Patents Examined by Andrew Steinle
  • Patent number: 9411962
    Abstract: Policy-based client-server systems and methods for attestation in managing and securing mobile computing devices. Attestation provides the means to make efficient, secure, and reproducible use of knowledge possessed by trusted expert parties and authorities within the expression and enforcement of policies for controlling use of, and access to, onboard software and hardware, network capabilities, and remote assets and services. Aspects of secure attestation of applications that use shared and dynamically loaded libraries are presented, as well as potential business models for attestation used in such a policy-based system.
    Type: Grant
    Filed: October 24, 2013
    Date of Patent: August 9, 2016
    Assignee: Sequitur Labs Inc.
    Inventors: Philip Attfield, Paul Chenard, Simon Curry, Vincent Ting, Mark Reed, David Baar
  • Patent number: 9407870
    Abstract: A group video messaging method stores user information identifying authorized users of a video messaging system, and provides a user interface to the video messaging system. The user interface permits authorized users to transfer video files to the video messaging system for storage and retrieval, and to identify criteria for other authorized users to access each transferred video file. The method also stores in the video messaging system the video files transferred to the system by the authorized users; stores information identifying the user that transferred each stored video file to the video messaging system, and the criteria for authorized users to access the stored video files; and stores information identifying different groups of the authorized users and which of the stored video files are to be accessible to each of the authorized users or authorized user groups.
    Type: Grant
    Filed: January 9, 2015
    Date of Patent: August 2, 2016
    Assignee: LiveQoS Inc.
    Inventors: Ryan Brink, Pranay Kumar, Gregory Flatt, Desmond McNamee
  • Patent number: 9396318
    Abstract: A control unit makes a screen of a display unit display a plurality of pattern display areas to which a predetermined respective plurality of patterns are uniquely assigned at random as a pattern random array in the same layout as that of a plurality of input keys capable of inputting numerical values. The control unit determines a shortest path to go through a sequence of patterns serving as a password of a user in the pattern random array, and replaces a sequence of all patterns existing on the shortest path with a sequence of codes assigned to the respective plurality of input buttons according to a correspondence relationship between the plurality of input buttons and the plurality of pattern display areas to generate a one-time password. The control unit then compares the one-time password with a sequence of codes input by the user by using an input unit to perform authentication.
    Type: Grant
    Filed: September 11, 2014
    Date of Patent: July 19, 2016
    Assignee: Kyocera Document Solutions, Inc.
    Inventors: Makoto Kowaka, Yosuke Nakazato, Yoshitaka Matsuki
  • Patent number: 9396355
    Abstract: Methods and arrangements for handling encrypted messages are disclosed. The method comprising: generating a multi-part encrypted support message responsive to a request therefor; the generating comprising: inputting a base message; identifying at least one span of sensitive information; visually suppressing the at least one span of sensitive information; replacing the at least one span of sensitive information with a redaction notation; and appending at least one redaction message for the at least one span of sensitive information, the at least one redaction message containing data redacted from the at least one span of insensitive information and being encrypted for subsequent opening via at least one key. Other embodiments are disclosed.
    Type: Grant
    Filed: December 17, 2013
    Date of Patent: July 19, 2016
    Assignee: International Business Machines Corporation
    Inventors: Varun Bhagwan, Karen W. Brannon, Daniel Frederick Gruhl, Neal Ryan Lewis, Steven R. Welch
  • Patent number: 9386039
    Abstract: Provided is a system which distributes a processing load of security measures and enforces a security policy to be applicable to a large system. Policy information indicating a security measure to be executed on user information transmitted from a client to a server is stored in a policy storing section. Measure arrangement information indicating the security measure executable in each of a plurality of policy enforcement sections is stored in a measure-arrangement storing section. One or more of the policy enforcement sections are selected on the basis of the policy information and the measure arrangement information. Each of the one or more policy enforcement sections executes the security measure on the user information and outputs, on the basis of a selection result, the user information to the other policy enforcement sections among the one or more policy enforcement sections or to the server.
