Tamper Resistant Patents (Class 713/194)
  • Patent number: 8971525
    Abstract: A method of providing cipher data during a period of time when output of a primary source of cipher data is unavailable is disclosed. The method comprises switching from a primary source of cipher data to an alternate source of cipher data at a beginning of the period of time; using the cipher data from the alternate source during the period of time; and switching back to the primary source at an end of the period of time.
    Type: Grant
    Filed: February 26, 2007
    Date of Patent: March 3, 2015
    Assignee: ATI Technologies ULC
    Inventor: James Goodman
  • Patent number: 8966284
    Abstract: A memory system comprises an encryption engine implemented in the hardware of a controller. In starting up the memory system, a boot strapping mechanism is implemented wherein a first portion of firmware when executed pulls in another portion of firmware to be executed. The hardware of the encryption engine is used to verify the integrity of at least the first portion of the firmware. Therefore, only the firmware that is intended to run the system will be executed.
    Type: Grant
    Filed: November 21, 2005
    Date of Patent: February 24, 2015
    Assignee: SanDisk Technologies Inc.
    Inventors: Michael Holtzman, Ron Barzilai, Reuven Elhamias, Niv Cohen
  • Patent number: 8966264
    Abstract: A signature generation apparatus includes basic operation execution units each executing a basic operation included in a signature generation procedure; and a whole operation controller connected to the basic operation execution units to control operations in the basic operation execution units and monitor operation states of the basic operation execution units, in which when there is a basic operation execution unit among the basic operation execution units which is executing a secret operation which uses data to be concealed as an argument, the whole operation controller causes basic operation execution units other than the basic operation execution unit to simultaneously execute a random number operation which uses a random number originally used for signature generation as an argument.
    Type: Grant
    Filed: April 6, 2011
    Date of Patent: February 24, 2015
    Assignee: NEC Corporation
    Inventor: Sumio Morioka
  • Patent number: 8966638
    Abstract: A system, method, and computer program product are provided for selecting a wireless network based on security information. In use, a plurality of wireless networks is identified. Further, security information associated with each of the wireless networks is collected, such that one of the wireless networks is selected based on the security information.
    Type: Grant
    Filed: August 23, 2013
    Date of Patent: February 24, 2015
    Assignee: McAfee, Inc.
    Inventor: Sankha S. Dey
  • Patent number: 8966289
    Abstract: Various embodiments relate to a tamper-proof vehicle sensor system and a related method for sending secure packets between components. A sensing unit may include an angular sensor, such as an anisotropic magnetoresistive (AMR) sensor, which determines the angular position of a magnetic field and produces related angle sensor data. The sensing unit may place the angle sensor data in a packet and may encrypt the packet using a selected encryption key. The sensor may append an encryption key identifier (ID) associated with the selected encryption key onto the packet and send the secure, unidirectional packet to an electrical control unit (ECU). The ECU may then use the appended encryption key ID to retrieve the selected encryption key to decrypt the packet. The ECU may then extract the angle sensor data from the packet to modify the configuration of the vehicle.
    Type: Grant
    Filed: December 17, 2010
    Date of Patent: February 24, 2015
    Assignee: NXP B.V.
    Inventors: Marcus Prochaska, Nils Kolbe Kolbe
  • Patent number: 8959363
    Abstract: Embodiments of system, method, and apparatus for virtualizing TPM accesses are described. In some embodiments, an apparatus including a CPU core to execute a software program, a manageability engine coupled to the CPU core, the manageability engine to receive a trusted platform module (TPM) command requested by the software program and to process the TPM command utilizing a manageability firmware by at least creating a TPM network packet, and a network interface coupled to the manageability engine to transmit the TPM network packet to a remote TPM that is external to the apparatus for processing is utilized as a part of this virtualization process.
    Type: Grant
    Filed: June 3, 2010
    Date of Patent: February 17, 2015
    Assignee: Intel Corporation
    Inventor: Ramakrishna Saripalli
  • Patent number: 8959641
    Abstract: A method of foiling a document exploit type attack on a computer, where the attack attempts to extract malware code from within a document stored on the computer. The method includes monitoring the computer in order to detect repeated function calls made by a given process in respect of the same function but different file descriptors; and in the event that such repeated function calls are detected or the number of such repeated function calls exceeds some threshold, terminating the process that initiated the function calls.
