By Authorizing Client Patents (Class 726/29)
  • Patent number: 8724803
    Abstract: A method and apparatus for secure generation of a short-term key SK for viewing information content in a Multicast-broadcast-multimedia system are described. A short-term key is generated by a memory module residing in user equipment (UE) only when the source of the information used to generate the short-term key can be validated. A short-term key can be generated by a Broadcast Access Key (BAK) or a derivative of BAK and a changing value with a Message Authentication Code (MAC) appended to the changing value. A short-term key (SK) can also be generated by using a private key and a short-term key (SK) manager with a corresponding public key distributed to the memory module residing in the user equipment (UE), using a digital signature.
    Type: Grant
    Filed: September 1, 2004
    Date of Patent: May 13, 2014
    Assignee: QUALCOMM Incorporated
    Inventors: James Semple, Gregory Gordon Rose
  • Patent number: 8726403
    Abstract: A method that includes receiving a first request for video content from a user of a user device; retrieving an identifier for the user device using an application programming interface; sending a second request to receive the video content that includes the identifier; receiving an instruction to provide payment to rent or purchase the video content; sending the payment in response to the instruction; receiving the video content and a token, where the video content is encrypted based on a key and where the token indicates that the payment was processed; sending a third request to obtain a license associated with the video content that includes the token and the identifier; receiving the license, which includes the key and terms under which the video content is to be processed; decrypting the video content, using the key, when the decrypting is performed in a manner permitted by the terms; and playing the decrypted video content.
    Type: Grant
    Filed: September 2, 2010
    Date of Patent: May 13, 2014
    Assignee: Verizon Patent and Licensing Inc.
    Inventors: Jian Huang, Bobby Bo Xiao, Jack Jianxiu Hao, Diego S. Rozensztejn, Okeno R. Palmer, Gaurav Mehta
  • Patent number: 8726405
    Abstract: A technique provides wireless communications security. The technique involves providing a mobile wireless communications apparatus (e.g., a smart phone) having DLP circuitry, and configuring the DLP circuitry to perform DLP scanning operations. The technique further involves conducting, after the DLP circuitry is configured to perform the DLP scanning operations, wireless communications sessions (e.g., mobile phone calls) between the mobile wireless communications apparatus and external devices (e.g., wireless access points) while the DLP circuitry performs the DLP scanning operations. In some arrangements, the DLP circuitry is configured by a user to (i) allow only authorized apps to send sensitive information and/or (ii) block retransmission of the sensitive information (e.g., in the event an application containing spyware attempts to send the sensitive information to an attacker after the user has completed a legitimate transaction).
    Type: Grant
    Filed: December 23, 2010
    Date of Patent: May 13, 2014
    Assignee: EMC Corporation
    Inventors: Daniel V. Bailey, Robert W. Griffin
  • Publication number: 20140130187
    Abstract: In some embodiments, a filter may filter web graphics library code executing on the graphics processing unit. As a result the web graphics library code may be prevented from accessing memory or other resources that are not allocated specifically for the web graphics library module. Likewise web graphics library code may not access any shared resources that have been explicitly assigned to the process specific web graphics library module.
    Type: Application
    Filed: November 8, 2012
    Publication date: May 8, 2014
    Inventors: Dewan Prashant, Hong Li, David M. Durham
  • Publication number: 20140130188
    Abstract: A hijack-protected, secure storage device requires proof that the user has actual physical access to the device before protected commands are executed. Examples of protected commands include attempts to change storage device security credentials of the device, erasure of protected portions of the device, and attempts to format, sanitize, and trim the device. Various techniques for proving the actual physical possession include manipulating a magnet to control a magnetic reed switch located within the device, operating a momentary switch located within the device, altering light reaching a light sensor located within the device (such as by opening or shutting a laptop cover to change ambient light reaching the sensor), and manipulating a radio-transmitting device (such as a cell phone) near the storage device for detection of the manipulation by a compatible radio receiver located within the device.
