Abstract: The present description relates to systems and techniques for allowing a third party verifier to verify aspects of secured data, or successful communication thereof. For example, a message or other data may be associated with a shared manifest that describes aspects of some data but does not reveal or expose the data. As a result, the data may be kept private while selective privacy and verification with respect to the data is achieved by the inclusion of only selected aspects of said data in the shared manifest.
Abstract: The invention relates to a process for transmitting streaming digital content to a client device for access to digital content. The inventive process makes it possible, in particular, to apply an access control system to the protection of direct-mode video streams. The process also makes it possible to significantly improve the security and safety of the system, based on a periodic mandatory back-communication on the part of the client device.
Type:
Grant
Filed:
May 30, 2017
Date of Patent:
September 15, 2020
Assignee:
4T S.A.
Inventors:
David Naccache, Lukasz Jeczminski, Mateusz Zajakala, Jas Saini
Abstract: Certain embodiments described herein are generally directed to a first host machine exchanging a Security Parameter Index (SPI) value with a second host machine by storing the SPI in an options field of an encapsulation header of an encapsulated packet.
Abstract: Implementations and methods herein provide a networked storage system including a plurality of physical storage devices configured to store data on a plurality of virtualized volumes, a key store configured to store a plurality of encryption keys, and a secure messaging manager configured to encrypt a message to each of the plurality of virtualized volumes using a different encryption key.
Abstract: A system provides cloud-based identity and access management. The system receives a request from a client for a resource, authenticates the request, and accesses a microservice based on the request. The system determines, by the microservice, whether the resource is cached in a near cache or in a remote cache, retrieves the resource from the near cache or from the remote cache when the resource is cached, and calls an administration microservice to obtain the resource when the resource is not cached. The system then provides the resource to the client.
Abstract: Methods are described for constructing a secret key by multiple participants such that any quorum combination of participants can generate a fixed number of key components that can be combined by a recipient to generate the secret key. The methods permit an identical secret key to be generated by a different sized quorum from different participants if required. The keys may be used as private keys for encryption, decryption, digital signatures or authentication tokens and each key is generated from a key index. The circuits used by a quorum of participants for the generation of keys feature nested non-linear devices connected in series with outputs multiplied by stored secret values. Example applications are described including blinded cipher text generation, a multi-signature cryptocurrency system and an encrypted cloud storage system.
Abstract: Protecting the security of an entity by using passcodes is disclosed. A user's passcode device generates a passcode, where sometimes the device is called Alice. In an embodiment, the passcode is generated in response to receipt of user information. The passcode is received by another system (called Bob or the second party), which authenticates the passcode by at least generating a passcode from a passcode generator or nonce, and comparing the generated passcode with the received passcode. The passcode is temporary. At a later use a different passcode is generated from a different passcode generator. In these embodiments, there are asymmetric secrets stored on the passcode device (Alice's device) and by the administrator (Bob's device). This adds more security so that if the backend servers are breached, the adversary cannot generate valid passcodes. In some embodiments, the passcode depends on a nonce or the rounded time.
Abstract: A security system comprises an access control node broadcasting a beacon including a time stamp and user devices generating replies to the beacon that are based on credential information for the user of the user device and the time stamp. The system relies on the users' wireless-capable mobile computing devices such as smartphones, tablets, or wireless fobs. A credential management system provides a system for the authentication of users and then issues security tokens as credential information to the users' mobile computing devices. These tokens are presented wirelessly by the devices to the security system's access control nodes, for example, where the access control nodes then decide whether to grant or deny access.
Abstract: To provide an information processing apparatus, a reading control method, and a computer readable storage medium that can improve the secrecy of information written in a secret area compared with the case of controlling access only by authentication, the information processing apparatus includes a nonvolatile memory that has a secret area where secret information is stored, an authentication controller that authenticates access to the nonvolatile memory, a flag information storage unit that stores flag information, and a memory controller that controls access to the nonvolatile memory by using the flag information stored in the flag information storage unit. The memory controller allows reading of the secret information from the secret area when a value of the flag information is a specified value and validity of access is authenticated by the authentication controller.
Abstract: Aspects of the present disclosure provide systems and methods for directly transferring tenant data hosted on a source domain to a target domain, wherein the source and target domains are associated with different server farms. Additionally, where the source domain is managed by a source management layer and the target domain is managed by target management layer, which source and target management layers are not in a trust relationship. Aspects describe establishing a secure, direct communication bus between the source and target management layers in order to accomplish a plurality of steps involved in transferring the tenant, wherein tenant data transferred thereon is encrypted. In example aspects, the direct communication bus terminates upon completion of the tenant data transfer.
Type:
Grant
Filed:
May 15, 2017
Date of Patent:
July 14, 2020
Assignee:
Microsoft Technology Licensing, LLC
Inventors:
Patrick J. Simek, Prashant Gaurav, Kalyan K. Kona, Ilker Celikyilmaz
Abstract: A third party intermediary and a data protection method, system, and non-transitory computer readable medium, include a content request receiving circuit configured to receive a service request from a user, to communicate the service request to a provider, and to receive pre-approved versions of content from the provider, a content matching circuit configured to match a pre-approved version of content of the pre-approved versions of content to the user based on a condition of the user, a user data receiving circuit configured to receive user data to complete the pre-approved version of the content, and a zero-knowledge verifiable computing circuit configured to execute a program using zero-knowledge verifiable computing to remove private content from the pre-approved version of the content to ensure privacy of the condition of the user from the provider.
