Abstract: A method for cryptographic material management is provided. The method includes receiving into a computing device, through an API of the computing device, a designation of which of a plurality of key-producing cloud services sources each of a plurality of keys and which of a plurality of key-consuming cloud service providers uses each of the plurality of keys for encrypting or decrypting data. The method includes directing, from the computing device through a first plurality of end modules each interfaced to a specific API of a specific one of the plurality of key-producing cloud services, production of one or more of the plurality of keys. The method includes directing, from the computing device through a second plurality of end modules each interfaced to a specific API of a specific one of the plurality of key-consuming cloud service providers usage of one or more of the plurality of keys.

Abstract: A system and method for single authentication to a multi-tenancy single-page application hosted in a plurality of different datacenters. The method comprises: receiving, from a client device, a login request to access the single-page application; receiving an access token in response to an authentication of a user of the client device, wherein the access token designates at least tenant identification data; determining a datacenter of the plurality of different datacenters executing an instance of the single-page application supporting a tenant of the authenticated user; retrieving, from the determined datacenter, a single web page of the single-page application, wherein the retrieved signal web page includes at least references to resources pointing to a location of the determined datacenter; and serving the web single page to the client device.

Abstract: Computing systems, devices, and associated methods of operation of filtering packets at virtual switches implemented at hosts in a distributed computing system are disclosed herein. In one embodiment, a method includes receiving, at the virtual switch, a packet having a header and a payload and processing, at the virtual switch, the received packet based on multiple match action tables arranged in a hierarchy in which first and second layers individually contain one or more match action tables that individually contain one or more entries each containing a condition and a corresponding processing action.

Abstract: Methods and systems for a device identification system may be provided. The device identification system may determine an identity of a user device associated with a transaction. The identity may be determined by network address information, hard link information, soft link information, and/or other such information. The network address information may include IPv4 information, IPv6 information, a device ID, and/or other such information. The identity of the user device may be determined and a transaction conducted from the user device may be assigned a fraudulent transaction risk score according to the information. Transactions that are determined to be at a high risk of fraud may be reviewed or otherwise flagged and/or canceled.

Abstract: A home network system using a Z-Wave network includes a wired/wireless Z-Wave bridge having a Z-Wave communication unit to which a plurality of home automation devices are accessed through the Z-Wave network and an Ethernet communication unit which is accessed to a main server through the Internet, and a main server providing an application for a remote control of the home automation device, and performing MAC authentication to allow access to the wired/wireless Z-Wave bridge upon request by the portable terminal, in which the MAC authenticated portable terminal of the wired/wireless Z-Wave bridge is accessed to the home automation devices to perform remote control.

Abstract: A method of transferring information between subscribers associated with a communication service is disclosed. The method includes receiving a first handle address associated with a first subscriber device, in which the first subscriber device transfers information to a group of subscriber devices, each of the group of subscriber devices is linked to different handle addresses, and each of the different handle addresses is included in a group of handle addresses. The method also includes determining whether the first handle address is included in the group of handle addresses, transferring information from the first subscriber device to the group of subscriber devices in response to the first handle address being included in the group of handle addresses, and verifying that the transferred information was received by the group of subscriber devices. A corresponding system and computer-readable device are also disclosed.

Abstract: Example implementations relate to a security information sharing platform that enables sharing of security information among a plurality of members. For example, in an implementation, a system may determine that a first member of a community of a security information sharing platform is entitled access to a first set of encrypted information shared by a second member of the community. The system may also receive a request, from the first member, to access the first set of encrypted information, the request including a masked parameter. The system may also determine that the masked parameter matches an access parameter for accessing the first set of encrypted information and provide the first member access to the first set of encrypted information in response to determining that the masked parameter matches the access parameter.

