Abstract: Embodiments include methods, systems and computer program products for storing graph data for a directed graph in a relational database. Aspects include creating a plurality of relational tables for the graph data, using a processor on a computer, the plurality of relational tables including adjacency tables and attribute tables. Each row of the attribute tables is dedicated to a subject of the graph data in the dataset and stores a JavaScript Object Notation (JSON) object corresponding to the subject. Each row of the adjacency tables includes a hashtable containing properties and values of the subject for that row.

Abstract: A method and proxy device for on-demand generation of cryptographic certificates. The method includes receiving, by a proxy device, a request to access a cloud application; identifying a domain name designated in the received request; determining if the identified domain name is signed by a valid cryptographic certificate saved locally in the proxy device; and sending, to a certificate generator system, a certification request to issue a new cryptographic certificate to sign the identified domain name, when the identified domain name is not a signed domain name.

Abstract: Embodiments include methods, systems and computer program products for storing graph data for a directed graph in a relational database. Aspects include creating a plurality of relational tables for the graph data, using a processor on a computer, the plurality of relational tables including adjacency tables and attribute tables. Each row of the attribute tables is dedicated to a subject of the graph data in the dataset and stores a JavaScript Object Notation (JSON) object corresponding to the subject. Each row of the adjacency tables includes a hashtable containing properties and values of the subject for that row.

Abstract: The present disclosure discloses a method and device for invoking a JAVA card object. The method comprises: receiving, by a JCRE, a service request message transmitted by an application Applet1; acquiring, by the JCRE, interaction information between the Applet1 and the Applet2 according to an ID of the Applet1 and an ID of the Applet2; acquiring, by the JCRE, a trust degree between the Applet1 and the Applet2 according to the interaction information between the Applet1 and the Applet2, information about one interaction comprising service class information for this interaction and information about whether a service request task of the Applet1 succeeds after this interaction; and determining, by the JCRE, that the Applet1 invokes a shared interface service of the Applet2, when the trust degree reaches a trust degree threshold.

Abstract: A method for communicating by a terminal, includes transmitting, to an MME, an attach request message including a public safety indication and/or a group communication indication; receiving, from the MME, an attach accept message including at least one type of information from among a ProSe identifier, a ProSe group identifier, and a ProSe group for performing a ProSe, ProSe-related functions of the terminal, and a proximity-related security key (ProSe key) The method further includes transmitting a ProSe registration request to a ProSe function server and receiving, from the ProSe function server, a ProSe registration response message pending authentication of the terminal.

Abstract: Segregated cores or virtual processors within a processor establish at least two separate encryption paths via software virtualization. Guest operating systems and encryption applications operate on input data with an enforced level of synchronicity. Output is compared to determine if each encryption path arrives at the same encrypted output. If the outputs are identical, the encrypted data is passed on; if not, an error report is generated. No individual vulnerability may produce a single point of failure to produce erroneously encrypted or unencrypted output.

Abstract: Systems and methods are provided for securely storing information of a user in a user profile to prevent access to the information and minimize the amount of information disclosed during a security breach. Information pertaining to a user is obtained from one or more sources and organized into a user profile and securely stored in a database. The user profile may be stored remotely in a cloud-based system at a remote encrypted server, with portions of the profile stored in separate locations with separate encryption to minimize the risk of unauthorized access to one portion of the information. The fields of data in the user profile may also be separately encrypted with separate encryption keys and separately stored in separate databases to minimize the amount of information which could be disclosed by the unauthorized access to a single encryption key or a single database.

Abstract: A client and server negotiate a secure communication channel using a pre-shared key where the server, at the time the negotiation initiates, lacks access to the pre-shared key. The server obtains the pre-shared key from another server that shares a secret with the client. A digital signature or other authentication information generated by the client may be used to enable the other server to determine whether to provide the pre-shared key.

