Abstract: In a Reverse Turing Test an applicant seeking access to a computer process is presented with an image containing human-readable data that is intended to be inaccessible to an automated process or bot. In an improved Reverse Turing Test the applicant is presented with multiple sub-images that have to be rearranged in order to yield the overall image. This does not substantially increase a human applicant's difficulty in dealing with the test, but makes it much more difficult for a bot to interpret the image.

Abstract: Systems and methods enabling parallel processing of hash functions are provided. A data string including a plurality of pieces arranged in an order is hashed using a hash function to determine a plurality of authentication checkpoint hashes associated with the pieces. To authenticate the data string, the pieces are grouped into sets, and the authentication checkpoint hash associated with the piece following all other pieces of that set in the order is associated with that set. The system simultaneously performs a separate hash process on each set. That is, the system hashes the pieces of that set using the hash function to determine a result hash, and compares that result hash with the authentication checkpoint hash associated with that set. The initial input to the hash function for the hash process for each set includes one of the pieces and either a default seed or an authentication checkpoint hash.

Abstract: A small piece of hardware connects to a mobile device and filters out attacks and malicious code. Using the piece of hardware, a mobile device can be protected by greater security and possibly by the same level of security offered by its associated corporation/enterprise. In one embodiment, a mobile security system includes a connection mechanism for connecting to a data port of a mobile device and for communicating with the mobile device; a network connection module for acting as a gateway to a network; a security policy for determining whether to forward content intended for the mobile device to the mobile device; and a security engine for executing the security policy.

Abstract: A particular method includes storing, at a mobile device, at least one security credential that is specific to the mobile device. The method also includes transmitting the at least one security credential to a secure user plane location (SUPL) location platform (SLP) to authenticate the mobile device as associated with a SUPL user based on a comparison of the device identifier to a stored device identifier.

Abstract: Accessing data includes determining if the data is provided on a local group of servers or on an external group of servers. If the data is provided on a local group of servers, a storage server is used to access the data. If the data is provided on an external group of servers, a proxy server is used to access the data. The proxy server interacts with an entity accessing the data in a manner that is substantially similar to interaction between the entity and the storage server. Using the proxy server may include initially providing an account id and a password. Following providing an account id and a password, using the proxy server may include using an account id and a shared secret. Using the proxy server may include using RSA ID tokens or cryptographic certificates.

Abstract: A method of securing a computer comprising a microkernel and a system for interfacing with at least one virtualized operating system are presented. The microkernel includes a clock drive, a scheduler and an inter-process communication manager. The system for interfacing forms at least one virtual machine associated with each operating system and allows execution of the latter without modification. The method includes, at the level of the system for interfacing, the steps of:—intercepting any communication between a means external to the operating system and the operating system,—verifying that predefined rules of access to said external means are validated by said communication;—transmitting the communication to the recipient if the rules are validated.

Abstract: Techniques are described for providing customizable sign-on functionality, such as via an access manager system that provides single sign-on functionality and other functionality to other services for use with those services' users. The access manager system may maintain various sign-on and other account information for various users, and provide single sign-on functionality for those users using that maintained information on behalf of multiple unrelated services with which those users interact. The access manager may allow a variety of types of customizations to single sign-on functionality and/or other functionality available from the access manager, such as on a per-service basis via configuration by an operator of the service, such as co-branding customizations, customizations of information to be gathered from users, customizations of authority that may be delegated to other services to act on behalf of users, etc.

Abstract: An arrangement and corresponding method for authentication synchronizing cryptographic key information between a server and a client device, via data signals, where the client device at least comprises one client. The server is at least configured to generate and send to the client device a current encryption key and a next encryption key. The client device is at least configured to encrypt information on the client device using the next encryption key and the client device is at least configured to return a correct One Time Password using the current encryption key. As a consequence of the received correct One Time Password the server then knows that the client has received the current encryption key, used it and stored the information with the next encryption key.

Abstract: Systems and methods to tell apart computers and humans using image recognition task having a dynamic graphical arrangement of randomly selected images. The images can be arranged as a grid or matrix for presentation on a device display for authentication of a user as human. The kinds of graphical images can be derived from a selected category for the image recognition task. A series of randomly generated access codes corresponding to the images can be displayed with the images. The user may enter the access codes corresponding to images from the selected category. An authentication server can compare the access code entry to an authentication reference code corresponding to the particular arrangement of images. The selection of images, their arrangement and their corresponding access codes, may dynamically change in between verification sessions.

Abstract: A method for facilitating electronic certification, and systems for use therewith, are presented in the context of public key encryption infrastructures. Some aspects of the invention provide methods for facilitating electronic certification using authority-neutral service requests sent by an application, which are then formatted by a server comprising a middleware that can convert the authority-neutral request into certification authority specific objects. The server and middleware then return a response from a selected certification authority back to the service requesting application. Thus, the server and/or middleware act as intermediaries that facilitate user transactions in an environment having multiple certification authorities without undue burden on the applications or the expense and reliability problems associated therewith.

