Patents Examined by Gregory Lane
  • Patent number: 9798677
    Abstract: Cryptographic key management and usage is accomplished by employing a hybrid symmetric/asymmetric security context wherein seed values are associated with randomly generated cryptographic keys. A security context environment is maintained wherein cryptographic keys are reliably reproduced when needed.
    Type: Grant
    Filed: October 23, 2014
    Date of Patent: October 24, 2017
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Stefan Thom, Daniel B. Shumow
  • Patent number: 9792444
    Abstract: In an embodiment of the invention, a method includes: determining, in a computer, an area where an undesired computer program will reside; and providing a data object in the area, so that the data object is an antibody that provides security to the computer and immunity against the undesired program. Another embodiment of the invention also provides an apparatus (or system) that can be configured to perform at least some of the above functionalities.
    Type: Grant
    Filed: March 7, 2016
    Date of Patent: October 17, 2017
    Assignee: CounterTack, Inc.
    Inventors: Michael Gregory Hoglund, Shawn Michael Bracken
  • Patent number: 9787661
    Abstract: A first network device of a first communication network obtains a challenge, generates a first PFS parameter, obtains a first verification code for the first PFS parameter, and sends the challenge, the first PFS parameter and the first verification code to a communication device, which in turn receives the challenge, the first PFS parameter and the first verification code, forwards the challenge or a derivative thereof to an identity module, receives at least one result parameter as response from the identity module, determines, based on the result parameter, whether the first PFS parameter is authentic, and if the determination is positive generates and sends the second PFS parameter to the first network device, which in turn verifies the second PFS parameter.
    Type: Grant
    Filed: July 13, 2015
    Date of Patent: October 10, 2017
    Assignee: TELEFONAKTIEBOLAGET L M ERICSSON (PUBL)
    Inventors: Mats Näslund, Bengt Sahlin, Karl Norrman, Jari Arkko
  • Patent number: 9778837
    Abstract: Some embodiments of the invention provide a mobile device that restricts access to its applications. The mobile device displays, on the device's touch screen display, a lock screen page for accessing the device in a primary access mode or a secondary access mode. The primary access mode provides access to several of the device's applications, and the secondary access mode provides access to a limited set of the applications. The mobile device receives a touch input on the lock screen page to access the device in the secondary access mode. The mobile device unlocks the device to the secondary access mode by allowing access to the set of applications and restricting access to the remaining applications in the plurality of applications.
    Type: Grant
    Filed: November 12, 2013
    Date of Patent: October 3, 2017
    Assignee: APPLE INC.
    Inventors: Matthew E. Shepherd, Morgan Grainger, Dylan Edwards, Craig M. Federighi, Gregory N. Christie, Stephen O. Lemay, Martin Pedrick, Patrick L. Coffman
  • Patent number: 9774457
    Abstract: The present invention is related to a wireless transmit/receive unit (WTRU) for providing advanced security functions. The WTRU includes a trusted platform module (TPM) for performing trusted computing operations; and a secure time component (STC) for providing a secure measurement of a current time. The STC and the TPM are integrated to provide accurate trusted time information to internal and external to the WTRU. The STC may be located on an expanded subscriber identity module (SIM), on the WTRU platform, or two STCs may be used, one in each location. Similarly, the TPM may be located on an expanded SIM, on the WTRU platform, or two TPMs may be used, one in each location. Preferably, the STC will include a real time clock (RTC); a tamper detection and power failure unit; and a time report and sync controller.
    Type: Grant
    Filed: August 29, 2016
    Date of Patent: September 26, 2017
    Assignee: InterDigital Technology Corporation
    Inventors: Yogendra C. Shah, Inhyok Cha
  • Patent number: 9769196
    Abstract: Methods for managing a communication session in a communication network are disclosed. For example, a method includes detecting, by a first endpoint comprising at least one processor, an error condition associated with the communication session, sending, by the first endpoint, a notification of the error condition to a second endpoint that is using a transport layer session and receiving, by the first endpoint, a communication from the second endpoint, proposing a response to the error condition. Another method includes receiving, by a first endpoint comprising at least one processor, a notification of an error condition associated with the communication session, selecting, by the first endpoint, a response to the error condition, and sending, by the first endpoint, a communication to a second endpoint that is using a transport layer session, proposing a response to the error condition.
    Type: Grant
    Filed: July 6, 2015
    Date of Patent: September 19, 2017
    Assignee: AT&T Intellectual Property I, L.P.
    Inventors: David B. Small, Thomas Spencer, IV
  • Patent number: 9762568
    Abstract: A method and system for authenticating a user at a first computer to first and second applications installed in a second computer. The second computer receives from the user a first request to access the first application, and in response, the second computer redirects the first request to a third computer, and in response, the third computer determines that the user was previously authenticated and so notifies the second computer, and in response, the second computer returns a first session key to the third computer. The first session key enables a session with the first application but not with the second application. A second session key was sent by the third computer to the first computer after the third computer received the first session key from the second computer. The second session key enables a session with both the first application and the second application.
