Patents Examined by Jeffrey D. Popham
  • Patent number: 9323901
    Abstract: Information management is used to enforce and control rights associated with data through the use of policies implemented by a digital rights management (“DRM”) server. An information management system collects information about data objects in a computer system and classifies the data objects into one or more categories. The categories are mapped to service level objectives that include or request encryption and identify DRM policies to associate with data objects within each category. Each DRM policy identifies one or more users authorized to access data objects the DRM policy is associated with. Encryption is orchestrated, in one embodiment, by identifying a data object to the DRM server in an encryption request, and identifying a DRM policy to associate with the data object. The DRM server encrypts the data object and only allows it to be decrypted by authorized users.
    Type: Grant
    Filed: September 28, 2007
    Date of Patent: April 26, 2016
    Assignee: EMC CORPORATION
    Inventors: Manoj Nair, Stephen R. Perrin
  • Patent number: 9319493
    Abstract: A communication method in an information processing system including a group of first information processing apparatuses that transmit data and a group of second information processing apparatuses that receive the data is disclosed. The communication method includes storing data subject to being transmitted to one of the second information processing apparatuses in a data storage by associating the data with identifier information of the second information processing apparatus, and performing transmission processing to transmit the stored data to the second information processing apparatus in response to reception of a first token generated by the second information processing apparatus serving as a generating source of the first token, the first tokens indicating a transmission right to transmit the data to the second information processing apparatus and being transferred between the group of the first information processing apparatuses and between the group of the second information processing apparatuses.
    Type: Grant
    Filed: July 17, 2012
    Date of Patent: April 19, 2016
    Assignee: FUJITSU LIMITED
    Inventor: Nobutaka Imamura
  • Patent number: 9277223
    Abstract: In an embodiment, an integrated circuit comprises a decrypt unit configured to decrypt an encrypted, compressed video stream; an on-chip buffer; and a decompressor coupled to the decrypt unit and the on-chip buffer. The decompressor is configured to decompress the video stream, and to store a first portion of each of a first plurality of frames decompressed from the video stream in the on-chip buffer. The decompressor is further configured to store a remaining portion of each of the first plurality of frames in an external memory, wherein each frame as stored in the external memory is incomplete because the first portion is not stored in the external memory.
    Type: Grant
    Filed: September 26, 2013
    Date of Patent: March 1, 2016
    Assignee: Apple Inc.
    Inventor: Conrad H. Ziesler
  • Patent number: 9271148
    Abstract: To facilitate authentication over a wireless access network, it is proposed to provide a hub device having an authentication storage means (i.e. a (U)SIM) to which one or more machine devices are connected. Each machine device connects to a wireless access network and in order to authenticate with that network requests authentication information from the hub device. The core network of the wireless access network authenticates each machine device and provides the machine devices with parallel access to the access network in accordance with authentication information obtained from the hub device. The authentication information is unique to the respective machine device but also associated with information stored on the authentication storage means of the hub device.
    Type: Grant
    Filed: September 14, 2011
    Date of Patent: February 23, 2016
    Assignee: Vodafone IP Licensing Limited
    Inventor: Nicholas Bone
  • Patent number: 9251342
    Abstract: Techniques for evaluating detectability of confidential information stored in authorization policies are described. In an example, an authorization policy has a confidential property. The confidential property is defined by whether application of a test probe to the authorization policy results in the grant of access to a resource. A processor automatically determines whether at least one witness policy can be generated that is observationally equivalent to the authorization policy from the perspective of a potential attacker, but the application of the test probe to the witness policy generates an access denial result. In the case that such a witness policy can be generated, an indication that the confidential property cannot be detected using the test probe is output. In the case that such a witness policy cannot be generated, an indication that the confidential property can be detected using the test probe is output.
