Abstract: System for authorization and authentication comprises a server and at least one level of transit terminals. The server transmits digital content, server's identifier, and business pattern to the transit terminal. The transit terminal transmits to a lower level transit terminal the digital content, the server's identifier, the business pattern, and identifiers of respective transit terminals through which the digital content passes, and returns the above identifiers to the server. The server performs a match verification on the returned identifiers; if matched, the transit terminal is permitted to parse the business pattern and authorize a client to use the digital content based on privilege in the business pattern.

Abstract: Various embodiments of a system and method for digital rights management using a secure end-to-end protocol with embedded encryption keys are described. A DRM framework may implement a secure end-to-end protocol configured to protect messages sent between trusted endpoints by encrypting and decrypting the messages within software applications executing on each trusted endpoint. An encryption key embedded within a binary representation of a DRM client may be used by the DRM client to encrypt and decrypt messages sent over the secure protocol. The DRM client may request authentication using the secure protocol and receive an authentication token used by the DRM client to acquire a license to view protected content. The encryption key may be chosen from a pool of encryption keys and embedded in the DRM client during the software build process for the DRM client. The secure protocol may be designed according to Representational State Transfer guidelines.

Abstract: An audio-video display device can download from a third party server a licensable component on which a royalty is to be paid. Various methods are disclosed for accounting for royalties associated with downloading the licensable component to the client device between the third party server and a client device manufacturer server.

Abstract: A computer implemented method, a data processing system, and a computer program publish an audio annotation of a media signal. A media player plays a media signal. The media player then records an audio annotation to the media signal. Responsive to recording the audio annotation to the media signal, the media player records an identifier to be associated with the media signal. The audio annotation is then published to a social networking host.

Abstract: A request for network access is received from a client device at a network entry device of a network infrastructure. The network infrastructure determines a physical location of the client device and determines authorization of the client device based on the physical location. The approach can include providing the physical location along with other user credentials to an authorizing device. The method can also include determining a level of service based on the physical location. Communication for the approach can make use of the IEEE 802.1X protocol.

Abstract: An isolation execution environment provides an application with limited resources to execute an application. The application may require access to secured resources associated with a particular trust level that are outside of the isolation execution environment. A trust activation engine determines the trust level associated with a request for a resource and operates differently based on the trust level. A broker process may be used to execute components providing access to resources having a partial trust level in an execution environment that is separate from the isolation execution environment.

Abstract: Systems and methods for authenticating a user request for authentication are provided. An authentication device that may be part of such a system includes a network interface component coupled to a network and configured to receive at least one data packet having authentication information including at least a username of a user and user credentials. The device also includes a memory coupled to the network interface component and configured to store the received authentication information, one or more instructions for authenticating the user, and account information of the user. The device further includes one or more processors configured to analyze the received information, calculate a score based on the received information, determine a threshold, compare the calculated score with the determined threshold, and authenticate the user and a device from which the data packet is received if the calculated score is greater than or equal to the determined threshold.

Abstract: A two-factor network authentication system uses “something you know” in the form of a password/Pin and “something you have” in the form of a key token. The password is encrypted in a secure area of the USB device and is protected from brute force attacks. The key token includes authentication credentials. Users cannot authenticate without the key token. Four distinct authentication elements that the must be present. The first element is a global unique identifier that is unique to each key. The second is a private credential generated from the online service provider that is stored in a secure area of the USB device. The third element is a connection profile that is generated from the online service provider. The fourth element is a credential that is securely stored with the online service provider. The first two elements create a unique user identity. The second two elements create mutual authentication.

Abstract: A method, system, and computer program product for controlling consumption of a distributed network service in accordance with rights expression information associated with the distributed network service and specifying a manner of use of the distributed network service, including interpreting the rights expression information associated with the distributed network service, the rights expression information indicating a manner of use of the distributed network service; and controlling consumption of the distributed network service based on the rights expression information.

Abstract: Systems and methods are described for delegating permissions to enable account access. The systems utilize a delegation profile that can be created within a secured account of at least one user. The delegation profile includes a name, a validation policy that specifies principals which may be external to the account and which are permitted to assume the delegation profile, and an authorization policy that indicates the permitted actions within the account for those principals which are acting within the delegation profile. Once the delegation profile is created, it can be provided to external principals or services. These external principals or services can use the delegation profile to obtain credentials for performing various actions in the account using the credentials of the delegation profile.

