Patents Examined by Michael Guirguis
  • Patent number: 9992021
    Abstract: A hardware and software bundle that can enable computers and mobile phones to communicate small data packages without relying on the internet or the central cellular network infrastructure. The bundle enables users to send text messages and other data. For example, GPS coordinates, multimedia from the situation, accelerometer and other sensor data can all be sent over a decentralized network, enabling enhanced communication and situation response when the central grid is unavailable.
    Type: Grant
    Filed: March 14, 2014
    Date of Patent: June 5, 2018
    Assignee: GoTenna, Inc.
    Inventor: Jorge Perdomo
  • Patent number: 9965640
    Abstract: A message distribution system replicates a collection of messages across multiple regional data centers. When any of the data centers receives a message for distribution from an authorized publisher, it transmits the message to each of the other data centers so that the collection of messages is immediately replicated among each data center. When any data center determines that a subscriber is connected to it, that data center determines which messages in the data collection the subscriber is authorized to receive, and it automatically sends those messages to the subscriber.
    Type: Grant
    Filed: September 24, 2012
    Date of Patent: May 8, 2018
    Assignee: PubNub Inc.
    Inventors: Stephen Blum, Todd Greene
  • Patent number: 9948455
    Abstract: A method of adding a new device (221) to a device group (210), the device group (210, 220) including a plurality of devices, wherein each device in the device group possesses a device group key and device keys of all other devices in the device group for encryption of messages, except its own device key. The method includes: establishing a secure connection between the new device (221) and a first device (211) in the device group (210); sending, by the first device (211) in the device group (210), the device group key and device keys of all other devices (212, 213, . . . , 21N) in the device group (210) to the new device (221); distributing, by one of the other devices (212, 213, . . . , 21N) in the device group (210), the device key of the first device (211) in the device group (210) to the new device (221); generating and distributing, by one of the devices (211, 212, 213, . . . , 21N) in the device group (210), a device key of the new device (221) to all other devices (211, 212, 213, . . .
    Type: Grant
    Filed: September 14, 2012
    Date of Patent: April 17, 2018
    Assignee: KONINKLIJKE PHILIPS N.V.
    Inventor: Johannes Arnoldus Cornelis Bernsen
  • Patent number: 9946662
    Abstract: A method of providing security in a computer system includes dividing a block of data into initial left and right halves, and calculating updated left and right halves for each of a plurality of rounds. Calculating the updated left half includes applying a first function to an input left half to produce a first result, and mixing the first result with an input right half. Calculating the updated right half includes applying a second function to the input left half to produce a second result, and mixing the second result with a round key. The input left and right halves are the initial left and right halves for the first round, and thereafter the updated left and right halves for an immediately preceding round. And the method may include producing a block of ciphertext with a key composed of the updated left and right halves for the last round.
    Type: Grant
    Filed: August 29, 2014
    Date of Patent: April 17, 2018
    Assignee: THE BOEING COMPANY
    Inventor: Laszlo Hars
  • Patent number: 9928385
    Abstract: A method of providing security in a computer system includes performing a memory refresh of a window of memory locations in a memory, and in which each memory location stores a version value and a block of ciphertext. The version value may be updated with each write operation at a memory location; and the block of ciphertext may be produced with a key that changes with each write operation and from memory location to memory location. The memory refresh may include performing a periodic read operation followed by a corresponding write operation at each memory location. Between the read and write operations, the version value stored at the memory location may be compared with a chronologically earliest version value stored at any memory location of the window, and validity of the block of ciphertext stored at the memory location may be verified based on the comparison.
    Type: Grant
    Filed: August 29, 2014
    Date of Patent: March 27, 2018
    Assignee: THE BOEING COMPANY
    Inventor: Laszlo Hars
  • Patent number: 9930066
    Abstract: Techniques are disclosed for securing traffic flowing across multi-tenant virtualized infrastructures using group key-based encryption. In one embodiment, an encryption module of a virtual machine (VM) host intercepts layer 2 (L2) frames sent via a virtual NIC (vNIC). The encryption module determines whether the vNIC is connected to a “secure wire,” and invokes an API exposed by a key management module to encrypt the frames using a group key associated with the secure wire, if any. Encryption may be performed for all frames from the vNIC, or according to a policy. In one embodiment, the encryption module may be located at a layer farthest from the vNIC, and encryption may be transparent to both the VM and a virtual switch. Unauthorized network entities which lack the group key cannot decipher the data of encrypted frames, even if they gain access to such frames.
    Type: Grant
    Filed: February 12, 2013
    Date of Patent: March 27, 2018
    Assignee: NICIRA, INC.
    Inventors: Amit Chopra, Uday Masurekar
  • Patent number: 9864863
    Abstract: In a compression processing storage system, using a pool of encryption processing cores, the encryption processing cores are assigned to process either encryption operations, decryption operations, and decryption and encryption operations, that are scheduled for processing. A maximum number of the encryption processing cores are set for processing only the decryption operations, thereby lowering a decryption latency. A minimal number of the encryption processing cores are allocated for processing the encryption operations, thereby increasing encryption latency. Upon reaching a throughput limit for the encryption operations that causes the minimal number of the plurality of encryption processing cores to reach a busy status, the minimal number of the plurality of encryption processing cores for processing the encryption operations is increased.
