File Protection Patents (Class 713/165)
  • Patent number: 8813231
    Abstract: Systems and methods for selective authorization of code modules are provided. According to one embodiment, a whitelist containing cryptographic hash values of code modules that are approved for loading into memory of a computer system and execution on the computer system is maintained by a kernel mode driver of the computer system. At least a subset of the cryptographic hash values has been included within the whitelist based upon results of application of one or more behavior analysis techniques to a corresponding subset of code modules. The kernel mode driver monitors a set of events occurring within one or more of a file system accessible by the computer system and an operating system that manages resources of the computer system. The kernel mode driver causes a cryptographic hash value of a code module relating to an observed event of the set of events to be authenticated with reference to the whitelist.
    Type: Grant
    Filed: November 19, 2013
    Date of Patent: August 19, 2014
    Assignee: Fortinet, Inc.
    Inventors: Andrew F. Fanton, John J. Gandee, William H. Lutton, Edwin L. Harper, Kurt E. Godwin, Anthony A. Rozga
  • Patent number: 8813246
    Abstract: A method for playing DRM-protected contents, the protected contents being downloaded by a user device from a media server in the form of protected segments, comprises executing a DRM proxy inside the user device, the DRM proxy interfacing the media server and a player configured to implement the HLS protocol; executing an HLS server in the DRM proxy; registering the DRM proxy to handle HTTP requests; producing by the DRM proxy a playlist in HLS format including a list of URLs locating the individual protected segments on the user device; processing the playlist in the player; in the DRM proxy, acquiring a license to access the protected segment identified by the URL of a current request; decrypting the protected segment in the DRM proxy based on the license; and returning a segment based on the decrypted segment to the player in response to the current URL request.
    Type: Grant
    Filed: January 31, 2013
    Date of Patent: August 19, 2014
    Assignee: Inside Secure
    Inventors: Oscar Hierro, Guido Domenici
  • Publication number: 20140229731
    Abstract: The systems and methods disclosed herein transparently provide data security using a cryptographic file system layer that selectively intercepts and modifies (e.g., by encrypting) data to be stored in a designated directory. The cryptographic file system layer can be used in combination with one or more cryptographic approaches to provide a server-based secure data solution that makes data more secure and accessible, while eliminating the need for multiple perimeter hardware and software technologies.
    Type: Application
    Filed: February 13, 2014
    Publication date: August 14, 2014
    Applicant: SECURITY FIRST CORP.
    Inventors: Mark S. O'Hare, Rick L. Orsini, Roger S. Davenport
  • Patent number: 8806647
    Abstract: Behavioral analysis of a mobile application is performed to determine whether the application is malicious. During analysis, various user interactions are simulated in an emulated environment to activate many possible resulting behaviors of an application. The behaviors are classified as hard or soft signals. A probability of the application being malicious is determined through combining soft signals, and the application is classified as malicious or non-malicious. Users of the application, the developer of the application, or a distributor of the application are notified of the application classification to enable responsive action.
    Type: Grant
    Filed: April 27, 2012
    Date of Patent: August 12, 2014
    Assignee: Twitter, Inc.
    Inventors: Neilkumar Daswani, Ameet Ranadive, Shariq Rizvi, Michael Gagnon, Tufan Demir, Gerry Eisenhaur
  • Patent number: 8806657
    Abstract: The storage system includes a host computer; a management computer coupled to the host computer; a first storage device coupled to the host computer and the management computer, and including first port management information; and a second storage device coupled to the host computer, the management computer and the first storage device, and including second port management information. The first port management information and the second port management information include an identifier of a port on each storage device, an identifier of a volume in each storage device, an access restriction and an identifier of a port permitted access from the host computer to each storage device.
    Type: Grant
    Filed: March 21, 2012
    Date of Patent: August 12, 2014
    Assignee: Hitachi, Ltd.
    Inventors: Yasuyuki Mimatsu, Kenichi Shimooka, Masayuki Yamamoto
  • Patent number: 8806200
    Abstract: The various embodiments herein provide a method for securing electronic data using an automatic key management technique to manage cryptographic keys. The method for securing electronic data comprises providing a data to a writer module, embedding a data usage policy, encrypting the data through a symmetric key encryption, creating a secure data file format for the data, accessing the secure data file format through a reader module, checking for a data file usage policy, dynamically updating the data file usage policy, if there is a change in the file usage policy on an application server, authenticating a user as per the file usage policy, decrypting the secure data file format, invoking one or more adapters and enforcing the data file usage policy. The secure data file format herein comprises data encrypted with a layered structure, instructions for computation of keys along with randomized data and instructions for de-randomizing of data.
