Class / Patent application number | Description | Number of patent applications / Date published |
713166000 | Security levels | 46 |
20080209211 | SECURITY, SAFETY, AND REDUNDANCY EMPLOYING CONTROLLER ENGINE INSTANCES - The claimed subject matter provides a system and/or method that facilitates employing safety within an industrial environment. An enhancing component can implement at least one of a security level, authentication, authorization, or an access right to a validated action to at least one of the controller or the controller engine instance. The enhancing component can further separate two or more entities within the industrial environment, the first entity related to process control and the second entity related to process safety. Additionally, the enhancing component can employ at least one of a backup controller or a backup controller engine instance in the event of at least one of a software error or a hardware error within the industrial environment. | 08-28-2008 |
20080215882 | Assigning Security Levels to a Shared Component - Security levels are assigned to a shared component. A workflow manager receives a workflow request that corresponds to a plurality of workflow steps. For each workflow step, the workflow manager determines whether the workflow step uses a shared component or an unshared component for execution. If the workflow step uses a shared component, the workflow manager invokes the step, and stores the step and its corresponding security level in a security tracking table. When the workflow manager encounters a shared component, the workflow manager uses the security tracking table entries in order to determine a security level to assign the shared component. The workflow manager assigns the determined security level to the shared component, and invokes the shared component to execute the corresponding process step. | 09-04-2008 |
20090125717 | Methods and Apparatus for Secure Data Processing and Transmission - Methods and apparatus provide for placing an apparatus into at least one of a plurality of operational modes, wherein: the apparatus includes a local memory, a bus operable to carry information to and from the local memory, one or more arithmetic processing units operable to process data and operatively coupled to the local memory, and a security circuit operable to place the apparatus into the operational modes; and the plurality of operational modes includes: (i) a first mode whereby the apparatus and an external device are operable to initiate a transfer of information into or out of the memory over the bus, (ii) a second mode whereby neither the apparatus nor the external device are operable to initiate a transfer of information into or out of the memory over the bus, and (iii) a third mode whereby the apparatus is operable to initiate a transfer of information into or out of the local memory over the bus, but the external device is not operable to initiate a transfer of information into or out of the local memory over the bus. | 05-14-2009 |
20090259846 | Exception types within a secure processing system - An apparatus for processing data includes a processor operable in a plurality of modes including at least one secure mode being a mode in a secure domain and at least one non-secure mode being a mode in a non-secure domain. When the processor is executing a program in a secure mode the program has access to secure data which is not accessible when the processor is operating in a non-secure mode. The processor is responsive to one or more exception conditions for triggering exception processing using an exception handler. The processor is operable to select the exception handler from among a plurality of possible exception handlers in dependence upon whether the processor is operating in the secure domain or the non-secure domain. | 10-15-2009 |
20090319787 | MULTIPLE INDEPENDENT LEVELS OF SECURITY CONTAINING MULTI-LEVEL SECURITY INTERFACE - Methods and systems for enabling security in transferring data from a single level MILS partition to the multiple level LAN. When a frame is received from an external stack via a network interface card, the frame contains a security classification, which is compared to the security classifications assigned to a plurality of internal stacks. Once a match is obtained, the frame is forwarded to the internal stack corresponding to the security classification in the frame assigned by the external stack. When a frame is received from one of the plurality of internal stacks, no security classification exists within the frame. A determination is made of the security classification assigned to the internal stack, which is then written into a security label in the frame. Once the security label is attached to the frame, the frame is sent to the external stack via a network interface card. | 12-24-2009 |
20100011209 | SECURE EXECUTION OF A COMPUTER PROGRAM - Hijacking of an application is prevented by securing execution of a computer program on a computing system. Prior to execution of the computer program, the computer program is analyzed to identify permitted targets of all indirect transfers. An application-specific policy based on the permitted targets is created. When the program is executed on the computing system, the application-specific policy is enforced such that the program is prohibited from executing indirect transfer instructions that do not target one of the permitted targets. | 01-14-2010 |
