Abstract: A method of and apparatus for installing software for using digital content and are provided. The method of installing software for using digital content includes: transmitting a request for the software; transmitting security information indicating a security status of a device in which the software is to be installed; and receiving the software from an external apparatus that received the request and security information. According to the method and apparatus, the software can be dynamically securely installed, thereby allowing a variety of digital contents to be used and enhancing the utilization of the device.

Abstract: A method, system and non-transitory computer-readable medium product are provided for functionality watermarking and management. In the context of a method, a method is provided that includes identifying a request to establish an association between a watermark template and a function of at least one user device and determining whether the request to establish the association between the watermark template and the function of the at least one user device is authorized. The method further includes authorizing the request to establish the association between the watermark template and the function of the at least one user device in response to a determination that the request to establish the association between the watermark template and the function of the at least one user device is authorized.

Abstract: A security mechanism provided by a server protects files in data storage from untrusted clients. In one embodiment, the server generates a filename in response to a request from a client for creating a filename. The filename is associated with a file to be stored in the data storage managed by the server. The server manages a directory that contains the filename, and hides the directory contents from the client. The client is granted access to the file when the client provides the filename associated with the file.

Abstract: Partial access to electronic documents and aggregation for secure document distribution is disclosed. The embodiments herein relate to providing access to electronic documents and, more particularly, to providing access to portions of electronic documents and aggregating such portions in secure document distribution environment. Existing document distribution mechanisms do not provide means to access partial documents based on the attributes such as roles of the agents within an organization, location of access, time of access, device ID and so on. The disclosed method allows agents to access partial contents of documents based on the attributes. Meta data tags are attached to the documents in order to control the access of the documents by the defined attributes.

Abstract: A machine, such as a mobile device having telephony features, such as a voice over Internet Protocol (VoIP) telephony application, is configured with a secure environment in which a location provider within (more reliable) or external to (less reliable) the machine may determine location data for the machine and securely provide it to a telephony application program for incorporation into a call setup for calling a callee. The secure environment may be created through use of one or more of Intel's LaGrande Technology™ (LT), Vanderpool Technology (VT), or a Trusted Platform Module (TPM). The LT and VT allow defining secure independent components within the machine, such as by instantiating them as Virtual Machines, and the TPM allows components to cryptographically sign data, such as to facilitate ensuring the location data is not tampered with. A recipient of a telephone call setup including cryptographically secured location data may validate the location data and accept the call.

Abstract: An access control method for a wireless client in a wireless communication system is disclosed. The access control method comprises receiving a distinguish signal from a wireless key distributor when the wireless client approaches the wireless key distributor; activating a application unit of the wireless client upon reception of the distinguish signal, wherein the application unit is associated with the distinguish signal; sending an access information request to the wireless key distributor; receiving access information from the wireless key distributor; configuring the wireless client with the access information; and using the access information to access a wireless access appoint.

Abstract: The embodiments of the present invention relate to apparatuses, in terms of a client device (110) and a server (120) and to methods in the client device (110) and in the server (120) respectively for enabling a user to consume content provided by a content provider. According to the method in the client device (120) the method comprises: assembling a request for rights for consuming a content and indicating in the request which content to consume; determining if an upgrade key, associated with the content, is present in the client device; including, in such a case, in the request, an identifier of the upgrade key that is associated with the content, sending the request to the content provider; receiving, a response comprising an encrypted rights object; decrypting the encrypted rights object and starting to use the rights object for consuming the content.

Abstract: There is provided a system and method for a digital receipt for use with an interoperable keychest. There is provided a method for online registration of a digital receipt associated with a content, comprising performing a transaction to obtain from a first distributor the content encrypted by a title key and a first digital rights management (DRM) license usable with the first distributor to access the title key, receiving from the first distributor the digital receipt associated with the content including information relevant to the transaction, and transmitting the digital receipt to the interoperable keychest acting as a central key repository (CKR) for an online registration of the digital receipt associated with the content. Authorized media distributors may then generate new DRM licenses using the CKR, enabling interoperable content playback of the same universal file across different media distributors and clients.

Abstract: A method may include authenticating a node over layer 2 in a network based on authentication rules; sending a node authentication code to the node; and providing layer 3 network access based on the node authentication code.

