Abstract: A method and system are provided for securing messages within a communication network of an industrial process control system, such as a substation automation system. A multi-block message to be transmitted via a communication network is secured by a block-based authentication, encryption and/or integrity information. Only residue of the previous block in the form of block-based information is needed to generate the block based information of the next block. Therefore, the previous block can already be transmitted while block-based information of the next block is generated. The method and system of the present disclosure enable on-the-fly authentication of the multi-block message and authentication at an increased rate.

Abstract: A system for generating a digital signature may include a record management facility configured to group a first record with a second record and to generate a first digital signature based at least in part on the first record and the second record.

Abstract: A system and method for writing a new or replacement public key to a bootloader stored in a memory segment in the memory of a vehicle ECU without having to rewrite the entire bootloader. The method includes defining a key table in the bootloader memory segment includes a number of vacant memory slots that are available to store replacement public keys if they are needed. The key table is a separate section of the bootloader memory segment so that the key table memory slots are not used by the bootloader code.

Abstract: According to one embodiment of the invention, a method for setting permission levels is described. First, an application and digital signature is received by logic performing the permission assessment. Then, a determination is made as to what permission level for accessing resources is available to the application based on the particulars of the digital signature. Herein, the digital signature being signed with a private key corresponding to a first public key identifies that the application is assigned a first level of permissions, while the digital signature being signed with a private key corresponding to a second public key identifies the application is assigned a second level of permissions having greater access to the resources of an electronic device than provided by the first level of permissions.

Abstract: Provided are methods and a validation system that includes a signature device and a verification device for verifying a content. The signature device may generate verification information for each segment of a divided content and may generate signature information to verify the integrity of each segment and whether a corresponding segment is a part of a content. When a segment is received, the verification device may verify integrity of the segment and whether the segment is a part of the content, based on the verification information and the signature value received from the signature device.

Abstract: The computer system includes a first memory to store an executable file of a first application platform owner (APO). The executable file includes an owner identification object and an encrypted secure object payload. The computer system includes a key store having one nonvolatile key slot for each of two or more APOs. Each key slot stores one or more keys of a respective APO. The computer system further includes a processor configured upon receiving the executable file to identify a first key slot in the key store corresponding with the owner identification object. The first key slot is associated with the first APO. The processor is configured to determine whether the executable file is authentic using an APO key. Furthermore the processor decrypts the encrypted secure object payload using a first key of the first APO if the executable file is determined to be authentic.

Abstract: A system and method for embedding a written signature into a secure electronic document is disclosed. In certain embodiments, a user views the electronic document on a first computing device and creates an electronic digital signature on a mobile computing device. The user is securely certified by a system created alphanumeric code and the identification of the mobile device. The signature is then embedded into the electronic document and stored securely on a central server.

Abstract: An authenticated RFID system is provided that uses elliptic curve cryptography (ECC) to reduce the signature size and read/write times when compared to traditional public key implementations such as RSA. Either ECDSA or ECPVS can be used to reduce the signature size and ECPVS can be used to hide a portion of the RFID tag that contains sensitive product identifying information. As a result, smaller tags can be used or multiple signatures can be written at different stages in a manufacturing or supply chain. A key management system is used to distribute the verification keys and aggregate signature schemes are also provided for adding multiple signatures to the RFID tags, for example in a supply chain.

Abstract: The invention relates to a method for granting an inquirer querying a repository access to the repository, a communication protocol between a client and a server, and a system for controlling access of at least one inquirer to a repository. The repository typically stores event data relating to traceable products. The aspects according to teaching disclosed herein may be for example implemented as security extensions for existing repositories providing a finer granularity of access rights and means to prevent an exposure of data sets considered sensitive. The security extensions disclosed herein may be implemented to protect access to any kind of client/server application wherein the server is exposing sensitive data.

Abstract: Techniques for verifying the transfer from a content provider of a selected data file selected by a client device using a proxy server is disclosed. By creating a local set of characteristics of the selected data file, network traffic sent between the client device and the content provider can be monitored. A local record of a transfer session is then created, and a download request from the client device is received and forwarded, thus initiating the transfer of the selected data file to the content provider. A data file is then received from the content provider and forwarded to the client device. The characteristics of the received data file are evaluated, thus allowing verification that the characteristics of the received data file match the local set of characteristics of the selected data file to take place. Finally, the received data file is forwarded to the client device.

