Patents Examined by David Pearson
  • Patent number: 9787663
    Abstract: An intermediary third-party receives, from a master device, a batch of pre-generated secure commands; plays it so as to send sequentially, to a slave device, the commands. The batch includes an initial command indicating the establishment of a channel secured with a session key dependent on a sequence counter, and second commands protected by a MAC code that is a function of the session key. An update of the sequence counter in non-volatile memory of the slave on each new establishment of a secure channel renders the pre-generated batch obsolete by virtue of a new session key. In order to allow the batch to be replayed, the invention provides for each update value of the counter to be temporarily stored in volatile memory, and for the current value to be overwritten in non-volatile memory on predefined events, including a test counter reaching a maximum number of replays.
    Type: Grant
    Filed: October 9, 2015
    Date of Patent: October 10, 2017
    Assignee: OBERTHUR TECHNOLOGIES
    Inventors: Jean-Philippe Vallieres, Sebastien Nerot
  • Patent number: 9781137
    Abstract: The present invention provides methods, apparatuses and computer program product relating to fake base station detection with core network support. The present invention includes receiving, at a core network, context information from a user equipment, receiving, at the core network, context information from at least one network element, and determining, at the core network, whether the context information received from the user equipment coincides with the context information received from the network element.
    Type: Grant
    Filed: October 11, 2012
    Date of Patent: October 3, 2017
    Assignee: Nokia Solutions and Networks Oy
    Inventors: Laszlo Szucs, Laszlo Csik
  • Patent number: 9781122
    Abstract: A system provides cloud-based identity and access management. The system receives a request from a client for an identity management service, authenticates the request, and accesses a microservice based on the request. The system determines, based on the request, a tenancy of the client, a tenancy of a user, and a tenancy of a resource. The system retrieves data from the determined tenancies as required to process the request, where the data is retrieved by the microservice using a connection pool that provides connections to the database. The system then performs the identity management service by the appropriate microservice responsible for processing the received request.
    Type: Grant
    Filed: April 12, 2017
    Date of Patent: October 3, 2017
    Assignee: Oracle International Corporation
    Inventors: Gregg Wilson, Tomas Knappek
  • Patent number: 9773205
    Abstract: Method for automatically distributing, as needed, a user's digital-works and usage-rights to one or more user-devices. A definition of the usage-rights for a digital-work may be stored at one or more locations on a network. A version of said digital-work suitable for a user-device may be provided by one or more locations on said network. When a user who is authorized to utilize said digital-work is active at a user-device, a version of said digital-work and authorization to utilize is automatically transferred when needed to a user-device. The digital-work and authorization may be automatically transferred as needed to any user-device where an authorized user is active. The usage-rights may only be valid for one or more specific users. The usage authorization at each user-device may be less than defined in the full usage-rights maintained on the network. Authorization to utilize said digital-work at a user-device may be extended from time to time by exchanging user-device status across the network.
    Type: Grant
    Filed: June 3, 2015
    Date of Patent: September 26, 2017
    Inventor: James W. Wieder
  • Patent number: 9769124
    Abstract: An approach is provided for providing access control to shared data based on a trust level. A method comprising, encrypting, at a first device, data with public attribute keys associated with attributes according to an attribute-based encryption (ABE) scheme, wherein the attributes comprising at least one trust level related attribute representing an access condition for the data based on a trust level; storing the encrypted data into a data center, determining the eligibility of a user of a second device by checking whether a trust level of the user of the second device satisfies the access condition; and issuing to the second device, secret attribute keys associated with attributes and personalized for the user of the second device for decrypting the encrypted data, when the user of the second device is eligible.
    Type: Grant
    Filed: September 21, 2012
    Date of Patent: September 19, 2017
    Assignee: Nokia Technologies Oy
    Inventor: Zheng Yan
  • Patent number: 9756026
    Abstract: An access platform or other network elements can include multiple line cards configured to encrypt data. The platform and/or each of the line cards may receive encryption management data that conforms to a predefined encryption management data interface. The encryption management data received by a particular line card may be generated by a conditional access system device and converted to conform to the encryption management data interface by an encryption manager. Line cards may alternatively be configured for connection to separate encryption hardware components. Line cards may include a block of field programmable gate arrays or other type of programmable hardware that can be configured to execute an encryption module.
    Type: Grant
    Filed: July 2, 2015
    Date of Patent: September 5, 2017
    Assignee: Comcast Cable Communications, LLC
    Inventors: Jorge Daniel Salinger, Kevin Taylor, James William Fahrny
  • Patent number: 9747470
    Abstract: The invention relates to a processing method, including the calculation of one function between a datum to be compared and a reference datum. The function can be written in the form of a sum of: a term that depends on the datum to be compared, a term that depends on the reference datum, and a polynomial, such that all the monomials of the polynomial include at least one coordinate of each datum. The method includes an initialization step including: generating masking data; scrambling reference data by means of a server unit on the basis of said masking data; and calculating, by means of a client unit, the term of the function that depends on the datum to be compared.
