Patents Examined by Michael Chao
  • Patent number: 9270459
    Abstract: Techniques for achieving tenant data confidentiality in a cloud environment are presented. A daemon process within a Tenant Storage Machine (TSM) manages a key store for a particular tenant of a cloud storage environment having multiple other tenants. Just TSM storage processes are given access to the key store. Data is decrypted for the particular tenant when access is needed and data is encrypted using encryption keys of the key store when written in the cloud storage environment.
    Type: Grant
    Filed: September 12, 2012
    Date of Patent: February 23, 2016
    Assignee: CloudByte, Inc.
    Inventors: Umasankar Mukkara, Felix Xavier, Shyamsundar Ranganathan
  • Patent number: 9268960
    Abstract: Methods, system, and computer storage media are provided for moderating actions performed on shared data objects. Rule enforcement logic is received for an application that is associated with one or more data objects shared between various clients. The rule enforcement logic is stored at a data server that also stores data associated with data objects. A moderator, also stored on the data server, is used to enforce the rule enforcement logic corresponding to the application when a client attempts to perform an action to a data object associated with the application.
    Type: Grant
    Filed: June 1, 2011
    Date of Patent: February 23, 2016
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Jason Schleifer, Richard Zack Speyer, John R. Burkhardt, Ransom Richardson, Steven Lees
  • Patent number: 9268948
    Abstract: Efficient architecture for a secure access enforcement proxy is described. The proxy interfaces with multiple subsystems and multiple shared resources. The proxy identifies an original transaction command being sent from one of the subsystems to one of the shared resources, identifies a policy corresponding to the subsystem, performs an action pertaining to the original transaction command based on the policy, and sends a response to the subsystem based on the action.
    Type: Grant
    Filed: June 24, 2013
    Date of Patent: February 23, 2016
    Assignee: Intel Corporation
    Inventors: Adrian Pearson, Christopher Thornburg, Raymond Ng, Christopher Ruesga, Steve Brown, Dmitrii Loukianov, Ziv Kfir, Barak Hermesh
  • Patent number: 9270689
    Abstract: Systems and methods are provided that enable probabilistic application of data traffic scanning in an effort to catch malicious software or code being carried by the data traffic. The methodology and systems operate by monitoring data traffic in a data network via an interface with the data network, calculating a first conditional probability that content in first given data traffic being monitored is malicious, calculating a second conditional probability that content in second given data traffic being monitored is malicious, ranking the first and second conditional probabilities resulting in ranked conditional probabilities, and performing at least one of anti-virus (AV) or anti-malware (AM) scanning of the content of the first or second given data traffic depending on whose conditional probability is ranked higher in the ranked conditional probabilities.
    Type: Grant
    Filed: June 21, 2012
    Date of Patent: February 23, 2016
    Assignee: Cisco Technology, Inc.
    Inventors: Jisheng Wang, Daniel Quinlan, Lee Jones
  • Patent number: 9258595
    Abstract: The processing device is intended to be connected to a network of the second domain so as to receive data encrypted according to an encryption method specific to the first domain. It comprises: a memory for containing a first secret specific to the first domain; means of decryption of the data encrypted with the aid of the first secret so as to obtain decrypted data; means of encryption of the data decrypted according to an encryption method specific to the second domain, so that the data encrypted by said means of encryption cannot be decrypted other than with the aid of a second secret specific to the second domain. The invention also relates to the method for transmitting data encrypted with the aid of the secret specific to the first domain in the network of the second domain.
    Type: Grant
    Filed: February 21, 2003
    Date of Patent: February 9, 2016
    Assignee: THOMSON LICENSING
    Inventors: Alain Durand, Christophe Laurent, Sylvain Lelievre
  • Patent number: 9258301
    Abstract: A method, system, apparatus, and computer program product are provided for facilitating advanced authentication techniques. For example, a method is provided that includes receiving at least one request to access at least one resource and receiving at least one composite authentication credential, the composite authentication credential comprising a first credential component and a second credential component. The method further includes determining whether the first credential component is valid, determining whether the second credential component is valid and, in an instance in which it is determined that the first and second credential components are valid, causing access to the at least one resource to be permitted.
    Type: Grant
    Filed: December 2, 2013
    Date of Patent: February 9, 2016
    Assignee: AirWatch LLC
    Inventor: Alan Dabbiere
  • Patent number: 9251319
    Abstract: A method and apparatus for using a non-volatile storage device includes reading device identification information from the non-volatile storage device, application identification information corresponding to a content application related to a type of content to be protected or utilized among a plurality of content applications is acquired, usage identification information is generated using the device identification information and the application identification information, and protecting or utilizing content using the usage identification information.
