Patents Examined by Techane Gergiso
-
Patent number: 11695784
Abstract: The present disclosure relates to a system, a method, and a non-transitory computer readable storage medium for deep packet inspection scanning at an application layer of a computer. A method of the presently claimed invention may scan pieces of data received out of order without reassembly at an application layer from a first input state generating one or more output states for each piece of data. The method may then identify that the first input state includes one or more characters that are associated with malicious content. The method may then identify that the data set may include malicious content when the first input state combined with one or more output states matches a known piece of malicious content.
Type: Grant
Filed: February 11, 2021
Date of Patent: July 4, 2023
Assignee: SONICWALL INC.
Inventors: Hui Ling, Cuiping Yu, Zhong Chen
-
Patent number: 11695775
Abstract: A method of dynamically adjusting access privileges of system identities. A set of access logs associated with a system are analyzed in order to generate a restricted access policy for an over privileged system identity. An initial access policy of the system identity is replaced with the restricted access policy and a continuous monitoring and access management (CMAM) service is initiated. Access logs are collected for a monitoring time window and an access denied error can be extracted from the access logs. The access denied error can be compared to an ignore list and/or the access denied error can be added to the ignore list. Authorization checks can be performed to determine if the action associated with the access denied error is authorized. If the action is authorized, the access policy is adjusted to allow for performance of the action.
Type: Grant
Filed: November 9, 2021
Date of Patent: July 4, 2023
Assignee: Uber Technologies, Inc.
Inventor: Ashish Kurmi
-
Patent number: 11687641
Abstract: A computer system and method having a user interface including a touch-sensitive display screen. The system and method enables entry of a password which includes displaying a first array of a plurality of images on the touch-sensitive display prompting a user to select with a finger one of the plurality of images displayed. Subsequently at least another array of a plurality of images successive to the first array is displayed on the touch sensitive display prompting a user to select with a finger one of the plurality of images displayed in the another array of images. A computer processor then determines if a user selected a predetermined image from the first array of the plurality of images and a predetermined image from each at least another array of plurality of images displayed after the first array. If determined, the user is permitted access to an application executable on the computer system.
Type: Grant
Filed: September 15, 2021
Date of Patent: June 27, 2023
Assignee: United Services Automobile Association (“USAA”)
Inventor: Gregory Brian Meyer
-
Patent number: 11659002
Abstract: Systems and methods for enabling Media Access Control Security (MACsec) at a MAC layer, according to IEEE 802.1AE, and extending MACsec are provided. An edge device, according to one implementation, includes one or more User-to-Network Interface (UNI) ports and a plurality of Network-to-Network Interface (NNI) ports. The edge device also includes a processing device and a memory device configured to store a computer program having instructions. The instructions, when executed, allow the processing device to provide network security on a Media Access Control (MAC) layer, the network security defined by the MAC Security (MACsec) protocol. The instructions also allow the processing device to provide network path protection by enabling packet routing over multiple paths via the plurality of NNI ports on a network layer.
Type: Grant
Filed: May 4, 2021
Date of Patent: May 23, 2023
Assignee: Ciena Corporation
Inventors: Hossein Baheri, Manoj Velliangiri, Pramod Kumar Aggarwal
-
Patent number: 11646997
Abstract: A base station identifies received backhaul traffic including IP packets based on whether or not the reception was via a secure tunnel, e.g., an IPsec tunnel. Recovered data, e.g., an IP packet from an IPsec tunnel, is associated with an IPsec identifier having a value indicating that the packet came from an IPsec tunnel. Data, e.g., recovered IP packets, associated with an identifier indicating receipt via an IPsec tunnel are stored in a first transmission buffer, e.g., a high priority transmission buffer, while other recovered IP packets which were not received via an IPsec tunnel are stored in a second transmission buffer corresponding to a lower, e.g., normal, transmission priority. A downlink transmission scheduler, e.g., a MAC or frame scheduler, schedules transmission of frames including IP packet data from both buffers, with data in the first buffer being given higher priority to reduce latency with regard to the IPsec traffic.
