Patents Examined by Nelson S. Giddins
  • Patent number: 11562050
    Abstract: An integrated circuit includes: one or more protected circuits; a license control circuit configured to request, from a license issuer, a license for activating the one or more protected circuits, the license request having a seed value; and a cryptographic circuit configured to verify the authenticity of a license received from the license issuer based on the seed value, wherein the license control circuit is configured to impose a validity limit on the received license, and to request a new license from the license issuer before the validity limit of the received license.
    Type: Grant
    Filed: December 7, 2018
    Date of Patent: January 24, 2023
    Assignees: CENTRE NATIONAL DE LA RECHERCHE SCIENTIFIQUE, Université de Montpellier, ALGODONE
    Inventors: Lionel Torres, Jérôme Rampon, Gaël Paul
  • Patent number: 11562061
    Abstract: An authentication method for a tag device includes exchanging authentication codes between the tag device and an authentication server to perform mutual authentication. A reader device acts as a communications bridge between the tag device and the authentication server. The reader device may observe mutual authentication between the tag device and the authentication server as an indicator that the tag device is authentic. A failure of mutual authentication indicates that the tag device is not authentic.
    Type: Grant
    Filed: July 21, 2021
    Date of Patent: January 24, 2023
    Inventor: William Guie Rivard
  • Patent number: 11562071
    Abstract: Techniques for detecting malware via scanning for dynamically generated function pointers in memory are disclosed. In some embodiments, a system/process/computer program product for detecting malware via scanning for dynamically generated function pointers in memory includes detecting a dynamically generated function pointer in memory based on an analysis of monitored changes in memory during execution of a malware sample in a computing environment; and generating a signature based on detection of the dynamically generated function pointer in memory, wherein the malware sample was determined to be malicious.
    Type: Grant
    Filed: January 7, 2022
    Date of Patent: January 24, 2023
    Assignee: Palo Alto Networks, Inc.
    Inventor: Robert Jung
  • Patent number: 11558205
    Abstract: A first IoT device includes a memory, a transceiver, bloom filter evaluation, false positive comparison and control modules. The memory stores: a bloom filter set including an array of bits representing entries in a certificate revocation list; and a false positive set including a list of certificate entries falsely identified as being revoked. The transceiver receives from a second IoT device a message including a certificate. The bloom filter evaluation module receives the bloom filter set from a back office station and determines whether an identifier associated with the certificate is in the bloom filter set. The false positive comparison module receives the false positive set from the back office station and determines whether the identifier is in the false positive set. The control module permits communication between the first and second IoT devices based on whether the identifier is in the bloom filter and false positive sets.
    Type: Grant
    Filed: September 30, 2020
    Date of Patent: January 17, 2023
    Assignee: GM GLOBAL TECHNOLOGY OPERATIONS LLC
    Inventors: Jingwen Jin, David W. Racklyeft, Amandeep Dhaliwal
  • Patent number: 11558191
    Abstract: Systems and methods are provided for object identifier translation using a key pairs platform in a virtualized or cloud-based computing system. A key pair refers to a pair of identifiers held by an entity. Each key pair includes at least one anonymized object identifier. Advantageously, the key pair system protects privacy and provides anonymity for objects by not disclosing the identity of the objects or the underlying data associated with the objects.
    Type: Grant
    Filed: September 4, 2020
    Date of Patent: January 17, 2023
    Assignee: COMMERCE SIGNALS, INC.
    Inventors: Marc Luce, Rodney C. Cook, Thomas Noyes
  • Patent number: 11552783
    Abstract: A method of performing ordered statistics between at least two parties is disclosed which includes identifying a first dataset (xA) by a first node (A), identifying a second dataset (xB) by a second node (B), wherein xB is unknown to A and xA is unknown to B, and wherein A is in communication with B, and wherein A and B are in communication with a server (S), A and B each additively splitting each member of their respective datasets into corresponding shares, sharing the corresponding shares with one another, arranging the corresponding shares according to a mutually agreed predetermined order into corresponding ordered shares, shuffling the ordered shares into shuffled shares, re-splitting the shuffled shares into re-split shuffled shares, and performing an ordered statistical operation on the re-split shuffled shares, wherein the steps of shuffle and re-split are based on additions and subtractions but not multiplication and division.