    Type: Application
    Filed: July 26, 2012
    Publication date: May 8, 2014
    Applicant: LSI CORPORATION
    Inventors: Leonid Baryudin, Timothy Joseph Markey, Dmitry Obukhov
  • Patent number: 8719954
    Abstract: The present invention relates to data rights management and more particularly to a secured system and methodology and production system and methodology related thereto and to apparatus and methodology for production side systems and are consumer side systems for securely utilizing protected electronic data files of content (protected content), and further relates to controlled distribution, and regulating usage of the respective content on a recipient device (computing system) to be limited strictly to defined permitted uses, in accordance with usage rights (associated with the respective content to control usage of that respective content), on specifically restricted to a specific one particular recipient device (for a plurality of specific particular recipient devices), or usage on some or any authorized recipient device without restriction to any one in specific, to control use of the respective content as an application software program, exporting, modifying, executing as an application program, viewing,
    Type: Grant
    Filed: October 11, 2006
    Date of Patent: May 6, 2014
    Inventors: David H. Sitrick, Russell T. Fling
  • Patent number: 8719955
    Abstract: A video receiving apparatus which reduces waiting time until an image is displayed on a monitor includes: a plurality of authentication executing units which perform respectively an authentication process to the external devices connected to each of the plurality of input terminals; a terminal selecting unit which selects one of the plurality of input terminals as a video input terminal based on an operation input from outside; a video receiving unit which receives the video information through one of the authentication executing units corresponding to the selected input terminal from the external devices connected through the selected input terminal; and a display control unit which outputs the received video information to a monitor.
    Type: Grant
    Filed: June 2, 2008
    Date of Patent: May 6, 2014
    Assignee: Funai Electric Co., Ltd.
    Inventor: Takahiro Kurose
  • Patent number: 8719953
    Abstract: A method of protecting use of an entity's identity is provided. The method comprises setting a status of the identity to a first state, the first state defining a scope of permitted use of the identity, changing, in advance of an intended use of the identity, the status to a second state defining a scope of permitted use of the identity that is different from the first state, requesting use of the identity after the changing; and returning, after the requesting, the state back to the first state.
    Type: Grant
    Filed: December 3, 2012
    Date of Patent: May 6, 2014
    Inventors: Gary M. Dennis, Sharon D. Dennis
  • Patent number: 8719587
    Abstract: The invention relates to a computer implemented method for generating a pseudonym for a user comprising entering a user-selected secret, storing the user-selected secret in memory, computing a private key by applying an embedding and randomizing function onto the secret, storing the private key in the memory, computing a public key using the private key, the public key and the private key forming an asymmetric cryptographic key, erasing the secret and the private key from the memory, and outputting the public key for providing the pseudonym.
    Type: Grant
    Filed: April 4, 2011
    Date of Patent: May 6, 2014
    Assignee: CompuGroup Medical AG
    Inventors: Adrian Spalka, Jan Lenhardt
  • Patent number: 8719528
    Abstract: A storage device in which file data is divided into multiple blocks for storage on a recording medium is provided. The storage device includes an additional data storing section for storing additional data to be recorded on the recording medium in association with the data to be written, a position determining section for determining recording positions on the recording medium where the blocks should be respectively written, based on the additional data, and a block writing section for writing the respective blocks on the recording positions on the recording medium determined by the recording position determining section. The additional data thus defines a gap length between blocks of recorded data. During a read operation, if the gap length does not comport with the additional data, then an error is assumed.
    Type: Grant
    Filed: July 9, 2013
    Date of Patent: May 6, 2014
    Assignee: International Business Machines Corporation
    Inventors: Tomoaki Kimura, Satoshi Tohji
  • Patent number: 8719904
    Abstract: A method of access by at least one second user, to at least one service offered by a first user is provided, which includes transmitting by the first user to the second user at least one invitation comprising an access level defined by the first user to allow said at least one second user to access said at least one service; verifying the content of said at least one invitation, delivering to the second user an access authorization to said at least one service, dependent on the access level; and requesting access to said at least one service by the second user, on the basis of the access authorization.
    Type: Grant
    Filed: May 19, 2009
    Date of Patent: May 6, 2014
    Assignee: Orange
    Inventors: Emmanuel Bertin, Jean-Pierre Deschrevel, Katell Henry
  • Patent number: 8719957
    Abstract: Systems and methods are disclosed for preventing tampering of a programmable integrated circuit device. Generally, programmable devices, such as FPGAs, have two stages of operation; a configuration stage and a user mode stage. To prevent tampering and/or reverse engineering of a programmable device, various anti-tampering techniques may be employed during either stage of operation to disable the device and/or erase sensitive information stored on the device once tampering is suspected. One type of tampering involves bombarding the device with a number of false configuration attempts in order to decipher encrypted data. By utilizing a dirty bit and a sticky error counter, the device can keep track of the number of failed configuration attempts that have occurred and initiate anti-tampering operations when tampering is suspected while the device is still in the configuration stage of operation.