20100023761 | Systems and Methods Using Cryptography to Protect Secure Computing Environments - Secure computation environments are protected from bogus or rogue load modules, executables and other data elements through use of digital signatures, seals and certificates issued by a verifying authority. A verifying authority—which may be a trusted independent third party—tests the load modules or other executables to verify that their corresponding specifications are accurate and complete, and then digitally signs the load module or other executable based on tamper resistance work factor classification. Secure computation environments with different tamper resistance work factors use different verification digital signature authentication techniques (e.g., different signature algorithms and/or signature verification keys)—allowing one tamper resistance work factor environment to protect itself against load modules from another, different tamper resistance work factor environment. Several dissimilar digital signature algorithms may be used to reduce vulnerability from algorithm compromise, and subsets of multiple digital signatures may be used to reduce the scope of any specific compromise. | 01-28-2010 |
20100031035 | BLOCK-BASED MEDIA CONTENT AUTHENTICATION - A technique for security and authentication on block-based media involves the use of protected keys, providing authentication and encryption primitives. A system according to the technique may include a secure device having a security kernel with protected keys. A disk drive security mechanism may support authentication of data, secrecy, and ticket validation using the security kernel and, for example, a ticket services module (e.g., a shared service that may or may not be used by other storage devices like flash). | 02-04-2010 |
20100049974 | METHOD AND APPARATUS FOR VERIFICATION OF INFORMATION ACCESS IN ICT SYSTEMS HAVING MULTIPLE SECURITY DIMENSIONS AND MULTIPLE SECURITY LEVELS - We describe a model for multilevel information security. Information security is defined as combinations of confidentiality, integrity and availability. These three aspects are regarded as properties of a generic information object, and are treated as mutually independent. Each aspect is represented by an axis in an n-dimensional vector space, where n is the number of independent security aspects of interest. The model can ensure directed information flow along an arbitrary number of axes simultaneously. An information object is assigned a security label denoting the security level along an arbitrary number of axes. The model is role based. A role is assigned an access label along the same axes. Verification of a role's access to information is performed by comparing access label with security label. Since the aspects represented by each axis are mutually independent, each axis may be treated by itself. This enables a very efficient algorithm for verification of access. The model will therefore be suited for systems having low processing capacity. Based on this model, we describe a method and an apparatus to ensure confidentiality, integrity and availability for information from peripheral equipment in communications networks. Such peripheral equipment may be, but is not limited to, personal terminals for rescue personnel, soldiers etc., sensors (detectors) for smoke, gases, motion, intrusion etc. The invention supports decision support systems in that the information has known confidentiality, integrity and availability even from inexpensive sensors, which do not include a processor or the like. The invention differs from prior art in that it, among other features: treats an arbitrary number of mutually independent aspects of information security; assumes that confidentiality, integrity and availability are mutually independent variables; on this basis can verify access to information by means of simple binary operations, by a simple logic gate circuit or by a processor. | 02-25-2010 |
20100122085 | SYSTEM AND METHOD FOR PROVIDING VARIABLE SECURITY LEVEL IN A WIRELESS COMMUNICATION SYSTEM - A system and method for providing variable security levels in a wireless communication network. The present invention optimizes the often conflicting demands of highly secure wireless communications and high speed wireless communications. According to a preferred embodiment of the present invention, various security sensors are scanned to determine the likely presence of an intruder within a predetermined trust zone. If an intruder is likely present, the security level is changed to the highest setting, and consequently a lower data rate, while the intruder is identified. If the identified intruder is in fact a trusted node, the security level is returned to a lower setting. If the identified intruder is not a trusted node, the security level is maintained at an elevated state while the intruder is within the trust zone. | 05-13-2010 |
20100125732 | HOME NODE-B APPARATUS AND SECURITY PROTOCOLS - A Home Node B or Home evolved Node B (H(e)NB) apparatus and methods are disclosed. The H(e)NB includes a Trusted Environment (TrE) and interfaces including unprotected interfaces, cryptographically protected interfaces, and hardware protected interfaces. The H(e)NB includes security/authentication protocols for communication between the H(e)NB and external network elements, including a Security Gateway (SGW). | 05-20-2010 |
