Packet Header Designating Cryptographically Protected Data Patents (Class 713/160)
-
Patent number: 10387665
Abstract: Data security access and management may require a server dedicated to monitoring document access requests and enforcing rules and policies to limit access to those who are not specifically identified as having access to the data. One example of operation may include selecting data to access via a user device, applying at least one policy to the data that limits access to the data to user profiles assigned privileges to the policy, encrypting the data, generating metadata indicating the policy and pairing the metadata with the data, and storing the data and the metadata in a policy server.
Type: Grant
Filed: November 12, 2015
Date of Patent: August 20, 2019
Assignee: Vera
Inventors: Prakash Linga, Ajay Arora, Vladimir Buzuev, Maurice C. Evans, Justin Sisley, Nicolas Vautier
-
Patent number: 10380352
Abstract: Methods and apparatus, including computer program products, implementing and using techniques for enhancing the security of content in a records management system. A document is received to be stored as a record in the records management system. A unique combination of an encryption key and encryption parameters is selected for the document. The encryption key and encryption parameters are stored on a server that is different from a server upon which the document is to be stored in the records management system. The document is encrypted using the selected unique combination of encryption key and encryption parameters. The encrypted document is stored in the records management system.
Type: Grant
Filed: February 4, 2014
Date of Patent: August 13, 2019
Assignee: International Business Machines Corporation
Inventors: Kenytt D. Avery, Jean-Marc Costecalde, David B. Harnick-Shapiro
-
Patent number: 10380353
Abstract: Methods for enhancing the security of content in a records management system. A document is received to be stored as a record in the records management system. A unique combination of an encryption key and encryption parameters is selected for the document. The encryption key and encryption parameters are stored on a server that is different from a server upon which the document is to be stored in the records management system. The document is encrypted using the selected unique combination of encryption key and encryption parameters. The encrypted document is stored in the records management system.
Type: Grant
Filed: December 3, 2014
Date of Patent: August 13, 2019
Assignee: International Business Machines Corporation
Inventors: Kenytt D. Avery, Jean-Marc Costecalde, David B. Harnick-Shapiro
-
Patent number: 10375036
Abstract: Disclosed is a content management system comprising: a server; a content database, configured within the server, within which are stored one or more channels, each channel comprising one or more stories, each story comprising a title and one or more files; and one or more user devices connected to the network, each user device being associated with a user, each user device being configured to allow the associated user to view one or more stories from a channel to which the associated user has viewing rights. The title of each story and the names of the files contained in the story are stored obfuscated in the content database, and the files are stored encrypted in the content database.
Type: Grant
Filed: March 30, 2018
Date of Patent: August 6, 2019
Assignee: BigTinCan Holdings Limited
Inventor: David Malcolm Keane
-
Patent number: 10356830
Abstract: A method is provided in one example embodiment and may include sharing an access key from a control-plane serving gateway (SGW-C) to a plurality of user-plane serving gateways (SGW-Us); allocating a plurality of Fully Qualified Tunnel Endpoint Identifiers (FQTEIDs) associated with a user equipment (UE) session; generating an access token for the UE session based, at least in part, on the access key and the plurality of FQTEIDs; and appending the access token to user-plane packets for the UE session. The method can further include receiving a data packet for the UE session by a particular SGW-U, wherein the uplink packet is appended with the access token for the UE session; determining FQTEIDs associated with the UAT; and routing the uplink packet from the particular SGW-U based on the FQTEIDs.
Type: Grant
Filed: January 17, 2017
Date of Patent: July 16, 2019
Assignee: Cisco Technology, Inc.
Inventors: Paras Mal Jain, Girish Sivasubramanian, Yogesh Devidas Patil
-
Patent number: 10348700
Abstract: A method may include, based on a set of capabilities, requesting access to data, metadata or both protected by a composite wrapper comprising a first wrapper and a second wrapper. The wrappers are each defined by different mathematical transformations performed by a component separate from the computing device. Based on an access privilege for the data, the metadata or both determined from the set of capabilities, visibility may be granted through at least one of the first or second wrapper based on independent evaluations of the first and second wrappers relative to the access privilege.
