Authentication Of An Entity And A Message Patents (Class 713/170)
  • Patent number: 9448823
    Abstract: Disclosed are machine processors and methods performed thereby. The processor has access to processing units for performing data processing and to libraries. Functions in the libraries are implementable to perform parallel processing and graphics processing. The processor may be configured to acquire (e.g., to download from a web server) a download script, possibly with extensions specifying bindings to library functions. Running the script may cause the processor to create, for each processing unit, contexts in which functions may be run, and to run, on the processing units and within a respective context, a portion of the download script. Running the script may also cause the processor to create, for a processing unit, a memory object, transfer data into that memory object, and transfer data back to the processor in such a way that a memory address of the data in the memory object is not returned to the processor.
    Type: Grant
    Filed: October 10, 2012
    Date of Patent: September 20, 2016
    Assignee: GOOGLE TECHNOLOGY HOLDINGS LLC
    Inventor: Mikael L. Bourges-Sevenier
  • Patent number: 9438589
    Abstract: A method and system are described for authenticating one or more digital files in which a feature, characteristic or a portion of the contents of said files is implanted into one or more biometric information files, which are electronically recorded and transmitted and in which the identity of the originator or a trusted third party and all or part of the feature, characteristic or a portion of the contents of said files is determined from said biometric information files.
    Type: Grant
    Filed: April 4, 2014
    Date of Patent: September 6, 2016
    Inventors: Martin Tomlinson, Cen Jung Tjhai, Andersen Cheng
  • Patent number: 9432384
    Abstract: A first data handling node (304) is configured to verify data received in a data distribution network with multiple data handling nodes forming a distribution path of a network topology, by obtaining tag information from a hash server (306). The first data handling node (304) receives data (D3) and a hash tag (H3) from a second data handling node (302). The received data (D3) and hash tag (H3) have been generated by the second node based on a previous hash tag (H1, H2) generated by a preceding third data handling node (300a, 300b). The third node has delivered data (D1, D2) to the second node, and the received data (D3) has been generated by the second node based on the data (D1, D2) delivered by the third data handling node.
    Type: Grant
    Filed: November 12, 2012
    Date of Patent: August 30, 2016
    Assignee: TELEFONAKTIEBOLAGET L M ERICSSON
    Inventors: Vincent Huang, Yi Cheng, András Méhes, Mats Näslund
  • Patent number: 9425965
    Abstract: Implementations for providing a persistent secure execution environment with a hosted computer are described. A host operating system of a computing system provides an encrypted checkpoint to a persistence module that executes in a secure execution environment of a hardware-protected memory area initialized by a security-enabled processor. The encrypted checkpoint is derived at least partly from another secure execution environment that is cryptographically certifiable as including another hardware-protected memory area established in an activation state to refrain from executing software not trusted by the client system.
    Type: Grant
    Filed: February 13, 2012
    Date of Patent: August 23, 2016
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Andrew A. Baumann, Galen C. Hunt, Marcus Peinado
  • Patent number: 9425963
    Abstract: A method of securing electronic control units (ECUs) using message authentication codes includes receiving a message authentication code (MAC) at an ECU; determining that the length of the MAC is greater than or equal to a predefined bit value; authenticating the MAC when the length of the MAC has been determined to be equal to or greater than the predefined bit value; and rejecting the MAC when the length of the MAC has been determined to be less than the predefined bit value.
    Type: Grant
    Filed: March 21, 2014
    Date of Patent: August 23, 2016
    Assignee: GM Global Technology Operations LLC
    Inventors: David Nairn, Thomas Forest
  • Patent number: 9424438
    Abstract: A client device securely transfers personal information to a third-party website. The client device stores personal information of a user and encrypts personal information requested by the third-party website, so that the third-party website can decrypt and retrieve the personal information, and so that a remote proxy server facilitating the transfer of personal information from the client device to the third-party website cannot read the encrypted personal information and has no access to unencrypted personal information.
    Type: Grant
    Filed: March 31, 2014
    Date of Patent: August 23, 2016
    Assignee: SAP SE
    Inventor: Wei Lin
  • Patent number: 9413538
    Abstract: Implementations for providing a secure execution environment with a hosted computer are described. A security-enabled processor establishes a hardware-protected memory area with an activation state that executes only software identified by a client system. The hardware-protected memory area is inaccessible by code that executes outside the hardware-protected memory area. A certification is transmitted to the client system to indicate that the secure execution environment is established, in its activation state, with only the software identified by the request.
