Patents Examined by Sharon Lynch
  • Patent number: 10069838
    Abstract: One exemplary embodiment involves receiving, from an administrator device, a first request to provide a set of privileges to at least one of a set of users and a set of user groups to access private resources referenced by a path of a networked hierarchical repository, the set of privileges including at least one authorized access privilege. The embodiment also involves modifying a metadata associated with the private resources to indicate the set of privileges to provide to the at least one of the set of users and the set of user groups, the metadata associated with the private resources being modified to at least indicate the authorized access privilege. Additionally, the embodiment involves receiving a second request for authorized access to a set of resources associated with the networked hierarchical repository and providing the authorized access based on whether the metadata associated with the set of resources indicates to provide the authorized access.
    Type: Grant
    Filed: December 18, 2012
    Date of Patent: September 4, 2018
    Assignee: Adobe Systems Incorporated
    Inventors: Antonio Sanso, Felix Meschberger
  • Patent number: 10061981
    Abstract: A method of validating the authenticity of a ticket including a unique ticket identifier generated at an issuing terminal in accordance with a confidential algorithm is provided. The method includes receiving one or more identification variable values expressed with respect to a first coordinate measurement domain, the one or more identification variable values enabling the location of ticket verification information within the unique ticket identifier to be determined, using a coordinate transform function configured to map coordinate values from the first coordinate measurement domain to a second coordinate measurement domain to calculate one or more values of the one or more received identification variable values with respect to the second coordinate measurement domain, extracting the verification information from the unique ticket identifier on the basis of the calculated identification variable values, and verifying the authenticity of the ticket on the basis of the extracted verification information.
    Type: Grant
    Filed: November 25, 2013
    Date of Patent: August 28, 2018
    Assignee: Omarco Network Solutions Limited
    Inventor: Ralph Mahmoud Omar
  • Patent number: 10057248
    Abstract: In various aspects, code-based indicia contain secured network access credentials. In some aspects, a computer processor receives user input that specifies secured network access credentials, and the computer processor creates or modifies credentials for establishing a secured network connection. In these aspects, the computer processor generates code-based indicia that contain at least part of the secured network access credentials. In other aspects, a computer processor scans the code-based indicia and extracts the network access credentials. In these aspects, the computer processor employs the network access credentials to establish the secured network connection. In additional aspects, a network router apparatus renders the code-based indicia to an active display. In further aspects, a network router apparatus conditions grant of network access to a device on receipt from the device of an answer to a security question included in the secured network access credentials.
    Type: Grant
    Filed: March 7, 2016
    Date of Patent: August 21, 2018
    Assignee: NETGEAR, Inc.
    Inventor: Ye Zhang
  • Patent number: 10038562
    Abstract: A method for providing encrypted data for searching of information includes generating a number of distinct key triples each comprising a public key, a corresponding secret key, and a corresponding evaluation key based on searchable information and files to be searched. Information indicating whether the searchable information is included within the files is encrypted with a key of the generated key triples. The secret keys are merged to obtain a single secret key for an entirety of the searchable information within respective ones of the files for each of the files. The encrypted information is provided with the merged secret keys for each of the files as encrypted data for searching of information within the files. The generating of the distinct key triples and the encrypting of the information are performed based on a multikey homomorphic encryption scheme.
    Type: Grant
    Filed: January 29, 2014
    Date of Patent: July 31, 2018
    Assignee: NEC CORPORATION
    Inventors: Sebastian Gajek, Oezguer Dagdelen
  • Patent number: 10025597
    Abstract: Disclosed herein are systems, methods, and non-transitory computer-readable storage media for erasing user data stored in a file system. The method includes destroying all key bags containing encryption keys on a device having a file system encrypted on a per file and per class basis, erasing and rebuilding at least part of the file system associated with user data, and creating a new default key bag containing encryption keys. Also disclosed herein is a method of erasing user data stored in a remote file system encrypted on a per file and per class basis. The method includes transmitting obliteration instructions to a remote device, which cause the remote device to destroy all key bags containing encryption keys on the remote device, erase and rebuild at least part of the file system associated with user data, and create on the remote device a new default key bag containing encryption keys.