Type: Grant
Filed: December 29, 2016
Date of Patent: July 9, 2019
Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
Inventors: Rahul V. Auradkar, Roy Peter D'Souza
-
Patent number: 10348693
Abstract: A digital escrow pattern for data services can include selective access for obscured data at a remote site or in a cloud service, distributing trust across multiple entities to avoid a single point of data compromise. Based on the pattern, a “trustworthy envelope” for any kind of payload enables curtained access through a variety of decorations or seals placed on the envelope that allow for a gamut of trust ranging with guarantees such as, but not limited to, confidentiality, privacy, anonymity, tamper detection, integrity, etc. For instance, XML tags can be applied or augmented to create trust envelopes for structured XML data. Some examples of mathematical transformations or ‘decorations’ that can be applied to the XML data include, but are not limited to, size-preserving encryption, searchable-encryption, or Proof(s) of Application, blind fingerprints, Proof(s) of Retrievability, etc.
Type: Grant
Filed: July 8, 2010
Date of Patent: July 9, 2019
Assignee: Microsoft Technology Licensing, LLC
Inventors: Rahul V. Auradkar, Roy Peter D'Souza, Darrell J. Cannon, Venkatesh Krishnan
-
Patent number: 10333970
Abstract: A method and technique for protecting against denial of service attacks includes maintaining a window over a sequence number space that includes sequence numbers that are sequentially assigned to challenge messages where the window has a leading edge and a trailing edge. Responsive to receiving a request from a client, the leading edge of the window is advanced and a leading edge sequence number is selected as a challenge sequence number. A challenge message including the challenge sequence number is sent to a client. Responsive to receiving a response message from the client, it is verified that a challenge sequence number included with the response message is within the window and does not correspond to a marked sequence number within the window.
Type: Grant
Filed: November 6, 2018
Date of Patent: June 25, 2019
Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
Inventors: Clark Debs Jeffries, Mohammad Peyravian
-
Patent number: 10296364
Abstract: An access data collector collects access assignment data characterizing active access assignment operations of a hypervisor in assigning host computing resources among virtual machines for use in execution of the virtual machines. Then, a capacity risk indicator calculator calculates a capacity risk indicator characterizing a capacity risk of the host computing resources with respect to meeting a prospective capacity demand of the virtual machines, based on the access assignment data.
Type: Grant
Filed: October 26, 2016
Date of Patent: May 21, 2019
Assignee: BMC Software, Inc.
Inventors: Jeyashree Sivasubramanian, Sudheer Apte
-
Patent number: 10298601
Abstract: A network address includes a predefined portion that identifies a hostname, where the predefined portion is less than all of the network address. A request is received for a secure session at the network address. The hostname is identified from the predefined portion of the network address and a secure session negotiation is made including returning a digital certificate for the identified hostname.
Type: Grant
Filed: February 27, 2017
Date of Patent: May 21, 2019
Assignee: CLOUDFLARE, INC.
Inventor: John Graham-Cumming
-
Patent number: 10298386
Abstract: An unencrypted media access control layer (MAC) protocol data unit (MPDU) having a header is received at a wireless network interface device. The header includes a sequence number. The wireless network interface device uses the sequence number to encrypt data in the unencrypted MPDU to generate an encrypted MPDU, and transmits the encrypted MPDU.
Type: Grant
Filed: July 5, 2016
Date of Patent: May 21, 2019
Assignee: Marvell International Ltd.
Inventors: Paul A. Lambert, Yong Liu, Raja Banerjea, Harish Ramamurthy
-
Patent number: 10270809
Abstract: A mechanism to facilitate a private network (VPN)-as-a-service, preferably within the context of an overlay IP routing mechanism implemented within an overlay network. A network-as-a-service customer operates endpoints that are desired to be connected to one another securely and privately using the overlay IP (OIP) routing mechanism. The overlay provides delivery of packets end-to-end between overlay network appliances positioned at the endpoints. During such delivery, the appliances are configured such that the data portion of each packet has a distinct encryption context from the encryption context of the TCP/IP portion of the packet. By establishing and maintaining these distinct encryption contexts, the overlay network can decrypt and access the TCP/IP flow. This enables the overlay network provider to apply one or more TCP optimizations. At the same time, the separate encryption contexts ensure the data portion of each packet is never available in the clear at any point during transport.
Type: Grant
Filed: December 2, 2014
Date of Patent: April 23, 2019
Assignee: Akamai Technologies, Inc.
Inventors: Brandon O. Williams, Martin K. Lohner, Kevin Harmon, Jeffrey Bower
-
Patent number: 10255157
Abstract: Aspects of the disclosure relate to providing type safe secure logging. A computing platform may receive application code comprising one or more calls to one or more logging methods. Subsequently, the computing platform may compile the application code comprising the one or more calls to the one or more logging methods to produce a compiled software application. During the compiling of the application code comprising the one or more calls to the one or more logging methods, the computing platform may enforce one or more type-based secure logging rules on the application code comprising the one or more calls to the one or more logging methods. Thereafter, the computing platform may store the compiled software application. In some embodiments, enforcing the one or more type-based secure logging rules may include allowing logging of one or more predetermined classes of objects.
