Patents Examined by Pramila Parthasarathy
  • Patent number: 8737608
    Abstract: A data input is divided into two segments. The second segment is raised to a power of a function of the first segment, the power being relatively prime to a function of a predefined modulus. The modulus is then applied to the result. The transformed data is assembled from the first segment and the remainder modulo the modulus. This data transformation can be applied in combination with a key derivation algorithm, a key wrapping algorithm, or an encryption algorithm to enhance the security of these other applications.
    Type: Grant
    Filed: March 2, 2012
    Date of Patent: May 27, 2014
    Assignee: CMLA, LLC
    Inventors: Ivan Bjerre Damgaard, Torben Pryds Pedersen, Vincent Rijmen
  • Patent number: 8739265
    Abstract: An intercepting proxy server processes traffic between an enterprise user and a cloud application. The intercepting proxy server provides interception of real data elements in communications from the enterprise to the cloud and replacing them with obfuscating tokens. Tokens included in results returned from the cloud are intercepted by the intercepting proxy server, and replaced with the corresponding real data elements. In order for the sort order of the tokens to correspond to the sort order of the corresponding real data elements, a sort order preserving data compression is performed on parts of the real data elements, and the compressed values concatenated with the obfuscated tokens, thus producing sortable tokens which, even though they are obfuscated, appear in the correct sort order in the cloud application.
    Type: Grant
    Filed: April 19, 2012
    Date of Patent: May 27, 2014
    Assignee: Perspecsys Inc.
    Inventors: George Weilun Ang, John Harold Woelfel, Terrence Peter Woloszyn
  • Patent number: 8732478
    Abstract: A security framework for a host computer system which allows a host to control access to a compliant security token by ensuring enforcement of established security policies administered by a middleware application. Processing between the host computer system and the security token is performed using one or more modular security application agents. The modular security application agents are counterpart applications to security applications installed in the security token and may be retrieved and installed upon to ensure compatibility between counterpart token and host security applications. The security policies are a composite of host security policies and token security policies which are logically combined by the middleware application at the beginning of a session.
    Type: Grant
    Filed: February 25, 2011
    Date of Patent: May 20, 2014
    Assignee: Assa Abloy AB
    Inventors: Eric Le Saint, John Boyer
  • Patent number: 8695088
    Abstract: Proposed is a Capability Management System (CMS) in a distributed computing environment that controls access to multiple objects by multiple subjects based upon a specified access order. A capability is dynamically constructed when the capability is needed. After the capability is used to access an object, a new capability is generated. In the alternative, multiple capabilities for enforcing an access order are generated independently of each other. The new capability is then employed by the same or another subject to access the object according to a prescribed access sequence. In this manner, at any particular time there is one capability valid to access the object by the appropriate subject. In addition, the capability includes information for verifying the authenticity of the capability and for specifying an expiration time associated with the capability. The technology may also be enhanced by providing a linkage between capabilities intended for use in a sequence.
    Type: Grant
    Filed: May 8, 2012
    Date of Patent: April 8, 2014
    Assignee: International Business Machines Corporation
    Inventor: I-Lung Kao
  • Patent number: 8695101
    Abstract: A computer hardware-implemented method, system, and/or computer program product determines an applicability of a data privacy regulation when transmitting data used with an enterprise project. A data privacy regulation describes regulatory restrictions on data being transmitted from a first geopolitical entity to a second geopolitical entity. A set of categorized data is used by an enterprise project, and the data privacy regulation establishes limitations on a transmission of at least one category of data, from the set of categorized data, from the first geopolitical entity to the second geopolitical entity. A first set of binary data and a second set of binary data are processed to determine if transmission of said at least one category of data from the first geopolitical entity to the second geopolitical entity is regulated by the data privacy regulation.
    Type: Grant
    Filed: April 9, 2012
    Date of Patent: April 8, 2014
    Assignee: International Business Machines Corporation
    Inventors: Rima Bajaj, Hyman D. Chantz, David A. Chapin, Amy E. Creswick, Eduardo M. Da Silva, Alison L. Graham, Chee Yen Lim, Adam C. Nelson, Nicholas J. Norris, Gregory J. Riche, Varun Sharma, Nevenko Zunic
  • Patent number: 8695098
    Abstract: Method to detect security vulnerabilities includes: interacting with a web application during its execution to identify a web page exposed by the web application; statically analyzing the web page to identify a parameter within the web page that is constrained by a client-side validation measure and that is to be sent to the web application; determining a server-side validation measure to be applied to the parameter in view of the constraint placed upon the parameter by the client-side validation measure; statically analyzing the web application to identify a location within the web application where the parameter is input into the web application; determining whether the parameter is constrained by the server-side validation measure prior to the parameter being used in a security-sensitive operation; and identifying the parameter as a security vulnerability.
