Having Separate Add-on Board Patents (Class 713/192)
-
Patent number: 10042649
Abstract: A method and apparatus for initiating secure operations in a microprocessor system is described. In one embodiment, one initiating logical processor initiates the process by halting the execution of the other logical processors, and then loading initialization and secure virtual machine monitor software into memory. The initiating processor then loads the initialization software into secure memory for authentication and execution. The initialization software then authenticates and registers the secure virtual machine monitor software prior to secure system operations.
Type: Grant
Filed: January 10, 2017
Date of Patent: August 7, 2018
Assignee: Intel Corporation
Inventors: James A. Sutton, II, David W. Grawrock
-
Patent number: 10027637
Abstract: A method for operating a cloud gateway is provided. The method includes generating a plurality of rules relating users and groups to data access at a plurality of cloud service providers. The method includes encrypting, at one of a plurality of connectors, outgoing data that is moving through a cloud gateway en route from a proxy server to one of the plurality of cloud service providers, responsive to a data write request associated with a first user, the encrypting in accordance to one of the plurality of rules as related to the first user. The method includes decrypting, at one of the plurality of connectors, incoming data that is moving through the cloud gateway en route from one of the plurality of cloud service providers to the server, responsive to a data read request associated with a second user, the decrypting in accordance to one of the plurality of rules as related to the second user.
Type: Grant
Filed: March 12, 2015
Date of Patent: July 17, 2018
Assignee: Vormetric, Inc.
Inventor: Saravanan Coimbatore
-
Patent number: 10007808
Abstract: A computer system, includes a crypto mechanism that decrypts and integrity-checks Secure Object information as the Secure Object information moves into the computer system from an external storage and encrypts and updates an integrity value for Secure Object information as the Secure Object information moves out of the computer system to the external storage.
Type: Grant
Filed: November 6, 2017
Date of Patent: June 26, 2018
Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
Inventors: Richard Harold Boivie, Dimitrios Pendarakis
-
Patent number: 9990208
Abstract: A method and apparatus for initiating secure operations in a microprocessor system is described. In one embodiment, one initiating logical processor initiates the process by halting the execution of the other logical processors, and then loading initialization and secure virtual machine monitor software into memory. The initiating processor then loads the initialization software into secure memory for authentication and execution. The initialization software then authenticates and registers the secure virtual machine monitor software prior to secure system operations.
Type: Grant
Filed: January 10, 2017
Date of Patent: June 5, 2018
Assignee: Intel Corporation
Inventors: James A. Sutton, II, David W. Grawrock
-
Patent number: 9967263
Abstract: A file security management apparatus and method which protect various types of systems for executing files, entering from the outside, from malicious code, and which prevent data from being divulged from the systems and also prevent the systems from operating erroneously, thereby ultimately protecting the systems. The file security management apparatus includes a conversion module configured to convert an incoming file, received by a system, into a monitoring target file; a search module configured to identify a selection for the execution of the monitoring target file, and to output incoming files, configured in the monitoring target file, into a search window; and a security module configured to decrypt the monitoring target file to the incoming file, and to perform processing so that the incoming file is executed via a corresponding application program in an isolated drive set as an isolated environment.
Type: Grant
Filed: May 22, 2014
Date of Patent: May 8, 2018
Assignee: SOFTCAMP CO., LTD.
Inventor: Steve Bae
-
Patent number: 9928080
Abstract: Trusted firmware on a host server is used for managing access to a hardware security module (HSM) connected to the host server. The HSM stores confidential information associated with an operating system. As part of access management, the firmware detects a boot device identifier associated with a boot device configured to boot the operating system on the host server. The firmware then receives a second boot device identifier from the HSM. The boot device identifier and the second boot device identifier are then compared by the firmware. Based on the comparison, the firmware determines that the boot device identifier matches with the second boot device identifier. Based on this determination, the firmware grants the operating system access to the HSM.
Type: Grant
Filed: September 30, 2014
Date of Patent: March 27, 2018
Assignee: International Business Machines Corporation
Inventors: Volker M. M. Boenisch, Reinhard Buendgen, Franziska Geisert, Jakob C. Lang, Mareike Lattermann, Angel Nunez Mencias
-
Patent number: 9888118
Abstract: Systems and methods of contact center data integration with customer relationship management (CRM) applications on client computing devices in contact center environments are provided. A workspace routing connector application, responsive to an actuation command, can integrate the contact center enterprise with the different enterprise. A configuration component of the workspace routing connector application can select a contact center parameter from a contact center enterprise server. The workspace routing connector application can display, in a graphical user interface, an available CRM application and a CRM script based on the contact center parameter, and can receive an indication of selection of the CRM application. Responsive to selection of the CRM application, the CRM script can provide, from the contact center enterprise server via the computer network, for display by a client computing device in a contact center environment, contact center data related to the contact center parameter.
