Abstract: Devices and techniques for efficient host assisted logical-to-physical (L2P) mapping are described herein. For example, a command can be executed that results in a change as to which physical address of a memory device corresponds to a logical address. The change can be obfuscated as part of an obfuscated L2P map for the memory device and written to storage on the memory device. The change can then be provided a host from the storage.

Abstract: The example embodiments are directed to a system and method for forecasting anomalies in feature detection. In one example, the method includes storing feature behavior information of at least one monitoring node of an asset, including a normalcy boundary identifying normal feature behavior and abnormal feature behavior for the at least one monitoring node in feature space, receiving input signals from the at least one monitoring node of the asset and transforming the input signals into feature values in the feature space, wherein the feature values are located within the normalcy boundary, forecasting that a future feature value corresponding to a future input signal from the at least one monitoring node is going to be positioned outside the normalcy boundary based on the feature values within the normalcy boundary, and outputting information concerning the forecasted future feature value being outside the normalcy boundary for display.

Abstract: A system can provide a web browser application that generates a request for a data object to a server. The system can include a syncer delegate that intercepts the request from the web browser application and determines whether the requested data object is available in a cache memory. If the data object is available in the cache memory, the requested data object is transferred from the memory to the web browser application and the request is forwarded to a server over a network. If the data object is not available in the cache memory, the request is forwarded to a server over a network. The server can transfer the data object over the network to the syncer delegate, which can provide the data object to the web browser application and update the cache with the newly-received data object.

Abstract: Disclosed are various embodiments for a transmission service to suspend temporarily transmission of electronic communications to a recipient. In one embodiment, the transmission service receives a request to suspend receiving electronic communications temporarily for a suspension period. In response, the transmission service suspends transmitting electronic communications to the recipient during the duration of the suspension period. Then, the transmission service resumes transmitting electronic communications to the recipient upon the expiration of the suspension period.

Abstract: A computer-implemented method of managing security services for one or more cloud computing platforms is disclosed. The method comprises receiving, by a security gateway system having a processor, a digital communication related to one of one or more computing applications hosted by a virtual cluster for private use on a cloud computing platform, the security gateway system residing within the cloud computing platform, the security gateway system performing network security gateway functions for the one or more computing applications. The method also comprises storing the digital communication in association with a timestamp in a storage device. The method further comprises receiving a piece of threat intelligence data indicating a security threat from a main controller residing outside the virtual cluster; storing the piece of threat intelligence data in a database; and determining whether the piece of threat intelligence data applies to any of the digital communications in the storage device.

Abstract: The present invention filters access points presented to a user and locks onto an access point. An access point filtering unit determines the access points accessible by a client device and then filters them to present only the access points that are acceptable under a security policy in force. An access point locking unit has a plurality of operating modes and can lock onto a user selected access point, a security policy prescribed access point, or the access point with the best signal profile. The present invention also includes several methods such as: a method for filtering access points for presentation to the user, a method for locking onto an access point selected by the user, a method for locking onto an access point with the best signal profile, and a method for locking onto an access point prescribed by a security policy for a given location.

Abstract: Systems, apparatuses and methods may provide for detecting an identifier communication from a writing implement and transitioning a previously modified interior page of an electronic notepad from a locked state to an unlocked state if the identifier communication corresponds to one or more stored identifiers. Moreover, a plurality of additional interior pages of the electronic notepad may be maintained in the locked state while the previously modified interior page is in the unlocked state.

Abstract: Techniques are disclosed relating to generation of cryptographic private keys. In some embodiments, a computing system receives a request for a private key for use with a service that uses a key of a first length, where the request specifies a key of a second length that is less than the first length. The system then generates a hashing scheme based on the second length and a key computation time, where the hashing scheme includes a number of hashing rounds and a set of hashing functions. The system creates a synthetic key of the second length and uses the synthetic key and the hashing scheme to create a normal key of the first length, where the synthetic key permits a user to access the service by supplying the synthetic key and without having to supply the normal key. The disclosed cryptographic techniques may advantageously allow for memorization of private keys.

Abstract: A computer implemented method of generating cryptographic keys for a hardware security module (HSM), the method including generating a plurality of cryptographic keys and storing the cryptographic keys for use by the HSM in providing cryptography functions, wherein the cryptographic keys are generated based on numerical data generated by a hardware random number generator, such that a rate of generation of the cryptographic keys unconstrained by the resources of the HSM, wherein the hardware random number generator operates based on a plurality of statistically random entropy data sources originating from natural phenomena so as to increase a degree of randomness of the numerical data.

Abstract: Methods of providing multi-key encryption of a data set are provided. Operations include providing, to a first data user of the data set, a first user specific data point, providing, to a second data user of the data set, a second user specific data point, and providing, to the first data user and the second data user, at least two shared data points that, when used with either of the first user specific data point or the second user specific data point, define a component polynomial that corresponds to a component that is defined in the data set. Operations further include providing, to the first data user, a first key share point that, in combination with the first user specific data point, defines a first data user polynomial that identifies a first encryption key that is on the first data user polynomial.

Abstract: A Zero Knowledge Proof (ZKP)-based privacy protection method and system for authenticated data in a smart contract wherein initialization is performed. Inputting a security parameter obtains a public parameter. A Data Authenticator (DA) generates a public/private key pair. A key pair is generated using the public parameter and a verification circuit as inputs, the key pair including a proof and a verification key. Authentication on private data of a Decentralized App (DApp) User (DU) is performed using the private key of the DA, and generates a signature. A DU prover terminal inputs private data as an input value and a calculation result and hash value as output values. The DU generates a ZKP using the proof key. A validator verifies whether the ZKP is correct. If verification passes, the calculation result is correct; otherwise the calculation result is wrong. The validator executes a smart contract based on the verification result.