    Type: Grant
    Filed: January 27, 2022
    Date of Patent: January 10, 2023
    Assignee: Purdue Research Foundation
    Inventors: Mikhail J Atallah, Siva Chaitanya Chaduvula, Adam Dachowicz, Jitesh H Panchal, Mohammad S Rahman
  • Patent number: 11537745
    Abstract: The technology disclosed relates to distributing a trained master deep learning (DL) stack with stored parameters to a plurality of organizations, to detect organization sensitive data in images, referred to as image-borne organization sensitive documents, and protecting against loss of the image-borne organization sensitive documents. Disclosed is providing organizations with a DL stack update trainer, under the organizations' control, configured to allow the organizations to perform update training to generate updated DL stacks, without the organizations forwarding images of organization-sensitive training examples, and to save non-invertible features derived from the images, ground truth labels for the images, and parameters of the updated DL stacks.
    Type: Grant
    Filed: December 9, 2020
    Date of Patent: December 27, 2022
    Assignee: Netskope, Inc.
    Inventors: Siying Yang, Xiaolin Wang, Krishna Narayanaswamy, Yi Zhang
  • Patent number: 11539690
    Abstract: An application server of an authentication system includes a requesting part that makes a request for possession authentication which is authentication using an authenticator, when the requesting part receives a request for authentication of a user from a terminal, a verifying part that receives an authentication result of the possession authentication and information for verification from the authentication server, and verifies the validity of the authentication server on the basis of the received information for verification, and a providing part that provides a function related to the application to the terminal if the verifying part verifies that the authentication server is valid. The authentication server of the authentication system includes a possession authentication part and a result transmission part that transmits the authentication result of the possession authentication and the information for verification to the application server.
    Type: Grant
    Filed: December 14, 2020
    Date of Patent: December 27, 2022
    Assignee: Capy Japan Inc.
    Inventors: Kazuhiro Nakagawa, Takanobu Watanabe, Mitsuo Okada
  • Patent number: 11526596
    Abstract: A method, system and apparatus for requesting a plurality of credentials from a trusted entity. A local validation device (LVD) receives a credential request or an identifier from each of a plurality of user devices. The LVD generates or compiles a bundle of credential requests corresponding to the plurality of user devices. The LVD transmits the bundle of credential requests to the MVD. The MVD receives the bundle of requests and performs a validation for each request in the bundle and then communicates the credentials and/or the results of the validations to the LVD. The LVD communicates credentials to each of the plurality of user devices. In some cases, the LVD performs the validation for each credential request. For instance, the LVD can receive a local enforcement policy from the MVD, which can provide instructions or guidance to the LVD as to how to perform the validations.
    Type: Grant
    Filed: November 10, 2020
    Date of Patent: December 13, 2022
    Assignee: DigiCert, Inc.
    Inventors: Wade Johnathon Choules, Darin Scott Andrew, Ricky Eldon Roos, Jason Allen Sabin, Daniel Robert Timpson
  • Patent number: 11522852
    Abstract: In a display system according to the present disclosure, a server device includes an authentication processor that authenticates a user for use of a file, based on authentication information of the user input at a user terminal and an access information generator that generates first access information for accessing the file if the user is authenticated by the authentication processor for use of the file, and a display device includes a file acquirer that acquires the file from the server device, based on the first access information generated by the access information generator, and a display processor that displays the file acquired by the file acquirer, on the display.