20100131758 | Nondestructive interception of secure data in transit - In a data level security environment, the data level security mechanism operates on plaintext data. Data level security operations identify a point in the information stream where plaintext data is available for interception. Typically this is a point in the processing stream just after the native DBMS decryption functionality has been invoked. A database monitor intercepts and scrutinizes data in transit between an application and a database by identifying a transition point between the encrypted and plaintext data where the cryptographic operations are invoked, and transfers control of the data in transit to a database monitor application subsequent to the availability of the data in plaintext form. | 05-27-2010 |
20100146270 | System and Method of Indicating the Strength of Encryption - A method and system are provided for secure messaging on mobile computing devices. The method and system provide for an indication of a security trust level associated with a security method used with an electronic message. | 06-10-2010 |
20100161978 | SYSTEM AND METHOD FOR HANDLING CROSS-PLATFORM SYSTEM CALL IN A HYBRID SYSTEM - A system and associated method for handling a system call in a hybrid system. The hybrid system comprises a first computer system and a second computer system coupled to the first computer system at a respective kernel of the respective computer system. A user application of the first computer system requests a kernel service by invoking a system call to a first kernel. The first kernel determines that the system call is remotely executed by a second kernel of the second computer system. The system call and associated parameters are converted to be executable in the second computer system and transferred to the second computer system. The second computer system executes the system call and a result is returned to the first computer system. The result is reversely converted for the first computer system and the user application receives the result. | 06-24-2010 |
20100211777 | WIRELESS TERMINAL DEVICE, WIRELESS CONNECTION METHOD, AND PROGRAM - A wireless terminal device which can be easily connected with an access point with a simple procedure and with no expertise, a wireless connection method and a program are provided. In a wireless terminal device ( | 08-19-2010 |
20100211778 | SECURITY MANAGEMENT DEVICE AND SECURITY MANAGEMENT METHOD - To provide a security management device, a security management method, a security management program and a security management system that are capable of ensuring a desired security while scheming to save a labor for the security management by the security management device performing access control of a terminal in accordance with a security level of the terminal and prompting it to do security setting. Whether or not a security level reaches a predetermined level is judged by detecting the security level of a terminal from an access pattern, and, in the case of judging that the security level of the terminal does not reach the predetermined level, an access permission range of the terminal is changed. | 08-19-2010 |
20100235632 | PROTECTING AGAINST DENIAL OF SERVICE ATTACKS USING TRUST, QUALITY OF SERVICE, PERSONALIZATION, AND HIDE PORT MESSAGES - According to an embodiment of the invention, a system for processing a plurality of service requests in a client-server system includes a challenge server for: presenting a cryptographic challenge to the client; initializing a trust cookie that encodes a client's initial priority level after the client correctly solves the cryptographic challenge; computing a trust level score for the client based on a service request wherein said trust level score is associated with an amount of resources expended by the server in handling the service request such that a higher trust level score is computed for service requests consuming less system resources; assigning the trust level score to the client based on the computation; and embedding the assigned trust level score in the trust cookie included in all responses sent from the server to the client. The system further includes an application server coupled with a firewall. | 09-16-2010 |
20100306534 | ENABLING MULTI-LEVEL SECURITY IN A SINGLE-LEVEL SECURITY COMPUTING SYSTEM - According to an embodiment, a system may comprise a mass storage device that is operable to be coupled to one or more processors. The mass storage device may comprise a base operating system that is operable to be executed by the one or more processors. The base operating system may be operable to implement a single security level. The mass storage device may also comprise a virtual operating system that is operable to be executed by the one or more processors. The virtual operating system may be executed using a virtualization tool that is executed by the base operating system. The virtual operating system may be operable to process information according to a plurality of security levels and communicate the information to one or more computing systems. The information may be communicated according to the plurality of security levels of the information. | 12-02-2010 |
