Patents Examined by Louis C Teng
  • Patent number: 10325105
    Abstract: In certain embodiments, an information obfuscation service may be incorporated directly into the main applications processor of a portable computing device such that the applications processor and its relevant storage peripherals may be securely shared via a virtualization firmware module, avoiding the use of specialized hardware or major modifications of the operating system. The virtualizing and obfuscating storage firmware module may enable a much higher level of assurance in information-at-rest protection while using only the memory protection and privilege mode facilities inherent in common portable device applications microprocessors. The virtualizing and obfuscating storage firmware may interpose storage accesses originating from the operating system. This interposition may be performed seamlessly, without explicit knowledge of the operating system.
    Type: Grant
    Filed: March 11, 2014
    Date of Patent: June 18, 2019
    Assignee: GREEN HILLS SOFTWARE LLC
    Inventors: David Noah Kleidermacher, Daniel Jonathan Hettena, Frank John Banul, IV
  • Patent number: 10313108
    Abstract: A processing system includes a processor to construct an input message comprising a target value and a nonce and a hardware accelerator, communicatively coupled to the processor, implementing a plurality of circuits to perform stage-1 secure hash algorithm (SHA) hash and stage-2 SHA hash, wherein to perform the stage-2 SHA hash, the hardware accelerator is to perform a plurality of rounds of compression on state data stored in a plurality of registers associated with a stage-2 SHA hash circuit using an input value, calculate a plurality of speculative computation bits using a plurality of bits of the state data, and transmit the plurality of speculative computation bits to the processor.
    Type: Grant
    Filed: June 29, 2016
    Date of Patent: June 4, 2019
    Assignee: Intel Corporation
    Inventors: Vikram B. Suresh, Sudhir K. Satpathy, Sanu K. Mathew
  • Patent number: 10298546
    Abstract: Robust security of copyright-protected content is provided when such content is digitally stored in a storage device of a client device in encrypted form. The copyright-protected content is encrypted by a server device using a private key and a corresponding public key is used for decryption by the client device. Because access to the private key cannot be determined from the corresponding public key, and because the private key and public key are based at least in part on a unique ID number embedded in the data storage device, decryption can only be performed by the data storage device in the client device. In some embodiments, robust security of private data stored in a server device is provided using a similar public-key/private-key pair and encryption scheme.
    Type: Grant
    Filed: March 7, 2014
    Date of Patent: May 21, 2019
    Assignee: TOSHIBA MEMORY CORPORATION
    Inventor: Daisuke Hashimoto
  • Patent number: 10282526
    Abstract: An electronic device dynamically generates a password for one-time only usage. The one-time password is constructed by placing, in a random sequential order: (i) several randomly chosen digits and (ii) several digits, which are randomly selected from personal identification numbers, which were previously provided by an authorized user. The current user of the device is presented with a natural-language password hint, which describes the sequence of digits in the password. Only the authorized user knows the personal identification numbers; and so is able to construct, on-the-fly, the one-time password, and present that password to the device. The password hint may be presented aloud, in audio form, and the password may be entered into the device via speech. If someone nearby hears the hint and/or the password, they cannot use it at a later time to gain device control or data access, since the password is only valid the one time.
    Type: Grant
    Filed: December 9, 2015
    Date of Patent: May 7, 2019
    Assignee: HAND HELD PRODUCTS, INC.
    Inventor: Matthew Nichols
  • Patent number: 10284545
    Abstract: Example embodiments include systems and methods for establishing secure wireless communications, including receive from a mobile user equipment (UE), via the access point (AP), a request to access the network, send, to the UE, a web page sign-in option of a third-party credential, receive an indication to use the third-party credential, redirect the UE to a corresponding third-party website login page and include an identifier, receive an authorization from the UE via the AP, the authorization having been sent to the UE from the third-party website after providing valid third-party credential to the third-party website, generate a proxy-credential, bind the authorization to the proxy-credential in the database, send the proxy-credential to the mobile user equipment via the access point, and authorize, via the access control server and the AP, the UE to establish a secure connection.
