Packet Header Designating Cryptographically Protected Data Patents (Class 713/160)
  • Patent number: 10601809
    Abstract: Provided is a system and method for providing a certificate by way of a Browser Extension. More specifically, provided is a Server System having at least one processor adapted to provide web pages to Browsers of user devices, the Server System further adapted to include at least one pattern and at least one identifier in at least one web page provided to a user device, the Server System further structured and arranged to receive from a Browser extension upon a user's device that has recognized the pattern and extracted the identifier a certificate request (CSR) and the extracted identifier, and upon verification of the identifier and the CSR, generating a certificate based at least in part on the CSR and returning the certificate to the Browser extension for installation upon the user device. An associated method is also provided.
    Type: Grant
    Filed: August 12, 2015
    Date of Patent: March 24, 2020
    Assignee: ARRIS Enterprises LLC
    Inventor: Kevin Lee Koster
  • Patent number: 10554622
    Abstract: A system is provided to deliver an application, hosted by a private application provider system, over a network to a user device, comprising: an application delivery system that includes a first network interface, a network security interface and a second network interface; wherein the network security interface is configured to determine whether a user or device request for access to an application is valid, and in response to determining that the user or device request for access to the first application is valid, to send the user or device request to the application agent.
    Type: Grant
    Filed: January 28, 2019
    Date of Patent: February 4, 2020
    Assignee: Akamai Technologies, Inc.
    Inventors: Haseeb Siddique Budhani, Seetharama Sarma Ayyadevara, Hanumantharao Kavuluru
  • Patent number: 10545884
    Abstract: Data security access and management may require a server dedicated to monitoring document access requests and enforcing rules and policies to limit access to those who are not specifically identified as having access to the data. One example of operation may include selecting data to access via a user device, identifying a user profile associated with the user device, retrieving at least one user policy associated with the user profile, determining whether the user policy permits the user device to access the data, matching the user policy to a data policy associated with the data, receiving an encryption key at the user device, applying the encryption key to the data, and unwrapping the data from a wrapped data format to access the data.
    Type: Grant
    Filed: October 2, 2018
    Date of Patent: January 28, 2020
    Assignee: VERA
    Inventors: Prakash Linga, Ajay Arora, Vladimir Buzuev, Maurice C. Evans, Justin Sisley
  • Patent number: 10531382
    Abstract: A wireless device having processor circuitry; and a hardware circuit configured to implement, during an active steady-state of a Medium Access Control/Link Layer (MAC/LL) with scheduled channel access, a MAC/LL function without processor circuitry intervention, wherein the steady-state is a state that is control packet transmission free for managed connections in connection oriented communications or a continuous broadcast or scan operation in connectionless communications.
    Type: Grant
    Filed: June 20, 2017
    Date of Patent: January 7, 2020
    Assignee: Intel Corporation
    Inventors: David Arditti Ilitzky, Jorge Hermosillo, Jorge Carballido Gamio, Arturo Veloz, Venkatesh Rajendran, Jorge Romero Aragon, Carlos A. Flores Fajardo, Rodrigo Varela Leos, Bernard Deadman
  • Patent number: 10523648
    Abstract: A user authentication technique that allows a user to access a protected resource such as an account on a web site or secure files on a computing device such as a smartphone, personal computer, tablet computer, and the like, employs a shared secret that employs a state machine to sequentially transition between a series of states during which the user is requested to enter predefined information that is also a part of the shared secret. That is, the shared secret includes user-specific data that must be provided and the particular sequence or manner in which the user-specific data or credentials are to be provided. The authentication technique may supplement the use of conventional one or two factor authentication techniques requiring, e.g., a password or both a username and password, which are commonly used to gain access to a resource.
    Type: Grant
    Filed: April 3, 2017
    Date of Patent: December 31, 2019
    Assignee: Microsoft Technology Licensing, LLC
    Inventor: David Michael Callaghan
  • Patent number: 10516998
    Abstract: In some examples, a method includes assigning, with an Access Point (AP) in a wireless network, a value for an Authentication Control Threshold (ACT) field in an advertisement packet that allows devices having a predetermined access control role to immediately attempt to associate with the AP. The method can further include transmitting, with the AP, the advertisement packet including the value for the ACT field for devices having the predetermined access control role.