    Type: Grant
    Filed: January 11, 2016
    Date of Patent: July 17, 2018
    Assignee: Apple Inc.
    Inventors: Dallas Blake De Atley, Gordon Freedman, Thomas Brogan Duffy, Jr., Tahoma Madrone Toelkes, Michael John Smith, Paul William Chinn, David Rahardja
  • Patent number: 10019604
    Abstract: A method and an apparatus of verifying a terminal are provided in the field of computer technology. In the method, the terminal establishes a secure channel with a server through a secure element in the terminal. The terminal sends original terminal hardware parameters in the secure element to the server through the secure channel by using the secure element, where the server is configured to feed back identification information according to the terminal hardware parameters. The terminal then determines a verification result of an authenticity of the terminal according to the identification information fed back by the server. The apparatus includes: a channel establishing module, a parameter sending module and a result determining module.
    Type: Grant
    Filed: August 31, 2015
    Date of Patent: July 10, 2018
    Assignee: Xiaomi Inc.
    Inventors: Feng Hong, Junqi Lin, Yifan Zhu
  • Patent number: 10009175
    Abstract: A method for allowing a first party and a second party to obtain shared secret information is provided. The method comprises the steps of: obtaining, by the first party, a sequence of values A=X+NA where X is a sequence of values and NA is a random sequence associated with the first party; obtaining, by the second party, a sequence of values B=X+NB where NB is a random sequence associated with the second party; performing, by the first and second parties, a data matching procedure to identify corresponding pairs of values, a, b, in respective sequences A and B that match, wherein sequences A and B are discrete-valued sequences equal to, derived from, or derived using, sequences A and B; wherein the shared secret information is equal to, or derived from, or derived using, the matching values in sequences A and B.
    Type: Grant
    Filed: May 23, 2013
    Date of Patent: June 26, 2018
    Assignee: The University of Leeds
    Inventors: Benjamin Thomas Hornsby Varcoe, Matthew Christopher John Everitt
  • Patent number: 10003588
    Abstract: A network authentication system includes a client terminal, an authentication server authenticating connection of the client terminal with an external network, and a plurality of authentication switches controlling communication of the client terminal with the external network. The authentication switch includes an authentication server processing unit notifying the authentication server of authentication terminal information, and a receiving port filter receives a specific packet. The authentication server includes a terminal management storing unit storing the authentication terminal information, and an authentication switch management processing unit which, in order that the authentication switch authenticate the client terminal, determines filter information, that is set in the receiving port filter, based on the authentication terminal information, and notifies the authentication switch of the filter information.
    Type: Grant
    Filed: March 4, 2016
    Date of Patent: June 19, 2018
    Assignee: NEC CORPORATION
    Inventor: Yuji Abe
  • Patent number: 10003464
    Abstract: A computer-implemented method for securing a trusted transaction using a biometric identity verification system comprising a peripheral device, a vendor server, and a verification server. The method may comprise the steps of receiving a biometric indicator at the peripheral device, and forwarding the biometric indicator to the vendor server. The method may further comprise forwarding the biometric indicator to the verification server which may verify the biometric indicator by translating the biometric indicator into an encryption value, and computing an identity verification flag, defined as a pulse upon detecting a match of the encryption value and a stored cypher record. The vendor server may execute the trusted transaction by receiving the pulse signifying a match of the encryption values found by the verification server.
    Type: Grant
    Filed: June 7, 2017
    Date of Patent: June 19, 2018
    Inventors: Taeyup Kim, David Bartine
  • Patent number: 9998471
    Abstract: A security software comprises administrative module for configuring access levels and creating types of accounts and application server for domain filtering by checking against friendly and unfriendly inbound, outbound and exception lists. Hard filtering either approves, terminates requests or re-routes request without the user's knowledge. Soft filtering passes disapproved requests and sends an e-mail alert to authorized recipients. Content filtering includes checking a content of a requested document against a friendly, unfriendly list and exception list. Hard filtering passes or rejects the requested document. Soft filtering passes the requested document or rejects or approves by highlighting its content. Options include e-mail filtering that checks subject, sender's address and domain against an unfriendly, friendly and exception list.
