Patents Examined by Shahriar Zarrineh
  • Patent number: 11734443
    Abstract: Disclosed are programs, systems, and methods which are capable of using an application program previously used without modification and improving a security counter-measure when a data file is browsed and edited in a user terminal without installing a new security counter-measure program. An information control program has a function of adding a predetermined modification to transmitted/received information, which is transmitted and received between an OS and an application which is capable of generating a data file and saving the data file to an arbitrary information storage area. A save restriction function of restricting saving of the file not encrypted using a predetermined encryption key, a storage destination restriction function of restricting an area other than a predetermined area from being designated as the file storage destination, and a decrypting function of decrypting the file stored in the predetermined area using the predetermined encryption key are provided.
    Type: Grant
    Filed: January 19, 2017
    Date of Patent: August 22, 2023
    Assignee: CREATOR'S HEAD INC.
    Inventor: Yoshihide Miyano
  • Patent number: 11720688
    Abstract: Disclosed is a method, a device, and/or a system of initiation and transfer of a cryptographic database and/or a cryptographic unit. In one embodiment, an electronic mint generates and mints proofs in an indelible media using a hash function. The proofs and/or an origin hash based on the proofs may be usable to seed a hash chain of a cryptographic bearer database and/or a cryptographic unit with an evolving state hash. The database and/or unit is issued from a treasury server and transferred between user devices as coordinated by a tracking server that utilizes one or more immutable records to track the database and/or unit and retain uniqueness of the bearer database in its most evolved state. Transfers may update user state hash of an evolving user profile usable as an authentication token and/or to show assent to a transaction resulting in a seal hash of acceptance.
    Type: Grant
    Filed: June 13, 2017
    Date of Patent: August 8, 2023
    Inventors: Dhryl Anton, Michael McFall
  • Patent number: 11722470
    Abstract: A producer system may insert an encrypted value in a field in a message, where the message is associated with a schema that specifies a public key used to encrypt the encrypted value of the field and further specifies a type of an unencrypted form of the encrypted value, insert one or more unencrypted values in one or more fields in the message, and send the message to an external computing system. A consumer system may receive the message, determine, based at least in part on the public key specified by the schema, a private key associated with the public key, and decrypt, using the private key, the encrypted value of the field into the unencrypted form of the encrypted value.
    Type: Grant
    Filed: August 29, 2018
    Date of Patent: August 8, 2023
    Assignee: International Business Machines Corporation
    Inventors: Slobodan Sipcic, Peeyush Jaiswal, Priyansh Jaiswal, Austin Michael Delamar, Naeem Ahmed, Rahul Ragunathan
  • Patent number: 11665175
    Abstract: A system for and method of automatically providing access credentials to employees based upon the time and location of the employee when the request was made are provided. The system and method also control the provision of access credentials to an employee by using the employment status and role of the employee to determine whether the employee is authorized to receive the requested access credentials.
    Type: Grant
    Filed: September 2, 2021
    Date of Patent: May 30, 2023
    Assignee: JPMORGAN CHASE BANK, N.A.
    Inventors: Dilip Patel, Christopher D. Bain, Levent Talgar, Braden D. Peters, Ramana Malakalapalli
  • Patent number: 11652616
    Abstract: Aspects of the invention include initializing a local key manager (LKM) on a node of a computing environment. The node includes a plurality of channels. The LKM is configured to provide a secure data transfer between the node and an other node of the computing environment. A connection is established, by the LKM, between the LKM and an external key manager (EKM) that stores a shared key for the node and the other node. In response to establishing the connection, the LKM registers security capabilities of the plurality of channels. The security capabilities are used by the LKM to provide the secure data transfer between the node and the other node.
    Type: Grant
    Filed: February 26, 2020
    Date of Patent: May 16, 2023
    Assignee: International Business Machines Corporation
    Inventors: Mooheng Zee, Richard Mark Sczepczenski, John R. Flanagan, Christopher J. Colonna
  • Patent number: 11646873
    Abstract: The present disclosure includes apparatuses, methods, and systems for secure communication for a key replacement. An embodiment includes a processing resource, memory having a first operator's key, and a vehicular communication component. The vehicular communication component can be configured to provide, to a server, a public key generated along with a private key and decrypt, in response to receipt of a second operator's key (e.g., received in response to providing the public key to the server) encrypted using the public key, the second operator's key using the private key. The vehicular communication component can be configured to replace, in response to decrypting the encrypted second operator's key, the first operator's key with the second operator's key.