    Type: Grant
    Filed: April 29, 2011
    Date of Patent: May 6, 2014
    Assignee: Altera Corporation
    Inventor: Bruce B. Pedersen
  • Publication number: 20140123320
    Abstract: According to one embodiment, a processor accesses a storage module upon a request from a processor module, which selectively switches between a secure mode and a non-secure mode and performs predetermined data processing in each mode. In this case, the access to a protected area of the storage module is permitted only when the processor module is in the secure mode based on a report indicative of an own mode, which is output from the processor module.
    Type: Application
    Filed: August 28, 2013
    Publication date: May 1, 2014
    Applicant: KABUSHIKI KAISHA TOSHIBA
    Inventors: Hiroshi Isozaki, Atsushi Hirota
  • Publication number: 20140123321
    Abstract: A system for securely authenticating software Application Program Interfaces (APIs) includes a handshake protocol that enables promulgation of licensing rights controlling Intellectual Property (IP) to multiple Actors. The Actors include components of a cable system that can include a Conditional Access System, Middleware, a Browser for a Set-Top-Box, a Guide and a Guide Data Provider. The handshake is a Challenge-Response protocol that includes a Challenge issued by one Actor who controls IP rights to verify a second Actor has Licensed IP rights when the second Actor Response includes a Hook IP function IPF1. Other Actors who wish to use software functions F that the first Actor provides will be encouraged to acquire rights to the IP License to obtain the function IPF1 for access. Subsequent Actors who have IP rights controlled by another function IPF2 can be pulled into the same IP Licensing system, or another IP License that becomes part of the same ecosystem with the system controlled using function IPF1.
    Type: Application
    Filed: October 29, 2013
    Publication date: May 1, 2014
    Applicant: General Instrument Corporation
    Inventors: Eric J. Sprunk, Mark G. Depietro
  • Patent number: 8713694
    Abstract: A data transfer method performed at a proxy server includes intercepting a data request from a client computer that is directed to a target server, encrypting profile information, augmenting the data request by adding the encrypted profile information to the data request, and sending the augmented data request to the target server. A data transfer method that is performed at an information server includes receiving a data request from a proxy server, extracting profile information added to the data request by the proxy server, using the extracted profile information to generate a response, and sending the response to the proxy server.
    Type: Grant
    Filed: September 14, 2012
    Date of Patent: April 29, 2014
    Assignee: Facebook, Inc.
    Inventors: Larry T. Harada, Mark A. Dolecki, Christopher S. Purdum, C. Hudson Hendren, III
  • Patent number: 8713690
    Abstract: A data transfer method performed at a proxy server includes intercepting a data request from a client computer that is directed to a target server, encrypting profile information, augmenting the data request by adding the encrypted profile information to the data request, and sending the augmented data request to the target server. A data transfer method that is performed at an information server includes receiving a data request from a proxy server, extracting profile information added to the data request by the proxy server, using the extracted profile information to generate a response, and sending the response to the proxy server.
    Type: Grant
    Filed: February 18, 2011
    Date of Patent: April 29, 2014
    Assignee: Facebook, Inc.
    Inventors: Larry T. Harada, Mark A. Dolecki, Christopher S. Purdum, C. Hudson Hendren, III
  • Patent number: 8713706
    Abstract: A system and methods for coordinating the operation of a client security module and a host security module on a mobile electronic device. The modules communicate with each other through a platform abstraction layer using application programming interfaces to coordinate their activities. In particular, the client security module instructs the host security module when to lock and unlock the device, and the host security module alerts the client security module to attempts by the user to lock or unlock the device.
    Type: Grant
    Filed: July 4, 2011
    Date of Patent: April 29, 2014
    Assignee: BlackBerry Limited
    Inventors: Melanie Barker, John Hodgson
  • Patent number: 8713708
    Abstract: Techniques for controlling the use of data stored on a media or integrated circuit sample are provided. A sample identifier is created at the point of sample use. The type of sample could range from storage media, such as a Digital Video Disc, or DVD, on which, for example, data representing a motion picture is recorded, to an integrated circuit in which computer code is stored. The sample identifier is stored at a location that is different from where the data is to be employed, and compared with other sample identifiers. The use of the data is controlled based on the results of the comparison.
    Type: Grant
    Filed: March 3, 2009
    Date of Patent: April 29, 2014
    Assignee: CSR Technology Inc.
    Inventor: Paul R. Goldberg
  • Patent number: 8713705
    Abstract: A system and method are provided for validating executable program code operating on at least one computing device. Program instructions that include a request for access to sensitive information are executed on a first computing device. An authentication request for access to the electronic information is sent from the first computing device to a second computing device. In response to the authorization request, a challenge is sent from the second computing device to the first computing device. The first computing device executes the challenge and generates an authentication response that includes at least one memory object associated with the program instructions.