Abstract: A system and method for secure content delivery is provided. The system and method has a content system that verifies a device with a media player based on one or more properties of the device with the media player wherein the content system delivers content to the device with the media player only when the device with the media player is verified.

Abstract: Techniques involving detection of misuse of digital licenses pertaining to application use. An identification of unsigned applications or other use-protected applications enabled for use at a user device is obtained. The identification of such applications is directed to a licensing authority to seek digital license renewal for using the applications. A renewed digital license is received if the provided identification of use-protected applications corresponds to what is authorized by the licensing authority for use at the user device. In other embodiments, verification information may be provided to protect the identification of unsigned applications from tampering, such as information indicative of whether the identification of unsigned applications originated at the user device in which the use-protected applications are used, and indicative of whether the identification of the unsigned applications is a copy of a previous identification of the unsigned applications.

Abstract: An automated method and apparatus is provided for deterring unauthorized use or theft of electronic devices, or other sorts of items into which a tracking device has been installed, particularly those in a distribution channel.

Abstract: Techniques for representing extensible markup language (XML) in an executable format are presented. An XML document is parsed into its components and content. The components and content are packaged as an executable. Some portions of the executable include authentication logic or policy logic that is subsequently enforced when the executable is processed. The executable is subsequently distributed to recipient machines. The machines process the executable and produce memory loaded versions of the components and content representing the XML document on the machines. The memory loaded versions of the components and content include conditionally added authentication logic of policy logic.

Abstract: A computer-implemented method for authenticating devices may include (1) identifying a request from a device for a credentialing service to issue a credential to the device, the request including an application identifier encrypted with a first encryption key, the first encryption key having been derived by the device based on a token provisioned to the device by a vendor of the device, (2) transmitting the request to the credentialing service, (3) receiving, from the credentialing service, the credential encrypted using a second encryption key, the second encryption key having been derived by the device based on the token, and (4) providing the encrypted credential to the device. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A gateway device and methods performed therein to prevent unauthorized client devices from connecting to the host network of the gateway device is described. The gateway device does not respond right away to an individual client message sent to the gateway device. Instead, the gateway device only responds to a predetermined sequence of the client messages, which is only known to the gateway device and authorized client devices. Because the gateway device will not respond to random client messages and the likelihood that an unauthorized client device can correctly guess the predetermined sequence of the client messages is low, the risk of a malicious party being able to hack into the host network, for example, by using port scanning techniques, can be mitigated.

Abstract: Embodiments are described for a system and method of controlling access to information in an organization by defining a hierarchical organizational structure of boxes, and security configuration comprising user records, security roles, rules to map users to boxes, and rules to grant roles to users via mapped boxes. Access control is applied in the context of a defined organizational structure using the effective set of access control policies computed in real time per each data access request from any given user.

Abstract: Embodiments of the invention may provide for systems and methods for secure authentication. The systems and methods may include receiving, by a constrained device, a random string transmitted from a server; determining, by the constrained device, a responsive output by evaluating a first deterministic function based upon the received random string, a locally generated string and a first private key stored on the constrained device; and transmitting at least one portion of the responsive output and the locally generated string from the constrained device to a server.

Abstract: Computer-readable media, computerized methods, and computer systems for alerting a user that an operating system has entered a secure mode is provided. Initially, inputs are received at an operating system residing in a default mode. Typically, the default mode allows applications running on the operating system to access the inputs. If the inputs are identified as a call to perform a protected operation, the operating system is transitioned from the default mode to the secure mode. Typically, the secure mode restricts the applications from intercepting the inputs. The transition to the secure mode is automatically communicated to the user via an indicator device. Generally, automatic communication includes providing a message from the operating system to the indicator device over a secure pathway that triggers the indicator device to generate a user-perceivable output. Accordingly, the operating system exerts exclusive control over the operation of the indicator device.

Abstract: In an example, a method of securing content is described. The method may include instantiating a content server on a client device. The method may also include operating the content server to retrieve content identified by a Uniform Resource Identifier (URI). The method may also include serving the content from the content server to a content renderer on the client device. The content renderer may be configured to render the content at the client device and to prohibit saving the content in the clear on the client device.

Abstract: A method including: receiving a client application for distribution to user devices; receiving a secret authentication key associated with the client application; securing with digital rights management technology the secret authentication key associated with the client application; and providing an application package comprising the client application and the secured secret authentication key for distribution to user devices.

