Abstract: A user device stores first authentication information used to grant access to a resource associated with a first application, and configuration information relating to a second application. The user device receives an authentication request from the second application requesting second authentication information. Based on the configuration information relating to the second application, the user device determines whether the first authentication information contains some or all of the requested second authentication information. The user device generates an authentication response to the authentication request, using the first authentication information, and sends the authentication response to the second application in order to permit access to a resource associated with the second application.

Abstract: A method to enforce watermarking instructions by a security module in a receiving device, comprising the steps of receiving a security message by—a security module, comprising at least a content key, watermark instructions and security message signature, said watermark instruction activates or deactivates a watermarking module, decrypting—a security message with a transmission key, verifying—a security message signature, and in case of successful verification, reading a watermarking data from the watermarking module, verifying the authenticity of the watermarking data, and in case of successful verification, transmitting the watermark instructions to the watermark module and the content key to a descrambling module.

Abstract: Space-efficient key allocations in broadcast encryption systems are provided. In some embodiments, a key bundle is read. The key bundle includes a first cryptographic key, an associated first key identifier, and an associated first cryptographic function identifier. Encrypted content is received. A plurality of encrypted keys is received. Each encrypted key has an associated identifier. A first encrypted key is selected from the plurality of encrypted keys such that the key identifier of the first encrypted is equivalent to the first key identifier. A first cryptographic function is determined corresponding to the first cryptographic function identifier. The first cryptographic function is applied to the first encrypted key using the first cryptographic key to obtain a first intermediate cryptographic key. A content cryptographic key is determined using the first intermediate cryptographic key. The content cryptographic key is applied to the encrypted content to obtain decrypted content.

Abstract: A method implemented in an edge router, the method comprising receiving an authentication request from a device, forwarding the authentication request to an authentication and policy server, receiving an authentication response and an indication of a device tag from the authentication and policy server, wherein the device tag is based on a characteristic of the device, a location, a destination, or a user of the device, forwarding the authentication response to the device, receiving a policy associated with the device tag from the authentication and policy server, receiving a packet from the device, embedding the device tag in the packet to form a tagged packet, and executing the policy.

Abstract: Methods and systems are provided for creation and implementation of firewall policies. Method of the present invention includes enabling a firewall device to maintain a log of network traffic flow observed by the device. The method further includes enabling firewall device to receive an administrator request for a customized report to be generated based on log of network traffic and generating the report by extracting information from the log based on report parameters, where the report includes desired network traffic items that are associated with one or more action objects. The method further provides for firewall device to receive a directive to implement an appropriate firewall policy on one or more network traffic items responsive to interaction of administrator with one or more action objects corresponding to the network traffic items. Based on the directive and information from log, the firewall then defines and/or establishes appropriate firewall policy.

Abstract: An image viewing system includes: a first mobile terminal having an image transmitting unit which transmits image data; an ID transmitting unit which transmits, to an image server, a viewing-allowed-terminal ID that identifies a mobile terminal allowed for viewing of the image data; the image server having an obtaining unit which obtains the viewing-allowed-terminal ID and viewing allowance information indicating whether a state of the image data transmitted by the transmitter mobile terminal is a viewing-available state or a viewing-unavailable state and a server memory unit which stores the viewing allowance information and the viewing-allowed-terminal ID; and a second mobile terminal having a first receiving unit which receives the image data and an inquiry unit which makes an inquiry, to the image server, as to whether or not the image data is available for viewing.

Abstract: Techniques for generating and enforcing document visibility rights associated with a document in use with an electronic signature service are described. Consistent with embodiments of the invention, document visibility rights can be established for each person designated to sign and/or receive a copy of a document, and on a per-page, per-document section, or per-source document basis. Additionally, visibility rights may be conditional, such that various events (including the signing of a document) may modify visibility rights making a previously un-viewable page or document section viewable to a particular person.

Abstract: A method and/or system for using a file whitelist may include receiving a request to approve an application for release in an application store. The request may comprise application data. The application data may comprise a resource manifest and/or a file whitelist. The resource manifest may comprise, for example, one or more resource items. The file whitelist may comprise, for example, one or more file items. The request may be analyzed based on application data. A determination may be made whether the applications may be released in the application store based on the analyzing of the applications data. A request to access a particular file may be received. A determination of whether to grant the request may be based on a resource manifest and/or a file whitelist associated with the application.

Abstract: Disclosed herein are systems, methods, and software for facilitating application forensics. In least one implementation, the identity of a user associated with an attempt to access an application program that resides in a development environment is determined. Information is generated with which to encode the identity of the user in a various views of the application program rendered in a runtime environment. A reply to the attempt is communicated that includes the information and at least a portion of the application program.

