Patents Examined by Carlos Amorin
  • Patent number: 9059971
    Abstract: A secure voice solution for a PDA-type device is provided. Voice data is received from the user using the device microphone and built-in media player software in the device. This data is encrypted and sent as an IP packet. The device then receives, as IP packets, encrypted voice communication from the other party in the encrypted call, which in turn are decrypted in the device and played back on a second media player running on the device. The present invention takes advantage of the device's ability to run two media players simultaneously to, in effect, simulate a cellular telephone call. As a result, an encrypted call can be made with PDA-type devices such as the Blackberry® and also such calls can be made using different data paths (cellular, WiFi, Bluetooth) as the calls are made by sending and receiving data over the Internet, not as traditional cellular data signals.
    Type: Grant
    Filed: March 10, 2011
    Date of Patent: June 16, 2015
    Assignee: KOOLSPAN, INC.
    Inventors: Andrew Graham, Michael Kopec
  • Patent number: 9059977
    Abstract: A user having a remote device wants to access an application that requires that the user possess a user application cryptographic credential. If the application needs to verify the identity of the user, the user's remote device performs a cryptographic operation using the user application cryptographic credentials, and sends the result to the application. A configuration for securely distributing the user application cryptographic credentials includes at least one gateway located at an enterprise that is under the control of an enterprise administrator, and a controller that is not located at the enterprise but can be configured by the enterprise administrator to cooperate with the at least one gateway.
    Type: Grant
    Filed: March 13, 2013
    Date of Patent: June 16, 2015
    Assignee: Route1 Inc.
    Inventors: Jerry S. Iwanski, Yamian Quintero Cantero
  • Patent number: 9049191
    Abstract: Provided is a biometric authentication system capable of preventing spoofing attacks even if leakage of key information and a registration conversion template occurs. A communication terminal device (300) calculates secret key information k? which is exclusive OR of key information k of the registration biological information and masked value c? which is randomly selected from a predetermined error correction code group, and calculates verified information c?? which is exclusive OR of sent information c? and value c?. A biometric authentication device (500) calculates exclusive OR of authentication biological information, information k?, and registration conversion template w, as information c?, wherein the template w is exclusive OR of information x, information k, and authentication parameter c randomly selected from the code group; and performs biometric authentication on the basis of a degree of matching between information c?? corresponding to information c?, and the parameter c.
    Type: Grant
    Filed: September 16, 2011
    Date of Patent: June 2, 2015
    Assignee: PANASONIC CORPORATION
    Inventors: Yasuaki Inatomi, Atsushi Minemura, Michiru Yokobori, Hayashi Ito, Takeshi Fujimatsu, Manabu Inuma, Akira Otsuka
  • Patent number: 9043925
    Abstract: A system for protection of information on a secured microdevice, including a control unit, an obliteration driver, and a circuit arranged to conduct the at least one pulse of electric current. The circuit incorporates at least one resistive load having a localized predetermined resistance such that the delivered portion of stored electric energy is locally resistively converted into a mechanical energy of motion during a time period shorter than a duration of time needed for heat diffusion out a volume in the proximity of the at least the fraction of stored information.
    Type: Grant
    Filed: December 3, 2012
    Date of Patent: May 26, 2015
    Assignee: Enterprise Sciences, Inc.
    Inventor: Andrew N. Mostovych
  • Patent number: 8972746
    Abstract: A technique to enable secure application and data integrity within a computer system. In one embodiment, one or more secure enclaves are established in which an application and data may be stored and executed.
    Type: Grant
    Filed: December 17, 2010
    Date of Patent: March 3, 2015
    Assignee: Intel Corporation
    Inventors: Simon P. Johnson, Uday R. Savagaonkar, Vincent R. Scarlata, Francis X. McKeen, Carlos V. Rozas
  • Patent number: 8959605
    Abstract: Disclosed herein are systems, methods, and non-transitory computer-readable storage media for asset lease management. The system receives, from a client device associated with a user profile, a lease start request for an asset for which the user profile is authorized. The system identifies a number of available slots for progressively downloading content. If the number of available slots is greater than zero, the system assigns an available slot from the number of available slots to the client device to yield an assigned slot. The system transmits security information, a lease key, and a lease duration associated with the assigned slot to the client device in response to the lease start request, wherein the security information and lease key allow the client device to start a progressive download of the asset for the lease duration. At the end of the lease, the system terminates the lease and releases the assigned slot.
    Type: Grant
    Filed: December 14, 2011
    Date of Patent: February 17, 2015
    Assignee: Apple Inc.
    Inventors: Justin J. Henzie, Amine El Kamel, William Luh, Augustin J. Farrugia
  • Patent number: 8959603
    Abstract: An authentication system by which character strings in squares are selected by a rule determined by a user out of a table in which character strings are assigned to obtain a one-time password. The user memorizes a rule of successively selecting three out of the positions of the squares in a table having five rows and five columns, for example. To each square (402) in the table (401) to be presented to the user, a randomly generated two-digit number is assigned. The table (401) is presented to the user, who arranges the numbers in the squares (402) on the basis of the user's own rule to generate a six-digit number used as a one-time password for authenticating the user. Therefore, the rule for obtaining a one-time password is easy for the user to memorize and a long one-time password can be obtained.