Type: Grant
Filed: July 14, 2017
Date of Patent: April 9, 2019
Assignee: Citrix Systems, Inc.
Inventors: Thomas M. Kludy, Thomas Hammond
-
Patent number: 10230702
Abstract: An example method performed by one or more processing devices includes: generating encrypted content at a sender device using one or more first keys that are available from a key provider; and outputting the encrypted content to a recipient device over one or more channels; where the key provider enables access, following authorization, by the recipient device to one or more second keys for decrypting the encrypted content; and where an entity that enables the channel is unaffiliated with the key provider.
Type: Grant
Filed: August 15, 2016
Date of Patent: March 12, 2019
Assignee: BlueRISC, Inc.
Inventor: Csaba Andras Moritz
-
Patent number: 10218516
Abstract: The invention relates to a system and method of re-programming memory, and in particular, to wirelessly re-programming software, such as the application code, residing in memory of a trainable transceiver. The wireless re-programming of memory allows for software in the trainable transceiver to be updated or replaced from a remote location, where a direct or wired connection to the product is not otherwise available.
Type: Grant
Filed: November 13, 2017
Date of Patent: February 26, 2019
Assignee: GENTEX CORPORATION
Inventors: Chris H. Vuyst, Todd R. Witkowski, Carl L. Shearer, Steven L. Geerlings, Thomas D. Klaver
-
Patent number: 10210338
Abstract: In a compression processing storage system, using a pool of encryption processing cores, the encryption processing cores are assigned to process either encryption operations, decryption operations, and decryption and encryption operations, that are scheduled for processing. A maximum number of the encryption processing cores are set for processing only the decryption operations, thereby lowering a decryption latency. A minimal number of the encryption processing cores are allocated for processing the encryption operations, thereby increasing encryption latency. The encryption operations, the decryption operations, and the decryption and encryption operations are scheduled between the pool of the plurality of processing cores according to a thread weight value (TWV) that is assigned to each one of the plurality of processing cores having a difference in processing power.
Type: Grant
Filed: November 22, 2017
Date of Patent: February 19, 2019
Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
Inventors: Jonathan Amit, Amir Lidor, Sergey Marenkov, Rostislav Raikhman
-
Patent number: 10206138
Abstract: Systems and methods are disclosed for assigning a quality of service to a data packet in a communications network by mapping a Wi-Fi access layer identifier such as an SSID to a value in a datagram header, and subsequently using the datagram header to assign an appropriate data bearer for the datagram, the data bearer having a quality of service class identifier appropriate for the type of traffic expected to be sent over the particular Wi-Fi access layer.
Type: Grant
Filed: June 20, 2016
Date of Patent: February 12, 2019
Assignee: Parallel Wireless, Inc.
Inventors: Yang Cao, Sumit Garg, Anand Bhaskarwar, Steven Beaudette, Mohit Chugh
-
Patent number: 10193939
Abstract: Managing Security Parameter Information (SPIs) to prevent race condition failures begins where a system negotiates SPIs along with associated expiration times, and re-negotiates new SPIs as necessary. The system prevents race conditions that would otherwise occur when both an old SPI and a new SPI are active at the same time. The system accomplishes this by managing the storage and deletion of old SPIs such that only active SPIs are stored on the system for use by a User Equipment (UE) or Proxy Call Session Control Function (P-CSCF).
Type: Grant
Filed: August 7, 2017
Date of Patent: January 29, 2019
Assignee: T-Mobile U.S.A., Inc.
Inventors: Kalyan Kalepu, Shujaur Mufti
-
Patent number: 10187215
Abstract: A system and methods are provided for establishing an authenticated and encrypted communication connection between two devices with at most two round-trip communications. During establishment of an initial authenticated, encrypted communication connection (or afterward), a first device (e.g., a server) provides the second device (e.g., a client) with a token (e.g., a challenge) that lives or persists beyond the current connection. After that connection is terminated and the second device initiates a new connection, it uses the token as part of the handshaking process to reduce the necessary round-trip communications to one.
Type: Grant
Filed: November 6, 2017
Date of Patent: January 22, 2019
Assignee: WhatsApp Inc.
