Tokens (e.g., Smartcards Or Dongles, Etc.) Patents (Class 726/9)
-
Patent number: 9747653
Abstract: An authentication system, a mobile electronic device, an instantiating unit and a method, as well as a computer program product are disclosed for the authentication of a patient against a central registry which exchanges data with a repository for the storage of medical data records. In an embodiment, an individualized application is loaded and installed on the mobile radio device in order to sign messages to the registry with a signature. The signature can be triggered in the registry to check the authenticity of the remote patient in order to provide data access.
Type: Grant
Filed: January 30, 2013
Date of Patent: August 29, 2017
Assignee: SIEMENS AKTIENGESELLSCHAFT
Inventors: Sultan Haider, Georg Heidenreich
-
Patent number: 9742784
Abstract: An account registration method for a network attached storage system is provided. The method includes transmitting an open ID and network attached storage information to a cloud management server; transmitting the open ID to a social network service server to perform a verification procedure on the open ID; if the verification procedure is passed, receiving security information corresponding to the open ID from the social network service server and recording the open ID, the security information, and the network attached storage information in the cloud management server; transmitting the open ID to a network attached storage; transmitting login information corresponding to the network attached storage to the user terminal, wherein the login information is generated by the network attached storage according to the open ID; and recording the open ID and the login information in the user terminal.
Type: Grant
Filed: January 7, 2016
Date of Patent: August 22, 2017
Assignees: Cal-Comp Electronics & Communications Company Limited, Kinpo Electronics, Inc.
Inventor: Yung-Hsuan Lin
-
Patent number: 9734049
Abstract: Methods that can facilitate more optimized relocation of data associated with a memory are presented. In addition to a memory controller component, a memory manager component can be employed to increase available processing resources to facilitate more optimal execution of higher level functions. Higher level functions can be delegated to the memory manager component to allow execution of these higher level operations with reduced or no load on the memory controller component resources. A uni-bus or multi-bus architecture can be employed to further optimize data relocation operations. A first bus can be utilized for data access operations including read, write, erase, refresh, or combinations thereof, among others, while a second bus can be designated for higher level operations including data compaction, error code correction, wear leveling, or combinations thereof, among others.
Type: Grant
Filed: July 2, 2012
Date of Patent: August 15, 2017
Assignee: MONTEREY RESEARCH, LLC
Inventors: Walter Allen, Robert France
-
Patent number: 9730001
Abstract: Techniques for securing communications between fixed devices and mobile devices. A mobile device management server mediates communications between the fixed device and mobile device. The mobile device management server enrolls mobile devices and then assists with pairing the mobile devices to fixed devices in an out-of-band manner. This enrollment, coupled with out-of-band pairing, improves the speed and security of authenticating communication between fixed and mobile devices. If the mobile device has appropriate capabilities, the mobile device management server may request that the mobile device obtain and verify biometric data from a user prior to enrollment and performing authentication procedures.
Type: Grant
Filed: March 30, 2015
Date of Patent: August 8, 2017
Assignee: VMware, Inc.
Inventor: Moses George
-
Patent number: 9729317
Abstract: This application discloses a computing system implementing tools and mechanisms that can incorporate an optical physical uncloneable function (PUF) device in a circuit design. The optical physical uncloneable function device can generate at least a portion of a key. The tools and mechanisms can interconnect the optical physical uncloneable function device with a security control device in the circuit design, wherein the security control device is configured to initiate a security action when the key matches an expected key in the security controller.
Type: Grant
Filed: January 30, 2014
Date of Patent: August 8, 2017
Assignee: Mentor Graphics Corporation
Inventor: Fedor Pikus
-
Patent number: 9730056
Abstract: A method, apparatus, and system is provided for establishing communication between a wireless communication device (WCD) and one of a plurality of serving nodes (SNs). Each of the SNs is configured to perform mobility management and session management. The WCD determines information that identifies which WCD-SN protocol type is supported by or is being used by the WCD. Each of the WCD-SN protocol types is a version, subset, or variant of a protocol used to support mobility and session management. The identified protocol type is compatible with one or more of the SNs and is not compatible with another one or more of the SNs. The WCD transmits, to a base station controller, a message that includes the information on which WCD-SN protocol type is supported by the WCD or is being used by the WCD. The controller selects, based on the protocol type, one of the SNs.
Type: Grant
Filed: August 14, 2015
Date of Patent: August 8, 2017
Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
Inventors: Hans Bertil Rönneke, Lars-Bertil Olsson
-
Patent number: 9703980
Abstract: A method and system are provided that may centralize the management of applications that access the data of social networks via API calls. A central service may generate tokens at a generation rate that permit an application to access an API. The tokens may be distributed to queues associated with certain content types. The relative distribution of tokens to each queue may be determined by rules. A queue may release tokens to applications that function to access the content type associated with the queue. The token generation rate and rules may be selected to prevent violation of the rate limits for the API.
