Abstract: A method and system are adapted to provide telephony services to aggregate endpoints on an Internet Protocol Multimedia Subsystem (IMS) network. The method includes assigning one or multiple PUIDs for surrogate registration purposes during the provisioning of the aggregate endpoint, performing reliable surrogate registration on behalf of the aggregate endpoint, allowing multiple SBCs to perform surrogate registrations independently for the same aggregate endpoint to achieve reliability, and providing reliable connection from an IMS core to the aggregate endpoints via multiple S/BCs. The system includes one or more Session Border Controllers (S/BC), at least one set of Call/Session Control Functions (CSCF), and an HSS operatively coupled together.

Abstract: A user device generates a social graph-based user certificate that conveys a trust level to other users of the social network. A user certificate for a user is obtained, the user having a user public key and corresponding user private key. A plurality of potential signers is identified within one or more social networks. The certificate is then sent to the identified plurality of potential signers. One or more signed versions of the user certificate may be received from at least some of the plurality of potential signers. The user device may assign a signer weight to each signed version of the user certificate, each corresponding signer weight associated with the signer of each signed version of the certificate. The user certificate, the user signature, one or more signed versions of the user certificate, and the user-assigned signer weights are distributed to one or more recipients.

Abstract: Distribution of a certificate and a private key via a network includes a certificate/private key storage unit by which a certificate and a private key prepared for distribution to one or more devices are stored; a security level storage unit by which a security level for each device belonging to a device group is stored; and a display/instruction unit by which a selection screen prompting a user to select one or more devices from the device group is displayed. An instruction for the selection made by the user is received; and a certificate/private key distribution unit by which, via the network, the certificate and the private key for each device are distributed to the one or multiple devices for which the instruction for selection was made. For each device, the selection screen displays the device security level.

Abstract: A method for providing a data binding abstraction. The method includes serving an interactive document via a digital data communications network using a server. The method includes generating, with intelligence in the document, a data binding request to resolve a data value placeholder that has no static data location or source reference. With a data binding web service, the method includes generating a data dictionary request that includes a placeholder identifier. The method includes using the data binding web service to process a data dictionary response which includes placeholder content for the placeholder to determine a source of the data value. The method includes the data binding web service accessing the determined data source to obtain the data value and providing the interactive document with a response including the placeholder identifier and the resolved placeholder data value. The interactive document then replaces the placeholders with the returned data value.

Abstract: According to one embodiment, an apparatus may store a first and second subject token that indicate a first authentication method performed by the user and a second authentication method performed by the user respectively. The apparatus may detect at least one new subject token indicating at least one different authentication method performed by the user. The apparatus may then determine that a particular combination of subject tokens in the first subject token, second subject token, and the at least one new subject token indicates a privilege should be granted to the user, and facilitate the granting of the privilege to the user.

Abstract: Implementations of the present disclosure include methods, systems, and computer-readable storage mediums for receiving, from a computing device used by an authenticated user, a validation request, the validation request including a first hash value and a first validation token, the first hash value being generated based on restricted content of a workflow object and the first validation token being associated with a first state of the workflow object, and determining that the authenticated user is authorized to request validation of the workflow object and, in response: decrypting the validation token to provide a second hash value, and determining that the second hash value is equal to both the first hash value and a third hash value and, in response, transmitting a validation response to the computing device, the validation response indicating that the workflow object is valid.

Abstract: Managing validity status of at least one associated credential includes providing a credential manager that selectively validates associated credentials for at least one device, the device invalidating a corresponding associated credential, and the device requesting that the credential manager validate the corresponding associated credential after invalidating the associated credential. The associated credential may be invalidated based on an external event, such as a user invalidating the associated credential from a UI of the device, a user improperly entering a pin value, a user indicating that a corresponding device is lost, the device entering sleep mode, the device locking a user interface thereof, the device shutting down, and a particular time of day. The at least one associated credential may be provided on an integrated circuit card (ICC) that may be part of a mobile phone and/or a smart card.

