Patents Examined by Harris C Wang
  • Patent number: 10708776
    Abstract: Systems and methods are provided that include: accessing implicit authentication data from a possession factor associated with an authorized user; at the possession factor or at an authentication platform: generating a possession confidence level using the implicit authentication data, the possession confidence level being one of a plurality of possession confidence levels, the possession confidence level indicating a likelihood that the possession factor is possessed by the authorized user; identifying, among a plurality of varying authentication requirements, an authentication requirement for the transaction based on the possession confidence level, the authentication requirement defines a process or action to prove authority to perform the transaction or a process or action to prove an identity of a user attempting to perform the transaction; and implementing the authentication requirement for the transaction.
    Type: Grant
    Filed: September 18, 2017
    Date of Patent: July 7, 2020
    Inventors: Michael Hanley, Jon Oberheide
  • Patent number: 10700853
    Abstract: One example method of operation may include receiving a request, from an entity, for one or more tokens based on one or more attributes, encrypting and masking the one or more attributes, adding the encrypted and masked one or more attributes to the one or more tokens, and transmitting the one or more tokens to the entity.
    Type: Grant
    Filed: May 9, 2017
    Date of Patent: June 30, 2020
    Assignee: International Business Machines Corporation
    Inventors: David W. Kravitz, Dulce B. Ponceleon, Diego A. Masini, Raul O. Laprida, Andres Garagiola, John B. Geagan, III
  • Patent number: 10699013
    Abstract: A device for securing USB or Firewire port interconnections includes a microcontroller comprising a processor; a first connector/lead in communication with the microcontroller and configured to be coupled with a USB or Firewire external device; and a second connector/lead in communication with the microcontroller and configured to be coupled with a protected host. An optional user interface communicates with the microcontroller. When the microcontroller detects that the external device is coupled to the first connector/lead, the processor is configured to display a prompt on the user interface for a user to initiate inputs prior to the external device being allowed to connect with the protected host; or is configured to automatically prevent the external device from being connected with the protected host if the external device is on a blacklist of devices known to have device handlers in the protected host at a BIOS level, without modifying the protected host.
    Type: Grant
    Filed: March 20, 2017
    Date of Patent: June 30, 2020
    Assignee: Honeywell International Inc.
    Inventors: Matthew Warpinski, James Christopher Kirk, Brian Adams
  • Patent number: 10671720
    Abstract: Aspects of the present disclosure include systems and methods for detecting unwanted software. An exemplary method comprises identifying a first file associated with a first application and a second file installed on the computing device, wherein the first file is related to the second file, identifying a second application installed on the computing device that uses at least one of the first and second files, determining a first frequency of use for the first application and a second frequency of use for the second application, determining that the second application was installed at substantially the same time as the first application based on a comparison of the first frequency of use and the second frequency of use and determining that the first application is an unwanted application when the comparison of the first frequency and the second frequency results in a degree of similarity greater than a threshold value.
    Type: Grant
    Filed: February 11, 2019
    Date of Patent: June 2, 2020
    Assignee: AO Kaspersky Lab
    Inventors: Alexander V. Amrilloev, Alexander A. Stroykov, Alexey S. Subbotin, Pavel V. Korzh, Mikhail A. Modin
  • Patent number: 10664612
    Abstract: The subject matter discloses a method for securing personal information, comprising securing the personal information stored on a data server using a cryptographic secret, said cryptographic secret is unique to a user, storing a first share of the cryptographic secret on a secret storage server communicating with the data server and a second share of the cryptographic secret on a computerized device controlled by the user, detecting a request from the data server to perform an action on the personal information, transmitting the request to the computerized device controlled by the user to use the second share of the cryptographic secret to decrypt the personal information, decrypting the personal information using the first share and the second share, without storing both the first share and the second share in a single device concurrently and performing the action on the personal information on the data server.
    Type: Grant
    Filed: October 9, 2018
    Date of Patent: May 26, 2020
    Assignee: UNBOUND TECH LTD.