    Type: Grant
    Filed: December 29, 2014
    Date of Patent: June 12, 2018
    Inventor: Kirsten Aldrich
  • Patent number: 9990797
    Abstract: A user terminal comprises an encryption apparatus, a tamper detection system associated with the encryption apparatus and means for triggering the tamper detection system in response to tampering with the encryption apparatus, at least one further component, and further means for triggering the tamper detection system, wherein the further means for triggering the tamper detection system is configured to trigger the tamper detection system in response to tampering with the at least one further component.
    Type: Grant
    Filed: October 11, 2013
    Date of Patent: June 5, 2018
    Assignee: KORALA ASSOCIATES LIMITED
    Inventor: Aravinda Korala
  • Patent number: 9992016
    Abstract: Generation of a message m of order λ(n) for a test of the integrity of the generation of a pair of cryptographic keys within the multiplicative group of integers modulo n=p·q, including: —key pair generation including, to generate p and q: a random selection of candidate integers; and a primality test; —a first search of the multiplicative group of integers modulo p for a generator a; —a second search of the multiplicative group of integers modulo q for a generator b; —a third search for a number y, as message m, verifying: 1≤y≤n−1, where y=a mod p and y=b mod q, the first or second search being performed during the primality test.
    Type: Grant
    Filed: March 3, 2015
    Date of Patent: June 5, 2018
    Assignee: IDEMIA FRANCE
    Inventors: Alberto Battistello, Christophe Giraud, Guillaume Dabosville, Laurie Genelle
  • Patent number: 9984241
    Abstract: A method, an apparatus, and a system for data protection. A specific solution is: a proxy server receives outgoing data from a user terminal, where the outgoing data carries an identifier of a user; acquires a user grade and a credit value of the user from a credit server according to the identifier, where the credit value is a violation percentage of historical outgoing data of the user; sends the outgoing data, the user grade, and the credit value to a DLP server so that the DLP server inspects security of the outgoing data according to the user grade and the credit value, and further generates a message including an inspection result; and receives, from the DLP server, the message including the inspection result and uses a policy corresponding to the inspection result to process the outgoing data. The present invention is used during a protection process of outgoing data.
    Type: Grant
    Filed: August 26, 2015
    Date of Patent: May 29, 2018
    Assignee: HUAWEI TECHNOLOGIES CO., LTD.
    Inventor: Wei Jin
  • Patent number: 9985960
    Abstract: A method for protecting data on a mass storage device. The device has a security module and a data storage area configured to be switched between a protected state, in which accessing the data storage area is forbidden and an unprotected state, in which accessing the data storage area is authorized. Switching the data storage area from the protected state to the unprotected state by sending a request to a remote server, receiving a one-time password on a communication device, in response to the sent request, providing the received one-time password to the security module, authorizing access to the data storage area by the security module, once the provided one-time password is deemed valid by the security module.
    Type: Grant
    Filed: May 21, 2013
    Date of Patent: May 29, 2018
    Assignee: GEMALTO SA
    Inventor: Zhaolin Chi
  • Patent number: 9973338
    Abstract: There is provided mechanisms for configuration of liveness check using Internet key exchange messages. A method is performed by a user equipment. The method comprises transmitting, to a core network node, a first Internet key exchange message comprising a configuration attribute indicating support of receiving a timeout period for liveness check. The method comprises receiving, from the core network node, a second Internet key exchange message comprising a configuration attribute indicating a timeout period for said liveness check.
