Data Authentication Patents (Class 713/161)
-
Patent number: 9552039
Abstract: Methods and apparatus relating to constrained boot techniques in multi-core platforms are described. In one embodiment, a processor may include logic that controls which specific core(s) are to be powered up/down and/or which power state these core(s) need to enter based, at least in part, on input from OS and/or software application(s). Other embodiments are also claimed and disclosed.
Type: Grant
Filed: September 27, 2012
Date of Patent: January 24, 2017
Assignee: Intel Corporation
Inventors: Rajeev Muralidhar, Harinarayanan Seshadri, Vishwesh M. Rudramuni
-
Patent number: 9547771
Abstract: Requests submitted to a computer system are evaluated for compliance with policy to ensure data security. Plaintext and associated data are used as inputs into a cipher to produce ciphertext. Whether a result of decrypting the ciphertext can be provided in response to a request is determined based at least in part on evaluation of a policy that itself is based at least in part on the associated data. Other policies include automatic rotation of keys to prevent keys from being used in enough operations to enable cryptographic attacks intended to determine the keys.
Type: Grant
Filed: February 12, 2013
Date of Patent: January 17, 2017
Assignee: Amazon Technologies, Inc.
Inventors: Gregory Branchek Roth, Matthew James Wren, Eric Jason Brandwine, Brian Irl Pratt
-
Patent number: 9525999
Abstract: A method for securely transferring a service from a first mobile device to a second mobile device, the service being associated with a server configured for facilitating provisioning of services to mobile devices over a wireless communications network. The method includes generating in the first mobile device a shared key, the shared key being generated using a master key unique to the server and to the first mobile device, the master key being accessible by the server and by the first mobile device; and sending said shared key from the first mobile device to the second mobile device using an alternate communication mechanism independent from the server.
Type: Grant
Filed: December 21, 2009
Date of Patent: December 20, 2016
Assignee: BlackBerry Limited
Inventors: James Andrew Godfrey, Herbert Anthony Little, Christopher Lyle Bender, Connor Patrick O'Rourke
-
Systems and methods for implementing an enterprise-class converged compute-network-storage appliance
Patent number: 9521198
Abstract: A distributed storage system that dispatches an input/output request is described. In an exemplary embodiment, a storage controller client receives the input/output request, wherein the distributed storage system includes the storage controller client, a plurality of storage controller servers, a plurality of virtual nodes distributed among a plurality of physical nodes, and each of the plurality of physical nodes is hosted on one of the plurality of storage controller servers. The storage controller client further computes a target virtual node for the input/output request, where the target virtual node is one of the plurality of virtual nodes. Using the computed target virtual node, the storage controller client determines a target physical node that corresponds to the target virtual node, where the target physical node is one of the plurality of physical nodes.
Type: Grant
Filed: December 19, 2013
Date of Patent: December 13, 2016
Assignee: Springpath, Inc.
Inventors: Sandip Agarwala, Abhishek Chaturvedi, Shravan Gaonkar, Mallikarjunan Mahalingam, Sazzala Reddy, Smit Shah, Faraz Shaikh, Praveen Vegulla, Krishna Yadappanavar, Jeffrey A. Zabarsky
-
Patent number: 9509661
Abstract: The present disclosure discloses a method and system for displaying an HTTPS block page without SSL inspection. Specifically, a network device snoops a first message transmitted between a client device and a network resource. The first message is transmitted as part of a SSL Handshake between the client device and the network resource to establish a SSL session. Moreover, the network device determines whether the client device is authorized to access the network resource. If not, the network device blocks the establishment of a SSL session between the client device and the network resource, and spoofs the network resource for establishing the SSL session between the client device and the network device instead of establishment of the SSL session between the client device and the network resource. Otherwise, the network device refrains from blocking the establishment of the SSL session between the client device and the network resource.
Type: Grant
Filed: October 29, 2014
Date of Patent: November 29, 2016
Assignee: Aruba Networks, Inc.
Inventors: Ramesh Ardeli, Venkatesan Marichetty
-
Patent number: 9503455
Abstract: To control access to a source storage device shared by a plurality of host systems, methods and systems include confirming a presence of an application on each host system of the plurality of host systems accessing the storage device. After confirming the presence of the application on each host system accessing the storage device, the application is run allowing each host system to access the storage device. A request is received from a new host system to access the storage device. A presence of the application is verified on the new host system. If the presence of the application is verified on the new host system, the new host system is provided with access to the storage device. If the presence of the application is not verified on the new host system, the new host system is denied access to the storage device.