Abstract: Computer-implemented methods are provided for communicating message data from a sender computer to a receiver computer via a network. The sender computer encrypts the message data in dependence on a cryptographic key to produce a ciphertext, and establishes an access password for the ciphertext with a host computer connected to the network. The sender computer sends the ciphertext via the network to the host computer, and sends an email, containing the cryptographic key in cleartext, to the receiver computer via the network. The cryptographic key comprises a random cryptographic value which is independent of the access password. The host computer receives the ciphertext from the sender computer and stores the ciphertext in association with the access password. The receiver computer receives the email from the sender computer and sends an access request for the ciphertext, and an input password, to the host computer via the network.

Abstract: Some embodiments provide a method for configuring a logical middlebox in a hosting system that includes a set of nodes. The logical middlebox is part of a logical network that includes a set of logical forwarding elements that connect a set of end machines. The method receives a set of configuration data for the logical middlebox. The method uses a stored set of tables describing physical locations of the end machines to identify a set of nodes at which to implement the logical middlebox. The method provides the logical middlebox configuration for distribution to the identified nodes.

Abstract: A platform, apparatus and method for Internet of Things Implementations. For example, one embodiment of a system comprises: an Internet of Things (IoT) hub comprising a network interface to couple the IoT hub to an IoT service over a wide area network (WAN), and programming logic to program an identification device with one or more encryption keys usable to establish encrypted communication with an IoT device; and at least one IoT device interfacing with the identification device following programming of the identification device by the IoT hub; wherein once the identification device is programmed and interfaced with the IoT device, the IoT device uses the one or more keys to establish a secure communication channel with the IoT hub and/or the IoT service.

Abstract: Various techniques described herein relate to electric vehicle power management system for managing a plurality of battery modules in a battery pack. Such electric vehicle power management system may include a plurality of battery management systems corresponding to a plurality of battery modules, and an energy management system for managing the plurality of battery management systems. The energy management system and the plurality of battery management systems may adopt master-slave wireless communication, and may use a single wireless frequency channel or a plurality of assigned wireless frequency channels.

Abstract: A data processing device includes a first packet communication interface for communication with at least one host processor via a network interface controller (NIC) and a second packet communication interface for communication with a packet data network. A memory holds a flow state table containing context information with respect to multiple packet flows conveyed between the host processor and the network via the first and second interfaces packet communication interfaces. Acceleration logic, coupled between the first and second packet communication interfaces, performs computational operations on payloads of packets in the multiple packet flows using the context information in the flow state table.

Abstract: Methods, systems, and apparatus for performing recursive embedding by URL parameterization are provided. Recursive embedding by URL parameterization may be performed by receiving a display parameter for defining a window display area within a portion of a first document associated with a first application having a first format, and a URL-based identifier specifying a portion of a second document associated with a second application having a second format. The first and second formats are different from each other. A display of the portion of first including the window display area is generated. The specified portion of the second document is displayed within the window display area, and the first and second documents are independently executable with respect to each other.

Abstract: This application discloses a GNSS reference apparatus having a vector error generator and a reference data server. The vector error generator generates one or more sequences of keyed intentional errors made confidential with confidential error keys, and then combines the sequences to generate a sequence of reference erroneous positions. The reference data server issues GNSS position-determination reference data based on the reference erroneous positions where the keyed intentional errors for at least one of the confidential sequences are reversible with confidential access to the corresponding confidential error key for determining a GNSS-based position.

Abstract: Systems and methods for management of persistent cookies in a corporate web portal are described. A plurality of zones may be defined and stored in memory. Each zone may be associated with a zone property indicative of whether cookies are allowed. A resource request may be received from a user device over a network where access to the requested resource may require a cookie. The user device may be classified into a zone from the plurality of zones based on the attributes of the user device. The cookie may be automatically installed on the user device based on a zone property for the zone and for those resources that have been configured to require installation of a cookie installed without requiring further user interaction following the request.