Abstract: Examples related to secure computing systems are disclosed. In one example, a method includes, at a local agent computing device, sending to a remote work scheduling computing device a work context of the local agent computing device, the work context describing a set of work that the local agent is configured to execute, and polling a remote work depository for work compatible with the work context. The method further includes receiving a response from the remote work depository identifying a job within the work context, the job being requested by a computing device other than the remote work scheduling computing device, and executing the job.

Abstract: Systems and methods for automatically obtaining WiFi profile data from an NFC device are provided. According to one embodiment, a client security application obtains a WiFi profile of a WiFi network via a near-field communication (NFC) device of the WiFi client device and establishes a WiFi connection with the WiFi network using the WiFi profile.

Abstract: Provided are an apparatus, system, and method authenticating a system to access diagnostic interface in a storage device. The storage device includes a computer readable storage medium implemented to store data and a controller. The controller receives a request from the computer system to initiate a cryptographic nonce to access diagnostic interface in the storage device. The controller generates a nonce and returns to the computer system. Upon receiving an unlock request from the computer system to access the diagnostic interface including a signed nonce comprising at least the nonce encrypted with a private key by the authorized unlock system, the controller uses a public key that is a cryptographic pair with the private key to decrypt the signed nonce to determine whether to grant the computer system access to the diagnostic interface in the storage device.

Abstract: In an embodiment, a communication device receives a request to establish a media session with a remote endpoint. In response to receiving the request, the communication device exchanges media-session control data with the remote endpoint on behalf of a local endpoint to establish the requested media session between the local endpoint and the remote endpoint. The communication device is communicatively connected to the local endpoint via a Personal Area Network (PAN) communication link. The communication device relays media-session payload data between the local and remote endpoints. The media-session payload data (i) is associated with the media session and (ii) is encrypted based on at least one payload-data cryptographic key that is not accessible to the communication device.

Abstract: The invention relates to a communication system for an air control center, comprising a first public communication channel, a second secure communication channel, at least one voice communication device for exchanging voice data on each of the two communication channels, at least one management station comprising a control interface and a display interface and designed to manage the voice data exchanges and to control the branching of the voice data into each of the two communication channels, a first stand-alone processing module and a second stand-alone processing module for generating a display in a secure manner on said display interface.

Abstract: Embodiments are directed to storing encrypted data in a data store and to securely providing access to the encrypted data according to a predefined policy. A data storage system receives encrypted data. The data is encrypted using a private key. The data storage system stores the received encrypted data according to a predefined policy. The encryption and the policy prevents the storage system from unencrypting the encrypted data, while the policy allows the encrypted data to be released upon receiving a threshold number of requests from verified third parties. The data storage system implements a verifiable secret sharing scheme to verify that the encrypted data can be reconstituted without the data storage system decrypting the encrypted data. The data storage system can acknowledge that the received encrypted data has been verified and successfully stored.

Abstract: Computationally implemented methods and systems are described herein that are designed to, among other things, receiving a level-two encrypted output of a surveillance device; decrypting at least a part of the level-two encrypted output of the surveillance device with a level-two decryption key that is practicably inaccessible by a level-two encryption entity; and transmitting a level-one encrypted output of the surveillance device.

Abstract: Disclosed are methods, devices, systems, apparatus, servers, media, and other implementations, including a method, performed at a first wireless device, for secure range determination that includes transmitting a first signed message at a first time instance, with the first signed message, including a first payload, configured to be received by a second wireless device at a second time instance, and receiving at a fourth time instance a verifiable acknowledgement message transmitted from the second wireless device at a third time instance in response to the first signed message. The method further includes verifying that the verifiable acknowledgement message originated from the second wireless device, and, responsive to a verification that the verifiable acknowledgement message originated from the second wireless device, transmitting a second signed message including a second payload with at least timing information for the first time instance and the fourth time instance.

