Patents Issued on April 13, 2017
  • Publication number: 20170104716
    Abstract: Systems and methods configuring a process that uses IPv4 communication without associating the IPv4 process with an IP loopback address are disclosed. Embodiments may include receiving a message to configure an IPv4 process. Embodiments may also include determining if a configuration parameter associated with the received message is set to indicate that one or more default IP loopback addresses are to be used as IP loopback addresses to associate with the IPv4 process. Embodiments may further include completing the configuration of the IPv4 process without associating an IP loopback address with the IPv4 process when the configuration parameter is determined to not be set to indicate that one or more default IP loopback addresses are to be used as IP loopback addresses to associate with the IPv4 process.
    Type: Application
    Filed: October 8, 2015
    Publication date: April 13, 2017
    Applicant: UNISYS CORPORATION
    Inventors: Mark V. Deisinger, Robert L. Bergerson
  • Publication number: 20170104717
    Abstract: A method is provided, comprising configuring a first internet protocol address and a second internet protocol address different from the first internet protocol address for a connection between an apparatus performing the method and a packet data network; assigning the first internet protocol address to a first data path for the connection and assigning the second internet protocol address to a second data path for the connection, wherein at least a part of the first data path belongs to a radio access technology; at least a part of the second data path belongs to the radio access technology; and the part of the first data path is different from the part of the second data path.
    Type: Application
    Filed: June 2, 2014
    Publication date: April 13, 2017
    Inventors: Seppo Ilmari VESTERINEN, Mika Petri Olavi RINNE, Matti Einari LAITILA
  • Publication number: 20170104718
    Abstract: A first computing system may identify a security threat located at least at a first virtual server. The first virtual server may be within a second computing system. The first computing system may provision, in response to the identifying, a first firewall associated with the first virtual server. The first firewall may include a rule to deny all communication transmitted from the first virtual server. The first computing system may execute, in response to the provisioning, a first repair operation to repair the first virtual server.
    Type: Application
    Filed: October 9, 2015
    Publication date: April 13, 2017
    Inventors: Rafael C. S. Folco, Plinio A. S. Freire, Breno H. Leitao, Tiago N. d. Santos
  • Publication number: 20170104719
    Abstract: A method communicates between secured computer systems in a computer network infrastructure. Data packets are transmitted between a plurality from a group of processing computer systems, wherein such a transmission is performed by at least one broker computer system. The data packets are advantageously routed via at least one relay system connected upstream or downstream of the broker computer system in a transmission path of the data packets. All from the group of processing computer systems keep predetermined network ports at least temporarily closed so that access to a respective processing computer system via a network by the network ports is prevented. The relay system keeps predetermined network ports closed at least to the broker computer system, which has the relay system connected downstream so that access to the relay system via a network by the network ports is prevented.
    Type: Application
    Filed: June 1, 2015
    Publication date: April 13, 2017
    Inventor: Heinz-Josef Claes
  • Publication number: 20170104720
    Abstract: A method of defining distributed firewall rules in a group of datacenters is provided. Each datacenter includes a group of data compute nodes (DCNs). The method sends a set of security tags from a particular datacenter to other datacenters. The method, at each datacenter, associates a unique identifier of one or more DCNs of the datacenter to each security tag. The method associates one or more security tags to each of a set of security groups at the particular datacenter and defines a set of distributed firewall rules at the particular datacenter based on the security tags. The method sends the set of distributed firewall rules from the particular datacenter to other datacenters. The method, at each datacenter, translates the firewall rules by mapping the unique identifier of each DCN in a distributed firewall rule to a corresponding static address associated with the DCN.
    Type: Application
    Filed: December 21, 2016
    Publication date: April 13, 2017
    Inventors: Kaushal Bansal, Uday Masurekar
  • Publication number: 20170104721
    Abstract: Disclosed are various embodiments for malware detection by way of proxy servers. In one embodiment, a proxied request for a network resource from a network site is received from a client device by a proxy server application. The proxied request is analyzed to determine whether the proxied request includes protected information transmitted in an unsecured manner. It is then determined whether the network resource comprises malware based at least in part on an execution of the network resource or whether the proxied request includes the protected information transmitted in the unsecured manner. The proxy server application refrains from sending data generated by the network resource to the client device in response to the proxied request when the network resource is determined to comprise the malware.