    Type: Grant
    Filed: February 26, 2010
    Date of Patent: April 29, 2014
    Assignee: EISST Ltd.
    Inventors: Corrado Ronchi, Shukhrat Zakhidov
  • Patent number: 8713365
    Abstract: Embodiments enable recovery of push notification channels via session information associated with user identifiers. A proxy service creates session information describing push notification channels (e.g., subscriptions) for a user and associates the session information with a user identifier. The session information is stored in a cloud service or other storage area separate from the proxy service. After failure of a user computing device or the proxy service, the session information is obtained via the user identifiers and the push notification channels are re-created with the session information. In some embodiments, the proxy service enables delivery of the same notification to multiple computing devices associated with the user identifier.
    Type: Grant
    Filed: January 28, 2011
    Date of Patent: April 29, 2014
    Assignee: Microsoft Corporation
    Inventor: Rashid Qureshi
  • Patent number: 8713704
    Abstract: A computationally-implemented method, for certain example embodiments, may include, but is not limited to: determining that a first user of a computing device is associated with the computing device; and determining a level of authentication associated with the first user via the computing device, the level of authentication at least partially based on a behavioral fingerprint. A level of authentication determination may additionally/alternatively include at least determining a behavioral fingerprint via establishing a statistical predictability of one or more future actions of an authorized user of a computing device. A level of authentication determination may additionally/alternatively include at least determining an authentication level with respect to a computing device at least partially based on a behavioral fingerprint determined from interaction(s) with another device.
    Type: Grant
    Filed: May 18, 2012
    Date of Patent: April 29, 2014
    Assignee: Elwha LLC
    Inventors: Marc E. Davis, Matthew G. Dyor, Daniel A. Gerrity, Xuedong Huang, Roderick A. Hyde, Royce A. Levien, Richard T. Lord, Robert W. Lord, Mark A. Malamud, Nathan P. Myhrvold, Clarence T. Tegreene
  • Patent number: 8713696
    Abstract: Methods and systems for dynamically bundling portions into secured destination files are provided. Example embodiments provide a Dynamic Digital Rights Bundling System (“DDRBS”), which dynamically bundles a set of portions each variously containing digital rights management components, user interface controls, and content, into a secured destination file in response to a designated content request. In one embodiment, the DDRBS comprises a bundling engine, a translation engine, a merging engine, and an assortment of data repositories. These components cooperate to dynamically assemble and provide customized secured destination files comprising the requested content together with specialized user interface and digital rights management controls. This abstract is provided to comply with rules requiring an abstract, and it is submitted with the intention that it will not be used to interpret or limit the scope or meaning of the claims.
    Type: Grant
    Filed: January 13, 2006
    Date of Patent: April 29, 2014
    Assignee: Demand Media, Inc.
    Inventor: Neal Bozeman
  • Patent number: 8713597
    Abstract: A mobile IPTV system enables authenticating and off-loading of IPTV operations from a mobile device to an external fixed viewing device. The mobile device performs authentication to an IPTV network to receive decryption key(s) for use in decrypting IPTV content and provides the decryption key to the viewing device. The viewing device uses the decryption key to decrypt and render IPTV content thereon.
    Type: Grant
    Filed: January 5, 2010
    Date of Patent: April 29, 2014
    Assignee: Alcatel Lucent
    Inventors: Yong Sun, Vinod K. Choyi
  • Publication number: 20140115723
    Abstract: The present invention comprises a digital media delivery system with a physical authorization device for downloading media files to a digital media player. The physical authorization device is most preferably an indicia-bearing card, containing at least one of an NFC circuit with the NFC circuit comprising a reusable media authorization code, and/or a Quick Response code with a reusable media authorization code embedded in the QR code, and/or an eye-legible version of the reusable media authorization code. By touching or tapping the indicia-bearing card on the NFC enabled media player, or scanning the QR code, or entering the eye-legible media authorization code from the authorization device into a digital media player, the reusable media authorization code is transmitted to a file server on the Internet via an application on the digital media player and one or more media files will be downloaded to the digital media player or otherwise enabled for accessing on the digital media player.
    Type: Application
    Filed: October 18, 2012
    Publication date: April 24, 2014
    Inventors: Muralidhar Kothapalli, Deydeep Kothapalli, Shardul Kothapalli
  • Patent number: 8706897
    Abstract: Network devices, such as a router and a downstream multicast distribution device, may use multiple control channels when setting up a multicast stream for a multicast request. For example, first messages may be transmitted using a first protocol to an upstream device over a first channel, the first messages indicating when a first multicast media stream is being requested by at least one of a number of client devices. Second messages may be transmitted using a second protocol over a second channel, the second messages being transmitted on a per-client basis and each identifying a one of the client devices as requesting the first multicast media stream. By using two control channels to convey the multicast channel requests, the router may obtain visibility into the action of the subscriber and can consequently perform per-subscriber operations such as access-control, bandwidth based admission control, statistics, and QoS adjustment for multicast IPTV streams received by the subscriber.
