Object Protection Patents (Class 713/167)
  • Patent number: 8656461
    Abstract: Various embodiments are disclosed relating to performing trusted copy and paste operations between a source application and a target application. For example, a trust system may receive a paste request for pasting copied source content, and may compare a source trust level associated with the source content to a target trust level associated with a target application. In this way, for example, harmful or disruptive code may be prevented from being pasted into the target application.
    Type: Grant
    Filed: July 28, 2006
    Date of Patent: February 18, 2014
    Assignee: Microsoft Corporation
    Inventors: Akhilesh Kaza, Benjamin M. Westbrook, Jeffrey M. Cooperstein, Karen E. Corby, Mark A. Alcazar
  • Patent number: 8656159
    Abstract: In some embodiments, a method includes receiving a modifiable electronic document. The method includes generating a new version of the modifiable electronic document. The method also includes encrypting the new version of the modifiable electronic document using an encryption key that is used to encrypt the modifiable electronic document and different versions of the modifiable electronic document. The method includes saving the new version of the modifiable electronic document.
    Type: Grant
    Filed: October 11, 2007
    Date of Patent: February 18, 2014
    Assignee: Adobe Systems Incorporated
    Inventor: James Donahue
  • Patent number: 8650655
    Abstract: According to one embodiment, there is provided an information processing apparatus, including: a program acceptance portion; a program storage portion; a first function type storage portion; a function type extraction portion; a second function type storage portion; a first alternate function type storage portion; an alternate function type extraction portion; a second alternate function type storage portion; a selection portion; a judging portion; an updating portion; and a protection attribute determination portion.
    Type: Grant
    Filed: August 3, 2011
    Date of Patent: February 11, 2014
    Assignee: Kabushiki Kaisha Toshiba
    Inventors: Ryotaro Hayashi, Fukutomo Nakanishi, Mikio Hashimoto, Hiroyoshi Haruki, Yurie Fujimatsu
  • Patent number: 8645967
    Abstract: Secure marshaling of data via one or more intermediate processes is provided. A source process may create a named shared memory section resulting in a first handle to the shared memory section. The source process may populate the shared memory section with information. An access control list may secure the shared memory section by preventing the one or more intermediate processes from accessing content of the shared memory section, while allowing a target process to access the content. The first handle and a name of the shared memory section may be marshaled to a first intermediate process resulting in a respective new handle to the shared memory section. A last intermediate process may marshal the name to a target process, which may use the name to obtain access to the content of the shared memory section.
    Type: Grant
    Filed: August 30, 2011
    Date of Patent: February 4, 2014
    Assignee: Microsoft Corporation
    Inventors: Charles Alan Ludwig, Joaquin Guanter Gonzalbez, Pritam De
  • Patent number: 8646032
    Abstract: A method and an apparatus provide for operating a user interface of a device to receive from a user, for individual ones of a plurality of user privacy categories, a user privacy setting; to map each user privacy setting to one or more device sensors to form a sensor policy for the user privacy category; and to monitor application program accesses to device sensors to detect a violation of a sensor policy. An aspect of the exemplary embodiments of this invention is the user interface that can represent privacy levels of each application program to the user in a “user-friendly” format. Another aspect of the exemplary embodiments is to provide the user device with an ability to detect and act on or at least report privacy violations by the application programs.
    Type: Grant
    Filed: December 30, 2011
    Date of Patent: February 4, 2014
    Assignee: Nokia Corporation
    Inventors: Imad Aad, Debmalya Biswas, Gian Paolo Perrucci, Julien Eberle
  • Patent number: 8645422
    Abstract: The described embodiments of the invention comprise a method and an apparatus for regulating access to objects by authorized entities. Authorized entities are entities authorized for access by either an owner entity of the regulated object or an entity authorized to authorize access to the regulated object. Each user, which may be a physical person or another information system, is identified using standard user validation techniques. When an object is first created or introduced to the system, that information is associated with an owner, who is one user on the system. The present embodiment allows the owner to define relationships with other users, either generally or regarding a particular object. The owner may or may not have trusted relationships with other users. A second user that has a trusted relationship with the owner automatically has access to the object without additional intervention by the owner. In addition, the second user may have a trusted relationship with another user.
