Abstract: Information leakage prevention in a cryptographic protocol is implemented in a network device. The technique implements an error message processing strategy to mask information otherwise useful to an attacker and that has been generated (by decryption processes) as a consequence of an attacker's exploit. The technique avoids information leakage associated with a padding oracle attack. In one aspect each error message (irrespective of its content) is replaced with a generic error message so that the attacker does not obtain the specific error message content(s) that might otherwise provide useful information. In addition to masking the error message content, the technique preferably implements a “delay” policy that delays the transmission of particular error messages (or message types) to hide (from the attacker's point-of-view) whether a particular error message is relevant to (or a consequence of) the attacker's exploit.

Abstract: A method to prevent information leakage in a cryptographic protocol is implemented in a network device. The method implements an error message processing strategy to mask information otherwise useful to an attacker and that has been generated (by decryption processes) as a consequence of an attacker's exploit. The technique avoids information leakage associated with a padding oracle attack. In one aspect each error message (irrespective of its content) is replaced with a generic error message so that the attacker does not obtain the specific error message content(s) that might otherwise provide useful information. In addition to masking the error message content, the technique preferably implements a “delay” policy that delays the transmission of particular error messages (or message types) to hide (from the attacker's point-of-view) whether a particular error message is relevant to (or a consequence of) the attacker's exploit.

Abstract: A method to prevent information leakage in a cryptographic protocol is implemented in a network device. The method implements an error message processing strategy to mask information otherwise useful to an attacker and that has been generated (by decryption processes) as a consequence of an attacker's exploit. The technique avoids information leakage associated with a padding oracle attack. In one aspect each error message (irrespective of its content) is replaced with a generic error message so that the attacker does not obtain the specific error message content(s) that might otherwise provide useful information. In addition to masking the error message content, the technique preferably implements a “delay” policy that delays the transmission of particular error messages (or message types) to hide (from the attacker's point-of-view) whether a particular error message is relevant to (or a consequence of) the attacker's exploit.

Abstract: The different illustrative embodiments provide a method, a computer program product, and an apparatus for managing secure sessions. An identity of a requestor is verified in response to receiving a request from the requestor to access a resource. The identity of the requestor comprises authentication information used to identify a number of privileges to the resource for the requestor. A session cookie is sent to the requestor by a first data processing system. The session cookie identifies the number of privileges for a session. A migration cookie is sent to the requestor by the first data processing system, wherein the migration cookie is used to recreate the session on a second data processing system.

Abstract: The different illustrative embodiments provide a method, a computer program product, and an apparatus for restoring secure sessions. A determination is made whether cached information for a session for the requestor is stored at the data processing system using a session cookie responsive to receiving a request at a data processing system from a requestor to access a resource. Access to the resource is controlled using the cached information and a number of privileges for the requestor associated with the cached information responsive to a determination that the cached information for the session is stored at the data processing system. A migration cookie is requested from the requestor responsive to an absence of a determination that the cached information for the session is stored at the data processing system. The cached information is generated for the session using the migration cookie.

Abstract: A cryptographic system for use in a data processing system. The system includes a security layer and a plurality of cryptographic routines, wherein the plurality of cryptographic routines are accessed through the security layer. Also included is a keystore and a keystore application program interface layer coupled to the security layer. The keystore application program interface layer receives a call from an application to perform a cryptographic operation, identifies a routine, calls the routine to perform the cryptographic operation, receives a result from the routine, and returns the result to the application.