Abstract: Techniques are described for providing low-overhead cryptographic memory isolation to mitigate attack vulnerabilities in a multi-user virtualized computing environment. Memory read and memory write operations for target data, each operation initiated via an instruction associated with a particular virtual machine (VM), include the generation and/or validation of a message authentication code that is based at least on a VM-specific cryptographic key and a physical memory address of the target data. Such operations may further include transmitting the generated message authentication code via a plurality of ancillary bits incorporated within a data line that includes the target data. In the event of a validation failure, one or more error codes may be generated and provided to distinct trust domain architecture entities based on an operating mode of the associated virtual machine.

Abstract: Examples provide a system for managing access-restricted partial cryptographic keys for encrypting and decrypting data. In some examples, a slot server generates and stores a first partial key. The first partial key is access-restricted based on access control data. A slot value mapped to the storage location is returned to the client by the slot server. The client generates a second partial key which is stored at the client device with the slot value. To obtain the first partial key, the client sends a request to the slot server, including the slot value. The requesting client is validated using access control data. If the request comes from a validated client, the slot server provides the first partial key to the client. The first partial key and the second partial key are combinable to generate a composite key for encrypting and decrypting data.

Abstract: In an embodiment a method includes providing a table including a plurality of data records (R1 . . . Rn) corresponding to a plurality of profile data, providing a master profile including fields to be personalized (F1 . . . Fk . . . Fp) corresponding to one or more of the data records (R1 . . . Rn) to store the different types of personalization values (V1 . . . Vm), combining the one or more of the data records (R1 . . . Rn) in the table with the master profile by inserting the personalization values (V1 . . . Vm) in the fields to be personalized (F1 . . . Fk . . . Fp) to obtain respective personalized profile packages, coding the one or more of the data records (R1 . . . Rn) to obtain encoded data records (CRi), applying the coding to the offset table to obtain encoded data offset (COi) and combining for each record (Ri) the encoded data record (CRi) and the data offset (OCi) in an encoded personalization record (URi).

Abstract: An existing Simple Authentication and Security Layer (SASL) framework is modified to overcome message size limitations by implementing a control byte that enables segmentation of SASL messages. In implementations in which client computing devices utilize a trusted platform module (TPM) for enhanced security, the client computing device can transmit multiple public keys and other information to a provisioning service during an attestation process. This information can be segmented across multiple messages while leveraging the SASL framework. A control byte may be utilized in each message and define attributes about the respective messages, such as whether a current message is an interim or final message segment. Likewise, the provisioning service can divide a challenge key into multiple segments and include a control byte for each segment. The control byte within segmented messages enables utilization of the TPM public keys and thereby can leverage the heightened security provided by the TPM.

Abstract: Systems, methods, and articles of manufacture, including computer program products, are provided for classification systems and methods using modeling. In some example embodiments, there is provided a system that includes at least one processor and at least one memory including program code which when executed by the at least one memory provides operations. The operations can include generating a representation of a sequence of sections of a file and/or determining, from a model including conditional probabilities, a probability for each transition between at least two sequential sections in the representation. The operations can further include classifying the file based on the probabilities for each transition.

Abstract: The present disclosure involves systems, software, and computer implemented methods for a efficient distributed secret shuffle protocol for encrypted database entries using dependent shufflers. Each of multiple clients provides an encrypted client-specific secret input value. A subset of clients are shuffling clients who participate with a service provider in a secret shuffling of the encrypted client-specific secret input values. The protocol includes generation and exchange of random numbers, random permutations and different blinding values. A last protocol step includes using homomorphism, for each client, to perform computations on intermediate encrypted data to homomorphically remove a first blinding value and a second blinding value, to generate a client-specific rerandomized encrypted secret input value.

Abstract: A method of computer authentication of a user request for a Subscriber Identity Module (SIM) card transfer by a biometric signature from a user equipment (UE) comprising assigning a risk score, by a mobile service provider, to a user account based on user activity in the user account, wherein the user activity includes a SIM card transfer authorization. The mobile service provider then sends a message requesting a biometric signature from an authentication application executing in memory on the UE. The authentication application on the UE then proceeds capturing a biometric signature, encrypting the biometric signature, and sending an encrypted biometric signature to the mobile service provider using a wireless communication protocol. The mobile service provider then compares the biometric signature to an authorized signature and modifies the risk score based on the comparison.

Abstract: The present disclosure involves systems, software, and computer implemented methods for a communication-efficient secret shuffle protocol for encrypted data based on homomorphic encryption and oblivious transfer. A service provider and multiple clients participate in a secret shuffle protocol of randomly shuffling encrypted client-specific secret input values. The protocol includes generation and exchange of random numbers, random permutations and different blinding values, including use of an oblivious transfer mechanism. A last protocol step includes using homomorphism, for each client, to perform computations on intermediate encrypted data to homomorphically remove a first blinding value and a second blinding value, to generate a client-specific rerandomized encrypted secret input value. As a result, the client-specific rerandomized encrypted secret input values are generated in an order that is unmapped to an order of receipt, at the service provider, of the encrypted secret input values.

Abstract: A consent and privacy preferences management environment (300) includes an application (302) and a Consent Management System (CMS) (304). The CMS (304) stores and processes consent information (306) of an end user (308). The application (302) obtains the consent information and uses the CMS (304) to manage choices of the end users (308) about certain activities, events, or other situations. Third parties (310) use the application (302) to submit requests for consent. The application (302) maps the request into fields of an API (314) for processing by the CMS (304) and receives a response from the CMS (304). The application then provides or denies consent regarding the end user (308) based on the response and filters or masks data based on organizational policies, end user consent, and the context. The data structure of the CMS (304) adapts to a wide variety of consent application environments.