    Type: Grant
    Filed: March 15, 2017
    Date of Patent: December 24, 2019
    Assignee: Hewlett Packard Enterprise Development LP
    Inventor: Akram Sheriff Ismail
  • Patent number: 10505921
    Abstract: Aspects of the subject disclosure may include, for example, a method comprising transmitting, by a controller comprising a processor, a request to a server to enable initiation of a virtual private network session on behalf of devices other than the controller. The controller transmits authentication information to enable the server to validate the request, and receives a first list of computing devices. The controller transmits a first selection of a target device from the first list to cause the server to initiate the virtual private network session between the target device and a service node providing services to the target device via the virtual private network session. The controller receives a second list of applications executable on each of the computing devices, and transmits to the server a second selection of an application from the second list that is executable by the target device. Other embodiments are disclosed.
    Type: Grant
    Filed: February 12, 2019
    Date of Patent: December 10, 2019
    Assignee: AT&T Intellectual Property I, L.P.
    Inventor: Luis Francisco Albisu
  • Patent number: 10489599
    Abstract: A centralized framework for managing the data encryption of resources is disclosed. A data encryption service is disclosed that provides various services related to the management of the data encryption of resources. The services may include managing application policies, cryptographic policies, and encryption objects related to applications. The encryption objects may include encryption keys and certificates used to secure the resources. In an embodiment, the data encryption service may be included or implemented in a cloud computing environment and may provide a centralized framework for effectively managing the data encryption requirements of various applications hosted or provided by different customer systems. The disclosed data encryption service may provide monitoring and alert services related to encryption objects managed by the data encryption service and transmit the alerts related to the encryption objects via various communication channels.
    Type: Grant
    Filed: June 29, 2016
    Date of Patent: November 26, 2019
    Assignee: ORACLE INTERNATIONAL CORPORATION
    Inventors: Amit Agarwal, Srikant Krishnapuram Tirumalai, Krishnakumar Sriramadhesikan
  • Patent number: 10484402
    Abstract: A computer implemented method to identify one or more parameters of a configuration of a target virtual machine (VM) in a virtualized computing environment used in a security attack against the target VM, the security attack exhibiting a particular attack characteristic, is disclosed.
    Type: Grant
    Filed: August 15, 2017
    Date of Patent: November 19, 2019
    Assignee: BRITISH TELECOMMUNICATIONS PUBLIC LIMITED COMPANY
    Inventors: Fadi El-Moussa, Ian Herwono
  • Patent number: 10482245
    Abstract: A computer implemented method to determine a configuration of a target virtual machine (VM) in a virtualized computing environment to protect against a security attack exhibiting a particular attack characteristic.
    Type: Grant
    Filed: August 15, 2017
    Date of Patent: November 19, 2019
    Assignee: BRITISH TELECOMMUNICATIONS PUBLIC LIMITED COMPANY
    Inventors: Fadi El-Moussa, Ian Herwono
  • Patent number: 10454678
    Abstract: A computing device includes an interface configured to interface and communicate with a dispersed storage network (DSN), a memory that stores operational instructions, and processing circuitry operably coupled to the interface and to the memory. The processing circuitry is configured to execute the operational instructions to perform various operations and functions. The computing device receives (e.g., via the DSN and from a first other computing device) a storage request that is based on data object. The computing device extracts a remote address (associated with the first other computing device) from the storage request. The computing device processes the storage request to determine whether any principals are associated with the storage request, wherein the principals include DSN system entities.
    Type: Grant
    Filed: April 13, 2018
    Date of Patent: October 22, 2019
    Assignee: PURE STORAGE, INC.
    Inventors: Jason K. Resch, Wesley B. Leggette
  • Patent number: 10404468
    Abstract: Technologies for counter with CBC-MAC (CCM) mode encryption include a computing device that performs a CBC-MAC authentication operation on a message with an encryption key, using a 64-bit block cipher to generate a message authentication code. The computing device generates a first 64-bit authentication block including an 8-bit flag field and a length field of between 11 and 32 bits. The flag field indicates the length of the length field. Performing the CBC-MAC authentication operation includes formatting the message into one or more 64-bit authentication blocks. The computing device performs a counter mode encryption operation on the message with the encryption key using the 64-bit block cipher to generate a cipher text. Performing the counter mode encryption includes generating multiple 64-bit keystream blocks. The computing device generates an authentication tag based on the message authentication code and a first keystream block of keystream blocks. Other embodiments are described and claimed.
    Type: Grant
    Filed: November 15, 2016
    Date of Patent: September 3, 2019
    Assignee: Intel Corporation
    Inventors: Santosh Ghosh, Manoj R. Sastry, Jesse Walker, Li Zhao, Rafael Misoczki
  • Patent number: 10404670
    Abstract: A distributed computing environment utilizes a cryptography service. The cryptography service manages keys securely on behalf of one or more entities. The cryptography service is configured to receive and respond to requests to perform cryptographic operations, such as encryption and decryption. The requests may originate from entities using the distributed computing environment and/or subsystems of the distributed computing environment.
