By Authorizing Data Patents (Class 726/30)
-
Patent number: 8973152
Abstract: A vehicle black box technique guarantees the integrity of vehicle data stored in a black box in real time by forming input data streams as block data and performing a signature using a signing key and nested hashing. Each vehicle black box includes a reliable unique signing key supporting a non-repudiation function. An error correction function is provided by a unique algorithm for generating integrity verification data even when an error occurs from the vehicle data.
Type: Grant
Filed: March 30, 2010
Date of Patent: March 3, 2015
Assignee: Anastasis Co., Ltd
Inventors: Dong-Hoon Lee, Yun-Gyu Kim, Bum-Han Kim
-
Patent number: 8972589
Abstract: A request for network access is received from a client device at a network entry device of a network infrastructure. The network infrastructure determines a physical location of the client device and determines authorization of the client device based on the physical location. The approach can include providing the physical location along with other user credentials to an authorizing device. The method can also include determining a level of service based on the physical location. Communication for the approach can make use of the IEEE 802.1X protocol.
Type: Grant
Filed: February 28, 2003
Date of Patent: March 3, 2015
Assignee: Enterasys Networks, Inc.
Inventors: John J. Roese, Richard W. Graham, David Frattura, David Harrington
-
Patent number: 8973153
Abstract: A computer implemented method, a data processing system, and a computer program publish an audio annotation of a media signal. A media player plays a media signal. The media player then records an audio annotation to the media signal. Responsive to recording the audio annotation to the media signal, the media player records an identifier to be associated with the media signal. The audio annotation is then published to a social networking host.
Type: Grant
Filed: March 30, 2009
Date of Patent: March 3, 2015
Assignee: International Business Machines Corporation
Inventors: Candice B. Gilzean, Gahlya J. Gregory, Fabian F. Morgan, Michael Eric Rhodes
-
Patent number: 8972743
Abstract: A computer security system comprises a secure platform adapted to receive sensitive data from an agent. The secure platform is also adapted to cooperate with a trusted platform module (TPM) to encrypt the sensitive data via a TPM storage key associated with the agent.
Type: Grant
Filed: May 16, 2005
Date of Patent: March 3, 2015
Assignee: Hewlett-Packard Development Company, L.P.
Inventors: Lan Wang, Jennifer Rios, Valiuddin Ali, Boris Balacheff
-
Patent number: 8972301
Abstract: An information processing device includes: a local memory unit storing data including encrypted content; a memory storing data including key information to be used in a process of reproducing the encrypted content; and a data processing unit selectively reproducing encrypted content stored in a disk or the local memory unit, wherein the data processing unit reads a medium ID from the disk when the content to be reproduced is stored in the disk and reads a medium ID from the memory when the content to be reproduced is stored in the local memory unit.
Type: Grant
Filed: August 17, 2009
Date of Patent: March 3, 2015
Assignee: Sony Corporation
Inventors: Kenjiro Ueda, Tateo Oishi, Jun Yonemitsu
-
Publication number: 20150059008
Abstract: Methods and circuits for undiscoverable physical chip identification are disclosed. Embodiments of the present invention provide an intrinsic bit element that comprises two transistors. The two transistors form a pair in which one transistor has a wide variability in threshold voltage and the other transistor has a narrow variability in threshold voltage. The wide variability is achieved by making a transistor with a smaller width and length than the other transistor in the pair. The variation of the threshold voltage of the wide variability transistor means that in the case of copies of intrinsic bit elements being made, some of the “copied” wide variability transistors will have significantly different threshold voltages, causing some of the intrinsic bit elements of a copied chip to read differently than in the original chip from which they were copied.
Type: Application
Filed: October 30, 2014
Publication date: February 26, 2015
Applicant: International Business Machines Corporation
Inventors: Daniel Jacob Fainstein, Chandrasekharan Kothandaraman
-
Publication number: 20150059006
Abstract: An exemplary system that includes a computing device that stores an abstraction and unification module, the abstraction and unification module being executable by a processor of the computing device to receive from a frontend component a request for information located within a backend component of the computing device and validate that the frontend component is authorized to receive the information specified in the request. The abstraction and unification module may further pass the request to an abstraction engine that extracts the information from the backend component and provides the information extracted from the backend component to frontend component.
