Abstract: The invention provides a method, a hardware circuit and a hardware device for enabling a software application to be executed on a hardware device in dependence of the hardware circuit, while preventing the execution of a binary copy of the application in another hardware device. Challenge data originating from the software application is input to a hardware circuit of the hardware device, wherein the hardware circuit is configured to perform a deterministic function. Response data is generated by the hardware device, which is used to manipulate at least a part of the software application to thereby enable the software application to be executed.

Abstract: Automatically classifying security vulnerabilities in computer software applications by identifying candidate security vulnerabilities in a learning set including at least a first computer software application, classifying each of the candidate security vulnerabilities using predefined classifications, determining, for each of the candidate security vulnerabilities, values for predefined properties, creating a set of correlations between the property values and the classifications of the candidate security vulnerabilities, identifying a candidate security vulnerability in a second computer software application, determining, for the candidate security vulnerability in the second computer software application, values for the predefined properties, and using the set of correlations to classify the candidate security vulnerability in the second computer software application with a classification from the predefined classifications that best correlates with the property values of the candidate security vulnerabili

Abstract: Systems, methods, computer programs, and devices are disclosed herein for deploying a local trusted service manager within a secure element of a contactless smart card device. The secure element is a component of a contactless smart card incorporated into a contactless smart card device. An asymmetric cryptography algorithm is used to generate public-private key pairs. The private keys are stored in the secure element and are accessible by a trusted service manager (TSM) software application or a control software application in the secure element. A non-TSM computer with access to the public key encrypts and then transmits encrypted application data or software applications to the secure element, where the TSM software application decrypts and installs the software application to the secure element for transaction purposes.

Abstract: A method for handling an encrypted message received on an electronic device that has not been encrypted using a current public key. The portable electronic device automatically generates a reply message to the sender in response to determining that the message has not been encrypted with the current public key. The reply message may contain the current public key of the recipient device, and may request the sender to resend the message encrypted with the current public key.

Abstract: A router is placed between a protected computer and devices with which the computer communicates, including peripherals and other computers. The router includes a list of authorized devices that are permitted to send data to the protected computer, against which requests to send data are checked. The router also communicates with a remote authentication service to authenticate devices requesting such permission. The authentication service may be a cloud-based identity service.

Abstract: A method of an aspect includes receiving an instruction. The instruction indicates a first source of a first packed data including state data elements ai, bi, ei, and fi for a current round (i) of a secure hash algorithm 2 (SHA2) hash algorithm. The instruction indicates a second source of a second packed data. The first packed data has a width in bits that is less than a combined width in bits of eight state data elements ai, bi, ci, di, ei, fi, gi, hi of the SHA2 hash algorithm. The method also includes storing a result in a destination indicated by the instruction in response to the instruction. The result includes updated state data elements ai+, bi+, ei+, and fi+ that have been updated from the corresponding state data elements ai, bi, ei, and fi by at least one round of the SHA2 hash algorithm.

Abstract: According to an example embodiment, a device provides cryptographic processing functions using secret data. The device can include protection from differential power analysis (DPA). The encryption processing circuit and its memory can be decoupled from external power source(s) during encryption-related computations. A local power storage element, such as a capacitive element, can provide power while the encryption processing circuit is decoupled from the external power source(s). The local power storage element can then be reconnected and charged once the encryption-related computations are completed or paused.

Abstract: An information processing system has a power supply section which detects a predetermined potential applied to a USB terminal and supplying the potential as a source potential, an information detection section which detects the predetermined information supplied to the USB terminal, and a processing section which executes, subsequent to the detection of the predetermined potential, the encoding process or the decoding process in accordance with at least the operating information supplied from the operation key arranged on the body and in accordance with the predetermined information supplied to the USB terminal after detection of the predetermined information. The recording and reproducing operation can be performed with the operating key on the body with power supplied only from the USB terminal.

Abstract: Anonymous information sharing systems and methods enable communication of information to parties in a privacy-preserving manner such that no one other than the designated parties can know the source, recipient, and content of the information. Furthermore, the communication can be accomplished without requiring trial decryption, and protection can be provided against of sharing of privileges.

Abstract: A method for protecting software of a mobile terminal is provided in the disclosure, wherein an encryption chip is mounted in the mobile terminal. The method includes: when the mobile terminal is turned on, whether or not the encryption chip is invalid is detected; when it is not invalid, the encryption chip authenticates the software of the mobile terminal through interaction with a main chip; when the authentication is not passed, the encryption chip controls a functional module of the mobile terminal through a hardware protection circuit. An apparatus for protecting software of a mobile terminal is also provided in the present disclosure. The solution of the disclosure can prevent the software of the mobile terminal from being cracked and protect the functions of the mobile terminal from illegal usage, thus the security of the mobile terminal is greatly improved and the interests of operators and manufacturers are protected.

