Object Protection Patents (Class 713/167)
  • Patent number: 8875218
    Abstract: In an information management system, policies are deployed to targets and targets can evaluate the policies whether they are connected or disconnected to the system. The policies may be transferred to the target, which may be a device or user. Relevant policies may be transferred while not relevant policies are not. The policies may have policy abstractions.
    Type: Grant
    Filed: December 22, 2006
    Date of Patent: October 28, 2014
    Assignee: NextLabs, Inc.
    Inventor: Keng Lim
  • Patent number: 8875271
    Abstract: Mechanisms are disclosed that allow for execution of unsigned content and the securing of resources in a closed system when such unsigned content is executing on the system. For example, an access layer is used between an operating system layer of the closed system and the actual unsigned content. This access layer may contain various sub-layers, such as a graphics layer, an audio layer, an input layer, and a storage layer. These layers can control access that the unsigned content can have to the native operating system layers and the associated resources of the closed system. By providing such an access layer, unsigned content, e.g., video games, can run on the closed system that is typically designed to run only signed content.
    Type: Grant
    Filed: December 8, 2006
    Date of Patent: October 28, 2014
    Assignee: Microsoft Corporation
    Inventors: Ronnie Donnel Yates, Jr., Albert Sing Ho, Thomas Wayne Miller, Jr., Paul L. Bleisch
  • Patent number: 8869292
    Abstract: A 3D object is protected by a first device that receives the 3D object, generates translation vectors that are added to the points of the 3D object to obtain a protected 3D object, and outputs the protected 3D object. The protected 3D object is unprotected by a second device by receiving the protected 3D object, generating translation vectors that are subtracted from the points of the protected 3D object to obtain an unprotected 3D object, and outputting the unprotected 3D object. Also provided are the first device, the second device and computer readable storage media.
    Type: Grant
    Filed: May 1, 2012
    Date of Patent: October 21, 2014
    Assignee: Thomson Licensing
    Inventors: Marc Eluard, Yves Maetz, Sylvain Lelievre
  • Patent number: 8869283
    Abstract: A method or system of receiving an electronic file containing content data in a predetermined data format, the method comprising the steps of: receiving the electronic file, determining the data format, parsing the content data, to determine whether it conforms to the predetermined data format, and if the content data does conform to the predetermined data format, regenerating the parsed data to create a regenerated electronic file in the data format.
    Type: Grant
    Filed: April 4, 2012
    Date of Patent: October 21, 2014
    Assignee: Glasswall (IP) Limited
    Inventor: Nicholas John Scales
  • Patent number: 8863301
    Abstract: A computer receives an electronic document that includes a group of terms. The computer sends the electronic document to an information extraction program that extracts specific terms from the group of terms. Each of the specific terms that match to a certain extent with one of the attribute values in an electronic dictionary is identified. A value associated with the electronic document is generated based on the specific terms that match, and on an end-user that is attempting to access the electronic document.
    Type: Grant
    Filed: May 28, 2013
    Date of Patent: October 14, 2014
    Assignee: International Business Machines Corporation
    Inventors: Sheshnarayan Agrawal, Prasad M. Deshpande, Mukesh K. Mohania, Karin Murthy, Deepak S. Padmanabhan
  • Patent number: 8862876
    Abstract: A computer system having at least first and second documents, a plurality of decryption keys, and a plurality of data segments stored therein, is provided. Each of the plurality of data segments is decryptable by a selected one of the decryption keys. The decryption keys include a first set of decryption keys associated with the first document and not associated with the second document, a second set of decryption keys associated with the second document and not associated with the first document, and a third set of decryption keys associated with the first document and the second document. The first document is deleted, and in response, the first set of decryption keys is rendered unusable, and the second set of decryption keys and the third set of decryption keys are not rendered unusable.
    Type: Grant
    Filed: November 9, 2010
    Date of Patent: October 14, 2014
    Assignee: International Business Machines Corporation
    Inventor: Michael Hirsch
  • Publication number: 20140304507
    Abstract: A system and method for delivering content to end users encrypted within a content delivery network (CDN) for content originators is disclosed. CDNs transport content for content originators to end user systems in a largely opaque manner. Caches and origin servers in the CDN are used to store content. Some or all of the content is encrypted within the CDN. When universal resource indicators (URIs) are received from an end user system, the CDN can determine the key used to decrypt the content object within the CDN before delivery. Where there is a cache miss, an origin server can be queried for the content object, which is encrypted in the CDN.