    Type: Grant
    Filed: April 1, 2016
    Date of Patent: May 7, 2019
    Assignee: ARRIS Enterprises LLC
    Inventors: David S. Stephenson, Doron Givoni, Elad Cohen
  • Patent number: 10277401
    Abstract: A method for authenticating a document comprises obtaining the contents of a document, obtaining biometric characteristics from an individual, forming a message based on the contents of the document and the biometric characteristics of the individual, generating a digital signature based on the message and a key, and writing the digital signature to a Radio Frequency Identification (RFID) tag affixed to the document.
    Type: Grant
    Filed: October 9, 2017
    Date of Patent: April 30, 2019
    Assignee: SMARTRAC TECHNOLOGY FLETCHER, INC.
    Inventors: Jeffrey Zhu, Jun Liu
  • Patent number: 10275588
    Abstract: A method performed by a processor of a first electronic device includes transmitting first authentication information through a Body Area Network (BAN) interface circuit that communicates with a second electronic device using electrical signals conducted through electrodes contacting a body of a user extending between the first and second electronic devices. Second authentication information is received through a radiofrequency transceiver circuit that communicates via an antenna through an air-interface with the second electronic device. A command to control an operation of the second electronic device is communicated responsive to determining that a combination of the first authentication information and the second authentication information satisfies an authentication rule.
    Type: Grant
    Filed: March 8, 2016
    Date of Patent: April 30, 2019
    Assignee: CA, Inc.
    Inventor: Howard Abrams
  • Patent number: 10264458
    Abstract: In various embodiments, methods and systems for implementing motion-based parental controls on mobile devices using virtual private network (VPN)-based parental control services are provided. A parental control profile is received at a controlled device where the parental control profile includes instructions to configure the controlled device with a device motion-based control policy. The device motion-based control policy includes a motion-related condition and a resource that is restricted when the motion-related condition is met. A VPN is configured using the parental control profile. The VPN comprises a virtual point-to-point connection between the controlled device and a network of the parental control service. When it is determined that the motion-related condition of the controlled device has been met, a restricted mode is initiated on the controlled device to restrict the resource.
    Type: Grant
    Filed: May 19, 2016
    Date of Patent: April 16, 2019
    Assignee: Oath Inc.
    Inventors: Scott Dorfman, Umesh S. Chhatre
  • Patent number: 10257708
    Abstract: One or more beaconing devices transmit synchronized changing beacons. The changing beacons trigger execution of an application that is installed but closed or not running on a mobile device, that is in wireless beaconing range of a beaconing device, and that has registered the changing beacons with the mobile device operating system (“OS”) to trigger execution of the application upon receipt of the changing beacons. The changing beacons also keep the executing application running by resetting OS policies for closing the application when it is running with the mobile device in a locked or standby state. The application may perform different procedures at different times with the beaconing device or other devices including authorizing access to a secured resource when the mobile device is far away from the beaconing device, and confirming intent to access the secured resource when the mobile device is close to the beaconing device.
    Type: Grant
    Filed: August 20, 2018
    Date of Patent: April 9, 2019
    Assignee: OPENPATH SECURITY INC.
    Inventors: Samy Kamkar, Cameron Kaye, Jacqueline Mak
  • Patent number: 10230734
    Abstract: Systems and techniques to identify and modify unused (or seldom used) access privileges are described. Group membership data may be correlated with access map data to create a user-resource access map identifying privilege levels associated with individual user accounts to access computing resources in a computing system. User activity event logs generated as a result of user accounts accessing the resources may be correlated with the user-resource access map to identify user accounts that do not use (or seldom use) particular privilege levels to access particular resources. The identified user accounts may be modified to remove the unused (or seldom used) privilege levels.
    Type: Grant
    Filed: December 8, 2015
    Date of Patent: March 12, 2019
    Assignee: QUEST SOFTWARE INC.