    Type: Grant
    Filed: November 30, 2012
    Date of Patent: August 12, 2014
    Inventor: Prakash Baskaran
  • Patent number: 8806661
    Abstract: Embodiments provide a method and device for distributing an electronic document. The electronic document possesses first authorized copies information used to record a first number of authorized copies for the electronic document a local user may distribute. Every time the electronic document is distributed to a user, second authorized copies information is sent to the user, which second authorized copies information is used to record a second number of authorized copies for the electronic document the user may distribute, and the second number of authorized copies is less than or equal to the first number of authorized copies currently recorded in the first authorized copies information.
    Type: Grant
    Filed: February 17, 2010
    Date of Patent: August 12, 2014
    Assignee: Sursen Corp.
    Inventors: Donglin Wang, Kaihong Zou
  • Patent number: 8806646
    Abstract: Behavioral analysis of a mobile webpage is performed to determine whether the webpage is malicious. During analysis, the webpage is visited by an emulated mobile device to cause behaviors to occur which may be malicious. The behaviors occurring after accessing the webpage are stored. The behaviors are classified as hard or soft signals. A probability of the webpage being malicious is determined through combining soft signals, and the webpage is classified as malicious or non-malicious. Users of the webpage, the developer of the webpage, or a distributor of the webpage are notified of the webpage classification to enable responsive action.
    Type: Grant
    Filed: April 27, 2012
    Date of Patent: August 12, 2014
    Assignee: Twitter, Inc.
    Inventors: Neilkumar Daswani, Ameet Ranadive, Shariq Rizvi, Michael Gagnon, Tufan Demir, Gerry Eisenhaur
  • Patent number: 8806225
    Abstract: A mobile terminal including a communication unit configured to communicate with at least one external terminal; a memory configured to store at least first and second operating systems including at least first and second modes, respectively; and a controller configured to execute the first operating system and activate the first mode corresponding to the first operating system, display a first information screen on a display unit of the mobile terminal corresponding to the activated first mode, display an application execution history for the first mode and the second mode on a prescribed region of the first information screen of the first mode, and identifiably display whether applications included in the application execution history were executed in the first mode or the second mode.
    Type: Grant
    Filed: May 18, 2012
    Date of Patent: August 12, 2014
    Assignee: LG Electronics Inc.
    Inventors: Hyekyung Park, Dongwoo Kim, Joowoo Lee, Hyehyun Kim, Hyunah Cho
  • Patent number: 8806607
    Abstract: A method includes receiving a policy via a network connection, wherein the policy includes at least one signature. Receiving a data communication message from a processor of a computing device via a system bus. Identifying a class, and selectively forwarding the data communication message based in part on the received policy and the identified class.
    Type: Grant
    Filed: August 12, 2008
    Date of Patent: August 12, 2014
    Assignee: Verizon Patent and Licensing Inc.
    Inventors: Steven T. Archer, Paul V. Hubner, Kristopher A. Pate, Francisco A. Dias
  • Publication number: 20140223177
    Abstract: An electronic data sharing device configured to exchange a first tag with a corresponding tag from a further electronic data sharing device, wherein the first and second tags provide information that enables respective users of the electronic data sharing devices to share information via a server enabled internet-connected software system associated with the electronic data sharing devices, wherein the electronic data sharing device is either configured with a pre-shared key or is able to encrypt a session key, wherein the pre-shared key or session key are used to generate tags to ensure that: the electronic data sharing device and tags can only be made use of by the server.
    Type: Application
    Filed: July 9, 2012
    Publication date: August 7, 2014
    Applicant: BLENDOGY LIMITED
    Inventors: Philip Edward Dempster, Balbir Singh Munday, Dominic Jan Ostrowski
  • Publication number: 20140223176
    Abstract: Embodiments of the present invention provide for a method, system, and apparatus for creating a policy compliant environment on a computer. In an embodiment of the invention, an encrypted file can be loaded into memory of a computing device. The encrypted file can define a security policy for the computing device. The method can further include validating the encrypted file to ensure an authenticity of the encrypted file and updating the security policy of a target computing device in response to a successful validation of the encrypted file according to the validated encrypted file.
    Type: Application
    Filed: February 7, 2013
    Publication date: August 7, 2014
    Applicant: SteelCloud, LLC
    Inventors: Brian H. Hajost, Bao Nguyen
  • Patent number: 8800038
    Abstract: Provided is a tampering monitoring system that can identify a monitoring module that has been tampered with among a plurality of monitoring modules. A management apparatus is provided with an acquisition unit that acquires a new monitoring module that has not been tampered with, a generation unit that generates a decoy monitoring module by modifying the acquired monitoring module, a transmission unit that transmits the decoy monitoring module to the information security device and causes the information security device to install the decoy monitoring module therein, a reception unit that receives from the information security device, after the decoy monitoring module has been installed, monitoring results generated by the monitoring modules monitoring other monitoring modules, and a determination unit that identifies, by referring to the received monitoring results, a monitoring module that determines the decoy monitoring module to be valid and determines the identified monitoring module to be invalid.