    Type: Application
    Filed: March 17, 2014
    Publication date: October 9, 2014
    Inventors: Peter Coppola, William P. White, Tamara Monson
  • Patent number: 8856529
    Abstract: Methods and systems provide secure functions for a mobile client. A circuit may include a memory configured to store a server access key and a first function authentication key. The circuit may also include authentication circuitry configured to access the server access key to authenticate access to a server to download a function capsule comprising a first function and to access the first function authentication key to authenticate use of the first function of the function capsule.
    Type: Grant
    Filed: December 18, 2013
    Date of Patent: October 7, 2014
    Assignee: Broadcom Corporation
    Inventors: Edward H. Frank, Mark Buer, Jeyhan Karaoguz
  • Publication number: 20140298013
    Abstract: Disclosed is a method of transmitting a data set using encryption, wherein the method comprises the steps of: selecting a first encryption technique, wherein said first encryption technique comprises a first encryption algorithm for encrypting plain data into cipher data, and a first decryption algorithm for, on provision of a specific key, decrypting cipher data and reproducing plain data; encrypting the first data package comprising plain data, using a first encryption program implementing the first encryption algorithm of said first encryption technique, creating a first encrypted data package comprising cipher data; obtaining a first decryption program; and transmitting said first decryption program and said first encrypted data package to a receiver, wherein the first decryption, upon provision of the specific key and the first encrypted data package, will decrypt the cipher data in the first encrypted data package and reproduce the plain data of the first data package.
    Type: Application
    Filed: October 26, 2012
    Publication date: October 2, 2014
    Inventor: Lars R. Knudsen
  • Patent number: 8849897
    Abstract: Aspects of the subject matter described herein relate to delegating application invocation back to a client. In aspects, a server hosts an application that has a user interface that is presented on a client. User interaction on the user interface is encoded and sent to the server to give to the application. When the user uses the application such that another application is to be executed, a server delegator determines whether to execute the other application on the server or the client. If the application is to be executed on the client, the server delegator instructs a component that executes on the client to execute the application on the client. Otherwise, the application is executed on the server and data representing the user interface of the application is sent to the client so that the client may present the user interface to a user.
    Type: Grant
    Filed: November 15, 2007
    Date of Patent: September 30, 2014
    Assignee: Microsoft Corporation
    Inventors: Amos Ortal, Nir Nice, Ashwin Palekar, Craig Alan Nelson, Paresh Ramchandra Haridas
  • Patent number: 8850549
    Abstract: To control privileges and access to resources on a per-process basis, an administrator creates a rule that may be applied to modify a token of a process. The rule may include an application-criterion set and changes to be made to the groups and/or privileges of the token. The rule may be set as a policy within a group policy object (GPO), where a GPO is associated with one or more groups of computers or users. When a GPO containing a rule is applied to a computer, a driver installed on the computer may access the rule(s) anytime a logged-on user executes a process. If the executed process satisfies the criterion set of a rule, the changes contained within the rule are made to the process token, and the user has expanded and/or contracted access and/or privileges for only that process.
    Type: Grant
    Filed: May 3, 2010
    Date of Patent: September 30, 2014
    Assignee: BeyondTrust Software, Inc.
    Inventors: Peter David Beauregard, Andrey Kolishchak, Shannon E. Jennings, Robert F. Hogan
  • Patent number: 8850231
    Abstract: Disclosed are a method and apparatus for a data storage library comprising a plurality of drives and a combination bridge controller device adapted to direct and make compatible communication traffic between a client and the plurality of drives. The combination bridge controller device is further adapted to encrypt a first data package received from the client. The combination bridge controller device is further adapted to transmit the encrypted first data package, a first moniker and a first message authentication code to one of the plurality of drives for storage to a cooperating mobile storage medium. The combination bridge controller device is further adapted to decrypt the first data package when used in combination with a first key associated with the first moniker and guarantee the decryption of the first data package was successfully accomplished with authentication of the first message authentication code.
    Type: Grant
    Filed: December 18, 2009
    Date of Patent: September 30, 2014
    Assignee: Spectra Logic Corporation
    Inventors: Matthew Thomas Starr, Jeff Robert Boyton, Nathan Christopher Thompson
  • Patent number: 8848918
    Abstract: A computer system having at least first and second documents, a plurality of decryption keys, and a plurality of data segments stored therein is provided. Each of the plurality of data segments is decryptable by a selected one of the decryption keys. The decryption keys include a first set of decryption keys associated with the first document and not associated with the second document, a second set of decryption keys associated with the second document and not associated with the first document, and a third set of decryption keys associated with the first document and the second document. The first document is deleted, and in response, the first set of decryption keys is rendered unusable, and the second set of decryption keys and the third set of decryption keys are not rendered unusable.
