Patents Examined by Leynna Truvan
  • Patent number: 9569602
    Abstract: A method and system for receiving from an authenticated user, at an authorization server, via a service provider, an authorization request to perform a sensitive operation on a first device. The method also includes generating, by the authorization server and in response to receiving the authorization request, an authorization token that includes a device constraint and a binding code constraint, which includes a binding code. Additionally, the method includes transmitting the authorization token to an isolated execution environment of the first device, where the sensitive operation is not permitted on the first device unless the first device successfully performs a verification in the isolated execution environment using the authorization token. Furthermore, the method includes permitting the sensitive operation based on the verification.
    Type: Grant
    Filed: February 5, 2015
    Date of Patent: February 14, 2017
    Assignee: Oracle International Corporation
    Inventors: Thierry Violleau, Patrick Van Haver
  • Patent number: 9542536
    Abstract: Among other things, one or more techniques and/or systems are provided for sustained data protection. In particular, a data protector may define a set of access levels associated with content within data using a set of access policies (e.g., a partial access level to inventory data for an inventory server, a full access level to inventory data and billing data for a shopping website server, etc.). The data protector may secure (e.g., encrypt) the data to create protected data, so that clients may be unable to access content of the protected data without obtaining access through the data protector. In this way, the data protector may selectively provide clients with access to content within the protected data according to respective access levels for the different clients (e.g., access to inventory data, but not billing data, may be provided to the inventory server by the data protector).
    Type: Grant
    Filed: January 13, 2012
    Date of Patent: January 10, 2017
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Sean Andrew Suchter, Ho John Lee, Charles Carson, Scott Banachowski, Yuri Romanenko, Eric Wai Ho Lau
  • Patent number: 9497062
    Abstract: An algorithm (such as the MD5 hash function) is applied to a file to produce an intrinsic unique identifier (IUI) for the file (or message digest). The file is encrypted using its IUI as the key for the encryption algorithm. An algorithm is then applied to the encrypted file to produce an IUI for the encrypted file. The encrypted file is safely stored or transferred within a network and is uniquely identifiable by its IUI. The encrypted file is decrypted using the IUI of the plaintext file as the key. The IUI serves as both a key to decrypt the file and also as verification that the integrity of the plaintext file has not been compromised. IUIs for any number of such encrypted files may be assembled into a descriptor file that includes meta data for each file, the IUI of the plaintext file and the IUI of the encrypted file. An algorithm is applied to the descriptor file to produce an IUI for the descriptor file.
    Type: Grant
    Filed: July 24, 2012
    Date of Patent: November 15, 2016
    Assignee: EMC IP Holding Company LLC
    Inventors: Paul R. Carpentier, Jan F. Van Riel, Tom Teugels
  • Patent number: 9489651
    Abstract: Operator authorizations are autonomically adjusted in many ways to automatically account for many different variables. Operator authorization may be adjusted according to an operator's past activity record so previous experience is not lost when the operator is rehired. Operator authorization may be adjusted according to the operator's quality and performance. Operator authorization may also be adjusted by recognizing similar operations to those the operator is authorized to perform, and authorizing the operator to perform one or more similar operations. Operator authorization may also be adjusted to a lesser level or may be revoked for an operation based on the passage of time. A manufacturing system may efficiently track operators taking into account different activity periods, the passage of time, the operator's performance, and similar operations to autonomically adjust the authorization of the operators as needed.
    Type: Grant
    Filed: June 17, 2010
    Date of Patent: November 8, 2016
    Assignee: International Business Machines Corporation
    Inventors: Hung Dao Bui, Ivory Wellman Knipfer, Eng Hin Koh, Ser Huay Tan, Matthew H. Zemke
  • Patent number: 9473507
    Abstract: Methods and systems for proximity-based access control include determining whether a distance from a first mobile device to each of one or more safe mobile devices falls below a threshold distance; determining whether a number of safe mobile devices within the threshold distance exceeds a safe gathering threshold with a processor; and activating a safe gathering policy in accordance with the safe gathering threshold that decreases a security level in the first mobile device.
    Type: Grant
    Filed: January 3, 2013
    Date of Patent: October 18, 2016
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Paul C. Castro, Yunwu Huang, Marco Pistoia, Umut Topkara
  • Patent number: 9449180
    Abstract: The present invention provides a method and system for securing sensitive data from unauthorized access or use. The method and system of the present invention is useful in a wide variety of settings, including commercial settings generally available to the public which may be extremely large or small with respect to the number of users. The method and system of the present invention is also useful in a more private setting, such as with a corporation or governmental agency, as well as between corporations, governmental agencies or any other entity.
    Type: Grant
    Filed: April 18, 2008
    Date of Patent: September 20, 2016
    Assignee: Security First Corp.