    Type: Grant
    Filed: May 15, 2013
    Date of Patent: February 17, 2015
    Assignee: F-Secure Corporation
    Inventor: Timo Hirvonen
  • Patent number: 8959366
    Abstract: A method begins by a processing module obtaining at least an ordering threshold number of encoded data slices to produce obtained encoded data slices. The method continues with the processing module ordering the obtained encoded data slices based on a pseudo-random de-sequencing order to produce a plurality of sets of encoded data slices. The method continues with the processing module dispersed storage error decoding the plurality of sets of encoded data slices to produce a plurality of encrypted data segments. The method continues with the processing module decrypting the plurality of encrypted data segments to produce a plurality of data segments. The method continues with the processing module aggregating the plurality of data segments to produce a data stream.
    Type: Grant
    Filed: November 28, 2010
    Date of Patent: February 17, 2015
    Assignee: Cleversafe, Inc.
    Inventors: Gary W. Grube, Timothy W. Markison
  • Patent number: 8954624
    Abstract: The pureness of a connection between an external device and a host computer can be inspected or monitored to determine the status: connected or disconnected. When it is determined that a disconnection state is entered, an indication can be sent to the host and, in parallel, the data transportation from and/or to the external device may be manipulated. In some embodiments an exemplary connection protector device (CPD) may be added to the connection in between the external device and the host. The CPD can have two connectors, one for the host and one for the cable of the external device. The CPD can be adapted to identify any disconnection in the connection with the host and/or the connection with the external device on the other side of the CPD.
    Type: Grant
    Filed: October 4, 2006
    Date of Patent: February 10, 2015
    Assignee: Safend Ltd.
    Inventors: Avner Rosenan, Zvi Gutterman, Dor Skuler, Gil Sever
  • Patent number: 8955125
    Abstract: A mechanism is provided for identifying a snooping device in a network environment. A snoop echo response extractor generates an echo request packet with a bogus MAC address that will only be received by a snooping device. The snoop echo response extractor also uses an IP address that will cause the snooping device to respond to the echo request.
    Type: Grant
    Filed: November 29, 2011
    Date of Patent: February 10, 2015
    Assignee: International Business Machines Corporation
    Inventors: Tristan Anthony Brown, Shawn Patrick Mullen, Venkat Vankatsubra
  • Patent number: 8955135
    Abstract: A malware analysis system for automating cause and effect analysis of malware infections is provided. The malware analysis system monitors and records computer system activities. Upon being informed of a suspected malware infection, the malware analysis system creates a time-bounded snapshot of the monitored activities that were conducted within a time frame prior to the notification of the suspected malware infection. The malware analysis system may also create a time-bounded snapshot of the monitored activities that are conducted within a time frame subsequent to the notification of the suspected malware infection. The malware analysis system provides the created snapshot or snapshots for further analysis.
    Type: Grant
    Filed: February 8, 2012
    Date of Patent: February 10, 2015
    Assignee: Microsoft Corporation
    Inventors: Gregory D. Hartrell, David J. Steeves, Efim Hudis
  • Patent number: 8953330
    Abstract: A security protection device includes a cover circuit board comprising at least one inner wiring layer and a base circuit board comprising at least one inner wiring layer. The device further includes a security frame between the base circuit board and the cover circuit board, at least one electrically conductive wire being wound and included within the security frame to form at least one winding protection layer around sides of the security frame. The cover circuit board, the security frame, and the base circuit board form an enclosure enclosing a security zone, and the at least one inner wiring layer within the cover circuit board, the at least one inner wiring layer within the base circuit board, and the at least one electrically conductive wire within the security frame are connectable to a security mechanism configured to detect an intrusion into the security zone.
    Type: Grant
    Filed: March 4, 2013
    Date of Patent: February 10, 2015
    Assignee: PAX Computer Technology Co., Ltd.
    Inventors: Shuxian Shi, Hongtao Sun
  • Patent number: 8955134
    Abstract: A malware analysis system for automating cause and effect analysis of malware infections is provided. The malware analysis system monitors and records computer system activities. Upon being informed of a suspected malware infection, the malware analysis system creates a time-bounded snapshot of the monitored activities that were conducted within a time frame prior to the notification of the suspected malware infection. The malware analysis system may also create a time-bounded snapshot of the monitored activities that are conducted within a time frame subsequent to the notification of the suspected malware infection. The malware analysis system provides the created snapshot or snapshots for further analysis.