    Type: Grant
    Filed: October 31, 2012
    Date of Patent: April 22, 2014
    Assignee: Juniper Networks, Inc.
    Inventors: Sanjay Wadhwa, Jerome P. Moisand, Mathias Kokot
  • Patent number: 8707456
    Abstract: A gateway network device may establish secure connections to a plurality of remote network devices using tunneling protocols to distribute to the remote network devices multimedia content received from one or more content providers. The consumption of the multimedia content may originally be restricted to a local network associated with the gateway network device. The secure connections may be set up using L2TP protocol, and the L2TP tunneling connections may be secured using IPSec protocol. Use of multimedia content may be restricted based on DRM policies of the content provider. DRM policies may be implemented using DTCP protocol, which may restrict use of the multimedia content based on roundtrip times and/or IP subnetting. Each content provider may use one or more VLAN identifiers during communication of the multimedia content to the gateway network device, and the gateway network device may associate an additional VLAN identifier with each secure connection.
    Type: Grant
    Filed: June 8, 2010
    Date of Patent: April 22, 2014
    Assignee: Broadcom Corporation
    Inventors: Yongbum Kim, Bruce Currivan, Wael Diab, Jeyhan Karaoguz, Kenneth Ma, Michael Johas Teener
  • Patent number: 8707457
    Abstract: The present application is directed to methods and systems for redirecting write requests issued by trusted applications to a secure storage. Upon redirecting the write requests, the data included in those requests can be stored in the secure storage area of a client computer. In some embodiments, the methods and systems can include determining whether an application issuing the request is a trusted application that requires data to be stored in a secure storage repository. Upon making this determination, a filter driver can identify a secure storage area on a client computer and can redirect the write request to this secure storage. In other embodiments, the filter driver may deny requests of trusted applications to write to unsecure storage areas.
    Type: Grant
    Filed: May 2, 2011
    Date of Patent: April 22, 2014
    Assignee: Citrix Systems, Inc.
    Inventor: Madhav Chinta
  • Patent number: 8707455
    Abstract: According to one embodiment, a content playback apparatus which acquires desired content from a specific site accessed via a network and plays back the acquired content, comprises a determination module configured to determine, when a data input request is received from a currently accessed site, whether or not the site is at least a site included in the specific site, and a controller configured to generate, when the determination module determines that the currently accessed site is not included in the specific site, a warning that advises accordingly.
    Type: Grant
    Filed: March 10, 2010
    Date of Patent: April 22, 2014
    Assignee: Kabushiki Kaisha Toshiba
    Inventors: Shinichiro Nakano, Hiroyuki Chaki, Akiko Yamaguchi
  • Patent number: 8707452
    Abstract: Methods, devices, and systems for managing sensitive data are provided. The management tool may be provided on a user input device, as opposed to being provided in memory or in a peripheral that can be read from a program running on a computing platform. The management tool may be maintained in a read/write isolation mode where no data is transmitted outside of the management tool unless the user input device is disengaged from the computing platform, at which point data may be transmitted from the management tool for ultimate delivery to the computing platform.
    Type: Grant
    Filed: April 14, 2008
    Date of Patent: April 22, 2014
    Assignee: Avaya Inc.
    Inventors: Frederick Block, Dennis C. Episkopos
  • Patent number: 8707423
    Abstract: A programmable display device includes a communication driver, a file system process unit that accesses the portable storage medium storing backup/restore target information that includes a target control device and target setting information respectively specifying the control device on which the backup/restore process is performed out of the control devices connected to the programmable display device and setting information, and a setting-information obtaining/writing process unit that accesses the control device via the communication driver based on the backup/restore target information and performs the backup/restore process of the setting information by accessing the portable storage medium via the file system process unit.
    Type: Grant
    Filed: December 18, 2007
    Date of Patent: April 22, 2014
    Assignee: Mitsubishi Electric Corporation
    Inventor: Kengo Koara
  • Publication number: 20140104103
    Abstract: A system and methods for location authentication are presented. An estimated server signal is estimated based on a generated known code signal, and a client received satellite signal is received from a client device. The client received satellite signal is compared to the estimated server signal to provide a comparison result.
