Entries |
Document | Title | Date |
20080244265 | MOBILITY DEVICE MANAGEMENT SERVER - A mobility device management server (MDMS) for use as part of a mobility device platform allowing for secure mobile computing is provided. In an illustrative implementation, an exemplary mobility device platform (MDP) comprises a mobility device (MD) operable to communicate with at least one computing environment through a communications interface and wherein the MD is operable to process and store secure web services, a communications network operable to communicate data and computing applications using web services, and a MDMS operable to generate, process, store, communicate and encrypt web services to the MD. Further, the MDMS is operable to perform one or more mobility device management functions to provide encryption keys to cooperating MDs and to authenticate and verify cooperating MDs requesting web services from the MDMS. The MDMS further may operate to perform metering functions and may operate to support intermittent connections between itself and cooperating MDs. | 10-02-2008 |
20080294892 | METHOD AND SYSTEM FOR A KERNEL LOCK VALIDATOR - An embodiment relates generally to a method of preventing resource access conflicts in a software component. The method includes intercepting a lock operation in the software component and testing an associated lock type of the lock operation against a set of rules. The method also includes determining an action based on the associated lock type conflicting one of the rules of the set of rules. | 11-27-2008 |
20080294893 | DEVICE AND METHOD FOR SECURITY RECONFIGURATION - A security reconfigurable device is adapted for use in an integrated wireless network integrating at least two wireless networks, and includes a plurality of security modules and a control unit. The security modules are used to respectively realize security mechanisms related to the wireless networks. According to security requirements, the control unit selects one of the security modules for operation. The security reconfigurable device can reduce time and cost for updating the security mechanisms. A method for security reconfiguration is also disclosed. | 11-27-2008 |
20080301440 | Updateable Secure Kernel Extensions - A method, computer program product, and data processing system for providing an updateable encrypted operating kernel are disclosed. In a preferred embodiment, secure initialization hardware decrypts a minimal secure kernel containing sensitive portions of data and/or code into a portion of the processor-accessible memory space, from which the kernel is executed. Most system software functions are not directly supported by the secure kernel but are provided by dynamically loaded kernel extensions that are encrypted with a public key so that they can only be decrypted with a private key possessed by the secure kernel. The public/private key pair is processor-specific. Before passing control to a kernel extension the secure kernel deletes a subset of its sensitive portions, retaining only those sensitive portions needed to perform the task(s) delegated to the kernel extension. Which sensitive portions are retained is determined by a cryptographic key with which the kernel extension is signed. | 12-04-2008 |
20090006847 | Filtering kernel-mode network communications - Some embodiments of the invention are directed to techniques for determining whether a process on a computer system that is sending or receiving data, or is attempting to send or receive data, with another computer system is executing in kernel mode or user mode and providing an indicator of this determination to a security engine. In some embodiments, such an indication is provided to a security engine (e.g., a firewall) that implements a security policy based at least in part on whether the sending or receiving process is in kernel mode or user mode, and filter communications based on a process' operating mode. This enables a security engine to maintain security policies of greater specificity and thus improve security of a computer system. | 01-01-2009 |
20090013179 | Controlling With Rights Objects Delivery Of Broadcast Encryption Content For A Network Cluster From A Content Server Outside The Cluster - Methods, systems, and products are disclosed for delivering broadcast encryption content. Embodiments of the present invention typically include receiving in a cluster broadcast encryption content; receiving in a cluster a rights object defining device-oriented digital rights for broadcast encryption content; and administering the broadcast encryption content on one or more network devices in the cluster in dependence upon the digital rights. In some embodiments, administering the broadcast encryption content on one or more network devices in the cluster in dependence upon the digital rights include mapping the device-oriented digital rights to digital rights supported in the cluster, excluding device-oriented rights not supported in the cluster. In some embodiments, mapping the device-oriented digital rights to digital rights supported in the cluster includes supporting in the cluster only those device-oriented digital rights having direct analogs in the cluster. | 01-08-2009 |
20090031128 | TRANSPARENT AWARE DATA TRANSFORMATION AT FILE SYSTEM LEVEL FOR EFFICIENT ENCRYPTION AND INTEGRITY VALIDATION OF NETWORK FILES - A mechanism for enabling efficient encryption and integrity validation of network files. When a request to read a file stored in a local network file system is received, the local network file system examines cryptographic attributes associated with the file to determine if the file is encrypted or integrity-verified. If the cryptographic attributes indicate the file is encrypted, the local network file system omits the encryption of the file by the local network file system prior to passing the file to the remote network file system. If the cryptographic attributes indicate the file is integrity-verified, the local network file system omits the integrity-verification of the file by the local network file system prior to passing the file to the remote network file system. The local network file system then transmits the file to the remote network file system. | 01-29-2009 |
20090063857 | METHOD AND SYSTEM FOR PROVIDING A TRUSTED PLATFORM MODULE IN A HYPERVISOR ENVIRONMENT - A method is presented for implementing a trusted computing environment within a data processing system. A hypervisor is initialized within the data processing system, and the hypervisor supervises a plurality of logical, partitionable, runtime environments within the data processing system. The hypervisor reserves a logical partition for a hypervisor-based trusted platform module (TPM) and presents the hypervisor-based trusted platform module to other logical partitions as a virtual device via a device interface. Each time that the hypervisor creates a logical partition within the data processing system, the hypervisor also instantiates a logical TPM within the reserved partition such that the logical TPM is anchored to the hypervisor-based TPM. The hypervisor manages multiple logical TPM's within the reserved partition such that each logical TPM is uniquely associated with a logical partition. | 03-05-2009 |
20090089579 | Secure Policy Differentiation by Secure Kernel Design - A method, computer program product, and data processing system are disclosed for ensuring that applications executed in the data processing system originate only from trusted sources. In a preferred embodiment, a secure operating kernel maintains a “key ring” containing keys corresponding to trusted software vendors. The secure kernel uses vendor keys to verify that a given application was signed by an approved vendor. To make it possible for users to execute software from independent software developers, an administrative user may disable the above-described vendor key-checking as an option. | 04-02-2009 |
20090094455 | Frequency Managed Performance - A computer or other electronic device may use a security module to securely control a system or processor clock to set a predetermined performance level. In an exemplary embodiment, the performance level may be high, medium, or low, supporting a range of application performance requirements. Changes to the performance level may be authorized by a third party presenting cryptographic rights to alter the performance level. Alternatively, postpaid or pre-paid value may be accumulated at a rate corresponding to the predetermined performance level set by the security module. | 04-09-2009 |
20090125716 | COMPUTER INITIALIZATION FOR SECURE KERNEL - Dynamic Root of Trust for Measurement (DRTM) mechanisms can be initiated, not by CPU-manufacturer-specific instructions, but by the execution of code in System Management Mode (SMM) that can modify the values stored in specific Platform Configuration Registers (PCRs) of a Trusted Platform Module (TPM). The SMM code can be verified prior to execution and it can be trusted based on the secure mechanisms used to update such code. The SMM code can restore a known, trusted state of the computing device and can initiate the measuring of subsequently executed code. In such a manner the Trusted Computing Base (TCB) can be limited. | 05-14-2009 |
20090132815 | Systems and methods for secure transaction management and electronic rights protection - The present invention provides systems and methods for secure transaction management and electronic rights protection. Electronic appliances such as computers equipped in accordance with the present invention help to ensure that information is accessed and used only in authorized ways, and maintain the integrity, availability, and/or confidentiality of the information. Such electronic appliances provide a distributed virtual distribution environment (VDE) that may enforce a secure chain of handling and control, for example, to control and/or meter or otherwise monitor use of electronically stored or disseminated information. Such a virtual distribution environment may be used to protect rights of various participants in electronic commerce and other electronic or electronic-facilitated transactions. Distributed and other operating systems, environments and architectures, such as, for example, those using tamper-resistant hardware-based processors, may establish security at each node. These techniques may be used to support an all-electronic information distribution, for example, utilizing the “electronic highway.” | 05-21-2009 |
20090132816 | PC on USB drive or cell phone - Disclosed are virtual, personal computers implemented on USB drive, cell phone platforms, or other small portable computing platform. Exemplary personal computers include a nanokernel or minikernel configured to boot when connected to a host computer. A memory is provided for storing the nanokernel or minikernel, along with encrypted data, secure keys and certificates, and one or more software applications. The nanokernel or minikernel is configured to allow selected stored software applications to run on the host computer and execute on the user data stored in the memory when the computing apparatus is connected to the host computer and booted. The nanokernel or minikernel is also configured to prevent any other application from executing on user data stored in the memory. The TPM provides the mechanism to seal and authenticate the compute environment of the host computer its components and/or the USB drive et al itself. The contents of the virtual, personal computer are meant to execute on the host computer, but have persistent, encrypted storage on the USB drive, cell phone platforms, or other small portable computing platform which may have additional biometric identification. | 05-21-2009 |
20090158036 | PROTECTED COMPUTING ENVIRONMENT - A method of establishing a protected environment within a computing device including validating a kernel component loaded into a kernel of the computing device, establishing a security state for the kernel based on the validation, creating a secure process and loading a software component into the secure process, periodically checking the security state of the kernel, and notifying the secure process when the security state of the kernel has changed. | 06-18-2009 |
