Object Protection Patents (Class 713/167)
  • Patent number: 8745406
    Abstract: The invention provides for a method of encrypting and executing an executable image, comprising: flagging sections of the executable image to be encrypted using commands in source files and compiling said executable images so as to generate object files, linking one or more of said executable images using a linker to produce a final executable image, passing said linked executable images to a post-linker encryption engine to encrypt a relocation fix-up patch table and sections of executable images flagged for encryption, and at load time decrypting, relocating and executing the executable images.
    Type: Grant
    Filed: October 10, 2006
    Date of Patent: June 3, 2014
    Assignee: Nytell Software LLC
    Inventor: Colin King
  • Patent number: 8745386
    Abstract: Single-use authentication methods for accessing encrypted data stored on a protected volume of a computer are described, wherein access to the encrypted data involves decrypting a key protector stored on the computer that holds a volume-specific cryptographic key needed to decrypt the protected volume. Such single-use authentication methods rely on the provision of a key protector that can only be used once and/or that requires a new access credential for each use. In certain embodiments, a challenge-response process is also used as part of the authentication method to tie the issuance of a key protector and/or access credential to particular pieces of information that can uniquely identify a user.
    Type: Grant
    Filed: June 21, 2010
    Date of Patent: June 3, 2014
    Assignee: Microsoft Corporation
    Inventors: Octavian T. Ureche, Nils Dussart, Charles G. Jeffries, Cristian M. Ilac, Vijay G. Bharadwaj, Innokentiy Basmov, Stefan Thom, Son VoBa
  • Patent number: 8745387
    Abstract: A system for security management for applications associated with multiple user registries can include an integrated console configured to host one or more applications or resource objects in corresponding realms. The system also can include one or more roles mapped to different ones of the resource objects and also to different users permitted to access the integrated console. The system yet further can include a user relationship system having associations with multiple different ones of the roles. Finally, the system can include console security management logic programmed to manage authentication for the users using the realm of the resource object while not requiring a separate user registry for the integrated console.
    Type: Grant
    Filed: April 23, 2012
    Date of Patent: June 3, 2014
    Assignee: International Business Machines Corporation
    Inventors: Samar Choudhary, Nataraj Nagaratnam, Naveenkumar V. Muguda
  • Patent number: 8738932
    Abstract: A system and method for processor-based security is provided, for on-chip security and trusted computing services for software applications. A processor is provided having a processor core, a cache memory, a plurality of registers for storing at least one hash value and at least one encryption key, a memory interface, and at least one on-chip instruction for creating a secure memory area in a memory external to the processor, and a hypervisor program executed by the processor. The hypervisor program instructs the processor to execute the at least one on-chip instruction to create a secure memory area for a software module, and the processor encrypts data written to, and decrypts data read from, the external memory using the at least one encryption key, and verifies data read from the external memory using the at least one hash value. Secure module interactions are provided, as well as the generation of a power-on key which can be used to protect memory in the event of a re-boot event.
    Type: Grant
    Filed: January 19, 2010
    Date of Patent: May 27, 2014
    Assignee: Teleputers, LLC
    Inventors: Ruby B. Lee, Champagne David
  • Patent number: 8738906
    Abstract: A system may identify one or more attributes associated with traffic. The system may then determine that at least one attribute, of the one or more attributes, matches an attribute of a set of attributes that correspond to a set of categories of traffic. Based on determining that the at least one attribute matches the attribute of the set of attributes, the system may identify a category, of the set of categories, that corresponds to the attribute. The system may associate the category with the traffic, and process the traffic based on the associated category.
    Type: Grant
    Filed: November 30, 2011
    Date of Patent: May 27, 2014
    Assignee: Juniper Networks, Inc.
    Inventors: Dhananjay Sampath, Chetan Anand, Arjun Sambamoorthy, Anand Deshpande
  • Patent number: 8739249
    Abstract: A system includes a memory configured to store executable code and a processor operably coupled to the memory. The processor is configured to execute the code to receive a request from a developer of a first web application to provide a notification corresponding to the first web application, authenticate the developer using a client identifier, after authenticating the developer, receive a content of the notification and a first user identifier, and provide the content of the notification to at least one of a plurality of computing devices associated with the first user identifier, based on an account associated with the first user identifier.
    Type: Grant
    Filed: March 8, 2012
    Date of Patent: May 27, 2014
    Assignee: Google Inc.