    Type: Application
    Filed: October 16, 2012
    Publication date: April 17, 2014
    Inventors: Per K. Enge, David Lawrence, Michael L. O'Connor, Michael L. Eglington, Gregory M. Gutt, David A. Whelan
  • Patent number: 8699045
    Abstract: An information processing apparatus includes a determination unit configured to determine whether user information has been input to a printing apparatus before a print instruction for printing document data is received, and a transmission unit configured to transmit, when the determination unit determines that the user information has been input to the printing apparatus before the print instruction for printing the document data is received, a print job to the printing apparatus to which the user information has been input.
    Type: Grant
    Filed: July 27, 2010
    Date of Patent: April 15, 2014
    Assignee: Canon Kabushiki Kaisha
    Inventor: Masashi Nakagawa
  • Patent number: 8701208
    Abstract: An apparatus connected to a license management apparatus, storing license status data with license identifiers, via a network, and includes a part for receiving a request to acquire a license corresponding to a license identifier, a part for receiving designation of at least one electronic device for acquiring the license, a part for obtaining a license file corresponding to the license identifier from the license management apparatus, updating the license status data corresponding to the license identifier, and recording the license file to a storage part with the electronic device, a part for executing acquirement, and a part for executing re-execution in a case where the acquiring of the license by the electronic device is determined as a failure according to the result. The re-execution includes displaying the failure of the acquirement on a screen and re-executing the acquirement with the license file based on data input to the screen.
    Type: Grant
    Filed: September 7, 2010
    Date of Patent: April 15, 2014
    Assignee: Ricoh Company, Ltd.
    Inventors: Yuuko Sugiura, Tomoya Hirokawa, Taku Nagumo, Taku Ikawa
  • Patent number: 8701156
    Abstract: A method and apparatus for determining whether a second computing system meets a minimum level of protection for a DLP policy of a first computing system are described. A DLP agent may monitor outbound data transfers performed by the first computing system, and determines a violation of a DLP policy in a current one of the outbound data transfers to a second computing system. The DLP agent initiates a handshake protocol with the second computing system to determine whether the second computing system meets a minimum protection level for the DLP policy. If the second computing system does not meet the minimum protection level for the DLP policy, the DLP agent prevents the current data transfer to the second computing system; otherwise, the DLP agent permits the current data transfer.
    Type: Grant
    Filed: September 23, 2011
    Date of Patent: April 15, 2014
    Assignee: Symantec Corporation
    Inventor: Mukund Agrawal
  • Patent number: 8701207
    Abstract: The invention, related to the information security field, discloses a method for protecting software, and a device and system thereof. The method includes that a security device is connected with a terminal device; the security device receives a service instruction, determines whether the clock inside the security device is activated, reads the current time of the clock and determines whether the current time is valid; if so, the security device executes the service instruction and returns the executing result to the terminal device; otherwise, the security device returns a false result to the terminal device. The invention provides more secure service to the protected software and, meanwhile, extends the lifetime of the security device.
    Type: Grant
    Filed: June 25, 2010
    Date of Patent: April 15, 2014
    Assignee: Feitian Technologies Co., Ltd.
    Inventors: Zhou Lu, Huazhang Yu
  • Patent number: 8694767
    Abstract: A system and method that enables secure system boot up with a restricted central processing unit (CPU). The system includes a memory, a segmenting device, and a security sub-system. The memory is a NAND flash memory with a block structure that comprises a guaranteed block and non-guaranteed blocks. The guaranteed block is guaranteed to be useable. A boot code is segmented into boot code segments and the boot code segments are stored separately in the guaranteed and non-guaranteed blocks. The security sub-system is configured to locate the boot code segments stored in the non-guaranteed blocks and validate them independently based on data in the guaranteed block. The security sub-system is further configured to assemble the boot code segments into the boot code and execute the boot code.
    Type: Grant
    Filed: February 26, 2013
    Date of Patent: April 8, 2014
    Assignee: Broadcom Corporation
    Inventors: Stephane Rodgers, Andrew Dellow, Xuemin Chen, Iue-Shuenn Chen, Qiang Ye
  • Patent number: 8694790
    Abstract: A first storage device provides a host device with access to a private memory area by communicating a password between the first storage device and a second storage device via the host device using a double-encryption scheme. In one embodiment, a host device receives a twice-encrypted password from a first storage device, sends the twice-encrypted password to a second storage device, receives a once-encrypted password from the second storage device, decrypts the once-encrypted password to obtain the password, and sends the password to the first storage device. In another embodiment, a first storage device sends a twice-encrypted password to a host device, receives the password from the host device after the twice-encrypted password is decrypted by a second storage device and the host device, and provides the host device with access to the private memory area only if the password matches one that is stored in the first storage device.