    Type: Grant
    Filed: March 11, 2014
    Date of Patent: August 29, 2017
    Assignee: MORPHO
    Inventors: Alain Patey, Julien Bringer
  • Patent number: 9747460
    Abstract: Systems and methods for data sharing and transaction processing for high security documents are disclosed. According to one embodiment, a method may include (1) at least one computer processor verifying that a sender of a document is authorized to send the document; (2) the at least one computer processor verifying that a receiver of the document is authorized to receive the document; (3) the at least one computer processor identifying at least one restriction to associate with the document; and (4) the at least one computer processor associating the at least one restriction with the document.
    Type: Grant
    Filed: February 10, 2014
    Date of Patent: August 29, 2017
  • Patent number: 9736173
    Abstract: Methods and systems for intrusion attack recovery include monitoring two or more hosts in a network to generate audit logs of system events. One or more dependency graphs (DGraphs) is generated based on the audit logs. A relevancy score for each edge of the DGraphs is determined. Irrelevant events from the DGraphs are pruned to generate a condensed backtracking graph. An origin is located by backtracking from an attack detection point in the condensed backtracking graph.
    Type: Grant
    Filed: October 9, 2015
    Date of Patent: August 15, 2017
    Assignee: NEC Corporation
    Inventors: Zhichun Li, Zhenyu Wu, Zhiyun Qian, Guofei Jiang, Masoud Akhoondi, Markus Kusano
  • Patent number: 9736170
    Abstract: In a method, each received vehicle-to-X message is at least partly forwarded to at least one application of a vehicle depending on specified information of the vehicle-to-X message (N), the vehicle-to-X message comprising a digital signature. Digital signatures of the vehicle-to-X messages relevant to the decision that a specified action of the application should be carried out are validated depending on a decision signal provided in response to the vehicle-to-X messages being forwarded to the at least one application and which represents an assertion as to whether the vehicle-to-X messages comprise data causing the action to be carried out. A signal is provided depending on a result of the validation of the digital signatures, the signal representing a credibility of the vehicle-to-X messages relevant to the decision.
    Type: Grant
    Filed: September 27, 2013
    Date of Patent: August 15, 2017
    Assignee: Continental Automotive GmbH
    Inventors: Stefan Römmele, Ulrich Stählin
  • Patent number: 9723004
    Abstract: A network drive system for controlling access to a network drive based on location information on a communication device according to the present technology includes: a storage unit storing a network drive that stores security data and general data; a receiving unit receiving a request for access to the network drive from a first communication device; a location checking unit checking whether the distance between the first communication device and a second communication device designated as a device for controlling access to the network drive is within a critical value; and a policy setting unit that applies a policy allowing the first communication device to access general data stored in the network drive or applies a policy disallowing the first communication device to access general data stored in the network drive, according to results of the determining by the location checking unit.
    Type: Grant
    Filed: July 2, 2013
    Date of Patent: August 1, 2017
    Assignee: Facecon Co., Ltd.
    Inventors: Giho Yang, Jaeyeob Hwang
  • Patent number: 9722988
    Abstract: Examples are disclosed for a first device to wirelessly dock to a second device. In some examples, a first device may receive identification from the second device for wirelessly docking. The first device may determine whether the second device is allowed to wirelessly dock and if allowed an authentication process may be implemented. The first device may then wirelessly dock to the second device based on a successful authentication. Other examples are described and claimed.
    Type: Grant
    Filed: September 22, 2015
    Date of Patent: August 1, 2017
    Assignee: INTEL CORPORATION
    Inventors: Elad Levy, Michael Glik, Paz Pentelka, Yaron Kahana
  • Patent number: 9710623
    Abstract: A cryptographic system comprises a white-box implementation of a function; an implementation of a cryptographic algorithm; and an implementation of a combining operation for establishing cryptographically processed data in dependence on an outcome of the function and in dependence on an outcome of the cryptographic algorithm. The combining operation comprises combining an outcome of the cryptographic algorithm with an outcome of the function. Alternatively, the combining operation comprises combining an outcome of the function with a received data element to obtain a combination outcome and applying the cryptographic algorithm to the combination outcome.
    Type: Grant
    Filed: March 2, 2009
    Date of Patent: July 18, 2017
    Assignee: Irdeto B.V.
    Inventors: Wilhelmus P. A. J. Michiels, Paulus M. H. M. A. Gorissen
  • Patent number: 9705862
    Abstract: A thick client installed on a client device includes a network protocol server that serves thin client requests for digital fingerprints of the client device. A thin client requests a digital fingerprint of the client device in which the thin client is executing by forming a URL according to a protocol served by the server of the thick client and addressing the URL to the local client device. The thick client returns the digital fingerprint as a response to the request from the thin client.
    Type: Grant
    Filed: September 25, 2013
    Date of Patent: July 11, 2017
    Assignee: BLUECAVA, INC.