Type: Grant
Filed: July 15, 2016
Date of Patent: July 11, 2017
Assignee: SALESFORCE.COM, INC.
Inventors: Michael Gordon Luff, Kang Li, Stuart Douglas McClune
-
Patent number: 9703790
Abstract: In order to manage stale data on a network of computer systems, a file harvester agent may be configured with a list of stale data files to be deleted. The file harvester agent may be deployed to the computer systems of a network. When executed in a computer system, the file harvester agent searches the file system of the computer system to locate any files or data indicated in the file list. Any located data files are deleted. Once the agent has finished processing the file list on a computer system, the agent can copy or replicate itself to other computer systems of the network in accordance with a pre-configured itinerary.
Type: Grant
Filed: September 20, 2016
Date of Patent: July 11, 2017
Assignee: Open Invention Network, LLC
Inventors: Thomas T. Wheeler, Paul Lipari
-
Patent number: 9690839
Abstract: An Enterprise Service Bus (ESB) system includes a shared storage that stores data corresponding to files, a file system, and ESB infrastructure functions. The ESB system includes a metadata registry storing metadata associated with the ESB infrastructure functions, separate from the ESB infrastructure functions, and includes storage location information of the ESB infrastructure functions. The ESB system includes a processor configured to receive a request for access to the file system. The processor sends a portion of the metadata registry to a client device, the portion including a portion of the metadata and a directory structure identifying a set of the ESB infrastructure functions that the client device is authorized to access, the portion of the metadata allowing the client device to access a first infrastructure function of the set based on the storage location information. The processor further provides the first infrastructure function to the client device.
Type: Grant
Filed: January 5, 2015
Date of Patent: June 27, 2017
Assignee: THE BOEING COMPANY
Inventors: Dennis L. Kuehn, David D. Bettger, Kevin A. Stone, Marc A. Peters
-
Patent number: 9672378
Abstract: A client receives sensitive data to be tokenized. The client queries a token table with a portion of the sensitive data to determine if the token table includes a token mapped to the value of the portion of the sensitive data. If the mapping table does not include a token mapped to the value of the portion of the sensitive data, a candidate token is generated. The client queries a central token management system to determine if the candidate token collides with a token generated by or stored at another client. In some embodiments, the candidate token includes a value from a unique set of values assigned by the central token management system to the client, guaranteeing that the candidate token does not cause a collision. The client then tokenizes the sensitive data with the candidate token and stores the candidate token in the token table.
Type: Grant
Filed: July 13, 2015
Date of Patent: June 6, 2017
Assignee: Protegrity Corporation
Inventors: Ulf Mattsson, Zvika Ferentz
-
Patent number: 9654450
Abstract: In embodiments of the present invention, improved capabilities are described for securely sharing computer data content between business entities as managed through an intermediate business entity, where the secure sharing process utilizes encryption provided by the intermediate business entity but where the encryption keys used in the encryption are at least in part managed through one of the business entities as customer managed keys.
Type: Grant
Filed: June 10, 2016
Date of Patent: May 16, 2017
Assignee: Synchronoss Technologies, Inc.
Inventors: Christopher Todd Ford, Wade Callison, Fahim Siddiqui, Mushegh Hakhinian
-
Patent number: 9648052
Abstract: A system performs Real-Time Communications (“RTC”). The system establishes a signaling channel between a browser application and a rich communications services (“RCS”) endpoint. The system then queries RCS capabilities of the RCS endpoint via the signaling channel, and initiates the RTC between the browser application and the RCS endpoint via the signaling channel.
Type: Grant
Filed: January 23, 2015
Date of Patent: May 9, 2017
Assignee: ORACLE INTERNATIONAL CORPORATION
Inventors: Binod Pankajakshy Gangadharan, Yumin Sang, Shuquan Zhang, Robby Wang, Yuwei Li, Michael D. Melo
-
Patent number: 9621550
Abstract: In a general aspect, a method can include: installing in a non-secure device a customized module for managing communications with a secure element, transmitting to the secure element first authentication data for authenticating the customized module, the customized module generating and transmitting to the secure element second authentication data for authenticating the customized module, if the secure element determines that the first and second authentication data are consistent with each other, establishing a secure communication link between the customized module and the secure element, by using the first or second authentication data, the non-secure device transmitting a command to the secure element, for an application installed in the secure element, and the secure element executing the command only if the command is sent via the secure communication link.