Type: Application
Filed: August 23, 2013
Publication date: February 26, 2015
Applicant: CELLCO PARTNERSHIP (D/B/A VERIZON WIRELESS)
Inventor: Brian M. White
-
Publication number: 20150058928
Abstract: One feature pertains to generating a unique identifier for an electronic device by combining static random access memory (SRAM) PUFs and circuit delay based PUFs (e.g., ring oscillator (RO) PUFs, arbiter PUFs, etc.). The circuit delay based PUFs may be used to conceal either a challenge to, and/or response from, the SRAM PUFs, thereby inhibiting an attacker from being able to clone a memory device's response.
Type: Application
Filed: August 23, 2013
Publication date: February 26, 2015
Applicant: QUALCOMM Incorporated
Inventors: Xu Guo, David M. Jacobson, Yafei Yang, Adam J. Drew, Brian Marc Rosenberg
-
Publication number: 20150059007
Abstract: In one embodiment of the present invention, a method includes verifying a master processor of a system; validating a trusted agent with the master processor if the master processor is verified; and launching the trusted agent on a plurality of processors of the system if the trusted agent is validated. After execution of such a trusted agent, a secure kernel may then be launched, in certain embodiments. The system may be a multiprocessor server system having a partially or fully connected topology with arbitrary point-to-point interconnects, for example.
Type: Application
Filed: October 3, 2014
Publication date: February 26, 2015
Inventors: John H. Wilson, Ioannis T. Schoinas, Mazin S. Yousif, Linda J. Rankin, David W. Grawrock, Robert J. Greiner, James A. Sutton, Kushagra Vaid, Willard M. Wiseman
-
Patent number: 8966272
Abstract: Embodiments of the present invention are directed to a computer-implemented method for author verification and authorization of object code. In one embodiment, program object code is linked with a plurality of data blocks to create linked object code and a MAP file. Thereafter, author verification is performed by executing a plurality of comparisons between the linked object code and the MAP file. In another embodiment, a digital signing procedure is performed on linked object code by creating a signature data block. The signature data block is then encrypted and written to the linked object code to create digitally-signed object code. In another embodiment, an application program embodied in linked object code generates a data packet. The data packet is then compared to a previously-generated signature data packet from the linked object code to determine if the linked object code is authorized.
Type: Grant
Filed: December 31, 2009
Date of Patent: February 24, 2015
Assignee: NVIDIA Corporation
Inventors: Jeffrey T. Kiel, Andrei Leonid Osnovich
-
Patent number: 8966570
Abstract: Systems and methods are described for delegating permissions to enable account access. The systems utilize a delegation profile that can be created within a secured account of at least one user. The delegation profile includes a name, a validation policy that specifies principals which may be external to the account and which are permitted to assume the delegation profile, and an authorization policy that indicates the permitted actions within the account for those principals which are acting within the delegation profile. Once the delegation profile is created, it can be provided to external principals or services. These external principals or services can use the delegation profile to obtain credentials for performing various actions in the account using the credentials of the delegation profile.
Type: Grant
Filed: March 22, 2012
Date of Patent: February 24, 2015
Assignee: Amazon Technologies, Inc.
Inventors: Gregory B. Roth, Nathan R. Fitch, Kevin Ross O'Neill, Graeme D. Baer, Bradley Jeffery Behm, Brian Irl Pratt
-
Patent number: 8966262
Abstract: Methods and apparatus enabling programming of electronic identification information of a wireless apparatus. In one embodiment, a previously purchased or deployed wireless apparatus is activated by a cellular network. The wireless apparatus connects to the cellular network using an access module to download operating system components and/or access control client components. The described methods and apparatus enable updates, additions and replacement of various components including Electronic Subscriber Identity Module (eSIM) data, OS components. One exemplary implementation of the invention utilizes a trusted key exchange between the device and the cellular network to maintain security.
Type: Grant
Filed: October 8, 2013
Date of Patent: February 24, 2015
Inventors: Stephan V. Schell, Arun G. Mathias, Jerrold Von Hauck, David T. Haggerty, Kevin McLaughlin, Ben-Heng Juang, Li Li
-
Patent number: 8966657
Abstract: In some embodiments a secure permit request to change a hardware configuration is created. The secure permit request is sent to a remote location, and a permit sent from the remote location in response to the permit request is received. The hardware configuration is changed in response to the received permit. Other embodiments are described and claimed.