Abstract: Determining ranked candidate media in response to media query data corresponding to a query media includes receiving the media query data including feature data of the query media, coordinate data, and boundary data, matching the features with corresponding features of an media database using the feature data to identify features in the media database within a predetermined hamming distance in a hash table from the corresponding features of the query media to obtain matched features in the media database, determining candidate media whose number of matched features exceeds a matched feature threshold, generating a geometry similarity score between the query media and each candidate media using the feature data and the coordinate data, generating a boundary similarity score between the query media and each candidate media using the boundary data, ranking the candidate media based on the numbers of matched features, the geometry similarity scores and the boundary similarity scores.

Abstract: Methods, systems, and apparatus are disclosed which enable flexible insertion of forensic watermarks into a digital content signal using a common customization function. The common customization function flexibly employs a range of different marking techniques that are applicable to a wide range of forensic marking schemes. These customization functions are also applicable to pre-processing and post-processing operations that may be necessary for enhancing the security and transparency of the embedded marks, as well as improving the computational efficiency of the marking process. The common customization function supports a well-defined set of operations specific to the task of forensic mark customization that can be carried out with a modest and preferably bounded effort on a wide range of devices. This is accomplished through the use of a generic transformation technique for use as a “customization” step for producing versions of content forensically marked with any of a multiplicity of mark messages.

Abstract: A system for detecting file upload vulnerabilities in web applications is provided. The system may include a black-box tester configured to upload, via a file upload interface exposed by a web application, a file together with a signature associated with the file. An execution monitor may be configured to receive information provided by instrumentation instructions within the web application during the execution of the web application. The execution monitor may be configured to recognize the signature of the uploaded file as indicating that the uploaded file was uploaded by the black-box tester. The execution monitor may also be configured to use any of the information to make at least one predefined determination assessing the vulnerability of the web application to a file upload exploit.

Abstract: In various embodiments, a computerized method includes receiving electronic content to be archived. The electronic content comprises a digital signature. The method may include archiving the digital signature, by determining a validity status of the digital signature and storing the validity status in the electronic content. The method may also include archiving the electronic content after the validity status has been stored in the electronic content.

Abstract: A digital signature generation (DSG) process which provides resistance against white box attackers is disclosed. This is done by applying specially selected data transformations to the inputs, outputs and internal parameters of the algorithm. In particular, the signatory's private key does not appear in the clear in our protected implementation. Our new white box implementation produces signatures that are compatible with signatures created by conventional implementations; thus our solution facilitates interoperability and can be used as a drop-in replacement for conventional implementations. In particular, we describe transformations to the key (d) and the generator domain parameter (usually denoted G or g) of the digital signature generation processes, such that embodiments of the invention can produce signed messages which appear to a verifier as if the key (d) was used, without actually ever using the key (d).

Abstract: A manufacturing entity provides a blinded signature to a secure device and associates a time with the blinded signature. If a signing key is compromised, the manufacturing entity provides a time of the compromise and the time associated with the blinded signature to the replacement authority.

Abstract: A system that incorporates the subject disclosure may perform, for example, operations including receiving an encrypted secure token from a secure token application function that is remote from the communication device, storing the encrypted secure token in a secure element memory of the secure element, accessing user input requesting the encrypted secure token where the secure device processor is separate from the secure element and is in communication with the secure element, generating a modified secure token by adding identification information to the encrypted secure token and by performing a second encryption of the encrypted secure token with the identification information, receiving the modified secure token from the secure element, and providing the modified secure token to a receiving device. Other embodiments are disclosed.

Abstract: The present invention provides methods and apparatus, including computer program products, implementing techniques for searching and ranking linked information sources. The techniques include receiving multiple content items from a corpus of content items; receiving digital signatures each made by one of multiple agents, each digital signature associating one of the agents with one or more of the content items; and assigning a score to a first agent of the multiple agents, wherein the score is based upon the content items associated with the first agent by the digital signatures.

Abstract: A method for processing an operating sequence of instructions of a program in a processor, wherein each instruction is represented by an assigned instruction code which comprises one execution step to be processed by the processor or a plurality of execution steps to be processed successively by the processor, includes determining an actual signature value assigned to a current execution step of the execution steps of the instruction code representing the instruction of the operating sequence; determining, in a manner dependent on an address value, a desired signature value assigned to the current execution step; and if the actual signature value does not correspond to the desired signature value, omitting at least one execution step directly available for execution and/or an execution step indirectly available for execution.