    Type: Grant
    Filed: April 14, 2014
    Date of Patent: January 9, 2018
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Jonathan Amit, Amir Lidor, Sergey Marenkov, Rostislav Raikhman
  • Patent number: 9813409
    Abstract: A method of dynamically adapting a graphical password sequence provides a secure means to access a restricted account through a dynamic password defined by element selection requirements. A selection grid is dynamically generated with graphical elements, and a password sequence is inputted by selecting certain grid cells containing graphical elements. Various preferences provide full customizability for the dynamic password, and security measures increase the difficulty of an undesirable user ascertaining the element selection requirements. The dynamic password can adapt over time through user input by designating one of the sequential locations of the password sequence as a sequence updating parameter.
    Type: Grant
    Filed: March 27, 2015
    Date of Patent: November 7, 2017
    Inventor: Yahya Zia
  • Patent number: 9769123
    Abstract: One particular example implementation of an apparatus for mitigating unauthorized access to data traffic comprises: an operating system stack to allocate unprotected kernel transfer buffers; a hypervisor to allocate protected memory data buffers, where data is to be stored in the protected memory data buffers before being copied to the unprotected kernel transfer buffers; and an encoder module to encrypt the data stored in the protected memory data buffers, where the unprotected kernel transfer buffers receive a copy of the encrypted data.
    Type: Grant
    Filed: April 15, 2013
    Date of Patent: September 19, 2017
    Assignee: Intel Corporation
    Inventors: Karanvir S. Grewal, Ravi L. Sahita, David Durham
  • Patent number: 9621524
    Abstract: Cloud storage of sensitive data is improved by ensuring that all cloud-based data is encrypted at all times, not only when the data is at rest (i.e., stored), but also while data is being processed or communicated. Cryptographic keys can advantageously be managed via cloud based resources without exposing sensitive data. Instead, a key management system maintains cryptographic functions on administrative hosts and endpoints outside of cloud-based resources so that any vulnerabilities of the cloud-based resources will expose only encrypted data, and keys and sensitive data will never be exposed in unencrypted form. Thus sensitive data is protected end-to-end among hosts and endpoints using, e.g., platform independent cryptographic functions and libraries within a web browser or the like, and the cloud functions simply as a storing and forwarding medium for secure data.
    Type: Grant
    Filed: December 16, 2013
    Date of Patent: April 11, 2017
    Assignee: Sophos Limited
    Inventor: Stephan Brenner
  • Patent number: 9553719
    Abstract: Provided is a transmitting terminal capable of sharing an encryption key among a number of specific apparatuses using fewer resources and securely. A transmitting terminal (400) has an inquiry ID generation unit (420) which embeds an encryption key in logical results of an XOR between an ID of a receiving terminal and random blocks according to predetermined key embedding rules in order to generate an inquiry ID. The key embedding rules are stipulations for inverting the values of bit positions corresponding to each bit value of the encryption key, in the block position correspondence relationships between the bit positions of the encryption key and the positions of the blocks into which the logical result of the XOR have been partitioned and the bit position correspondence relationships between the bit values of the encryption key and the bit positions within the blocks, which have been predefined.
    Type: Grant
    Filed: April 13, 2012
    Date of Patent: January 24, 2017
    Assignee: PANASONIC INTELLECTUAL PROPERTY MANAGEMENT CO., LTD.
    Inventors: Yasuaki Inatomi, Hayashi Ito
  • Patent number: 9497179
    Abstract: A method may include obtaining a layer two identification of an endpoint that is seeking access to a network, the endpoint omitting an agent to communicate a layer three address of the endpoint to a policy node, applying one or more authentication rules based on the layer two identification of the endpoint, assigning the layer three address to the endpoint, learning, by the policy node, the layer three address of the endpoint, and provisioning layer three access for the endpoint to the network based on the learned layer three address.
    Type: Grant
    Filed: January 6, 2014
    Date of Patent: November 15, 2016
    Assignee: Juniper Networks, Inc.
    Inventor: Roger A. Chickering
  • Patent number: 9455831
    Abstract: An order-preserving encryption (OPE) encryption method receives a plaintext (clear text) and generates a ciphertext (encrypted text) using software arbitrary precision floating point libraries during initial recursive computation rounds. In response to the ciphertext space reducing to a breakpoint, the OPE encryption method continues computations using a hardware floating point processor to accelerate the computation. In this manner, the OPE encryption method enables efficient order preserving encryption to enable range queries on encrypted data.
    Type: Grant
    Filed: September 18, 2014
    Date of Patent: September 27, 2016
    Assignee: Skyhigh Networks, Inc.
    Inventor: Paul Grubbs
  • Patent number: 9350748
    Abstract: Techniques for improving computer system security by detecting and responding to attacks on computer systems are described herein. A computer system monitors communications requests from external systems and, as a result of detecting one or more attacks on the computer system, the computer system responds to the attacks by modifying the behavior of the computer system. The behavior of the computer system is modified so that responses to communications requests to ports on the computer system are altered, presenting the attacker with an altered representation of the computer system and thereby delaying or frustrating the attack and the attacker.
