Patents Examined by Louis C Teng
  • Patent number: 10581829
    Abstract: A Session Initiation Protocol enabled network connected device receives a client certificate from a client device. The SIP enabled network connected device validates the client certificate from information received from a certificate authority. The SIP enabled network connected device determines an identifier of the client device from the client certificate. The SIP enabled network connected device stores the identifier of the client device. The SIP enabled network connected device receives a SIP message from the client device. The SIP enabled network connected device inserts the identifier of the client device into the SIP message. The SIP enabled network connected device transmits the SIP message to a destination SIP enabled device after inserting the identifier of the client device into the SIP message.
    Type: Grant
    Filed: May 31, 2017
    Date of Patent: March 3, 2020
    Assignee: Cisco Technology, Inc.
    Inventors: Suneth Mercian Wilathgamuwage Don, John Joseph Costello, Oliver W. Fagan, Sinead Kelly, Christopher Edwin Pearce
  • Patent number: 10567398
    Abstract: A method executable via operation of configured processing circuitry to identify applications by remote monitoring may include initiating remote communication with a target device through an access point, the access point providing network access to the target device, providing a series of ping messages to the target device via the access point to determine a delay signature of an application running on the target device, comparing the delay signature of the application to a plurality of malware traffic signatures stored in a malware traffic signature library, and determining a matching score between the delay signature of the application and at least some of the malware traffic signatures.
    Type: Grant
    Filed: December 9, 2015
    Date of Patent: February 18, 2020
    Assignee: The Johns Hopkins University
    Inventor: Lanier A. Watkins
  • Patent number: 10554390
    Abstract: Systems, methods, and computer-executable instructions for secure data analysis using encrypted data. An encryption key and a decryption key are created. The security of encryption using the encryption key and the decryption key is based upon factoring. A computation key is created based upon the encryption key. Data is encrypted using the encryption key. The encrypted data and the computation key are provided to a remote system. The remote system is requested to perform data analysis on the encrypted data. An encrypted result of the data analysis is received from the remote system. The encrypted result of the data analysis is decrypted with the decryption key.
    Type: Grant
    Filed: June 12, 2017
    Date of Patent: February 4, 2020
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Prateek Jain, Ramarathnam Venkatesan, Jonathan Lee, Kartik Gupta
  • Patent number: 10554409
    Abstract: Systems and methods are provided for use in authenticating a user in connection with a network transaction, based on a biometric personal identification number (PIN). One exemplary method includes intercepting a request associated with a network transaction. The request includes a series of biometric data associated with a user. The exemplary method also includes verifying the series of biometric data and converting, by the computing device, the series of biometric data to an actual personal identification number (PIN) where the actual PIN includes a series of characters. The method then further includes appending the actual PIN to the request, and transmitting the request to an entity, thereby permitting the entity to authenticate the user, at least in part, based on the actual PIN.
    Type: Grant
    Filed: July 11, 2017
    Date of Patent: February 4, 2020
    Assignee: MASTERCARD INTERNATIONAL INCORPORATED
    Inventor: Rahul Agrawal
  • Patent number: 10546157
    Abstract: The present disclosure is directed to a flexible counter system for memory protection. In general, a counter system for supporting memory protection operations in a device may be made more efficient utilizing flexible counter structures. A device may comprise a processing module and a memory module. A flexible counter system in the memory module may comprise at least one data line including a plurality of counters. The bit-size of the counters may be reduced and/or varied from existing implementations through an overflow counter that may account for smaller counters entering an overflow state. Counters that utilize the overflow counter may be identified using a bit indicator. In at least one embodiment selectors corresponding to each of the plurality of counters may be able to map particular memory locations to particular counters.
