Patents Examined by Mohammad A. Siddiqi
  • Patent number: 11974131
    Abstract: A system described herein may receive an authentication request from a User Equipment (“UE”). The authentication request may include a particular identifier, such as an application group identifier. The system may determine whether a token is available (e.g., has been previously generated) for the UE and the particular identifier. If such token is not available, the system may initiate an authentication procedure that includes receiving input from the UE, and may generate the token, indicating that the authentication procedure has been completed. If the token is available, then the system may forgo initiating the authentication procedure. The system may output the token, such that a service provider system authenticates the UE based on the generated token and provides services to the UE based on authenticating the UE.
    Type: Grant
    Filed: May 6, 2022
    Date of Patent: April 30, 2024
    Assignee: Verizon Patent and Licensing Inc.
    Inventor: Ravi Jindal
  • Patent number: 11968310
    Abstract: A method at a network element for securely sharing services across domains, the method including receiving a request at the network element to add a first domain and an edge domain to a system; provisioning a public key of the network element to the first domain and the edge domain; receiving a public key of the first domain; populating, in the network element, a table with services provided by the first domain or the edge domain; populating, in the network element, a second table with applications installed at the first domain or edge domain and permissions for services for the applications; and controlling access to the services by the applications.
    Type: Grant
    Filed: July 23, 2021
    Date of Patent: April 23, 2024
    Assignee: BlackBerry Limited
    Inventors: Biswaroop Mukherjee, Geordon Thomas Ferguson, Roger Paul Bowman
  • Patent number: 11968227
    Abstract: A system and methods for mitigating Kerberos ticket attacks within a domain is provided, comprising an authentication object inspector configured to observe a new authentication object generated by an identity provider, and retrieve the new authentication object; and a hashing engine configured to retrieve the new authentication object from the authentication object inspector, calculate a cryptographic hash for the new authentication object, and store the cryptographic hash for the new authentication object in a data store; wherein subsequent access requests accompanied by authentication objects are validated by comparing hashes for each authentication object to previously generated hashes.
    Type: Grant
    Filed: October 18, 2023
    Date of Patent: April 23, 2024
    Assignee: QOMPLX LLC
    Inventors: Jason Crabtree, Andrew Sellers
  • Patent number: 11968303
    Abstract: Techniques of keyless authentication of computing services in distributed computing systems are disclosed herein. One example technique includes upon receiving a command to instantiate a computing service, transmitting a request to an authentication service for an identity assertion token corresponding to an application execution of which instantiates the computing service. The example technique can also include upon receiving the requested identity assertion token, storing the received identity assertion token in the container and modifying an entry of a configuration file in the container that allows the instantiated computing service to access the stored identity assertion token and authenticate to the authentication service using the identity assertion token.
    Type: Grant
    Filed: February 9, 2023
    Date of Patent: April 23, 2024
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Paranthaman Saravanan, Marc Andrew Power, Yang Zhang, Matthias Adam Leibmann, Grigory V. Kaplin, Yi Zeng
  • Patent number: 11956233
    Abstract: A method for pervasive resource identification includes receiving an authentication request from a first application service. The authentication request requests authentication of a user of a user device. The method includes obtaining device information associated with the user device of the user and generating a unique opaque identifier for the user device based on the device information. The method includes obtaining authentication credentials from the user device. The authentication credentials verify an identity of the user. In response to receiving the authentication credentials from the user device, the method includes generating an authentication token and encoding the unique opaque identifier into the authentication token. The method also includes transmitting the authentication token to the first application service.
    Type: Grant
    Filed: March 6, 2023
    Date of Patent: April 9, 2024
    Assignee: Google LLC
    Inventors: Atul Tulshibagwale, Sachin Subhashrao Parsewar, Amit Singla
  • Patent number: 11949773
    Abstract: The present disclosure is directed to systems and methods for securely managing and administering an encryption/decryption key using distributed ledger technology (DLT). In some examples, a client may possess a data attribute (or a dataset of data attributes). The client may receive tokenization parameters to apply to the data attribute to encrypt the data attribute. After tokenizing the data attribute, the client may then request the creation of an encryption key to be applied to the token. A third-party key management system (KMS) may create an encryption key and a salt. The salt may be applied to the token, and the salted token may then be encrypted. Additionally, a decryption key may be created and stored securely at the third-party KMS. The client may transmit the encrypted token to a third-party consolidation platform, wherein the consolidation platform requests access to the decryption key to unveil the underlying token.