Abstract: Systems and methods provide multiple partitions hosted on an isolation technology such as a hypervisor where at least one of the partitions, a local secure service partition (LSSP), provides security services to other partitions. The service partitions (LSSPs) host those high assurance services that require strict security isolation, where the service can be shared across partitions and accessed even when the user is not connected to a network. The LSSP also can certify the results of any computation using a key signed by a TPM attestation identity key (AIK), or other key held securely by the hypervisor or a service partition. The LSSPs may be configured to provide trusted audit logs, trusted security scans, trusted cryptographic services, trusted compilation and testing, trusted logon services, and the like.

Abstract: A method for evaluating security during an interactive service operation by a mobile communications device includes launching, by a mobile communications device, an interactive service configured to access a server over a network during an interactive service operation, and generating a security evaluation based on a plurality of trust factors related to a current state of the mobile communications device, to a security feature of the application, and/or to a security feature of the network. When the security evaluation is generated, an action is performed based on the security evaluation.

Abstract: Embodiments of the disclosure can include systems and methods for secure file transfers. The onsite monitoring system secure file transfer solution can allow for transferring operational data by an onsite system behind a firewall to a central monitoring and diagnostic infrastructure by sending asynchronous, concurrent, parallel files over a port using a previously opened connection.

Abstract: A wireless communications system mitigates the threat of a man-in-the-middle attack when sharing network credentials with a new device. A new wireless device signals that it needs credentials if no other devices are signaling that they need credentials. The new device provides a visible or audible indicator when requested to do so by a device with credentials. Either in response to approval by a user or automatically in response to the indicator, the device with credentials shares credentials with the new device, which can then establish a connection to the network.

Abstract: Generally, this disclosure describes technologies for restoring and/or synchronizing templates such as biometric templates to/among one or more client devices. In some embodiments one or more client devices may register with a synchronization server and provide encrypted copies of their reference templates to the server. In a restoration operation, the synchronization server may provide an encrypted copy of a client's reference template(s) to the client, which may decrypt them in a protected environment. In a synchronization operation, the synchronization server may provide encrypted copy of a first client's template(s) to a plurality of second clients. The second clients may then decrypt the encrypted template(s) within a protected environment using an appropriate decryption key.

Abstract: Described are techniques and systems for providing service account credentials to a media device. A remote control configured to control the media device may include a remote identifier, service account credentials, or both to the media device. The media device may acquire the service account credentials, and configure the media device to perform one or more operations using the service account credentials. As different remote controls associated with different service account credentials are used, the media device is reconfigured according to the inputs from those remote controls.

Abstract: A method for registering a computing device to a user account using at least one user-selected fingerprintable device externally accessible to the computing device including transmitting a registration information request to the computing device, receiving at least one device fingerprint of the at least one user-selected fingerprintable device accessible by the computing device, and primary identification data of the computing device, generating a skeleton key, recording the primary identification data, and associating the skeleton key and the primary identification data with the user account.

Abstract: Embodiments relate to managing authentication policies for users on a network of an organization. A computer-implemented method for managing an authentication policy for a user on a network of an organization is provided. The method maintains a current risk assessment score of the user based on an organizational role of the user within the organization and a history of security violations on the network. The method determines the authentication policy for the user based on the current risk assessment score.

Abstract: Techniques are described to provide revocable object access. In an implementation, a user may provide content and an object (e.g., a picture) to be published with the content. The object is uploaded to a storage location, and a uniform resource locator (URL) that includes a token is generated for the object. The token is registered in an access control list (ACL), and token permission settings in the ACL are utilized to control access to the object. The URL may be embedded in the content. When a viewer requests the content, the object may be retrieved from the storage location using the URL. The user may revoke access to the object by changing the token permission settings in the ACL.

Abstract: A system and method for employing a mechanism for unlocking a vehicle ECU. The ECU stores a unique ECU identification value that identifies the particular ECU and a secure server stores the ECU identification value and a unique ECU security key value, where the identification value identifies the security key value in the server, and where the secure server stores the unique ECU identification value and the unique security key value for many ECUs. A service tool that wants to gain access to the ECU for software reprogramming or service requests the ECU identification value and a challenge from the ECU and sends them to the secure server, which then identifies the security key value associated with that ECU identification value and the response for the challenge. The secure server then sends the response to the service tool, which provides it to the ECU to unlock it for programming.

Abstract: Methods and structure for Digital Rights Management (DRM) are provided. An exemplary system includes a Digital Rights Management (DRM) licensing server. The DRM licensing server is able to receive authentication information generated by a DRM module of a client device, and to receive a device identifier that uniquely distinguishes the client device from other client devices, wherein the device identifier has been generated by the DRM module. The DRM licensing server is further able to authenticate the DRM module based on the authentication information, to create a signed identifier based on the device identifier responsive to authenticating the DRM module, and to transmit the signed identifier to the client device. The system also includes an application server able to register the client device with an account at the application server, based on the signed identifier.