    Type: Grant
    Filed: April 15, 2011
    Date of Patent: August 5, 2014
    Assignee: Panasonic Corporation
    Inventors: Yuichi Futa, Yuji Unagami, Natsume Matsuzaki, Hiroki Shizuya, Masao Sakai, Shuji Isobe, Eisuke Koizumi, Shingo Hasegawa
  • Patent number: 8799221
    Abstract: Some of the embodiments herein provide a seamless cloud of storage. This storage may be content-addressable storage. An end application may or may not be exposed to the fact that content-addressable storage is used. Various embodiments herein provide event notification, which may allow applications or users to subscribe to particular events (such as storage of an X-ray by a particular entity). Some embodiments provide for a shared archive. A shared archive may provide homogeneous access to medical data, etc. that was previously stored into the CAS cloud by heterogeneous applications, varied data types, etc. Additionally, embodiments herein allow for the creation and distribution of virtual packages. For example, a user may create a virtual package for all images related to a patient so that she may have a virtual package of all of her medical data to present to a referring physician.
    Type: Grant
    Filed: April 22, 2011
    Date of Patent: August 5, 2014
    Inventors: John Canessa, Kenneth Wright
  • Patent number: 8800059
    Abstract: Systems and methods that process and protect content are provided. In one example, a system may include, for example, a first device coupled to a second device. The first device may include, for example, an integrated circuit that may include a content processing system and a security system. The security system may include, for example, a digital rights manager. The first device and the second device may be part of a network. The network receives content and control information via the first device. The content processing system processes incoming content based upon at least the control information. The integrated circuit protects the content before placing the content on the network.
    Type: Grant
    Filed: August 27, 2012
    Date of Patent: August 5, 2014
    Assignee: Broadcom Corporation
    Inventor: Jeffrey Douglas Carr
  • Patent number: 8798272
    Abstract: Systems and methods for managing multiple keys for file encryption and decryption may provide an encrypted list of previously used keys. The list itself may be encrypted using a current key. To decrypt files that are encrypted in one or more of the previous keys, the list can be decrypted, and the appropriate previous key can be retrieved. To re-key files, an automated process can decrypt any files using previous keys and encrypt them using the current key. If a new current key is introduced, the prior current key can be used to decrypt the list of keys, the prior current key can be added to the list, and the list can be re-encrypted using the new current key.
    Type: Grant
    Filed: December 17, 2010
    Date of Patent: August 5, 2014
    Assignee: Microsoft Corporation
    Inventors: David B. Cross, Duncan G. Bryce, Jianrong Gu, Kelvin Sjek Yiu, Monica Ioana Ene-Pietrosanu
  • Patent number: 8798262
    Abstract: An encryption endpoint (EE) receives, via a storage I/O stack (having a key controller module (KCM)), encryption metadata identifying an encryption key and a set of region entries. Each region entry includes an identification of a region within a storage device subject to encryption with the encryption key and an identification of a correlation between the region and a corresponding region on a logical volume (LV) managed by the KCM. The EE receives, via the stack, a storage command to process a block having a first address on the storage device. It corresponds to a second address located within the corresponding region of the LV. The EE determines the second address within the LV and then cryptographically processes the block using an address-dependent cryptographic algorithm and (a) data of the block, (b) the determined second address, and (c) the encryption key.
    Type: Grant
    Filed: December 23, 2010
    Date of Patent: August 5, 2014
    Assignee: EMC Corporation
    Inventors: Helen Raizen, Atul Kabra
  • Patent number: 8800029
    Abstract: A method and a system for collecting and maintaining historical party reputation data and for using the historical party reputation data to calculate an access decision rating and recalculating the access decision rating when the historical party reputation data has changed has a reputation updater for updating a reputation when a party's reputation has changed, a reputation storer for storing the party's reputation, an access decision rating maker for making a rating on a party's access abilities based upon the party's reputation and reputation history storage for storing a party's reputation having access decision rating storage for storing previous and present access decision storage ratings.
