Particular Node (e.g., Gateway, Bridge, Router, Etc.) For Directing Data And Applying Cryptography Patents (Class 713/153)
  • Patent number: 8826451
    Abstract: In accordance with embodiments, there are provided methods and systems for providing communication authentication between cloud applications and on-premise applications. A method of embodiments includes receiving, from a cloud application at a cloud computing device, a first message at an application server of a server computing system, and parsing, at the application server, the first message to determine first identification information contained within the first message. The method further includes authenticating, at the application server, the first message by verifying the first identification information, and forwarding the first authenticated message to an on-premise application at a remote computing device.
    Type: Grant
    Filed: December 20, 2010
    Date of Patent: September 2, 2014
    Assignee: salesforce.com, inc.
    Inventor: Michael David Blubaugh
  • Patent number: 8826384
    Abstract: A device that includes a first processor, a second processor, and an encryption module in communication with the first processor and the second processor may be used to accept conditions for access to the network. The first processor may receive condition data, and in response, may send an acceptance signal via the encryption module to the second processor. The second processor may receive the acceptance signal and, in response, may send acceptance data to a gatekeeper. The encryption module may block unencrypted data other than the acceptance signal from being communicated from the first processor to the second processor. The encryption module may support type 1 encryption.
    Type: Grant
    Filed: July 13, 2007
    Date of Patent: September 2, 2014
    Assignee: L-3 Communications Corporation
    Inventor: Richard Norman Winslow
  • Patent number: 8826002
    Abstract: A system and methods for facilitating secure communications on a website are presented. The system comprising a security server configured to receive a secure message from a creator device is disclosed. The security server encodes the received message and sends the encoded message or a representation of the encoded message for posting on the website so that one or more users of the website have the ability to request that the security server make the message available after the encoded message has been decoded.
    Type: Grant
    Filed: August 21, 2012
    Date of Patent: September 2, 2014
    Assignee: Reputation.com, Inc.
    Inventors: Gang (Tiger) Lan, Michael Fertik, Saad Mir, Abbey Sparrow, Jeffrey A. Harnois, II
  • Patent number: 8825999
    Abstract: A data encryption service is provided over the Internet. Users specifying only authorized users' identity information can share encrypted information without sharing passwords or accessing public key certificates. A user sends data to be encrypted to a trusted EWS, along with authorization information. An encrypted data envelope including signed encrypted data blocks, authorization information, and a digital signature is returned to the user. When a second user attempts to access the data inside the encrypted data envelope, it is transmitted to the EWS. If the EWS authenticates the second user, determines that tampering has not occurred, and verifies the second user's identity against the authorization information in the data envelope, then the data are returned. The encrypted data envelope can be expressed as a raw byte stream or encoded within an HTML file to enable browser-based data envelope submission and retrieval.
    Type: Grant
    Filed: September 26, 2008
    Date of Patent: September 2, 2014
    Assignee: Blackout, Inc.
    Inventor: Ahmed Mohamed
  • Patent number: 8826369
    Abstract: A terminal includes an acquisition unit to acquire sensor data, a storage unit to store a policy table which defines a management policy for each sensor data or each service using the sensor data, and a control unit to acquire the management policy corresponding to the sensor data or the service with reference to the policy table and to manage the sensor data on a basis of the management policy.
    Type: Grant
    Filed: July 15, 2010
    Date of Patent: September 2, 2014
    Assignee: NEC Corporation
    Inventor: Kaoru Uchida
  • Patent number: 8826001
    Abstract: Embodiments of the invention provide a solution for securing information within a Cloud computing environment. Specifically, an encryption service/gateway is provided to handle encryption/decryption of information for all users in the Cloud computing environment. Typically, the encryption service is implemented between Cloud portals and a storage Cloud. Through the use of a browser/portal plug-in (or the like), the configuration and processing of the security process is managed for the Cloud computing environment user by pointing all traffic for which security is desired to this encryption service so that it can perform encryption (or decryption in the case of document retrieval) as needed (e.g., on the fly) between the user and the Cloud.
    Type: Grant
    Filed: April 27, 2010
    Date of Patent: September 2, 2014
    Assignee: International Business Machines Corporation
    Inventors: Linda N. Betz, Wesley J. Ho, Charles S. Lingafelt, David P. Merrill
  • Patent number: 8826000
    Abstract: In a node (110) communicating with other nodes in a network (150), a system and method for performing cryptographic-related functions is provided. The node (110) receives and transmits inputs and outputs requiring cryptographic-related processing. When cryptographic processing is required, the node (110) transmits a predefined message to a cryptographic processing component in the node (110) that then performs the desired cryptographic-related processing.
