Patents Examined by Eleni Shiferaw
  • Patent number: 11558183
    Abstract: A system is provided for exchanging symmetric cryptographic keys using computer network port knocking. The system may receive, from a networked computing device, a first series of packets on a first series of ports which may signify a request to open a secure network connection. Once the secure network connection has been opened, the system may receive a second series of packets on a second series of ports which may be used as seed values to generate a symmetric cryptographic key. Finally, the system may then receive a third series of packets on a third series of ports which may signify the end of the second series of packets (e.g., the seed values). In this way, the system may exchange symmetric key values with the networked computing device which may then be used to open secure communication channels between the system and the computing device.
    Type: Grant
    Filed: May 15, 2020
    Date of Patent: January 17, 2023
    Assignee: BANK OF AMERICA CORPORATION
    Inventor: Brandon Sloane
  • Patent number: 11457014
    Abstract: A method, system and computer program product relating to an application server operable to manage a microservice-based application, i.e. app, on behalf of clients, the clients being available for use by system actors who may be, for example, end users, bots, developers or other apps. A permissions validator is used to compute effective permissions in response to client requests. The requests are granted or denied conditional on the effective permissions being at least a subset of the permissions required to be given by any of the app's microservices that are needed for the resource being requested. The effective permissions are computed from an intersection of a set of actor permissions, a set of client permissions and a set of resource permissions.
    Type: Grant
    Filed: October 26, 2017
    Date of Patent: September 27, 2022
    Assignee: International Business Machines Corporation
    Inventors: Vincent Burckhardt, Andre Fischer, Olgierd Pieczul, Jürgen Schmidt, Xiao F. Yu
  • Patent number: 11431480
    Abstract: A method, apparatus, and system for assigning the execution of a cryptography and/or compression operation on a data segment to either a central processing unit (CPU) or a hardware cryptography/compression accelerator is disclosed. In particular, a data segment on which a cryptography and/or compression operation is to be executed is received. Status information relating to a CPU and a hardware cryptography/compression accelerator is determined. Whether the operation is to be executed on the CPU or on the hardware accelerator is determined based at least in part on the status information. In response to determining that the operation is to be executed on the CPU, the data segment is forwarded to the CPU for execution of the operation. On the other hand, in response to determining that the operation is to be executed on the hardware accelerator, the data segment is forwarded to the hardware accelerator for execution of the operation.
    Type: Grant
    Filed: July 11, 2019
    Date of Patent: August 30, 2022
    Assignee: EMC IP HOLDING COMPANY LLC
    Inventors: Bing Liu, Tao Chen, Wei Lin, Yong Zou
  • Patent number: 11425016
    Abstract: A system related to black hole filtering is provided. The system can allow a dynamic routing protocol on a network device to determine whether a route learned by the dynamic routing protocol is a black hole route. The route may be learned through another source. In response to a determination that the route is the black hole route, the dynamic routing protocol may generate a routing update that indicates the route as the black hole route. The dynamic routing protocol may then advertise the routing update to each neighbor network device.
    Type: Grant
    Filed: July 30, 2018
    Date of Patent: August 23, 2022
    Assignee: Hewlett Packard Enterprise Development LP
    Inventors: Anil Raj, Anoop Govindan Nair, Srijith Ponnappan
  • Patent number: 11423156
    Abstract: The disclosure relates to detecting vulnerabilities in managed client devices. A system determines whether a vulnerability scan of a computing device is required to be performed. The system installs a vulnerability detection component in the computing device in response to determining that the vulnerability scan is required to be performed. The system requests the vulnerability detection component to perform the vulnerability scan of the computing device. The system transmits a result of the vulnerability scan to a remote management service for the computing device.
    Type: Grant
    Filed: October 14, 2019
    Date of Patent: August 23, 2022
    Assignee: AirWatch LLC
    Inventors: Scott Harlow Kelley, Adarsh Subhash Chandra Jain, Stephen Turner
  • Patent number: 11418349
    Abstract: The present invention relates to a block chain-based method of generating data block shared between a plurality of nodes. According to an example, the method for generating the data block may comprise a step for obtaining at least one binding data having public or private characteristics; a step for determining a binding key having a decoding permission level for each binding data; a step for encoding the binding data using the binding key; and a step for generating a data block including the encoded binding data, and at least a portion of the binding key.
    Type: Grant
    Filed: February 12, 2019
    Date of Patent: August 16, 2022
    Inventor: Park Sung Bae
  • Patent number: 11405223
    Abstract: In accordance with an embodiment, a physically unclonable function device includes a set of transistor pairs, transistors of the set of transistor pairs having a randomly distributed effective threshold voltage belonging to a common random distribution; a differential read circuit configured to measure a threshold difference between the effective threshold voltages of transistors of transistor pairs of the set of transistor pairs, and to identify a transistor pair in which the measured threshold difference is smaller than a margin value as being an unreliable transistor pair; and a write circuit configured to shift the effective threshold voltage of a transistor of the unreliable transistor pair to be inside the common random distribution.