Type: Grant
Filed: June 10, 2016
Date of Patent: February 6, 2018
Assignee: SOFTPHONE SRL
Inventors: Alan Lugiai, Francesco Falanga
-
Patent number: 9881183
Abstract: Systems and methods for reducing problems and disadvantages associated with traditional approaches to encryption and decryption of data are provided. An information handling system may include a processor, a memory communicatively coupled to the processor, and a computer-readable medium communicatively coupled to the processor.
Type: Grant
Filed: July 16, 2015
Date of Patent: January 30, 2018
Assignee: Dell Products L.P.
Inventors: Amy Christine Nelson, Kenneth W. Stufflebeam, Jr.
-
Patent number: 9858429
Abstract: A method of data transfer in an electronic device including a secure module, which includes a processor and a secure element, an application processor, and a sensor, may include: switching an operation mode of the processor to a bypass mode; performing a cross-authentication, by the application processor and the secure element; generating a session key, by the application processor and the secure element, when the cross-authentication is succeeded; switching the operation mode of the processor to a normal mode; encrypting, by the secure module, sensing data provided by the sensor using the session key; transferring the encrypted sensing data from the processor to the application processor; and/or acquiring, by the application processor, the sensing data by decrypting the encrypted sensing data using the session key.
Type: Grant
Filed: December 1, 2015
Date of Patent: January 2, 2018
Assignee: Samsung Electronics Co., Ltd.
Inventors: Seung-Ho Lee, Ki-Hyoun Kwon, Sung-Hoon Son, Jun-Ho Lee, Jerome Han
-
Patent number: 9836308
Abstract: Trusted firmware on a host server is used for managing access to a hardware security module (HSM) connected to the host server. The HSM stores confidential information associated with an operating system. As part of access management, the firmware detects a boot device identifier associated with a boot device configured to boot the operating system on the host server. The firmware then receives a second boot device identifier from the HSM. The boot device identifier and the second boot device identifier are then compared by the firmware. Based on the comparison, the firmware determines that the boot device identifier matches with the second boot device identifier. Based on this determination, the firmware grants the operating system access to the HSM.
Type: Grant
Filed: December 18, 2014
Date of Patent: December 5, 2017
Assignee: International Business Machines Corporation
Inventors: Volker M. M. Boenisch, Reinhard Buendgen, Franziska Geisert, Jakob C. Lang, Mareike Lattermann, Angel Nunez Mencias
-
Patent number: 9747426
Abstract: Embodiments include a method, a computing device, and a computer program product. An embodiment provides a method implemented in a computing environment. The method includes receiving a designation of an individualized digital identifier. The method also includes associating a human-perceptible form of the designated individualized digital identifier with each element of a group of human-perceivable elements displayed by the computing environment.
Type: Grant
Filed: October 4, 2013
Date of Patent: August 29, 2017
Assignee: Invention Science Fund I, LLC
Inventors: Alexander J. Cohen, Edward K. Y. Jung, Royce A. Levien, Robert W. Lord, Mark A. Malamud, William Henry Mangione-Smith, John D. Rinaldo, Jr., Lowell L. Wood, Jr.
-
Patent number: 9652635
Abstract: The instruction code including an instruction code stored in the area where the encrypted instruction code is stored in a non-rewritable format is authenticated using a specific key which is specific to the core where the instruction code is executed or an authenticated key by a specific key to perform an encryption processing for the input and output data between the core and the outside.
Type: Grant
Filed: November 27, 2013
Date of Patent: May 16, 2017
Assignee: SOCIONEXT INC.
Inventors: Seiji Goto, Jun Kamada, Taiji Tamiya
-
Patent number: 9602274
Abstract: A secure password generation method and system is provided. The method includes enabling by a processor of a computing system, password translation software. The computer processor generates and stores the random translation key. A first password is received and a second associated password is generated. The computer processor associates the second password with a secure application. The computer processor stores the random translation key within an external memory device and disables a connection between the computing system and the external memory device.