    Type: Grant
    Filed: December 12, 2011
    Date of Patent: August 9, 2016
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Andrew A. Baumann, Galen C. Hunt, Marcus Peinado
  • Patent number: 9398495
    Abstract: Apparatus for securely transmitting data between a mobile subscriber (1) having at least one transmission apparatus (2) and a stationary receiver (3), wherein the mobile subscriber (1) can change between a plurality of radio cells (Cell 1, Cell 2, Cell 3) and each radio cell (Cell 1, Cell 2, Cell 3) has at least one transmission apparatus (AP1, AP2, AP3), wherein the at least one transmission apparatus (AP1 to AP3) is also connected in a wired manner to at least one network (LAN A, LAN B), wherein the stationary receiver (3) is likewise connected in a wired manner to the at least one network (LAN A, LAN B), and both the wireless transmission between the mobile subscriber (1) and the transmission apparatus (AP1 to AP3) respectively associated with the latter and the wired data transmission between the transmission apparatus (AP1 to AP3) and the at least one associated network (LAN A, LAN B) are carried out redundantly, and the stationary receiver (3) is redundantly connected in a wired manner to the network (L
    Type: Grant
    Filed: June 6, 2012
    Date of Patent: July 19, 2016
    Assignee: HIRSCHMANN AUTOMATION AND CONTROL GMBH
    Inventor: Markus Rentschler
  • Patent number: 9397859
    Abstract: Embodiments of the present invention provide a method, system and computer program product for sideband control of a secured e-mail message. In an embodiment of the invention, a method for sideband control of a secured e-mail message is provided. The method includes receiving a secured form of a message from a sender in an e-mail client executing in memory by at least one processor of a computer. The method also includes rendering the secured form of the message comprehensible only subsequent to the establishment of a sideband channel of communication with the sender.
    Type: Grant
    Filed: June 30, 2010
    Date of Patent: July 19, 2016
    Assignee: International Business Machines Corporation
    Inventors: Rob A. Gearhart, Liam Harpur, Mark Kelly, John Rice
  • Patent number: 9390256
    Abstract: Systems and methods for credential character selection are provided. The system includes one or more sensors configured to detect a character selection and generate a character selection signal, and detect a character selection completion and generate a character selection completion signal. The system also includes one or more processors coupled to the one or more sensors, the one or more processors configured to receive the character selection signal and the character selection completion signal, and generate an output signal based on the received character selection signal that includes components of a credential. The system also includes a network interface component configured to transmit the output signal. The credential characters may be components of a PIN or password. Moreover, the credential character selections may be made on one device, but displayed on a separate coupled device. The character selections may be a selection of a character or a modification of character.
    Type: Grant
    Filed: March 14, 2013
    Date of Patent: July 12, 2016
    Assignee: PAYPAL, INC.
    Inventors: Bjorn Markus Jakobsson, James Roy Palmer, William Leddy
  • Patent number: 9378360
    Abstract: Hostile attacks against a computer program are prevented when the program is executed in a computing environment that is controlled by the attacker. A preposition is run in a secure computing environment instead of the original call site, i.e. the IF antecedent, which has a TRUE consequence and a FALSE consequence are run in a secure computing environment. Embodiments of the invention also allow an insecure call site to detect modifications by a hostile attacker surreptitiously. In embodiments of the invention, a script is generated by a script generator from the IF antecedent and TRUE and FALSE consequence source code, for example relative to a call site. The original source code is modified to call the script engine, rather than the preposition. At run-time a script engine executes this script.
    Type: Grant
    Filed: June 24, 2014
    Date of Patent: June 28, 2016
    Assignee: FLEXERA SOFTWARE LLC
    Inventor: Alan Walter Stiemens
  • Patent number: 9363258
    Abstract: The illustrative embodiments provide a computer implemented method, apparatus, and computer program product for receiving a request from a client to instantiate an electronic document. After successful completion of mutual authentication between a web application server and the client, the web application server provides the electronic document to the client. The web application server may then receive a set of changes associated with the electronic document to form a modified document. After receiving a request from the client for a digital signature to be generated for the modified document, the web application server generates a digital signature using a private key of the web application server and an identity of an end-user associated with the client. The web application server then signs the modified document with the digital signature.
    Type: Grant
    Filed: December 17, 2007
    Date of Patent: June 7, 2016
    Assignee: International Business Machines Corporation
    Inventors: John Michael Boyer, David Franklin Manning, Michael Cain Mansell, Sonja Christine McLellan
  • Patent number: 9357331
    Abstract: Systems and apparatuses for a secure mobile cloud framework (referred to as MobiCloud) for mobile computing and communication are disclosed. Embodiments of MobiCloud transfer each mobile node from a traditional strictly layer-structured communication node into a service node (SN). Each SN may be used as a service provider or a service broker according to its capability. Each SN may be incorporated as a virtualized component of the MobiCloud. In some embodiments, MobiCloud mirrors an SN to one or multiple virtual images in the Cloud for addressing communication and computation deficiencies of mobile devices. Virtual images can create a visualized MANET routing and communication layer that can maximally assist the mobile nodes to enable pervasive computing services for each mobile device owner. A secure data processing framework is disclosed for the MobiCloud.
