Patents Examined by Andrew Suh
  • Patent number: 11483295
    Abstract: Described embodiments provide systems and methods for establishing an end-to-end cryptographic context. A service node may be located intermediary between a client and server which provides a service to the client. At least one network device may be located intermediary between the service node and the server. The service node may obtain information for validating the service. The service node may establish an end-to-end cryptographic context between the service node and server through the network device(s). A first network device of the network device(s) may share a cryptographic context with the service node, which existed prior to establishment of the end-to-end cryptographic context. The service node may transmit a message to the network device encrypted using the first cryptographic context. The encrypted message may inform the first network device to pass through traffic that is encrypted using the end-to-end cryptographic context.
    Type: Grant
    Filed: December 5, 2018
    Date of Patent: October 25, 2022
    Assignee: Citrix Systems, Inc.
    Inventor: Viswanath Yarangatta Suresh
  • Patent number: 11457354
    Abstract: According to one embodiment, a broadcast request is received from a host that hosts an application that initiated a broadcast message to be broadcast to one or more DP accelerators of a plurality of DP accelerators coupled to the host, where the broadcast request includes one or more DP accelerator identifiers (IDs) identifying the one or more DP accelerators. A broadcast session key for a broadcast communication session to broadcast the broadcast message is received from the host. For each of the one or more DP accelerator IDs, a public key of a security key pair corresponding to the DP accelerator ID is identified. The broadcast message is encrypted using the broadcast session key. The broadcast session key is encrypted using the public key. The encrypted broadcast message and the encrypted broadcast session key are transmitted to a DP accelerator identified by the DP accelerator ID.
    Type: Grant
    Filed: December 10, 2019
    Date of Patent: September 27, 2022
    Assignees: BAIDU USA LLC, KUNLUNXIN TECHNOLOGY (BEIJING) COMPANY LIMITED
    Inventors: Yong Liu, Yueqiang Cheng
  • Patent number: 11425144
    Abstract: According to certain implementations, a permissions gateway receives an access request indicating multiple sets of secured data that include high-granularity data stored on multiple secured data repositories. The access request is compared to a permission set with multiple consent parameters, which indicate access types for the secured data. Based on a comparison of the access request to a permission set, the permissions gateway queries a first data repository for a high-granularity dataset that includes a portion of the high-granularity data, and queries a second data repository for a low-granularity dataset that includes a summary of part of the high-granularity data. The permissions gateway generates a multi-granularity response to the access request, based on a combination of the high-granularity dataset and the low-granularity dataset.
    Type: Grant
    Filed: September 24, 2019
    Date of Patent: August 23, 2022
    Assignee: EQUIFAX INC.
    Inventors: Rajkumar Bondugula, Christopher Yasko
  • Patent number: 11418332
    Abstract: An operation method of a security device which includes a plurality of physical unclonable function (PUF) cells includes selecting a target PUF cell of the plurality of PUF cells, selecting at least two reference PUF cells of the plurality of PUF cells based on a sorted list, reading a plurality of sensing data from the target PUF cell and the at least two reference PUF cells, and determining a target bit corresponding to the target PUF cell based on the plurality of sensing data to output the determined target bit.
    Type: Grant
    Filed: March 9, 2020
    Date of Patent: August 16, 2022
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Sung Ung Kwak, Sungkyoung Kim
  • Patent number: 11394552
    Abstract: A set of distance measurable encrypted feature vectors can be derived from any biometric data and/or physical or logical user behavioral data, and then using an associated deep neural network (“DNN”) on the output (i.e., biometric feature vector and/or behavioral feature vectors, etc.) an authentication system can determine matches or execute searches on encrypted data. Behavioral or biometric encrypted feature vectors can be stored and/or used in conjunction with respective classifications, or in subsequent comparisons without fear of compromising the original data. In various embodiments, the original behavioral and/or biometric data is discarded responsive to generating the encrypted vectors. In another embodiment, distance measurable or homomorphic encryption enables computations and comparisons on cypher-text without decryption of the encrypted feature vectors. Security of such privacy enabled embeddings can be increased by implementing an assurance factor (e.g.
