Abstract: Aspects of the present invention disclose a method, computer program product, and system for management and usage of shared authentication credentials. The method includes one or more processors updating usage information associated with an authentication credential with a media access control address (MAC address) that corresponds to a computing device that corresponds to using the authentication credential. The method further includes one or more processors receiving a login request that includes the authentication credential from a computing device. The method further includes one or more processors fetching a MAC address of the computing device that sent the login request. The method further includes one or more processors validating the authentication credentials and the MAC address.

Abstract: Systems and methods are disclosed for cross-platform token exchange. One method comprises receiving a primary token exchange request from an upstream entity, generating an ancillary detokenization request based on the primary token exchange request, and transmitting the ancillary detokenization request to an input token vault. An ancillary detokenization response comprising sensitive data may then be received from the input token vault, and one or more ancillary tokenization requests may be generated based on the ancillary detokenization response and the primary token exchange request. The one or more ancillary tokenization requests may be transmitted to one or more output token vaults. Subsequently, one or more ancillary tokenization responses may be received from the one or more output token vaults, each ancillary tokenization response comprising an output token.

Abstract: Lawful intercept is supported by providing a network communications device target identifiers in encrypted form. Received encrypted target identifiers are stored in a non-volatile storage device. Before communications interception occurs, one or more encrypted target identifiers are loaded into active memory which is secure and not accessible by a network device operating system administrator. A decryption request is sent to a security device and the result loaded into the secure active memory. Plain text target identifier(s) returned by the security device are loaded directly into the active memory without being stored in the operating system administrator accessible storage device. In the case of a reset resulting in the contents of the active memory being lost, the active memory is repopulated by sending decryption requests using the stored encrypted target identifiers to indicate to the security device the target identifiers which need to be decrypted and reloaded into active memory.

Abstract: Methods and systems are described that secure application data being maintained in transient data buffers that are located in a memory that is freely accessible to other components, regardless as to whether those components have permission to access the application data. The system includes an application processor, a memory having a portion configured as a transient data buffer, a hardware unit, and a secure processor. The hardware unit accesses the transient data buffer during execution of an application at the application processor. The secure processor is configured to manage encryption of the transient data buffer as part of giving the hardware unit access to the transient data buffer.

Abstract: A system and technique for a Request Forwarder as for a computer network architecture is disclosed to provide selective access to one or more cloud services. In some implementations, a computer system may receive a request for access to a cloud service, the request including a container credential. The computer system may determine an identification of the container using the container credential. The computer system may verify that the container requesting access to the cloud service is authorized based at least in part on stored policies. Based at least in part on the determination that the container requesting access to the cloud service is authorized: receiving instance credential from a metadata service. The computer system may include the instance credential with the request. The computer system may send the request to the cloud service. In various examples, the Request Forwarder can be provided as a service.

Abstract: According to some example embodiments, a method for providing security to a storage device includes receiving, by the storage device, a public key via a network; sending, by the storage device, the received public key and a proposed configuration corresponding to the storage device to a security manager that resides in a control plane of the network; determining, by the security manager, whether the public key received from the storage device matches a private key available to the security manager; downloading, by the security manager, the proposed configuration to the storage device; determining, by the security manager, if the proposed configuration is successfully downloaded to the storage device; operating the storage device according to the downloaded configuration; and granting, by the security manager, a request to lease the storage device operating in the downloaded configuration for a time interval.

Abstract: The device capability model (DCM) sharing system disclosed herein includes one or more computer implemented instructions including receiving a request from a device for access to the DCM, generating a request to a token issuing authority to request a device identification token; evaluating the device identification token to determine the device's DCM access level; communicating the device identification token with the device's capability model access level to a DCM repository; receiving the DCM from the DCM repository; and providing the device an access to the DCM.

Abstract: An improved data storage system and apparatus including an improved storage controller that provides storage compute functionality that enables the acceleration of datacenter software, and that enables easier deployment of application software portions onto storage devices, in a manner that supports runtime performance acceleration of network-latency-throttled applications. Mechanisms and methods are provided for server hosted applications to initiate deployment of, initiate execution of, and interoperate with a multitude of softwares on a multitude of storage devices, where these softwares execute proximate to storage contents on the storage devices.

Abstract: A data dictionary generation system utilizes a background service that is programmed to automatically populate and update a data dictionary for listings offering shared data. A data dictionary includes metadata describing the shared data overall as well as the individual objects included in the listing, such as the individual tables, schemas, views, and functions. To generate the data dictionary, the data dictionary generation system analyzes the shared data to identify objects, identifies a set of data fields associated with each identified object and populates the set of data fields associated with each identified object based on the shared data offered by the listing. To ensure that a data dictionary for each listing remains up to date, the data dictionary generation system periodically scans the listings to identify any changes to share access granted to the listings.

Abstract: An enhanced device and method for anonymization also offering improved security properties of data exchanged bidirectionally between a client and a server in a communication network. A protocol in respect of data exchange between client and server which relies on a two-level third-party servers architecture as well as on a system for bidirectional communication between the client and the server through these two levels of third-party servers.