    Type: Grant
    Filed: January 22, 2009
    Date of Patent: September 2, 2014
    Assignee: Verizon Laboratories Inc.
    Inventors: Stuart J. Jacobs, Francis Leo Mannix, Jr., Thomas William Christoffel, Scott Andrew Belgard
  • Patent number: 8825998
    Abstract: A method includes controlling security in a communication system that involves a node capable of routing traffic according to one or more security algorithms with respective security levels. The node is adapted to estimate at least one safety degree relating to the node, to select at least one security algorithm of the one or more security algorithms, depending on the estimated safety degree; and to activate the at least one security algorithm.
    Type: Grant
    Filed: April 17, 2007
    Date of Patent: September 2, 2014
    Assignee: BlackBerry Limited
    Inventors: Pierre Lescuyer, Thierry Lucidarme
  • Patent number: 8819788
    Abstract: There is provided a system and method of selectively directing collected security data that may be displayed concurrently at a first security station and at a supervisor station, and providing a communication link between such first security station and such supervisor station so that a supervisor may assist a security operator in the evaluation of the collected security data and in making a decision about such collected data. There is further provided a system and method of determining the height of a part of a body by capturing an image of such part with a camera at a known height and known distance from such body, computing an angle of a horizontal line from a lens of such camera and a line from such camera to such part of such body, and calculating the distance between the height of such camera and the height of such part of such body.
    Type: Grant
    Filed: October 21, 2003
    Date of Patent: August 26, 2014
    Assignee: Clearone Communications Hong Kong, Limited
    Inventors: Yair Shachar, Isac Winter, Andi Forsthofer
  • Patent number: 8819410
    Abstract: Methods and apparatuses for private electronic information exchange are described herein. In one embodiment, when electronic information is received to be delivered to a recipient, the electronic information is transmitted over an electronic network with a private routing address. The private routing address is routable within a private domain, which is a subset of the electronic network. Other methods and apparatuses are also described.
    Type: Grant
    Filed: September 7, 2012
    Date of Patent: August 26, 2014
    Assignee: Privato Security, LLC
    Inventor: George C. Sidman
  • Patent number: 8811618
    Abstract: A ciphering key management technique for use in a WLAN receiver is provided where a hash table is stored that has a first and a second table portion. The first table portion stores transmitter address data and the second table portion stores at least one cipher key. It is determined whether a transmitter address matches transmitter address data in the first table portion, and if so, a corresponding cipher key stored in the second table portion is determined for use in decrypting the received data. The hash table technique allows for a fast search for the correct cipher key. Embodiments are described that allow for dynamically adding and removing keys without blocking the search.
    Type: Grant
    Filed: July 26, 2004
    Date of Patent: August 19, 2014
    Assignee: GLOBALFOUNDRIES Inc.
    Inventors: Ingo Kuehn, Uwe Eckhardt, Axel Wachtler, Falk Tischer
  • Patent number: 8813191
    Abstract: The number of devices installed in an Authorized Domain is controlled by a master device functionality. This master device stores ceiling values for the total number Total_limit of devices to be installed in the AD; the total number Local_limit of devices to be installed in a local proximity with the master device and the total number Remote_limit of devices to be installed remotely from said master device. The master device also stores current values of the number Local_count of devices installed in the AD in local proximity with the master device; and the number Remote_count of devices installed in the AD remotely from said master device. When a new device is to be installed in the AD, the ceiling values are checked with respect to the current values and it is checked whether the device is in local proximity with the master device to authorize or not its installation in the AD, either locally or remotely.
    Type: Grant
    Filed: February 15, 2007
    Date of Patent: August 19, 2014
    Assignee: Thomson Licensing
    Inventor: Alain Durand
  • Patent number: 8812841
    Abstract: Secured communications between patient portable communicators (PPC) and a central authority (CA) via an unsecured network are implemented using software implemented by a communications device. The communications device provides for detecting, using a multiplicity of disparate communication protocols, presence of entities requesting a network connection and determining whether or not each of the entities is a PPC, establishing, only for the entities determined to be PPCs, a connection to the CA via the unsecured network using the disparate communication protocols, authenticating only the PPCs to the CA, and facilitating communication of PPC data between the PPCs and the CA via the communications device and the unsecured network upon successful PPC authentication. The PPC data comprises at least some patient implantable medical device data acquired by the PPCs.
