Central Trusted Authority Provides Computer Authentication Patents (Class 713/155)
-
Patent number: 10089084
Abstract: In accordance with an embodiment, described herein is a system and method for reusing JavaScript code in a service orchestration process in a SOA middleware environment. The system can include a unified runtime environment on an application server, wherein the unified runtime environment includes a process execution engine with an embedded JavaScript engine, and an executable process defined by a process execution language executing on the process execution engine. The system can further include a plurality of JavaScript libraries, each defining JavaScript variables with one of a SOA server scope, a component scope, or a process scope. These scopes and an execution scope of a JavaScript variable can form a JavaScript scope chain. When a JavaScript variable in an executable process is being resolved, the JavaScript engine can start in an execution scope of the JavaScript variable, and searches down the scope chain until the variable is resolved or the scope chain is exhausted.
Type: Grant
Filed: March 21, 2016
Date of Patent: October 2, 2018
Assignee: ORACLE INTERNATIONAL CORPORATION
Inventors: Michal Chmielewski, Yogesh Kumar
-
Patent number: 10083284
Abstract: Concepts and technologies are disclosed herein for event-based security challenges. A computer can execute a security application. The computer can receive a request for authentication information associated with a user device. The computer can access event data corresponding to the user device. The computer can generate, based upon the event data, a challenge question and a response to the challenge question. The computer can provide data indicating the challenge question and the response to a requestor associated with the request.
Type: Grant
Filed: March 28, 2016
Date of Patent: September 25, 2018
Assignee: AT&T Intellectual Property I, L.P.
Inventors: Robert Alan Koch, Robert Bridger, II, James T. Lee, Jr.
-
Patent number: 10083247
Abstract: A method, computer system, and computer program product for generating state-driven role-based landing pages. An enterprise application user in a secure enterprise application environment provides user-specified content relevant to the user's role in the enterprise, and when the user invokes an enterprise application, initial screens displayed by the enterprise application are displayed as landing pages using the user-specified content. The method commences by validating an enterprise application user using a user profile and a security model where the security model serves to distinguish permitted or allowed enterprise application user activities from denied enterprise application activities. Once validated, then the method identifies a user's role or roles, and further, identifies the user's selection of subscriptions (e.g., subscriptions pertaining to content related to the user's role).
Type: Grant
Filed: April 30, 2012
Date of Patent: September 25, 2018
Assignee: Oracle International Corporation
Inventors: Michael S. Brown, Chakriya D. Lipps, Gurbinder S. Bali
-
Patent number: 10079680
Abstract: A method for validating a set of payload data by means of said servers. The method includes validating information related to a set of payload data, based on which a check code has been calculated and encrypted by means of an asymmetric cryptographic key pair (A). The encrypted check code (1.11) has been stored at the archive server and associated with a time stamp, which can be used for validation of the set of payload data. The method may enable a selective revocation of certificates that have been used for signing the set of payload data.
Type: Grant
Filed: July 8, 2014
Date of Patent: September 18, 2018
Assignee: EMERGING SENSE, AFFARSUTVECKLING AB
Inventor: Peter Holm
-
Patent number: 10069811
Abstract: A registry apparatus is provided for maintaining a device registry of agent devices for communicating with application providing apparatus. The registry comprises authentication information for uniquely authenticating at least one trusted agent device. In response to an authentication request from an agent device, the authentication information for that device is obtained from the registry, and authentication of the agent device is performed. If the authentication is successful, then application key information is transmitted to at least one of the agent device and the application providing apparatus.
Type: Grant
Filed: October 17, 2013
Date of Patent: September 4, 2018
Assignee: ARM IP Limited
Inventors: William Allen Curtis, Douglas Miles Anson, Kerry McGuire Balanza
-
Patent number: 10063544
Abstract: A system and method can support consistent handling of internal ID space for different partitions in an InfiniBand (IB) network. A plurality of partitions can be provided for a subnet with a plurality of hosts, wherein each partition of the subnet includes one or more hosts and each host can be associated with one or more physical HCA instances. Each partition in the subnet can be associated with a separate internal ID space, and a single physical HCA instance is prevented from being shared by different tenants that use a same internal ID value in different partitions.