    Type: Application
    Filed: December 22, 2016
    Publication date: April 13, 2017
    Inventors: JON ARRON MCCLINTOCK, JESPER MIKAEL JOHANSSON, ANDREW JAY ROTHS
  • Publication number: 20170104722
    Abstract: A network security device (NSD) is connected between a network and an endpoint device configured to host a client application. The client application communicates with the network through the network security device using a request-response protocol. The NSD receives from the client application a request destined for the network and that seeks a response from the network. The request has a context header including context information about the client application. The NSD determines whether the client application or a file accessed thereby has a suspicious nature based on the context information. If it is determined that the client application or the file accessed thereby has a suspicious nature, the NSD blocks the request from the network, and sends to the client application a response indicating the block.
    Type: Application
    Filed: October 7, 2015
    Publication date: April 13, 2017
    Inventors: Vincent E. Parla, Hari Shankar, Constantinos Kleopa, Venkatesh N. Gautam, Gerald N.A. Selvam
  • Publication number: 20170104723
    Abstract: Decoding a partially encrypted data stream may include receiving and scanning the partially encrypted data stream. Scanning the partially encrypted data stream may include identifying an encrypted portion sentinel in the partially encrypted data stream subsequent to a first portion, identifying an encrypted portion in the partially encrypted data stream subsequent to the encrypted portion sentinel, and generating a decrypted data portion by decrypting the encrypted portion. Decrypting the encrypted portion may include identifying an encrypted data portion in the encrypted portion, the encrypted data portion omitting an end encrypted portion sentinel, decrypting the encrypted data portion, and identifying an end encrypted portion sentinel in the encrypted portion subsequent to the encrypted data portion.
    Type: Application
    Filed: June 23, 2016
    Publication date: April 13, 2017
    Inventor: Norris Merritt
  • Publication number: 20170104724
    Abstract: There is provided a method for use by a client device having a client address in a network for communication with a host device having a host address in the network. The method includes retrieving a first subset of a plurality of images, displaying the first subset of the plurality of images, receiving a selection of a second subset of the first subset of the plurality of images from a user of the client device, determining a number based on the second subset of the first subset of the plurality of images, replacing a portion of the client address with the number to obtain the host address, and connecting to the host device using the host address obtained by the replacing of the portion of the client address with the number.
    Type: Application
    Filed: October 9, 2015
    Publication date: April 13, 2017
    Inventors: Taylor Hellam, Justin Patterson, Fred Agourian, Mohammad Poswal, Dario Di Zanni
  • Publication number: 20170104725
    Abstract: A computer-implemented method of obfuscating communication traffic patterns may include detecting, at a first communications device, data communication sessions with a second communications device via the computer server using a network protocol. At the first device, a first traffic pattern is accessed based on the data communication sessions over a first predefined time period. At the first communications device, a second traffic pattern is accessed based on the data communication sessions over a second predefined time period that occurs after the first predefined time period. At the first communications device, based on a randomization process, a dummy data communication pattern is generated for transmission to the second communication devices, whereby the dummy data communication pattern is appended to the second traffic pattern for obfuscating a traffic pattern change between the first and the second traffic pattern at the computer server used to establish the communication sessions.
    Type: Application
    Filed: October 7, 2015
    Publication date: April 13, 2017
    Inventors: Arup Acharya, Ashish Kundu
  • Publication number: 20170104726
    Abstract: A method for managing unlinkable database user identifiers includes distributing to a first database a first encrypted user identifier, a first database identifier, and a first database user identifier; distributing to a second database a second encrypted user identifier, a second database identifier, and a second database user identifier; receiving from the first database a third encryption and a fourth encryption, the third encryption being formed from the first encrypted user identifier, the second database identifier, and a message comprised in the fourth encryption; decrypting the third encryption thereby obtaining a decrypted value; deriving a blinded user identifier from the decrypted value; and sending the encrypted blinded user identifier and the fourth encrypted value to the second server thereby enabling the second server to compute the second database user identifier from the encrypted blinded database user identifier and the decrypted fourth encrypted value.
    Type: Application
    Filed: December 6, 2016
    Publication date: April 13, 2017
    Inventors: Jan L. Camenisch, Anja Lehmann
  • Publication number: 20170104727
    Abstract: A method of a mesh network is disclosed. The method comprises generating by a source node a random token to be comprised in a query packet comprising a query for a destination node; transmitting the query packet comprising the random token, a source ID and the query to the destination node through a relay node; receiving at the destination node the query packet; adding, by the destination node, the random token to a response packet for the source node; and transmitting the response packet comprising the random token to the source node through the relay node. Also disclosed are arrangements for a source node, relay node and destination node, as well as a mesh network.