    Type: Grant
    Filed: January 19, 2017
    Date of Patent: September 3, 2019
    Assignee: Amazon Technologies, Inc.
    Inventors: Gregory Branchek Roth, Matthew James Wren, Eric Jason Brandwine, Brian Irl Pratt
  • Patent number: 10387665
    Abstract: Data security access and management may require a server dedicated to monitoring document access requests and enforcing rules and policies to limit access to those who are not specifically identified as having access to the data. One example of operation may include selecting data to access via a user device, applying at least one policy to the data that limits access to the data to user profiles assigned privileges to the policy, encrypting the data, generating metadata indicating the policy and pairing the metadata with the data, and storing the data and the metadata in a policy server.
    Type: Grant
    Filed: November 12, 2015
    Date of Patent: August 20, 2019
    Assignee: Vera
    Inventors: Prakash Linga, Ajay Arora, Vladimir Buzuev, Maurice C. Evans, Justin Sisley, Nicolas Vautier
  • Patent number: 10380353
    Abstract: Methods for enhancing the security of content in a records management system. A document is received to be stored as a record in the records management system. A unique combination of an encryption key and encryption parameters is selected for the document. The encryption key and encryption parameters are stored on a server that is different from a server upon which the document is to be stored in the records management system. The document is encrypted using the selected unique combination of encryption key and encryption parameters. The encrypted document is stored in the records management system.
    Type: Grant
    Filed: December 3, 2014
    Date of Patent: August 13, 2019
    Assignee: International Business Machines Corporation
    Inventors: Kenytt D. Avery, Jean-Marc Costecalde, David B. Harnick-Shapiro
  • Patent number: 10380352
    Abstract: Methods and apparatus, including computer program products, implementing and using techniques for enhancing the security of content in a records management system. A document is received to be stored as a record in the records management system. A unique combination of an encryption key and encryption parameters is selected for the document. The encryption key and encryption parameters are stored on a server that is different from a server upon which the document is to be stored in the records management system. The document is encrypted using the selected unique combination of encryption key and encryption parameters. The encrypted document is stored in the records management system.
    Type: Grant
    Filed: February 4, 2014
    Date of Patent: August 13, 2019
    Assignee: International Business Machines Corporation
    Inventors: Kenytt D. Avery, Jean-Marc Costecalde, David B. Harnick-Shapiro
  • Patent number: 10375036
    Abstract: Disclosed is a content management system comprising: a server; a content database, configured within the server, within which are stored one or more channels, each channel comprising one or more stories, each story comprising a title and one or more files; and one or more user devices connected to the network, each user device being associated with a user, each user device being configured to allow the associated user to view one or more stories from a channel to which the associated user has viewing rights. The title of each story and the names of the files contained in the story are stored obfuscated in the content database, and the files are stored encrypted in the content database.
    Type: Grant
    Filed: March 30, 2018
    Date of Patent: August 6, 2019
    Assignee: BigTinCan Holdings Limited
    Inventor: David Malcolm Keane
  • Patent number: 10356830
    Abstract: A method is provided in one example embodiment and may include sharing an access key from a control-plane serving gateway (SGW-C) to a plurality of user-plane serving gateways (SGW-Us); allocating a plurality of Fully Qualified Tunnel Endpoint Identifiers (FQTEIDs) associated with a user equipment (UE) session; generating an access token for the UE session based, at least in part, on the access key and the plurality of FQTEIDs; and appending the access token to user-plane packets for the UE session. The method can further include receiving a data packet for the UE session by a particular SGW-U, wherein the uplink packet is appended with the access token for the UE session; determining FQTEIDs associated with the UAT; and routing the uplink packet from the particular SGW-U based on the FQTEIDs.
    Type: Grant
    Filed: January 17, 2017
    Date of Patent: July 16, 2019
    Assignee: Cisco Technology, Inc.
    Inventors: Paras Mal Jain, Girish Sivasubramanian, Yogesh Devidas Patil
  • Patent number: 10348700
    Abstract: A method may include, based on a set of capabilities, requesting access to data, metadata or both protected by a composite wrapper comprising a first wrapper and a second wrapper. The wrappers are each defined by different mathematical transformations performed by a component separate from the computing device. Based on an access privilege for the data, the metadata or both determined from the set of capabilities, visibility may be granted through at least one of the first or second wrapper based on independent evaluations of the first and second wrappers relative to the access privilege.