Type: Grant
Filed: June 4, 2012
Date of Patent: August 28, 2018
Assignee: ORACLE INTERNATIONAL CORPORATION
Inventors: Bjorn-Dag Johnsen, Line Holen, David Brean
-
Patent number: 10063589
Abstract: A method includes: deploying at least one shadow system in association with each of one or more components of a network environment; periodically recording a state map of each active component of the network environment and a corresponding state map of the shadow system(s) associated therewith; periodically comparing the recorded state map of each active component with the corresponding recorded state map of the shadow system(s) associated therewith; determining whether a deviation exists with respect to the recorded state map of each active component and the corresponding recorded state map of the shadow system(s) associated therewith; determining whether the deviation is greater than a predetermined deviation threshold; and declaring a security breach regarding the active component(s) for which the deviation was determined to be greater than the predetermined deviation threshold. Corresponding systems and computer program products are also disclosed.
Type: Grant
Filed: April 20, 2016
Date of Patent: August 28, 2018
Assignee: LENOVO ENTERPRISE SOLUTIONS (SINGAPORE) PTE. LTD.
Inventors: Gary David Cudak, Ajay Dholakia, Scott Kelso, Fred Allison Bower, III
-
Patent number: 10063375
Abstract: Techniques are provided to ensure isolation of trusted input/output devices using a Secure Crypto-Processor. Secure IO lines may be used to drive devices that have a higher integrity requirement and to do attestation of sensor readings. Enhanced authorization policies may be used to enforce policies on interaction with IO devices. A bus master controller may also be provided in a Secure Crypto-Processor. Individual devices on an isolated Secure Crypto-Processor bus may be mapped to Indices so that read and write operations can be associated with Secure-Crypto-Processor-enforced authorization policies. The Secure Crypto-Processor may further provide means of attestation for complex data read from an input/output device that may be signed with the device identity to show strong origination proof of that data.
Type: Grant
Filed: August 3, 2015
Date of Patent: August 28, 2018
Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
Inventors: Stefan Thom, Robert K. Spiger, David R. Wooten, Merzin Kapadia
-
Patent number: 10057239
Abstract: A policy device grants access to a client device, without authenticating the client device, when the client device provides a session identifier to the policy device that was previously granted to the client device by a second policy device upon authenticating the client device by the second policy device. In one example, a policy device includes a network interface that receives a session identifier from a client device, wherein the policy device comprises an individually administered autonomous policy server, and an authorization module that grants the client device access to a network protected by the policy device based on the session identifier without authenticating the client device by the policy device. In this manner, the client device need not provide authentication information multiple times within a short time span, and the policy device can deallocate resources when a session migrates to a second policy device.
Type: Grant
Filed: December 31, 2009
Date of Patent: August 21, 2018
Assignee: Pulse Secure, LLC
Inventor: Roger A. Chickering
-
Patent number: 10057262
Abstract: A device includes a storage unit that stores generated challenges which are challenges previously generated, a determination unit that determines whether a newly generated challenge matches any of the generated challenges or not, an output unit that outputs the newly generated challenge as an unused challenge when the determination unit determines that the newly generated challenge does not match any of the generated challenges, and a registration unit that stores the newly generated challenge as a new generated challenge in the storage unit when the determination unit determines that the newly generated challenge does not match any of the generated challenges.
Type: Grant
Filed: December 17, 2015
Date of Patent: August 21, 2018
Assignee: TOPPAN PRINTING CO., LTD.
Inventors: Kiichi Yokoyama, Moyuru Kobayashi
-
Patent number: 10057762
Abstract: A method and device for acquiring information of a relay router are provided. The method includes: sending a first broadcasting message to a relay router in a broadcasting monitoring mode; receiving a second broadcasting message from the relay router when the first broadcasting message satisfies a predefined condition, the second broadcasting message containing address information of the relay router; and when the second broadcasting message satisfies the predefined condition, acquiring the address information of the relay router from the second broadcasting message.
Type: Grant
Filed: August 4, 2016
Date of Patent: August 21, 2018
Assignee: XIAOMI INC.
Inventors: Yong Chen, Qiuzhi Huang, Yidong Wang, Chuan Peng
-
Patent number: 10057370
Abstract: Devices may be grouped into teams by a team identifier configured for each device. Within the team, one device may be selected as a control device for handling requests made to the team. A team address is assigned to the team for directing communications from the client. The control device parses messages addressed to the team address and forwards requests to slave devices in the team. The control device may perform load balancing of the slave devices when directed messages to the slave devices. Device teams may be used to assign dynamic licenses to the clients.
Type: Grant
Filed: September 6, 2012
Date of Patent: August 21, 2018
Assignee: UNISYS CORPORATION
Inventor: Eric T. Obligacion
-
Patent number: 10055601
Abstract: A first access key, which is provided by a key server for decrypting a file and the encrypted file is published on a public network by a first user. Every time the secured file is accessed by a second user, the first access key is provided by the key server to decipher the file. The first user can control access to the file by deleting the first access key on the key server, thus denying the second user access to the access key preventing de-encryption of the secured file.
