Patents Examined by Abdullah Almamun
  • Patent number: 9904805
    Abstract: Memory security technologies are described. An example processing system includes a processor core and a memory controller coupled to the processor core and a memory. The processor core can receive a content read instruction from an application. The processor core can identify a cache line (CL) from a plurality of CLs of a cryptographic cache block (CCB) requested in the content read instruction. The processor core can load, from a cryptographic tree, tree nodes with security metadata. The processor core can retrieve, from the memory, the CCB. The processor core can generate a second MAC from the CCB. The processor core can compare the first MAC with the second MAC. The processor core can decrypt the CCB using security metadata when the first MAC matches the second MAC. The processor core can send at least the identified CL from the decrypted CCB to the application.
    Type: Grant
    Filed: September 23, 2015
    Date of Patent: February 27, 2018
    Assignee: Intel Corporation
    Inventors: Siddhartha Chhabra, Francis X. Mckeen, Carlos V. Rozas, Saeedeh Komijani, Tamara S. Lehman
  • Patent number: 9893894
    Abstract: A user equipment (UE) is configured to send a direct communication request to a peer UE, wherein the direct communication request comprises a signature authenticating an identity of the UE. The UE is configured to process a direct communication response from the peer UE to authenticate an identity of the peer UE, wherein the direct communication response comprises a signature authenticating the identity of the peer UE. In response to processing the direct communication response from the peer UE to authenticate the identity of the peer UE, the UE is configured to engage in direct communication with the peer UE.
    Type: Grant
    Filed: September 23, 2015
    Date of Patent: February 13, 2018
    Assignee: INTEL IP CORPORATION
    Inventors: Alexandre S. Stojanovski, Farid Adrangi
  • Patent number: 9864873
    Abstract: A method, computer usable program product or system for automatically sharing a set of sensitive data in accordance with a set of predetermined policy requirements including receiving across a network a set of certified policy commitments for a node; authenticating the set of certified policy commitments; utilizing a processor to automatically determine whether the set of certified policy commitments satisfies the set of predetermined policy requirements; and upon a positive determination, transmitting across the network the set of sensitive data to the node.
    Type: Grant
    Filed: March 15, 2013
    Date of Patent: January 9, 2018
    Assignee: TrustArc Inc
    Inventor: Daniel J. Guinan
  • Patent number: 9860253
    Abstract: Methods and systems provide embeddable user interface widgets to third-party applications so that the widgets can be securely embedded in, and securely used from within, the third-party applications. An embeddable widget may be authorized to access a first-party cloud storage system from a third-party application based on the cloud storage system authenticating a request received from the widget. The authentication may be based on an application identifier, an origin identifier, and/or one or more document identifiers received from the third-party application through the embedded widget. The disclosed methods and systems may significantly mitigate security concerns caused by embedding software in third-party sites, such as clickjacking.
    Type: Grant
    Filed: March 25, 2015
    Date of Patent: January 2, 2018
    Assignee: GOOGLE INC.
    Inventors: Brian Lewis Cairns, Victoria Hsiao-Tsung Chou Fritz, Eric Benson Schoeffler, Michael Jeffrey Procopio
  • Patent number: 9860059
    Abstract: A method and system for use in distributing token records is disclosed. At least one token record comprises a unique seed associated with a one-time password (OTP) token. An encryption key and a corresponding decryption key are generated for assisting selective encryption and decryption of a token record associated with an OTP token. The encryption key and the decryption key are unique to an end user of the token record. The token record is encrypted with the assistance of the encryption key. One of the decryption key and the encrypted token record is provided to the end user of the token record. The other of the decryption key and the encrypted token record is provided to the end user in response to secure receipt of the one of the decryption key and the encrypted token record by the end user. The encrypted token record can be decrypted with the assistance of the decryption key.