Type: Grant
Filed: September 11, 2015
Date of Patent: March 21, 2017
Assignee: International Business Machines Corporation
Inventor: Arnaud Lund
-
Patent number: 9594638
Abstract: Approaches are described for enabling a host computing device to store credentials and other security information useful for recovering the state of the host computing device in a secure store, such as a trusted platform module (TPM) on the host computing device. When recovering the host computing device in the event of a failure (e.g., power outage, network failure, etc.), the host computing device can obtain the necessary credentials from the secure store and use those credentials to boot various services, restore the state of the host and perform various other functions. In addition, the secure store (e.g., TPM) may provide boot firmware measurement and remote attestation of the host computing devices to other devices on a network, such as when the recovering host needs to communicate with the other devices on the network.
Type: Grant
Filed: April 15, 2013
Date of Patent: March 14, 2017
Assignee: Amazon Technologies, Inc.
Inventors: Nachiketh Rao Potlapally, Rachit Chawla, Jeremy Ryan Volkman, Michael David Marr
-
Patent number: 9569061
Abstract: An automated process collects and organizes field data from an inspection of a building or other structure such as pipe supports, bridges, buildings, over head supports, and smoke stacks.
Type: Grant
Filed: December 26, 2013
Date of Patent: February 14, 2017
Assignee: GLOBEX CORPORATION
Inventor: Steve Stanic
-
Patent number: 9565016
Abstract: A protection mechanism for the execution of an encryption algorithm is disclosed. In the mechanism the encryption algorithm has its execution preceded by an update of a counter stored in a reprogrammable non-volatile memory. Storing the value of the counter into the memory corresponds with the execution of the algorithm.
Type: Grant
Filed: October 22, 2014
Date of Patent: February 7, 2017
Assignee: Proton World International N.V.
Inventors: Alexandre Wostyn, Jean-Louis Modave
-
Patent number: 9547506
Abstract: In one embodiment, a computer system provides a process for executing software that cannot be executed in a first configuration. The computer system determines source media for the software stored in a first data store, the source media being in the first configuration. The computer system retrieves metadata relating to executing the software from the source media. The computer system next transforms the retrieved metadata to generate a second configuration of the source media according to a transformation rule set, where the software can be executed in the second configuration, and stores the transformed metadata in a second data store. Next, the computer system presents the second configuration of the source media based on the transformed metadata. Thereafter, the computer system satisfies a request relating to executing the software using the transformed metadata in the second data store, wherein the request is satisfied based on the second configuration.
Type: Grant
Filed: October 31, 2013
Date of Patent: January 17, 2017
Assignee: VMware, Inc.
Inventor: Darius Davis
-
Patent number: 9479527
Abstract: Systems and methods for managing jobs to be scanned based on existence of processing nodes are described. One of the methods includes obtaining identification information regarding operation of a first set of the processing nodes from an inventory and creating a job for scanning the processing nodes of the first set for security vulnerability. The job includes the identification information. The method further includes verifying the inventory to determine the first identifying information of the first set of processing nodes for removal from the job and loading the job having second identifying information for a second set of processing nodes that remain after the verifying operation.
Type: Grant
Filed: October 15, 2015
Date of Patent: October 25, 2016
Assignee: Zynga Inc.
Inventors: Kevin McGinley, Rich Tener
-
Simplifying IKE process in a gateway to enable datapath scaling using a two tier cache configuration
Patent number: 9473298
Abstract: Computational complexity, specifically, cryptographic operations, is removed from the IKE (Internet Key Exchange) process in a VPN gateway appliance, thereby enabling scaling of the number of datapaths that can be managed by a single IKE process. A two-tier cache configuration enables necessary cryptographic operations on packets in the gateway but does so without placing additional computational burdens on the IKE process. One cache containing security association data is local to the IPSec component of the datapath instance. The second cache is higher level and is populated by IKE with security association data upon completion of IKE Phase 2 negotiations. The local cache is searched first for security policy data and if found is used to encrypt/decrypt the data packet. If not found locally, the IKE centralized cache is searched and if found, the local cache is updated with the security association data.
Type: Grant
Filed: January 8, 2015
Date of Patent: October 18, 2016
Assignee: Blue Cedar Networks, Inc.