Type: Grant
Filed: February 13, 2014
Date of Patent: November 22, 2016
Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
Inventors: Susan K. Candelaria, Thomas C. Storms, Peter G. Sutton, John G. Thompson, Harry M. Yudenfriend
-
Patent number: 9450853
Abstract: A system for providing a secure management agent for high-availability continuity for cloud systems includes a computer processor and logic executable by the computer processor. The logic is configured to implement a method. The method includes receiving operating parameters and threshold settings for a plurality of computing clouds. Secure relationships are established with the plurality of computing clouds based on the operating parameters. Data is mirrored across the plurality of computing clouds. Threshold data is then monitored for the plurality of computing clouds to maintain a continuity of resources for the plurality of computing clouds.
Type: Grant
Filed: October 16, 2013
Date of Patent: September 20, 2016
Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
Inventors: Tara Astigarraga, Louie A. Dickens, Michael E. Starling, Daniel J. Winarski
-
Patent number: 9450966
Abstract: A method and system for verifying the integrity of virtual machines and for verifying the integrity of discrete elements of the virtual machines throughout the lifecycle of the virtual machines. A virtual machine manager capable of managing one or more virtual machine images is installed on a physical hardware platform. An integrity verification component can be communicatively coupled to the virtual machine manager and an integrity reference component so that the integrity verification component can compare digests of the virtual machine image or discrete virtual machine image elements to virtual machine integrity records accessible from the integrity reference component.
Type: Grant
Filed: July 24, 2008
Date of Patent: September 20, 2016
Assignee: KIP Sign P1 LP
Inventors: Ronald James Forrester, William Wyatt Starnes, Frank A. Tycksen, Jr.
-
Patent number: 9444716
Abstract: A method for providing a secure management agent for high-availability continuity for cloud systems includes receiving operating parameters and threshold settings for a plurality of computing clouds. Secure relationships are established with the plurality of computing clouds based on the operating parameters. Data is mirrored across the plurality of computing clouds. Threshold data is then monitored for the plurality of computing clouds to maintain a continuity of resources for the plurality of computing clouds.
Type: Grant
Filed: September 30, 2014
Date of Patent: September 13, 2016
Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
Inventors: Tara Astigarraga, Louie A. Dickens, Michael E. Starling, Daniel J. Winarski
-
Patent number: 9424422
Abstract: Software applications are analyzed to determine if they are legitimate applications and warnings are provided to users to avoid installation and/or purchases of unnecessary and/or potentially harmful software based on comparisons of user-interface characteristics of the software applications to visual characteristics of authentic applications to determine to what extent they match (or do not match) or are attempting to mirror the legitimate application.
Type: Grant
Filed: May 16, 2014
Date of Patent: August 23, 2016
Assignee: AVG Netherlands B.V.
Inventors: Yuval Ben-Itzhak, Kaspars Osis, Mike Boz
-
Patent number: 9389839
Abstract: Described is a technology by which a signature used by network traffic intrusion prevention/detection systems includes logic that helps a prevention/detection engine detect that signature. A signature to detect is compiled into executable logic that is executed to communicate with an engine that evaluates network traffic. The signature logic provides an expression set (such as group of regular expressions) for the engine to match against a token corresponding to the network traffic. When matched, the engine notifies the logic and receives a further expression set to match, or a communication indicative that the signature was detected. The signature thus directs the analysis, facilitating a lightweight, generic engine. Safety of the signature logic is described as being accomplished through layers, including by publisher signing, and by compilation and execution (e.g., interpretation) in safe environments.
Type: Grant
Filed: June 26, 2008
Date of Patent: July 12, 2016
Assignee: Microsoft Technology Licensing, LLC
Inventors: Vladimir Lifliand, Evgeney Ryzhyk, Yifat Sagiv, Maxim Uritsky
-
Patent number: 9374444
Abstract: A system and method for providing a variety of medium access and power management methods are disclosed. A defined frame structure allows a hub and a node to use said methods for secured or unsecured communications with each other. Contended access is available during a random access phase. The node uses an alternate doubling of a backoff counter to reduce interference and resolve collisions with other nodes attempting to communicate with the hub in the random access phase. Non-contended access is also available, and the hub may schedule reoccurring or one-time allocation intervals for the node. The hub and the node may also establish polled and posted allocation intervals on an as needed basis. The node manages power usage by being at active mode at times during the beacon period when the node is expected to transmit or receive frames.
Type: Grant
Filed: December 11, 2014
Date of Patent: June 21, 2016
Assignee: TEXAS INSTRUMENTS INCORPORATED
Inventor: Jin-Meng Ho
-
Patent number: 9369487
Abstract: Disclosed herein are methods, systems, and software for handling secure transport of data between end users and content serving devices. In one example, a method of operating a content server includes identifying a content request from an end user device. The method further includes, responsive to the user request, determining a transmission control protocol window size and a secure layer protocol block size. The method also provides scaling the secure layer protocol block size to match the transmission control protocol window size, and transferring secure layer protocol packets to the end user device using the scaled secure layer protocol block size.
