Patents Examined by Thong Truong
  • Patent number: 10129029
    Abstract: Systems and methods are provided for proving plaintext knowledge of a message m, encrypted in a ciphertext, to a verifier computer. The method includes, at a user computer, encrypting the message m via a predetermined encryption scheme to produce a ciphertext u, and generating a plurality l of challenges ci, i=1 to l, dependent on the ciphertext u. For each challenge ci, the user computer generates a cryptographic proof ?2i comprising that challenge ci and a zero-knowledge proof of plaintext knowledge of the message m encrypted in the ciphertext u. The user computer sends the ciphertext u and the l proofs ?2i to the verifier computer. Each challenge ci is constrained to a predetermined challenge space C permitting identification, by searching the challenge space C, of an element ci? such that the message m can be obtained via a decryption operation using the ciphertext u, the element ci?, and a decryption key of said encryption scheme.
    Type: Grant
    Filed: June 16, 2016
    Date of Patent: November 13, 2018
    Assignee: International Business Machines Corporation
    Inventors: Vadim Lyubashevsky, Gregory Neven
  • Patent number: 10122537
    Abstract: Provided is an apparatus for generating digital values to provide a random digital value. The apparatus may generate the digital value based on a semiconductor process variation. The apparatus may include a generating unit to generate a plurality of digital values, based on the semiconductor process variation, and a processing unit to process the digital values and to provide a first digital value. The generating unit may include a plurality of physically unclonable functions (PUFs). A parameter may be differently applied to the PUFs, and the PUFs may generate the digital values.
    Type: Grant
    Filed: December 30, 2014
    Date of Patent: November 6, 2018
    Assignee: ICTK HOLDINGS CO., LTD.
    Inventors: Dong Kyue Kim, Byong Deok Choi
  • Patent number: 10110581
    Abstract: Embodiments of the present disclosure relate to a method for determining a path computation element and a communications device, where location information and transmission capability information of a PCE are carried in a route advertisement message and are advertised to a PCC, so that the PCC can select, according to the transmission capability information of the PCE in the route advertisement message, a PCE that meets a transmission capability of the PCC, to perform path computation; therefore, a problem that a transmission capability mismatch between the PCC and the PCE causes a failure in establishing a PCEP session is avoided.
    Type: Grant
    Filed: April 20, 2016
    Date of Patent: October 23, 2018
    Assignee: Huawei Technologies Co., Ltd.
    Inventor: Hongguang Guan
  • Patent number: 10104552
    Abstract: A wireless relay device for relaying encrypted data via a wireless network according to one aspect of the present invention includes a relay controller and an encryption processor. The relay controller is configured to relay a first data to a predetermined relay destination as a second data via the wireless network. The first data is transmitted to the wireless relay device via the wireless network and is addressed to the wireless relay device. The encryption processor is configured to decrypt the first data into a decrypted first data and to input the decrypted first data into the relay controller, and encrypt the second data to be relayed by the relay controller.
    Type: Grant
    Filed: March 25, 2016
    Date of Patent: October 16, 2018
    Assignee: Yokogawa Electric Corporation
    Inventors: Naoyuki Fujimoto, Masato Yamaji, Kenichi Takeda, Masaki Shioya, Yota Furukawa
  • Patent number: 10091187
    Abstract: A client application performs certificate pinning as a means of authenticating the identity of a server. A proxy is interposed in the communications path of the client and the hosting server and provides a proxy security certificate to the client. In response to the client extracting a proxy authentication component from the proxy security certificate, operation of the client is paused and a hosting server authentication component is extracted from a hosting server security certificate. The client operation is resumed, providing the extracted hosting server authentication component to the client, in substitution for the proxy authentication component. Based on receiving the extracted hosting server authentication component, the client authenticates the proxy to receive communications directed to the hosting server.
    Type: Grant
    Filed: September 26, 2017
    Date of Patent: October 2, 2018
    Assignee: International Business Machines Corporation
    Inventors: Emanuel Bronshtein, Roee Hay, Sagi Kedmi
  • Patent number: 10089461
    Abstract: Techniques for malicious content detection using code injection are described herein. In one embodiment a first code section of a target program is loaded into a first memory page of a virtual machine (VM) hosted by a virtual machine monitor (VMM). The target program to receive code injection. The VMM injects a second code section into the target program by replacing the first code section with a second code section loaded in a second memory page. Determining a behavior of a content specimen using the injected second code section instead of the first code section, and the second code section is injected after the target program.
    Type: Grant
    Filed: September 30, 2013
    Date of Patent: October 2, 2018
    Assignee: FireEye, Inc.
    Inventors: Phung-Te Ha, Seva Tonkonoh, Osman Abdoul Ismael
  • Patent number: 10089473
    Abstract: Systems and methods for securing a computer system are described herein. The systems and methods, which are computer-implemented, involve receiving, by a computing device, a name of a software vulnerability. The computing device measures a lexical similarity distance between the vulnerability name and each name in a list of names of software systems and components of the computer system. The computing device further identifies the software system and component names that are within a predetermined similarity distance of the vulnerability name as corresponding to software systems and components having the software vulnerability. Once the vulnerabilities are detected and mapped to corresponding software systems and components, the systems and methods can generate derivative works (e.g., reports, charts, and other derivative data) for further data processing, storage or analysis by different stakeholders and/or other computing devices.
