Abstract: Systems and methods are disclosed for securely passing context information from a server to a client device. In particular, in one or more embodiments, the disclosed systems and methods embed an identifier in a digital file provided to a client device. In one or more embodiments, the disclosed systems and methods utilize the embedded identifier to securely pass context information between a client device and server, such that the client device can utilize the context information with regard to the digital file. In particular, one or more embodiments include systems and methods that securely pass login credentials from a remote server to a client device such that the client device can utilize a digital file to access one or more features of a native software application.

Abstract: In order to configure an access point, the access point requests information specifying an associated cloud-based controller when the access point is first turned on at a user location. In particular, the access point may provide, to a configuration device, a controller query requesting information specifying a unique network address of a cloud-based controller associated with the access point. This controller query may include an identifier of the access point (such as a serial number). Then, the access point receives, from the configuration device, the information specifying the unique network address of the cloud-based controller, such as a fully qualified domain name of the cloud-based controller. Note that the cloud-based controller may be one of multiple cloud-based controllers from different providers, and the access point may be associated with the cloud-based controller based on the received information specifying unique network address.

Abstract: Technology for migration of a computing instance is provided. In one example, a method may include receiving instructions to initiate migration of the computing instance from a first host to a second host. A first message for sending to the first host may be generated which includes instructions to send data representing the computing instance to the second host. The first message may further include encryption information for use in deriving at least one key for encrypting communications to the second host from the first host. A second message for sending to the second host may be generated which includes instructions to receive the data representing the computing instance from the first host. The second message may further include information for use in deriving at least one key for decrypting communications from the first host. The first and second messages may be sent to the respective first and second hosts.

Abstract: A device may identify a ticket associated with an issue, a user associated with resolving the issue, and a particular business process including a particular business process step associated with the issue. The device may present information regarding a particular business process workflow, corresponding to the particular business process, associated with a business process steps. The device may identify the particular business process step from the business process steps, and may identify a particular technical solution corresponding to the particular business process step. The device may present information regarding a particular technical solution workflow, corresponding to the particular technical solution, associated with technical solution steps. The device may identify a particular technical solution step, from the technical solution steps, associated with resolving the issue.

Abstract: Methods and systems for verifying the identity and trustworthiness of a user of an online system are disclosed. In one embodiment, the method comprises receiving online and offline identity information for a user and comparing them to a user profile information provided by the user. Furthermore, the user's online activity in a third party online system and the user's offline activity are received. Based on the online activity and the offline activity a trustworthiness score may be calculated.

Abstract: A continuous glucose monitor for wirelessly transmitting data relating to glucose value to a plurality of displays is disclosed, as well as systems and methods for limiting the number of display devices that can connect to a continuous glucose transmitter. In addition, security, including hashing techniques and a changing application key, can be used to provide secure communications between the continuous glucose transmitter and the displays. Also provided is a continuous glucose monitor and techniques for authenticating multiple displays, providing secure data transmissions to multiple displays, and coordinating the interaction of commands and data updates between multiple displays.

Abstract: A portable encryption format wraps encrypted files in a self-executing container that facilitates transparent, identity-based decryption for properly authenticated users while also providing local password access to wrapped files when identity-based decryption is not available.

Abstract: A message sending method, a mobile broadband (MBB) device, and a host, where the method includes receiving, by an MBB device, authentication information sent by a host, requesting, by the MBB device, authentication from a notification server according to the authentication information, to establish a transmission path between the MBB device and the notification server, determining, by the MBB device, a message required to be transmitted to the host, and sending, by the MBB device, the message to the notification server using the transmission path such that the notification server sends the message to the host. The message can be actively pushed to the host when the message required to be transmitted to a host is determined such that signaling overheads can be significantly reduced, and power consumption can be reduced.

Abstract: A method for transferring authorization information, a relay device, and a server are provided. The method includes: receiving, by a DHCPv6 relay device, authorization information delivered by an AAA server; and inserting an option into a DHCPv6 Relay-Forward message, encapsulating the authorization information in the option, and sending the option to a DHCPv6 server. By using the technical solutions of the present application, a DHCPv6 relay device sends authorization information delivered by an AAA server to a DHCPv6 server, so that the DHCPv6 server can provide a correct configuration for a DHCPv6 client according to the authorization information delivered by the AAA server.