Abstract: Systems and methods are disclosed herein for a user to use a trusted device to provide sensitive information to an identity provider via QR (Quick Response) code for the identity provider to broker a website login or to collect information for the website. A user may securely transact with the website from unsecured devices by entering sensitive information into the trusted device. The identity provider may generate the QR code for display by the website on an unsecured device. A user running an application from the identity provider on the trusted device may scan the QR code to transmit the QR code to the identity provider. The identity provider may validate the QR code and may receive credential information to authenticate the user or may collect information for the website. Advantageously, the user may perform a safe login to the website from untrusted devices using the trusted device.

Abstract: Apparatus, systems and methods for providing a limited capabilities computer which may operate on a network and be controlled, monitored and/or administered by a central network authority such as a VDI server.

Abstract: Embodiments of a method for redirecting, by a network device, a host to a captive portal are disclosed. The method includes receiving an incoming frame originating from the host. The incoming frame has a payload specifying information associated with an external server. A user of the host has not been authenticated by the captive portal at a time when the incoming frame is received by the network device. The network device matches at least a portion of the incoming frame to a custom redirect rule of a unified access control list (ACL) implemented by the network device. In response to the matching, the network device forwards the incoming frame towards an internal redirection server executing on the network device. The network device receives a redirection frame from the internal redirection server. The payload of the redirection frame is generated by the internal redirection server using at least a portion of the incoming frame. The redirection frame is transmitted towards the host.

Abstract: Carrier secure communications are provided by receiving, by a service provider device from an application interacting with a user device over a carrier network, an encrypted first request for user information. The carrier network intercepted a first request from the application based on a service provider identifier in the first request, and encrypted the first request to provide the network carrier encrypted first request to the service provider device. The service provider device may decrypt the encrypted first request to provide the first request and process the first request. The first request may include a carrier injected header that includes information about the user and/or user device that provided the first request. The information in the injected header may be used by the service provider device in processing the first request such as retrieving secure information without user credentials or storing data provided in the first request.

Abstract: In one aspect, the present disclosure provides a system and method for distributed data storage and delivery using blockchain. For example, a file can be received from a participant and split into constituent files. A hash value for the received file and each of the constituent files can be generated, and the constituent files can be encrypted using one or more predetermined or user selected encryption keys. The encrypted files can be stored in at least one storage location. Upon receiving a file retrieval request, each file of the plurality of encrypted files can be retrieved and decrypted using the one or more predetermined or user selected encryption keys. A hash value for each decrypted file can be generated and compared to hash values for the corresponding files of the plurality of constituent files, or a hash value for the recombined constituent files can be generated and compared to the hash value for the original file. Other aspects also are described.

Abstract: A key management system includes a managed system coupled to a management system through a network. The managed system includes managed device locking subsystem(s) coupled to a managed device and a key storage. The managed device locking subsystem(s) retrieve, through the network from the management system, a managed device locking key that is configured to unlock the managed device. The managed device locking subsystem(s) then encrypt the managed device locking key to provide an encrypted managed device locking key, and store the encrypted managed device locking key in the key storage. Subsequent to storing the encrypted managed device locking key, the managed device locking subsystem(s) retrieve the encrypted managed device locking key from the key storage, and decrypt the encrypted managed device locking key to provide a decrypted managed device locking key. The managed device locking subsystem(s) then use the decrypted managed device locking key to unlock the managed device.

Abstract: A coordinating network element manages a protocol that makes attestations of off-platform-resolved data and decisions available for use on a blockchain platform or on another decentralized-execution-based platform operational within a multi-tenant environment. By one approach, these teachings provide for off-platform-verified data pertaining to individual-, group- or machine-based users to be blinded from access by the coordinating network element and by the platform while utilizing a tokenized form of such data to enable user-initiated queries that involve solely on-platform vetting of users as a condition of fulfilling user requests for service.

Abstract: Memory devices, systems including memory devices, and methods of operating memory devices are described, in which security locks are implemented to control access to secure functions of the memory devices. In one embodiment, the memory device detects a predetermined signal directed to the memory device. The predetermined signals may include one or more commands directed to the memory device, an operating parameter of the memory device, or both. The memory device may track instances of the predetermined signals to compare with a threshold stored in the memory device. If the memory device determines that the predetermined signals satisfy the threshold, the memory device prohibits access to the secure functions.

Abstract: A method includes enabling, by a tethering device that is tethered to a tethered device, a firewall to redirect network traffic from the tethered device to an authentication application executing on the tethering device. The method also includes receiving, by the tethering device from the tethered device, a user certificate of the tethered device during an authentication process. The method further includes verifying, by the tethering device, the user certificate of the tethered device using a certificate authority (CA) certificate of the tethered device that is installed on the tethering device. In addition, the method includes, in response to successful verification of the user certificate of the tethered device, disabling the firewall to allow the network traffic to and from the tethered device.

Abstract: A communication device provides secure inter-device authentication that ensures certainty of processes. The communication device includes a control section configured to execute a process related to transmission or reception of a first authentication signal and a second authentication signal that are necessary for a first authentication process for authentication between the communication device and another communication device. The control section further controls a second authentication process for different authentication from the first authentication process, and starts a process related to transmission or reception of first information that is necessary for the second authentication process after transmission or reception of the second authentication signal.