as a shared secret between the access manager and a user. At a second time occurring after the first time, the access manager receives a shared key from the user. As received, the shared key is based on a value of the variable attribute associated with the recurring public event at a most recent recurrence of the recurring public event relative to the second time. The access manager evaluates the shared key. In response to the evaluation, the access manager grants or denies the user access to the resource.
    Type: Grant
    Filed: January 15, 2015
    Date of Patent: April 18, 2017
    Assignee: International Business Machines Corporation
    Inventors: Eric J. Barkie, Benjamin L. Fletcher, Andrew P. Wyskida
  • Patent number: 9621523
    Abstract: Embodiments are directed to sharing secure communication secrets with a network monitoring device (NMD). The NMD may passively monitor network packets communicated between client computers and server computers. If a secure communication session is established between a client computer and a server computer, a key provider may provide the NMD a session key that corresponds to the secure communication session. The NMD may buffer each network packet associated with the secure communication session until the NMD is provided a session key for the secure communication session. The NMD may use the session key to decrypt network packets communicated between the client computer and the server computer. The NMD may then proceed to analyze the secure communication session based on the contents of the decrypted network packets.
    Type: Grant
    Filed: May 9, 2016
    Date of Patent: April 11, 2017
    Assignee: ExtraHop Networks, Inc.
    Inventors: Jesse Abraham Rothstein, Benjamin Thomas Higgins, Brian David Hatch
  • Patent number: 9621565
    Abstract: The present disclosure provides systems and methods for authenticating photographic data. In one embodiment, a method comprises providing an image authentication application for use on a client device, the application configured to control image capture and transmission; receiving an image data file from the application at the authentication server comprising a photographic image captured by the application and metadata associated therewith; applying a watermark to the photographic image to create a watermarked image; applying date and time information to the tagged image; applying location information to the tagged image; creating a web address associated with the image data file; uploading the photographic image, the tagged image, or both to the web address; and transmitting an authenticated image file to the client device, the authenticated image file comprising one or more of: the watermarked image, the photographic image, the date and time information, geographic information, and the web address.
    Type: Grant
    Filed: November 16, 2015
    Date of Patent: April 11, 2017
    Assignee: TruePic LLC
    Inventors: Craig Stack, Jason Lyons, Francis Lyons
  • Patent number: 9614682
    Abstract: A digital message is signed and, if a request is approved, receives a time stamp. The request is computed as a first function of the message and a current one of a sequence of passwords computed such that each password corresponds to an index unit. Each of the passwords may be computed as a function, such as a hash function, pseudo-random function, or encryption function, of the subsequent password, whereby the sequence terminates with an initial password that forms a public key parameter for the password sequence. At least one hash tree uses at least a subset of the passwords as inputs to a hash tree used to verify the passwords.
    Type: Grant
    Filed: April 11, 2015
    Date of Patent: April 4, 2017
    Assignee: GUARDTIME IP HOLDINGS, LTD.
    Inventors: Ahto Buldas, Risto Laanoja, Ahto Truu
  • Patent number: 9614820
    Abstract: The embodiments relate to a near field communication system including a plurality of near field communication devices which communicate with each other via a radio interface. During generation of a common cryptographic key between the near field communication devices of the near field communication system, at least one of the two near field communication devices monitors during generation of the cryptographic key via the radio interface in a generation period whether an additional near field communication device which could be a potential active attacker communicates with one of the near field communication devices via the radio interface. If such a suspicious type of communication is detected, generation of the common cryptographic key is optionally terminated.
    Type: Grant
    Filed: February 8, 2007
    Date of Patent: April 4, 2017
    Assignee: SIEMENS AKTIENGESELLSCHAFT
    Inventors: Rainer Falk, Florian Kohlmayer, SIEMENS AKTIENGESELLSCHAFT
  • Patent number: 9614831
    Abstract: Persistent communication layer credentials generated on a persistent communication layer at one network may be leveraged to perform authentication on another. For example, the persistent communication layer credentials may include application-layer credentials derived on an application layer. The application-layer credentials may be used to establish authentication credentials for authenticating a mobile device for access to services at a network server. The authentication credentials may be derived from the application-layer credentials of another network to enable a seamless handoff from one network to another. The authentication credentials may be derived from the application-layer credentials using reverse bootstrapping or other key derivation functions. The mobile device and/or network entity to which the mobile device is being authenticated may enable communication of authentication information between the communication layers to enable authentication of a device using multiple communication layers.
    Type: Grant
    Filed: April 13, 2015
    Date of Patent: April 4, 2017
    Assignee: InterDigital Patent Holdings, Inc.