    Type: Application
    Filed: January 18, 2016
    Publication date: April 13, 2017
    Inventors: Christoffer Jerkeby, Ian Kumlien
  • Publication number: 20170104728
    Abstract: A data acquisition platform in which self-configuring devices communicate with a database through an intermediate wireless access point. The database may store data acquired by and uploaded from self-configuring devices and store information that may be downloaded to self-configuring devices and used to self-configure. In a fleet management embodiment, self-configuring devices include OBD data capture devices installed in a motor vehicle that is part of an entity's vehicle fleet. The platform may support an auto-connect feature in which wireless network access information needed by self-configuring devices to log in to a wireless LAN is encrypted and wirelessly broadcast by the access point. The network identifier may comply with a formatting protocol that enables self-configuring devices to recognize encrypted network identifiers. In WiFi embodiments, the network identifier may be an encrypted SSID or an SSID that includes unencrypted and encrypted parts.
    Type: Application
    Filed: March 17, 2016
    Publication date: April 13, 2017
    Applicant: E.J. Ward, Inc.
    Inventors: David Thayer Girard, Markay Rene Ward, Edward John Kotzur
  • Publication number: 20170104729
    Abstract: Methods and systems are provided for selectable data transmissions. An electronic key may be assigned to authenticated data associated with a particular user, electronic data may be encrypted, using at least part of the electronic key, to generate encrypted data, and a program code that must be executed to decrypt the encrypted data may be incorporated into the encrypted data. The encrypted data may be transmitted to a communications terminal identified by the user, and at least part of the electronic key may be transmitted to the communications terminal to cause decrypting of the encrypted data using the at least part of the electronic key. The program code may be configured to cause checking of one or more validation criteria associated with the encrypted data, at the communications terminal, during execution of the program code.
    Type: Application
    Filed: October 24, 2016
    Publication date: April 13, 2017
    Inventors: Marc Danzeisen, Simon Winiker, Jan Linder, Florian Baumgartner
  • Publication number: 20170104730
    Abstract: Systems and methods for decryption of payloads are disclosed herein. In various embodiments, systems and methods herein are configured for decrypting thousands of transactions per second. Further, in particular embodiments, the systems and methods herein are scalable, such that many thousands of transactions can be processed per second upon replicating particular architectural components.
    Type: Application
    Filed: December 21, 2016
    Publication date: April 13, 2017
    Inventors: Timothy William Barnett, Alexander I. Kasatkin, Christopher Hozumi Miyata, Daniel Ruehle
  • Publication number: 20170104731
    Abstract: A non-transitory computer-readable storage medium comprising instructions stored thereon. When executed by at least one processor, the instructions may be configured to cause a computing system to at least receive a message, the message including a header, an encrypted symmetric key, and an encrypted body, decrypt the encrypted symmetric key using a private key to generate a decrypted symmetric key, decrypt the encrypted body using the decrypted symmetric key to generate a decrypted body, and store the header, the decrypted symmetric key, and the decrypted body in long-term storage.
    Type: Application
    Filed: October 13, 2015
    Publication date: April 13, 2017
    Inventors: Laetitia Baudoin, Brian Goodman
  • Publication number: 20170104732
    Abstract: An electronic circuit (200) includes one or more programmable control-plane engines (410, 460) operable to process packet header information and form at least one command, one or more programmable data-plane engines (310, 320, 370) selectively operable for at least one of a plurality of cryptographic processes selectable in response to the at least one command, and a programmable host processor (100) coupled to such a data-plane engine (310) and such a control-plane engine (410). Other processors, circuits, devices and systems and processes for their operation and manufacture are disclosed.
    Type: Application
    Filed: December 21, 2016
    Publication date: April 13, 2017
    Inventors: Amritpal Singh Mundra, Denis Roland Beaudoin
  • Publication number: 20170104733
    Abstract: Techniques and mechanisms to exchange sensor information between devices. In one embodiment, sensor data and corresponding metadata are stored, respectively, to a first buffer and a second buffer of a first device that is coupled to a host device via a hardware interface of the first device and a serial bus. The sensor data and metadata are communicated to the host using a protocol that is compatible with a bidirectional, serial command interface standard. Communication of sensor information between the devices is according to a priority of the second buffer over the first buffer. In another embodiment, the metadata includes a token indicating to the host device a risk of sensor data being overwritten at the first buffer or a risk of the first buffer being starved of sensor data.