Abstract: Embodiments of the systems and methods described herein facilitate the transmitting, receiving, and processing of encoded messages wherein the header fields in the message header are protected. In one embodiment, the contents of the header fields to be protected are inserted into the message body as one or more additional lines of text, for example, prior to encoding and transmitting the message to a message recipient. Upon receipt of the message, the message recipient processes the encoded message such that the contents of the protected header fields can be extracted from the message body. Accordingly, by inserting the contents of the header fields to be protected into the message body, the header fields may be protected using existing standards and protocols for facilitating secure message communication.

Abstract: According to an embodiment, an information processing device includes an event processor and a first determining unit. The event processor includes an event detecting unit. The event detecting unit is configured to detect an event and suspend execution of the event. The first determining unit registering unit is configured to register the first determining unit when stored first identification information and identification information of the first determining unit match with each other. The first determining unit includes a second determining unit. The second determining unit registering unit is configured to register a second application as a second determining unit when the verification of a signature of the second application is successful. The event detecting unit cancels suspending of the event and executes the event when the result of determination indicates permission of the execution.

Abstract: Disclosed are various embodiments for centrally managed use case-specific entity identifiers. An identifier translation service receives an identifier translation request from a requesting service. The request specifies a first use case-specific entity identifier, which is specific to a first use case. An actual entity identifier is obtained by decrypting the first use case-specific entity identifier. A second use case-specific entity identifier is generated based at least in part on encrypting the actual entity identifier. The second use case-specific entity identifier is sent to the requesting service in response to the identifier translation request.

Abstract: A system and method for updating a system that controls files executed on a workstation. The workstation includes a workstation management module configured to detect the launch of an application. A workstation application server receives data associated with the application from the workstation. This data can include a hash value. The application server module can determine one or more categories to associate with the application by referencing an application inventory database or requesting the category from an application database factory. The application database factory can receive applications from multiple application server modules. The application database factory determines whether the application was previously categorized by the application database factory and provides the category to the application server module. Once the application server module has the category, it forwards a hash/policy table to the workstation management module.

Abstract: The disclosed computer-implemented method for discovering website certificate information may include (1) receiving, from a plurality of computing devices within a community of users, information that identifies the certificate statuses of websites visited by the computing devices, (2) identifying, by analyzing the information, at least one issue with the certificate status of at least one website visited by at least one of the computing devices, and (3) performing at least one remedial action in an attempt to correct the issue with the certificate status of the website. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: Systems and methods for provisioning and managing of certificates in a network are described. In one implementation, a signing certificate is generated by a network device based on a root certificate of the network device. Based on the signing certificate of the network device, a client-device certificate is signed for a client device. The signed client-device certificate is provided to the client device for allowing the client device to access a secure service provided by the network device.

Abstract: The present disclosure is generally related to embedding public key infrastructure information to a system-on-chip (SOC). The method includes generating a key pair including a public key and a private key. The method includes creating a digital certificate corresponding to the public key. The method includes signing the digital certificate with a unique signature. The method includes extracting the public key and the unique signature into a key file, wherein the key file is to be stored in a plurality of silicon fuses on the SOC.

Abstract: A service request apparatus includes a storage unit and a processor coupled to the storage unit, wherein the processor executes a process including: storing in the storage unit source session information and destination session information in association with a user identifier, the source session information indicating information on a session used by a service source that is requested by the user for provision of a service, and the destination session information indicating information on a session used by a service destination; determining whether the user identifier of the user who requests the service source for provision of the service is stored in the storage unit; and requesting, when the user identifier is stored, the service source for provision of the service in cooperation with the service destination connected using the destination session information associated with the source session information, the service source being connected using the source session information.

