Patents Examined by Abdullah Almamun
  • Patent number: 9197606
    Abstract: According to one general aspect, a method of using a first probing device may include monitoring one or more encrypted communications sessions between a first computing device and a second computing device. In some implementations of the method, each encrypted communications session includes transmitting a plurality of encrypted data objects between the first and second computing devices. The method may include deriving, by the first probing device, timing information regarding an encrypted communications session. The method may also include transmitting, from the first probing device to a second probing device, the derived timing information.
    Type: Grant
    Filed: March 28, 2012
    Date of Patent: November 24, 2015
    Assignee: BMC SOFTWARE, INC.
    Inventors: Danny Deschênes, Joe Hsy, Pierre Larose
  • Patent number: 9154494
    Abstract: There are disclosed systems and methods for creating a self-signed implicit certificate. In one embodiment, the self-signed implicit certificate is generated and operated upon using transformations of a nature similar to the transformations used in the ECQV protocol. In such a system, a root CA or other computing device avoids having to generate an explicit self-signed certificate by instead generating a self-signed implicit certificate.
    Type: Grant
    Filed: April 4, 2013
    Date of Patent: October 6, 2015
    Assignee: Certicom Corp.
    Inventors: Matthew John Campagna, Marinus Struik
  • Patent number: 9147071
    Abstract: A method for detecting malware device drivers includes the steps of identifying one or more device drivers loaded on an electronic device, analyzing the device drivers to determine suspicious device drivers, accessing information about the suspicious device drivers in a reputation system, and evaluating whether the suspicious device drivers include malware. The suspicious device drivers are not recognized as not including malware. The reputation system is configured to store information about suspicious device drivers. The evaluation is based upon historical data regarding the suspicious device driver.
    Type: Grant
    Filed: July 20, 2010
    Date of Patent: September 29, 2015
    Assignee: McAfee, Inc.
    Inventor: Ahmed Said Sallam
  • Patent number: 9135833
    Abstract: A method and network element identify a set of bit indices for forming compressed keys, which are used to map a set of keys of corresponding input values to assigned lookup values in a hash table, where the keys of the input values have colliding hash values according to a hash function of the hash table. The method includes a set of steps including receiving the set of keys. The bits of the set of keys are traversed to find a best split bit index. The set of keys are split into two subsets according to the best split bit index. A check is made whether all of the set of keys have been split into separate subsets. A selected best split bit is added to a bit index. Alternate split bits are tallied and a bit is selected with a highest tally to add to bit index.
    Type: Grant
    Filed: April 9, 2013
    Date of Patent: September 15, 2015
    Assignee: Telefonaktiebolaget L M Ericsson (publ)
    Inventor: Vikram Guleria
  • Patent number: 9135430
    Abstract: The present invention concerns application of digital rights management to industrial automation devices including programmable logic controllers (PLCs), I/O devices, and communication adapters. Digital rights management involves a set of technologies for controlling and managing access to device objects and/or programs such as ladder logic programs. Access to automation device objects and/or programs can be managed by downloading rules of use that define user privileges with respect to automation devices and utilizing digital certificates, among other things, to verify the identity of a user desiring to interact with device programs, for example. Furthermore, the present invention provides for secure transmission of messages to and amongst automation devices utilizing public key cryptography associated with digital certificates.
    Type: Grant
    Filed: December 2, 2009
    Date of Patent: September 15, 2015
    Assignee: Rockwell Automation Technologies, Inc.
    Inventor: David M. Callaghan
  • Patent number: 9135405
    Abstract: A system and method for automatically generating exploits, such as exploits for target code, is described. In some implementations, the system receives binary code and/or source code of a software application, finds one or more exploitable bugs within the software application, and automatically generates exploits for the exploitable bugs.
    Type: Grant
    Filed: May 25, 2012
    Date of Patent: September 15, 2015
    Assignee: Carnegie Mellon University
    Inventors: David Brumley, Sang Kil Cha, Thanassis Avgerinos
  • Patent number: 9130693
    Abstract: A method and apparatus is used for generating a perfectly random secret key between two or more transceivers in a wireless communication network. In a point-to-point system, both transceivers produce an estimate of the channel impulse response (CIR) based on the received radio signal. The CIR estimation is synchronized and may include error correction and detection. A long secret key of bits is generated from a digitized version of the CIR estimate, from which a perfectly secret encryption key is derived by privacy amplification.
    Type: Grant
    Filed: July 12, 2012
    Date of Patent: September 8, 2015
    Assignee: InterDigital Technology Corporation
    Inventors: Alexander Reznik, Akinlolu Oloruntosi Kumoluyi, Guodong Zhang, Prabhakar R. Chitrapu, Gregory S. Sternberg, Yogendra C. Shah, Alain Charles Louis Briancon, Chunxuan Ye
  • Patent number: 9059966
    Abstract: The present application enables the enterprise to configure various policies to address various subsets of the traffic based on various information relating to the client, the server, or the details and nature of the interactions between the client and the server. An intermediary deployed between clients and servers may establish an SSL VPN session between a client and a server. The intermediary may receive a response from a server to a request of a client via the clientless SSL VPN session. The response may comprise one or more cookies. The intermediary may identify an access profile for the clientless SSL VPN session. The access profile may identify one or more policies for proxying cookies. The intermediary may determine, responsive to the one or more policies of the access profile, whether to proxy or bypass proxying for the client the one or more cookies.