    Type: Grant
    Filed: January 9, 2009
    Date of Patent: February 17, 2015
    Inventor: Hideharu Ogawa
  • Patent number: 8955097
    Abstract: A firewall cluster comprises three or more firewall processing nodes, which report primary node status based on the reporting node's membership in a preexisting cluster. A controller uses the reported status to assign a primary node in the distributed firewall cluster. Reported primary node status includes reported primary node eligibility if the node is a member of a preexisting cluster, reported primary node status comprising reporting primary node ineligibility if the node is not a member of a preexisting cluster, reported primary node status if the node is a primary node in a preexisting cluster, and reported primary node eligibility in a node that has timed out.
    Type: Grant
    Filed: December 13, 2011
    Date of Patent: February 10, 2015
    Assignee: McAfee, Inc.
    Inventors: David Andrew Bright, Michael James Silbersack, Aaron Christopher Bucher
  • Patent number: 8949594
    Abstract: A method for enabling a scalable public-key infrastructure (PKI) comprises invoking a process of receiving a message for a device, identifying an association ID for the device, retrieving encrypted association keys stored on the server for communicating with the device, the encrypted association keys encrypted using a wrapping key stored on a Hardware Security Module (HSM). The method further comprises sending the message and the encrypted association keys to the HSM, unwrapping, by the HSM, the encrypted association keys to create unwrapped association keys, cryptographically processing the message to generate a processed message, deleting the unwrapped association keys, sending the processed message to the device, and invoking, concurrently and by a second application, the process.
    Type: Grant
    Filed: March 12, 2013
    Date of Patent: February 3, 2015
    Assignee: Silver Spring Networks, Inc.
    Inventors: Christopher Vigliaturo, Benjamin Damm, David Drinan, Aditi Hilbert
  • Patent number: 8935787
    Abstract: A method for controlling data access in a data-at-rest system includes executing a link intrusion prevention analysis between multiple layers of the data-at-rest system, introducing a privacy policy at enforcement points that span multiple system layers, and dynamically altering the privacy policy.
    Type: Grant
    Filed: February 17, 2014
    Date of Patent: January 13, 2015
    Assignee: Protegrity Corporation
    Inventor: Ulf Mattsson
  • Patent number: 8918867
    Abstract: Systems, devices or methods provide for control of sensitive data in a computer system that includes at least one central server communicatively-coupled to a plurality of client computers. A particular method relates to the execution of software code on the at least one central server to monitor data communications of the plurality of client computers for sensitive data. A subset of the data communications is restricted when sensitive data is detected. Configuration data is provided to each of the plurality of client computers. Software code is executed on each of the plurality of client computers to detect accesses to sensitive data by one or more applications running on a client computer. Actions of the one or more applications running on a client computer are monitored to determine whether or not a trigger event has occurred. In response to determining that the trigger event has occurred, a notification is sent.
    Type: Grant
    Filed: March 11, 2011
    Date of Patent: December 23, 2014
    Assignee: 8x8, Inc.
    Inventor: Mehdi Salour
  • Patent number: 8887289
    Abstract: A computer-implemented method may include providing a security service capable of monitoring information shared by users of at least one communication service. The computer-implemented method may also include identifying a user of the communication service that has registered for the security service and maintaining a database that identifies potentially sensitive information. The computer-implemented method may further include determining, while monitoring information shared by the user via the communication service, that the user is attempting to share information that is potentially sensitive. In addition, the computer-implemented method may notify the user of the user's attempt to share potentially sensitive information via the communication service. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: March 8, 2011
    Date of Patent: November 11, 2014
    Assignee: Symantec Corporation
    Inventor: Sandip Hullale
  • Patent number: 8887231
    Abstract: A system and methodology that facilitates user friendly, automatic and/or dynamic femtocell access provisioning based on social network, presence, and/or user preference information is provided. In particular, the system can include a femto access manager that can identify a list of ‘close friends’, to which the femtocell owner is likely to grant femtocell access, based on an analysis of access data (e.g., data from social networks, communication logs, calendars, address books, websites and/or blogs, transaction related data, and the like). Further, an access priority associated with each of the close friends can be determined based in part on location data, availability data, and/or predefined policies. Furthermore, the femto access control list, within the femto access point (FAP), can be populated, dynamically and/or automatically, with the highest priority friends from the close friends list.