    Type: Grant
    Filed: January 27, 2010
    Date of Patent: August 19, 2014
    Assignee: Cardiac Pacemakers, Inc.
    Inventors: James Sievert, Eric P. Bailey, William Mass
  • Patent number: 8813212
    Abstract: A computer or microchip securely controlled through a private network and including a secure private unit that is protected by an inner hardware-based access barrier or firewall that denies access to the private unit from a network of computers including the Internet, an unprotected public unit including a network connection, a separate private network connection for the private network in the private unit, a general purpose microprocessor, core or processing unit in the public unit, a master controlling device for the computer or microchip in the private unit; and a secure control bus connecting the master controlling device with the microprocessor, core or processing unit and isolated from input from the network and components of the public unit. The master controlling device securely controls an operation executed by the microprocessor, core or processing unit through the private network to the additional private network connection via the secure control bus.
    Type: Grant
    Filed: February 6, 2013
    Date of Patent: August 19, 2014
    Inventor: Frampton E. Ellis
  • Publication number: 20140229729
    Abstract: A distributed computing environment utilizes a cryptography service. The cryptography service manages keys securely on behalf of one or more entities. The cryptography service is configured to receive and respond to requests to perform cryptographic operations, such as encryption and decryption. The requests may originate from entities using the distributed computing environment and/or subsystems of the distributed computing environment.
    Type: Application
    Filed: February 12, 2013
    Publication date: August 14, 2014
    Applicant: Amazon Technologies, Inc.
    Inventor: Amazon Technologies, Inc.
  • Patent number: 8806190
    Abstract: The application discloses an improved method of transmitting encrypted emails by prompting the user to select at least one attachment for attaching with the email, prompting the user to select an encryption option from among several encryption options, causing an application to encrypt the selected attachment using the selected encryption option while retaining the original format of the attachments, attaching the encrypted attachment to the email, transmitting the email containing the encrypted attachment to at least one recipient address using the email application, and transmitting a second email containing at least one password to the recipient address using the email application.
    Type: Grant
    Filed: April 17, 2011
    Date of Patent: August 12, 2014
    Inventors: Amaani Munshi, Imtiaz Munshi
  • Patent number: 8806189
    Abstract: An apparatus for analyzing traffic is provided. The apparatus may precisely identify and analyze web traffic through 5 tuple-, HTTP-, and request/response pair-based packet analysis by monitoring the correlation between sessions.
    Type: Grant
    Filed: December 21, 2011
    Date of Patent: August 12, 2014
    Assignee: Electronics and Telecommunications Research Institute
    Inventors: Dong-Won Kang, Joon-Kyung Lee, Sang-Sik Yoon, Wang-Bong Lee
  • Patent number: 8806572
    Abstract: Systems, methods, and other embodiments associated with authentication via monitoring are described. One example method includes detecting a data flow in which indicia of identity (DFWIOI) travel between a first endpoint and a second endpoint. The DFWIOI may be partially encrypted. The example method may also include collecting an identity data associated with the DFWIOI from the DFWIOI, the first endpoint, the second endpoint, and so on. The example method may also include making an authentication policy decision regarding the DFWIOI based, at least in part, on the identity data. The example method may also include controlling a networking device associated with the DFWIOI based, at least in part, on the authentication policy decision.
    Type: Grant
    Filed: May 30, 2009
    Date of Patent: August 12, 2014
    Assignee: Cisco Technology, Inc.
    Inventors: David A. McGrew, Sandeep Rao
  • Patent number: 8805689
    Abstract: Methods and apparatus to generate and use content-aware watermarks are disclosed herein. In a disclosed example method, media composition data is received and at least one word present in an audio track of the media composition data is selected. The word is then located in a watermark.
    Type: Grant
    Filed: April 11, 2008
    Date of Patent: August 12, 2014
    Assignee: The Nielsen Company (US), LLC
    Inventors: Arun Ramaswamy, Robert A. Luff
  • Patent number: 8806191
    Abstract: An e-mail firewall applies policies to e-mail messages between a first site and second sites in accordance with administrator selectable policies. The firewall includes a simple mail transfer protocol relay for causing the e-mail messages to be transmitted between the first site and selected ones of the second sites. Policy managers enforce administrator selectable policies relative to one or more of encryption and decryption, signature, source/destination, content and viruses.