Type: Grant
Filed: September 25, 2013
Date of Patent: April 11, 2017
Assignee: Inside Secure
Inventors: Gary Chew, Georges Gagnerot, Jean-François Grezes
-
Patent number: 9602501
Abstract: Disclosed are various embodiments relating to bootstrapping user authentication. A first application is authenticated based at least in part on a first security credential received via the first application in a first authentication request. A second security credential is generated. The second security credential is sent to the first application that is authenticated. The second application is authenticated based at least in part on the second security credential being received via the second application.
Type: Grant
Filed: March 28, 2014
Date of Patent: March 21, 2017
Assignee: Amazon Technologies, Inc.
Inventors: Harsha Ramalingam, Jesper Mikael Johansson, Bharath Kumar Bhimanaik
-
Patent number: 9596122
Abstract: A proxy is integrated within an F-SSO environment and interacts with an external identity provider (IdP) instance discovery service. The proxy proxies IdP instance requests to the discovery service and receives responses that include the IdP instance assignments. The proxy maintains a cache of the instance assignment(s). As new instance requests are received, the cached assignment data is used to provide appropriate responses in lieu of proxying these requests to the discovery service, thereby reducing the time needed to identify the required IdP instance. The proxy dynamically maintains and manages its cache by subscribing to updates from the discovery service. The updates identify IdP instance changes (such as servers being taken offline for maintenance, new services being added, etc.) occurring within the set of geographically-distributed instances that comprise the IdP service. The updates are provided via a publication-subscription model such that the proxy receives change notifications proactively.
Type: Grant
Filed: February 23, 2012
Date of Patent: March 14, 2017
Assignee: International Business Machines Corporation
Inventors: Heather Maria Hinton, Richard James McCarty, Clifton Steve Looney
-
Patent number: 9596123
Abstract: A proxy is integrated within an F-SSO environment and interacts with an external identity provider (IdP) instance discovery service. The proxy proxies IdP instance requests to the discovery service and receives responses that include the IdP instance assignments. The proxy maintains a cache of the instance assignment(s). As new instance requests are received, the cached assignment data is used to provide appropriate responses in lieu of proxying these requests to the discovery service, thereby reducing the time needed to identify the required IdP instance. The proxy dynamically maintains and manages its cache by subscribing to updates from the discovery service. The updates identify IdP instance changes (such as servers being taken offline for maintenance, new services being added, etc.) occurring within the set of geographically-distributed instances that comprise the IdP service. The updates are provided via a publication-subscription model such that the proxy receives change notifications proactively.
Type: Grant
Filed: March 1, 2013
Date of Patent: March 14, 2017
Assignee: International Business Machines Corporation
Inventors: Heather Maria Hinton, Richard James McCarty, Clifton Steve Looney
-
Patent number: 9589118
Abstract: A system and method for configuring authentication of a mobile communications device entail detecting user context and device context factors and determining whether a current authentication mode is impractical or unfeasible in view of such factors. User context information of interest includes any indication that the user is driving or in a meeting for example. Context factors of interest include for example such factors as light, noise, or user activities such as driving. Based on this user context and device context, if the currently set authentication mode is impractical or unfeasible, then the device may select an available alternative authentication mode and reconfigure the device for that mode.
Type: Grant
Filed: August 20, 2014
Date of Patent: March 7, 2017
Assignee: GOOGLE TECHNOLOGY HOLDINGS LLC
Inventor: Nidhi Agarwal
-
Patent number: 9582206
Abstract: Methods and systems for executing a copy-offload operation are provided. The method includes determining if content of a source data container can be changed, after the source data container is opened for a copy-offload operation to copy the source data container from a source location to a destination location. The method further includes using a direct copy mode for generating a token for the copy-offload operation, without taking a point in time image of the source data container, when the content cannot be changed based on a mode in which the source data container is opened; and selecting a point in time copy mode by taking the point in time image of the source data container for generating the token, when the content can be changed.
Type: Grant
Filed: June 16, 2014
Date of Patent: February 28, 2017
Assignee: NETAPP, INC.
Inventors: Saji Kumar Vijayakumari Rajendran Nair, Mudit Aggarwal
-
Patent number: 9577999
Abstract: A system, apparatus, method, and machine readable medium are described for enhanced security during registration. For example, one embodiment of a method comprises: receiving a request at a relying party to register an authenticator; sending a code from the user to the relying party through an authenticated out-of-band communication channel; and verifying the identity of the user using the code and responsively registering the authenticator in response to a positive verification.