    Type: Application
    Filed: March 30, 2016
    Publication date: April 13, 2017
    Inventor: Haran Thanigasalam
  • Publication number: 20170104734
    Abstract: A method for communication between femto access points (APs) and a femto AP is presented. The method includes creating, by a first femto AP with a key server (KS), a first tunnel between the first femto AP and the KS, and downloading, by the first femto AP, a key as a first key and an access control list (ACL) from the KS through the first tunnel, wherein the ACL is configured to indicate a data flow access rule between the first femto AP and a second femto AP; encrypting, by the first femto AP, first data using the first key to obtain encrypted first data, and sending the encrypted first data to the second femto AP according to the data flow access rule indicated by the ACL, so that the second femto AP decrypts the encrypted first data using a second key.
    Type: Application
    Filed: December 16, 2016
    Publication date: April 13, 2017
    Inventors: Dharmanandana Reddy Pothula, Chi Zhang
  • Publication number: 20170104735
    Abstract: Methods and systems for facilitating exchanges of keys between individuals across multiple locations are provided. Each key set is assigned a unique key identifier. The key identifier is encoded on a key chain attached to the key set. A key set is picked up or dropped off at a key exchange center and is scanned to read the key identifier. The key identifier is relayed to a key exchange server which tracks key locations. The key exchange server verifies that an individual is authorized to pick up a key set and provides instructions to a device at the key exchange center to enable access to the key set. The key exchange server coordinates drop-off of a key set by updating the key location associated with the key identifier at drop-off and providing instructions to a device at the key exchange center for storage of the key set.
    Type: Application
    Filed: December 20, 2016
    Publication date: April 13, 2017
    Inventors: Clayton Carter Brown, Jason Robert Crabb
  • Publication number: 20170104736
    Abstract: A method for secure data storage in a cloud storage infrastructure comprises providing a set of first upload files to be stored in the cloud storage infrastructure, providing a set of first random noise files, splitting each file of the two sets into a group of fragments, recombining the fragments by randomly intermixing fragments from different groups thus generating a set of second upload files, encrypting each second upload file with a first encryption key and storing each first encryption key in a secure storage location, storing reconstruction information about the set of first upload files, the splitting, the recombining and the first encryption keys in the secure storage location, uploading each second upload file to a respective temporary cloud storage location, repeatedly moving each uploaded second upload file to a new temporary cloud storage location in predetermined intervals of time.
    Type: Application
    Filed: October 12, 2015
    Publication date: April 13, 2017
    Inventors: Matthias Seul, Artemiy A. Solyakov
  • Publication number: 20170104737
    Abstract: Management of user profiles in a cloud-based service environment is provided. Upon completion of a profile change such as a password change, password creation, or account deletion for a user, an administrator (or user with administrator privileges) may be presented with an option to provide the changed or created password, or other information, directly to the user through messaging, thus avoiding a multi-layered and/or manual process of the administrator copying the information to a message and sending it to the user. The message may be a text message, audio message, or video message.
    Type: Application
    Filed: September 23, 2016
    Publication date: April 13, 2017
    Applicant: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Ankit Choudhari, Dina So
  • Publication number: 20170104738
    Abstract: A method and apparatus are provided for protecting security credentials (e.g., username/password combinations) and/or other sensitive data in a “password vault.” A password vault device may be or may be incorporated into a portable (or even wearable) electronic device, such as a smart phone, smart watch, smart glasses, etc. When a security credential is requested during a user's operation of the password vault device or some other computing/communication device, such as when the user is accessing an online site or service via a browser program, the request is passed to the password vault, and the appropriate security credential is retrieved, delivered, and entered into the requesting interface.
    Type: Application
    Filed: December 21, 2016
    Publication date: April 13, 2017
    Inventor: Wendell D. Brown
  • Publication number: 20170104739
    Abstract: The present invention relates to a method to manage a One Time Password key, referenced OTP key, used in an OTP algorithm in a user device having access to an unsafe storage including the steps of retrieving a Personal Identification Number, named PIN, of a user of the user device, deriving a symmetric key from the PIN, encrypting the OTP key using the derived symmetric key, storing the encrypted OTP key in the unsafe storage, decrypting the OTP key using the derived symmetric key, and generating a next OTP key using an incremental parameter, wherein the start value of the incremental parameter of the OTP key generation is random.
    Type: Application
    Filed: March 25, 2015
    Publication date: April 13, 2017
    Applicant: GEMALTO SA
    Inventors: Martin LANSLER, Sébastien PETIT, Guillaume PIERQUIN
  • Publication number: 20170104740
    Abstract: In an approach to user authorization by mobile-optimized CAPTCHA, a computing device detects information suggesting a risk level. The computing device displays one or more prompts based on the risk level. The computing device receives a user response in the form of touchless, gesture-based input. The computing device makes a CAPTCHA determination based on the user response.