    Type: Grant
    Filed: October 4, 2010
    Date of Patent: August 5, 2014
    Assignee: International Business Machines Corporation
    Inventors: Richard V. Horn, Eric M. Nelson, David C. Roxin
  • Patent number: 8799651
    Abstract: A method and system for encrypted file access are provided. The method includes the steps of: receiving (502, 552) an access request for an encrypted file (401-403) by an application (110); determining (503, 553) the application (110) making the access request; checking (505, 555) if the application (110) is authorized for access; and if authorized, allowing the access request. The access request may be a read or write access by a destination or source application (110). If the application (110) is authorized for access, the method checks (508, 558) if the application (110) is authorized for unencrypted access; and if so, allowing unencrypted file access.
    Type: Grant
    Filed: January 1, 2013
    Date of Patent: August 5, 2014
    Assignee: International Business Machines Corporation
    Inventor: Anthony H. Phillips
  • Patent number: 8798270
    Abstract: To improve a communication system including two communication apparatuses in order to reduce a possibility of having communication thereof decrypted by a third party. The communication system includes a first communication apparatus and a second communication apparatus, where one of the communication apparatuses encrypts transmission subject data to generate encrypted data and transmits it to the other communication apparatus which then decrypts received encrypted data. Before performing encryption, each of the communication apparatuses cuts the transmission subject data by a predetermined number of bits to generate transmission subject cut data. In this case, each of the communication apparatuses varies the number of bits of the transmission subject cut data, and mixes dummy data of a size of which number of bits matches with the largest number of bits out of the numbers of bits of the transmission subject cut data into the transmission subject cut data other than that of the largest number of bits.
    Type: Grant
    Filed: January 4, 2006
    Date of Patent: August 5, 2014
    Assignee: NTI, Inc.
    Inventor: Takatoshi Nakamura
  • Patent number: 8800023
    Abstract: Enabling a client computer to perform an operation is disclosed. Login information is received from a client computer. The login information is confirmed by querying a trusted agent on the client computer.
    Type: Grant
    Filed: August 16, 2011
    Date of Patent: August 5, 2014
    Assignee: EMC Corporation
    Inventors: Jeffery Gordon Heithcock, David William Barry, II, Dennis Bishop Jones
  • Patent number: 8799650
    Abstract: Using a secure portable reference to medical information, stored on a portable storage medium, various embodiments allow a patient to give to their doctor an easy-to-use access key that will enable access to desired medical information stored on a computer network. The secure portable reference provides greater transportability of medical records to a patient or medical data repository including a doctor's office, clinic, or hospital, while maintaining data security to satisfy medical data privacy regulations and expectations. Some described embodiments use encrypted information inside the secure portable reference to hide, for example, who is allowed access to the stored medical information, and the network location of the stored information. Some embodiments use a secret PIN to authenticate the user attempting access to the referenced medical information.
    Type: Grant
    Filed: December 9, 2011
    Date of Patent: August 5, 2014
    Assignee: Datcard Systems, Inc.
    Inventor: Christopher M. Duma
  • Publication number: 20140215209
    Abstract: A method and system for effective utilization of free space in electronic devices with a non-volatile memory, across an enterprise is disclosed. The enterprise distributed free space file system disclosed herein comprises a central server and multiple nodes with an agent in each node. The agent creates hidden blocks of configurable sizes in the free spaces of each electronic device and reports the availability of blocks to the central server. The central server encrypts the content to be stored in the blocks and generates an encryption key for each block. The encryption keys are randomly generated and stored in the database of the central server. The encrypted content is invisible to the owner of the electronic device. The encryption key is not shared with nodes or any other system. Further, the stored content in the free spaces can be accessed only through the central server.
    Type: Application
    Filed: January 29, 2013
    Publication date: July 31, 2014
    Inventor: Simy Chacko
  • Publication number: 20140215208
    Abstract: A virtual storage system in data communication with a user computing device via a communication network and file encryption methods for encrypting electronic documents to be uploaded into a virtual storage system where the virtual storage system includes at least one processor which captures a data stream corresponding to an electronic document retrieved from an external system, to be uploaded to the virtual storage system, and creates at least one encryption parameter and encrypts the data stream captured using the at least one encryption parameter created. The virtual storage system further includes a plurality of redundant physical storage devices in data communication with the at least one processor and each configured to store the encrypted data stream corresponding to the electronic document.
    Type: Application
    Filed: January 28, 2013
    Publication date: July 31, 2014
    Applicant: DIGITALMAILER, INC.
    Inventors: Ronald M. Daly, JR., Leonard Giambalvo, Robert Jacob Smilie
  • Publication number: 20140215210
    Abstract: A method includes receiving a request by a second user through a uniform resource locator (URL) for a user key of a shared file of a first user. The second user is a legitimate user authorized by the first user through a trust center to access the shared file. The shared file is a shared file encrypted by using the user key of the first user. A file description of the corresponding shared file is obtained from a cloud server according to the URL. The file description is a file description obtained by encrypting the user key by using a public key of the trust center. The file description is decrypted using a private key corresponding to the public key of the trust center to obtain the user key of the first user. The user key is sent to the second user.