    Type: Grant
    Filed: April 5, 2012
    Date of Patent: May 31, 2016
    Assignee: Arizona Board of Regents on Behalf of Arizona State University
    Inventor: Dijiang Huang
  • Patent number: 9350553
    Abstract: Aspects of the invention include methods and systems for electronically signing a plurality of documents, such as an insurance application, a loan application, a set of mortgage papers, a bank application, or the like. A customer, or multiple customers, electronically submits the signature once and the customer's one signature is applied to all of the areas where the customer signature is required. The electronic signature may include initials and/or a graphical representation of the customer's handwritten signature. Aspects of the invention include an apparatus comprising a display, a memory, and a processor coupled to the memory and programmed with computer-executable instructions that, when executed, perform a method for electronically signing a plurality of documents.
    Type: Grant
    Filed: January 13, 2015
    Date of Patent: May 24, 2016
    Assignee: Allstate Insurance Company
    Inventors: George N. Sakkos, Carolyn Beth Carter, Yunzhu Chen, Victoria Marguerite Kummer-Donnellan
  • Patent number: 9334820
    Abstract: A component monitoring system monitors whether a component fitted to a working machine is a genuine component, and prevents the use of a counterfeit product or the like. A working machine is provided with a plurality of exchangeable components, and each component is provided with a wireless tag. A component ID is stored in advance in the wireless tag. When, on the side of the working machine, a component exchange timing or an engine starting timing is detected, the component ID stored in the wireless tag is acquired, and is transmitted to a working machine management device. The working machine management device checks the component ID which has been received from the working machine and a component ID which is stored in a component ID storage means against one another. And, if these two component IDs do not match one another, an abnormal state detection means outputs a warning signal.
    Type: Grant
    Filed: June 10, 2013
    Date of Patent: May 10, 2016
    Assignee: Komatsu Ltd.
    Inventors: Atsutomo Komine, Yukihiro Tsuda, Hidenori Koizumi
  • Patent number: 9329913
    Abstract: A Web service description can be extended to cross reference a front-side port associated with a client using a Web service and a back-side port associated with a server providing the Web service. The extending of the Web service description can occur in a standards compliant manner for a programming language within which the Web service description is specified and for a repository in which the Web service description is maintained.
    Type: Grant
    Filed: December 5, 2008
    Date of Patent: May 3, 2016
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Ryan T. Betts, Moshe M. E. Matsa, Eric D. Perkins
  • Patent number: 9319935
    Abstract: For each target cell determined by a handover decision process, a first message is transmitted from a source base station (20S) to a target base station (20T) servicing that target cell. The first message includes an identifier of a wireless device (10) having a communication link with the source base station and information for obtaining authentication data for this wireless device. The authentication data depends on a secret key available to the wireless device and the source base station and on an identity of the target cell. Upon failure of the communication link, a cell is selected at the wireless device, which transmits to that cell a reestablishment request message including its identifier and authentication data depending on the secret key and on an identity of the selected cell.
    Type: Grant
    Filed: August 11, 2008
    Date of Patent: April 19, 2016
    Assignee: LG Electronics Inc.
    Inventor: Patrick Fischer
  • Patent number: 9313214
    Abstract: A method (100) and an apparatus (e.g., a network node (210)) for providing enhanced security using service provider authentication. In addition to authenticating an application signature (245) against a root certificate (235) stored on the network node (210), a first carrier identification (250) associated with the application (240) is compared to a second carrier identification (255). If the first and second carrier identifications match, then the application can be assigned to a trusted protection domain and granted permissions which provide privileged access to the network node. For example, the application can be granted permission to be installed and/or executed on the network node. Otherwise the application can be denied privileged access. Accordingly, a carrier's applications will be only installed onto network nodes that are intended recipients of the applications.
    Type: Grant
    Filed: August 6, 2004
    Date of Patent: April 12, 2016
    Assignee: GOOGLE TECHNOLOGY HOLDINGS LLC
    Inventors: Ji Xiao, Jyh-Han Lin, Ronald R. Smith, Ruiqiang Zhuang
  • Patent number: 9306932
    Abstract: A certificate issuer (210) can periodically request, receive, and store current server-based certificate validation protocol (SCVP) staples (225) for supported relying parties (205) from at least one server-based certificate validation protocol (SCVP) responder (215). The certificate issuer (210) can receive a contact initiation request (220) from one of the relying parties (205). Responsive to receiving the contact initiation request (220), the certificate issuer (210) can identify a current SCVP staple from the saved staples that is applicable to the relying party (205). The certificate issuer (210) can convey a response to the contact initiation request (220) to the relying party (205). The response can comprise the identified SCVP staple and a public key infrastructure (PKI) certificate (230) of the certificate issuer. The SCVP staple can validate a certification path between the PKI certificate (230) and a different certificate trusted by the relying party (205).