20090177883 | METHOD AND DEVICE FOR ONLINE SECURE LOGGING-ON - The invention discloses a method for an online secure logging-on, comprises steps of: determining a correlation between at least one of processes and a logging-on operation; sorting the at least one of processes to two classes, that is, processes related to the logging-on operation and processes unrelated to the logging-on operation; running at least one of the processes related to the logging-on operation, when the logging-on operation is performed and a number of the processes related to the logging-on operation is one or more; and suspending at least one of the processes unrelated to the logging-on operation, when the logging-on operation is performed and a number of the processes unrelated to the logging-on operation is one or more. The scheme of the present invention utilizes a real-time protection, needs less monitoring on the operating system and is easy to guarantee the stability. Since most processes of the operating system are suspended, the protection is more reliable. Corresponding to the method, the present invention also provides a device for an online secure logging-on. | 07-09-2009 |
20090193251 | SECURE REQUEST HANDLING USING A KERNEL LEVEL CACHE - The present invention discloses a system, method, apparatus, and computer usable product code for handling requests. The invention can include a kernel level cache, a request handling service, and a transport layer security service. The kernel level cache can store request handling data. The request handling service can handle secure requests at a transport layer of a kernel when request handling data is present in the kernel level cache. The transport layer security service can handle encryption/decryption operations for the secure requests and request responses at the transport layer. | 07-30-2009 |
20090249064 | SYSTEM AND METHOD OF AUTHORIZING EXECUTION OF SOFTWARE CODE BASED ON A TRUSTED CACHE - Embodiments include systems and methods for authorizing software code to be executed on a device based on a trusted cache. When receiving a request to execute software, this software may be checked for a digital signature by at least one trusted authority. Accordingly, a digest value indicative of at least a portion of the software module may be determined. A cache stored in trusted space of the device is then accessed for a matching digest value. If an entry is found, the device may allow execution of the software module; if an entry is not found, then the device may continue with the cryptographic operations for verifying the software's digital signature, or may be configured to block execution of the software. | 10-01-2009 |
20090249065 | SYSTEM AND METHOD OF AUTHORIZING EXECUTION OF SOFTWARE CODE BASED ON AT LEAST ONE INSTALLED PROFILE - Embodiments include systems and methods for authorizing software code to be executed or access capabilities in secure operating environments. Profiles may be issued by trusted entities to extend trust to other entities to allow those other entities to provide or control execution of applications in a secure operating environment such as on particular computing devices. The profiles allow entities to add software code to the device without reauthorizing each distribution by a trusted authority such as testing, quality assurance, or to limited groups of devices controlled or authorized by the other entities. | 10-01-2009 |
20090249066 | Method for Safe Operation and A System Thereof - The present invention relating to computer security field provides a method for safe operation and a system thereof. The method includes: loading the compressed kernel of a safe operating system to a memory of a computer, decompressing the driver of a security device to the memory of the computer; a security master process inquiring the security device and determining whether the security device is legitimate, and if so, the safe operating system creates a security sub-process with which the safe operating system performing information interaction with the security device; verifying whether a user is legitimate, if so, permitting the safe operating system to run properly; otherwise, performing exception handling. The system includes an operating system storage device, a security device and a computer. The presented invention provides a solution that a kernel program of a safe operating system is cooperated with a security device by starting the safe operating system. In the whole process of the computer operation, the kernel of the safe operating system works with the security device, and the security device completes the verification of the user ID and the processing of file data encryption/decryption, which assures the security of the computer operation. | 10-01-2009 |
20090259845 | System and method for execution of a secured environment initialization instruction - A method and apparatus for initiating secure operations in a microprocessor system is described. In one embodiment, one initiating logical processor initiates the process by halting the execution of the other logical processors, and then loading initialization and secure virtual machine monitor software into memory. The initiating processor then loads the initialization software into secure memory for authentication and execution. The initialization software then authenticates and registers the secure virtual machine monitor software prior to secure system operations. | 10-15-2009 |
20090265549 | PREVENTING UNAUTHORIZED DISTRIBUTION OF MEDIA CONTENT WITHIN A GLOBAL NETWORK - One embodiment of the invention is a method for providing media content while preventing its unauthorized distribution. The method includes transmitting from a client to an administrative node a request for delivery of an instance of media content (IMC); determining which content source (CS) of a plurality of CSs to provide delivery of the IMC, provided the client is authorized to receive the IMC; transmitting to the client an access key and a location of the IMC; transmitting from the client to the CS a second request and the access key; in response to receiving the second request and the access key, transferring the IMC from the CS to the client; transmitting from the client to the administrative node an indicator indicating a successful transfer of the IMC; and generating a transaction applicable to the client and associated with the transfer of the IMC to the client. | 10-22-2009 |
20090271619 | External storage apparatus and method of preventing information leakage - Proposed is an apparatus and method of preventing the leakage of information from an external storage apparatus even when such external storage apparatus is stolen or accessed from an unauthorized host computer. This external storage apparatus accessible from a host computer or another external storage apparatus via a network encrypts or decrypts data written from a host computer to be stored in the storage area, sends a request for existence confirmation to the host computer or the other external storage apparatus every predetermined period of time, and zeroizes an encryption key to be used in the encryption calculation for encrypting or decrypting data to be performed by the encryption calculation unit based on the result of a response from the host computer or the other external storage apparatus in reply to the request. | 10-29-2009 |
20090271620 | TECHNIQUES FOR SECURE DATA MANAGEMENT IN A DISTRIBUTED ENVIRONMENT - Techniques for secure data management in a distributed environment are provided. A secure server includes a modified operating system that just allows a kernel application to access a secure hard drive of the secure server. The hard drive comes prepackaged with a service public and private key pair for encryption and decryption services with other secure servers of a network. The hard drive also comes prepackaged with trust certificates to authenticate the other secure servers for secure socket layer (SSL) communications with one another, and the hard drive comes with a data encryption key, which is used to encrypt storage of the secure server. The kernel application is used during data restores, data backups, and/or data versioning operations to ensure secure data management for a distributed network of users. | 10-29-2009 |
20100115273 | SYSTEM AND METHOD FOR FINDING KERNEL MEMORY LEAKS - The invention provides a system and method for tracking memory information associated with dynamically loaded kernel modules with the help of a tracking system. The tracking system defines its own kernel memory allocation functions. Whenever, a dynamic kernel module is loaded/unloaded into/from the kernel space, these newly defined functions are called in response to kernel memory allocation/de-allocation requests from the kernel module. The newly defined functions are responsible for allocating and de-allocating kernel memory, as well as, keeping track of information relating to the kernel memory allocations/de-allocations. The tracked information may be used to identify the source of kernel memory leaks. | 05-06-2010 |
20100146267 | Systems and methods for providing secure platform services - Systems and methods for providing secure platform services using an information handling system, and which may be implemented to sequester or otherwise isolate sensitive cryptographic processes, as well as the keys used during such decryption and encryption processes. The systems and methods may be implemented as a set of secure services that are available to an operating system or to a Hypervisor executing on an information handling system, and the processing environment may be provided as a closed environment, thus preventing malicious code from infiltrating the processing environment. Dedicated and secure memory space may be employed to prevent key detection through memory scans. | 06-10-2010 |
20100161975 | PROCESSING SYSTEM WITH APPLICATION SECURITY AND METHODS FOR USE THEREWITH - A processing system includes an interface for receiving application data at the processing system corresponding to an application, the application data including authentication data. A one-time programmable memory stores at least one application key. A processing module executes an operating system that includes a security routine to authenticate the application data based on the authentication data and the at least one application key. The security routine permits the execution of the application by the processing module when the authentication data is authenticated, and prevents the execution of the application by the processing system when the authentication data is not authenticated. | 06-24-2010 |
20100161976 | SYSTEM AND METHOD FOR HANDLING CROSS-PLATFORM SYSTEM CALL WITH SHARED PAGE CACHE IN HYBRID SYSTEM - A system and associated method for handling a cross-platform system call with a shared page cache in a hybrid system. The hybrid system comprises a first computer system and a second computer system. Each computer system has a respective copy of the shared page cache, and validates an entry in the respective copy of the shared page cache for pages available in the respective computer system. The cross-platform system call is invoked by a first kernel to provide a kernel service to a user application in the first computer system. The cross-platform system call has a parameter referring to raw data in the first computer system. The cross-platform system call is converted to be executed in the second computer system and the raw data is copied to the second computer system only when a page fault for the raw data occurs while executing the cross-platform system call. | 06-24-2010 |
