Abstract: A storage device and method for providing a partially-encrypted content file to a host device are provided. In one embodiment, the storage device retrieves a content file from memory in the storage device and partially-encrypts the content file by encrypting some portions of the content file. The storage device sends the partially-encrypted content file to a host device and informs the host device of which portions of the partially-encrypted content file are encrypted. In one embodiment, the remaining portions of the content file are in clear text form and do not need to be decrypted. Because the host device only needs to decrypt the portions of the content file that are encrypted—and not the entire content file—the host device can decrypt the partially-encrypted content file, even if it does not have the processing power to decrypt a fully-encrypted version. In another embodiment, at least some of the remaining portions of the content file are encrypted with at least one additional key.

Abstract: A digital content management system (1) includes a digital watermark embedding device (100) which generates a file having a file name used as a digital watermark, and embeds it into a digital content to be managed; a digital watermark information storage device (140) which stores, as digital watermark information, the file name used as the digital watermark embedded in the digital content by the digital watermark embedding device (100), while correlating it with identification information of the digital content having the digital watermark embedded therein; and a digital watermark detection device (150) which detects the file name used as the digital watermark, stored in the digital watermark information storage device (140), from the digital content to be verified, referring to the digital watermark information stored in the digital watermark information storage device (140).

Abstract: According to one embodiment, a method for setting a trap to detect that an intruder has compromised a client end station (CES) in an attempt to gain unauthorized access to enterprise data provided by a server is described. The method includes causing a honey token to be placed on the CES secluded within a configuration repository, wherein the honey token is metadata and/or instructions indicating how applications can seemingly access the enterprise data but that is actually invalid, and the honey token is placed on the CES and not on the server. The method also includes causing attribute values to be installed on a security gateway for a security rule causing the security gateway to monitor network traffic for attempted use of the honey token, and to generate an alert when a set of one or more packets that include the honey token are received.

Abstract: A digital file is associated with a security attribute related to watermarking criteria. The digital file content is encrypted, and may not be decrypted by a receiving computer unless the watermarking criteria is met. The receiving computer may decrypt only the encrypted portion of the security attribute unless the watermarking criteria are continuously met at the receiving computer. Improved security and reduction of pirating of the digital content is therefore provided.

Abstract: Disclosed is an appliance, system, method and corresponding software application for encrypting and processing data. A symbol based encryption module may be adapted to encrypt data on a symbol basis such that some or all of the encrypted data remains processable.

Abstract: Various technologies and techniques are disclosed for creating and managing persistent document collections. A data store is used for storing one or more persistent document collections. A content management application is used for managing documents for users, for creating one or more persistent document collections of a sub-set of the documents upon user request, and for storing the one or more persistent document collections in the data store. Users can create one or more persistent document collections from a sub-set of the documents. Users can also modify the one or more persistent document collections. A requested portion of one or more persistent document collections can be output upon request from an external application so that the external application can download one or more of the documents that are represented by the persistent document collection for further modification by the user.

Abstract: Embodiments provide data in-flight (DIF) services to software applications such as virtual machines (VMs) at an application level without requiring modification to established storage protocols. In exemplary embodiments, a software application is associated with a DIF services policy indicating one or more DIF services to apply to the software application. Data transmitted by the software application to a destination is tagged based on the DIF services policy associated with the software application and transmitted to the destination.

Abstract: Methods, software and devices for scoring privacy protection processes implemented by an organization are disclosed. Implementation metrics and evidence indicators are received from units of the organization. Implementation metrics represent extent of implementation of one of the privacy protection processes. Evidence indicators each identify an electronic document providing evidence of extent of implementation of one of the privacy protection processes. Each electronic document is associated with at least one of the implementation metrics for which it provides supporting evidence. For each particular privacy protection process, unit, applicable privacy protection rules are identified and a user interface is provided to facilitate assessing compliance of that organizational unit with applicable privacy protection rules. The user interface presents applicable privacy protection rules, implementation metrics, and the electronic documents associated with those implementation metrics.

Abstract: Improved privacy preservation techniques are disclosed for use in accordance with data mining. By way of example, a technique for preserving privacy of data records for use in a data mining application comprises the following steps/operations. Different privacy levels are assigned to the data records. Condensed groups are constructed from the data records based on the privacy levels, wherein summary statistics are maintained for each condensed group. Pseudo-data is generated from the summary statistics, wherein the pseudo-data is available for use in the data mining application.

Abstract: A method and system for synchronizing an encrypted file with a remote storage is disclosed. According to one embodiment, a computer-implemented method comprises providing a user with a user application and an encryption key in a portable memory device. The user runs the user application to securely access to a storage on a cloud storage system. A file is encrypted with the encryption key stored in the portable memory device and synchronized with the cloud storage system.