Type: Grant
Filed: May 2, 2014
Date of Patent: February 21, 2017
Assignee: NOK NOK LABS, INC.
Inventor: Rolf Lindemann
-
Patent number: 9544460
Abstract: A workflow executing device executes the steps of: specifying a workflow; executing processes defined by the specified workflow; specifying an external process to be processed by a first external device from among the processes; specifying a device that stores account information requested by the first external device as a second external device in order to allow the first external device to execute the external process; generating a sub-workflow that defines a login process of logging into the first external device, a request process of allowing the first external device to execute the external process, and an execution result output process of transmitting the execution result to the workflow executing device; and changing the external process in the workflow to a workflow transmitting process of transmitting the sub-workflow to the second external device and an execution result receiving process of receiving the execution result from the second external device.
Type: Grant
Filed: July 14, 2015
Date of Patent: January 10, 2017
Assignee: KONICA MINOLTA, INC.
Inventors: Hidetaka Iwai, Junichi Hase, Nobuhiro Mishima, Hirokazu Kubota, Daisuke Nakano, Yuji Okamoto, Hideaki Soejima
-
Patent number: 9537661
Abstract: A device may receive an authentication request generated based on a request to access a service. The authentication request may include a user identifier. The device may identify a mobile device associated with the user identifier. The device may authenticate the mobile device, and may generate an access notification based on authenticating the mobile device. The access notification may include information relating to the request to access the service. The device may provide the access notification to the mobile device, and may receive an access response from the mobile device. The access response may indicate whether to permit access to the service. The device may cause access to the service to be permitted when the access response indicates to permit access to the service, or may cause access to the service to be denied when the access response indicates to deny access to the service.
Type: Grant
Filed: March 13, 2014
Date of Patent: January 3, 2017
Assignee: VERIZON PATENT AND LICENSING INC.
Inventors: Manah M. Khalil, Vijaya R. Challa
-
Patent number: 9535872
Abstract: A system includes a first physical chassis comprising a first chassis management unit (“CMU”). The first CMU is configured to communicate with a second CMU in an additional physical chassis. The first CMU is also configured to communicate for the first physical chassis and the additional physical chassis as one logical chassis.
Type: Grant
Filed: December 16, 2009
Date of Patent: January 3, 2017
Assignee: Hewlett Packard Enterprise Development LP
Inventors: Dave W. Paulson, Robert N. Barry, Naysen J. Robertson, Stephen B. Lyle, Robert D. Odineal
-
Patent number: 9525684
Abstract: A user who is authenticated to a system or service across a network can receive a token that includes a device fingerprint. The fingerprint can include information that is obtained from the client device through which the user supplied authentication credentials. The client device can be configured to include that token with subsequent requests. When a request is received, the information in the fingerprint can be extracted from the token and compared to information obtained from the device submitting that request. If the information matches within at least an allowable match threshold, for example, the request can be processed. If the information in the fingerprint does not match the current values of the device from which the request was received, the request can be denied or a remedial action performed.
Type: Grant
Filed: May 12, 2015
Date of Patent: December 20, 2016
Assignee: Amazon Technologies, Inc.
Inventor: Eric Jason Brandwine
-
Patent number: 9503779
Abstract: A network connection configuration method for a multimedia player includes establishing a Wireless Fidelity (Wi-Fi) connection between a mobile device and a network connection device, such that the mobile device obtains a service set identification (SSID) and a password thereof of the network connection device; utilizing an image capture module of the mobile device to capture an optical image corresponding to the multimedia player, so as to establish a Wi-Fi Direct connection between the mobile device and the multimedia player; and establishing another Wi-Fi connection between the multimedia player and the network connection device according to the Wi-Fi connection between the mobile device and the network connection device as well as the Wi-Fi Direct connection between the mobile device and the multimedia player.
Type: Grant
Filed: October 14, 2013
Date of Patent: November 22, 2016
Assignee: ALI Corporation
Inventors: Houng-Jyh Wang, Chin-Hung Hsu
-
Patent number: 9503260
Abstract: According to an aspect of the invention, a security token for facilitating access to a remote computing service via a mobile device is conceived, said security token comprising an NFC interface, a smart card integrated circuit and a smart card applet stored in and executable by said smart card integrated circuit, wherein the smart card applet is arranged to support a cryptographic challenge-response protocol executable by the mobile device.
Type: Grant
Filed: January 27, 2014
Date of Patent: November 22, 2016
Assignee: NXP B.V.