    Type: Grant
    Filed: July 12, 2012
    Date of Patent: February 2, 2016
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Bo-Gyeong Kang, Moon-Sang Kwon, Byung-Rae Lee, Jae-Bum Lee
  • Patent number: 9239916
    Abstract: A method is used in using spatial diversity with secrets. A spatially diverse presentation is presented. A reaction of a user to the spatially diverse presentation is received and analyzed. The analysis is used as a basis for helping to determine whether the user has knowledge of a secret.
    Type: Grant
    Filed: September 28, 2011
    Date of Patent: January 19, 2016
    Assignee: EMC Corporation
    Inventor: Daniel V. Bailey
  • Patent number: 9237149
    Abstract: An apparatus and a method for a certificate-based distributed policy system is described. A policy server receives over a communication channel a data structure associated with an object to be managed across a communication boundary between a client and the policy server. The policy server generates an object certificate upon validation of the object and validation of an initiator of the object. The data structure includes a serialized representation of public properties of the object, a hash of the object in a canonical serialized form, and a signature of the public properties and hash using the initiator's private key.
    Type: Grant
    Filed: February 27, 2009
    Date of Patent: January 12, 2016
    Assignee: Red Hat, Inc.
    Inventor: James Paul Schneider
  • Patent number: 9235713
    Abstract: The present invention relates to the field of computers, and disclosed are a method, device, and system for encrypting and decrypting an image. The method for encrypting an image includes: encrypting a preset size of header data of a to-be-encrypted image, and obtaining an encrypted data corresponding to the header data; determining a storage location for saving the encrypted data, saving the encrypted data in the storage location, and acquiring an offset for saving the encrypted data; and placing the encryption identifier and the offset in a storage area of the preset size of the to-be-encrypted image, so as to encrypt the to-be-encrypted image. The system includes: a device for encrypting an image and a device for decrypting an image. The present invention is capable of improving the speed and efficiency of encrypting and decrypting an image.
    Type: Grant
    Filed: September 27, 2013
    Date of Patent: January 12, 2016
    Assignee: TENCENT TECHNOLOGY (SHENZHEN) COMPANY LIMITED
    Inventors: Jianming Chen, Xiaosheng Zheng
  • Patent number: 9230089
    Abstract: Systems and methods are disclosed to authenticate and authorize a user for web services using user devices. In various embodiments, a method may comprise: identifying, by a user device security manager executing at a user device corresponding to a user of a web service, a first request issued from an application to access remote resources associated with the web service, the application executing at the user device and separate from the user device security manager; acquiring, by the user device security manager, security information of the application in response to the identifying of the first request, the security information including at least one of an application identification, an access scope or a nonce of the application; and transmitting a second request from the user device security manager to the web service to authenticate the application by the web service based, at least in part, on the application identification.
    Type: Grant
    Filed: December 10, 2012
    Date of Patent: January 5, 2016
    Assignee: eBay Inc.
    Inventor: Rajeev Angal
  • Patent number: 9225682
    Abstract: An example method is provided and includes intercepting an action request from an entity for an action to be performed with respect to a resource in a cloud environment, where the action request comprises a resource facet that controls access to the resource. The method also includes determining whether the resource facet is valid for the action by evaluating a policy associated with the resource; and allowing the action.
    Type: Grant
    Filed: October 3, 2013
    Date of Patent: December 29, 2015
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Dipankar Sarkar, Oleg Danilov, Alok Batra, John M. Morrell
  • Patent number: 9226144
    Abstract: Systems and methods of performing link setup and authentication are disclosed. A method includes receiving, at a mobile device, a first access point nonce (ANonce) from an access point and generating a first pairwise transient key (PTK) using the first ANonce. The mobile device sends an authentication request including a station nonce (SNonce) to the access point, where the authentication request is protected using the first PTK. The mobile device receives an authentication response including a second ANonce from the access point, where the authentication response is protected using a second PTK. The mobile device generates the second PTK using the second ANonce and the SNonce and uses the second PTK to protect at least one subsequent message to be sent from the mobile device to the access point.
    Type: Grant
    Filed: February 14, 2014
    Date of Patent: December 29, 2015
    Assignee: Qualcomm Incorporated
    Inventors: George Cherian, Philip Michael Hawkes, Santosh Paul Abraham, Hemanth Sampath
  • Patent number: 9225525
    Abstract: A method and system for identity management certificate operations is described.
