Abstract: A method for secure online collaboration is provided. The method includes receiving, at a server of a cloud-based storage system, first encrypted data from a first client device. The cloud-based storage system stores a plurality of documents in an encrypted form. The method also includes determining a document of the plurality of documents that is associated with the first encrypted data. The document is not accessible to the server in a decrypted form. The first encrypted data represents an edit to a portion of the document. The method further includes determining a plurality of user accounts of collaborators of the document. The plurality of user accounts includes a first user account associated with the first client device. Moreover, the method includes providing the first encrypted data to one or more other client devices that are each associated with one of the plurality of user accounts, excluding the first user account.

Abstract: Systems, methods, and related technologies for device compliance monitoring are described. In certain aspects, one or more compliance rules associated with a device classification are used to determine a compliance level of a device. The one or more compliance rules may be based on a standard. An action can be initiated based on the compliance level.

Abstract: A semiconductor device includes a memory, a random number generation circuit, and a control circuit. The memory stores key information, and the random number generation circuit generates first and second random number signals. The control circuit generates sixth and seventh random number signals from the first random number signal and the key information, generates encrypted update data from update data using the seventh random number signal, transmits the first and second random number signals as request signals to an external terminal device, receives, from the external device, first and second response signals as response signals in response to the request signals, generates an eighth random number signal using the first response signal, the second and the sixth random number signals as input signals, and provides the encrypted update data for the external terminal device when the second response signal coincides with the eighth random number signal.

Abstract: An information processing apparatus includes a display unit that displays plural images consisting of one or more correct answer images selected from a candidate set, which consists of images not including images corresponding to public information of a user in an image group owned by the user, and one or more incorrect answer images other than the one or more correct answer images, and an image authentication unit that performs authentication of the user by having the user select at least one or more of the correct answer images from the plural displayed images.

Abstract: A method, a computer program product, and a system for removing padding oracles in encryption techniques. The method includes padding a plaintext message using a padding scheme producing a padded plaintext message. The method also includes encrypting the padded plaintext message using a block cipher generating an encrypted data block of fixed-size as well as a hash value. The method further includes randomly generating an ephemeral key and an initialization vector. The method also includes prepending the hash value, the ephemeral key, and the initialization vector to the encrypted data block. The method includes performing an encryption technique to the encrypted data block prepended with the hash value, the ephemeral key, and the initialization vector.

Abstract: An incident manager application (IM) for responding to data security incidents in enterprise networks is disclosed. An IM tracks the incidents in an enterprise network by storing incident objects and incident artifact (IA) metadata created for the incidents, where the incident objects and IAs include information concerning the incidents. Incident response team (IRT) personnel of the enterprise networks can define action conditions within the IM that are associated with the incident objects. When the information within the incident objects and/or IAs meets the defined action conditions, the IM includes the objects that cause the action conditions to be satisfied in messages. Devices such as user account databases and configuration servers within the enterprise network can then download the messages and execute actions that reference the objects extracted from the downloaded messages to implement a response to the incidents.

Abstract: Systems and methods perform selective rate limiting with a distributed set of agents and a remote controller. An agent receives a packet from a client, and inspects the packet using different rules. Each rule may include at least one different (i) rule definition with traffic dimensions identifying a different attack, (ii) signal with which to identify attack traffic matching the rule definition, (iii) threshold specifying a condition, and (iv) action to implement based on the condition of the threshold being satisfied. The agent provides the signal in response to the packet matching the traffic dimensions from the rule definition of a particular rule. The controller updates a value linked to the signal and a client identifier of the client, and implements the action of the particular rule across the distributed set of agents in response to the value satisfying the condition for the particular rule threshold.

Abstract: The technology disclosed herein provides a proof-of-work key wrapping system that uses integrated key fragments to cryptographically control access to data. An example method may include encrypting a first cryptographic key to produce a wrapped key, wherein the first cryptographic key enables a computing device to access content; determining a plurality of key fragments of a second cryptographic key, wherein the second cryptographic key is for decrypting the wrapped key and at least one of the plurality of key fragments is derived using one of the key fragments as input; selecting a set of cryptographic attributes for deriving the plurality of key fragments, wherein the set of cryptographic attributes are selected in view of a characteristic of the computing device; and providing the wrapped key and the set of cryptographic attributes to the computing device, the set of cryptographic attributes facilitating determination of the second cryptographic key.

Abstract: A data protection implementation solution includes utilizing a peer-to-peer network and incorporating an auditing method to record and/or track transactions related to a customer's data. A private peer-to-peer network such as inter planetary file system (IPFS) is used to achieve secured and fast data accessibility while also managing data modifications. An auditing method such as blockchain is used to record activity related to data within the IPFS network. The IPFS network may include a plurality of nodes, among which data is distributed. Devices are registered with the network, and public keys, private keys, and node identifiers are used to authenticate users and secure the data. By incorporating blockchain with the IPFS network, file commit transactions are validated and a clear ledger regarding time of modification and count of file edits is provided.