    Type: Grant
    Filed: August 12, 2003
    Date of Patent: February 4, 2014
    Inventor: Kenneth D. Pool
  • Publication number: 20140032901
    Abstract: The invention provides secure and private communication over a network, as well as persistent private storage and private access control to the stored information, which is accomplished by imposing mechanisms that separate a user's actions from their identity. The system provides (i) anonymous network browsing, in which event the anonymity system is unaware of both the user's identity and browsing activities, (ii) private network storage and retrieval of data such as passwords, profiles and files in a manner such that the data can be stored into the system and later retrieved without the system knowing the contents or owners of the data, and (iii) the ability of the user to control and manage access to the remotely stored data without the system knowing the contents, owners, or accessors of the data.
    Type: Application
    Filed: September 26, 2013
    Publication date: January 30, 2014
    Applicant: Ponoi Corp.
    Inventors: Colin Savage, Christopher Petro, Sascha Goldsmith
  • Patent number: 8638934
    Abstract: Rather than downloading each content document on demand from the publisher location to the user site, at the publisher location, each content document is encrypted and then multiple encrypted documents are assembled into a distribution archive that is itself encrypted with a scheduled key. The distribution archive is then downloaded into a content server at the user site. When the content server receives the distribution archive, it decrypts the archive file and unpacks the encrypted documents. The scheduled key used to decrypt an archive file is included with an archive file that was sent previously to the user site in accordance with the subscription service. The scheduled key to decrypt the first archive file sent to the user is sent from the publisher to the user over a communication channel different from the communication channel used to send the archive file from the publisher to the user.
    Type: Grant
    Filed: June 16, 2011
    Date of Patent: January 28, 2014
    Assignee: Imophaze Research Co., L.L.C.
    Inventors: John Deaver, Woodrow W. Johnson, Skott C. Klebe
  • Publication number: 20140025948
    Abstract: The present disclosure relates to an advantageous system and related methods for distributed deduplication of encrypted chunks. One embodiment relates to a method for storing encrypted chunks in which an encryption key is generated independently from a chunk payload. With this method, two encrypted chunks are identifiable as having identical chunk payloads even when the chunk payloads are encrypted with different encryption keys. Other embodiments, aspects and features are also disclosed.
    Type: Application
    Filed: July 18, 2012
    Publication date: January 23, 2014
    Inventors: Caitlin BESTLER, Alexander AIZMAN
  • Patent number: 8635669
    Abstract: A system and method to ensure trustworthiness of a remote service provided by a service provider. The method includes monitoring runtime dependencies invoked during execution of a service transaction associated with the remote service, the service transaction being requested by a service requester. The method further includes determining whether a deviation exists between the runtime dependencies and a trusted list of dependencies associated with the remote service. The method also includes blocking execution of the service transaction based on determining that the deviation between the runtime dependencies and the trusted list of dependencies exists.
    Type: Grant
    Filed: November 9, 2012
    Date of Patent: January 21, 2014
    Assignee: AT&T Properties, LLC
    Inventors: Liviu Iftode, Gang Xu
  • Patent number: 8635673
    Abstract: Dynamic application adaptation in software-as-a-service platform, in one aspect, may receive an access permission associated with a published shared data management data object in the software-as-a-service platform having shared data management and a plurality of applications deployed, look up one or more rules associated with one or more features of an application deployed on the software-as-a-service platform, based on the received access permission, and activate or deactivate said one or more features associated with said plurality of applications based on said one or more rules.
    Type: Grant
    Filed: June 17, 2011
    Date of Patent: January 21, 2014
    Assignee: International Business Machines Corporation
    Inventors: Rangachari Anand, Stacy F. Hobson, Juhnyoung Lee, Jeaha Yang
  • Patent number: 8635451
    Abstract: Apparati, methods, and computer-readable media for strengthening a one-time pad encryption system. A method embodiment of the present invention comprises the steps of encrypting plaintext (1) with an OTP key (2) in an XOR operation to produce ciphertext (3); and obfuscating the ciphertext (3) with an AutoKey (4) in an XOR operation to produce AutoKeyed ciphertext (5), wherein the AutoKey (4) is a reusable key.
    Type: Grant
    Filed: November 9, 2010
    Date of Patent: January 21, 2014
    Assignee: Vadium Technology, Inc.
    Inventor: Zsolt Ari
  • Patent number: 8635689
    Abstract: An embodiment of the invention is directed to a data processing system having a plurality of users, a portion of which were previously assigned permissions respectively corresponding to system resources. The embodiment includes acquiring data from a first data source, containing information pertaining to the portion of users and their permissions, and further includes acquiring data from a second data source, containing information pertaining to attributes of each user of the plurality. A set of permissions is determined for a given role, from both first and second data sources. First and second criteria are determined for assigning users to the given role, from information in the first and second data sources, respectively. A particular user is selected for admission to the given role only if the particular user is in compliance with both the first criterion and second criterion.