    Type: Grant
    Filed: June 30, 2011
    Date of Patent: April 8, 2014
    Assignee: International Business Machines Corporation
    Inventors: Marco Pistoia, Ori Segal, Omer Tripp
  • Patent number: 8683230
    Abstract: In accordance with certain aspects, data is received from a calling program. Ciphertext that includes the data is generated, using public key encryption, in a manner that allows the data to be obtained from the ciphertext only if one or more conditions are satisfied. In accordance with another aspect, a bit string is received from a calling program. Data in the bit string is decrypted using public key decryption and returned to the calling program only if one or more conditions included in the bit string are satisfied.
    Type: Grant
    Filed: January 27, 2011
    Date of Patent: March 25, 2014
    Assignee: Microsoft Corporation
    Inventors: Paul England, Marcus Peinado
  • Patent number: 8677126
    Abstract: A method and system for transmission of digital content via e-mail with point of use digital rights management is disclosed. The secured access rights to the digital content may be customized for individual recipients by the sender, and may evolve over time. The access rights are enforced according to a time-dependent scheme. A key server is used to arbitrate session keys for the encrypted content, eliminating the requirement to exchange public keys prior to transmission of the digital content. During the entire process of transmitting and receiving e-mail messages and documents, the exchange of cryptographic keys remains totally transparent to the users of the system. Additionally, electronic documents may be digitally signed with authentication of the signature.
    Type: Grant
    Filed: June 29, 2012
    Date of Patent: March 18, 2014
    Assignee: NL Systems, LLC
    Inventors: Patrick Carson Meehan, Zachary Wisenbaker Price, Raymond Joseph Zambroski, Jr., William Henry Frenchu, Shawn Patrick Hickey, Jesse Lee White, Anthony Allen Mohr, Jeremy Wayne Gomsrud
  • Patent number: 8666076
    Abstract: A method of elliptic curve cryptography (ECC) using the enhanced window-based mutual opposite form (EW-MOF) on scalar multiplication. First, an elliptic curve and a base point on the elliptic curve are selected. Next, essential pre-computed points for a selected window size are calculated. Then, a private key is randomly generated and the mutual opposite form (MOF) is used to convert the private key's binary representation into a signed binary representation. Finally, a public key is calculated by using the enhanced window (EW) method. By greatly reducing the number of essential pre-computed points, the EW-MOF reduces average key generation time (including pre-computation time).
    Type: Grant
    Filed: April 13, 2012
    Date of Patent: March 4, 2014
    Assignee: National Chiao Tung University
    Inventors: Hung-Nan Ye, Kuo-Chen Wang, Rong-Hong Jan
  • Patent number: 8656188
    Abstract: A storage device has a storage medium and a processor. The processor is disposed within the storage device and is adapted to receive multiple commands as a command block over an interface. The processor is adapted to extract each of the multiple commands from the single block for execution on the storage device.
    Type: Grant
    Filed: May 13, 2010
    Date of Patent: February 18, 2014
    Assignee: Seagate Technology LLC
    Inventors: William Preston Goodwill, Thomas John Schwartzkopf, Robert H. Thibadeau, John R. Nestor
  • Patent number: 8650407
    Abstract: A system of screening servers, screener client computers, and screening kiosks distributes an applicant screening process among multiple sites and multiple participants. To facilitate and secure communications of screening results and applicant actions, a personal identification code is provided that identifies individual sets of screening results. In this manner, the applicant is authenticated and can then enter appropriate applicant profile data into a secure screening account, such as via a screening kiosk. Screening results may be generated for the applicant in association with a unique personal identification code. This code can then be communicated to the screener, who can access the screening results along with a recommendation, if desired, by sending the code to a screening server. The screener can also enter appropriate screening information into another secure screening account.
    Type: Grant
    Filed: July 26, 2012
    Date of Patent: February 11, 2014
    Assignee: TransUnion Rental Screening Solutions, Inc.
    Inventors: Michael A. Britti, Michael Jon Mauseth, Joel R. Springer, Robert D. Thornley
  • Patent number: 8649519
    Abstract: A method and apparatus for secure distribution of digital content is provided. In accordance with at least one embodiment, an intermediate device maintains an authorized content sink list which it uses to allow reauthorization of a first content sink for access to first content from a first content source when the first content sink has a first content sink entry on the authorized content sink list. In accordance with at least one embodiment, reauthorization is conditioned upon a first content sink entry currency status having not yet expired. In accordance with at least one embodiment, the intermediate device allows authentication of the first content sink by the first content source when no first content sink entry exists on the authorized content sink list or when the first content sink entry currency status has expired.
    Type: Grant
    Filed: August 24, 2010
    Date of Patent: February 11, 2014
    Assignee: RGB Systems, Inc.
    Inventor: Brian Taraci
  • Patent number: 8640225
    Abstract: An approach is provided for requesting access to content associated with a resource identifier. A system receives a first request to access content associated with a resource identifier. The system then determines to generate a second request for validating the content based, at least in part, on the resource identifier and to transmit the second request to a validation service. The system receives validation information based, at least in part, on the second request. In one embodiment, the validation information includes a preview of the content.