Abstract: The techniques herein are directed generally to a “zero-knowledge” data management network. Users are able to share verifiable proof of data and/or identity information, and businesses are able to request, consume, and act on the data—all without a data storage server or those businesses ever seeing or having access to the raw sensitive information (where server-stored data is viewable only by the intended recipients, which may even be selected after storage). In one embodiment, source data is encrypted with a source encryption key (e.g., source public key), with a rekeying key being an encrypting combination of a source decryption key (e.g., source private key) and a recipient's public key. Without being able to decrypt the data, the storage server can use the rekeying key to re-encrypt the source data with the recipient's public key, to then be decrypted only by the corresponding recipient using its private key, accordingly.

Abstract: A log acquirer acquires an analysis communication log and a malicious communication log. A signature generator generates a signature serving as a condition for detecting a terminal infected with malware based on a field and a value included in the malicious communication log. A malware analysis report acquirer acquires information on the malware. A malware information adder adds the information on the malware to the signature. A log analyzer analyzes the analysis communication log using the signature and detects the terminal infected with the malware. A detection result display unit displays the detection result obtained from the analysis communication log by the log analyzer and the information on the malware added to the signature used in the analysis of the analysis communication log in a manner associated with each other.

Abstract: A service controller includes a network interface for coupling to a local area network of a hospitality establishment, and one or more processors coupled to the network interface. The one or more processors are configured to detect a device identifier of a user device on a local area network of a hospitality establishment, determine whether a guest of the hospitality establishment is associated with the device identifier, and automatically activate a service for the user device at the hospitality establishment in response to detecting the device identifier on the local area network when a guest of the hospitality establishment is determined to be associated with the device identifier.

Abstract: Techniques for providing data protection in an integrated circuit are provided. An example method according to these techniques includes determining that an unauthorized update has been made to software or firmware associated with the integrated circuit, and corrupting an anti-replay counter (ARC) value, maintained in a one-time programmable memory of the integrated circuit and used by the integrated circuit to protect contents of a non-volatile memory, responsive to determining that the unauthorized update has been made to the software or the firmware.

Abstract: Systems and methods for malware detection techniques, which detect malware by identifying the C&C communication between the malware and the remote host. In particular, the disclosed techniques distinguish between request-response transactions that carry C&C communication and request-response transactions of innocent traffic. Individual request-response transactions may be analyzed rather than entire flows, and fine-granularity features examined within the transactions. As such, these methods and systems are highly effective in distinguishing between malware C&C communication and innocent traffic, i.e., in detecting malware with high detection probability and few false alarms.

Abstract: An authentication device authenticates a user using biometric information. The authentication device including: a storage unit, a first acquisition unit, a second acquisition unit, a controller, an authentication processing unit, and an update processing unit. When the first acquisition unit acquires identification information, and a combination for which the number of successes for the acquired identification information is greater than or equal to a predetermined number is present in combination information, the controller sets a threshold such that a false acceptance rate for erroneously authenticating a person other than a registered user becomes lower than when the combination is not present.

Abstract: A system for a secure connection includes an interface and a processor. The interface is configured to receive a request from a user of a tenant to enable a connection for a specific internal network application or service to an external network destination. The processor is configured to determine whether the connection is enabled for the specific internal network application or service for the tenant; and in response to determining that the connection is enabled, providing a token required for the connection to the external network destination.

Abstract: A method for end-to-end transmission of a piece of encrypted digital information includes the following steps: selection, on the computer equipment of the transmitter, of a piece of digital information and a digital identifier of the recipient; temporary encryption of the piece of digital information by execution of a local encryption application on the computer equipment with the private key of the sender; decryption of the piece of information on the equipment of the sender and encryption of the piece of information with the public key of the recipient; transmission to the recipient, by the computer equipment, from the sender, of the piece of digital information encrypted with the public key of the sender, optionally by the intermediary of the transactional platform; and decryption by the computer equipment of the recipient of the piece of information with the public key of the sender.

Abstract: Provided are a key generation device and an in-vehicle computer which is installed in a vehicle. The key generation device includes a vehicle interface, a key generation unit that generates first and second keys, a cryptographic processing unit that encrypts the first key with an initial key to generate first encrypted data and encrypts the second key with the first key to generate second encrypted data, an expected value calculation unit that calculates an expected value of stored data using the second key, and a verification unit that verifies a received measured value on the basis of the expected value, and the key generation device transmits the first and second encrypted data to the vehicle. The in-vehicle computer includes an interface unit, a cryptographic processing unit that decrypts the received first encrypted data, and decrypts the received second encrypted data, and a measured value calculation unit.

Abstract: A secure password-based single sign-on process enables a user to access a web application without the authorization credentials transmitted over a distributed computing network. A network directory service system utilizes an identity management system, outside of the client device, to execute a sign-on to a web-based resource in a Hyper-V container. The browser cookie from the sign-on process is returned to the client device in a sign-on script that the client-side browser uses to transition to the web portal or home page of the target web-based resource.

Abstract: An exemplary method comprises generating receiving an authentication request from a graphical user interface on a first computing device; generating a first encrypted media element; displaying the encrypted media element on the GUI; receiving a second encrypted media element from a second computing device; upon determining that the first and second encrypted media elements have a positive match, querying an identification value associated with the second computing device; receiving the identification value associated with the second computing device; upon the identification value matching a data record within a database, determining an account associated with the data record within the database; and authenticating the first computing device by granting the first computing device access to the account associated with the second computing device.