Type: Grant
Filed: July 31, 2015
Date of Patent: August 21, 2018
Inventor: Larry Hamid
-
Patent number: 10051428
Abstract: A system may be configured to allow for storage of location information regarding a set of user devices. The location information may be updated relatively frequently, and without introducing additional traffic into a wireless telecommunications network associated with the user devices. The location information may be made available to internal devices associated with the wireless telecommunications network and/or to external third party devices (such as banks, payment card processors, or advertisers) with user consent. Since the information is obtained and stored prior to requests, the location information may be provided, in response to requests, relatively quickly.
Type: Grant
Filed: November 3, 2016
Date of Patent: August 14, 2018
Assignee: Verizon Patent and Licensing Inc.
Inventors: Paul H. Prehn, Brian Olson, Cora Kasaji Kalukuta, Javier M. Lopez
-
Patent number: 10043328
Abstract: An electronic door lock management method and system are provided. The method includes: setting electronic keys, including: acquiring lock ID card information having a first user ID through an induction zone, and binding the first user ID to a door lock; acquiring join-in card information having a second user ID through the induction zone, and confirming that the first user ID is the same as the second user ID; acquiring access card information through the induction zone and acquiring file card information through the induction zone, wherein the access card information comprises an access card ID, and the file card information comprises a file card ID; and setting a binding relationship between the access card ID and the file card ID, and taking the access card ID and the file card ID as the electronic keys.
Type: Grant
Filed: November 19, 2015
Date of Patent: August 7, 2018
Inventor: Yu Min
-
Patent number: 10032044
Abstract: Disclosed are various examples for multi-party authentication and authentication. In one example, a user who forgets a password can gain access to secured data stored by a managed device by way of an authorization by one or more other users. This access can be granted even if the managed device is in an off-line mode or if a management server cannot be reached. In another example, access to secured data can depend upon authorization by a minimum quantity of other users. The authorization can involve an explicit approval or disapproval. Alternatively, the authorization can correspond to the presence of the minimum quantity of other users within a threshold proximity of the user who desires access.
Type: Grant
Filed: October 9, 2015
Date of Patent: July 24, 2018
Assignee: AIRWATCH LLC
Inventors: Sachin Vas, Ramani Panchapakesan, Vijaykumar Bhat, Sushilvas Vasavan
-
Patent number: 10032011
Abstract: Aspects of the subject disclosure may include, for example, generating a digital certificate responsive to an authentication of a user according to a dynamic biometric process, associating the digital certificate with a transaction record for the transaction, storing information associated with authentication conditions of the dynamic biometric process, receiving an access request associated with the transaction, and providing access to the transaction record, the information associated with the authentication conditions of the dynamic biometric process or a combination thereof responsive to the access request, where granting of the access is according to transmitting an access acknowledgement to equipment of the user, or obtaining another authentication to allow permission to access or a combination thereof. Other embodiments are disclosed.
Type: Grant
Filed: August 12, 2014
Date of Patent: July 24, 2018
Assignee: AT&T INTELLECTUAL PROPERTY I, L.P.
Inventor: Frank Kao
-
Patent number: 10033528
Abstract: The invention is a method of communicating between a server and a distant secure element through a point-to-point link. The server is provided with a set comprising a plurality of data and a plurality of identifiers, each of the data is associated with one of the identifiers. The plurality of data comprises a first data compatible with the distant secure element and a second data incompatible with the distant secure element. The whole set is sent from the server to the distant secure element through the point-to-point link. A control operation is run with respect to a reference value stored in the distant secure element for each identifier. The data associated with the identifiers for which the control operation failed is discarded.
Type: Grant
Filed: September 9, 2014
Date of Patent: July 24, 2018
Assignee: GEMALTO SA
Inventors: Abdellah El-Marouani, André Sintzoff, Julien Glousieau, Ilyas Landikov, Christophe Ronfard-Haret, Xavier Berard
-
Patent number: 10027643
Abstract: To solve the problems that may occur due to the leakage of user account information, the present disclosure may manage the security using the device token that is used independently of that of the server, that is generated by a home device, and that can be used for device authentication when a smart phone controls home appliances. With the use of the device token, the present disclosure may solve the problems that the status information of home appliances is exposed by another person or the home appliances are controlled by another person, even though the user account information is leaked.
Type: Grant
Filed: September 23, 2014
Date of Patent: July 17, 2018
Assignee: Samsung Electronics Co., Ltd.