    Type: Application
    Filed: October 7, 2015
    Publication date: April 13, 2017
    Inventors: Jeffrey R. Hoy, Sreekanth R. Iyer, Kaushal K. Kapadia, Ravi Krishnan Muthukrishnan, Nataraj Nagaratnam
  • Publication number: 20170104741
    Abstract: The present disclosure relates to a method, apparatus and system for providing and for performing remote authentication of a user. The apparatus may include a transceiver to establish a communication link with a remotely located device operated by a user and to receive a request from the user that requires user-authentication while communicating via the communication link, and a controller to automatically determine a user-authentication technique from among a plurality of user-authentication techniques based on the request from the user that requires user-authentication. The transceiver transmits, to the remotely located device, a command requiring that the user perform user-authentication on the remotely located device using the automatically determined user-authentication technique prior to the controller processing the written request from the user.
    Type: Application
    Filed: October 7, 2015
    Publication date: April 13, 2017
    Inventor: Ali Sadr
  • Publication number: 20170104742
    Abstract: A JBoss application may allow for a distributed application hosted on a JBoss application server to connect to a hierarchical type database. Additionally, the JBoss application may communicate via IMS Connect and Open Database Manager Common Service Layers in order to retrieve the data from the IMS databases. A Java framework may be installed on the JBoss application server.
    Type: Application
    Filed: October 12, 2015
    Publication date: April 13, 2017
    Applicant: American Express Travel Related Services Company, Inc.
    Inventors: MANLI CHAN, TAPAN GANGULY, CHANDLER C. HELMUTH, CELIA S. HIBBERT NELSON, GABRIEL A. JIMENEZ
  • Publication number: 20170104743
    Abstract: An example computer implemented method to create an authenticated server view includes sending a client secret to an online-synchronized content management system and receiving an authentication key. The example method can then include generating a server view of the online-synchronized content management system using instantiation data. The instantiation data can include a resource address and the authentication key. The server view can be configured to request server elements from the online-synchronized content management system using the instantiation data and render the server elements.
    Type: Application
    Filed: October 13, 2015
    Publication date: April 13, 2017
    Inventors: Maxime Larabie-Belanger, Sang Tian, Joshua Kaplan, Eduardo Escardo Raffo
  • Publication number: 20170104744
    Abstract: The present disclosure presents a method and apparatus for processing an authentication request message in a social network. In order to resolve the problems of the inefficiency in confirming request to establish social relationship by a user and inadequacy of parameter provided for authentication under existing technologies, the present disclosure provides a method. The method includes: receiving, by a social network server, the authentication request message sent by a first client to a second client to establish a social relationship with the second client; determining, by the social network server, a relationship chain information indicative of an indirect social network relationship between the first client and the second client; and forwarding, by the social network server, the authentication request message and the obtained relationship chain information to the second client, the relationship chain information being used by the second client to authenticate the authentication request message.
    Type: Application
    Filed: December 22, 2016
    Publication date: April 13, 2017
    Inventors: Jun Ye, Jianxiang Mo
  • Publication number: 20170104745
    Abstract: A system of n ≥ 2 servers is provided. The server system comprises an access control server for communication with user computers via a network and controlling access by the user computers to a resource in dependence on authentication of user passwords associated with respective user IDs, and a set of authentication servers for communication with the access control server via the network. In this system, at least each authentication server stores a respective key-share Ki of a secret key K which is shared between a plurality of the n servers. The access control server is adapted, in response to receipt from a user computer of a user ID and an input password, to produce a hash value h via a first hash function operating on the input password. The access control server blinds the hash value h to produce a blinded hash value u, and sends the blinded hash value u via the network to at least a subset of the set of authentication servers.
    Type: Application
    Filed: October 8, 2015
    Publication date: April 13, 2017
    Inventors: Jan Camenisch, Anja Lehmann, Gregory Neven
  • Publication number: 20170104746
    Abstract: Systems and methods of securely storing and retrieving data are disclosed. A database may include a table of data with rows and columns, encrypted at rest. The data may be desired to be accessed by users. However, each user may have different access permissions, and each row or column may have different characteristics, such as encryption, data type, and/or the like. As such, access to the data may be controlled according to the characteristics of the data, the access permissions of the user, and/or the encryption of the data.
    Type: Application
    Filed: December 14, 2015
    Publication date: April 13, 2017
    Applicant: American Express Travel Related Services Company, Inc.