20110055560 | CONVERSION OF CRYPTOGRAPHIC KEY PROTECTION - Protection of cryptographic keys is converted between one level of security and another level of security. The one level of security is different from the another level of security, and the another level of security includes the components of the one level of security. | 03-03-2011 |
20110066851 | Secure Route Discovery Node and Policing Mechanism - A computer implemented method and computer program product for obtaining a secure route. A trusted host sets a node security association for a trusted host. The trusted host receives, at the trusted host, a client communication request directed to a destination host. The trusted host builds a secure route query comprising a trusted host address, a destination host address, and at least one security level, to form at least one secure route. The trusted host sends packets from the trusted host to the destination host based on the at least one secure route. The packets are responsive to the client communication request, and the packets each have a security label that matches the security level. | 03-17-2011 |
20110083012 | PRINTING DEVICE CAPABLE OF AUTHORIZING PRINTING LIMITEDLY ACCORDING TO USER LEVEL, PRINTING SYSTEM USING THE SAME AND PRINTING METHOD THEREOF - A printing device which authorizes a printing limitedly according to a user level, a printing system using the same and a printing method thereof. The printing device includes an interface part receiving a printing data requested by a user and a security level of the requested printing data; an authentication part determining whether to print the requested printing data based on the security level and a pre-stored user level of the user; a printing part printing the requested printing data; and a controller transmitting the requested printing data received through the interface part to the printing part if the authentication part permits the printing. Accordingly, even if a user obtains an access to the system, because the user has a limitation in using and printing the data depending on his/her position or job, the security of the data can be more effectively guaranteed. | 04-07-2011 |
20110113243 | WIRELESS AD HOC NETWORK SECURITY - Providing network security includes detecting network traffic associated with an ad hoc network that includes a first station and a second station, and preventing data sent by the first station from reaching the second station. | 05-12-2011 |
20110145574 | SECURITY MANAGEMENT SERVER AND IMAGE DATA MANAGING METHOD THEREOF - A security management server includes an input unit for receiving image data from at least one network camera; a control unit for assigning an access authority level to each image data received via the input unit; and a storage unit for storing therein the image data along with the access authority levels assigned by the control unit. When receiving a request for a specific image data among the image data stored in the storage unit from a user having a user access authority level, the control unit compares the user access authority level and the access authority level assigned to the specific image data, and based on comparison result thereof, selectively provides the specific image data to the user. | 06-16-2011 |
20110173445 | SYSTEM AND METHOD FOR CONTENT BASED APPLICATION OF SECURITY LEVELS TO ELECTRONIC DOCUMENTS - The subject application is directed to a system and method for automated application of security levels to electronic documents. | 07-14-2011 |
20110173446 | System and Method for Securing Wireless Transmissions - A system and method for securing wireless transmissions is provided. A method for transmitting secure messages includes selecting a bin of codewords from a plurality of bins. The bin of codewords containing a plurality of sub-bins of codewords, and the selecting is based on a first message. The method also includes selecting a sub-bin of codewords from the plurality of sub-bins of codewords based on a second message, selecting a codeword from the sub-bin of codewords, and transmitting the selected codeword to a legitimate receiver. | 07-14-2011 |
20110238984 | MULTI-LEVEL SECURITY CLUSTER - Some embodiments may include multiple computers comprising a multi-level security system. The security system includes a first set of zones and a second set of zones, each having access to resources of a computer, a first security container having a first security label containing the first set of zones, and a second security container with a second security label containing the second set of zones. The resources and data of each of the first and second set of zones inherit the security label of their corresponding security container. The security system further includes a global zone, the global zone has access to the resources of the computer, a kernel having access to the security label information for each security container and zone, where requests for data and resources stored on the computer are first sent to the kernel, and the kernel adds the security label data, the kernel or the global zone on any computer perform security checks, and then the request may then be processed by the kernel or global zone on any computer. | 09-29-2011 |