Inventors: Jun-Hyung Kim, Dong-Keon Kong, Se-Hoon Kim, Jai-Ick Chun, Eun-Hui Bae, Se-Il Kim
-
Patent number: 10025919
Abstract: Various systems, mediums, and methods herein describe aspects of an authentication system. The system may receive a request from a user device to authenticate a user. The system may determine a route traveled by the user. The route can be determined based at least on data retrieved from the user device of the user. The system may determine one or more objects viewable along the route. At least one image of the one or more objects can be selected. The system may communicate the at least one image and at least one other image to the user device to be displayed on the user device. The system may receive a selection of the at least one image by the user through a display of the user device. The authentication of the user can be based, at least in part, on the user selection of the at least one image.
Type: Grant
Filed: March 25, 2016
Date of Patent: July 17, 2018
Assignee: PayPal, Inc.
Inventors: Michael Charles Todasco, Sumeet Ahuja, Prashanthi Ravanavarapu, Geetha Kuppuswamy, Dushyanth Bharadwaj
-
Patent number: 10027490
Abstract: A method is described for revoking a group of certificates, each of which includes a key, for an authenticated communication between one first subscriber and at least one second subscriber, one first key and one revocation value, with the aid of which the keys of the group of certificates may be calculated from the first key, being transmitted for the purpose of revocation to the at least one second subscriber.
Type: Grant
Filed: March 4, 2015
Date of Patent: July 17, 2018
Assignee: ROBERT BOSCH GMBH
Inventor: Alexander Tschache
-
Patent number: 10028076
Abstract: There is provided a system and method for creating a local social network, based on a user's location and a user's virtual social profile (e.g. a facebook profile, a myspace profile) on a virtual social network (e.g. facebook, myspace). The method includes the steps of: (1) associating a communication device with a user's virtual profile, (2) detecting a communication device within an interactive region, (3) extracting unique parameters of the communication device, (4) retrieving data associated with the communication device and with the user's virtual profile, and (5) initiating data transfer based on the retrieved data.
Type: Grant
Filed: February 2, 2015
Date of Patent: July 17, 2018
Assignee: LOYALBLOCKS LTD.
Inventors: Ido Gaver, Eran Kirshenboim, Aner Armon
-
Patent number: 10019570
Abstract: Systems and methodologies for accessing resources associated with a Web-based application in accordance with one or more embodiments disclosed herein may include a browser that obtains at least first resources from a first domain and second resources from a second domain and a resource management component that facilitates controlled communication between the first resources and the second resources and prevents the first resources and the second resources from accessing other resources that the first resources and the second resources are not permitted to access. The resource management component may be further operable to contain restricted services in a sandbox containment structure and/or to isolate access-controlled resources in a service instance. In addition, the resource management component may be operable to facilitate the flexible display of resources from disparate domains and/or controlled communication therebetween.
Type: Grant
Filed: June 14, 2007
Date of Patent: July 10, 2018
Assignee: Microsoft Technology Licensing, LLC
Inventors: Jiahe Helen Wang, Xiaofeng Fan, Collin Edward Jackson, Jonathan Ryan Howell, Zhenbin Xu
-
Patent number: 10015022
Abstract: A video content system includes a head end server module and a content-sharing server coupled to a video content network. Also included is a converged premises gateway module coupled to the video content network at a location remote from the head end server module and the content-sharing server. The converged premises gateway module includes a processor and a video content network interface coupled to the processor and the video content network and configured for communication with the head end server module over the video content network. The gateway module also includes a memory module having a predetermined storage location for content to be shared with the content-sharing server and a local area network configured at least for distribution of video content within the remote location. The system further includes an upload module configured to cause the content in the predetermined storage location to be uploaded to the content-sharing server.
Type: Grant
Filed: May 20, 2015
Date of Patent: July 3, 2018
Assignee: TIME WARNER CABLE ENTERPRISES LLC
Inventors: William L. Helms, George Sarosi, Chris Cholas, Jeffrey P. Markley
-
Patent number: 10013571
Abstract: In the present invention, a control section of a CRM server performs editing processing for TPO (the time, the place, and the occasion) requirements. Next, a control section of a TPO server registers the TPO requirements in order to convert the same to TPO definitions. Then, the control section performs setting processing for the TPO definitions. A portable terminal identifies the current location and the current time. Then, a control section verifies TPO definition state transitioning. If transitioning of the TPO definition state is detected, the control section performs TPO definition state transition notification processing. The control section of the portable terminal performs individual control processing on the basis of the TPO definitions.
Type: Grant
Filed: March 1, 2017
Date of Patent: July 3, 2018
Assignee: Mizuho Information & Research Institute, Inc.
