Abstract: A mobile device has a private memory that stores multiple software programs including a trusted software program. A non-private memory stores copies of the software programs except the trusted software program. The mobile device can be set in a full non-private mode, a modified non-private mode, or a private mode. In the full non-private mode, the full non-private memory is restored with copies of the software programs stored at the private memory. In the modified non-private mode, only selected software programs are restored at the non-private memory with a copy from the private memory. In the private mode, the trusted software program at the private memory can be executed.

Abstract: The invention enables digital music content to be downloaded to and used on a portable wireless computing device. An application running on the wireless device has been automatically adapted to parameters associated with the wireless device without end-user input (e.g. the application has been configured in dependence on the device OS and firmware, related bugs, screen size, pixel number, security models, connection handling, memory etc. This application enables an end-user to browse and search music content on a remote server using a wireless network; to download music content from that remote server using the wireless network and to playback and manage that downloaded music content. The application also includes a digital rights management system that enables unlimited legal downloads of different music tracks to the device and also enables any of those tracks stored on the device to be played so long as a subscription service has not terminated.

Abstract: A method of and system for gate-level masking of secret data during a cryptographic process is described. A mask share is determined, wherein a first portion of the mask share includes a first number of zero-values and a second number of one-values, and a second portion of the mask share includes the first number of one-values and the second number of zero-values. Masked data values and the first portion of the mask share are input into a first portion of masked gate logic, and the masked data values and the second portion of the mask share are input into a second portion of the masked gate logic. A first output from the first portion of the masked gate logic and a second output from the second portion of the masked gate logic are identified, wherein either the first output or the second output is a zero-value.

Abstract: A system and method for managing communication. The system and method applying to but not limited to settop boxes (STBs) and other devices used to interface services. The management including any number of features and processes associated with achieving Quality of Service (QoS) across different domains and according to network limitations associated with the same.

Abstract: The present application is directed a computer-implemented methods and systems implementing control policies created or modified by Software Defined Network applications. The control policies can be provided to SDN controllers for implementation.

Abstract: A bundle of public counters and a corresponding bundle of private counters are created and transmitted to a user device. The user device receives a request and processes the request without accessing a secure element processor on the user device. The user device calculates a security code using the private counter and a number. The user device transmits the calculated security code and one of the bundle of public counters in response to the request. A receiver of the response to the request determines the validity of the public counter and looks up the corresponding private counter using the public counter. The receiver determines the validity of the security code by recomputing it using the private counter and the number.

Abstract: A method includes authenticating, by a computing device, a first connection between one or more storage units and at least one of the computing device and a first user computing device. The method further includes determining, by the computing device, to add a second connection between the one or more storage units and at least one of the computing device and a second user computing device. The method further includes generating, by the computing device, a secret code and sending the secret code to the one or more storage units via the first connection. The method further includes sending, by the one or more storage units, responses to the secret code to the computing device via the second connection. The method further includes authenticating, by the computing device, the second connection based on the authentication of the first connection and the responses from the one or more storage units.

Abstract: Although TLS provides desirable end-to-end encryption, there are circumstances in which it is desirable or a regulatory requirement for a client to establish a TLS connection through an intermediary that is capable of creating an archival record. There is provided a modification to the TLS protocol that allows an aware client to provide a recovery record to such an intermediary. The recovery record permits the intermediary to verify that the encrypted recovery records can be decrypted by a party that holds the corresponding private key but does not enable decryption by the intermediary.

Abstract: A device attestation server and method for attesting to the integrity of a mobile device is provided. An attestation request is sent from a mobile device to a device attestation server. The device attestation server runs an attestation method that is supported by the mobile device. The device attestation server creates an attestation token that includes a validation result and a plurality of attributes. The device attestation server sends the attestation token to the mobile device, which performs a validation method using the attestation token.

Abstract: An anonymized biometric representation of a target individual is used in a computer based security system. A detailed input biometric signal associated with a target individual is obtained. A weakened biometric representation of the detailed biometric signal is constructed such that the weakened biometric representation is designed to identify a plurality of individuals including the target individual. The target individual is enrolled in a data store associated with the computer based security system wherein the weakened biometric representation is included in a record for the target individual. In another aspect of the invention, a detailed input biometric signal from a screening candidate individual is obtained. The detailed biometric signal of the screening candidate is matched against the weakened biometric representation included in the record for the target individual.

Abstract: A cloud network may include a distributed security switch (DSS). The DSS may be to receive configuration information from the hypervisor. The configuration information may include a set of access mode attributes and a security policy. The DSS may be to determine that a packet is to be directed from a source virtual machine to a target virtual machine. The DSS may be to identify an egress interface of the source virtual machine and an ingress interface of the target virtual machine. The egress interface may be associated with a first access mode attribute and the ingress interface being associated with a second access mode attribute. The DSS may be to selectively route the packet, using the shared memory, based on the first access mode attribute, the second access mode attribute, and the security policy.