20110276800 | Message Service Indication System and Method - Systems and methods for operation upon a data processing device for handling messages with different levels of security, are provided herein. A method for operation upon a data processing device for handling messages with different levels of security includes examining an attribute of a message received over a network in order to determine a security-related level associated with the message, generating a visual indication for display to a device user that is indicative of the determined security-related level, wherein the generated visual indication is applied to a displayed portion of text associated with the message, and changing the visual indication when the message is viewed. | 11-10-2011 |
20120011360 | KEY MANAGEMENT SYSTEMS AND METHODS FOR SHARED SECRET CIPHERS - Various embodiments are described herein for a Key Management System (KMS) and associated methods for providing authentication and secure shared key distribution capabilities without revealing a device's secret key. The KMS allows one or more accessing applications or devices residing on a variety of systems and associated with a plurality of organizations to efficiently authenticate other applications or devices with which they are in communication and to securely establish a shared secret between authenticated applications or devices. Secret keys may be cached throughout the KMS system for off-line and efficient operations. The KMS system enables authentication of devices and secure communication between these devices which may have been created and secured under different domains without those domains having an a priori relationship. | 01-12-2012 |
20120036357 | CRYPTOGRAPHIC METHOD AND APPARATUS - A method of formatting data for transmission to another party including the step of incorporating in the data a flag indicative of the absence of data for authentication of the sender. An authentication tag length is also included to permit variable length tags to be used. | 02-09-2012 |
20120047364 | SYSTEM AND METHODS FOR PROVIDING DATA SECURITY AND SELECTIVE COMMUNICATION - Systems and methods for providing data security and selective communication are provided in which a classified communication is received and processed for retransmission to a recipient having a different clearance authorization than that associated with the communication. The retransmitted data includes a subset of data that is selected based on predetermined criteria, and is determined automatically by a guard application, such that the retransmitted information is properly sanitized. | 02-23-2012 |
20120060030 | SYSTEM AND METHOD OF PROVIDING TRUSTED, SECURE, AND VERIFIABLE OPERATING ENVIRONMENT - A method and system of synergizing hardware, firmware, software, and useful feature(s) into a trusted, secure, and verifiable operating environment (TSVOE) that is critical for businesses and consumers that rely on information technology products and/or services. Such products provide various capabilities such as protecting the corporate infrastructure from attack, protecting the client from attack, designing a customizable operating schema, advanced validation of client authentication, establishing a clean environment within a dirty environment, etcetera. Moreover, by ensuring that operating environment security is achieved, a product can provide guarantees that modern state-of-the-art systems cannot. Finally, diversification of hardware, software, firmware, and features creates robust products. | 03-08-2012 |
20120079271 | METHOD AND APPARATUS FOR WIRELESS DEVICE AUTHENTICATION AND ASSOCIATION - Methods and devices controlling association and/or authentication of wireless devices. At a first wireless device which is unassociated and unauthenticated with a second device, a state variable representing the second device may be stored, where the variable indicates that the second device is unassociated and unauthenticated with the first device. A message may be received from the second device requesting to associate. The variable may be changed to indicate that the second device is associated and unauthenticated. A message may be received from the second device requesting to authenticate, and the state variable may be changed to indicate that the second device is authenticated. In some cases, a wireless device stores variable(s) representing a second device, the variables indicating that the second device is unassociated and unauthenticated, receives a message from the second device requesting authentication, and changes a state variable to indicate that the second device is authenticated. | 03-29-2012 |
20120151209 | MULTILEVEL SECURITY SERVER FRAMEWORK - Systems, apparatus and other embodiments associated with a multi-level security (MLS) server framework are presented. An MLS server framework provides a trusted virtual environment to host multiple tenants, categories, classification enclaves and security enclaves. The MLS server framework includes virtual machines, virtual networks, a mandatory access control (MAC), a hypervisor and a virtual trusted platform module (vTPM) management machine. The virtual networks are connected to the virtual machines and the hypervisor is connected to the MAC and the virtual networks. The MAC sets security policies and the hypervisor enforces the security policies and classifies virtual components within a trusted virtual environment formed by the MLS server framework. The vTPM management machine provides attestation of each virtual machine to ensure the MLS server framework is in a secure state. | 06-14-2012 |