20100169642 | Remote virtual medical diagnostic imaging viewer - A medical image and data application service provider system provides a way of remotely viewing and manipulating medical images and data for diagnostic and visualization purposes by users unconstrained by geography. Medical images and data are stored on one or more servers running application service provider software along with meta-data such as access control information, origin of information and references to related data. A set of medical data consisting related information is sent as an encrypted stream to a viewing station running client software in a secure execution environment that is logically independent of the viewing station's operating system. | 07-01-2010 |
20100180114 | PROCESSING PACKET STREAMS - Systems and methods are disclosed that include a data-bus, system memory, a first processor arranged to receive an input stream, and a second processor programmed to apply one or more security algorithms to secure packets of the input stream to generate at least partially security-processed packets. | 07-15-2010 |
20100191961 | METHOD AND SYSTEM ACHIEVING INDIVIDUALIZED PROTECTED SPACE IN AN OPERATING SYSTEM - Aspects for achieving individualized protected space in an operating system are provided. The aspects include performing on demand hardware instantiation via an ACE (an adaptive computing engine), and utilizing the hardware for monitoring predetermined software programming to protect an operating system. | 07-29-2010 |
20100262823 | Launching A Secure Kernel In A Multiprocessor System - In one embodiment of the present invention, a method includes verifying an initiating logical processor of a system; validating a trusted agent with the initiating logical processor if the initiating logical processor is verified; and launching the trusted agent on a plurality of processors of the system if the trusted agent is validated. After execution of such a trusted agent, a secure kernel may then be launched, in certain embodiments. The system may be a multiprocessor server system having a partially or fully connected topology with arbitrary point-to-point interconnects, for example. | 10-14-2010 |
20100281255 | Launching A Secure Kernel In A Multiprocessor System - In one embodiment of the present invention, a method includes verifying a master processor of a system; validating a trusted agent with the master processor if the master processor is verified; and launching the trusted agent on a plurality of processors of the system if the trusted agent is validated. After execution of such a trusted agent, a secure kernel may then be launched, in certain embodiments. The system may be a multiprocessor server system having a partially or fully connected topology with arbitrary point-to-point interconnects, for example. | 11-04-2010 |
20100318793 | Permission-Based Dynamically Tunable Operating System Kernel - A server includes a central processing unit and electronic memory communicatively coupled to the central processing unit. The memory stores a dynamically tunable operating system kernel that includes at least one tunable implemented as a plurality of states. Each application managed by the operating system is assigned to one of these states according to a permission level association with the application. Each state defines a range of automated tuning of the tunable that is authorized to applications assigned to the state. | 12-16-2010 |
20100318794 | System and Method for Providing Security Aboard a Moving Platform - A system for providing network security on a vehicle information system and methods for manufacturing and using same. The security system comprises an all-in-one security system that facilitates security system functions for the vehicle information system. Exemplary security system functions include secure storage of keys used to encrypt and/or decrypt system data, security-related application programming interfaces, a security log file, and/or private data. The security system likewise can utilize antivirus software, anti-spyware software, an application firewall, and/or a network firewall. As desired, the security system can include an intrusion prevention system and/or an intrusion detection system. If the information system includes a wireless distribution system, the security system can include an intrusion prevention (and/or detection) system that is suitable for use with wireless network systems. Thereby, the security system advantageously can provide a defense in depth approach by adding multiple layers of security to the information system. | 12-16-2010 |
20110035586 | SYSTEM AND METHOD FOR SECURING A COMPUTER COMPRISING A MICROKERNEL - A method of securing a computer comprising a microkernel and a system for interfacing with at least one virtualized operating system are presented. The microkernel includes a clock drive, a scheduler and an inter-process communication manager. The system for interfacing forms at least one virtual machine associated with each operating system and allows execution of the latter without modification. The method includes, at the level of the system for interfacing, the steps of: intercepting any communication between a means external to the operating system and the operating system; verifying that predefined rules of access to said external means are validated by said communication; transmitting the communication to the recipient if the rules are validated. | 02-10-2011 |
20110047376 | METHOD AND APPARATUS FOR SECURE EXECUTION USING A SECURE MEMORY PARTITION - A processor capable of secure execution. The processor contains an execution unit and secure partition logic that secures a partition in memory. The processor also contains cryptographic logic coupled to the execution unit that encrypts and decrypts secure data and code. | 02-24-2011 |
20110093699 | COMMUNICATION BETWEEN KEY MANAGER AND STORAGE SUBSYSTEM KERNEL VIA MANAGEMENT CONSOLE - System, computer program product, and method embodiments for communication between a kernel operational on a storage subsystem and a key manager (KM) through a hardware management console (HMC) to provide encryption support are provided. In one embodiment, an event request is initiated by the kernel to the KM to execute an event flow. Pursuant to a communication request by the kernel to the HMC, a socket of the HMC is opened along a communication path between the KM and the kernel according to an event flow type selected by the KM for the event flow. Pursuant to a data request by the kernel to the KM, data including a data payload is sent by the KM to the kernel, the data payload corresponding to the selected event flow type. | 04-21-2011 |
20110093700 | METHOD AND APPARATUS FOR SECURE EXECUTION USING A SECURE MEMORY PARTITION - A processor capable of secure execution. The processor contains an execution unit and secure partition logic that secures a partition in memory. The processor also contains cryptographic logic coupled to the execution unit that encrypts and decrypts secure data and code. | 04-21-2011 |
20110154030 | Methods and apparatus for restoration of an anti-theft platform - Embodiments of methods for restoration of an anti-theft platform are generally described herein. Other embodiments may be described and claimed. | 06-23-2011 |
20110161666 | DIGITAL CONTENT RETRIEVAL UTILIZING DISPERSED STORAGE - A method begins by a processing module obtaining a unique retrieval matrix based on an identity of the playback device and sending a request for retrieval of a set of encoded broadcast data slices to a dispersed storage network (DSN) memory, wherein the request includes the unique retrieval matrix and identity of the set of encoded broadcast data slices. The method continues with the processing module receiving a subset of the set of encoded broadcast data slices from the DSN memory, wherein the subset of the set of encoded broadcast data slices is based on the unique retrieval matrix. The method continues with the processing module storing the subset of the sets of encoded broadcast data slices. | 06-30-2011 |
20110167259 | SOFTWARE LICENSE ENFORCEMENT - Systems and methods for performing software license enforcement are provided. According to one embodiment, file or operating system activity relating to a code module are intercepted by a kernel mode driver of a computer system. The kernel mode driver causes a cryptographic hash value of the code module to be authenticated with reference to a local whitelist containing cryptographic hash values of approved code modules known not to contain malicious code. The local whitelist also contains licensing control information. If the cryptographic hash value matches a cryptographic hash value of an approved code module, then (i) authority to execute the code module is further validated if the licensing control information so indicates by performing a license check regarding the code module; and (ii) the code module is allowed to be loaded and executed within the computer system if the authority is affirmed by the license check. | 07-07-2011 |
20110202762 | METHOD AND APPARATUS FOR CARRYING OUT SECURE ELECTRONIC COMMUNICATION - The present invention provides a system, method and device, for carrying out secure electronic communication over a computer network via a computer susceptible of being virus infected or eavesdropped by means of a personal apparatus comprising processing means, one or more memory devices, one or more interfacing means suitable for exchanging information with the insecure computer, and a communication software having cryptographic capabilities stored in the one or more memory means, wherein the personal apparatus is adapted to establish a secure channel with a remote computer over the computer network, by means of the insecure computer machine. | 08-18-2011 |
20110246767 | SECURE VIRTUAL MACHINE MEMORY - Apparatus, systems, and methods may operate to allocate encrypted memory locations to store encrypted information, the information to be encrypted and decrypted using a single hypervisor. Further activity may include permitting access to a designated number of the encrypted memory locations to a single application executed by an associated virtual machine (VM) subject to the hypervisor, and denying access to the designated number of the encrypted memory locations to any other application executed by the associated VM, or any other VM. In some embodiments, the operational state of the associated VM may be restored using the encrypted information. Additional apparatus, systems, and methods are disclosed. | 10-06-2011 |
20110296175 | SYSTEMS AND METHODS FOR SOFTWARE LICENSE DISTRIBUTION USING ASYMMETRIC KEY CRYPTOGRAPHY - Methods and computer readable media for distributing a software license based on asymmetric cryptography via a network. An application publisher generates an asymmetric key-pair having an encryption key and a decryption key. The publisher assembles a software application embedded with the decryption key and releases the software application on an application storefront while keeping the encryption key as secret. A user of a device downloads the software application via a public network. To activate the software application in the device, the user sends a request for a license key to the publisher (or a distribution service provider) via the network. Upon validation of the request, the license key encrypted using the encryption key is sent to the device to thereby activate the software application in the device. Based on the cryptographic technique, the user may surrender the license key to get back the credit for the surrendered license key. | 12-01-2011 |
20120084560 | REBOOT CONTROLLER TO PREVENT UNAUTHORIZED REBOOT - A method, computer program product and system of preventing the unauthorized rebooting of a server having a change record, reboot password and valid reboot key. The method includes authenticating that rebooting is authorized by the change record; responsive to entering a reboot password, authenticating that a valid reboot password has been entered; and responsive to entering a reboot key, authenticating by a computer processor that a valid reboot key has been entered. | 04-05-2012 |