Type: Grant
Filed: February 21, 2014
Date of Patent: June 14, 2016
Assignee: Fastly Inc.
Inventor: Artur Bergman
-
Patent number: 9350755
Abstract: A method and apparatus for detecting malware transmission through a web portal is provided. In one embodiment, a method for detecting malicious software transmission through the web portal comprises accessing a security scan history that comprises information regarding a plurality of executables that are scanned upon executable creation and comparing current executable creation activity with the security scan history to identify at least one executable that is not scanned.
Type: Grant
Filed: March 20, 2009
Date of Patent: May 24, 2016
Assignee: Symantec Corporation
Inventors: Adam Lyle Glick, Spencer Dale Smith, Nicholas Robert Graf
-
Patent number: 9349023
Abstract: A user apparatus connected to database apparatus via network comprises: unit that manages key information in order to encrypt and decrypt; storage unit that stores security configuration information of data and/or metadata; application response unit that determines whether or not encryption is necessary for database operation command, and if encryption is necessary, selects encryption algorithm corresponding to data and/or metadata, performs encryption, and transmits result to database control unit to cause database control unit to execute database operation, if encryption is not necessary, transmits database operation command to database control unit to cause database control unit to execute database operation, and receives processing result transmitted by database control unit, and if decryption or conversion of data and/or metadata of processing result is necessary, performs necessary decryption or conversion, and returns response to database operation command; and security configuration unit that configur
Type: Grant
Filed: July 3, 2014
Date of Patent: May 24, 2016
Assignee: NEC CORPORATION
Inventors: Kengo Mori, Satoshi Obana, Jun Furukawa, Isamu Teranishi, Toshiyuki Isshiki, Toshinori Araki
-
Patent number: 9326137
Abstract: Certain aspects of the present disclosure provide methods and apparatus for secure transmission of packets with short headers. The methods may include temporarily suspending the use of packets that use a short MAC header (that lack a Key ID field) during re-keying procedures and resuming the use of such packets after a new default Key ID is established via the re-keying procedures.
Type: Grant
Filed: January 6, 2014
Date of Patent: April 26, 2016
Assignee: QUALCOMM INCORPORATED
Inventors: Maarten Menzo Wentink, Jouni Malinen
-
Patent number: 9319393
Abstract: A method of operating a security token to authenticate a user in a multi-factor authentication system is disclosed. The method includes: monitoring user custody of the token, the token having an identifying characteristic representing a possession factor for use through possession factor authentication; during a period of continuous user custody of the token based on the monitoring, obtaining a knowledge factor from a user having the continuous user custody; caching the knowledge factor in a memory of the token; and in response to a second authentication request, retrieving the knowledge factor from the memory to demonstrate to an authentication system knowledge of the knowledge factor, during the period of the continuous user custody.
Type: Grant
Filed: January 9, 2014
Date of Patent: April 19, 2016
Assignee: Applied Invention, LLC
Inventor: W. Daniel Hillis
-
Patent number: 9288226
Abstract: Software applications are analyzed to determine if they are legitimate applications and warnings are provided to users to avoid installation and/or purchases of unnecessary and/or potentially harmful software based on comparisons of user-interface characteristics of the software applications to visual characteristics of authentic applications to determine to what extent they match (or do not match) or are attempting to mirror the legitimate application.
Type: Grant
Filed: December 23, 2014
Date of Patent: March 15, 2016
Assignee: AVG Netherlands B.V.
Inventors: Yuval Ben-Itzhak, Kaspars Osis, Mike Boz
-
Patent number: 9288125
Abstract: Web content is displayed concurrently with application content of an application that is hosting the web content. The web content includes at least some content that can be executed or run, such as a script. Performance of the web content is monitored, such as by monitoring the amount of time the web content has been executing and/or an amount of memory used by the web content. Feedback regarding the performance of the web content is provided to the application hosting the web content, and the application can determine whether and/or how to alter execution of the web content based on the performance of the web content. Execution of the web content can be altered in various manners, such as by throttling execution of the web content or ceasing execution of the web content.
Type: Grant
Filed: June 14, 2013
Date of Patent: March 15, 2016
Assignee: Microsoft Technology Licensing, LLC
Inventors: Bogdan Brinza, Tony E. Schreiner, Tyler M. Barton, Michael Wayne Jackson
-
Patent number: 9268726
Abstract: An information processing apparatus able to normally unmount a memory and disconnect communication with a first external apparatus when receiving a processing request from a second external apparatus in a state that the first external apparatus mounts the memory connected to the apparatus. A multi-function peripheral as the processing apparatus (20) includes a controller OS. When receiving a processing request from a second host PC (10B) as the second external apparatus in a state where the multi-function peripheral is in communication with a first host PC (10A) as the first external apparatus (S3100), the controller OS requests the first host PC to unmount the memory (S3201), if the memory is mounted thereon. When receiving an unmount instruction from the first host PC (S3004), the controller OS unmounts the memory, disconnects the connection with the first host PC (S3005), and starts communication with the second host PC (S3101).