Abstract: A system for proactive intrusion protection comprises a memory operable to store data identifying a plurality of compromising entities, comprising at least one of a device identifier or a contact identifier, and a processor communicatively coupled to the memory and operable to receive, from a remote application associated with a remote device and with the system, information regarding a destination of the outgoing communication. The processor is further operable to determine an entity associated with the destination of the outgoing communication and to determine that the entity associated with the destination matches at least one of the plurality of compromising entities based on comparing the data identifying the plurality of compromising entities and the entity associated with the destination of the outgoing communication. Furthermore, the processor is operable to send to the remote application, before the outgoing communication is sent, a signal configured to block the outgoing communication.

Abstract: Exemplary embodiments relate to techniques for introducing asynchronous messaging concepts into a synchronous messaging system. As a conversation is carried out, different topics may be identified and highlighted as separate threads within the conversation. A new thread may be identified based on a number of factors, including (for example) time between messages, questions raised in a communication, discussions of dates, the inclusion of links, and any mentions of specific names. Further embodiments relate to techniques for navigating in asynchronous message threads. For example, a synchronous message alias may be created that redirects a display to a location of an asynchronous message. An indication may be displayed to designate that the asynchronous message is displayed out-of-order.

Abstract: In existing mobile implementations, there is a disconnect between the mobile device accessing the network and the applicative services inasmuch as the entity responsible for network access, such as the VPN Gateway, differs from the entity governing access to applications, such as email servers and SharePoint repositories. Therefore existing solutions typically employ two authentication methods. Of these, the first may be used to authenticate the mobile device to the VPN Gateway, while the second may be used to authenticate the mobile device towards the applications server. In order to facilitate strong authentication it is often desired to utilize a mechanism that uses or combines two different factors, e.g. “something you have” (such as but not limited to a smart card) and “something you know” (such as but not limited to a password). Most currently available mobile devices offer limited options to connect external devices to them, rendering most “Something you have” solutions irrelevant.

Abstract: Policy enforcement via attestations is provided. A principal operates within an environment and assumes roles having certain access rights to resources and the principal takes actions while assuming those roles. The roles and actions are monitored and attestations are raised under the proper set of circumstances. The attestations trigger policy restrictions that are enforced against the principal. The policy restrictions circumscribe the access rights to the resources.

Abstract: A service providing method, the method comprises transmitting, by a first information processing device, a certification token including a first role information on a service provided by the first information processing device to a terminal device when a certification is successful in response to a certification demand from the terminal device, receiving, by the first information processing device, the certification token and a first address information, that identifies a service providing device and indicates the first information processing device, from the terminal device, and transmitting, by the first information processing device, a first token including the first role information indicated by the certification token which is received and a second address information, that identifies the service providing device and indicates a second information processing device, to the second information processing device which is either one of the service providing device or a way device to the service providing dev

Abstract: A method of operating an electronic device and an electronic device are provided. The method includes generating biometric information using at least one sensor of the electronic device, and storing the generated biometric information in a memory of the electronic device, generating access right information relating to the biometric information, determining whether an external electronic device is connected to the electronic device, and when the external electronic device is connected to the electronic device, transmitting the generated access right information to the external electronic device.

Abstract: A system, medium and method for dynamically constructing a service principal name is disclosed. A client request from a user to access a service is received at a network traffic management device which identifies an internet protocol (IP) address of a selected backend server to provide the requested service to the client. The network traffic management device identifies a hostname of the selected backend server based at least on the identified IP address and dynamically generates a service principal name (SPN) of the selected backend server based on the determined host name. The network traffic management device obtains a service ticket from a domain controller server using at least the generated SPN of the selected backend server. The network traffic management device uses the obtained service ticket along with the client request to provide the user access to the selected backend server for the client request.

Abstract: In a method for enabling support for backwards compatibility in a User Domain, in one of a Rights Issuer (RI) and a Local Rights Manager (LRM), a Rights Object Encryption Key (REK) and encrypted REK are received from an entity that generated a User Domain Authorization for the one of the RI and the LRM and the REK is used to generate a User Domain Rights Object (RO) that includes the User Domain Authorization and the encrypted REK.

