Abstract: According to one embodiment, a system featuring one or more processors and memory that includes monitoring logic. In operation, the monitoring logic monitors for a notification message that identifies a state change event that represents an activity has caused a change in state of a data store associated with a storage system. The notification message triggers a malware analysis to be conducted on an object associated with the state change event.

Abstract: A one-time passcode authentication system includes an application server, an authentication server, and an access device, wherein the access includes an authentication engine configured to receive an authentication request from the authentication server and automatically, or in response to a single user input, initiate an access request to the application server, wherein the access request includes a token extracted from the authentication request, and the application server is configured to receive the access request, query the authentication server to authenticate the token, and enable access to an application if the token is authenticated.

Abstract: Described is a system for mobile proactive secure multiparty computation using commitments. The system generates, at each server, secret sharings for each of its input gates using a Secret-Share protocol. Thereafter, sharings of inputs are generated for random gates using a GenPoly protocol. Sharings of multiplication triples are then generated for multiplication gates using a Multiplication-Triple protocol. Affine gates are then evaluated. Multiplication gates can then be evaluated using the multiplication triples and implementing a Secret-Open protocol. A Secret-Redistribute protocol is used to re-randomize the secret sharing. The Secret-Open protocol is implemented after a sharing for an output gate has been computed to reveal the secret.

Abstract: Examples of the present disclosure describe systems and methods for enhancing the privacy of a personal search index. In some aspects, a personal cleartext document may be used to generate an encrypted document digest and an encrypted document on a first device. A second device may decrypt the document digest, build a personal search index based on the decrypted document digest, and store the encrypted document in a data store. The first device may subsequently receive a cleartext search query that is used to query the personal search index on the second device for encrypted documents.

Abstract: Techniques are disclosed relating to relating to a public key infrastructure (PKI). In one embodiment, an integrated circuit is disclosed that includes at least one processor and a secure circuit isolated from access by the processor except through a mailbox mechanism. The secure circuit is configured to generate a key pair having a public key and a private key, and to issue, to a certificate authority (CA), a certificate signing request (CSR) for a certificate corresponding to the key pair. In some embodiments, the secure circuit may be configured to receive, via the mailbox mechanism, a first request from an application executing on the processor to issue a certificate to the application. The secure circuit may also be configured to perform, in response to a second request, a cryptographic operation using a public key circuit included in the secure circuit.

Abstract: A streams manager determines which portions of a streaming application process sensitive data, and when performance of the streaming application needs to be increased, selects based on the sensitive data which portion(s) of the streaming application can be moved to a public cloud. The streams manager then interacts with the public cloud manager to move the selected portion(s) of the streaming application to the public cloud. This may include cloning of processing elements or operators to a public cloud, then splitting tuple attributes so tuple attributes that do not include sensitive data can be processed in the public cloud while tuple attributes that include sensitive data are processed in a secure system. The tuple attributes are then recombined into full tuples in the secure system. The streams manager thus protects the integrity of sensitive data while still taking advantage of the additional resources available in a public cloud.

Abstract: A technique is disclosed to manage password setup such as may be integrated within a login authentication setup process. In response to an initiated password setup process associated with an active client account, a password manager determines whether at least two functional keyboard layouts are associated with the active client account. If at least two functional keyboard layouts are associated with the active client account, the password manager retrieves character position mappings for the at least two functional keyboard layouts. The password manager identifies character position inconsistencies among the at least two functional keyboard layouts based, at least in part, on the retrieved character position mappings. The password manager restricts utilization during password setup of at least one keyboard character based, at least in part, on the identified character position inconsistencies.

Abstract: Web-based single sign-on can enable a user to log in to a single interface (such as through a web browser or thin client) and then provide SSO services to the user for one or more web applications. The web-based SSO system can be extended to support one or more different access control methods, such as form-fill, Federated (OIF), SSO Protected (OAM), and other policies. The web-based SSO system can include a user interface through which the user can access different web applications, systems, etc. and manage their credentials. Each SSO service can be associated with a web interface allowing the SSO services to be accessed over the web. The web interfaces can provide CRUD (create, read, update, delete) functionality for each SSO service. To support different access policy types, the web-based SSO system can include an extensible data manager that can manage data access to different types of repositories transparently.

Abstract: The embodiments set forth systems and techniques to authenticate a user device for device services, such as by transferring or extending a trusted device status from a separate and trusted associated user device, which can be paired with the user device. This can be done automatically without requiring the user to sign in at or on behalf of the user device, and the automated process can include verifying a trusted status for the associated user device, receiving data items from both devices, evaluating the data items, and facilitating an authentication of the user device when the evaluating returns a favorable result. Data items can include provisioned machine identifiers, temporally limited one-time user passwords, and a provisioned password reset key. Authentication or trusted device status transfer can be achieved by way of an authentication token that is given to the user device.

Abstract: A streams manager determines which portions of a streaming application process sensitive data, and when performance of the streaming application needs to be increased, selects based on the sensitive data which portion(s) of the streaming application can be moved to a public cloud. The streams manager then interacts with the public cloud manager to move the selected portion(s) of the streaming application to the public cloud. This may include cloning of processing elements or operators to a public cloud, then splitting tuple attributes so tuple attributes that do not include sensitive data can be processed in the public cloud while tuple attributes that include sensitive data are processed in a secure system. The tuple attributes are then recombined into full tuples in the secure system. The streams manager thus protects the integrity of sensitive data while still taking advantage of the additional resources available in a public cloud.