Inventor: Atsushi Tomoeda
-
Patent number: 10003465
Abstract: Embodiments herein provide, for example, a method that includes generating a shared symmetric key to exchange authentication information among a communications group; distributing the generated shared symmetric key to each communicating party in the communications group; exchanging authentication information among members of the communications group, where each communicating party: encrypts the authentication information using the generated shared symmetric key and sends the encrypted authentication information to other members of the communications group, and receives encrypted authentication information from another communicating party in the communications groups and decrypts the received encrypted authentication information using the generated shared symmetric key.
Type: Grant
Filed: August 31, 2015
Date of Patent: June 19, 2018
Assignee: CYPH, INC.
Inventors: Ryan Lester, Bryant Zadegan
-
Patent number: 10003591
Abstract: A permissions management system is disclosed for enabling a user to securely authorize a third-party system to access user account data and initiate transactions related to a user account, without disclosing to the third-party system account credentials. The system enables the user to also securely de-authorize the third-party system. For example, records may be automatically generated that securely store account information, including one or more permissions related to the account and/or the third-party. A token associated with a record may be shared with the third-party system, but neither the record itself, nor the user account credentials, may be shared with the third-party. Accordingly, the third-party may request user account data and/or initiate transactions by providing the token, but does not itself know, e.g., the user account credentials. Further, the user may set various permissions related to the token, and may also revoke the token (e.g.
Type: Grant
Filed: September 7, 2016
Date of Patent: June 19, 2018
Assignee: PLAID TECHNOLOGIES, INC.
Inventors: William Hockey, Michael Kelly
-
Patent number: 10002248
Abstract: Systems, computer program products, and methods are described herein for a mobile device data security system. The present invention is configured to establish a communication link with the mobile device; receive, via the established communication link, information associated with one or more third-party applications stored on the mobile device; initiate a scan, via the established communication link, to determine whether the one or more third-party applications are associated with a malicious code; transmit control signals, via the established communication link, configured to cause the data security application to begin running in the background of the mobile device in response to determining that the one or more third-party applications are associated with the malicious code; and initiate, via the data security application, one or more actions to be executed on the mobile device of the user, wherein the one or more actions limit one or more functionalities of the mobile device.
Type: Grant
Filed: January 4, 2016
Date of Patent: June 19, 2018
Assignee: Bank of America Corporation
Inventor: Alicia C. Jones-McFadden
-
Patent number: 9996601
Abstract: Technologies are generally described for a data synchronization scheme. In some examples, a method performed under control of a client device may include connecting to a server based at least in part on user account login information; receiving, from the server, a data file stored in connection with the user account; storing the received data file in a local data storage; receiving a request to logout the client device; determining that the client device is disconnected from the server and/or that the data file stored on the local data storage is not synchronized with the data file stored in connection with the user account; and encrypting the data file stored on the local data storage.
Type: Grant
Filed: November 14, 2013
Date of Patent: June 12, 2018
Assignee: EMPIRE TECHNOLOGY DEVELOPMENT LLC
Inventors: Hyun-Oh Oh, Ju-Hyung Son, Jin-Sam Kwak
-
Patent number: 9996996
Abstract: Tracking, identifying and article management systems and methods for reliably and repeatedly determining one or more physically uncopiable attribute instances (of the same or varying types) from or inherent in an article of manufacture, using the selected physical uncopiable attribute(s) to produce an unforgeable identity for the article, and then integrating that unforgeable identity into computer-based tracking systems in a way that permits the tracking system to track and monitor articles for which identity information is known. Applications include documents, fashion accessories, artwork, and other objects.
Type: Grant
Filed: April 15, 2016
Date of Patent: June 12, 2018
Assignee: Siebels Asset Management Research Ltd.
Inventors: Jane Marie Siebels, Jeffrey Guy Bonar, Karl Ginter, John Langley Rehwinkel, Derek S. Toledo-Silbert
-
Patent number: 9998288
Abstract: A security device (6) is provided for facilitating management of secret data items such as cryptographic keys which are used by a remote server (2) to authenticate operations of the server (2). The device (6) has a user interface (13), control logic (16) and a computer interface (11) for connecting the device (6) to a local user computer (5) for communication with the remote server (2) via a data communications network (3). The control logic is adapted to establish via the user computer (5) a mutually-authenticated connection for encrypted end-to-end communications between the device (6) and server (2). In a backup operation, the secret data items are received from the server (2) via this connection. The control logic interacts with the user via the user interface (13) to obtain user authorization to backup secret data items and, in response, stores the secret data items in memory (10).
