Abstract: A subscriber identity module (eUICC), comprises profiles for the utilization of a mobile terminal that include at least a first profile and at least a second profile, of which the second profile (Pr1, Pr2) is devised as an active profile. The first profile is designed as a root profile (PrR) which in a normal state of the subscriber identity module is in an inactive state, and which is devised to be activated in response to an authentication command (AUTHENTICATE) received at the subscriber identity module. The authentication command is specially parameterized for the root profile (PrR) with a specific root value of the network parameter (P2) to be activated during a change-over period. The initially active second profile (Pr1, Pr2) is deactivated during the change-over period. After the end of the change-over period, the first profile (PrR) is again deactivated and the second profile (Pr1, Pr2) is again activated.

Abstract: A managed directory service obtains a request to generate a first account of a first directory within a first network. In response to the request, the managed directory service creates the first account within the first directory. From the request, the managed directory service also obtains credential information of a second account of a second directory within a second network. The managed directory service updates the first account to include this credential information to enable the first account to be used to access the second directory within the second network.

Abstract: In some examples, a software agent may request a token from a server. The request may include dock identifiers associated with one or more docks, credentials, and actions to be performed by the one or more docks. The server may determine, using an access control list, whether the credentials authorize the software agent to instruct the one or more docks to perform the actions. If the server determines that the software agent is authorized, then the server may send a token to the software agent. The software agent may send an action request to the one or more docks. The action request may include the token and the actions. Each dock that receives the request may attempt to validate the token. If the dock successfully validates the token, the dock may perform the actions and send a message to the software agent indicating a result of performing the actions.

Abstract: An example operation may include one or more of connecting, by a disposition node, to a blockchain comprised of a plurality of user nodes connected to a plurality of device nodes that store user data of the plurality of the user nodes, receiving, by the disposition node, a request from a user node of the plurality of the user nodes to dispose of user data (D) on at least one of the device nodes of the plurality of the device nodes, the request contains a disposal policy (P) and a disposal method (M) of the D, executing, by the disposition node, a consensus algorithm to validate the request based on the D, P and M, in response to a validation of the request, accessing, by the disposition node, the D on the at least one of the device nodes of the plurality of the device nodes, generating, by the disposition node, a location sensitive hash of the D (LSH(D)) and a crypto hash of the D (SHA256(D)), storing, by the disposition node, the LSH(D), the SHA256(D), the P and the M on the blockchain, executing, by the dis

Abstract: A secure bus for pre-placement of device capabilities across a set of cryptoprocessors may be provided. A first cryptoprocessor may receive a key corresponding to a second cryptoprocessor and it may receive an object in response to the object being instantiated on the second cryptoprocessor. Next, the first cryptoprocessor may use the key to determine that the second cryptoprocessor signed the object. The first cryptoprocessor may then store the object in the first cryptoprocessor in response to determining that the second cryptoprocessor signed the object. Then the first cryptoprocessor may receive a request for the object and provide a response to the request.

Abstract: Methods for managing a communication session in a communication network are disclosed. For example, a method includes detecting, by a first endpoint comprising at least one processor, an error condition associated with the communication session, sending, by the first endpoint, a notification of the error condition to a second endpoint that is using a transport layer session and receiving, by the first endpoint, a communication from the second endpoint, proposing a response to the error condition. Another method includes receiving, by a first endpoint comprising at least one processor, a notification of an error condition associated with the communication session, selecting, by the first endpoint, a response to the error condition, and sending, by the first endpoint, a communication to a second endpoint that is using a transport layer session, proposing a response to the error condition.

Abstract: Privilege delegation in a computer device is managed by invoking a utility by a first user account. A requested command is captured by an agent plugin which is provided as a plugin to the utility. The agent plugin sends a request message to an agent, which determines an outcome for the requested command including allowing or blocking. If allowed, a reply message from the agent instructs the agent plugin to provide command information to the utility to run the requested command by the operating system with delegated privileges of the second user account. The agent plugin can also be instructed to perform custom messaging, or passively handle the requested command via a child plugin.

Abstract: A response method and system in virtual network computing authentication, and a proxy server, where the method includes receiving, by a proxy server, a password from a controller, receiving challenge information from a serving end, where the challenge information is generated by the serving end based on the virtual network computing authentication, determining a first response value according to the password and the challenge information, and sending the first response value to the serving end in order to resolve a problem that sensitive data of a user is leaked or decrypted by brute force because a response process in the virtual network computing authentication is completed by a client, thereby improving security in the virtual network computing authentication process.

Abstract: A method authenticates a user in order to activate an access mechanism for a device. One or more processors detect a real-time initial emotional state of the user, where the real-time initial emotional state of the user dynamically changes over time. The processor(s) present content as a stimulus to the user, and predict a predicted post-stimulus emotional state of the user, where the predicted post-stimulus emotional state of the user is predicted to be caused by the content being presented to the user, and where the predicted post-stimulus emotional state is dependent upon the real-time initial emotional state of the user. The processor(s) detect a real-time post-stimulus emotional state of the user. The processor(s) match the predicted post-stimulus emotional state of the user to the real-time post-stimulus emotional state of the user, and then authenticate the user and activate an access mechanism for a device.