Type: Grant
Filed: December 31, 2009
Date of Patent: February 24, 2015
Assignee: Intel Corporation
Inventors: Alberto J. Martinez, William A. Stevens, Jr., Purushottam Goel, Ernie Brickell
-
Patent number: 8966642
Abstract: Verification of trustworthiness of a computing platform is provided. The trustworthiness of the computing platform is dynamically assessed to determine whether a root of trust exists on the computing platform. Responsive to determining existence of the root of trust, data is unsealed from a sealed storage facility. The sealed storage facility is unsealed responsive to a root of trust being determined to exist on the computing platform. The data can be used to attest to the trustworthiness of the computing platform to other device on a network.
Type: Grant
Filed: March 30, 2012
Date of Patent: February 24, 2015
Assignee: Assured Information Security, Inc.
Inventors: Rian Quinn, Jacob Torrey
-
Patent number: 8966580
Abstract: A third party is configured to establish a virtual secure channel between a source SSD and a destination SSD via which the third party reads protected digital data from the source SSD and writes the protected digital data into the destination SSD after determining that each party satisfies eligibility prerequisites. An SSD is configured to operate as a source SSD, from which protected data can be copied to a destination SSD, and also as a destination SSD, to which protected data of a source SSD can be copied.
Type: Grant
Filed: May 1, 2008
Date of Patent: February 24, 2015
Assignee: SanDisk IL Ltd.
Inventors: Rotem Sela, Aviad Zer
-
Patent number: 8966252
Abstract: A method is provided for authenticating an entity having a plurality of keys in a digital form residing on a claimant computing device. The method comprises: generating a first code word by applying a hash function to a first key residing on the claimant computing device; encoding the first code word into an array of bits having a Bloom filter format; generating a second code word by applying a hash function to a second key residing on the claimant computing device; encoding the second code word into the array of bits; and broadcasting an authentication message having the array of bits therein from the claimant computing device.
Type: Grant
Filed: March 12, 2008
Date of Patent: February 24, 2015
Assignee: Board of Trustees of Michigan State University
Inventors: Matt W. Mutka, Feng Zhu, Lionel Ni
-
Patent number: 8966658
Abstract: Systems, methods, and program products are provided for selectively restricting the transmission of copy protected digital media content from a computer system, over a network, and to a remote display. In one embodiment, a method includes the steps of capturing digital media content rendered on the local display by a media player application executed by the computer system; determining whether the media player application is accessing copy protected digital media content; and, if the media player application is not accessing copy protected digital media content, converting the captured digital media content to a media stream and transmitting the media stream over a network for presentation on a remote display.
Type: Grant
Filed: February 15, 2013
Date of Patent: February 24, 2015
Assignees: Sling Media PVT Ltd, Sling Media, Inc.
Inventors: Arun L. Gangotri, Alexander Gurzhi
-
Patent number: 8966659
Abstract: A computing device analyzes digital certificates received from various different sites (e.g., accessed via the Internet or other network) in order to automatically detect fraudulent digital certificates. The computing device maintains a record of the digital certificates it receives from these various different sites. A certificate screening service operating remotely from the computing device also accesses these various different sites and maintains a record of the digital certificates that the service receives from these sites. In response to a request to access a target site the computing device receives a current digital certificate from the target site. The computing device determines whether the current digital certificate is genuine or fraudulent based on one or more of previously received digital certificates for the target site, confirmation certificates received from the certificate screening service, and additional characteristics of the digital certificates and/or the target site.
Type: Grant
Filed: March 14, 2013
Date of Patent: February 24, 2015
Assignee: Microsoft Technology Licensing, LLC
Inventors: Muhammad Umar Janjua, Yogesh A. Mehta, Maarten Van Horenbeeck, Anooshiravan Saboori, Nelly Porter, Vassil D. Bakalov, Bryston Nitta
-
Patent number: 8966653
Abstract: A method and apparatus for provisioning a mobile application that is related to a desktop software application comprising capturing a code using a mobile device, where the desktop software application generates and displays the code for capture by the mobile device; decrypting the code using the mobile device; validating the code; validating a user based on the code; and enabling functionality of the mobile application for use by the mobile device based on the validation of the user.