    Inventors: Erik Kay, Antony John Sargent, Alexandra Levich, Munjal Doshi, Zhenhai Lin, Glen Murphy, Rahul Roy-Chowdhury
  • Patent number: 8739275
    Abstract: A computationally implemented method includes, but is not limited to: determining that a computing device that was presenting one or more portions of one or more items and that was in possession of a first user has been transferred from the first user to a second user; and marking, in response to said determining, the one or more portions of the one or more items to facilitate the computing device in returning to the one or more portions upon the computing device being at least transferred back to the first user. In addition to the foregoing, other method aspects are described in the claims, drawings, and text forming a part of the present disclosure.
    Type: Grant
    Filed: December 8, 2011
    Date of Patent: May 27, 2014
    Assignee: Elwha LLC
    Inventors: Royce A. Levien, Richard T. Lord, Robert W. Lord, Mark A. Malamud, John D. Rinaldo, Jr., Clarence T. Tegreene
  • Patent number: 8732797
    Abstract: Architecture that addresses security concerns while still providing transparent user experience with ability to perform tasks. When a user machine is considered incompliant or compromised due to, for example, a suspected infection, the user machine can be blocked from further access to a network or other computing hosts until the incompliance is resolved. A notification is presented that indicates the nature of the problem, and a way to access an automatically configured isolated environment via which to continue working. The user can be automatically routed to use the alternative isolated environment for temporary access to network resources. Once the user finishes activities in the isolated environment, the system hosting the isolated environment is reverted back to a known good state.
    Type: Grant
    Filed: August 31, 2010
    Date of Patent: May 20, 2014
    Assignee: Microsoft Corporation
    Inventors: Vladimir Holostov, Yigal Edery, Yair Geva
  • Patent number: 8731191
    Abstract: An embodiment of the invention provides a data encryption method for an electrical device. The method comprises: generating an identification code corresponding to the electrical device; generating a temporary key according to the identification code; encrypting first data to generate a first secret key according to the temporary key and a first encryption mechanism; and encrypting the first secret key by a second encryption mechanism to generate an encrypted key.
    Type: Grant
    Filed: November 23, 2011
    Date of Patent: May 20, 2014
    Assignee: VIA Technologies, Inc.
    Inventors: Guanghui Wu, Shoudi Li, Xue Cui
  • Patent number: 8726017
    Abstract: A system and method for data storage and removal includes providing databases and providing encryption keys. Each database is associated with a database time period and each encryption key is associated with an encryption time period. Data items are received and each data item is encrypted using the encryption key associated with the encryption time period that corresponds to a time associated with the data item. Each encrypted data item is stored in the database associated with the database time period that corresponds to the time associated with the data item. Each encryption key is deactivated at a predetermined time after the associated encryption time period ends. Each database is made irretrievable upon a determination that all of the encryption keys associated with the data items stored in that database have been deactivated.
    Type: Grant
    Filed: September 19, 2011
    Date of Patent: May 13, 2014
    Assignee: Bright Sun Technologies
    Inventor: Harmannus Vandermolen
  • Patent number: 8726014
    Abstract: A system for managing license files comprises a memory operable to store a socket module. The system further comprises a processor communicatively coupled to the memory and operable to receive a command to open a license file, wherein the command is associated with a first user identifier. The license file is stored in a first remote node and is associated with a second user identifier. If the second user identifier matches the first user identifier, the processor is further operable to use the socket module to establish a socket connection with the first remote node. The processor is further operable to, using the socket connection, retrieve from the first remote node a file descriptor associated with the license file. The processor is further operable to apply an update to the license file, wherein the update is addressed according to the file descriptor. If the second user identifier does not match the first user identifier, the processor is further operable to prevent the updating of the license file.
    Type: Grant
    Filed: October 23, 2006
    Date of Patent: May 13, 2014
    Assignee: CA, Inc.
    Inventor: Vincent Scovetta
  • Patent number: 8726018
    Abstract: An electronic authorization system comprising a data source system configured to transmit transaction data. A secure data system is coupled to the data source system over an open network, the secure data system is configured to receive the transaction data from the data source system, generate a unique encrypted identifier for the transaction data and to transmit the unique encrypted identifier to the data source system. The data source system is configured to receive the unique encrypted identifier and replace payment card data associated with the transaction data in a database with the unique encrypted identifier.