    Type: Grant
    Filed: February 8, 2012
    Date of Patent: February 10, 2015
    Assignee: Microsoft Corporation
    Inventors: Gregory D. Hartrell, David J. Steeves, Efim Hudis
  • Patent number: 8949929
    Abstract: Methods and devices provide a secure virtual environment within a mobile device for processing documents and conducting secure activities. The methods and devices create a secure application environment in which secure data and documents may be segregated from unsecured data using document encryption, allowing the application of security policies to only the secure application environment. The creation of a secure application environment allows users to access and manipulate secure data on any mobile device, not just specifically designated secure devices, without having to secure all data on the mobile device, while providing the corporate entity with necessary document security. The methods and devices provide for securing data on a mobile device at the data level using encryption.
    Type: Grant
    Filed: August 10, 2011
    Date of Patent: February 3, 2015
    Assignee: QUALCOMM Incorporated
    Inventors: Charles C. Kelly, Joshua R. Davis
  • Patent number: 8943329
    Abstract: A method and apparatus are disclosed for sharing an integrity security module in a dual-environment computing device. The apparatus includes an integrity security module, one or more processors, a detection module and a regeneration module. The one or more processors may have access to the integrity security module and may operate in two distinct operating environments of a dual-environment computing device. The detection module may detect, during an initialization sequence, a power state transition of an operating environment of the dual-environment computing device. The regeneration module may regenerate one or more integrity values from a stored integrity metric log in response to detecting the power state transition of the operating environment of the dual-environment computing device.
    Type: Grant
    Filed: March 29, 2010
    Date of Patent: January 27, 2015
    Assignee: Lenovo (Singapore) Pte. Ltd.
    Inventors: David Carroll Challener, Daryl C. Cromer, Howard J. Locker, Randall Scott Springfield
  • Patent number: 8943326
    Abstract: A novel system and method for accessing data stored in a secure or tamperproof storage device in a wireless communication device is provided. The wireless communication device may include a biometric sensor for capturing a biometric sample of the user. The captured biometric sample may be compared to known biometric samples of users stored in a memory device of the wireless communication device. If the captured biometric sample matches one of the known biometric samples, the user is allowed access to the tamperproof storage device for a preset amount of time. The user may delete existing data, add new data, modify existing data or view existing data stored in the tamperproof storage device.
    Type: Grant
    Filed: January 29, 2008
    Date of Patent: January 27, 2015
    Assignee: QUALCOMM Incorporated
    Inventors: Pravin Sajan Tamkhane, Shrinivas Bairi
  • Publication number: 20150026485
    Abstract: The present invention considers an apparatus for prevention of tampering, unauthorized use, and unauthorized extraction of information from at least one secure system including at least one information device arranged to process information, at least one integrated encryption segment arranged to encrypt the information using at least one encryption process enabled by a set of encryption key information incorporated in at least one secure information storage of the at least one information device, at least one destruction driver arranged to initiate and support at least one controllable energy release in a proximity of the at least one secure information storage of the at least one information device incorporating the set of encryption key information, such that at least fraction of the set of encryption key information has been obliterated during the controllable energy discharge.
    Type: Application
    Filed: July 10, 2014
    Publication date: January 22, 2015
    Inventor: Andrew N. Mostovych
  • Patent number: 8938627
    Abstract: An arrangement for the protection of cryptographic keys and codes from being compromised by external tampering, wherein the arrangement is utilized within a multilayered securing structure. More particularly, there is provided a multilayered securing structure for the protection of cryptographic keys and codes, which may be subject to potential tampering when employed in computers and/or telecommunication systems. A method is provided for producing such multilayered securing structures within a modular substrate with the intent to protect cryptographic keys and codes which are employed in computers and/or telecommunication systems from the dangers of potential tampering or unauthorized access.
    Type: Grant
    Filed: April 13, 2010
    Date of Patent: January 20, 2015
    Assignee: International Business Machines Corporation
    Inventors: Stefano S. Oggioni, Vincenzo Condorelli, Claudius Feger
  • Patent number: 8935523
    Abstract: An auditable cryptographic protected communication system for connecting an enterprise server to a plurality of industrial devices using messaging protocols for each industrial device enabling the industrial devices to receive commands and transmit status and measurement data using the individual device messaging protocols over a network.
    Type: Grant
    Filed: December 11, 2012
    Date of Patent: January 13, 2015
    Assignee: DJ Inventions, LLC
    Inventor: Douglas C. Osburn, III
  • Patent number: 8935520
    Abstract: A device for descrambling encrypted data includes a descrambler, a secure link, and a secure element that securely transmits a control word to the descrambler in a normal operating mode. The secure element includes a first secure register, a read-only memory having a boot code, a random-access memory for storing a firmware image from an external memory, and a processor coupled to the first secure register, the read-only memory, and the random access memory. The processor executes the boot code to generate the control word, stores the control word in the first secure register, and sends the stored control word to the descrambler through a secure communication link. The descrambler may include a second secure register that is connected to the first secure register through the secure link. The first and second secure registers are not scannable during a normal operation. The secure link contains buried signal traces.