Abstract: A method and system for generating and processing an authenticity certificate. A request for a step certificate is received from a requester entity. The step certificate authenticates an involvement of the requester entity about an object. The request includes an object identifier, a requester entity type of the requester entity, and a requester identity certificate of the requester entity. The object identifier is hashed. A signature is created and includes the hashed object identifier, the requester entity type, a certifier identity certificate, and the requester identity certificate. A hashing result is generated by hashing a concatenation of the object identifier, the requester entity type, the certifier entity certificate, the requester identity certificate, and the signature. The step certificate is generated and includes the hashing result. The step certificate is encrypted. The encrypted step certificate is sent to the requester entity for subsequently storing the step certificate on a media.

Abstract: The invention relates to a system and a method for authenticating a user. A removable storage medium (12) has at least one storage area in which identification data for identifying the removable storage medium (12) are stored, in this storage area or in a further storage area of the removable storage medium (12) data of a digital certificate (14) being stored. Further, a data processing system (18) is provided to which the removable storage medium (12) is connected via a data transfer connection. The identification data and the data of the digital certificate (14) are transferred from the removable storage medium to the data processing system (18). The data processing system (18) processes the identification data and the data of the digital certificate (14) and authenticates the user.

Abstract: A computer-implemented method for authenticating devices may include (1) identifying a request from a device for a credentialing service to issue a credential to the device, the request including an application identifier encrypted with a first encryption key, the first encryption key having been derived by the device based on a token provisioned to the device by a vendor of the device, (2) transmitting the request to the credentialing service, (3) receiving, from the credentialing service, the credential encrypted using a second encryption key, the second encryption key having been derived by the device based on the token, and (4) providing the encrypted credential to the device. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A method for provisioning digital certificates in a compute service environment may include authorizing a customer entity for using and/or controlling a network resource in the compute service environment. Upon completing the authorization, a digital certificate may be issued to the customer entity. The digital certificate may be associated with the network resource and may be issued for a limited duration period. The use and/or control of the network resource by the customer entity may be monitored. Reissuance of the digital certificate may be conditioned on whether the customer entity is still using and/or controlling the network resource in the compute service environment. If the customer entity is still using and/or controlling the network resource in the multi-tenant environment, the digital certificate may be automatically reissued for another limited duration period. The automatically reissuing may take place without receiving a certificate reissue request from the customer entity.

Abstract: Authorization data is sent to radio stations so that the radio stations are temporarily authorized, by way of the authorization data, to communicate using radio access technology. Messages can be transmitted between a first radio station and a second radio station via a path that runs via one or more additional radio stations. The authorization data is sent such that, while a message is transmitted via the path using radio access technology, at any point in time a subset of adjacent radio stations on the path are authorized to communicate using radio access technology.

Abstract: Techniques are disclosed for evenly distributing certificate status validity messages across multiple response servers. A certificate authority (CA) may partition subsets of online certificate status protocol (OCSP) responses to each be handled by OCSP response servers. The partitions are based on serial numbers of the underlying digital certificates of the OCSP responses. For example, to determine which OCSP response server is assigned to distribute a particular OCSP response, a modulo operation may be performed between the last octet value of the underlying certificate serial number and the total number of available OCSP response servers of the CA. The result yields a partition number that may be used to identify the corresponding OCSP response server.

Abstract: A system, methods and devices for the secure notification of an identity in a communications network. The methods include sending or receiving a communication including a hash of a certificate of a device to notify or detect the presence of the device in a network. Each certificate is associated with an identity which is excluded from the communication of the hash of the certificate. The received hash is compared to hashes of certificates stored in an electronic device to determine an identity. The identity may represent an electronic device or a user of the electronic device.

Abstract: Plural modes of operation may be established on a mobile device. Specific modes of operation of the mobile device may be associated with specific spaces in memory. By associating the existing certificate store structure and key store structure with a mode of operation, certificates and keys can be assigned to one space among plural spaces. Furthermore, management (viewing/importation/deletion) of certificates associated with specific modes of operation may be controlled based on the presence or absence of a mobile device administration server and the status (enabled/disabled) of an IT policy.