20120198231 | SECURE COMMUNICATION DEVICE - The invention relates to a confidence core architecture that is more efficient in terms of design and evaluation than the usual architectures. The confidence core respects the partitioning principle of security recommendations, typically partitioning the red and black domains and the injection of keys. In this approach, the invention proposes the conversion of an existing single-interface component, namely an evaluated smart card component, into a multi-interface component that respects the partitioning principles. The component for carrying out the interface conversion is designed on a minimal, and if possible, an exclusively hardware basis that only implements the flow secure routing. | 08-02-2012 |
20120324222 | MULTIPLE INDEPENDENT LEVELS OF SECURITY (MILS) HOST TO MULTILEVEL SECURE (MLS) OFFLOAD COMMUNICATIONS UNIT - Systems and methods for use in secure network communication. A physical network interface receives a network packet associated with a security level. The network packet is transmitted from the physical network interface to a security policy component. The network packet is routed to a stack offload engine by the security policy component based on a network address associated with the network packet and the security level associated with the network packet. The network packet is provided by the stack offload engine to a software application via a trusted memory interface that transfers the packet to a memory portion of a plurality of memory portions. The memory portion corresponds to the security level. | 12-20-2012 |
20130219177 | SECURE DATA PROCESSING DEVICE AND METHOD - A secure data processing device is provided. The device includes a main Operating System (OS), a plurality of main processes which are executed under control of the main OS and which are associated with each other, a secure OS which is simultaneously operated with the main OS, and at least one secure process which is executed under control of the secure OS and which corresponds to at least one of the plurality of main processes. If at least one of the plurality of main processes is in an abnormal operation state, an operation of the at least one secure process is interrupted and initialized according to a request of the main OS. | 08-22-2013 |
20140068257 | METHOD FOR HANDLING PRIVACY DATA - The present invention aims to improve data protection against illegal access by a strong differentiation of the security level specific on a type of data so that when the protection on a part of the data is violated, the remaining data are still inaccessible. A method for controlling access, via an open communication network, to user private data, comprising steps of: dividing the user private data into a plurality of categories, each category defining a privacy level of the data, encrypting the user private data of each category with a category key pertaining to the category of the data, attributing to a stakeholder an entity configured for accessing to at least one category of user private data, and authorizing the access to the at least one category of user private data for the entity of the stakeholder, by providing the stakeholder with the category keys required for decrypting the user private data of the corresponding category. | 03-06-2014 |
20140115330 | Set Top Box Architecture Supporting Mixed Secure and Unsecure Media Pathways - A media processing device, such as a set top box, having a plurality of selectable hardware and software components for supporting multiple media pathways providing differing levels of security. In general, each security level corresponds to a particular certification service boundary definition(s) or key/authentication and security management scheme for managing resources such as hardware acceleration blocks and software interfaces. Different sets of components may be adaptively employed to ensure composited compliance with one or more security constraints and to address component unavailability. Security constraints may be applied, for example, on a source or media specific basis, and different versions of a media item may be provided over multiple pathways providing corresponding levels of security. In one embodiment, a service operator or content provider may provide requisite certification or security requirements, or otherwise assist in selection of pathway components. | 04-24-2014 |
20160028739 | Set Top Box Architecture Supporting Mixed Secure and Unsecure Media Pathways - A media processing device, such as a set top box, having a plurality of selectable hardware and software components for supporting multiple media pathways providing differing levels of security. In general, each security level corresponds to a particular certification service boundary definition(s) or key/authentication and security management scheme for managing resources such as hardware acceleration blocks and software interfaces. Different sets of components may be adaptively employed to ensure composited compliance with one or more security constraints and to address component unavailability. Security constraints may be applied, for example, on a source or media specific basis, and different versions of a media item may be provided over multiple pathways providing corresponding levels of security. In one embodiment, a service operator or content provider may provide requisite certification or security requirements, or otherwise assist in selection of pathway components. | 01-28-2016 |