    Type: Grant
    Filed: December 24, 2014
    Date of Patent: October 2, 2018
    Assignee: SAP SE
    Inventors: Hesham Mahrous, Navjot Singh, Govind Preet Singh, Shiu Kung, Justine Shan, Baljeet Singh Malhotra
  • Patent number: 10084595
    Abstract: Facilitation of management and utilization of domain-specific anonymous customer references (ACRs) for protection of subscriber privacy across different domains is disclosed herein. In one aspect, on receiving user authorization, an ACR services (ACRS) component can generate an ACR that is to be inserted in a communication or message transmitted from a user equipment to an untrusted entity. The ACR can be generated based on address data associated with the untrusted entity and/or a unique subscriber identifier associated with the user equipment. As an example, the ACR creation component can generate the ACR based on a cryptographic hash, a static encryption key, and/or a dynamic encryption key. If the ACR is forwarded to a trusted entity, the trusted entity can calculate the unique subscriber identifier based on evaluating the ACR and/or exchange the ACR for the unique subscriber identifier via a secure communication with the ACRS component.
    Type: Grant
    Filed: August 19, 2016
    Date of Patent: September 25, 2018
    Assignee: AT&T INTELLECTUAL PROPERTY I, L.P.
    Inventors: Shahram Mohajeri, Bryan L. Sullivan
  • Patent number: 10084781
    Abstract: A client application performs certificate pinning as a means of authenticating the identity of a server. A proxy is interposed in the communications path of the client and the hosting server and provides a proxy security certificate to the client. In response to the client extracting a proxy authentication component from the proxy security certificate, operation of the client is paused and a hosting server authentication component is extracted from a hosting server security certificate. The client operation is resumed, providing the extracted hosting server authentication component to the client, in substitution for the proxy authentication component. Based on receiving the extracted hosting server authentication component, the client authenticates the proxy to receive communications directed to the hosting server.
    Type: Grant
    Filed: April 26, 2016
    Date of Patent: September 25, 2018
    Assignee: International Business Machines Corporation
    Inventors: Emanuel Bronshtein, Roee Hay, Sagi Kedmi
  • Patent number: 10084772
    Abstract: A client application performs certificate pinning as a means of authenticating the identity of a server. A proxy is interposed in the communications path of the client and the hosting server and provides a proxy security certificate to the client. In response to the client extracting a proxy authentication component from the proxy security certificate, operation of the client is paused and a hosting server authentication component is extracted from a hosting server security certificate. The client operation is resumed, providing the extracted hosting server authentication component to the client, in substitution for the proxy authentication component. Based on receiving the extracted hosting server authentication component, the client authenticates the proxy to receive communications directed to the hosting server.
    Type: Grant
    Filed: September 26, 2017
    Date of Patent: September 25, 2018
    Assignee: International Business Machines Corporation
    Inventors: Emanuel Bronshtein, Roee Hay, Sagi Kedmi
  • Patent number: 10075428
    Abstract: A time check method and a base station are provided. The base station receives an authentication interaction message sent by an authentication interaction device; extracts time information in the authentication interaction message; and uses the time information to check local time. Before an Internet Key Exchange (IKE) connection is set up between the base station and a security gateway, relatively accurate time is obtained from an external authentication interaction device and is used for aligning the local time. Therefore, the cost of installing a clock component and a battery is saved, the time on the base station is trustworthy, and the security gateway is authenticated securely.
    Type: Grant
    Filed: February 5, 2015
    Date of Patent: September 11, 2018
    Assignee: Huawei Technologies Co., Ltd.
    Inventors: Weiwei Zhang, Guoliang Nie, Zhongyu Qin
  • Patent number: 10033694
    Abstract: The invention discloses a method and device for recognizing an IP address of a specified category, a defense method and system, wherein the method for recognizing an IP address of a specified category comprises the following steps: collecting behavior record data of several IP addresses (S101); extracting preprocessing data from the collected behavior record data, the extracted preprocessing data comprising at least address information of an IP address and time information of a behavior (S102); analyzing the extracted preprocessing data to obtain behavior-time distribution data of a user using the IP address (S103); and recognizing an IP address of a specified category at least according to the behavior-time distribution data of a user using the IP address (S104). By employing the invention, an IP address of a certain category can be located more accurately and the accuracy for recognizing an IP address is improved.
    Type: Grant
    Filed: August 18, 2014
    Date of Patent: July 24, 2018
    Assignee: BEIJING QIHOO TECHNOLOGY COMPANY LIMITED
    Inventors: Yanhui Wang, Sumei Wang
  • Patent number: 10027672
    Abstract: An access restriction device as well as an on-board communication system and a method for communication restriction, which prevent outside leakage of information caused by unauthorized access of malicious programs to an in-car network. The communication between the in-car network of the vehicle and an external device is performed by a security controller. The security controller can perform addition or update of a program involving processing for transmission and reception of the information. The security controller performs processing for restricting access to information of the in-car network performed by program execution according to an access authorization level of each program and an access permission level of each type of information. The security controller restricts the transmission depending on the access authorization level of each program and the access permission level of each type of information in case of transmitting the information to the in-car network by the program execution.