    Inventors: George Wainblat, Oz Mishli
  • Patent number: 10659216
    Abstract: A data processing method and apparatus relate to the field of communications technologies and applicable to data processing used to resolve a low security problem of data stored in a memory. A memory encryption/decryption (MED) apparatus receives a data write command, encrypts to-be-written data, scrambles an address to which data is to be written, and then saves a cyclic redundancy check (CRC) code of the to-be-written data and encrypted to-be-written data in a memory according to a scrambled address to which data is to be written. Solutions provided in the embodiments of the present disclosure are.
    Type: Grant
    Filed: November 14, 2017
    Date of Patent: May 19, 2020
    Assignee: Huawei Technologies Co., Ltd.
    Inventors: Tao Liu, Yu Liu, Feifei Yin
  • Patent number: 10623421
    Abstract: Theft detection in data center networks may be provided. First, a first leaf switch may create an entry in a first distributed secure cache in response to an endpoint appearing on the first leaf switch. The entry may correspond to the endpoint and may be marked as having a tentative state. Then a request message may be sent to a plurality of leaf switches. The request message may comprise data identifying the endpoint. Next, a reply message may be received in response to the request message from a second leaf switch within the plurality of leaf switches. The tentative state may then be removed from the entry in response to the reply message indicating that the endpoint is valid.
    Type: Grant
    Filed: October 20, 2017
    Date of Patent: April 14, 2020
    Assignee: Cisco Technology, Inc.
    Inventors: Govind P. Sharma, Gilles Rhéal Roy, Eric Levy-Abegnoli, Ajay Kumar Modi, Sridhar Vallepalli
  • Patent number: 10594685
    Abstract: Methods, systems, and devices for user authentication are described. A user may attempt an authentication procedure when accessing an application or cloud platform. When the user requests access to the application or cloud platform, a server may determine one or more unique identifiers to display at a first application for the user, and the user may select one of the unique identifiers. The server may then display unique identifiers (e.g., in some cases, the same unique identifiers) at a second application associated with the user. The user may verify that the selected unique identifier is displayed on the second application, and may select the same unique identifier in the second application. Additionally, the user may input a user-specific identifier to confirm their identity. The server may authenticate the user's identity if the user selected matching unique identifiers, and if the user-specific identifier matches an expected identifier for the user.
    Type: Grant
    Filed: October 19, 2017
    Date of Patent: March 17, 2020
    Assignee: salesforce.com, inc.
    Inventors: Prasad Peddada, Taher Elgamal, Gursev Singh Kalra
  • Patent number: 10581620
    Abstract: Scalable certificate management system architectures. An example system may include one or more application platforms (e.g., VMs) that run a registration authority and are communicatively connected to one or more compute engines that perform cryptographic computations required by the registration authority. The system may also include one or more application platforms that run an enrollment certificate authority and that are communicatively connected to one or more compute engines that perform cryptographic computations required by the enrollment certificate authority. It may further include one or more application platforms that run a pseudonym certificate authority and that are communicatively connected to one or more compute engines that perform cryptographic computations required by the pseudonym certificate authority.
    Type: Grant
    Filed: July 7, 2018
    Date of Patent: March 3, 2020
    Assignee: INTEGRITY SECURITY SERVICES LLC
    Inventors: Alan T. Meyer, Gregory A. Powell
  • Patent number: 10554633
    Abstract: Described herein are systems, methods, and software to enhance secure communications between computing systems. In one implementation, a communication service identifies a communication request for a first application on a first computing system to transfer data to a second application on a second computing system. In response to the request, the communication service generates a packet, wherein the packet includes an encrypted portion for the data and private addressing associated with the first and second applications, and an unencrypted portion for group identifier information and public addressing information. Once the packet is generated, the packet is transferred to the second computing system.
    Type: Grant
    Filed: September 19, 2017
    Date of Patent: February 4, 2020
    Assignee: COLORTOKENS, INC.