    Inventors: Yogendra C. Shah, Inhyok Cha, Andreas Schmidt, Louis J. Guccione, Lawrence Case, Andreas Leicher, Yousif Targali
  • Patent number: 9602281
    Abstract: A method of providing security in a computer system includes producing an output block of data from an input block of data, which may be performed by one or more logic circuits. The output block of data may be produced by a cipher that includes a plurality of parallel, different mixing functions and a combination function. In this regard, producing the output block of data includes applying the plurality of parallel, different mixing functions to the input block of data to produce a plurality of updated blocks of data, with each mixing function mapping the input block of data to a respective one of the plurality of updated blocks of data. Producing the output block of data further includes combining the plurality of updated blocks of data in the combination function to produce the output block of data.
    Type: Grant
    Filed: December 18, 2015
    Date of Patent: March 21, 2017
    Assignee: The Boeing Company
    Inventor: Laszlo Hars
  • Patent number: 9590979
    Abstract: Techniques for password constraint enforcement used in external site authentication are disclosed. In some embodiments, password constraint enforcement used in external site authentication includes monitoring encrypted network communications between a client and an external site (e.g., a remote server), in which the encrypted network communications are encrypted using a first protocol (e.g., Secure Sockets Layer (SSL) protocol, HTTPS protocol, or another protocol for encrypted network communications); and determining if the client sends a request to create user credentials for an external site authentication. In some embodiments, password constraint enforcement used in external site authentication further includes performing password constraint enforcement used in the external site authentication.
    Type: Grant
    Filed: February 11, 2016
    Date of Patent: March 7, 2017
    Assignee: Palo Alto Networks, Inc.
    Inventor: Jeffrey Stephen Jahr
  • Patent number: 9584485
    Abstract: A network includes encryption devices at customer sites and transport devices that provide transport functionality for encrypted data for transmission across networks. A method of controlling access to a first plurality of functions of the encryption devices and access to a second plurality of functions of the transport devices is disclosed. The method involves providing a customer with access to at least some of the first plurality of functions and providing a network service provider with access to at least some of the second plurality of functions. The method also involves providing the network service provider with restricted access to a first subset of the first plurality of functions and/or providing the network service provider with restricted access to a second subset of the second plurality of functions. This allows the customer and the service provider to share access to hardware resources such as the encryption devices and the transport devices.
    Type: Grant
    Filed: December 20, 2012
    Date of Patent: February 28, 2017
    Assignee: Superna Business Consulting, Inc.
    Inventors: Michael William Arno, Andrew MacKay
  • Patent number: 9584550
    Abstract: Various techniques for exploit detection based on heap spray detection are disclosed. In some embodiments, exploit detection based on heap spray detection includes executing a program in a virtual environment; and detecting heap spray in memory while executing the program in the virtual environment. In some embodiments, exploit detection based on heap spray detection includes executing a program in a virtual environment; and detecting heap spray related malware in response to a modification of an execution environment in the virtual environment.
    Type: Grant
    Filed: March 10, 2016
    Date of Patent: February 28, 2017
    Assignee: Palo Alto Networks, Inc.
    Inventors: Bo Qu, Kyle Sanders, Xinran Wang
  • Patent number: 9584324
    Abstract: According to some embodiments, an application server may have a repository to facilitate a transfer of data between data storage elements. A datastore may be stored in the repository for a data storage element, the datastore including a password reference identifier. A password center table may be created in the repository to associate the password reference identifier with an actual encrypted password for the data storage element. At execution time, the password reference identifier in the datastore may be automatically replaced with the actual encrypted password for the data storage element.
    Type: Grant
    Filed: January 13, 2014
    Date of Patent: February 28, 2017
    Assignee: SAP SE
    Inventors: Enping Tu, Yung-Yin Chen, Ning Li
  • Patent number: 9569635
    Abstract: A computer implemented system and method of sharing files between a link sharer and a link recipient over a network. The method comprises generating, in response to a request by a link sharer, a file sharing link to a file set, where the link does not provide a link recipient the ability to modify the contents of the linked file set. In response to receiving an indication that the generated link has been activated by a link recipient, displaying a representation of the linked file set with a display element configured to send a request for modification rights to the linked file set when activated by the link recipient. In response to receiving the request for modification rights, either automatically granting modification rights to the linked file set or sending notice to the link sharer indicating that the link recipient is requesting modification rights to the linked file set.
    Type: Grant
    Filed: May 28, 2015
    Date of Patent: February 14, 2017
    Assignee: Dropbox, Inc.
    Inventors: Ivan Kirigin, Olumakinde Adegboyega Adeagbo
  • Patent number: 9553852
    Abstract: Embodiments of the invention are directed to systems, methods and computer program products for establishing a secure connection between a data repository and an intelligence application.
    Type: Grant
    Filed: January 29, 2016
    Date of Patent: January 24, 2017
    Assignee: BANK OF AMERICA CORPORATION
    Inventors: Melissa Ortiz-Munoz, Richard V. Wherry, Allen J. Thompson, Christopher J. Fiore