    Type: Grant
    Filed: February 6, 2020
    Date of Patent: August 2, 2022
    Assignees: STMICROELECTRONICS (ROUSSET) SAS, STMICROELECTRONICS (CROLLES 2) SAS
    Inventors: Francesco La Rosa, Marc Mantelli, Stephan Niel, Arnaud Regnier
  • Patent number: 11379612
    Abstract: A method of optimizing performance of and securing cloud storage and databases including analyzing data comprised by a data request by an agent application on a computerized device, the data request being generated by a client application and inserting a tag into the data request responsive to the analysis of the data comprised by the data request, the tag indicating storage requirements for at least one of security, access speed, or fault tolerance.
    Type: Grant
    Filed: October 17, 2019
    Date of Patent: July 5, 2022
    Inventor: Vijay Madisetti
  • Patent number: 11366895
    Abstract: Embodiments include side channel defender circuitry to protect shared code pages in executable only memory (XOM) from side-channel exploits. The side channel defender circuitry receives system calls and determines whether code pages include executable code, whether the code pages include writeable code, and whether the code pages include instructions capable of altering or modifying one or more protection keys associated with code pages stored in XOM. If the code pages contain executable code that is writeable or executable code that includes instructions capable of altering or modifying one or more protection keys associated with code pages stored in XOM, the side channel defender circuitry aborts the system call.
    Type: Grant
    Filed: September 28, 2018
    Date of Patent: June 21, 2022
    Assignee: Intel Corporation
    Inventors: Ravi Sahita, Mingwei Zhang
  • Patent number: 11343672
    Abstract: A system and method for secure communications between a master and a plurality of devices in a wireless communications network are provided. The method includes encrypting, on said master, downlink plaintext for multicast transmission to a plurality of devices over a wireless communications link utilizing a symmetric key encryption algorithm in accordance with a first counter value and a shared symmetric session key; and decrypting, on one of said devices, multicast downlink cyphertext received from said master over said wireless communications link utilizing a symmetric key decryption algorithm in accordance with a second counter value and said shared symmetric session key.
    Type: Grant
    Filed: February 19, 2020
    Date of Patent: May 24, 2022
    Assignee: Coretigo Ltd.
    Inventors: Nir Efraim Joseph Tal, Dan Wolberg, Alex Regev
  • Patent number: 11336434
    Abstract: An Internet of Things (IoT) networking authentication system and a method thereof are provided. The IoT networking authentication system includes an idle IoT apparatus and a networked IoT apparatus. The idle IoT apparatus encrypts a connection request according to a key to generate a connection request ciphertext and sends the connection request ciphertext. The networked IoT apparatus receives the connection request ciphertext and decrypts, according to the key, the connection request ciphertext to obtain the connection request. The networked IoT apparatus authenticates the idle IoT apparatus according to the connection request to generate an authentication result. The networked IoT apparatus determines, according to the authentication result and a networking condition, whether to allow the idle IoT apparatus to join an IoT network, so as to generate a connection response. The networked IoT apparatus outputs the connection response to the idle IoT apparatus.
    Type: Grant
    Filed: July 7, 2020
    Date of Patent: May 17, 2022
    Assignee: REALTEK SEMICONDUCTOR CORP.
    Inventors: Zuo-Hui Peng, Zhao-Ming Li, Guo-Feng Zhang, Cui Ding, Jing-Jun Wu
  • Patent number: 11336442
    Abstract: Traditional key generation methods in a noisy network often assume trusted devices and are thus vulnerable to many attacks including covert channels. The present invention differs from previous key generation schemes in that it presents a mechanism which allows secure key generation with untrusted devices in a noisy network with a prescribed access structure.
    Type: Grant
    Filed: November 8, 2018
    Date of Patent: May 17, 2022
    Assignee: UNIVERSIDAD DE VIGO
    Inventors: Marcos Curty Alonso, Lo Hoi-Kwong
  • Patent number: 11296875
    Abstract: A method for cryptographic key provisioning includes, via a main authentication server (MAS), generating a first secret key and registering a client by performing a first portion of a first instance of a distributed threshold oblivious pseudo-random function. The first instance of the function results in the client obtaining a root secret key and the MAS obtaining a corresponding root public key. The method includes authenticating the client to the MAS by performing a first portion of a second instance of the distributed threshold oblivious pseudo-random function. The second instance of the function results in the client obtaining the root secret key. Information stored by the client, the first secret key, and a second secret key generated by a support authentication server are inputs to at least one of the first and second instances of the distributed threshold oblivious pseudo-random function.