    Inventors: Jake Seigel, Robert MacIntosh
  • Patent number: 10216943
    Abstract: Dynamic security questions. In an embodiment of the invention, a security question and one or more rules for generating an answer to the security question are received. The security question and the rules for generating an answer to the security question are associated with security credentials of a user. For authentication, a first answer to a security question associated with a user is received. One or more rules for generating an answer to the security question are retrieved. A second answer to the security question is generated, based on the retrieved rules. The first answer is compared with the second answer, and the user is authenticated, based on the first answer matching the second answer.
    Type: Grant
    Filed: December 17, 2015
    Date of Patent: February 26, 2019
    Assignee: International Business Machines Corporation
    Inventors: Hariharan Krishna, Arun Ramakrishnan, Ashrith Shetty, Rohit Shetty
  • Patent number: 10210322
    Abstract: According to one aspect of the present disclosure, resource requests between software containers are accepted or rejected based on whether the software containers are part of a same logical software application. According to another aspect of the present disclosure, a request to start a software container is accepted or rejected based on whether the software container is digitally signed. According to another aspect of the present disclosure, a request to perform a container operational action for a first software container is accepted or rejected based on whether a security registry includes a rule governing the requested container operational action for the first software container, and if the software container is already running, based also on what entity started the software container.
    Type: Grant
    Filed: March 29, 2016
    Date of Patent: February 19, 2019
    Assignee: AQUA SECURITY SOFTWARE, LTD.
    Inventor: Amir Gerebe
  • Patent number: 10212148
    Abstract: For sharing of information in a virtual or online environment, methods and systems are provided which enable verifying attributes of an individual. An individual registered for participation in a virtual or online environment may provide evidence of the attributes from a verification source that exists outside the virtual or online environment. An administrator associated with the virtual or online environment verifies the attributes by receipt of the evidence. Alternatively, the attribute for the individual may be verified after receipt of one or more signals indicating individuals registered for participation in the virtual or online environment have corroborated the attributes. A verification indication for an attribute may be shared with other individuals in the virtual or online environment.
    Type: Grant
    Filed: May 23, 2018
    Date of Patent: February 19, 2019
    Assignee: MBR INNOVATIONS LLC
    Inventor: Matthew B. Rappaport
  • Patent number: 10192041
    Abstract: Disclosed herein are methods and systems for authentication using zero-knowledge code. One embodiment takes the form of a process that includes detecting an accessory-access-request event associated with a trusted accessory. The process includes generating a seed sequence having a first number of seed-sequence elements. The process includes outputting an indication of at least one seed-sequence element. The process includes receiving at least one seed-sequence-element-modifier signal for at least one of the seed-sequence elements. The process includes modifying the generated seed sequence in accordance with the at least one received seed-sequence-element-modifier signal. The process includes comparing the modified seed sequence with a stored access sequence. The process includes granting operational access to the trusted accessory when the modified seed sequence matches the stored access sequence.
    Type: Grant
    Filed: September 22, 2015
    Date of Patent: January 29, 2019
    Assignee: NAGRAVISION S.A.
    Inventors: Nicolas Fischer, Laurent Gauteron
  • Patent number: 10177915
    Abstract: The systems, methods and apparatuses described herein provide a computing device that is configured to attest itself to a communication partner. In one aspect, the computing device may comprise a communication port configured to receive an attestation request from the communication partner, and an application-specific integrated circuit (ASIC). The ASIC may be configured to receive the attestation request from the communication port. The attestation request may include a nonce generated at the communication partner. The ASIC may further generate a verification value and send the verification value to the communication port to be transmitted back to the communication partner. The verification value may be a computation result of a predefined function taking the nonce as an initial value. In another aspect, the communication partner is configured to attest the computing device using speed of computation attestation.