    Type: Grant
    Filed: March 30, 2011
    Date of Patent: January 13, 2015
    Assignee: MaxLinear, Inc.
    Inventor: Maxime Leclercq
  • Patent number: 8930711
    Abstract: A storage device contains a smart-card device and a memory device, which is connected to a controller. The storage device may be used in the same manner as a conventional smart-card device, or it may be used to store a relatively large amount of data. The memory device may also be used to store data or instructions for use by the smart-card device. The controller includes a security engine that uses critical security parameters stored in, and received from, the smart-card device. The critical security parameters may be sent to the controller in a manner that protects them from being discovered. The critical security parameters may be encryption and/or decryption keys that may encrypt data written to the memory device and/or decrypt data read from the memory device, respectively. Data and instructions used by the smart-card device may therefore be stored in the memory device in encrypted form.
    Type: Grant
    Filed: April 2, 2012
    Date of Patent: January 6, 2015
    Assignee: Micron Technology, Inc.
    Inventors: Mehdi Asnaashari, Ruchirkumar D. Shah, Sylvain Prevost, Ksheerabdhi Krishna
  • Patent number: 8931084
    Abstract: Methods and systems for cross-site scripting (XSS) defense are described herein. An embodiment includes embedding one or more tags in content at a server to identify executable and non-executable regions in the content and transmitting the content with the tags to a client based on a request from the client. Another embodiment includes receiving content embedded with one or more permission tags from a server, processing the content and the permission tags, and granting permission to a browser to execute executable content in the content based on the permission tags. A method embodiment also includes receiving content embedded with one or more verify tags from a server, performing an integrity check using the verify tags and granting permission to a browser to execute executable content in the content based on the integrity check.
    Type: Grant
    Filed: September 11, 2009
    Date of Patent: January 6, 2015
    Assignee: Google Inc.
    Inventors: Cem Paya, Johann Tomas Sigurdsson, Sumit Gwalani
  • Patent number: 8930600
    Abstract: A protecting circuit for a basic input output system (BIOS) chip of a computer includes a platform controller hub (PCH), an inverting circuit connected to the PCH, a BIOS socket to connect the BIOS chip, and a controlling circuit connected between the inverting circuit and the BIOS socket. The PCH outputs a first signal or a second signal, and a third signal. The inverting circuit outputs an inverted signal with a level contrary to the first or second signal. The controlling circuit receives the first or second signal and the inverted signal, to output a processing signal to the BIOS socket, thereby controlling write-protection states of the BIOS chip.
    Type: Grant
    Filed: November 13, 2012
    Date of Patent: January 6, 2015
    Assignees: Hong Fu Jin Precision Industry (ShenZhen) Co., Ltd., Hon Hai Precision Industry Co., Ltd.
    Inventors: Guo-Yi Chen, Bo Tian, Yang Gao
  • Patent number: 8925072
    Abstract: An end device may include a camera configured to capture an image of an object, a touch screen configured to receive a touch input and a processor configured to determine to unlock the end device based, at least in part, on the image of the object and the touch input.
    Type: Grant
    Filed: January 31, 2013
    Date of Patent: December 30, 2014
    Assignee: University of Seoul Industry Cooperation Foundation
    Inventor: Jin Suk Kim
  • Patent number: 8913739
    Abstract: A method and device for transforming data with a secret parameter in an elliptic curve cryptosystem based on an elliptic curve defined over an underlying prime field, includes multiplying a point of the elliptic curve; representing the data to be transformed, by a scalar representing the secret parameter, wherein the multiplying includes performing at least one point addition operation and at least one point doubling operation on points of the elliptic curve; providing a representation in affine coordinates of the elliptic curve point to be multiplied and a representation in projective coordinates of intermediate elliptic curve points obtained during the multiplying; performing both the point addition operation and the point doubling operation by means of a sequence of elementary prime field operation types, the elementary prime field operation types including: a first type of prime field operations including field multiplication and field squaring of coordinates of the elliptic curve points and a second type
    Type: Grant
    Filed: October 18, 2005
    Date of Patent: December 16, 2014
    Assignee: Telecom Italia S.p.A.