    Type: Grant
    Filed: March 28, 2011
    Date of Patent: April 8, 2014
    Assignee: SanDisk IL Ltd.
    Inventors: Boris Dolgunov, Eyal Sobol, David Matot, Vered Babayov
  • Patent number: 8695102
    Abstract: A computer implemented method, apparatus, and computer usable program code for assuring data integrity is shown. A partition receives a request to execute an executable file from a source external to the partition. A memory region is created within the partition. The partition or service interface makes an authentication determination. The partition executes an executable file in the memory region based on the request, provided there is a positive authentication determination.
    Type: Grant
    Filed: May 1, 2006
    Date of Patent: April 8, 2014
    Assignee: International Business Machines Corporation
    Inventors: Steven A. Bade, Renato J. Recio, Madeline Vega
  • Patent number: 8693988
    Abstract: A computer program product that includes a computer useable storage medium to store a computer readable program for proximity-based authentication for managing personal data that, when executed on a computer, causes the computer to perform operations. The operations include receiving a request for personal data from a data access device, determining a first location corresponding to a location of the data access device, and determining a second location corresponding to a location of an authentication device. The operations also include transmitting the personal data to the data access device if the first location is within a threshold distance of the second location.
    Type: Grant
    Filed: June 16, 2009
    Date of Patent: April 8, 2014
    Assignee: International Business Machines Corporation
    Inventors: Michael D Facemire, Frank L Jania, Tracy L Rankin, Michael Wanderski
  • Patent number: 8693990
    Abstract: A computer program product that includes a computer useable storage medium to store a computer readable program for proximity-based authentication for managing personal data that, when executed on a computer, causes the computer to perform operations. The operations include receiving a request for personal data from a data access device, determining a first location corresponding to a location of the data access device, and determining a second location corresponding to a location of an authentication device. The operations also include transmitting the personal data to the data access device if the first location is within a threshold distance of the second location.
    Type: Grant
    Filed: March 12, 2012
    Date of Patent: April 8, 2014
    Assignee: International Business Machines Corporation
    Inventors: Michael D Facemire, Frank L Jania, Tracy L Rankin, Michael Wanderski
  • Publication number: 20140096269
    Abstract: Methods and systems to allow for the streaming of media from a file server to a client, where the streaming occurs concurrently with the execution of an information security protocol. The security protocol allows the client to securely receive one or more keys that allow the client to access the media. This permits a user to access the media sooner than would otherwise be possible, while allowing timely performance of security related processing.
    Type: Application
    Filed: September 28, 2012
    Publication date: April 3, 2014
    Inventors: William Amidei, Jason Braness, Kourosh Soroushian, Eric Grab
  • Patent number: 8687806
    Abstract: A method and apparatus are provided for decrypting an encrypted transport stream. The method includes receiving the encrypted transport stream over a content delivery network. The encrypted transport stream is encrypted using a first control word that serves as an encryption/decryption key. A variable control word is received over the content delivery network. The variable control word is mathematically constrained to create a second control word. The encrypted transport stream is decrypted using the second control word if the second control word is the same as the first control word.
    Type: Grant
    Filed: December 30, 2008
    Date of Patent: April 1, 2014
    Assignee: Motorola Mobility LLC
    Inventors: Lawrence D. Vince, Eric J. Sprunk
  • Patent number: 8689006
    Abstract: A data leakage prevention system, method, and computer program product are provided for preventing a predefined type of operation on predetermined data. In use, an attempt to perform an operation on predetermined data that is protected using a data leakage prevention system is identified. Additionally, it is determined whether a type of the operation attempted includes a predefined type of operation. Furthermore, the operation on the predetermined data is conditionally prevented based on the determination to prevent circumvention of the protection of the data leakage prevention system.
    Type: Grant
    Filed: April 13, 2012
    Date of Patent: April 1, 2014
    Assignee: McAfee, Inc.
    Inventors: Manabendra Paul, Abhilash Chandran
  • Patent number: 8689354
    Abstract: A method begins by a processing module receiving, from a user device, a request to access secure data, wherein the request includes a user identification code and at least one object name for the secure data. The method continues with the processing module processing the request to determine a security level associated with the user device and to determine security parameters associated with the secure data. The method continues with the processing module determining a level of access to the secure data based on the security level associated with the user device and the security parameters. The method continues with the processing module retrieving a set of encoded data slices from dispersed storage units, wherein the set of encoded data slices includes less than a reconstruction threshold number of encoded data slices and generating a response that includes the set of encoded data slices when the level of access is a partial access level.