Abstract: Some embodiments provide a method of operating several logical networks over a network virtualization infrastructure. The method defines a managed physical switching element (MPSE) that includes several ports for forwarding packets to and from a plurality of virtual machines. Each port is associated with a unique media access control (MAC) address. The method defines several managed physical routing elements (MPREs) for the several different logical networks. Each MPRE is for receiving data packets from a same port of the MPSE. Each MPRE is defined for a different logical network and for routing data packets between different segments of the logical network. The method provides the defined MPSE and the defined plurality of MPREs to a plurality of host machines as configuration data.

Abstract: A system and computer program product for implementing a method for restricting access to information transmitted over a computing network. A computer receives a resource request for a resource to be located. The resource request contains a universal resource locator (URL). The computer determines that the requested resource is available and in response, the computer locates the requested resource contained in the resource request. The computer determines whether encryption of the contained. URL is required. The computer may determine whether encryption is required for a return URL of the requested resource that is to be returned to a location of the resource request. After the computer determines that the requested resource is available, the computer may: determine that encryption of the requested resource is required and in response, determine an encrypted value of the requested resource.

Abstract: A system may include a point-of-sale system that gathers payment card track data from a payment card and a payment card gateway that processes the track data to authorize purchase transactions. The point-of-sale system may remove sensitive data such as a portion of a primary account number from the track data and may compress the removed data. The compressed version of the data may be appended to a discretionary field in the track data. The discretionary field may be encrypted following insertion of the compressed data. Track data that has been modified in this way may be conveyed to the payment gateway for processing.

Abstract: A technology is described for making a decision based on identifying without disclosing the identifying information. The method may include receiving a mapping value that represents identifying information that has been converted into a mapping value. A request for data associated with the identifying information may be made by providing the mapping value as a proxy for the identifying information whereby the data associated with the identifying information may be located using the mapping value and returned to a requesting client or service.

Abstract: Systems and techniques for secure wireless low-power wake-up are described herein. A low-power wake-up receiver (LP-WUR) of a wireless device may receive a wake-up signal. The LP-WUR may extract a receiver ID token from the wake-up signal. The LP-WUR may then verify the receiver ID token and enable a main transceiver, different than the LP-WUR, when the verification passes to engage in wireless communications.

Abstract: A method of communicating in a secure communication system, comprises the steps of assembling as message at a sender, then determining a security level, and including an indication of the security level in a header of the message. The message is then sent to a recipient.

Abstract: A system that validates a native code module. During operation, the system receives a native code module comprised of untrusted native program code. The system validates the native code module by: (1) determining that code in the native code module does not include any restricted instructions and/or does not access restricted features of a computing device; and (2) determining that the instructions in the native code module are aligned along byte boundaries such that a specified set of byte boundaries always contain a valid instruction and control flow instructions have valid targets. The system allows successfully-validated native code modules to execute, and rejects native code modules that fail validation. By validating the native code module, the system facilitates safely executing the native code module in the secure runtime environment on the computing device, thereby achieving native code performance for untrusted program binaries without significant risk of unwanted side effects.

Abstract: A method for operating a secure device having a plurality of mutually exclusive circuit zones, including a first circuit zone having a first level of security and a second circuit zone having a second level of security less than the first level of security, the method including unpacking a key exchange package including receiving a key exchange package in the second circuit zone, the key exchange package including encrypted key data and processing the encrypted key data using a content key in the first circuit zone to generate decrypted key data and storing the decrypted key data in the first circuit zone without disclosing the decrypted key data into the second circuit zone.

Abstract: A storage count verification system is provided in which a client can verify the number of identical data items stored by a server without the server being notified of the results. A storage count verification system verifies whether a user device and a server device have identical data where search data requested by a user device is used to search data to be searched on a server device. The server device generates a public parameter for searching the data to be searched and transmits the generated public parameter to the user device. The user device is provided with a user generation unit for generating, on the basis of the public parameter received from the server device, a secret parameter that is for the search data and corresponds to the public parameter and a user encryption unit for encrypting the search data on the basis of the generated secret parameter.

