Patents Examined by Simon Kanaan
  • Patent number: 11775635
    Abstract: A method for detecting a cache-based side-channel attack includes utilizing a timer thread that continuously increments a variable in code of an application. The code has been instrumented such that the instrumented code uses the variable incremented by the timer thread to infer an amount of time taken for running a part of the code. A number of cache misses during execution of the part of the code is determined based on the amount of time. It is determined whether the application is experiencing the cache-based side-channel attack using a classifier which uses as input the number of cache misses.
    Type: Grant
    Filed: March 23, 2020
    Date of Patent: October 3, 2023
    Assignee: NEC CORPORATION
    Inventors: Jianyu Jiang, Ghassan Karame, Claudio Soriente
  • Patent number: 10043011
    Abstract: A solution recommendation (SR) tool can receive vulnerabilities identified by a vulnerability scanner and/or penetration testing tool. The SR tool can determine various approaches for remediating or mitigating the identified vulnerabilities, and can prioritize the various approaches based on the efficiency of the various approaches in remediating or mitigating the identified vulnerabilities. The SR tool can recommend one or more of the prioritized approaches based on constraints such as cost, effectiveness, complexity, and the like. Once the one or more of the prioritized approaches are selected, the SR tool can recommend the one or more prioritized approaches to third-party experts for evaluation.
    Type: Grant
    Filed: January 19, 2011
    Date of Patent: August 7, 2018
    Assignee: Rapid7, LLC
    Inventors: Derek M. Abdine, Anastasios Giakouminakis, Chad Loder, Richard D. Li
  • Patent number: 10044503
    Abstract: Systems and methods for authentication generate keys from secret credentials shared between authenticating parties and authenticators. Generation of the keys may involve utilizing specialized information in the form of parameters that are used to specialize keys. Keys and/or information derived from keys held by multiple authorities may be used to generate other keys such that signatures requiring such keys and/or information can be verified without access to the keys. Keys may also be derived to form a hierarchy of keys that are distributed such that a key holder's ability to decrypt data depends on the key's position in the hierarchy relative to the position of a key used to encrypt the data. Key hierarchies may also be used to distribute key sets to content processing devices to enable the devices to decrypt content such that sources or potential sources of unauthorized content are identifiable from the decrypted content.
    Type: Grant
    Filed: November 14, 2014
    Date of Patent: August 7, 2018
    Assignee: Amazon Technologies, Inc.
    Inventors: Gregory B. Roth, Marc R. Barbour, Bradley Jeffery Behm, Cristian M. Ilac, Eric Jason Brandwine
  • Patent number: 10044757
    Abstract: A system is disclosed that includes components and features for enabling enterprise users to securely access enterprise resources (documents, data, application servers, etc.) using their mobile devices. An enterprise can use some or all components of the system to, for example, securely but flexibly implement a BYOD (bring your own device) policy in which users can run both personal applications and secure enterprise applications on their mobile devices. The system may, for example, implement policies for controlling mobile device accesses to enterprise resources based on device attributes (e.g., what mobile applications are installed), user attributes (e.g., the user's position or department), behavioral attributes, and other criteria.
    Type: Grant
    Filed: October 5, 2015
    Date of Patent: August 7, 2018
    Assignee: Citrix Systems, Inc.
    Inventors: Waheed Qureshi, Thomas H. DeBenning, Ahmed Datoo, Olivier Andre, Shafaq Abdullah
  • Patent number: 9992171
    Abstract: Various aspects of a method and system for digital rights management of encrypted digital content are disclosed herein. The method includes determination of a seed value from a pre-stored vault file that corresponds to a registered user. The determination of the seed value is based on biometric information provided by the registered user. The method further includes generation of a set of intermediate values based on the determined seed value. The generation of the set of intermediate values is based on a pre-determined rule. The method further includes determination of a content key based on the generated set of intermediate values.
    Type: Grant
    Filed: November 3, 2014
    Date of Patent: June 5, 2018
    Assignee: SONY CORPORATION
    Inventors: Ravi Honnavalli Ramachandra Rao, Vishnuteja Chokkanahalli, Ajay Maruti Gaonkar
  • Patent number: 9984176
    Abstract: The present invention provides a method of calculating a hash value, the method making it possible to generate one or more hash functions by changing a predetermined position for selecting a bit, the length of an input key being L bits, the length of a hash value being N bits, and N≤L, the method including a computer performing calculation of a generated certain one hash function by selecting one bit present in a certain predetermined position among lower N bits of the input key, assigning the selected one bit to a bit in a certain predetermined position among N bits of the hash value, and repeating the selecting and the assigning a bit not selected yet in the selecting among the lower N bits of the key to the hash value until all bits not assigned yet of the hash value are assigned.