Inventor: Kenneth J. Wante
-
Patent number: 9419794
Abstract: An SOC implements a security enclave processor (SEP). The SEP may include a processor and one or more security peripherals. The SEP may be isolated from the rest of the SOC (e.g. one or more central processing units (CPUs) in the SOC, or application processors (APs) in the SOC). Access to the SEP may be strictly controlled by hardware. For example, a mechanism in which the CPUs/APs can only access a mailbox location in the SEP is described. The CPU/AP may write a message to the mailbox, which the SEP may read and respond to. The SEP may include one or more of the following in some embodiments: secure key management using wrapping keys, SEP control of boot and/or power management, and separate trust zones in memory.
Type: Grant
Filed: September 23, 2014
Date of Patent: August 16, 2016
Assignee: Apple Inc.
Inventors: R. Stephen Polzin, Fabrice L. Gautier, Mitchell D. Adler, Conrad Sauerwald, Michael L. H. Brouwer
-
Patent number: 9405913
Abstract: A method to defend effectively against cold-boot attacks includes checking state data stored in a state memory to which the system software has access. At least two of the state data items are checked (111; 112) to determine deviations from parameters that are defined for a normal state of the computer. If deviations from the parameters are determined for at least two of the checked state data items, at least subareas of the main memory are cleared or overwritten (120); otherwise, the main memory is not cleared or overwritten (130); then, the system startup of the computer is carried out by means of the configured system software (140).
Type: Grant
Filed: November 10, 2014
Date of Patent: August 2, 2016
Assignee: Wincor Nixdorf International GmbH
Inventor: Volker Krummel
-
Patent number: 9384367
Abstract: In accordance with some embodiments, a single trusted platform module per platform may be used to handle conventional trusted platform tasks as well as those that would arise prior to the existence of a primary trusted platform module in conventional systems. Thus one single trusted platform module may handle measurements of all aspects of the platform including the baseboard management controller. In some embodiments, a management engine image is validated using a read only memory embedded in a chipset such as a platform controller hub, as the root of trust. Before the baseboard management controller (BMC) is allowed to boot, it must validate the integrity of its flash memory. But the BMC image may be stored in a memory coupled to a platform controller hub (PCH) in a way that it can be validated by the PCH.
Type: Grant
Filed: September 4, 2012
Date of Patent: July 5, 2016
Assignee: Intel Corporation
Inventors: Robert C. Swanson, Palsamy Sakthikumar, Mallik Bulusu, Robert Bruce Bahnsen
-
Patent number: 9318156
Abstract: In one implementation, flash memory chips are provided with an operating power supply voltage to substantially match a power supply voltage expected at an edge connector of a dual inline memory module. The one or more of the flash memory chips and a memory support application integrated circuit (ASIC) may be mounted together into a multi-chip package for integrated circuits. The one or more flash memory chips and the memory support ASIC may be electrically coupled together by routing one or more conductors between each in the multi-chip package. The multi-chip package may be mounted onto a printed circuit board (PCB) of a flash memory DIMM to reduce the number of packages mounted thereto and reduce the height of the flash memory DIMM. The number of printed circuit board layers may also be reduced, such as by integrating address functions into the memory support ASIC.
Type: Grant
Filed: September 3, 2013
Date of Patent: April 19, 2016
Assignee: Virident Systems, Inc.
Inventors: Ruban Kanapathippillai, Kenneth Alan Okin
-
Patent number: 9306946
Abstract: An intelligent electronic cryptographic cloud computing system can include a computing cloud. The computing cloud can include one or more data storages and one or more processers, one of which is an enterprise server. The computing cloud can be configured to provide at least one service with shared hardware and software resources.
Type: Grant
Filed: August 21, 2012
Date of Patent: April 5, 2016
Assignee: DJ INVENTIONS, LLC
Inventor: Douglas C. Osburn
-
Patent number: 9298938
Abstract: Systems and methods for reducing problems and disadvantages associated with traditional approaches to encryption and decryption of data are provided. An information handling system may include a processor, a memory communicatively coupled to the processor, and an encryption accelerator communicatively coupled to the processor. The encryption accelerator may be configured to encrypt and decrypt information in accordance with a plurality of cryptographic functions, receive a command from the processor to perform an encryption or decryption task upon data associated with an input/output operation, and in response to receiving the command, encrypt or decrypt the data associated with the input/output operation based on a particular one of the plurality of cryptographic functions.
Type: Grant
Filed: December 18, 2014
Date of Patent: March 29, 2016
Assignee: Dell Products L.P.