Type: Grant
Filed: February 28, 2011
Date of Patent: June 12, 2018
Assignee: International Business Machines Corporation
Inventors: Michael Baentsch, Harold D. Dykeman, Michael C. Osborne, Tamas Visegrady
-
Patent number: 9992673
Abstract: The invention relates to a method for authenticating a device, comprising a network communication unit and tagging circuit, in a mobile communication network, using a mobile entity comprising a tagging circuit and being authenticated to the mobile communication network. The method comprises the following steps; the mobile entity establishing a connection with the device, using said tagging circuit, exchanging authentication data between the mobile entity and the device using the tagging circuit and authenticating the device to the mobile communication network by submission of exchanged authentication data in the mobile communication network. Thereby, the permissions of a mobile entity may be shared with another device by tagging. The invention also relates to a corresponding mobile entity, device, node and computer program product.
Type: Grant
Filed: December 20, 2012
Date of Patent: June 5, 2018
Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
Inventors: Jari Arkko, Fredrik Garneij, Jan Melen, Mats Sagfors
-
Patent number: 9992183
Abstract: Disclosed is a method and system for utilizing an Internet Protocol Multimedia Subsystem (IMS) to authenticate an HTTP session between a communication device and an online application program. The method includes registering a communication device on an IMS, and generating an authorization token which is sent to the communication device. The communication device then embeds the authorization token in HTTP request communication directed to the IMS. The IMS, after verifying the authorization token, forwards the HTTP request and token to a selected Web server that hosts an online application to authenticate an HTTP session.
Type: Grant
Filed: October 11, 2013
Date of Patent: June 5, 2018
Assignee: T-Mobile USA, Inc.
Inventor: Robert L. Engelhart
-
Patent number: 9985957
Abstract: A system and method of enabling software features on apheresis machines and/or infusion pumps uses a license server disposed outside of a medical facility and a local server disposed at the medical facility. The method includes generating a software enabling indicator at the license server, the software enabling indicator comprising multiple letters and a numerical code, the numerical code representing a number of licenses to be allocated for a software feature. The method includes transmitting the software enabling indicator and a certificate signing request to a third party certificate authority. The method includes transmitting the electronic document from the license server to the local server, authenticating the license server at the local server, generating a plurality of second digital certificates, transmitting the second digital certificates to each of a plurality of the medical devices and enabling a software feature on the medical devices based on the second digital certificates.
Type: Grant
Filed: June 28, 2017
Date of Patent: May 29, 2018
Assignee: Fenwal, Inc.
Inventor: Witold Moskal
-
Patent number: 9979729
Abstract: A method for controlling access to a system for supporting home control activities includes hierarchical authorization of the user. Access in an online mode, in which there is a connection between a central platform and a home control device, is granted by the central platform, in particular user rights are derived, and the user only has the right of access to the home control device if the right of access to the central platform is in place. In an offline mode, rights stored locally on the home control device control access. Access to the applications is granted by the home control device, in particular application-specific user rights are derived, and a user only has the right of access to the applications if the right of access to both the home control device and also to the central platform is in place.
Type: Grant
Filed: June 11, 2014
Date of Patent: May 22, 2018
Assignee: DEUTSCHE TELEKOM AG
Inventor: Thomas Unterschuetz
-
Patent number: 9974018
Abstract: Systems and methods for processing, transmitting and displaying data received from an analyte sensor, such as a glucose sensor, are provided. The data can be displayed on a hand-held display device having a display such as a key fob device including a user interface, such as an LCD and one or more buttons 604 allows a user to view data, and a physical connector, such as USB port.
Type: Grant
Filed: September 21, 2012
Date of Patent: May 15, 2018
Assignee: DexCom, Inc.
Inventors: Kenneth San Vicente, Hari Hampapuram, Eli Reihman, Katherine Yerre Koehler, Jacob S. Leach
-
Patent number: 9971613
Abstract: A virtualized computing system includes a plurality of inventory objects and an access control subsystem that manages permissions to perform actions on the inventory objects using corresponding access control labels of the inventory objects. Permissions are managed by detecting a change in an association of a tag with an inventory object, where the tag defines one or more users and one or more privileges. In response to the detecting, an access control label of the inventory object is updated based on the users and privileges that are defined by the tag.
Type: Grant
Filed: October 4, 2013
Date of Patent: May 15, 2018
Assignee: VMWARE, INC.
Inventor: Jianping Yang
-
Patent number: 9971895
Abstract: A method for supporting change of the authentication means for secure booting with the change of the trust root (root of trust) of the readymade electronic device and the electronic device therefor is provided. The secure boot generation method of an electronic device of the present disclosure includes storing plural initial certificates including a first initial certificate and a second initial certificate, designating the first initial certificate as a root certificate for secure booting of the electronic device, and switching the initial certificate from the first initial certificate to the second initial certificate in response to a request. Various other embodiments are possible.