20120102321 | SECRET INFORMATION DISTRIBUTION SYSTEM, SECRET INFORMATION DISTRIBUTION METHOD AND PROGRAM - Secret information is encoded/distributed into distributed information according to access structure, a random number sequence corresponding to number of pieces into which the secret information is distributed is generated by randomly selecting polynomial coefficients, the coefficients are encoded/distributed into random number information according to access structure, a hash function whose hash values correspond to the random number sequence is generated, keys for which the hash function applies are selected so as to individually set data for checking whether restored secret information is being manipulated as number of pieces of check data corresponding to number of pieces into which the secret information is distributed, the distributed information is read, the secret information is restored; the random number information is read, the random number sequence is restored, the check data is read, and the restored secret information is judged as not being manipulated when the read check data satisfies the hash function. | 04-26-2012 |
20120131335 | Collaborative Agent Encryption And Decryption - A method for securely transmitting data from a sender computer system to a receiver computer system comprises receiving a cleartext message by a first intelligent agent environment; splitting said message into a plurality of message fragments; creating an intelligent agent for each message fragment; generating a key for each message fragment; encrypting each said message fragment to produce a respective encrypted message fragment; and transmitting each intelligent agent with said respective encrypted message fragment as a data payload. The method may further comprise receiving each intelligent agent with its respective encrypted message fragment as a data payload by a second intelligent agent environment at the receiver computer system; locating each of a set of agents; decrypting each encrypted respective message fragment to produce a respective cleartext message fragment; and collaborating by the set of agents to recombine cleartext message fragments to form a cleartext message. | 05-24-2012 |
20120226903 | SECURE PLATFORM VOUCHER SERVICE FOR SOFTWARE COMPONENTS WITHIN AN EXECUTION ENVIRONMENT - Apparatuses, articles, methods, and systems for secure platform voucher service for software within an execution environment. An embodiment includes the ability for a Virtual Machine Monitor, Operating System Monitor, or other underlying platform capability to restrict memory regions for access only by authenticated, authorized and verified software components. A provisioning remote entity or gateway only needs to know a platform's public key or certificate hierarchy to receive verification for any component. The verification or voucher helps assure to the remote entity that no malware running in the platform or on the network will have access to provisioned material. The underlying platform to lock and unlock secrets on behalf of the authenticated/authorized/verified software component provided in protected memory regions only accessible to the software component. | 09-06-2012 |
20120260089 | SYSTEM AND METHOD FOR SECURING DATA TRANSACTION - A secure messaging channel is necessary especially when the message involves confidential transactions, for example a bank transaction which involves funds transfer and other additional information. The present disclosure describes securing message. The method of securing a message comprises providing a personal identification number by the user, wherein the personal identification number is associated to a unique number of a user. The unique number can be a mobile number. The correct personal identification number invokes the one-time password generator. The one time password generator accesses a metadata which comprises a value stored. The value stored in the metadata is retrieved to generate a dynamic key. The dynamic key is converted to a symmetric encryption key to encrypt the data. The dynamic key can also be converted to a symmetric decryption key to decrypt the data. | 10-11-2012 |
20120265987 | COMMUNICATION BETWEEN KEY MANAGER AND STORAGE SUBSYSTEM KERNEL VIA MANAGEMENT CONSOLE - System, computer program product, and method embodiments for communication between a kernel operational on a storage subsystem and a key manager (KM) through a hardware management console (HMC) to provide encryption support are provided. In one embodiment, an event request is initiated by the kernel to the KM to execute an event flow. Pursuant to a communication request by the kernel to the HMC, a socket of the HMC is opened along a communication path between the KM and the kernel according to an event flow type selected by the KM for the event flow. Pursuant to a data request by the kernel to the KM, data including a data payload is sent by the KM to the kernel, the data payload corresponding to the selected event flow type. | 10-18-2012 |
20120272059 | SYSTEM AND METHOD FOR SECURE EXCHANGE OF INFORMATION IN A COMPUTER SYSTEM - A system and method for secure exchange of information in a computing system is described. In one embodiment, the method includes receiving a request to switch to a safe mode from a target application. Encryption/decryption keystring is generated based on the request. The target application is responded with the decryption keystring. A key-stroke is encrypted using the encryption keystring. The encrypted key-stroke is stored in a keyboard buffer. The target application retrieves the encrypted key-stroke and decrypts the encrypted key-stroke using the decryption keystring. | 10-25-2012 |
20130019095 | Data services outsourcing verification - A method and system for verifying outsource data and providing a certification system includes but is not limited to a method including receiving one or more deposits of one or more data elements in connection with an outsourcing transaction from or on behalf of a third party, verifying an identification of the third party, maintaining a transaction log to provide a validation record acknowledging receipt of the one or more deposits, and performing a cryptographic action against one or more aspects of the outsourcing transaction to provide a certified version of the transaction log to confirm the outsourcing transaction. | 01-17-2013 |
20130031365 | INFORMATION PROTECTION SYSTEM AND METHOD - An information protection system includes a mobile terminal and an encryption module. The mobile terminal requests a key sequence by transmitting a message including a Personal Identification Number (PIN) number input by a user, and encrypts or decrypts one or more communication signals, including voice signals and data signals, based on the key sequence when the key sequence is received. The encryption module is connected to the mobile terminal. The encryption module encrypts a security key using the identifier and the PIN number of the mobile terminal, decrypts the encrypted security when requested by the mobile terminal, and transmits the key sequence generated based on the decrypted security key to the mobile terminal. | 01-31-2013 |
20130073848 | ENABLING USERS TO SELECT BETWEEN SECURE SERVICE PROVIDERS USING A KEY ESCROW SERVICE - Systems and methods are described herein for enabling users to select from available secure service providers (each having a Trusted Service Manager (“TSM”)) for provisioning applications and services on a secure element installed on a device of the user. The device includes a service provider selector (“SPS”) module that provides a user interface for selecting the secure service provider. In one embodiment, the SPS communicates with a key escrow service that maintains cryptographic keys for the secure element and distributes the keys to the user selected secure service provider. The key escrow service also revokes the keys from deselected secure service providers. In another embodiment, the SPS communicates with a central TSM that provisions applications and service on behalf of the user selected secure service provider. The central TSM serves as a proxy between the secure service providers and the secure element. | 03-21-2013 |
20130073849 | ANTI-KEYLOGGER COMPUTER NETWORK SYSTEM - An anti-keylogger computer network system includes a servo-side host computer, with a servo software which requires the user to enter confidential data. An application-side host computer is provided and a keyboard is connected to the application-side host computer. The keys on the keyboard are divided into a data key and control key. An application software is installed in the application-side host computer to receive the instructions from the servo software, and to determine when the anti-keylogger function of the keyboard module shall be started and closed. A connection network is provided for connecting the servo-side host computer to the application-side host computer. A Translate Table program is installed in the application-side host computer and a Translate Table translation program is installed in the servo software of servo-side host computer. | 03-21-2013 |
20130103941 | METHOD FOR UPDATING DATA IN A SECURITY MODULE - A method for updating operating data in a security module associated to a user unit for processing digital data broadcast in a transport stream, said unit being connected to a conditional access system transmitting, in said transport stream, to the security module a first stream comprising management messages includes: broadcasting a second stream of operating data patch messages, adding to the first stream of management messages, a trigger message to direct the security module to a conditional access system transmitting a second stream transporting suitable operating data patch messages if a current version of the operating data in the security module requires an update, updating the operating data of the concerned security module with the operating data patch messages from the second stream, directing the security module towards the conditional access system transmitting another stream based on an identifier of the conditional access system in the security module. | 04-25-2013 |
20130111207 | WRITING APPLICATION DATA TO A SECURE ELEMENT | 05-02-2013 |
20130117562 | SECURITY METHOD, ASSOCIATED CHIP CARD, MODULE AND TERMINAL - A security method in a terminal comprising a chip card offering secure functions, a user interface, a module for interfacing with the chip card and suitable for shutting down or introducing the electrical supply to the chip card. After shutdown of the chip card with the terminal being kept on, the interface module introduces the electrical supply to the chip card, encrypts a command for resumption of utilization of the secure functions with a negotiated key stored by the interfacing module, and dispatches the encrypted command to the chip card. The interface module utilizes the secure functions of the chip card when the resumption command decrypted by the chip card is recognized as a resumption command by the chip card. | 05-09-2013 |
20130124860 | Method for the Cryptographic Protection of an Application - A method is provided for cryptographic protection of an application associated with an application owner and executed in an external data processing center having a security module that stores private cryptographic material of the application owner. A first secure channel between the security module and application owner and a second secure channel between the application owner and the application are used for transmitting a cryptographic key. The cryptographic key is automatically made available to the secure module and the application via the secure channels, without the data processing center service operator being able to access said key. The application can authenticate itself using the key so that the cryptographic material can be transmitted to the application via a channel protected by the cryptographic key. The application data can be encrypted using the cryptographic material such that the application data cannot be accessed by the data processing center service operator. | 05-16-2013 |