Inventors: Kenneth W. Stufflebeam, Jr., Michele Kopp
-
Patent number: 9268957
Abstract: Decryption apparatus includes an input memory (48), which is coupled to receive encrypted data, and an output transducer (28), for presenting decrypted data to a user. A decryption processor (50) is coupled to read and decrypt the encrypted data from the input memory but is incapable of writing to the input memory, and is coupled to convey the decrypted data to the output transducer for presentation to the user.
Type: Grant
Filed: December 11, 2007
Date of Patent: February 23, 2016
Assignee: Waterfall Security Solutions Ltd.
Inventors: Lior Frenkel, Amir Zilberstein
-
Patent number: 9189618
Abstract: A secure password generation method and system is provided. The method includes enabling by a processor of a computing system, password translation software. The computer processor generates and stores the random translation key. A first password is received and a second associated password is generated. The computer processor associates the second password with a secure application. The computer processor stores the random translation key within an external memory device and disables a connection between the computing system and the external memory device.
Type: Grant
Filed: May 21, 2014
Date of Patent: November 17, 2015
Assignee: International Business Machines Corporation
Inventor: Arnaud Lund
-
Patent number: 9177353
Abstract: A protected graphics module can send its output to a display engine securely. Secure communications with the display can provide a level of confidentiality of content generated by protected graphics modules against software and hardware attacks.
Type: Grant
Filed: March 15, 2013
Date of Patent: November 3, 2015
Assignee: Intel Corporation
Inventors: Siddhartha Chhabra, Uday R. Savagaonkar, Prashant Dewan, Michael A. Goldsmith, David M. Durham
-
Patent number: 9135471
Abstract: Systems and methods for reducing problems and disadvantages associated with traditional approaches to encryption and decryption of data are provided. A method for encryption and decryption of data, may include encrypting or decrypting data associated with an input/output operation based on at least one of an encryption key and a cryptographic function, wherein at least one of the encryption key and the cryptographic function are selected based on one or more characteristics associated with the data to be encrypted or decrypted. Another method may include encrypting an item of data based on at least one of a first-layer encryption key and a first-layer cryptographic function to produce first-layer encrypted data and encrypting the first-layer encrypted data based on at least one of a second-layer encryption key and a second-layer cryptographic function to produce second-layer encrypted data.
Type: Grant
Filed: March 10, 2010
Date of Patent: September 15, 2015
Assignee: Dell Products L.P.
Inventors: Kenneth W. Stufflebeam, Jr., Amy Christine Nelson
-
Patent number: 9118467
Abstract: A client device that is coupled to a host device sends a parent public key and an associated certificate to the host device. The parent public key, the certificate and a corresponding parent private key are stored in secure persistent storage included in a secure device associated with the client device. The client device receives instructions from the host device for generating a child private and public key pair. In response to receiving the instructions, the client device generates a child private key based on a first random number produced within the secure device, and a child public key associated with the child private key. The client device computes a first signature on the child public key using the parent private key. The client device sends the child public key and the first signature to the host device.
Type: Grant
Filed: March 13, 2013
Date of Patent: August 25, 2015
Assignee: Atmel Corporation
Inventors: Kerry David Maletsky, Michael J. Seymour, Brad Phillip Garner
-
Patent number: 9098727
Abstract: Systems and methods for reducing problems and disadvantages associated with traditional approaches to encryption and decryption of data are provided. An information handling system may include a processor, a memory communicatively coupled to the processor, and a computer-readable medium communicatively coupled to the processor. The computer-readable medium may have instructions stored thereon, the instructions configured to, when executed by the processor: (i) periodically store, during an encryption or decryption operation performed on the computer-readable medium, one or more variables indicative of an encryption status of a volume of the computer-readable medium; (ii) determine, based on the one or more variables, whether the volume is in a partially encrypted or decrypted state; and (iii) in response to a determination that the volume is in a partially encrypted or decrypted state, boot from the volume and continue the encryption or decryption operation.
Type: Grant
Filed: October 30, 2012
Date of Patent: August 4, 2015
Assignee: Dell Products L.P.
Inventors: Amy Christine Nelson, Kenneth W. Stufflebeam, Jr.
-
Patent number: 9037852
Abstract: A computer system storing parameters pertaining to the regulatory restrictions placed on a for-hire vehicle compares the parameters to a current operating environment of the for-hire vehicle. In some embodiments, the computer system acts as the meter (such as a taximeter) of the for-hire vehicle. The operating parameters may include expiration or exclusion parameters that define the scope of operation of the for-hire vehicle stemming from the for-hire vehicle's medallion or certificate of public convenience and necessity. The expiration or exclusion parameters may also correspond to a driver's permit or any general regulation enacted by the regulatory agency. If the current operating environment does not comply with the expiration or exclusion parameters, the computer system shuts down, or enters a standby mode, and may not accept additional passenger fares until the current operating environment complies with the expiration and exclusion parameters.