Type: Grant
Filed: April 20, 2012
Date of Patent: February 24, 2015
Assignee: Adobe Systems Incorporated
Inventor: Dennis Eugene Griffin
-
Patent number: 8966621
Abstract: Technologies are described herein for providing out-of-band authentication of an e-mail message. A recipient of an e-mail message purporting to be from an organization forwards the e-mail message or submits its content to that organization for authentication. The authenticity of the e-mail message is determined based on authentication data, such as outgoing message logs or authentication keys, maintained at the source of the e-mail message. Upon authenticating the e-mail message, the recipient is informed of the authenticity of the e-mail message.
Type: Grant
Filed: December 21, 2010
Date of Patent: February 24, 2015
Assignee: Amazon Technologies, Inc.
Inventors: Jesper M. Johansson, Justin C. Crites, Robert Hanson
-
Patent number: 8966568
Abstract: A method and a device for data processing are provided comprising a first instance comprising at least one local trusted unit (LTU) and a local trust manager (LTM), the method comprising the step: The local trust manager provides a policy related information to the at least one local trusted unit and/or to a second instance.
Type: Grant
Filed: April 29, 2008
Date of Patent: February 24, 2015
Assignee: Nokia Solutions and Networks Oy
Inventors: Joerg Abendroth, Michael Marhoefer, Manfred Schaefer
-
Patent number: 8964974
Abstract: Techniques for injecting encryption keys into a meter as a part of a manufacturing process are discussed. Since various encryption keys injected into meters may be specific to each individual meter, a utility company customer may require a copy of the injected encryption keys associated with each individual meter. The techniques may include providing a copy of keys injected into each meter to a utility company customer. In some instances, the meter manufacturer may not store or persist various encryption keys that are injected into the meters during the manufacturing process.
Type: Grant
Filed: March 15, 2013
Date of Patent: February 24, 2015
Assignee: Itron, Inc.
Inventor: Bret Gregory Holmdahl
-
Patent number: 8966650
Abstract: Portable on-line identity verification technology includes, for example, portable widgets with an identity rating, and other on-line identification verification icons and identity rating scores.
Type: Grant
Filed: April 2, 2013
Date of Patent: February 24, 2015
Inventor: Lewis Farsedakis
-
Patent number: 8966638
Abstract: A system, method, and computer program product are provided for selecting a wireless network based on security information. In use, a plurality of wireless networks is identified. Further, security information associated with each of the wireless networks is collected, such that one of the wireless networks is selected based on the security information.
Type: Grant
Filed: August 23, 2013
Date of Patent: February 24, 2015
Assignee: McAfee, Inc.
Inventor: Sankha S. Dey
-
Patent number: 8959645
Abstract: A distributed operation is performed using at least one first and second computer-based object, wherein control information is used to influence or determine a property, a function of the first and/or second computer-based objects. The control information includes details of a parameter identifier, a value associated with the parameter identifier, a range of validity and a remote access attribute. The control information is provided in a retrievable manner, according to the included range of validity, in a memory organized according to ranges of validity and is associated with the first computer-based object. During a function or service call for performing the distributed operation, which is sent from the first computer-based object to the second, the control information is transmitted to the second computer-based object, provided in a retrievable manner in the memory organized according to the ranges of validity and associated with the second computer-based object.
Type: Grant
Filed: September 2, 2009
Date of Patent: February 17, 2015
Assignee: Siemens Aktiengesellschaft
Inventors: Harald Herberth, Ulrich Kröger, Allan Sobihard
-
Patent number: 8959615
Abstract: According to one embodiment, a storage system includes a host device and a secure storage. The host device and the secure storage produce a bus key which is shared only by the host device and the secure storage by authentication processing, and which is used for encoding processing. The host device produces a message authentication code including a message which can be stored in the secure storage based on the bus key, and sends the produced message authentication code to the secure storage. The secure storage stores the message included in the message authentication code in accordance with instructions of the host device. The host device verifies whether the message stored in the secure storage is intended contents.
Type: Grant
Filed: February 25, 2013
Date of Patent: February 17, 2015
Assignee: Kabushiki Kaisha Toshiba
Inventors: Yuji Nagai, Yasufumi Tsumagari, Shinichi Matsukawa, Hiroyuki Sakamoto, Hideki Mimura
-
Patent number: 8959356
Abstract: A storage controller and program product is provided for performing double authentication for controlling disruptive operations on storage resources generated by a system administrator. A first request is received from a first user for generation of a first key. A first key is generated, provided to the first user and associated with the storage resource. An input is received from the administrator, the input comprises a second key and a command for performing the disruptive operation. The second key and the first key are compared. It is verified that the administrator is authorized as an administrator of the storage resource. The disruptive operation is performed on the storage resource if the second key and the first key match and the administrator is authorized. Otherwise, the performance of the disruptive operation is denied.