Abstract: Verification of trustworthiness of a computing platform is provided. The trustworthiness of the computing platform is dynamically assessed to determine whether a root of trust exists on the computing platform. Responsive to determining existence of the root of trust, data is unsealed from a sealed storage facility. The sealed storage facility is unsealed responsive to a root of trust being determined to exist on the computing platform. The data can be used to attest to the trustworthiness of the computing platform to other device on a network.

Abstract: A method of operating a virtual computing system includes receiving at a security controller security data corresponding to a candidate virtual machine that is proposed to be included in a virtualization environment managed by a virtualization environment manager, comparing the security data of the candidate virtual machine to security data of other virtual machines in the virtualization environment, and in response to the comparison, recommending that the virtualization environment manager exclude the candidate virtual machine from the virtualization environment. Related systems and computer program products are disclosed.

Abstract: Methods and apparatus enabling programming of electronic identification information of a wireless apparatus. In one embodiment, a previously purchased or deployed wireless apparatus is activated by a cellular network. The wireless apparatus connects to the cellular network using an access module to download operating system components and/or access control client components. The described methods and apparatus enable updates, additions and replacement of various components including Electronic Subscriber Identity Module (eSIM) data, OS components. One exemplary implementation of the invention utilizes a trusted key exchange between the device and the cellular network to maintain security.

Abstract: Private information can be displayed using alternate frame sequencing to prevent unauthorized viewing. The private information can be ascertained by an authorized user using an active shutter viewing device synchronized to the alternate frame sequencing display. Private information can be displayed on a portion of the display, while public information, including a basic user interface, can be displayed on a second portion visible to authorized and unauthorized users. For enhanced security, alternate frame sequencing synchronization parameters can be encrypted and exchanged between a display device and the viewing device. When and where to display private information using alternate frame sequencing can be determined using environmental sensors. A single display screen can be configured to simultaneously present private information to multiple users, each user permitted to view a portion of the private information according to the unique synchronization parameters employed by a user's viewing device.

Abstract: A third party is configured to establish a virtual secure channel between a source SSD and a destination SSD via which the third party reads protected digital data from the source SSD and writes the protected digital data into the destination SSD after determining that each party satisfies eligibility prerequisites. An SSD is configured to operate as a source SSD, from which protected data can be copied to a destination SSD, and also as a destination SSD, to which protected data of a source SSD can be copied.

Abstract: In one aspect, this application describes a method for determining a license status of a software application. The method includes receiving a license status request to obtain an indication of whether a software application is licensed for use on a client computing device. The method also includes identifying identity information that corresponds to user identity information, device identity information, or both. The method also includes sending a communication generated from the license status request and the identity information to a licensing service, the communication being used by the licensing service to generate the indication based at least in part on the identity information and licensing information associated with the software application. The method also includes receiving a license status response from the licensing service that includes the indication. The method also includes sending the license status response to the software application for processing by the software application.

Abstract: A display control system includes: a display information acquisition section that acquires display information by using given account information; and a corrected display information creation section that, based on first display information acquired by the display information acquisition section using first account information and second display information acquired by the display information acquisition section using second account information different from the first account information, determines whether the display contents shown by the first display information are included in display contents shown by the second display information or not, selects part or all of the display contents shown by the first display information in accordance with a result of the determination, and creates corrected display information which includes the selected part of the display contents shown by the first display information.

Abstract: Techniques for injecting encryption keys into a meter as a part of a manufacturing process are discussed. Since various encryption keys injected into meters may be specific to each individual meter, a utility company customer may require a copy of the injected encryption keys associated with each individual meter. The techniques may include providing a copy of keys injected into each meter to a utility company customer. In some instances, the meter manufacturer may not store or persist various encryption keys that are injected into the meters during the manufacturing process.

Abstract: A system, method, and computer program product are provided for selecting a wireless network based on security information. In use, a plurality of wireless networks is identified. Further, security information associated with each of the wireless networks is collected, such that one of the wireless networks is selected based on the security information.

Abstract: According to one embodiment, a storage system includes a host device and a secure storage. The host device and the secure storage produce a bus key which is shared only by the host device and the secure storage by authentication processing, and which is used for encoding processing. The host device produces a message authentication code including a message which can be stored in the secure storage based on the bus key, and sends the produced message authentication code to the secure storage. The secure storage stores the message included in the message authentication code in accordance with instructions of the host device. The host device verifies whether the message stored in the secure storage is intended contents.

Abstract: A distributed operation is performed using at least one first and second computer-based object, wherein control information is used to influence or determine a property, a function of the first and/or second computer-based objects. The control information includes details of a parameter identifier, a value associated with the parameter identifier, a range of validity and a remote access attribute. The control information is provided in a retrievable manner, according to the included range of validity, in a memory organized according to ranges of validity and is associated with the first computer-based object. During a function or service call for performing the distributed operation, which is sent from the first computer-based object to the second, the control information is transmitted to the second computer-based object, provided in a retrievable manner in the memory organized according to the ranges of validity and associated with the second computer-based object.