    Inventors: Harish Magganmane, Ravi Voleti, Ashish Trivedi, Deepak Mohanty, Charles Kuta, Anoop Kapoor, Pankaj Parekh
  • Patent number: 10528725
    Abstract: The disclosed technology is generally directed to device security in an IoT environment. For example, such technology is usable in IoT security. In one example of the technology, a set of security rules that is associated with an expected condition of at least one IoT device is stored. IoT data associated with the at least one IoT device is received. The IoT data may be aggregated data that includes at least two different types of data. A determination is made, based on the IoT data, as to whether the set of security rules has been violated. An alert is selectively sent based on the determination.
    Type: Grant
    Filed: November 4, 2016
    Date of Patent: January 7, 2020
    Assignee: Microsoft Technology Licensing, LLC
    Inventor: Arjmand Samuel
  • Patent number: 10523424
    Abstract: Use of cryptographic key-store hardware security modules is optimized in a system having a first scarce high-security key storage device and a second more plentiful low-security key storage device comprising securing a cryptographic key to the higher security level by initially storing the key in the first storage device, then responsive to an event, evaluating the stored key against one or more rules, and subsequent to the evaluation, reclassifying the stored key for relocation, encrypting the reclassified key using a key-encryption key; relocating the reclassified key into the second, lower-security storage device, and storing the key-encryption key in the first storage device.
    Type: Grant
    Filed: September 8, 2017
    Date of Patent: December 31, 2019
    Assignee: International Business Machines Corporation
    Inventors: Krishna K. Yellepeddy, John T. Peck, Kristin M. Hazlewood, John A. Morganti
  • Patent number: 10516690
    Abstract: Techniques to facilitate detection of whether or not applications are executed on physical devices are disclosed herein. In at least one implementation, a mobile application that generates a web service request is executed on a computing system. The computing system executes a client security component of the mobile application to collect attributes associated with the computing system and an operating environment on which the mobile application is executing, and utilizes a mobile application programming interface to transfer the web service request including the attributes for delivery to a web server. The web server executes a server security component of a web service to extract the attributes from the web service request and process the attributes to determine whether or not the mobile application is being executed on a physical mobile device.
    Type: Grant
    Filed: February 1, 2016
    Date of Patent: December 24, 2019
    Assignee: Cequence Security, Inc.
    Inventors: Shreyans Mehta, Ameya Talwalkar
  • Patent number: 10516998
    Abstract: In some examples, a method includes assigning, with an Access Point (AP) in a wireless network, a value for an Authentication Control Threshold (ACT) field in an advertisement packet that allows devices having a predetermined access control role to immediately attempt to associate with the AP. The method can further include transmitting, with the AP, the advertisement packet including the value for the ACT field for devices having the predetermined access control role.
    Type: Grant
    Filed: March 15, 2017
    Date of Patent: December 24, 2019
    Assignee: Hewlett Packard Enterprise Development LP
    Inventor: Akram Sheriff Ismail
  • Patent number: 10509891
    Abstract: In one embodiment, an instruction is received at a blockchain server from a first digital rights management (DRM) client, the instruction including an instruction to transfer a DRM license to an encrypted content item to a second DRM client. A block to be recorded in a blockchain is created, the block including a content item ID of said encrypted content item, one of a device ID of a device including the second DRM client or a user ID of a user of the second DRM client, DRM license information for said DRM license, and a DRM decryption key for decrypting said encrypted content item. The block is recorded in the blockchain. A confirmation message is sent to the second DRM client confirming that the block was written to the blockchain. Related systems, methods, and apparatuses are also described.
    Type: Grant
    Filed: May 3, 2017
    Date of Patent: December 17, 2019
    Assignee: Cisco Technology, Inc.
    Inventors: Hillel Solow, Yossi Tsuria, Avraham Poupko, Shabtai Atlow
  • Patent number: 10511732
    Abstract: Techniques for signer-initiated electronic document signing via an electronic signature service using a mobile or other client device are described. Example embodiments provide an electronic signature service (“ESS”) configured to facilitate the creation, storage, and management of documents and corresponding electronic signatures. In some embodiments, when a signer user receives a hard copy (e.g., paper) signature document, the signer may capture an image of the signature document with a camera of a mobile device. The signer can then import the captured image into the ESS for signature, storage, and/or transmission to other parties.