Abstract: A system and method of providing universal digital rights management system protection is described. One feature of the invention concerns systems and methods for repackaging and securing data packaged under any file format type, compression technique, or digital rights management system. Another feature of the invention is directed to systems and methods for securing data by providing scalability through the use of modular data manipulation software objects.

Abstract: A data storage device that can be reversibly associated with one or more of a plurality of hosts. A “trusted” host on which the device is mounted is allowed access to a secure data area of the device automatically, without the user having to enter a password. Ways in which a host is designated as “trusted” include storing the host's ID in a trusted host list of the device, storing a representation of the host's ID that was encrypted using a trust key of the device in a cookie in the host, or storing a storage password of the device in a password list of the host. Alternatively, an untrusted host is allowed access to the secure data area if a user enters a correct user password.

Abstract: Systems and methods are described which utilize a recursive security protocol for the protection of digital data. These may include encrypting a bit stream with a first encryption algorithm and associating a first decryption algorithm with the encrypted bit stream. The resulting bit stream may then be encrypted with a second encryption algorithm to yield a second bit stream. This second bit stream is then associated with a second decryption algorithm. This second bit stream can then be decrypted by an intended recipient using associated keys.

Abstract: Technologies are generally described for data filtering for communication devices. In one example, a method of receiving data from a data source on a communication device is disclosed. The method includes determining, at the communication device, a domain name of the data source. The method also includes determining, at the communication device, one or more communication networks the communication device is connected to. The method further includes processing, at the communication device, the domain name for acceptance based on the one or more connected communication networks. The method also includes receiving the data from the data source, at the communication device, if the domain name is accepted.

Abstract: This document describes techniques for detection of code-based malware. According to some embodiments, the techniques utilize a collection of known malicious code and know benign code and determine which features of each type of code can be used to determine whether unclassified code is malicious or benign. The features can then be used to train a classifier (e.g., a Bayesian classifier) to characterize unclassified code as malicious or benign. In at least some embodiments, the techniques can be used as part of and/or in cooperation with a web browser to inspect web content (e.g., a web page) to determine if the content includes code-based malware.

Abstract: Techniques for providing storage for electronic records are described herein. According to one embodiment, a command is received from a client through an interface of a storage system. An approval is received from an authorization agent associated with the storage system for the received command. In response to the approval received from the authorization agent for the received command, an operation associated with the received command is performed. Other methods and apparatuses are also described.

Abstract: The invention relates to a method for identifying compromised nodes in a ZigBee network comprising a general trust center, divided in at least two security domains, each security domain corresponding to a spatial or temporal area, and being associated with a different root keying material, and each node being identified by an identifier, the method comprising: upon detection of a node (U1) entering into a security domain (SD), the general trust center (TC) distributing to the node at least one keying material share corresponding to the entered security domain, and upon detecting corruption of at least two security domains, determining, for each security domain, based on information registered by the base station (BTS), a respective set of nodes having received keying material corresponding to said security domain,—comparing the respective sets of nodes and identifying the common nodes as being compromised.

Abstract: A method, article of manufacture, and apparatus for efficiently processing information are disclosed. In some embodiments, a first signature index is received. The first signature index is compared to a second signature index. A negative signature match is based on the comparison. A file is flagged based on the negative match.

Abstract: A fetch unit fetches a sequence of blocks of encrypted instructions of an encrypted program from an instruction cache at a corresponding sequence of fetch address values. While fetching each block of the sequence, the fetch unit generates a decryption key as a function of key values and the corresponding fetch address value, and decrypts the encrypted instructions using the generated decryption key by XORing them together. A switch key instruction instructs the microprocessor to update the key values in the fetch unit while the fetch unit is fetching the sequence of blocks. The fetch unit inherently provides an effective decryption key length that depends upon the function and amount of key values used. Including one or more switch key instructions within the encrypted program increases the effective decryption key length up to the encrypted program length.

Abstract: An SOC implements a security enclave processor (SEP). The SEP may include a processor and one or more security peripherals. The SEP may be isolated from the rest of the SOC (e.g. one or more central processing units (CPUs) in the SOC, or application processors (APs) in the SOC). Access to the SEP may be strictly controlled by hardware. For example, a mechanism in which the CPUs/APs can only access a mailbox location in the SEP is described. The CPU/AP may write a message to the mailbox, which the SEP may read and respond to. The SEP may include one or more of the following in some embodiments: secure key management using wrapping keys, SEP control of boot and/or power management, and separate trust zones in memory.