    Type: Grant
    Filed: January 17, 2014
    Date of Patent: July 17, 2018
    Assignees: AUTONETWORKS TECHNOLOGIES, LIMITED, SUMITOMO WIRING SYSTEMS, LIMITED, SUMITOMO ELECTRIC INDUSTRIES, LIMITED
    Inventors: Tetsuya Noda, Satoshi Horihata, Hiroshi Okada, Naoki Adachi
  • Patent number: 10013557
    Abstract: The disclosed embodiments include a method for disarming malicious code in a computer system having a processor. The method comprises accessing, by the computer system, input content, wherein the input content includes a plurality of data units having a value representing media content, and adjusting, by the processor, a data unit value of at least a portion of the data units, wherein the portion of the data units and an adjustment of the data unit value are determined so as to render any malicious code included in the plurality of data units inactive for its intended malicious purpose while not interfering with an intended use of the input content.
    Type: Grant
    Filed: February 24, 2017
    Date of Patent: July 3, 2018
    Assignee: VOTIRO CYBERSEC LTD.
    Inventors: Aviv Grafi, Itay Glick
  • Patent number: 10007801
    Abstract: Automatically generating audit logs is provided. Audit log statement insertion points are identified in components of an application based on a static code analysis identifying start and end operations on sensitive data in the components of the application. The application is instrumented with audit log statements at the audit log statement insertion points in the components of the application. Audit logs of monitored sensitive data activity events in the application are generated using the audit log statements at the audit log statement insertion points in the components of the application.
    Type: Grant
    Filed: April 22, 2016
    Date of Patent: June 26, 2018
    Assignee: International Business Machines Corporation
    Inventors: Suresh N. Chari, Ted A. Habeck, Ashish Kundu, Ian M. Molloy
  • Patent number: 10002144
    Abstract: A big data processing system includes a features permutations testing function that separates out from among a set of identified compound features, those compound feature permutations that have better capabilities for distinguishing between anomalies observed in respective multi-dimensional feature spaces having as their axes the features of the identified compound features.
    Type: Grant
    Filed: March 25, 2016
    Date of Patent: June 19, 2018
    Assignee: CA, INC.
    Inventors: Ye Chen, Yue Xiao, Chi Zhang
  • Patent number: 9992206
    Abstract: Techniques are described for providing enhanced security for electronic communications, such as by including in a message sent between two services a digital signature that is generated by using secret information known to the services, so that the recipient receives assurance regarding the sender's identity if the recipient can replicate the received digital signature using the secret information known to the recipient. In some situations, the enhanced security is used in communications to and/or from an access manager system that provides single sign-on functionality and other functionality to other services for use with those services' users, such as to prevent malicious phishers from inappropriately gaining access to user information. Various services may use the enhanced security techniques when interacting with the access manager system at various times, such as to initiate sign-on for a user and/or to take subsequent action on behalf of a signed-on user.
    Type: Grant
    Filed: December 28, 2015
    Date of Patent: June 5, 2018
    Assignee: Amazon Technologies, Inc.
    Inventor: Alan S. Geller
  • Patent number: 9948657
    Abstract: Methods, systems, and computer-readable media for providing an application store are presented. In some embodiments, a request for a software application may be received at an application store. Subsequently, the software application may be configured, at the application store, based on a single sign-on credential. The configured software application then may be provided, by the application store, to at least one recipient device associated with the single sign-on credential.
    Type: Grant
    Filed: June 22, 2016
    Date of Patent: April 17, 2018
    Assignee: Citrix Systems, Inc.
    Inventors: Kevin Batson, Richard Hayton
  • Patent number: 9936380
    Abstract: A client device is authenticated in a wireless local area network using a pairwise master key when the client device associates to a first access point. A set of neighbor devices to the client device is generated. The set includes less than a total number of access points in the wireless local area network. The pairwise master key is distributed to the neighbor devices such that the pairwise master key is not distributed to access points outside of the set of neighbor devices. Data representing the set of neighbor devices for the client device is maintained.
    Type: Grant
    Filed: December 22, 2014
    Date of Patent: April 3, 2018
    Assignee: Cisco Technology, Inc.
    Inventors: Karthikeyan Balasubramanian, V. S. Vinodh Kumar, Ashvin Lingam, Mubeesh Ali V. M.
  • Patent number: 9935953
    Abstract: Securely authenticating a user of a device for a service during a session including a transaction between a client and a connected server connected to a Behaviometric-server.
    Type: Grant
    Filed: June 15, 2016
    Date of Patent: April 3, 2018
    Assignee: BEHAVIOMETRICS AB
    Inventors: Neil Costigan, Ingo Deutschmann, Tony Libell, Johanna Skarpman Munter, Peder Nordström