Type: Grant
Filed: March 15, 2013
Date of Patent: February 17, 2015
Assignee: International Business Machines Corporation
Inventors: Vincent Boucher, Sebastien Chabrolles, Benoit Granier, Arnaud Mante
-
Patent number: 8959660
Abstract: A device and method for forming a portable network environment outside a managed network environment for sharing content is provided. A portable network device enables authorized consumption of content outside a managed environment. The portable network device may have an internal rechargeable battery and support wireless protocols such as Wi-Fi. The portable network device may act as a Wi-Fi base station allowing access to authorized Wi-Fi clients via a mesh network.
Type: Grant
Filed: December 17, 2010
Date of Patent: February 17, 2015
Assignee: Comcast Cable Communications, LLC
Inventors: Sree Kotay, Anthony Werner, Steven Reynolds
-
Patent number: 8959569
Abstract: A system includes a virtual machine (VM) server and a policy engine server. The VM server includes two or more guest operating systems and an agent. The agent is configured to collect information from the two or more guest operating systems. The policy engine server is configured to: receive the information from the agent; generate access control information for a first guest OS, of the two or more guest operating systems, based on the information; and configure an enforcer based on the access control information.
Type: Grant
Filed: March 18, 2011
Date of Patent: February 17, 2015
Assignee: Juniper Networks, Inc.
Inventors: Krishna Narayanaswamy, Roger A. Chickering, Steve Malmskog
-
Patent number: 8959333
Abstract: Method for providing a mesh key which can be used to encrypt messages between a first node and a second node of a mesh network, wherein a session key is generated when authenticating the first node in an authentication server, the first node and the authentication server or an authentication proxy server using a predefined key derivation function to derive the mesh key from said session key, which mesh key is transmitted to the second node.
Type: Grant
Filed: May 29, 2007
Date of Patent: February 17, 2015
Assignee: Nokia Siemens Networks GmbH & Co. KG
Inventors: Rainer Falk, Florian Kohlmayer
-
Patent number: 8955039
Abstract: Generally, this disclosure describes devices, methods and systems for securely providing context sensor data to mobile platform applications. The method may include configuring sensors to provide context data, the context data associated with a mobile device; providing an application programming interface (API) to a sensor driver, the sensor driver configured to control the sensors; providing a trusted execution environment (TEE) operating on the mobile device, the TEE configured to host the sensor driver and restrict control and data access to the sensor driver and to the sensors; generating a request for the context data through the API, the request generated by an application associated with the mobile device; receiving, by the application, the requested context data and a validity indicator through the API; verifying, by the application, the requested context data based on the validity indicator; and adjusting a policy associated with the application based on the verified context data.
Type: Grant
Filed: September 12, 2012
Date of Patent: February 10, 2015
Assignee: Intel Corporation
Inventors: Gyan Prakash, Jesse Walker, Saurabh Dadu
-
Patent number: 8955038
Abstract: Methods and systems are provided for fine tuning access control by remote, endpoint systems to host systems. Multiple conditions/states of one or both of the endpoint and host systems are monitored, collected and fed to an analysis engine. Using one or more of many different flexible, adaptable models and algorithms, an analysis engine analyzes the status of the conditions and makes decisions in accordance with pre-established policies and rules regarding the security of the endpoint and host system. Based upon the conditions, the policies, and the analytical results, actions are initiated regarding security and access matters. In one described embodiment of the invention, the monitored conditions include software vulnerabilities.
Type: Grant
Filed: August 16, 2012
Date of Patent: February 10, 2015
Assignee: Fiberlink Communications Corporation
Inventors: Blair Nicodemus, Billy Edison Stephens
-
Patent number: 8955158
Abstract: A method and apparatus for transmitting rights object information between a device and a portable storage are provided. The method includes transmitting a predetermined request from the device to the portable storage, generating a current permission status format including information of a rights object designated by the request, using the portable storage, and transmitting the current permission status format from the portable storage to the device. According to the method and apparatus, overhead is reduced and information transmission speed is increased when the rights object information is transmitted between the device and the portable storage.