    Type: Grant
    Filed: June 17, 2014
    Date of Patent: June 16, 2015
    Assignee: Citrix Systems, Inc.
    Inventors: Puneet Agarwal, Saibal Kumar Adhya, Srinivasan Thirunarayanan, James Harris
  • Patent number: 9047107
    Abstract: A mechanism for applying security category labels to multi-tenant applications of a node in a PaaS environment is disclosed. A method of embodiments includes receiving, by a virtual machine (VM) executing on a computing device, a custom security type label (STL) and a custom security policy associated with the custom STL, the custom STL and associated custom security policy applied to one or more multi-tenant applications executed by the VM. The method further includes receiving a request to initialize an application on the VM, the request identifying the custom STL as an STL to apply to the application, assigning a local UID maintained by the VM to the application, recording a mapping of the assigned local UID to the custom STL, assigning the custom STL to files of the application, and assigning the custom STL to a running process of the application.
    Type: Grant
    Filed: February 29, 2012
    Date of Patent: June 2, 2015
    Assignee: Red Hat, Inc.
    Inventors: Daniel J. Walsh, Michael P. McGrath
  • Patent number: 9043606
    Abstract: Embodiments show an apparatus for verifying a validity of an encrypted token associated to a product, wherein the apparatus has a decryptor for decrypting an encrypted token using a decryption key to obtain a decrypted token having information bits related to the product and structure bits. The apparatus further has an evaluator for evaluating whether the structure bits fulfill a predetermined condition, wherein the encrypted token is verified to be valid when the predetermined condition is fulfilled or is not verified to be valid when the predetermined condition is not fulfilled. Further embodiments show an apparatus for generating an encrypted token associated to a product, wherein the apparatus has a plain token generator and an encryptor for encrypting the plain token using an encryption key to obtain an encrypted token.
    Type: Grant
    Filed: May 2, 2014
    Date of Patent: May 26, 2015
    Assignee: NERO AG
    Inventors: Daniel Bister, Jens Fangmeier, Andreas Eckleder
  • Patent number: 9038128
    Abstract: A mechanism for applying security category labels to multi-tenant applications of a node in a PaaS environment is disclosed. A method of embodiments includes generating, by a virtual machine (VM), a unique security category label (SCL) for each local user identification (UID) maintained by the VM, assigning, for each local UID maintained by the VM, the unique SCL associated with the local UID to one or more Internet Protocol (IP) addresses mapped to the local UID, receiving a request to initialize an application on the VM, assigning a local UID of the local UIDs maintained by the VM to the application, assigning files of the application the unique SCL associated with the local UID of the application, and assigning the unique SCL associated with the local UID of the application to a running process of the application.
    Type: Grant
    Filed: February 29, 2012
    Date of Patent: May 19, 2015
    Assignee: Red Hat, Inc.
    Inventors: Daniel J. Walsh, Michael P. McGrath
  • Patent number: 9026789
    Abstract: A device certificate binds an identity of a first device to a public key of the first device. The first device comprises a certificate authority service that creates for a process on the first device a process certificate certifying one or more capabilities of the process on the first device. The process certificate is presented to the second device. Upon validating the process certificate using the device certificate, the second device permits the process on the first device to have on the second device one or more of the verified certified capabilities.
    Type: Grant
    Filed: December 23, 2011
    Date of Patent: May 5, 2015
    Assignee: BlackBerry Limited
    Inventors: Michael Stephen Brown, David Francis Tapuska
  • Patent number: 9015489
    Abstract: Described herein are various technologies pertaining to constructions of a password-based authentication protocol that are configured to allow a user to register with and authenticate to an online service without the online service receiving a password or a deterministic function of the password of the user. When registering with an online service, a client computing device establishes a cryptographically strong random secret and stores an encryption of such secret with a data storage device. The storage device also never receives the password or a deterministic function of the password. When the user wishes to authenticate to the online service, the user employs her password to retrieve the encrypted secret from the storage device, decrypts such secret, and utilizes the decrypted secret to answer a cryptographically strong challenge provided to the user by the online service upon the online service receiving a username pertaining to such user.