    Type: Grant
    Filed: October 27, 2011
    Date of Patent: January 21, 2014
    Assignee: International Business Machines Corporation
    Inventors: Milton H. Hernandez, Jim A. Laredo, Supreet R. Mandala, Yaoping Ruan, Vugranam C. Sreedhar, Maja Vukovic
  • Publication number: 20140019756
    Abstract: A tracer may obfuscate trace data such that the trace data may be used in an unsecure environment even though raw trace data may contain private, confidential, or other sensitive information. The tracer may obfuscate using irreversible or lossy hash functions, look up tables, or other mechanisms for certain raw trace data, rendering the obfuscated trace data acceptable for transmission, storage, and analysis. In the case of parameters passed to and from a function, trace data may be obfuscated as a group or as individual parameters. The obfuscated trace data may be transmitted to a remote server in some scenarios.
    Type: Application
    Filed: January 25, 2013
    Publication date: January 16, 2014
    Applicant: CONCURIX CORPORATION
    Inventor: Russell S. Krajec
  • Patent number: 8631466
    Abstract: Systems, methods, and instrumentalities are disclosed to provide secure operations in an M2M device. An M2M device may receive an indication that an operation to be performed is security sensitive. The M2M device may determine that the operation is to be performed in a secure environment on the M2M device. The secure environment may be a logically distinct portion of the M2M device. The determination may be made in accordance with a policy. For example, the M2M device may determine that the operation meets a requirement specified in the policy indicating that the operation is to be performed in the secure environment. The M2M device may perform the operation in the secure environment on the M2M device. The M2M device may store a result relating to the operation in the secure environment.
    Type: Grant
    Filed: August 3, 2011
    Date of Patent: January 14, 2014
    Assignee: InterDigital Patent Holdings, Inc.
    Inventors: Inhyok Cha, Michael Meyerstein, Lawrence Case
  • Patent number: 8626647
    Abstract: Electronic documents corresponding to executed paper documents are certified. A certifying agent receives an electronic document and a corresponding paper document that had been executed pursuant to some transaction. The certifying agent compares the information contained in the paper to that in the electronic mortgage document. If the paper adequately corresponds to the electronic document and is otherwise sufficient, then the certifying agent certifies the electronic document so that other parties can reliably engage in transactions involving the electronic document without having to possess or otherwise inspect the executed paper document. Certification involves application of some form of indicia of certification to the electronic document, such as updating the value of a field corresponding to certification in the electronic document and/or applying a digital or electronic signature corresponding to the certifying agent to the electronic document.
    Type: Grant
    Filed: October 9, 2012
    Date of Patent: January 7, 2014
    Assignee: Fannie Mae
    Inventors: J. Harvey Trimble, Jr., Cynthia H. Keith, Charlotte Haberaecker, N. Grande Bucca
  • Patent number: 8627107
    Abstract: A system and method for securing private health information collected by a covered entity. The system and method comprises a key generation module configured to generate a public key and a private key compatible with a fully homomorphic encryption scheme. The patient's private health information, having been encrypted using the public key, can be processed by business associates without decrypting it, yielding an encrypted result. Only the holder of the unencrypted private key can decrypt the encrypted private health information and the encrypted result. The invention ensures that business associates can process private health information and return a result without accessing the private health information.
    Type: Grant
    Filed: September 29, 2011
    Date of Patent: January 7, 2014
    Inventors: Todd Michael Kennedy, Aaron Michael Lewis
  • Patent number: 8621588
    Abstract: With a terminal apparatus that includes an authentication method deciding unit that selects one of two or more authentication methods according to acquired position information, an authentication screen output unit that outputs a screen corresponding to the one authentication method, an accepting unit that accepts authentication information that is input on that screen, an authentication information sending unit that sends an authentication method identifier that identifies an authentication method and the authentication information to a server, an output information receiving unit that receives, from the server, one or more pieces of output information corresponding to the authentication method identification information in the case of success of authentication, and an output information output unit that outputs output information, information necessary for medical practice can be acquired while appropriately securing the privacy of a patient.