20130151848 | CRYPTOGRAPHIC CERTIFICATION OF SECURE HOSTED EXECUTION ENVIRONMENTS - Implementations for providing a persistent secure execution environment with a hosted computer are described. A host operating system of a computing system provides an encrypted checkpoint to a persistence module that executes in a secure execution environment of a hardware-protected memory area initialized by a security-enabled processor. The encrypted checkpoint is derived at least partly from another secure execution environment that is cryptographically certifiable as including another hardware-protected memory area established in an activation state to refrain from executing software not trusted by the client system. | 06-13-2013 |
20130151849 | DEVICE, METHOD, AND SYSTEM FOR PROCESSING COMMUNICATIONS FOR SECURE OPERATION OF INDUSTRIAL CONTROL SYSTEM FIELD DEVICES - A device, method, and system for processing communications for secure operation of industrial control system field devices, includes: a processing device to be placed in-line between a Master Telemetry Unit (MTU) and a field device. A software verified microkernel includes instructions for the processing device to provide a secure partitioning of memory between a communication network interface address space, a security cell address space, and a field device interface address space. The security cell address space includes instructions to: receive communication messages from the MTU via the communication network interface address space; authenticate a user identification of each communication message; verify that an operation requested in each message is authorized for the user identification; and send each communication message having an authenticated user identification and a verified operation to the field network interface address space for communication with the field device. | 06-13-2013 |
20130159707 | Host Device and Method for Super-Distribution of Content Protected with a Localized Content Encryption Key - In one embodiment, a host device creates a super-distribution token by encrypting a content encryption key with a super-distribution key and stores the super-distribution token and encrypted content retrieved from a source storage device in a target storage device. In another embodiment, a host device provides a super-distribution token to a server, wherein the server is configured to generate an activation token from the super-distribution token, receive the activation token from the server, retrieve a content encryption key from the activation token, and decrypt encrypted content received from a storage device using the content encryption key retrieved from the activation token. | 06-20-2013 |
20130191634 | Resource Restriction Systems and Methods - Resource restrictions are associated with a user identifier. A resource restriction agent receives operating system calls related to resources and provides resource request data to a resource agent. The resource agent determines whether the resource is restricted based on the resource request data and resource restriction data and generates access data based on the determination. The resource restriction agent grants or denies the system call based on the access data. | 07-25-2013 |
20130212384 | ENABLING USERS TO SELECT BETWEEN SECURE SERVICE PROVIDERS USING A KEY ESCROW SERVICE - Systems and methods are described herein for enabling users to select from available secure service providers (each having a Trusted Service Manager (“TSM”)) for provisioning applications and services on a secure element installed on a device of the user. The device includes a service provider selector (“SPS”) module that provides a user interface for selecting the secure service provider. In one embodiment, the SPS communicates with a key escrow service that maintains cryptographic keys for the secure element and distributes the keys to the user selected secure service provider. The key escrow service also revokes the keys from deselected secure service providers. In another embodiment, the SPS communicates with a central TSM that provisions applications and service on behalf of the user selected secure service provider. The central TSM serves as a proxy between the secure service providers and the secure element. | 08-15-2013 |
20130246787 | MESSAGE STORAGE AND TRANSFER SYSTEM - An electronic content exchange system includes a communications medium and at least two storage media. Each storage media includes an interface configured to send and receive messages, a memory storing a current content, a respective unique identifier, and a log of content transfers; and a controller. The controller receives a content transfer message including at least a message content to be transferred, and executes a Transfer-in process to increase the current content by the message content to be transferred and record information of the transfer in the log. The controller receives, via the interface, a content transfer request message including at least a message content to be transferred, and executes a Transfer-out process to generate and send a content transfer message including the message content to be transferred, decreasing the current content by the message content to be transferred; and recording information of the transfer in the log. | 09-19-2013 |
20130246788 | Efficient Delivery of Structured Data Items - A configurable device and a method associated with the device is described, the device including a cryptographic engine, a seed receiver operative to receive a seed, a part seed generator operative to receive a part number, and the seed from the seed receiver, and to generate a part seed based, at least in part, on the seed and the part number, a part generator operative to receive the part seed produced by the part seed generator to produce a crypto data item part based, at least in part, on the part seed, and a cryptosystem integrator operative to integrate the produced crypto data item part into the cryptographic engine, thereby producing a crypto product wherein the cryptographic engine uses the produced crypto product as an auxiliary input into a cryptographic algorithm used to protect the digital content. Related methods, systems, and apparatus are also described. | 09-19-2013 |
20130283047 | SYSTEM AND METHOD FOR SECURELY USING MULTIPLE SUBSCRIBER PROFILES WITH A SECURITY COMPONENT AND A MOBILE TELECOMMUNICATIONS DEVICE - System and method for allowing a mobile telecom device to use multiple profiles. The system and method includes operating a security function to perform a cryptographic operation on a profile using a cryptography key of the security function thereby producing a cryptographically protected profile, storing the cryptographically protected profile, and activating the cryptographically protected profile by operating the security function to verify that the cryptographically protected profile has been cryptographically protected using the cryptography key of the security function, and upon verifying that the cryptographically protected profile has been protected using the cryptography key of the security function, activating the cryptographically protected profile. | 10-24-2013 |
20130326216 | METHODS AND ARRANGEMENTS TO LAUNCH TRUSTED, COEXISTING ENVIRONMENTS - Methods and arrangements to launch trusted, distinct, co-existing environments are disclosed. Embodiments may launch trusted, distinct, co-existing environments in pre-OS space with high assurance. A hardware-enforced isolation scheme may isolate the partitions to facilitate storage and execution of code and data. In many embodiments, the system may launch a partition manager to establish embedded and main partitions. Embedded partitions may not be visible to the main OS and may host critical operations. A main partition may host a general-purpose OS and user applications, and may manage resources that are not assigned to the embedded partitions. Trustworthiness in the launch of the embedded partition is established by comparing integrity metrics for the runtime environment against integrity measurements of a trusted runtime environment for the embedded partition, e.g., by sealing a cryptographic key with the integrity metrics in a trusted platform module. Other embodiments are described and claimed. | 12-05-2013 |
20130339728 | SECURE PRODUCT-SUM COMBINATION SYSTEM, COMPUTING APPARATUS, SECURE PRODUCT-SUM COMBINATION METHOD AND PROGRAM THEREFOR - The efficiency of multiplication in secure function computation is increased to make the secret function computation faster than before. Three or more computing apparatuses cooperate to generate a secret value of a random number, perform secure function computation for secret values of arbitrary values by using a function including addition and multiplication to compute concealed function values, and compute a secret value. If the secret value is [0], a concealed function value is output; otherwise, information indicating that tampering has been detected is output. | 12-19-2013 |
20140025947 | SINGLE COMMAND FUNCTIONALITY FOR PROVIDING DATA SECURITY AND PREVENTING DATA ACCESS WITHIN A DECOMMISSIONED INFORMATION HANDLING SYSTEM - A computer-implemented method comprises a service processor: establishing a kill switch encryption key (KSEK) to provide data security for data within storage devices of configurable components within a system; automatically encrypting, with the KSEK, data that is written to one of the storage devices; configuring the configurable components to prevent access to the stored data unless a valid copy of the KSEK is received from the service processor along with the request for the data; automatically decrypting, with the KSEK, the KSEK-encrypted data that is read from storage device; and in response to receiving a verified request to decommission the system, performing the decommissioning by deleting/erasing the KSEK from a secure storage at which the only instance of the KSEK is maintained. Deletion of the KSEK results in a permanent loss of access to the stored encrypted data within the system because the stored encrypted data cannot be decrypted without the KSEK. | 01-23-2014 |
20140040614 | SECURE FUNCTION EVALUATION FOR A COVERT CLIENT AND A SEMI-HONEST SERVER USING STRING SELECTION OBLIVIOUS TRANSFER - Methods and apparatus are provided for secure function evaluation for a covert client and a semi-honest server using string selection oblivious transfer. An information-theoretic version of a garbled circuit C is sliced into a sequence of shallow circuits C | 02-06-2014 |
20140040615 | MONITORING ENCRYPTED SESSION PROPERTIES - The present disclosure includes methods and systems for monitoring encrypted session properties. A number of embodiments include receiving a number of encrypted session properties at a real user monitor (RUM) on a real user monitoring (RUM) system and decrypting the number of encrypted session properties using an identity and access management (IAM) agent on the RUM system. | 02-06-2014 |
20140047235 | LOCAL TRUSTED SERVICE MANAGER - A method for managing a secure element which is embedded into a host unit. The described method comprises (a) transmitting a request for a management script from the host unit to a program element of the secure element, (b) at the program element, generating a management script in accordance with the request and encrypting the generated management script, (c) transmitting the encrypted management script from the program element to the host unit, (d) transmitting the encrypted management script from the host unit to a secure domain of the secure element, and (e) at the secure domain, decrypting and executing the management script. | 02-13-2014 |
20140068253 | METHOD FOR REPRODUCING CONTENT DATA AND METHOD FOR GENERATING THUMBNAIL IMAGE - A content data reproducing method includes: decrypting encrypted data to generate plain-text data; dividing the plain-text data into decrypted content data and reproduction management information; sending the reproduction management information to a user space; storing the decrypted content data in a secret buffer; obtaining the decrypted content data as reproduction target data from the secret buffer and transmitting the reproduction target data to a decoder; and decoding the reproduction target data by the decoder. | 03-06-2014 |