    Type: Grant
    Filed: January 31, 2022
    Date of Patent: May 9, 2023
    Assignee: Micron Technology, Inc.
    Inventors: Antonino Mondello, Alberto Troia
  • Patent number: 11646888
    Abstract: A system allows a user to store his personally identifiable information (PII) on a personal device. When a third party wants to access the user's PII (e.g., to update the PII or to retrieve the PII), a notification will be presented to the user on the personal device seeking consent to the access. The notification may inform the user as to what information is being requested and which entity is requesting the access. The requested access will be denied unless the user consents to the access. In this manner, the user is given control over the dissemination of his PII. Additionally, the system alters or adjusts the PII that is stored in third-party servers so that even if these servers are breached, the user's actual PII is not exposed.
    Type: Grant
    Filed: November 4, 2021
    Date of Patent: May 9, 2023
    Assignee: THE PRUDENTIAL INSURANCE COMPANY OF AMERICA
    Inventors: Venkatesh Sarvottamrao Apsingekar, Sahil Vinod Motadoo, Christopher John Schille, James Francis Lavine
  • Patent number: 11641274
    Abstract: Systems and methods for manipulation of private information in untrusted environments are disclosed. In one embodiment, in a trusted computing environment comprising at least one computer processor, for a plurality of data records, a method for manipulation of private information in untrusted environments may include: (1) separating each data record into a confidential data attribute and a non-confidential data attribute; (3) calculating an encrypted value for the confidential data attribute using an encryption key; (4) calculating an authentication value for the confidential data attribute using a hash value key; (5) associating the encrypted value and the authentication value in a protected data set; and (6) associating the non-confidential data record with the associated encrypted value and the authentication value; and (7) exporting the protected data set to an untrusted computing environment.
    Type: Grant
    Filed: March 22, 2019
    Date of Patent: May 2, 2023
    Assignee: JPMORGAN CHASE BANK, N.A.
    Inventors: Pramila Paudyal, Michael J. Strong, Jim Lovett, Guillaume Jean-Philippe Humbert, John D. Killmer, Vincent Feingold, Ravikumar V. Barot
  • Patent number: 11626997
    Abstract: A system and method for authenticating a digitally signed document by one or more users includes a user processor to execute a user facing application to collect and transmit user data associated with the users. The system also includes a KYC Provider subsystem, including a KYC Provider database, and a KYC Provider processor to electronically receive the user data from the user processor and to automatically compare the user data and the verified user data to generate a KYC Provider report. An administrator processor electronically receives the user data from the user processor and the KYC Provider report from the KYC Provider processor to automatically: inspect the KYC Provider report to verify the identity of the one or more users; apply a digital signature of the one or more users to a document; issue an authenticity report associated with the signed document; and publish the authenticity report to a database.
    Type: Grant
    Filed: March 6, 2020
    Date of Patent: April 11, 2023
    Assignee: Vaultie, Inc.
    Inventors: Dmitry Semenovskiy, Meyer Mechanic
  • Patent number: 11620396
    Abstract: A kernel driver on an endpoint uses a process cache to provide a stream of events associated with processes on the endpoint to a data recorder. The process cache can usefully provide related information about processes such as a name, type or path for the process to the data recorder through the kernel driver. Where a tamper protection cache or similarly secured repository is available, this secure information may also be provided to the data recorder for use in threat detection, forensic analysis and so forth.
    Type: Grant
    Filed: July 13, 2021
    Date of Patent: April 4, 2023
    Assignee: Sophos Limited
    Inventor: Richard S. Teal
  • Patent number: 11601283
    Abstract: Embodiments are generally directed to message authentication code (MAC) based compression and decompression. An embodiment of an apparatus includes one or more processors to process data; and a computer memory; wherein the one or more processors are to perform compression of a fixed transmission or storage unit, the transmission or storage unit including multiple slots, the compression of the transmission or storage unit including the one or more processors to calculate a MAC for data in the transmission or storage unit, determine whether a special value is present in any slot of the transmission or storage unit, and upon determining that the special value is present in a respective slot of the transmission or storage unit, remove the special value from the transmission or storage unit, shift remaining data of the transmission or storage unit to provide room in a first slot of the transmission or storage unit, and insert the MAC in the first slot to generate a compressed transmission or storage unit.