Inventor: Jan René Brands
-
Patent number: 9491161
Abstract: The present disclosure is directed to systems and methods for performing single sign on by an intermediary device for a remote desktop session of a client. A first device intermediary to a plurality of clients and a plurality of servers authenticates a user and establishes a connection to the user's client device. The device provides a homepage including links to one or more remote desktop hosts associated with the user. The device receives a request to launch an RDP session with a remote desktop host via the homepage and generates RDP content, including a security token, for the user. The device receives a second request that includes the security token to launch the RDP session. The device validates the user using the security token and establishes a connection to the remote desktop host. The device signs into the desktop host using session credentials.
Type: Grant
Filed: September 30, 2014
Date of Patent: November 8, 2016
Assignee: CITRIX SYSTEMS, INC.
Inventors: Viswanath Yarangatta Suresh, Dileep Reddem, Anil Kumar Gavini, Arkesh Kumar
-
Patent number: 9479589
Abstract: A network arrangement that employs a cache having copies distributed among a plurality of different locations. The cache stores state information for a session with any of the server devices so that it is accessible to at least one other server device. Using this arrangement, when a client device switches from a connection with a first server device to a connection with a second server device, the second server device can retrieve state information from the cache corresponding to the session between the client device and the first server device. The second server device can then use the retrieved state information to accept a session with the client device.
Type: Grant
Filed: May 26, 2015
Date of Patent: October 25, 2016
Assignee: DELL PRODUCTS L.P.
Inventor: Rodger D. Erickson
-
Patent number: 9460280
Abstract: An interception-proof authentication and encryption system and method is provided that utilizes passcodes with individual pins that are made up of symbols from a set of symbols, and tokens that contain at least two symbols from the set of symbols used for the passcode. Multiple tokens (a “token set”) are presented to a user, with some or all of a user's pre-selected pins (symbols) randomly inserted into some or all of the tokens. The user selects a token from the token set for each pin position in the passcode. The user is authenticated based on the selected tokens. Because each selected token may or may not contain one of the pre-selected pins in the user's passcode, and also contains other randomly generated symbols that are not one of the pre-selected pins in the user's passcode, someone that observes which tokens the user has chosen cannot determine what the user's actual passcode is.
Type: Grant
Filed: November 3, 2015
Date of Patent: October 4, 2016
Inventor: Min Ni
-
Patent number: 9454456
Abstract: The present disclosure provides method, system, and computer readable medium for shared execution of software. The present disclosure relates to method, system, and computer readable recording medium for shared execution of software involving identifying the main modules of a specific software by analyzing its control flow, data flow, and modular structure through a static binary analysis and a runtime profiling, i.e. dynamic analysis, separating the modules from the main software body to store them in a secure environment of a smart card, and storing the main body in a user terminal with the identified modules removed and replaced by an interface code, whereby a co-processing the software at the user's end by the smart card in engagement with the user terminal exclusively enables an execution of the software.
Type: Grant
Filed: December 21, 2009
Date of Patent: September 27, 2016
Assignee: SK PLANET CO., LTD.
Inventors: Oin Kwon, Giseon Nam, Minseok Kim, Sung Kim
-
Patent number: 9443073
Abstract: A system and method that includes receiving a first device profile and associating the first device profile with a first application instance that is assigned as an authentication device of a first account; receiving a second device profile for a second application instance, wherein the second application instance is making a request on behalf of the first account; comparing the second device profile to the first device profile; and completing the request of the second application instance according to results of comparing the second device profile and the first device profile.
Type: Grant
Filed: August 8, 2014
Date of Patent: September 13, 2016
Assignee: Duo Security, Inc.
Inventors: Jon Oberheide, Douglas Song
-
Patent number: 9438671
Abstract: Systems and methods of managing pairing information associated with peer-to-peer device pairings are disclosed herein. The pairing information can include link keys or other configuration data associated with the peer-to-peer device pairing. The system can detect that a first electronic device has paired with a second electronic device via a peer-to-peer device pairing connection. The first electronic device can store pairing information associated with the peer-to-peer device pairing. The system can determine when the peer-to-peer device pairing terminates. For example, the system can determine that a peer-to-peer activity has terminated, that a timeout period has elapsed, or any other event indicative of a termination of a peer-to-peer device pairing. In response to the determination that the peer-to-peer device pairing terminates, the system can delete the pairing information, thereby efficiently utilizing the storage medium of the first computing device.
Type: Grant
Filed: January 28, 2015
Date of Patent: September 6, 2016
Assignee: BlackBerry Limited
Inventor: Shi Harry Chen
-
Patent number: 9439069
Abstract: A SIM provider apparatus is disclosed that is configured to generate a first service provider key (SPK) based on master attributes at the SIM provider apparatus. The master attributes, including a master key, are shared by both the SIM provider apparatus and a SIM container. The SIM provider apparatus is further configured to verify a second SPK, received from the SIM container and generated based on the master attributes in the SIM container, is the same as the first SPK. The SIM provider apparatus then stores the first SPK in response to the first SPK being the same as the second SPK.