    Type: Grant
    Filed: August 27, 2012
    Date of Patent: August 12, 2014
    Assignee: Axway Inc.
    Inventors: Robert D. Dickinson, III, Sathvik Krishnamurthy
  • Patent number: 8806607
    Abstract: A method includes receiving a policy via a network connection, wherein the policy includes at least one signature. Receiving a data communication message from a processor of a computing device via a system bus. Identifying a class, and selectively forwarding the data communication message based in part on the received policy and the identified class.
    Type: Grant
    Filed: August 12, 2008
    Date of Patent: August 12, 2014
    Assignee: Verizon Patent and Licensing Inc.
    Inventors: Steven T. Archer, Paul V. Hubner, Kristopher A. Pate, Francisco A. Dias
  • Publication number: 20140223170
    Abstract: Described are a secure obfuscation network (SON) and ingress nodes, transit nodes and egress nodes used in such a network. Also described is a method for implementing such a network.
    Type: Application
    Filed: August 6, 2013
    Publication date: August 7, 2014
    Applicant: CHICKASAW MANAGEMENT COMPANY, LLC
    Inventors: JAMES REYNOLDS, BRETT BURLEY, MICHAEL HOWARD, JAMES SPAGNOLI, GENE WARD, JOSEPH WILLEY, CHRISTOPHER HOWLAND, DAVID GUTIERREZ, MICHAEL H. HOWLAND, KIP WALRAVEN, DEREK COLE
  • Patent number: 8799641
    Abstract: Methods and apparatus for secure proxying using network intermediaries. A system may include one or more servers and a network intermediary. The network intermediary may generate security metadata associated with a client request, comprising an identification of a source of the client request, and transmit an encoded version of the security metadata and a backend request to a server. The server may determine whether the security metadata is valid. If the security metadata is validated, the server may perform one or more operations in accordance with the backend request and the security metadata.
    Type: Grant
    Filed: December 16, 2011
    Date of Patent: August 5, 2014
    Assignee: Amazon Technologies, Inc.
    Inventors: Benjamin E. Seidenberg, Gregory B. Roth, Graeme D. Baer
  • Patent number: 8798272
    Abstract: Systems and methods for managing multiple keys for file encryption and decryption may provide an encrypted list of previously used keys. The list itself may be encrypted using a current key. To decrypt files that are encrypted in one or more of the previous keys, the list can be decrypted, and the appropriate previous key can be retrieved. To re-key files, an automated process can decrypt any files using previous keys and encrypt them using the current key. If a new current key is introduced, the prior current key can be used to decrypt the list of keys, the prior current key can be added to the list, and the list can be re-encrypted using the new current key.
    Type: Grant
    Filed: December 17, 2010
    Date of Patent: August 5, 2014
    Assignee: Microsoft Corporation
    Inventors: David B. Cross, Duncan G. Bryce, Jianrong Gu, Kelvin Sjek Yiu, Monica Ioana Ene-Pietrosanu
  • Patent number: 8799637
    Abstract: The present invention relates generally to systems, methods and software applications for securely transmitting information. More particularly, the present invention relates to providing a system, method and software application for securely transmitting information using multiple transmission methods. An exemplary method of the present invention comprises the steps of: providing data for transmission to a recipient; selecting and addressing a first set of data for transmission to said recipient via a first transmission method, and selecting and addressing a second set of data for transmission to said recipient via a second transmission method.
    Type: Grant
    Filed: September 23, 2003
    Date of Patent: August 5, 2014
    Assignee: Xanadoo Company
    Inventor: John Hane
  • Patent number: 8799642
    Abstract: A method for secure communication of a message. The method includes providing a message including a plurality of message packets, providing a nodal network including a plurality of nodes, where nodal operations are capable of execution on the message packets at the nodes, gaining, by a first node of the network, a first message packet, processing the first message packet by the first node, relinquishing the first message packet as processed by the first node, gaining, by any other node of the network, at least one other message packet, processing the other message packet by the other node, relinquishing the other message packet as processed by the other node, receiving, by a message destination node of the network, a first message packet, receiving, by the message destination node, at least a second message packet, and processing the first message packet and the second message packet to provide a reproduced message.
    Type: Grant
    Filed: May 29, 2012
    Date of Patent: August 5, 2014
    Assignee: First Principles, Inc.