    Type: Application
    Filed: January 30, 2014
    Publication date: July 31, 2014
    Applicant: Huawei Device Co., LTD
    Inventors: Chan Wang, Jiejing Huang, Huangwei Wu
  • Patent number: 8793215
    Abstract: Systems and methods for publishing datasets are provided herein. According to some embodiments, methods for publishing datasets may include receiving a request to publish a dataset to at least one of an internal environment located within a secured zone and an external environment located outside the secured zone, the request comprising at least one selection criteria, selecting the dataset based upon the at least one selection criteria, the dataset being selected from an index of collected datasets, and responsive to the request, publishing the dataset to at least one of the internal environment and the external environment.
    Type: Grant
    Filed: June 4, 2011
    Date of Patent: July 29, 2014
    Assignee: Recommind, Inc.
    Inventor: Robert Tennant
  • Patent number: 8793777
    Abstract: Embodiments of the present invention provide verification and/or authentication service engines that provide a customizable solution that can be “dialed” based on the risk level assigned to individual or grouped applications. The systems can also incorporate internal and external sources of data used to verify information provided by the user. It is dynamic and can pull information from a myriad of sources during the verification process, enabling credit reporting agencies (e.g., Equifax and others), FSPs, and other service providers to facilitate real-time approval and access to products and services.
    Type: Grant
    Filed: June 29, 2012
    Date of Patent: July 29, 2014
    Assignee: Equifax, Inc.
    Inventor: Christen J. Colson
  • Patent number: 8793510
    Abstract: Systems and methods for encrypting a plaintext logical data object for storage in a storage device operable with at least one storage protocol, creating, reading, writing, optimization and restoring thereof. Encrypting the plaintext logical data object comprises creating in the storage device an encrypted logical data object comprising a header and one or more allocated encrypted sections with predefined size; encrypting one or more sequentially obtained chunks of plaintext data corresponding to the plaintext logical data object thus giving rise to the encrypted data chunks; and sequentially accommodating the processed data chunks into said encrypted sections in accordance with an order said chunks received, wherein said encrypted sections serve as atomic elements of encryption/decryption operations during input/output transactions on the logical data object.
    Type: Grant
    Filed: July 7, 2011
    Date of Patent: July 29, 2014
    Assignee: International Business Machines Corporation
    Inventors: Chaim Koifman, Nadav Kedem, Avi Zohar
  • Publication number: 20140208103
    Abstract: Methods and devices for NFC-tap file encryption, decryption and access via Near Field Communication (NFC) are disclosed. A user can select an unencrypted file stored in a computing device for encryption. Upon encryption, the file name of the selected file and the encryption key used to encrypt the selected file are transmitted to an NFC-enabled wireless device for storage. The user can select an encrypted file stored in the computing device for access. As the user taps the computing device with the wireless device, the file name of the selected file is transmitted to the wireless device, which in turn transmits a decryption key for decrypting the selected file to the computing device. The computing device decrypts the selected file with the decryption key. The user can now access the decrypted file.
    Type: Application
    Filed: December 20, 2011
    Publication date: July 24, 2014
    Inventors: Farid Adrangi, Sanjay Bakshi
  • Publication number: 20140208102
    Abstract: The method provides encoding digital information by assigning encoding values from a plurality of collectives of encoding values to the message symbols. The collectives are unbound from each other, are selected randomly, and setting a correspondence between the symbols and encoding values of the selected collectives is random. Elements of the encoded message can be further assigned encoding values of further selected collectives. The method can be implemented both in virtual form using Cloud Computing technology and in a physical form, where encryption and decryption blocks are implemented in one environment physically protected against unauthorized access, writing and copying. Performing encoding and decoding in a user-inaccessible environment and providing the user only with the results of encoding and decoding processes prevents unauthorized access thereto from occurring. The technical result is widening the field of use, improved reliability and security of the digital and analog information.
    Type: Application
    Filed: April 27, 2012
    Publication date: July 24, 2014
    Inventors: Evgeniy Ivanovich Pryakhin, Ekaterina Vladimirovna Larionova, Viktor Jurevich Piraynen, Aleksandr Jurevich Garkushev
  • Patent number: 8788816
    Abstract: Systems, methods, software, computer implemented methods, and file formats that allow for the creator of a file to place constraints on a file prior to transmitting it which generally allow the owner to have greater control over the use of their data after it has left their possession. These systems and methods also allow for ongoing control of digital data which allow for a sender to delete files that have been sent, to delete copies, and to generally control data that has left their private machine through the use of multi-layer encryption.