Abstract: Embodiments are described for logging in to a location-specific user account on a host system. An example method includes sending, by a user device, as part of a login request, an authentication image. The method further includes receiving an authentication response from the host system based on determining whether the login request is sent from an authorized login-location, which is based on a comparison of the authentication image with a reference image captured at the authorized login-location. The method further includes, in response to the authentication image matching the reference image within a predetermined threshold range, receiving access to the user account based on the authentication response.

Abstract: It is provided a method for managing stream in home media network having home gateway and a plurality of devices comprising; building converged home media index at a home gateway by synchronizing local media index of each of the devices; receiving by a source device a request from a user to play a media stored on the source device at the first render device; assigning a multicast IP and port for streaming of the media by the source device or the home gateway; sending by the source device hash value of the media, the multicast IP and port, and the streaming ID to the first render device, in addition to source device IP and render device IP to the home gateway; checking the media file's metadata and corresponding management policy stored on the converged home media index; notifying the source device that the steam can be transmitted to the first render device when receiving authentication and authorization from the gateway; sending security keys to the source device and the first render device to encrypt and de

Abstract: A processing device of a server executing an application establishes a network connection to a client device having a smart card, detects a program call directed to a smart card application programming interface (API) to authenticate a user of the client device for accessing the application, and determines, based on the program call, whether the smart card is a remote smart card for the server. Responsive to determining that the smart card is the remote smart card, the processing device redirects the program call to the client device via a separate communication channel of the network connection and authenticates, by the server, the user of the client device in view of data returned by the program call, as if the remote smart card were local to the server.

Abstract: Embodiments are directed to a computer system for securing an electronic device. The system includes at least one processor configured to receive at least one communication from an entity seeking to access the device. The at least one processor is further configured to generate a graph of the at least one communication from the entity seeking access to the device. The at least one processor is further configured to determine a difference between a cognitive trait of the entity seeking access to the device, and a cognitive identity of an entity authorized to access the device. The at least one processor is further configured to, based at least in part on a determination that the difference is greater than a threshold, deploy a security measure of the device.

Abstract: Embodiments are directed to a computer system for securing an electronic device. The system includes at least one processor configured to receive at least one communication from an entity seeking to access the device. The at least one processor is further configured to generate a graph of the at least one communication from the entity seeking access to the device. The at least one processor is further configured to determine a difference between a cognitive trait of the entity seeking access to the device, and a cognitive identity of an entity authorized to access the device. The at least one processor is further configured to, based at least in part on a determination that the difference is greater than a threshold, deploy a security measure of the device.

Abstract: The disclosed computer-implemented method for detecting gadgets on computing devices may include (i) identifying, on a computing device, a process containing multiple modules, (ii) identifying, within the process, each module that does not implement a security protocol that randomizes, each time the module executes, a memory location of at least one portion of data accessed by the module, (iii) copying each module that does not implement the security protocol to a section of memory dedicated to security analyses, (iv) determining, based on detecting at least one gadget-specific characteristic within at least one copied module, that the process contains a gadget that is capable of being maliciously exploited, and then (v) performing a security action on the computing device to prevent the gadget from being maliciously exploited. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: Disclosed are a method and device for generating a digital signature. The method comprises: a device generating a digital signature parameter r that meets an effective determining condition; generating a digital signature parameter s according to the following formula s=((1+dA)?1·(r+k)?r)mod n, by using a private key dA, a random number k, r, and an elliptic curve parameter n, a value range of k being [1, n?1]; determining if the generated s is 0; if s is 0, regenerating r that meets the effective determining condition, and regenerating s by using dA, the regenerated k with the value range of [1, n?1] and the regenerated r and n, until s is not 0; converting data types of r and s that is not 0 into byte strings, to obtain a digital signature (r, s).

Abstract: A storage device capable of fingerprint identification includes a first storage, a first controller and a second storage. The first storage is configured to store a registered fingerprint. The first controller is configured to compare the registered fingerprint with an input fingerprint, wherein the input fingerprint is obtained in response to a touch event. The second storage is configured to store a data. The data is, in response to a fingerprint comparison result, selectively allowed to be accessible or prohibited from being accessible to a host.

Abstract: One embodiment provides a method, including: utilizing at least one processor to execute computer code that performs the steps of: receiving motion sensor information from a plurality of sensors on a wearable device; identifying, based on the motion sensor information, a motion pattern corresponding to an activity of a user; comparing the motion pattern to a plurality of stored motion patterns; determining, based on the comparing, if the motion pattern matches one of the stored motion patterns that is identified as a motion pattern of a sensitive activity; and modifying, whether the motion pattern matches one of the stored motion pattern identified as a motion pattern of a sensitive activity. Other aspects are described and claimed.

Abstract: A key fob device, in one embodiment, includes a transceiver that receives and sends signals, a memory that stores a public key and a certificate of authenticity associated with the key fob device, and a processor coupled to the transceiver and memory. The processor is configured to execute instructions causing the key fob device to transmit the public key and the certificate of authenticity, execute a public key agreement protocol to generate a common secret encryption key, and receive an operation key encrypted with the common secret encryption key.