Abstract: Techniques are disclosed herein for establishing a file transfer connection via wearable devices (e.g., head-mounted wearable devices). A service executing on a cloud platform receives a connection authentication request including authentication data from wearable devices, each associated with a mobile device. Upon validating the connection authentication request, a file transfer connection between the wearable devices is established. The service receives a request from one of the wearable devices to transfer a file maintained by an associated mobile device to another mobile device. Upon validating this request, the service sends an authorization to transfer the file.

Abstract: Systems and methods for protecting private data behind a privacy firewall are disclosed. A system for implementing a privacy firewall to determine and provide non-private information from private electronic data includes a data storage repository, a processing device, and a non-transitory, processor-readable storage medium. The storage medium includes programming instructions that, when executed, cause the processing device to analyze a corpus of private electronic data to identify a first one or more portions of the data having non-private information and a second one or more portions of the data having private information, tag the first one or more portions of the data as allowed for use, determine whether the second one or more portions of the data includes non-private elements, and if the second one or more portions of the data comprises non-private elements, extract the non-private elements and tag the non-private elements as information allowed for use.

Abstract: Some embodiments of cloud-based gateway security scanning have been presented. In one embodiment, some data packets are received sequentially at a gateway device. The data packets constitute at least a part of a file being addressed to a client machine coupled to the gateway device. The gateway device forwards an identification of the file to a remote datacenter in parallel with forwarding the data packets to the client machine. The datacenter performs signature matching on the identification and returns a result of the signature matching to the gateway device. The gateway device determining whether to block the file from the client machine based on the result of the signature matching from the datacenter.

Abstract: A computing system includes: a control unit configured to: obtain an information release setting for a raw user information, the raw user information including an information attribute; determine an information format for the information attribute of the raw user information; determine a privacy notion based on the information release setting; generate perturbed user information from the information attribute based on the privacy notion, wherein the information format for the raw user information is preserved in the perturbed user information; and a communication unit, coupled to the control unit, configured to transmit the perturbed user information.

Abstract: A method for verifying the authenticity of a certificate in a web browser using an SSL/TLS protocol in an encrypted Internet connection to an HTTPS website includes establishing an encrypted connection to the HTTPS website using the web browser on a user's terminal device. A certificate including a public key of the HTTPS website and signed by a trusted certificate authority is sent to the user's web browser from the web server using the Internet connection. The certificate authority that signed the certificate is compared against the list of trusted certificate authorities. The certificate authority is verified as being included in the list. The thumbprint of the certificate is sent as an additional security check key using a second messaging channel, external to the Internet connection between HTTPS website and web browser of the user's terminal device, and the contact data in the customer register. The additional security check key is compared with the thumbprint received by the web.

Abstract: A system for regulating dynamic implementation of exceptions in an onboard network firewall includes a client application interface receptive to a data link request from a client device. An onboard connectivity manager includes a firewall interface connected to the onboard network firewall to request the exceptions in response to a connection authorization, a client presence manager receptive to the data link request relayed by the client application interface from the client device, and a network load manager in communication with the firewall interface and the client presence manager. A remote connectivity manager is connected to a remote application service and is in communication with the onboard connectivity manager. The network load manager generates the connection authorization to the firewall interface in response to the connection authorization request and an evaluation of one or more access grant conditions.

Abstract: Secure operations can be performed using security module instances offered as a web service through a resource provider environment. State data and cryptographic material can be loaded and unloaded from the instance as needed, such that the instance can be reused for operations of different customers. The material and data can be stored as a bundle encrypted using a key specific to the hardware security module and a key specific to the resource provider, such that the bundle can only be decrypted in an instance of that type of security module from the associated manufacturer and operated by that particular resource provider. The customer is then only responsible for the allocation of that instance during the respective cryptographic operation(s).

Abstract: Embodiments presented herein provide techniques for managing a digital certificate enrollment process. In particular, embodiments presented herein provide techniques for a certificate authority to issue short-lived SSL certificates and an authentication method for validating certificate signing requests (CSR) for short-lived certificates.

Abstract: A strong authentication token supporting multiple instances associated with different users and protected by a user identity verification mechanism is disclosed. A multi-instance strong authentication token may be adapted to generate dynamic credentials using cryptographic secrets that are specific to a particular instance stored in the token. A method and a system to secure remotely accessible applications using strong authentication tokens supporting multiple instances are disclosed. A method for loading additional tokens into a multi-instance authentication token is disclosed.

Abstract: Computerized embodiments are disclosed for keeping personally identifying information within a protected domain environment when interacting with a computerized service environment. In one embodiment, user interface commands are received from a remote computerized system of the protected domain environment at the computerized service environment via computerized network communications. A data residency protection component is generated within the computerized service environment in response to the user interface commands. The data residency protection component is configured to act as a proxy for the computerized service environment, when executed in the protected domain environment by the remote computerized system, to isolate personally identifying information from visibility or storage outside of the protected domain environment.

Abstract: A Qualified Electronic Signature (QES) system configured to exchange data with first processing means of the requester configured to allow a requester to generate requests requesting a qualified electronic signature through said system to a recipient. The system comprises second processing means of the recipient configured to allow the recipient of the request to sign with his qualified electronic signature.