    Type: Grant
    Filed: March 29, 2021
    Date of Patent: April 2, 2024
    Assignee: Collibra Belgium BV
    Inventor: Satyender Goel
  • Patent number: 11943338
    Abstract: A method, apparatus, system, or computer-readable medium for performing object-level encryption and key rotations is disclosed. A service platform may store data items organized into one or more asset clusters. A first content encryption key may be set as the active encryption key for an asset cluster. The active encryption key may be encrypted using the master encryption key. A first subset of data items may be encrypted using the active encryption key (e.g., the first content encryption key). After the number of data items encrypted using the active encryption key satisfies a threshold value, the first content encryption key may be set as an inactive encryption key and a second content encryption key may be set as the new active encryption key for the asset cluster. A second subset of the plurality of data items may be encrypted using the active encryption key (e.g., the second content encryption key).
    Type: Grant
    Filed: August 19, 2021
    Date of Patent: March 26, 2024
    Assignee: Capital One Services, LLC
    Inventors: Rocky Gray, Jeremy Green, Justin Bachorik, Irakli Nadareishvili
  • Patent number: 11936663
    Abstract: An example method includes detecting, using sensors, packets throughout a datacenter. The sensors can then send packet logs to various collectors which can then identify and summarize data flows in the datacenter. The collectors can then send flow logs to an analytics module which can identify the status of the datacenter and detect an attack.
    Type: Grant
    Filed: November 9, 2022
    Date of Patent: March 19, 2024
    Assignee: Cisco Technology, Inc.
    Inventors: Navindra Yadav, Abhishek Ranjan Singh, Shashidhar Gandham, Ellen Christine Scheib, Omid Madani, Ali Parandehgheibi, Jackson Ngoc Ki Pang, Vimalkumar Jeyakumar, Michael Standish Watts, Hoang Viet Nguyen, Khawar Deen, Rohit Chandra Prasad, Sunil Kumar Gupta, Supreeth Hosur Nagesh Rao, Anubhav Gupta, Ashutosh Kulshreshtha, Roberto Fernando Spadaro, Hai Trong Vu, Varun Sagar Malhotra, Shih-Chun Chang, Bharathwaj Sankara Viswanathan, Fnu Rachita Agasthy, Duane Thomas Barlow
  • Patent number: 11924347
    Abstract: There is provided an authentication system for validating identity credentials of a user attempting to access a resource provided by a remote resource provision system. The authentication system includes an input configured to receive, from the resource provision system, an authentication request comprising a cryptographic representation of digital identity data of the user and an associated token identifier, where the digital identity data comprises at least one image of an identity credential of the user. The system also includes a processor configured to: determine a pre-stored cryptographic identifier corresponding to the token identifier; and compare the received cryptographic representation with the pre-stored cryptographic identifier.
    Type: Grant
    Filed: December 12, 2022
    Date of Patent: March 5, 2024
    Assignee: MASTERCARD INTERNATIONAL INCORPORATED
    Inventors: Patrik Smets, David Anthony Roberts
  • Patent number: 11909765
    Abstract: Established user habits in carrying multiple wirelessly detectable devices are used to provide or substantiate authentication. In some embodiments, simply detecting that expected devices are co-located within a limited spatial region is sufficient to establish that the devices are being carried by a single individual. In other embodiments, particularly where the potential for spoofing by multiple individuals is a concern, single-user possession of the devices may be confirmed by various corroborative techniques. This approach affords convenience to users, who may be working at a device that lacks the necessary modality (e.g., a fingerprint or vein reader) for strong authentication.
    Type: Grant
    Filed: May 10, 2019
    Date of Patent: February 20, 2024
    Assignee: Imprivata, Inc.