    Type: Grant
    Filed: February 2, 2012
    Date of Patent: July 22, 2014
    Assignee: EJS Technologies, LLC
    Inventors: Douglas E. Spaulding, Kenneth A. Jamison, Jr., Jeffrey D. Elliott
  • Patent number: 8789199
    Abstract: A method for detecting if a digital document (e.g. an HTML document) is changed by others than authenticated script code (e.g. JavaScript code) is presented. The method includes loading the authenticated script code into a trusted computer application and storing a snapshot of the digital document in the trusted computer application. Before the authenticated script code is executed, the snapshot of the digital document is compared with the document to verify if the digital document is still authentic. After executing the authenticated script code, the snapshot of the digital document is replaced with an up-to-date copy reflecting eventual changes made to the digital document by the executed script code. The digital document can then at any time be compared with the most recent snapshot to verify if it is authentic.
    Type: Grant
    Filed: May 7, 2012
    Date of Patent: July 22, 2014
    Assignee: Codesealer APS
    Inventor: Martin Boesgaard
  • Patent number: 8789137
    Abstract: When a data processing device is disconnected from a computer system after mutual authentication has been completed between the computer system and the data processing device, the data processing device cancels an authenticated state, and is not able to transfer data to a device other than a specific computer system. Therefore, even when the data processing device is connected to a device other than the specific computer system after the connection of a cable supporting hot swapping has been changed, the data processing device maintains the confidentiality of data.
    Type: Grant
    Filed: March 6, 2009
    Date of Patent: July 22, 2014
    Assignee: Canon Kabushiki Kaisha
    Inventor: Shozo Yamasaki
  • Patent number: 8788810
    Abstract: In a method of temporarily registering a second device with a first device, in which the first device includes a temporary registration mode, the temporary registration mode in the first device is activated, a temporary registration operation in the first device is initiated from the second device, a determination as to whether the second device is authorized to register with the first device is made, and the second device is temporarily registered with the first device in response to a determination that the second device is authorized to register with the first device, in which the temporary registration requires that at least one of the second device and the first device delete information required for the temporary registration following at least one of a determination of a network connection between the first device and the second device and a powering off of at least one of the first device and the second device.
    Type: Grant
    Filed: December 29, 2009
    Date of Patent: July 22, 2014
    Assignee: Motorola Mobility LLC
    Inventors: Jiang Zhang, Alexander Medvinsky, Paul Moroney, Petr Peterka
  • Patent number: 8788814
    Abstract: A method and device for securing data transmission via an embedded system that is operationally coupled to a local device and a remote computing system using a network is provided. The method includes, determining if data received from the remote computing system is secured, handshaking with the remote computing system if the data received is from a new connection; decrypting the secured data; and transmitting the decrypted data to the local device. The method also includes, determining if the data received from the local device is from a new connection, handshaking with the remote computing system if the data received is from a new connection; encrypting the data; and transmitting the encrypted data to the remote computing system. A receiving module determines whether input data needs to be encrypted or decrypted; a processing module for encrypting and/or decrypting input data; and an output module for transmitting encrypted and/or decrypted data.
    Type: Grant
    Filed: December 9, 2010
    Date of Patent: July 22, 2014
    Assignee: Lantronix, Inc.
    Inventor: Nicholas J. Witchey
  • Patent number: 8788815
    Abstract: A method for accessing a protected file system includes receiving a request from a process to access the file system, the request including a requesting process identification and a requesting process name; decrypting an ACL to obtain ACL process names, ACL process identifications, and ACL process file checksums; allowing the process access to the file system if the requesting process name matches a corresponding ACL process name and the requesting process identification matches a corresponding ACL process identification; or allowing the process access to the file system if the requesting process identification does not match a corresponding ACL process identification but a calculated process file checksum matches a corresponding ACL process file checksum. In one embodiment, the ACL information can be stored in a key ring.
    Type: Grant
    Filed: January 31, 2012
    Date of Patent: July 22, 2014
    Assignee: Gazzang, Inc.
    Inventors: Eduardo Garcia, Sergio A. Pena
  • Publication number: 20140201524
    Abstract: In one embodiment, a computer-implemented method comprises determining, by a controller, whether a first data store is in an initialization mode. The first data store stores client data. A second data store stores credential data of the first user and credential data of a second user. An application server includes a first secret key store. An in-memory database server includes a second secret key store. The method further comprises, if the first data store is in the initialization mode, receiving, by the controller, from the second user a secret key for encrypting the client data stored in the first data store; and storing, in the first key store, the secret key. The method further comprises, in an operational mode, authenticating the first user based on the credential data of the first user; if the first user is authenticated, processing, in the application server, a user request from the first user.