    Type: Grant
    Filed: July 29, 2011
    Date of Patent: February 2, 2016
    Assignee: Microsoft Technology Licensing, LLC
    Inventor: Moritz Becker
  • Patent number: 9247422
    Abstract: In a method of communicating content over a wireless communication link between a base station set-top (BSS) and one or more hosts, where each of the one or more hosts have an interface protocol substantially complying with at least a subset of a copy protection standard, an encrypted signal is at least one of received and stored in the BSS, and the encrypted signal is turned into an encrypted data packet stream. The BSS wirelessly transmits the data packet stream to one or more wireless interface apparatuses (WIAs) which are interfaced with at least one host through the interface protocol. In addition, the WIA forwards the encrypted data packet stream to the one or more hosts through implementation of the interface protocol.
    Type: Grant
    Filed: November 30, 2007
    Date of Patent: January 26, 2016
    Assignee: Google Technology Holdings LLC
    Inventors: David Lazarus, Deven Vazirani
  • Patent number: 9223941
    Abstract: A method and/or system for using a URI whitelist may include receiving a request to approve an application for release in an application store. The request may comprise application data. The application data may comprise a resource manifest and/or a Uniform Resource Identifier (URI) whitelist. The resource manifest may comprise, for example, one or more resource items. The URI whitelist may comprise, for example, one or more URI items. The request may be analyzed based on application data. A determination may be made whether the applications may be released in the application store based on the analyzing of the applications data. A request to access a particular URI may be received. A determination of whether to grant the request may be based on a resource manifest and/or a URI whitelist associated with the application.
    Type: Grant
    Filed: March 15, 2013
    Date of Patent: December 29, 2015
    Assignee: Google Inc.
    Inventor: Russell Quong
  • Patent number: 9189605
    Abstract: A method of establishing a protected environment within a computing device including validating a kernel component loaded into a kernel of the computing device, establishing a security state for the kernel based on the validation, creating a secure process and loading a software component into the secure process, periodically checking the security state of the kernel, and notifying the secure process when the security state of the kernel has changed.
    Type: Grant
    Filed: February 23, 2009
    Date of Patent: November 17, 2015
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Sumedh N. Barde, Jonathan D. Schwartz, Reid Joseph Kuhn, Alexandre Vicktorovich Grigorovitch, Kirt A. Debique, Chadd B. Knowlton, James M. Alkove, Geoffrey T. Dunbar, Michael J. Grier, Ming Ma, Chaitanya D. Upadhyay, Adil Ahmed Sherwani, Arun Upadhyaya Kishan
  • Patent number: 9191208
    Abstract: Technologies are generally described for providing a signcryption scheme. In some examples, a method performed under control of a sender device may include calculating a public key of the sender device based on a system parameter, calculating a temporary public key of the sender device based on the system parameter, calculating a temporary common key of the sender device based on a temporary secret key of the sender device and a public key of a receiver device, calculating a ciphertext from a message based on the temporary common key and generating a signature of the sender device based on an intermediate parameter, the system parameter and the secret key of the sender device. The temporary secret key of the sender device, intermediate parameter and secret key of the sender device are engaged in a non-associative octonion ring.
    Type: Grant
    Filed: December 18, 2012
    Date of Patent: November 17, 2015
    Assignee: EMPIRE TECHNOLOGY DEVELOPMENT LLC
    Inventor: Masahiro Yagisawa
  • Patent number: 9177500
    Abstract: A display securely decrypts an encrypted image signal. Pixels are disposed between the display substrate and cover in a display area, and provide light to a user in response to a drive signal. Control chiplets disposed between the display substrate and cover in the display area are each connected to one or more of the plurality of pixels. Each receives a respective control signal and produces respective drive signal(s) for the connected pixel(s). A decryption chiplet is disposed between the display substrate and cover. It includes means for receiving the encrypted image signal and a decryptor for decrypting the encrypted image signal to produce a respective control signal for each of the control chiplets.
    Type: Grant
    Filed: January 31, 2011
    Date of Patent: November 3, 2015
    Assignee: Global OLED Technology LLC
    Inventors: Christopher J. White, Ronald S. Cok, John W. Hamer
  • Patent number: 9152802
    Abstract: A method for providing multiple users with security access to an electronic system is provided. The method comprising: providing a plurality of parent security roles, wherein each parent security role includes a plurality of transactions authorized to be performed in the electronic system, providing a plurality of child security roles, wherein each child security role is derived from one of the plurality of parent security roles, setting up the multiple users in the electronic system and their associated user passwords, assigning one of the plurality of child security roles to each of the multiple users to provide the multiple users with security access to the electronic system at once, and providing each of the multiple users with security access to the electronic system, via the associated user password, in accordance with the child security role assigned to the user.