    Type: Grant
    Filed: April 9, 2013
    Date of Patent: May 13, 2014
    Assignee: Merchant Link, LLC
    Inventors: Stephanie Bauer Marshall, Jonathan N. Freedman, Daniel J. Lane, Miriam Jaffe, Susan M. Zloth
  • Patent number: 8726023
    Abstract: Methods, a client entity, network entities, a system, and a computer program product perform authentication between a client entity and a network. The network includes at least a bootstrapping server function entity and a network application function entity. The client entity is not able to communicate with both of the network entities in a bidirectional manner. The 3GPP standard Ub reference point between the client entity and the bootstrapping server function entity is not utilized for authentication purposes, such as authentication using GAA functionality for unidirectional network connections.
    Type: Grant
    Filed: April 19, 2005
    Date of Patent: May 13, 2014
    Assignee: Nokia Corporation
    Inventor: Pekka Laitinen
  • Patent number: 8713312
    Abstract: A method and apparatus for detecting data modification in a layered operating system is disclosed. Outbound content indicators at different layers are compared to detect potential outbound data modifications. Likewise, inbound content indicators at different layers are compared to detect potential inbound data modifications. Content indicators include checksum, cryptographic hash, signature, and fingerprint indicators. Embodiments of the present invention enable detection of data modifications across an operating system's kernel and user mode spaces, prevention of modified outbound data from reaching a network, prevention of modified input data from reaching a user application, and detection of malware and faults within an operating system.
    Type: Grant
    Filed: December 6, 2009
    Date of Patent: April 29, 2014
    Assignee: Trend Micro Incorporated
    Inventors: Rares Stefan, Blake Stanton Sutherland
  • Publication number: 20140115332
    Abstract: Collaboratively editing a document in a system of sharee clients includes creating a document change, generating a document token for encrypting the document change, encrypting the document change with the document token, making the encrypted document change available to the other sharee clients, and generating a plurality of copies of the sharee document token. Each sharee document token is encrypted with a respective sharee's public key. Each encrypted sharee document token is distributed to respective sharee clients. Each sharee client is configured to: decrypt a sharee document token using a respective private key, decrypt the encrypted document change using the sharee document token, and consolidate the document change into a document.
    Type: Application
    Filed: October 16, 2013
    Publication date: April 24, 2014
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Mark Crosbie, Jason Flood, Juan Galiana Lara, Javier Marcos de Prado
  • Publication number: 20140115331
    Abstract: A method for providing a document using a secure bar code includes encrypting the document to generate an encrypted document, and mixing together bits for a security credential with bits for the encrypted document to generate a set of mixed bits having a predetermined order. The security credential is for decrypting the encrypted document. The method further includes inserting the set of mixed bits into the secure bar code and outputting the secure bar code. A bar code reader knows the predetermined order and is configured to read the secure bar code. The bar code reader may also be configured to un-mix the mixed bits based on the predetermined order, and decrypt the encrypted document with the security credential.
    Type: Application
    Filed: October 22, 2012
    Publication date: April 24, 2014
    Applicant: Motorola Mobility LLC
    Inventors: Parikshit Dharawat, Su-Yin Gan, Ansuman Tapan Satpathy
  • Patent number: 8706884
    Abstract: The present invention relates to an augmented data structure representing the availability of resources in a communication device, such as an augmented Bloom filter. A method of generating and using the augmented data structure comprises: providing first and additional groups of resources available in the same communication device; providing one or more hash functions for each of the first and additional groups, and calculating one or more hash values for each resource using the one or more corresponding hash functions; mapping each obtained hash value onto one entry of a data structure, wherein the hash values obtained from a resource of the first group are mapped onto a first subpart of the data structure only, such as a conventional Bloom array, and the hash values obtained from a resource of an additional group are mapped onto a portion of the data structure including the first subpart and an additional subpart.
    Type: Grant
    Filed: June 19, 2012
    Date of Patent: April 22, 2014
    Assignee: Canon Kabushiki Kaisha
    Inventors: Herve Ruellan, Romain Bellessort, Youenn Fablet
  • Patent number: 8707285
    Abstract: Embodiments include a method comprising loading a software class containing class information for a lock state. The method includes allocating an instance of a software object derived from the software class, wherein the allocating includes allocating of a lock word as part of the instance of the software object. The lock word defines whether the object is locked by a thread of multiple threads. The method includes observing activity relative to the instance of the software object. The method also includes, responsive to observing the activity relative to the instance of the software object that indicates that the lock state of the instance of the object is non-locking, removing the lock word from the instance of the object.
    Type: Grant
    Filed: December 31, 2010
    Date of Patent: April 22, 2014
    Assignee: International Business Machines Corporation
    Inventor: Peter W. Burka
  • Publication number: 20140108798
    Abstract: There is provided an information processing device including a public key setter that sets a public key corresponding to a public-key authentication scheme in an access area defined as a given area of an object of access, and a device authentication processor that authenticates access to the access area against a secret key paired with the public key.