    Type: Grant
    Filed: December 23, 2011
    Date of Patent: January 2, 2018
    Assignee: EMC IP Holding Company LLC
    Inventors: Christopher Duane, Robert S. Philpott, William Duane, Gareth Richards
  • Patent number: 9843929
    Abstract: A method and system for connecting an Internet of Things (IoT) hub to a wireless network. One embodiment of the method includes establishing a secure communication channel between an IoT hub and an IoT service through a client device using a first secret; generating a second secret on the client device and transmitting it to the IoT hub; encrypting a wireless key using the second secret to generate a first-encrypted key and transmitting it to the IoT service; encrypting the first-encrypted key using the first secret to generate a twice-encrypted key and transmitting it to the IoT hub over the secure communication channel; decrypting the twice-encrypted key at the IoT hub using the first secret to generate the first-encrypted key and decrypting it using the second secret to generate the wireless key usable to establish a secure wireless connection between the IoT hub and the local wireless network.
    Type: Grant
    Filed: August 21, 2015
    Date of Patent: December 12, 2017
    Assignee: Afero, Inc.
    Inventors: Scott Zimmerman, Evan Jeng, Shannon Holland, Clif Liu, Chris Aiuto
  • Patent number: 9836585
    Abstract: A method for managing users' digital rights to documents protected by digital rights management (DRM), comprising the steps of a rights management system (RMS) server receiving a request from a user for accessing a DRM-protected document, and the RMS server executing a user centric adaptor (UCA) module to check in a UCA database under the user's identification (ID) whether one of a limited number of predetermined policies of digital rights is added to the user's ID, whereas if the user's rights to the document are not revoked by deletion of a predetermined policy under the user's ID in the UCA database, then the UCA module does not block granting the user's request.
    Type: Grant
    Filed: March 15, 2013
    Date of Patent: December 5, 2017
    Assignee: KONICA MINOLTA LABORATORY U.S.A., INC.
    Inventor: Rabindra Pathak
  • Patent number: 9832183
    Abstract: A portable apparatus is removably and communicatively connectable to a network device to communicate authentication or authorization credentials of a user in connection with the user logging into or entering into a transaction with a network site. The apparatus includes a communications port to connect and disconnect the apparatus to and from the network device and to establish a communication link with the network device when connected thereto. A processor receives a secure message from the network security server via the port. The message has a PIN for authenticating the user to the network site, and is readable only by the apparatus. The processor either transfers, via the port, the received PIN to an application associated with the network site that is executing on the network device or causes the apparatus to display the received PIN for manual transfer to the application associated with the network site.
    Type: Grant
    Filed: October 21, 2015
    Date of Patent: November 28, 2017
    Assignee: Early Warning Services, LLC
    Inventor: Ravi Ganesan
  • Patent number: 9826060
    Abstract: A digital content provider is configured to identify, based at least in part on various customer user profiles, digital content that is to be pre-loaded onto one or more customer computing devices in advance of the digital content being available for at least one mode of consumption by the one or more computing devices. The digital content provider may use these user profiles, as well as other external information, to identify one or more customers that are to receive the digital content. Subsequently, the digital content provider may download the digital content onto each identified customer's one or more computing devices in advance of the at least one mode of consumption becoming available to the customers. Once the mode of consumption is made available, the digital content provider may enable the use of the pre-loaded digital content.
    Type: Grant
    Filed: February 17, 2015
    Date of Patent: November 21, 2017
    Assignee: Amazon Technologies, Inc.
    Inventors: Jesper Mikael Johansson, Stephen Barton Rospo, James Cleveland Willeford
  • Patent number: 9826561
    Abstract: A method, system and devices for creating access to a wireless communication device by using BAN, comprising detecting the presence of a user's body by using a BAN enabled access module connected to the wireless communication device, collecting biometric data of the user and receiving authentication data from a BAN enabled peripheral device through BAN by using the BAN enabled access module and allowing access to the wireless communication device if the collected biometric data and the received authentication data are valid.