    Inventor: Jovan Golic
  • Patent number: 8909942
    Abstract: A secure data storage system includes a mechanism that can be activated to inhibit access to stored data. In one embodiment, access to stored data can be prevented without having to erase or modify such data. An encryption key, or data used to generate the encryption key, is stored in an MRAM module integrated within the data storage system. The data storage system uses the encryption key to encrypt data received from a host system, and to decrypt the encrypted data when it is subsequently read by a host system. To render the stored data inaccessible, an operator (or an automated process) can expose the MRAM module to a magnetic field of sufficient strength to erase key data therefrom.
    Type: Grant
    Filed: March 30, 2012
    Date of Patent: December 9, 2014
    Assignee: Western Digital Technologies, Inc.
    Inventors: Dmitry S. Obukhov, Afshin Latifi, Justin Jones
  • Patent number: 8908866
    Abstract: A method and apparatus to provide a cryptographic protocol for secure authentication, privacy, and anonymity. The protocol, in one embodiment, is designed to be implemented in a small number of logic gates, executed quickly on simple devices, and provide military grade security.
    Type: Grant
    Filed: April 13, 2012
    Date of Patent: December 9, 2014
    Assignee: Symantec Corporation
    Inventors: Joseph A. Adler, David M'Raihi
  • Patent number: 8904195
    Abstract: Methods and systems for secure communication between a client application and a secure element on a mobile device involve, for example, encrypting a request including a randomly generated session key by the client application with a user's unique public key and sending the encrypted request to the secure element. The request message is decrypted with a user's unique private key on the secure element, a response message is encrypted with the session key retrieved from the decrypted request and sent to the client application, which decrypts the response with the session key.
    Type: Grant
    Filed: August 21, 2013
    Date of Patent: December 2, 2014
    Assignee: Citibank, N.A.
    Inventors: Syed Rahat, Wayne Browning
  • Patent number: 8898482
    Abstract: In one embodiment of the present invention, a first user—the creator—uses a web browser to encrypt some information. The web browser provides to the creator a URL which contains the key used for encryption, such as in the form of an anchor embedded within a URL. The web browser also provides a hash of the cryptographic key and the encrypted information to a web server. The creator transmits the URL to a second user—the viewer—who provides the URL to a web browser, thereby causing the web browser to navigate to a decryption web page maintained by the web server, but without transmitting the cryptographic key to the web server. The viewer's web browser hashes the cryptographic key and sends the hash to the web server, which uses the hash to identify and return the encrypted information to the viewer's web browser, which in turn uses the encryption key to decrypt the message and display the decrypted message to the viewer.
    Type: Grant
    Filed: February 22, 2011
    Date of Patent: November 25, 2014
    Assignee: Lockify, Inc.
    Inventors: Christopher Templin, Jonathan Templin, Andrew Shearer
  • Patent number: 8898768
    Abstract: A computer or microchip comprising a central controller that is connected by a secure control bus with the other parts of the computer or microchip, including a volatile random access memory (RAM) located in a portion of the computer or microchip that is connected to a network. The secure control bus is isolated from any input from the network and provides and ensures direct preemptive control by the central controller over the volatile random access memory (RAM). The direct preemptive control includes transmission of data and/or code to the volatile random access memory (RAM) or erasure of data and/or code in the volatile random access memory (RAM) and includes control of the connection between the central controller and the volatile random access memory (RAM) and between the volatile random access memory (RAM) and a microprocessor having a connection for the network.
    Type: Grant
    Filed: March 15, 2013
    Date of Patent: November 25, 2014
    Inventor: Frampton E. Ellis
  • Patent number: 8898732
    Abstract: Methods, systems, computer-readable media, and apparatuses for providing a managed browser are presented. In various embodiments, a computing device may load a managed browser. The managed browser may, for instance, be configured to provide a managed mode in which one or more policies are applied to the managed browser, and an unmanaged mode in which such policies might not be applied and/or in which the browser might not be managed by at least one device manager agent running on the computing device. Based on device state information and/or one or more policies, the managed browser may switch between the managed mode and the unmanaged mode, and the managed browser may provide various functionalities, which may include selectively providing access to enterprise resources, based on such state information and/or the one or more policies.
    Type: Grant
    Filed: October 1, 2013
    Date of Patent: November 25, 2014
    Assignee: Citrix Systems, Inc.
    Inventor: Waheed Qureshi
  • Patent number: 8892908
    Abstract: A cryptography module includes a key store having a plurality of storage locations for storing a key as k key fragments including a plurality of random key fragments and a remainder key fragment. One or more crypto-processing segments each operate based on corresponding ones of the k key fragments to process an input signal to produce an output signal.