Abstract: Techniques are disclosed for dynamically generating a digital certificate for a customer server. A customer server creates a certificate profile and receives an associated profile identifier from a certificate authority (CA). The customer server installs an agent application received from the CA. The agent application generates a public/private key pair and an identifier associated with the customer server. The agent application sends a signed request to the CA that includes the profile identifier, server identifier, and the public key corresponding to the key pair. Upon receiving the credentials, the CA generates a dynamically updatable certificate. Thereafter, if the customer changes information associated with the certificate (or if external conditions require a change to the certificate, such as a key compromise or change in security standards), the CA may generate an updated certificate based on the certificate profile changes and the public key.

Abstract: A system and method for issuing an authorization token and performing real time multi-factor authentication using a unique device or devices to enable authorization to perform secure services for an online service based on desired on demand level of assurance. The level of assurance of the authentication may be on a distributed and dynamic authenticated system. This dynamic system delivers on-demand level of assurance depending on the Relying Party's (RP) requirements, orchestrated by policies set by the RP and/or the consumer (or user agent), and possibly augmented by other regulatory requirement based on a fine-grain control requirement of the authentication token(s). The level of assurance throttles up and down depending each transaction authentication requirement.

Abstract: A method and system for a configurable security and surveillance system are provided. A configurable security and surveillance system may comprise at least one programmable sensor agent and/or at least one programmable content analysis agent. A plurality of processing features may be offered by the configurable security and surveillance system by programming configurable hardware devices in the programmable sensor agents and/or the programmable content analysis agents via a system manager. Device programming files may be utilized to program the configurable hardware devices. The device programming files may be encrypted and decryption keys may be requested to enable the programming of different processing features into the programmable sensor agents and/or the programmable content analysis agents. The device programming files and/or the decryption keys may be received via a network transfer and/or via a machine-readable media from an e-commerce vendor.

Abstract: The present disclosure relates generally to communication with payment terminals via TCP/IP protocol. Using network technology and novel processes, in particular embodiments, the present systems and methods facilitate local network discovery and communication between a payment terminal and an electronic cash register (“ECR”) via a browser. For example, in certain embodiments, the present systems and methods leverage TCP/IP network technology to securely facilitate communications between SaaS ECR software running in a browser environment and one or more payment terminals.

Abstract: A method includes after determining that a first type of communication path to a self-organizing network controller is not available at an access point that supports a first wireless local area network, selecting, by an agent application at the access point, a second type of communication path to the self-organizing network controller from a prioritized set of communication paths. The method also includes attempting to establish a communication connection to the self-organizing network controller using the second type of communication path.

Abstract: Embodiments of the present invention may involve providing security to a computing device. The providing security to a computing device may involve performing crypto-operations. A security system may include a central processing unit and a pre-processing unit. The pre-processing unit may be configured for receiving an incoming encapsulated request, parsing header infrastructure information of the encapsulated request, decapsulating the request, and providing the decapsulated request to the central processing unit for further processing.

Abstract: A device may receive a message associated with initiating a secure socket layer session or a transport layer security session (SSL/TLS session). The device may identify a decryption profile associated with managing encrypted traffic associated with the SSL/TLS session. The device may determine a server indicator included in the message. The device may determine whether the decryption profile includes information associated with the server indicator. The device may selectively manage the encrypted traffic associated with the SSL/TLS session using a first decryption technique or a second decryption technique based on determining whether the decryption profile includes information associated with the server indicator, where the first decryption technique may be different from the second decryption technique.

Abstract: Systems and methods for securing or encrypting data or other information arising from a user's interaction with software and/or hardware, resulting in transformation of original data into ciphertext. Generally, the ciphertext is generated using context-based keys that depend on the environment in which the original data originated and/or was accessed. The ciphertext can be stored in a user's storage device or in an enterprise database (e.g., at-rest encryption) or shared with other users (e.g., cryptographic communication). The system generally allows for secure federation across organizations, including mechanisms to ensure that the system itself and any other actor with pervasive access to the network cannot compromise the confidentially of the protected data.