    Type: Grant
    Filed: December 18, 2015
    Date of Patent: May 29, 2018
    Assignee: International Business Machines Corporation
    Inventor: Takanori Ueda
  • Patent number: 9973524
    Abstract: A method and system for creating a composite security rating from security characterization data of a third party computer system. The security characterization data is derived from externally observable characteristics of the third party computer system. Advantageously, the composite security score has a relatively high likelihood of corresponding to an internal audit score despite use of externally observable security characteristics. Also, the method and system may include use of multiple security characterizations all solely derived from externally observable characteristics of the third party computer system.
    Type: Grant
    Filed: November 18, 2015
    Date of Patent: May 15, 2018
    Assignee: BitSight Technologies, Inc.
    Inventors: Stephen Boyer, Nagarjuna Venna, Megumi Ando
  • Patent number: 9971882
    Abstract: A system and method for multimedia content protection on elastic cloud infrastructures is presented. The system can be used to protect various multimedia contents, including regular 2D videos, new 3D videos, animated graphics, images, audio clips, songs, and music clips. The system can run on private clouds, public clouds, or any combination of public-private clouds. The system is scalable and cost effective.
    Type: Grant
    Filed: September 24, 2012
    Date of Patent: May 15, 2018
    Assignee: Qatar Foundation
    Inventor: Mohamed Hefeeda
  • Patent number: 9971885
    Abstract: Systems, apparatus, methods, and computer program products are provided for determining a user's authentication requirements/credentials for a specific network access session based on the current location of the user in comparison to predetermined boundaries of location that have altered authentication requirements, in the form of, increased or decreased authentication requirements/credentials that differ from the standard authentication requirements.
    Type: Grant
    Filed: February 4, 2016
    Date of Patent: May 15, 2018
    Assignee: Bank of America Corporation
    Inventors: David M. Grigg, Peter John Bertanzetti, Charles Jason Burrell, Carrie Anne Hanson, Joseph Neil Johansen, Michael E. Toth
  • Patent number: 9954853
    Abstract: There is described a method for enabling a user of a client computer to securely access a remote server via a network, which is preferably the Internet, by authenticating the user. The method comprises providing a portable apparatus to the user which may communicate with the client computer. It further involves storing on the portable apparatus user credentials required to enable the user to be authenticated at the server and performing an authentication protocol between the client and the server. The authentication protocol includes the transmission to the server of a digest based at least partially on the user credentials; and the user credentials are stored on the portable apparatus in the form of a digest.
    Type: Grant
    Filed: September 25, 2013
    Date of Patent: April 24, 2018
    Assignee: Universitetet I Oslo
    Inventors: Audun Jøsang, Henning Klevjer
  • Patent number: 9954680
    Abstract: A master encryption key is split at a key splitting server such that three key shares are required to reconstruct it, and is then destroyed. The key shares are distributed such that an encrypted remote management server key share is stored at a remote management server, an encrypted managed device key share is stored at a managed device, and a key splitting server key share is stored on the key splitting server. Incoming communications to the key splitting server from managed devices are prevented, and outgoing communications from the key splitting server are only allowed to managed devices. The managed device obtains the master encryption key at startup by sending its managed device key share to the remote management server, which sends the managed device key share and the remote management server key share to the key splitting server. The key splitting server reconstructs the master encryption key, encrypts it using a public key of the managed device, and sends it to the managed device.
    Type: Grant
    Filed: December 18, 2015
    Date of Patent: April 24, 2018
    Assignee: EMC IP Holding Company LLC
    Inventors: Salah Machani, Lawrence N. Friedman
  • Patent number: 9954678
    Abstract: A computer system can send a secure request over a named-data network to a remote device by generating an Interest with encrypted name components. During operation, the computer system can receive or obtain a request for data, such as from a local user or from a local application. If the system cannot satisfy the request locally, the system can determine at least a routable prefix and a name suffix associated with the request. The system can generate the secure Interest for the request by determining an encryption key that corresponds to a session with the remote computer system, and encrypts the name suffix using the session encryption key. The system then generates an Interest whose name includes the routable prefix and the encrypted name suffix, and disseminates the Interest over a named-data network to send the request to the remote computer system.
    Type: Grant
    Filed: February 6, 2014
    Date of Patent: April 24, 2018
    Assignee: Cisco Technology, Inc.
    Inventors: Marc E. Mosko, Ersin Uzun
  • Patent number: 9930030
    Abstract: An extensible configuration system to allow a website to authenticate users based on an authorization protocol is disclosed. In some embodiments, the extensible configuration system includes receiving an identifier for an authentication provider; and automatically configuring a website to use the authentication provider for logging into the website.