Abstract: A system includes a virtual machine (VM) server and a policy engine server. The VM server includes two or more guest operating systems and an agent. The agent is configured to collect information from the two or more guest operating systems. The policy engine server is configured to: receive the information from the agent; generate access control information for a first guest OS, of the two or more guest operating systems, based on the information; and configure an enforcer based on the access control information.

Abstract: Disclosed herein are systems, methods, and non-transitory computer-readable storage media for asset lease management. The system receives, from a client device associated with a user profile, a lease start request for an asset for which the user profile is authorized. The system identifies a number of available slots for progressively downloading content. If the number of available slots is greater than zero, the system assigns an available slot from the number of available slots to the client device to yield an assigned slot. The system transmits security information, a lease key, and a lease duration associated with the assigned slot to the client device in response to the lease start request, wherein the security information and lease key allow the client device to start a progressive download of the asset for the lease duration. At the end of the lease, the system terminates the lease and releases the assigned slot.

Abstract: A storage controller and program product is provided for performing double authentication for controlling disruptive operations on storage resources generated by a system administrator. A first request is received from a first user for generation of a first key. A first key is generated, provided to the first user and associated with the storage resource. An input is received from the administrator, the input comprises a second key and a command for performing the disruptive operation. The second key and the first key are compared. It is verified that the administrator is authorized as an administrator of the storage resource. The disruptive operation is performed on the storage resource if the second key and the first key match and the administrator is authorized. Otherwise, the performance of the disruptive operation is denied.

Abstract: A network storage system for a download intensive environment is provided. The network storage comprises at least a data storage server (DSS) that includes an interface enabling connection of the DSS to a network at a location that enables at least a view of network transactions performed by a plurality of clients; a storage unit; and a system adapted to monitor the network transactions occurring on the network and identification of the network transactions as belonging to a registered client of the DSS, and storing in the storage the transactions with an identification corresponding to the registered client.

Abstract: A method and apparatus for controlling document access and application usage using centrally managed rules. The rules are stored and manipulated in a central rule database via a rule server. Policy enforcers are installed on client systems and/or on servers and perform document access and application usage control for both direct user document accesses and application usage, and application program document accesses by evaluating the rules sent to the policy enforcer. The rule server decides which rules are required by each policy enforcer. A policy enforcer can also perform obligation and remediation operations as a part of rule evaluation. Policy enforcers on client systems and servers can operate autonomously, evaluating policies that have been received, when communications have been discontinued with the rule server.

Abstract: Method for providing a mesh key which can be used to encrypt messages between a first node and a second node of a mesh network, wherein a session key is generated when authenticating the first node in an authentication server, the first node and the authentication server or an authentication proxy server using a predefined key derivation function to derive the mesh key from said session key, which mesh key is transmitted to the second node.

Abstract: A method and system for a content provider to enable the consumption of content by properly entitled consumers (e.g., end-users, clients, customers) within a cloud provider network. A first certificate checkin service (CCS) executed by a processing device deployed in the cloud provider network receives a first set of usage data relating to content of a content provider consumed by a client of the cloud provider network. The first CCS provides the usage data to a communicatively coupled parent CCS. The first CCS provides the parent CCS with a request for entitlement data relating to the cloud provider, and stores the entitlement data received from the parent CCS. The entitlement data may be used by the first CCS to determine if the client is entitled to consume the content.

Abstract: A method for authentication of a high-security client and a low-security client in a high-security mobile radio network includes: transmitting a request for authentication from a base station to the high-security client, wherein the request for authentication comprises a random number as a challenge; receiving a response from the high-security client at the base station, wherein the response from the high-security client comprises a generated number generated by performing a keyed cryptographic function on the challenge; providing a fixed number to the low-security client; and receiving a response from the low-security client at the base station, wherein the response from the low-security client comprises the fixed number. Limited access to the mobile radio network is granted for the low-security client relative to an access of the high-security client.

Abstract: Systems, methods, routines and/or techniques for limiting the functionality of a software program based on a security model are described. One or more embodiments may include limiting the functionality of a software program (e.g., a widget) based on one or more operations that the widget intends to take. One or more embodiments may include limiting the functionality of a widget that is located on and/or accessible via a lock screen of a mobile device. One or more embodiments may include preventing a widget from causing an application to perform sensitive actions when a system is in an un-authenticated state. One or more embodiments may include preventing a widget from installing and/or displaying on a particular screen of a mobile device (e.g., a lock screen) if the widget includes a function that indicates that a sensitive operation will be taken.