    Type: Grant
    Filed: June 2, 2020
    Date of Patent: December 6, 2022
    Assignee: SHARP KABUSHIKI KAISHA
    Inventors: Shinsuke Murata, Yoshiaki Tanaka, Akinori Ohnishi
  • Patent number: 11522723
    Abstract: Example implementations relate to a method and system for provisioning an identity certificate for a BMC of a platform. Based on the certificate signing request (CSR) received from the BMC, a certificate authority (CA) associated with the platform manufacturer may verify the identity of the security processor and private key of BMC. A cryptographic audit session log between a provisioning service of the platform and the security coprocessor of the platform is received along with the CSR at the CA implemented in a cloud system. The CA verifies the signature on the received cryptographic audit session log. After verification, validation tools at the cloud system determine a first time and second time associated with the security coprocessor. When the difference between the first time and the second time is below an expected time of cryptographic communication, the CSR is considered as a valid request and an identity certificate for the BMC is generated and transmitted to the platform.
    Type: Grant
    Filed: March 1, 2021
    Date of Patent: December 6, 2022
    Assignee: Hewlett Packard Enterprise Development LP
    Inventors: Ludovic Emmanuel Paul Noel Jacquin, Nigel John Edwards, Luis E. Luciani, Jr.
  • Patent number: 11516023
    Abstract: A proxy revocation service provides a reliable service for performing revocation checks. The proxy revocation service queries public certificate authorities for the revocation status of a set of digital certificates and maintains a database of the revocation statuses. The proxy revocation service provides a singular endpoint that is Application Protocol Interface (API) accessible to web clients. Web clients communicate with the proxy revocation service through use of API messages to perform revocation checks, rather than communicating with the public certificate authorities using an online certificate status protocol (OCSP). Use of the proxy revocation service provides both a reliable service for performing revocation checks as well as shifts the complexity away from the web clients.
    Type: Grant
    Filed: November 5, 2021
    Date of Patent: November 29, 2022
    Assignee: Snowflake Inc.
    Inventors: Harsh Chaturvedi, Harsha S. Kapre, Srinath Shankar
  • Patent number: 11516022
    Abstract: A proxy revocation service provides a reliable service for performing revocation checks. The proxy revocation service queries public certificate authorities for the revocation status of a set of digital certificates and maintains a database of the revocation statuses. The proxy revocation service provides a singular endpoint that is Application Protocol Interface (API) accessible to web clients. Web clients communicate with the proxy revocation service through use of API messages to perform revocation checks, rather than communicating with the public certificate authorities using an online certificate status protocol (OCSP). Use of the proxy revocation service provides both a reliable service for performing revocation checks as well as shifts the complexity away from the web clients.
    Type: Grant
    Filed: October 31, 2021
    Date of Patent: November 29, 2022
    Assignee: Snowflake Inc.
    Inventors: Harsh Chaturvedi, Harsha S. Kapre, Srinath Shankar
  • Patent number: 11516189
    Abstract: Systems, methods, and apparatuses for a virtual transponder utilizing inband telemetry are disclosed. A disclosed method for a virtual transponder utilizing inband telemetry comprises receiving, by a vehicle, encrypted host commands from a host spacecraft operations center (SOC). The method further comprises receiving, by the vehicle via the host SOC, encrypted hosted commands from a hosted payload (HoP) operation center (HOC). Also, the method comprises reconfiguring a payload on the vehicle according to unencrypted host commands and/or unencrypted hosted commands. In addition, the method comprises transmitting payload data to a host receiving antenna and/or a hosted receiving antenna. In addition, the method comprises transmitting, by a host telemetry transmitter on the vehicle, encrypted host telemetry to the host SOC. Further, the method comprises transmitting, by the payload antenna, encrypted hosted telemetry to the HOC.
    Type: Grant
    Filed: June 15, 2021
    Date of Patent: November 29, 2022
    Assignee: The Boeing Company
    Inventors: Robert J. Winig, Kristina Miller, Eric Anden
  • Patent number: 11514182
    Abstract: A method for managing data includes obtaining a workload generation request, wherein the workload generation request specifies a security compliant rule, in response to the workload generation request: selecting a first set of resource devices using a resource allocation master list, initiating a security compliance test on the first set of resource devices to obtain a security compliance result, making a first determination, based on the security compliance result, that the first set of resource devices meet a security compliance criterion, and in response to the first determination: storing a virtual certificate in a security compliance database based on the security compliance result, and allocating the first set of resource devices to a workload based on the workload generation request.