    Type: Grant
    Filed: October 4, 2021
    Date of Patent: March 7, 2023
    Assignee: Intel Corporation
    Inventor: David M. Durham
  • Patent number: 11599649
    Abstract: A logic circuit for generation of data signatures and/or encryption of data packets to be transferred from an industrial controller snoops data as it is written to an output buffer within the industrial controller. The logic circuit generates a secure signature and/or coordinates encryption of the data packet being transferred between the shared memory location and the output buffer. If encryption of the data is required, an encryption module may both encrypt the data and generate a secure signature. If encryption is not required, the logic circuit generates the secure signature. In either case, the logic circuit controls ownership of the memory address in which the secure signature is to be written to coordinate with the MAC transferring the secure signature to the output buffer, providing a uniform interface between the SPP module and the MAC.
    Type: Grant
    Filed: June 29, 2020
    Date of Patent: March 7, 2023
    Assignee: Rockwell Automation Technologies, Inc.
    Inventor: Kenneth William Batcher
  • Patent number: 11561931
    Abstract: Information source agent systems and methods for distributed content storage and management using content signatures that use file identicality properties are provided. A data management system is provided that includes a content engine for managing the storage of file content, a content signature generator that generates a unique content signature for a file processed by the content engine, a content signature comparator that compares content signatures and a content signature repository that stores content signatures. Information source agents are provided that include content signature generators and content signature comparators. Methods are provided for the efficient management of files using content signatures that take advantage of file identicality properties. Content signature application modules and registries exist within information source clients and centralized servers to support the content signature methods.
    Type: Grant
    Filed: February 17, 2020
    Date of Patent: January 24, 2023
    Assignee: Callahan Cellular L.L.C.
    Inventors: Bruce Borden, Russell Brand
  • Patent number: 11563567
    Abstract: Systems and methods for secure peer-to-peer communications are described. Devices registered into a trusted network may be capable of establishing a shared data encryption key (DEK). In embodiments, each device may be configured to obtain a share of a data encryption key (DEKi) that can be stored locally. The shares may be shares in an M of N Secret Sharing Scheme. This may involve a network that includes an integer, N, devices, and in which M devices may share a secret (i.e. the DEK) during communications, M being an integer less than or equal to N. To obtain the entire DEK during encryption/decryption, a requesting device may send requests to M of N devices for their shares of the DEK. Once M shares are obtained, they may be used to generate the DEK for encrypting/decrypting data between the devices.
    Type: Grant
    Filed: September 27, 2017
    Date of Patent: January 24, 2023
    Assignee: VISA INTERNATIONAL SERVICE ASSOCIATION
    Inventor: Eric Le Saint
  • Patent number: 11563584
    Abstract: Zero round trip secure communications are implemented based on noisy secrets with a polynomial secret sharing scheme. A sender identifies two negotiated noisy secrets associated with an encrypted message to send to a receiver system. The sender utilizes a first negotiated noisy secret for sub-key selection, and generates a secret polynomial using Shamir's polynomial-based secret sharing scheme with N positive integer points and a message key as a secret. The sender divides the first negotiated noisy secret into a plurality of sub-keys, and divides a second negotiated noisy secret into test blocks of a length equivalent to a length of a sub-key. The sender utilizes each of the plurality of sub-keys for encrypting a corresponding test block along with one unique point of the secret polynomial. Moreover, the sender sends all encrypted test blocks and corresponding encrypted points of the secret polynomial to the receiver with the encrypted message.