    Type: Grant
    Filed: February 26, 2010
    Date of Patent: December 29, 2015
    Assignee: Red Hat, Inc.
    Inventors: Christina Fu, Andrew Wnuk
  • Patent number: 9225516
    Abstract: A system and methods are provided for establishing an authenticated and encrypted communication connection between two devices with at most two round-trip communications. During establishment of an initial authenticated, encrypted communication connection (or afterward), a first device (e.g., a server) provides the second device (e.g., a client) with a token (e.g., a challenge) that lives or persists beyond the current connection. After that connection is terminated and the second device initiates a new connection, it uses the token as part of the handshaking process to reduce the necessary round-trip communications to one.
    Type: Grant
    Filed: October 3, 2013
    Date of Patent: December 29, 2015
    Assignee: WHATSAPP INC.
    Inventors: Bryan D. O'Connor, Eugene Fooksman
  • Patent number: 9213831
    Abstract: The various aspects provide a method for recognizing and preventing malicious behavior on a mobile computing device before it occurs by monitoring and modifying instructions pending in the mobile computing device's hardware pipeline (i.e., queued instructions). In the various aspects, a mobile computing device may preemptively determine whether executing a set of queued instructions will result in a malicious configuration given the mobile computing device's current configuration. When the mobile computing device determines that executing the queued instructions will result in a malicious configuration, the mobile computing device may stop execution of the queued instructions or take other actions to preempt the malicious behavior before the queued instructions are executed.
    Type: Grant
    Filed: October 3, 2013
    Date of Patent: December 15, 2015
    Assignee: QUALCOMM Incorporated
    Inventors: Vinay Sridhara, Satyajit Prabhakar Patne, Rajarshi Gupta
  • Patent number: 9204365
    Abstract: An access point sends an indication or message to a network entity to indicate whether the network entity is to perform access control for an access terminal. In some implementations the indication/message may comprise an explicit indication of whether or not that network entity is to perform the access control. In some implementations, the inclusion of information (e.g., a CSG identifier) in the message or the exclusion of information from the message indicates whether the network entity is to perform the access control.
    Type: Grant
    Filed: January 29, 2010
    Date of Patent: December 1, 2015
    Assignee: QUALCOMM Incorporated
    Inventors: Damanjit Singh, Manoj M. Deshpande, Osok Song
  • Patent number: 9197406
    Abstract: To provide key management layered on a quasi-out-of-band authentication system, a security server receives a request for activation of a user interface window for a particular user from a network device via a communication channel. It then transmits an activation PIN to an out of band authentication system for forwarding to the user's telephone via a voice or text message. It next receives the previously transmitted PIN from the network device via the communication channel, and authenticates the user based on the received PIN. After authenticating the user, it establishes a secure, independent, encrypted communication channel between the user interface window and the security server on top of the original communication channel. It then generates and transmits to the user interface window and/or receives from the user interface window via the secure communication channel, key material and certificate material for public key and/or symmetric key cryptography based operations.
    Type: Grant
    Filed: February 21, 2014
    Date of Patent: November 24, 2015
    Assignee: AUTHENTIFY, INC.
    Inventor: Ravi Ganesan
  • Patent number: 9197615
    Abstract: An access specific key is provided for securing of a data transfer between a mobile terminal and a node of an access net. For authentication of the mobile terminal, an authentication server generates a session key, from which a basic key is derived and transferred to an interworking-proxy-server. The interworking-proxy-server derives the access specific key from the transferred basis key and provides the key to the node of the access net.
    Type: Grant
    Filed: August 9, 2007
    Date of Patent: November 24, 2015
    Assignee: SIEMENS AKTIENGESELLSCHAFT
    Inventors: Rainer Falk, Günther Horn, Dirk Kröselberg
  • Patent number: 9189620
    Abstract: Embodiments of apparatuses, articles, methods, and systems for protecting software components using transition point wrappers are generally described herein. In one embodiment, an apparatus includes a first component, a wrapper component, and a management module. The wrapper component is to transform a transition point between the first component and a second component. The management module is to control access to the first component through the transformed transition point. Other embodiments may be described and claimed.
    Type: Grant
    Filed: June 30, 2009
    Date of Patent: November 17, 2015
    Assignee: Intel Corporation
    Inventors: Prashant Dewan, Vedvyas Shanbhogue