Abstract: In one embodiment, source data for a communication session may be split into an audio portion for transmission on a phone channel and a non-audio portion for transmission on a data channel. A server and a phone may accordingly establish an audio portion of a communication session on the phone channel. In response to a trigger, the server may provide a push notification on the data channel to the phone, where the push notification is associated with an application executing on the phone that is configured to participate in the non-audio portion of the communication session on the data channel with the server. Upon obtaining the push notification on the data channel during the audio portion on the phone channel, the application may correspondingly activate on the phone to participate in the non-audio portion of the communication session during the phone's participation in the audio portion (e.g., merging the portions).

Abstract: An encryption processing method includes: generating, by a device itself, a key pair, where the key pair includes a first key used for encryption and a second key used for decryption; storing, by the device, the key pair in a first storage space; performing, by the device, digest calculation on device running data to obtain a digest of the device running data, where the device running data is stored in a second storage space; and reading, by the device, the first key from the first storage space, and encrypting a digest of the device running data with the first key to obtain a first digital signature.

Abstract: Provided is a management server system that accepts a transition instruction for transition between tenants of an agent device, generates symmetric keys consisting of a first key and a second key, responds the second key to the agent device, and verifies signature information included in a transition request using the first key when the agent device makes a tenant transition request. Upon successful verification of signature information, the management server system transmits new authentication information for communication between the management server system and the agent device to the agent device. After transition of the tenant, the agent device communicates with the management server system using the new authentication information.

Abstract: A system and method for validating an application and for controlling execution of an application. A plurality of parameters may be computed for an authenticated object and for a tested object. A plurality of comparison and other metrics may be computed based on the computed plurality of parameters. Control of an execution of programs may be based on said metrics. Other embodiments are described and claimed.

Abstract: Systems and methods of token-based protection for links to media streams are disclosed. For example, a computing device may generate a first token based on a private key and an encryption algorithm. The first token may be inserted into a link to a media stream. When the link is selected at a client device, a media request including the first token may be sent to a server. The server may generate a second token based on the private key and the encryption algorithm. The server may grant or deny the media request based on a comparison of the first token and the second token.

Abstract: Systems and methods are provided to allow a smart phone or any terminal to reserve and activate an electric vehicle charger using a web site or server computer system. An access control system is provided that includes a server and an access device. The access device includes an electrical vehicle charger. A reservation request is accepted from a first terminal using the server. A reservation certificate is provided to a portable second terminal in response to the request using the server. The reservation certificate is accepted from the portable second terminal using the access device. The reservation certificate is determined to be authentic using the access device. The electric vehicle charger is activated in response to accepting an authentic reservation certificate using the access device.

Abstract: Systems and methods for configuring browser policy settings on client computing devices are provided. In some aspects, a method includes receiving login credentials from a client computing device. The client computing device includes a browser. The method also includes transmitting browser policy data associated with the login credentials to the client computing device. The browser policy data identifies browser policy settings to be installed on the browser. The browser policy settings identified by the browser policy data include four or more of: compliance settings, behavioral settings, browser/software applications, permission to access one or more websites, restrictions on accessing one or more websites, read permission in a remote document storage unit accessible via the browser, or write permission in a remote document storage unit accessible via the browser.

Abstract: A method for authorizing an access to a table of address correspondence between a multitask CPU and at least one memory containing several programs, consisting of calculating, on each task change of the CPU, a signature of at least part of the program instruction lines, and checking the conformity of this signature with a signature recorded upon previous execution of the involved program.

Abstract: Software activation and revalidation.

Abstract: Malware that is signed with multiple, valid credentials is detected. A central computer such as a server receives secure hashes of signed application bodies and immutable portions of corresponding digital signatures for a plurality of signed applications from a plurality of client computers. Received secure hashes of signed application bodies are compared. Multiple instances of a single signed application are identified based on the comparing of multiple received secure hashes of signed application bodies. Responsive to identifying multiple instances of the single signed application, received secure hashes of immutable portions of digital signatures corresponding to identified multiple instances of the single signed application are compared. Responsive to the results of this comparing, a potential maliciousness of the signed application is adjudicated.

Abstract: A client application, when executed by a processor, is operative to create a HyperText Transfer Protocol (HTTP) request containing a target header that includes a confidential value. The HTTP request is to be sent over a Secure Sockets Layer (SSL) 3.0 connection or a Transport Layer Security (TLS) 1.0 connection to a web server. The client application implements at its HTTP layer a countermeasure to a blockwise chosen-boundary attack. The client application generates an additional header having a header name that is not recognizable by the web server and inserts the additional header into the HTTP request ahead of the target header, thus creating a modified HTTP request. The modified HTTP request is to be sent, instead of the unmodified HTTP request, over the SSL 3.0 connection or the TLS 1.0 connection to the web server.