    Type: Grant
    Filed: March 27, 2020
    Date of Patent: July 19, 2022
    Assignee: Private Identity LLC
    Inventor: Scott Edward Streit
  • Patent number: 11388199
    Abstract: Methods, systems, and computer-readable media for processing policy variance requests in an enterprise computing environment are presented. A computing platform may receive, from a first endpoint computing device, a request for a first policy variance. In response to receiving the request, the computing platform may authenticate the first endpoint computing device based on enrollment information and may validate contents of the request. Subsequently, the computing platform may generate a policy variance result message based on approval or rejection of the request for the first policy variance. Then, the computing platform may send, to the first endpoint computing device, the policy variance result message. By sending the policy variance result message to the first endpoint computing device, the computing platform may cause the first endpoint computing device to execute a policy action corresponding to the approval or rejection of the request for the first policy variance.
    Type: Grant
    Filed: October 10, 2018
    Date of Patent: July 12, 2022
    Assignee: Citrix Systems, Inc.
    Inventors: Jacob Maynard, Anjaneya Padmakar Akondi, Thierry Duchastel, Philip Wiebe, Raja Mummidi, Marcos Alejandro Di Pietro
  • Patent number: 11386228
    Abstract: A system for anonymizing motor vehicle position information includes a global positioning system (GPS) module disposed within a host vehicle, a control module disposed within the host vehicle and in electronic communication with the GPS module. The control module executes a control logic for collecting real-time host vehicle telemetry data packets from the GPS module, and a control logic for continuously wirelessly communicating the real-time host vehicle telemetry data packets.
    Type: Grant
    Filed: June 4, 2019
    Date of Patent: July 12, 2022
    Assignee: GM GLOBAL TECHNOLOGY OPERATIONS LLC
    Inventor: Donal B. McErlean
  • Patent number: 11381567
    Abstract: Executing an application within a scope of user-granted permission in a decentralized network that implements a distributed ledger. First, receiving a request from an entity for using data stored in a data storage that is associated with a DID owner as one or more inputs of an application associated with the entity to generate one or more results. Next, one or more characteristics of the application associated with the entity are identified. Based on the identified one or more characteristics, a scope of permission to access the requested data that is to be granted to the entity is determined. Then, the scope of permission is granted to the entity to use the data as the one or more inputs of the application associated with the entity. Finally, the one or more results from the application are received.
    Type: Grant
    Filed: April 29, 2019
    Date of Patent: July 5, 2022
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Brandon Murdoch, Daniel James Buchner, Ankur Patel
  • Patent number: 11374940
    Abstract: According to certain implementations, a permissions gateway receives an access request indicating multiple sets of secured data that include high-granularity data stored on multiple secured data repositories. The access request is compared to a permission set with multiple consent parameters, which indicate access types for the secured data. Based on a comparison of the access request to a permission set, the permissions gateway queries a first data repository for a high-granularity dataset that includes a portion of the high-granularity data, and queries a second data repository for a low-granularity dataset that includes a summary of part of the high-granularity data. The permissions gateway generates a multi-granularity response to the access request, based on a combination of the high-granularity dataset and the low-granularity dataset.
    Type: Grant
    Filed: September 24, 2019
    Date of Patent: June 28, 2022
    Assignee: EQUIFAX INC.
    Inventors: Rajkumar Bondugula, Christopher Yasko
  • Patent number: 11368496
    Abstract: A system validates the establishment and/or continuation of a connection between two applications over a network. The system uses network application security rules to allow or disallow connections between the two applications. Those rules include definitions of the source and destination applications to which the rules apply. The system automatically updates the application definitions over time to encompass new versions of the applications covered by the security rules, but without encompassing other applications. The system is then capable of applying the updated rules both to the original applications and to the updated versions of those applications. This process enables the security rules to maintain security over time in a way that is consistent with the original intent of the rules even as applications on the network evolve.
    Type: Grant
    Filed: June 11, 2020
    Date of Patent: June 21, 2022
    Assignee: Zscaler, Inc.