    Type: Grant
    Filed: June 14, 2010
    Date of Patent: December 31, 2013
    Assignee: National University Corporation Asahikawa Medical University
    Inventor: Akitoshi Yoshida
  • Publication number: 20130346748
    Abstract: Systems and methods are provided for transmitting data for secure storage. For each of two or more data sets, a plurality of shares are generated containing a distribution of data from an encrypted version of the data set. The shares are then stored in a shared memory device, wherein a data set may be reconstructed from a threshold number of the associated plurality of shares using an associated key. Also provided are systems and methods for providing access to secured data. A plurality of shares containing a distribution of data from an encrypted version of a data set are stored in a memory device. A client is provided with a virtual machine that indicates the plurality of shares, and the capability to reconstruct the data set from the plurality of shares using an associated key.
    Type: Application
    Filed: August 22, 2013
    Publication date: December 26, 2013
    Applicant: Security First Corp.
    Inventors: Rick L. Orsini, Mark S. O'Hare, Matt Staker
  • Patent number: 8615797
    Abstract: A computationally implemented method includes, but is not limited to: determining that a computing device used by a first user has been transferred from the first user to a second user; ascertaining, in response to said determining, which of one or more items that are at least conditionally accessible through the computing device are active; and providing one or more selective levels of access to the one or more items based, at least in part, on said ascertaining. In addition to the foregoing, other method aspects are described in the claims, drawings, and text forming a part of the present disclosure.
    Type: Grant
    Filed: August 23, 2011
    Date of Patent: December 24, 2013
    Assignee: Elwha LLC
    Inventors: Royce A. Levien, Richard T. Lord, Robert W. Lord, Mark A. Malamud, John D. Rinaldo, Jr., Clarence T. Tegreene
  • Publication number: 20130339729
    Abstract: A system that includes an account management module configured to maintain protected accounts. For instance, a particular protected account includes a protected data set that is not readable outside of the system, and perhaps not even readable outside of the account. The particular data set corresponds to a particular entity assigned to the particular account and that includes keys corresponding to the particular entity. A security processor uses at least some of the plurality of keys to perform cryptographic processes in response to one or more trusted execution environment commands received from the particular entity.
    Type: Application
    Filed: June 19, 2012
    Publication date: December 19, 2013
    Applicant: Microsoft Corporation
    Inventors: Mark F. Novak, Andrew John Layman, Magnus Nyström, Stefan Thom
  • Patent number: 8613063
    Abstract: An image forming apparatus receives authentication information about a user who requests a function and determines whether the user needs to be authenticated before executing the requested function. The image forming apparatus then transmits the authentication information to an authentication device that performs authentication of the user, and receives an authentication result from the authentication device indicative of whether the user is authentic. The image forming apparatus executes the function specified in the request only when the authentication result shows that the user is authentic.
    Type: Grant
    Filed: September 10, 2008
    Date of Patent: December 17, 2013
    Assignee: Ricoh Company, Limited
    Inventor: Takayori Nishida
  • Patent number: 8612753
    Abstract: In one embodiment of the invention, a server may send encrypted material to a client. The client processor may decrypt and process the material, encrypt the results, and send the results back to the server. This sequence of events may occur while the execution or processing of the material is restricted to the client processor. Any material outside the client processor, such as material located in system memory, will be encrypted.
    Type: Grant
    Filed: December 23, 2008
    Date of Patent: December 17, 2013
    Assignee: Intel Corporation
    Inventors: Yasser Rasheed, Steve Grobman
  • Patent number: 8613075
    Abstract: A computationally implemented method includes, but is not limited to: determining that a computing device used by a first user has been transferred from the first user to a second user; ascertaining, in response to said determining, which of one or more items that are at least conditionally accessible through the computing device are active; and providing one or more selective levels of access to the one or more items based, at least in part, on said ascertaining. In addition to the foregoing, other method aspects are described in the claims, drawings, and text forming a part of the present disclosure.
    Type: Grant
    Filed: August 22, 2011
    Date of Patent: December 17, 2013
    Assignee: Elwha LLC
    Inventors: Royce A. Levien, Richard T. Lord, Robert W. Lord, Mark A. Malamud, John D. Rinaldo, Jr., Clarence T. Tegreene
  • Patent number: 8607056
    Abstract: Generating a cryptographic key, for example using a received external key. A system to generate a cryptographic key may include a first data store which may store an authorization key. A system may include a second data store which may store a secure key and/or a public key. A system may include an access controller, which may allow access to a secure key, for example to an access request which may be accompanied by a digital signature. A system may include a key generator, which may generate a private key, for example using a received external key, a stored authorization key and/or a mapping function. A system may include an access request signal generator which may generate a digital signature and/or which may transmit an access request, for example including a generated digital signature, to an access controller to retrieve a secure key.