Abstract: Technologies related to shared secret identification for secure communication are generally described. In some examples, devices may exchange hashes, such as file deduplication hashes, to identify a matching hash. The identified matching hash represents a shared data item which may be used as a shared secret to encrypt and/or decrypt subsequent secure communications between the devices. Each device retrieves the shared data item from its respective secure memory and may use the shared data item to encrypt and/or decrypt subsequent secure communications. An eavesdropper may observe the hash exchange, but will not be able to decrypt the secure communications without access to the shared data item, because hashes may be effectively non-invertible.

Abstract: Requests are pre-generated to include a cryptographic key to be used in fulfilling the requests. The requests may be encoded in uniform resource locators and may include authentication information to enable a service provider to whom the requests are submitted to determine whether the requests are authorized. The requests may be passed to various entities who can then submit the requests to the service provider. The service provider, upon receipt of a request, can verify the authentication information and fulfill the request using a cryptographic key encoded in the request.

Abstract: Methods and apparatus for identifying media are described. An example method includes determining application identification information for a media presentation application executing on a media device, determining a first watermark for the application identification information from a lookup table, requesting media identification information for media from the media presentation application, determining a second watermark for the media identification information from the lookup table, inserting the first watermark in the media prior to output of the media by the media device, and inserting the second watermark in the media prior to the output of the media by the media device.

Abstract: A method includes generating a first sequence of data words for sending over an interface. A second sequence of signatures is computed and interleaved into the first sequence, so as to produce an interleaved sequence in which each given signature cumulatively signs the data words that are signed by a previous signature in the interleaved sequence and the data words located between the previous signature and the given signature. The interleaved sequence is transmitted over the interface.

Abstract: An apparatus for electronic signature verification, including a grouping unit to group, into at least one group, a plurality of kernels included in an application to which electronic signature verification is to be performed, and an electronic signature verification unit to perform electronic signature verification with respect to the at least one group.

Abstract: Systems and methods are provided for using a hidden audio signal. In one exemplary embodiment, the method includes registering, at a central database, one or more of an identifier and a destination resource associated with the identifier, and encoding the one or more of the identifier and the destination resource in a hidden audio signal. The method further includes transmitting the hidden audio signal, including the one or more of the identifier and the destination resource, in connection with an acoustic signal, and receiving the acoustic signal at a user device. In addition, the method includes decoding the encoded one or more of the identifier and the destination resource at the user device; and requesting, from the central database, information associated with the one or more of the identifier and the destination resource. Further, the method includes receiving, at the user device, the requested information.

Abstract: Systems and methods for providing information security in an unobtrusive manner are presented herein. An authentication component can enable a primary user of a multi-user communications device, based on an authentication process initiated by the primary user, to classify information stored in the multi-user communications device as invisible to other users of the device. The information classified as invisible to the other users can include phone number(s), phone message(s), email address(es), email(s), electronic message(s), call history, email history, and/or personal data. In addition, an information access component can enable the primary user to access the information classified as invisible to the other users of the multi-user communications device upon authentication of the primary user's identity.

Abstract: A method for authenticating video content includes: receiving a digital signature, an unsecured video fingerprint, and an unsecured video content from a transmitting node at a receiving node in a communication network; determining if the digital signature is consistent with the unsecured video fingerprint at the receiving node to verify the unsecured video fingerprint; and determining if the unsecured video fingerprint is consistent with the unsecured video content at the receiving node to verify the unsecured video content in a manner that tolerates a predetermined measure of loss in the unsecured video content. If the unsecured video fingerprint and the unsecured video content are verified, the unsecured video content is authenticated for subsequent use at the receiving node. A receiving node associated with the method includes an input module, a fingerprint verification module, a content verification module, and a controller module.

Abstract: Disclosed is a system and method by which a multimedia source device communicates with a display device, allowing the multimedia devices to securely confirm the identity of the devices and confirm their trustworthiness through a trust authority.

Abstract: Embodiments relate to methods and apparatus for facilitating the protection from tampering of an electronic document to which an electronic signature is applied. In non-limiting examples, techniques may relate to the handling of document appearance data, dynamic signature biometric data, digital footprints data, pixel history data, and camera-acquired image data.