    Type: Grant
    Filed: June 4, 2012
    Date of Patent: September 30, 2014
    Assignee: International Business Machines Corporation
    Inventor: Michael Hirsch
  • Patent number: 8844025
    Abstract: Example embodiments disclosed herein relate to a storage device. The storage device may include a mechanism that monitors for receipt of cached authentication data from a host computing device upon resuming operation from a standby mode of the host computing device. The storage device may further include a mechanism that unlocks the storage device in response to receipt of the cached authentication data from the host computing device. In addition, the storage device may include a mechanism that monitors for receipt of re-authentication data and a mechanism that locks the storage device when a predetermined period of time has passed since resuming operation from the standby mode without receipt of the re-authentication data. Related computing devices, methods, and machine-readable storage media are also disclosed.
    Type: Grant
    Filed: March 26, 2010
    Date of Patent: September 23, 2014
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Leonard E. Russo, Lan Wang, Jennifer E. Rios
  • Patent number: 8844052
    Abstract: A Flash advertisement is provided, and access to sensitive data associated with the Flash advertisement is restricted. First library code is stored at a first security domain, the first library code to control playback of the Flash advertisement; and second library code is stored at a second security domain, the second library code to access the sensitive data. An application at a third security domain is permitted to access the first library code, and only code residing at the first security domain is permitted to access the second library code.
    Type: Grant
    Filed: July 6, 2012
    Date of Patent: September 23, 2014
    Assignee: Google Inc.
    Inventors: Poorva Arankalle, Wesley Carr
  • Patent number: 8843998
    Abstract: Embodiments of apparatus, systems and methods facilitate deployment of distributed computing applications on hybrid public-private infrastructures by facilitating secure access to selected services running on private infrastructures by distributed computing applications running on public cloud infrastructures. In some embodiments, a secure tunnel may be established between proxy processes on the public and private infrastructures and communication between the distributed computing application and the selected services may occur through the proxy processes over the secure tunnel.
    Type: Grant
    Filed: November 25, 2011
    Date of Patent: September 23, 2014
    Assignee: Cliqr Technologies, Inc.
    Inventors: Tianying Fu, Gaurav Manglik, Xuefeng Zhu
  • Patent number: 8843734
    Abstract: A technique and system protects documents at rest and in motion using declarative policies and encryption. Encryption in the system is provided transparently and can work in conjunction with policy enforcers installed at a system. A system can protect information or documents from: (i) insider theft; (ii) ensure confidentiality; and (iii) prevent data loss, while enabling collaboration both inside and outside of a company.
    Type: Grant
    Filed: April 4, 2012
    Date of Patent: September 23, 2014
    Assignee: NextLabs, Inc.
    Inventor: Keng Lim
  • Patent number: 8838964
    Abstract: A method and system for software package auditing is described. A processing device receives user input that identifies one or more software packages to be included in a software product release. The one or more identified packages are imported into a package audit tool executable by the processing device and the package audit tool automatically validates that the imported packages comply with a set of one or more requirements specified for the software product release using the package audit tool.
    Type: Grant
    Filed: November 30, 2010
    Date of Patent: September 16, 2014
    Assignee: Red Hat, Inc.
    Inventors: Dennis George Gregorovic, Tomas Kopecek, Martin Magr, Daniel W. Riek
  • Patent number: 8826449
    Abstract: Systems and methods are provided for the detection and prevention of intrusions in data at rest systems such as file systems and web servers. The systems and methods regulate access to sensitive data with minimal dependency on a communications network. Data access is quantitatively limited to minimize the data breaches resulting from, e.g., a stolen laptop or hard drive.
    Type: Grant
    Filed: September 27, 2007
    Date of Patent: September 2, 2014
    Assignee: Protegrity Corporation
    Inventor: Ulf Mattsson
  • Patent number: 8826405
    Abstract: A method and an apparatus for configuring a key stored within a secure storage area (e.g., ROM) of a device including one of enabling and disabling the key according to a predetermined condition to execute a code image are described. The key may uniquely identify the device. The code image may be loaded from a provider satisfying a predetermined condition to set up at least one component of an operating environment of the device. Verification of the code image may be optional according to the configuration of the key. Secure execution of an unverified code image may be based on a configuration that disables the key.