    Inventors: Mark S. O'Hare, Rick L. Orsini, John Van Zandt, Roger S. Davenport
  • Patent number: 9430188
    Abstract: A method is for operating a cryptographic device to reduce effects of power analysis and time attacks. The method may include executing a first set of cryptographic algorithm computations with a first crypto-processor of the cryptographic device. The first set of cryptographic algorithm computations may provide encryption of a first set of data to be protected with a first secret key stored in the cryptographic device. The method may further include executing a second set of cryptographic algorithm computations with a second crypto-processor of the cryptographic device for providing encryption of a second set of data different from the first set of data to be protected with a second different secret key.
    Type: Grant
    Filed: December 30, 2009
    Date of Patent: August 30, 2016
    Assignee: STMICROELECTRONICS INTERNATIONAL N.V.
    Inventors: Giovanni Di Sirio, Giovanni Fontana
  • Patent number: 9389993
    Abstract: A method is provided in one embodiment and includes receiving a request for a session at a network element; communicating a query for whitelist data to a provisioning element; receiving the whitelist data at the network element; and communicating a message to an access point that communicated the request, where the message is indicative of whether the session is to be accepted or denied based on the whitelist data. In more specific implementations, the network element is a gateway configured to receive the whitelist data via a RADIUS access accept message. In addition, source Internet protocol (IP) address verification associated with the session can be executed before a wireless device associated with the access point is permitted access to a network.
    Type: Grant
    Filed: July 21, 2011
    Date of Patent: July 12, 2016
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Anton Okmyanskiy, Mickael Graham, Eric Hamel, Anal Srivastava
  • Patent number: 9355267
    Abstract: Provided herein are systems and methods for an Integrated File Level Cryptographical Access Control (IFLCAC). The system comprises, on a local computer, an encryption database to store information relating to encrypted files and encryption algorithms, a user interface communicatively linked to the encryption database, an administrator interface communicatively linked to the encryption database independently of the user interface, and a file system gateway communicatively linked to the encryption database that resides above and operates independently of the file system and transparently to any calling application on the local computer. Also provided are methods of using the IFLCAC system and a computer program product comprising a memory tangibly storing computer executable instructions for the IFLCAC system and method and one or more computer readable media tangibly storing computer executable instructions for the IFLCAC system and method.
    Type: Grant
    Filed: March 26, 2010
    Date of Patent: May 31, 2016
    Assignee: The University of Houston System
    Inventor: Ryan Seifert
  • Patent number: 9356985
    Abstract: A method, system, and computer program product for deploying data to a web server for streaming video to a mobile device. The method can include receiving a request for streaming video from a mobile device upon the resolving of the request by a DNS. The method can further include simultaneously sending both a request to a database for the video requested and a playlist for the video to the mobile device. The method can then include receiving the video from the database. The video received is sent as a sequence of blocks, where each block can further be comprised of a sequence of chunks. The method can even further include decompressing each block and storing each chunk on a web server. The method can further include an exchange of a security credential.
    Type: Grant
    Filed: September 1, 2014
    Date of Patent: May 31, 2016
    Assignee: International Business Machines Corporation
    Inventors: Erik J. Burckart, Robert Madey, Jr., Victor S. Moore, Richard Poundstone
  • Patent number: 9355253
    Abstract: A media processing device, such as a set top box, having selectable hardware and software components for forming media pathways compliant with security definitions provided by downloaded or preinstalled software applications. Such applications may include, for example, a downloadable conditional access security or DRM element/definition. A corresponding certification process can entail certifying a portion of an overall secure pathway, with one or more applications providing the final portion of the certification. Alternatively, predefined conditional access mechanisms are provided, with an application establishing which mechanism is to be used. In various embodiments, a set top box or resident software application may exchange capabilities with other devices in a media consumption network to compare against the requirements of the software application.
    Type: Grant
    Filed: January 3, 2013
    Date of Patent: May 31, 2016
    Assignee: Broadcom Corporation
    Inventors: Marcus C. Kellerman, Xuemin (Sherman) Chen
  • Patent number: 9355258
    Abstract: The invention relates to a system and a method for privacy preservation of sensitive attributes stored in a database. The invention reduces the complexity and enhances privacy preservation of the database by determining the distribution of sensitive data based on Kurtosis measurement. The invention further determines and compares the optimal value of k-sensitive attributes in k-anonymity data sanitization model with the optimal value of l sensitive attributes in l diversity data sanitization model using adversary information gain. The invention reduces the complexity of the method for preserving privacy by applying k anonymity only, when the distribution of the sensitive data is leptokurtic and optimal value of k is greater than the optimal value of l.
    Type: Grant
    Filed: September 25, 2012
    Date of Patent: May 31, 2016
    Assignee: Tata Consultancy Services Limited
    Inventors: Arijit Ukil, Jaydip Sen
  • Patent number: 9338239
    Abstract: A method and apparatus for configuring electronic devices is provided. The method includes collecting, at a device management apparatus, user information regarding a user within a predetermined area; and controlling access to an electronic device based on the user information.