    Inventor: Keith A. Raniere
  • Patent number: 8799985
    Abstract: Architecture that provides additional data that can be obtained and employed in security models in order to provide security to services over the service lifecycle. The architecture automatically propagates security classifications throughout the lifecycle of the service, which can include initial deployment, expansion, moving servers, monitoring, and reporting, for example, and further include classification propagation from the workload (computer), classification propagation in the model, classification propagation according to the lineage of the storage location (e.g., virtual hard drive), status propagation in the model and classification based on data stored in the machine.
    Type: Grant
    Filed: March 19, 2010
    Date of Patent: August 5, 2014
    Assignee: Microsoft Corporation
    Inventors: Anders B. Vinberg, John Neystadt, Yair Tor, Oleg Ananiev
  • Patent number: 8800051
    Abstract: Systems and methods for communicating private information from a browser to a driver are presented. The private information communication method can comprise: performing a private information communication process in which private information is communicated through a private information communication plug-in of a browser to a driver; and performing a driver process based upon the private communication information communicated in the private information communication process. The private information communication process can comprise determining private information content; communicating the private information to the private information communication plug-in coupled to a private communication channel; calling a graphics driver from the private information communication plug-in using the private communication channel; and forwarding the private information from the private information communication plug-in to the driver via the private communication channel.
    Type: Grant
    Filed: June 29, 2011
    Date of Patent: August 5, 2014
    Assignee: Nvidia Corporation
    Inventors: Alok Ahuja, Atul Chandrakant Apte
  • Patent number: 8800001
    Abstract: A network authentication method, a client and a device are provided. The method includes: receiving SYN data sent by a client, where the SYN data includes a sequence number SEQ1 and a network parameter comprising an ID in the header of the SYN data; sending SYN_ACK data to the client, where the SYN_ACK data includes an acknowledgment number ACK2 obtained by carrying out a function transformation according to the network parameter; receiving RST data sent by the client, where the RST data includes a sequence number SEQ3 or an acknowledgment number ACK3, and the RST data further includes a network parameter the same as that of the SYN data; carrying out the function transformation according to the network parameter of the RST data to obtain a check value CHK; and passing the authentication of the client if CHK matches SEQ3 or ACK3.
    Type: Grant
    Filed: April 3, 2013
    Date of Patent: August 5, 2014
    Assignee: Huawei Technologies Co., Ltd.
    Inventor: Wu Jiang
  • Patent number: 8799649
    Abstract: A system adapted to condition access to a network over an IPsec session to clients providing a proper one-time-password, even though the network access control uses IKEv1, which does not support one-time-passwords. An authentication service receives from a client an access request including the one-time-password, and provides the one-time-password to a service that checks the password. The one-time-password service returns a cookie when the password is successfully validated and the client is properly authenticated. The cookie is passed on to the client computer, which uses the cookie as part of a request for a certificate. A certificate authority generates a certificate if a request for a certificate is received from an authenticated client, which in turn may be used to form the IPsec session for access to the network.
    Type: Grant
    Filed: May 13, 2010
    Date of Patent: August 5, 2014
    Assignee: Microsoft Corporation
    Inventors: Anat Eyal, Ben Bernstein, Anat Bar-Anan, Nimrod Vered
  • Patent number: 8799643
    Abstract: A system and method for monitoring secure digital data on a network are provided. An exemplary network monitoring system may include a network device in communication with a user and a network. Further, a server may be in communication with the network. A browser and monitoring program may be stored on the network device, and the network device may receive secure digital data from the network. The browser may convert the secure digital data or a portion thereof into source data, and the monitoring program may transfer the source data or a portion thereof to the server. In an exemplary embodiment, the monitoring program may include a service component and an interface program.
    Type: Grant
    Filed: September 14, 2012
    Date of Patent: August 5, 2014
    Assignee: The Nielsen Company (US), LLC
    Inventors: Todd Tao Zhou, Ricardo Batista
  • Publication number: 20140215204
    Abstract: A device for preventing logging of client input data in a computer system, characterized in that it includes a first transmission interface used to connect the smart electronic device, a second transmission interface used to connect the computer system, and a data encryption chip for encryption of the input data. The data encryption chip is set between the first and second transmission interfaces and is used to encrypt data input from the first transmission interface, and then transmit the encrypted data to the computer system via the second transmission interface. The device allows for the use of a smart electronic device as a real keyboard, and the computer system permits the data encryption chip to encrypt the data input by the smart electronic device, which are then sent to the computer system, helping to prevent logging of keying data with higher efficacy and applicability.