    Inventors: David M. T. Ting, Alain Slak, Kyle Vernest
  • Patent number: 11907382
    Abstract: An accessory device receives authentication information from a host computing device connected thereto and determines whether the authentication information is valid. If the authentication information is valid, the accessory device applies a first access policy that specifies whether the accessory device can provide the host computing device with access to none, some, or all of various computing resources of the accessory device. If the authentication information is not valid, the accessory device applies a second access policy that is different than the first access policy. The accessory device can also be provisioned with access policies by a host computing device if the host computing device successfully authenticates with the accessory device. In either case, authenticating the host computing device may include verifying a digital signature of a certificate provided by the host computing device using a public key of a certificate authority that has been provisioned to the accessory device.
    Type: Grant
    Filed: September 2, 2022
    Date of Patent: February 20, 2024
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Ravi Kiran Chivukula, Robert D. Young, Nathan C. Sherman, Chirag Shah, Brandon Records, Astha Keshan, Eric Kotz, M. Nashaat Soliman
  • Patent number: 11909889
    Abstract: A public-private key cryptographic scheme is described for authenticating a client to a remote device or service in order to access a secure resource. The client is provided the public key, but the private key is stored in a hardware security module (HSM) that the client is not able to access. The client requests from a secure vault service that a digital signature be generated with the private key. The secure vault service accesses the HSM and generates the digital certificate, which is then passed to the client. The digital certificate may be added to a security token request submitted to an identity provider. The identity provider determines whether the digital signature came from the private key.
    Type: Grant
    Filed: May 9, 2022
    Date of Patent: February 20, 2024
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Mayukh Ray, Tolga Acar, Timothy Michael Peters
  • Patent number: 11899807
    Abstract: A method for auto discovery of sensitive data may include: (1) receiving, at data enrichment computer program in a metadata processing pipeline, raw metadata from a plurality of different data sources; (2) enriching, by the data enrichment computer program, the raw metadata; (3) converting, by the data enrichment computer program, the raw metadata and the enhanced raw metadata into a sentence structure; (4) predicting, by a category prediction computer program in the metadata processing pipeline, a predicted category for the sentence structure; (5) identifying, by a sensitive data mapping computer program, a sensitive data category that is mapped to the predicted category based on a policy mapping rule; (6) determining, by the sensitive data mapping computer program, a risk classification rating for the predicted category; and (7) tagging, by the sensitive data mapping computer program, the data source associated with the metadata based on the risk classification rating.
    Type: Grant
    Filed: August 31, 2021
    Date of Patent: February 13, 2024
    Assignee: JPMORGAN CHASE BANK, N.A.
    Inventors: Santosh Chikoti, Jeffrey Kessler, Ita B Lamont, Saurabh Gupta
  • Patent number: 11888827
    Abstract: A secure data transfer apparatus, where a processor in the apparatus is configured to execute driver software to generate cryptography information, a cryptography device in the apparatus is configured to obtain a current cryptography parameter based on the cryptography information and perform a cryptography operation using the current cryptography parameter, and a Peripheral Component Interconnect Express (PCIe) interface in the apparatus is configured to perform a ciphertext data exchange with a memory controller in a memory located external to the apparatus, where the ciphertext data exchange includes sending the ciphertext data from the cryptography device to the memory controller when the memory is to be written, and sending the ciphertext data from the memory controller to the cryptography device when the memory is to be read.
    Type: Grant
    Filed: January 26, 2021
    Date of Patent: January 30, 2024
    Assignee: HUAWEI TECHNOLOGIES CO., LTD.
    Inventor: Shilin Pan
  • Patent number: 11886609
    Abstract: A computer-implemented method for secure multi-datasource query job status notification that includes accessing notification characteristics for a query job status. Occurrence of the query job status and a present security level may be determined. Based on the notification characteristics, a notification may be generated at least in part by omitting available data based on the present security level. Based at least in part on the occurrence of the query job status, transmission of the notification to an end user computing device may be directed.
    Type: Grant
    Filed: August 17, 2022
    Date of Patent: January 30, 2024
    Assignee: Mastercard International Incorporated
    Inventors: Vikranth Kumar Anneboina, Sandeep Chakravarthy Chimakurthi, Matthew Edward Hopkins
  • Patent number: 11882215
    Abstract: One disclosed example method includes a leader client device associated with a leader participant generating a meeting key for a video meeting joined by multiple participants. For each participant, the leader client device obtains a long-term public key and a cryptographic signature associated with the participant. The leader client device verifies the cryptographic signature of the participant based on the long-term public key and the cryptographic signature. If the verification is successful, the leader client device encrypts the meeting key for the participant using a short-term private key generated by the leader client device, a short-term public key of the participant, a meeting identifier, and a user identifier identifying the participant. The leader client device further publishes the encrypted meeting key for the participant on the meeting system. The leader client device encrypts and decrypts meeting data communicated with other participants based on the meeting key.