Abstract: The present invention relates to a distributed storage scheme, the distributed storage scheme, every file is encrypted, interleaved and fragmented, and the various fragments are stored on different constituent physical file systems.

Abstract: Systems and methods for encrypting a plaintext logical data object for storage in a storage device operable with at least one storage protocol, creating, reading, writing, optimization and restoring thereof. Encrypting the plaintext logical data object comprises creating in the storage device an encrypted logical data object comprising a header and one or more allocated encrypted sections with predefined size; encrypting one or more sequentially obtained chunks of plaintext data corresponding to the plaintext logical data object thus giving rise to the encrypted data chunks; and sequentially accommodating the processed data chunks into said encrypted sections in accordance with an order said chunks received, wherein said encrypted sections serve as atomic elements of encryption/decryption operations during input/output transactions on the logical data object.

Abstract: A method and system for segmented architecture for managing access to electronic documents having private data and public data is disclosed herein. A request for an electronic document is sent to a segmentation server, and the request becomes two queries: one for the public or non-confidential data of the electronic document and one for the private or confidential data of the electronic document. The segmentation server determines if the request is made over a private network or a public network to determine whether private data should be sent in response to the request.

Abstract: A method is provided for transferring data linked to an application installed on a security module associated with a mobile terminal, the data being stored in a first secure memory area of the security module, suitable for receiving a request to access the data, to read the data, and to transmit or store the data after encryption. A method is also provided for accessing these data suitable for transmitting a request to access, to receive and to decrypt the encrypted data. A security module, a management server, and a system implementing the transfer and access methods are also provided.

Abstract: A network storage system for a download intensive environment is provided. The network storage comprises at least a data storage server (DSS) that includes an interface enabling connection of the DSS to a network at a location that enables at least a view of network transactions performed by a plurality of clients; a storage unit; and a system adapted to monitor the network transactions occurring on the network and identification of the network transactions as belonging to a registered client of the DSS, and storing in the storage the transactions with an identification corresponding to the registered client.

Abstract: A mobile device is configured to execute encrypted source files and includes a transceiver configured to receive an archive file comprising encrypted source files. The mobile device also includes a storage unit configured to store the received archive file. A local web server in the mobile device is configured to interpret a format of the received archive file, retrieve at least one source file from the archive file in response to a request from a device browser, decrypt the retrieved source file, and forward unencrypted information associated with the decrypted source file to the device browser. The device browser in the mobile device is configured to display the unencrypted information.

Abstract: Disclosed are systems, methods and computer program products for controlling access to encrypted files. In one aspect, the system detects a request from an application to access an encrypted file. The system identifies the application that requested access to the encrypted file and one or more file access policies associated with the application. The file access policy specifies at least a file access method associated with the application. The system then controls access to the file based on the identified one or more file access policies.

Abstract: The present invention relates to an apparatus and a method for managing digital rights using virtualization technique, and more particularly to an apparatus and a method for enabling a user to access a desired text file in an independent area through a virtual machine corresponding to a licensed right for accessing the text file. The present invention comprises a virtual machine (VM) management unit for controlling a user access authorization function for accessing the text file in the area to which the virtualization technique is applied.

Abstract: Systems and methods for encrypting a plaintext logical data object for storage in a storage device operable with at least one storage protocol, creating, reading, writing, optimization and restoring thereof. Encrypting the plaintext logical data object includes creating in the storage device an encrypted logical data object including a header and one or more allocated encrypted sections with predefined size; encrypting one or more sequentially obtained chunks of plaintext data corresponding to the plaintext logical data object thus giving rise to the encrypted data chunks; and sequentially accommodating the processed data chunks into the encrypted sections in accordance with an order the chunks are received, wherein the encrypted sections serve as atomic elements of encryption/decryption operations during input/output transactions on the logical data object.

Abstract: A host system integrity monitor for monitoring memory, operating systems, applications, domain manager, and other host system's structures of interest is isolated and independent of the CPU and operating system of commodity systems. The system requires no modifications to the protected (monitored) host's software, and operates correctly even when the host system is compromised. Either arranged as a stand-alone computer on the add-in card which communicates with the monitored host system through the PCI bus, or as the co-processor based monitor located on the motherboard of the host system, or residing on one of the virtual CPU while the monitored system resides on another virtual CPU, or residing within the domain manager of the host system, the monitor monitors the integrity of the examined structure by calculating hash values of the structure, comparing them with expected hash values, and sending error reports once the discrepancy between these values is detected.