    Type: Grant
    Filed: December 16, 2013
    Date of Patent: May 24, 2016
    Assignee: Amazon Technologies, Inc.
    Inventors: Jon Arron McClintock, George Nikolaos Stathakopoulos
  • Patent number: 9280686
    Abstract: Multiple variants of an API can coexist through API management by using metadata in a pre-processing and post-processing system to weed out requests to which a client does not have permission and return parameters that do not belong with the API request variant. Metadata is added to request objects such that an instance of a request object may be examined to determine a request handler to properly inspect the request object and recommend further processing or rejection of the instance. Metadata may also be added to a response object created as a result of processing the request object such that a response handler may be identified to ensure the fields match the proper response to the request object. The API may be dynamically managed at the point of request and also at the point of return rather than a statically coded whitelist checked multiple times within the code itself.
    Type: Grant
    Filed: July 14, 2014
    Date of Patent: March 8, 2016
    Assignee: Amazon Technologies, Inc.
    Inventors: Erik J. Fuller, Francois N. Daniels, Neil A. Eriksson
  • Patent number: 9218477
    Abstract: An electronic asymmetric unclonable function applied to an electronic system being evaluated includes an electronic system and an AUF array electronically associated with the electronic system. The AUF array includes a plurality of non-identical cells. Each of the non-identical cells includes a test element representing a characteristic of the electronic system being evaluated and a measurement device evaluating the test element. A comparison unit processes an output of the measurement device to provide a multi-bit output value representing a magnitude of differences.
    Type: Grant
    Filed: April 15, 2013
    Date of Patent: December 22, 2015
    Assignee: LEWIS INNOVATIVE TECHNOLOGIES
    Inventors: James M Lewis, Dane R Walther, Paul H Horn
  • Patent number: 9171144
    Abstract: An electronic asymmetric unclonable function applied to an electronic system being evaluated includes an electronic system and an AUF array electronically associated with the electronic system. The AUF array includes a plurality of non-identical cells. Each of the non-identical cells includes a test element representing a characteristic of the electronic system being evaluated and a measurement device evaluating the test element. A comparison unit processes an output of the measurement device to provide a multi-bit output value representing a magnitude of differences.
    Type: Grant
    Filed: April 15, 2013
    Date of Patent: October 27, 2015
    Assignee: LEWIS INNOVATIVE TECHNOLOGIES
    Inventors: James M Lewis, Dane R Walther, Paul H Horn
  • Patent number: 9037850
    Abstract: Methods, apparatus, systems and devices for facilitating transfer of a remote session from a first user terminal to a second user terminal are disclosed herein. According to one example, the transferred remote session is a telephone call session. According to another example, the transferred remote session is a session of a rights-enabled remote on-demand service—for example, a service where on demand media content is remotely provided or an interactive game service. In some embodiments, data indicative of usage rights for the remote service is transferred from the first to the second user terminal. In some embodiments, in order to transfer the session between the first terminal and second terminal, the user terminals are brought in proximity or into contact, and data indicative of the session is sent via a short-range communications channel, for example a short-range contact or ‘wired’ channel, or a short-range wireless link, for example, a Bluetooth or infrared link.
    Type: Grant
    Filed: March 18, 2007
    Date of Patent: May 19, 2015
    Assignee: SANDISK IL LTD.
    Inventor: Aran Ziv
  • Patent number: 8990550
    Abstract: Methods and apparatus are provided for securing communications between a node and a server, for example, during a boot process. In accordance with an aspect of the invention, a method is provided for securing communications between a node and a server, comprising: dynamically gathering hardware-related metadata for the node using a process running in memory; generating a unique identifier for the node using the hardware-related metadata; generating a public/private key pair for the node using the unique identifier; and securing communications between the node and the server using the public/private key pair. The process comprises, for example, an in-memory microkernel executing on a boot node. The hardware-related metadata comprises, for example, information about physical characteristics of the node. The unique identifier for the node can optionally be further based on information obtained from a Trusted Processing Module. The node can be authenticated using the public/private key pair.
    Type: Grant
    Filed: December 27, 2012
    Date of Patent: March 24, 2015
    Assignee: EMC Corporation
    Inventors: John Daniel Hushon, Nicholas Weaver, Tom McSweeney
  • Patent number: 8973146
    Abstract: A method in one example embodiment includes generating a signature for an object in a compute node in a network, searching a memory element for the signature, and responsive to determining the memory element does not contain the signature, scanning the object. The method also includes updating the memory element with a scan result, and synchronizing the memory element of the compute node with one or more memory elements of one or more other compute nodes in the network. In specific embodiments, the scan result includes the signature of the object and a threat level of the object. In further embodiments, the synchronizing includes sending the scan result to one or more other compute nodes in the network. In more specific embodiments, the scan result is sent with one or more other scan results after a predetermined interval of time from a previous synchronization.
    Type: Grant
    Filed: December 27, 2012
    Date of Patent: March 3, 2015
    Assignee: McAfee, Inc.
    Inventors: Venkata Ramanan, Simon Hunt