Abstract: A method and a device for directing traffic are provided. The method includes: determining whether a tag of a to-be-sent data packet is same as a reference tag configured in a preset matching rule; under situations where a determination result is that tag of the to-be-sent data packet is not the same as the reference tag configured in the preset matching rule, configuring the to-be-sent data packet with the reference tag by redirecting the to-be-sent data packet; sending the to-be-sent data packet configured with the reference tag.

Abstract: Examples disclosed herein relate to data objects associated with private set intersection (PSI). Some examples disclosed herein may enable identifying a set of server elements and a set of data objects. Each data object of the set of data objects may be associated with at least one server element of the set of server elements. Some examples further enable sending the set of server elements and the set of data objects to a client computing device that has a set of client elements. A private set intersection (PSI) between the set of server elements and the set of client elements may be inaccessible by the client computing device, and a subset of the set of data objects that are associated with the PSI may be accessible by the client computing device.

Abstract: The present invention involves with a method and system of state consistency protection for Intel software guard extension (SGX). In a method of state consistency protection for a central processing unit capable of creating enclaves, the central processing unit supports creation of at least one enclave, wherein the central processing unit communicates with a remote server providing services for the central processing unit through remote communication and the remote server has a remote attestation module, configuring the remote attestation module to facilitate the completion of every execution state storing operation and/or every execution state restoring operation, wherein the remote attestation refers to an attestation mechanism by which the central processing unit proves to the remote server that it has created the specific enclave in a local platform so that the remote server trusts the specific enclave. The present invention does not require special hardware and is favorable to cross-platform migration.

Abstract: This invention is directed to an encryption communication system for preventing leakage of a common key and improving the confidentiality of communication information.

Abstract: A device having a fingerprint reader and a first heart rate monitor which are co-located such that a person's heart rate is obtained at the same time as this fingerprint. The device is integral to yet another heart rate monitor for monitoring the performance of the person in exercise. The readings of the other heart rate monitor correlates to the readings of the first heart rate monitor if the person whose fingerprint is read is the same person wearing the second heart rate monitor, in which case the fingerprint is deemed acceptable for identifying the person. Other biometric identification besides fingerprint can be used such as iris recognition.

Abstract: A secure end-to-end communication system is implemented via one or more security processing devices. In one embodiment, a method includes: loading, by a key manager, a first set of keys into a security device; encrypting first data with the first set of keys using the security device; and sending, over a network, the encrypted first data to an external site or a mobile device. The method may further include: requesting the encrypted data from the external site or mobile device; receiving, over the network, the encrypted first data; and decrypting the received encrypted first data with the first set of keys using the security device.

Abstract: A method and an apparatus for secure interaction between terminals, where the method includes indicating or indirectly indicating, by a companion terminal with an embedded Universal Integrated Circuit Card (eUICC), a Hypertext Transfer Protocol (HTTP) over Secure Socket Layer (HTTPS) Uniform Resource Locator (URL) including security information to a primary terminal such that the primary terminal initiates establishment of a local Transport Layer Security (TLS) connection according to the HTTPS URL, receiving, by the companion terminal, an HTTP request from the primary terminal using the local TLS connection, completing establishment of an HTTPS session when the companion terminal determines that the HTTP request includes the security information, and receiving, by the companion terminal, an operation instruction for the eUICC from the primary terminal using the HTTPS session.

Abstract: An operating system, when having incorporated data, with a certificate attached, for limiting a function of copying a screen, limits the function of the operating system and when receiving a request for a result of an inspection to determine whether the incorporated data is valid, sends out the result of the inspection in response to the request. An application program makes a request to the operating system for the result of the inspection of the data incorporated in the operating system at startup or return from a background processing. When an inspection result sent from the operating system indicates that the data is invalid, the application program forbids a display control means to display a given screen and instructs the operating system to incorporate a valid data therein. When the inspection result indicates that the data is valid, the application program makes the display means display the given screen.

Abstract: A threat detection method and apparatus, and a network system are disclosed. The threat detection apparatus obtains page code of a first display page group identified by the URL and an overall size occupied by the first display page group in a display area of the browser when loading a URL in a browser of a Web sandbox; inject preset dynamic code into the page code of the first display page group; parses and executes the page code that includes the preset dynamic code; sends a request message when a value of a display variable is greater than or equal to a preset value, to request to obtain page code of a second display page group; receives a response message that carries the page code of the second display page group; and detects in the Web sandbox, whether the page code of the second display page group carries attack code.

Abstract: Generating a set of attempted external contacts associated with a malware sample is disclosed. A malware sample is executed in an accelerated computing environment. In the accelerated computing environment, a guest time is advanced more quickly than a time by which a host time is advanced. A set of one or more attempted external contacts generated by the executing malware sample is recorded. The set of attempted external contacts includes at least one generated domain name. A remedial action is taken with respect to the generated domain name.

Abstract: Disclosed herein are user equipment (UE) configured to communicate with a vehicle-to-everything (V2X) control function (CF) and a V2X Key Management Function (KMF). The UE includes processing circuitry configured to select a broadcast service from a plurality of available broadcast services and encode a key request message for transmission to the V2X KMF. The key request message includes a service identification (ID) of the selected broadcast service and identification of V2X security techniques supported by the UE. A key response message received from the V2X KMF in response to the key request message is decoded. The key response message identifies a V2X security technique of the V2X security techniques. The identified V2X security technique is execute to obtain security credentials provisioned by the V2X KMF. Data is encoded for transmission to a second UE during the selected broadcast service, where the encoding is based on the provisioned security credentials.