Abstract: Methods, systems and apparatuses for an originator publishing an attestation of a statement are disclosed. One method includes obtaining information, wherein the information includes the attestation of the statement, wherein the statement includes at least a portion of the information to be attested to, and wherein the attestation includes a context describing conditions of the attestation, and wherein the attestation includes a cryptographic signature of the context and the statement. The method further includes validating the information. The method further includes communicating after validating the information the information to a destination while maintaining at least one of data privacy or data provenance, including creating a new statement by transforming the statement to a form suitable for the destination, creating, by the computing device, a new attestation by signing the new statement with a new context specific to the computing device, and making available the new attestation to the destination.

Abstract: An access component sends an access request to an intermediary component, the access request being a request to access a service or resource without credentials of a current user of the intermediary component being revealed to the access component. The intermediary component obtains user credentials, for the current user, that are associated with the service or resource. The access request and the user credentials are sent to the service or resource, and in response session state information is received from the service or resource. The session state information is returned to the access component, which allows the access component and the service or resource to communicate with one another based on the session state information and independently of the first component.

Abstract: A method for device driver self authentication is provided. The method includes accessing a device driver having encrypted authentication parameters therein including, for instance, a vendor identification, a device identification, a serial number, an expiration date and a filename. The method includes executing an authentication portion of the device driver to generate a message digest of these parameters and comparing the message digest to a stored digest for a match thereof. The method further includes loading the device driver only if the authentication portion successfully authenticates the device driver, e.g., there is a match. The method can be applied to USB device drivers and peripherals.

Abstract: An image processing apparatus includes: an extractor to extract colors used in input data; a converter to convert signals of the extracted colors into intermediate color signals each including three color signal components including brightness; an evaluator to evaluate recognizabilities of the colors based on the intermediate color signals; a generator to generate additional image data to be added to data for ordinary image formation based on a result of the evaluation and the input data; and a color convertor to convert the input data into the data for ordinary image formation.

Abstract: Systems, methods, and media for classifying messages are disclosed. A plurality of fraud indicators are identified in the message. A signature of the message is generated. The generated signature of the message is compared to a stored signature. The stored signature is based on a statistical analysis of fraud indicators in a second message associated with the stored signature. A determination as to whether the message is fraudulent is made based on the comparison. The message is processed based on the determination that the message is a fraudulent message.

Abstract: A security system provides a defense from known and unknown viruses, worms, spyware, hackers, and unwanted software. The system can implement centralized policies that allow an administrator to approve, block, quarantine, and log file activities. The system can extract content of interest from a file container, repackage the content of interest as another valid file type, perform hashes on the content of interest, associate the hash of the container with the hash of the repackaged content, transfer the repackaged content, and store the hash with other security-related information.

Abstract: In a method for managing access to a secure content-part of a PPCD, a key reset point of the secure content-part during a workflow among workflow participants is determined. In addition, key-map files comprising subsets of access keys that provide access to the secure content-part during respective content access sessions are generated, in which at least one of the key-map files corresponds to the key reset point and comprises a first decryption key, a first verification key, a second encryption key, and a second signature key, in which the first decryption key does not correspond to the second encryption key, and in which the first verification key does not correspond to the second signature key. In addition, the plurality of key-map files are supplied to at least one of the participants.

Abstract: A relay device includes a memory and a processor coupled to the memory. The processor executes a process including storing association relationship information in which a session identifier for identifying a session established between a server and a client by a program running on the server is associated with a server identifier for identifying the server. The process includes determining whether a session identifier contained in a message received from a distributing device is contained in the association relationship information stored at the storing. The process includes selecting a relay system used when the received message is transferred to the server in accordance with a program that has established a session indicated by the session identifier contained in the message. The process includes transferring the message by using the relay system selected at the selecting.

Abstract: The invention provides a method and apparatus for transmitting data securely using an unreliable communication protocol, such as User Datagram Protocol. In one variation, the invention retains compatibility with conventional Secure Sockets Layer (SSL) and SOCKS protocols, such that secure UDP datagrams can be transmitted between a proxy server and a client computer in a manner analogous to conventional SOCKS processing. In contrast to conventional SSL processing, which relies on a guaranteed delivery service such as TCP and encrypts successive data records with reference to a previously-transmitted data record, encryption is performed using a nonce that is embedded in each transmitted data record. This nonce acts both as an initialization vector for encryption/decryption of the record, and as a unique identifier to authenticate the record.

Abstract: This specification describes technologies relating to applying electronic signatures to content items. In general, one aspect of the subject matter described in this specification can be embodied in methods that include receiving a content item and receiving a request to electronically sign the content item by a user by associating the content item with a credential associated with the user, the request comprising data identifying the credential from among a set of credentials that are associated with the user. The method may further include generating a package comprising the content item and data for the identified credential.