    Type: Grant
    Filed: December 16, 2011
    Date of Patent: April 5, 2016
    Assignee: MOTOROLA SOLUTIONS, INC.
    Inventors: Erwin Himawan, Anthony R. Metke, Shanthi E. Thomas
  • Patent number: 9298923
    Abstract: In one implementation, software components include an identity of a revocation authority. Prior to loading of the software in a given platform, the revocation authority is checked for any revocation messages. The revocation authority creates software component specific messages for any software components to be revoked, rather than using certificate revocation or individual licenses. The messages include mitigation information, such as instructions for automatically configuring already installed software without requiring an update or change in code.
    Type: Grant
    Filed: September 4, 2013
    Date of Patent: March 29, 2016
    Assignee: Cisco Technology, Inc.
    Inventors: Joseph Salowey, Max Pritikin
  • Patent number: 9300654
    Abstract: In a certification request, a user device includes an object identifier. When a certification authority generates an identity certificate responsive to receiving the certification request, the certification authority includes the object identifier, thereby allowing improved management of the identity certificate at the user device and elsewhere.
    Type: Grant
    Filed: August 8, 2014
    Date of Patent: March 29, 2016
    Assignee: BlackBerry Limited
    Inventors: Van Quy Tu, Neil Patrick Adams
  • Patent number: 9294440
    Abstract: A proxy receives a message from a computing system in a trusted secure zone directed to a computing system outside the trusted secure zone. The proxy determines if the message includes trusted data. If the message includes trusted data, the proxy stores the trusted data for later use and provides the message to the destination computing system. When the proxy receives a message from a computing system outside the trusted secure zone directed to a computing system in the trusted secure zone, the proxy determines if the received message contains trusted data. If the message contains trusted data, the proxy determines if the trusted data matches previously stored trusted data. If the trusted data does not match, the proxy overwrites the trusted data in the message with the previously stored trusted data. The proxy then provides the modified message to the destination computing system in the trusted secure zone.
    Type: Grant
    Filed: September 7, 2012
    Date of Patent: March 22, 2016
    Assignee: Amazon Technologies, Inc.
    Inventors: James A. Conner, Jeremiah J. Connolly, Dennis Marinus, Tushaar Sethi
  • Patent number: 9280613
    Abstract: Techniques are disclosed for methods, architectures and security mechanisms for a third-party application to access content in a cloud-based platform. In one embodiment, a method includes, receiving, at the third-party application, metadata that identifies the file. The method further includes transmitting the metadata to a server which is associated with the third-party application. The metadata enables the server to request the file from the cloud-based environment.
    Type: Grant
    Filed: May 20, 2013
    Date of Patent: March 8, 2016
    Assignee: Box, Inc.
    Inventors: Michael Smith, Benjamin Campbell Smith, Simon Tan, Rico Yao
  • Patent number: 9277378
    Abstract: A method, performed by a computer device, may include receiving a Short Message Service (SMS) message. The method may further include analyzing one or more sender parameters associated with the received SMS message to validate the one or more sender parameters; determining whether the one or more sender parameters have been validated based on the analysis; rejecting the SMS message in response to determining that the one or more sender parameters have not been validated; analyzing message content included in the SMS message to validate the message content; determining whether the message content has been validated based on the analysis; rejecting the SMS message in response to determining that the message content has not been validated; and forwarding the SMS message to a recipient, in response to validating the one or more sender parameters and in response to validating the message content.
    Type: Grant
    Filed: December 21, 2012
    Date of Patent: March 1, 2016
    Assignee: Verizon Patent and Licensing Inc.
    Inventors: Jeffrey A. Jackson, Mark D. Carney, George G. Baumbach, Martin W. McKee
  • Patent number: 9277295
    Abstract: An embodiment of a system for securing media content includes a digital media device comprising a memory associated with a secure element. The memory contains a private key and storage for at least one group key. The private key is used to decrypt transmissions from a remote access control system that are encrypted by a corresponding public key. The digital media device further comprises logic configured to respond to a first message received from the remote access control system encrypted by the public key and including a first group key, the logic responding to the first message by decrypting the first group key and storing the first group key in the memory of the secure element. The digital media device further comprises logic configured to decrypt a content key with the first group key. The content key is used to encrypt media content stored on a medium accessible by the digital media device.
    Type: Grant
    Filed: June 16, 2006
    Date of Patent: March 1, 2016
    Assignee: Cisco Technology, Inc.