    Type: Grant
    Filed: September 15, 2012
    Date of Patent: September 2, 2014
    Assignee: Apple Inc.
    Inventors: Joshua de Cesare, Michael Smith, Dallas Blake De Atley, John Andrew Wright
  • Patent number: 8826368
    Abstract: The invention discloses a platform authentication method suitable for trusted network connect (TNC) architecture based on tri-element peer authentication (TePA). The method relates to a platform authentication protocol of tri-element peer authentication, and the protocol improves network security as compared with prior platform authentication protocols; in the platform authentication protocol of the TNC architecture based on TePA, a policy manager plays a role as a trusted third party, which is convenient for concentrated management, thus enhancing manageability; the invention relates to the platform authentication protocol of the TNC architecture based on TePA, has different implementation methods and is beneficial for different dispositions and realizations.
    Type: Grant
    Filed: December 24, 2009
    Date of Patent: September 2, 2014
    Assignee: China Iwncomm Co., Ltd.
    Inventors: Yuelei Xiao, Jun Cao, Li Ge, Zhenhai Huang
  • Patent number: 8819420
    Abstract: The present invention provides an encryption/decryption approach to protect valuable information from being represented in a clear-text form when an application processes the valuable information. The present invention processes a structured input file to create internal data structures and generates an encrypted output file from the extracted internal data structures. The encrypted file of internal data structures can be decrypted to enable further processing of the valuable information without representing the valuable information as clear-text in memory. Further, the decrypted internal data structures are stored at different locations in memory.
    Type: Grant
    Filed: June 19, 2006
    Date of Patent: August 26, 2014
    Assignee: The MathWorks, Inc.
    Inventors: William M. McKeeman, Steve Johnson
  • Patent number: 8819768
    Abstract: A cloud service access and information gateway receives, from a user device, a request to access a cloud service. The cloud service access and information gateway determines an identity of a user making the request to access the cloud service and compares the identity of the user to a password vault control policy. The cloud service access and information gateway determines, based on the comparing, one or more sections of a split password vault to which the user has access. The split password vault comprises a first section storing a first set of log-in credentials and a second section storing a second set of log-in credentials.
    Type: Grant
    Filed: December 30, 2011
    Date of Patent: August 26, 2014
    Inventors: Robert Koeten, Nicolas Popp
  • Patent number: 8819422
    Abstract: System and methods for access control in a Universal Plug and Play (UPnP) network are based on a user identity. A control point has an identity assertion capability for identifying a user. The control point is configured to declare a value of an attribute associated with the identity assertion capability. A device is communicatively coupled to the control point via the UPnP network. The device has a first access control list and a trusted-to-identify access control list (TIA). The device is configured to permit the user to perform one or more actions based upon whether the user identity appears as a subject in the first access control list.
    Type: Grant
    Filed: April 22, 2008
    Date of Patent: August 26, 2014
    Assignee: Motorola Mobility LLC
    Inventors: Mahesh V. Tripunitara, Dean H. Vogler, Patrick Toomey
  • Patent number: 8813255
    Abstract: An embodiment of the invention provides a method for security classification applying social norming. More specifically, content is received from a user via an interface; and, a data repository connected to the interface stores the content. A portal connected to the data repository identifies an attempt to access the content from a non-user. A program processor connected to the portal determines whether the content includes a security classification. When the content does not include a security classification, a communications module connected to the program processor sends an alert to the user. The alert includes a request to assign a security classification to the content. When the content includes a security classification, the communications module sends a message to the user, wherein the message includes a request to verify the security classification.
    Type: Grant
    Filed: January 28, 2011
    Date of Patent: August 19, 2014
    Assignee: International Business Machines Corporation
    Inventors: Tamer E. Abuelsaad, John H. Handy-Bosma, Yael Ravin, William D. Morrison
  • Patent number: 8812855
    Abstract: A program (MC), which can be executed by a programmable circuit, is protected in the following manner. An instruction block (IB) is provided on the basis of at least a portion (MC-P) of the program. A protective code (DS) is generated that has a predefined relationship with the instruction block (IB). The instruction block (IB) is analyzed (ANL) so as to identify free ranges (FI) within the instruction block that are neutral with respect to an execution of the instruction block. The free ranges comprise at least one of the following types: bit ranges and value ranges. The free ranges that have been identified are used for embedding (SEB) the protective code (DS) within the instruction block (IB).