Abstract: Testing a Web-based application for security vulnerabilities. At least one client request including a payload having a unique identifier can be communicated to the Web-based application. Response HTML and an associated Document Object Model (DOM) object can be received from the Web-based application. Content corresponding to the payload can be identified in the DOM object via the unique identifier. A section of the DOM object including the payload can be identified as un-trusted.

Abstract: A system and method for modifying material related to computer software. The system receives an original disclosure for a software system. A masquerading algorithm is applied to the original disclosure to generate a new disclosure. The subject matter of the new disclosure is different from the original disclosure but has the same functionality. The system also receives original source code for the software system and applies a camouflaging algorithm to the original source code to generate modified source code and conversion data for converting between the modified source code and the original source code.

Abstract: A method for implementing a mandatory access control model in operating systems which natively use a discretionary access control scheme. A method for implementing mandatory access control for a plurality of computers, the system comprising information assets, stored as files on the computers, and a network communicatively connecting the computers, wherein each of the computers includes an operating system that uses a discretionary access control policy, and wherein each of a subset of computers includes a software agent component operable to intercept a request for a file operation on a file from a user of one of the computers including the software agent, determining whether the file is protected, if the file is protected, altering ownership of the file from the user to another owner, and providing access based on a mandatory access control policy.

Abstract: A fetch unit (a) fetches a block of instruction data from an instruction cache of the microprocessor; (b) performs an XOR on the block with a data entity to generate plain text instruction data; and (c) provides the plain text instruction data to an instruction decode unit. In a first instance the block comprises encrypted instruction data and the data entity is a decryption key. In a second instance the block comprises unencrypted instruction data and the data entity is Boolean zeroes. The time required to perform (a), (b), and (c) is the same in the first and second instances regardless of whether the block is encrypted or unencrypted. A decryption key generator selects first and second keys from a plurality of keys, rotates the first key, and adds/subtracts the rotated first key to/from the second key, all based on portions of the fetch address, to generate the decryption key.

Abstract: In accordance with some embodiments, a single trusted platform module per platform may be used to handle conventional trusted platform tasks as well as those that would arise prior to the existence of a primary trusted platform module in conventional systems. Thus one single trusted platform module may handle measurements of all aspects of the platform including the baseboard management controller. In some embodiments, a management engine image is validated using a read only memory embedded in a chipset such as a platform controller hub, as the root of trust. Before the baseboard management controller (BMC) is allowed to boot, it must validate the integrity of its flash memory. But the BMC image may be stored in a memory coupled to a platform controller hub (PCH) in a way that it can be validated by the PCH.

Abstract: A hardware TPM has a plurality of registers, and performs data protection by encryption of data associated with the value of one of the plurality of registers. A register number manager manages, for each application, a register number used for the data protection. During execution of an application, an application executor issues a data protection request that designates a register number preset in the application. A software TPM transfers, to the hardware TPM, the data protection request in which the register number designated in the data protection request has been replaced with the register number managed by the register number manager.

Abstract: A system may include a memory having a unique identifier that uniquely identifies the memory. A package may be communicatively coupled to the memory. The package may include a processor, an identifier storage, and a boot storage. The identifier storage may store the unique identifier from the memory. The boot storage may include instructions to control booting of the processor based on the unique identifier in the identifier storage.

Abstract: In one embodiment, a picture signature password system may use a picture signature password to determine access to a computing device or service. A display screen 172 may display a personalized digital image 310. A user input device 160 may receive a user drawing set executed by a user over the personalized digital image 310. A processor 120 may authenticate access to the user session if the user drawing set matches a library drawing set associated with the user.

Abstract: A branch target address cache (BTAC) caches history information associated with branch and switch key instructions previously executed by a microprocessor. The history information includes a target address and an identifier (index into a register file) for identifying key values associated with each of the previous branch and switch key instructions. A fetch unit receives from the BTAC a prediction that the fetch unit fetched a previous branch and switch key instruction and receives the target address and identifier associated with the fetched branch and switch key instruction. The fetch unit also fetches encrypted instruction data at the associated target address and decrypts (via XOR) the fetched encrypted instruction data based on the key values identified by the identifier, in response to receiving the prediction. If the BTAC predicts correctly, a pipeline flush normally associated with the branch and switch key instruction is avoided.

Abstract: Methods and apparatus are provided for implementing a system such as a programmable chip system having hardware and software usage limitations and restrictions. Usage limitation circuitry is integrated onto a device. A usage limitation function is integrated into software, such as an operating system for the device. The usage limitation function can be configured to interact with the usage limitation circuitry. The usage limitation circuitry and the usage limitation function are operable to disable the device and the associated software.