    Inventors: Peter Nahas, Peter Smith, Harry Sverdlove, John O'Neil, Scott Laplante, Andriy Kochura
  • Patent number: 11341271
    Abstract: Disclosed are embodiments for information barriers that are conditional on the type of information being communicated. Information barrier policies provided by the disclosed embodiments selectively allow communication between accounts or groups based on characteristics of the content of the communication. For example, communication between a marketing department and an engineering department may be conditional on the communication not including any sensitive information. The determination of whether the communication includes sensitive information is further designed to provide good performance even in environments that maintain substantial portions of data in an offsite or cloud environment, where latencies associated with searching large datastores can be prohibitive.
    Type: Grant
    Filed: May 15, 2020
    Date of Patent: May 24, 2022
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Jinghua Chen, Avinash G. Pillai, Jovin Vasanth Kumar Deva Sahayam Arul Raj, Dhanasekaran Raju, Apsara Karen Selvanayagam
  • Patent number: 11314870
    Abstract: There is provided a method and system for an advanced endpoint protection. With this methodology, when a file is requested to be executed on any endpoint, all intelligence sources would be checked to decide if that file has any known or potential vulnerability associated with it. If there is any information about any known or potential vulnerability, it would be launched inside the secure container to isolate all the resource usage of that application from the rest of the known good and secure applications in order to achieve the secure computing environment on an endpoint.
    Type: Grant
    Filed: March 13, 2018
    Date of Patent: April 26, 2022
    Inventors: Melih Abdulhayoglu, Ilker Simsir
  • Patent number: 11310204
    Abstract: A method for accessing a web-based repository service from a cloud platform is provided. The method may include receiving, at a gateway controller, a first request from an endpoint to access the web-based repository service. Upon successfully verifying the first request, a redirect request to a reverse proxy at the gateway controller may be returned to the endpoint. The redirect request may include a cryptographic signature and the first request. The reverse proxy may respond to the redirect request from the endpoint by accessing, on behalf of the endpoint, the web-based repository service to store and/or retrieve data. The web-based repository service may be accessed by sending, to the web-based repository service, an encrypted second request corresponding to the first request. Related systems and articles of manufacture, including computer program products, are also provided.
    Type: Grant
    Filed: November 13, 2018
    Date of Patent: April 19, 2022
    Assignee: SAP SE
    Inventor: Wolf Liebherr
  • Patent number: 11283605
    Abstract: A session user enters session user credentials that are compared with stored user credentials to validate the session user credentials. The session user identifies a selected communications method from the at least one communications method presented to the session user, and an authentication message is sent to the session user using the selected communications method. The session user enters a handwritten session signature in response to the authentication message. The handwritten session signature entered by the session user is compared with the reference signature associated with the session user to validate the handwritten session signature. If the handwritten session signature is validated, the session user is authenticated. If the session user has been validated, the session user is allowed to access a set of user information that is associated with the session user and stored on the partner server.
    Type: Grant
    Filed: October 22, 2018
    Date of Patent: March 22, 2022
    Assignee: ASIGNIO INC.
    Inventors: Kyle Rutherford, Eric Dustrude, Benjamin MacKay, Erik Hodge, Calvin Rutherford, Kevin Boyd, Carl Korth
  • Patent number: 11265153
    Abstract: The present disclosure involves systems, software, and computer implemented methods for verifying encrypted data provider data on a public storage medium. One example method includes receiving a verification request to verify encrypted data provider data stored on a public storage medium. Public storage medium entries relevant to the verification request are identified and retrieved. A homomorphic cryptosystem is used to homomorphically calculate a first encrypted target function result based on encrypted data provider data. The homomorphic cryptosystem and a verifying entity cryptosystem are used to re-encrypt the first encrypted target function result to generate a second encrypted target function result that is encrypted under the verifying entity cryptosystem and not encrypted under the homomorphic cryptosystem.