    Type: Grant
    Filed: February 10, 2021
    Date of Patent: January 24, 2023
    Assignee: DIGITAL 14 LLC
    Inventors: Serguei Velikevitch, Alexander Sherkin
  • Patent number: 11550949
    Abstract: A computer-implemented method comprises, storing user identity records in digital data repositories relating to user identity information collected from a plurality of sources, receiving a request specifying a partial hash of particular user identity information, generating and submitting a query to the digital data repositories to retrieve a set of user identity records that match the partial hash, generating and storing a bloom filter based on the plurality of user credential values associated with the particular user identity information, the bloom filter being configured to allow a client computing device to determine whether a particular user credential value that is associated with the particular user identity information is included in the plurality of user credentials represented by the bloom filter, transmitting the bloom filter to the client computing device.
    Type: Grant
    Filed: July 21, 2020
    Date of Patent: January 10, 2023
    Assignee: Constella Intelligence, Inc.
    Inventor: Pulleswararao Naga Vandanapu
  • Patent number: 11552801
    Abstract: In a method of operating a memory system, first security data and a first timestamp for preventing a replay attack are written by a host device to a first memory area which is an external memory area. A second timestamp is updated by the host device based on the first timestamp. The second timestamp corresponding to the first timestamp is stored in a second memory area distinguished from the first memory area. A first notification signal representing a result of updating the second timestamp is received by the host device. A writing operation for the first security data is completed when it is determined, by the host device, based on the first notification signal that the second timestamp is successfully updated.
    Type: Grant
    Filed: February 13, 2020
    Date of Patent: January 10, 2023
    Assignee: SAMSUNG ELECTRONICS CO., LTD.
    Inventors: Sunghyun Kim, Junho Huh
  • Patent number: 11546176
    Abstract: A method of remotely initializing at least one device is disclosed. The method includes initializing at a local host a cryptographic authorization sequence after receiving a secure input value. The method further includes receiving at a local host cryptographic controller a first authorization request from a first remote device. After a challenge-response authentication protocol, the first remote device is authenticated and receives a public key infrastructure certificate. The method includes receiving at a first remote cryptographic controller a second request from a second remote device. After a challenge-response authentication protocol, the first remote device is authenticated, but does not receive a public key infrastructure certificate. A system for remotely initiating at least one device is also disclosed.
    Type: Grant
    Filed: August 26, 2020
    Date of Patent: January 3, 2023
    Assignee: Rockwell Collins, Inc.
    Inventors: Sean Howard, James A. Marek, Jonathon C. Skarphol, Edward C. Tubbs
  • Patent number: 11546305
    Abstract: Various arrangements for performing secure domain name system (DNS) routing are presented. A secure signature may be generated using an internet protocol (IP) address of an authorized device. An encoded character string may be generated that comprises the IP address. The domain name server may receive a request for an IP address mapped to the hostname. The hostname may be validated using the secure signature. The IP address of the authorized device may be decoded from the encoded character string at least partially in response to the hostname being validated by the domain name server. The IP address decoded from the encoded character string may be transmitted at least partially based on the hostname being validated and the request for the IP address.
    Type: Grant
    Filed: August 13, 2020
    Date of Patent: January 3, 2023
    Assignee: DISH Network Technologies India Private Limited
    Inventors: Jagan Govindarajan, Gopikumar Ranganathan, Jayachandrakumar Konduru, Roopesh Gottipati
  • Patent number: 11537705
    Abstract: A device access control system includes a first computing system that is coupled to a second computing system via a network, and that includes a device access controller subsystem coupled to devices, a central processing subsystem, and a device access control manager subsystem. The device access control manager subsystem identifies first application(s) configured for provisioning by the central processing subsystem and second application(s) configured for provisioning by the second computing system, configures the device access controller subsystem to provide the central processing subsystem access to a first subset of the devices to allow the central processing subsystem to provide the first application(s), and configures the device access controller subsystem to provide the second computing system access via the device access control manager subsystem to a second subset of the devices to allow the second computing device to provide the second application(s) using the second subset of the devices.
    Type: Grant
    Filed: October 27, 2020
    Date of Patent: December 27, 2022
    Assignee: Dell Products L.P.
    Inventors: Walter A. O'Brien, III, Mukund P. Khatri, Mark Steven Sanders, William Price Dawkins, Elie Jreij, Robert W. Hormuth, Jimmy D. Pike, Gaurav Chawla