Central Trusted Authority Provides Computer Authentication Patents (Class 713/155)
  • Patent number: 9230081
    Abstract: An embodiment may include circuitry to be included, at least in part, in a host. The host may include at least one host central processing unit (CPU) to execute, at least in part, at least one host operating system (OS). The circuitry may perform, at least in part, at least one operation in isolation both from interference from and control by the at least one host CPU and the at least one host OS. The at least one operation may include user authorization determination and user presence determination. The authorization determination may be in response, at least in part, to indication of physical presence of at least one user in proximity to the host. The user presence determination may determine, at least in part, whether, after the indication has been provided, the physical presence of the at least one user in the proximity to the host has ceased.
    Type: Grant
    Filed: March 5, 2013
    Date of Patent: January 5, 2016
    Assignee: Intel Corporation
    Inventors: Ned M. Smith, Victoria C. Moore
  • Patent number: 9231763
    Abstract: A system and method for providing secure communications between remote computing devices and servers. A network device sends characteristics of a client computing device over the network. A network device receives characteristics of a client computing device over the network. A plurality of credentials are generated, where at least one of the plurality of credentials is based on both the received characteristics of the client computing device and a unique client key, and at least one of the plurality of credentials is based on both the received characteristics of the client computing device and a generic key. A network device sends the plurality of credentials over the network. A network device receives the plurality of credentials via the network.
    Type: Grant
    Filed: August 23, 2010
    Date of Patent: January 5, 2016
    Assignee: QUALCOMM Incorporated
    Inventors: Laurence Lundblade, Ivan Hugh McLean, Gerald Charles Horel
  • Patent number: 9230109
    Abstract: The described implementations relate to trusted platform module (TPM) security. One configuration that is implemented on a computing device includes a TPM configured to generate a key pair utilizing a factor stored on the TPM and an external cofactor that is not stored on the TPM. The computing device also includes a communication device configured to receive the external cofactor and convey the external cofactor to the TPM.
    Type: Grant
    Filed: October 7, 2008
    Date of Patent: January 5, 2016
    Assignee: Microsoft Technology Licensing, LLC
    Inventor: David Wooten
  • Patent number: 9225510
    Abstract: Methods of the present inventions allow for determining website secure certificate status via a partner browser plugin. An exemplary method may comprise storing, on a server communicatively coupled to a network, a plugin configured to determine the secure certificate status of a website browsed in the browser. A request for the plugin, from a partner having a unique identifier, may be received at the server. The plugin may be coded with the partner's unique identifier and transmitted to the partner. The server subsequently may receive, from the plugin, the website's uniform resource locator and secure certificate status along with the partner's unique identifier, which may be used to identify the source of the data.
    Type: Grant
    Filed: August 17, 2010
    Date of Patent: December 29, 2015
    Assignee: Go Daddy Operating Company, LLC
    Inventor: Kenneth Wharton
  • Patent number: 9225728
    Abstract: The present invention discloses a method for anonymous entity identification, which comprises the following steps: an entity A transmits an RA and an IGA to an entity B; the entity B returns an RB, an IGB and a TokenBA to the entity A; the entity A sends an RA′, the RB, the IGA and the IGB to a credible third-party TP; the credible third-party TP checks the validity of a first group and a second group according to the IGA and the IGB; the credible third-party TP returns an RESGA, an RESGB, and a TokenTA to the entity A, or returns the RESGA, the RESGB, a TokenTA1 and a TokenTA2 to the entity A; and the entity A performs a verification after receiving them; the entity A sends a TokenAB to the entity B; and the entity B performs the verification after receiving it. In the present invention, there is no need to send the identity information of the entity to be identified to an opposite terminal, so that anonymous identity identification is realized.
    Type: Grant
    Filed: June 24, 2011
    Date of Patent: December 29, 2015
    Assignee: CHINA IWNCOMM CO., LTD.
    Inventors: Zhiqiang Du, Manxia Tie, Xiaolong Lai, Qin Li
  • Patent number: 9219603
    Abstract: A system and method for protecting streams in a mixed infrastructure includes determining processing elements that are to access a data stream in a stream processing environment and determining a security level for each processing element. Keys are generated per stream per processing element in accordance with the security level. The keys are associated with processing elements in an access control list in a location accessible by producing and consuming processing elements. The stream is decrypted for processing using keys released upon authenticating processing elements in accordance with the access control list. At security boundaries, the stream is re-encrypted in accordance with a next processing element.
    Type: Grant
    Filed: January 9, 2008
    Date of Patent: December 22, 2015
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Frederick Douglis, Zachary Garbow, Fan Ye
  • Patent number: 9218493
    Abstract: A method is provided for generating a human readable passcode to an authorized user including providing a control access datum and a PIN, and generating a unique machine identifier for the user machine. The method further includes modifying the controlled access datum, encrypting the controlled access datum using the PIN and/or a unique machine identifier to camouflage the datum, and generating a passcode using the camouflaged datum and the PIN and/or the unique machine identifier. A mobile user device may be used to execute the method in one embodiment. The passcode may be used to obtain transaction authorization and/or access to a secured system or secured data. The unique machine identifier may be defined by a machine effective speed calibration derived from information collected from and unique to the user machine.
    Type: Grant
    Filed: August 13, 2013
    Date of Patent: December 22, 2015
    Assignee: CA, Inc.
    Inventors: Geoffrey Hird, Rammohan Varadarajan
  • Patent number: 9213851
    Abstract: In a method for limiting access to a digital item, a count for the digital item is stored, wherein the count is a number of accesses permitted for the digital item. A password for accessing the digital item is received. A one-way hash function is performed on the password based on the number of accesses of the count to generate a password hash based on the count. The password hash is stored as the stored password hash.
    Type: Grant
    Filed: December 12, 2012
    Date of Patent: December 15, 2015
    Assignee: VMware, Inc.
    Inventor: Uday Kurkure
  • Patent number: 9208335
    Abstract: A network security system that employs space-time separated and jointly-evolving relationships to provide fast network access control, efficient real-time forensics capabilities, and enhanced protection for at-rest data in the event of a network breach. The network security system allows, in part, functionality by which the system accepts a request by a user to access the data stored in the database, identifies a sequence of security agents to participate in authenticating and protecting the access of the data by the user, generates a sequence of pseudorandom IDs and space-time varying credentials, checks at each one of the security agents a corresponding one of the credentials, determines that the user is permitted to access the data using access control logs if all the security agents accept the corresponding credentials, and varies the credentials based on a space-time relationship.
    Type: Grant
    Filed: June 2, 2014
    Date of Patent: December 8, 2015
    Assignee: Auburn University
    Inventors: Chwan-Hwa Wu, J. David Irwin, David Charles Last, Myers Hawkins, Hao Sun
  • Patent number: 9202082
    Abstract: An embodiment of the invention includes determining a first security status for first information and a second security status for second information, the second security status being more secure than the first security status; establishing a first communication path between the system and a first local computing node via a first wireless path; conveying the first information to the first local computing node via the first wireless path based on the first security status; and withholding the second information from the first local computing node based on the second security status; wherein the first and second information are stored on at least one of the system and a remotely located computing node. Other embodiments are described herein.
    Type: Grant
    Filed: March 14, 2013
    Date of Patent: December 1, 2015
    Assignee: Intel Corporation
    Inventors: Yoav Hochberg, Glen Anderson, Guy Ben Haim, Charles Smith, Brian Johnson
  • Patent number: 9204374
    Abstract: A mobile activation server has a secure network port to receive requests from mobile end-user devices operating on a cellular access network with a set of pre-activation credentials. The server contains a database with a stored set of pre-activation credentials for multiple such devices. An authorization engine compares one or more of the stored pre-activation credentials to those of a requesting device to determine whether the device is authorized to receive offers from the server. An offer engine supplies to authorized devices via the cellular access network a set of multiple cellular network service options, including for each of multiple cellular network service carriers at least one option for activating service on that carrier.
    Type: Grant
    Filed: April 3, 2015
    Date of Patent: December 1, 2015
    Assignee: Headwater Partners I LLC
    Inventor: Gregory G. Raleigh
  • Patent number: 9203615
    Abstract: A method and apparatus for personalizing a smart card coupled with a communication device of a user who is a subscriber of a first telecommunication network and wishes to become a subscriber of a second telecommunication network is disclosed. A first authentication key is stored in both the smart card and in a first application server included in the first telecommunication network. A secure session is established with a second application server included in the second telecommunication network via the first telecommunication network by negotiating with the first application server and the second application server in order that the smart card and the second application server agree on a second authentication key. Shared values and shared functions according to a secure multiparty computation protocol are used to compute a second authentication key which replaces the first authentication key in the smart card.
    Type: Grant
    Filed: September 16, 2013
    Date of Patent: December 1, 2015
    Assignee: Alcatel Lucent
    Inventors: Serge Papillon, Haithem El Abed, Antony Martin, Abdullatif Shikfa
  • Patent number: 9197615
    Abstract: An access specific key is provided for securing of a data transfer between a mobile terminal and a node of an access net. For authentication of the mobile terminal, an authentication server generates a session key, from which a basic key is derived and transferred to an interworking-proxy-server. The interworking-proxy-server derives the access specific key from the transferred basic key and provides the key to the node of the access net.
    Type: Grant
    Filed: August 9, 2007
    Date of Patent: November 24, 2015
    Assignee: SIEMENS AKTIENGESELLSCHAFT
    Inventors: Rainer Falk, Günther Horn, Dirk Kröselberg
  • Patent number: 9197419
    Abstract: A cloud access security system provides security to data stored in the cloud. The cloud access security system maintains version service information that indicates servers that service web services calls to particular versions of a cloud application service. Upon detection of a web service call to an unknown version of the cloud application service, the cloud access security system redirects the web service call to a known good server that services web service calls that are made to a previous version of the cloud application service. The cloud access security system may employ an encryption scheme that allows for partial decryption.
    Type: Grant
    Filed: January 30, 2014
    Date of Patent: November 24, 2015
    Assignee: Trend Micro Incorporated
    Inventors: Bharath Kumar Chandrasekhar, Jeremy Hubble, Yusong Zhang
  • Patent number: 9191275
    Abstract: A networked computer device can be provisioned by customizing the computer device to contain a specification of a particular provisioning server. For example, a network interface device can be pre-configured and installed in the computer device. The pre-configuration of the network interface device may include embedding a provisioning service identification in the network interface device. The network interface device may be further configured to perform provisioning from a provisioning service indicated by the embedded provisioning service identification. In addition, or alternatively, the network interface device, or the computer within which it is installed, may be configured to authenticate with a provisioning server based on authentication information that has been embedded within firmware of the computer or network interface device.
    Type: Grant
    Filed: June 22, 2011
    Date of Patent: November 17, 2015
    Assignee: Amazon Technologies, Inc.
    Inventor: Timothy C. Worsley
  • Patent number: 9185652
    Abstract: Disclosed are various embodiments of Bluetooth low energy (BLE) modules and methods implemented therein. An embodiment of the disclosure can obtain in a BLE module an advertiser packet transmitted by a BLE advertiser. An advertiser cache can be checked to determine whether the advertiser cache in the BLE module contains an entry associated with an advertiser address from the advertiser packet. The BLE module can determine whether a payload value of the advertiser packet has changed relative to a previous advertiser packet associated with the advertiser address. The BLE module can then suppress forwarding of the packet to a host processor and/or on-board processor executing firmware. The BLE module can also suppress sending a scan request packet back to the BLE advertiser.
    Type: Grant
    Filed: December 22, 2011
    Date of Patent: November 10, 2015
    Assignee: Broadcom Corporation
    Inventors: Guoxin Xie, Yuan Zhuang, Angel Polo, Chikan Kwan, Cindy (Xin) Tian, Arthur Jin, Long Wang
  • Patent number: 9172688
    Abstract: A first information handling system receives a security challenge and forwards it to a second information handling system. The second information handling system retrieves a private key from a public/private encryption key pair and satisfies the challenge with the private key. The second information handling system forwards the satisfied challenge without divulging the private key. The second information handling system is in a more secure environment than the first information handling system. The challenge may be satisfied by signing the challenge with the private key. Satisfying the challenge may be a step in creating a secure shell connection between the first information handling system and an organization maintaining the first information handling system and the second information handling system.
    Type: Grant
    Filed: May 3, 2013
    Date of Patent: October 27, 2015
    Assignee: Dell Products, LP
    Inventors: Carolyn Duby, Mark B. King, Aric LeDell, Elchanan Oren, Michael Vincent
  • Patent number: 9171140
    Abstract: A system and method for unified password processing is provided. According to an aspect, a device can receive a unified passcode. The unified passcode can be a passcode for unlocking access to the device, or can be the basis for generating additional passwords or both. The unified passcode can also be used for generating additional passcodes for unlocking additional features of the device. The generated passcodes can also be used for unlocking modules that are connected to a device such as a universal integrated circuit card (UICC). In cases where a generated passcode can be used to unlock a UICC, the generated passcode is converted to a personal identification number (PIN). The mobile interface to the UICC can be extended to include alphanumeric passwords, in addition to PINs.
    Type: Grant
    Filed: March 14, 2013
    Date of Patent: October 27, 2015
    Assignee: BLACKBERRY LIMITED
    Inventors: Klaus Kespohl, James Randolph Winter Lepp, Nicholas James Russell
  • Patent number: 9166971
    Abstract: In some embodiments, techniques for computer security comprise receiving request data, wherein the request data includes identity-related information relating to a provider of the request data and information relating to an input specification; requesting authentication from a second computing device via a network, wherein requesting the authentication includes transmitting the information related to the provider of the request data and the information relating to the input specification; and receiving authentication data from the second computing device, wherein the authentication data is associated with the input specification, wherein the authentication data is encrypted, and wherein a key used for the encryption is associated with the identity-related information.
    Type: Grant
    Filed: May 9, 2014
    Date of Patent: October 20, 2015
    Inventor: Aaron Emigh
  • Patent number: 9166969
    Abstract: A client device requests permission from a network access device to access a network associated with the network access device. The client device sends credentials of a user associated with the client device for authenticating with the network access device. The client device receives from the network access device permission to access the network along with a session certificate and an associated key. The session certificate and the key are associated with the credentials of the user. The client device establishes a network session using the network based on receiving the permission. During the network session, the client device establishes a secure communications channel with a website. The client device authenticates the user to the website by sending the session certificate to the website over the secure communications channel. The client device then receives permission from the website to access contents of the website.
    Type: Grant
    Filed: December 6, 2012
    Date of Patent: October 20, 2015
    Assignee: Cisco Technology, Inc.
    Inventors: Yehoshua Hershberg, Amir Naftali, Etti Shalev, Maya Felder
  • Patent number: 9160728
    Abstract: Signature generation key sk_s is randomized with random number r to calculate randomized signature generation key sk′_s=SigningKeyRandomize(sk_s, r). The random number r is encrypted with public encryption key pk_e to calculate an encrypted random number R=Enc(pk_e, r). A message m is signed with the randomized signature generation key sk′_s to calculate signed message s′=Sign(sk′_s, m). The signed message s′ and the encrypted random number R are sent to a recipient, where sk_s represents the secret signature generation key of a sender of the message m, pk_e represents the public encryption key of the recipient, r represents the random number, s represents a signature, Sign represents a signature generation function, s=Sign(sk_s, m) represents a signature for the message m, SigningKeyRandomize represents a function for randomizing the secret signature generation key sk_s, and Enc represents an encryption function.
    Type: Grant
    Filed: August 17, 2013
    Date of Patent: October 13, 2015
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventor: Satoshi Hada
  • Patent number: 9158933
    Abstract: System, method, computer program product embodiments and combinations and sub-combinations thereof for protection of encryption keys in a database are described herein. An embodiment includes a master key and a dual master key, both of which are used to encrypt encryption keys in a database. To access encrypted data, the master key and dual master key must be supplied to a database server by two separate entities, thus requiring dual control of the master and dual master keys. Furthermore, passwords for the master and dual master keys must be supplied separately and independently, thus requiring split knowledge to access the master and dual master keys. In another embodiment, a master key and a key encryption key derived from a user password is used for dual control. An embodiment also includes supplying the secrets for the master key and dual master key through server-private files.
    Type: Grant
    Filed: May 12, 2009
    Date of Patent: October 13, 2015
    Assignee: Sybase, Inc.
    Inventors: Barbara Jane Banks, Rajnish Kumar Chitkara, Shiping Chen
  • Patent number: 9152814
    Abstract: In one aspect, a method to manage encrypted data includes configuring a first portion of a storage medium to store encrypted data. The encrypted data is encrypted using a time-based encryption key. The method also includes configuring a second portion of the storage medium to include metadata identifying the time-based encryption key and storing the time-based encryption key in a location other than the storage medium.
    Type: Grant
    Filed: December 31, 2012
    Date of Patent: October 6, 2015
    Assignee: EMC International Company
    Inventor: Assaf Natanzon
  • Patent number: 9148404
    Abstract: Disclosed is a system for accessing data of a cloud database via transparent technology, and the system includes at least one channel server and at least one cloud database end. When a connection notice is outputted from an application end, the user channel unit detects a first server address and a first database address in a HTTP data format, and connects to a corresponding channel server via the HTTP tunnel to send a database request, so that the channel server can convert the first database address in the HTTP data format into a TCP/IP data format and then connect to a corresponding database end. Therefore, the application end can access data from the database behind the firewall via the Internet without modifying any program code.
    Type: Grant
    Filed: September 6, 2013
    Date of Patent: September 29, 2015
    Assignee: Syscom Computer Engineering Co.
    Inventors: Ching-Ju Chuang, Pei-Fen Hu, Shu-Yuan Hu, Kun-Ting Chiu
  • Patent number: 9141775
    Abstract: A mashup service support method includes externally receiving a mashup service application, acquiring and managing an authentication key corresponding to the received mashup service application, and executing the received mashup service application using the acquired authentication key. A user can use a variety of web services by normally operating a mashup service application through Open API due to the storing and managing of an authentication key.
    Type: Grant
    Filed: April 30, 2008
    Date of Patent: September 22, 2015
    Assignee: SAMSUNG ELECTRONICS CO., LTD.
    Inventor: Tae-jung Yun
  • Patent number: 9143319
    Abstract: An authentication device is used to authenticate a component to a product using a secret key. The life cycle of the authentication device is controlled by selective deletion of the secret key. An attestation message is sent by the authentication device upon deletion of the secret key. Authentication devices from faulty components or over supply of the authentication devices may be rendered inoperable and audited.
    Type: Grant
    Filed: September 12, 2011
    Date of Patent: September 22, 2015
    Assignee: Certicom Corp.
    Inventor: Robert John Lambert
  • Patent number: 9141952
    Abstract: Executable applications on a gaming machine are verified before they can be executed, for security purposes and to comply with jurisdictional requirements. Unlike in prior systems for authenticating the executable applications, embodiments allow for new executable applications to be provided and verified over time with different private and public key pairs, even after the operating code of the gaming machine is certified by the jurisdiction and deployed in the field.
    Type: Grant
    Filed: April 9, 2014
    Date of Patent: September 22, 2015
    Assignee: IGT
    Inventors: John Hongjip Kim, Melih Ozmen, Warner R. Cockerille, IV, Ali R. Gulbag
  • Patent number: 9143318
    Abstract: Methods, systems, apparatus and articles of manufacture for secure recoverable offline storage of a shared secret are provided herein. A method includes establishing a connection with a cryptographic device to access a first item of encrypted information maintained by the cryptographic device, wherein the first item of encrypted information comprises an item of cryptographic information encrypted with a first item of key information, decrypting the first item of encrypted information with a second item of key information to retrieve the item of cryptographic information, and encrypting the item of cryptographic information with a third item of key information to create a second item of encrypted information, wherein the third item of key information is associated with the cryptographic device.
    Type: Grant
    Filed: March 11, 2013
    Date of Patent: September 22, 2015
    Assignee: EMC Corporation
    Inventor: Eric A. Young
  • Patent number: 9137228
    Abstract: An SP's default user authentication is automatically augmented. An access request from a user is redirected from the SP to an authentication augmentation system. The SP also sends an augmentation request. The augmentation system redirects the access request to an IdP, and receives back an authenticated user identity. The default authentication is automatically augmented with additional techniques such as identity proofing and/or multifactor authentication, without the SP or the IdP modifying their code to implement or integrate the augmented authentication. Responsive to successfully authenticating the user according to the additional techniques, an augmented authenticated user identity is redirected to the SP. The augmentation system can use an identity management protocol such as SAML to communicate with the SP and IdP. Authentication performed by a third party and extended to the SP can be augmented, in which case a session id can be used to access third party services.
    Type: Grant
    Filed: June 28, 2013
    Date of Patent: September 15, 2015
    Assignee: Symantec Corporation
    Inventor: Keith Newstadt
  • Patent number: 9124569
    Abstract: Embodiments are directed to authenticating a user to a remote application provisioning service. In one scenario, a client computer system receives authentication credentials from a user to authenticate the user to a remote application provisioning service that provides virtual machine-hosted remote applications. The client computer system sends the received authentication credentials to an authentication service, which is configured to generate an encrypted token based on the received authentication credentials. The client computer system then receives the generated encrypted token from the authentication service, stores the received encrypted token and the received authentication credentials in a data store, and sends the encrypted token to the remote application provisioning service. The encrypted token indicates to the remote application provisioning service that the user is a valid user.
    Type: Grant
    Filed: June 14, 2013
    Date of Patent: September 1, 2015
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Amjad Hussain, Andrew Eremenko, Mahadeva Kumar Alladi, Sriram Sampath, Tristan William Scott, Travis Michael Howe, Ido Miles Ben-Shachar
  • Patent number: 9124577
    Abstract: A method for assembling authorization certificate chains among an authorizer, a client, and a third party allows the client to retain control over third party access. The client stores a first certificate from the authorizer providing access to a protected resource and delegates some or all of the privileges in the first certificate to the third party in a second certificate. The client stores a universal resource identifier (URI) associated with both the first certificate and the third party and provides the second certificate and the URI to the third party. The third party requests access to the protected resource by providing the second certificate and the URI, without knowledge or possession of the first certificate. When the authorizer accesses the URI, the client provides the first certificate to the authorizer, so that the client retains control over the third party's access.
    Type: Grant
    Filed: September 16, 2014
    Date of Patent: September 1, 2015
    Assignee: Intel Corporation
    Inventor: Victor B. Lortz
  • Patent number: 9118667
    Abstract: A system and method are provided for using a mobile device to authenticate access to a private network. The mobile device may operate to receive a challenge from an authentication server, the challenge having being generated according to a request to access a private network; obtain a private value; use the private value, the challenge, and a private key to generate a response to the challenge; and send the response to the authentication server. An authentication server may operate to generate a challenge; send the challenge to a mobile device; receive a response from the mobile device, the response having been generated by the mobile device using a private value, the challenge, and a private key; verify the response; and confirm verification of the response with a VPN gateway to permit a computing device to access a private network.
    Type: Grant
    Filed: June 1, 2012
    Date of Patent: August 25, 2015
    Assignees: BlackBerry Limited, Certicom Corp.
    Inventors: Anthony Rosati, Scott Alexander Vanstone, Mark E. Pecen
  • Patent number: 9111072
    Abstract: Computer-implemented systems, methods, and computer-readable media for generating and executing anti-reverse engineering software include receiving at least one of a set of input instructions and a set of input values; creating a deterministic environment; executing one or more functions corresponding to at least one of the set of input instructions and the set of input values while simultaneously generating a set of output values corresponding to the executed one or more functions, wherein the set of output values is generated based on a deterministic function of the computing device executing the one or more functions; and outputting the set of output values.
    Type: Grant
    Filed: August 16, 2012
    Date of Patent: August 18, 2015
    Assignee: Tectonic Labs, LLC
    Inventor: Binh K. Thai
  • Patent number: 9111115
    Abstract: A method, apparatus, and a computer readable storage medium having computer readable instructions to carry out the steps of the method for anonymous access to a database. Each record of the database has different access control permissions (e.g. attributes, roles, or rights). The method allows users to access the database record while the database does not learn who queries a record. The database does not know which record is being queried: (i) the access control list of that record or (ii) whether a user's attempt to access a record had been successful. The user can only obtain a single record per query and only those records for which he has the correct permissions. The user does not learn any other information about the database structure and the access control lists other than whether he was granted access to the queried record, and if so, the content of the record.
    Type: Grant
    Filed: November 4, 2013
    Date of Patent: August 18, 2015
    Assignee: International Business Machines Corporation
    Inventors: Jan Leonhard Camenisch, Maria Dubovitskaya, Gregory Neven, Greg Zaverucha
  • Patent number: 9106633
    Abstract: Embodiments of the invention provide systems and methods for authenticating mobile device communications. A mobile device to which a message will be communicated may be identified. Based upon a shared secret between a service provider and the mobile device, a payload authentication code (“PAC”) may be generated, and the generated PAC may be associated with a payload for the message. The message and the generated PAC may then be communicated to the mobile device, and the mobile device may be configured to utilize the shared secret to verify the PAC and authenticate the message. In certain embodiments, the operations of the method may be performed by one or more computers associated with the service provider.
    Type: Grant
    Filed: May 25, 2012
    Date of Patent: August 11, 2015
    Assignee: First Data Corporation
    Inventor: Daniel Wilson Carnes
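    The payload authentication code from this abstract, as an added example that is not the patent's or First Data's code. The PAC is realised as an HMAC-SHA256 over the payload keyed with the secret shared between the service provider and the mobile device; the message layout, the device identifier folded into the MAC input, and the sample secret are assumptions. The example also shows what an attacker who knows the format but not the secret can produce, and why the device rejects it.

```python
import hashlib
import hmac

# Constructed example of a payload authentication code (PAC): an HMAC over the
# payload keyed with the provider/device shared secret. Layout and identifiers
# are assumptions for the example.


def make_pac(shared_secret: bytes, device_id: str, payload: bytes) -> bytes:
    # Folding the device identifier into the MAC input (an addition beyond the
    # abstract) stops a PAC minted for one device from being re-addressed to
    # another device that happens to share the same secret.
    msg = device_id.encode() + b"\x00" + payload
    return hmac.new(shared_secret, msg, hashlib.sha256).digest()


def provider_send(shared_secret: bytes, device_id: str, payload: bytes) -> dict:
    """Service-provider side: attach the PAC to the message bound for the device."""
    return {
        "to": device_id,
        "payload": payload.hex(),
        "pac": make_pac(shared_secret, device_id, payload).hex(),
    }


def device_receive(shared_secret: bytes, device_id: str, message: dict):
    """Mobile-device side: recompute the PAC and accept the payload only on a match.

    Returns the authenticated payload, or None if the message is malformed,
    addressed elsewhere, or fails verification.
    """
    if message.get("to") != device_id:
        return None
    try:
        payload = bytes.fromhex(message["payload"])
        pac = bytes.fromhex(message["pac"])
    except (KeyError, ValueError, TypeError):
        return None
    expected = make_pac(shared_secret, device_id, payload)
    if not hmac.compare_digest(expected, pac):   # constant-time comparison
        return None
    return payload


def forge_without_secret(device_id: str, payload: bytes) -> dict:
    """What an attacker who knows the format but not the secret can build.

    A plain hash proves nothing about origin: anyone can compute it. The
    device rejects it because the real PAC is keyed.
    """
    return {"to": device_id, "payload": payload.hex(),
            "pac": hashlib.sha256(payload).hexdigest()}


if __name__ == "__main__":
    secret = b"\x07" * 32                     # constructed shared secret
    msg = provider_send(secret, "device-42", b'{"balance": 120.00}')
    print(device_receive(secret, "device-42", msg))
    print(device_receive(secret, "device-42", forge_without_secret("device-42", b"{}")))
```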
  • Patent number: 9104324
    Abstract: Embodiments include methods, apparatus, and systems for managing host logins to storage systems.
    Type: Grant
    Filed: August 19, 2006
    Date of Patent: August 11, 2015
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: John G. McCarthy, Jeffrey DiCorpo, Shiraz Billimoria
  • Patent number: 9106691
    Abstract: In an embodiment, a computing system, such as a monitoring computer, receives a request from a user to monitor an account of the user with an online service provider. The request may include personal information and user preferences for one or more protective actions. The system periodically monitors external data sources for indications of changes to personal information associated with the account, and detects changes or attempted changes to personal information associated with the account. The system may determine risk levels associated with detected changes or attempted changes, and transmit a notification to the user via a communication channel selected based on the determined risk level and/or the user preferences. The system may also initiate protective actions, so that further unauthorized access to the account may be prevented.
    Type: Grant
    Filed: September 16, 2011
    Date of Patent: August 11, 2015
    Assignee: CONSUMERINFO.COM, INC.
    Inventors: Michael Burger, Mark Joseph Kapczynski
  • Patent number: 9104838
    Abstract: Systems and methods can secure against cross-site request forgery using client-side token storage. A client browser can initiate an action associated with a first web service and generate a token. The token may be stored in client-side storage at the computing device. An indicator of the action may also be stored within the client-side storage. A return link, associated with a passed copy of the token, may be generated. The client may perform the redirect and return to the first web service according to the return link. The passed copy of the token can be extracted from the return link. The indicator of the action and the stored token may be loaded from the client storage. The passed copy of the token and the stored token may be compared. The action according to the indicator of the action may be performed in response to the comparison matching.
    Type: Grant
    Filed: November 14, 2012
    Date of Patent: August 11, 2015
    Assignee: GOOGLE INC.
    Inventors: Damian Gajda, Kenneth William Shirriff
  • Patent number: 9106638
    Abstract: Methods, media, and servers are provided for maintaining persistent sessions for a network device and providing quick authorization to a user of the network device. The network server maintains persistent sessions with network devices based on a usage profile associated with the network devices. The persistent sessions are maintained during time periods when the network device experiences peak transaction activity. Additionally, during these time periods, the network device may provide quick authorizations to users of the network device. Quick authorizations allow a transaction to complete on the network device without waiting for authorization if the user is identified as a returning user.
    Type: Grant
    Filed: November 14, 2013
    Date of Patent: August 11, 2015
    Assignee: Sprint Communications Company L.P.
    Inventors: Geoffrey Scott Martin, Michael Philip Dougan
  • Patent number: 9094217
    Abstract: A credential store provides for secure storage of credentials. A credential stored in the credential store is encrypted with the public key of a user owning the credential. A first user may provide a credential owned by the first user to a second user. The first user may add credentials owned by the first user to the credential store. An administrator may manage users of the credential store without having the ability to provide credentials to those users.
    Type: Grant
    Filed: August 2, 2013
    Date of Patent: July 28, 2015
    Assignee: BLADELOGIC, INC.
    Inventors: David Allen Solin, Richard Guoyu Liao
  • Patent number: 9094207
    Abstract: The invention relates to a terminal (3) for the strong authentication of a user, comprising: a reader (31, 34) of a user's authentication parameters; a receiver of a geolocation signal (33); an interface (37) for communication with another apparatus; and a processor (38) that extracts the date and time of the geolocation signal, generates encrypted data comprising the authentication parameters read by the reader and the extracted date and time, and orders the transmission of said encrypted data by way of the communication interface (37).
    Type: Grant
    Filed: March 16, 2009
    Date of Patent: July 28, 2015
    Inventors: Jonathan Attia, Bernard Pinot
  • Patent number: 9088564
    Abstract: One embodiment of the present invention relates to a system that enables a user of an application that runs natively on a client to obtain access to a web resource that is affiliated with the native application. First, the native application obtains an access token from a Central Authentication Service (CAS). Next, the native application sends a secure request for a one-time use session token to the CAS. If the CAS determines the request is valid, the CAS initializes a session token and sends the session token to the native application. After receiving the session token, the native application directs a browser to an endpoint server, appending the session token to the browser's request. Finally, the endpoint server initializes an authenticated session wherein the authenticated session is scoped to the desired web resource.
    Type: Grant
    Filed: February 7, 2013
    Date of Patent: July 21, 2015
    Assignee: INTUIT INC.
    Inventors: Timothy E. Hobson, Shrisha Radhakrishna, Kishore Jonnalagedda, Soumendra Daas, Bibhakar Ranjan, Douglas L. Foiles
  • Patent number: 9088414
    Abstract: A determination is made as to whether a user has been logged off from the web-based application accessed through a web browser on a computer. If it is determined that the user has been logged off from the web-based application, then a new user interface is provided through the web browser. The new user interface may enable the user to enter user credentials. The user credentials are received through the new user interface. A request to validate the user based on the user credentials is transmitted. Upon transmitting the request to validate the user, an instruction to remove the new user interface is received when the user is validated. Upon receiving the instruction, a display of the web-based application is transformed by removing the new user interface.
    Type: Grant
    Filed: June 1, 2009
    Date of Patent: July 21, 2015
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Sam Franklin Williams, III, Michael Peter Vandekerkhof, Jeremy Scott Barton
  • Patent number: 9087198
    Abstract: In accordance with the exemplary embodiments of the invention there is at least a method, apparatus, and executable program of computer instructions to perform the operations of establishing and initializing a set of platform configuration registers, where a first subset of platform configuration registers is defined as being non-resettable, and a second subset of platform configuration registers is defined as being resettable, storing initial boot-up system state information in one or more non-resettable platform configuration registers, dynamically resetting (2) a value of a platform configuration register identified by a reference integrity metric to reflect a measurement value provided by the reference integrity metric, and responding to an attestation request (0) with an attestation response (5) including dynamic information from the platform configuration register that was reset and system state information from a non-resettable platform configuration register.
    Type: Grant
    Filed: February 14, 2011
    Date of Patent: July 21, 2015
    Assignee: Nokia Technologies Oy
    Inventors: Jan-Erik Ekberg, Nadarajah Asokan, Kari Kostiainen
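    The resettable/non-resettable register split and the attestation response from this abstract, as an added example that is not the patent's or Nokia's code. The extend rule (new value = H(old value || H(measurement))) is the standard TPM construction; the HMAC-keyed quote stands in for a TPM signature by an attestation key. The register numbering (0-15 non-resettable, 16-23 resettable), the attestation key and the measurements are assumptions. The example shows a reset being refused on a boot-time register, accepted on a runtime register, and a verifier checking a quote that carries both kinds of value against a nonce.

```python
import hashlib
import hmac

# Constructed example of a PCR bank with a non-resettable and a resettable
# subset, plus a nonce-bound attestation response. Register split, key and
# measurements are assumptions; the HMAC stands in for a TPM quote signature.

PCR_COUNT = 24
NON_RESETTABLE = set(range(0, 16))    # boot-time system state lives here
RESETTABLE = set(range(16, 24))       # runtime state that a reference integrity metric may reset
ZERO = bytes(32)


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class PCRBank:
    def __init__(self):
        self.values = [ZERO] * PCR_COUNT

    def extend(self, idx: int, measurement: bytes) -> bytes:
        # Extend is one-way: the only way to reach a given value is to replay
        # the same sequence of measurements from the initial state.
        self.values[idx] = h(self.values[idx] + h(measurement))
        return self.values[idx]

    def reset_to(self, idx: int, rim_measurement: bytes) -> bytes:
        """Reset a resettable register and extend it with the RIM's measurement."""
        if idx not in RESETTABLE:
            raise PermissionError(f"PCR{idx} is non-resettable")
        self.values[idx] = ZERO
        return self.extend(idx, rim_measurement)

    def quote(self, attestation_key: bytes, nonce: bytes, selection) -> dict:
        """Attestation response: the selected PCR values bound to the verifier's nonce."""
        pcrs = {i: self.values[i] for i in selection}
        tag = hmac.new(attestation_key, quote_blob(nonce, pcrs), hashlib.sha256).digest()
        return {"nonce": nonce, "pcrs": pcrs, "tag": tag}


def quote_blob(nonce: bytes, pcrs: dict) -> bytes:
    # Canonical encoding: index-prefixed values in ascending register order.
    return nonce + b"".join(i.to_bytes(1, "big") + pcrs[i] for i in sorted(pcrs))


def verify_quote(attestation_key: bytes, quote: dict, expected_nonce: bytes,
                 expected_pcrs: dict) -> bool:
    """Verifier side: freshness, authenticity, then policy on the reported values."""
    if not hmac.compare_digest(quote["nonce"], expected_nonce):
        return False                                   # replayed or wrong session
    expected_tag = hmac.new(attestation_key, quote_blob(quote["nonce"], quote["pcrs"]),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_tag, quote["tag"]):
        return False                                   # not produced by this platform
    # Policy: every expected register must be present and match (a missing one fails).
    return all(quote["pcrs"].get(i) == v for i, v in expected_pcrs.items())


if __name__ == "__main__":
    bank = PCRBank()
    boot = bank.extend(0, b"bootloader-v1")            # non-resettable boot state
    bank.extend(16, b"app-v1")
    runtime = bank.reset_to(16, b"app-v2")            # RIM resets runtime register
    try:
        bank.reset_to(0, b"anything")
    except PermissionError as e:
        print("refused:", e)
    key, nonce = b"\x01" * 32, b"\x02" * 16
    q = bank.quote(key, nonce, [0, 16])
    print(verify_quote(key, q, nonce, {0: boot, 16: runtime}))
```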
  • Patent number: 9087209
    Abstract: A method for database access control includes receiving an access request from a requesting user, the access request identifying one or more data entries stored in a base table storing a plurality of data entries each associated with a data category. The identified one or more data entries are retrieved from the base table, and a security table including one or more data categories that the requesting user is authorized to access is generated based on an identity of the requesting user. The data entries associated with a data category included in the security table are output as a result table.
    Type: Grant
    Filed: September 25, 2013
    Date of Patent: July 21, 2015
    Assignee: Protegrity Corporation
    Inventors: Ulf Mattsson, Hans Meijer, Jan Boberg
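    The base-table / security-table / result-table flow from this abstract, as an added example that is not the patent's or Protegrity's code, using SQLite from the Python standard library. The rows, the category names and the user-to-category mapping are invented; the security table is modelled as a per-connection TEMP table rebuilt from the caller's identity on every request, and the access check is a join so that rows outside the user's categories are simply absent from the result.

```python
import sqlite3

# Constructed example of category-based row access control through a
# per-user security table. Rows, categories and user mapping are invented.

BASE_ROWS = [
    (1, "alice", "HR"),
    (2, "bob", "FIN"),
    (3, "carol", "HR"),
    (4, "dave", "ENG"),
]

# Identity -> categories the user may read. Assumed to come from an identity
# store; a literal mapping here.
USER_CATEGORIES = {
    "hr_clerk": ["HR"],
    "auditor": ["HR", "FIN"],
    "intern": [],
}


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE base (id INTEGER PRIMARY KEY, name TEXT, category TEXT NOT NULL)")
    conn.executemany("INSERT INTO base VALUES (?, ?, ?)", BASE_ROWS)
    return conn


def build_security_table(conn: sqlite3.Connection, user: str) -> None:
    # TEMP tables are private to the connection, so one user's categories
    # cannot leak into another user's request as long as each session has
    # its own connection. Rebuilt from scratch on every request.
    conn.execute("DROP TABLE IF EXISTS temp.security")
    conn.execute("CREATE TEMP TABLE security (category TEXT PRIMARY KEY)")
    conn.executemany("INSERT INTO security VALUES (?)",
                     [(c,) for c in USER_CATEGORIES.get(user, [])])


def access(conn: sqlite3.Connection, user: str, requested_ids) -> list:
    """Return the result table: the requested rows whose category the user holds."""
    ids = list(requested_ids)
    if not ids:
        return []
    build_security_table(conn, user)
    placeholders = ",".join("?" * len(ids))
    # The join is the access check. A row the user is not entitled to does not
    # appear at all, so the result reveals nothing about it. Ids are bound as
    # parameters, never interpolated into the SQL text.
    sql = (
        "SELECT b.id, b.name, b.category FROM base AS b "
        "JOIN security AS s ON s.category = b.category "
        f"WHERE b.id IN ({placeholders}) ORDER BY b.id"
    )
    return conn.execute(sql, ids).fetchall()


if __name__ == "__main__":
    db = open_db()
    for who in ("hr_clerk", "auditor", "intern", "unknown-user"):
        print(who, access(db, who, [1, 2, 3, 4]))
```

    An unknown identity yields an empty security table and therefore an empty result, which is the safe default; the join also means the query shape never changes with the user, so the access policy cannot be bypassed by a differently-phrased request.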
  • Patent number: 9083697
    Abstract: One embodiment of a method for determining a username comprises obtaining a digital certificate from a first computer application requesting a service; authenticating the digital certificate of the first computer application; and retrieving the username from the digital certificate that is recognized by a second computer application performing the service as a user of the second computer application. Other methods and systems are also provided.
    Type: Grant
    Filed: August 9, 2012
    Date of Patent: July 14, 2015
    Assignee: AT&T Intellectual Property I, L.P.
    Inventors: James E. Scurlock, Jr., Rex Blackwell, Bruce B. Burson, Jr., Neal F. Johnson
  • Patent number: 9082514
    Abstract: A method, non-transitory computer readable medium, and apparatus for performing physically unclonable function (PUF) burn-in are disclosed. For example, the method identifies, by a processor, a natural output of an integrated circuit before the integrated circuit is initialized, identifies, by the processor, a physical characteristic of the integrated circuit associated with the physically unclonable function, and ages, by the processor, the physical characteristic of the integrated circuit to burn-in the natural output of the integrated circuit.
    Type: Grant
    Filed: April 22, 2013
    Date of Patent: July 14, 2015
    Assignee: XILINX, INC.
    Inventor: Stephen M. Trimberger
  • Patent number: 9083682
    Abstract: According to an embodiment, a communication device includes a cryptographic communication unit, a first communicating unit, and a control unit. The cryptographic communication unit is configured to perform cryptographic communication with an external device via a first network. The first communicating unit is configured to perform communication with a key generating device via a second network, the key generating device being configured to generate a cryptographic key to be used in the cryptographic communication. The control unit is configured to perform control to transmit an address registration request containing address information to the key generating device via the first communicating unit when a predetermined specific request is issued from among requests used in the cryptographic communication.
    Type: Grant
    Filed: September 5, 2013
    Date of Patent: July 14, 2015
    Assignee: Kabushiki Kaisha Toshiba
    Inventors: Yoshimichi Tanizawa, Hideaki Sato, Shinichi Kawamura
  • Patent number: 9071429
    Abstract: Customers accessing resources and/or data in a multi-tenant environment can obtain assurance that a provider of that environment will honor only requests associated with the customer. A multi-tenant cryptographic service can be used to manage cryptographic key material and/or other security resources in the multi-tenant environment. The cryptographic service can provide a mechanism in which the service can receive requests to use the cryptographic key material to access encrypted customer data, export key material out of the cryptographic service, destroy key material managed by the cryptographic service, among others. Such an approach can enable a customer to manage key material without exposing the key material outside a secure environment.
    Type: Grant
    Filed: April 29, 2013
    Date of Patent: June 30, 2015
    Assignee: Amazon Technologies, Inc.
    Inventors: Gregory Branchek Roth, Matthew James Wren, Eric Jason Brandwine
  • Patent number: 9065640
    Abstract: A method and apparatus for generating a non-interactive key, and a method for communication security using the same. An event is detected, and keys are generated based on the detected event. Keys are thus generated with a small number of calculating operations and a simple interface, so a user may easily generate the keys and the performance of an apparatus using the keys is improved. In addition, the keys are generated without wireless interaction between nodes, thereby improving communication security.
    Type: Grant
    Filed: November 4, 2010
    Date of Patent: June 23, 2015
    Assignee: SAMSUNG SDS CO., LTD.
    Inventors: Hyo Jin Yoon, Jin Young Kim, Won Il Lee, Jin Yeop Chang, Chung Hyeok Lee