    Type: Grant
    Filed: October 24, 2017
    Date of Patent: January 28, 2020
    Assignee: Intel Corporation
    Inventors: Jungju Oh, Siddhartha Chhabra, David M. Durham
  • Patent number: 10530582
    Abstract: A method and a device for information system access authentication are disclosed. The method includes: performing anonymous authentication to a random verification code generated according to a login request for accessing an information system of a client, and authenticating acquired user name and password information when the anonymous authentication is successful. The device includes a verification code authentication module and a user name and password authentication module connected to the verification code authentication module, wherein the verification code authentication module is configured to perform anonymous authentication to a random verification code generated according to a login request for accessing an information system of a client; and the user name and password authentication module is configured to authenticate acquired user name and password information when the anonymous authentication is successful.
    Type: Grant
    Filed: October 10, 2014
    Date of Patent: January 7, 2020
    Assignees: Singou Technology Ltd., Macau University of Science and Technology
    Inventors: Chi Tin Hon, Chan Heng Tam, Tai-Hua Ma
  • Patent number: 10530744
    Abstract: This application provides a message processing method, an access controller, and a network node. In some aspects, an access controller receives a first message used to obtain Internet Protocol (IP) address information for a user-side device and a first access loop identifier of a first network node, where the first message and the first access loop identifier are sent by the first network node, the first access loop identifier is not carried in the first message. The access controller obtains an authentication, authorization and accounting (AAA) message according to the first access loop identifier, wherein the AAA message comprises the first access loop identifier. The access controller sends the AAA message to an AAA server.
    Type: Grant
    Filed: September 9, 2016
    Date of Patent: January 7, 2020
    Assignee: Huawei Technologies Co., Ltd.
    Inventor: Ruobin Zheng
  • Patent number: 10521359
    Abstract: Methods, systems, and computer program products for secure distance computations are provided herein.
    Type: Grant
    Filed: May 8, 2017
    Date of Patent: December 31, 2019
    Assignee: International Business Machines Corporation
    Inventors: Gagandeep Singh, Akshar Kaul, Manish Kesarwani, Prasad Naldurg, Sameep Mehta
  • Patent number: 10516658
    Abstract: For sharing of information in a virtual or online environment, methods and systems are provided which enable verifying attributes of an individual. An individual registered for participation in a virtual or online environment may provide evidence of the attributes from a verification source that exists outside the virtual or online environment. An administrator associated with the virtual or online environment verifies the attributes by receipt of the evidence. Alternatively, the attribute for the individual may be verified after receipt of one or more signals indicating individuals registered for participation in the virtual or online environment have corroborated the attributes. A verification indication for an attribute may be shared with other individuals in the virtual or online environment.
    Type: Grant
    Filed: December 17, 2018
    Date of Patent: December 24, 2019
    Assignee: MBR INNOVATIONS LLC
    Inventor: Matthew B. Rappaport
  • Patent number: 10509733
    Abstract: Systems and methods for performing data deduplication on storage blocks while the data is encrypted. An example method may comprise: selecting a first storage block and a second storage block from a plurality of encrypted storage blocks, wherein the first storage block and the second storage block are encrypted using different cryptographic input; causing the first storage block and the second storage block to be decrypted and further encrypted using a common cryptographic input; determining that a cipher text of the first storage block and a cipher text of the second storage block are the same; and updating a reference to the first storage block to reference the second storage block in response to the determining that the cipher text of the first storage block and the cipher text of the second storage block are the same.
    Type: Grant
    Filed: March 24, 2017
    Date of Patent: December 17, 2019
    Assignee: Red Hat, Inc.
    Inventors: Michael Tsirkin, Henri Han Van Riel
  • Patent number: 10462121
    Abstract: Technologies for remote device authentication include a client computing device, an identity provider, and an application server in communication over a network. The identity provider sends an authentication challenge to the client. A capability proxy of the client intercepts an authentication challenge response and retrieves one or more security assertions from a secure environment of the client computing device. The capability proxy may be an embedded web server providing an HTTP interface to platform features of the client. The client sends a resource access token based on the security assertions to the identity provider. The identity provider verifies the resource access token and authenticates the client computing device based on the resource access token in addition to user authentication factors such as username and password. The identity provider sends an authentication response to the client, which forwards the authentication response to the application server.