    Type: Grant
    Filed: November 24, 2011
    Date of Patent: July 5, 2016
    Assignee: NEC CORPORATION
    Inventor: Takayuki Sasaki
  • Patent number: 9385996
    Abstract: Data is stored on a computing device in an encrypted form using a control application. A data access application requests access to the data. It is determined whether the data access application has available a shared encryption key that is available to the control application. If a shared encryption key is available, the shared encryption key is used to encrypt a request for access to the data. If a shared encryption key is not available, a shared encryption key is negotiated with the control application, and the negotiated shared encryption key is used to encrypt the request for access to the data. The control application receives the encrypted request, decrypts the encrypted request using the shared encryption key, and makes the data stored on the computing device in encrypted form available to the data access application in response to the decrypted request.
    Type: Grant
    Filed: February 28, 2013
    Date of Patent: July 5, 2016
    Assignee: Good Technology Corporation
    Inventors: Sean Michael Quinlan, Kevin Charles Lohman, Haniff Somani, Peter Maximilian Barker, Nicholas Benedict Van Someren
  • Patent number: 9380034
    Abstract: Systems and methods are provided in which external key devices are used for sealing and unsealing data-gathering devices without Internet, wherein the data-gathering devices invalidate the external key devices upon completing data collection in order to seal removable storage. Further, a sealed removable storage is transported to the same location as a key server, where the key server uses a multi-factor sealing routine to unlock the sealed removable storage. The routine seals and unseals using multiple factors including a location of the key server, hardware attributes of the removable storage, hardware attributes of the external key devices, and a private key of the key server. The data-gathering device may be used to support workers collecting data in disconnected parts in the world that are without Internet. The workers may collect data by using mobile devices to transfer data to a shared data-gathering device.
    Type: Grant
    Filed: November 5, 2015
    Date of Patent: June 28, 2016
    Inventors: Sze Yuen Wong, Amol Kedar
  • Patent number: 9361106
    Abstract: A processor of an aspect includes a plurality of packed data registers and a decode unit to decode an instruction. The instruction is to indicate one or more source packed data operands. The one or more source packed data operands are to have four 32-bit results of four prior SMS4 rounds. The one or more source operands are also to have a 32-bit value. An execution unit is coupled with the decode unit and the plurality of the packed data registers. The execution unit, in response to the instruction, is to store a 32-bit result of a current SMS4 round in a destination storage location that is to be indicated by the instruction.
    Type: Grant
    Filed: December 27, 2013
    Date of Patent: June 7, 2016
    Assignee: Intel Corporation
    Inventors: Gilbert M. Wolrich, Vinodh Gopal, Kirk S. Yap, Wajdi K. Feghali
  • Patent number: 9355278
    Abstract: Discrete-component-level physical security is provided by the physical securing of defined hardware computing components through computer-controlled processes. Physical locking mechanisms are provided for individual components of a datacenter server chassis and are communicationally coupled to a computing device, which controls the state of the physical locking mechanisms, including in response to user identification and authentication information provided through a user input device that is also part of the server chassis. An access control list controlling physical access correlates user identities to the state of the physical locking mechanisms and other physical security devices and provides for one-time passwords and other like mechanisms. The state of physical security devices is also based on security requirements associated with processing being performed on one or more computing devices protected by such physical security devices.
    Type: Grant
    Filed: December 27, 2013
    Date of Patent: May 31, 2016
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Sriram Sankar, David T. Gauthier, Scott Longheyer, Gregory Joseph McKnight
  • Patent number: 9356953
    Abstract: The disclosed subject matter addresses the problem of spoofing by directly and transparently communicating with the apparent sender of the potentially spoofed incoming message or with the communications network handling the communication of the potentially spoofed incoming message. The address of the recipient device of the potentially spoofed incoming message is compared with addresses of communication sent from the apparent sender. As a result of this comparison, it may be determined whether the phone call or message was sent from the apparent source or was spoofed. The times associated with messages sent from the indicated sender and times associated with the incoming message may also be used to determine the authenticity of the apparent sender. The recipient of the incoming message is notified of a spoofed message.