    Type: Grant
    Filed: October 8, 2014
    Date of Patent: November 21, 2017
    Assignees: Sony Corporation, Sony Mobile Communications Inc.
    Inventors: Thomas Bolin, Henrik Bengtsson, Ola Thörn, Kristian Tärnhed, Malin Larsson, Aleksandar Rodzevski, Erik Bengtsson
  • Patent number: 9792447
    Abstract: For a host that executes one or more guest virtual machines (GVMs), some embodiments provide a novel encryption method for encrypting the data messages sent by the GVMs. The method initially receives a data message to send for a GVM executing on the host. The method then determines whether it should encrypt the data message based on a set of one or more encryption rules. When the process determines that it should encrypt the received data message, it encrypts the data message and forwards the encrypted data message to its destination; otherwise, the method just forwards the received data message unencrypted to its destination. In some embodiments, the host encrypts differently the data messages for different GVMs that execute on the host.
    Type: Grant
    Filed: June 30, 2014
    Date of Patent: October 17, 2017
    Assignee: NICIRA, INC.
    Inventors: Kiran Kumar Thota, Azeem Feroz, James C. Wiese
  • Patent number: 9794257
    Abstract: A system and method of granting a service authorization to a service provider in a regulating or funding agency of a first organization to access one or more individual's information in a second organization, where a service authorization comprises an authorization to access information and to provide specific services from said regulating or funding agency, the request for service authorization coming from an organization from an individual, parent or guardian of the individual, or regulating or funding organization, for service to be provided to an individual whose private information is stored within the second organization. A system for approving or rejecting the service authorization requests is provided based on authorization of the service provider, as well as a system and method for recording and sharing the outcomes of all decisions with the organization. If a service authorization is approved, it may be integrated into the organization's own workflow.
    Type: Grant
    Filed: July 16, 2014
    Date of Patent: October 17, 2017
    Assignee: Therap Services, LLC
    Inventors: Richard Allen Robbins, Warren Staten Gifford, Mojahedul Hoque Abul Hassanat, Bradley Drew Turock, Justin Mark Brockie, James Michael Kelly, Zaiur Rahman
  • Patent number: 9794542
    Abstract: A wearable computer interface comprising a three dimensional (3D) range camera and a picture camera that image the user and a controller that processes the images to identify the user and determine if the user is authorized to use the interface to access functionalities provided by a computer interfaced by the interface.
    Type: Grant
    Filed: July 3, 2014
    Date of Patent: October 17, 2017
    Assignee: Microsoft Technology Licensing, LLC.
    Inventors: Amir Nevet, Giora Yahav
  • Patent number: 9756046
    Abstract: A network system includes first nodes and a second node. Each first node is directly communicatively connected to the second node, or each first node is indirectly communicatively connected to the second node through another first node. The second node includes a network layer and an application layer. When a new node is joining the first nodes, the network layer sends an update signal including first network address information of the new node. The application layer is configured to connect to a database and perform an authentication on the first network address information of the new node based on a node list in the database. When the new node passes the authentication, the application layer stores the update signal in the database.
    Type: Grant
    Filed: July 2, 2014
    Date of Patent: September 5, 2017
    Assignee: DELTA NETWORKS, INC.
    Inventor: Shu-Li Chang
  • Patent number: 9749321
    Abstract: Embodiments of methods, systems and storage media associated with publication of message content may be described. In embodiments, a content creator may provide content to a message management node. Based on application of one or more business rules, one or more authorized recipients of the message content may be identified, and the message content may be provided to the one or more recipients. In various embodiments, the message content may be reviewed by one or more approvers prior to publication. The message content may not be provided to the authorized recipients without approval from the approvers. Other embodiments may be described and claimed.
    Type: Grant
    Filed: March 15, 2013
    Date of Patent: August 29, 2017
    Assignee: PROLIFIQ SOFTWARE INC.