    Inventors: ASHOK K. NAIR, SASTRY DURVASULA, KEVIN L. MURRAY, SULABH SHUKLA
  • Publication number: 20170104747
    Abstract: A method of enabling applications to reference user information is provided, including receiving a request for a user identifier that references a user of the application and sending a second request for the user identifier to a server. The second request may include a second user identifier that references the user and a second authentication token for the second user identifier. Furthermore, the second user identifier and the second authentication token are not accessible by the user. The method includes receiving the user identifier and an authentication token for the user identifier, the user identifier corresponding to the second user identifier, and providing the user identifier and the authentication token to the application. A method of enabling an application to identify users associated with a user of the application is also provided; the method may include receiving, from the server, user identifiers that reference one or more users scoped to the application.
    Type: Application
    Filed: October 19, 2016
    Publication date: April 13, 2017
    Inventors: Derrick S. HUHN, Jeremy M. WERNER, Amol V. PATTEKAR
  • Publication number: 20170104748
    Abstract: Provided is a system and method for managing network access with a Certificate having a Soft Expiration. The system includes an authentication hardware system structured and arranged to receive from a User, by way of a first device having at least one processor, a request for certificate based network access, the request including a Certificate having a Soft Expiration Date. A validation hardware system having at least one processor and being in communication with the authentication hardware system is structured and arranged to receive a request for validation of the Certificate, the validation hardware system evaluating the Certificate having the Soft Expiration Date against a current date by querying a Certificate invalidity source to provide a positive or negative evaluation of the Certificate. In response to a positive evaluation of the soft expiration date against the current date, the authentication hardware system permits certificate based network access to the user's first device.
    Type: Application
    Filed: October 13, 2015
    Publication date: April 13, 2017
    Inventor: Kevin Lee Koster
  • Publication number: 20170104749
    Abstract: Provided is a system and method for managing certificate based secure network access based on a buffer period prior to the expiration of the Certificate. The system includes an authentication hardware system structured and arranged to receive from a User, by way of a first device having at least one processor, a request for certificate based network access, the request including a Certificate having a lifespan incorporating a buffer period. A validation hardware system having at least one processor and being in communication with the authentication hardware system is structured and arranged to receive a request for validation of the Certificate, the validation hardware system evaluating the Certificate having a lifespan incorporating the buffer period against a current date to provide a positive or negative evaluation of the Certificate. In response to a positive evaluation of the buffer period against the current date, the Certificate is validated and the user is provided certificate based network access.
    Type: Application
    Filed: October 13, 2015
    Publication date: April 13, 2017
    Inventor: KEVIN LEE KOSTER
  • Publication number: 20170104750
    Abstract: Methods are provided for instantiating multiple electronic subscriber identity modules (eSIMs) to an electronic universal integrated circuit card (eUICC) using a manufacturer-installed data binary large object (data blob). An eSIM package including the data blob in encrypted form is securely installed in the eUICC in a manufacturing environment. A key encryption key (KEK) associated with the eSIM package is separately provided to an original equipment manufacturer (OEM) wireless device factory. The OEM wireless device factory provides the KEK to the eUICC within a given wireless device. The eUICC uses the KEK to decrypt the eSIM package and provide the data blob. The eUICC can receive a request to instantiate a first eSIM. The eUICC can instantiate the first eSIM using data from the data blob. A user can then access network services using the wireless device. Subsequently, a second eSIM can be instantiated by the eUICC using the data blob.
    Type: Application
    Filed: October 6, 2016
    Publication date: April 13, 2017
    Inventors: Li LI, Arun G. MATHIAS
  • Publication number: 20170104751
    Abstract: A self-authenticating chip includes first and second memory regions storing, respectively, first and second authentication codes. The second memory region is adapted to be unreadable and unmodifiable by the chip or a chip reader. The chip also includes a comparator for providing an indicator of whether given input matches the second authentication code. The chip also includes an authentication circuit that is operable to read the first authentication code from the first memory region, present the first authentication code to the comparator, and in response to receiving an indicator from the comparator indicating that the first and second authentication codes match, unlock at least one of (i) a communication interface of the chip to allow data to be transmitted therethrough to a chip reader and (ii) a third memory region of the chip to allow data to be read therefrom.