Type:
Grant
Filed:
March 24, 2016
Date of Patent:
July 7, 2020
Assignee:
INTERNATIONAL BUSINESS MACHINES CORPORATION
Inventors:
Samuel Scott Adams, Susann Marie Keohane, James R. Kraemer, Jeb R. Linton
Abstract: A portable device is provided. The portable device may include a display; an input device; a camera; a processor coupled to the display, the input device, and the camera; and a computer readable medium coupled to the processor, the computer readable medium comprising code, executable by the processor, to implement a method comprising: receiving authentication data from the input device, determining whether the received authentication data matches authentication data associated with an authorized user, and displaying, on the display, a credential, an item, and data associated with the item.
Abstract: Various embodiments are generally directed to techniques to load and run secure enclaves for use by kernel mode applications. An apparatus to provide kernel mode access to a secure enclave includes a kernel mode secure enclave driver to provide user mode support for a kernel mode application and to initialize a secure enclave on behalf of the kernel mode application and a user mode secure enclave manager to process an instruction from the kernel mode application to the secure enclave.
Abstract: Provided is a process of securing data in a distributed storage and processing application, the process including: obtaining a cluster of computing nodes, wherein: the cluster stores a plurality of ciphertexts; accessing a transformation key with a first computing node; transforming the ciphertext with the first computing node based on the transformation key into a transformed ciphertext configured to be decrypted with a temporary access key; decrypting the transformed ciphertext with the second computing node based on the temporary access key to obtain plaintext data.
Type:
Grant
Filed:
May 6, 2017
Date of Patent:
June 23, 2020
Assignee:
ZeroDB, Inc.
Inventors:
Mikhail Egorov, MacLane Scott Wilkison, David Nuñez, Isaac Agudo
Abstract: A system, method and computer program product obtains user data relating to a plurality of system users, who have previously been granted access to a resource in a context without complying with a ruleset defining criteria for automatically accessing the resource in the context. A combination of two or more user data properties having common values in user data of a subset of two or more of the plurality of system users is identified. A determination of whether the number of system users in the subset exceeds a predetermined threshold is made. If the number of system users in the subset exceeds the predetermined threshold, the ruleset is updated to include criteria based on the identified combination of two or more user data properties.
Type:
Grant
Filed:
March 31, 2017
Date of Patent:
June 2, 2020
Assignee:
INTERNATIONAL BUSINESS MACHINES CORPORATION
Inventors:
Alan Byrne, Paul Connolly, Bryan D. Osenbach
Abstract: Method and system for routing communications traffic between a machine to machine, M2M, device connected to a telecommunications network and having an International Mobile Subscriber Identity, IMSI, and a server, the method comprising assigning an access point name, APN, from a plurality of APNs based on the IMSI of the M2M device. Routing, via the assigned APN, communications traffic between the M2M device and the server, wherein the server is determined based on one or more of: the IMSI, the APN and a characteristic of a communication traffic between the M2M device and the server.
Abstract: An inconsistency in shares is detected with a small volume of communications traffic. n inconsistency detecting devices generate random numbers s_i and make the random numbers s_i public. The n inconsistency detecting devices generate a common random number s which is the sum total of the random numbers s_0, ..., s_{n−1}. The n inconsistency detecting devices calculate shares [c]_i. The n inconsistency detecting devices generate shares [r]_i, each of which would become a random number r by reconstruction. The n inconsistency detecting devices calculate shares [d]_i, each of which would become a judgment value d by reconstruction. One inconsistency detecting device receives shares [d]_1, ..., [d]_{n−1} from n−1 inconsistency detecting devices. The one inconsistency detecting device restores n−k shares [d]′_k, ..., [d]′_{n−1} from k shares [d]_0, ..., [d]_{k−1}. The one inconsistency detecting device judges, for j = k, ..., n−1, whether or not a share [d]_j and a share [d]′_j coincide with each other.
Type:
Grant
Filed:
February 1, 2016
Date of Patent:
May 26, 2020
Assignee:
NIPPON TELEGRAPH AND TELEPHONE CORPORATION
Inventors:
Dai Ikarashi, Ryo Kikuchi, Koki Hamada, Koji Chida
Abstract: A material set, such as an asymmetric keypair, is processed using an associated workflow to prepare the material set for activation and/or use. In one embodiment, a material set is generated and information about the material set is communicated to a workflow manager. Based at least on the information, the workflow manager generates a workflow that when accomplished will allow the material set to be activated and/or used. In another embodiment, a service provider provides a key manager, workflow manager and destination for the key, such as a load balancer that terminates SSL connections. A key can be generated by the key manager, sent through the workflow manager for processing (potentially communicated to third parties such as a certificate authority, if needed) and installed at a destination.
Type:
Grant
Filed:
February 24, 2016
Date of Patent:
April 21, 2020
Assignee:
Amazon Technologies, Inc.
Inventors:
Graeme D. Baer, David M. Hulme, Benjamin E. Seidenberg
Abstract: A communication device to allocate shared keys to plural channels includes a storage, a receiver, a storage controller, an allocator, and an encryption processor. The storage includes a predetermined number of storage areas to store one or more shared keys shared with a destination device. The receiver is configured to receive a shared key. The storage controller controls storing the received shared key in any of the storage areas every time the shared key is received. The allocator can allocate the storage areas to communication channels used for communicating encrypted data between the communication device and the communication destination device, based on a ratio predetermined for each communication channel. The encryption processor can, according to a cryptosystem determined for each communication channel, encrypt data and decrypt the encrypted data by using the shared key acquired from the storage area allocated to each communication channel.
Abstract: Program code intended to be copied into the cache memory of a microprocessor is transferred encrypted between the random-access memory and the processor, and the decryption is carried out at the level of the cache memory. A checksum may be inserted into the cache lines in order to allow integrity verification, and this checksum is then replaced with a specific instruction before delivery of an instruction word to the central unit of the microprocessor.