    Type: Grant
    Filed: April 15, 2020
    Date of Patent: March 1, 2022
    Assignee: SAP SE
    Inventors: Kilian Becher, Axel Schroepfer, Mirko Schaefer
  • Patent number: 11265170
    Abstract: An in-vehicle computer generates a message authentication code about its own log using its own signature key and thereby transmits a log annotated with its message authentication code to a vehicle information collection device. The vehicle information collection device generates the signature key of the in-vehicle computer, verifies the message authentication code, which is included in the log annotated with its message authentication code received from the in-vehicle computer, using the generated signature key, and thereby stores the log relating to the successfully verified message authentication code on storage media.
    Type: Grant
    Filed: August 28, 2017
    Date of Patent: March 1, 2022
    Assignee: KDDI CORPORATION
    Inventors: Keisuke Takemori, Seiichiro Mizoguchi, Hideaki Kawabata, Ayumu Kubota
  • Patent number: 11251938
    Abstract: An example operation may include one or more of receiving a request to store a data block on a hash-linked chain of data blocks, dynamically selecting a subset of non-consecutive data blocks which have been previously stored within the hash-linked chain of data blocks, generating a linking hash based on a hash value of the data block to be stored and an accumulation of hash values from the subset of non-consecutive data blocks, and adding the data block to the hash-linked chain of data blocks, wherein the added data block includes the linking hash stored therein.
    Type: Grant
    Filed: June 3, 2019
    Date of Patent: February 15, 2022
    Assignee: International Business Machines Corporation
    Inventor: Jeronimo Irazabal
  • Patent number: 11190509
    Abstract: Techniques are disclosed relating to user authentication. In some embodiments, a computing system maintains an exception handler of a software development platform. The exception handler is executable to process a particular type of exception that causes an authentication of users of applications running on the software development platform. The computing system may receive, at the exception handler, an indication of the particular type of exception thrown by a particular application. In response to receiving the indication of the particular type of exception, the exception handler issues to a web browser interacting with the application, a request that the web browser redirect to an authentication server configured to perform an authentication of a user of the particular application. The computing system receives, from the authentication server, a result of the performed authentication and returns the result to the particular application.
    Type: Grant
    Filed: April 23, 2018
    Date of Patent: November 30, 2021
    Assignee: salesforce.com, inc.
    Inventors: Matthew Wong, Alan Vangpat, Sean Tubbs, Sarah Lui, William C. Mortimore, Jr., Itzik Koren
  • Patent number: 11184406
    Abstract: A user's session of a web application or a website in a web browser is recorded and replayed while protecting private and sensitive data from unauthorized access. All the captured data needed to re-create (replay) the user's session in the browser itself is recorded and exported on demand. The need to transmit potentially sensitive and private data continuously to external server(s) is eliminated while still guaranteeing availability of a record of user activity leading up to any point of interest during the user's session. By encrypting recording information and redacting all non-layout content (e.g. text nodes, images, inputs) from the browser DOM before capturing the DOM, the visual layout of the page is maintained and the probability of leaking the user's sensitive or private information is reduced. The replaying user is still able to derive meaningful information about the user's interaction with the web application or website without jeopardizing privacy.
    Type: Grant
    Filed: August 20, 2018
    Date of Patent: November 23, 2021
    Inventor: Shashank
  • Patent number: 11171776
    Abstract: An encryption key distribution system includes: a key distribution ECU that transmits an encryption key; and a key reception ECU that receives the encryption key, the key distribution ECU: transmits the encryption key to the key reception ECU; and determines completion of transmission of the encryption key, based on a result of determination as to whether first verification data transmitted from the key reception ECU matches second verification data of the encryption key which is calculated from a common key stored in the key distribution ECU and an identifier of the key reception ECU, the key reception ECU: records the received encryption key in the key reception ECU; calculates the first verification data from the same common key as the common key stored in the key reception ECU and the identifier of the key reception ECU; and transmits the calculated first verification data to the key distribution ECU.
    Type: Grant
    Filed: July 30, 2019
    Date of Patent: November 9, 2021
    Assignee: FUJITSU LIMITED
    Inventors: Kenta Usui, Yasuhiko Abe, Naoki Suzuki