Abstract: Embodiments of the invention are directed to systems, methods and computer program products for using a device identification program. In some embodiments, a system is configured to: receive device identification information from a mobile device, search a database of records based on the identification information, and in response to determining a match between information associated with a record in the database and the identification information, enable first access to an application initiated on the mobile device.

Abstract: Methods and systems for providing an enterprise license registrar anchor point are provided. More particularly, an enterprise license registrar is established within an enterprise system using license files and a certificate provided by an external license authority. The enterprise license registrar operates within the enterprise system to maintain a record of allocations of license rights by license manager servers to application instances. The enterprise license registrar logs the report data. The log files are digitally signed or encrypted to prevent tampering by the enterprise system, and are delivered to the external license authority, without requiring a persistent connection between the external license authority and the enterprise system. The enterprise system can comprise a virtualized environment.

Abstract: An exemplary method includes receiving data representative of a content instance over a network from an access device associated with a user, storing the content instance, encrypting the content instance in response to a command initiated by the user, providing a key configured to facilitate decryption of the encrypted content instance, transmitting data representative of the encrypted content instance to a requesting access device, receiving data representative of a request to access the key from the requesting access device over the network, and performing a predefined action related to the key in response to the request and in accordance with at least one access rule, the at least one access rule based on at least one of a user profile and an access device profile.

Abstract: Methods, apparatus, and computer-accessible storage media for controlling export of snapshots to external networks in service provider environments. Methods are described that may be used to prevent customers of a service provider from downloading snapshots of volumes, such as boot images created by the service provider or provided by third parties, to which the customer does not have the appropriate rights. A request may be received from a user to access one or more snapshots, for example a request to export the snapshot or a request for a listing of snapshots. For each snapshot, the service provider may determine if the user has rights to the snapshot, for example by checking a manifest for the snapshot to see if entries in the snapshot manifest belong to an account other than the customer's. If the user has rights to the snapshot, the request is granted; otherwise, the request is not granted.

Abstract: In a method of temporarily registering a second device with a first device, in which the first device includes a temporary registration mode, the temporary registration mode in the first device is activated, a temporary registration operation in the first device is initiated from the second device, a determination as to whether the second device is authorized to register with the first device is made, and the second device is temporarily registered with the first device in response to a determination that the second device is authorized to register with the first device, in which the temporary registration requires that at least one of the second device and the first device delete information required for the temporary registration following at least one of a determination of a network connection between the first device and the second device and a powering off of at least one of the first device and the second device.

Abstract: In a communication system, a wireless communication device receives and processes a text message including a location request code and a communication code. In response to the location request code, the wireless communication device transfers a location query indicating the communication code. An authorization computer system receives the location query and processes the communication code to determine if the location request should be authorized. If the location request should be authorized, the authorization computer system transfers a location authorization. The wireless communication device processes the location authorization, and in response, transfers geographic location information using the communication code to control delivery of the geographic location information to a location receiving system.

Abstract: According to one embodiment, an apparatus may store a plurality of tokens indicating a user is requesting access to a resource over a network. The apparatus may determine a condition associated with accessing the resource based on the plurality of tokens. The condition may be determined in addition to a determination to grant or deny access to the resource. The condition may include an obligation to be fulfilled and a message providing instruction regarding how to fulfill the obligation. The apparatus may generate a decision token representing the condition, and communicate the decision token to a resource provider to facilitate enforcement of the condition.

Abstract: A method for transmitting data confirmed by at least one person (KND), wherein data (TOR) to be transmitted are received and/or generated by an input device (BSW), wherein the input device (BSW) can be operated by the person (KND). A configuration for performing the method and a computer program for implementing the steps are also provided.

Abstract: Methods and systems described herein relate to enhancing security on a device by configuring one or more software functions in a trusted zone of a processor using object firewalls, IPC mechanisms, and/or a policy engine. An inter-process communication mechanism and inter-process communication bus enable secure inter-process communication between inter-process communication applications within the trusted zone and inter-process communication applications external to the trusted zone. Adapting, filtering, blocking, redirecting, or otherwise modifying inter-process communications is enabled by the inter-process communications mechanism. Modifications may be controlled by a policy engine within the trusted zone.

