Abstract: An intention to perform a data management function in a computing environment is confirmed by issuing a confirmation prompt requiring a user to input at least one character associated with a subject of the data management function prior to performing the data management function.

Abstract: A system is provided for secure data transmission. The system stores a public master key, private decryption key and secure messaging module for securely transmitting and receiving a digital model data file for transmission via a work order message. For transmitting and receiving the work order message, the system generate public encryption keys using a key generation algorithm in which each of the public encryption keys are unique to a designated message recipient and generated using an input including the public master key, a validity period, and an identifier of the designated message recipient. The system may also store a revocation list that includes identifiers of message recipients that have revoked access to the public master key or private decryption key, and based thereon determine whether or not to encrypt and transmit the work order message, or receive and decrypt the work order message.

Abstract: Systems and methods for virtual machine locking. An example method may include: applying a lock to a virtual machine, the lock enabling ongoing execution of the virtual machine and outbound communication by the virtual machine while precluding unauthenticated inbound communication to the virtual machine, receiving, from a first device and in response to an authentication request, an authentication attempt, processing the authentication attempt to authenticate the first device with respect to the virtual machine, and in response to a determination that the first device was successfully authenticated with respect to the virtual machine, enabling inbound communication from the first device to the virtual machine.

Abstract: Methods and systems are provided for controlling the execution of business logic that allows features to be turned on or off at run time for each particular user entity of a plurality of user entities. Prior to run time a library is configured based on an administrator's interaction with an interactive control panel at a computer of the system. For each particular user entity and for each particular code block of an object that comprises a plurality of code blocks each corresponding to a particular feature and having an enabling predicate associated with that particular code block, the library can be configured by defining an on/off state for each feature of that particular code block via an enabling predicate associated with that particular feature. The library can then be cached in a custom settings cache of the system for use at run time.

Abstract: An information processing apparatus for suitably registering policy information by considering an order of priority while reducing the burden on a user has the following structure. When policy information used for communication with an apparatus of a communication partner is to be registered in a storage unit, and when an address of the apparatus of the communication partner of the policy information to be registered in the storage unit is included in an address of an apparatus of a communication partner of policy information already stored in the storage unit, registering of the policy information to be registered so that an order of priority of the policy information to be registered in the storage unit is set lower than an order of priority of the policy information whose address includes the address of the apparatus of the communication partner of the policy information to be registered is restricted.

Abstract: A method is provided in one example embodiment that includes receiving in an external handler an event notification associated with an event in a virtual partition. A thread in the process in the virtual partition that caused the event can be parked. Other threads and processes may be allowed to resume while a security handler evaluates the event for potential threats. A helper agent within the virtual partition may be instructed to execute a task, such as collecting and assembling event context within the virtual partition, and results based on the task can be returned to the external handler. A policy action can be taken based on the results returned by the helper agent, which may include, for example, instructing the helper agent to terminate the process that caused the event.

Abstract: A method for generating a data frame is disclosed which contains a user data block with the message and a code block. To generate the code block, a first data record is initially coded by means of a first coding algorithm in order to calculate a first code word. Subsequently, the message is transformed. By using the first code words thus generated and the transformed message, a second code word is subsequently calculated by using a second coding algorithm. The data frame comprises the second code word but not the first code word.

Abstract: A method for verifying data integrity of a block device is provided. The method includes providing a secure world execution environment configured to monitor changes to data blocks of a block device, within the secure world execution environment, generating a hash for changed data blocks of the block device, and within the secure world execution environment, verifying and generating a cryptographic signature.

Abstract: A system for two-way authentication using two-dimensional codes is provided. The system includes a memory and a processor coupled to the memory. The processor is to generate a two-dimensional code to be used by a user of a mobile device for accessing a remote resource. The processor is to generate the code in response to a request from the remote resource for the code. The processor is further to receive an authentication request from the mobile device to authenticate the remote resource. The authentication request includes information obtained from the two-dimensional code, the information including an authentication request identifier. The processor is also to compare the authentication request identifier to an expected value to create an authentication indication and to transmit the authentication indication and an authentication credential to the mobile device to authenticate the user to the remote resource.

Abstract: A mobile secure agent on a wireless device executes one or more authenticated data collection profiles provisioned by a private profile producer. Each data package can only be transmitted to a collector certificated by the same private profile producer. Update profiles are signed and provisioned through a tunnel initiated from the mobile secure agent. A Certificate Authority provides libraries, anchors, and certificates in a key management message module to each mobile secure agent which enables revocation and replacement of certificates. Data stored in this way on a wireless device may only be transmitted in encrypted form to an authenticated destination.