Inventors: Bryan D O'Connor, Eugene Fooksman
-
Patent number: 10162847
Abstract: An apparatus, method, system, and computer-readable medium are provided for maintaining contact information associated with a contact. In some embodiments a request associated with a contact may be received. Contact information may be obtained from one or more external or internal sources. One or more confidence scores may be generated for the obtained contact information and for one or more values received with the request. Based on the confidence score(s), one or more values associated with the contact may be incorporated in one or more data stores. In some embodiments, suggestions for contact related information may be generated. Responses to the suggestions may be used to update the generated confidence score(s).
Type: Grant
Filed: June 13, 2014
Date of Patent: December 25, 2018
Assignee: Comcast Interactive Media, LLC
Inventors: Peter Lester, Justin Miller, Hendrick Lee, Aseem Sharma, Galen Trevor Gattis, Amber Dixon, Huy Tuan Nguyen, Derek McGowan, John McCrea
-
Patent number: 10154014
Abstract: One embodiment provides a system for efficiently and securely encrypting, transmitting, and decrypting video data, including selective encryption of image frames. During operation, the system obtains, by a content-transmitting device, an image frame which is used to form a video stream. In response to determining that the image frame satisfies a predetermined condition for encryption, the system encrypts the image frame based on an encryption algorithm. The system encapsulates the encrypted image frame based on encapsulation information. The system includes encryption identification information for the image frame in the encapsulation information.
Type: Grant
Filed: August 18, 2016
Date of Patent: December 11, 2018
Assignee: Alibaba Group Holding Limited
Inventors: Qi Zhang, Didi Yao
-
Patent number: 10091117
Abstract: Techniques for code block (CB) segmentation and rate matching in wireless deployments that may use CB-level feedback may provide that a transport block group (TBG) may include one or more CBs from multiple transport blocks (TBs). Such TBGs may support retransmissions of one or more CBs from different TBs within a TBG transmission. In certain examples, a TBG size may be determined, and a retransmission size associated with any CBs to be retransmitted are determined. Based at least in part on the TBG size and retransmission size, it may be determined whether a new TB may be included in the TBG.
Type: Grant
Filed: June 14, 2016
Date of Patent: October 2, 2018
Assignee: QUALCOMM Incorporated
Inventors: Jing Sun, Taesang Yoo
-
Patent number: 10078736
Abstract: Disclosed are systems and methods for improving interactions with and between computers in content communicating, rendering, generating, hosting and/or providing systems supported by or configured with personal computing devices, servers and/or platforms. The systems interact to identify and retrieve data within or across platforms, which can be used to improve the quality of data used in processing interactions between or among processors in such systems. The disclosed systems and methods enable the seamless and adaptable implementation of digital rights management technology on a client device despite variations in the version, languages, programs executing on differing linked devices. The disclosed systems and methods enable the rendering of content via encryption and decryption of the content, which protects the digital media content on the client end.
Type: Grant
Filed: March 30, 2016
Date of Patent: September 18, 2018
Assignee: ALIBABA GROUP HOLDING LIMITED
Inventor: Yusong Wei
-
Patent number: 10075416
Abstract: In general, techniques for sharing of network session data are described. The techniques may enable security devices to leverage application classification information in a federated manner. An example security device includes a memory and one or more processors. The processor(s) are configured to receive data representative of an application classification for a first packet flow from a second security device, to receive data of a second packet flow, and, when the second packet flow corresponds to the first packet flow, to monitor the data of the second packet flow based on the application classification for the first packet flow without determining an application classification for the second packet flow.
Type: Grant
Filed: December 30, 2015
Date of Patent: September 11, 2018
Assignee: Juniper Networks, Inc.
Inventors: Nagendra Singh Yadav, Anil Kumar Reddy Sirigiri
-
Patent number: 10075434
Abstract: Generally, this disclosure describes a method and system for authenticating to a network via a device-specific one-time password. A method in an embodiment may include generating a first one-time password (OTP) based at least in part on a plurality of client device attributes; and providing the first OTP to an authenticator associated with a private network during a first session, wherein the authenticator is configured to authenticate the client device to at least one of the private network and protected content included in the private network for a second session following the first session based on the provided first OTP.
Type: Grant
Filed: June 21, 2016
Date of Patent: September 11, 2018
Assignee: Intel Corporation
Inventors: Jim S. Baca, Tobias M. Kohlenberg, Hong Li, David Stanasolovich, Mark H. Price, Steven J. Birkel, Kenneth W. Reese, Ronald Tafoya
-
Patent number: 10044809
Abstract: Provided is a wireless communication device for packet communication. When power is applied, in a case where a packet data is received before receiving a message notifying that packet communication starts, the other party is urged to transmit a message saying that the packet communication starts and a packet number is initialized in accordance with transmission and reception of the message that the packet communication starts.