    Type: Grant
    Filed: February 7, 2008
    Date of Patent: October 6, 2015
    Assignee: ACCENTURE GLOBAL SERVICES LIMITED
    Inventors: Sachin Saraf, Anupam Pandey
  • Patent number: 9135444
    Abstract: Techniques for trusted platform module (TPM) assisted data center management are provided. A data center registers TPM remote attestations for physical processing environments of physical devices within a data center. Each time a physical processing environment is established, a new TPM remote attestation is generated and validated against the registered TPM remote attestation. Additionally, during registration other identifying information is supplied to the physical processing environments that permit each physical processing environment to be authenticated, validated, and controlled via unique identities. Inter-data center communication is established for sharing virtual processing environments and administrative operations are authenticated within each of the data centers perform any administrative operation is permitted to process within a particular data center.
    Type: Grant
    Filed: October 28, 2008
    Date of Patent: September 15, 2015
    Assignee: Novell, Inc.
    Inventors: Stephen R Carter, Tammy Anita Green, Scott Alan Isaacson
  • Patent number: 9124424
    Abstract: A system and method of dynamically altering the encoding, structure or other attribute of a cryptographic key, typically a license activation key, to render useless keys that have been created by illegal key generation “cracks”. An encoding/decoding engine provides a plurality of key obfuscation algorithms that may alter the structure, encoding or any other attribute of a given key. A changeable combination code is supplied to the encoding/decoding engine that specifies a subset of the algorithms to apply during the encoding or decoding phase. The encoding engine is used during key generation and the decoding engine used during key usage. The same combination code must be used during decoding as was used during encoding to recover the original key or a valid key will not be recovered. Thus, a system can be rapidly re-keyed by selecting a new combination of encoding/decoding algorithms. The selection of algorithms comprises a combination code.
    Type: Grant
    Filed: June 17, 2010
    Date of Patent: September 1, 2015
    Assignee: Arvato Digital Services LLC
    Inventor: David Aldis
  • Patent number: 9118685
    Abstract: A cloud data protection system protects cloud data of an enterprise. A protection policy for the enterprise is established by an administrator of the enterprise. The protection policy describes one or more types of cloud data protection to provide to the enterprise's cloud data. The cloud data protection system examines the protection policy to identify cloud data associated with the enterprise to access in order to implement the policy, and uses a personality object to retrieve the identified cloud data from one or more cloud services. The cloud data protection system performs one or more protection actions on the retrieved cloud data. The protection actions can include scanning the cloud data for malicious software, for compliance with a data loss prevention policy, or for data matching a discovery specification. The protection actions can also include archiving or backing up the cloud data.
    Type: Grant
    Filed: July 22, 2011
    Date of Patent: August 25, 2015
    Assignee: Symantec Corporation
    Inventors: Matthew Brocco, Steven R. DeVos
  • Patent number: 9094210
    Abstract: The present disclosure relates to systems and methods for providing secure support to virtual appliances delivered to customer sites without passwords or enabled ports for service. A virtual appliance may be established on a first device. The virtual appliance may comprise a self-contained virtual machine with a pre-installed operating system and may be established with no root password enabled and a remote access port disabled. An administration tool may receive from a requestor a request to enable maintenance for the virtual appliance. The administration tool may generate, responsive to the request, a random password. The administration tool may enable, responsive to the request, the remote access port. The virtual appliance may wait for a connection to the remote access port for a predetermined period of time. The administration tool may transmit the random password to a service of a second device remote to the first device.
    Type: Grant
    Filed: October 26, 2010
    Date of Patent: July 28, 2015
    Assignee: CITRIX SYSTEMS, INC.