    Type: Application
    Filed: January 8, 2014
    Publication date: July 31, 2014
    Applicant: OTHE TECHNOLOGY INC.
    Inventors: Chi-Pei WANG, Chen Chang, Kai-Hsiang Chou
  • Patent number: 8793486
    Abstract: A method for buffering SSL handshake messages prior to computing a message digest for the SSL handshake includes: conducting, by an appliance with a client, an SSL handshake, the SSL handshake comprising a plurality of SSL handshake messages; storing, by the appliance, the plurality of SSL handshake messages; providing, by the appliance to a message digest computing device in response to receiving a client finish message corresponding to the SSL handshake, the plurality of SSL handshake messages; receiving, by the appliance from the message digest computing device, a message digest corresponding to the provided messages; determining by the appliance, the message digest matches a message digest included in the SSL client finish message; and completing, by the appliance with the client, the SSL handshake. Corresponding systems are also described.
    Type: Grant
    Filed: January 9, 2012
    Date of Patent: July 29, 2014
    Assignee: Citrix Systems, Inc.
    Inventors: Tushar Kanekar, Sivaprasad Udupa
  • Patent number: 8793484
    Abstract: An electronic device with a message encryption function that includes a message processing module for receiving or sending or reading encrypted messages. The message processing module is electrically connected to a configure interface module, a storage module and an encryption module. The message processing module checks whether an encryption code exists. Then the message processing module checks whether the message processing event is “reading a message”. If the processing module determines the processing event is “reading a message” the processing module determines whether the encrypted message has been read or not. If the encrypted message has been read the processing module directly transmits the encrypted message back and then displays the encrypted message. If the encrypted message has not been read the processing module decrypts the encrypted message to generate a decrypted message and transmits the decrypted message back and then displays the decrypted message in a clear-text manner.
    Type: Grant
    Filed: September 28, 2011
    Date of Patent: July 29, 2014
    Assignee: Wistron Corporation
    Inventor: Ping Ge
  • Patent number: 8792416
    Abstract: In a mobile communication system, a radio device is configured to transmit notification information transmitted from a distribution server, to a mobile station, by use of broadcast communication. The distribution server 10 includes a key transmitter unit 12 configured to transmit a public key of the distribution server 10 to the mobile station UE; the radio device RNC, Node B includes a notification information transmitter unit 22, 42, 42A configured to transmit, to the mobile station UE, the notification information transmitted from the distribution server 10; and the mobile station UE includes an authentication unit 36 configured to authenticate the validity of the received notification information in reference to an electronic signature for the notification information.
    Type: Grant
    Filed: June 19, 2007
    Date of Patent: July 29, 2014
    Assignee: NTT DoCoMo, Inc.
    Inventors: Ryo Kitahara, Katsuhiro Noguchi
  • Patent number: 8792646
    Abstract: A novel group key distribution and management scheme for broadcast message security is provided that allows an access terminal to send a single copy of a broadcast message encrypted with a group key. Access nodes that are members of an active set of access nodes for the access terminal may decrypt and understand the message. The group key is generated and distributed by the access terminal to the access nodes in its active set using temporary unicast keys to secure the group key during distribution. A new group key is provided every time an access node is removed from the active set of access nodes for the access terminal.
    Type: Grant
    Filed: March 25, 2008
    Date of Patent: July 29, 2014
    Assignee: QUALCOMM Incorporated
    Inventors: Peerapol Tinnakornsrisuphap, Fatih Ulupinar, Parag Arun Agashe, Ravindra Patwardhan, Rajat Prakash, Vidya Narayanan
  • Patent number: 8793782
    Abstract: A method for injecting a security token into an authentication protocol response is disclosed. An authentication protocol response from a node requesting access to a network is intercepted. It is determined if the node complies with a health policy of the network. A security token is inserted into the authentication protocol response based on the compliance node.
    Type: Grant
    Filed: May 27, 2010
    Date of Patent: July 29, 2014
    Assignee: Crimson Corporation
    Inventor: Jin Su
  • Patent number: 8788807
    Abstract: Methods and apparatus for protecting user privacy in a shared key system. According to one aspect, a user generates a derived identity based on a key and a session variable, and sends the derived identity to an application. In one embodiment, a key server may be used to receive the derived identity from the application, and return a sub-key to the application to use for encrypting communications with the user.