Type: Grant
Filed: November 3, 2015
Date of Patent: August 7, 2018
Assignee: PANASONIC INTELLECTUAL PROPERTY MANAGEMENT CO., LTD.
Inventor: Toshiyuki Sugitani
-
Patent number: 10044713
Abstract: Identity management, user authentication, and/or user access to services on a network may be provided in a secure and/or trustworthy manner, as described herein. For example, trustworthy claims may be used to indicate security and/or trustworthiness of a user or user device on a network. Security and/or trustworthiness of a user or a user device on a network may also be established using OpenID and/or local OpenID, a secure channel between a service and the user device, and/or by including a network layer authentication challenge in an application layer authentication challenge on the user device for example.
Type: Grant
Filed: August 20, 2012
Date of Patent: August 7, 2018
Assignee: InterDigital Patent Holdings, Inc.
Inventors: Andreas Leicher, Andreas Schmidt, Yogendra Shah
-
Patent number: 10015542
Abstract: A method and system are provided for securely storing and retrieving live off-disk media programs. Events delineate media segments, each of which are encrypted with a different key so as to be streamable to a remote device via digital living network alliance (DLNA) or HTTP live streaming protocols. Media segments and identifiers for managing the storage and retrieval of such media segments are compatible with live streaming data structures, obviating the need to re-encrypt data streams.
Type: Grant
Filed: March 14, 2014
Date of Patent: July 3, 2018
Assignee: ARRIS Enterprises LLC
Inventors: Rafie Shamsaasef, William P Franks, Geetha Mangalore, Paul Moroney
-
Patent number: 9992202
Abstract: Certain aspects and features of the present disclosure relate to providing access control using groups that can be dynamically controlled by group owners, such access control hereinafter referred to as group access control. Group access control can be used to control the transmission of packets on a network layer, or for other access control. A network administrator can provide users with permissions, such as using user roles. Users can then establish groups to share permissions with other users. A group is established by a group owner, who can modify the member list of that group and modify what permissions will be passed on to group members all without the involvement of a network administrator. Members of a group can include users, devices, and network resources. Additionally, data path entities (e.g. routers and access points) can facilitate delivery of packets between group members across multiple logical networks.
Type: Grant
Filed: April 30, 2015
Date of Patent: June 5, 2018
Assignee: ARUBA NETWORKS, INC
Inventors: Edward Vajravelu, Partha Narasimhan, Sachin Shamrao Sanap, Gopal Agarwal
-
Patent number: 9992019
Abstract: A method includes affiliating an authentication token with user information of a user. The method further includes generating a private/public key pairing associated with the user information. The method further includes applying a share encoding function on a private key of the private/public key pairing to produce a set of encoded shares. The method further includes generating a set of random numbers and generating a set of hidden passwords based on the user information. The method further includes generating a set of encryption keys based on the set of hidden passwords and the set of random numbers. The method further includes encrypting the set of encoded shares utilizing the set of encryption keys to produce a set of encrypted shares. The method further includes outputting the set of encrypted shares to the authentication token for storage therein and outputting the set of random numbers to a set of authenticating units.
Type: Grant
Filed: November 30, 2015
Date of Patent: June 5, 2018
Assignee: International Business Machines Corporation
Inventors: Jason K. Resch, S. Christopher Gladwin, Andrew Baptist, Thomas Franklin Shirley, Jr.
-
Patent number: 9961057
Abstract: Methods of securing a cryptographic device against implementation attacks are described. A disclosed method comprises the steps of obtaining a key (230) from memory of the cryptographic device; providing the key and a constant input (210) to an encryption module (240); deriving an output (250) of encrypted data bits using the encryption module (240); providing the output (250), the key (230) and an input vector (270) to a key update module (260); and using said key update module (260) to modify the key based on at least a part (270a) of the input vector (270) to derive an updated key (230a). This prevents the value of the key from being derived using the updated key or by using side-channel attacks because the input is constant for all keys. Additionally, by altering the input vector, the updated key is also altered.
Type: Grant
Filed: September 10, 2015
Date of Patent: May 1, 2018
Assignee: NXP B.V.