    Type: Grant
    Filed: December 29, 2016
    Date of Patent: July 9, 2019
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Rahul V. Auradkar, Roy Peter D'Souza
  • Patent number: 10348693
    Abstract: A digital escrow pattern for data services can include selective access for obscured data at a remote site or in a cloud service, distributing trust across multiple entities to avoid a single point of data compromise. Based on the pattern, a “trustworthy envelope” for any kind of payload enables curtained access through a variety of decorations or seals placed on the envelope that allow for a gamut of trust ranging with guarantees such as, but not limited to, confidentiality, privacy, anonymity, tamper detection, integrity, etc. For instance, XML tags can be applied or augmented to create trust envelopes for structured XML data. Some examples of mathematical transformations or ‘decorations’ that can be applied to the XML data include, but are not limited to, size-preserving encryption, searchable-encryption, or Proof(s) of Application, blind fingerprints, Proof(s) of Retrievability, etc.
    Type: Grant
    Filed: July 8, 2010
    Date of Patent: July 9, 2019
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Rahul V. Auradkar, Roy Peter D'Souza, Darrell J. Cannon, Venkatesh Krishnan
  • Patent number: 10333970
    Abstract: A method and technique for protecting against denial of service attacks includes maintaining a window over a sequence number space that includes sequence numbers that are sequentially assigned to challenge messages where the window has a leading edge and a trailing edge. Responsive to receiving a request from a client, the leading edge of the window is advanced and a leading edge sequence number is selected as a challenge sequence number. A challenge message including the challenge sequence number is sent to a client. Responsive to receiving a response message from the client, it is verified that a challenge sequence number included with the response message is within the window and does not correspond to a marked sequence number within the window.
    Type: Grant
    Filed: November 6, 2018
    Date of Patent: June 25, 2019
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Clark Debs Jeffries, Mohammad Peyravian
  • Patent number: 10296364
    Abstract: An access data collector collects access assignment data characterizing active access assignment operations of a hypervisor in assigning host computing resources among virtual machines for use in execution of the virtual machines. Then, a capacity risk indicator calculator calculates a capacity risk indicator characterizing a capacity risk of the host computing resources with respect to meeting a prospective capacity demand of the virtual machines, based on the access assignment data.
    Type: Grant
    Filed: October 26, 2016
    Date of Patent: May 21, 2019
    Assignee: BMC Software, Inc.
    Inventors: Jeyashree Sivasubramanian, Sudheer Apte
  • Patent number: 10298601
    Abstract: A network address includes a predefined portion that identifies a hostname, where the predefined portion is less than all of the network address. A request is received for a secure session at the network address. The hostname is identified from the predefined portion of the network address and a secure session negotiation is made including returning a digital certificate for the identified hostname.
    Type: Grant
    Filed: February 27, 2017
    Date of Patent: May 21, 2019
    Assignee: CLOUDFLARE, INC.
    Inventor: John Graham-Cumming
  • Patent number: 10298386
    Abstract: An unencrypted media access control layer (MAC) protocol data unit (MPDU) having a header is received at a wireless network interface device. The header includes a sequence number. The wireless network interface device uses the sequence number to encrypt data in the unencrypted MPDU to generate an encrypted MPDU, and transmits the encrypted MPDU.
    Type: Grant
    Filed: July 5, 2016
    Date of Patent: May 21, 2019
    Assignee: Marvell International Ltd.
    Inventors: Paul A. Lambert, Yong Liu, Raja Banerjea, Harish Ramamurthy
  • Patent number: 10270809
    Abstract: A mechanism to facilitate a private network (VPN)-as-a-service, preferably within the context of an overlay IP routing mechanism implemented within an overlay network. A network-as-a-service customer operates endpoints that are desired to be connected to one another securely and privately using the overlay IP (OIP) routing mechanism. The overlay provides delivery of packets end-to-end between overlay network appliances positioned at the endpoints. During such delivery, the appliances are configured such that the data portion of each packet has a distinct encryption context from the encryption context of the TCP/IP portion of the packet. By establishing and maintaining these distinct encryption contexts, the overlay network can decrypt and access the TCP/IP flow. This enables the overlay network provider to apply one or more TCP optimizations. At the same time, the separate encryption contexts ensure the data portion of each packet is never available in the clear at any point during transport.
    Type: Grant
    Filed: December 2, 2014
    Date of Patent: April 23, 2019
    Assignee: Akamai Technologies, Inc.
    Inventors: Brandon O. Williams, Martin K. Lohner, Kevin Harmon, Jeffrey Bower
  • Patent number: 10255157
    Abstract: Aspects of the disclosure relate to providing type safe secure logging. A computing platform may receive application code comprising one or more calls to one or more logging methods. Subsequently, the computing platform may compile the application code comprising the one or more calls to the one or more logging methods to produce a compiled software application. During the compiling of the application code comprising the one or more calls to the one or more logging methods, the computing platform may enforce one or more type-based secure logging rules on the application code comprising the one or more calls to the one or more logging methods. Thereafter, the computing platform may store the compiled software application. In some embodiments, enforcing the one or more type-based secure logging rules may include allowing logging of one or more predetermined classes of objects.
