Patents Examined by Hadi Armouche
  • Patent number: 10432587
    Abstract: Policy enforcement previously available for web proxy access methods is extended and applied to layer 3 packets flowing through VPN channels. With these extensions, a common security policy is possible that is enforceable between VPN proxied access and VPN tunneled access. Equivalent security policy to tunnel based VPN access without compromising the inherent performance, scalability and application compatibility advantages tunnel based VPNs have over their proxy based VPN counterparts.
    Type: Grant
    Filed: February 21, 2013
    Date of Patent: October 1, 2019
    Assignee: AVENTAIL LLC
    Inventors: Steven C. Work, Prakash N. Masanagi, Christopher D. Peterson
  • Patent number: 10037436
    Abstract: An appliance is capable of storing and processing data related to details surrounding its ownership, behavior, and history within itself in a secure and unalterable way. The appliance may experience multiple transfers in ownership during its lifetime. Certain data stored in the appliance may be encrypted such that only qualifying parties (e.g., owners) may be able to access the data. Some data may remain private to an individual owner while other data may be made available to subsequent owners by passing a shared secret that can be utilized to decrypt the other data. Data may be stored in the appliance in chronological order and may be signed by appropriate parties such that it is not possible to alter the data without detection.
    Type: Grant
    Filed: December 11, 2015
    Date of Patent: July 31, 2018
    Assignee: Visa International Service Association
    Inventor: David White
  • Patent number: 10015010
    Abstract: A processor of an aspect includes a plurality of packed data registers, and a decode unit to decode an instruction. The instruction is to indicate one or more source packed data operands. The one or more source packed data operands are to have four 32-bit results of four prior SM4 cryptographic rounds, and four 32-bit values. The processor also includes an execution unit coupled with the decode unit and the plurality of the packed data registers. The execution unit, in response to the instruction, is to store four 32-bit results of four immediately subsequent and sequential SM4 cryptographic rounds in a destination storage location that is to be indicated by the instruction.
    Type: Grant
    Filed: December 1, 2016
    Date of Patent: July 3, 2018
    Assignee: Intel Corporation
    Inventors: Shay Gueron, Vlad Krasnov
  • Patent number: 10009335
    Abstract: Techniques are disclosed for using a global unified session identifier across data centers. Upon creating an initial session in the data center for a user first accessing the data center, a session identifier is generated for the user session. Because the initial session is the first session created for that user, the initial session identifier is designated as the global unified session identifier for all sessions that may be created for the user in other data centers within the enterprise network. Data centers may then map the global unified session identifiers to locally generated session identifiers for the user. A global unified session identifier enables various user session actions to be performed globally across the data centers, including global logout, global session termination, global session updates, and/or the like. A global unified session identifier prevents the risk of collision that can occur between randomly generated numbers of different data centers.
    Type: Grant
    Filed: December 7, 2016
    Date of Patent: June 26, 2018
    Assignee: Oracle International Corporation
    Inventors: Stephen Mathew, Vipin Anaparakkal Koottayi, Ramya Kukehalli Subramanya
  • Patent number: 10009379
    Abstract: A system for sterilizing data sent through electronic messages includes first computing circuitry configured to receive a first electronic communication including first data having executable code and generate optical data representative of the first data. The system further includes second computing circuitry configured to receive the optical data from the first computing circuitry, convert the optical data into second data representative of the optical data, and transmit a second electronic communication that includes the second data and omits the first data.
    Type: Grant
    Filed: December 21, 2015
    Date of Patent: June 26, 2018
    Inventor: Peter W. J. Jones
  • Patent number: 9998475
    Abstract: A method for authorizing a smart-home device for enrollment with a demand-response program may include receiving, at a control server of an energy management system and for the smart-home device, identifying information for a user account. The method may also include sending the identifying information from the control server to an Application Program Interface (API) with an enrollment request. The method may additionally include receiving, at the control server, a determination from the API as to whether the identifying information for the user account was matched to an existing utility account. The method may further include based on the determination from the API, determining whether the smart-home device can be enrolled with the demand-response program.
    Type: Grant
    Filed: June 17, 2015
    Date of Patent: June 12, 2018
    Assignee: Google LLC
    Inventors: Scott Ruffner, Jonathan Crimins, Scott McGaraghan, William Greene, Jared Luxenberg
  • Patent number: 9979543
    Abstract: An optimized hardware architecture and method introducing a simple arithmetic processor that allows efficient implementation of an Elliptical Curve Cryptography point doubling algorithm for Jacobian coordinates. The optimized architecture additionally reduces the required storage for intermediate values to one intermediate value.