Inventors: Marcel Medwed, Martin Feldhofer, Ventzislav Nikov
-
Patent number: 9942159
Abstract: A node in a first network domain and a method performed thereby for transmitting a data packet to a VPN client in a second network domain, the node and the VPN client being part of a VPN, wherein the first and second network domain are connected by means of a third network domain are provided. The method comprises receiving, from an application server, a first packet comprising a first IP header and a payload; and determining a DCSP. The method further comprises adding a second header comprising the determined DCSP and an IP address of a VPN client resulting in a second packet and encrypting the second packet. Further the method comprises adding a third header to the encrypted second packet resulting in a third packet, the third header comprising a destination address of a node in the second network domain, and transmitting the third packet in an IP tunnel terminating at the node in the second network domain.
Type: Grant
Filed: January 28, 2014
Date of Patent: April 10, 2018
Assignee: TELEFONAKTIEBOLAGET LM ERICSSON
Inventors: Henrik Basilier, Göran Eneroth, Michael Liljenstam, Linus Andersson, Björn Bodén, Kyösti Toivanen
-
Patent number: 9864850
Abstract: A method of relicensing digital encrypted radio media content transmitted via a network and received by a user electronic device includes receiving a request to relicense an encrypted digital media data file included within digital encrypted radio media content. The encrypted digital media data file is retrieved from the digital encrypted radio media content stored in a memory of the user electronic device. The encrypted digital media data file is decrypted using a radio encryption key to generate an unbound digital media data file. The unbound digital media data file is bound with the user electronic device to generate a bound encrypted digital media data file. The bound encrypted digital media data file is stored in the memory of the user electronic device.
Type: Grant
Filed: February 11, 2014
Date of Patent: January 9, 2018
Assignee: Intel Corporation
Inventor: Joshua D. Hug
-
Patent number: 9858396
Abstract: Media content is delivered to a variety of mobile devices in a protected manner based on client-server architecture with a symmetric (private-key) encryption scheme. A media preparation server (MPS) encrypts media content and publishes and stores it on a content delivery server (CDS), such as a server in a content distribution network (CDN). Client devices can freely obtain the media content from the CDS and can also freely distribute the media content further. They cannot, however, play the content without first obtaining a decryption key and license. Access to decryption keys is via a centralized rights manager, providing a desired level of DRM control.
Type: Grant
Filed: December 8, 2014
Date of Patent: January 2, 2018
Assignee: ERICSSON AB
Inventors: Raj Nair, Mikhail Mikhailov
-
Patent number: 9846773
Abstract: A technique for enabling a client to provide a server entity is disclosed. In method aspects, a first method is performed in the client and comprises the steps of providing the client with a secure trusted environment, the environment being trusted by the client and by at least one third party, and accommodating, in the secure trusted environment, at least a local portion of the server entity, the server entity being configured to handle one or more server requests from the client, and data required by the server entity so as to handle the server request. A second method is performed in a server and comprises the steps of providing, for the secure trusted environment of the client, the environment being trusted by the client and by the at least one third party, the at least local portion of the server entity, and the data.
Type: Grant
Filed: December 20, 2012
Date of Patent: December 19, 2017
Assignee: Telefonaktiebolaget LM Ericsson (Publ)
Inventor: Bernard Smeets
-
Patent number: 9813337
Abstract: Techniques for securing name resolution technologies and for ensuring that name resolution technologies can function in modern networks that have a plurality of overlay networks accessible via a single network interface. In accordance with some of the principles described herein, a set of resolution parameters may be implemented by a user to be used during a name resolution process. In some implementations, when an identifier is obtained for a network resource, the identifier may be stored in a cache with resolution parameters that were used in obtaining the identifier. When a new name resolution request is received, the cache may be examined to determine whether a corresponding second identifier is in the cache, and whether resolution parameters used to retrieve the second identifier in the cache match the resolution parameters for the new resolution request. If so, the second identifier may be returned from the cache.
Type: Grant
Filed: March 14, 2013
Date of Patent: November 7, 2017
Assignee: Microsoft Technology Licensing, LLC
Inventors: Rob M. Trace, Libby Meren
-
Patent number: 9774631
Abstract: A network-based appliance includes a mechanism to enable the appliance to extract itself from man-in-the-middle (MITM) processing during a client-server handshake and without interrupting that connection. The mechanism enables the appliance to decide (e.g., based on a rule match against a received server certificate) to stop performing MITM during the handshake and thus to de-insert itself transparently, i.e., without interfering or signaling to either end of the session that this operation is occurring. Once the connection is abandoned in the manner, the appliance ignores additional traffic flow and thus can free up processing resources (CPU, memory, and the like) that would otherwise be required to decrypt the connection (even if no further inspection or rewrite processing would be expected to occur).