    Type: Application
    Filed: September 17, 2013
    Publication date: April 17, 2014
    Applicant: SONY CORPORATION
    Inventors: Taizo SHIRAI, Yu TANAKA
  • Publication number: 20140108796
    Abstract: A secure storage appliance is disclosed, along with methods of storing and reading data in a secure storage network. The secure storage appliance is configured to present to a client a virtual disk, the virtual disk mapped to the plurality of physical storage devices. The secure storage appliance is capable of executing program instructions configured to generate a plurality of secondary data blocks by performing splitting and encrypting operations on a primary data block received from the client for storage on the virtual disk. For security, the secondary data blocks are stored at geographically-distributed locations. The secure storage appliance is also capable of executing program instructions configured to reconstitute the primary data block from at least a portion of the plurality of secondary data blocks stored in shares on corresponding physical storage devices in response to a request from the client.
    Type: Application
    Filed: March 15, 2013
    Publication date: April 17, 2014
    Applicant: UNISYS CORPORATION
    Inventor: UNISYS CORPORATION
  • Publication number: 20140108797
    Abstract: Methods and systems of presenting data in a secure data storage network are disclosed. One method includes defining a community of interest capable of accessing data stored in a secure data storage network, the community of interest including a plurality of users desiring access to a common set of data. The method also includes associating the community of interest with a workgroup key and, upon identification of a client device as associated with a user from among the plurality of users in the community of interest, presenting a virtual disk to the client device, the virtual disk associated with the workgroup key and a volume containing the common set of data, the volume including a plurality of shares stored on a plurality of physical storage devices.
    Type: Application
    Filed: March 15, 2013
    Publication date: April 17, 2014
    Applicant: Unisys Corporation
    Inventor: Unisys Corporation
  • Patent number: 8700896
    Abstract: Techniques for automatic management of file system encryption drivers are disclosed.
    Type: Grant
    Filed: August 25, 2010
    Date of Patent: April 15, 2014
    Assignee: Symantec Corporation
    Inventor: William E. Sobel
  • Patent number: 8700899
    Abstract: A first cryptographic device is configured to determine at least a key for a current epoch and a key for a subsequent epoch, and to transmit the keys for the current and subsequent epochs over a secure channel to a second cryptographic device. The second cryptographic device utilizes the key for the current epoch to decrypt an additional key that was encrypted for storage in a previous epoch, performs at least one cryptographic function using the decrypted additional key, utilizes the key for the subsequent epoch to encrypt the additional key for storage, and erases at least the key for the current epoch and the decrypted additional key. In such an arrangement, the additional key is initially locked under the key for the current epoch, then unlocked to perform the cryptographic function, and then locked again under the key for the subsequent epoch.
    Type: Grant
    Filed: June 27, 2012
    Date of Patent: April 15, 2014
    Assignee: EMC Corporation
    Inventor: Ari Juels
  • Publication number: 20140101443
    Abstract: A method and apparatus for enabling a cloud server to provide screen information data indicating a screen to be displayed on a client device are provided. The method of enabling a cloud server to provide screen information data relating to a screen to be displayed on a client device includes: generating the screen information data; determining whether or not to protect the generated screen information data based on characteristics of an object configuring the screen; encrypting the provided screen information data based on the determining; and transmitting the encrypted screen information data to the client device.
    Type: Application
    Filed: September 26, 2013
    Publication date: April 10, 2014
    Applicant: SAMSUNG ELECTRONICS CO., LTD.
    Inventors: Sung-bum PARK, Yong-je KIM, Myung-jin EOM, Dae-Sung CHO, Woong-il CHOI
  • Patent number: 8694788
    Abstract: A security system includes an interface, a main computer, and an application server. The interface enables a user to access a remote document related to a product. The main computer stores documents related to the product and generates a pair of localized encryption keys. The encryption keys include a first key that encrypts data and second key that decrypts the data. An application server that is remote from the interface transmits and receives the document from the interface. The main computer authenticates the integrity of the document in a local operation by signing the document with the first key before it is transmitted to the interface and by signing the document with the second key after it is received from the interface.