Type: Grant
Filed: December 23, 2013
Date of Patent: May 15, 2018
Assignee: Samsung Electronics Co., Ltd.
Inventors: Injong Rhee, Peng Ning, Youngkyoo Kim, Youngjip Kim, Dongho Jang, Siejoon Cho
-
Patent number: 9965641
Abstract: A method, apparatus and computer program product for policy-based access control in association with a sorted, distributed key-value data store in which keys comprise n-tuple structure that includes a cell-level access control. In this approach, an information security policy is used to create a set of pluggable policies. A pluggable policy may be used during data ingest time, when data is being ingested into the data store, and a pluggable policy may be used during query time, when a query to the data store is received for processing against data stored therein. Generally, a pluggable policy associates one or more user-centric attributes (or some function thereof), to a particular data-centric label. By using pluggable policies, preferably at both ingest time and query time, the data store is enhanced to provide a seamless and secure policy-based access control mechanism in association with the cell-level access control enabled by the data store.
Type: Grant
Filed: December 15, 2014
Date of Patent: May 8, 2018
Assignee: A9.com
Inventors: Michael R. Allen, John W. Vines, Adam P. Fuchs
-
Patent number: 9967332
Abstract: An example peer-to-peer file sharing and collaboration method includes providing a user of a computing device with access to an electronic file via a sharing application, the electronic file being stored in a memory of the computing device. The method also includes receiving an input from the user indicative of a desire to share the electronic file using the sharing application and via a peer-to-peer communication protocol. The method further includes providing, via the communication protocol, a first transformed file generated by the first computing device based on the electronic file, and receiving, via the communication protocol, a second transformed file generated based on the electronic file. In such a method, the second transformed file is different from the first transformed file.
Type: Grant
Filed: February 24, 2015
Date of Patent: May 8, 2018
Assignee: Amazon Technologies, Inc.
Inventors: Preetam J. D'Souza, Brendan Donald Lee, Kyu Simm, Kevin George Gillett, Olivier Suritz, Subha Narayanamurthi, Robert Norris Lance Krentler
-
Patent number: 9961064
Abstract: Ad hoc communications are established between unknown contacts. For example, in today's mobile communications environment, there are many instances in which a user of a smart phone may wish to send a message to an unknown user's smartphone. An ad hoc communication thus allows messaging with an unknown user.
Type: Grant
Filed: January 25, 2016
Date of Patent: May 1, 2018
Assignees: AT&T INTELLECTUAL PROPERTY I, L.P., AT&T MOBILITY II LLC
Inventors: Ginger Chien, Yehoshuva Arasavelli
-
Patent number: 9961077
Abstract: A system, apparatus, method, and machine readable medium are described for biometric device attestation. For example, one embodiment of an apparatus includes: a biometric device to read biometric authentication data from a user and determine whether to successfully authenticate the user based on a comparison with biometric reference data; and a cryptographic engine to establish communication with a relying party and to attest to the model and/or integrity of the biometric device to the relying party.
Type: Grant
Filed: October 29, 2013
Date of Patent: May 1, 2018
Assignee: NOK NOK LABS, INC.
Inventor: Rolf Lindemann
-
Patent number: 9953168
Abstract: In an approach, a secure boot process includes two phases. In the first phase an on-premises device generates a data encryption key (DEK) with which to encrypt an operating system image and a key encryption key (KEK) with which to wrap the DEK. The on-premises device then utilizes a key management service to wrap the KEK with an account root key and writes the wrapped DEK and wrapped KEK onto a label of the encrypted operating system image. The encrypted operating system image is then uploaded to a virtual data center and merged with an intermediary guest manager image. When the encrypted machine image is used to generate a virtual machine instance, the intermediary guest manager utilizes the key management service to unwrap the KEK. The unwrapped KEK is then used to unwrap the wrapped DEK which is then used to launch the encrypted guest operating system.
Type: Grant
Filed: June 26, 2017
Date of Patent: April 24, 2018
Assignee: Bracket Computing, Inc.
Inventors: Jason A. Lango, Adam Cain, Nitin Bahadur, John K. Edwards, Kevin George, William McGovern, Andrew G. Tucker
-
Patent number: 9949119
Abstract: A method for assessing a message transmitted between at least two parties via a previously unknown third party in a decentralized communication network, wherein all parties share a common trust architecture, includes publishing, on-behalf-of indication and public, security information of the third party; publishing, the message of the first party; evaluating the published information to extract published content of the first party by the second party as intended receiver of the message; verifying a real-world-identity of the third party and/or the signature of the third party based on the previously received trust information and/or based on the self-certifying name and the public security information of the third party; checking a trust information chain according to the common trust architecture from the second party to the third party; and assessing the content of the first party based on the checked trust chain.