    Type: Grant
    Filed: January 10, 2007
    Date of Patent: July 22, 2014
    Assignee: QUALCOMM Incorporated
    Inventors: Adrian Escott, James Semple
  • Patent number: 8787565
    Abstract: An Advanced Encryption Standard (AES) key generation assist instruction is provided. The AES key generation assist instruction assists in generating round keys used to perform AES encryption and decryption operations. The AES key generation instruction operates independent of the size of the cipher key and performs key generation operations in parallel on four 32-bit words thereby increasing the speed at which the round keys are generated. This instruction is easy to use in software. Hardware implementation of this instruction removes potential threats of software (cache access based) side channel attacks on this part of the AES algorithm.
    Type: Grant
    Filed: August 20, 2007
    Date of Patent: July 22, 2014
    Assignee: Intel Corporation
    Inventors: Shay Gueron, Martin G. Dixon, Srinivas Chennupaty, Mayank Bomb, Brent R. Boswell
  • Patent number: 8788806
    Abstract: A general purpose distributed encrypted file system generates a block key on a client machine. The client machine encrypts a file using the block key. Then, the client encrypts the block key on the first client machine with a public key of a keystore associated with a user and associates the encrypted block key with the encrypted data block as crypto metadata. The client machine caches the encrypted data block and the crypto metadata and sends the encrypted data block and the crypto metadata to a network file system server. When the client machine receives a return code from the network file system server indicating successful writes of the encrypted data block and the crypto metadata, the client machine clears the cached encrypted data block and the crypto metadata.
    Type: Grant
    Filed: March 17, 2012
    Date of Patent: July 22, 2014
    Assignee: International Business Machines Corporation
    Inventors: Hussaina Nandyala Begum, Shawn Patrick Mullen, Manjunath A. Pattanshetti
  • Patent number: 8788811
    Abstract: A method and system for server-side key generation for non-token clients is described.
    Type: Grant
    Filed: May 28, 2010
    Date of Patent: July 22, 2014
    Assignee: Red Hat, Inc.
    Inventors: Christina Fu, Andrew Wnuk
  • Patent number: 8788805
    Abstract: Techniques for securely providing cryptographic keys to trusted intermediate nodes or monitoring devices are described so that SSL, TLS, or IPSec communications can be monitored, compressed over a WAN, or otherwise used. In an embodiment, a trusted intermediate node establishes a secure connection to a key server; receiving session identification data for an encrypted session between a client and a content server during negotiation of the encrypted session, and storing a copy of the session identification data; requesting from the key server, over the secure connection, a decryption key associated with the encrypted session; receiving an encrypted message communicated between the client and the content server; forwarding the encrypted message without modification to a destination address in the encrypted message; and decrypting the encrypted message using the decryption key to result in decrypted data and using or storing the decrypted data in a storage unit.
    Type: Grant
    Filed: February 29, 2008
    Date of Patent: July 22, 2014
    Assignee: Cisco Technology, Inc.
    Inventors: Michael Herne, David McGrew
  • Patent number: 8782395
    Abstract: Content delivery networks may associate each WAN optimized network connection with a specific client-to-cloud-service connection using connection identifiers. When an edge node of a content delivery network receives or intercepts a network connection request from a client device including an auto-discovery indicator from an upstream WAN optimization module, the edge node stores a connection identifier for this network connection. The edge node sends a connection response back to the client device including an auto-discovery response indicator. In response, the WAN optimization module sends one or more inner connection setup messages including the connection identifier to a second WAN optimization module in the content delivery network to establish a direct connection, referred to as an inner connection. The connection identifier is matched with the previously stored connection identifier to associate an inner connection with the network connection between the client and the cloud service.
    Type: Grant
    Filed: March 31, 2012
    Date of Patent: July 15, 2014
    Assignee: Riverbed Technology, Inc.
    Inventor: Kand Ly
  • Patent number: 8782742
    Abstract: A communication apparatus transmits an authentication frame to an authentication apparatus and receives a response frame for response to the authentication frame from the authentication apparatus so that an authentication process is performed for the communication apparatus by the authentication apparatus. In the communication apparatus, a transmitting section transmits an authentication frame to the authentication apparatus using a multicast address as a transmission destination address, and if a reception determining section determines that the response frame is not received from the authentication apparatus, a transmission destination address changing section changes the transmission destination address from the multicast address to a broadcast address, and the transmitting section transmits the authentication frame that has the transmission destination address changed to the broadcast address to the authentication apparatus.