    Type: Grant
    Filed: March 3, 2016
    Date of Patent: September 12, 2017
    Assignee: International Business Machines Corporation
    Inventors: Yaser K. Doleh, Christopher G. Kalamaras, Mauro Marzorati
  • Patent number: 9756036
    Abstract: A process is provided for communication security certificate revocation status verification by using the client device as a proxy in online status verification protocol. The process utilizes a nonce of an authentication protocol request message (nonce_A) to derive the nonce for the revocation status protocol request (nonce_S) to reduce the number of message exchanges needed between the client and the verifier devices, and a mechanism to send the nonce (nonce_S) prior to actual authentication protocol execution to ease the connectivity requirement of client device from on-demand connectivity to periodic connectivity. Similar functionality is achieved using a random seed established between the verifier and client. The verifier picks a seed for random number generation and sends that seed to the client. The client derives the nonce_S from the seed before status protocol execution, and the verifier derives the nonce_S from the seed before proxied status response verification.
    Type: Grant
    Filed: June 5, 2013
    Date of Patent: September 5, 2017
    Assignee: Nokia Technologies Oy
    Inventors: Kari Kostiainen, Nadarajah Asokan
  • Patent number: 9756504
    Abstract: A security authentication method, device, and system are provided. A first device and a second device perform security authentication by using a first mapping key and a second mapping key, where the first mapping key is generated according to an initial key of the first device and a first predetermined algorithm, the second mapping key is generated according to an initial key of the second device and the first predetermined algorithm. A device in embodiments of the present invention performs security authentication by using a mapped initial key, which can increase the difficulty for an attacker to acquire a key, thereby improving security of a wireless network connection.
    Type: Grant
    Filed: July 6, 2015
    Date of Patent: September 5, 2017
    Assignee: HUAWEI DEVICE CO., LTD.
    Inventors: Gaokun Pang, Zhiming Ding
  • Patent number: 9754102
    Abstract: A system and method for managing pestware on a protected computer is described. The method in one variation includes monitoring events during a boot sequence of the computer; managing pestware-related events before native applications can run and after a kernel is loaded; managing pestware-related events when native applications can run; and scanning a registry of the computer for pestware when native applications can run. In variations, a pestware management engine is initialized after an operating system of the protected computer is initialized and the pestware management system both receives an event log of the monitored events and compiles the set of behavior rules utilized by a kernel-level monitor.
    Type: Grant
    Filed: October 6, 2014
    Date of Patent: September 5, 2017
    Assignee: Webroot Inc.
    Inventor: Jerome L. Schneider
  • Patent number: 9735966
    Abstract: A method for providing evidential data is disclosed. The method includes establishing one or more first secret tokens with a server; obtaining one or more data items from one or more sensors; modifying the one or more data items with at least one of the one or more first secret tokens to provide one or more modified data items; generating a respective first hash value for each of the one or more modified data items; generating a second hash value for a data set including each of the one or more data items; and transmitting the one or more data items, the one or more first hash values, and the second hash value to the server.
    Type: Grant
    Filed: October 23, 2014
    Date of Patent: August 15, 2017
    Assignee: YRFREE TECHNOLOGIES LTD.
    Inventor: Phil Davies
  • Patent number: 9734354
    Abstract: A system and method helps to control “read” and/or “write” access to electronic paper (e-paper). Informational data may be on a restricted portion of e-paper material that is protected by a security methodology accessible to authorized entities. Some embodiments maintain a record of access activity regarding the restricted portion, and a record of access activity regarding use of an item or product or service related to the e-paper informational data. Some implementations include an authorization listing of a party having a particular access privilege or authorization to make modifications to various restricted portions including an authentication region and a protected region. One possible aspect includes performing a verification analysis of data indicia in a restricted portion of the e-paper media. Additional possible system and process components may determine an authenticity status of the data indicia, and provide an output result.
    Type: Grant
    Filed: October 30, 2007
    Date of Patent: August 15, 2017
    Assignee: Invention Science Fund I, LLC
    Inventors: Edward K. Y. Jung, Royce A. Levien, Mark A. Malamud, John D. Rinaldo, Jr.
  • Patent number: 9720848
    Abstract: Key information that is currently in use is archived in a management server to prevent the key information from being lost. A storage device 10 is communicably connected to a management server 60 managing key information 1. The storage device includes a memory device 21, and a controller 100 controlling the memory device. The controller implements encryption processing on data inputted and outputted to and from the memory device by using the key information. When stoppage of an operation is indicated, the controller determines whether the key information used by the controller is managed by the management server, stops the operation in a case where the key information is managed by the management server, and does not stop the operation in a case where the key information is determined not to be managed by the management server.
    Type: Grant
    Filed: July 8, 2013
    Date of Patent: August 1, 2017
    Assignee: HITACHI, LTD.
    Inventors: Shinichiro Kanno, Nobuyuki Osaki
  • Patent number: 9705855
    Abstract: Organizations maintain and generate large amounts of sensitive information using computer hardware resources and services of a service provider. Furthermore, there is a need to be able to delete large amounts of data securely and quickly by encrypting the data with a key and destroying the key. To ensure that information stored remotely is secured and capable of secure deletion, cryptographic keys used by the organization should be prevented from being persistently stored during serialization operations. If the keys used to encrypt the data have not been exposed during serialization operation, they may be deleted or destroyed enabling the destruction of data encrypted with the keys.
