Patents Examined by Jeffrey Pwu
  • Patent number: 9860057
    Abstract: A data processing system (DPS) supports exchange of digital keys. The DPS comprises a communication module which, when executed by the DPS, is operable to receive, via multiple different network routes, multiple copies of a seed message from a second DPS, as part of a Diffie-Hellman key exchange process with the second DPS, wherein each copy of the seed message includes a seed value. The DPS also comprises a security module which, when executed by the DPS, is operable to perform operations comprising (a) determining a prevalent seed value, based on the multiple copies of the seed message; (b) computing a prevalence metric to indicate how many of the seed messages contained the prevalent seed value; and (c) determining whether a seed exchange portion of the Diffie-Hellman key exchange process has been successfully performed, based on the prevalence metric. Other embodiments are described and claimed.
    Type: Grant
    Filed: December 23, 2014
    Date of Patent: January 2, 2018
    Assignee: Intel Corporation
    Inventors: Ned M. Smith, William C. Deleeuw, Thomas G. Willis
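The seed-exchange check in this abstract, worked through as an added example (my code, not Intel's; the patent text does not specify a group, a threshold, or message formats, so the toy 61-bit DH group, the 0.75 acceptance threshold and the route names below are all assumptions). Alice's DH public value is the "seed"; Bob receives one copy per route, picks the prevalent value, computes the prevalence metric as the fraction of copies that agree, and accepts the seed exchange only above the threshold. The last scenario shows the limit of the scheme: an attacker who controls every route is not detected.

```python
import secrets
from collections import Counter

# Toy DH group for readability only (constructed for this example; a real
# deployment uses an RFC 3526 / RFC 7919 group of 2048 bits or more).
P = 2305843009213693951   # 2**61 - 1
G = 5


def dh_public(private: int) -> int:
    return pow(G, private, P)


def prevalent_seed(copies):
    """Steps (a) and (b): the value carried by most copies, and the fraction of
    copies that carried it (the prevalence metric)."""
    if not copies:
        return None, 0.0
    value, count = Counter(copies).most_common(1)[0]
    return value, count / len(copies)


def seed_exchange_ok(copies, threshold=0.75):
    """Step (c): accept the seed exchange only if the prevalent value reached the
    threshold. Returns (accepted_value_or_None, metric)."""
    value, metric = prevalent_seed(copies)
    return (value if metric >= threshold else None), metric


def run_exchange(routes, tampered_routes=(), threshold=0.75):
    """Alice sends her DH public value to Bob once per route in `routes`. An
    on-path attacker on each route in `tampered_routes` substitutes his own
    value. Bob accepts by prevalence, then both sides derive the shared secret.
    Bob's reply to Alice is assumed to arrive intact so that the comparison
    isolates the seed-exchange check."""
    a = secrets.randbelow(P - 2) + 1
    b = secrets.randbelow(P - 2) + 1
    m = secrets.randbelow(P - 2) + 1          # attacker's private value
    alice_pub, evil_pub = dh_public(a), dh_public(m)
    copies = [evil_pub if r in tampered_routes else alice_pub for r in routes]
    accepted, metric = seed_exchange_ok(copies, threshold)
    if accepted is None:
        return {"accepted": False, "metric": metric, "match": None}
    bob_secret = pow(accepted, b, P)
    alice_secret = pow(dh_public(b), a, P)
    return {"accepted": True, "metric": metric, "match": bob_secret == alice_secret}


if __name__ == "__main__":
    routes = ["wifi", "lte", "vpn", "tor", "ethernet"]
    print(run_exchange(routes))                                    # clean: accepted, match
    print(run_exchange(routes, tampered_routes=("wifi",)))         # 4/5 agree: accepted, match
    print(run_exchange(routes, tampered_routes=("wifi", "lte")))   # 3/5 < 0.75: rejected
    print(run_exchange(routes, tampered_routes=tuple(routes)))     # all routes: accepted, wrong key
```

The metric only helps when the routes are actually independent (different carriers, a VPN, an overlay network); five copies over one compromised uplink agree with each other and prove nothing.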
  • Patent number: 9848324
    Abstract: Physical security methods and equipment are applied to mobile devices that use multi-factor authentication mobile apps. Herein, a password management mobile app physically escrows each encrypted password that must be stored into two parts. These are then distributed between two separate, independent physical devices. One of those parts is kept only in a separate user gadget, such as a keyfob. Any reconstitution of each password after decryption requires that the user have on-hand both the mobile device and the separate user gadget. Such reconstitution is one password at a time, and only as needed, and released for use in remote authentication with a master user password entry.
    Type: Grant
    Filed: June 13, 2017
    Date of Patent: December 19, 2017
    Assignee: Intersections Inc.
    Inventors: Mark Abene, Seyed Mojtaba Ghazitabrizi, Konstantin Bokarius, Henry Yei
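The two-part escrow described above, as an added example (my code, not the Intersections product). The abstract does not say how the split is done; the example assumes an XOR split with a uniformly random keyfob share, so that a dump of the phone alone (device shares plus app state) yields no password material, and reconstitutes exactly one entry at a time only while the fob is on hand. The encrypted-password blobs are constructed opaque bytes standing in for ciphertext under the master password.

```python
import secrets


def split_secret(blob: bytes):
    """XOR-split `blob` into a device share and a keyfob share. The keyfob share
    is uniformly random, so either share alone is independent of `blob`."""
    keyfob_share = secrets.token_bytes(len(blob))
    device_share = bytes(x ^ y for x, y in zip(blob, keyfob_share))
    return device_share, keyfob_share


def reconstitute(device_share: bytes, keyfob_share: bytes) -> bytes:
    if len(device_share) != len(keyfob_share):
        raise ValueError("share length mismatch")
    return bytes(x ^ y for x, y in zip(device_share, keyfob_share))


class Keyfob:
    """The separate physical gadget. Holds only keyfob shares; `present=False`
    models the fob not being on hand."""
    def __init__(self):
        self._shares = {}
        self.present = True

    def store(self, account: str, share: bytes):
        self._shares[account] = share

    def fetch(self, account: str) -> bytes:
        if not self.present:
            raise RuntimeError("keyfob not present")
        return self._shares[account]


class PasswordVault:
    """Mobile-app side. Holds device shares only."""
    def __init__(self, keyfob: Keyfob):
        self._device_shares = {}
        self._keyfob = keyfob

    def escrow(self, account: str, encrypted_password: bytes):
        device_share, keyfob_share = split_secret(encrypted_password)
        self._device_shares[account] = device_share
        self._keyfob.store(account, keyfob_share)

    def release(self, account: str) -> bytes:
        """Reconstitute one entry, only as needed; every other entry stays split."""
        return reconstitute(self._device_shares[account], self._keyfob.fetch(account))

    def device_share(self, account: str) -> bytes:
        """What an attacker with the phone alone gets for this account."""
        return self._device_shares[account]


if __name__ == "__main__":
    fob = Keyfob()
    vault = PasswordVault(fob)
    vault.escrow("bank", b"\x9f\x12\x4a\x00\xee\x31\x7c\x88\x05\xd2\x6b\x19\xa7\xf0\x43\x2e")  # constructed
    print(vault.release("bank").hex())
    fob.present = False
    try:
        vault.release("bank")
    except RuntimeError as e:
        print("release refused:", e)
```

The split protects the stored blob, not the reconstituted password: once `release` returns, the cleartext share lives in app memory, so the app should zero it after the remote authentication completes.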
  • Patent number: 9838876
    Abstract: An automobile device transmits data to a server in a communication network. The automobile device records the data received from one or more transmitters located in an automobile. The automobile device transmits a random access preamble on an uplink carrier to a base station when a pre-defined condition is met. The automobile device encrypts the data and transmits the encrypted data to a server via a base station.
    Type: Grant
    Filed: August 16, 2015
    Date of Patent: December 5, 2017
    Assignee: Ofinno Technologies, LLC
    Inventor: Esmael Hejazi Dinan
  • Patent number: 9832232
    Abstract: Providing streaming of applications from streaming servers onto clients. The applications are contained within isolated environments, and the isolated environments are streamed from the servers onto clients. The system may include the option of running both in on-line and off-line. When on-line, the system may include authentication of the streaming servers and authentication of clients and credentialing of the isolated environments and applications the clients are configured to run. The system may further include encrypted communication between the streaming servers and the clients. When off-line, the system may include the ability to run already installed isolated environments without requiring credentialing. The system may further include a management interface where administrators may add, remove and configure isolated environments, configure client policies and credentials, and force upgrades.
    Type: Grant
    Filed: June 7, 2016
    Date of Patent: November 28, 2017
    Assignee: Open Invention Network LLC
    Inventor: Allan Havemose
  • Patent number: 9832190
    Abstract: User-specific data for use with a software service may be stored in an encrypted form, where the encryption and/or decryption keys used are associated with a user's biometric data (that the user voluntarily provides after appropriate disclosure, to protect the user's interest in privacy). When the user uses the software service on a device, the device may receive the user-specific data in an encrypted form, and then may use the biometric data to retrieve or generate the cryptographic key that is used to decrypt the user-specific data. The user-specific data is then decrypted and used on the device with the software service.
    Type: Grant
    Filed: June 29, 2014
    Date of Patent: November 28, 2017
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Benny Schlesinger, Guy Kashtan
  • Patent number: 9832642
    Abstract: Aspects of the subject matter described herein relate to a simplified login for mobile devices. In aspects, on a first logon, a mobile device asks a user to enter credentials and a PIN. The credentials and PIN are sent to a server which validates user credentials. If the user credentials are valid, the server encrypts data that includes at least the user credentials and the PIN and sends the encrypted data to the mobile device. In subsequent logons, the user may logon using only the PIN. During login, the mobile device sends the PIN in conjunction with the encrypted data. The server can then decrypt the data and compare the received PIN with the decrypted PIN. If the PINs are equal, the server may grant access to a resource according to the credentials.
    Type: Grant
    Filed: October 5, 2015
    Date of Patent: November 28, 2017
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Meir Mendelovich, John Neystadt, Ken Aoyama, Nir Nice, Shay Yehuda Gurman
  • Patent number: 9824231
    Abstract: A computing facility, including a storage management system belonging to a first trust zone having a first privilege level, a metadata management system belonging to a second trust zone having a second privilege level higher than the first privilege level, and a security management system belonging to a third trust zone having a third privilege level higher than or equal to the second privilege level. The storage management system is configured to store multiple content entities, and the metadata management system is configured to manage, for each of the multiple content entities, metadata including a respective content encryption key and a respective retention time, each of the content entities being encrypted by its respective content encryption key. The security management system is configured to manage a master encryption key used to create the respective content encryption keys, and to confirm expiration of the respective retention times.
    Type: Grant
    Filed: December 24, 2014
    Date of Patent: November 21, 2017
    Assignee: International Business Machines Corporation
    Inventors: Michael Factor, David Lebutsch, Alexandra Shulman-Peleg, Tim Waizenegger
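The three-zone arrangement above, as an added example (my code, not IBM's). The abstract fixes the roles of the zones but not the cryptography, so the example assumes: content keys derived from the master key plus a per-content random salt held only in the metadata zone (so deleting the metadata entry crypto-shreds the content even though the master key survives), an injectable clock so that expiry can be tested, and a stdlib-only authenticated cipher (HMAC-SHA256 keystream, encrypt-then-MAC) standing in for AES-GCM so the block runs without third-party packages.

```python
import hashlib
import hmac
import secrets

# --- Stand-in AEAD so the example runs with the standard library only.
# A production system would use AES-GCM or ChaCha20-Poly1305 from a vetted library.
def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

def aead_encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def aead_decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("ciphertext authentication failed")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, stream))

# --- Three trust zones, privilege rising from storage to metadata to security.
class SecurityZone:
    """Highest privilege: sole holder of the master key; confirms expiry."""
    def __init__(self, clock):
        self._master = secrets.token_bytes(32)
        self._clock = clock          # callable returning the current time (assumption)

    def create_content_key(self, content_id: str, salt: bytes) -> bytes:
        return hmac.new(self._master, b"cek|" + content_id.encode() + b"|" + salt,
                        hashlib.sha256).digest()

    def confirm_expired(self, retention_until: int) -> bool:
        return self._clock() >= retention_until

class MetadataZone:
    """Per-content key, salt and retention time; never sees the master key."""
    def __init__(self, security: SecurityZone):
        self._security = security
        self._meta = {}

    def register(self, content_id: str, retention_until: int) -> bytes:
        salt = secrets.token_bytes(16)
        cek = self._security.create_content_key(content_id, salt)
        self._meta[content_id] = {"cek": cek, "salt": salt, "retention_until": retention_until}
        return cek

    def key_for(self, content_id: str) -> bytes:
        entry = self._meta[content_id]
        if self._security.confirm_expired(entry["retention_until"]):
            raise PermissionError(f"{content_id}: retention period has ended")
        return entry["cek"]

    def shred(self, content_id: str) -> bool:
        """Crypto-shred after the security zone confirms expiry. Without the salt,
        the master key alone cannot re-derive the content key."""
        entry = self._meta[content_id]
        if not self._security.confirm_expired(entry["retention_until"]):
            return False
        del self._meta[content_id]
        return True

class StorageZone:
    """Lowest privilege: ciphertext only, no keys."""
    def __init__(self):
        self._blobs = {}

    def put(self, content_id: str, blob: bytes):
        self._blobs[content_id] = blob

    def get(self, content_id: str) -> bytes:
        return self._blobs[content_id]

def store_content(content_id, plaintext, retention_until, meta: MetadataZone, storage: StorageZone):
    storage.put(content_id, aead_encrypt(meta.register(content_id, retention_until), plaintext))

def retrieve_content(content_id, meta: MetadataZone, storage: StorageZone) -> bytes:
    return aead_decrypt(meta.key_for(content_id), storage.get(content_id))
```

Note what each zone can do if compromised on its own: storage yields ciphertext, metadata yields keys for content it can no longer fetch without storage, and only the security zone can extend or end a retention period.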
  • Patent number: 9825988
    Abstract: Methods and systems for content filtering of remote file-system access protocols are provided. According to one embodiment, a proxy, implemented within a network gateway device of a private network, monitors remote file-system access protocol sessions involving client computer systems and a server computer system associated with the private network. For each file on a share of the server computer system being accessed by one or more of the client computer systems: (i) a shared holding buffer corresponding to the file is created within a shared memory of the network gateway device; (ii) data being read from or written to the file by the monitored remote file-system access protocol sessions is buffered into the shared holding buffer; and (iii) responsive to a predetermined event, content filtering is performed on the shared holding buffer to determine whether malicious, dangerous or unauthorized content is contained within the shared holding buffer.
    Type: Grant
    Filed: August 13, 2015
    Date of Patent: November 21, 2017
    Assignee: Fortinet, Inc.
    Inventor: William Jeffrey Crawford
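The shared holding buffer from the abstract above, as an added example (my code, not Fortinet's). The abstract names neither the protocol framing nor the "predetermined event", so the example assumes the proxy has already parsed read and write operations into (session, path, offset, chunk) events, uses the close of the last open handle as the scan trigger, and matches against two constructed signatures. The point it shows is why the buffer is shared: a signature split across two sessions' writes is invisible to per-chunk scanning and visible once the file is reassembled.

```python
from dataclasses import dataclass, field

# Constructed signature set; a real gateway loads these from its AV/DLP engine.
SIGNATURES = {
    "eicar-test-file": b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE",
    "private-key-leak": b"BEGIN RSA PRIVATE KEY",
}


def scan(data: bytes):
    """Content filter over a complete buffer; returns the matched signature names."""
    return [name for name, pattern in SIGNATURES.items() if pattern in data]


@dataclass
class HoldingBuffer:
    data: bytearray = field(default_factory=bytearray)
    open_handles: set = field(default_factory=set)   # sessions with the file open

    def apply(self, offset: int, chunk: bytes):
        """Place a read or written chunk at its file offset, growing as needed."""
        end = offset + len(chunk)
        if end > len(self.data):
            self.data.extend(b"\0" * (end - len(self.data)))
        self.data[offset:end] = chunk


class FileShareProxy:
    """Gateway proxy keeping one shared buffer per file on the share, fed by
    every monitored session that reads or writes that file."""
    def __init__(self):
        self._buffers = {}
        self.verdicts = {}

    def on_open(self, session: str, path: str):
        self._buffers.setdefault(path, HoldingBuffer()).open_handles.add(session)

    def on_data(self, session: str, path: str, offset: int, chunk: bytes):
        """READ response or WRITE request seen on `session`; both land in the
        same buffer, so the proxy sees the file as the share does."""
        self._buffers.setdefault(path, HoldingBuffer()).apply(offset, chunk)

    def on_close(self, session: str, path: str):
        """Predetermined event: the last handle on the file closes. Returns the
        verdict then, or None while other sessions still hold the file."""
        buf = self._buffers[path]
        buf.open_handles.discard(session)
        if buf.open_handles:
            return None
        verdict = scan(bytes(buf.data))
        self.verdicts[path] = verdict
        del self._buffers[path]
        return verdict


if __name__ == "__main__":
    # Constructed events: two sessions each write half of the EICAR test string.
    path = "//fs01/share/drop.txt"
    first = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD"
    second = b"-ANTIVIRUS-TEST-FILE!$H+H*"
    proxy = FileShareProxy()
    proxy.on_open("sess-1", path)
    proxy.on_open("sess-2", path)
    proxy.on_data("sess-1", path, 0, first)
    proxy.on_data("sess-2", path, len(first), second)
    print("per-chunk:", scan(first), scan(second))     # [] []
    print("after sess-1 close:", proxy.on_close("sess-1", path))   # None
    print("after sess-2 close:", proxy.on_close("sess-2", path))   # ['eicar-test-file']
```

A buffer per file in gateway memory is also the cost of the design: a client streaming a multi-gigabyte file forces a choice between scanning partial content on a size threshold and running the gateway out of memory, which is the usual reason such proxies cap buffer size per file.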
  • Patent number: 9807075
    Abstract: Methods for activating a second application on a user device using a first application already installed and activated on the user device are described. In one embodiment the second application requests activation from the first application. The first application then authenticates a user before providing an activation response. The activation response can be requested from a remote server by the first application on behalf of the second application. The methods improve the ease of activating new software on a user device.
    Type: Grant
    Filed: July 29, 2015
    Date of Patent: October 31, 2017
    Assignee: Good Technology Holdings Limited
    Inventors: Saul Kessler, Sean Michael Quinlan, Haniff Somani, Nigel Thompson, Adrian Satmarel
  • Patent number: 9805202
    Abstract: In an assessment or audit of a computer system, an auditing subsystem will parse software development kit (“SDK”) interfaces and obtain customer usage, configuration and security information by applying requests for information to the application programming interfaces provided by the SDK interfaces.
    Type: Grant
    Filed: November 13, 2014
    Date of Patent: October 31, 2017
    Assignee: EVIDENT.IO, INC.
    Inventors: Claire Medeiros, Justin Lundy
  • Patent number: 9800669
    Abstract: Aspects herein describe techniques for brokering hosted resources in a virtual desktop infrastructure (VDI) using connection leases to reduce demand on connection brokers and to allow hosted services to be maintained even in the event of a broker outage. When a client device desires to connect to a hosted resource (e.g., a hosted desktop or a hosted application), the client device may present a lease token to the session host. The lease token is a self-sustaining package of data from which a session host can determine whether the requesting client device is authorized to access one or more resources hosted by that session host. The lease token may be cryptographically signed to ensure its contents have not been altered, and further that the lease token originated from a trusted source. Lease tokens may be stored independently from a connection broker, thereby still being usable if the connection broker goes offline.
    Type: Grant
    Filed: January 22, 2015
    Date of Patent: October 24, 2017
    Assignee: Citrix Systems, Inc.
    Inventor: Kenneth Malcolm Bell
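A connection lease of the kind described above, as an added example (my code, not Citrix's). The abstract says the token is self-contained and cryptographically signed but not how; the example assumes an HMAC-SHA256 signature under a key shared between the broker and its session hosts, claims bound to one client, one session host and an explicit resource list, and an expiry, so the host can authorize a connection with no broker round-trip. Key name, claim names and the hypothetical host/resource identifiers are my own.

```python
import base64
import hashlib
import hmac
import json
import secrets


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_lease(broker_key: bytes, client_id: str, session_host: str, resources,
                now: int, ttl: int = 3600) -> str:
    """Connection broker side. Binds the lease to one client, one session host
    and an explicit resource list, with issue time, expiry and a unique id."""
    claims = {"sub": client_id, "host": session_host, "res": sorted(resources),
              "iat": now, "exp": now + ttl, "jti": secrets.token_hex(8)}
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(broker_key, body, hashlib.sha256).digest()
    return _b64e(body) + "." + _b64e(sig)


def verify_lease(broker_key: bytes, token: str, session_host: str, resource: str, now: int):
    """Session host side. Needs only the shared key and the token, so it keeps
    working while the broker is down. Returns (ok, subject_or_reason)."""
    parts = token.split(".")
    if len(parts) != 2:
        return False, "malformed"
    try:
        body, sig = _b64d(parts[0]), _b64d(parts[1])
    except ValueError:
        return False, "malformed"
    # Verify the signature before trusting anything inside the body.
    expect = hmac.new(broker_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expect):
        return False, "bad signature"
    claims = json.loads(body)
    if claims.get("host") != session_host:
        return False, "lease issued for a different session host"
    if now >= claims.get("exp", 0):
        return False, "expired"
    if resource not in claims.get("res", []):
        return False, "resource not in lease"
    return True, claims["sub"]


if __name__ == "__main__":
    key = secrets.token_bytes(32)          # provisioned to broker and session hosts
    tok = issue_lease(key, "alice", "vda-17", ["desktop:finance", "app:excel"], now=1_700_000_000)
    print(tok)
    print(verify_lease(key, tok, "vda-17", "app:excel", 1_700_000_100))   # (True, 'alice')
    print(verify_lease(key, tok, "vda-17", "app:putty", 1_700_000_100))   # not in lease
    print(verify_lease(key, tok, "vda-17", "app:excel", 1_700_003_700))   # expired
```

With a symmetric key, every session host can mint leases too; if hosts are less trusted than the broker, sign with a broker private key and give hosts only the public key, keeping the same claim layout. Revocation before `exp` still needs either a short TTL or a host-side deny list, since the token is never re-checked with the broker.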
  • Patent number: 9800562
    Abstract: In a credential recovery process, a user is authenticated using an application running on a mobile communications device, and requests recovery of a credential. The application generates a session key encrypted with the public key of a gateway, and sends the encrypted key to the gateway. The gateway recovers the credential from a depository, encrypted using a symmetric key shared with the depository. The gateway decrypts the credential and re-encrypts the credential using the session key. Preferably, the decryption and re-encryption is performed within a hardware secure module within the gateway. The re-encrypted credential is sent to the application, which decrypts the credential and outputs it to the user. In this way, the credential is provided securely to the user and may be made available for use immediately, or nearly so.
    Type: Grant
    Filed: December 4, 2013
    Date of Patent: October 24, 2017
    Assignee: Barclays Bank PLC
    Inventors: Akhil Lalwani, George French
  • Patent number: 9794256
    Abstract: A cloud-based platform (e.g., cloud-based collaboration and/or storage platform/service) is described that provides advanced control tools for administrators of an enterprise account. The advanced control tools permit the administrator to set mobile security settings for mobile devices running applications that allow a user to access enterprise data in the cloud-based platform; activity notification archiving; support for multiple email domains; automation processes; and policies. The settings selected by the administrator are applied enterprise-wide within the cloud-based platform.
    Type: Grant
    Filed: July 30, 2013
    Date of Patent: October 17, 2017
    Assignee: Box, Inc.
    Inventors: Andy Kiang, Kevin Tu, Philip Sheffield, Alexander Vaughn, Timothy Heilig, Elena Andreevna Tatarchenko, Matthew Taro Duvall, Natalia Vinnik
  • Patent number: 9788197
    Abstract: The present invention discloses a method and a browser for browsing a web page, and a storage medium, and the method comprises: prestoring identity information of an owner user; receiving a web page browsing request from a browsing user, and obtaining the identity information of the browsing user; comparing the identity information of the browsing user with the prestored identity information of the owner user to determine whether the browsing user is the owner user; browsing a web page in a private browsing mode when the browsing user is determined as the owner user; and browsing a web page in a non-private browsing mode when the browsing user is determined as a non-owner user. By the invention, the privacy of browsing behaviors of the owner user may be effectively protected, and the owner user is enabled to examine browsing behaviors of other non-owner users.
    Type: Grant
    Filed: July 11, 2014
    Date of Patent: October 10, 2017
    Assignee: TENCENT TECHNOLOGY (SHENZHEN) COMPANY LIMITED
    Inventors: Huijiao Yang, Tingyong Tang, Bo Hu, Renfang Liu, Zhipei Wang, Ruiyi Zhou, Xi Wang, Zhengkai Xie, Bosen He, Ying Huang, Wei Li, Cheng Feng, Kai Zhang, Yulei Liu
  • Patent number: 9787651
    Abstract: A method and a device for setting up a session key between a source entity and a target entity in a communication network comprising a plurality of communicating entities. The method, which relies on the use of symmetrical cryptographic primitives, provides each entity in the session with protection against denial of service attacks by setting up a session in four or five message exchanges.
    Type: Grant
    Filed: March 12, 2014
    Date of Patent: October 10, 2017
    Assignee: COMMISSARIAT A L'ENERGIE ATOMIQUE ET AUX ENERGIES ALTERNATIVES
    Inventors: Aymen Boudguiga, Nouha Oualha, Alexis Olivereau, Christophe Janneteau
  • Patent number: 9779255
    Abstract: Embodiments for preventing data loss and allowing selective access data include systems and methods that receive a data payload to be stored by the system; split the data payload into a plurality of payload components; secure each of the plurality of payload components; store at least a first of the plurality of payload components at a first repository and at least a second of the plurality of payload components at a second repository; receive a request for access to the data payload; and provide certification that the data payload has not been altered since storing.
    Type: Grant
    Filed: July 23, 2014
    Date of Patent: October 3, 2017
    Assignee: Bank of America Corporation
    Inventor: Manu Jacob Kurian
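The split-store-certify flow from the abstract above, as an added example (my code, not Bank of America's). The abstract leaves the split, the "securing" of each component and the form of the certification unspecified; the example assumes a contiguous split into one component per repository, a Merkle root over per-component hashes as the certificate, kept by the access layer apart from both repositories, and omits per-component encryption (which would sit between splitting and placement). Repository names and payload ids are constructed.

```python
import hashlib


def _sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def split_payload(payload: bytes, parts: int):
    """Cut the payload into `parts` contiguous components so that no single
    repository holds a usable copy (a short payload yields empty tail parts)."""
    size = -(-len(payload) // parts)          # ceiling division
    return [payload[i * size:(i + 1) * size] for i in range(parts)]


def certify(components) -> bytes:
    """Certificate of integrity: a Merkle root over the component hashes.
    Order matters, so swapped components fail certification too."""
    nodes = [_sha256(c) for c in components]
    while len(nodes) > 1:
        if len(nodes) % 2:
            nodes.append(nodes[-1])
        nodes = [_sha256(nodes[i] + nodes[i + 1]) for i in range(0, len(nodes), 2)]
    return nodes[0]


class Repository:
    """One storage location; compromising it yields only its own components."""
    def __init__(self, name: str):
        self.name = name
        self._objects = {}

    def put(self, key: str, data: bytes):
        self._objects[key] = data

    def get(self, key: str) -> bytes:
        return self._objects[key]


class AccessLayer:
    """Receives payloads, splits and places them, and answers access requests
    with the payload plus a certification that it is unchanged since storing."""
    def __init__(self, repositories):
        self._repos = list(repositories)
        self._certificates = {}               # payload_id -> Merkle root

    def store(self, payload_id: str, payload: bytes):
        components = split_payload(payload, len(self._repos))
        for i, (repo, comp) in enumerate(zip(self._repos, components)):
            repo.put(f"{payload_id}/{i}", comp)
        self._certificates[payload_id] = certify(components)

    def access(self, payload_id: str):
        """Returns (payload, certified). A False certification means at least
        one repository returned something other than what was stored."""
        components = [repo.get(f"{payload_id}/{i}") for i, repo in enumerate(self._repos)]
        certified = certify(components) == self._certificates[payload_id]
        return b"".join(components), certified


if __name__ == "__main__":
    layer = AccessLayer([Repository("east"), Repository("west"), Repository("archive")])
    layer.store("rec-1", bytes(range(256)) * 4)       # constructed 1 KiB payload
    data, ok = layer.access("rec-1")
    print(len(data), ok)                              # 1024 True
```

The certificate only proves "unchanged since storing"; it says nothing about who stored it. Signing the root with the access layer's key at store time would add origin to the certification.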
  • Patent number: 9774590
    Abstract: A client application performs certificate pinning as a means of authenticating the identity of a server. A proxy is interposed in the communications path of the client and the hosting server and provides a proxy security certificate to the client. In response to the client extracting a proxy authentication component from the proxy security certificate, operation of the client is paused and a hosting server authentication component is extracted from a hosting server security certificate. The client operation is resumed, providing the extracted hosting server authentication component to the client, in substitution for the proxy authentication component. Based on receiving the extracted hosting server authentication component, the client authenticates the proxy to receive communications directed to the hosting server.
    Type: Grant
    Filed: December 20, 2016
    Date of Patent: September 26, 2017
    Assignee: International Business Machines Corporation
    Inventors: Emanuel Bronshtein, Roee Hay, Sagi Kedmi
  • Patent number: 9774450
    Abstract: Network-based service content protection techniques are described. In one or more implementations, content is edited locally by a computing device. The edited content is automatically encrypted without any user intervention by the computing device using an encryption credential, e.g., encryption key or other secret. The automatic encryption is performed responsive to a request to store the content at a network-based service provider such that the encrypted content can only be decrypted and accessed with the encryption credential and the encrypted content is uploaded to the network-based service provider.
    Type: Grant
    Filed: August 28, 2015
    Date of Patent: September 26, 2017
    Assignee: Adobe Systems Incorporated
    Inventor: Reza Jalili
  • Patent number: 9769151
    Abstract: Techniques are disclosed for generating multiple key pairs using different algorithms and similarly installing certificates signed using the different algorithms. A customer server receives a selection of algorithms for generating a public/private key pair (e.g., RSA, ECC, DSA, etc.). The customer server generates key pairs for each selection and also generates corresponding certificate signing requests (CSRs). The customer server sends the CSRs to a certificate authority (CA). The CA generates certificates associated with each algorithm and sends the certificates to the customer server. The customer server may prompt a user to select one or more of the certificates to install, and upon receiving the selection, the customer server installs the certificates.
    Type: Grant
    Filed: December 23, 2013
    Date of Patent: September 19, 2017
    Assignee: Symantec Corporation
    Inventors: Michael Klieman, Perry Tancredi
  • Patent number: 9769289
    Abstract: A TCP communication scheme which ensures safe communication up to the communication path near a terminal and eliminates direct attacks from hackers, etc. A terminal (A) and terminal (B) are connected to a relay apparatus (X) and relay apparatus (Y), where the terminal (A) and the terminal (B) are the endpoint terminals positioned at the two ends of a TCP communication connection. The relay apparatuses (X, Y) are each connected to a network (NET). The relay apparatuses (X and Y) are provided so as to be between the terminals (A and B) which had been performing conventional TCP communication, and neither of the relay apparatuses (X and Y) has an IP address. The relay apparatuses (X and Y) take over the TCP connection between the terminal (A) and the terminal (B), divide the connection into three TCP connections, and establish TCP communication.
    Type: Grant
    Filed: October 1, 2013
    Date of Patent: September 19, 2017
    Assignee: MEIDENSHA CORPORATION
    Inventors: Yasushi Tateishi, Tatsuya Okuro, Yasunori Nishibe, Takashi Habutsu