    Type: Grant
    Filed: October 26, 2012
    Date of Patent: December 17, 2019
    Assignee: DocuSign, Inc.
    Inventors: Thomas H. Gonser, Donald G. Peterson
  • Patent number: 10505940
    Abstract: Systems and methods are provided for managing electronic tokens for device interactions. In some embodiments, a unified graphical user interface is provided for an account, for controlling the activation status and settings associated with authorized electronic devices used for conducting transactions on the account. The electronic devices may be programmed with an electronic token that allows a server to look up sensitive account information, although the electronic token does not divulge the account information itself. Therefore, if an electronic token is compromised or stolen, the account does not need to be closed, and sensitive information remains safe. Moreover, the unified graphical user interface provides detailed and highly customizable controls for settings and restrictions associated with each of the electronic tokens, without modifying or accessing sensitive account or personal information.
    Type: Grant
    Filed: June 17, 2016
    Date of Patent: December 10, 2019
    Assignee: Capital One Services, LLC
    Inventors: Paul Moreton, Lawrence Douglas, Thomas Poole, Thomas Christopher Clarke, Saejin Choi
  • Patent number: 10503879
    Abstract: The present disclosure relates to a transaction licensing system (TLS) for managing transactions and entitlements in a cloud-based system, wherein a transaction is a communication with an external server. The TLS includes at least one transaction licensing database (TLDB) that is configured to store entitlement and transaction data. The entitlements may include a general entitlement pool, as well as specialized entitlement pools with entitlements for executing particular transactions. The TLS is configured to determine identifying information for a transaction and then use this information to determine whether the general or specialized entitlement pools associated with the transaction have entitlements available in the TLDB to execute the transaction. When a suitable entitlement is determined to be available, the transaction is executed and the general or specialized entitlement pool is appropriately decremented. When no suitable entitlements are available, the TLS returns an exception.
    Type: Grant
    Filed: March 29, 2019
    Date of Patent: December 10, 2019
    Assignee: ServiceNow, Inc.
    Inventors: Joshua Timothy Nerius, Venkata Kiran Kumar Koya, Rebecca Anita Dias, David J. Terry, Parvathavardhini Shankaranarayanan, Jeremy Michael Charfauros, Karthik Karunakar Kotian, Andrew Whitley Strieber
  • Patent number: 10498700
    Abstract: In an example implementation according to aspects of the present disclosure, a method may include identifying, by a computing system, an infrastructure device and an end-host device within a network. The method may further include disseminating, by the computing system, network traffic rules to the infrastructure device, the network traffic rules to route network traffic between end-host devices through the infrastructure device. Further, the network traffic transmitted from a first end-host device to a second end-host device is passed through the infrastructure device to the second end-host device in accordance with the network traffic rules, and network traffic transmitted from the first end-host device to the infrastructure device is blocked by the infrastructure device in accordance with the network traffic rules.
    Type: Grant
    Filed: March 25, 2014
    Date of Patent: December 3, 2019
    Assignee: Hewlett Packard Enterprise Development LP
    Inventor: Shaun Wackerly
  • Patent number: 10482289
    Abstract: A computing device includes a hardware resource, a component to send a transaction signal including a target address of the hardware resource, a security data associated with an initiator of the transaction signal, and a safety data associated with the initiator, and an access control unit coupled to the component and the hardware resource, the access control unit to receive the transaction signal, determine whether security access is granted based on the transaction signal, determine whether safety access is granted based on the transaction signal, and allow access to the hardware resource based on both the security access and the safety access being granted.
    Type: Grant
    Filed: August 24, 2017
    Date of Patent: November 19, 2019
    Assignee: QUALCOMM Incorporated
    Inventors: David Barr, Dafna Shaool, Rahul Gulati, Pranjal Bhuyan