Abstract: Embodiments of the invention relate to systems and methods for confidential mutual authentication. A first computer may blind its public key using a blinding factor. The first computer may generate a shared secret using its private key, the blinding factor, and a public key of a second computer. The first computer may encrypt the blinding factor and a certificate including its public key using the shared secret. The first computer may send its blinded public key, the encrypted blinding factor, and the encrypted certificate to the second computer. The second computer may generate the same shared secret using its private key and the blinded public key of the first computer. The second computer may authenticate the first computer by verifying its blinded public key using the blinding factor and the certificate of the first computer. The first computer authenticates the second computer similarly.

Abstract: A method including a server acquires verification code parameters required for generating a verification code; the server uses the verification code parameters as an input to a three-dimensional model to generate a three-dimensional image, wherein recognizable content corresponding to a specified visual focus position of a user is embedded in the three-dimensional image; and the server sends the three-dimensional image to a client terminal as a verification code for display.

Abstract: This disclosure provides a method, performed in a wireless device, for obtaining initial access to a network in order to establish a connection to a server connected to the network. The wireless device stores a device public key and a device private key. The server stores the device public key. The method comprises transmitting an initial access request to a network node of the network and receiving an authentication request from the network node, the authentication request comprising a challenge. The method comprises generating a device authenticator based on the challenge and the device public key, and transmitting an authentication response to the network node. The authentication response comprises the device authenticator. The method comprises receiving an initial access response from the network node, the initial access response comprising an indicator of whether the initial access is granted or denied.

Abstract: Methods, systems, and computer-readable storage media for receiving, by a web browser executing on a client-side device, a response from a server, the response provided in a taint-enhanced data format, processing, by a Javascript framework executed by the web browser, the response to parse data within the response and, for any data values marked as tainted, providing respective taint string Javascript objects as sanitized data, and providing the sanitized data to a document object model (DOM).

Abstract: Examples described relate to disabling of MAC address aging time for an IoT device on a network switch. In an example, in response to a device joining a network, a network switch in the network may determine a media access control (MAC) address of the device. The network switch may then send the MAC address to an authentication server. In response, the network switch may receive a Vendor Specific Attribute (VSA) associated with the MAC address from the authentication server. The VSA indicates that the MAC address relates to an IoT device. Based on the VSA, the network switch may recognize the MAC address of the device as a MAC address of the IoT device. In response to recognizing, the network switch may disable MAC address aging time for the MAC address of the IoT device on the network switch.

Abstract: Systems and methods for protecting vulnerable code by obtaining an input file comprising code representing executable files; generating a protected executable file by replacing an unencrypted version of each vulnerable function of the input file with a VM-exit generating instruction; and generating a database file including an encrypted version of each vulnerable function deleted from the input file. The protected executable file, database file are stored on a target device. A UEFI application initializes a hypervisor which accesses the decryption key using a TPM device and loads an operating system. When the hypervisor detects an attempt to execute an encrypted version of a vulnerable function it decrypts the encrypted version of the vulnerable function.

Abstract: A container corresponding to executable code may be received. In response to receiving the container, a container manager resident in a memory of a computation environment may be executed to verify the container. The container manager may be verified by a boot loader of the computation environment. Permissions of the container to access the resources of a computation environment may be determined after the verification of the container by the container manager. Access to one or more resources of the computation environment may be provided by transferring control to the one or more resources from the container manager to the container based on the permissions of the container for the resources of the computation environment.

Abstract: An Internet resource provider (IRP) may authenticate a user and, upon a successful authentication, allow the user to perform one or more actions on webpages that are within an account of the user. The IPR may store the most recent actions of the user in a temporary access code (TAC) database. If the user has a problem, the user may select a TAC button on a webpage within the account of the user. The IPR may generate a TAC, store the TAC in association with the recent activities of the user in the TAC database and transmit the TAC to the user. The user may contact and provide the TAC to a customer support service center. The customer support service center may authenticate the user based solely on the TAC and determine the one or more recent actions of the user in the TAC database. The customer support service center may provide assistance to the user based at least partially on the one or more recent actions of the user.

Abstract: Disclosed is a system for deploying a secure server that provides one or more network services. Generally stated, a secure server is deployed in a secure environment behind a privacy barrier. The secure server is configured to interact with a service host on a public network outside the privacy barrier. The service host facilitates routing information from the public network through the privacy barrier to the secure server.