Abstract: According to an embodiment, an information processing device includes a conversion unit, an encryption unit, and a transmission unit. The conversion unit converts a first encryption key to be used for generation of a master key to be shared with a server device by using a second conversion rule to generate a third encryption key to be a new master key. The second conversion rule is different from a first conversion rule used for generation of a second encryption key that is the master key currently used for encrypted communication with the server device. The encryption unit generates a ciphertext so that the server device derives the third encryption key on a basis of the second encryption key and the third encryption key. The transmission unit transmits the ciphertext to the server device.

Abstract: Technology is described for sharing device capabilities between a plurality of Internet of Things (IoT) devices. A first IoT device within a localized network may identify a desired device capability that is capable of augmenting device capabilities of the first IoT device. The first IoT device may identify a second IoT device within the localized network that possesses the desired device capability. The first IoT device may identify the second IoT device using a registry of device capabilities stored in the localized network. The first IoT device may obtain access to the desired device capability of the second IoT device to augment the device capabilities of the first IoT device.

Abstract: A method of increasing communication security may include receiving, at a first computer system, a first message including a first data portion and a second data portion, wherein the first data portion is associated with a security token, wherein the first data portion includes a first instance of a session key, and wherein the second data portion includes a second instance of the session key. The method may also include performing, at the first computer system, message validation associated with the first message. The method may further include generating, if the first message is valid, a second message including the first data portion. The method may also include communicating, if the first message is valid, the second message from the first computer system for delivery to a second computer system.

Abstract: A system and method for authenticating data files using a block chain network. An exemplary method includes identifying data files in electronic data storage, computing hash values for files, adding pairs of the hash values and computing hash values for each resulting pair, continuing this process to a root level of a hash tree, and sending the root hash to a blockchain network in which one or more nodes in the blockchain network adds the hash value as one or more blocks in a blockchain.

Abstract: Ensuring the fair utilization of system resources using workload based, time-independent scheduling, including: receiving an I/O request associated with an entity; determining whether an amount of system resources required to service the I/O request is greater than an amount of available system resources in a storage system; responsive to determining that the amount of system resources required to service the I/O request is greater than the amount of available system resources in the storage system: queuing the I/O request in an entity-specific queue for the entity; detecting that additional system resources in the storage system have become available; and responsive to detecting that additional system resources in the storage system have become available, issuing an I/O request from an entity-specific queue for an entity that has a highest priority among entities with non-empty entity-specific queues.

Abstract: Some implementations may provide a machine-assisted method for determining a trustworthiness of a requested transaction, the method including: receiving, from a relying party, a request to determine a trustworthiness of a particular transaction request, the transaction request initially submitted by a user to access data managed by the relying party; based on the transaction request, summarizing the particular transaction request into transactional characteristics, the transactional characteristics devoid of source assets of the transaction, the source assets including credential information of the user, the credential information of the relying party, or information content of the requested transaction; generating first machine-readable data encoding transactional characteristics of the underlying transaction as requested, the transactional characteristics unique to the particular transaction request; submitting a first inquiry at a first engine to determine an access eligibility of the user submitting the t

Abstract: Techniques for coercing users to encrypt synchronized content stored at their personal computing devices. In some aspects, one or more computing devices receive, from a personal computing device, an indication of whether data stored in at least a portion of a storage device of the personal computing device is protected by disk encryption. In response to determining, based on the indication, that the portion of the storage device is not protected by encryption, synchronization data for synchronizing a copy of one or more synchronized content items stored in the portion of the storage device with another copy of the synchronized content items stored at one or more server computing devices is withheld from the personal computing device until disk encryption on the personal computing device is enabled so as to coerce the user to enable disk encryption on the personal computing device.

Abstract: A one-time passcode authentication system includes an application server, an authentication server, and an access device, wherein the access includes an authentication engine configured to receive an authentication request from the authentication server and automatically, or in response to a single user input, initiate an access request to the application server, wherein the access request includes a token extracted from the authentication request, and the application server is configured to receive the access request, query the authentication server to authenticate the token, and enable access to an application if the token is authenticated.