Abstract: An information processing apparatus includes plural communication units, a determination unit, and a controller. The communication units are configured to conduct a wireless communication at different communication speeds. The determination unit is configured to determine a communication unit having a faster communication speed in order to transmit or receive an encrypted communication object. The controller is configured to perform a control to start a communication by the communication unit determined by the determination unit.

Abstract: The technology disclosed relates to non-intrusively enforcing security during federated single sign-on (SSO) authentication without modifying a trust relationship between a service provider (SP) and an identity provider (IDP). In particular, it relates to configuring the IDP to use a proxy-URL for forwarding an assertion generated when a user logs into the SP, in place of an assertion consumer service (ACS)-URL of the SP. It also relates to configuring an assertion proxy, at the proxy-URL, to use the SP's ACS-URL for forwarding the assertion to the SP. It further relates to inserting the assertion proxy in between the user's client and an ACS of the SP by forwarding the assertion to the SP's ACS-URL to establish a federated SSO authenticated session through the inserted assertion proxy.

Abstract: Disclosed is a platform for assessing queries related to a catalog entry. The platform is able to determine what attributes of the catalog entry the query is directed to using one or more language processing techniques. Once an attribute is identified, the platform may check for appropriate unit types and/or formats based on a category associated with the attribute. The platform then parses additional data associated with the catalog entry (or another catalog entry within the same browse node) to identify a set of potential values for the identified attribute. One or more rule sets may be used to filter the set of potential values to a single probable value, which may then be provided in a response to the query.

Abstract: Examples may include techniques to securely provision, configure, and de-provision virtual network functions for a software defined network or a cloud infrastructure elements. A policy for a virtual network function may be received, at a secure execution partition of circuitry, and the virtual network function configured to implement the policy by the secure execution partition of the circuitry. The secure execution partition may connect to the virtual network function through a virtual switch and may cause the virtual network function to implement a network function based on the policy.

Abstract: An example process includes breaking content into multiple fragments and transmitting at least two of the multiple fragments over different physical channels in order to isolate the at least two fragments during transmission. The example process may include generating session keys; encrypting at least some of the fragments using different session keys; and associating, with each fragment, a session key used to encrypt a different fragment to produce fragment/session key pairs.

Abstract: Embodiments of the present invention use a limited-use public/private key pair to encrypt and decrypt messages sent through an intermediary. The messages may contain sensitive information and may be transmitted between entities over one or more networks. In some embodiments, the entities and/or the networks may be untrusted. Nevertheless, the content of the messages may remain protected by virtue of the limited-use key pair infrastructure.

Abstract: A module such as an M2M device or a mobile phone can include a removable data storage unit. The removable data storage unit can include a nonvolatile memory, a noise amplifying memory, and a cryptographic unit. The nonvolatile memory can include (i) shared memory for access by both the module and the cryptographic unit, and (ii) protected memory accessible only by the cryptographic unit. The cryptographic unit can use a noise memory interface and noise amplifying operations in order to increase and distribute bit errors recorded in the noise amplifying memory. The cryptographic unit can (i) generate a random number using the noise amplifying memory and (ii) input the random number into a set of cryptographic algorithms in order to internally derive a PKI key pair. The private key can be recorded in protected memory and the public key signed by a certificate authority.

Abstract: Methods, systems, and computer programs are presented for automated detection and mitigation of Denial of Service (DoS) attacks. One method includes an operation for collecting traffic data from service network routers that provide users access to a service. The traffic data is applied to security rules to identify a blacklist of illegitimate users to be blocked. Further, the method receives from the one or more servers a whitelist with information regarding legitimate users and their geographical location. A safe blacklist is determined for each router based on the blacklist and the whitelist, and the respective safe blacklist is sent to each router. Legitimate users are not blocked from accessing the service, but an illegitimate user spoofing a legitimate user is blocked by the routers when trying to access the service from a geographic location that is not the geographic location of the legitimate user.