Type: Grant
Filed: September 2, 2011
Date of Patent: May 19, 2015
Assignee: IVSC IP LLC
Inventors: Michael Collins Pinkus, Mark A. James, James Alan Wisniewski
-
Patent number: 9003203
Abstract: Storage associated with a virtual machine or other type of device may be migrated between locations (e.g., physical devices, network locations, etc.). To maintain the security of the storage, a system may manage the encryption of the storage area such that a storage area is encrypted with a first encryption key that may be maintained through the migration. A header of the storage area, on the other hand, may be encrypted using a second encryption key and the first encryption key may be stored therein. Upon transfer, the header may be re-encrypted to affect the transfer of security.
Type: Grant
Filed: January 23, 2013
Date of Patent: April 7, 2015
Assignee: Citrix Systems, Inc.
Inventor: Michael Bursell
-
Publication number: 20150095660
Abstract: A computational system is configured to protect against integrity violation. The computational system includes a processing unit and a critical resource, the critical resource being controllable by the processing unit so as to be locked or unlocked. The critical resource is configured to intermittently transmit a polling value to the processing unit, and the processing unit is configured to apply a transformation onto the polling value so as to obtain a response value and send the response value back to the critical resource. The critical resource is configured to check the response value on correctness so as to obtain a check result, and subject the controllability to a dependency on the check result.
Type: Application
Filed: September 30, 2013
Publication date: April 2, 2015
Inventors: Berndt Gammel, Tomaz Felicijan, Stefan Mangard
-
Patent number: 8996885
Abstract: Secure processing systems providing host-isolated security are provided. An exemplary secure processing system includes a host processor and a virtual machine instantiated on the host processor. A virtual unified security hub (USH) is instantiated on the virtual machine to provide security services to applications executing on the host processor. The virtual USH may further include an application programming interface (API) operable to expose the security services to the applications. A further exemplary secure processing system includes a host processor running a windows operating system for example, a low power host processor, and a USH processor configured to provide secure services to both the host processor and the low power host processor isolating the secure services from the host processor and the low power processor. The USH processor may also include an API to expose the security services to applications executing on the host processor and/or the low power host processor.
Type: Grant
Filed: October 2, 2009
Date of Patent: March 31, 2015
Assignee: Broadcom Corporation
Inventor: Mark Buer
-
Patent number: 8997209
Abstract: A memory device includes a plurality of memory chips, including one or more memory chips that store authentication information, and a controller including a first register that stores information indicating a representative memory chip, from among the one or more memory chips that store the authentication information, that stores valid authentication information.
Type: Grant
Filed: March 14, 2013
Date of Patent: March 31, 2015
Assignee: Samsung Electronics Co., Ltd.
Inventors: Won-Seok Lee, Young-Kug Moon
-
Patent number: 8984656
Abstract: Database management and security is implemented in a variety of embodiments. In one such embodiment, data sets containing sensitive data elements are analyzed using aliases representing sensitive data elements. In another embodiment, the sensitive data elements are stored in an encrypted form for use from a secure access, while the alias is available for standard access.
Type: Grant
Filed: September 23, 2013
Date of Patent: March 17, 2015
Assignee: Verisk Crime Analytics, Inc.
Inventors: David A. Duhaime, Brad J. Duhaime
-
Patent number: 8983074
Abstract: An input content data managing system, includes a first electronic storing apparatus that stores encoded content data generated by encoding content data with a cryptographic key; a electronic second storing apparatus that stores the cryptographic key with corresponding digest-value data of the encoded content data capable of identifying sameness of the encoded content data; a matching unit that determines a matched cryptographic key stored in the second storing apparatus for the encoded content data stored in the first storing apparatus, the matching using, as a matching key, at a predetermined time, digest-value data of the encoded content data obtained from the encoded content data stored in the first storing apparatus to match with the digest-value data of the encoded content data stored in the second storing apparatus, in order to obtain the content data by decoding the encoded content data using the matched cryptographic key.
Type: Grant
Filed: June 26, 2012
Date of Patent: March 17, 2015
Assignee: Quad, Inc.