Type: Grant
Filed: February 10, 2010
Date of Patent: February 23, 2016
Assignee: CANON KABUSHIKI KAISHA
Inventor: Toshihisa Okutsu
-
Patent number: 9264436
Abstract: A technique for intelligent automated consent is described by which a client may be automatically authorized to access a resource owner's protected information (e.g., a profile) based on the owner's previous authorization decisions and/or other client classifications. Using this approach to granting consent, the resource owner is not required to intervene during the authorization step for each client that is requesting access. Clients may be categorized, and authorization given to individual clients based on the category to which they belong and/or the scope of the access request. The technique may be implemented with user-centric identity protocols, as well as with delegated authorization protocols. The technique provides for policy-based consent grants.
Type: Grant
Filed: May 8, 2013
Date of Patent: February 16, 2016
Assignee: International Business Machines Corporation
Inventors: Simon Gilbert Canning, Shane Bradley Weeden, Codur Sreedhar Pranam
-
Patent number: 9253641
Abstract: An apparatus and method for limiting sharing of reproduction information of a data authorized for only a specific user when a video and audio reproduced from a portable terminal are shared with a peripheral second terminal. The apparatus preferably includes an application analyzer, and a sharing information generator. Sharing information of the reproduced data is replaced with non-shared information when it is verified that the data which is not authorized to be shared is reproduced. A controller transmits the sharing information or the sharing information replaced with the non-shared information to the peripheral second terminal. The sharing information includes picture information and voice information of the reproduced data and wherein the non-shared information is replacement information for limiting viewing of the voice and audio information.
Type: Grant
Filed: March 1, 2012
Date of Patent: February 2, 2016
Assignee: Samsung Electronics Co., Ltd.
Inventors: Yoon-Suk Choi, Gi-Tae Moon
-
Patent number: 9208063
Abstract: The application testing system and method provide an efficient and effective way to test multiple application variants of an application on at least one mobile device. The application testing system may cause a first application variant selection indication to be transmitted to at least one mobile device having the application. The first application variant selection indication may be configured to cause the mobile device to interact with the application according to a first application variant of the plurality of application variants. The application testing system may analyze data corresponding to the usage of the first application variant by the at least one mobile device, and cause a second application variant selection indication to be transmitted to the mobile device, wherein the second application variant selection indication is configured to cause the mobile device to interact with the application according to a second application variant of the plurality of application variants.
Type: Grant
Filed: February 21, 2013
Date of Patent: December 8, 2015
Assignee: Groupon, Inc.
Inventors: Fabio Sisinni, Don Chennavasin
-
Patent number: 9143327
Abstract: Embodiments of the invention provide systems and methods for a cipher then segment approach in a Power Line Communication (PLC). A node or device generates frames to be transmitted to a destination node in the PLC network. A processor in the node is configured to generate a data payload comprising data to be sent to the destination node. The processor divides the data payload into two or more payload segments and encrypts the payload segments. The processor creates a frame for each of the encrypted payload segments, wherein each frame comprises a message integrity code. The processor creates a segment identifier for each frame using the message integrity code and an authentication key that is shared with the destination PLC node. The segment identifier is added to each frame.
Type: Grant
Filed: October 4, 2013
Date of Patent: September 22, 2015
Assignee: TEXAS INSTRUMENTS INCORPORATED
Inventors: Kumaran Vijayasankar, Ramanuja Vedantham, Tarkesh Pande
-
Patent number: 9122547
Abstract: Systems and methods embedding a guest module within an embedder module are disclosed. According to some aspects, an embedder module is executed at a computer. A request to access a guest module is received via the embedder module. The request comprises a tag in a programming language. The tag identifies the guest module. An event is provided, using information associated with the tag, to an executing instance of the guest module responsive to the request to access the guest module. Processing of the event at the executing instance of the guest module is signaled.
Type: Grant
Filed: May 30, 2014
Date of Patent: September 1, 2015
Assignee: Google Inc.
Inventor: Fady Samuel
-
Patent number: 9088483
Abstract: Systems, methods, and other embodiments associated with tracking packet identifiers are described. According to one embodiment, a method includes receiving a packet of data that includes an encoded packet identifier and decoding the encoded packet identifier into a decoded packet identifier. The method further includes estimating a reliability of the decoded packet identifier and determining a packet identifier of the received packet based, at least in part, on the estimated reliability of the decoded packet identifier.