    Inventors: Howard G. Pinder, Andrew D. Maholski
  • Patent number: 9270646
    Abstract: The present solution provides systems and methods for generating DNS queries that are more resistant to being compromised by attackers. To generate the transaction identifier, the DNS resolver uses a cryptographic hash function. The inputs to the hash function may include a predetermined random number, the destination IP address of the name server to be queried, and the domain name to be queried. Because of the inclusion of the name server's IP address in the formula, queries for the same domain name to different name servers may have different transaction identifiers, preventing an attacker from observing a query and predicting the identifiers for other queries. Additional entropy may be provided for generating transaction identifiers by including the port number of the name server and/or a portion of the domain name as inputs to the hash function.
    Type: Grant
    Filed: April 20, 2009
    Date of Patent: February 23, 2016
    Assignee: Citrix Systems, Inc.
    Inventor: Art Shelest
  • Patent number: 9264220
    Abstract: A device and method in a provisioning unit of secure provisioning of a virtual machine on a target platform having a specific configuration is provided. The method comprising: receiving (404) a public binding key from the target platform (107), the public binding key being bound to the specific configuration, encrypting (410) a virtual machine provisioning command using the public binding key, and sending (412) the encrypted virtual machine provisioning command, to the target platform (107). By the provided device and method secure provisioning of a virtual machine on a target platform is enabled.
    Type: Grant
    Filed: April 26, 2011
    Date of Patent: February 16, 2016
    Assignee: Telefonaktiebolaget L M Ericsson (Publ)
    Inventors: Christian Gehrmann, András Méhes
  • Patent number: 9253530
    Abstract: A stream data management method includes: storing in a sequence header of the top original moving image information a terminal ID indicating a terminal which generated original moving image information and date-and-time information which is guaranteed by a third party, storing in a sequence header of the next original moving image information a characteristic value of the last partial information of the preceding original moving image information, generating signature-related information of the original moving image information, generating cutout moving image information to which a sequence header is added, generating signature-related information of the cutout moving image information, and verifying originality and actual time of cutout stream data based on the cutout moving image information, the signature-related information of the cutout moving image information, and the signature-related information of the original moving image information.
    Type: Grant
    Filed: August 18, 2010
    Date of Patent: February 2, 2016
    Assignee: FUJITSU LIMITED
    Inventor: Takashi Yoshioka
  • Patent number: 9251384
    Abstract: A trusted peripheral device can be utilized with an electronic resource, such as a host machine, in order to enable the secured performance of security and remote management in the electronic environment, where various users might be provisioned on, or otherwise have access to, the electronic resource. The peripheral can have a secure channel for communicating with a centralized management system or service, whereby the management service can remotely connect to this trusted peripheral, using a secure and authenticated network connection, in order to run the above-described functionality on the host to which the peripheral is attached.
    Type: Grant
    Filed: March 7, 2013
    Date of Patent: February 2, 2016
    Assignee: Amazon Technologies, Inc.
    Inventors: Nachiketh Rao Potlapally, Michael David Marr
  • Patent number: 9219714
    Abstract: Provided are an identity (ID)-based encryption and signature method and a terminal that use an ID of a transmitter or a receiver as a part of the filename or the extension of a file transmitted to the receiver by the transmitter. Accordingly, it is possible to enable a user to visually recognize that the file has been provided with security. Also, it is possible to designate an associated program for the extension, and the user can easily decrypt or verify the file through the designated associated program.
    Type: Grant
    Filed: May 31, 2012
    Date of Patent: December 22, 2015
    Assignees: SAMSUNG SDS CO., LTD., SNU R&DB FOUNDATION
    Inventors: Hyo Jin Yoon, Seon Young Lee, Tae Kyoung Kwon, Soo Yeon Shin, Jung Hee Cheon
  • Patent number: 9215064
    Abstract: In some embodiments, a server can establish a session with a remote client. The server can generate a session key portion for the session and a client key portion for the remote client. The server can use a combined encryption key to encrypt client data received from the remote client during the session. The combined encryption key can be generated from a static key portion accessible by the server, the session key portion, and the client key portion. The server can associate the session key portion with the session. The session key portion is accessible by the server during the session. The server can delete the client key portion after providing the client key portion to the remote client. The server can obtain the client key portion from the remote client in response to determining that subsequent transactions during the session involve decrypting the encrypted client data.
    Type: Grant
    Filed: October 21, 2013
    Date of Patent: December 15, 2015
    Assignee: Adobe Systems Incorporated
    Inventors: Jeffrey Michael Day, Peter Raymond Fransen
  • Patent number: 9215221
    Abstract: Embodiments of the present invention provide a method for implementing local routing of traffic, a base station, and a system, which relate to the field of communications technologies. The method for implementing local routing of traffic includes: judging whether local routing processing is performed on an uplink traffic flow of a first terminal that serves as a sending end; if it is judged as yes, updating a key of the uplink traffic flow of the first terminal and/or a key of a downlink traffic flow of a second terminal that serves as a receiving end to a public key; forwarding an encrypted data packet of the uplink traffic flow of the first terminal to the second terminal through the downlink traffic flow of the second terminal, where an encryption and decryption operation is not performed on the encrypted data packet before the forwarding or during the forwarding.