Abstract: The present document describes systems and methods that, in some situations, improve data security. In one embodiment, communications between a client and a server are encrypted using an envelope-based encryption scheme. The envelope includes: a data encryption key reference; and data encrypted with a corresponding data encryption key. A data encryption key server maintains a collection of data encryption keys that are accessible using corresponding data encryption key references. In another embodiment, a storage server maintains stored data using the envelope-based encryption scheme. The stored data is made available to particular clients in encrypted or plaintext form based at least in part on a trust score determined for each client's request. In yet another embodiment, as a result of a secure transport handshake, a client is provided with a pluggable cipher suite.

Abstract: A method for visual authentication with a monitoring system. The method includes pre-provisioning the monitoring system with a reference visual authentication element, obtaining an image of a user-presented visual authentication element and generating a validation result by validating the user-presented visual authentication element against the reference visual authentication element. The method further includes, based on the validation result, making a determination that the user-presented visual authentication element matches the reference visual authentication element, and taking an action affiliated with the reference visual authentication element.

Abstract: A hack-proof computer interface between a public-side operating system and a private-side operating system utilizing a “King's food taster” approach. A public-side operating system is exposed to the outside world, while a private-side operating system is isolated from the outside world except through the hack-proof interface. This effectively prevents infection of the private-side operating system with viruses or other computer malware from the outside world. The hack-proof interface includes a bitmap-coupled interface, such as a camera capturing a video image of the visible computer screen public-side operating system. A security device, such as a video scrambler or security lens, distorts or decimates the video image sufficiently to prevent active virus code from passing through the bitmap-coupled interface.

Abstract: A processing or memory device may include a first encryption pipeline to encrypt and decrypt data with a first encryption mode and a second encryption pipeline to encrypt and decrypt data with a second encryption mode, wherein the first encryption pipeline and the second encryption pipeline share a single, shared pipeline for a majority of encryption and decryption operations performed by the first encryption pipeline and by the second encryption pipeline. A controller (and/or other logic) may direct selection of encrypted (or decrypted) data from the first and second encryption pipelines responsive to a region of memory to which a physical address of a memory request is directed. The result of the selection may result in bypassing encryption/decryption or encrypting/decrypting the data according to the first encryption mode or the second encryption mode. More than two encryption modes are envisioned.

Abstract: Techniques are disclosed for accelerating online certificate status protocol (OCSP) response distribution to relying parties using a content delivery network (CDN). A certificate authority generates updated OCSP responses for OCSP responses cached in the CDN that are about to expire. In addition, the certificate authority pre-generates cache keys in place of CDNs generating the keys. The certificate authority sends the OCSP responses and the cache keys in one transaction, and the CDN, in turn, consumes the new OCSP responses using the cache keys.

Abstract: A system and method for efficiently obtaining user configuration information for a given device. Multiple devices are deployed in an environment and may be storage appliances. A directory service and an authentication service may be used to determine whether a login session attempt on a deployed device is successful. An identity and access manager (IAM) is used to for this determination and to communicate with the directory service and the authentication service. A device of the one or more of the deployed devices does not store user configuration information. Responsive to an attempted login by a user, the device mimics the existence of the user and generates a request for directory lookup and authentication for the user which is conveyed to an external device. If a positive response is received in response to the request, the user is permitted to login to the device and a session is created for the user.

Abstract: Disclosed is a system and method for identifying a path in a tree data structure having a plurality of levels. An example method includes receiving a request from a software application to access a resource in a computer file system using a requested path; identifying a first element in the requested path; comparing the first element with nodes in a first level of the tree data structure to identify an exact match; if the first element does not have an exact match, comparing the first element with at least one mask node in the first level of the tree data structure to identify a match by mask; and if the first element does not match one of mask nodes in the first level of the tree data structure, determining that the requested path is not in the tree data structure.

Abstract: A computer-implemented method for distilling a malware program in a system is disclosed. The computer-implemented method includes steps of receiving a known malware program sample; providing a benign program containing a first instruction set associated with a security; extracting the instruction set; tracing a program segment associated with the instruction set from the benign program using a plurality of data flow pathways; slicing the program segment into a plurality of independent data flow elements; identifying a partial program having elements identical to the plurality of independent data flow elements from the known malware program sample; and removing the partial program from the known malware program sample to distill the malware program.

Abstract: A framework, which conforms to the OAuth standard, involves a generic OAuth authorization server that can be used by multiple resource servers in order to ensure that access to resources stored on those resource servers is limited to access to which the resource owner consents. Each resource server registers, with the OAuth authorization server, metadata for that resource server, indicating scopes that are recognized by the resource server. The OAuth authorization server refers to this metadata when requesting consent from a resource owner on behalf of a client application, so that the consent will be of an appropriate scope. The OAuth authorization server refers to this metadata when constructing an access token to provide to the client application for use in accessing the resources on the resource server. The OAuth authorization server uses this metadata to map issued access tokens to the scopes to which those access tokens grant access.

Abstract: Disclosed are a computer system, a signature verification server, a method of supporting signature verification by a computer system, and a method of verifying signature.