Type: Grant
Filed: March 11, 2014
Date of Patent: July 21, 2015
Assignee: MARVELL INTERNATIONAL LTD.
Inventors: Bin Ni, Darrel Burk
-
Patent number: 9071581
Abstract: A security command protocol provides secure authenticated access to an auxiliary security memory within a SCSI storage device. The auxiliary security memory acts as an authenticated separate secure storage area that stores sensitive data separately from the user data area of the SCSI storage device. The security command protocol is used to access the auxiliary security memory. The security command protocol allows a trusted execution environment to transport sensitive data to and from storage in the auxiliary security memory. The regular execution environment does not have access to the security command protocol or the auxiliary security memory. The security command protocol and auxiliary security memory eliminate the need for additional secure storage components in devices that provide the security features of firmware TPM.
Type: Grant
Filed: September 23, 2013
Date of Patent: June 30, 2015
Assignee: NVIDIA CORPORATION
Inventor: Mark A. Overby
-
Patent number: 9071964
Abstract: A radio is authenticated at the site and unique authentication information for the radio is stored at the site. A subsequent non-authentication message from the radio is received at the site and authentication information in the non-authentication message is identified. The unique authentication information stored at the site is compared with authentication information identified in the non-authentication message. If there is a match, the non-authentication message is authenticated with an authentication code included in the non-authentication message, wherein a predefined portion of the authentication code is obtained from at least one of a header portion or a data portion of the non-authentication message. Upon successfully completing authentication, the site repeats the non-authentication message towards destination radios indicated in non-authentication message.
Type: Grant
Filed: September 16, 2011
Date of Patent: June 30, 2015
Assignee: MOTOROLA SOLUTIONS, INC.
Inventors: Thomas J. Senese, Chris A. Kruegel, Timothy G. Woodward
-
Patent number: 9041765
Abstract: A new approach is proposed that contemplates systems and methods to support the operation of a Virtual Media Room or Virtual Meeting Room (VMR), wherein each VMR can accept from a plurality of participants at different geographic locations a variety of video conferencing feeds of audio and video streams from video conference endpoints and enables a multi-party video conferencing session in real time among the plurality of participants. Each of the participants is offered a rich set of conferencing and collaboration interaction hitherto not experienced by video conferencing participants and a moderator of the video conference is further offered with in-meeting management and control over a plurality of security and privacy settings during the video conference. These interactions encompass controlling of a video conferencing session, its configuration, privacy, security, the visual layout of the participants, customization of the VMR and adaptation of the room to different vertical applications.
Type: Grant
Filed: May 11, 2011
Date of Patent: May 26, 2015
Assignee: Blue Jeans Network
Inventors: Alagu Periyannan, Krish Ramakrishnan, Raghavan Anand, Anand Raghavan, Ravi Kiran Kalluri, Emmanuel Weber
-
Patent number: 9037853
Abstract: The invention relates to a P2P communication method for multi-subscriber networks, which is protected from deception, eavesdropping and hacking, and wherein the communication carried out in an interval is predominantly carried out in separate rooms, allocated to the P2P communication, and with separate reference data allocated to the P2P communication. At least part of the separate random reference data and/or random data is generated in at least one unit that participates in the P2P communication and is exchanged within the P2P communication in the form of relative data. The separate P2P communication is initiated with respect to at least one global random reference date valid for the time of the P2P communication, the random reference date being valid for a randomly determined time range and being stored in all units that carry out the P2P communications in a secret and non-deceivable manner.
Type: Grant
Filed: November 17, 2008
Date of Patent: May 19, 2015
Assignee: Fachhochschule Schmalkalden
Inventors: Werner Rozek, Thomas Rozek, Jan Rozek
-
Patent number: 9027110
Abstract: The present invention relates to the field of information security. Disclosed are a system and method for communication between a dynamic token and a tool, the system comprising a tool part and a dynamic token part; the tool part comprises a control module and a tool radio frequency communication module; the dynamic token part comprises an MCU and liquid crystal module and an OTP radio frequency communication module. The method comprises: the tool part transmits a modulated wake-up command signal to the dynamic token part in the form of an electromagnetic wave; when a wake-up response command signal returned by the dynamic token part is correctly received, the tool part transmits the modulated command signal to the dynamic token part in the form of an electromagnetic wave; and the tool part detects the amplitude variation of the generated carrier signal, judges whether the response signal is correctly received, and operates correspondingly.
Type: Grant
Filed: August 28, 2012
Date of Patent: May 5, 2015
Assignee: Feitian Technologies Co., Ltd.