    Type: Grant
    Filed: December 20, 2011
    Date of Patent: December 15, 2015
    Assignee: Huawei Device Co., Ltd.
    Inventors: Su Pan, Zhiming Ding, Guiming Shu, Zhiyong Zhang, Guoqiao Chen
  • Patent number: 9213866
    Abstract: A circuit for preventing unauthorized access in an integrated circuit includes a plurality of circuit blocks and a plurality of protection circuits. Each protection circuit is coupled to an input of a corresponding circuit block of the plurality of circuit blocks. Each protection circuit determines whether an access request to the corresponding circuit block is authorized. The protection circuits could be implemented to monitor system-on-chip interconnections of master and slave circuits, for example. A method of preventing unauthorized access in an integrated circuit could be implemented using the circuit.
    Type: Grant
    Filed: April 1, 2014
    Date of Patent: December 15, 2015
    Assignee: XILINX, INC.
    Inventors: Sagheer Ahmad, Ygal Arbel
  • Patent number: 9201767
    Abstract: A system and method for implementing a testing framework including a testing unit that receives test instructions; generates a mock consumer request for a web service from a web server and a mock provider response based on the test instructions; transmits the mock consumer request to a tested unit; receives a modified consumer request from the tested unit; and transmits the mock provider response to the tested unit.
    Type: Grant
    Filed: December 23, 2013
    Date of Patent: December 1, 2015
    Assignee: Nationwide Mutual Insurance Company
    Inventors: Barry Patrick Tarlton, Michael Wayne Frayer, Eric Michael Chin, Cortez Crosby
  • Patent number: 9197669
    Abstract: Disclosed is a method for establishing an enhanced security context between a remote station and a serving network. In the method, the remote station forwards a first message to the serving network, wherein the first message includes an information element signaling that the remote station supports an enhanced security context. The remote station generates at least one session key, in accordance with the enhanced security context, using the information element. The remote station receives, in response to the first message, a second message having an indication that the serving network supports the enhanced security context. The remote station, in response to the second message, has wireless communications protected by the at least one session key.
    Type: Grant
    Filed: April 11, 2011
    Date of Patent: November 24, 2015
    Assignee: QUALCOMM Incorporated
    Inventors: Adrian Edward Escott, Anand Palanigounder
  • Patent number: 9197639
    Abstract: The present invention relates to a method for sharing data of a device in M2M communication and a system therefor. The invention comprises: a step of allowing a resource user terminal to request access authority of protected resource data to a resource owner terminal, in order to prevent a security threat; a verification step of allowing the resource owner terminal to verify the resource user terminal to request the setting of the access authority to an M2M server, and to transmit a verification key issued from the M2M server to the resource user terminal; an access authority setting step of allowing the M2M server to generate an access authentication key based on the verification key, and to transmit the access authentication key to the resource user terminal; and a using step of allowing the resource user terminal to inquire about the protected resource data from the M2M server based on the access authentication key, and to use the protected resource data.
    Type: Grant
    Filed: December 16, 2011
    Date of Patent: November 24, 2015
    Assignee: MODACOM CO., LTD.
    Inventors: Kyung Su Kim, Jae Ho Lee, Yong Jin Kim
  • Patent number: 9191812
    Abstract: Disclosed is a method for transitioning a remote station from a current serving network node having an enhanced security context to a new serving network node. In the method, the remote station provides at least one legacy key, and generates at least one session key based on a calculation using a root key and using an information element associated with the enhanced security context. The remote station forwards a first message having the information element to the new serving network node. The remote station receives a second message, from the new serving network node, having a response based on either the legacy key or the session key. The remote station determines that the new serving network node does not support the enhanced security context if the response of the second message is based on the legacy key. Accordingly, the remote station protects communications based on the legacy key upon determining that the enhanced security context is not supported.
    Type: Grant
    Filed: September 18, 2014
    Date of Patent: November 17, 2015
    Assignee: QUALCOMM Incorporated
    Inventors: Adrian Escott, Anand Palanigounder
  • Patent number: 9191403
    Abstract: A system and method of detecting command and control behavior of malware on a client computer is disclosed. One or more DNS messages are monitored from one or more client computers to a DNS server to determine a risk that one or more client computers is communicating with a botnet. Real-time entity profiles are generated for at least one of each of the one or more client computers, DNS domain query names, resolved IP addresses of query domain names, client computer-query domain name pairs, pairs of query domain name and corresponding resolved IP address, or query domain name-IP address cliques based on each of the one or more DNS messages. Using the real-time entity profiles, a risk that any of the one or more client computers is infected by malware that utilizes DNS messages for command and control or illegitimate data transmission purposes is determined. One or more scores are generated representing probabilities that one or more client computers is infected by malware.