    Type: Grant
    Filed: April 26, 2012
    Date of Patent: July 15, 2014
    Assignee: Panasonic Corporation
    Inventors: Satoshi Ando, Kazuhide Sawabe, Satoshi Arita
  • Patent number: 8782430
    Abstract: A system securely buffers hard disk drive data using a host side eXclusive OR (XOR) encryption engine. A host communicates with an encryption interface interposed between the host and a client. Communicatively coupled to the encryption interface is an external buffer for the collection and processing of data. A host side XOR encryption engine, using a random seed, encrypts data originating from the host and places it on the external buffer. Once collected at the buffer and ready for transmittal to the client, the encrypted data is retrieved by the encryption interface and decrypted using the same random seed. The clear data is then encrypted once again using a robust encryption means such as Advanced Encryption Standard (AES) encryption by a client side device for conveyance to the client.
    Type: Grant
    Filed: January 22, 2010
    Date of Patent: July 15, 2014
    Assignee: STMicroelectronics, Inc.
    Inventors: Duncan Furness, Francesco Brianti, David Tamagno
  • Patent number: 8782409
    Abstract: Systems and methods are disclosed permitting a sender to send a secret and secure message to a recipient. An application on a sender device interfaces with known message generating tools to permit a user to generate a message. The local application encrypts the message (and optional attachments) based on public/private key pairing negotiated with the server given the recipient device id. The sender device transmits the cipher text to the server. The server generates a benign, text-based, context-appropriate message and delivers same to a recipient device by way of a known messaging service. The benign message provides a secret clue to the recipient that an encrypted message is available. Recipient may then access and decrypt the encrypted message, such as from the server in response to a successful challenge (e.g., password request).
    Type: Grant
    Filed: June 4, 2012
    Date of Patent: July 15, 2014
    Assignee: Private Giant
    Inventors: Shaun Murphy, Charles Murphy, Richard Johnson
  • Patent number: 8782743
    Abstract: According to an aspect of the present invention there is provided a method of obtaining authentication information for use in a Generic Bootstrapping Architecture, GBA, employed in a network with one or more GBA-capable subscriber registers and one or more GBA-incapable subscriber registers. The method involves a selection function for determining whether the authentication information of a subscriber is stored at a GBA-capable subscriber register or at a GBA-incapable subscriber register, and an interworking function for translating between the Diameter messages of the Zh interface and the MAP messages of the Zh' interface.
    Type: Grant
    Filed: November 24, 2009
    Date of Patent: July 15, 2014
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: David Castellanos Zamora, Nuria Esteban Vares
  • Patent number: 8782414
    Abstract: A system and methods for establishing a mutually authenticated secure channel between a client device and remote device through a remote access gateway server. The remote access gateway server forwards secure connection requests and acknowledgements between the client and the remote device such that the remote access gateway does not possess any or all session keys necessary to decrypt communication between the client device and remote device.
    Type: Grant
    Filed: May 7, 2007
    Date of Patent: July 15, 2014
    Assignee: Microsoft Corporation
    Inventor: Kestutis Patiejunas
  • Patent number: 8782394
    Abstract: Centralized authentication systems are provided. A representative system, among others, includes an authentication registration system, a content provider and an internet server. The mobile authentication registration system resides on a content provider, and is operable to receive a single identification number and password from a user independent of a platform the user is associated with, and determine that the identification number and password combination provided by the user is associated with a registered user. The content provider provides personalized content to any of a plurality of registered users on a plurality of platforms. The server receives a connection request from a wireless device, sends an authentication request to the authentication registration system, and provides a personalized content from the content provider to said at least one device. Methods and other systems for multiple access portals are also provided.
    Type: Grant
    Filed: November 10, 2008
    Date of Patent: July 15, 2014
    Assignee: AT&T Intellectual Property I, L.P.
    Inventors: Douglas R. O'Neil, Jose F. Rivera, William George Thomson
  • Patent number: 8782392
    Abstract: A method is performed at a computer system having one or more processors and memory storing one or more programs executed by the one or more processors. The method includes receiving a first data transmission from a first client system, where the first data transmission includes a first document, the first document having one or more portions that are marked as private; encrypting the marked portions of the first document using a key; and sending a second data transmission to a destination system, where the second data transmission includes a second document, the second document including the encrypted marked portions of the first document and a remainder of the first document that is not marked as private. The key is unavailable to the destination system. The second document is stored at the destination system.
    Type: Grant
    Filed: February 23, 2012
    Date of Patent: July 15, 2014
    Assignee: Google Inc.
    Inventor: Ben Margolin