Inventors: Zhou Lu, Huazhang Yu
-
Patent number: 9026797
Abstract: A server apparatus having a one-time scan code issuing function, a user terminal having a one-time scan code recognizing function, and a method for processing a one-time scan code are provided so as to safely and conveniently transmit one-time information used for key-exchange-scheme-based encryption, using a scan code such as a bar code and a QR code.
Type: Grant
Filed: December 13, 2012
Date of Patent: May 5, 2015
Assignee: Korea Center.Com Co., Ltd.
Inventor: Seong-Noh Yi
-
Patent number: 9021272
Abstract: The present invention relates to key management in a secure microcontroller, and more particularly, to systems, devices and methods of automatically and transparently employing logic or physical address based keys that may also be transferred using dedicated buses. A cryptographic engine translates a logic address to at least one physical address, and processes a corresponding data word based on at least one target key. The target key is selected from a plurality of keys based on the logic or physical address. A universal memory controller stores each processed data word in the corresponding physical address within a memory. Each key is associated with a memory region within the memory, and therefore, the logic or physical address associated with a memory region may be used to automatically identify the corresponding target key. A dedicated secure link may be used to transport key request commands and the plurality of keys.
Type: Grant
Filed: August 28, 2012
Date of Patent: April 28, 2015
Assignee: Maxim Integrated Products, Inc.
Inventors: Vincent Debout, Frank Lhermet, Yann Yves René Loisel, Grégory Rome, Christophe Tremlet
-
Patent number: 9015826
Abstract: A mobile platform security apparatus and method is provided. The apparatus may perform a security setting by generating a first authentication key, a second authentication key, and a third authentication key for each function called by an application program. The apparatus may store the first authentication key and an identifier for identifying the application program in a first storage unit, the second authentication key and the identifier in a secret domain of a second storage unit, and register the third authentication key and the identifier as a function parameter in the application program. Subsequently, if the function is called by the application program, the apparatus may determine values for the first authentication key, the second authentication key, and the third authentication key corresponding to the called function, and may perform authentication processing using the three authentication key values.
Type: Grant
Filed: September 16, 2011
Date of Patent: April 21, 2015
Assignee: Pantech Co., Ltd.
Inventor: Jae Choon Park
-
Patent number: 9015806
Abstract: A system for establishing a connection between a first device and a wireless network includes a first control module, located on the first device, that receives encoded digital data. The encoded digital data corresponds to a plurality of images displayed sequentially on a display of a second device. Each of the plurality of images corresponds to a different portion of the encoded digital data. A decoder module, located on the first device, converts the encoded digital data into configuration data. The configuration data includes at least one of an identifier of the wireless network, an encryption key associated with the wireless network, and a password associated with the wireless network. The first control module uses the configuration data to establish the connection with the wireless network.
Type: Grant
Filed: October 7, 2011
Date of Patent: April 21, 2015
Assignee: Maxim Integrated Products, Inc.
Inventor: Alex Tzu-Yu Song
-
Patent number: 9009793
Abstract: The present invention provides cost efficient two way authentication method in which the authentication module can be provided as a Plug and Play (PnP) architecture enabling dual layer security with reduced cost where the actions are initiated by a server and user input is received through an audio session for added security. The second level authentication can be carried out with mobile as client device making it cost efficient. The invention can be hosted as an independent service or can be integrated with existing authentication mechanisms, making it elegant for usage.
Type: Grant
Filed: July 11, 2011
Date of Patent: April 14, 2015
Assignee: Infosys Limited
Inventors: Sachin Prakash Sancheti, Sidharth Subhash Ghag
-
Patent number: 9009474
Abstract: A method and apparatus for detecting data modification in a layered operating system is disclosed. Outbound content indicators at different layers are compared to detect potential outbound data modifications. Likewise, inbound content indicators at different layers are compared to detect potential inbound data modifications. Content indicators include checksum, cryptographic hash, signature, and fingerprint indicators. Embodiments of the present invention enable detection of data modifications across an operating system's kernel and user mode spaces, prevention of modified outbound data from reaching a network, prevention of modified input data from reaching a user application, and detection of malware and faults within an operating system.