    Type: Grant
    Filed: March 27, 2020
    Date of Patent: April 5, 2022
    Assignees: NEC LABORATORIES EUROPE GMBH, IMDEA SOFTWARE INSTITUTE
    Inventors: Claudio Soriente, Antonio Faonio, Maria Isabel Gonzalez Vasco, Angel Perez del Pozo
  • Patent number: 11258616
    Abstract: A decentralized key management system according to an embodiment of the present disclosure includes a bootstrap for generating a key and obtaining a certificate corresponding to the generated key, a memory for receiving the key and the certificate from the bootstrap and storing the key and the certificate, a container, in response to a mount command of the bootstrap, for reading the key and the certificate from the memory and being mounted with the key and the certificate, and a controller for generating the bootstrap, and deleting the bootstrap after the container mounts the key and the certificate.
    Type: Grant
    Filed: May 28, 2020
    Date of Patent: February 22, 2022
    Assignee: SAMSUNG SDS CO., LTD.
    Inventors: Hyo Jung Lee, Chang Suk Yoon, Jung Woo Cho, Young Woon Kwon, Kwang Cheol Lee
  • Patent number: 11251937
    Abstract: Provided herein are exemplary systems and methods for creating a secure self-validating network of blockchain/distributed ledger participants. Some exemplary mechanisms support self-validation, mutual-validation, external-validation and privacy controls. Such mechanisms enable the deployment and continued operation of large scale blockchain and distributed ledger systems with a self-certifying security system. They create the ability for rules to be codified to control the rights, privileges and access of nodes depending on their self-certification and external-certification. Also provided is an audit trail of these certifications which can be used for liability claims, insurance, security analytics and forensics.
    Type: Grant
    Filed: January 18, 2019
    Date of Patent: February 15, 2022
    Assignee: CipherTrace, Inc.
    Inventor: David Jevans
  • Patent number: 11251581
    Abstract: A device that is capable of eliminating a power trace that can be analyzed in a power analysis attack and serves as a highly effective countermeasure against power analysis attacks. The device comprises an optical source providing optical energy to an integrated circuit. An optical detector is optically linked to the optical source and converts the optical energy from the optical source into electrical energy to power a secure circuit.
    Type: Grant
    Filed: June 30, 2020
    Date of Patent: February 15, 2022
    Inventors: Jennifer Lynn Dworak, Ping Gui, Scott McWilliams, Gary Alan Evans
  • Patent number: 11245690
    Abstract: A system and method provide streamlined restricted access to a secure server through a communications network. A client identifier parameter value is established and uniquely associated with a user registering with an authentication server, and is stored in at least first and second predetermined storage forms within a data storage system, the first form readable exclusively by a client device of the user and the second form readable by the authentication server. The client device then authenticates by retrieving the client identifier parameter value from the data storage system and providing it to the authentication server, which independently retrieves the client identifier parameter value from the data storage system for comparison, and initiates an interactive communication session between the client device and the secure server responsive to the comparison. Between comparisons, the client identifier parameter values are stored exclusively on the data storage system and deleted from all other devices.
    Type: Grant
    Filed: February 5, 2020
    Date of Patent: February 8, 2022
    Assignee: DG Ventures, LLC
    Inventor: Jung Yoon
  • Patent number: 11240011
    Abstract: An object sharing system and an object sharing method are provided. The system includes a plurality of shared objects and a plurality of data servers. The shared objects are respectively provided by a plurality of object suppliers. The data servers are respectively provided by the object suppliers and connected to form a distributed data redundancy network so as to store a plurality of sub-secret data separated from shared secret information in a decentralized way. The data server of each of the object suppliers is connected to the shared objects provided by the object supplier, and collects a required quantity of sub-secret data for reconstructing the shared secret information via the distributed data redundancy network so as to reconstruct the shared secret information configured to verify an access right to the shared object for a user device when receiving an access request for the shared object from the user device.
    Type: Grant
    Filed: August 26, 2019
    Date of Patent: February 1, 2022
    Assignee: Industrial Technology Research Institute
    Inventor: Po-Ling Sun
  • Patent number: 11232718
    Abstract: A method performed by a device for protecting data is provided. The method comprises inputting, to a Physically Unclonable Function, PUF, of the device, a challenge; obtaining, from the PUF, a response; and protecting the data by using the response. A device, a method in an encryption unit, computer program and computer program product are also provided.
    Type: Grant
    Filed: February 1, 2017
    Date of Patent: January 25, 2022
    Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
    Inventors: Karl Norrman, Elena Dubrova
  • Patent number: 11197157
    Abstract: A method, an apparatus, and a system for performing authentication on a terminal in a wireless local area network are provided. The method uses a feature code as a part of an authentication credential. The feature code is a function of capability parameters of a terminal. The feature code can identify the terminal, so that the authentication server determines the authentication result based on a MAC address and the feature code of the terminal.
    Type: Grant
    Filed: April 25, 2019
    Date of Patent: December 7, 2021
    Assignee: Huawei Technologies Co., Ltd.
    Inventors: Qian Wang, Dexiang Song, Daoli Yu