Abstract: Mobile network services are performed in a mobile data network in a way that is transparent to most of the existing equipment in the mobile data network. The mobile data network includes a radio access network and a core network. A breakout appliance in the radio access network breaks out data coming from a basestation, and performs one or more mobile network services at the edge of the mobile data network based on the broken out data. The breakout appliance includes multiple states that support manufacturing, testing, production, tamper detection and end of life, and the functions of the breakout appliance vary according to its state.

Abstract: Embodiments of information processing systems and associated components can include logic operable to perform operations in a virtualized system including a plurality of guest operating systems using descriptors. The descriptors specify a set of commands defining the operations in a plurality of security domains and specify permission to a plurality of resources selectively for the plurality of guest operating systems.

Abstract: An apparatus and method for preventing an anomaly of an application program are provided. More particularly, an apparatus and method for preventing an anomaly of an application program that detect and stop an anomaly on the basis of a behavior profile for an application program are provided. The apparatus includes a behavior monitor that detects behavior of an application program in operation, an anomaly detector that determines whether the detected behavior of the application program is an anomaly on the basis of a behavior profile of the application program in operation, and an anomaly stopper that stops the behavior of the application program determined as an anomaly by the anomaly detector.

Abstract: Methods and systems for operation upon one or more data processors for biasing a reputation score. A communication having data that identifies a plurality of biasing characteristics related to a messaging entity associated with the communication is received. The identified plurality of biasing characteristics related to the messaging entity associated with the communication based upon a plurality of criteria are analyzed, and a reputation score associated with the messaging entity is biased based upon the analysis of the identified plurality of biasing characteristics related to the messaging entity associated with the communication.

Abstract: A system is provided for detecting, analyzing and quarantining unwanted files in a network environment. A host agent residing on a computing device in the network environment detects a new file introduced to the computing device and sends the new file to a network service for analysis. The network service is accessible to computing devices in the network environment. An architecture for the network service may include: a request dispatcher configured to receive a candidate file for inspection from a given computing device in the network environment and distribute the candidate file to one or more of a plurality of detection engines, where the detection engines operate in parallel to analyze the candidate file and output a report regarding the candidate file; and a result aggregator configured to receive reports from each of the detection engines regarding the candidate file and aggregates the reports in accordance with an aggregation algorithm.

Abstract: A portable apparatus is capable of switching between a plurality of smart cards and associated circuits to provide a user various independent electronic wallet functions via a single portable apparatus, thereby increasing utilization flexibility and convenience. The portable apparatus includes at least a first smart card and a second smart cart, a near-field communication (NFC) unit, and a control circuit. The first smart card and the second smart card respectively include a first interface and a second interface. The NFC unit is coupled to the first smart card and the second smart card via the first interface and the second interface, respectively. The NFC unit is capable of performing NFC with external apparatuses. The control circuit controls the NFC unit to communicate with either the first smart card or the second smart card using control signals.

Abstract: A network switch automatically detects undesired network traffic and mirrors the undesired traffic to a security management device. The security management device determines the source of the undesired traffic and redirects traffic from the source to itself. The security management device also automatically sends a policy to a switch to block traffic from the source.

Abstract: A network based installation management system that dynamically manages secure software installation on a client. The server is configured to determine the software required and prepare an appropriated response containing the list of software and an information file containing the respective attributes of the list of software. The server encoded this response and the encoded response is transmitted to the client. The client on receiving the response is configured to authenticate the response and install the encoded response after authentication. Highly accurate and reliable software installation using the network based installation management system may be achieved using a respective hardware element on the client and the server, which is configured to encode and decode a request and/or response suitably thereby providing a high level of security and trust in an un-trusted network environment.

Abstract: In one embodiment of the invention, a server may send encrypted material to a client. The client processor may decrypt and process the material, encrypt the results, and send the results back to the server. This sequence of events may occur while the execution or processing of the material is restricted to the client processor. Any material outside the client processor, such as material located in system memory, will be encrypted.

Abstract: A removable drive such as a USB drive or key is provided for connecting to computer devices to provide secure and portable data storage. The drive includes a drive manager adapted to be run by an operating system of the computer device. The drive manager receives a password, generates a random key based on the password, encrypts a user-selected data file in memory of the computer device using the key, and stores the encrypted file in the memory of the removable drive. The drive manager performs the encryption of the data file without corresponding encryption applications being previously loaded on the computer system. The drive manager may include an Advanced Encryption Standard (AES) cryptography algorithm The drive manager generates a user interface that allows a user to enter passwords, select files for encryption and decryption, and create folders for storing the encrypted files on the removable drive.