Abstract: A method and a terminal device for making multi-system constraint of a specified permission in a digital rights. A rights object related to content object is obtained by an executing device. The specific permission descriptions of the rights object include system constraint descriptions of a plurality of systems of the same type. The executing device obtains a corresponding system information in the device according to the system constraint descriptions and compares the system information in the device with the system information in the system constraint descriptions, so as to judge whether there is any system permitted in system constraint descriptions. If yes, it determines to permit executing the specific permission for the content object; otherwise, it determines not to permit executing said specific permission for the content object.

Abstract: Techniques to securely boot up an electronics device (e.g., a cellular phone) from an external storage device are described. Secure data (e.g., a hash digest, a signature, a cryptographic key, and so on) is initially retrieved from a non-writable area of an external memory device (e.g., an one-time programmable (OTP) area of a NAND Flash device). A first program (e.g., a boot program) is retrieved from a writable or main area of the external memory device and authenticated based on the secure data. The first program is enabled for execution if authenticated. A second program may be retrieved from the main area of the external memory device and authenticated based on the secure data. The second program is enabled for execution if authenticated. Additional programs may be retrieved and authenticated. Each program may be authenticated using a secure hash function, a digital signature, and/or some other cryptographic technique.

Abstract: A system and method for controlling the execution of executable files. The executables are identified by either a cryptographic digest or a digital certificate. The crytographic digest is computed from the binary image of the executable. An executable that is attempting to execute is intercepted by a protection module that consults a database of stored rules over a secure channel to determine whether or not the executable can be identified as a permitted executable and whether or not it has permission to execute on a particular computer system under certain specified conditions. If a stored permission is available, it is used to control the execution. Otherwise, the user is consulted for permission.

Abstract: According to one embodiment a method is disclosed involving storing in a device a static policy framework and one or more dynamic policy algorithms, and controlling policy management in the device by operating the static policy framework and executing the dynamic policy algorithms. The invention also provides in other embodiments an apparatus configured to perform such a method and a computer program product for performing the method.

Abstract: A system and method for establishing a connection on a mobile computing device. A secret is generated on a trusted platform of the mobile computing device. The secret is transported to a secure channel application. The secure channel application establishes a trusted local communication channel between the trusted platform and a SIM (subscriber identity module)/Smartcard. The secret is received by the SIM/Smartcard. The secret, after being received by the SIM/Smartcard, is provided to a secure channel applet on the SIM/Smartcard. The secure channel applet establishes the trusted local communication channel between the SIM/Smartcard and the trusted platform, wherein the secret is shared by the trusted platform and the SIM/Smartcard.

Abstract: A method for transmitting policy information between network equipment, extending protocol types of messages in layer-2, layer-3 or a higher application layer between an IP-uplink broadband user access equipment and a BRAS so as to construct a PITP to bear policy information; a PITP message includes a policy information transmission type field, an operation type field and a policy information content field, and different types of policy information are distinguished by the policy information transmission type field; transmission of the policy information is implemented through a point-to-point means or a broadcast means in layer-2, a unicast or a multicast in layer-3 or a higher application layer. The present invention implements policy information transmission, prevents account intrusions and hacker attacks, makes it convenient for the broadband user access equipment to implement dynamic QoS policy adjustment in terms of different users and makes it easy for integrated managing the online equipment.

Abstract: The system and method uses user generated questions and answers of multiple levels for added protection from adversaries. There are a first set of question(s) and answer(s) corresponding to the first set of questions as well as a second set of plurality of questions and answers corresponding to the second set of plurality of questions. The second set of plurality of answers is concatenated to form a single pass phrase. To enter the pass phrase at a client workstation, a user is presented with a plurality of entries for entering the second set of plurality of answers and an option to request a second set of plurality of questions. If the correct first set of answer(s) is entered immediately or entered after the first set of question(s) is displayed, the second set of plurality of questions is displayed.

Abstract: A robust technique to prevent illicit copying of video information notwithstanding the use of image scaling. A watermark is embedded into the video signal (e.g., DVD's content or other video sources) at different scales (i.e., sizes). The watermark is maintained at each scale for a predetermined time duration that is sufficient to allow the detector circuit in a DVD-recorder, DVHS recorder, DVCR, or any other digital format recorder to detect, extract, and process information contained in the watermark. At the end of the predetermined time duration, the watermark is changed to a different scale preferably on a pseudo-random basis to ensure that each one of all the scales in a predetermined scaling range is achieved a predetermined number of times. Thereby the recorder shuts off a number of times during play of the content, each time the detector circuit senses the watermark.

Abstract: Techniques for protecting the security of digital representations and of analog forms made from them, including a technique for authenticating an analog form produced from the digital representation, an active watermark that contains program code that may be executed when the watermark is read, and a watermark agent that reads watermarks and sends messages with information concerning the digital representations that contain the watermarks. A watermark agent may be a permanent resident of a node in a network or of a device or it may move from one network node to another. The watermark agent executes code which examines digital representations residing in the node or device for watermarked digital representations that are of interest to the watermark agent. The watermark agent then sends messages which report the results of its examination of the digital representations. If the watermarks are active, the agent and the active watermark may cooperate.