    Type: Grant
    Filed: May 21, 2021
    Date of Patent: January 23, 2024
    Assignee: Zoom Video Communications, Inc.
    Inventors: Simon Booth, Karan Lyons
  • Patent number: 11880495
    Abstract: Computer-readable media, methods, and systems are disclosed for processing log entries in an in-memory database system employing tenant-based, group-level encryption for a plurality of tenants. A request to generate a database transaction log record is received. A log entry handle corresponding to the allocated log buffer is provided. In response to determining that the transaction log record to be written into the log buffer contains tenant-specific content, certain content requiring group-level encryption is flagged. An encryption group identifier is received, and the tenant-specific content is encrypted with a corresponding group-level encryption key. The group-level encryption group identifier is appended to the transaction log header, and log data containing the log buffer is encrypted with one or more encryption keys. Finally, the encrypted log data is persisted and subsequently read, unencrypted, and replayed under appropriate circumstances.
    Type: Grant
    Filed: May 28, 2021
    Date of Patent: January 23, 2024
    Assignee: SAP SE
    Inventor: Dirk Thomsen
  • Patent number: 11870907
    Abstract: When a user attempts to execute a procedure for transfer or the like from an app, user authentication is first required by a PIN code or the like. When the user authentication is successful, function limitation of an IC chip is released and a mode in which a function provided by the IC chip can be used is set. The app encrypts a procedure message describing procedure content with a private key using the function of the IC chip and creates an electronic signature. When the electronic signature and the procedure message are sent to an online service server, the server verifies the electronic signature using the corresponding electronic certificate. When the procedure message is sent from a valid user and it is confirmed as a result of the verification that the content is not altered, the server executes the procedure for transfer or the like in accordance with the content of the procedure message.
    Type: Grant
    Filed: June 26, 2019
    Date of Patent: January 9, 2024
    Assignee: JAPAN COMMUNICATIONS INC.
    Inventors: Naohisa Fukuda, Greg Deickman, Hiroaki Yokoyama, Yasushi Shibuya, Masataka Hayashi
  • Patent number: 11870894
    Abstract: A computer-implemented method includes: storing an encryption public key that is associated with a group of nodes, each node in the group associated with a private key share, the private key shares associated with a threshold private key reconstruction scheme for the group to allow an encryption private key associated with the encryption public key to be determined from at least a threshold of the private key shares; iteratively obtaining a plurality of indicators provided by a plurality of nodes of the group, each of the indicators representing one of an encryption private key share or a dummy signal; and identifying the encryption private key by iteratively: i) selecting a subset of the indicators; ii) calculating a possible shared secret; and iii) evaluating each possible shared secret against the encryption public key to determine whether the possible shared secret is the encryption private key. The invention is suited for implementation on a blockchain.
    Type: Grant
    Filed: May 6, 2022
    Date of Patent: January 9, 2024
    Assignee: nChain Licensing AG
    Inventors: John Fletcher, Thomas Trevethan
  • Patent number: 11863591
    Abstract: Systems, methods, and computer-readable media for on-demand security provisioning using whitelist and blacklist rules. In some examples, a system in a network including a plurality of pods can configure security policies for a first endpoint group (EPG) in a first pod, the security policies including blacklist and whitelist rules defining traffic security enforcement rules for communications between the first EPG and a second EPG in a second pod in the network. The system can assign respective implicit priorities to the one or more security policies based on a respective specificity of each policy, wherein more specific policies are assigned higher priorities than less specific policies. The system can respond to a detected move of a virtual machine associated with the first EPG to a second pod in the network by dynamically provisioning security policies for the first EPG in the second pod and removing security policies from the first pod.
    Type: Grant
    Filed: November 22, 2022
    Date of Patent: January 2, 2024
    Assignee: Cisco Technology, Inc.
    Inventors: Murukanandam Panchalingam, Umamaheswararao Karyampudi, Gianluca Mardente, Aram Aghababyan