Type: Grant
Filed: October 29, 2014
Date of Patent: September 26, 2017
Assignee: International Business Machines Corporation
Inventors: Steven Ashley Mazur, Matthew Joseph Kubilus, Jr.
-
Patent number: 9769119
Abstract: Methods and systems for selectively blocking, allowing and/or reformatting IPv6 headers by traversing devices are provided. According to one embodiment, reputation information regarding observed senders of Internet Protocol (IP) version 6 (IPv6) packets and packet fragments is maintained by a traversing device based on conformity or nonconformity of extension headers contained within the IPv6 packets with respect to a set of security checks performed by the traversing device. When an IPv6 packet or packet fragment is received from a particular source IP address indicated by the reputation information to be associated with one or more nonconformity issues, then dropping, rate limiting or quarantining, by the traversing device, the IPv6 packet or the packet fragment.
Type: Grant
Filed: December 30, 2016
Date of Patent: September 19, 2017
Assignee: Fortinet, Inc.
Inventor: Thorsten Jäger
-
Patent number: 9742743
Abstract: A management server (110) encrypts storage target data and transmits the encrypted storage target data to mobile terminals (120a, 120b). Thereafter, the management server (110) receives and decrypts the encrypted storage target data stored in the mobile terminals (120a, 120b).
Type: Grant
Filed: February 21, 2014
Date of Patent: August 22, 2017
Assignee: NS SOLUTIONS CORPORATION
Inventors: Munehiko Sawafuji, Yasuhiro Okada
-
Patent number: 9733980
Abstract: Techniques are described for managing virtual machines using input/output (I/O) device logging. For example, a system bus or other interface to a device may be monitored for traffic data elements. The traffic data elements may include, for example, transaction layer packets (TLPs) for communication across a PCI Express interface, or TCP/IP packets for communication over a network. These traffic data elements may be logged in an I/O device logging buffer. The I/O device logging buffer can then be used to ensure that all memory relating to a virtual machine is copied when transferring the virtual machine to another computing device. In addition, the I/O device logging buffer can be used to stop a virtual machine without waiting for the virtual machine to complete I/O processing.
Type: Grant
Filed: December 5, 2014
Date of Patent: August 15, 2017
Assignee: Amazon Technologies, Inc.
Inventors: Asif Khan, Anthony Nicholas Liguori, Mark Bradley Davis
-
Patent number: 9729325
Abstract: Disclosed is a method for protecting message data. In the method, the message data is padded with padding bits generated based on a deterministic function performed on the message data. The padded message data is compressed to generate compressed data. A length of the compressed data is dependent on the padding bits. The compressed data is encrypted to generate encrypted message data.
Type: Grant
Filed: March 16, 2015
Date of Patent: August 8, 2017
Assignee: QUALCOMM Incorporated
Inventors: David Jacobson, Billy Brumley
-
Patent number: 9729588
Abstract: Managing Security Parameter Information (SPIs) to prevent race condition failures begins where a system negotiates SPIs along with associated expiration times, and re-negotiates new SPIs as necessary. The system prevents race conditions that would otherwise occur when both an old SPI and a new SPI are active at the same time. The system accomplishes this by managing the storage and deletion of old SPIs such that only active SPIs are stored on the system for use by a User Equipment (UE) or Proxy Call Session Control Function (P-CSCF).
Type: Grant
Filed: June 2, 2015
Date of Patent: August 8, 2017
Assignee: T-Mobile USA, Inc.
Inventors: Kalyan Kalepu, Shujaur Mufti
-
Patent number: 9705675
Abstract: A method and system for testing the cryptographic integrity of data m comprises at least the following elements: a module transmitting a message M, said module comprising a memory for storing the parameters used to execute the steps of the method, such as the key, the public data, a transmission medium, a receiver module also comprising storage means for storing at least the same parameters as in transmission. The system may comprise storage means for storing confidential data such as the secret keys, a processor suitable for executing the steps.
Type: Grant
Filed: December 22, 2011
Date of Patent: July 11, 2017
Assignee: Thales
Inventors: Philippe Painchault, Eric Garrido, Sandra Marcello
-
Patent number: 9660811
Abstract: Disclosed is a method for protecting message data. In the method, the message data is padded with padding bits generated based on a deterministic function performed on the message data. The padded message data is compressed to generate compressed data. A length of the compressed data is dependent on the padding bits. The compressed data is encrypted to generate encrypted message data.