    Type: Application
    Filed: January 15, 2013
    Publication date: July 17, 2014
    Applicant: SAP AG
    Inventor: Wolfgang Dittrich
  • Publication number: 20140201526
    Abstract: A system, method, and apparatus for securing a date file or a cognitive encryption key data file stored in a storage medium or memory device. The date file or encryption key file having stored instructions for an embedded autonomous executable program which is executed each time there is an attempt to access, control, or manipulate the encryption key file includes querying a user of the date file or encryption key file, the user environment of the date file or encryption key file, or both, for information required for analyzing a computational environment in relation to required security parameters for the cognitive date file or encryption key file. The information in relation to the security parameters is received and analyzed. The computational environment of the user is determined and analyzed in relation to the required security parameters. Access to and/or use of the date file or encryption key file is either permitted or denied based on the analysis of the user and computational environment.
    Type: Application
    Filed: March 17, 2014
    Publication date: July 17, 2014
    Inventor: Shelia Jean Burgess
  • Publication number: 20140201525
    Abstract: Systems and methods for providing sensitive data protection in a virtual computing environment. The systems and methods utilize a sensitive data control monitor on a virtual appliance machine administering guest virtual machines in a virtual computing environment, wherein each of the guest virtual machines may include a local sensitive data control agent. The sensitive data control monitor generates encryption keys for each guest virtual machine which are sent to the local sensitive data control agents and used to encrypt data locally on a protected guest virtual machine. In this manner the data itself on the virtual (or physical) disc associated with the guest virtual machine is encrypted while access attempts are gated by a combination of the local agent and the environment-based monitor, providing for secure yet administrable sensitive data protection.
    Type: Application
    Filed: March 14, 2014
    Publication date: July 17, 2014
    Applicant: CA, Inc.
    Inventors: Alex Korthny, Nir Barak, Amir Jerbi
  • Patent number: 8782403
    Abstract: Method and apparatus for securing confidential data related to a user in a computer is described. In one example, rules are obtained that provide a representation of the confidential data. A storage system in the computer is searched using the rules to detect a file having at least a portion of the confidential data. The file is encrypted in-place within the storage system using symmetric encryption based on a secret associated with the user.
    Type: Grant
    Filed: March 28, 2007
    Date of Patent: July 15, 2014
    Assignee: Symantec Corporation
    Inventors: Sourabh Satish, Brian Hernacki
  • Patent number: 8782748
    Abstract: Embodiments provide application and/or resource access control features of an online computing environment, but are not so limited. In an embodiment, a computer-implemented method provides access control features for an online application environment based in part on the use of a number of directory service instances isolated from direct customer access and deployed in a defined datacenter architecture. In one embodiment, a computing environment uses web-based access control features and a number of directory service instances having organizational units and corresponding mappings to maintain a support infrastructure as part of providing features of online application services to customers. Other embodiments are included and available.
    Type: Grant
    Filed: June 22, 2010
    Date of Patent: July 15, 2014
    Assignee: Microsoft Corporation
    Inventors: Marcin Olszewski, Jonathan Luk, Alexander I. Hopmann, Fabricio Chalub Barbosa do Rosario, David Paul Harris Gorbet, Jason Matthew Cahill
  • Patent number: 8782807
    Abstract: A code authentication architecture is used to sign code by adding one or more digital signatures to it. The digital signatures identify what authority signed the code, what the code contains, what type of program the code is, or other identifying information. When the signed code is later executed on a computer system, its identity is obtained by accessing encrypted information of the code stored on disk. The architecture then determines whether the identity satisfies at least one requirement imposed on the code for some purpose. If the code has been altered from when it was signed or it fails to satisfy a requirement imposed, the code will not have a valid identity. In addition to verifying the identity of the code, the architecture also validates executing code immediately responsible for managing the code and additional executing code in a chain of hosts responsible for managing one another.
    Type: Grant
    Filed: February 4, 2013
    Date of Patent: July 15, 2014
    Assignee: Apple Inc.
    Inventor: Peter Kiehtreiber
  • Patent number: 8782424
    Abstract: A system and method for sharing data is provided. A request is received from a mobile device to transfer a set of data to a recipient. The set of data is stored by a server and controlled by a user of the mobile device. The request is authenticated, and the data is encrypted. The set of data is transmitted to a recipient specified by the user via the mobile device.
    Type: Grant
    Filed: December 21, 2009
    Date of Patent: July 15, 2014
    Assignee: IMS Health Inc.