Type: Grant
Filed: March 19, 2021
Date of Patent: May 9, 2023
Assignee: Charter Communications Operating, LLC
Inventor: Volkan Sevindik
-
Patent number: 11626985
Abstract: A computer-implemented method for reencrypting data. A key management service receives a web service application programming interface or other request to reencrypt data from a first key to a second key, where the first key and the second key are managed by the key management service on behalf of a user of the service. The key management service responds to the request by performing the associated operations and providing a response with the reencrypted data.
Type: Grant
Filed: November 29, 2019
Date of Patent: April 11, 2023
Assignee: Amazon Technologies, Inc.
Inventors: Rajkumar Copparapu, Peter Da-Ming Zieske, John Kenneth Beer
-
Patent number: 11626979
Abstract: A server can record a device static public key (Sd) and a server static private key (ss). The server can receive a message with (i) a device ephemeral public key (Ed) and (ii) a ciphertext encrypted with key K1. The server can (i) conduct an EC point addition operation on Sd and Ed and (ii) send the resulting point/secret X0 to a key server. The key server can (i) perform a first elliptic curve Diffie-Hellman (ECDH) key exchange using X0 and a network static private key to derive a point/secret X1, and (ii) send X1 to the server. The server can conduct a second ECDH key exchange using the server static private key and point X0 to derive point X2. The server can conduct an EC point addition on X1 and X2 to derive X3. The server can derive K1 using X3 and decrypt the ciphertext.
Type: Grant
Filed: April 10, 2022
Date of Patent: April 11, 2023
Assignee: IOT AND M2M TECHNOLOGIES, LLC
Inventor: John A. Nix
-
Patent number: 11622133
Abstract: Implementations related to coding and/or decoding image data employing video coding with embedded motion are disclosed.
Type: Grant
Filed: March 23, 2021
Date of Patent: April 4, 2023
Assignee: Xylon LLC
Inventor: Donald Martin Monro
-
Patent number: 11621945
Abstract: A system/method for secure communication between client devices includes receiving a request, at a secure communication platform, from a first client device to communicate with a second client device; determining, by the secure communication platform, whether the first client device is permitted to communicate with the second client device; if communication is permitted: generating, by the secure communication platform, a one-time use ephemeral key; transmitting, by the secure communication platform, the generated one-time use ephemeral key to the first and second client devices; establishing, by the secure communication platform, a secure communication session directly between the first and second client devices, wherein communications between the first and second client devices are encrypted and decrypted using the one-time use ephemeral key; and destroying, by the secure communication platform, the one-time use ephemeral key upon termination of the secure communication session between the first and
Type: Grant
Filed: February 19, 2021
Date of Patent: April 4, 2023
Assignee: SDSE NETWORKS, INC
Inventors: Dennis Vance Pollutro, Viji Bettadapura, Charles Illingworth, Saroop Mathur, John Zavgren
-
Patent number: 11611880
Abstract: An image display system includes a first terminal device and with a second terminal device whose usable function range is smaller than a usable function range of the first terminal device. The image display system includes a display projection unit, a communication unit that establishes wireless connection with the first and second terminal devices, a control unit that manages the wireless connection, and a connection control image generating unit. The control unit and the connection control image generating unit generate a terminal connection image including information for connecting the second terminal device with the image display system, based on terminal connection permission information that assigns the second terminal device whose wireless connection with the display system is permitted, the terminal connection permission information being transmitted from the first terminal device. The display projection unit displays the terminal connection image.
Type: Grant
Filed: September 1, 2020
Date of Patent: March 21, 2023
Assignee: Maxell, Ltd.
Inventor: Junji Kamimura
-
Patent number: 11611539
Abstract: A method, apparatus and computer program product are provided for encrypting and decrypting data using multiple authority keys including receiving, from a first computing device, a data decrypt request to decrypt encrypted data, the data decrypt request comprising a user key, determining that the user key is associated with a key hierarchy that comprises a server key, decrypting the server key using the user key, decrypting the encrypted data using the decrypted server key and permitting access to the decrypted data by the first computing device.