    Type: Grant
    Filed: April 29, 2005
    Date of Patent: April 8, 2014
    Assignee: Progressive Casualty Insurance Company
    Inventors: Michael F. Thomas, Martin R. Polak, Dennis C. Kunc, Frank N. Stanich, Jr., Raymond S. Ling
  • Patent number: 8695056
    Abstract: A method for information flow tracking is provided using, for example, a functional programming language based on lambda calculus, λI. The method provides a unified information-tracking framework that supports multiple, interdependent dimensions of information. An expressive policy-specification system is separated from the underlying information-flow tracking mechanism. Arbitrary domain-specific policies are supported that can be developed and enforced independent of information flow tracking. Information-flow metadata is treated as a first-class entity, and information flow is correctly tracked on the metadata itself. Classes of information flow policies are defined using multiple dimensions that are applicable both to information flow data and to the information flows themselves. These classes of policies accurately model more realistic security policies, based on partial trust relations.
    Type: Grant
    Filed: January 26, 2008
    Date of Patent: April 8, 2014
    Assignee: International Business Machines Corporation
    Inventors: Anindya Banerjee, Marco Pistoia, Avraham Shinnar
  • Patent number: 8694776
    Abstract: Systems and methods that can facilitate the utilization of a memory as a slave to a host are presented. The host and memory can provide authentication information to each other and respective rights can be granted based in part on the respective authentication information. The host can determine the available functionality of the memory. The host can activate the desired functionality in the memory and can request the memory to perform the desired function(s) with regard to data stored in the memory. An optimized controller component in the memory can facilitate performing the desired function(s) associated with the data to generate a result. The result can be provided to the host, while the data and associated information utilized to generate the result remain in the memory and cannot be accessed by the host.
    Type: Grant
    Filed: December 21, 2007
    Date of Patent: April 8, 2014
    Assignee: Spansion LLC
    Inventors: Christophe Carvounas, Joël LeBihan
  • Patent number: 8695061
    Abstract: A document process system, which includes: an authentication section that authenticates an operator of an operation target document; an extraction section that extracts specific information for setting operation restriction information of the document; a setting section that sets the operation restriction information of the document based on authentication information of the operator authenticated by the authentication section and the specific information extracted by the extraction section; and a generation section that generates a protected document to which the operation restriction information is set by the setting section based on the operation target document.
    Type: Grant
    Filed: April 16, 2008
    Date of Patent: April 8, 2014
    Assignee: Fuji Xerox Co., Ltd.
    Inventor: Shusaku Kubo
  • Publication number: 20140095870
    Abstract: A method and device for securely displaying web content with secure web objects across untrusted channels includes downloading web content from a web server. The web content includes tags that a web browser uses to authenticate the current user and identify encrypted web objects packaged in the web content. The computing device authenticates the current user using a biometric recognition procedure. If the current user is authenticated and determined to be authorized to view the decrypted web object, the encrypted web object is decrypted and displayed to the user. If the user is unauthenticated, the encrypted web object is displayed in place of the decrypted web object, such that the decrypted web object is displayed only for authorized persons physically present at the computing device. The biometric recognition procedure and web object decryption processes are protected through secure media path circuitry and secure memory.
    Type: Application
    Filed: September 28, 2012
    Publication date: April 3, 2014
    Inventors: Prashant Dewan, David M. Durham
  • Patent number: 8689324
    Abstract: Techniques to explain authorization origins for protected objects in an object domain are disclosed. In one embodiment, for example, an apparatus may comprise a processor circuit, a request processor component operative on the processor circuit to receive and process a request for an authorization origin of a resource object, the authorization origin comprising an access control with a permission arranged to control access to the resource object based on an identity, and a resource origin component operative on the processor circuit to identify the authorization origin of the resource object from a set of interrelated resource objects and associated access controls, retrieve authorization origin information for the authorization origin, and present the authorization origin information in a user interface view. Other embodiments are described and claimed.
    Type: Grant
    Filed: April 4, 2012
    Date of Patent: April 1, 2014
    Assignee: SAS Institute, Inc.
    Inventors: Brian Bowman, Elizabeth A. Lyne, Catherine Hitti, Jianping Yang, J. Forest Boozer
  • Patent number: 8689008
    Abstract: A new and improved operating system comprising a series of self-contained interconnected modules and service layers for connecting proprietary systems together and extracting and translating data therefrom enables existing software systems to operate and cooperate in an existing software ecosystem while allowing flexible connections with both existing and new applications.
    Type: Grant
    Filed: August 5, 2009
    Date of Patent: April 1, 2014
    Assignee: NET.ORANGE, Inc.
    Inventors: Vasu Rangadass, Ravi Seshadri
  • Patent number: 8689334
    Abstract: A method of preventing a customer programmable device from causing security threats to itself or to a communication system is provided. The method includes establishing one or more thresholds by programming or configuring of the device, detecting whether one or more of the thresholds have been exceeded using one or more detection mechanisms, and taking action in response to each threshold that has been exceeded.