    Type: Grant
    Filed: July 26, 2017
    Date of Patent: October 29, 2019
    Assignee: Intel Corporation
    Inventors: Hong Li, Suman Sharma, John B. Vicente, Luis A. Gimenez, Carlton D. Ashley, Navneet Malpani
  • Patent number: 10460104
    Abstract: A security system and method secures and responds to security threats in a computer having a CPU, a Kernel/OS, and software applications. A data collector intercepts a selection of first tier calls between the CPU and Kernel/OS and/or second tier calls between the Kernel/Operating System and the applications, and stores information pertaining thereto. An Analytic Engine maps the stored first and second tier call information to a rulebase containing patterns of security threats, to generate a threat analysis, and then responds to the threat analysis. The Analytic Engine enlarges or contracts the selection of first and second tier calls to increase or decrease specificity of the threat analysis. A Management Module generates user interfaces accessible remotely by a user device, to update the rulebase and configure the collector, the Kernel module, and the Analytic Engine.
    Type: Grant
    Filed: September 14, 2018
    Date of Patent: October 29, 2019
    Assignee: Alert Logic, Inc.
    Inventors: Ryan J. Berg, John J. Danahy, Kirk R. Swidowski, Stephen C. Carlucci, Christopher Baron
  • Patent number: 10404449
    Abstract: A method for encrypting data with an encryption entity includes, in a step a), dividing a plaintext into a number of N blocks. In a step b), each of the blocks is encrypted with an encryption key resulting in a number of ciphertext blocks. In a step c), a linear All-Or-Nothing scheme is applied on the ciphertext blocks. In a step d), each of the ciphertext blocks output from step c) is transformed with a transformation procedure such that the information in different ciphertext blocks is transformed differently based on the encryption key and such that the transformation procedure is only revertable with knowledge of the encryption key. In a step e), the transformed ciphertext blocks are dispersed according to an information dispersal procedure.
    Type: Grant
    Filed: November 24, 2014
    Date of Patent: September 3, 2019
    Assignee: NEC CORPORATION
    Inventor: Ghassan Karame
  • Patent number: 10397263
    Abstract: A method comprising receiving, by a network element, a data packet, searching, by the network element, the received data packet at a first hierarchical level to determine whether a substring of a string of a regular expression exists in the received data packet, searching, by the network element when the search of the received data packet at the first hierarchical level finds a match, the received data packet at a second hierarchical level to determine whether the string of the regular expression exists in the received data packet, and transmitting, by the network element, the received data packet to a next network element along an original path of the received data packet without searching the received data packet at a third hierarchical level when the search of the received data packet at the first or second hierarchical level does not find a match.
    Type: Grant
    Filed: April 25, 2017
    Date of Patent: August 27, 2019
    Assignee: Futurewei Technologies, Inc.
    Inventors: Yan Sun, Wei Xu
  • Patent number: 10382422
    Abstract: A module with an embedded universal integrated circuit card (eUICC) can include a profile for the eUICC. The profile can include a first and second shared secret key K for authenticating with a wireless network. The first shared secret key K can be encrypted with a first key, and the second shared secret key K can be encrypted with a second key. The module can (i) receive the first key, (ii) decrypt the first shared secret key K with the first key, and (iii) subsequently authenticate with the wireless network using the plaintext first shared secret key K. The wireless network can authenticate the user of the module using a second factor. The module can then (i) receive the second key, (ii) decrypt the second shared secret key K, and (iii) authenticate with the wireless network using the second shared secret key K. The module can comprise a mobile phone.
    Type: Grant
    Filed: August 23, 2018
    Date of Patent: August 13, 2019
    Assignee: Network-1 Technologies, Inc.