    Type: Application
    Filed: December 16, 2016
    Publication date: April 13, 2017
    Inventors: Dennis Bernard Van Kerrebroeck, Craig Michael Horn, Bernard Marie-Andre Van Kerrebroeck
  • Publication number: 20170104752
    Abstract: A method of processing a ciphertext, the method includes: acquiring a part of a plurality of encrypted elements included in the ciphertext, each of the plurality of encrypted elements being an encrypted element in which values of a plurality of elements in a multidimensional determination target vector are respectively encrypted by homomorphic encryption; decrypting the acquired part of the plurality of encrypted elements; and determining validity of the determination target vector based on a relationship between at least one value obtained by the decrypting and both of 0 and 1.
    Type: Application
    Filed: October 3, 2016
    Publication date: April 13, 2017
    Applicant: FUJITSU LIMITED
    Inventors: Yumi Sakemi, Ikuya Morikawa
  • Publication number: 20170104753
    Abstract: Embodiments are provided for mutually authenticating a pair of electronic devices. According to certain aspects, the electronic devices may connect to each other via an out-of-band communication channel. The electronic devices may each output audio signals and detect audio signals output by the other electronic devices. Based on timestamps associated with audio output and detection events, each of the electronic devices may calculate relevant time and distance parameters, and transmit the calculated parameters to the other electronic device via the out-of-band communication channel. The electronic devices may compare the calculated parameters to determine mutual authentication.
    Type: Application
    Filed: December 21, 2016
    Publication date: April 13, 2017
    Inventors: Michael Daley, Peiter Zatko, Deepak Chandra
  • Publication number: 20170104754
    Abstract: A system for securely providing a mobile device application on a mobile device access to a fleet operator datacenter for the mobile device application to obtain fleet data therefrom for use by a mobile device user. A verification server facilitates one or more fleet operator datacenters to authenticate a mobile device user, via configurable authentication requirements, before a mobile device user is able to communicate directly with the fleet operator datacenter.
    Type: Application
    Filed: October 12, 2015
    Publication date: April 13, 2017
    Inventor: Richard Brickel
  • Publication number: 20170104755
    Abstract: In one embodiment, a request may be received from a first cloud network of a hybrid cloud environment to transmit data to a second cloud network of the hybrid cloud environment, wherein the request can include a security profile related to the data. The security profile may be automatically analyzed to determine access permissions related to the data. Based at least in part on the access permissions, the data can be allowed access to the second cloud network.
    Type: Application
    Filed: October 13, 2015
    Publication date: April 13, 2017
    Inventors: Mauricio Arregoces, Nagaraj Bagepalli, Subramanian Chandrasekaran
  • Publication number: 20170104756
    Abstract: A plurality of users connect to an application, sending requests over a transport and receiving responses from the application that contain sensitive data. For each user request, the application runs one or more data requests and commands against various data sources or other information systems, which return the sensitive data. The application then processes the data and returns it to the user, either as is or processed according to some business logic. The application includes a run-time environment where the application logic is executed.
    Type: Application
    Filed: October 13, 2016
    Publication date: April 13, 2017
    Inventors: Alon ROSENTHAL, Dotan ADLER
  • Publication number: 20170104757
    Abstract: Embodiments of the present invention include a method for providing a secure domain name system (DNS) for machine to machine communications. In one embodiment, the method includes storing policy information for machine to machine communications in a global DNS registry database server. The method further includes communicating the policy information for machine to machine communications from the global DNS registry database server to a machine DNS registry server located in an Internet service provider (ISP) network, wherein a control signaling gateway located in the ISP network is configured to utilize the policy information for machine to machine communications to allow only registered controllers associated with a machine to communicate with the machine.
    Type: Application
    Filed: December 20, 2016
    Publication date: April 13, 2017
    Inventor: Michael K. Bugenhagen
  • Publication number: 20170104758
    Abstract: The present invention pertains to the field of Internet technologies, and discloses a method for establishing a network connection. The method includes: establishing a user plane connection to a terminal, where the terminal accesses a first WLAN; receiving, by using the established user plane connection, a connection selection request sent by the terminal, where the connection selection request includes connection selection information; determining, according to the connection selection information in the connection selection request, a service network selected by the terminal; and establishing a connection between the terminal and the service network selected by the terminal. In this way, the terminal can connect to different service networks, so that a network connection manner becomes more flexible, interaction between the terminal and a gateway is simplified, and a network connection range is expanded.
    Type: Application
    Filed: December 22, 2016
    Publication date: April 13, 2017
    Applicant: HUAWEI TECHNOLOGIES CO., LTD.
    Inventor: Weisheng JIN
  • Publication number: 20170104759
    Abstract: In an approach to data protection and sharing, a computer retrieves social network data of a first user, and obtains a relationship grade between the first user and a second user, and a level associated with the personal data of the first user. Then it is determined whether the second user qualifies to access the personal data of the first user, based, at least in part, on the relationship grade and the level associated with the personal data. If it is determined that the second user qualifies to access the personal data of the first user, the second user is permitted to access the personal data.