    Type: Grant
    Filed: March 11, 2014
    Date of Patent: January 8, 2019
    Assignee: OLogN Technologies AG
    Inventor: Sergey Ignatchenko
  • Patent number: 10177916
    Abstract: The systems, methods and apparatuses described herein provide a computing device that is configured to attest itself to a communication partner. In one aspect, the computing device may comprise a communication port configured to receive an attestation request from the communication partner, and an application-specific integrated circuit (ASIC). The ASIC may be configured to receive the attestation request, which may include a nonce. The ASIC may be further configured to generate a verification value, capture data representing a state of computation of the ASIC when the verification value is being generated, and send the verification value and captured data to the communication port to be transmitted back to the communication partner. The verification value may be a computation result of a predefined function taking the nonce as an initial value. In another aspect, the communication partner may be configured to attest the computing device using speed of computation attestation.
    Type: Grant
    Filed: June 28, 2017
    Date of Patent: January 8, 2019
    Assignee: OLogN Technologies AG
    Inventor: Sergey Ignatchenko
  • Patent number: 10169547
    Abstract: A computing system record security architecture comprises, in one example, a record generation component configured to generate a record in a computing system, the record having an owner property that identifies a first user as an owner of the record, a record security component configured to control modification of the record based on the owner property of the record, and a record ownership transfer component configured to receive an indication of an ownership transfer of the record from the first user to a second user and to modify the owner property to identify the second user as the owner of the record.
    Type: Grant
    Filed: September 22, 2015
    Date of Patent: January 1, 2019
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Jaskaran Singh, Dipak S. Pawar, Andrew W. Lu
  • Patent number: 10162978
    Abstract: Systems and methods are provided for implementing a secure computing system with encryption, including a file system with a set of encryption zones. Each encryption zone includes encrypted data files. The secure computing system also includes a set of encrypted data encryption keys, each of which corresponds to one of the encrypted data files, such that unencrypted versions of the encrypted data encryption keys decrypt the corresponding encrypted data files. Further, the secure computing system includes an encryption zone key for each of the encryption zones. Each of the encryption zone keys corresponds to at least one of the encrypted data encryption keys, such that the encryption zone keys decrypt the corresponding encrypted data encryption keys to generate the unencrypted version of the encrypted data encryption key. Thusly, various implementations of the secure computing system may comply with one or more information security standards for sensitive data.
    Type: Grant
    Filed: September 22, 2015
    Date of Patent: December 25, 2018
    Assignee: MasterCard International Incorporated
    Inventor: Tiangong Sun
  • Patent number: 10158618
    Abstract: A system for providing information server security in a distributed computing environment achieved by injecting a proprietary mediating entity into the solicitation of service request process via web server between application servers and information servers. The system comprises a computer apparatus, a mediating entity, solicitation for service requests and responses to the solicitations for service requests. The mediating entity is comprised of an application server hosting a proprietary mediating entity client and a mediating entity server, where the proprietary mediating entity client comprises industry-recognized business organization selected security protocols. The information server comprises a database server and a database, the database comprises data that is extracted or stored based on the service request.
    Type: Grant
    Filed: March 6, 2013
    Date of Patent: December 18, 2018
    Assignee: NUESOFT TECHNOLOGIES, INC.
    Inventors: Massoud Alibakhsh, Shahram Famorzadeh
  • Patent number: 10135828
    Abstract: Technologies for secure server access include a client computing device that loads a license agent into a secure enclave established by a processor of the client computing device. The license agent receives a request from an application to access a remote server device. The license agent opens a secure connection with the server device and performs remote attestation of the secure enclave. The license agent authenticates the user and transmits a machine identifier and a user identifier to the server device. The machine identifier may be based on an enclave sealing key of the client computing device. The server device verifies that the machine identifier and the user identifier are bound to a valid application license. If the machine identifier and the user identifier are successfully verified, the application communicates with the server device using the secure connection. Other embodiments are described and claimed.
    Type: Grant
    Filed: August 21, 2017
    Date of Patent: November 20, 2018
    Assignee: Intel Corporation
    Inventors: Oron Lenz, Noam Milshten, Ilya Berdichevsky