Abstract: Methods and arrangements in a client node and a server node for supporting secure handling of information related to a user, said information being stored by the server node and comprising certain data. The user is assumed to be authenticated towards the server node and to employ a first and a second web application in a web browser supporting cross-Origin resource sharing. The methods and arrangements involve determining whether the first web application is permitted to access the certain data owned by the second web application, and allowing or denying the first web application to access the certain data, based on whether the first web application is permitted to access the data. The methods and arrangements further involve providing user input related to a permission for accessing the certain data, to the server node, and establishing and declaring a mutual trust relation between the first and the second web application.

Abstract: A method for automatically configuring at least one mobile device associated with a user, via a client software application stored on said mobile device using a token generated by a provisioning server and a hashed username with a publicly available redirect server.

Abstract: Described herein are architectures, platforms and methods for selective content sharing feature between computing devices, and particularly, a system that supports user configurable application-level privacy for selective content sharing between computing devices.

Abstract: A differencing generator generates difference data between a first data set and a second data set. An encryption unit encrypts data. An electronic signature generator generates the electronic signature of data. A transmission data generator generates transmission data. The encryption unit encrypts the difference data generated by the differencing generator so as to generate encrypted difference data. The transmission data generator generates transmission data containing both the encrypted difference data generated by the encryption unit and the electronic signature of the second data set as generated by the electronic signature generator.

Abstract: Provided are a method and device for building a security-based environment that uses an eUICC. A method of building a trust relationship in an eUICC environment includes transmitting, by a trust requesting object, a trust relationship requesting message including identification information and signature information of the trust requesting object to a trust verifying object, delivering, by the trust verifying object, the trust relationship requesting message to a trust relationship relay object and receiving trust information of the trust requesting object corresponding to the trust relationship requesting message from the trust relationship relay object, and verifying, by the trust verifying object, the signature information of the trust requesting object using the trust information of the trust requesting object.

Abstract: A gateway is preconfigured to establish an Internet Protocol (IP) tunnel with a default local mobility anchor on behalf of a mobile node. The gateway receives from the mobile node an Internet access request including a mobile identifier and authorization and authentication protocol information, and sends to the default local mobility anchor an IP tunnel request to establish an IP tunnel. The gateway receives from the default local mobility anchor a tunnel redirect message to redirect the IP tunnel from the default local mobility anchor to a serving local mobility anchor and, responsive to the tunnel redirect message, authenticates the mobile node and establishes an IP tunnel with the serving local mobility anchor through which the mobile node communicates.

Abstract: An access process for an electronic device includes storing encrypted partitions in a storage area of the electronic device, with each encrypted partition corresponding to a registered user. A secure element is received from a registered user, with the secure element storing a user key for decrypting an encrypted partition corresponding to the register user providing the user key. A temporary secure channel is established between the secure element and the electronic device, and a registered user associated to one of the encrypted partitions is authenticated in the electronic device. An identification of the registered user authenticated in the electronic device is transmitted to the secure device, and the user key of the authenticated registered user is transmitted from the secure element to the electronic device over the temporary secure channel.

Abstract: Imposing one or more usage constraints on digital content involves communicating a digital content data item to a digital content receiver system. The digital content data item includes the digital content and a usage constraint data item different from a digital license data item, or a reference to the usage constraint data item, the use case item being indicative of the one or more usage constraints.

Abstract: Systems and methods enable a method including: providing a first system; generating data to be sent over a network link; determining a transport protocol that will be used to transmit data over the network communication link; negotiating connection services to be performed on data that will transmitted over the network communication link; sending a request to open a network communication link; sending a request to the connectivity services of the second system for credentials of the second system; receiving the credentials from the connectivity services module of the second system; verifying that the credentials match an authenticated computer system; opening a network connection between the first system and the second system when the second system's credentials have been verified by the connectivity services module of the first system; and transmitting the data to the second system according to the determining network protocol and negotiated connection services.

Abstract: A cloud computing service to securely process queries on a database. A security device and method of operation are also disclosed. The security device may be provisioned with a private key of a subscriber to the cloud service and may have processing hardware that uses that key, sequestering the key and encryption processing in hardware that others, including operating personnel of the cloud service, cannot readily access. Processing within the security device may decrypt queries received from the subscriber and may encrypt responses for communication over a public network. The device may perform functions on clear text, thereby limiting the amount of clear text data processed on the cloud platform, while limiting bandwidth consumed in communicating with the subscriber. Such processing may include formatting data, including arguments in a query, in a security protocol used by the cloud platform.