    Type: Grant
    Filed: December 24, 2010
    Date of Patent: November 18, 2014
    Assignee: Morega Systems Inc.
    Inventors: Zeev Lieber, Thomas Jefferson Saremi
  • Patent number: 8892837
    Abstract: Methods and apparatuses for improving security of an integrated circuit (IC) are provided. A tamper condition is detected and a digital key stored in the IC is erased. The digital key is associated with a first image loaded onto the IC from a first memory. The memory may be a non-volatile memory module. A second image is loaded into a second memory module. The second memory module may be an embedded memory module, e.g., a control random access memory (CRAM) module. The first image is then erased from the first and second memory modules.
    Type: Grant
    Filed: February 22, 2011
    Date of Patent: November 18, 2014
    Assignee: Altera Corporation
    Inventors: Noor Hazlina Ramly, Yin Mei Yap
  • Publication number: 20140337642
    Abstract: A cryptographic system includes a memory device and a processor. The memory device has at least two sections, including a first section and a second section. The processor is configured to determine a mode of operation, receive a signal, and selectively zeroize at least one section of the memory device based at least in part on the received signal and the determined mode of operation.
    Type: Application
    Filed: May 8, 2014
    Publication date: November 13, 2014
    Applicant: CYBER SOLUTIONS INTERNATIONAL, LLC
    Inventor: Richard J. Takahashi
  • Patent number: 8885821
    Abstract: A method begins by a processing module receiving data segments of a data stream to produce received data segments. The method continues with the processing module encrypting a data segment of the received data segments to produce an encrypted data segment and dispersed storage error encoding the encrypted data segment to produce a set of encoded data slices in order of receiving the data segments. The method continues with the processing module buffering encoded data slices of sets of the encoded data slices unit to produce buffered encoded data slices and comparing a number of buffered encoded data slices to a threshold. The method continues with the processing module outputting the encoded data slices of the buffered encoded data slices based on a pseudo-random sequencing order when the number of buffered encoded data slices compares favorably to the threshold.
    Type: Grant
    Filed: November 28, 2010
    Date of Patent: November 11, 2014
    Assignee: Cleversafe, Inc.
    Inventors: Gary W. Grube, Timothy W. Markison
  • Patent number: 8881264
    Abstract: A method for controlling the execution of an applet for an IC Card including a java card platform, includes a phase for downloading the applet inside the IC Card, a phase for executing the applet through the java card platform and a phase for storing an identification platform number inside a memory portion of the IC Card. The phase for executing the applet has a first step for detecting the identification platform number to perform the phase for executing the applet with or without restrictions, respectively if the identification platform number is not or is detected by the step for detecting. The applet is a java card applet or a SIM toolkit applet.
    Type: Grant
    Filed: May 16, 2008
    Date of Patent: November 4, 2014
    Assignee: STMicroelectronics International N.V.
    Inventor: Maria Chichierchia
  • Patent number: 8875290
    Abstract: The present application is directed towards systems and methods for aggressively probing a client side connection to determine and counteract a malicious window size attack or similar behavior from a malfunctioning client. The solution described herein detects when a connection may be under malicious attack via improper or unusual window size settings. Responsive to the detection, the solution described herein will setup probes that determine whether or not the client is malicious and does so within an aggressive time period to avoid the tying up of processing cycles, transport layer sockets and buffers, and other resources of the sender.
    Type: Grant
    Filed: February 18, 2013
    Date of Patent: October 28, 2014
    Assignee: Citrix Systems, Inc.
    Inventors: Varun Taneja, Mahesh Mylarappa, Saravanakumar Annamalaisami
  • Patent number: 8874937
    Abstract: A user interface for a fuel dispenser has a display, a display controller, and control circuitry. The control circuitry includes a processing device, memory, and at least one microswitch. The display controller and the control circuitry are positioned such that the microswitch connects the control circuitry to the display controller. The microswitch is activated if the control circuitry is separated from the display controller. Activation of the microswitch causes any sensitive information stored by the control circuitry to be erased. In one aspect, separation of the display controller from the control circuitry is the only manner by which the processing device and/or the memory may be accessed.
    Type: Grant
    Filed: June 9, 2010
    Date of Patent: October 28, 2014
    Assignee: Gilbarco, S.r.l.