    Type: Grant
    Filed: December 28, 2015
    Date of Patent: July 11, 2017
    Assignee: Amazon Technologies, Inc.
    Inventors: Todd Lawrence Cignetti, Andrew J. Doane, Eric Jason Brandwine, Robert Eric Fitzgerald
  • Patent number: 9697365
    Abstract: Functionality is described herein for receiving events which characterize features in an environment, and for identifying at least one policy based on the events. The functionality consults a certificate, associated with the policy, to determine whether the policy is valid. If valid, the functionality uses the policy to govern the behavior of at least one application, such as by controlling the application's consumption of events. A trusted passport authority may be employed to generate the certificates. Each certificate may: (1) identify that it originated from the trusted passport authority; (2) contain context information which describes a context in which the policy is intended to be applied within an environment; and/or (3) contain machine-readable content that, when executed, carries out at least one aspect of the policy.
    Type: Grant
    Filed: January 28, 2014
    Date of Patent: July 4, 2017
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Tadayoshi Kohno, David A. Molnar, Alexander N. Moshchuk, Franziska Roesner, Jiahe Helen Wang
  • Patent number: 9690717
    Abstract: A method and structure for a secure object, as tangibly embodied in a computer-readable storage medium. The secure object includes a cryptographically protected region containing at least one of code and data, an initial integrity tree that protects an integrity of contents of the cryptographically protected region; and an unprotected region that includes a loader, an esm (enter secure mode) instruction, and one or more communication buffers.
    Type: Grant
    Filed: June 22, 2015
    Date of Patent: June 27, 2017
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Richard Harold Boivie, Peter T. Williams
  • Patent number: 9686218
    Abstract: A local gateway device receives email across the internet from a sender of the email and forwards it across the internet to an email filtering system. The email filtering system analyzes the email to determine whether it is spam, phishing or contains a virus and sends it back to the local gateway device along with the filtered determination. The local gateway device forwards the received email and the filtered determination to a local junk store which handles the email appropriately. For example, if the email has been determined to be spam, phishing or containing a virus, the junk store can quarantine the email and if the email has been determined to be non-spam and/or not phishing and/or not containing a virus, the junk store can forward the email to a local mail server for delivery.
    Type: Grant
    Filed: November 23, 2015
    Date of Patent: June 20, 2017
    Assignee: SONICWALL INC.
    Inventors: Scott Eikenberry, John Gmuender, Akbal Singh Karlcut, MichaelCarl Y. Uy, Boris Yanovsky
  • Patent number: 9686082
    Abstract: A method and system for generating and processing an authenticity certificate. A request for a step certificate is received from a requester entity. The step certificate authenticates an involvement of the requester entity about an object. The request includes an object identifier, a requester entity type of the requester entity, and a requester identity certificate of the requester entity. The object identifier is hashed. A signature is created and includes the hashed object identifier, the requester entity type, a certifier identity certificate, and the requester identity certificate. A hashing result is generated by hashing a concatenation of the object identifier, the requester entity type, the certifier entity certificate, the requester identity certificate, and the signature. The step certificate is generated and includes the hashing result. The step certificate is encrypted. The encrypted step certificate is sent to the requester entity for subsequently storing the step certificate on a media.
    Type: Grant
    Filed: February 19, 2016
    Date of Patent: June 20, 2017
    Assignee: International Business Machines Corporation
    Inventors: Frederic Bauchot, Gerard Marmigere, Christophe Mialon, Pierre Secondo
  • Patent number: 9680808
    Abstract: Organizations maintain and generate large amounts of sensitive information using computer hardware resources and services of a service provider. Furthermore, there is a need to be able to delete large amounts of data securely and quickly by encrypting the data with a key and destroying the key. To ensure that information stored remotely is secured and capable of secure deletion, cryptographic keys used by the organization should be prevented from being persistently stored during serialization operations. Signaling methods are used to notify virtual machine instances of serialization events in order to prevent keying material from being stored persistently.
    Type: Grant
    Filed: January 11, 2016
    Date of Patent: June 13, 2017
    Assignee: Amazon Technologies, Inc.
    Inventors: Todd Lawrence Cignetti, Eric Jason Brandwine, Robert Eric Fitzgerald, Andrew J. Doane
  • Patent number: 9680836
    Abstract: This disclosure relates to a system and related operating methods. A computer-implemented server device receives a request from a device that includes an identifier proposed for a potential account holder. The computer-implemented server device determines whether the identifier is available for use with a new account, and communicates a response to the device that indicates whether the identifier is available for use with the new account. The response is presented at the device and includes an image that contains a visually obfuscated representation of an alphanumeric message that indicates either a success or a failure.
    Type: Grant
    Filed: May 9, 2016
    Date of Patent: June 13, 2017
    Assignee: salesforce.com, inc.
    Inventor: Gareth D. White