20140095867 | DEVICE, METHOD, AND SYSTEM FOR SECURE TRUST ANCHOR PROVISIONING AND PROTECTION USING TAMPER-RESISTANT HARDWARE - A method and device for securely provisioning trust anchors includes generating a database wrapper key as a function of computing device hardware. The database wrapper key encrypts a key database when it is not in use by a trusted execution environment and may be generated using a Physical Unclonable Function (PUF). A local computing device establishes a secure connection and security protocols with a remote computing device. In establishing the secure connection, the local computing device and remote computing device may exchange and/or authenticate cryptographic keys, including Enhanced Privacy Identification (EPID) keys, and establish a session key and device identifier(s). One or more trust anchors are then provisioned depending on whether unilateral, bilateral, or multilateral trust is established. The local computing device may act as a group or domain controller in establishing multilateral trust. Any of the devices may also require user presence to be verified. | 04-03-2014 |
20140108791 | Secure Communication Architecture Including Sniffer - Secure communication of user inputs is achieved by isolating part of an endpoint device such that certificates and encryption keys are protected from corruption by malware. Further, the communication is passed through a trusted data relay that is configured to decrypt and/or certify the user inputs encrypted by the isolated part of the endpoint device. The trusted data relay can determine that the user inputs were encrypted or certified by the protected certificates and encryption keys, thus authenticating their origin within the endpoint device. The trusted data relay then forwards the inputs to an intended destination. In some embodiments, the isolated part of the endpoint device is configured to detect input created by auto-completion logic and/or spell checking logic. | 04-17-2014 |
20140122875 | CONTAINER-BASED MANAGEMENT AT A USER DEVICE - An approach for facilitating container-based management at a user device is disclosed. In some embodiments, a request to establish a session between the user device and a network service may be provided to the network service. One or more session keys associated with the session and associated with a container at the user device may be obtained from the network service responsive to the session request. Storage, access, or a combination thereof of data at the user device may be effectuated, via the container at the user device, based on the session keys. | 05-01-2014 |
20140189347 | VIRTUAL PAD - A system and method for communicating information over an insecure communications network include one or more computing devices that may access a first server via the communication network. In operation the first server displays an authentication Web page having a virtual pad with a plurality of characters that may be selected directly from a display of the computing device. | 07-03-2014 |
20140208100 | PROVISIONING AN APP ON A DEVICE AND IMPLEMENTING A KEYSTORE - A keystore is installed on a mobile app where the keystore is created and provisioned on a server, such as an app wrapping server, under the control of an enterprise. A generic (non-provisioned) wrapped app is installed on a device. The app prompts the user to enter a passphrase. When the user does this, an app keystore is created. It has a user section and a table of contents. The keystore files are hashed, creating “first” keystore hash values. The first keystore hash values are stored in the TOC. The TOC is then hashed, creating a TOC hash value. The passphrase entered by the user is then combined with the TOC hash value. This creates a “first” master passphrase for the keystore. The keystore is then transmitted to the device where it is installed in the generic (non-provisioned) wrapped app. | 07-24-2014 |
20140208101 | CONFIDENTIAL COMPUTATION SYSTEM, CONFIDENTIAL COMPUTATION METHOD, AND CONFIDENTIAL COMPUTATION PROGRAM - A client executes processing for data encryption by adding an error vector to plaintext, the error vector being not larger than a predetermined criterion and processing for sending limitation information to a server, the limitation information being formed from a sublattice basis of a lattice generated by a secret key. The server executes processing for receiving the limitation information and storing it in a storage device and in the homomorphic computation processing on the encrypted data received from the client, processing for, when a bit length of ciphertext which is a result of the homomorphic computation processing is equal to or larger than a predetermined value, reducing the bit length of the ciphertext to a value not larger than a predetermined threshold by translating a vector of the ciphertext to an inside of a region formed from the sublattice basis corresponding to the stored limitation information. | 07-24-2014 |
20140258716 | TOTAL HYPERVISOR ENCRYPTOR - Embodiments are directed towards providing cryptographic services to protect guest operating system (OS) images in virtualized computing environments. A hypervisor may trap privileged operations initiated by guest OS images. These trapped operations may be intercepted by a cryptographic module. A hypervisor may trap a write operation made by a guest OS image, and the cryptographic module may encrypt the write buffer and return it to the hypervisor. A hypervisor may trap a read operation made by a guest OS image, and provide the encrypted data to the cryptographic module for decrypting. If the data is decrypted, the cryptographic module may provide the decrypted data to the hypervisor, which provides the decrypted data to the guest OS image. Also, guest OS image context information may be decrypted and encrypted as the guest OS image is scheduled and de-scheduled on physical CPU(s). Further, if necessary, entire guest OS images may be encrypted. | 09-11-2014 |
20140281509 | TECHNIQUES FOR SECURE DATA EXTRACTION IN A VIRTUAL OR CLOUD ENVIRONMENT - Techniques for secure data extraction in a virtual or cloud environment are presented. Desired data from a Virtual Machine (VM) or an entire VM is extracted and encrypted with a key. This key is sealed to a machine or a group of machines. The encrypted data is then migrated and successfully used on startup for instances of the VM by having the ability to access the sealed key (and unsealing it) to decrypt the encrypted data. | 09-18-2014 |
20140281510 | DECRYPTION OF DATA BETWEEN A CLIENT AND A SERVER - Technologies for securing communication may include monitoring a secured network connection between a client and a server. The secured network connection may be secured using a symmetric cryptographic key. The technologies may also include detecting a transmission of secured information between the client and the server, copying the transmission, forwarding the transmission to an intended recipient, decrypting the transmission using the symmetric cryptographic key, and determining whether the transmission is indicative of malware. | 09-18-2014 |
20140281511 | SECURE DATA PROCESSING ON SENSITIVE DATA USING TRUSTED HARDWARE - The subject disclosure is directed towards using trusted hardware to achieve secure data processing over a network. For a given set of data store operations, some operations are directed to sensitive data (e.g., encrypted data fields). These operations are compiled into a set of expressions invoking trusted hardware code configured to evaluate these expressions using corresponding data centric primitive programs. Because the trusted hardware is configured to maintain key data for encrypting/decrypting the sensitive data, the sensitive data is not accessible by an untrusted component while the sensitive data is decrypted. | 09-18-2014 |
20140317405 | SECURED COMMUNICATIONS ARRANGEMENT APPLYING INTERNET PROTOCOL SECURITY - A secure communications arrangement including an endpoint is disclosed. The endpoint includes a computing system. The computing system includes a user level services component and a kernel level callout driver interfaced to the user level services component and configured to establish an IPsec tunnel with a remote endpoint. The computing system also includes a filter engine storing one or more filters defining endpoints authorized to communicate with the endpoint via the IPsec tunnel. The computing system also includes a second kernel level driver configured to establish a secure tunnel using a second security protocol different from IPsec. | 10-23-2014 |
20140325212 | DISTRIBUTION OF ENCRYPTED INFORMATION IN MULTIPLE LOCATIONS - A method, system, and/or computer program product stores information in a distributed data-processing environment. The method comprises: encrypting, by one or more processors, a piece of information; splitting, by one or more processors, the encrypted piece of information into at least one first encrypted block and at least one second encrypted block, at least part of said at least one first encrypted block being required for decrypting said at least one second encrypted block; distributing, by one or more processors, said at least one first encrypted block for storing in at least one first location; and distributing, by one or more processors, said at least one second encrypted block for storing in at least one second location. | 10-30-2014 |
20140344569 | PROTECTING DATA - Protecting data is disclosed, including: analyzing, using one or more processors, a set of scripting resource source data to determine a plurality of semantic units; determining a tree-structured source data based at least in part on mapping values of the plurality of semantic units to respective ones of a plurality of semantic structures; selecting an obfuscation strategy to apply to the tree-structured source data, wherein the selected obfuscation strategy includes one or more obfuscation techniques; determining an obfuscated tree-structured source data based at least in part by applying the selected obfuscation strategy to the tree-structured source data; and converting the obfuscated tree-structured source data into a set of obfuscated scripting resource source data. | 11-20-2014 |
20140351584 | METHOD AND SYSTEM FOR PROTECTED TRANSMISSION OF FILES - To protect a software to be transferred to programmable electronic devices, a management system for programmable electronic devices is provided, comprising: a plurality of electronic devices ( | 11-27-2014 |
20140351585 | INFORMATION STORAGE DEVICE, INFORMATION PROCESSING SYSTEM, INFORMATION PROCESSING METHOD, AND PROGRAM - There is provided a device and a method for preventing using of illegitimate content or manufacturing of the illegitimate media that uses illegitimate media. In a system that has an information storage device, a license management apparatus that generates a media key set (MKS) that is stored in the information storage device, and a content provision apparatus, at the time of manufacturing of the information storage device, the license management apparatus compares an MKS version that is set in the MKS that is stored in the information storage device, and an allowance minimum MKS version that is recorded in a controller of the information storage device, and thus records key information stored in the MKS, in a storage unit under the condition that it is confirmed that the MKS version is equal to or greater in value than the allowance minimum MKS version. | 11-27-2014 |
20140351586 | CRYPTOGRAPHIC METHOD AND SYSTEM - In the field of security for electronic data and/or communications, a method of providing data security and/or privacy in a distributed and/or decentralised network environment. Private collaboration and/or information sharing between users, agents and/or applications is enabled, as well as the sharing of key(s) and/or content between a first user and/or agent and a second user and/or agent. The sharing may be of encrypted information via information sharing services. | 11-27-2014 |