Type: Grant
Filed: December 17, 2014
Date of Patent: September 6, 2016
Assignee: Intel IP Corporation
Inventors: Avishay Sharaga, Danny Moses
-
Patent number: 9432365
Abstract: Techniques provided herein may facilitate set-up of an audio system with audio content services that have been previously registered on a second system. An example technique involves a computing device maintaining data representing a list of audio services from which an audio system can receive streaming music and data indicating that a first audio service is registered with the audio system. The device receives data indicating a second audio service added to the list of audio services. An application on the computing device may be configured to receive streaming music from the second audio service using particular authentication information. The device causes display of a graphical representation of the second service indicating that the particular authentication information is available from the application. The device may detect a selection of the second service and cause the audio system to receive streaming music from the second service using the particular authentication information.
Type: Grant
Filed: September 21, 2015
Date of Patent: August 30, 2016
Assignee: Sonos, Inc.
Inventors: Jonathan P. Lang, Paul Andrew Bates
-
Patent number: 9396400
Abstract: A method for securing an environment. The method includes obtaining a two-dimensional (2D) representation of a three-dimensional (3D) environment. The 2D representation includes a 2D frame of pixels encoding depth values of the 3D environment. The method further includes identifying a set of foreground pixels in the 2D representation, defining a foreground object based on the set of foreground pixels. The method also includes classifying the foreground object, and taking an action based on the classification of the foreground object.
Type: Grant
Filed: July 30, 2015
Date of Patent: July 19, 2016
Inventors: Alexander William Teichman, Hendrik Dahlkamp
-
Patent number: 9396345
Abstract: An electronic data sharing device configured to exchange a first tag with a corresponding tag from a further electronic data sharing device, wherein the first and second tags provide information that enables respective users of the electronic data sharing devices to share information via a server enabled internet-connected software system associated with the electronic data sharing devices, wherein the electronic data sharing device is either configured with a pre-shared key or is able to encrypt a session key, wherein the pre-shared key or session key are used to generate tags to ensure that: the electronic data sharing device and tags can only be made use of by the server.
Type: Grant
Filed: July 9, 2012
Date of Patent: July 19, 2016
Assignee: BLENDOLOGY LIMITED
Inventors: Philip Edward Dempster, Balbir Singh Munday, Dominic Jan Ostrowski
-
Patent number: 9380059
Abstract: A method for configuring a device is performed at a target device with a processor and memory storing instructions for execution by the processor. In some implementations, the target device is a media presentation device, such as a WiFi enabled speaker system. Connection information is received from a configuration device, such as a laptop computer or mobile telephone, via an analog audio interface. The connection information includes first account credentials. In some implementations, the connection information also includes network configuration data such as a name of wireless network and a security key. The target device connects to a server system remote from the target device using the first account credentials.
Type: Grant
Filed: October 16, 2013
Date of Patent: June 28, 2016
Assignee: SPOTIFY AB
Inventor: Jon Aslund
-
Patent number: 9378342
Abstract: Context captured with sensors of an information handling system is applied to selectively lock access to currently unlocked information, with conditions for locking access based upon the context. Nervous states enforce locking of selected information based upon the confidence of the security of the information under sensed external conditions. Increased sensitivity for locking access includes reduced timeouts to a lock command, increased response to sensed conditions, and more rapid response where unlocked access is to sensitive information.
Type: Grant
Filed: November 8, 2013
Date of Patent: June 28, 2016
Assignee: Dell Products L.P.
Inventors: Charles D. Robison, Liam B. Quinn, Rocco Ancona
-
Patent number: 9374356
Abstract: A framework, which conforms to the OAuth standard, involves a generic OAuth authorization server that can be used by multiple resource servers in order to ensure that access to resources stored on those resource servers is limited to access to which the resource owner consents. Each resource server registers, with the OAuth authorization server, metadata for that resource server, indicating scopes that are recognized by the resource server. The OAuth authorization server refers to this metadata when requesting consent from a resource owner on behalf of a client application, so that the consent will be of an appropriate scope. The OAuth authorization server refers to this metadata when constructing an access token to provide to the client application for use in accessing the resources on the resource server. The OAuth authorization server uses this metadata to map issued access tokens to the scopes to which those access tokens grant access.