    Inventor: Salah Machani
  • Patent number: 8782084
    Abstract: A system, method, and computer program product are provided for conditionally allowing access to data on a device based on a location of the device. In use, a location of a device storing data is identified. Furthermore, access to the data is conditionally allowed, based on the location.
    Type: Grant
    Filed: March 31, 2009
    Date of Patent: July 15, 2014
    Assignee: McAfee, Inc.
    Inventors: Rodney Derrick Cambridge, Jonathan Dyton
  • Patent number: 8782774
    Abstract: A server establishes a secure session with a client device where a private key used in the handshake when establishing the secure session is stored in a different server. During the handshake procedure, the server receives a premaster secret that has been encrypted using a public key bound with a domain for which the client device is attempting to establish a secure session with. The server transmits the encrypted premaster secret to another server for decryption. The server receives the decrypted premaster secret and continues with the handshake procedure including generating a master secret from the decrypted premaster secret and generating one or more session keys that are used in the secure session for encrypting and decrypting communication between the client device and the server.
    Type: Grant
    Filed: March 7, 2013
    Date of Patent: July 15, 2014
    Assignee: Cloudflare, Inc.
    Inventors: Sébastien Andreas Henry Pahl, Matthieu Philippe François Tourne, Piotr Sikora, Ray Raymond Bejjani, Dane Orion Knecht, Matthew Browning Prince, John Graham-Cumming, Lee Hahn Holloway, Albertus Strasheim
  • Patent number: 8782436
    Abstract: A method and system for encrypting a plaintext logical data object for storage in a storage device operable with at least one storage protocol, creating, reading, writing, optimization and restoring thereof. Encrypting the plaintext logical data object comprises creating in the storage device an encrypted logical data object comprising a header and one or more allocated encrypted sections with predefined size; encrypting one or more sequentially obtained chunks of plaintext data corresponding to the plaintext logical data object thus giving rise to the encrypted data chunks; and sequentially accommodating the processed data chunks into said encrypted sections in accordance with an order said chunks received, wherein said encrypted sections serve as atomic elements of encryption/decryption operations during input/output transactions on the logical data object.
    Type: Grant
    Filed: May 31, 2007
    Date of Patent: July 15, 2014
    Assignee: International Business Machines Corporation
    Inventors: Chaim Koifman, Nadav Kedem, Avi Zohar
  • Publication number: 20140195802
    Abstract: Text containing files are encrypted by first formatting the files for display. The display-formatted files are then coded to form files indicating the information. The files are encrypted.
    Type: Application
    Filed: March 4, 2014
    Publication date: July 10, 2014
    Inventor: Scott C. Harris
  • Patent number: 8774403
    Abstract: Embodiments are directed towards enabling cryptographic key rotation without disrupting cryptographic operations. If key rotation is initiated, a transitional key may be generated by encrypting the current key with a built-in system key. A new key may be generated based on at least one determined key parameter. Next, the new key may be activated by the one or more key holders. If the new key is activated, it may be designated as the new current key. The new current key may be employed to encrypt the transitional key and store it in a key array. Each additional rotated key may be stored in the key array after it is encrypted by the current cryptographic key. Further, in response to a submission of an unencrypted query value, one or more encrypted values that correspond to a determined number of rotated cryptographic keys are generated.
    Type: Grant
    Filed: December 7, 2012
    Date of Patent: July 8, 2014
    Assignee: Dark Matter Labs, Inc.
    Inventors: Jeffrey Earl MacMillan, Jason Arthur Offrey
  • Patent number: 8775639
    Abstract: A method and apparatus for enabling consumers to scan RFID tags using home based endpoint devices that can transmit the scanned information to network based services are disclosed. Using the RFID scanned information, consumers can then access, retrieve and view additional information regarding products, in which RFIDs are embedded, on video display devices, such as televisions or video display monitors. This product related information can include interactive technical support, companion product information, or instructional guidelines.
    Type: Grant
    Filed: September 14, 2012
    Date of Patent: July 8, 2014
    Assignee: AT&T Intellectual Property II, L.P.
    Inventors: Marian Croak, Hossein Eslambolchi
  • Patent number: 8775800
    Abstract: A system may include reception of a request for an encryption key pair including a first private encryption key and a first public encryption key, the encryption key pair associated with a future event, generation of the encryption key pair, transmission of the first public encryption key to a second device, reception, from the second device, of a file encrypted using the first public encryption key and using a second public encryption key of an intended recipient, transmission of the file to a third device associated with the intended recipient, detection of the future event, and, in response to the detection of the future event, transmission of the first private encryption key to the third device.
    Type: Grant
    Filed: November 2, 2010
    Date of Patent: July 8, 2014
    Assignee: SAP AG
    Inventors: Robert Doerner, Achim Enenkiel