    Type: Grant
    Filed: October 24, 2013
    Date of Patent: May 31, 2016
    Inventor: Tzahi Efrati
  • Patent number: 9355259
    Abstract: Exposure of sensitive tenant information is minimized in a multi-tenant/multi-user environment. A unique encryption key is provided for each tenant. The tenant encryption key is never stored in the clear and each copy of the tenant encryption key is protected by a user derived password. A secure folder is created for each tenant and encrypted by the tenant encryption key. Secure folders are mounted only on-demand, i.e. when an authenticated request is received for that tenant. The secure folders are mounted only for specific durations. Otherwise, they are un-mounted. When a secure folder is mounted, any read/write operation to the secure folder is encrypted/decrypted on-the-fly. When the secure folder is un-mounted, all file contents in the secure folder, and the secure folder itself, are not visible in the file system and no application can browse to the secure folder without the tenant encryption key.
    Type: Grant
    Filed: May 29, 2015
    Date of Patent: May 31, 2016
    Assignee: FLEXERA SOFTWARE LLC
    Inventor: Jia Hua Choo
  • Patent number: 9356994
    Abstract: Data is stored on a computing device in encrypted form in respective digital containers. At least one data access application is stored on the computing device. A control application of the computing device connects to a remote control center. A command from the remote control center is received at the connected control application. The command contains an action to be taken in respect of at least one of the at least one data access application and the containers stored on the computing device. The command is passed from the connected control application to the data access application or container, and the data access application or container carries out the command.
    Type: Grant
    Filed: February 28, 2013
    Date of Patent: May 31, 2016
    Assignee: Good Technology Corporation
    Inventors: Sean Michael Quinlan, Kevin Charles Lohman, Haniff Somani, Peter Maximilian Barker
  • Patent number: 9344441
    Abstract: In one embodiment a method, system and apparatus is described for detecting a malicious network connection, the method, system and apparatus including determining, for each connection over a network, if each connection is a persistent connection, if, as a result of the determining, a first connection is determined to be a persistent connection, collecting connection statistics for the first connection, creating a feature vector for the first connection based on the collected statistics, performing outlier detection for all of the feature vector for all connections over a network which have been determined to be persistent connections, and reporting detected outliers. Related methods, systems and apparatus are also described.
    Type: Grant
    Filed: September 14, 2014
    Date of Patent: May 17, 2016
    Assignee: Cisco Technology, Inc.
    Inventors: Jan Kohout, Jan Jusko, Tomas Pevny, Martin Rehak
  • Patent number: 9344281
    Abstract: A secure provisioning manifest used to authenticate and securely communicate with peripherals attached to a computer is provided with techniques to withdraw the authentication and terminate the secure communications with any peripheral when operating parameters for the peripheral indicate that there is a security threat associated with the peripheral. A secure I/O module, that is separate from an operating system and transaction software executed by a processor of the computer, uses the secure provisioning manifest to establish a secure encrypted session for communicating with each peripheral attached to the computer when a peripheral is authenticated and able to establish a secure encrypted session. The secure I/O module uses current and known operating parameters for each peripheral to periodically determine if a peripheral has been compromised by a security threat.
    Type: Grant
    Filed: March 15, 2013
    Date of Patent: May 17, 2016
    Assignee: NCR Corporation
    Inventors: Erick Christian Kobres, Ron William Rogers
  • Patent number: 9319219
    Abstract: A data access application key is generated. The data access application key is for use by a data access application to enable decryption of data that is stored in encrypted form on a computing device using the data access application key. The data access application key is generated using an identifier of the data access application and an application key that is specific to at least one of the computing device and/or a user of the computing device.