Abstract: In some applications, it may be more convenient to the user to be able to log in the memory system using one application, and then be able to use different applications to access protected content without having to log in again. In such event, all of the content that the user wishes to access in this manner may be associated with a first account, so that all such content can be accessed via different applications (e.g. music player, email, cellular communication etc.) without having to log in multiple times. Then a different set of authentication information may then be used for logging in to access protected content that is in an account different from the first account, even where the different accounts are for the same user or entity.

Abstract: A method of coding a secret, a numerical value d, subdivided into a number N of secret elements [di]n1, a composition law () applied to the elements di giving the value d. The following are calculated: (A) a first image (TN) of the secret by iterative calculation and application of the law () between the first image Ti-1 of rank i?1 and of the product according to this law of the element (di) of next rank and of a random value (Ri) of a first set, (B) a first numerical value (S1) by application of the law () to the N random values (Ri), (C) a second numerical value (S2) by application of the law to the N?1 random values (Aj) of a second set, (D) a second image T? of the secret by application of the inverse law () to the first image (TN) and to the second numerical value (S2) so as to generate an intermediate image (Tx) and then application of the inverse law to the intermediate image (Tx) and to the second numerical value (S2).

Abstract: An encoding/decoding apparatus comprises a central processing unit and an encryption/decryption accelerator coupled to the central processing unit. The accelerator comprises an input for input data to be encrypted/decrypted, an arithmetic logic unit coupled to said input for performing selectable operations on data obtained from said input data and an output for encrypted/decrypted data coupled to said arithmetic logic unit.

Abstract: A networked Conditional Access Module provided on an IEEE 1394 network, by defining a Conditional Access Module as a Conditional Access Subunit of the IEEE 1394 network. There is provided an AV/C Conditional Access Commands to allow communication between the Conditional Access Subunit and other Subunits on the network. The Conditional Access Subunit is configured to receive AV/C Conditional Access Commands over the IEEE 1394 network from another subunit, and means to is also configured to transmit AV/C responses over the IEEE 1394 network in response to the received AV/C Conditional Access Commands.

Abstract: Computer-implemented systems and methods for identifying illegitimate messaging activity on a system using a network of sensors.

Abstract: A device is provided which includes: a processor that outputs a command signal or an address signal and includes a bus module which inputs or outputs a data signal; and an encryption circuit that encrypts or decrypts the data signal in an encryption method using a common key and the address signal, wherein the processor and the encryption circuit are provided in a chip.

Abstract: A communication management system includes: a normal signature list which stores a list of signatures of normal communication; a search circuit which acquires communication data and searches the normal signature list to check if the signature of the communication data appears in the list; and a warning unit which issues a warning when communication data does not match any signature in the normal signature list. An operator terminal includes: a determination result acquisition unit which indicates whether or not communication data against which a warning has been issued is normal; and a normal signature list update unit which, when communication data against which a warning has been issued is found to be normal, adds the signature of the communication data to the normal signature list.

Abstract: A system and method for protecting master transport encryption keys stored on a computing device. Master transport encryption keys are used to secure data communications between computing devices. In one example embodiment, there is provided a method in which a copy of a master transport encryption key is generated and stored in a volatile store of a first computing device (e.g. a mobile device). This copy of the master transport encryption key can be used to facilitate the decryption of data received at the first computing device from a second computing device (e.g. a data server), even while the first computing device is locked. The method also comprises encrypting the master transport encryption key, with a content protection key for example, and storing the encrypted master transport encryption key in a non-volatile store of the first computing device.

Abstract: Embodiments of an electronic circuit include a cryptographic engine which includes a key derivation function and encryption logic. The key derivation function combines a master secret key with a plurality of key modifiers including at least an operating system tag specific to an operating system, and derives an encryption key from the combined master secret key and plurality of key modifiers. The encryption logic is coupled to the key derivation function and encrypts data using the derived encryption key to generate a cryptographic binary large object (blob) for virtualized protected storage that is accessible only to the operating system specified by the operating system tag.

Abstract: The present invention relates to a content protection apparatus and method using binding of additional information to an encryption key. The content protection apparatus includes an encryption unit for creating an encryption key required to encrypt data requested by a user terminal and then generating encrypted data in which the data is encrypted. An additional information management unit manages additional information including authority information about the encrypted data. A White-Box Cryptography (WBC) processing unit generates a WBC table required to bind the encryption key corresponding to the encrypted data to the additional information. A bound data generation unit generates bound data in which the encrypted key is bound to the additional information, using a cipher included in the WBC table.