    Type: Grant
    Filed: July 14, 2017
    Date of Patent: April 9, 2019
    Assignee: Citrix Systems, Inc.
    Inventors: Thomas M. Kludy, Thomas Hammond
  • Patent number: 10230702
    Abstract: An example method performed by one or more processing devices includes: generating encrypted content at a sender device using one or more first keys that are available from a key provider; and outputting the encrypted content to a recipient device over one or more channels; where the key provider enables access, following authorization, by the recipient device to one or more second keys for decrypting the encrypted content; and where an entity that enables the channel is unaffiliated with the key provider.
    Type: Grant
    Filed: August 15, 2016
    Date of Patent: March 12, 2019
    Assignee: BlueRISC, Inc.
    Inventor: Csaba Andras Moritz
  • Patent number: 10218516
    Abstract: The invention relates to a system and method of re-programming memory, and in particular, to wirelessly re-programming software, such as the application code, residing in memory of a trainable transceiver. The wireless re-programming of memory allows for software in the trainable transceiver to be updated or replaced from a remote location, where a direct or wired connection to the product is not otherwise available.
    Type: Grant
    Filed: November 13, 2017
    Date of Patent: February 26, 2019
    Assignee: GENTEX CORPORATION
    Inventors: Chris H. Vuyst, Todd R. Witkowski, Carl L. Shearer, Steven L. Geerlings, Thomas D. Klaver
  • Patent number: 10210338
    Abstract: In a compression processing storage system, using a pool of encryption processing cores, the encryption processing cores are assigned to process either encryption operations, decryption operations, and decryption and encryption operations, that are scheduled for processing. A maximum number of the encryption processing cores are set for processing only the decryption operations, thereby lowering a decryption latency. A minimal number of the encryption processing cores are allocated for processing the encryption operations, thereby increasing encryption latency. The encryption operations, the decryption operations, and the decryption and encryption operations are scheduled between the pool of the plurality of processing cores according to a thread weight value (TWV) that is assigned to each one of the plurality of processing cores having a difference in processing power.
    Type: Grant
    Filed: November 22, 2017
    Date of Patent: February 19, 2019
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Jonathan Amit, Amir Lidor, Sergey Marenkov, Rostislav Raikhman
  • Patent number: 10206138
    Abstract: Systems and methods are disclosed for assigning a quality of service to a data packet in a communications network by mapping a Wi-Fi access layer identifier such as an SSID to a value in a datagram header, and subsequently using the datagram header to assign an appropriate data bearer for the datagram, the data bearer having a quality of service class identifier appropriate for the type of traffic expected to be sent over the particular Wi-Fi access layer.
    Type: Grant
    Filed: June 20, 2016
    Date of Patent: February 12, 2019
    Assignee: Parallel Wireless, Inc.
    Inventors: Yang Cao, Sumit Garg, Anand Bhaskarwar, Steven Beaudette, Mohit Chugh
  • Patent number: 10193939
    Abstract: Managing Security Parameter Information (SPIs) to prevent race condition failures begins where a system negotiates SPIs along with associated expiration times, and re-negotiates new SPIs as necessary. The system prevents race conditions that would otherwise occur when both an old SPI and a new SPI are active at the same time. The system accomplishes this by managing the storage and deletion of old SPIs such that only active SPIs are stored on the system for use by a User Equipment (UE) or Proxy Call Session Control Function (P-CSCF).
    Type: Grant
    Filed: August 7, 2017
    Date of Patent: January 29, 2019
    Assignee: T-Mobile U.S.A., Inc.
    Inventors: Kalyan Kalepu, Shujaur Mufti
  • Patent number: 10187215
    Abstract: A system and methods are provided for establishing an authenticated and encrypted communication connection between two devices with at most two round-trip communications. During establishment of an initial authenticated, encrypted communication connection (or afterward), a first device (e.g., a server) provides the second device (e.g., a client) with a token (e.g., a challenge) that lives or persists beyond the current connection. After that connection is terminated and the second device initiates a new connection, it uses the token as part of the handshaking process to reduce the necessary round-trip communications to one.
    Type: Grant
    Filed: November 6, 2017
    Date of Patent: January 22, 2019
    Assignee: WhatsApp Inc.