Abstract: Controlling access to computational features includes: preparing a computational resource for execution by an execution system that has been provided a primary descriptor containing an identity value and that has associated a feature indicator with the primary descriptor; accessing a secondary descriptor containing the identity value and cryptographically assigned to the computational resource; and granting the computational resource access to a computational feature of the execution system based on the feature indicator.

Abstract: An entertainment device comprises communication means operable to receive media data from a media data source, storage means operable to store the received media data, in which the storage means limits the duration of access to the media data which was received from the media data source.

Abstract: A method is performed at a computer system having one or more processors and memory storing one or more programs executed by the one or more processors. The method includes receiving a first data transmission from a first client system, where the first data transmission including a first document, the first document having one or more portions that are marked as private; encrypting the marked portions of the first document using a key; and sending a second data transmission to a destination system, where the second data transmission includes a second document, the second document including the encrypted marked portions of the first document and a remainder of the first document that is not marked as private. The key is unavailable to the destination system. The second document is stored at the destination system.

Abstract: A system and method that maintains a secure chain of trust from domain name owner to publication by extending the trust placed in existing cryptographic identity systems to the records published in the Internet's Domain Name System (DNS) and secured by its DNS Security Extensions (DNSSEC) infrastructure. Automated validation and processing occur within a secured processing environment to capture and preserve the cryptographic security from the source request.

Abstract: Techniques for distributed license management are provided. Three or more services or servers cooperate and negotiate with one another to establish primary, secondary, and tertiary licensing services. Initially, the primary is designated as a master licensing service and manages a license for a plurality of users over a network. If the primary fails to respond within a configurable period of time to both the secondary and tertiary licensing services, then the secondary dynamically assumes a master licensing service role for purposes of managing the license.

Abstract: A device receives enterprise information associated with enterprises supported by a network, and determines enterprise identifiers for one or more enterprises identified in the enterprise information. The device also receives information associated with devices and subscribers of the network, and determines security key parameters based on the information associated with the devices and the subscribers of the network. The device further generates, based on the security key parameters, a security key for each of the enterprise identifiers.

Abstract: A remote user persona is received at a computing device. The computing device includes a local user persona having a plurality of subsets relating to preferences of a user of the computing device. The remote user persona is synchronized with the local user persona at the computing device and, accordingly, the behavior of the computing device is adjusted.

Abstract: A system for executing trusted applications with a reduced trusted computing base. In one embodiment, the system includes a processor to dynamically instantiate an application protection module in response to a request by a program to be executed under a trusted mode. The system further includes memory to store the program which is capable of interacting with a remote service for security verification. In one embodiment, the application protection module includes a processor-measured application protection service (P-MAPS) operable to measure and to provide protection to the application.

Abstract: A method is performed at a computer system having one or more processors and memory storing one or more programs executed by the one or more processors. The method includes generating a document, including marking one or more portions of the document as private; and sending the document to an intermediary system for transmission to a destination system. Prior to the document being transmitted to the destination system, the marked portions of the document are encrypted by the intermediary system using a key that is unavailable to the destination system.

Abstract: Embodiments of the present invention provide a method for voice approval, where the method includes: receiving voice approval request information sent by an enterprise application server; establishing a voice communication connection with the terminal according to the contact information of the approver terminal; sending approval content audio information corresponding to the voice approval request information to the approver terminal; receiving feedback information, and obtaining approval result information according to the feedback information; and sending the approval result information to the enterprise application server. Embodiments of the present invention also provide a device and system for voice approval. In the embodiments of the present invention, the enterprise application server and the enterprise gateway are combined and improved to enable an approver to approve, in voice mode, an approval request raised by an applicant, thereby increasing the approval efficiency.

Abstract: In a network comprising a plurality of network resources and at least one directory server, the directory server containing information with a predetermined level of trust about the network resources, a method for automatically providing a user device with information about a network resource in communication with the user device. The communication includes address information about the network resource. The method comprises: automatically retrieving information from the directory server about the network resource in communication; and automatically executing at least one of a set of predetermined actions based on the retrieved information.

Abstract: A system and method for providing a unique encryption key including a receiver, at a Voice over Internet Protocol (VoIP) adapter, configured to receive a configuration file, a processor, at the VoIP adapter, configured to decrypt the configuration file using a default key stored in the VoIP adapter, update one or more profile parameters of the configuration file, and install an encryption key at the VoIP adapter using the configuration file, and a transmitter, at the VoIP adapter, configured to register, with a network element, for network service using the updated configuration file such that the receiver is configured to receive network service from the network element when the updated configuration file is authenticated by the network element.