Abstract: A system for controlling access includes a computing device, configured to: determine a first identifier associated with a first access point being used by the computing device to access a network; determine first access control data associated with the first identifier and a first application executing on the computing device; and control access to data over the network by the first application based on the first access control data.

Abstract: A method and an apparatus for storing a redeem code and a method and an apparatus for verifying a redeem code. The method for storing a redeem code includes generating a random value and determining an index of the random value according to an order in which the random value is generated, generating a number pair according to the random value and the index of the random value, mapping the number pair to a string and generating a redeem code according to the string, and determining a storage location of the random value according to the index of the random value, and saving the random value at the determined storage location.

Abstract: A method for a method for mapping an input message to an output message by a keyed cryptographic operation in a cryptographic system, including a plurality of rounds wherein each round has a substitution layer, wherein wide encoding is used on the substitution layer in the rounds that require protection from attacks.

Abstract: A construct having a plurality of distributed resources can include a portion of a second rack having a plurality of computing devices controlled by a second management node. The second management node can determine it contains insufficient construct data such as user data, group data, resource data, or authorization policy data to execute an operation associated with the construct. The second management node can synchronize at least a portion of construct data with a first management node. The first management node can be associated with the construct and a mutual trust relationship can exist between the first management node and the second management node. The first management node and the second management node can comprise autonomous management nodes capable of functioning independent of the network.

Abstract: A system for evaluating a target file includes an endpoint computer that receives similarity digests of legitimate files, receives a target file, and generates a similarity digest of the target file. The endpoint computer determines whether or not the target file is legitimate based on a comparison of the similarity digest of the target file against the similarity digests of the legitimate files. The system further includes a backend computer system that receives the legitimate files, generates the similarity digests of the legitimate files, and provides the similarity digests of the legitimate files to the endpoint computer.

Abstract: An example electronic device includes memory for storing a program for unlocking the first electronic device using a wearable electronic device; wireless communication circuitry; and one or more processors configured to execute the program stored in the memory to cause the electronic device to at least establish wireless communication, via the wireless communication circuitry, with the wearable electronic device when the wearable electronic device is in a wireless communication range of the first electronic device; determine whether the wearable second electronic device is authenticated for unlocking the first electronic device; determine whether the wearable electronic device is in a specific range of the first electronic device based on a signal transmitted from the wearable electronic device being worn; and unlock the first electronic device based on determining that the wearable electronic device is authenticated and is in the specific range of the electronic device.

Abstract: The present disclosure discloses a method of storing data in a distributed data storage system, the distributed data storage system including a plurality of server and client nodes. The method includes receiving unencrypted data from a client node for storing at a server node. The received data is split into one or more data chunks of one or more sizes. Further, each data chunk is encrypted using a key based on the content of corresponding data chunk, and each encrypted chunk is stored at a memory of a server node using a unique data reference. Furthermore, an index chunk is formed that contains one or more data references of one or more encrypted chunks in a predefined order, along with one or more corresponding encryption keys of one or more encrypted chunks, which after being encrypted and stored, the corresponding data reference of this encrypted index chunk is provided to the client node.

Abstract: Aspects disclosed in the detailed description include inline cryptographic engine (ICE) for peripheral component interconnect express (PCIe). In this regard, in one aspect, an ICE is provided in a PCIe root complex (RC) in a host system. The PCIe RC is configured to receive at least one transport layer packet (TLP), which includes a TLP prefix, from a storage device. In a non-limiting example, the TLP prefix includes transaction-specific information that may be used by the ICE to provide data encryption and decryption. By providing the ICE in the PCIe RC and receiving the transaction-specific information in the TLP prefix, it is possible to encrypt and decrypt data in the PCIe RC in compliance with established standards, thus ensuring adequate protection during data exchange between the PCIe RC and the storage device.