    Inventors: Bryan D O'Connor, Eugene Fooksman
  • Patent number: 10162847
    Abstract: An apparatus, method, system, and computer-readable medium are provided for maintaining contact information associated with a contact. In some embodiments a request associated with a contact may be received. Contact information may be obtained from one or more external or internal sources. One or more confidence scores may be generated for the obtained contact information and for one or more values received with the request. Based on the confidence score(s), one or more values associated with the contact may be incorporated in one or more data stores. In some embodiments, suggestions for contact related information may be generated. Responses to the suggestions may be used to update the generated confidence score(s).
    Type: Grant
    Filed: June 13, 2014
    Date of Patent: December 25, 2018
    Assignee: Comcast Interactive Media, LLC
    Inventors: Peter Lester, Justin Miller, Hendrick Lee, Aseem Sharma, Galen Trevor Gattis, Amber Dixon, Huy Tuan Nguyen, Derek McGowan, John McCrea
  • Patent number: 10154014
    Abstract: One embodiment provides a system for efficiently and securely encrypting, transmitting, and decrypting video data, including selective encryption of image frames. During operation, the system obtains by a content-transmitting device, an image frame which is used to form a video stream. In response to determining that the image frame satisfies a predetermined condition for encryption, the system encrypts the image frame based on an encryption algorithm. The system encapsulates the encrypted image frame based on encapsulation information. The system includes encryption identification information for the image frame in the encapsulation information.
    Type: Grant
    Filed: August 18, 2016
    Date of Patent: December 11, 2018
    Assignee: Alibaba Group Holding Limited
    Inventors: Qi Zhang, Didi Yao
  • Patent number: 10091117
    Abstract: Techniques for code block (CB) segmentation and rate matching in wireless deployments that may use CB-level feedback may provide that a transport block group (TBG) may include one or more CBs from multiple transport blocks (TBs). Such TBGs may support retransmissions of one or more CBs from different TBs within a TBG transmission. In certain examples, a TBG size may be determined, and a retransmission size associated with any CBs to be retransmitted are determined. Based at least in part on the TBG size and retransmission size, it may be determined whether a new TB may be included in the TBG.
    Type: Grant
    Filed: June 14, 2016
    Date of Patent: October 2, 2018
    Assignee: QUALCOMM Incorporated
    Inventors: Jing Sun, Taesang Yoo
  • Patent number: 10078736
    Abstract: Disclosed are systems and methods for improving interactions with and between computers in content communicating, rendering, generating, hosting and/or providing systems supported by or configured with personal computing devices, servers and/or platforms. The systems interact to identify and retrieve data within or across platforms, which can be used to improve the quality of data used in processing interactions between or among processors in such systems. The disclosed systems and methods enable the seamless and adaptable implementation of digital rights management technology on a client device despite variations in the version, languages, programs executing on differing linked devices. The disclosed systems and methods enable the rendering of content via encryption and decryption of the content, which protects the digital media content on the client end.
    Type: Grant
    Filed: March 30, 2016
    Date of Patent: September 18, 2018
    Assignee: ALIBABA GROUP HOLDING LIMITED
    Inventor: Yusong Wei
  • Patent number: 10075434
    Abstract: Generally, this disclosure describes a method and system for authenticating to a network via a device-specific one-time password. A method in an embodiment may include generating a first one-time password (OTP) based at least in part on a plurality of client device attributes; and providing the first OTP to an authenticator associated with a private network during a first session, wherein the authenticator is configured to authenticate the client device to at least one of the private network and protected content included in the private network for a second session following the first session based on the provided first OTP.
    Type: Grant
    Filed: June 21, 2016
    Date of Patent: September 11, 2018
    Assignee: Intel Corporation
    Inventors: Jim S. Baca, Tobias M. Kohlenberg, Hong Li, David Stanasolovich, Mark H. Price, Steven J. Birkel, Kenneth W. Reese, Ronald Tafoya
  • Patent number: 10075416
    Abstract: In general, techniques for sharing of network session data are described. The techniques may enable security devices to leverage application classification information in a federated manner. An example security device includes a memory and one or more processors. The processor(s) are configured to receive data representative of an application classification for a first packet flow from a second security device, to receive data of a second packet flow, and, when the second packet flow corresponds to the first packet flow, to monitor the data of the second packet flow based on the application classification for the first packet flow without determining an application classification for the second packet flow.
    Type: Grant
    Filed: December 30, 2015
    Date of Patent: September 11, 2018
    Assignee: Juniper Networks, Inc.
    Inventors: Nagendra Singh Yadav, Anil Kumar Reddy Sirigiri
  • Patent number: 10044809
    Abstract: Provided is a wireless communication device for packet communication. When power is applied, in a case where a packet data is received before receiving a message notifying that packet communication starts, the other party is urged to transmit a message saying that the packet communication starts and a packet number is initialized in accordance with transmission and reception of the message that the packet communication starts.