Abstract: The present invention relates to an apparatus and a method for managing digital rights using virtualization technique, and more particularly to an apparatus and a method for enabling a user to access a desired text file in an independent area through a virtual machine corresponding to a licensed right for accessing the text file. The present invention comprises a virtual machine (VM) management unit for controlling a user access authorization function for accessing the text file in the area to which the virtualization technique is applied.

Abstract: Secure information flow may include a service receiving a request for data from a caller. The service may respond to the request with the requested data via a secure flow container. The secure flow container may then send the information to the caller component. Before the secure flow container receives or sends the information, a monitoring environment may permit the secure flow container to receive or send the information, respectively.

Abstract: A device is configured to determine that the device is to activate a privacy mode, obscure information displayed by a display of the device, detect a user interaction with a first portion of the display, the first portion being less than an entirety of the display, and reveal first information obscured by the first portion of the display, without revealing information obscured by a remaining portion of the display, the first portion and the remaining portion comprising the entirety of the display.

Abstract: Providing authorized copies of encrypted media content including: receiving application for authentication to make copies of the media content; providing forensic decryption tools to process the media content; transmitting a permission to make copies of the media content using the forensic decryption tools; performing authorized decryption of the media content; and making and forensically marking copies of the decrypted media content.

Abstract: A terminal to assign permission to an application includes a storage device to store an application list including information of applications authorized to receive manager permission, and an application processor to receive a request for the manager permission from the application and to determine to allow the manager permission to the application in response to a determination that the application is included in the application list. A method that uses a processor to assign permission to an application includes receiving a request for manager permission from the application, determining, using the processor, whether the application is included in an application list including information of applications authorized to receive manager permission, and determining whether to allow the manager permission to the application if the application is included in the application list.

Abstract: An approach is provided to provide privacy control in a social network. In the approach, a first post is posted from a first user to a second user in the social network with the first post including private data belonging to the first user. Subsequent postings are monitored for the first user's private data. When the monitoring detects a second post of the first user's private data with the second post being from the second user to a third user in the social network, privacy controls are performed. The privacy controls mask the first user's private data from the third user so that the first user's private data inaccessible (not visible) to the third user.

Abstract: A method of securely providing postal address data to a requesting client device includes storing, at a server, a plurality of number items each associated with at least one respective address item. Each number item is indicative of a mobile telephone number and each address item is indicative of postal address data. A requesting client device sends an address item request, to the server, and the address item request includes a target key indicative of a mobile telephone number. The address item request is received at the server. A respective address item associated with a number item indicative of the mobile telephone number indicated by the target key is identified at the server. A data package including at least a part of the postal address data indicated by the respective address item identified at the server is sent from the server to the requesting client device.

Abstract: Methods and systems are provided for fine tuning access control by remote, endpoint systems to host systems. Multiple conditions/states of one or both of the endpoint and host systems are monitored, collected and fed to an analysis engine. Using one or more of many different flexible, adaptable models and algorithms, an analysis engine analyzes the status of the conditions and makes decisions in accordance with pre-established policies and rules regarding the security of the endpoint and host system. Based upon the conditions, the policies, and the analytical results, actions are initiated regarding security and access matters. In one described embodiment of the invention, the monitored conditions include software vulnerabilities.

Abstract: Generally, this disclosure describes devices, methods and systems for securely providing context sensor data to mobile platform applications. The method may include configuring sensors to provide context data, the context data associated with a mobile device; providing an application programming interface (API) to a sensor driver, the sensor driver configured to control the sensors; providing a trusted execution environment (TEE) operating on the mobile device, the TEE configured to host the sensor driver and restrict control and data access to the sensor driver and to the sensors; generating a request for the context data through the API, the request generated by an application associated with the mobile device; receiving, by the application, the requested context data and a validity indicator through the API; verifying, by the application, the requested context data based on the validity indicator; and adjusting a policy associated with the application based on the verified context data.

Abstract: A method of generating a time managed challenge-response test is presented. The method identifies a geometric shape having a volume and generates an entry object of the time managed challenge-response test. The entry object is overlaid onto the geometric shape, such that the entry object is distributed over a surface of the geometric shape, and a portion of the entry object is hidden at any point in time. The geometric shape is rotated, which reveals the portion of the entry object that is hidden. A display region on a display is identified for rendering the geometric shape and the geometric shape is presented in the display region of the display.