Abstract: A terminal to assign permission to an application includes a storage device to store an application list including information of applications authorized to receive manager permission, and an application processor to receive a request for the manager permission from the application and to determine to allow the manager permission to the application in response to a determination that the application is included in the application list. A method that uses a processor to assign permission to an application includes receiving a request for manager permission from the application, determining, using the processor, whether the application is included in an application list including information of applications authorized to receive manager permission, and determining whether to allow the manager permission to the application if the application is included in the application list.

Abstract: A proxy server creates an index of keywords, receives an encrypted record, decrypts the received encrypted record as decrypted data and, when a keyword in the index is encountered in the decrypted data, associates in the index an encrypted record location identifier with the encountered keyword. The proxy server receives a search query and uses the keyword index to retrieve encrypted records from the server. The encrypted records are decrypted and sent as search results in response to the search query.

Abstract: A method comprises receiving a first cryptographic token for one search term and a second cryptographic token is generated using the one search term and at least another search term. A first search is conducted using the first cryptographic token to generate a first result set, and the second cryptographic token is used for computing a subset of results of the first result set.

Abstract: A proxy server creates an index of keywords, receives at least a portion of a file, and, when a keyword in the index is encountered in the at least a portion of the file as the at least a portion of the file is being encrypted, associates in the index an encrypted record location identifier with the encountered keyword. The proxy server receives a search query and uses the keyword index to retrieve encrypted records from the server. The encrypted records are decrypted and sent as search results in response to the search query.

Abstract: Network-based service content protection techniques are described. In one or more implementations, content is edited locally by a computing device. The edited content is automatically encrypted without any user intervention by the computing device using an encryption credential, e.g., encryption key or other secret. The automatic encryption is performed responsive to a request to store the content at a network-based service provider such that the encrypted content can only be decrypted and accessed with the encryption credential and the encrypted content is uploaded to the network-based service provider.

Abstract: A system for handling an LDAP service request to an LDAP server for an LDAP service comprises a client program executable on a client system and a handler program executable on a handler system. The client program is operable to generate LDAP service request data corresponding to the LDAP service and provide the LDAP service request data for transmission from the client system, and further operable to receive LDAP service reply data in response to the LDAP service request data. The handler program is operable to receive the LDAP service request data transmitted from the client system and execute the LDAP service request to the LDAP server, receive LDAP service reply data from the LDAP server during one or more passes, and upon completion of the LDAP service, provide the LDAP service reply data for transmission to the client system in a single pass.

Abstract: A device for manipulating a computer file or program includes a processor. The device includes a network interface which receives commands. The device includes a receiver which receives the commands from the network interface and provides the commands to the processor. The device includes storage having a computer file or program in a memory. Wherein the processor, based on the commands, makes changes to the computer file or program in the memory and suspends and reestablishes user intervention to the computer file or program. A device for manipulating a computer file or program.

Abstract: Systems, methods, and machine-readable media for controlling an upload of a block of data associated with an upload command are described. In certain aspects, an interface module may be configured to obtain a cryptographic checksum for the block of data associated with the upload command. A checksum module may configured to compare the cryptographic checksum for the block of data associated with the upload command to a cryptographic checksum in an index storing cryptographic checksums identifying blocks of data previously uploaded to a server. If the cryptographic checksum for the block of data associated with the upload command matches the cryptographic checksum in the index, an upload module may be configured to cancel the upload of the block of data associated with the upload command.

Abstract: A system includes a server with an access manager configured to restrict access to files of an organization and maintain at least encryption keys for internal and external users and an external access server connected to the server and coupled between the server and a data network. The data network is configured to allow the external users use of the external access server. The external access server is also configured to permit file exchange between the internal users and the external users via the server.

Abstract: A system encrypts a private key with a master key and includes a storage device for storing a protected private key at a site location, a processor that determines a plurality of derivatives by selecting an order of site characteristics from a plurality of disjoint sets of site characteristics unique to a software installation or site location, wherein the processor applies a hash algorithm to each site characteristic. The system further includes a buffer storage device for storing an order of random selections of the site characteristics for the derivatives. The system encrypts the master key with the derivatives and additionally stores the encrypted form of the master key in a storage device.

Abstract: A method and system for access-controlled decryption in big data stores is provided. In an implementation, a system provides a method for encryption that stores meta-information about sensitive data elements being encrypted in a big data store, such as a Hadoop system, in which the bulk of the data may remain unencrypted. In an implementation, the system reads the stored meta-information at decryption time to determine where the encrypted data is within a large and unencrypted file system, and to determine whether or not an individual user has access rights to decrypt a given element of sensitive data. The system allows fine-grain control over access rights to sensitive data during decryption.