    Type: Grant
    Filed: March 1, 2010
    Date of Patent: August 19, 2014
    Assignee: NXP B.V.
    Inventor: Hugues de Perthuis
  • Publication number: 20140229732
    Abstract: A distributed computing environment utilizes a cryptography service. The cryptography service manages keys securely on behalf of one or more entities. The cryptography service is configured to receive and respond to requests to perform cryptographic operations, such as encryption and decryption. The requests may originate from entities using the distributed computing environment and/or subsystems of the distributed computing environment.
    Type: Application
    Filed: February 12, 2013
    Publication date: August 14, 2014
    Applicant: Amazon Technologies, Inc.
    Inventor: Amazon Technologies, Inc.
  • Patent number: 8806208
    Abstract: The embodiments of the present invention relate to apparatuses, in terms of a client device (110) and a server (120) and to methods in the client device (110) and in the server (120) respectively for enabling a user to consume content provided by a content provider. According to the method in the client device (120) the method comprises: assembling a request for rights for consuming a content and indicating in the request which content to consume; determining if an upgrade key, associated with the content, is present in the client device; including, in such a case, in the request, an identifier of the upgrade key that is associated with the content, sending the request to the content provider; receiving, a response comprising an encrypted rights object; decrypting the encrypted rights object and starting to use the rights object for consuming the content.
    Type: Grant
    Filed: February 11, 2010
    Date of Patent: August 12, 2014
    Assignee: Telefonaktiebolaget L M Ericsson (Publ)
    Inventors: Yi Cheng, Ulf Björkengren, Daniel Catrein, Frank Hartung
  • Patent number: 8806655
    Abstract: Disclosed are various embodiments for providing limited versions of applications. A limited version of an application is automatically generated from a full version of the application based at least in part on an expected use of the application by a client computing device during a testing period. The limited version has a smaller data size than the full version. The limited version of the application is sent to the client computing device. The limited version of the application is configured to be executed in a secured environment of the client computing device. The secured environment denies the limited version of the application access to secured resources of the client computing device.
    Type: Grant
    Filed: November 3, 2011
    Date of Patent: August 12, 2014
    Assignee: Amazon Technologies, Inc.
    Inventors: David M. Brownell, Gerard J. Heinz, II, Patrick G. McCuller
  • Patent number: 8800050
    Abstract: Technology is provided for provisioning a user computer system with membership in a privilege set in order to execute a pre-release resource. Some examples of pre-release resources are alpha and beta versions of firmware or software which can be downloaded to user computer systems. The pre-release resources are associated with different privilege sets based on their security risk levels. In one example, a security risk level may represent a number of user computer systems at risk of an integrity failure of the pre-release resource. In other examples, the security risk may represent an operational layer of the user computer system affected by the resource or a level of security testing certification success for the pre-release resource. A privilege set identifier indicates membership in one or more privilege sets.
    Type: Grant
    Filed: November 9, 2010
    Date of Patent: August 5, 2014
    Assignee: Microsoft Corporation
    Inventor: Kenneth Ray
  • Patent number: 8793215
    Abstract: Systems and methods for publishing datasets are provided herein. According to some embodiments, methods for publishing datasets may include receiving a request to publish a dataset to at least one of an internal environment located within a secured zone and an external environment located outside the secured zone, the request comprising at least one selection criteria, selecting the dataset based upon the at least one selection criteria, the dataset being selected from an index of collected datasets, and responsive to the request, publishing the dataset to at least one of the internal environment and the external environment.
    Type: Grant
    Filed: June 4, 2011
    Date of Patent: July 29, 2014
    Assignee: Recommind, Inc.
    Inventor: Robert Tennant
  • Patent number: 8793510
    Abstract: Systems and methods for encrypting a plaintext logical data object for storage in a storage device operable with at least one storage protocol, creating, reading, writing, optimization and restoring thereof. Encrypting the plaintext logical data object comprises creating in the storage device an encrypted logical data object comprising a header and one or more allocated encrypted sections with predefined size; encrypting one or more sequentially obtained chunks of plaintext data corresponding to the plaintext logical data object thus giving rise to the encrypted data chunks; and sequentially accommodating the processed data chunks into said encrypted sections in accordance with an order said chunks received, wherein said encrypted sections serve as atomic elements of encryption/decryption operations during input/output transactions on the logical data object.