    Inventors: Simon Frost, Haihua Huang
  • Patent number: 9071598
    Abstract: A server (120) uses a password (?) to construct a multiplicative group (ZN*) with a (hidden) smooth order subgroup (<x?>), where the group order (P?) depends on the password. The client (110) uses its knowledge of the password to generate a root extraction problem instance (z) in the group and to generate data (y) allowing the server to construct a discrete logarithm problem instance (y?) in the subgroup. The server uses its knowledge of the group order to solve the root extraction problem, and solves the discrete logarithm problem efficiently by leveraging the smoothness of the subgroup. A shared key (sk) can be computed as a function of the solutions to the discrete logarithm and root extraction problem instances. In some embodiments, in an oblivious transfer protocol, the server queries the client (at 230) for data whose position in a database (210) is defined by the password. The client provides (240) such data without knowing the data position associated with the server's query.
    Type: Grant
    Filed: April 8, 2010
    Date of Patent: June 30, 2015
    Assignee: NTT DOCOMO, INC.
    Inventors: Zulfikar Amin Ramzan, Craig B. Gentry, Philip Mackenzie
  • Patent number: 9043918
    Abstract: A system and method in one embodiment includes modules for detecting an access request by an application to access information in a mobile device, determining that the application is a potential threat according to at least one policy filter, and blocking a send request by the application to send the information from the mobile device without a user's consent. More specific embodiments include user selecting the information through a selection menu on a graphical user interface that includes information categories pre-populated by an operating system of the mobile device, and keywords that can be input by the user. Other embodiments include queuing the send request in a queue with other requests, and presenting an outbox comprising the queue to the user to choose to consent to the requests. The outbox includes graphical elements configured to permit the user to selectively consent to any requests in the queue.
    Type: Grant
    Filed: October 13, 2011
    Date of Patent: May 26, 2015
    Assignee: McAfee, Inc.
    Inventors: Rajbir Bhattacharjee, Balbir Singh
  • Patent number: 9021583
    Abstract: A method is performed in a network security system implemented in a computer or electronic device that is coupled to secured online resources for detecting unauthorized accesses of those secured online resources. The method includes monitoring a user activity session. It is determined whether the user activity session is indicative of a hidden session by an attacker, where the determination includes comparing the user activity session to an average user activity session.
    Type: Grant
    Filed: January 26, 2011
    Date of Patent: April 28, 2015
    Assignee: EMC Corporation
    Inventors: Andreas Wittenstein, Michael Eynon, James Lioyd, Laura Mather
  • Patent number: 9008317
    Abstract: Provided is a data storage drive for encrypting data, comprising a microprocessor and circuitry coupled to the microprocessor and adapted to receive a session encrypted data key and to decrypt the session encrypted data key using a session key, wherein a result is a data key that is capable of being used to encrypt clear text and to decrypt cipher text written to a storage medium. Also provided is a system, comprising a microprocessor and circuitry coupled to the microprocessor and adapted to receive a session encrypted data key and to decrypt the session encrypted data key using a private key, wherein a result is a secret key that is capable of being used to encrypt clear text and to decrypt cipher text written to a storage medium.
    Type: Grant
    Filed: April 10, 2007
    Date of Patent: April 14, 2015
    Assignee: International Business Machines Corporation
    Inventors: Paul Merrill Greco, Glen Alan Jaquette, Scott Jeffrey Schaffer
  • Patent number: 8978125
    Abstract: Techniques for identity controlled data centers are provided. Remote processing environments are authenticated via identity associations. Virtual remote processing environments are subsequently installed and authenticated on the remote processing environments on which they are deployed and they receive unique virtual remote processing environment identities, which are locally and independently assigned within their remote processing environments. Applications deployed to the virtual remote processing environments are also authenticated and acquire identities for the virtual remote processing environments in which they are deployed. The processing of the remote virtual processing environments and the applications are circumscribed by independently acquired policies within the remote processing environments.
    Type: Grant
    Filed: October 19, 2006
    Date of Patent: March 10, 2015
    Assignee: Oracle International Corporation
    Inventor: Stephen R. Carter