Abstract: Systems and methods are provided for authorizing third-party access to a specific service from a service provider. In an example embodiment, a server system identifies a shared service from multiple services provided by the server system. The shared service is specified by an authorizing entity. The server system provides a credential associated with the shared service and the authorizing entity. The server system receives a request to access the shared service from a requesting entity that is separate from the authorizing entity. The server system verifies that the request includes the credential and that the credential is associated with the shared service and the authorizing entity. The server system provides access to the shared service to the requesting entity based on verifying that the request includes the credential. The requesting entity is restricted to accessing the shared service identified by the credential as authorized by the authorizing entity.

Abstract: Disclosed are various approaches for implementing an application authentication wrapper. An authentication request, such as a Kerberos request, is created for authenticating the computing device. The authentication request is encrypted to generate an encrypted authentication request. The encrypted authentication request is then forwarded to a reverse proxy server. An encrypted authentication response is received from the reverse proxy server. The encrypted authentication response, such as a Kerberos response, is then decrypted to generate a corresponding authentication response, which is then forwarded to the computing device that generated the authentication request.

Abstract: Provided are techniques for generating a temporary data access token for a subset of data for a specific period of time for a non-registered user who did not register with a computer providing access to the subset of the data. In response to the non-registered user attempting to access the subset of data with the temporary data access token, it is determined whether the temporary data access token is valid for the subset of data based on the specified period of time. In response to the temporary data access token being valid, the subset of data is provided to the non-registered user. In response to the temporary data access token not being valid, access is denied to the subset of data by the non-registered user.

Abstract: A third party device is authorized to access data associated with a user account at a service provider, wherein the third party device and a user device are in data communication with the service provider, and are both NFC-enabled. The method comprises obtaining a request token generated by the service provider, transmitting the request token from the third party device to the user device via NFC, authorizing the request token at the user device, transmitting the authorized request token from the user device to the third party device via NFC, and obtaining an access token generated by the service provider, corresponding to the authorized request token, wherein the access token allows the third party device to access data associated with the user account at the service provider.

Abstract: A computer system includes a master controller that receives an HTTP request for a first URL. The URL indicates a first state of a first mobile application. A navigation controller navigates to the first state of the first mobile application within a device. A content scraper extracts content from the first state and identifies forward links to corresponding additional states of the first mobile application. The computer system includes an output formatter configured to package the content and the forward links into an HTTP response and transmit the HTTP response to a source of the first HTTP request. The HTTP response includes a forward URL for each additional state of the first mobile application reachable from the first state. For each additional state, the forward URL includes an indicator of the first mobile application and a path to reach the additional state within the first mobile application.

Abstract: Systems and methods of verifying a user are provided. In particular, a request to engage in a verification process to gain access to an online resource can be received. The request can be provided by a first user device associated with a user. A validation request associated with a second user device associated with the user can be received. The validation request can include a device profile associated with the second user device. It can then be determined whether to validate the second user device based at least in part on the device profile. When it is determined to validate the second user device, the first user device can be granted access to the online resource.

Abstract: In an example, a method of managing access to resources managed by heterogeneous resource servers having different policy document formats in a cloud services environment includes obtaining, at an identity and access management (IAM) service, a policy document describing privileges of an end user with respect to accessing at least one resource of the resources managed by a resource server of the heterogeneous resource servers; sending the policy document from the IAM service to an resource server endpoint designated by the resource server for validation; storing, by the IAM service, the policy document in a datastore in response to a determination by the resource server endpoint that the policy document is valid; and generating, by the IAM service, an indication that the policy document is invalid in response to a determination by the resource server endpoint that the policy document is invalid.

Abstract: A technique for distinguishing between a human user and a software robot. The technique includes: receiving a first communication from a device different from the at least one computer; identifying, from the first communication, a request to access a web resource; transmitting software code and location information to the device, wherein the location information specifies a plurality of locations encoding a visual representation of a challenge text, and wherein the software code, when executed by an Internet browser, causes a plurality of graphical elements to be displayed at the plurality of locations in a webpage so that the webpage displays the challenge text; receiving a second communication from the device; identifying, from the second communication, a response text; and providing the device with access to the web resource based on a comparison between the challenge text and the response text.