Inventor: Kozo Tagawa
-
Publication number: 20150067352
Abstract: Disclosed is a cryptographic device that may automatically configure its traffic interfaces and cryptographic modes when it is inserted into an electrically keyed receptacle in a host system. Such automatic configuration may enable a single cryptographic module to support a range of input/output interfaces, such as SPI, Ethernet, RS-232 Serial, and RS-485 Serial, for example, and also to support a range of cryptographic modes, such as Cipher Block Chaining, Galois Counter Mode, or Long Cycle Mode, for Communications Security (COMSEC) and Transmission Security (TRANSEC) purposes. In addition, such automatic configuration may include parameters that affect power consumption, such as device clock rate or other power management features.
Type: Application
Filed: August 30, 2013
Publication date: March 5, 2015
Inventor: Richard Norman Winslow
-
Patent number: 8966284
Abstract: A memory system comprises an encryption engine implemented in the hardware of a controller. In starting up the memory system, a boot strapping mechanism is implemented wherein a first portion of firmware when executed pulls in another portion of firmware to be executed. The hardware of the encryption engine is used to verify the integrity of at least the first portion of the firmware. Therefore, only the firmware that is intended to run the system will be executed.
Type: Grant
Filed: November 21, 2005
Date of Patent: February 24, 2015
Assignee: SanDisk Technologies Inc.
Inventors: Michael Holtzman, Ron Barzilai, Reuven Elhamias, Niv Cohen
-
Patent number: 8959640
Abstract: The present invention relates to a method of controlling the download of anti-virus software updates to a device. The device is configured to transmit an update query to a network device requesting information on whether any updates are available for the anti-virus software. When the device receives the response it stores the response in the cache. The cache can then be queried following a trigger and, if the cache indicates an update to the anti-virus software is available the device downloads an update to the anti-virus software. In an alternative embodiment the device may download and install an update upon receiving the response to the query if the response to the query indicates that an update is available. The query may be transmitted during a scan or upon determining a change in a connection at a device.
Type: Grant
Filed: March 29, 2012
Date of Patent: February 17, 2015
Assignee: F-Secure Corporation
Inventors: Paolo Palumbo, Andrew Patel
-
Patent number: 8954624
Abstract: The pureness of a connection between an external device and a host computer can be inspected or monitored to determine the status: connected or disconnected. When it is determined that a disconnection state is entered, an indication can be sent to the host and, in parallel, the data transportation from and/or to the external device may be manipulated. In some embodiments an exemplary connection protector device (CPD) may be added to the connection in between the external device and the host. The CPD can have two connectors one for the host and one for the cable of the external device. The CPD can be adapted to identify any disconnection in the connection with the host and/or the connection with the external device on the other side of the CPD.
Type: Grant
Filed: October 4, 2006
Date of Patent: February 10, 2015
Assignee: Safend Ltd.
Inventors: Avner Rosenan, Zvi Gutterman, Dor Skuler, Gil Sever
-
Method and apparatus for sharing an integrity security module in a dual-environment computing device
Patent number: 8943329
Abstract: A method and apparatus are disclosed for sharing an integrity security module in a dual-environment computing device. The apparatus includes an integrity security module, one or more processors, a detection module and a regeneration module. The one or more processors may have access to the integrity security module and may operate in two distinct operating environments of a dual-environment computing device. The detection module may detect, during an initialization sequence, a power state transition of an operating environment of the dual-environment computing device. The regeneration module may regenerate one or more integrity values from a stored integrity metric log in response to detecting the power state transition of the operating environment of the dual-environment computing device.
Type: Grant
Filed: March 29, 2010
Date of Patent: January 27, 2015
Assignee: Lenovo (Singapore) Pte. Ltd.
Inventors: David Carroll Challener, Daryl C. Cromer, Howard J. Locker, Randall Scott Springfield
-
Patent number: 8935523
Abstract: An auditable cryptographic protected communication system for connecting an enterprise server to a plurality of industrial devices using messaging protocols for each industrial device enabling the industrial devices to receive commands and transmit status and measurement data using the individual device messaging protocols over a network.