Abstract: Systems and methods for selective authorization of code modules are provided. According to one embodiment, file system or operating system activity relating to a code module is intercepted by a kernel mode driver of a computer system. The code module is selectively authorized by the kernel mode driver by authenticating a content authenticator of the code module with reference to a multi-level whitelist. The multi-level whitelist includes (i) a global whitelist database remote from the computer system that contains content authenticators of approved code modules that are known not to contain viruses or malicious code and (ii) a local whitelist database containing content authenticators of at least a subset of the approved code modules. The activity relating to the code module is allowed when the content authenticator matches one of the content authenticators of approved code modules within the multi-level whitelist.

Abstract: Systems, methods and media are provided for selective decryption of files. One method includes monitoring a secure file storage area including at least one file using a selective decryption process associated with the secure file storage area. Content of each of the at least one file is protected with an encryption. The method also includes detecting a request by an application program for one of the at least one file. The method further includes determining whether the application program needs to access the content of the requested file. The method also includes, when it is determined that the application program does not need to access the content of the requested file, allowing the application program to access the file content without decrypting the encryption.

Abstract: A system and method for exchanging data among partitions of a storage device is disclosed. For example, data stored in a first partition is exchanged with an application included in the first partition or with a second application included in a second partition. In one embodiment, the second application is associated with a global certificate while the first application is associated with a different platform certificate. A verification module included in the first partition receives a request for data and determines if the request for data is received from the first application. If the request for data is not received from the first application, the verification module determines whether the request is received from the second application and whether the global certificate is an authorized certificate. For example, the verification module determines whether the global certificate is included in a listing of authorized certificates.

Abstract: A system and method for using a declarative approach to enforce instance based security in a distributed environment is presented. The invention described herein includes security logic in declarative specifications that, in turn, decouples the security logic from distributed object administration logic. An access manager identifies access requirements by combining object name property keys included in a distributed object with property key specifications included in a declarative specification. In turn, the access manager compares a caller's access attributes with the access requirements to determine whether to create a distributed object instance and allow the caller to invoke a method on the distributed object instance. The access requirements may also include role specifications and method parameter specifications.

Abstract: A unified security management system and related apparatus and methods for protecting endpoint computing systems and managing, providing, and obtaining security functions is described. Various forms of the system, apparatus and methods may be used for improved security, security provisioning, security management, and security infrastructure.

Abstract: A method comprising encrypting an original plain text file and making it available to a user as a protected file, and issuing to said user a user program and a user license to enable said user to decrypt the protected file and view an image of the original file while preventing the image of the original file from being copied to any file, other than as a further protected file. The image is preferably stored in a memory not backed up to the computer swap file. Preferably, the user program comprises an editor program and the user saves editorial changes to the original image in an encrypted difference file, separate from the original file. Both files are then used to re-create the edited image using the editor program and user license. The user program may comprise any computer tool including compilers.

Abstract: At the time of marker attachment (at the time of encryption), for example, image conversion in which pixels to be overwritten by a marker are selected and pruned in a distributed manner and the pruning positions are moved to a marker attachment position is performed, and the marker is attached to the marker attachment position obtained as a result. At the time of marker elimination (at the time of decryption), for example, image reverse conversion in which each pixel of the marker is moved to the original position before the marker attachment is performed, each moved pixel of the marker is recovered, and the marker is eliminated.

Abstract: A method and apparatus for preventing a user from interpreting optional stored data information even when the user extracts the optional stored data, by managing data associated with a flash memory in a flash translation layer, the method comprising searching at least one page of the flash memory when writing data to the flash memory, determining whether authority information corresponding to respective searched pages includes an encryption storage function, generating, corresponding to respective searched pages, a page key according to an encrypting function when the authority information includes the encryption storage function encrypting the data using the generated page key and storing the encrypted data in the respective searched pages, and storing the data in the respective searched pages without encryption when the authority information does not include the encryption storage function.

Abstract: Extensions to the Fragment Mapping Protocol are introduced which protect a disk array from malicious client access by exporting file system access information to the storage device. FMP requests received at the storage device can be authorized at a block granularity prior to completion, thereby limiting the exposure of the disk array to malicious clients. Client authorizations can be cached at the storage device to enable the permissions to be quickly extracted for subsequent client accesses to pre-authorized volumes.