    Type: Application
    Filed: October 9, 2015
    Publication date: April 13, 2017
    Inventors: Chen Li, Xiran Li, Graham A. Watts, Wei Wu
  • Publication number: 20170104760
    Abstract: A span of responsibility access control system for use in plant process management and similar applications. The system leverages span-of-responsibility enabled user accounts and corresponding resource properties to assign, verify, and control access to assets and other resources in the plant process management system on a per user basis. Aspects of the system include configuration of properties for each monitored or controlled asset and association of a span of responsibility based on asset properties, such as asset type and location, with a user account. An access control module compares asset properties to the span of responsibility associated with the user account to determine whether the user is entitled to access any given asset, independent of determining permissions to act on such asset.
    Type: Application
    Filed: August 17, 2016
    Publication date: April 13, 2017
    Applicant: Computational Systems, Inc.
    Inventors: Christopher G. Hilemon, Anthony J. Hayzen, Trevor D. Schleiss, Manikandan Janardhanan
  • Publication number: 20170104761
    Abstract: A system, method, and computer-readable medium for performing an authentication operation comprising: identifying a plurality of user devices associated with a user of an information handling system; determining when at least some of the plurality of user devices are within a predetermined range of the information handling system; and, authenticating the user as an authorized user of the information handling system when at least some of the plurality of user devices are within the predetermined range of the information handling system.
    Type: Application
    Filed: October 7, 2015
    Publication date: April 13, 2017
    Applicant: Dell Software, Inc.
    Inventors: Jake Seigel, Sohail Ali, Derek Jury
  • Publication number: 20170104762
    Abstract: A computing device may parse a file into a plurality of nodes. The computing device may associate, based on the parsing, at least a first encryption policy with a first node of the plurality of nodes. The computing device may associate, based on the parsing, at least a second encryption policy with a second node of the plurality of nodes. Data may be encrypted, based on the associating at least the first encryption policy with a first node, within at least the first node. Data may be encrypted, based on the associating at least a second encryption policy with a second node, within at least the second node.
    Type: Application
    Filed: October 13, 2015
    Publication date: April 13, 2017
    Inventors: Hao Feng, Shuo Li, ShengYan Sun, Jun Wang
  • Publication number: 20170104763
    Abstract: Presentation devices and establishment of communications sessions by presentation devices. Embodiments include verification that a client device has access to an authentication token that is published by a presentation device. Embodiments also include the presentation device receiving a coordinate provided by the client system, which is usable by the presentation device for establishing a connection to a particular communications session at the communications provider. Embodiments also include, based at least on the client system having access to the published authentication token, the presentation device using the coordinate to establish the connection to the particular communications session at the communications provider.
    Type: Application
    Filed: October 9, 2015
    Publication date: April 13, 2017
    Inventors: Shreyans Rai Jain, Santhosh Kumar Misro, Kiran Madipally, Sushant Singh
  • Publication number: 20170104764
    Abstract: As provided herein, a user of a client device may navigate to a webpage using a browser. A browser window, populated with a verification image and/or details about the webpage, is generated and presented to the user. The verification image and/or details about the webpage differentiate a browser window generated by the browser, from the webpage, from a browser window generated by a malicious user. The browser window comprises a login box into which credentials for logging into the user account may be entered. Responsive to the user entering correct credentials into the login box and selecting a submit option based upon recognition of the verification image, the browser window may be submitted to a server and the user may be presented with a window comprising access to the user account.
    Type: Application
    Filed: October 13, 2015
    Publication date: April 13, 2017
    Inventor: Binu Ramakrishnan
  • Publication number: 20170104765
    Abstract: A bundle of public counters and a corresponding bundle of private counters are created and transmitted to a user device. The user device receives a request and processes the request without accessing a secure element processor on the user device. The user device calculates a security code using the private counter and a number. The user device transmits the calculated security code and one of the bundle of public counters in response to the request. A receiver of the response to the request determines the validity of the public counter and looks up the corresponding private counter using the public counter. The receiver determines the validity of the security code by recomputing it using the private counter and the number.
    Type: Application
    Filed: October 25, 2016
    Publication date: April 13, 2017
    Inventors: Justin Lee Brickell, Jonathan Kingsley Blatter, Bobby Wieler, Harry Lee Butler, IV, Ignacio Carlos Blanco, Denis Lila