    Type: Grant
    Filed: December 23, 2013
    Date of Patent: May 22, 2018
    Assignee: NXP B.V.
    Inventors: Miroslav Knezevic, Ventzislav Nikov
  • Patent number: 9971883
    Abstract: An information processing device includes: an authentication unit configured to compare, when receiving first user information used for authentication processing of determining whether a user has authority to use the information processing device, the first user information with second user information identifying users having the authority to use the information processing device, and execute the authentication processing; a first storage unit storing first association information in which installation screen information identifying an installation screen for installation of an application is associated with each piece of the second user information; and a second display unit configured to generate, based on a command associated with an application selected by a user among an application displayed by a first display unit, an installation screen identified by installation screen information which is associated with second user information identifying the user, and display the installation screen.
    Type: Grant
    Filed: November 18, 2015
    Date of Patent: May 15, 2018
    Assignee: RICOH COMPANY, LTD.
    Inventor: Shigeo Negoro
  • Patent number: 9948470
    Abstract: An authentication device is provided that authenticates an electronic device based on the responses from distinct types of physically unclonable functions. The authentication device receives a device identifier associated with the electronic device. It then sends one or more challenges to the electronic device. In response, the authentication device receives one or more responses from the electronic device, the one or more responses including characteristic information generated from two or more distinct types of physically unclonable functions in the electronic device.
    Type: Grant
    Filed: January 29, 2016
    Date of Patent: April 17, 2018
    Assignee: QUALCOMM Incorporated
    Inventors: Xu Guo, David M. Jacobson, Yafei Yang, Adam J. Drew, Brian Marc Rosenberg
  • Patent number: 9948615
    Abstract: A method for storage unit communication is provided. The method includes detecting an event associated with a loss of trust for the data stored within a storage unit and encrypting, at the storage unit, data that is being transmitted along an outbound path from the storage unit to a requestor, wherein the encrypting is responsive to detecting the event.
    Type: Grant
    Filed: March 16, 2015
    Date of Patent: April 17, 2018
    Assignee: Pure Storage, Inc.
    Inventor: John D. Davis
  • Patent number: 9948652
    Abstract: Systems, computer program products, and methods are described herein for identifying threat vectors and implementing controls for securing resources within a network. The present invention is configured to determine one or more threat vectors associated with the resource; determine one or more controls associated with each of the one or more threat vectors associated with the resource; determine whether the one or more controls associated with the at least one of the one or more threat vectors is capable of detecting the access by an external computing device via at least one of the one or more types of access; and dynamically generate a graphical representation of the resource and the one or more threat vectors based on at least the received analysis request.
    Type: Grant
    Filed: May 16, 2016
    Date of Patent: April 17, 2018
    Assignee: Bank of America Corporation
    Inventors: Sounil Yu, Brandon Matthew Sloane
  • Patent number: 9946984
    Abstract: A system and method that manages workflows exchanges a document between a first server associated with a first service provider and a second server associated with a second service provider over a network. A first workflow engine associated with the first service provider is configured to apply the document to a first workflow based on a first set of rules. A second workflow engine associated with the second service provider is configured to apply the document to a second workflow based on a second set of rules. The first and second workflow engines run the first workflow at the first service provider asynchronous to the second workflow at the second service provider. The system and method transports a document between the first service provider and second service provider. A first server encrypts the document to create an encrypted document and appends an unencrypted header to the encrypted document. The header has a pairwise relationship identifier.
    Type: Grant
    Filed: March 18, 2015
    Date of Patent: April 17, 2018
    Assignee: AXINO SOLUTIONS GMBH
    Inventors: Mehdi Ahari, Klaas W. Scheppink
  • Patent number: 9948614
    Abstract: The present disclosure is directed to a system and method for remotely initializing at least one device in communication with a local host device utilizing an asymmetric cryptographic authorization scheme. According to various embodiments, at least one remote device sends an authorization request including a random value to the local host device. The local host device returns an approval response to the remote device, where the approval response includes the random value encoded utilizing a private key. The remote device is then initialized (e.g. powered on or placed in an active state) upon verification of the encoded random value utilizing a public key that is paired with the private key.
    Type: Grant
    Filed: May 23, 2013
    Date of Patent: April 17, 2018
    Assignee: Rockwell Collins, Inc.
    Inventors: Sean D. Howard, Brandon J. Provolt, Luke E. Ryon, James K. Jezek, Jeremy K. Sands
  • Patent number: 9939908
    Abstract: A system and method uses multiple devices in concert as security for accessing an account. The system and method may use one or more security measures based on unique gestures, coordinated gestures between two devices, presence of multiple devices, sequence of actions, and other measures to prevent fraud. Additionally, these security measures may be rearranged or changed such that the devices may collaborate to provide access to multiple different accounts.