    Type: Grant
    Filed: March 4, 2020
    Date of Patent: November 29, 2022
    Assignee: Dell Products L.P.
    Inventors: Rizwan Ali, Dharmesh M. Patel, Ravikanth Chaganti
  • Patent number: 11514152
    Abstract: A computer-implemented method for allowing access to an application includes program code executing on a processor(s) receiving a username and a password as input from a user, in respective fields on a login screen. The program code generates a respective ciphered text corresponding to each of the received username and the received password. The program code displays the respective ciphered text as a modified onscreen output on the login screen, alongside the respective entered username and password which are shown in an unreadable form on the login screen. The program code provides viewing controls to the user. The program code verifies the user based on the respective ciphered text displayed as the modified output on the login screen.
    Type: Grant
    Filed: May 11, 2018
    Date of Patent: November 29, 2022
    Inventor: Gaurav Sharma
  • Patent number: 11509679
    Abstract: Example methods, apparatus, systems and articles of manufacture (e.g., non-transitory physical storage media) to provide trust topology selection for distributed transaction processing in computing environments are disclosed herein. Example distributed transaction processing nodes disclosed herein include a distributed transaction application to process a transaction in a computing environment based on at least one of a centralized trust topology or a diffuse trust topology. Disclosed example distributed transaction processing nodes also include a trusted execution environment to protect first data associated with a centralized trust topology and to protect second data associated with a diffuse trust topology. Disclosed example distributed transaction processing nodes further include a trust topology selector to selectively configure the distributed transaction application to use the at least one of the centralized trust topology or the diffuse trust topology to process the transaction.
    Type: Grant
    Filed: July 31, 2020
    Date of Patent: November 22, 2022
    Assignee: Intel Corporation
    Inventors: Ned Smith, Rajesh Poornachandran
  • Patent number: 11509672
    Abstract: A system and method of detecting an unauthorized access, phish attempt, or ransomware attempt based on limiting network transmission of data packets within an authorized device range. The method includes establishing a router hop limit value to predetermine an authorized device range for data packets to be exchanged between communicating pair devices and limiting transmission of data packets to within the predetermined authorized device range by discarding data packets after reaching the predetermined authorized device range as a function of the established hop limit value, to exclude devices beyond the predetermined authorized device range. Analyzer, Explorer, Setter, Modifier and Monitor Modules interoperate to suppress spurious communications from remote intruders.
    Type: Grant
    Filed: June 1, 2020
    Date of Patent: November 22, 2022
    Assignee: Hopzero, Inc.
    Inventor: William Nicholas Alderson
  • Patent number: 11507700
    Abstract: A secure computing platform and method for securely enabling inserted or replacement hardware devices during boot of a computing platform are discussed. More particularly, an authorized list holding identifying information associated with approved insertable or replaceable hardware devices is maintained in non-volatile storage and checked by the firmware during a platform boot sequence against identifying information provided by the inserted or replacement hardware devices. Only devices whose information matches the stored authorized list information are enabled.
    Type: Grant
    Filed: October 5, 2020
    Date of Patent: November 22, 2022
    Assignee: Insyde Software Corp.
    Inventor: Timothy Andrew Lewis
  • Patent number: 11507667
    Abstract: Disclosed are various examples for managing firmware passwords, such as BIOS passwords. A password reset command can be generated and transmitted to a client device. A management agent can execute the command and provide confirmation to a management service that the password has been updated.
    Type: Grant
    Filed: June 24, 2020
    Date of Patent: November 22, 2022
    Assignee: VMware, Inc.
    Inventors: Evgeniy Sayapin, Stephanie Bauman, Neeraj Saluja