    Type: Grant
    Filed: January 7, 2014
    Date of Patent: November 17, 2015
    Assignee: FAIR ISAAC CORPORATION
    Inventors: Scott Zoldi, Jehangir Athwal, Hua Li, Matthew Kennel, Xinwei Xue
  • Patent number: 9185385
    Abstract: The present invention makes it possible to perform transmission of stereo image data between devices in a favorable manner. A source device (disc player 210) receives E-EDID from a sink device (television receiver 250) via DDC of an HDMI cable 350. This E-EDID contains information on 3D image data transmission modes that can be supported by the sink device. On the basis of the information on 3D image data transmission modes from the sink device, the source device selects a predetermined transmission mode from among the 3D image data transmission modes that can be supported by the sink device. The sink device transmits 3D image data in the selected transmission mode to the sink device. For the convenience of processing in the sink device, the source device transmits information on the transmission mode for the 3D image data transmitted, to the sink device by using an AVI InfoFrame packet or the like.
    Type: Grant
    Filed: July 15, 2009
    Date of Patent: November 10, 2015
    Assignee: Sony Corporation
    Inventors: Yasuhisa Nakajima, Kazuyoshi Suzuki, Akihiko Tao, Shigehiro Kawai
  • Patent number: 9177345
    Abstract: Aspects of the invention include methods and systems for electronically signing a plurality of documents, such as an insurance application, a loan application, a set of mortgage papers, a bank application, or the like. A customer, or multiple customers, electronically submits the signature once and the customer's one signature is applied to all of the areas where the customer signature is required. The electronic signature may include initials and/or a graphical representation of the customer's handwritten signature. Aspects of the invention include an apparatus comprising a display, a memory, and a processor coupled to the memory and programmed with computer-executable instructions that, when executed, perform a method for electronically signing a plurality of documents.
    Type: Grant
    Filed: January 13, 2015
    Date of Patent: November 3, 2015
    Assignee: Allstate Insurance Company
    Inventors: George N. Sakkos, Carolyn Beth Carter, Yunzhu Chen, Victoria Marguerite Kummer-Donnellan
  • Patent number: 9152781
    Abstract: A Software-as-a-Service (SaaS) access control application on a client device is configured with a certificate that identifies a user, and with configuration information for one or more SaaS applications to access, and including an IDP identifier for the SaaS application. The SaaS access control application includes software to be inserted into a network software stack of the client device and software configured to serve as an identity provider for assertions. A request, made by an application on the client device to a SaaS service provider identified by a Universal Resource Locator (URL) provided during configuration of the SaaS access control application, is intercepted within the network software stack of the client device. The SaaS access control application generates an assertion based on the certificate and configuration information. The requesting application is caused to make a request to the SaaS service provider with the assertion embedded in the request.
    Type: Grant
    Filed: August 9, 2012
    Date of Patent: October 6, 2015
    Assignee: Cisco Technology, Inc.
    Inventor: Nathan Sowatskey
  • Patent number: 9154482
    Abstract: One or more first servers may receive a token, generated by a second server based on the second server validating an authorization parameter received by a third server; receive, from the second server, a token parameter, associated with the token and being associated with the authorization parameter and identifying a credential associated with the third server; receive, from the third server, a request to update the credential, the request including the token; validate the token; form an updated credential based on the token parameter and based on validating the token; and provide the updated credential to the third server. The credential may be replaced, by the third server, with the updated credential without interaction with a user of the third server.
    Type: Grant
    Filed: February 15, 2013
    Date of Patent: October 6, 2015
    Assignee: Verizon Patent and Licensing Inc.
    Inventors: Thaddeus J. Dudziak, Robert A. Sartini, Paul T. Schultz
  • Patent number: 9154997
    Abstract: A method for realizing content sharing among mobile terminals comprises: receiving an index of access content sent by a requesting mobile terminal; looking up a shareable content index table for the index of the access content; and sending identification information of a mobile terminal having the index of the access content to the requesting mobile terminal if the index of the access content is found, so that the requesting mobile terminal obtains the requested access content from the mobile terminal having the index of the access content via wireless communication.
    Type: Grant
    Filed: December 14, 2011
    Date of Patent: October 6, 2015
    Assignee: International Business Machines Corporation
    Inventors: Li Li, Yonghua Lin, Rui Xiong Tian, Qing Wang, Yi Xin Zhao
  • Patent number: 9135124
    Abstract: A command is communicated by a computer and received by a sequential storage access device. The command includes a sequence indicator. The sequential storage access device uses the sequence indicator, in a communication path failure recovery operation, to at least determine whether a command has been confirmed by the device driver as being processed by the sequential access storage device.