Abstract: Systems and methods for authentication generate keys from secret credentials shared between authenticating parties and authenticators. Generation of the keys may involve utilizing specialized information in the form of parameters that are used to specialize keys. Keys and/or information derived from keys held by multiple authorities may be used to generate other keys such that signatures requiring such keys and/or information can be verified without access to the keys. Keys may also be derived to form a hierarchy of keys that are distributed such that a key holder's ability to decrypt data depends on the key's position in the hierarchy relative to the position of a key used to encrypt the data. Key hierarchies may also be used to distribute key sets to content processing devices to enable the devices to decrypt content such that sources or potential sources of unauthorized content are identifiable from the decrypted content.

Abstract: Systems and methods for transmitting information between virtual environments comprising: copying a first virtual environment, wherein the first virtual environment comprises a plurality of original applications, a first clock, and a first trusted security zone to create a second virtual environment, wherein the second virtual environment comprises a copy of at least some applications of the plurality of original applications, a second clock, and a second trusted security zone. The first trusted security zone may receive a request from a copied application to engage in a transmission with an original application. The first trusted security zone may then determine if a nonce associated with the copied application is a verified nonce, wherein determining if the nonce is a verified nonce comprises comparing, by the first trusted security zone, the nonce associated with the copied application to a nonce associated with the at least one original application.

Abstract: A computer-readable storage medium has embedded thereon non-transient computer-readable code for controlling access to a protected computer network, by intercepting packets that are being exchanged between a computer system and the protected network, and then, for each intercepted packet, identifying the associated application that is running on the computer system, determining whether the application is trusted, for example according to a white list or according to a black list, and disposing of the packet accordingly.

Abstract: A system and method are provided for detecting fraud and/or misuse of data in a computer environment through generating a rule for monitoring at least one of transactions and activities that are associated with the data. The rule can be generated based on one or more criteria related to the at least one of the transactions and the activities that is indicative of fraud or misuse of the data. The rule can be applied to the at least one of the transactions and the activities to determine if an event has occurred, where the event occurs if the at least one criteria has been met. A hit is stored in the event has occurred and a notification can be provided if the event has occurred. A compilation of hits related to the rule can be provided.

Abstract: The invention relates to a method for preventing the fraudulent use of an electronic device and thus for effectively combating the fraudulent dissemination of protected content. The invention further relates to such a device as well as to a method enabling permanent revocation thereof if the device is considered to be unlawfully used or optional reinstatement of the device.

Abstract: External network connectivity of an internal host can be measured by giving an external computer a payload identifying the internal host and instructions to deliver the payload to an external host. The external host may receive the payload and contact the internal host. The internal host's response and receipt of the payload may then determine the Internet connectivity of the internal host. The path from the computer through the trusted host to the internal server shows external network connectivity without exposing the internal host to the external network directly.

Abstract: The invention relates to a server system for providing at least one service. The system having an interface for connecting a server to a user's computer, an authentication device that is designed and provided for request personal identification data of a user who logs onto the server via the user computer and to permit the user computer access if authentication is successful, and a server protection system. The server protection system is designed and provides to compare additional user's computer specific identification data with identification data stored in advance on the server, after successful authentication by the authentication device, and to grant authorization to the user's computer to access the service or services depending on the comparison of the user's computer specific identification data. The invention also relates to a method for providing at least one service and the method for executing an application program.

Abstract: A technique manages consumer authentication. The technique involves communicating with an institutional entity to perform an authentication operation regarding a consumer. The technique further involves conveying a query to the consumer in response to the authentication operation. The query prompts the consumer to indicate whether the consumer participated in the authentication operation. The technique further involves obtaining a response to the query indicating whether the consumer participated in the authentication operation. The authentication operation is legitimate when the response indicates that the consumer participated in the authentication operation. The authentication operation is fraudulent when the response indicates that the consumer did not participate in the authentication operation. In some arrangements, the authentication operation involves knowledge-based authentication (KBA) activity.

Abstract: Systems and methods for establishing a security-related mode of operation for computing devices. A policy data store contains security mode configuration data related to the computing devices. Security mode configuration data is used in establishing a security-related mode of operation for the computing devices.

Abstract: A secure single sign on is extended to a legacy web application that does not support the specific user authentication technique being used, such as SAML or OAuth. A proxy intercepts a request by a client computer to access the legacy application, and forwards the intercepted request to a single sign on identity provider. The identity provider authenticates the user, using the specific authentication technique not supported by the legacy application, and provides an indication of success to the proxy. The proxy transmits a user id and master password wrapped in an HTTP request to the legacy web application, which authenticates the request, creates a session and provides corresponding cookies to the proxy. The proxy forwards the cookies to the client, which utilizes them to continue the session with the legacy application.