Abstract: A method provides for associating reputation scores with policies, stacks and hosts within a network and upon receiving information about a newly provisioned entity (such as a host or a stack), recommending a policy scheme for the newly provisioned entity that will result in a particular reputation score of the reputation scores. The method further includes implementing the policy scheme for the newly provisioned entity.

Abstract: In some embodiments, a method includes sending an authentication request to a client device to obtain a utilization code in response to a request from the client device to access data. The utilization code is uniquely associated with the client device. The method includes obtaining an authentication response including the utilization code from the client device and authenticating the client device if the utilization code matches a utilization identifier stored in a database. The method includes generating an encryption key using a seed based at least in part on the utilization code and encrypting the data with the encryption key to generate encrypted data and sending, when the utilization code matches the utilization identifier stored in the database, the encrypted data to the client device without requiring a user of the client device to login.

Abstract: At least one of an HTTP request message and an HTTP response message is intercepted. A corresponding HTTP message model includes a plurality of message model sections. A representation of the at least one of an HTTP request message and an HTTP response message is parsed into message sections in accordance with the message model sections of the HTTP message model. A plurality of security rules are bounds to the message model sections. The plurality of security rules each specify at least one action to be taken in response to a given condition, which is based, at least in part, on a corresponding given one of the message sections. The at least one of an HTTP request message and an HTTP response message is processed in accordance with the plurality of security rules. Techniques for developing rules for a web application server firewall are also provided.

Abstract: A wireless relay serves User Equipment (UE) with hardware-trusted wireless data communications over Institute of Electrical and Electronics Engineers (IEEE) 802.11 links and Long Term Evolution (LTE) links. The wireless relay maintains hardware-trusted wireless backhaul links to a data network. The wireless relay broadcasts an IEEE 802.11 Service Set Identifier (SSID) and a Long-Term Evolution (LTE) Network Identifier (NID). The UE wirelessly transfers a hardware-trusted attachment request using the 802.11 SSID or the LTE NID. The wireless relay validates hardware-trust of the UE, and in response, establishes a hardware-trusted attachment of the UE. The wireless relay exchanges user data with the UE using hardware-trusted circuitry. The wireless relay exchanges the user data over hardware-trusted wireless backhaul links.

Abstract: Disclosed are various embodiments for synchronizing authentication sessions between applications. In one embodiment, a first authentication token is received from a first application in response to determining that the first application is authenticated with a service provider. A second authentication token is requested from a token exchange service associated with the service provider. The second authentication token is requested using the first authentication token. The second application is configured to use the second authentication token in order to access a resource of the service provider.

Abstract: The disclosure relates to technology for provisioning out-of-network user equipment with a network relay in a communications network. The network relay device receives an authentication key request message from user equipment including a user equipment identity and an authentication server identity, and communicates the authentication key request message to an authentication server having the authentication server identity. The network relay device communicates a relay authentication key response received from the authentication server to the user equipment such that a secure communication is established between the user equipment and the network. A relay authentication key is generated during establishment of the secure communication between the user equipment and authentication server, and a session with the user equipment is authenticated using a session key generated by the user equipment based on the relay authentication key.

Abstract: The present application provides an IPv6 address tracing method, apparatus, and system, where the method includes: receiving a to-be-traced target IPv6 address; selecting, in a longest match manner, IPv6 address information that matches the target IPv6 address, where the IPv6 address information includes an IPv6 address or IPv6 prefix information; and acquiring a user identifier corresponding to the IPv6 address information. The present application implements IPv6 address tracing.

Abstract: An internet-connected server comprising a first module for authorizing a user to access the server for: setting up, on the server, a given configuration for conducting a computer-executable experiment, wherein the given configuration comprises at least an executable instruction and a parameter or input data; executing, on the server, the computer-executable experiment with the given configuration so to produce a numerical result; certifying, on the server, the numerical result so to produce a certified result; and generating, on the server, a certification identifier of the certified result. The internet-connected server further comprises a second module for authorizing a reviewer for: providing the server with the certification identifier; and requesting and/or accessing, on the server, the certified numerical result on the basis of the provided certification identifier.