    Inventor: Giovanni Carapelli
  • Patent number: 8874936
    Abstract: The terminal device 600 comprises: a read unit configured to read encrypted content and a content signature from a regular region of a recording medium device 700, and to read a converted title key from an authorized region of the recording medium device 700, the converted title key having been converted from a title key with use of a content signature generated by an authorized signature device 500; a title key reconstruction unit configured to generate a reconstructed title key by reversely converting the converted title key with use of the content signature read by the read unit; and a playback unit configured to decrypt the encrypted content with use of the reconstructed title key to obtain decrypted content, and to play back the decrypted content.
    Type: Grant
    Filed: August 22, 2012
    Date of Patent: October 28, 2014
    Assignee: Panasonic Corporation
    Inventors: Takahiro Yamaguchi, Yuichi Futa, Toshihisa Nakano
  • Patent number: 8875273
    Abstract: A method for achieving code domain isolation. A first set of data is received in a first domain format. The first set of data is changed to a second domain format. The first set of data in the second domain format is captured. The first set of data in the second domain format is changed to a third domain format. The first set of data in the third domain format is prepared for receipt by a user computer system.
    Type: Grant
    Filed: August 3, 2011
    Date of Patent: October 28, 2014
    Assignee: Isolated Technologies, Inc.
    Inventors: Phillip John Sobolewski, Mark Doyle
  • Patent number: 8874938
    Abstract: A program execution device capable of protecting a program against unauthorized analysis and alteration is provided. The program execution device includes an execution unit, a first protection unit, and a second protection unit. The execution unit executes a first program and a second program, and is connected with an external device that is capable of controlling the execution. The first protection unit disconnects the execution unit from the external device while the execution unit is executing the first program. The second protection unit protects the first program while the execution unit is executing the second program.
    Type: Grant
    Filed: July 26, 2013
    Date of Patent: October 28, 2014
    Assignee: Panasonic Intellectual Property Corporation of America
    Inventors: Hideki Matsushima, Teruto Hirota, Yukie Shoda, Shunji Harada
  • Patent number: 8869260
    Abstract: A computer or microchip securely controlled through a private network including a connection to a network of computers including the Internet; a separate connection to at least a private network of computers located in a hardware protected area of said computer or microchip, a first microprocessor, core or processing unit configured to connect to the connection to the network of computers including the Internet; a master controlling device for the computer or microchip located in the hardware protected area; and a secure control bus configured to connect at least said master controlling device with said microprocessor, core or processing unit, and isolated from input from the network and components other than said master controlling device. The master controlling device securely controls an operation executed by the microprocessor, core or processing unit, with secure control being provided through the private network to the private network connection through the secure control bus.
    Type: Grant
    Filed: February 15, 2013
    Date of Patent: October 21, 2014
    Inventor: Frampton E. Ellis
  • Patent number: 8868933
    Abstract: A tamper resistant software Agent for enabling, supporting and/or providing various services (e.g., tracking assets; data delete and updating software) comprises multiple functional modules, including a loader module (CLM) that loads and gains control during POST, independent of the OS, an Adaptive Installer Module (AIM), and a Communications Driver Agent (CDA). Once control is handed to the CLM, it loads the AIM, which in turn locates, validates, decompresses and adapts the CDA for the detected OS environment. The CDA exists in two forms, a mini CDA that determines whether a full or current CDA is located somewhere on the device, and if not, to load the full-function CDA from a network; and a full-function CDA that is responsible for all communications between the device and the monitoring server. In another aspect, the servicing functions that the Agent performs can be controlled by a remote server, by combining generic sub-function calls available in the Agent.
    Type: Grant
    Filed: March 28, 2005
    Date of Patent: October 21, 2014
    Assignee: Absolute Software Corporation
    Inventor: Philip B. Gardner
  • Patent number: 8869265
    Abstract: A method in one example implementation includes intercepting a request associated with an execution of an object (e.g., a kernel module or a binary) in a computer configured to operate in a virtual machine environment. The request is associated with a privileged domain of the computer that operates logically below one or more operating systems. The method also includes verifying an authorization of the object by computing a checksum for the object and comparing the checksum to a plurality of stored checksums in a memory element. The execution of the object is denied if it is not authorized. In other embodiments, the method can include evaluating a plurality of entries within the memory element of the computer, wherein the entries include authorized binaries and kernel modules. In other embodiments, the method can include intercepting an attempt from a remote computer to execute code from a previously authorized binary.
    Type: Grant
    Filed: December 21, 2012
    Date of Patent: October 21, 2014
    Assignee: McAfee, Inc.