20140380044 | ACCESSING LOCAL APPLICATIONS WHEN ROAMING USING A NFC MOBILE DEVICE - A method of accessing local applications when roaming on a NFC mobile device may include creating a first partition and a second partition on a secure element (SE) of a subscriber identification module (SIM) of a near field communication (NFC) enabled device. The home TSM separates the first partition and the second partition by public key encryption. The home TSM generates cryptographic keys in response to a request by a roaming TSM for access to the second partition of the SIM. Following the exchange of security keys, the home TSM delegates to the roaming TSM access to the second partition of the SIM. | 12-25-2014 |
20140380045 | SYSTEM AND METHOD FOR WIPING AND DISABLING A REMOVED DEVICE - A system and method implemented at a server system, for securely wiping a remote mobile device after the device registration has been removed from the server system. Prior to removal of the device registration from the server system, a “pre-packaged” command is created and stored at the server system. In the event that it is determined, after removal of the registration, that the device should be wiped or disabled, means are provided for an administrator to issue the previously stored command to the target mobile device. | 12-25-2014 |
20150074392 | SECURE PROCESSING ENVIRONMENT FOR PROTECTING SENSITIVE INFORMATION - A processor-implemented method for a secure processing environment for protecting sensitive information is provided. The processor-implemented method may include receiving encrypted data and routing the encrypted data to the secure processing environment. Then the encrypted data may be decrypted and fields containing sensitive information may be found. The method may also include obfuscating the sensitive information and returning, by the secure processing environment, the decrypted data and obfuscated data. | 03-12-2015 |
20150082029 | SHARED PORTAL CONTEXT SESSION - The present disclosure involves systems, software, and computer implemented methods for sharing session state between portal application portlets associated with different domains. One example method includes setting a cookie for use in a portal environment. The cookie is encrypted with a key and stores at least a portion of a session state associated with a current portal session. The encrypted cookie is provided for storage at a client associated with the portal session. Execution of a portal application is initiated within the portal environment. The portal application is provided with a copy of the encrypted cookie. A copy of the key is provided to the portal application. The provided copy of the key is used to decrypt the cookie at the portal application. The session state stored in the cookie is used to set at least a portion of the session state of the portal application. | 03-19-2015 |
20150113269 | HIGHLY ACCURATE SECURITY AND FILTERING SOFTWARE - Security software comprises an administrative module for configuring access levels and creating types of accounts, and an application server for domain filtering by checking against friendly and unfriendly inbound, outbound and exception lists. Hard filtering either approves, terminates requests or re-routes requests without the user's knowledge. Soft filtering passes disapproved requests and sends an e-mail alert to authorized recipients. Content filtering includes checking the content of a requested document against a friendly list, an unfriendly list and an exception list. Hard filtering passes or rejects the requested document. Soft filtering passes the requested document or rejects or approves by highlighting its content. Options include e-mail filtering that checks subject, sender's address and domain against an unfriendly, friendly and exception list; an e-mail alert for hard filtering; an inbound privacy shield; a pop-up blocker; the application server acting as a proxy server with proxy chaining capabilities; and an encryption function that can encrypt part of an e-mail message. | 04-23-2015 |
20150121070 | FIRMWARE SECURITY - One embodiment provides an apparatus adapted to perform a secure firmware upgrade. The apparatus includes a first memory and a second memory. The first memory stores a private key for use in decrypting content and a unique identifier corresponding to the apparatus. The second memory includes a first version of firmware for the apparatus. The apparatus further includes a controller configured to perform an operation that includes receiving a first request to perform a firmware update operation for the apparatus. The operation also includes transmitting a second request for a second version of firmware to a remote server, the second request specifying the unique identifier corresponding to the apparatus. Additionally, in response to transmitting the second request, an encrypted firmware package is received from the remote server. The operation further includes decrypting the encrypted firmware package using the private key and installing the decrypted firmware package on the apparatus. | 04-30-2015 |
20150127936 | USER TERMINAL DEVICE AND ENCRYPTION METHOD FOR ENCRYPTING IN CLOUD COMPUTING ENVIRONMENT - The present invention provides a user terminal device and an encryption method for encrypting in a cloud computing environment. In the user terminal device used by a user to access a management server that stores data desired to be shared in a cloud computing environment, a hooking module injection unit injects a hooking module for encrypting secure data into a process of transmitting data to the management server before transmitting the secure data requiring security from among the data. A secure data detection unit runs the hooking module to monitor if secure data is input by a user, and detects the secure data. A secure data encryption unit generates encryption data in which the detected secure data is encrypted. According to the present invention, when using a file sharing cloud service, important data in a company or personal information can be prevented from being leaked by using encryption. | 05-07-2015 |
20150134952 | SECURE VAULT SERVICE FOR SOFTWARE COMPONENTS WITHIN AN EXECUTION ENVIRONMENT - Embodiments of apparatuses, articles, methods, and systems for secure vault service for software components within an execution environment are generally described herein. An embodiment includes the ability for a Virtual Machine Monitor, Operating System Monitor, or other underlying platform capability to restrict memory regions for access only by specifically authenticated, authorized and verified software components, even when part of an otherwise compromised operating system environment. The underlying platform to lock and unlock secrets on behalf of the authenticated/authorized/verified software component provided in protected memory regions only accessible to the authenticated/authorized/verified software component. Other embodiments may be described and claimed. | 05-14-2015 |
20150143111 | METHODS AND DEVICES FOR SECURING KEYS FOR A NONSECURED, DISTRIBUTED ENVIRONMENT WITH APPLICATIONS TO VIRTUALIZATION AND CLOUD-COMPUTING SECURITY AND MANAGEMENT - The present invention discloses methods and devices for securing keys for a non-secure computing-environment. Methods include the steps of: providing a security-key framework which is adapted, upon receiving an encryption request for protecting a secret item, for repetitively encrypting the secret item with each of a set of N location-specific secure-keys, wherein each location-specific secure-key corresponds to a respective encryption location, to create an encrypted item; wherein the locations are regions of memory located in computing resources operationally connected to the computing-environment; and concealing through encryption at least one location-specific secure-key such that the concealing is configured: to prevent at least one location-specific secure-key from ever being known in an unconcealed form on any computing resource in any computing-environment during the encrypting; and to allow mathematical operations, performed as part of the encrypting and concealing, to be performed while at least one location-specific secure-key is in its concealed form. | 05-21-2015 |
20150324604 | TRUSTED AND PRIVACY-PRESERVING MECHANISM FOR ELECTRICITY USAGE DATA DISCLOSURE USING VERIFIABLE NOISE - A method of energy usage data privacy preservation is described. The method includes downloading energy usage data and a signature from a repository. The method includes determining whether the signature is that of a utility. When the signature is not that of the utility, the method includes rejecting the energy usage data. When the signature is that of the utility, the method includes generating noisy data, encrypting a message-signature pair, constructing a proof, and communicating the noisy data, the encrypted message-signature pair, and the proof to a third party. The noisy data is generated by adding random noise to the energy usage data. The message-signature pair includes the energy usage data and a verified signature. The proof is configured to establish that the encrypted message-signature pair and the noisy data are members of a corresponding proof language. | 11-12-2015 |
20150332064 | MANAGING UNLINKABLE IDENTIFIERS FOR CONTROLLED PRIVACY-FRIENDLY DATA EXCHANGE - A method for managing unlinkable database user identifiers includes distributing to a first database a first encrypted user identifier, a first database identifier, and a first database user identifier; distributing to a second database a second encrypted user identifier, a second database identifier, and a second database user identifier; receiving from the first database a third encryption and a fourth encryption, the third encryption being formed from the first encrypted user identifier, the second database identifier, and a message comprised in the fourth encryption; decrypting the third encryption thereby obtaining a decrypted value; deriving a blinded user identifier from the decrypted value; and sending the encrypted blinded user identifier and the fourth encrypted value to the second server thereby enabling the second server to compute the second database user identifier from the encrypted blinded database user identifier and the decrypted fourth encrypted value. | 11-19-2015 |
20150347779 | METHOD FOR FACILITATING TRANSACTIONS, COMPUTER PROGRAM PRODUCT AND MOBILE DEVICE - There is disclosed a method for facilitating transactions carried out by a mobile device, wherein: the mobile device executes a smart card application; the smart card application receives a cryptographic algorithm from a transaction server external to the mobile device; the smart card application further receives transaction data from said transaction server; the cryptographic algorithm encrypts said transaction data and stores the encrypted transaction data in a storage unit of the mobile device. Furthermore, a corresponding computer program product and a corresponding mobile device for carrying out transactions are disclosed. | 12-03-2015 |
20150356305 | SECURE DATA ACCESS IN A DISPERSED STORAGE NETWORK - A method begins by a processing module of a dispersed storage network (DSN) dividing data into a plurality of data units and generating a plurality of encryption keys from a master key associated with the data and a data identifier associated with the data. The method continues with the processing module encrypting the plurality of data units using the plurality of encryption keys to produce a plurality of encrypted data units and sending the plurality of encrypted data units to a first set of storage units of the DSN for storage. The method continues with the processing module encoding the master key to produce a plurality of encoded master key units and sending the plurality of encoded master key units to a second set of storage units of the DSN for storage. | 12-10-2015 |