    Type: Grant
    Filed: July 7, 2011
    Date of Patent: July 29, 2014
    Assignee: International Business Machines Corporation
    Inventors: Chaim Koifman, Nadav Kedem, Avi Zohar
  • Patent number: 8789137
    Abstract: When a data processing device is disconnected from a computer system after mutual authentication has been completed between the computer system and the data processing device, the data processing device cancels an authenticated state, and is not able to transfer data to a device other than a specific computer system. Therefore, even when the data processing device is connected to a device other than the specific computer system after the connection of a cable supporting hot swapping has been changed, the data processing device maintains the confidentiality of data.
    Type: Grant
    Filed: March 6, 2009
    Date of Patent: July 22, 2014
    Assignee: Canon Kabushiki Kaisha
    Inventor: Shozo Yamasaki
  • Patent number: 8789188
    Abstract: Systems and methods are presented for automatically determining the security requirements of program code during the creation or modification of that program code and for presenting the necessary security permissions to a developer of the program code at the time of the creation or modification of the program code. A cache is established containing program code segments including library calls and application program interfaces that require security permissions at runtime. The cache also includes the security permissions associated with the stored program code segments. Program code editing is monitored in real time during the editing, and instances of edits that add, modify or delete the stored program code segments from the program code being edited are identified. The security permissions associated with the program code segments that are modified by the edits are retrieved from the cache.
    Type: Grant
    Filed: October 5, 2007
    Date of Patent: July 22, 2014
    Assignee: International Business Machines Corporation
    Inventors: Ted A. Habeck, Lawrence Koved, Jeff McAffer, Marco Pistoia
  • Patent number: 8782436
    Abstract: A method and system for encrypting a plaintext logical data object for storage in a storage device operable with at least one storage protocol, creating, reading, writing, optimization and restoring thereof. Encrypting the plaintext logical data object comprises creating in the storage device an encrypted logical data object comprising a header and one or more allocated encrypted sections with predefined size; encrypting one or more sequentially obtained chunks of plaintext data corresponding to the plaintext logical data object thus giving rise to the encrypted data chunks; and sequentially accommodating the processed data chunks into said encrypted sections in accordance with an order said chunks received, wherein said encrypted sections serve as atomic elements of encryption/decryption operations during input/output transactions on the logical data object.
    Type: Grant
    Filed: May 31, 2007
    Date of Patent: July 15, 2014
    Assignee: International Business Machines Corporation
    Inventors: Chaim Koifman, Nadav Kedem, Avi Zohar
  • Patent number: 8782431
    Abstract: The present invention includes a system and process for generating secured, marked digital files. A cryptographic token is inertly embedded in markup language tags of digital files.
    Type: Grant
    Filed: March 24, 2012
    Date of Patent: July 15, 2014
    Assignee: Mach 1 Development, Inc.
    Inventors: Paul L. Greene, Charles M. Tellechea, Jr.
  • Patent number: 8782802
    Abstract: The embodiments relate to a method for providing at least one REL (Rights Expression Language) token, the REL-token or tokens being provided in a message by a MIME (Multipurpose Internet Mail Extension) protocol.
    Type: Grant
    Filed: April 2, 2008
    Date of Patent: July 15, 2014
    Assignee: Siemens Aktiengesellschaft
    Inventors: Murugaraj Shanmugam, Hannes Tschofenig
  • Patent number: 8775819
    Abstract: A method of authorising a user in communication with a workstation is disclosed. According to the method, a system automatically determines a plurality of available user information entry devices in communication with the workstation. The system then determines predetermined user authorization methods each requiring data only from available user information entry devices. The user then selects one of the determined authorization methods for use in user authorization. Optionally, each authorization method is associated with a security level relating to user access to resources. Once the authorization method is selected, the user provides user authorization information in accordance with a determined user authorization method and registration proceeds.
    Type: Grant
    Filed: August 31, 2012
    Date of Patent: July 8, 2014
    Assignee: Activcard Ireland Limited
    Inventors: Laurence Hamid, Robert D. Hillhouse
  • Patent number: 8769228
    Abstract: An anti-malware approach uses a storage drive with the capability to lock selected memory areas. Platform assets such as OS objects are stored in the locked areas and thus, unauthorized changes to them may not be made by an anti-malware entity.