Type: Grant
Filed: April 30, 2014
Date of Patent: June 21, 2016
Assignee: ORACLE INTERNATIONAL CORPORATION
Inventors: Ajay Sondhi, Shivaram Bhat, Ravi Hingarajiya, Wai Leung William Wong
-
Patent number: 9367676
Abstract: A system, apparatus, method, and machine readable medium are described for performing authentication using environmental data. For example, one embodiment of a method comprises: collecting environmental sensor data from one or more sensors of a client device; using a geographical location reported by the device to collect supplemental data for the location; comparing the environmental sensor data with the supplemental data to arrive at a correlation score; and responsively selecting one or more authentication techniques for authenticating a user of the client device based on the correlation score.
Type: Grant
Filed: December 31, 2013
Date of Patent: June 14, 2016
Assignee: NOK NOK LABS, INC.
Inventor: Brendon J. Wilson
-
Patent number: 9369444
Abstract: A method, system, and computer program product for providing protected remote access from a remote access client to a remote access server over a computer network through a plurality of inspections. A remote access configuration file is created for the remote access client. A digital hash of the configuration file is then generated. The digital hash is compared with a configuration file stored at a predefined web location. If the comparison results in a match between the digital hash and the stored configuration file, a digital hash comparison is performed between an encrypted remote access configuration file and an encrypted configuration file stored at the predefined web location. If the plurality of inspections are passed, the remote access client is released from a quarantine state and a virtual private network (VPN) connection to the remote access server is established.
Type: Grant
Filed: September 30, 2014
Date of Patent: June 14, 2016
Assignee: Open Invention Network, LLC
Inventors: Colin Lee Feeser, Anthony W. Ondrus, Steven J. Sanders
-
Patent number: 9355260
Abstract: A method and system for securing access to configuration information stored in universal plug and play data models are provided. The method includes receiving a request to operate on at least one node of a data model from a Control Point (CP), where the data model includes a plurality of nodes and each of the plurality of nodes represents configuration information, determining a role associated with the CP, determining whether the role of CP is in a recommended role list, allowing, if the role is present, the CP to operate on the at least one node, and determining, if the role is not present, whether the CP has a role appropriate for operating on the at least one node based on ACL data associated with the at least one node. Accordingly, the CP is allowed to operate on the at least one node or an error message is returned on a display of the CP.
Type: Grant
Filed: July 11, 2011
Date of Patent: May 31, 2016
Assignee: Samsung Electronics Co., Ltd
Inventors: Kiran Bharadwaj Vedula, Jong-Hyo Lee
-
Patent number: 9349411
Abstract: Improved copy protection systems including copy once, personal computer (PC) buffer copy protection, and identifying different copy control systems are provided. A “copy once” protection system uses memory in a recording device to remember content or physical media IDs so that the same original content or media is not copied twice. A PC buffer copy protection system determines if there is a relationship between input and output buffers on a PC, or networked PCs, to determine if the content can be copied. Different copy control systems, such as DVD systems and Conditional Access (CA) TV systems, can use different copy control watermark keys or payloads to identify which type of copy control system should be implemented.
Type: Grant
Filed: July 16, 2003
Date of Patent: May 24, 2016
Assignee: Digimarc Corporation
Inventor: Kenneth L. Levy
-
Patent number: 9344426
Abstract: Techniques for accessing enterprise resources while providing denial-of-service attack protection may include receiving, at a gateway from a client device, a request for a resource, the request including a location identifier associated with the resource. Techniques may further include redirecting, by a redirection message, the request to an authentication device that requests credentials for authentication, the redirection message including the location identifier. Techniques may also include retrieving, after authentication of the credentials, the location identifier from the client device. Techniques may additionally include providing access to the resource based on the location identifier.
Type: Grant
Filed: December 26, 2013
Date of Patent: May 17, 2016
Assignee: Citrix Systems, Inc.
Inventors: Punit Gupta, Bharat Bhushan, Jong Kann, Pierre Rafiq
-
Patent number: 9319469
Abstract: A host agnostic integration and interoperation system. The host agnostic integration and interoperation system includes an open platform interface and the associated conventions that define the roles of and direct operations between a host and a service application running on an external application server and allow the host to discover and integrate the functionality provided by the service application. The open platform interface employs a limited number of easily implemented semantic methods allowing a host to expose and integrate the ability to view, edit, or otherwise manipulate a document using the host supported functionality of the service application from a standard user agent. The host agnostic integration and interoperation system handles user authentication at the host using an access token and establishes a trust relationship between the host and the external application server using a lightweight but secure proof key system.