Type: Grant
Filed: January 6, 2014
Date of Patent: February 10, 2015
Assignee: Samsung Electronics Co., Ltd.
Inventors: Yun-Sang Oh, Tae-sung Kim, Kyung-im Jung, Shin-han Kim
-
Patent number: 8955150
Abstract: The present invention relates to an apparatus and a method for managing digital rights using virtualization technique, and more particularly to an apparatus and a method for enabling a user to access a desired text file in an independent area through a virtual machine corresponding to a licensed right for accessing the text file. The present invention comprises a virtual machine (VM) management unit for controlling a user access authorization function for accessing the text file in the area to which the virtualization technique is applied.
Type: Grant
Filed: September 10, 2010
Date of Patent: February 10, 2015
Assignee: Fasoo.com Co. Ltd.
Inventor: Chel Park
-
Patent number: 8955056
Abstract: A terminal to assign permission to an application includes a storage device to store an application list including information of applications authorized to receive manager permission, and an application processor to receive a request for the manager permission from the application and to determine to allow the manager permission to the application in response to a determination that the application is included in the application list. A method that uses a processor to assign permission to an application includes receiving a request for manager permission from the application, determining, using the processor, whether the application is included in an application list including information of applications authorized to receive manager permission, and determining whether to allow the manager permission to the application if the application is included in the application list.
Type: Grant
Filed: October 16, 2012
Date of Patent: February 10, 2015
Assignee: Pantech Co., Ltd.
Inventors: Suk Woon Choi, Jae Choon Park
-
Patent number: 8954736
Abstract: Systems, methods, routines and/or techniques for limiting the functionality of a software program based on a security model are described. One or more embodiments may include limiting the functionality of a software program (e.g., a widget) based on one or more operations that the widget intends to take. One or more embodiments may include limiting the functionality of a widget that is located on and/or accessible via a lock screen of a mobile device. One or more embodiments may include preventing a widget from causing an application to perform sensitive actions when a system is in an un-authenticated state. One or more embodiments may include preventing a widget from installing and/or displaying on a particular screen of a mobile device (e.g., a lock screen) if the widget includes a function that indicates that a sensitive operation will be taken.
Type: Grant
Filed: December 10, 2012
Date of Patent: February 10, 2015
Inventors: James Brooks Miller, Daniel Marc Gatan Shiplacoff
-
Patent number: 8955047
Abstract: A method for authentication of a high-security client and a low-security client in a high-security mobile radio network includes: transmitting a request for authentication from a base station to the high-security client, wherein the request for authentication comprises a random number as a challenge; receiving a response from the high-security client at the base station, wherein the response from the high-security client comprises a generated number generated by performing a keyed cryptographic function on the challenge; providing a fixed number to the low-security client; and receiving a response from the low-security client at the base station, wherein the response from the low-security client comprises the fixed number. Limited access to the mobile radio network is granted for the low-security client relative to an access of the high-security client.
Type: Grant
Filed: August 20, 2010
Date of Patent: February 10, 2015
Assignee: Deutsche Telekom AG
Inventor: Thomas Sonntag
-
Patent number: 8955147
Abstract: A device is configured to determine that the device is to activate a privacy mode, obscure information displayed by a display of the device, detect a user interaction with a first portion of the display, the first portion being less than an entirety of the display, and reveal first information obscured by the first portion of the display, without revealing information obscured by a remaining portion of the display, the first portion and the remaining portion comprising the entirety of the display.
Type: Grant
Filed: December 5, 2012
Date of Patent: February 10, 2015
Assignees: Verizon Patent and Licensing Inc., Verizon New Jersey Inc.
Inventors: Woo Beum Lee, Michelle Felt, Jeffrey M. Walsh
-
Patent number: 8955153
Abstract: An approach is provided to provide privacy control in a social network. In the approach, a first post is posted from a first user to a second user in the social network with the first post including private data belonging to the first user. Subsequent postings are monitored for the first user's private data. When the monitoring detects a second post of the first user's private data with the second post being from the second user to a third user in the social network, privacy controls are performed. The privacy controls mask the first user's private data from the third user so that the first user's private data is inaccessible (not visible) to the third user.