Abstract: A method and system for restricting access to information transmitted over a computing network. A computer receives a resource request for a resource to be located. The resource request contains a universal resource locator (URL). The computer determines that the requested resource is available and in response, the computer locates the requested resource contained in the resource request. The computer determines whether encryption of the contained URL is required. The computer may determine whether encryption is required for a return URL of the requested resource that is to be returned to a location of the resource request. After the computer determines that the requested resource is available, the computer may: determine that encryption of the requested resource is required and in response, determine an encrypted value of the requested resource.

Abstract: A replaceable printer component includes a first memory device and a communication link. The first memory device is configured to store a first secret. The communication link is configured to communicatively link the first memory device to a printer controller when the replaceable printer component is installed in a printing system. The printing system comprises a second memory device storing a second secret. The second memory device is communicatively linked to the printer controller. The printer controller is configured to determine an authenticity of the replaceable printer component based on the first secret and the second secret.

Abstract: A system and method for managing access to content is provided. One example embodiment provides for a method including acts of identifying a filter of content based at least in part on the preferences a user and a subject presented in the content and presenting the content using the filter to the user. Another example embodiment provides for a system that includes a controller configured to identify a filter of content based on preferences of a user, to present content using the identified filter and to update the preferences of the user based on feedback from the user and the subjects presented in the content.

Abstract: A computer-based system and method for secured privacy preservation scheme while data aggregation in a non-hierarchical wireless sensor network that lacks peer-to-peer communication between the communicating sensor nodes is disclosed. The method and system adopts formation of self-adaptive efficient cluster formation for robust privacy preservation in the network by grouping the multiple sensor nodes in the network to form multiple clusters that enables low computation overhead and high scalability in the network. The method and system of the invention discloses an effective twin-key management scheme that provides establishment of secure communication among the sensor nodes and the secure communication between at least one sensor node with the sever node performing the function data aggregation of the data collected by the sensor nodes.

Abstract: A computer system includes a data network connection, a reading device, an input component and a security device, wherein the security device establishes a data network link via the data network connection as the computer system is starting up and said security device further receives access data either via the data network link or via the reading device and the input component, and said security device compares the received access data with a data record stored in a firmware on a memory element and boots the computer system if the comparison was successful.

Abstract: A device management system includes an electronic device and a remote maintenance server. The electronic device displays an operation screen to a user. The remote maintenance server includes a transparent panel management portion that draws a guide image on a virtual transparent panel based on an operation of a service person performed on a service terminal device, and causes the electronic device to overlay and display the virtual transparent panel on the operation screen.

Abstract: A device and method associates a certificate with a first recipient identity. The method comprises receiving the first recipient identity of a user. The method comprises associating the first recipient identity of the user with a second recipient identity of the user. The second recipient identity is associated with a certificate so that subsequent transmissions of data to the first recipient identity encrypts the data according to specifications of the certificate.

Abstract: A method and apparatus are provided to enable the remote management of software that is otherwise limited to using local input/output (I/O) only. According to the method and apparatus, a microcontroller is installed on a system board of a server and configured to listen to write requests directed to a first I/O interface. When such requests are detected, data that is part of such requests is intercepted and transmitted over a second I/O interface that is different from the first I/O interface.

Abstract: A replaceable printer component includes a first memory device and a communication link. The first memory device is configured to store a first secret. The communication link is configured to communicatively link the first memory device to a printer controller when the replaceable printer component is installed in a printing system. The printing system comprises a second memory device storing a second secret. The second memory device is communicatively linked to the printer controller. The printer controller is configured to determine an authenticity of the replaceable printer component based on the first secret and the second secret.