    Type: Grant
    Filed: September 28, 2015
    Date of Patent: April 10, 2018
    Assignee: PAYPAL, INC.
    Inventors: Tiano Freixas Lopez Lecube, Josh Miller, Thomas Jaeger, Sam Oh, Wenhan Zhao, Eric Min
  • Patent number: 9942234
    Abstract: An aspect includes a cognitive password entry system. A processor detects a login attempt targeting a website for a user identifier having a previously stored instance of a password associated with the user identifier. A number of login attempts is monitored since the password was manually entered at the website. The processor determines whether a prompting period has been reached based on the number of login attempts meeting a prompting period threshold. The stored instance of the password is used as an entered password for the login attempt based on determining that the prompting period has not been reached. A cognitive aid prompt is output based on determining that the prompting period has been reached.
    Type: Grant
    Filed: November 30, 2015
    Date of Patent: April 10, 2018
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Lisa Seacat DeLuca, James R. Kozloski, Boaz Mizrachi, Clifford A. Pickover
  • Patent number: 9942315
    Abstract: Techniques are described for anonymous peer storage. In one example, techniques include invoking an action of backing up one or more files utilizing distributed storage for a node Ni in a multi-node network; encrypting the one or more files into a combined encrypted file with a private key required to decrypt the combined encrypted file; splitting the combined encrypted file into Pi portions (P1, P2 . . . Pn) and associating a file identifier Fi to each Pi; anonymously distributing the Pi portions and associated identifier Fi to other nodes Nj and Nk wherein each of j and k is different from i; retaining a look up file containing for the each Pi, the (Nj, Nk) pairs, the Fi, and the private key for future retrieval and decryption; and responsive to receiving an anonymous request containing the Fi by one of the Nj and the Nk, returning the Pi.
    Type: Grant
    Filed: October 27, 2015
    Date of Patent: April 10, 2018
    Assignee: International Business Machines Corporation
    Inventor: Timothy R Simek
  • Patent number: 9935789
    Abstract: In particular embodiments, a first computing device may receive a request from a second computing device to access a first entity of an infrastructure, the second computing device being coupled to the first computing device, then determining an eligibility of the second computing device to access at least the first entity of the infrastructure, and if the second computing device is determined to be eligible to access the first entity, then assigning a second ticket to the second computing device responsive to the received request.
    Type: Grant
    Filed: June 17, 2015
    Date of Patent: April 3, 2018
    Assignee: Dell Products L.P.
    Inventors: Andrew T. Fausak, Oleg Rombakh
  • Patent number: 9935788
    Abstract: In particular embodiments, a client device may establish a first connection to a ticket server of a gateway, wherein the gateway couples the client device to a first computing device, retrieve a permission vector from the ticket server through the first connection, wherein the retrieved permission vector contains at least one or more tickets to authenticate and authorize the client device access to at least the gateway and the first computing device, and establish a second connection to the first computing device based at least on the retrieved tickets.
    Type: Grant
    Filed: June 17, 2015
    Date of Patent: April 3, 2018
    Assignee: Dell Products L.P.
    Inventors: Andrew T. Fausak, Oleg Rombakh
  • Patent number: 9929862
    Abstract: An optimized hardware architecture and method introducing a simple arithmetic processor that allows efficient implementation of an Elliptical Curve Cryptography point doubling algorithm for Jacobian coordinates. The optimized architecture additionally reduces the required storage for intermediate values.
    Type: Grant
    Filed: December 23, 2013
    Date of Patent: March 27, 2018
    Assignee: NXP B.V.
    Inventors: Miroslav Knezevic, Ventzislav Nikov
  • Patent number: 9930035
    Abstract: A method for establishing a secure communication channel between an off-card entity and an embedded Universal Integrated Circuit Card (eUICC) is provided. The method involves establishing symmetric keys that are ephemeral in scope. Specifically, an off-card entity, and each eUICC in a set of eUICCs managed by the off-card entity, possess long-term Public Key Infrastructure (PKI) information. When a secure communication channel is to be established between the off-card entity and an eUICC, the eUICC and the off-card entity can authenticate one another in accordance with the respectively-possessed PKI information (e.g., verifying public keys). After authentication, the off-card entity and the eUICC establish a shared session-based symmetric key for implementing the secure communication channel. Specifically, the shared session-based symmetric key is generated according to whether perfect or half forward security is desired.
    Type: Grant
    Filed: June 22, 2017
    Date of Patent: March 27, 2018
    Assignee: Apple Inc.
    Inventors: Xiangying Yang, Li Li, Jerrold Von Hauck