    Type: Grant
    Filed: November 3, 2015
    Date of Patent: August 7, 2018
    Assignee: PANASONIC INTELLECTUAL PROPERTY MANAGEMENT CO., LTD.
    Inventor: Toshiyuki Sugitani
  • Patent number: 10044713
    Abstract: Identity management, user authentication, and/or user access to services on a network may be provided in a secure and/or trustworthy manner, as described herein. For example, trustworthy claims may be used to indicate security and/or trustworthiness of a user or user device on a network. Security and/or trustworthiness of a user or a user device on a network may also be established using OpenID and/or local OpenID, a secure channel between a service and the user device, and/or by including a network layer authentication challenge in an application layer authentication challenge on the user device for example.
    Type: Grant
    Filed: August 20, 2012
    Date of Patent: August 7, 2018
    Assignee: InterDigital Patent Holdings, Inc.
    Inventors: Andreas Leicher, Andreas Schmidt, Yogendra Shah
  • Patent number: 10015542
    Abstract: A method and system are provided for securely storing and retrieving live off-disk media programs. Events delineate media segments, each of which are encrypted with a different key so as to be streamable to a remote device via digital living network alliance (DLNA) or HTTP live streaming protocols. Media segments and identifiers for managing the storage and retrieval of such media segments are compatible with live streaming data structures, obviating the need to re-encrypt data streams.
    Type: Grant
    Filed: March 14, 2014
    Date of Patent: July 3, 2018
    Assignee: ARRIS Enterprises LLC
    Inventors: Rafie Shamsaasef, William P Franks, Geetha Mangalore, Paul Moroney
  • Patent number: 9992202
    Abstract: Certain aspects and features of the present disclosure relate to providing access control using groups that can be dynamically controlled by group owners, such access control hereinafter referred to as group access control. Group access control can be used to control the transmission of packets on a network layer, or for other access control. A network administrator can provide users with permissions, such as using user roles. Users can then establish groups to share permissions with other users. A group is established by a group owner, who can modify the member list of that group and modify what permissions will be passed on to group members all without the involvement of a network administrator. Members of a group can include users, devices, and network resources. Additionally, data path entities (e.g. routers and access points) can facilitate delivery of packets between group members across multiple logical networks.
    Type: Grant
    Filed: April 30, 2015
    Date of Patent: June 5, 2018
    Assignee: ARUBA NETWORKS, INC
    Inventors: Edward Vajravelu, Partha Narasimhan, Sachin Shamrao Sanap, Gopal Agarwal
  • Patent number: 9992019
    Abstract: A method includes affiliating an authentication token with user information of a user. The method further includes generating a private/public key pairing associated with the user information. The method further includes applying a share encoding function on a private key of the private/public key pairing to produce a set of encoded shares. The method further includes generating a set of random numbers and generating a set of hidden passwords based on the user information. The method further includes generating a set of encryption keys based on the set of hidden passwords and the set of random numbers. The method further includes encrypting the set of encoded shares utilizing the set of encryption keys to produce a set of encrypted shares. The method further includes outputting the set of encrypted shares to the authentication token for storage therein and outputting the set of random numbers to a set of authenticating units.
    Type: Grant
    Filed: November 30, 2015
    Date of Patent: June 5, 2018
    Assignee: International Business Machines Corporation
    Inventors: Jason K. Resch, S. Christopher Gladwin, Andrew Baptist, Thomas Franklin Shirley, Jr.
  • Patent number: 9961057
    Abstract: Methods of securing a cryptographic device against implementation attacks are described. A disclosed method comprises the steps of obtaining a key (230) from memory of the cryptographic device; providing the key and a constant input (210) to an encryption module (240); deriving an output (250) of encrypted data bits using the encryption module (240); providing the output (250), the key (230) and an input vector (270) to a key update module (260); and using said key update module (260) to modify the key based on at least a part (270a) of the input vector (270) to derive an updated key (230a). This prevents the value of the key from being derived using the updated key or by using side-channel attacks because the input is constant for all keys. Additionally, by altering the input vector, the updated key is also altered.
    Type: Grant
    Filed: September 10, 2015
    Date of Patent: May 1, 2018
    Assignee: NXP B.V.