    Type: Grant
    Filed: April 30, 2012
    Date of Patent: September 15, 2015
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventor: Curtis C Ballard
  • Patent number: 9128782
    Abstract: An apparatus for consolidated data services comprising a plurality of devices, a plurality of data services and a content application programming interface (API). A user API provides user identification for each of the plurality of devices using one or more of a plurality of user API methods. A feedback API configured to receive data from each of the plurality of devices that identifies media content that was delivered to the plurality of devices using one or more of a plurality of feedback API methods. A device API configured to provide a client system to one or more of the plurality of devices using one or more of a plurality of device API methods. A web service consolidator coupled to the content API, the user API, the feedback API, the device API, the update API, a plurality of data services and the plurality of devices through the communications media.
    Type: Grant
    Filed: October 29, 2013
    Date of Patent: September 8, 2015
    Assignee: Tymphany Hong Kong Limited
    Inventors: Timothy J. Caplis, Vincenzo O. Giuliani, Anders C. Lokke Brogestam, Peter Celinski
  • Patent number: 9131268
    Abstract: Provided are a display device configuring a multi-display and a display method. The multi-media display receives a DisplayPort signal from outside, converts the received signal into a set of LVTTL signals, converts a portion of the LVTTL signals into a high-quality image signal capable of using HDMI to display multimedia on a corresponding display device, and converts another portion of the LVTTL signals into a DisplayPort signal to transmit the DisplayPort signal to another display device. Accordingly, an infinite multi-display can display high quality multimedia.
    Type: Grant
    Filed: September 28, 2011
    Date of Patent: September 8, 2015
    Assignee: LG Electronics Inc.
    Inventor: Kyungyoon Min
  • Patent number: 9130921
    Abstract: A system for bridging user identities between at least a first and a second security domain, including a bridge associated with the first security domain for intercepting messages for service in the second domain from users in the first domain. The bridge authenticates the user identities against a local authentication source by using an established key relationship and binds a security token with the message. A gateway is associated with the second domain for gating inbound access and outbound communication with a service in the second domain and for receiving the authenticated message and verifying the authenticity of the security token by using a certificate of the trusted authentication source and authorizing access to the service upon confirmation of the authorization, such that the authorization is independent of the identity of the user.
    Type: Grant
    Filed: April 2, 2013
    Date of Patent: September 8, 2015
    Assignee: CA, INC.
    Inventors: Toufic Boubez, Dimitri Sirota, Scott Morrison
  • Patent number: 9110964
    Abstract: According to one embodiment, in response to a list of fingerprints representing data chunks of a first batch for replication, a second batch previously transmitted to the target storage system is identified based on at least a portion of the fingerprints of the first batch. Differential encoding information is generated representing a difference between fingerprints of the first batch and the second batch. The differential encoding information is transmitted to the target storage system, without transmitting all full fingerprints of the first batch, to allow the target storage system to determine which of the data chunks are missing at the target storage system. In response to information received from the target storage system indicating one or more data chunks that are missing at the target storage system, the missing data chunks are then transmitted to the target storage system.
    Type: Grant
    Filed: March 5, 2013
    Date of Patent: August 18, 2015
    Assignee: EMC Corporation
    Inventors: Philip Shilane, Grant Wallace
  • Patent number: 9110924
    Abstract: A computer-based method and system of distributing biological sample data acquired as a digital image of a subject biological sample. The acquired digital image and image capture data are processed according to at least one user. This results in processed image data and capture metadata. The processed image data represents biological sample data of the subject biological sample. A package processing combines the processed image data and capture metadata into a working Package. The method and system enables simultaneous electronic access to the working Package by multiple users, across multiple sectors, in addition to the one user.
    Type: Grant
    Filed: April 3, 2013
    Date of Patent: August 18, 2015
    Assignee: CORISTA LLC
    Inventors: Charles P. Pace, Eric W. Wirch
  • Patent number: 9094409
    Abstract: In a method for configuring access rights, a UPnP (Universal Plug and Play) device receives CPID information sent by a first CP without administrator rights, wherein the CPID information comprises an ID of another CP obtained by the first CP. Then the UPnP device sends a CPID list that carries the CPID information to a second CP with administrator rights. And the UPnP device receives a CP right configuration command sent by the second CP, and configures access rights for at least one CP corresponding to a CPID in the CPID list.
    Type: Grant
    Filed: July 11, 2013
    Date of Patent: July 28, 2015
    Assignee: HUAWEI DEVICE CO., LTD.
    Inventors: Qinliang Zhang, Huangwei Wu, Ping Fang