    Type: Grant
    Filed: April 7, 2010
    Date of Patent: April 21, 2015
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Mira Belenkiy, Tolga Acar, Henry Nelson Jerez Morales, Alptekin Kupcu
  • Patent number: 8997180
    Abstract: Methods and systems provide embeddable user interface widgets to third-party applications so that the widgets can be securely embedded in, and securely used from within, the third-party applications. An embeddable widget may be authorized to access a first-party cloud storage system from a third-party application based on the cloud storage system authenticating a request received from the widget. The authentication may be based on an application identifier, an origin identifier, and/or one or more document identifiers received from the third-party application through the embedded widget. The disclosed methods and systems may significantly mitigate security concerns caused by embedding software in third-party sites, such as clickjacking.
    Type: Grant
    Filed: March 15, 2013
    Date of Patent: March 31, 2015
    Assignee: Google Inc.
    Inventors: Brian Lewis Cairns, Victoria Hsiao-Tsung Chou Fritz, Eric Benson Schoeffler, Michael Jeffrey Procopio
  • Patent number: 8990565
    Abstract: A method and system for automatically logging in a client is disclosed in the present invention, mainly comprising: use encrypted ICCID for the authentication of user's identity during automatic login; when authentication is passed, determine the account information corresponding to the identification of the client to be logged in currently by the user, and log in the client automatically with the determined account information, so that the user can conveniently manage the account information corresponding to each client when he guarantees the security of the account information simultaneously, avoiding the troublesome inputting of username and password of the account and achieving the purpose of automatically logging in a client.
    Type: Grant
    Filed: June 28, 2010
    Date of Patent: March 24, 2015
    Assignee: ZTE Corporation
    Inventors: Lei Wang, Jiangfeng Shang, Lijun Fang, Ke Yang
  • Patent number: 8984284
    Abstract: Aspects include a mechanism of entitling users to transacted-for digital content access, indicating download authorization with discrete authentication URLs, and validating download attempts using each such URL. The authentication mechanism comprises producing an encrypted string included in a URL provided to a user. The encrypted string comprises transaction identifier information, and information about the transacted-for entitlement. When a user wishes to exercise the transacted-for entitlement, the user activates the URL, which is resolved to a location that has/can obtain access to the key(s) used in producing the encrypted string, decrypt the string, and use the information in it to validate the URL and the entitlement. The validation can use data retrieved from a database, using the transaction identifier as a key. The entitlement information included in the now-decrypted string can be compared with the prior download information.
    Type: Grant
    Filed: May 10, 2013
    Date of Patent: March 17, 2015
    Assignee: Apple Inc.
    Inventors: Gregor N. Purdy, Sr., Tony F. Kinnis
  • Patent number: 8966250
    Abstract: Disclosed is an appliance, system, method and corresponding software application for encrypting and processing data. A symbol based encryption module may be adapted to encrypt data on a symbol basis such that some or all of the encrypted data remains processable.
    Type: Grant
    Filed: September 8, 2009
    Date of Patent: February 24, 2015
    Assignee: salesforce.com, inc.
    Inventors: Ofer Shochet, David Movshovitz
  • Patent number: 8959623
    Abstract: Access to virtual machine inputs and outputs are controlled. Controlling access to virtual machine inputs and outputs may comprise locking inputs and outputs of a virtual machine from within the virtual machine, other than a predefined limited access input, detecting a request to unlock the inputs and outputs of the virtual machine; determining if a requester is authorized to unlock the inputs and outputs of the virtual machine and unlocking, temporarily, the inputs and outputs of the virtual machine if the requester is authorized. The predefined limited access input is configured to receive an input device with a private secret for unlocking the inputs and outputs of the virtual machine. The inputs and outputs are unlocked when an input device having a shared password is attached.
    Type: Grant
    Filed: May 25, 2012
    Date of Patent: February 17, 2015
    Assignee: CA, Inc.
    Inventors: Itzhak Fadida, Nir Barak, Alex Korthny, Guy Balzam
  • Patent number: 8955078
    Abstract: A method of facilitating zero sign-on access to media services depending on trust credentials. The trust credentials may be cookies, certificates, and other data sets operable to be stored on a device used to access the media services such that information included therein may be used to control the zero sign-on capabilities of the user device.
    Type: Grant
    Filed: June 30, 2011
    Date of Patent: February 10, 2015
    Assignee: Cable Television Laboratories, Inc.
    Inventors: Stuart A. Hoggan, Seetharama R. Durbha
  • Patent number: 8935780
    Abstract: Method for communicating data in a computer network involves dynamically modifying at a first location in the computer network a plurality of true values. The true values correctly represent the plurality of identity parameters. These true values are transformed to false values, which incorrectly represent the identity parameters. Subsequently, the identity parameters are modified at a second location to transform the false values back to the true values. The position of the first and/or second locations varies dynamically as part of this process. A bridge transforms identity parameter values when communicating outside the network. Dynamic modification of the identity parameters occurs in accordance with a mission plan that can be modified without interrupting communication of data in the network.
    Type: Grant
    Filed: February 9, 2012
    Date of Patent: January 13, 2015
    Assignee: Harris Corporation
    Inventor: Wayne Smith