    Type: Grant
    Filed: June 30, 2017
    Date of Patent: May 15, 2018
    Inventors: Ivo Sedlacek, Rikard Eriksson, Ralf Keller
  • Patent number: 9960913
    Abstract: The invention relates to a first network unit (See) which comprises a secure hardware component (HK) for saving and running software. A second network unit (P) comprises a secure software component (SK) for saving and running software. A method for secure communication comprises: saving a first common secret, a first algorithm and a second algorithm on the network units; sending a first date from the second network unit to the first network unit; running the first algorithm on the first network unit and on the second network unit wherein the input is in each case formed by the second common secret and the first date; sending of a second date from the first network unit to the second network unit; running the second algorithm on the first network unit and on the second network unit; wherein the input is formed in each case by the second common secret and the second date; and use of the third common secret for a secure communication.
    Type: Grant
    Filed: September 16, 2013
    Date of Patent: May 1, 2018
    Assignee: Siemens Aktiengesellschaft
    Inventors: Stefan Pyka, Johannes Zwanzger
  • Patent number: 9940463
    Abstract: A method for device authentication comprises receiving, by processing hardware of a first device, a message from a second device to authenticate the first device. The processing hardware retrieves a secret value from secure storage hardware operatively coupled to the processing hardware. The processing hardware derives a validator from the secret value using a path through a key tree, wherein the path is based on the message, wherein deriving the validator using the path through the key tree comprises computing a plurality of successive intermediate keys starting with a value based on the secret value and leading to the validator, wherein each successive intermediate key is derived based on at least a portion of the message and a prior key. The first device then sends the validator to the second device.
    Type: Grant
    Filed: August 30, 2017
    Date of Patent: April 10, 2018
    Assignee: Cryptography Research, Inc.
    Inventors: Paul Kocher, Pankaj Rohatgi, Joshua M. Jaffe
  • Patent number: 9934409
    Abstract: A method includes receiving a plurality of data sets. Each data set includes a customer identifier field specifying a unique customer identifier associated with each entry in each data set. The plurality of data sets includes a first group of data sets and a second group of data sets. The method further includes storing the plurality of data sets, and generating a key map including the customer identifier field including unique customer identifiers of the first group of data sets of the plurality of data sets, and an anonymous identifier field including unique anonymous identifiers. Each anonymous identifier corresponds to a customer identifier of the key map. The method further includes replacing each unique customer identifier in the second group of data sets with the corresponding anonymous identifier.
    Type: Grant
    Filed: March 9, 2015
    Date of Patent: April 3, 2018
    Assignee: Datalogix Holdings, Inc.
    Inventor: Robert John Cuthbertson
  • Patent number: 9923946
    Abstract: A streams manager determines which portions of a streaming application process sensitive data, and when performance of the streaming application needs to be increased, selects based on the sensitive data which portion(s) of the streaming application can be moved to a public cloud. The streams manager then interacts with the public cloud manager to move the selected portion(s) of the streaming application to the public cloud. By taking sensitive data into account, the streams manager protects the integrity of sensitive data while still taking advantage of the additional resources available in a public cloud.
    Type: Grant
    Filed: August 31, 2015
    Date of Patent: March 20, 2018
    Assignee: International Business Machines Corporation
    Inventors: Eric L. Barsness, Michael J. Branson, John M. Santosuosso
  • Patent number: 9923720
    Abstract: A network device (110) is provided which is configured to determine a shared cryptographic key of key length (b) bits shared with a second network device (120) from a polynomial and an identity number of the second network device. A reduction algorithm is used to evaluate the polynomial in the identity number of the second network device and reduce modulo a public modulus and modulo a key modulus. The reduction algorithm comprises an iteration over the terms of the polynomial. In at least the iteration which iteration is associated with a particular term of the polynomial are comprised a first and second multiplication. The first multiplication is between the identity number and a least significant part of the coefficient of the particular term obtained from the representation of the polynomial, the least significant part of the coefficient being formed by the key length least significant bits of the coefficient of the particular term.
    Type: Grant
    Filed: February 11, 2014
    Date of Patent: March 20, 2018
    Assignee: KONINKLIJKE PHILIPS N.V.
    Inventors: Oscar Garcia Morchon, Sandeep Shankaran Kumar, Ludovicus Marinus Gerardus Maria Tolhuizen