Abstract: Systems, methods, and software for providing digital security to a child message transmitted from a mobile device to a messaging server, where the mobile device typically does not transmit the parent message with the child message to the messaging server. Whether to apply digital security, such as encryption or a digital signature, or both, is determined, and if the mobile device does not include a complete copy of a parent message for insertion into the child message, the mobile device selectively downloads the parent message from the messaging server prior to the computation of a digital signature or prior to encryption. The systems and methods may also provide a check of the child message size, when the child message includes inserted parent content, to ensure that the child message does not exceed any prescribed limits on message size.

Abstract: A content server precomputes a hash value corresponding to content stored by the server. The server receives a request for the hash value from a first client device and provides the hash value to the first client device. The server receives a request for the content corresponding to the hash value from the first client device and provides the content to the first client device. The server receives a request for the hash value from a second client device and provides the hash value to the second client device, wherein the second client device obtains the content from the first client device or a local cache over a higher bandwidth connection.

Abstract: A storage device contains a smart-card device and a memory device, which is connected to a controller. The storage device may be used in the same manner as a conventional smart-card device, or it may be used to store a relatively large amount of data. The memory device may also be used to store data or instructions for use by the smart-card device. The controller includes a security engine that uses critical security parameters stored in, and received from, the smart-card device. The critical security parameters may be sent to the controller in a manner that protects them from being discovered. The critical security parameters may be encryption and/or decryption keys that may encrypt data written to the memory device and/or decrypt data read from the memory device, respectively. Data and instructions used by the smart-card device may therefore stored in the memory device in encrypted form.

Abstract: A system and method of encrypting digital content in a digital container and securely locking the encrypted content to a particular user and/or computer or other computing device is provided. The system uses a token-based authentication and authorization procedure and involves the use of an authentication/authorization server. This system provides a high level of encryption security equivalent to that provided by public key/asymmetric cryptography without the complexity and expense of the associated PKI infrastructure. The system enjoys the simplicity and ease of use of single key/symmetric cryptography without the risk inherent in passing unsecured hidden keys. The secured digital container when locked to a user or user's device may not open or permit access to the contents if the digital container is transferred to another user's device. The digital container provides a secure technique of distributing electronic content such as videos, text, data, photos, financial data, sales solicitations, or the like.

Abstract: Data encryption systems and methods. The system includes a storage device storing data and an encryption/decryption module. The encryption/decryption module randomly generates a device key seed according to the occurrence time of a specific operation or the interval between two specific operations on the storage device, and applies the device key seed to data encryption.

Abstract: To provide a configuration in which a unit classification number corresponding to a content playback path is set based on various units. A unit classification number defining a playback path of content including encrypted data having different variations generated by encrypting a segment portion which forms the content by using a plurality of segment keys and encrypted content generated by encrypting a non-segment portion by a unit key is set based on various units, such as a content management unit and an index. In a CPS unit key file storing key generating information concerning CPS units as content management units, settings of unit classification numbers are indicated. Based on the CPS unit key file, a unit classification number to which content to be played back belongs can be obtained.

Abstract: Methods, systems and computer program products are provided for controlling the disclosure time of information by a publisher to one or more recipients. A trusted body generates an asymmetrical key pair for a specified date and time of disclosure with an encryption key and a decryption key. The trusted body provides a digital certificate signed with a private key of the trusted body providing the publisher with the encryption key prior to the specified date and time. The publisher uses the encryption key to encrypt data and a recipient obtains the encrypted data at any time prior to the specified date and time. The trusted body then makes the decryption key available to the recipient at or after the specified date and time.

Abstract: Various techniques, including a method, system and computer program product for restoring encrypted files are disclosed. The method includes accessing a file table record for an encrypted file. The file table record includes an encrypted file stream and extent information identifying a location of one or more portions of the encrypted file in a virtual machine image. In response to accessing the file table record a consecutive data stream is stored. Storing the consecutive data stream includes encapsulating the encrypted file stream and the one or more portions of the encrypted file.

Abstract: The present invention relates to a method for transferring content to a device, the method including the steps of: receiving a request for content from the device; delivering a uniquely identifiable, ephemeral player to the device; and transferring content to the device, for presentation on the device by the player. The invention has particular application to digital rights management in respect of the distribution of audiovisual content such as film and television programs, advertisements and live event broadcasts over communication networks such as the Internet.

Abstract: Described herein is an efficient, dynamic Symmetric Searchable Encryption (SSE) scheme. A client computing device includes a plurality of files and a dictionary of keywords. An index is generated that indicates, for each keyword and each file, whether a file includes a respective keyword. The index is encrypted and transmitted (with encryptions of the files) to a remote repository. The index is dynamically updateable at the remote repository, and can be utilized to search for files that include keywords in the dictionary without providing the remote repository with information that identifies content of the file or the keyword.