    Type: Grant
    Filed: February 28, 2007
    Date of Patent: April 1, 2014
    Assignee: Alcatel Lucent
    Inventors: Ruth Schaefer Gayde, Byron J. Williams
  • Patent number: 8681972
    Abstract: A cryptographic calculation is executed in an electronic component, according to a cryptographic algorithm including at least one application of a one-way function which is disabled upon an intrusion into the electronic component. The one-way function is based on a first affine operation corresponding to a first secret key. The one-way function is applied, by obtaining (11) first and second random values (r, r′), then, by obtaining a first result (13) by applying a second affine operation (?K1), which corresponds to a second secret key, to a first combination (12) of the first and second random values, and, by obtaining (14) thereafter a second result by applying a third affine operation (?K2) which corresponds to a third secret key to said first result.
    Type: Grant
    Filed: May 9, 2008
    Date of Patent: March 25, 2014
    Assignee: MORPHO
    Inventors: Herve Chabanne, Julien Bringer, Thomas Icart
  • Patent number: 8683199
    Abstract: Whenever a drawing command is executed, a computer system having a graphic user interface such as a multi-window system determines, from the logical operation pattern of the drawing command, what kind of information is inherited by a drawing result from the drawing command, preferably without performing a complicated step such as an image process. At the same time, the computer system controls information flow of an image outputted to a screen by managing labeled area maps which correspond one to one to images on the screen and in a memory.
    Type: Grant
    Filed: July 18, 2008
    Date of Patent: March 25, 2014
    Assignee: International Business Machines Corporation
    Inventors: Sanehiro Furuichi, Masana Murase
  • Patent number: 8683200
    Abstract: A content server is provided for storing and distributing digital content to a client. The content server includes a content database configured to electronically store the digital content and a DRM packager for adding a universal DRM layer to the digital content stored at the content database. The universal DRM layer is able to access digital content in conformance with a plurality of different DRM implementations, the digital content being in conformance with one of the plurality of different DRM implementations. The universal DRM layer can access the content by a variety of means, such as with a universal key, for example, that can decrypt content from many different DRM technologies. In this way the client only needs to have a DRM controller that is compatible with this higher-level, universal DRM implementation rather than with the individual, underlying DRM implementations.
    Type: Grant
    Filed: November 17, 2010
    Date of Patent: March 25, 2014
    Assignees: Sony Corporation, Sony Corporation of America
    Inventor: Jaime A. Siegel
  • Patent number: 8677507
    Abstract: The present invention provides systems and methods for secure transaction management and electronic rights protection. Electronic appliances such as computers equipped in accordance with the present invention help to ensure that information is accessed and used only in authorized ways, and maintain the integrity, availability, and/or confidentiality of the information. Such electronic appliances provide a distributed virtual distribution environment (VDE) that may enforce a secure chain of handling and control, for example, to control and/or meter or otherwise monitor use of electronically stored or disseminated information. Such a virtual distribution environment may be used to protect rights of various participants in electronic commerce and other electronic or electronic-facilitated transactions. Distributed and other operating systems, environments and architectures, such as, for example, those using tamper-resistant hardware-based processors, may establish security at each node.
    Type: Grant
    Filed: February 8, 2011
    Date of Patent: March 18, 2014
    Assignee: Intertrust Technologies Corporation
    Inventors: Karl L. Ginter, Victor H. Shear, Francis J. Spahn, David M. Van Wie
  • Patent number: 8676878
    Abstract: A method of managing a domain, a method of extending a domain, and a method of selecting a reference point controller are provided. The method of operating the domain includes: receiving a request for authenticating a reference point controller from a reference point controller candidate; invalidating a membership of the stored reference point controller; generating a unique reference point controller membership for verifying that the reference point controller candidate is a new reference point controller; and transmitting the generated reference point controller membership to the reference point controller candidate. Accordingly, even when an error occurs in the reference point controller, the function of the reference point controller can be rapidly replaced by using the reference point controller candidate.
    Type: Grant
    Filed: December 30, 2008
    Date of Patent: March 18, 2014
    Assignee: LG Electronics Inc.
    Inventors: Man-soo Jeong, Il-gon Park, Koo-yong Pak, Min-gyu Chung, Sung-hyun Cho, Soo-jung Kim, Kiran Kumar K
  • Patent number: 8670568
    Abstract: A computer platform is provided that comprises a processor and a cryptographic co-processor coupled to the processor. The computer platform further comprises a platform entity coupled to the processor. The platform entity establishes a secure relationship with the cryptographic co-processor that enables the platform entity to utilize cryptographic functions provided by the cryptographic co-processor.