Abstract: In various embodiments, methods and systems for managing wake-enabled transport connections of wake-enabled applications is provided. A set of ports is designated as a wake-enabled port set. An operating system (OS) of a computing device running applications plumbs the multiport wake pattern to the one or more network interface controllers (NIC) of the computing device. A wake-enabled application acquires a port from the wake-enabled port set. The OS makes a determination that the application is wake-enabled and as such, assigns a port, from the wake-enable port set, to the wake-enabled application. Upon receiving a packet at the NIC, a determination is made whether the packet corresponds to a wake-enabled transport connection based on comparing the packet to the multiport wake pattern. Upon matching the packet to the multiport wake pattern, the NIC communicates with the OS to wake a portion of the wake-enabled application associated with the wake-enabled transport connection.

Abstract: Font protection management is described. In one or more implementations, a font package is obtained for an application and includes fonts that are protected by obfuscation. When the application is launched, a request to determine whether use of the protected fonts is authorized in connection with the application may be communicated to a font protection service. A response that is indicative of authorization to use the protected fonts in connection with the application may be received from the font protection service. When the response indicates that use of the protected fonts is authorized, the protected fonts may be de-obfuscated and subsequently used in connection with the application. When the response indicates that use of the protected fonts is not authorized in connection with the application, however, default fonts may be used with the application instead.

Abstract: Providing authorization and authentication in a cloud for a user of a storage array includes: receiving, by a storage array access module from a client-side array services module, a token representing authentication of user credentials and authorized access privileges defining one or more storage array services accessible by the user, where the token is generated by a cloud-based security module upon authentication of the user credentials and identification of authorized access privileges for the user; receiving, by the storage array access module from the user, a user access request to one or more storage array services; and determining, by the storage array access module, whether to grant the user access request in dependence upon the authorized access privileges represented by the token.

Abstract: Methods, apparatus and systems for implementing run-time fabric reconfiguration are described herein. In accordance with one aspect, techniques are disclosed for implementing run-time fabric reconfiguration on a System on a Chip (SoC) via use of multiple endpoint fabric interfaces having routing logic that is dynamically reconfigured at run-time by a fabric control unit in response to system-state changes. The endpoint fabric interfaces may be coupled to or integrated in IP blocks that are coupled to a switch fabric, or may be implemented in the switch fabric itself. The run-time fabric reconfiguration techniques may be implemented to for various purposes and/or to address various events, such as node failures, security events, IP or design bugs, feature prototyping, and virtualization.

Abstract: Transponder (180) having stored a fixed identification number, which expands said identification number with a random number, encrypts said expanded number with a key, and sends it to a reader (160) on its request. Reader (160), which on request receives an encrypted number from a transponder (180), decrypts a received encrypted number with a key, which was also used by the transponder (180), and extracts a fixed identification number associated with the transponder (180).

Abstract: A system that validates a native code module. During operation, the system receives a native code module comprised of untrusted native program code. The system validates the native code module by: (1) determining that code in the native code module does not include any restricted instructions and/or does not access restricted features of a computing device; and (2) determining that the instructions in the native code module are aligned along byte boundaries such that a specified set of byte boundaries always contain a valid instruction and control flow instructions have valid targets. The system allows successfully-validated native code modules to execute, and rejects native code modules that fail validation. By validating the native code module, the system facilitates safely executing the native code module in the secure runtime environment on the computing device, thereby achieving native code performance for untrusted program binaries without significant risk of unwanted side effects.

Abstract: A system and a method is provided for managing the mobility of a mobile network in a Proxy Mobile Internet Protocol (PMIP) environment operating under the Dynamic Host Configuration Protocol (DHCP) protocol. The method is based on prefix allotment between a server DHCPv6 and a mobile router via an access gateway (MAG) and the exchanging of messages between the server and a point of attachment (LMA).

Abstract: One embodiment of a system for providing services to subscribers of a network supports the provision of a plurality of different services to multiple subscribers. A first processing unit provides a first execution environment for a first set of software applications and a second processing unit provides a second execution environment for a second set of software applications. A data structure is provided for storing data associated with subscribers of the system, the data structure providing a common identity for association with a subscriber which is recognized by all processing units of the system. This provides a common user repository which simplifies the provision of services and the authentication processes within the system.