Type: Grant
Filed: March 16, 2015
Date of Patent: May 23, 2017
Assignee: QUALCOMM Incorporated
Inventors: David Jacobson, Billy Brumley
-
Patent number: 9660863
Abstract: A first electronic device transmits first configuration information of the first electronic device collected by a tamper-resistant chip mounted thereon and approved by a third-party device to a second electronic device over a short-distance network. The second electronic device transmits second configuration information of the second electronic device collected by a tamper-resistant chip mounted thereon and approved by the third-party device to the first electronic device over the short-distance network. The first electronic device transmits the first configuration information and the second configuration information to the second electronic device over a network. The second electronic device controls connection between the first electronic device and the second electronic device over the network based on the first configuration information and the second configuration information received from the first electronic device.
Type: Grant
Filed: August 7, 2013
Date of Patent: May 23, 2017
Assignees: FUJITSU FSAS INC., FUJITSU LIMITED
Inventors: Kouji Sakai, Seigo Kotani
-
Patent number: 9646292
Abstract: A method and system for distributing digital content to customers at a plurality of points of transaction that allows each content provider to use its own method of digital rights management. A master digital catalog is used to load product data from a plurality of different content providers. The catalog contents are provided to retailers and other points of transaction. A digital activation broker processes customer orders from the points of transaction and provides information that allows the customer access to the content. The content may be provided by the digital activation broker or through a third-party website. In some embodiments, a payment processor is used to process payments submitted by the customers. The digital activation broker may also void transactions and look up lost authorization codes.
Type: Grant
Filed: July 27, 2012
Date of Patent: May 9, 2017
Assignee: FOLLETT CORPORATION
Inventors: Doug Thompson, Donald Peterson, Steve Holstad, Terry Mainiero
-
Patent number: 9641551
Abstract: A method for routing IP packets with IPSec AH authentication is disclosed. The method includes locating overlay edge routers between private domains and their associated NAT routers. Outbound packets from a source private domain are modified by its overlay edge router to include IPSec AH authorization data computed using IP source and destination addresses that match a packet's final source and destination IP address upon final NAT translation immediately prior to delivery to a host of a destination private domain.
Type: Grant
Filed: August 13, 2013
Date of Patent: May 2, 2017
Assignee: vIPtela Inc.
Inventor: Praveen Raju Kariyanahalli
-
Patent number: 9602403
Abstract: A method and an apparatus for transmitting and receiving packets in a broadcasting system are provided. The present disclosure allocates a padding size field by using padding octets, and thus can increase transmission efficiency. Also, the present disclosure does not restrict the number of padding octets while maintaining compatibility with existing disclosures, and thus can carry out as much padding as desired and as necessary. In addition, the present disclosure variably allocates the padding size field depending on the number P of padding octets, and thus can increase header efficiency. Furthermore, since the number of padded octets in a header is immediately known, the size of an actual payload is known in advance, and thus rapid transmission is possible.
Type: Grant
Filed: January 31, 2013
Date of Patent: March 21, 2017
Assignee: Samsung Electronics Co., Ltd.
Inventors: Sung-Hee Hwang, Kyung-Mo Park, Hyun-Koo Yang, Seho Myung, Sung-Oh Hwang
-
Patent number: 9584478
Abstract: Methods and systems for selectively blocking, allowing and/or reformatting IPv6 headers by traversing devices are provided. According to one embodiment, reputation information regarding observed senders of Internet Protocol (IP) version 6 (IPv6) packets and packet fragments is maintained by a traversing device based on conformity or nonconformity of extension headers contained within the IPv6 packets with respect to a set of security checks performed by the traversing device. When an IPv6 packet or packet fragment is received from a particular source IP address indicated by the reputation information to be associated with one or more nonconformity issues, then dropping, rate limiting or quarantining, by the traversing device, the IPv6 packet or the packet fragment.
Type: Grant
Filed: January 25, 2016
Date of Patent: February 28, 2017
Assignee: Fortinet, Inc.
Inventor: Thorsten Jäger
-
Patent number: 9584328
Abstract: A network address includes a predefined portion that identifies a hostname, where the predefined portion is less than all of the network address. A request is received for a secure session at the network address. The hostname is identified from the predefined portion of the network address and a secure session negotiation is made including returning a digital certificate for the identified hostname.
Type: Grant
Filed: October 5, 2015
Date of Patent: February 28, 2017
Assignee: CLOUDFLARE, INC.
Inventor: John Graham-Cumming