    Type: Grant
    Filed: September 24, 2010
    Date of Patent: January 28, 2014
    Assignee: Nokia Corporation
    Inventors: Akseli Anttila, Yumiko Tanaka, Robert Grant, Mischa Weiss-Lijn
  • Patent number: 8631145
    Abstract: Systems and methods of ensuring a predetermined quality of playback of media content are provided. The predetermined quality is determined by an encoder placing a passive flag or data field within a media file having a predetermined quality. The contents of the media file in which the passive flag or data field is located are not encrypted or designated within a particular standard. A decoder plays the media content within the media file upon detection of the passive flag or data field or in accordance with a value within the passive flag or data field and the certification of the device.
    Type: Grant
    Filed: November 2, 2009
    Date of Patent: January 14, 2014
    Assignee: Sonic IP, Inc.
    Inventor: Lee Milstein
  • Patent number: 8631242
    Abstract: A system of screening servers, screener client computers, and screening kiosks distributes an applicant screening process among multiple sites and multiple participants. To facilitate and secure communications of screening results and applicant actions, a personal identification code is provided that identifies individual sets of screening results. In this manner, the applicant is authenticated and can then enter appropriate applicant profile data into a secure screening account, such as via a screening kiosk. Screening results may be generated for the applicant in association with a unique personal identification code. This code can then be communicated to the screener, who can access the screening results along with a recommendation, if desired, by sending the code to a screening server.
    Type: Grant
    Filed: September 24, 2012
    Date of Patent: January 14, 2014
    Assignee: TransUnion Rental Screen Solutions, Inc.
    Inventors: Michael A. Britti, Michael Jon Mauseth, Joel R. Springer, Robert D. Thornley
  • Patent number: 8621243
    Abstract: In accordance with certain aspects, data is received from a calling program. Ciphertext that includes the data is generated, using public key encryption, in a manner that allows the data to be obtained from the ciphertext only if one or more conditions are satisfied. In accordance with another aspect, a bit string is received from a calling program. Data in the bit string is decrypted using public key decryption and returned to the calling program only if one or more conditions included in the bit string are satisfied.
    Type: Grant
    Filed: January 27, 2011
    Date of Patent: December 31, 2013
    Assignee: Microsoft Corporation
    Inventors: Paul England, Marcus Peinado
  • Patent number: 8613104
    Abstract: An outer COM object can be provided with privileged access to protected functionality in an inner COM object. An inner COM object can offer a custom protected interface to an outer COM object by creating a new inner internals COM object that is not available to a calling application or by creating a new extension IUnknown interface that can be used to access the protected content. An outer COM object can override behavior in an inner COM object. An inner COM object can offer access to custom behavior to an outer COM object by creating a new inner internals COM object that is not available to a calling application. The new inner internals COM object can implement a new interface that provides access to the customized (override) content or can create a new extension IUnknown interface that can be used to provide access to the customized (override) content.
    Type: Grant
    Filed: December 23, 2010
    Date of Patent: December 17, 2013
    Assignee: Microsoft Corporation
    Inventors: Michael John Hillberg, Sujal S. Parikh
  • Patent number: 8601286
    Abstract: In accordance with certain aspects, data is received and a digital signature is generated and output. The digital signature can be a digital signature of the data and one or more conditions that are to be satisfied in order for the data to be revealed, or a digital signature over data generated using a private key associated with a bound key that is bound to one or more processors.
    Type: Grant
    Filed: January 27, 2011
    Date of Patent: December 3, 2013
    Assignee: Microsoft Corporation
    Inventors: Paul England, Marcus Peinado
  • Patent number: 8584253
    Abstract: Access to content may be administered by storing content, the content comprising one or more selections, accessing a passive optical out-of-band token associated with the content, determining an access right for the content based on the passive optical out-of-band token, and enabling access to the content in accordance with the access right.
    Type: Grant
    Filed: August 29, 2011
    Date of Patent: November 12, 2013
    Assignee: Time Warner Inc.
    Inventors: Steven M. Blumenfeld, William J. Raduchel
  • Patent number: 8584246
    Abstract: A system for eliminating false reports of security vulnerabilities when testing computer software, including a taint analysis engine configured to identify a tainted variable v in a computer application, a data mapping identification engine configured to identify a variable x within the application that holds data derived from v, where x is in a different format than v, an AddData identification engine configured to identify an AddData operation within the application that is performed on x, a signature identification engine configured to identify a Sign operation within the application that is performed on the results of the AddData operation on x, a signature comparison identification engine configured to identify an operation within the application that compares the results of the Sign operation with another value.
    Type: Grant
    Filed: October 13, 2009
    Date of Patent: November 12, 2013
    Assignee: International Business Machines Corporation
    Inventors: Yinnon Avraham Haviv, Roee Hay, Marco Pistoia, Adi Sharabani, Takaaki Tateishi, Omer Tripp, Omri Weisman