    Type: Grant
    Filed: December 17, 2010
    Date of Patent: July 1, 2014
    Assignee: Intel Corporation
    Inventors: Paritosh Saxena, Nicholas D. Triantafillou, Paul J. Thadikaran, Mark E. Scott-Nash, Sanjeev N. Trika, Akshay Kadam, Karthikeyan Vaidyanathan, Richard Mangold
  • Patent number: 8769274
    Abstract: A cloud deployment appliance includes a key stored internally and that is used during restore to decrypt encrypted backup images. That key is not available to an administrator of the appliance; instead, the administrator receives a “value” that has been generated externally to the appliance and, in particular, by applying a public key of a public key pair to the key. The value is possessed by the administrator, but it does not expose the key. Upon a given occurrence, such as a disk failure in the appliance, the administrator uses the value to “obtain” the key, which is then used to restore an encrypted backup image. The key is obtained by having the administrator provide the value to an entity, e.g., the appliance manufacturer, who then recovers the key for the administrator (by applying the private key of the public key pair).
    Type: Grant
    Filed: September 5, 2012
    Date of Patent: July 1, 2014
    Assignee: International Business Machines Corporation
    Inventor: Ching-Yun Chao
  • Patent number: 8769272
    Abstract: Systems and methods are provided for data protection across connected, disconnected, attended, and unattended environments. Embodiments of the inventions may include differential encryption based on network connectivity, attended/unattended status, or a combination thereof. Additional embodiments of the invention incorporate “trust windows” that provide granular and flexible data access as function of the parameters under which sensitive data is accessed. Further embodiments refine the trust windows concept by incorporating dynamic intrusion detection techniques.
    Type: Grant
    Filed: June 15, 2012
    Date of Patent: July 1, 2014
    Assignee: Protegrity Corporation
    Inventor: Ulf Mattsson
  • Patent number: 8769705
    Abstract: A networking system comprising an application service that runs on a cloud infrastructure and is configured to receive dual encrypted content from a content provider and re-encrypt the dual encrypted content to enable dynamic user group control for group-based user authorization, and a cloud storage service coupled to the application service and configured to store the dual encrypted content from the content provider and the re-encrypted dual encrypted content from the application service, wherein the application service and the storage service are configured to communicate and operate with a content delivery service that uses a content delivery network (CDN) to deliver the re-encrypted content to one or more users in a group authorized by the content provider.
    Type: Grant
    Filed: February 13, 2012
    Date of Patent: July 1, 2014
    Assignee: Futurewei Technologies, Inc.
    Inventors: Xinwen Zhang, Huijun Xiong, Guoqiang Wang
  • Patent number: 8769268
    Abstract: System and methods providing secure workspace sessions is described. In one embodiment a method for providing multiple workspace sessions for securely running applications comprises steps of: initiating a first workspace session on an existing operating system instance running on the computer system, the first workspace session having a first set of privileges for running applications under that session; while the first workspace session remains active, initiating a second workspace session on the existing operating system instance running on the computer system, the second workspace session having a second set of privileges for running applications under the second workplace session; and securing the second workspace session so that applications running under the second workplace session are protected from applications running outside the second workspace session.
    Type: Grant
    Filed: July 20, 2007
    Date of Patent: July 1, 2014
    Assignee: Check Point Software Technologies, Inc.
    Inventors: Artiom Morozov, Dzmitry Konanka
  • Patent number: 8762146
    Abstract: A system, including a processor to define opportunities for encoding a watermark into an audio stream having sections, each section, when represented in the frequency domain, including a signal of amplitude against frequency, the processor being operative to, for each one of the sections, identify a fundamental frequency, f being the frequency with the largest amplitude of the signal in the one section, the fundamental frequency f defining harmonic frequencies, each harmonic frequency being at a frequency f/2n or 2fn, n being a positive integer, and define the one section as an opportunity for encoding at least part of the watermark if the amplitude of the signal of the one section is less than a value v for all frequencies in one or more different frequency ranges, each of the different frequency ranges being centered around different ones of the harmonic frequencies. Related apparatus and methods are also described.
    Type: Grant
    Filed: June 11, 2012
    Date of Patent: June 24, 2014
    Assignee: Cisco Technology Inc.
    Inventor: Zeev Geyzel
  • Patent number: 8763149
    Abstract: Systems and methods for site-dependent embedded media playback manipulation whereby a media owner can enable limited embedding on non-owned or non-monetized websites to direct traffic to a more valuable location. The content owner can specify sets of internet locations with associated sets of rules governing content playback criteria as well as restrictions based upon user categorizations. A playback restriction system consists of a media delivery system and a playback rules system. The media delivery system controls the delivery of the media file with embedded restrictions. The playback rules system controls the nature of the restrictions and the rules of when they are applied. Users will be directed to the location of a more valuable website where the media can be viewed with a less restrictive set of rules.