Abstract: Methods and systems integrating sensitive or private data with cloud computing resources while mitigating security, privacy and confidentiality risks associated with cloud computing. In one embodiment, a computer network system includes a firewall separating a public portion of the computer network from an on-premises portion of the computer network, a database storing private data behind the firewall, and a user device connected with the computer network. The user device accesses an application hosted in the public portion of the computer network. In response, the application generates return information. The user device receives the return information and generates a request for private data based on at least a portion of the returned information. The request is transmitted to the database which generates a response including the requested private data. The response is transmitted in an encrypted form from the database via the computer network to the user device.

Abstract: A display apparatus including an image processor which processes a video signal is provided. The display apparatus includes; a display which displays an image based on a processed video signal; a receiver which receives a key signal input by a user; a storage which stores a password key; and a controller which receives a user's first key signal which comprises an arrow key signal when a password is set up for the display apparatus, sets up and stores the password key which corresponds to the received first key signal, receives a user's second key signal when access is attempted, and allows the access in response to the received second key signal and the stored password key matching each other through a comparison.

Abstract: Within a secure messaging environment, a determination is made that a request to send a message has been generated by a user. A message protection policy configured to process the message within the secure messaging environment is identified. The message protection policy specifies that, within the secure messaging environment, a secured digital certificate, other than a user-assigned digital certificate of the user, is configured with an associated private key to digitally sign the message on behalf of the user. Based upon the message protection policy, a determination is made to digitally sign the message using the private key of the secured digital certificate. The message is signed on behalf of the user using the private key of the secured digital certificate.

Abstract: A method to distribute policies may include transmitting one of an identification (ID) assigned to a policy template or the policy template associated with each policy to an enforcement point or selected enforcement points for enforcement. The method may also include transmitting one set of parameters to be used in each policy template to the enforcement point.

Abstract: Security language constructs may be translated into logic language constructs and vice versa. Logic resolution may be effected using, for example, the logic language constructs. In an example implementation, translation of a security language assertion into at least one logic language rule is described. In another example implementation, translation of a proof graph reflecting a logic language into a proof graph reflecting a security language is described. In yet another example implementation, evaluation of a logic language program using a deterministic algorithm is described.

Abstract: Systems and methods are presented for distributed validation of a digitally signed electronic document. A computing device accesses both a representation of the electronic document and a digital signature for the electronic document that includes a digest generated by the digital signature's creator by applying a one-way function to the electronic document. The computing device applies the same one-way function to the accessed representation of the electronic document to generate a new digest, and includes both the digital signature and the new digest in a request sent to a separate validation server. The request does not include the electronic document. The validation server generates validation results that depend on comparing the digest from the digital signature with the new digest, and that do not depend on having the electronic document available to the validation server. The computing device receives the validation results from the separate validation server.

Abstract: Within a secure messaging environment, a determination is made that a request to send a message has been generated by a user. A message protection policy configured to process the message within the secure messaging environment is identified. The message protection policy specifies that, within the secure messaging environment, a secured digital certificate, other than a user-assigned digital certificate of the user, is configured with an associated private key to digitally sign the message on behalf of the user. Based upon the message protection policy, a determination is made to digitally sign the message using the private key of the secured digital certificate. The message is signed on behalf of the user using the private key of the secured digital certificate.

Abstract: The disclosed computer-implemented method for managing security certificates through email may include (1) receiving an encrypted email that contains both identifying information that identifies a security certificate for authenticating a website and a management command relating to the security certificate, (2) determining whether authentication of the encrypted email succeeded such that the management command is authorized, and (3) when a determination is made that authentication of the encrypted email succeeded, identifying the security certificate using the identifying information and executing the management command with respect to the identified security certificate. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: Disclosed herein are methods and systems for automated activation and configuration of broadband LTE IANs. A mobile IAN base station, an activated mode and a dormant mode, determines at least one location in a local region of the mobile IAN base station while in the dormant mode. An activation-permission request is submitted to a geo-location-database (GDB) function, and the mobile IAN base station receives an activation-permission response. The response is based on an expected level of wide-area-network (WAN) coverage associated with the determined location. Responsive to receiving an activation-permission grant, the mobile IAN base station transitions to the activated mode. Responsive to not receiving an activation-permission grant, the mobile IAN base station remains in the dormant mode.