    Type: Grant
    Filed: October 1, 2010
    Date of Patent: December 10, 2013
    Assignee: Genkey Netherlands B.V.
    Inventors: Dominic Gavan Duffy, Carl Christopher Goodwin, Aled Wynne Jones, Dominic Frank Julian Binks
  • Patent number: 8601598
    Abstract: A system that enables a cloud-based data repository to function as a secure ‘drop-box’ for data that corresponds to a user is provided. The ‘drop box’ can be facilitated through the use of cryptographic keying technologies. For instance, data that is ‘dropped’ by or on behalf of a particular user can be encrypted using a public key that corresponds to a user-specific private key. Thus, although the data resides within the large pool of ‘cloud-based’ data, it is protected since it can only be decrypted by using the private key, which is kept secret. The innovation can further facilitate user-centric secure storage by partitioning the cloud-based repository into multiple partitions, each of which corresponds to specific indexing criteria.
    Type: Grant
    Filed: September 29, 2006
    Date of Patent: December 3, 2013
    Assignee: Microsoft Corporation
    Inventors: Raymond E Ozzie, William H. Gates, III, Thomas F. Bergstraesser, Lili Cheng, Michael Connolly, Alexander G. Gounares, Henricus Johannes Maria Meijer, Debi P. Mishra, Ira L. Snyder, Jr., Melora Zaner-Godsey
  • Patent number: 8601285
    Abstract: The invention relates to a method for secure piecemeal execution of a program code. In the method, the program code is split to a number of pieces in a first electronic device. The pieces are provided one after another to a second electronic device, which computes a message authentication code from the pieces and returns the authenticated pieces back to the first electronic device. In order to execute the program, the authenticated pieces are provided for execution to the second electronic device, which verifies the message authentication codes in the pieces to allow the execution of the pieces in the second electronic device.
    Type: Grant
    Filed: November 23, 2007
    Date of Patent: December 3, 2013
    Assignee: Nokia Corporation
    Inventors: Jan-Erik Ekberg, Aarne Rantala
  • Patent number: 8595798
    Abstract: Enforcing data sharing policy through shared data management, in one aspect, may include extracting data access rights from the one or more data policies based on a user role, data purpose, an object set and a constraint identification; extracting a data domain from the one or more data policies based on the data purpose and the object set; associating the data access rights and the data domain with data attributes of the shared data; automatically responding to application-based offers and requests for the shared data within a Software-as-a-Service platform based on the data access rights.
    Type: Grant
    Filed: June 17, 2011
    Date of Patent: November 26, 2013
    Assignee: International Business Machines Corporation
    Inventors: Rangachari Anand, Stacy F. Hobson, Juhnyoung Lee, Jeaha Yang
  • Patent number: 8595487
    Abstract: Hardware virtualization support is used to isolate kernel extensions. A kernel and various kernel extensions are executed in a plurality of hardware protection domains. Each hardware protection domain defines computer resource privileges allowed to code executing in that hardware protection domain. Kernel extensions execute with appropriate computer resource privileges to complete tasks without compromising the stability of the computer system.
    Type: Grant
    Filed: November 1, 2006
    Date of Patent: November 26, 2013
    Assignee: VMware, Inc.
    Inventors: Kinshuk Govil, Keith Adams
  • Publication number: 20130311775
    Abstract: Media content is delivered to a variety of mobile devices in a protected manner based on client-server architecture with a symmetric (private-key) encryption scheme. A media preparation server (MPS) encrypts media content and publishes and stores it on a content delivery server (CDS), such as a server in a content distribution network (CDN). Client devices can freely obtain the media content from the CDS and can also freely distribute the media content further. They cannot, however, play the content without first obtaining a decryption key and license. Access to decryption keys is via a centralized rights manager, providing a desired level of DRM control.
    Type: Application
    Filed: July 26, 2013
    Publication date: November 21, 2013
    Applicant: Azuki Systems, Inc.
    Inventors: Raj Nair, Mikhail Mikhailov
  • Patent number: 8590034
    Abstract: A system (101) for implementing redaction rules in compliance with an organization's privacy policy, where the system intercepts messages between an information source (103) and an information destination (102), modifies the message contents based on redaction rules (106) and forwards the redacted contents over to the client. The system also maintains a record of the redacted information and updates the contents of any message submitted by the client (102) in order to maintain database integrity.