Abstract: A method of managing electronic safes, comprising a step of authenticating a user requesting access to a safe, by means of authentication data of said user, said authentication data to be provided by the user being dependant of an entity by means of which the user is requesting said access.

Abstract: Dynamic resolution of Fully Qualified Domain Name (FQDN) address objects in policy definitions is provided. In some embodiments, dynamic resolution of Fully Qualified Domain Name (FQDN) address objects in policy definitions includes receiving a network policy that includes a domain name (e.g., the network policy can include a network security rule that is based on the domain name); and periodically updating Internet Protocol (IP) address information associated with the domain name by performing a Domain Name Server (DNS) query.

Abstract: A system and method to control the writing on electronic paper (e-paper). An e-paper device may incorporate authentication indicia as part of informational data written on e-paper material. The informational data is protected by a security methodology that is accessible to authorized entities. A reader device may be used to help make a verification determination of whether encrypted or encoded data has been altered. In some instances an output alert operably coupled to the reader device serves as a verification status indicator.

Abstract: An improved MAC aggregation technique is disclosed that yields an aggregate MAC much shorter than the concatenation of constituent MACs while achieving improved resilience to denial-of-service (DoS) attacks. The aggregate MAC is constructed in a manner wherein upon instance of channel impairments or malicious attack (e.g., from a rogue node or man-in-the-middle attacker), only a portion of the aggregate MAC will include corrupted data, at least a portion of the aggregate MAC thereby including valid verifiable data. A source of corruption of the aggregate MAC may be ascertained based on indicia of which constituent MACs are included in the valid portion; and constituent MACs that are wholly included in the valid portion may be declared valid.

Abstract: Embodiments relate to systems and methods for the management and enforcement of blacklists of counterfeited, cloned or otherwise unauthenticated devices. In an embodiment, a system comprises an accessory comprising an authentication chip including data signed by a private verification key, the data including a unique identifier related to the accessory, and a device comprising a public verification key forming a verification key pair with the private verification key and an identifier list, the device configured to read the data from the authentication chip, compare the unique identifier with the identifier list, and reject the accessory if the unique identifier is found in the identifier list.

Abstract: An intrusion detection system for detecting and defeating unauthorized intrusion within a computer network of an infrastructure element of a high value target, the system including a pre-processor configured to receive data from a computer network of an infrastructure element of a high value target and to output filtered data, a grammar applicator configured to apply grammars produced using a grammar based compression and learning algorithm to the filtered data, a decision making device configured to provide a recommendation based on an input from the grammar applicator as to whether the data in the computer network constitutes an unauthorized intrusion, and an emulator in communication with the decision making device configured to expand a sampling of the filtered data using a polymorphic transformation to allow the decision making device to further analyze the sampled data to determine an unauthorized intrusion. A method and a computer software code are also disclosed.

Abstract: In some embodiments, a method includes receiving a first record set from a first compute device and a second record set from a second compute device. Each record from the first record set has a first attribute string; and each record from the second record set has a first attribute string. The method includes defining a third record set to include each record from the first record set that has a first attribute string equal to a first attribute string of a record from the second record set. The method also includes repeating the above steps for a fourth record set from the first compute device and a fifth record set from the second compute device to further define the third record set. Each record from the fourth record set has a second attribute string and each record from the fifth record set has a second attribute string.

Abstract: In a processor including a CPU core executing instruction codes and a cache memory part having plural ways, encryption counter data encrypting and decrypting data input/output for the core in a common key encryption system are stored at one way among the plural ways, an XOR operation is performed between the encryption counter data and the input/output data, and the common key encryption process generating the encryption counter data is not executed every time when the data is encrypted or decrypted, to thereby enable high-speed memory access without sacrificing security.

Abstract: A copy prohibition method and system is disclosed, which can provide a preview page with copy prohibition means inserted thereinto, so as to prohibit a copy of information displayed on the preview page, the method comprising receiving a selection request for a preview page of a predetermined webpage from a user; inserting copy prohibition means into the preview page; and providing the preview page with the copy prohibition means inserted thereinto to the user. When providing the preview page to the user, the user is notified that the corresponding preview page has the copy prohibition function. Thus, the user becomes easily aware of that the copy is prohibited in the corresponding preview page.

Abstract: Apparatus and method for synchronizing objects, e, g., encryption key objects, between pairs of appliances, particularly lifetime key management (LKM) appliances. Each LKM has a local sequence counter where increasing sequence numbers are generated and applied to objects. A peer counter is used to indicate the sequence number of an object synchronized from a peer appliance. When two appliances are synchronized, only those new objects with sequence numbers at least equal to or higher than that within the other appliance are transferred. When synchronized to each other, each appliance will have an up-to-date stored set of objects for all of the appliances in the group. Each object has a unique identification number that are compared to eliminate duplicate objects. During synchronization, if unique identification numbers match between a newly received object and a previously stored key, version numbers may be used to determine which object the receiving appliance should store.