    Type: Grant
    Filed: October 23, 2015
    Date of Patent: March 27, 2018
    Assignee: Adobe Systems Incorporated
    Inventors: Ryan Wilkes, Lars Trieloff, Felix Meschberger, Tyson Norris, Pankil Doshi
  • Patent number: 9923716
    Abstract: For personalizing a smart card (SC) coupled with a communication device (CD) of a user being a subscriber of a first telecommunication network (TN1) and wishing to become a subscriber of a second telecommunication network (TN2), a first international identity (IMSI_1) and a first authentication key (AK_1) being stored in the smart card (SC), the smart card receives a message (MesP) from an application server (AS) connected to the first telecommunication network and the second telecommunication network, the message (MesN) comprising a personalization command (ComP) and an admin code (ACas), after that the application server has received a request (Req) of subscription change comprising an identifier (1dMNO2) of the second telecommunication network (TN2) and has established a secured session with a personalization server (PS) of the second telecommunication network (TN2) identified by the identifier (1dMNO2), and interprets the personalization command (ComP) to establish a secure session with the personalizatio
    Type: Grant
    Filed: August 14, 2013
    Date of Patent: March 20, 2018
    Assignee: Alcatel Lucent
    Inventors: Yacine El Mghazli, Abdullatif Shikfa
  • Patent number: 9917828
    Abstract: An email security system is described that allows users within different organizations to securely send email to one another. The email security system provides a federation server on the Internet or other unsecured network accessible by each of the organizations. Each organization provides identity information to the federation server. When a sender in one organization sends a message to a recipient in another organization, the federation server provides the sender's email server with a secure token for encrypting the message to provide secure delivery over the unsecured network.
    Type: Grant
    Filed: May 6, 2014
    Date of Patent: March 13, 2018
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Frank Byrum, Mayank Mehta, Chandresh Jain, Ladislau Conceicao, Brian Kress, Greg Gourevitch, Michael Nelte, Chris Barnes
  • Patent number: 9880947
    Abstract: Systems, apparatuses and methods may provide for identifying a stack pointer associated with a sequence of code being executed on a computing system and counting a number of exchange updates to the stack pointer. Additionally, a hardware interrupt may be generated if the number of exchange updates reaches a threshold. In one example, the hardware interrupt is a performance monitoring interrupt.
    Type: Grant
    Filed: March 24, 2015
    Date of Patent: January 30, 2018
    Assignee: Intel Corporation
    Inventors: Rodrigo Rubira Branco, Xiaoning Li
  • Patent number: 9866584
    Abstract: The method analyzes unauthorized intrusion into a computer network. Access is allowed to a virtualized operating system running on a hypervisor operating system hosted on a network device. A network attack is intercepted on the virtualized operating system using an introspection module with a virtual-machine-based rootkit module and its associated userland processes running on the hypervisor operating system. The network attack includes attack-identifying information. Forensic data is generated on the network attack from the attack-identifying information.
    Type: Grant
    Filed: November 14, 2014
    Date of Patent: January 9, 2018
    Assignee: CounterTack, Inc.
    Inventor: Alen Capalik
  • Patent number: 9858406
    Abstract: An authenticity accuracy, corresponding to a personal identification number, is determined. A device presents a correct image (or group of images) and an incorrect image (or group of images). Selections from a user are received until a sufficient number of correct images are selected to satisfy the authenticity accuracy. For example, a counter may be incremented when the correct image is selected, and the user may be considered to be authenticated if the counter reaches a sufficient level.
    Type: Grant
    Filed: March 24, 2015
    Date of Patent: January 2, 2018
    Assignee: Verizon Patent and Licensing Inc.
    Inventors: Jeffrey M. Getchius, Guy Getchius
  • Patent number: 9860065
    Abstract: The invention provides a method, in a processor, for executing a cryptographic computation. Upon the execution of the computation there is applied a base masking through which intermediate values are incorporated into the computation as masked intermediate values. Upon the execution of the computation a secondary masking is additionally applied, wherein for each intermediate value masked by means of the base masking the one's complement of the masked intermediate value is formed, the masked intermediate value and the one's complement of the masked intermediate value are made available, and randomly the computation is executed either with the masked intermediate value or with the one's complement of the masked intermediate value.
    Type: Grant
    Filed: September 23, 2013
    Date of Patent: January 2, 2018
    Assignee: GIESECKE+DEVRIENT MOBILE SECURITY GMBH
    Inventor: Jurgen Pulkus
  • Patent number: 9853984
    Abstract: Methods, systems, and products verify an identity claimed by a person. A signature, representing the presence of a device, is acquired. The signature is compared to a reference signature. Should the signature favorably compare to the reference signature, then the identity is verified.
    Type: Grant
    Filed: January 29, 2016
    Date of Patent: December 26, 2017
    Assignee: AT&T INTELLECTUAL PROPERTY I, L.P.
    Inventor: Jeffrey A. Aaron