Type: Grant
Filed: January 21, 2013
Date of Patent: February 10, 2015
Assignee: International Business Machines Corporation
Inventors: Faheem Altaf, Steven Duane Clay, Eduardo N. Spring, Shunguo Yan
-
Patent number: 8954732
Abstract: In one example, a platform device includes a control unit configured to receive a first software package signed by a first software development entity with a first certificate of a first certificate hierarchy associated with the first software development entity, execute the first software package only after determining that a root of the first certificate hierarchy corresponds to a certificate authority of a developer of the platform device, receive a second software package signed by a second software development entity with a second certificate of a second certificate hierarchy associated with the second software development entity, wherein the second certificate hierarchy is different than the first certificate hierarchy, and execute the second software package only after determining that a root of the second certificate hierarchy corresponds to the certificate authority of the developer of the platform device.
Type: Grant
Filed: June 27, 2012
Date of Patent: February 10, 2015
Assignee: Juniper Networks, Inc.
Inventors: Kent A. Watsen, Alex Kolchinsky
-
Patent number: 8955044
Abstract: A method of generating a time managed challenge-response test is presented. The method identifies a geometric shape having a volume and generates an entry object of the time managed challenge-response test. The entry object is overlaid onto the geometric shape, such that the entry object is distributed over a surface of the geometric shape, and a portion of the entry object is hidden at any point in time. The geometric shape is rotated, which reveals the portion of the entry object that is hidden. A display region on a display is identified for rendering the geometric shape and the geometric shape is presented in the display region of the display.
Type: Grant
Filed: October 4, 2010
Date of Patent: February 10, 2015
Assignee: Yahoo! Inc.
Inventors: Kunal Punera, Shanmugasundaram Ravikumar, Anirban Dasgupta, Belle Tseng, Hung-Kuo (James) Chu
-
Patent number: 8955157
Abstract: This disclosure provides techniques for processing an input signal while providing protection from differential power analysis. In one example, random delay units may receive the input signal, a random delay generator may generate random delay values, and the random delay units may add the random delay values to the input signal to generate delayed signals, such that each delayed signal is substantially desynchronized relative to one or more other delayed signals. Subsequently, processing units may process the delayed signals to generate delayed output signals, and random delay removal units may add additional delay values to the delayed output signals, such that each delayed output signal is substantially synchronized relative to other delayed output signals, to produce output signals. Finally, a combination unit may combine the output signals to generate a common output signal that corresponds to the input signal that is processed by any one of the processing units.
Type: Grant
Filed: July 3, 2012
Date of Patent: February 10, 2015
Assignee: Honeywell International Inc.
Inventor: John R. Samson
-
Publication number: 20150040247
Abstract: The present invention relates to a method of enabling authentication of an information carrier, the information carrier comprising a writeable part and a physical token arranged to supply a response upon receiving a challenge, the method comprising the following steps; applying a first challenge to the physical token resulting in a first response, and detecting the first response of the physical token resulting in a detected first response data, the method being characterized in that it further comprises the following steps; forming a first authentication data based on information derived from the detected first response data, signing the first authentication data, and writing the signed authentication data in the writeable part of the information carrier. The invention further relates to a method of authentication of an information carrier, as well as to devices for both enabling authentication as well as authentication of an information carrier.
Type: Application
Filed: October 18, 2014
Publication date: February 5, 2015
Applicant: INTRINSIC ID B.V.
Inventors: BORIS SKORIC, PIM THEO TUYLS, ANTONIUS HERMANUS MARIA AKKERMANS, WILLEM GERARD OPHEY
-
Publication number: 20150040246
Abstract: A system and method for confirming an application change event associated with a device infrastructure of a mobile device, the method comprising the steps of: storing an application authorization list identifying a plurality of mobile applications, the application authorization list being remote from the mobile device over a communications network; receiving an application authorization request from the mobile device over the communications network, the application authorization request including application identification information; comparing the application identification information with one or more listed mobile applications of the plurality of mobile applications identified in the application authorization list; determining whether the application information matches any of the plurality of mobile applications to produce a decision instruction containing an authorization decision; and sending the decision instruction to the mobile device for subsequent processing of the decision instruction by a mobile
Type: Application
Filed: July 31, 2013
Publication date: February 5, 2015
Applicant: Fixmo, Inc
Inventors: Chun Fung Yuen, Wing Young Lam, Richard Segal, Alex Lau
-
Patent number: 8950008
Abstract: Methods and circuits for undiscoverable physical chip identification are disclosed. Embodiments of the present invention provide an intrinsic bit element that comprises two transistors. The two transistors form a pair in which one transistor has a wide variability in threshold voltage and the other transistor has a narrow variability in threshold voltage. The wide variability is achieved by making a transistor with a smaller width and length than the other transistor in the pair. The variation of the threshold voltage of the wide variability transistor means that in the case of copies of intrinsic bit elements being made, some of the “copied” wide variability transistors will have significantly different threshold voltages, causing some of the intrinsic bit elements of a copied chip to read differently than in the original chip from which they were copied.