Type: Grant
Filed: April 28, 2014
Date of Patent: April 14, 2015
Assignee: Trend Micro Incorporated
Inventor: Blake Stanton Sutherland
-
Publication number: 20150095642
Abstract: The invention relates to a client computer for querying a database stored on a server via a network, the server being coupled to the client computer via the network, wherein the database comprises first data items and suffix items, wherein each suffix item describes a suffix of at least one first data item of the first data items, wherein for each suffix item a first referential connection exists in the database assigning said suffix item to the at least one first data item comprising the suffix of said suffix item, wherein each suffix item is encrypted with a suffix cryptographic key in the database, wherein each first data item is encrypted with a first cryptographic key in the database, wherein the client computer has installed thereon an application program, the application program being operational to: receiving a search request, the search request specifying a postfix search on a search criterion, determining the suffix item matching the search criterion, providing to the database a request for provi
Type: Application
Filed: September 25, 2014
Publication date: April 2, 2015
Inventor: Adrain Spalka
-
Patent number: 8994978
Abstract: An image forming apparatus performs a direct printing function. A selecting section selects at least two files from a plurality of files stored in at least one of an internal storage medium and an external storage medium. A human interface receives passwords from a user. A password determining section determines whether the selected files are protected by passwords. A file extracting section extracts the selected files from an internal storage medium or external storage medium. A password verifying section determines whether passwords contained in the selected files and the passwords inputted through the human interface coincide. A printer prints the selected files. A printing controller controls the printer, causing the printer to print at least one of selected files if the password verifying section has determined that the password contained in the at least one selected file and the password inputted by the user coincide.
Type: Grant
Filed: October 27, 2011
Date of Patent: March 31, 2015
Assignee: Oki Data Corporation
Inventors: Hiroyuki Tsuzuki, Kimitoshi Sato
-
Patent number: 8996880
Abstract: An information handling system includes a memory and a detector circuit. The memory is configured to store a first electrocardiogram measurement. The detector circuit is configured to receive a second electrocardiogram measurement in response to a specific combination of keys of a keyboard being pressed for a specific period of time, wherein each key in the specific key combination includes an electrocardiogram sensor on a top surface of the key, to authorize a user and log the user onto the information handling system when the second electrocardiogram measurement matches the first electrocardiogram measurement, and otherwise: to deny access to the information handling system; to increase a counter; to determine whether the counter has exceeded a threshold; and to request that an input window is displayed when the counter has exceeded the threshold.
Type: Grant
Filed: May 16, 2013
Date of Patent: March 31, 2015
Assignee: Dell Products, LP
Inventors: David Konetski, Frank H. Molsberry
-
Publication number: 20150089218
Abstract: A security command protocol provides secure authenticated access to an auxiliary security memory within a SCSI storage device. The auxiliary security memory acts as an authenticated separate secure storage area that stores sensitive data separately from the user data area of the SCSI storage device. The security command protocol is used to access the auxiliary security memory. The security command protocol allows a trusted execution environment to transport sensitive data to and from storage in the auxiliary security memory. The regular execution environment does not have access to the security command protocol or the auxiliary security memory. The security command protocol and auxiliary security memory eliminate the need for additional secure storage components in devices that provide the security features of firmware TPM.
Type: Application
Filed: September 23, 2013
Publication date: March 26, 2015
Applicant: NVIDIA CORPORATION
Inventor: Mark A. OVERBY
-
Publication number: 20150089217
Abstract: The present disclosure provides a way for an enciphering party to protect data by ciphering the data, and establishing conditions upon which that data can be deciphered (or accessed) by a deciphering party, without requiring the enciphering party or the deciphering party to share a cipher key, or any other information that in-and-of-itself may be used to decipher the transmitted data; without requiring a System to store the cipher key, or any information that, in isolation, may be used to produce the key; or without requiring that the enciphering party share private data, in any form, with the System.
Type: Application
Filed: September 23, 2014
Publication date: March 26, 2015
Applicant: Secourier, LLC
Inventors: Joseph Max Romanik, Christopher Scott Webster
-
Patent number: 8989374
Abstract: According to one embodiment, a memory being used to store a host identification key, a host constant (HC), and a first key, the first key being generated based on the host constant (HC); a first generator configured to decrypt a family key block read from an external device with the host identification key to generate a family key; a second generator configured to decrypt encrypted secret identification information read from the external device with the family key to generate a secret identification information; a third generator configured to generate a random number; a fourth generator configured to generate a session key by using the first key and the random number; a fifth generator configured to generate a first authentication information by processing the secret identification information with the session key in one-way function operation.
Type: Grant
Filed: June 15, 2012
Date of Patent: March 24, 2015
Assignee: Kabushiki Kaisha Toshiba
Inventors: Yuji Nagai, Taku Kato, Tatsuyuki Matsushita
-
Patent number: 8990567
Abstract: A digital signature of a message originator of a message is validated by a processor on message retrieval by a message recipient as a first-tier validation of the message. In response to a successful first-tier validation of the digital signature of the message originator, a transaction token and a message originator identifier are extracted from a message payload of the message. Communication is initiated with a verification service within a secure messaging environment of the message originator as a second-tier validation of the message using the extracted transaction token and the extracted message originator identifier to confirm whether the secure messaging environment of the message originator generated the transaction token and inserted the transaction token into the message payload. Results of the second-tier validation of the message with the verification service within the secure messaging environment of the message originator are determined.