    Inventors: Marcel Medwed, Martin Feldhofer, Ventzislav Nikov
  • Patent number: 9942159
    Abstract: A node in a first network domain and a method performed thereby for transmitting a data packet to a VPN client in a second network domain, the node and the VPN client being part of a VPN, wherein the first and second network domain are connected by means of a third network domain are provided. The method comprises receiving, from an application server, a first packet comprising a first IP header and a payload; and determining a DCSP. The method further comprises adding a second header comprising the determined DCSP and an IP address of a VPN client resulting in a second packet and encrypting the second packet. Further the method comprises adding a third header to the encrypted second packet resulting in a third packet, the third header comprising a destination address of a node in the second network domain, and transmitting the third packet in an IP tunnel terminating at the node in the second network domain.
    Type: Grant
    Filed: January 28, 2014
    Date of Patent: April 10, 2018
    Assignee: TELEFONAKTIEBOLAGET LM ERICSSON
    Inventors: Henrik Basilier, Göran Eneroth, Michael Liljenstam, Linus Andersson, Björn Bodén, Kyösti Toivanen
  • Patent number: 9864850
    Abstract: A method of relicensing digital encrypted radio media content transmitted via a network and received by a user electronic device includes receiving a request to relicense an encrypted digital media data file included within digital encrypted radio media content. The encrypted digital media data file is retrieved from the digital encrypted radio media content stored in a memory of the user electronic device. The encrypted digital media data file is decrypted using a radio encryption key to generate an unbound digital media data file. The unbound digital media data file is bound with the user electronic device to generate a bound encrypted digital media data file. The bound encrypted digital media data file is stored in the memory of the user electronic device.
    Type: Grant
    Filed: February 11, 2014
    Date of Patent: January 9, 2018
    Assignee: Intel Corporation
    Inventor: Joshua D. Hug
  • Patent number: 9858396
    Abstract: Media content is delivered to a variety of mobile devices in a protected manner based on client-server architecture with a symmetric (private-key) encryption scheme. A media preparation server (MPS) encrypts media content and publishes and stores it on a content delivery server (CDS), such as a server in a content distribution network (CDN). Client devices can freely obtain the media content from the CDS and can also freely distribute the media content further. They cannot, however, play the content without first obtaining a decryption key and license. Access to decryption keys is via a centralized rights manager, providing a desired level of DRM control.
    Type: Grant
    Filed: December 8, 2014
    Date of Patent: January 2, 2018
    Assignee: ERICSSON AB
    Inventors: Raj Nair, Mikhail Mikhailov
  • Patent number: 9846773
    Abstract: A technique for enabling a client to provide a server entity is disclosed. In method aspects, a first method is performed in the client and comprises the steps of providing the client with a secure trusted environment, the environment being trusted by the client and by at least one third party, and accommodating, in the secure trusted environment, at least a local portion of the server entity, the server entity being configured to handle one or more server requests from the client, and data required by the server entity so as to handle the server request. A second method is performed in a server and comprises the steps of providing, for the secure trusted environment of the client, the environment being trusted by the client and by the at least one third party, the at least local portion of the server entity, and the data.
    Type: Grant
    Filed: December 20, 2012
    Date of Patent: December 19, 2017
    Assignee: Telefonaktiebolaget LM Ericsson (Publ)
    Inventor: Bernard Smeets
  • Patent number: 9813337
    Abstract: Techniques for securing name resolution technologies and for ensuring that name resolution technologies can function in modern networks that have a plurality of overlay networks accessible via a single network interface. In accordance with some of the principles described herein, a set of resolution parameters may be implemented by a user to be used during a name resolution process. In some implementations, when an identifier is obtained for a network resource, the identifier may be stored in a cache with resolution parameters that were used in obtaining the identifier. When a new name resolution request is received, the cache may be examined to determine whether a corresponding second identifier is in the cache, and whether resolution parameters used to retrieve the second identifier in the cache match the resolution parameters for the new resolution request. If so, the second identifier may be returned from the cache.
    Type: Grant
    Filed: March 14, 2013
    Date of Patent: November 7, 2017
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Rob M. Trace, Libby Meren
  • Patent number: 9774631
    Abstract: A network-based appliance includes a mechanism to enable the appliance to extract itself from man-in-the-middle (MITM) processing during a client-server handshake and without interrupting that connection. The mechanism enables the appliance to decide (e.g., based on a rule match against a received server certificate) to stop performing MITM during the handshake and thus to de-insert itself transparently, i.e., without interfering or signaling to either end of the session that this operation is occurring. Once the connection is abandoned in the manner, the appliance ignores additional traffic flow and thus can free up processing resources (CPU, memory, and the like) that would otherwise be required to decrypt the connection (even if no further inspection or rewrite processing would be expected to occur).
    Type: Grant
    Filed: October 29, 2014
    Date of Patent: September 26, 2017
    Assignee: International Business Machines Corporation
    Inventors: Steven Ashley Mazur, Matthew Joseph Kubilus, Jr.