    Type: Grant
    Filed: July 28, 2010
    Date of Patent: November 11, 2014
    Assignee: AT&T Intellectual Property I, LP
    Inventor: Randolph Wohlert
  • Patent number: 8875221
    Abstract: There are provided a role information storing unit (11) that stores role information including information indicative of subject sets, and information capable of specifying inclusion relationships between subject sets, a policy description storing unit (12) that stores policy descriptions including information indicative of policies and information for identifying subject sets to which the policies are to be applied, a policy stratifying unit (13) that generates a policy hierarchy in which two or more policies are stratified based on inclusion relationships between subject sets to which each policy is applied, and a policy ordering unit (14) that totally orders policy sets made of the two or more policies to be totally ordered based on information indicative of the policy hierarchy while maintaining a higher/lower relationship in a hierarchy.
    Type: Grant
    Filed: January 26, 2010
    Date of Patent: October 28, 2014
    Assignee: NEC Corporation
    Inventor: Masayuki Nakae
  • Patent number: 8869286
    Abstract: A computer-implemented method for analyzing client-side storage security for Internet applications may include 1) identifying an interactive Internet resource, 2) identifying at least one input field for entering sensitive data within the interactive Internet resource, 3) identifying at least one instance of local client-side storage performed by the interactive Internet resource by simulating at least one interaction with the interactive Internet resource, and 4) comparing the instance of local client-side storage with a content of the input field to determine that the interactive Internet resource performs local client-side storage of sensitive data. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: May 22, 2012
    Date of Patent: October 21, 2014
    Assignee: Symantec Corporation
    Inventor: Yin Liu
  • Patent number: 8863254
    Abstract: An authentication information management program of an authentication information management apparatus allowing the authentication information management apparatus to execute: changing the first authentication information in correspondence information which is information including the first authentication information and second authentication information in association with each other and stored in a storage section of the authentication information management apparatus; transmitting the authentication apparatus of the changed first authentication information; determining, in response to a request from the apparatus to be authenticated, whether the second authentication information in the authentication request coincides with the second authentication information in the correspondence information; and returning, in the case where it is determined that the second authentication information in the authentication request coincides with the second authentication information in the correspondence information, the
    Type: Grant
    Filed: March 22, 2010
    Date of Patent: October 14, 2014
    Assignee: Fujitsu Limited
    Inventors: Itaru Nakagawa, Kazuo Sasaki
  • Patent number: 8863271
    Abstract: A method of authenticating a user of a computing device is proposed, together with a computing device on which the method is implemented. In the method a modified base image is overlaid with a modified overlay image on a display. At least one of the modified base image and modified overlay image is moved by the user. Positive authentication is indicated in response to the base image reference point on the modified base image being aligned, at least one of the base image reference point and the overlay image reference point having coordinates in three dimensions.
    Type: Grant
    Filed: December 16, 2010
    Date of Patent: October 14, 2014
    Assignee: BlackBerry Limited
    Inventors: Jason Tyler Griffin, Steven Henry Fyke, Jerome Pasquero, Neil Patrick Adams, Michael Kenneth Brown
  • Patent number: 8856902
    Abstract: A graphical authentication identifier is used to facilitate automatic authentication of a user. A graphical identifier authentication system receives a request from an authenticating entity for a onetime use graphical authentication identifier. In response to the received request, a onetime use graphical authentication identifier to be displayed by the authenticating entity is generated. A request for user authentication information by the authenticating entity is encoded in the graphical authentication identifier, which is transmitted to the authenticating entity for display (e.g., on a login screen). The onetime use graphical authentication identifier being displayed by the authenticating entity is captured by a registered user operated computing device.
    Type: Grant
    Filed: December 15, 2010
    Date of Patent: October 7, 2014
    Assignee: Symantec Corporation
    Inventors: Charles Andrew Payne, Shaun Cooley
  • Patent number: 8855316
    Abstract: The method involves exchange of a quantum signal between a first quantum node and a second quantum node as is usual in known quantum key distribution (QKD) schemes. The first quantum node communicates details of the quantum signal it sent or received with a first remote node. The first remote node thus has all the information required to take the place of the first quantum node in the key agreement step with the second quantum node. The first quantum node may be arranged to transmit the quantum signal to the second quantum node, in which case the invention provides a distributed quantum transmitter with the control logic in the first remote node being distributed remotely from the actual quantum transmitter in the first quantum node. Communications between the first remote node and first quantum node may comprise or be protected by a quantum key derived by conventional QKD.
    Type: Grant
    Filed: January 23, 2009
    Date of Patent: October 7, 2014
    Assignee: Qinetiq Limited
    Inventors: Simon Robert Wiseman, Brian Sinclair Lowans, Richard Middleton Hicks
  • Patent number: 8855314
    Abstract: A method of obtaining, in an electronic circuit, at least one first key intended to be used in a cryptographic mechanism, on the basis of at least one second key contained in the same circuit, the first key being stored in at least one first storage element of the circuit, the first storage element being reinitialized automatically after a duration independent of the fact that the circuit is or is not powered. Also described are applications of this method to encrypted transmissions, usage controls, as well as an electronic circuit implementing these methods.
    Type: Grant
    Filed: December 31, 2008
    Date of Patent: October 7, 2014
    Assignee: Proton World International N.V.
    Inventors: Jean-Louis Modave, Thierry Huque