    Type: Grant
    Filed: June 9, 2010
    Date of Patent: April 1, 2014
    Assignee: Cleversafe, Inc.
    Inventors: Gary W. Grube, Timothy W. Markison
  • Patent number: 8689298
    Abstract: A first request is received, at a service application programming interface (API) of an authorization server, to change a permission of a first role for accessing a first resource. In response to the first request, a first role-based permission data structure associated with the first role is accessed to identify an entry associated with the first resource, where the first role-based permission data structure includes entries corresponding to resources, respectively. Each resource is associated with one or more permissions for a user of the first role to access the corresponding resource. One or more permissions are updated in the identified entry associated with the first resource.
    Type: Grant
    Filed: May 31, 2011
    Date of Patent: April 1, 2014
    Assignee: Red Hat, Inc.
    Inventors: Jason Lilaus Connor, Michael B. McCune
  • Patent number: 8689355
    Abstract: An improved technique involves creating a new lockbox mechanism which is configured to work on a new or upgraded operating platform having different operating platform parameters, and then storing confidential information within the new lockbox (e.g., a copy of credentials which are also stored at a main site). When the new lockbox is then moved to the new or upgraded operating platform, the new lockbox mechanism properly works. Such operation enables the maintained compatibility with applications, control and maintenance of lockbox security throughout, and can be performed automatically and/or remotely.
    Type: Grant
    Filed: August 30, 2011
    Date of Patent: April 1, 2014
    Assignee: EMC Corporation
    Inventors: Janardana Neelakanta, Suresh Krishnappa
  • Patent number: 8689009
    Abstract: The invention provides a method for accessing the mass memory of a data carrier with a mass memory and a chip. The data carrier has been or is personalized by an individual date of a use device which is or has already been stored in(to) the chip to a use device for accessing the data carrier, so that the data carrier can only be used with this use device.
    Type: Grant
    Filed: August 19, 2005
    Date of Patent: April 1, 2014
    Assignee: Giesecke & Devrient GmbH
    Inventors: Thomas Bräutigam, Andreas Johne
  • Patent number: 8689347
    Abstract: A system and method that regulates the various operations between computing stations and storage devices. Storage devices are the storage means that are contained upon devices that are able to have data stored upon them. Any operation that involves or may lead to the exchange or accessing of content (data) between a storage device and computing station may be regulated by means of a policy which comprises a set of rules. Rules may be defined according to specific criteria, including the type of storage device, the type of content, the attributes of the content, and other attributes associated with the storage device and/or the content. The policy will be dynamically installed upon a computing station for specific user(s) and will regulate the data operations that may take place between the computing stations and storage devices based on evaluation of the policy. Based on the evaluation of the policy, the requested operation is permitted, restricted in some areas, or denied.
    Type: Grant
    Filed: May 15, 2006
    Date of Patent: April 1, 2014
    Assignee: CryptoMill Inc.
    Inventors: Kha Sin Teow, Ernest Dainow, Leonid Nikolaev, Daniel Thanos
  • Patent number: 8689349
    Abstract: Embodiments of the invention are generally directed to systems, methods, devices, and machine-readable mediums for implementing gesture-based signature authentication. In one embodiment, a method may involve generating a data protection policy from an un-trusted software environment to govern access to protected data stored in memory in the local computer system. Then the method maps the data protection policy to an enforceable system-level data protection policy managed by an Information Flow and Tracking Protection (IFTP) logic. Next, the method flags the first memory page containing the protected data. Finally, the method enforces the generated data protection policy for the first memory page containing the protected data using the IFTP logic and the enforceable system-level data protection policy.
    Type: Grant
    Filed: May 5, 2010
    Date of Patent: April 1, 2014
    Assignee: Intel Corporation
    Inventors: Ravi Sahita, Michael J. Covington
  • Patent number: 8688981
    Abstract: A method of logging in a health information tele-monitoring device by using a personal portable device. The method includes issuing a security key embedded in a health information tele-monitoring device to a personal portable device; storing the security key issued by the health information tele-monitoring device in the user's personal portable device; requesting the user's personal portable device to authenticate the health information tele-monitoring device in order to connect the health information tele-monitoring device to a healthcare server; and authorizing access of the health information tele-monitoring device to the healthcare server.
    Type: Grant
    Filed: September 3, 2009
    Date of Patent: April 1, 2014
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Byung-soo Gim, Kyu-tae Yoo, Kwang-hyeon Lee