Type: Grant
Filed: December 19, 2011
Date of Patent: April 19, 2016
Assignee: Microsoft Technology Licensing, LLC
Inventors: Matthew James Ruhlen, Kenneth John Yuhas, Jr., Mark T. Fields, Martin Abadi
-
Patent number: 9306954
Abstract: Systems and methods are provided for accessing and managing a virtual desktop. In some examples a desktop access manager may be provided to enable and communicatively link a virtual desktop key such that a user may access a linked desktop virtually over a second computing device. The systems and methods provide increased security when accessing a virtual desktop and enable customization of access to the virtual desktop.
Type: Grant
Filed: June 30, 2011
Date of Patent: April 5, 2016
Assignee: Cloud Security Corporation
Inventor: Safa Movassaghi
-
Patent number: 9270524
Abstract: Embodiments of the present invention provide a method and a device for link aggregation control protocol (LACP) link switch. The method includes: monitoring state changes of interfaces in an LACP link aggregation group; when monitoring a state change occurs on an active interface in the aggregation group, determining whether the number of active interfaces in the aggregation group is smaller than a preset minimum active link number, if yes, keeping states of N interfaces among the interfaces on which a state change occurs being an active state, so that the number of active interfaces in the aggregation group is greater than or equal to the preset minimum active link number; and when monitoring a state change occurs on an inactive interface in the aggregation group, adjusting states of M interfaces among the N interfaces kept in the active state into an inactive state M being smaller than or equal to N.
Type: Grant
Filed: March 26, 2014
Date of Patent: February 23, 2016
Assignee: Huawei Technologies Co., Ltd.
Inventors: Xiaoyi Zhang, Cheng Wang, Chenglong Ding, Qi Sun, Fenghua Zhao
-
Patent number: 9264326
Abstract: A network management device connects to a device on the network, receives a trigger for an operation command, supplies to the device a command line interface command for the operation command, wherein a randomly generated string is included at the end of the command line interface command. The network management device receives the output of the operation command from the device, detects the end of the operation command output and parses the output using an XML-based parser. XML based configuration files are used for configuration of different network devices. XML based report files are used to generate different network reports.
Type: Grant
Filed: November 25, 2014
Date of Patent: February 16, 2016
Assignee: Cisco Technology, Inc.
Inventors: Sridhararao V. Kothe, Sreenivas Devalla, Satyanarayana DV Raju, Nakka Siva Kishore Kumar
-
Patent number: 9251349
Abstract: Attesting a virtual machine that is migrating from a first environment to a second environment includes in response to initiation of migration of the virtual machine from the first environment to the second environment, accessing one or more stored trust values generated during the trusted boot of the virtual machine in the first environment, determining if the accessed trust values define a security setting sufficient for the second environment, and if the accessed trust values do not define a security setting sufficient for the second environment, performing a predetermined action in relation to the migration of the virtual machine to the second environment.
Type: Grant
Filed: February 28, 2013
Date of Patent: February 2, 2016
Assignee: International Business Machines Corporation
Inventors: David Haikney, Shawn P. Mullen, James W. Walker
-
Patent number: 9251331
Abstract: Methods, systems, and computer-readable media are provided. Some embodiments include receiving, at a computing device, a security token identifier and a request to access one or more resources of the computing device. The computing device obtains information that identifies one or more domains each having a trust relationship with the domain associated with the computing device. The computing device determines that an entry in a first data store associated with a first domain of the one or more domains matches the security token identifier. In response to the determining that an entry in the first data store matches the security token identifier, the computing device updates a local data store such that, in the local data store, the security token identifier is associated with first domain information that identifies the first domain. The computing device grants the requested access to one or more resources of the computing device.
Type: Grant
Filed: January 16, 2014
Date of Patent: February 2, 2016
Assignees: Canon Information and Imaging Solutions, Inc., Canon U.S.A., Inc.
Inventor: Robert Alfonso Dellago, Jr.
-
Patent number: 9253179
Abstract: Approaches described herein manage security restrictions on a resource in a defined environment to provide authorization and access. Specifically, a security system maintains a security restriction on the resource (e.g., an information technology (IT) account of a user, or an apparatus) in a defined environment. The presence of a plurality of users is continuously monitored throughout the defined environment and, based on a detection of a pre-specified set of users from the plurality of users in the defined environment, the security restriction is managed (e.g., removed or maintained). In one embodiment, the system removes the security restriction from the resource to allow at least one of: access to the IT account of the user, and operation of the apparatus. The security restriction on the resource may then be reinstated in the case that the pre-specified set of users from the plurality of users is no longer present in the defined environment.
Type: Grant
Filed: November 27, 2013
Date of Patent: February 2, 2016
Assignee: International Business Machines Corporation
Inventor: Mark J. Hoesl