20160028740 | METHOD AND APPARATUS FOR PROVIDING AN ADAPTABLE SECURITY LEVEL IN AN ELECTRONIC COMMUNICATION - A method of communicating in a secure communication system, comprises the steps of assembling a message at a sender, then determining a security level, and including an indication of the security level in a header of the message. The message is then sent to a recipient. | 01-28-2016 |
20160085967 | TECHNIQUES FOR ENABLING CO-EXISTENCE OF MULTIPLE SECURITY MEASURES - Various embodiments are directed to enabling anti-malware software to co-exist with protective features of an operating system. An apparatus may include a processor component including an IDT register storing an indication of size of an IDT; a monitoring component to retrieve the indication and compare the indication to a size of a guard IDT in response to modification of the IDT register to determine whether the guard routine is to inspect the IDT and a set of ISRs; and a cache component to overwrite the IDT and set of ISRs with a cached IDT and cached set of ISRs, respectively, based on the determination and prior to the inspection to prevent the guard routine from detecting a modification by an anti-malware routine, the cached IDT and cached set of ISRs generated from the IDT and set of ISRs, respectively, prior to the modification. Other embodiments are described and claimed. | 03-24-2016 |
20160105280 | Identifying Security Boundaries on Computing Devices - During booting of a computing device, multiple security boundaries are generated. A security boundary refers to a manner of operation of a computing device or a portion of the computing device, with a program executing in one security boundary being prohibited from accessing data and programs in another security boundary. As part of booting the computing device, measurements of (e.g., hash values or other identifications of) various modules loaded and executed as part of booting the computing device are maintained by a boot measurement system of the computing device. Additionally, as part of booting the computing device, a public/private key pair of one of the security boundaries is generated or otherwise obtained. The private key of the public/private key pair is provided to the one security boundary, and the public key of the public/private key pair is provided to the boot measurement system. | 04-14-2016 |
20160117519 | MULTI-LEVEL SECURITY SYSTEM FOR ENABLING SECURE FILE SHARING ACROSS MULTIPLE SECURITY LEVELS AND METHOD THEREOF - A multi-level security system includes a storage medium partitionable into a plurality of partitions, a file system coupleable to the plurality of partitions, and a plurality of enclaves. Each enclave is assigned a security classification level. Each enclave resides in a different storage partition of the storage medium. Data stored on the storage medium is cryptographically separated at rest on a per-enclave basis. Cryptographic separation occurs at the disk block level, allowing individual blocks to be read and decrypted. The system also includes a reference monitor that enforces a system security policy that governs access to information between the enclaves. The reference monitor allows an enclave having a first classification level to securely read-down to an enclave having a second classification level lower than the first classification level and to write to another enclave having the first classification level. | 04-28-2016 |
20160119298 | SYSTEM AND METHOD FOR ENCRYPTION KEY MANAGEMENT IN A MIXED INFRASTRUCTURE STREAM PROCESSING FRAMEWORK - A system and method for protecting streams in a mixed infrastructure includes determining processing elements that are to access a data stream in a stream processing environment and determining a security level for each processing element. Keys are generated per stream per processing element in accordance with the security level. The keys are associated with processing elements in an access control list in a location accessible by producing and consuming processing elements. The stream is decrypted for processing using keys released upon authenticating processing elements in accordance with the access control list. At security boundaries, the stream is re-encrypted in accordance with a next processing element. | 04-28-2016 |
20160119362 | DATA PROCESSING SYSTEM, METHOD OF INITIALIZING A DATA PROCESSING SYSTEM, AND COMPUTER PROGRAM PRODUCT - A data processing system is conceived, which comprises at least two security levels and key material stored at a specific one of said security levels, wherein the key material is tagged with a minimum security level at which the key material may be stored. | 04-28-2016 |
20180025148 | INCORPORATING RISK-BASED DECISION IN STANDARD AUTHENTICATION AND AUTHORIZATION SYSTEMS | 01-25-2018 |