Type: Grant
Filed: February 17, 2014
Date of Patent: April 17, 2018
Assignee: NEC CORPORATION
Inventors: Jan Seedorf, Dirk Kutscher, Fabian Schneider
-
Patent number: 9947008
Abstract: An enhanced certificate authority system and method allows for the enhanced security, validation and Multi-Factor Authentication of users within a digital signature and transaction system through the creation and management of a user's Digital Identity certificate so that through an enhanced certificate authority a user's identity and bona fides may be both protected and established across a diversity of electronic devices and transactions.
Type: Grant
Filed: October 21, 2015
Date of Patent: April 17, 2018
Inventor: Urayoan Camacho Diaz
-
Patent number: 9934373
Abstract: In some implementations, a system may control an environment in which biometric data is entered when a user enrolls data for a user account or authenticates after having enrolled user data. Enrollment and/or authentication may be required to occur under one or more conditions. In some implementations, data from an electronic device associated with a user may be used to determine whether conditions on enrollment and/or authentication have been satisfied.
Type: Grant
Filed: January 23, 2015
Date of Patent: April 3, 2018
Inventors: Siamak Ziraknejad, Ren-Jay Huang, Elaine Li, Hector Vazquez, Peng Xiao
-
Patent number: 9934697
Abstract: A wearable device conveys information to a user. The device includes a master soft circuit cell and a plurality of actuation soft circuit cells. These cells are physically interconnected to form a garment that is worn by a user and each of these cells includes an electrically non-conductive fabric covering. Each of the actuation cells is electrically connected to and operates under the control of the master cell. The master cell is configured to wirelessly receive actuation instructions and activate a combination of the actuation cells based on the received actuation instructions. Each of the actuation cells is configured to generate a particular actuation that is perceived by one or more senses of the user whenever the actuation cell is activated by the master cell. A system also conveys affective state information to a user.
Type: Grant
Filed: November 6, 2014
Date of Patent: April 3, 2018
Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
Inventors: Chris O'Dowd, Asta Roseway, Mary Czerwinski, Meredith Morris, Michele A. Williams
-
Patent number: 9922178
Abstract: A client device for media playback includes a user-installable media client application which implements the client-side of a digital rights management (DRM) system. The client device employs secure boot and verifies the user-installed application. The application is hardened against reverse engineering, and it utilizes a special API provided by the client device to tie into the secure boot, bridging the gap between the secure boot and the client-side of the DRM system contained within the application.
Type: Grant
Filed: July 23, 2014
Date of Patent: March 20, 2018
Assignee: ERICSSON AB
Inventors: Mikhail Mikhailov, Raj Nair
-
Patent number: 9912524
Abstract: Systems, methods, and non-transitory computer-readable storage media for creating dynamic session maps. The method is discussed in terms of a system implementing the method. The system generates a dynamic session map token for a packet in a communication session, wherein the dynamic session map token instructs a node to send a copy of the packet to a specified destination. The dynamic session map token includes a unique dynamic session map identifier, a port number, and an IP address associated with the specified destination. Next, the system adds the dynamic session map token to the packet to yield a tracing packet. The dynamic session map token can be incorporated into the header portion of the packet, for example. Finally, the system transmits the tracing packet to the node. In one embodiment, the system also sends the copy of the packet to the specified destination.
Type: Grant
Filed: February 29, 2012
Date of Patent: March 6, 2018
Assignee: Avaya Inc.
Inventor: Jean Meloche
-
Patent number: 9906517
Abstract: A computer program product for cross-site request forgery (CSRF) prevention is provided and includes a computer readable storage medium having program instructions embodied therewith. The program instructions are readable and executable by a processing circuit to cause the processing circuit to issue a server request for a certificate, which is associated with a user, responsive to a client request to visit a uniform resource indicator (URI) being received, validate the certificate upon receipt in fulfillment of the server request, compare a referrer listed in a header of the client request with a list of certificate elements in the certificate, authenticate the user in accordance with correlation between the referrer and at least one of the certificate elements and authorize the client request to visit the URI upon the user being authenticated.
Type: Grant
Filed: June 10, 2016
Date of Patent: February 27, 2018
Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
Inventors: John C. Dayka, Michael P. Kasper, Eysha S. Powers