    Inventors: Amit Dang, Preet Mohinder
  • Patent number: 8863260
    Abstract: A mechanism is provided for enhancing password protection. A combination password that comprises dynamic text interspersed within a static user password is received from a user. A determination is made as to whether the combination password is to be verified without the dynamic text. Responsive to identifying that the combination password is to be verified without the dynamic text, the dynamic text is filtered from the combination password based on an identified dynamic suggestion issued to the user prior to the combination password being received thereby forming a filtered password. The filtered password is then authenticated using information stored for the user. Responsive to validating the filtered password, access is granted by the user to a secured system.
    Type: Grant
    Filed: June 7, 2012
    Date of Patent: October 14, 2014
    Assignee: International Business Machines Corporation
    Inventors: Abdullah A. Chougle, Vishal V. Chougule, Priyanka P. Jain
  • Patent number: 8856504
    Abstract: Techniques are described for securely booting and executing a virtual machine (VM) image in an untrusted cloud infrastructure. A multi-core processor may be configured with additional hardware components—referred to as a trust anchor. The trust anchor may be provisioned with a private/public key pair, which allows the multi-core CPU to authenticate itself as being able to securely boot and execute a virtual machine (VM) image in an untrusted cloud infrastructure.
    Type: Grant
    Filed: June 7, 2010
    Date of Patent: October 7, 2014
    Assignee: Cisco Technology, Inc.
    Inventors: Fabio R. Maino, Pere Monclus, David A. McGrew, Robert T. Bell, Steven Joseph Rich
  • Patent number: 8856899
    Abstract: A security service determines whether to grant a user access to a resource. The service receives from the user a security term in an obscured form derived from a revealed form of the security term according to a predefined padding scheme known to the user and to the security service. The service applies the padding scheme to the received term to result in a de-padded security term and confirms that the de-padded security term matches the retrieved revealed security term. Additionally, the service confirms that the received term has not been previously employed within a predetermined frame of reference. Accordingly, if the received obscured security term is purloined and re-used within the predetermined frame of reference, the security service denies access to the resource.
    Type: Grant
    Filed: June 20, 2008
    Date of Patent: October 7, 2014
    Assignee: United Services Automobile Association (USAA)
    Inventors: Randy Ray Morlen, Michael Frank Morris
  • Publication number: 20140298044
    Abstract: The invention relates to methods and apparatuses for acquiring a physical measurement, and for creating a cryptographic certification of that measurement, such that its value and time can be verified by a party that was not necessarily present at the measurement. The certified measurement may also include corroborative information for associating the actual physical measurement process with the certified measurement. Such corroborative information may reflect the internal or external state of the measurement certification device, as well as witness identifiers of any persons that may have been present at the measurement acquisition and certification. The certification may include a signal receiver to receive timing signals from a satellite or other external source. The external timing signals may be used to generate the time included in the certified measurement, or could be used to determine the location of the measurement certification device for inclusion in the certified measurement.
    Type: Application
    Filed: June 16, 2014
    Publication date: October 2, 2014
    Inventors: Jay S. Walker, Bruce Schneier, James A. Jorasch
  • Patent number: 8850609
    Abstract: A processing device comprising a processor coupled to a memory is configured to determine a risk of simultaneous theft of a primary device and at least one satellite device associated with the primary device, and to identify said at least one satellite device as an appropriate authentication factor for use in an authentication process involving the primary device, based at least in part on the determined risk. The identified satellite device may serve as an additional or alternative authentication factor relative to one or more other authentication factors. The processing device may comprise the primary device itself, or another separate device, such as an authentication server that also participates in the authentication process. Information associated with the identified satellite device is utilized in the authentication process to authenticate a user of the primary device.
    Type: Grant
    Filed: September 24, 2012
    Date of Patent: September 30, 2014
    Assignee: EMC Corporation
    Inventor: Ari Juels
  • Patent number: 8850231
    Abstract: Disclosed are a method and apparatus for a data storage library comprising a plurality of drives and a combination bridge controller device adapted to direct and make compatible communication traffic between a client and the plurality of drives. The combination bridge controller device is further adapted to encrypt a first data package received from the client. The combination bridge controller device is further adapted to transmit the encrypted first data package, a first moniker and a first message authentication code to one of the plurality of drives for storage to a cooperating mobile storage medium. The combination bridge controller device is further adapted to decrypt the first data package when used in combination with a first key associated with the first moniker and guarantee the decryption of the first data package was successfully accomplished with authentication of the first message authentication code.
    Type: Grant
    Filed: December 18, 2009
    Date of Patent: September 30, 2014
    Assignee: Spectra Logic Corporation
    Inventors: Matthew Thomas Starr, Jeff Robert Boyton, Nathan Christopher Thompson