Type: Grant
Filed: June 7, 2013
Date of Patent: March 24, 2015
Assignee: International Business Machines Corporation
Inventors: Bret W. Dixon, Scot W. Dixon
-
Patent number: 8989704
Abstract: Systems and methods for providing information security in an unobtrusive manner are presented herein. An authentication component can enable a primary user of a multi-user communications device, based on an authentication process initiated by the primary user, to classify information stored in the multi-user communications device as invisible to other users of the device. The information classified as invisible to the other users can include phone number(s), phone message(s), email address(es), email(s), electronic message(s), call history, email history, and/or personal data. In addition, an information access component can enable the primary user to access the information classified as invisible to the other users of the multi-user communications device upon authentication of the primary user's identity.
Type: Grant
Filed: December 10, 2008
Date of Patent: March 24, 2015
Assignee: Symbol Technologies, Inc.
Inventors: Amesh Chanaka Jayasuriya, Rohan Dehigaspitiyage Don
-
Patent number: 8989376
Abstract: A method for authenticating video content includes: receiving a digital signature, an unsecured video fingerprint, and an unsecured video content from a transmitting node at a receiving node in a communication network; determining if the digital signature is consistent with the unsecured video fingerprint at the receiving node to verify the unsecured video fingerprint; and determining if the unsecured video fingerprint is consistent with the unsecured video content at the receiving node to verify the unsecured video content in a manner that tolerates a predetermined measure of loss in the unsecured video content. If the unsecured video fingerprint and the unsecured video content are verified, the unsecured video content is authenticated for subsequent use at the receiving node. A receiving node associated with the method includes an input module, a fingerprint verification module, a content verification module, and a controller module.
Type: Grant
Filed: March 29, 2012
Date of Patent: March 24, 2015
Assignee: Alcatel Lucent
Inventors: Yansong Ren, Lawrence O'Gorman, John R. Zhang, Thomas L. Wood
-
Publication number: 20150082028
Abstract: A system and method of encrypting digital content in a digital container and securely locking the encrypted content to a particular user and/or computer or other computing device is provided. The system uses a token-based authentication and authorization procedure and involves the use of an authentication/authorization server. This system provides a high level of encryption security equivalent to that provided by public key/asymmetric cryptography without the complexity and expense of the associated PKI infrastructure. The system enjoys the simplicity and ease of use of single key/symmetric cryptography without the risk inherent in passing unsecured hidden keys. The secured digital container when locked to a user or user's device may not open or permit access to the contents if the digital container is transferred to another user's device. The digital container provides a secure technique of distributing electronic content such as videos, text, data, photos, financial data, sales solicitations, or the like.
Type: Application
Filed: November 25, 2014
Publication date: March 19, 2015
Applicant: DIGITAL REG OF TEXAS, LLC
Inventors: Eugene B. PHILLIPS, II, Seth ORNSTEIN
-
Patent number: 8984286
Abstract: A digital signature of a message originator of a message is validated by a processor on message retrieval by a message recipient as a first-tier validation of the message. In response to a successful first-tier validation of the digital signature of the message originator, a transaction token and a message originator identifier are extracted from a message payload of the message. Communication is initiated with a verification service within a secure messaging environment of the message originator as a second-tier validation of the message using the extracted transaction token and the extracted message originator identifier to confirm whether the secure messaging environment of the message originator generated the transaction token and inserted the transaction token into the message payload. Results of the second-tier validation of the message with the verification service within the secure messaging environment of the message originator are determined.
Type: Grant
Filed: June 28, 2012
Date of Patent: March 17, 2015
Assignee: International Business Machines Corporation
Inventors: Bret W. Dixon, Scot W. Dixon
-
Patent number: 8984587
Abstract: A system and method for managing communication. The system and method applying to but not limited to settop boxes (STBs) and other devices used to interface services. The management including any number of features and processes associated with achieving Quality of Service (QoS) across different domains and according to network limitations associated with the same.
Type: Grant
Filed: February 12, 2013
Date of Patent: March 17, 2015
Assignee: Comcast Cable Holdings, LLC
Inventor: Mark D. Francisco
-
Patent number: 8977846
Abstract: A method for the secure transfer of a digital file from a first computerized system to one second computerized system, the method comprising the following steps: writing the digital file on a first file-management module of a secure transfer device, transferring the digital file to an internal verification module of the secure transfer device, verifying one portion of the transferred digital file in the verification module, and transferring the partially verified digital file to a second file-management module of the secure transfer device according to the result of the verification, in order to allow the file to be read by the one second computerized system according to the result of the verification.
Type: Grant
Filed: October 7, 2011
Date of Patent: March 10, 2015
Assignee: Electricite de France
Inventors: Arnaud Tarrago, Pascal Sitbon, Pierre Nguyen