Abstract: A method for communication by a scanner is described. The method includes receiving a broadcast message from a broadcasting device in a connectionless mode. The method also includes performing back channel communication with the broadcasting device on a contention basis while maintaining the connectionless mode. The scanner may send a packet to the broadcasting device while maintaining a connectionless relationship with the broadcasting device.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for secure data transmission using natural language. One of the methods includes: obtaining sensitive information for a user; obtaining a natural language key for the user, wherein the natural language key for the user includes one or more natural language tokens; generating decoding data for the sensitive information for the user, wherein generating the decoding data comprises: for each place in the sensitive information for the user: assigning a respective one of the natural language tokens in the natural language key for the user to the value at the place, and generating one or more respective dummy natural language tokens for each value of the respective set of possible values for the place other than the value at the place; and providing the decoding data for use in decoding the natural language key into the sensitive information.

Abstract: A business process framework (BPF) may be used to provide a vendor agnostic interface to allow one or more business users to design, deploy, test and/or monitor an operation of one or more business processes using a common user interface. The BPF may allow a user access to a business process management (BPM) system using a common interface, regardless of a vendor or version of BPM system being used by a business organization. The BPF may include a business process modeling interface allowing the business user to model, via the common user interface, regardless of the version or vendor of the BPM system product being used. The BPF may also include an execution interface capable of communicating with an execution engine included in different BRMS products. The execution interface may include a translator to translate a business model into a format compatible with each of a plurality of execution engines.

Abstract: The present invention discloses a method and apparatus for controlling an application to read verification information. The method comprises: setting, in a terminal, a safe application strategy for reading a verification information, wherein the verification information is a message for verifying identity or permission of the terminal or a user in the process of executing a specific service; after the terminal receives the verification information from a network device, the application requesting to acquire the verification information; judging whether the application satisfies the safe application strategy, and according to the judging result, allowing only the application that satisfies the safe application strategy to read the verification information; and using the verification information for verifying identity or permission of the terminal or a user in the process of executing the specific service.

Abstract: Methods and systems for delivering a segmented content item from a server to a first and second device are provided. A first key is used to encrypt the segmented content item into a first plurality of encrypted segments and a second key is used to encrypt the segmented content item into a second plurality of encrypted segments. The first and second keys are different. The first plurality of encrypted segments is delivered to the first device, and the second plurality of encrypted segments is delivered to the second device.

Abstract: According to embodiments of the invention, a first wireless access point discovers a second wireless access point, the first wireless access point tunes its radio and privacy settings, without user input, based upon parameters automatically exchanged in response to the discovery of the second wireless access point, and a secure direct wireless connection is established between the first and second wireless access points using the radio and privacy settings. Adding the first wireless to an existing mesh network includes a determination of the best available direct wireless connection.

Abstract: Provided is a process including: receiving a request to write a new version of a document to a tamper-evident, immutable data repository; determining that the new version of the document is different from the previous version of the document; and in response to determining, storing a difference between the previous version of the document and the new version of the document in the tamper-evident, immutable data repository.

Abstract: Exemplary embodiments for enabling planned network changes such as an upgrade or downgrade of a network device are disclosed. The systems and methods provide for planned upgrades and downgrades for network devices without impacting existing network sessions, by utilizing two network devices simultaneously, and creating a redirect network session for a predetermined period of time. In so doing, all network traffic may be gradually transferred to the second network device, until the sessions processed by the first network device time out. The first network device can then be taken offline for upgrade or downgrade, without any disruption to the network service or loss of network traffic.

Abstract: A system and method for providing or maintaining data and application continuity in a computer system. According to an embodiment, the system comprises a communication interface for a client system, a network layer for receiving data from the client system, a hardware infrastructure for creating instances of the client system for replicating data, and an applications module for executing one or more applications on the replicated data. According to a further aspect, the system includes a portal interface configured for providing a remote user with control, audit and other functions associated with the user's system configuration.

Abstract: A header section of a package may be downloaded from a server. The header section may be analyzed to determine if a data section of the package is secure and a correct version. The data section of the package is downloaded, if the data section is secure and the correct version. The package is a single file.