    Type: Grant
    Filed: July 22, 2011
    Date of Patent: March 11, 2014
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Wael M. Ibrahim, Graeme J. Proudler, Liqun Chen, Manuel Novoa
  • Patent number: 8671276
    Abstract: The present invention provides a computer implemented method, system, and computer program product for selective encryption of a data transmission. A data transmission is received. When the data transmission is received, the data transmission is unmarshaled. When the transmission is unmarshaled, objects and a set of sensitive fields within the data transmission are identified by referencing a metadata database. Only the set of sensitive fields within the data transmission are encrypted to form a partially encrypted data transmission. The partially encrypted data transmission is marshaled to form a marshaled data transmission. The marshaled data transmission is transmitted to a recipient.
    Type: Grant
    Filed: June 9, 2008
    Date of Patent: March 11, 2014
    Assignee: International Business Machines Corporation
    Inventors: Kulvir Singh Bhogal, Johnston Jewell Clark, Jonathan G. Hall, Rick Allen Hamilton, II, John Dale Perkins, Alexandre Polozoff, Gioacchino J. Pullara, Hadi S. Qadri, Ryan Patrick Zombo, Peggy Catherine Zych
  • Publication number: 20140068259
    Abstract: A method begins by a dispersed storage (DS) processing module receiving an access request regarding a data object, where the access request includes a data object identifier, requestor information, and addressing information. The method continues with the DS processing module determining a base key identifier based on the access request and determining content specific information based on the access request. The method continues with the DS processing module retrieving a set of base key slices utilizing the base key identifier and decoding the set of base key slices in accordance with an error encoding function to recover a base key. The method continues with the DS processing module generating an access specific key based on the recovered base key and the content specific information and executing the access request regarding the data object utilizing the access specific key.
    Type: Application
    Filed: July 17, 2013
    Publication date: March 6, 2014
    Inventors: Jason K. Resch, Wesley Leggette
  • Publication number: 20140068258
    Abstract: A cloud deployment appliance includes a key stored internally and that is used during restore to decrypt encrypted backup images. That key is not available to an administrator of the appliance; instead, the administrator receives a “value” that has been generated externally to the appliance and, in particular, by applying a public key of a public key pair to the key. The value is possessed by the administrator, but it does not expose the key. Upon a given occurrence, such as a disk failure in the appliance, the administrator uses the value to obtain the key, which is then used to restore an encrypted backup image. The key is obtained by having the administrator provide the value to an entity, e.g., the appliance manufacturer, who then recovers the key for the administrator (by applying the private key of the public key pair).
    Type: Application
    Filed: September 5, 2012
    Publication date: March 6, 2014
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventor: Ching-Yun Chao
  • Patent number: 8667277
    Abstract: Text containing files are encrypted by first formatting the files for display. The display-formatted files are then coded to form files indicating the information. The files are encrypted. The coding can determine a distance of a transition between a first color and a second color in the display file, and code that distance to form coded distance information and encrypt the coded distance information.
    Type: Grant
    Filed: August 20, 2012
    Date of Patent: March 4, 2014
    Inventor: Scott C. Harris
  • Patent number: 8667275
    Abstract: Content is encoded with a watermark that associates it with a particular consumer. When presented for playback, the rendering equipment examines the watermark to confirm that the consumer with whom the content is associated, is also the consumer with whom the equipment is associated. If there is no watermark—or if the watermark is associated with a different consumer, then playback is refused. The equipment also desirably checks whether the content has a second watermark (or even a very feeble remnant thereof), indicating that the content has been derived from content earlier provided to a different consumer. If so, playback is again refused. Thus, this embodiment will refuse to play if there is no watermark; if there is one watermark not associated with the proprietor of the equipment; or if there are two or more watermarks.
    Type: Grant
    Filed: June 3, 2004
    Date of Patent: March 4, 2014
    Assignee: Digimarc Corporation
    Inventor: Geoffrey B. Rhoads
  • Patent number: 8667276
    Abstract: An authentication method for authenticating an article in a device includes the steps of (a) reading an identification number stored on the article, (b) reading an authentication number stored on the article, (c) determining an input number based at least in part on the identification number, (d) applying an authentication function to the input number to calculate an output number, (e) determining that the article is authentic only if the authentication number corresponds to the output number, and (f) permitting use of the article in the device if the article is authentic, and disabling use of the article in the device if the article is not authentic.