    Type: Grant
    Filed: February 28, 2013
    Date of Patent: April 19, 2016
    Assignee: GOOD TECHNOLOGY CORPORATION
    Inventors: Sean Michael Quinlan, Kevin Charles Lohman, Haniff Somani, Peter Maximilian Barker
  • Patent number: 9311508
    Abstract: A processor of an aspect includes a decode unit to decode a user-level instruction. The user-level instruction is to indicate a page of a secure enclave and is to indicate a linear address. An execution logic is coupled with the decode unit. The execution logic is operable, in response to the user-level instruction, to change an initial linear address of the page of the secure enclave. The initial linear address is to be stored in an enclave page storage metadata unit. The initial linear address is to be changed by the execution logic to the linear address that is to be indicated by the user-level instruction. The change to the linear address is performed without contents of the page of the secure enclave being lost.
    Type: Grant
    Filed: December 27, 2013
    Date of Patent: April 12, 2016
    Assignee: Intel Corporation
    Inventors: Rebekah M. Leslie-Hurd, Carlos V. Rozas
  • Patent number: 9306919
    Abstract: An information processing apparatus includes a first receiving unit that receives a registration instruction to register a second information processing apparatus from a first information processing apparatus, a key generating unit that generates key information when the first receiving unit has received the registration instruction, an associating unit that associates, with the key information, registration instructing user identification information, an instruction generating unit that generates an instruction, including the key information, to cause the second information processing apparatus to communicate with the information processing apparatus, a transmitting unit that transmits the instruction to the first information processing apparatus, a second receiving unit that receives the key information and information related to registration of the second information processing apparatus, and a memory unit that stores the registration instructing user identification information in association with the info
    Type: Grant
    Filed: August 19, 2013
    Date of Patent: April 5, 2016
    Assignee: FUJI XEROX CO., LTD.
    Inventor: Kouichi Odajima
  • Patent number: 9294452
    Abstract: Authentication translation is disclosed. A request to access a resource is received at an authentication translator, as is an authentication input. The authentication input corresponds to at least one stored record. The stored record is associated at least with the resource. In response to the receiving, a previously stored credential associated with the resource is accessed. The credential is provided to the resource.
    Type: Grant
    Filed: December 5, 2012
    Date of Patent: March 22, 2016
    Assignee: RightQuestion, LLC
    Inventor: Bjorn Markus Jakobsson
  • Patent number: 9292694
    Abstract: Described systems and methods allow a mobile device, such as a smartphone or a tablet computer, to protect a user of the respective device from fraud and/or loss of privacy. In some embodiments, the mobile device receives from a server a risk indicator indicative of whether executing a target application causes a privacy risk. Determining the risk indicator includes automatically supplying a test input to a data field used by the target application, the data field configured to hold a private item such as a password or a geolocation indicator. Determining the risk indicator further comprises determining whether a test device executing an instance of the target application transmits an indicator of the test input, such as the test input itself or a hash of the test input, to another party on the network.
    Type: Grant
    Filed: March 15, 2013
    Date of Patent: March 22, 2016
    Assignee: Bitdefender IPR Management Ltd.
    Inventors: Vlad Valceanu, Elena Burceanu, Dragos T. Gavrilut, Tiberius Axinte, Vlad Bordianu, Razvan M Benchea
  • Patent number: 9280654
    Abstract: Various embodiments of modular battery authentication circuits are described. The various modular battery authentication circuits are intended to be utilized with electrically powered devices that do not comprise existing battery authentication capabilities. In one embodiment, a modular battery authentication adapter is described. The adapter comprises a housing in which a modular battery authentication circuit resides. One end of the adapter is positioned within a power input port of a device and a modular battery is positioned within the opposing end of the adapter. The authentication circuit within the adapter communicates with the modular battery to determine its authenticity before allowing the battery to power the device. A modular battery comprising an internal authentication circuit is also described. The modular battery is designed to interact with firmware stored within the device to determine whether the modular battery meets certain operational criteria.
    Type: Grant
    Filed: August 19, 2013
    Date of Patent: March 8, 2016
    Assignee: Electrochem Solutions, Inc.
    Inventors: Brian R. Peterson, Kenneth E. Burnap, Steven W. Winn, Michael F. Scalise