Type: Grant
Filed: December 11, 2012
Date of Patent: January 13, 2015
Assignee: DJ Inventions, LLC
Inventor: Douglas C. Osburn, III
-
Patent number: 8930717
Abstract: Described herein are devices and techniques related to implementation of a trustworthy electronic processing module. During fabrication, a manufacturer is provided with partial technical specifications that intentionally exclude at least one critical design feature. Fabrication of the electronic processing module is monitored from a trusted remote location; wherefrom, the intentionally excluded at least one critical design feature is implemented, thereby completing manufacture of the trustworthy electronic processing module. At least one of the acts of monitoring and implementing can be accomplished by instantiating executable software remotely from a trusted remote location and immediately prior to execution. It is the executable software that enables at least one of the acts of monitoring and implementing. Further, the instantiated executable software is removed or otherwise rendered inoperable immediately subsequent to execution.
Type: Grant
Filed: March 1, 2012
Date of Patent: January 6, 2015
Assignee: Angel Secure Networks, Inc.
Inventor: Fred Hewitt Smith
-
Patent number: 8918880
Abstract: A technology is provided which ensures a high security without affecting a plant operation. A plant security managing device includes a determining unit that determines which one of control units multiplexed as a service system and a standby system associated with monitoring and controlling of a plant is the standby system, a security processing unit that performs a security process for detecting the presence/absence of a security abnormality on the control unit that is the standby system, and a change instructing unit that outputs an instruction for changing the control unit that is the standby system and the control unit that is the service system with each other after the completion of the security process by the security processing unit.
Type: Grant
Filed: December 19, 2012
Date of Patent: December 23, 2014
Assignee: Kabushiki Kaisha Toshiba
Inventors: Keishin Saito, Hiroshi Inada, Takahiro Mori
-
Patent number: 8898481
Abstract: An auditable cryptographic protected cloud computing communication system, wherein the system can include a plurality of industrial devices. Each industrial device can have an individualized messaging protocol enabling each industrial device to receive commands and transmit status and measurement data using the individualized messaging protocol for each industrial device. At least one industrial device is in communication with a computing cloud, wherein the computing cloud is configured to provide at least one service and shared hardware and software resources.
Type: Grant
Filed: March 4, 2014
Date of Patent: November 25, 2014
Assignee: DJ Inventions, LLC
Inventors: Douglas C. Osburn, III, Nader M. Rabadi
-
Patent number: 8886960
Abstract: A microprocessor includes an architected register having a bit. The microprocessor sets the bit. The microprocessor also includes a fetch unit that fetches encrypted instructions from an instruction cache and decrypts them prior to executing them, in response to the microprocessor setting the bit. The microprocessor saves the value of the bit to a stack in memory and then clears the bit, in response to receiving an interrupt. The fetch unit fetches unencrypted instructions from the instruction cache and executes them without decrypting them, after the microprocessor clears the bit. The microprocessor restores the saved value from the stack in memory to the bit in the architected register, in response to executing a return from interrupt instruction. The fetch unit resumes fetching and decrypting the encrypted instructions, in response to determining that the restored value of the bit is set.
Type: Grant
Filed: October 29, 2013
Date of Patent: November 11, 2014
Assignee: VIA Technologies, Inc.
Inventors: G. Glenn Henry, Terry Parks, Brent Bean, Thomas A. Crispin
-
Patent number: 8880900
Abstract: A memory system comprises: a memory device including an authentication data area storing authentication unit information and a verification value, and a contents data area storing contents; and a host device configured to receive the authentication unit information and the verification value from the memory device, and perform secure authentication of the memory device based on whether a result of decoding the verification value is equal to the authentication unit information.
Type: Grant
Filed: August 30, 2012
Date of Patent: November 4, 2014
Assignee: Samsung Electronics Co., Ltd.
Inventors: Hyoung-Suk Jang, Hee-Chang Cho, Min-Wook Kim
-
Patent number: 8880903
Abstract: A removable drive such as a USB drive or key is provided for connecting to computer devices to provide secure and portable data storage. The drive includes a drive manager adapted to be run by an operating system of the computer device. The drive manager receives a password, generates a random key based on the password, encrypts a user-selected data file in memory of the computer device using the key, and stores the encrypted file in the memory of the removable drive. The drive manager performs the encryption of the data file without corresponding encryption applications being previously loaded on the computer system. The drive manager may include an Advanced Encryption Standard (AES) cryptography algorithm. The drive manager generates a user interface that allows a user to enter passwords, select files for encryption and decryption, and create folders for storing the encrypted files on the removable drive.
Type: Grant
Filed: August 13, 2013
Date of Patent: November 4, 2014
Assignee: Strong Bear LLC
Inventors: Rodney B. Roberts, Ronald B. Gardner