    Type: Grant
    Filed: September 21, 2009
    Date of Patent: November 19, 2013
    Inventors: Basit Hussain, Saeed Rajput
  • Patent number: 8590002
    Abstract: A data processing system, method and computer program product are provided. In use, data on a network is identified. In addition, a policy is identified. Further, the data is processed based on the policy for maintaining a confidentiality of the data.
    Type: Grant
    Filed: November 29, 2006
    Date of Patent: November 19, 2013
    Assignee: McAfee Inc.
    Inventors: Gopi Krishna Chebiyyam, Prasanna Ganapathi Basavapatna
  • Patent number: 8590050
    Abstract: An embodiment of the invention is a program for dynamically managing files to comply with security requirements. In one embodiment, changing security requirements require that the computer system identifies the current storage locations of files along with the files' respective security levels. Files containing changed security levels due to the changed security requirements are relocated to storage locations clustered with storage locations containing files of the same security level. In another embodiment, the computer system receives a file having a certain security level, identifies current storage locations of files with the files' respective security levels, and finally allocates the new file to a storage location clustered with storage locations containing files of the same security level.
    Type: Grant
    Filed: May 11, 2011
    Date of Patent: November 19, 2013
    Assignee: International Business Machines Corporation
    Inventors: Abhinay Ravinder Nagpal, Sri Ramanathan, Sandeep Ramesh Patil, Matthew Bunkley Trevathan
  • Patent number: 8589698
    Abstract: An approach is provided to receive a request at a first computer system from a second system. The first system generates an encryption key, modifies retrieved source code by inserting the generated encryption key into the source code, and compiles the modified source code into an executable. A hash value of the executable program is calculated and is stored along with the encryption key in a memory area. The executable and the hash value are sent to the second system over a network. The executable is executed and it generates an encrypted result using the hash value and the embedded encryption key. The encrypted result is sent back to the first system where it is authenticated using the stored encryption key and hash value.
    Type: Grant
    Filed: May 15, 2009
    Date of Patent: November 19, 2013
    Assignee: International Business Machines Corporation
    Inventors: Gerald Francis McBrearty, Shawn Patrick Mullen, Jessica Carol Murillo, Johnny Meng-Han Shieh
  • Patent number: 8584208
    Abstract: An apparatus for providing a framework for supporting a context resource description language may include at least one processor and at least one memory including computer program code. The at least one memory and the computer program code may be configured to, with the at least one processor, cause the apparatus to perform at least receiving an indication of content loaded at a browser, parsing the content for context resource description language providing an identification of properties requested in association with a service from which the content was loaded, and providing property management with respect to the identified properties for provision to the service. A corresponding method and computer program product are also provided.
    Type: Grant
    Filed: November 25, 2009
    Date of Patent: November 12, 2013
    Assignee: Nokia Corporation
    Inventor: Sailesh Kumar Sathish
  • Patent number: 8583938
    Abstract: A method, capable of being implemented in executable instructions or programmes in device(s), including computer system(s) or computer-controlled device(s) or operating-system-controlled device(s) or system(s) that is/are capable of running executable code, providing for the creation in Device(s) of executable code, such as boot code, programmes, applications, device drivers, or a collection of such executables constituting an operating system, in the form of executable code embedded or stored into hardware, such as embedded or stored in all types of storage medium, including read-only or rewriteable or volatile or non-volatile storage medium, such as in the form of virtual disk in physical memory or internal Dynamic Random Access Memory or hard disk or solid state flash disk or Read Only Memory, or read only or rewriteable CD/DVD/HD-DVD/Blu-Ray DVD or hardware chip or chipset etc.
    Type: Grant
    Filed: September 20, 2006
    Date of Patent: November 12, 2013
    Inventors: Kam Fu Chan, Bean Lee
  • Patent number: 8584237
    Abstract: An improper communication detection system that acquires packets that are circulated through a plant network by mirroring and detects improper communication includes a storage unit configured to prestore a session whitelist, which is a list of sessions that can be generated in the plant network; a session determination/separation unit configured to make a determination as to a success or failure of session approval on the basis of the acquired packet and configured to generate session information indicating an approved session; and a first improper communication detection unit configured to compare the session information generated by the session determination/separation unit with the session whitelist, and configured to detect communication related to the relevant session as improper communication when the session information does not match any session in the session whitelist.