    Inventor: John A. Nix
  • Patent number: 10375053
    Abstract: A Cross-Platform Single Sign On (CP-SSO) experience is provided herein to enable users to access multiple services via a single login when working across different platforms. A user may work across different platforms when using multiple devices, when using multiple browsers on a single device, or when an integrated application requires a separate login for access within a host web application or portal service. A proxy token service manages login requests and authentication tokens after a given service has been logged into once by a user, so that the user does not need to provide login credentials on subsequent requests for the given service. By enabling a CP-SSO experience, network efficiency is improved, and the user experience is also improved as users do not need to supply authentication credentials as frequently and may freely choose to use multiple platforms instead of limiting usage to a single platform.
    Type: Grant
    Filed: September 15, 2016
    Date of Patent: August 6, 2019
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Ganesh Sridharan, Vadim Eydelman, Anand Krishnamurthy, Srividhya Chandrasekaran, Daniel C. Stevenson, Sameer D. Bedekar, Aravind Namasivayam, Xiaozhong Luo, Andrew Guy Bybee, Ekaterina Bassova, Marc Kuperstein
  • Patent number: 10362000
    Abstract: A method for providing a virtual Wi-Fi network with secure tunnel provisioning is disclosed. The method provides a reliable, persistent connection between wireless communications enabled devices located at a user's premises and a service provider, and includes the steps of using a software code running on a computing device to pass instructions including a remote server address to an Application Programming Interface (API) running on a wireless router connected to the computing device through a Local Area Network (LAN); using the wireless router to establish a secure communication session with the remote server through a Wide Area Network (WAN); receiving at the wireless router through the WAN parameters required to set up a wireless Virtual Local Area Network (VLAN); and using the router, establishing a wireless VLAN at the user's premises and connecting the wireless VLAN to the remote server through the WAN using a secure tunnel connection.
    Type: Grant
    Filed: December 16, 2016
    Date of Patent: July 23, 2019
    Assignee: Electric Power Research Institute, Inc.
    Inventor: Timothy Godfrey
  • Patent number: 10356080
    Abstract: Techniques described herein may be used to centralize authentication and authorization for accessing cloud services provided by different cloud platform deployments. A user equipment (UE) may provide user information to a cloud admin server. The cloud admin server may authenticate and authorize the UE locally and then initiate a sign on procedure with each cloud platform deployment. The sign on procedure may include obtaining user group information for the user and providing the user group information to the cloud platform deployments so that the cloud platform deployments may return permission information without having to each perform an authentication and authorization procedure. The cloud admin server may relay the permission information to the UE, and the UE may use the permission information to access any/all of the cloud services.
    Type: Grant
    Filed: March 17, 2017
    Date of Patent: July 16, 2019
    Assignee: Verizon Patent and Licensing Inc.
    Inventor: Minbao Li
  • Patent number: 10341380
    Abstract: Methods and apparatus are described for automatically modifying web page code. Specific implementations relate to the modification of web page code for the purpose of combatting Man-in-the-Browser (MitB) attacks.
    Type: Grant
    Filed: April 23, 2018
    Date of Patent: July 2, 2019
    Inventors: Yao Zhao, Xinran Wang
  • Patent number: 10333719
    Abstract: A method and system configured to produce a cryptographic signature on a message, under a key, at a user computer wherein the key is shared between the user computer, which stores a first key-share, and an authentication computer, which stores a second key-share and a first authentication value. The user computer encodes the message to produce a blinded message, produces the first authentication value from a user password and a secret value, and produces a second authentication value by encoding the first authentication value and a nonce. The authentication computer uses the nonce to determine if the first authentication value is correct and, if so, encodes the blinded message using the second key-share to produce a partial signature. The user computer produces a signature on the message under the key by encoding the partial signature and the message using the first key-share and an unblinding function.
    Type: Grant
    Filed: May 3, 2018
    Date of Patent: June 25, 2019
    Assignee: International Business Machines Corporation
    Inventors: Jan L. Camenisch, Anja Lehmann, Gregory Neven