20150358161 | SYSTEMS AND METHODS FOR SECURED BACKUP OF HARDWARE SECURITY MODULES FOR CLOUD-BASED WEB SERVICES - A new approach is proposed to support secured hardware security module (HSM) backup for a plurality of web services hosted in a cloud to offload their key storage, management, and crypto operations to the HSM. Each HSM is a high-performance, FIPS 140-compliant security solution for crypto acceleration of the web services. Each HSM includes multiple partitions isolated from each other, where each HSM partition is dedicated to support one of the web service hosts/servers to offload its crypto operations via a HSM virtual machine (VM) over the network. The HSM-VM is configured to export objects from the key store of a first HSM partition to a key store of a second HSM partition, wherein the second HSM partition is configured to serve the key management and crypto operations offloaded from the web service host once the objects exported from the key store of the first HSM partition are received. | 12-10-2015 |
20150358294 | SYSTEMS AND METHODS FOR SECURED HARDWARE SECURITY MODULE COMMUNICATION WITH WEB SERVICE HOSTS - A new approach is proposed that contemplates systems and methods to support secure communication between a hardware security module (HSM) and a plurality of web services hosted in a cloud, so that the web services can offload their key storage, management, and crypto operations to the HSM. Each of a plurality of HSM virtual machines (VMs) establishes a secure communication channel with a web service host/server to offload its key management and crypto operations to a HSM partition of the HSM dedicated to support the web service. An HSM managing VM can also be deployed to monitor and manage the operations of the HSM-VMs to support the plurality of web service hosts. | 12-10-2015 |
20150371062 | SERVER DEVICE, CONCEALED SEARCH PROGRAM, RECORDING MEDIUM, AND CONCEALED SEARCH SYSTEM - A server device | 12-24-2015 |
20160004866 | ENCRYPTION AND DECRYPTION METHODS APPLIED ON OPERATING SYSTEM - Encryption and decryption methods applied on an operating system kernel are disclosed, where a hash result is obtained from a computation between a booting program and the operating system kernel by using a definition table, the computation result is combined with the operating system kernel for encryption of the operating system kernel, and the operating system kernel may not be decrypted and thus booted whenever the booting program, the operating system kernel or the two combined are falsified or replaced, whereby the technical efficacy by which the booting program and the operating system kernel are authenticated bilaterally for safe booting may be achieved. | 01-07-2016 |
20160021541 | INTERNAL SIGNAL DIVERSION APPARATUS AND METHOD FOR MOBILE COMMUNICATION DEVICES - A mobile communications device includes a display, a plurality of sources which may comprise at least one microphone and/or at least one camera, a wireless communications module, a main processor, and a secured processor inaccessible by the main processor. A housing of the device is configured for hand-held manipulation and to support the display, the sources, the communications module, the main processor, and the secured processor. A switch is actuatable by a user of the device and coupled to at least the sources, the main processor, and the secured processor. The switch is configured to divert signals produced by the sources away from the main processor when activated, and couple signals produced by the sources to the main processor when deactivated. | 01-21-2016 |
20160070890 | Federated Digital Rights Management Scheme Including Trusted Systems - Federated systems for issuing playback certifications granting access to technically protected content are described. One embodiment of the system includes a registration server connected to a network, a content server connected to the network and to a trusted system, a first device including a non-volatile memory that is connected to the network and a second device including a non-volatile memory that is connected to the network. In addition, the registration server is configured to provide the first device with a first set of activation information in a first format, the first device is configured to store the first set of activation information in non-volatile memory, the registration server is configured to provide the second device with a second set of activation information in a second format, and the second device is configured to store the second set of activation information in non-volatile memory. | 03-10-2016 |
20160072772 | Process for Secure Document Exchange - The present disclosure provides a computer security system with a one-to-many relationship between the asymmetric key that encrypts one or more symmetric keys and the method of securing the database that manages said relationship. Further, it has a one-to-one relationship between symmetric keys and its associated document and permissions, and allows for control of delegation of said documents and permissions as they are transferred along compartments to a second user, who is the receiver of the document. In addition, it has compartments comprising an interface that integrates with a document storage as well as a storage of permissions and key relations in a multi-user environment, and further provides for the control of the primary compartment in the emission and cancellation of privileges by revoking asymmetric as well as symmetric keys within the document management system. | 03-10-2016 |
20160078239 | DATA MANAGEMENT - An example method for managing data in accordance with aspects of the present disclosure includes receiving from a user in the computer network environment a policy about how a piece of data should be treated, an encryption of the piece of data, a signature of a cryptographic hash of the policy and a cryptographic key, requesting from a trust authority the cryptographic key to access the piece of data, transmitting an encryption of at least one share to the trust authority, wherein the at least one share is created by and received from the trust authority, receiving from the trust authority the cryptographic key, wherein the cryptographic key is recreated by a combiner using a subset of the at least one share, shares associated with the trust authority and shares associated with the combiner, and decrypting the encryption of the piece of data using the recreated cryptographic key. | 03-17-2016 |
20160087793 | METHOD AND SYSTEM FOR ENFORCING ACCESS CONTROL POLICIES ON DATA - A method for enforcing access control policies on data owned by a plurality of users includes evaluating the access control policies of users, applying a collusion resistant sharing scheme for generating key shares of an encryption key and delegating the key shares to one or more designated users based on a result of the evaluation. The data is securely dispersed by applying an encryption scheme on all parts of the data to be encrypted to produce encrypted data shares. The encryption scheme is provided such that for decryption of the encrypted data, the encryption key and at least a predetermined number of data shares are provided. Each data share is delegated to one or more designated users, and the data shares and the key shares are distributed to the respective designated users. | 03-24-2016 |
20160105402 | HOMOMORPHIC ENCRYPTION IN A HEALTHCARE NETWORK ENVIRONMENT, SYSTEM AND METHODS - A system and method for homomorphic encryption in a healthcare network environment is provided and includes receiving digital data over the healthcare network at a data custodian server in a plurality of formats from various data sources, encrypting the data according to a homomorphic encryption scheme, receiving a query at the data custodian server from a data consumer device concerning a portion of the encrypted data, initiating a secure homomorphic work session between the data custodian server and the data consumer device, generating a homomorphic work space associated with the homomorphic work session, compiling, by the data custodian server, a results set satisfying the query, loading the results set into the homomorphic work space, and building an application programming interface (API) compatible with the results set, the API facilitating encrypted analysis on the results set in the homomorphic work space. | 04-14-2016 |
20160125188 | CONFIDENTIAL EXTRACTION OF SYSTEM INTERNAL DATA - Secure extraction of state information of a computer system is provided. A method includes obtaining, by a security engine of a system, a public encryption key associated with a private decryption key; generating an extraction key that is inaccessible outside of the security engine; encrypting the extraction key with the public encryption key, to thereby obtain an encrypted extraction key; collecting state information of the system; encrypting the collected state information with the extraction key and storing the encrypted collected state information; and based on a request for access to the stored encrypted collected state information by a request for the extraction key, providing the extraction key to facilitate decryption of the stored encrypted state information. | 05-05-2016 |
20160162693 | AUTOMATED MANAGEMENT OF CONFIDENTIAL DATA IN CLOUD ENVIRONMENTS - A shared networked storage may be separated from a key vault system. A storage request with data to be stored and the storage request with a confidentiality rating may be received. The confidentiality rating may indicate a level of confidentiality the data is associated with. The storage request with the data and the confidentiality rating may be received via a shared networked storage access interface by a security layer. The data to be stored by the key vault system and the confidentiality rating may be encrypted on request of the security layer and into a data container. The shared networked storage may be categorized into Cloud zones. Each Cloud zone may be assigned a trust level. The data container may be stored in one of the Cloud zones of the shared networked storage. The trust level of the one of the Cloud zones may correspond to the confidentiality rating. | 06-09-2016 |
20160171212 | METHOD AND APPARATUS FOR RANDOMIZING COMPUTER INSTRUCTION SETS, MEMORY REGISTERS AND POINTERS | 06-16-2016 |
20160171238 | GEOLOCATION-BASED ENCRYPTION METHOD AND SYSTEM | 06-16-2016 |
20160180102 | Computer program, method, and system for secure data management | 06-23-2016 |
20160182471 | NETWORK SECURITY BROKER | 06-23-2016 |
20160196438 | VIRTUAL SERVICE PROVIDER ZONES | 07-07-2016 |
20160196452 | CLOUD KEY DIRECTORY FOR FEDERATING DATA EXCHANGES | 07-07-2016 |
20160204935 | SYSTEMS AND METHODS WITH CRYPTOGRAPHY AND TAMPER RESISTANCE SOFTWARE SECURITY | 07-14-2016 |
20160379005 | SYSTEMS AND METHODS FOR SECURING DATA IN MOTION - The systems and methods of the present invention provide a solution that makes data provably secure and accessible—addressing data security at the bit level—thereby eliminating the need for multiple perimeter hardware and software technologies. Data security is incorporated or weaved directly into the data at the bit level. The systems and methods of the present invention enable enterprise communities of interest to leverage a common enterprise infrastructure. Because security is already woven into the data, this common infrastructure can be used without compromising data security and access control. In some applications, data is authenticated, encrypted, and parsed or split into multiple shares prior to being sent to multiple locations, e.g., a private or public cloud. The data is hidden while in transit to the storage location, and is inaccessible to users who do not have the correct credentials for access. | 12-29-2016 |
20160379009 | Privacy Enhanced Personal Search Index - Examples of the present disclosure describe systems and methods for enhancing the privacy of a personal search index. In some aspects, a personal cleartext document may be used to generate an encrypted document digest and an encrypted document on a first device. A second device may decrypt the document digest, build a personal search index based on the decrypted document digest, and store the encrypted document in a data store. The first device may subsequently receive a cleartext search query that is used to query the personal search index on the second device for encrypted documents. | 12-29-2016 |
20180025168 | VIRTUAL SERVICE PROVIDER ZONES | 01-25-2018 |
20190149558 | A METHOD FOR MANAGING THE STATUS OF A CONNECTED DEVICE | 05-16-2019 |