    Type: Grant
    Filed: August 2, 2011
    Date of Patent: November 12, 2013
    Assignee: Yokogawa Electric Corporation
    Inventors: Shunsuke Baba, Kazuya Suzuki, Hidehiko Wada
  • Patent number: 8578164
    Abstract: A method of one-way access authentication is disclosed. The method includes the following steps. According to system parameters set up by a third entity, a second entity sends an authentication request and key distribution grouping message to a first entity. The first entity verifies the validity of the message sent from the second entity, and if it is valid, the first entity generates authentication and key response grouping message and sends it to the second entity, which verifies the validity of the message sent from the first entity, and if it is valid, the second entity generates the authentication and key confirmation grouping message and sends the message to the first entity. The first entity verifies the validity of the authentication and key confirmation grouping message, and if it is valid, the authentication succeeds and the key is regarded as the master key of agreement.
    Type: Grant
    Filed: November 7, 2008
    Date of Patent: November 5, 2013
    Assignee: China Iwncomm Co., Ltd.
    Inventors: Liaojun Pang, Jun Cao, Manxia Tie, Zhenhai Huang
  • Patent number: 8578158
    Abstract: An information processing apparatus includes a memory that stores command execution right information including execution right information indicating whether a command is executable, and a command determination unit that determines whether an entered command is a target of a command execution determination, where it is determined whether a command is executable based on whether the entered command is invoked by a user command or a system command, and determines whether the entered command is executable with reference to the command execution right information stored in the memory when the entered command is determined as the target of the command execution determination.
    Type: Grant
    Filed: December 10, 2010
    Date of Patent: November 5, 2013
    Assignee: Fujitsu Limited
    Inventors: Takashi Matsuda, Yoshiyuki Ohhira
  • Patent number: 8578451
    Abstract: A method and system for processing a data request from a watcher for a target at a server, the method receiving a request for information; searching through a policy for rules to be applied based on the watcher; applying any rules found by the searching, the rule causing a transformation of the information into at least one aspect interpretable by the watcher, the applying utilizing a presence information data format transformation; and returning the at least one aspect incorporated in a presence information data format.
    Type: Grant
    Filed: December 11, 2009
    Date of Patent: November 5, 2013
    Assignee: BlackBerry Limited
    Inventors: Brian Edward Anthony McColgan, Gaelle Christine Martin-Cocher
  • Patent number: 8572729
    Abstract: A system, method and computer program product are provided. In use, code is executed in user mode. Further, the execution of the code is intercepted. In response to the interception, operations are performed in kernel mode.
    Type: Grant
    Filed: January 30, 2006
    Date of Patent: October 29, 2013
    Assignee: McAfee, Inc.
    Inventors: Joe C. Lowe, Jonathan L. Edwards, Gregory William Dalcher
  • Patent number: 8565437
    Abstract: A virtual security coprocessor is created in a first processing system. The virtual security coprocessor is then transferred to a second processing system, for use by the second processing system. For instance, the second processing system may use the virtual security coprocessor to provide attestation for the second processing system. In an alternative embodiment, a virtual security coprocessor from a first processing system is received at a second processing system. After receiving the virtual security coprocessor from the first processing system, the second processing system uses the virtual security coprocessor. Other embodiments are described and claimed.
    Type: Grant
    Filed: October 5, 2011
    Date of Patent: October 22, 2013
    Assignee: Intel Corporation
    Inventor: Vincent R. Scarlata
  • Patent number: 8566953
    Abstract: A named object view of a report is generated from an electronic data file. Objects in the file to be published are identified in the file. A named object view of the report associated with the file is generated by displaying published identified objects according to associated viewing rights. A viewer at a client is presented with the named object view of the report, according to the viewing rights, such that the viewer's attention is focused on the published objects.
    Type: Grant
    Filed: September 24, 2007
    Date of Patent: October 22, 2013
    Assignee: Microsoft Corporation
    Inventors: John Campbell, Boaz Chen, Daniel Battagin, Eran Megiddo, Yariv Ben-Tovim
  • Patent number: 8566960
    Abstract: Techniques are provided for adjusting the number of devices allowed to use a digital product (e.g., software) under a license. In one embodiment, the technique may involve setting the allowed number of devices to a first upper/lower limit for a first time period, and, after the first time period has expired, increasing/lowering the allowed number of devices to a second upper/lower limit for a second time period. The technique may involve readjusting the allowed number for a third time period, thereby allowing for a changing number of device installations of the digital product.
    Type: Grant
    Filed: November 17, 2008
    Date of Patent: October 22, 2013
    Assignee: Uniloc Luxembourg S.A.