Type: Grant
Filed: July 30, 2012
Date of Patent: February 3, 2015
Assignee: International Business Machines Corporation
Inventors: Daniel Jacob Fainstein, Chandrasekharan Kothandaraman
-
Patent number: 8950007
Abstract: Techniques have been developed to allow runtime extensions to a whitelist that locks down a computational system. For example, executable code (including e.g., objects such as a script or active content that may be treated as an executable) is not only subject to whitelist checks that allow (or deny) its execution, but is also subject to checks that determine whether a whitelisted executable is itself trusted to introduce further executable code into the computational system in which it is allowed to run. In general, deletion and/or modification of instances of code that are already covered by the whitelist are also disallowed in accordance with a security policy. Accordingly, an executable that is trusted may be allowed to delete and/or modify code instances covered by the whitelist. In general, trust may be coded for a given code instance that seeks to introduce, remove or modify code (e.g., in the whitelist itself).
Type: Grant
Filed: January 28, 2010
Date of Patent: February 3, 2015
Assignee: Lumension Security, Inc.
Inventors: Daniel M. Teal, Wesley G. Miller, Charisse Castagnoli, Toney Jennings, Todd Schell, Richard S. Teal
-
Patent number: 8950006
Abstract: A method, a memory data carrier (30) as well as a terminal (10) are proposed for accessing a portable memory data carrier (30) having a standardized memory element (34) and an additional module (40). The method permits a data transmission selectively to the memory element (34) or to the additional module (40). According to the method application data intended for the additional module (40) are generated, routing information for the application data, with information about the application data, is generated and added to the application data (108), the resulting data stream is embedded in data blocks according to a transmission protocol adapted to the memory element (34) and transmitted, it is determined by the memory data carrier (30) whether a received data block contains routing information, and the data contained in the data block are routed to the additional module (40) if the data block contains routing information.
Type: Grant
Filed: November 15, 2007
Date of Patent: February 3, 2015
Assignee: Giesecke & Devrient GmbH
Inventors: Boris Birman, Frank Götze, Stephan Beinlich, Elmar Stephan, Fabian Guter, Armin Bartsch
-
Patent number: 8949999
Abstract: A method, system and apparatus for controlling access to a media server are provided. A browse request is received at a computing device, from a remote computing device to browse a memory structure including content files. Authentication of the remote computing device is initiated. Prior to the remote computing device being authenticated, a response is transmitted to the remote computing device indicative that the memory structure is empty of the content files, regardless of actual content of the memory structure. After the remote computing device is authenticated, a further response is transmitted to the remote computing device indicative of the actual content of the memory structure.
Type: Grant
Filed: September 9, 2011
Date of Patent: February 3, 2015
Assignee: Blackberry Limited
Inventors: Bartholomew Alexander Boeckner, Joao Paulo Neves Francisco, Douglas Eugene Ross
-
Publication number: 20150033367
Abstract: Extracting data from a source system includes generating an authorization model of the data protection controls applied to the extracted data by the source system. The authorization model is used to map the data protection control applied to the extracted data to generate corresponding data protection controls provided in target system. The extracted data is imported to the target system including implementing the corresponding data protection controls.
Type: Application
Filed: October 10, 2014
Publication date: January 29, 2015
Inventors: John C. Radkowski, Swetta Singh
-
Patent number: 8943610
Abstract: The subject matter disclosed herein relates to distribution of media content.
Type: Grant
Filed: April 3, 2013
Date of Patent: January 27, 2015
Assignee: Disney Enterprises, Inc.
Inventor: Ariff Sidi