    Type: Grant
    Filed: May 15, 2012
    Date of Patent: March 4, 2014
    Assignee: ZIH Corp.
    Inventors: Clive P. Hohberger, Boris Y. Tsirline
  • Patent number: 8661519
    Abstract: A client is redirected by a relying party to the supporting entity (such as an identity or claims provider). The relying party also sends a cookie that includes a nonce, and another copy of the nonce in a redirection context (e.g., in a context string). The client then communicates with the supporting entity to facilitate the supporting service, whereupon the supporting entity sends a validation token back to the client evidencing completion of the supporting service. The supporting party also sends the nonce back as part of the redirection context (e.g., in a context string). The client then sends a followup service request that includes the cookie, the nonce returned by the supporting entity, and the validation token to the relying party. The relying party may compare the nonce in the cookie with the nonce returned by the supporting entity to verify that the request is valid.
    Type: Grant
    Filed: June 3, 2011
    Date of Patent: February 25, 2014
    Assignee: Microsoft Corporation
    Inventor: Peter V. Kron
  • Patent number: 8661430
    Abstract: A device and a portable storage device which are capable of transferring a rights object (RO) and a method of transferring an RO are provided. The method includes enabling a device to transmit an installation request message to a portable storage device for installing a copy of an original RO present in the device in the portable storage device, enabling the device to install the copy of the original RO in the portable storage device, and enabling the device to receive an installation response message indicating that the copy of the original RO has been successfully installed in the portable storage device from the portable storage device.
    Type: Grant
    Filed: November 29, 2007
    Date of Patent: February 25, 2014
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Yun-Sang Oh, Sang-Gyoo Sim, Yeo-Jin Kim
  • Patent number: 8661531
    Abstract: Systems and methods for secure control of a wireless mobile communication device are disclosed. Each of a plurality of domains includes at least one wireless mobile communication device asset. When a request to perform an operation affecting at least one of the assets is received, it is determined whether the request is permitted by the domain that includes the at least one affected asset, by determining whether the entity with which the request originated has a trust relationship with the domain, for example. The operation is completed where it is permitted by the domain. Wireless mobile communication device assets include software applications, persistent data, communication pipes, and configuration data, properties or user or subscriber profiles.
    Type: Grant
    Filed: February 10, 2012
    Date of Patent: February 25, 2014
    Assignee: BlackBerry Limited
    Inventors: Russell N. Owen, Herbert A. Little, David P. Yach, Michael Shenfield
  • Patent number: 8656465
    Abstract: In one example, a method includes intercepting, by a first security module, a request from a software application executing on the computing device to access a resource of the computing device. The first security module may include a first group of permissions received from a second security module included in an operating system. The second security module may control access by software applications executing on the computing devices to resources of the computing device based upon permissions granted to the software applications. The method may also include identifying a second group of permissions granted to the software application. The second group of permissions may be a subset of the first group of permissions. The method may also include determining, based upon the first group of permissions, whether the software application is allowed to access the resource. The method may also include controlling access to the resource, based on the determining.
    Type: Grant
    Filed: May 9, 2012
    Date of Patent: February 18, 2014
    Assignee: Google Inc.
    Inventor: Zhen Elizabeth Fong-Jones
  • Patent number: 8656162
    Abstract: A method to facilitate securing of air-to-ground communications for an aircraft is provided. The method includes receiving security management information at the aircraft via at least one broadband data link prior to takeoff of the aircraft. The security management information is received for ground entities that can be communicatively coupled with the aircraft traveling on a flight path. The method of securing avionics also includes validating the security management information for the ground entities, and storing the validated security management information for the ground entities in the aircraft. The validating and storing of security management information occur prior to takeoff of the aircraft.
    Type: Grant
    Filed: October 22, 2009
    Date of Patent: February 18, 2014
    Assignee: Honeywell International Inc.
    Inventors: Aloke Roy, Michael L. Olive
  • Patent number: 8656156
    Abstract: A Digital Rights Management (DRM) system, and particularly an apparatus and method of authentication between DRM agents for moving a Rights Object (RO), is provided, whereby the RO and contents can be moved between DRM agents after a simple authentication therebetween using specific authentication information received from a Rights Issuer (RI), in the case where the RO is moved in a user domain or among a plurality of DRM agents.
    Type: Grant
    Filed: October 31, 2012
    Date of Patent: February 18, 2014
    Assignee: LG Electronics Inc.
    Inventor: Seung-Jae Lee