    Type: Grant
    Filed: April 30, 2008
    Date of Patent: June 24, 2014
    Assignee: Google Inc.
    Inventors: Gabriel Cohen, Nick Dower
  • Patent number: 8756420
    Abstract: A computing device connects with a vision measuring machine (VMS). Then the computing device generates a one time password (OTP). A size of the OTP, the OTP are stored in a predefined file. The computing device obtains a size of measurement program codes of the VMS. The size of the OTP and the size of the measurement program codes are stored in the predefined file. The measurement program codes are encrypted by the OTP. If the measurement data includes image data of an object which is measured by the VMS, the computing device stores the encrypted program codes, a type of the image data, image data, and a size of the image data in the predefined file.
    Type: Grant
    Filed: August 30, 2012
    Date of Patent: June 17, 2014
    Assignees: Hong Fu Jin Precision Industry (ShenZhen) Co., Ltd., Hon Hai Precision Industry Co., Ltd.
    Inventors: Chih-Kuang Chang, Zhong-Kui Yuan, Li Jiang, Dong-Hai Li, Xiao-Guang Xue
  • Patent number: 8751799
    Abstract: Methods and systems for enabling content to be securely and conveniently distributed to authorized users are provided. More particularly, content is maintained in encrypted form on sending and receiving devices, and during transport. In addition, policies related to the use of, access to, and distribution of content can be enforced. Features are also provided for controlling the release of information related to users. The distribution and control of contents can be performed in association with a client application that presents content and that manages keys.
    Type: Grant
    Filed: April 22, 2011
    Date of Patent: June 10, 2014
    Assignee: Absio Corporation
    Inventors: Mitchell J. Tanenbaum, Daniel L. Kruger
  • Patent number: 8752137
    Abstract: Systems and methods for stateless system management are described. Examples include a method wherein a user sends the management system a request to act upon a managed system. The management system determines whether the user is authorized for the requested action. Upon authorization, the management system looks up an automation principal, which is a security principal native to the managed system. The management system retrieves connecting credentials for the automation principal, and connects to the managed system using the retrieved credentials. Once the managed system is connected, the management system performs the requested action on the managed system, and sends the result back to the user.
    Type: Grant
    Filed: May 28, 2010
    Date of Patent: June 10, 2014
    Assignee: Bladelogic, Inc.
    Inventors: Denis Knjazihhin, Paul A. Reilly, Chet Birger, David Allen Solin, Carl Adams
  • Patent number: 8751800
    Abstract: Embodiments are directed towards providing interoperability by establishing a trust relationship between a provider of a media player usable by a consumer and a content provider. A trust relationship is verified through using a public-private key certification authority. When a request for content is received from a consumer, the request might indicate what content protection mechanisms are available in the consumer's device. When a trust relationship is determined to exist between the content provider and the media player providers, the content provider encrypts a license separately for each of a plurality of different content protection mechanisms available at the consumer's device. The encrypted licenses are provided to the consumer's device, where the media player may be selected to play the content based on a self integrity check the media player may perform, and its ability to use a private key associated with a corresponding public key to decrypt the license.
    Type: Grant
    Filed: April 2, 2012
    Date of Patent: June 10, 2014
    Assignee: Google Inc.
    Inventor: David Kimbal Dorwin
  • Patent number: 8750499
    Abstract: A cryptographic method is provided of a type with public key over a non-supersingular elliptic curve E, determined by the simplified Weierstrass equation y^2 = x^3 + a·x^2 + b over a finite field GF(3^n), with n being an integer greater than or equal to 1. The method includes associating an element t of said finite field with a point P? of the elliptic field. The step of associating includes: obtaining a pre-determined quadratic non-residue ? on GF(3^n); obtaining a pre-determined point P = (z_P, y_P) belonging to a conic C defined by the following equation: a·?·z^2?y^2+b = 0; obtaining a point Q = (z_Q, y_Q), distinct from the point P belonging to the conic C and a straight line D defined by the following equation: y = t·z+y_P?t·z_P; obtaining the element ? of GF(3^n) verifying the following linear equation over GF(3): ??·? = (?^2·z_Q)/a; and associating, with the element t of the finite field, the point P? of the elliptic curve, for which the coordinates are defined by the pair (?·z_Q/?, y_Q).
    Type: Grant
    Filed: December 9, 2010
    Date of Patent: June 10, 2014
    Assignee: Compagnie Industrielle et Financiere d'Ingenierie “Ingenico”
    Inventor: Eric Brier