    Inventors: Jeffrey Michael Farnsworth, Isabella Wong, Anh Huynh, Hemingway Huynh
  • Patent number: 9710662
    Abstract: An image processing apparatus may include a communication device, an image processing device, a reception device, at least one processor, and a memory. The communication device may be configured to communicate with a server. The reception device may be configured to receive first authentication data and a request for using the server. The memory may store computer executable instructions that, when executed by the at least one processor, cause the image processing apparatus to: allow a user to login when the first authentication data satisfies a prescribed authentication condition; automatically request, to the server, permission to use the server regardless of whether the reception device receives the request, once the user has logged in; and execute an image process using both the image processing device and the server.
    Type: Grant
    Filed: April 22, 2014
    Date of Patent: July 18, 2017
    Assignee: Brother Kogyo Kabushiki Kaisha
    Inventor: Thanh Nguyenvan
  • Patent number: 9705892
    Abstract: Systems and methods for providing trusted time service for the off-line mode of operation of a processing system. An example processing system comprises: a first processing device communicatively coupled to a real-time clock, the first processing device to modify an epoch value associated with the real-time clock responsive to detecting a reset of the real-time clock; and a second processing device to execute, in a first trusted execution environment, a first application to receive, from the first processing device, a first time value outputted by the real-time clock and a first epoch value associated with the real-time clock.
    Type: Grant
    Filed: June 27, 2014
    Date of Patent: July 11, 2017
    Assignee: Intel Corporation
    Inventors: Reshma Lal, Jason Martin, Daniel Nemiroff
  • Patent number: 9680821
    Abstract: To provide enhanced operation of virtualized computing systems, various systems, apparatuses, methods, and software are provided herein. In a first example, a method of operating a computing system to control access to data resources by virtual machines is provided. The method includes receiving an access token and an instantiation command from an end user system. Responsive to the instantiation command, the method includes instantiating a virtual machine identified by the instantiation command using the access token as user data for the virtual machine during instantiation. The method also includes, in the virtual machine, executing a security module responsive to instantiation that transfers the access token for delivery to an authorization system, receiving credentials responsive to the access token, and accessing a data resource using the credentials.
    Type: Grant
    Filed: October 8, 2014
    Date of Patent: June 13, 2017
    Assignee: Conjur, Inc.
    Inventors: Kevin Gilpin, Elizabeth Lawler
  • Patent number: 9667530
    Abstract: In at least one embodiment, a method and a system include a node potentially having information responsive to an information request distributed into, for example, a federated coalition network where the node receives at least one information request packet, conducts a search of information at the node to determine if requested information is present, when the requested information is present, then the node sends an acknowledgement to a requesting node, linear network codes the requested information into m packets where m is greater than or equal to k, which is the number of packets needed to be received by the requesting node to reconstruct the requested information, selects multiple paths between the node and the requesting node such that no third party will see more than k-1 different packets, and transmits the m packets distributed over the selected paths.
    Type: Grant
    Filed: May 6, 2013
    Date of Patent: May 30, 2017
    Assignee: International Business Machines Corporation
    Inventors: Thomas J. C. Berman, Seraphin B. Calo, Lu Su, David R. Vyvyan, Fan Ye
  • Patent number: 9613218
    Abstract: For a host that executes one or more guest virtual machines (GVMs), some embodiments provide a novel encryption method for encrypting the data messages sent by the GVMs. The method initially receives a data message to send for a GVM executing on the host. The method then determines whether it should encrypt the data message based on a set of one or more encryption rules. When the process determines that it should encrypt the received data message, it encrypts the data message and forwards the encrypted data message to its destination; otherwise, the method just forwards the received data message unencrypted to its destination. In some embodiments, the host encrypts differently the data messages for different GVMs that execute on the host.
    Type: Grant
    Filed: June 30, 2014
    Date of Patent: April 4, 2017
    Assignee: NICIRA, INC.
    Inventors: Kiran Kumar Thota, Azeem Feroz, James C. Wiese