    Inventor: Ric B. Richardson
  • Patent number: 8565422
    Abstract: Various techniques and procedures related to encryption key versioning and rotation in a multi-tenant environment are presented here. One approach employs a computer-implemented method of managing encrypted data and their associated encryption keys. In accordance with this approach, a key splitting process securely stores a master key used to encrypt tenant-level encryption keys, a key versioning process is used to securely track updated encryption keys, and a key rotation process is used to rotate encrypted data to an updated version of a tenant-level encryption key.
    Type: Grant
    Filed: August 9, 2011
    Date of Patent: October 22, 2013
    Assignee: salesforce.com, inc.
    Inventors: Jong Lee, Charles Mortimore
  • Patent number: 8566586
    Abstract: To control privileges and access to resources on a per-process basis, an administrator creates a rule that may be applied to modify a process's token. The rule includes an application-criterion set and changes to be made to the groups and/or privileges of a token. The rule is set as a policy within a group policy object (GPO), where a GPO is associated with one or more groups of computers. When a GPO containing a rule is applied to a computer, a driver installed on the computer accesses the rule(s) anytime a logged-on user executes a process. If the executed process satisfies the criterion set of a rule, the changes contained within the rule are made to the process token, and the user has expanded and/or contracted access and/or privileges for only that process.
    Type: Grant
    Filed: August 10, 2011
    Date of Patent: October 22, 2013
    Assignee: BeyondTrust Corporation
    Inventor: Marco Peretti
  • Publication number: 20130275752
    Abstract: One embodiment of the present invention provides a system for performing secure multiparty cloud computation. During operation, the system receives multiple encrypted datasets from multiple clients. An encrypted dataset associated with a client is encrypted from a corresponding plaintext dataset using a unique, client-specific encryption key. The system re-encrypts the multiple encrypted datasets to a target format, evaluates a function based on the re-encrypted multiple datasets to produce an evaluation outcome, and sends the evaluation outcome to the multiple clients, which are configured to cooperatively decrypt the evaluation outcome to obtain a plaintext evaluation outcome.
    Type: Application
    Filed: April 17, 2012
    Publication date: October 17, 2013
    Applicant: FUTUREWEI TECHNOLOGIES, INC.
    Inventors: Xinwen Zhang, Qingji Zheng, Antontius Kalker, Guoqiang Wang
  • Patent number: 8560857
    Abstract: To provide an information processing apparatus, a server apparatus, a method of an information processing apparatus, a method of a server apparatus, and an apparatus executable program. An information processing apparatus uses signed integrity values unique to software configuration and asserting integrity of initial codes of a networked server. The server apparatus generates keys used for certifying the server apparatus (S810, S820, S830). One of the keys is certified by a third party to generate a digital signature (S840). The digital signature is attached to the integrity values and the signed integrity values are transmitted to the information processing apparatus for allowing the information processing apparatus to have secure services through the network (S850, S860).
    Type: Grant
    Filed: March 28, 2012
    Date of Patent: October 15, 2013
    Assignee: International Business Machines Corporation
    Inventors: Seiji Munetoh, Hiroshi Maruyama, Frank Seliger, Nataraj Nagaratnam
  • Patent number: 8560836
    Abstract: A rules evaluation engine that controls a user's security access to enterprise resources that have policies created for them. This engine allows a real-time authorization process to be performed with dynamic enrichment of the rules if necessary. Logging, alarm and administrative processes for granting or denying access to the user are also realized. The access encompasses computer and physical access to information and enterprise spaces.
    Type: Grant
    Filed: February 11, 2010
    Date of Patent: October 15, 2013
    Assignee: Jericho Systems Corporation
    Inventor: Michael W. Roegner
  • Patent number: 8555060
    Abstract: A managing method for an application program is disclosed, which includes that: a first terminal converts a file of a specified application program stored by the first terminal per se into an intermediate file in a predetermined intermediate format, wherein the intermediate format can be identified by other terminals having a running environment of the application program (S101); and the first terminal performs backup management on the specified application program by storing the intermediate file into a specified storage location, so as to enable a second terminal to recover the application program that has been made a backup, wherein both the second terminal and the first terminal have the running environment of the application program (S103). A managing device for an application program and a terminal are further disclosed.
    Type: Grant
    Filed: August 13, 2010
    Date of Patent: October 8, 2013
    Assignee: ZTE Corporation
    Inventor: Ying Ding