Abstract: A virtualization system supports secure, controlled execution of application programs within virtual machines. The virtual machine encapsulates a virtual hardware platform and guest operating system executable with respect to the virtual hardware platform to provide a program execution space within the virtual machine. An application program, requiring license control data to enable execution of the application program, is provided within the program execution space for execution within the virtual machine. A data store providing storage of encrypted policy control information and the license control data is provided external to the virtual machine. The data store is accessed through a virtualization system including a policy controller that is selectively responsive to a request received from the virtual machine to retrieve the license control data dependent on an evaluation of the encrypted policy control information.

Abstract: A non-transitory computer readable medium may include executable instructions which, when executed by a processor, cause the processor provide for a repository of digital content and to create a first license based on the digital content. The instructions further cause the processor to transmit the first license and the digital content to a non-destructive testing (NDT) device, and wherein the digital content is configured to be executed by, used by, or displayed by the NDT device, or a combination thereof, based on the first license.

Abstract: A web page running on a client computing device accesses a web application hosted by a remote server. The local application receives data from the web application. The client computing device uses a data loss prevention (DLP) policy to determine whether the web application is a sensitive web application. In response to determining that the web application is a sensitive web application, the client computing device restricts a capability of at least one of the local application or the client computing device to perform one or more operations associated with the data received from the web application.

Abstract: An authentication system receives encrypted terminal identification information and terminal identification information, from a transmission terminal, and determines whether decrypted identification information decrypted using a terminal public key obtained by the authentication system matches the terminal identification information received from the transmission terminal.

Abstract: A system and a computer-implemented methods for email management are disclosed. The method includes storing messages for electronic mail accounts provided by remote electronic mail server systems. The method further includes determining that the remote electronic mail server systems each have a different hostname than the others of the remote electronic mail server systems. The method further includes displaying messages from a first one of the electronic mail accounts and displaying a hostname of a first remote electronic mail server system providing the first one of the electronic mail accounts. The method further includes receiving a request to view messages from a second one of the electronic mail accounts. The method further includes displaying messages from the second one of the electronic mail accounts and displaying a hostname of a second remote electronic mail server system providing the second one of the electronic mail accounts.

Abstract: A method, system and apparatus for controlling access to a media server are provided. A browse request is received at a computing device, from a remote computing device to browse a memory structure including content files. Authentication of the remote computing device is initiated. Prior to the remote computing device being authenticated, a response is transmitted to the remote computing device indicative that the memory structure is empty of the content files, regardless of actual content of the memory structure. After the remote computing device is authenticated, a further response is transmitted to the remote computing device indicative of the actual content of the memory structure.

Abstract: Data are accessed securely in a data storage device that includes a non-volatile solid-state storage device integrated with a magnetic storage device. An identical copy of drive security data, such as an encrypted version of a drive access password, is stored in both the non-volatile solid-state storage device and in the magnetic storage device. In response to receiving a command from a host device that results in access to the magnetic storage device, access is granted to the magnetic storage device if the copy of drive security data stored in the non-volatile solid-state storage device matches the copy of drive security data stored in the magnetic storage device. Furthermore, encrypted drive-unique identification data associated with the drive may be stored in both the non-volatile solid-state storage device and the magnetic storage device, and access is granted if both copies of the encrypted drive-unique identification data match.

Abstract: Enforcing access control to individual extensions of services in a multi-tenant cloud environment by initializing objects for the extension based on public and private configuration files with service access rules that are merged is described. This allows third party vendors to specify payment rules for their own extensions while securely keeping the core extension configuration files. Tenants of the multi-tenant cloud environment can pick and choose which services to purchase, and the cloud environment automates the process of accessing the service using the third-party developer's tenant access list rules.

Abstract: Systems, methods, and devices for displaying digital content. In one embodiment, a method of simulating digital content includes providing information corresponding to a plurality of pixels of displayable content at an electronic device; and simulating the displayable content at the electronic device by displaying a representation of a first subset of the plurality of pixels during a first time period and displaying a representation of a second subset of the plurality of pixels during a second time period.

Abstract: Embodiments of the invention provide a method a authenticating a transaction at the point of transaction. In some embodiments of the invention, a unique signature is created based at least in part on a hardware profile of the system. In some embodiments, a request is received from a user to perform a transaction using the system. In some embodiments, in response to receiving the request the system may determine whether malware has compromised the signature creation algorithm, and if so, prevent the signature creation algorithm from creating a key based on the unique signature. Alternatively, if not, the system may allow the signature creation algorithm to create a key based on the unique signature.