Abstract: A computer system includes a master controller that receives an HTTP request for a first URL. The URL indicates a first state of a first mobile application. A navigation controller navigates to the first state of the first mobile application within a device. A content scraper extracts content from the first state and identifies forward links to corresponding additional states of the first mobile application. The computer system includes an output formatter configured to package the content and the forward links into an HTTP response and transmit the HTTP response to a source of the first HTTP request. The HTTP response includes a forward URL for each additional state of the first mobile application reachable from the first state. For each additional state, the forward URL includes an indicator of the first mobile application and a path to reach the additional state within the first mobile application.

Abstract: The present disclosure presents methods, systems, and devices for encrypting and comparing genomic data. The comparison of genomic data allows the owner of the data to ensure security of the data even when the party conducting the comparison is beyond the control of the owner of the data. The encryption of the genomic data enables the transmission, storage, and use of the genomic data in a secure media.

Abstract: A federated realm discovery system within a federation determines a “home” realm associated with a portion of the user's credentials before the user's secret information (such as a password) is passed to a non-home realm. A login user interface accepts a user identifier and, based on the user identifier, can use various methods to identify an account authority service within the federation that can authenticate the user. In one method, a realm list of the user device can be used to direct the login to the appropriate home realm of the user. In another method, an account authority service in a non-home realm can look up the user's home realm and provide realm information directing the user device to login at the home realm.

Abstract: A traffic on-boarding method is operative at an acceleration server of an overlay network. It begins at the acceleration server when that server receives an assertion generated by an identity provider (IdP), the IdP having generated the assertion upon receiving an authentication request from a service provider (SP), the SP having generated the authentication request upon receiving from a client a request for a protected resource. The acceleration server receives the assertion and forwards it to the SP, which verifies the assertion and returns to the acceleration server a token, together with the protected resource. The acceleration server then returns a response to the requesting client that includes a version of the protected resource that points back to the acceleration server and not the SP. When the acceleration server then receives an additional request from the client, the acceleration server interacts with the service provider using an overlay network optimization.

Abstract: Certain relationships representing material insights are identified from among a set of discovered relationships. Cognitive discovery of relationships in a knowledge base, or corpus, are ranked according to one or more metrics indicative of material insights, including recentness and degree of alignment.

Abstract: A method includes storing data generated in a source node by sending write requests to multiple destination nodes. The destination nodes are requested to create snapshots of the data. The write requests are marked at the source node with marks that indicate to each destination node which of the write requests are pre-snapshot write requests that were issued before a snapshot request for a snapshot that the destination node is currently storing, and which of the write requests are post-snapshot write requests that were issued after the snapshot request for the snapshot that the destination node is currently storing. The snapshots are synchronized with one another at the destination nodes based on the marks.

Abstract: Communications methods and appliances are described. According to one embodiment, a communications method includes prior to deployment of an appliance, establishing a trusted association between the appliance and a certificate authority, during deployment of the appliance, associating the appliance with a communications address of a communications medium, using the certificate authority, creating a signed certificate including the communications address of the appliance, announcing the signed certificate using the appliance, after the announcing, extracting the communications address of the appliance from the signed certificate, and after the extracting, verifying the communications address of the appliance.

Abstract: A method of increasing communication security may include determining, responsive to receiving a first message from a first computer system, whether said first computer system is authorized to communicate with a second computer system, wherein said determining is performed at a third computer system. The method may also include generating a first data portion associated with a security token, wherein said generating said first data portion includes accessing data, wherein said data includes a first instance of a session key, and wherein said generating said first data portion further includes encrypting, using a key associated with said second computer system, said data to generate said first data portion. The method may further include communicating, if said first computer system is authorized to communicate with said second computer system, a second message from said third computer system for delivery to said first computer system.

Abstract: Systems, methods and computer-readable media are disclosed for performing single sign-on processing between associated mobile applications. The single sign-on processing may include processing to generate an interaction session between a user and a back-end server associated with a mobile application based at least in part on one or more existing interaction sessions between the user and one or more back-end servers associated with one or more other mobile applications. In order to establish an interaction session with an associated back-end server, a mobile application may leverage existing interaction sessions that have already been established in connection with the launching of other associated mobile applications.