    Inventor: Eric Alan Johannsen
  • Patent number: 9690933
    Abstract: According to one embodiment, an apparatus comprises a detection engine and a classification engine. The detection engine is responsible for analyzing an object to determine if the object is malicious. The classification engine is configured to (i) receive results of the analysis of the object conducted by the detection engine and (ii) analyze, based at least in part on the results from the detection engine, whether the object is malicious in accordance with a predictive model. Responsive to the detection engine and the classification engine differing in determinations as to whether the object is malicious, information associated with at least a portion of the results of the analysis of the object by at least one of the detection engine and the classification engine is uploaded for determining whether an update of the predictive model is to occur. An update of the predictive model is subsequently received by the classification engine.
    Type: Grant
    Filed: December 22, 2014
    Date of Patent: June 27, 2017
    Assignee: FireEye, Inc.
    Inventors: Abhishek Singh, Ali Mesdaq, Anirban Das, Varun Jain
  • Patent number: 9692763
    Abstract: A content management system manages documents such that a document is received and stored in the content management system. Access privileges (e.g., an Access Control List) to the document are defined for one or more users of the content management system. An occurrence of a document life cycle event with respect to the document is detected and a distribution list is generated for notifying the one or more users of the document life cycle event based on the access privileges of the one or more users.
    Type: Grant
    Filed: February 12, 2014
    Date of Patent: June 27, 2017
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Kenytt D. Avery, Vincent Q. Le, Kevin N. Trinh
  • Patent number: 9692779
    Abstract: A method and apparatus for quantifying the vulnerability of a system. The apparatus includes a vulnerability calculation unit, a target organization security level calculation unit, a network separation status calculation unit, an interim calculation unit, and a final score calculation unit. The vulnerability calculation unit converts each of the vulnerability identification results of the system into a vulnerability score. The target organization security level calculation unit calculates a target organization security level score based on a technology-field security level score and a management-field security level score. The network separation status calculation unit converts the status of the separation of the local network of the system into a network separation score. The interim calculation unit calculates an interim score. The final score calculation unit quantifies the vulnerability of the system by finally calculating a composite score using the interim score and a simulated intrusion success level.
    Type: Grant
    Filed: October 21, 2013
    Date of Patent: June 27, 2017
    Assignee: ELECTRONICS AND TELECOMMUNICATIONS RESEARCH INSTITUTE
    Inventors: Young-Jae Maeng, Jong-Hu Lee, Hyun-Dong Park, Sang-Woo Park, Eung-Ki Park
  • Patent number: 9678898
    Abstract: There is described a chip comprising a one-time programmable (OTP) memory programmable to store chip configuration data, and a verification module operable to access the OTP memory. The verification module is operable to receive a verification request relating to a specified portion of the OTP memory, the verification request comprising mask data defining the specified portion of the OTP memory. In response to the verification request, the verification module is operable to use the mask data and the OTP memory to generate verification data relating to the specified portion of the OTP memory, the verification data further being generated based on a secret key of the chip. There is also described a chip-implemented method of generating verification data relating to a specified portion of a one-time programmable (OTP) memory of the chip. There are also described methods for primary or secondary verification systems to verify a configuration of a specified portion of the OTP memory of the above-mentioned chip.
    Type: Grant
    Filed: October 11, 2012
    Date of Patent: June 13, 2017
    Assignee: IRDETO B.V.
    Inventor: Ettore Benedetti
  • Patent number: 9674157
    Abstract: A client device configured to intercept an outgoing packet. The outgoing packet includes a destination network address. The client device is further configured to use an encryption key to encrypt the outgoing packet to generate an encrypted packet, scatter the encryption key into the encrypted packet according to pattern logic defined by a unique identifier of a routing server, and send the encrypted packet containing the scattered encryption key to the routing server. The routing server is configured to receive the encrypted packet containing the scattered encryption key, extract the encryption key from the encrypted packet using the pattern logic defined by the unique identifier, use the encryption key to decrypt the encrypted packet to obtain the outgoing packet including the destination network address, and send the outgoing packet to the destination network address.
    Type: Grant
    Filed: March 13, 2014
    Date of Patent: June 6, 2017
    Assignee: JUMPTO MEDIA INC.
    Inventors: Alexander Ambroz, Necj Palir
  • Patent number: 9654508
    Abstract: Various aspects of the disclosure relate to configuring and providing policies that manage execution of mobile applications. In some embodiments, a user interface may be generated that allows an IT administrator or other operator to set, change and/or add to policy settings. The policy settings can be formatted into a policy file and be made available for download to a mobile device, such as via an application store or to be pushed to the mobile device as part of a data push service. The mobile device, based on the various settings included in the policy file, may perform various actions to enforce the security constraints that are represented by the policy. The various settings that can be included in a policy are numerous and some examples and variations thereof are described in connection with the example embodiments discussed herein.
    Type: Grant
    Filed: October 7, 2014
    Date of Patent: May 16, 2017
    Assignee: Citrix Systems, Inc.
    Inventors: Gary Barton, Zhongmin Lang, Nitin Desai, James Robert Walker