Abstract: A method, system and non-transitory computer-readable medium product are provided for enterprise-specific functionality watermarking and management. In the context of a method, a method is provided that includes identifying a request to perform at least one function of a user device associated with an enterprise and identifying at least one watermark template associated with an enterprise. The method further includes applying the at least one watermark template associated with the enterprise to at least one function of the user device associated with the enterprise and authorizing the request to perform the at least one function of the user device associated with the enterprise.

Abstract: A system and method for providing a secure data container for an ambient intelligent environment are disclosed. A particular embodiment includes: collecting a set of information from a first digital network information endpoint associated with a vehicle; associating, by use of a data processor, a persistent digital identifier with the collected information, the persistent digital identifier being derived from information associated with the vehicle; enabling a user to specify a shared data set from the collected information; enabling the user to specify a set of sharing controls corresponding to the shared data set; combining information identifying the shared data set and the sharing controls in a secure container; and enabling to second digital network information endpoint to access the shared data set via the secure container upon presentation of a valid secure access token.

Abstract: Described in detail herein are systems and methods for managing connections in a data storage system. For example, the systems and methods may be used to manage connections between two or more computing devices for purposes of performing storage operations on the data of one of the computing devices. The data storage system includes at least two computing devices. A first computing device includes an unauthorized connection data structure and a connection manager component. The connection manager component receives a connection request from a second computing device. If the second computing device is not identified on the unauthorized connection data structure, the connection manager component can request that an authentication manager authenticate the second computing device and/or determine whether the second computing device is properly authorized. If so, the connection manager component can allow the second computing device to connect to the first computing device.

Abstract: An anti-malware approach uses a storage drive with the capability to lock selected memory areas. Platform assets such as OS objects are stored in the locked areas and thus, unauthorized changes to them may not be made by an anti-malware entity.

Abstract: Systems and methods are provided for challenge/response animation. In one implementation, a request for protected content may be received from a client, and the protected content may comprise data. A challenge phrase comprising a plurality of characters may be determined, and a computer processor may divide the challenge phrase into at least two character subsets selected from the characters comprising the challenge phrase. Each of the at least two character subsets may include less than all of the characters comprising the challenge phrase. The at least two character subsets may be sent to the client in response to the request; and an answer to the challenge phrase may be received from the client in response to the at least two character subsets. Access to the protected content may be limited based on whether the answer correctly solves the challenge phrase.

Abstract: In one embodiment, a method includes receiving authorization data at a local node of a network. The authorization data indicates a particular network address of a different node in the network and an authenticated user ID of a user of the different node. Resource profile data is retrieved based on the user ID. The resource profile data indicates all application layer resources on the network that the user is allowed to access. The particular network address is associated at the local node with the resource profile data for the user. A request from the particular network address for a requested application layer resource on the network is blocked based on the resource profile data associated with the particular network address.

Abstract: For establishing a VPN connection in the call-back type, a VPN server establishes an always-on connection through a unique protocol different from the electronic mail delivery system. A client generates a client authentication data used for the client authentication implemented by the VPN server, and establishes the relay server through the unique protocol to transmit the client authentication data. The relay server device relays the client authentication data to the VPN server through the unique protocol. The VPN server implements the client authentication based on the relayed data. The VPN server establishes the VPN connection with the client based on the result of the authentication.

Abstract: Invention embodiments are concerned with the problem of controlling access to a media storage device in response to, e.g., employees leaving or changing jobs. More specifically, embodiments provide a method of controlling access to a media storage device storing a plurality of media objects. Thus embodiments of the invention solve the afore-mentioned problem by providing a mechanism for updating the list of recipients based on data received from a user identification system after the media storage device has been dispatched.

Abstract: Invention embodiments are concerned with the problem of controlling access to a media storage device in response to, e.g., employees leaving or changing jobs. More specifically, embodiments provide a method of controlling access to a media storage device storing a plurality of media objects. Thus embodiments of the invention solve the afore-mentioned problem by providing a mechanism for updating the list of recipients based on data received from a user identification system after the media storage device has been dispatched.