    Type: Grant
    Filed: September 27, 2012
    Date of Patent: May 10, 2016
    Assignee: Samsung Electronics Co., Ltd
    Inventors: Hyungrae Cho, Jihyeon Kweon, Seokmin Oh, Kangmin Lee, Yousef Kharsim
  • Patent number: 9317708
    Abstract: A trust system and method is disclosed for use in computing devices, particularly portable devices, in which a central Authority shares secrets and sensitive data with users of the respective devices. The central Authority maintains control over how and when shared secrets and data are used. In one embodiment, the secrets and data are protected by hardware-rooted encryption and cryptographic hashing, and can be stored securely in untrusted storage. The problem of transient trust and revocation of data is reduced to that of secure key management and keeping a runtime check of the integrity of the secure storage areas containing these keys (and other secrets). These hardware-protected keys and other secrets can further protect the confidentiality and/or integrity of any amount of other information of arbitrary size (e.g., files, programs, data) by the use of strong encryption and/or keyed-hashing, respectively.
    Type: Grant
    Filed: August 14, 2009
    Date of Patent: April 19, 2016
    Assignee: Teleputers, LLC
    Inventors: Ruby B. Lee, Jeffrey S. Dwoskin
  • Patent number: 9306954
    Abstract: Systems and methods are provided for accessing and managing a virtual desktop. In some examples a desktop access manager may be provided to enable and communicatively link a virtual desktop key such that a user may access a linked desktop virtually over a second computing device. The systems and methods provide increased security when accessing a virtual desktop and enable customization of access to the virtual desktop.
    Type: Grant
    Filed: June 30, 2011
    Date of Patent: April 5, 2016
    Assignee: Cloud Security Corporation
    Inventor: Safa Movassaghi
  • Patent number: 9298937
    Abstract: The present invention provides a method and system for securing sensitive data from unauthorized access or use. The method and system of the present invention is useful in a wide variety of settings, including commercial settings generally available to the public which may be extremely large or small with respect to the number of users. The method and system of the present invention is also useful in a more private setting, such as with a corporation or governmental agency, as well as between corporations, governmental agencies or any other entity.
    Type: Grant
    Filed: August 29, 2014
    Date of Patent: March 29, 2016
    Assignee: Security First Corp.
    Inventors: Mark S. O'Hare, Rick L. Orsini, John Van Zandt, Roger S. Davenport
  • Patent number: 9300681
    Abstract: A method, arrangement, and first access router in a packet-switched communication network for determining that a first endpoint originating a communication session with a second endpoint is not initiating a malicious man-in-the-middle attack. The first access router provides access for the first endpoint to the network and a second access router provides access for the second endpoint. The first and second access routers facilitate conducting a secure key exchange between the first and second endpoints, wherein a shared secret key is generated. The first access router utilizes a Prefix Reachability Detection (PRD) protocol to determine the first endpoint is topologically legitimate due to being topologically located behind the first access router, and then sends a Prefix Request Test Initialization (PRTI) message to the second access router indicating the first endpoint is topologically legitimate.
    Type: Grant
    Filed: September 4, 2014
    Date of Patent: March 29, 2016
    Assignee: Telefonaktiebolaget L M Ericsson (publ)
    Inventors: Wassim Haddad, Mats Näslund
  • Patent number: 9292669
    Abstract: A method inputs a password in an electronic apparatus. In the method, whether an authentication number input request corresponding to a password exists is determined. When the authentication number input request exists, a screen for requiring input of an authentication query number and a corresponding authentication number is displayed. Whether the input authentication number and the input authentication query number match with each other is determined. When they match with each other, a relevant approval screen or a relevant function is entered. Since a specific authentication number with respect to a specific authentication query number among a plurality of authentication query numbers is used with a general number or character in a combined manner, a password may be kept safe even when exposed and so use convenience is provided.
    Type: Grant
    Filed: January 13, 2012
    Date of Patent: March 22, 2016
    Assignee: SAMSUNG ELECTRONICS CO., LTD.
    Inventor: Sang-Cheol Lee
  • Patent number: 9276747
    Abstract: A method comprises storing, at the server computer system, user profile information for the remote user. The user profile information for the remote user (or a link to the user profile information) is encrypted using authentication information. The user profile information is associated with user identification information, at the server computer system, using the authentication information, which is selectively made available by the remote user via the network to the server computer system in order to enable the server computer system to associate the user profile information with the user identification information.
    Type: Grant
    Filed: August 4, 2008
    Date of Patent: March 1, 2016
    Assignee: Technology Policy Associates, LLC
    Inventor: Bradley A. Handler
  • Patent number: 9264234
    Abstract: In the field of computer and data security, the identifier (ID) of a computing device is protected by providing a secure signature used to verify the ID. The signature is computed from the ID using a “White Box” cryptographic process and a hash function. This provides a signature that is computationally easy to verify but difficult or impossible to generate by a hacker (unauthorized user). This method of first creating the signature and later verifying the identifier using the signature and the associated computing apparatus are thereby useful for protection against hacking of such identifiers of computing devices.
    Type: Grant
    Filed: January 24, 2012
    Date of Patent: February 16, 2016
    Assignee: APPLE INC.
    Inventors: Augustin J. Farrugia, David M'Raihi, Mathieu Ciet, Thomas Icart