Abstract: Systems and methods providing a key management platform that generates and distributes demand-based encryption and decryption keys are described.

Abstract: In one embodiment, a Manufacturer Installed Certificate (MIC) and a personal identification number are sent to a call controller to request a configuration profile. When the configuration file is received, the IP phone is provisioned according to the configuration profile.

Abstract: A roaming company makes payments to an aggregator of independent WLAN operators in exchange for providing Internet access services to subscribers of the roaming company. Independent WLAN operator accounts are maintained at the aggregation company.

Abstract: An apparatus for managing software versions may include a processor. The processor may be configured to determine whether a security identifier of a first security certificate matches a trusted security identifier. In this regard, the first security certificate may include software version criteria. The processor may also be configured to determine whether a software version of a software application satisfies software version criteria of the first security certificate. The processor may be configured to make this determination in response to determining that the security identifier of the first certificate matches the trusted security identifier. Further, the processor may also be configured to permit execution of the software application, in response to determining that the software version satisfies the software version criteria. Associated methods and computer program products may also be provided.

Abstract: A computing device is disclosed for securely sharing restricted content. The computing device includes a memory storing computer readable instructions, and one or more processors configured to execute the computer readable instructions. The computer readable instructions configure the one or more processors to, collectively, receive a share request to share the restricted content; in response to the share request, encode a link with encrypted access information, the access information including a first password and identifying the restricted content; receive an access request for access to the restricted content from a client device executing the link, the access request including the encrypted access information; receive a second password from the client device in association with the access request; and grant the client device access to the restricted content in response to determining the first password matches the second password. A method and a computer readable medium are also disclosed.

Abstract: A method and apparatus for an system and process for sharing a secret over an unsecured channel in conjunction with an authentication system. A client computes a message authentication code based on a hashed password value and a first random string received from the server. The client sends a response to the server that includes authentication data including a second random string. Both the client and server concatenate the first random string, second random string and username. Theses values are processed to generate as a shared master secret to further generate shared secrets or keys to establish a secured communication channel between the client and server. The secured communication can be based on stateless messaging where the decryption key associated with the message is identified by the message authentication code, which is placed within the message.

Abstract: A method for creating customer-specific tools for generating certificate signing requests may include (1) identifying a request from a customer for a tool for generating a certificate signing request for a digital certificate, (2) creating, in response to the request, a customer-specific version of the tool that is unique to the customer by injecting information into the customer-specific version of the tool that (a) uniquely identifies the customer and (b) identifies a desired encryption algorithm for the digital certificate and/or a desired certificate authority for the digital certificate, (3) configuring the customer-specific version of the tool to generate the certificate signing request using the injected information, and (4) providing the customer-specific version of the tool to the customer to enable the customer to generate, using the customer-specific version of the tool, the certificate signing request without having to manually provide the injected information.

Abstract: Described herein are techniques and apparatuses for scanning a computing device for malware and/or viruses. In various embodiments, a trusted operating environment, which may include a trusted operating system and/or a trusted antivirus tool, may be utilized with respect to a computing device. More particularly, the trusted operating system may be used to boot the computing device. Moreover, the trusted antivirus tool may search the computing device for malware definition updates (e.g., virus signature updates) and use the trusted operating system to scan the computing device for malware. In other embodiments, the trusted antivirus tool may scan the computing device and remove any viruses detected by the trusted antivirus tool. The trusted operating system may then reboot the computing device into a clean environment once any detected viruses are removed.