Abstract: A system and method for facilitating the entry by a signer user of information into a scaffold electronic document having multiple information entry fields, over the internet or similar network. The system includes a document summary server, in communication with a document execution server, and associated with a scaffold electronic document via network. The document summary server facilitates the entry by a signer user of information into one or more information entry fields in a scaffold document.

Abstract: A device and method are provided for a device that authenticates a server over a network. The device and method are operable to contact the server to initiate a handshaking operation. The device receives certificate information and handshaking information from the server. The device completes the handshaking operations to establish the connection with the server. The device downloads the content from the server through the connection before authenticating the server to establish a secure connection. In some aspects, the device may display a portion of the downloaded content before the server is authenticated.

Abstract: Systems and techniques are provided for the classification of risks associated with developers in an application ecosystem. Signals associated with a developer account for an application ecosystem may be received. Each of the signals may include one of an account signal, an application signal, and a financial signal, and each of the signals may be associated with a weight and a score. The signals may be combined using the weights and the scores associated with the signals to obtain a risk probability for the developer account. The risk probability may be scored.

Abstract: This application discloses a GNSS reference apparatus having a vector error generator and a reference data server. The vector error generator generates one or more sequences of keyed intentional errors made confidential with confidential error keys, and then combines the sequences to generate a sequence of reference erroneous positions. The reference data server issues GNSS position-determination reference data based on the reference erroneous positions where the keyed intentional errors for at least one of the confidential sequences are reversible with confidential access to the corresponding confidential error key for determining a GNSS-based position.

Abstract: A mobile communication device registers for data communication through a mobile communication network with a packet-based network. The device may or may not have a mobile device number, and registers using a fully-qualified-domain-name (FQDN) uniquely identifying the device in a domain-name-system (DNS) of the packet-based network. A packet-data-network gateway assigns a packet-based address for the device, and generates a request for registering the address with the FQDN in a DNS server. Alternatively, the device generates the packet-based address based on a received portion of the address, retrieves the FQDN from an identity module, and sends a DNS-Update message to the DNS server including the address and FQDN. Again alternatively, a DNS server receives an encrypted DNS update message including a FQDN and a packet-based address, and decrypts the message prior to registering the address and FQDN in a DNS database.

Abstract: A computer-implemented method is presented herein. The method obtains a first content item from an online source, and then generates a characterizing signature of the first content item. The method continues by finding a previously-saved instance of the characterizing signature and retrieving data associated with a second content item (the second content item is characterized by the characterizing signature). The method continues by analyzing the data associated with the second content item, corresponding data associated with the first content item, and decision criteria. Thereafter, either the first content item or the second content item is identified as an original content item, based on the analyzing. The other content item can be flagged as an aggregated content item.

Abstract: Strict transport security controls are arranged to detect a first navigation command of a network-enabled application to navigate from a secure connection established with a first network address and to navigate to a second network address using an unsecure reference. A filter is used to filter, in response to the detection of the first navigation command, referring information in a second navigation command used to establish a second address secure connection with a device having the second network address. The strict transport security controls service is optionally arranged to provide a warning signal upon detecting formation of the second navigation command.

Abstract: A method includes receiving a request for a device to replace a unique identifier associated with the device with a revocable identifier, generating a revocable identifier for the device, wherein the revocable identifier comprises at least a cryptographic representation of the unique identifier associated with the device and a counter value, checking the generated revocable identifier to determine that the generated revocable identifier has not previously been generated for the device and associating the generated revocable identifier with the device.

Abstract: The invention concerns the contact-less technology MIFARE, and describes a method to update a state by injecting an IV using a non-linear feedback shift register that makes use of only look-up tables and basic operations on 8-bit words.