Abstract: The present invention relates to methods and apparatus that enable device management to be performed via broadcast/multicast transmission. A server may receive a request, for example, from a device owner, to update settings in deployed devices. The deployed devices may be identified by at least one group ID. The server may initiate broadcast/multicast transmission to the identified devices by transmitting a settings update message to a communication server. The communication server may then transmit the settings update message to the identified devices via broadcast/multicast transmission.

Abstract: A method and apparatus for verifying data for use on an aircraft. A plurality of digital certificates associated with the data is received by a processor unit. The processor unit verifies the data for use on the aircraft using a selected number of the plurality of digital certificates.

Abstract: Exposure of sensitive information to users is controlled using a first security token containing user identity and user credentials to represent the user who requests services, and a second security token containing two other identities, one identifying the token issuer and the other identifying the owning process. When requesting services, the token-owning process sends a security token to indicate who is making the request, and uses its key to digitally sign the request. The token-owning process signs the request to indicate that it endorses the request.

Abstract: A certificate grant list is provided. The certificate grant list may be stored in a memory, at the network device. The certificate grant list may store information associated with a client-device certificate, where the client-device certificate permits the client-device access to a secure service.

Abstract: A method is provided in one example embodiment and includes storing secure boot variables in a baseboard management controller; and sending the secure boot variables to a basic input/output system (BIOS) during a power on self-test, where the BIOS utilizes the secure boot variables during runtime to authenticate drivers and an operating system loader execution. In particular embodiments, the secure boot variables may be included in a white list, a black list, or a key list and, further, stored in erasable programmable read only memory.

Abstract: A system can comprise a memory to store computer readable instructions and a processing unit to access the memory and to execute the computer readable instructions. The computer readable instructions can comprise a certificate manager configured to request generation of N number of random values, where N is an integer greater than or equal to one. The certificate manager can also be configured to request a digital certificate from at least one certificate authority of at least two different certificate authorities. The request can include a given one of the N number of random values. The certificate manager can also be configured to generate a private key of a public-private key pair, wherein the private key is generated based on a private key of each of the least two certificate authorities.

Abstract: A network access system, e.g. a network hotspot, requires a mobile network access device, e.g. a smart phone or WiFi only device, to provide a network access standard designation and/or a device identification datum to gain access to network services. The network access standard designation may be provided by the mobile network access device to an online signup server via a EKU_key_purpose field of a PKCS10 certificate signing request. The device identification datum may be provided to the OSU via a subject field of the signing request. The OSU may require that the device identification datum be the same as a device identification datum provided by the mobile network access device prior to the mobile network access device requesting a signed network access certificate.

Abstract: A system and method for notification management includes collecting information for a number of objects within a management tool for security assets. The display of the information is displayed on a window of a graphical user interface of the management tool. In response to user interaction with the graphical user interface, a notification tool window of a notification tool is displayed. The notification tool window is layered over at least a portion of the window of the graphical user interface. In response to user interaction with the notification tool window, notification instructions are created for at least one of the number of objects based on a portion of the information of the window of the graphical user interface. The notification instructions are operable to cause the notification tool to communicate at least one notification communication to at least one recipient concerning at least one object.

Abstract: Embodiments of the present invention address deficiencies of the art in respect to deep tagging of media content and provide a method, system and computer program product for coordinating deep tagging of media content with chat postings. In an embodiment of the invention, a method for coordinating deep tagging of media content with chat postings can be provided. The method can include monitoring a group chat of participants co-browsing media content, identifying a token in the group chat appearing a threshold number of times within a temporal window, and creating a deep tag in the media content in association with a portion of the media content played back concurrently with the temporal window.

Abstract: Embodiments of the present application relate to a method of controlling user risk, a system for controlling user risk, and a computer program product for controlling user risk. A method is provided. The method includes retrieving association data of a first user and association data of a second user, the association data including multidimensional data, and data relating to each dimension identifying a user and serving as an association dimension, based on the association data, computing an association value between the first user and the second user for an association dimension, gathering the association value to obtain a degree of real association, and determining that the other user is malicious.