Type: Grant
Filed: December 16, 2019
Date of Patent: March 21, 2023
Assignee: Auth9, Inc.
Inventors: Hongjun Li, Ning Xu
-
Patent number: 11611433
Abstract: Various examples are directed to secure memory arrangements and methods of using the same. A gateway device of the secure computing system may receive a first message from an external system. The first message may comprise a first message payload data and first asymmetric access data. The gateway device may determine that the first asymmetric access data matches the first message payload data based at least in part on an external system public key. The gateway device may access a first system controller symmetric key associated with a first system controller in communication with the gateway device and generate a first symmetric access data based at least in part on the first system controller symmetric key and the first message payload data. The gateway device may send the first message payload data and the first symmetric access data to the first system controller.
Type: Grant
Filed: January 21, 2020
Date of Patent: March 21, 2023
Assignee: Micron Technology, Inc.
Inventor: Lance W. Dover
-
Patent number: 11609979
Abstract: A secure element (SE) for processing a digital key includes a communication interface for communicating with a host, a memory for storing programs and data for processing the digital key, and a processor for executing the programs stored in the memory to receive a digital key processing request from a target device, determine whether a service is providable to the target device, by using a service-provider-specific service performance manager, process the digital key by using a digital key manager based on digital key processing information stored in the memory, upon determining that a service is providable to the target device, issue a digital key processing certificate by using the service-provider-specific service performance manager based on authentication information stored in the memory, and transmit the digital key processing certificate to at least one of a service provider and the target device.
Type: Grant
Filed: July 18, 2019
Date of Patent: March 21, 2023
Inventors: Sooyeon Jung, Inyoung Shin, Jonghyo Lee
-
Patent number: 11606198
Abstract: Embodiments relate to systems for distribution of cryptographic keys generated with high quality entropy on to new or configurable devices using a centralized entropy provider located at a server and a provisioning device that communicates between the server and the configurable devices. The server may receive a request from a provisioning device for a cryptographic keypair. For example, the provisioning device may be physically connected to a configurable device for bootstrapping and requests the identity keys to install on to the configurable device. The server generates the cryptographic keypair having newly generated public and private keys for the configurable device. The server encrypts the newly generated keypair (e.g., in the form of a private key and a certificate having the public key) using the public key of the provisioning device and transmits the encrypted keypair to the provisioning device for decryption and installation on to the configurable device.
Type: Grant
Filed: January 21, 2021
Date of Patent: March 14, 2023
Assignee: ValiMail Inc.
Inventor: Ashley Duane Wilson
-
Patent number: 11601432
Abstract: A method of rolling security for a system that includes multiple server groups, such as a first server group of one or more servers and a second server group of one or more servers. The method includes repeatedly initiating rebuilding of the first server group of one or more servers. The method also includes repeatedly initiating rebuilding of the second server group of one or more servers. The rebuilding of the first server group of one or more servers is staggered in time from the rebuilding of the second server group of one or more servers. The servers may be physical servers or virtual machines. Rolling security may also be applied to software containers, computing devices within a data center, and computing devices outside of a datacenter.
Type: Grant
Filed: March 5, 2021
Date of Patent: March 7, 2023
Assignee: Cyemptive Technologies, Inc.
Inventor: Robert Pike
-
Patent number: 11595385
Abstract: A client node (CN) requests content from an access node (AN). Rule set ACR_CN is provided to CN and AN and ACR_AN is used by AN. A request sent by CN in violation of ACR_CN may be blocked and cause AN to block subsequent requests from CN that would be allowed per ACR_CN. A request blocked according to ACR_AN but not ACR_CN is blocked but subsequent requests may still be allowed according to ACR_CN and ACR_AN. Authenticated distribution of the ACR_CN and ACR_AN may be performed in cooperation with a controller using authenticated tokens (AT).
Type: Grant
Filed: November 25, 2020
Date of Patent: February 28, 2023
Assignee: Twingate, Inc.
Inventors: Lior Rozner, Alexander William Marshall, Eran Moshe Kampf, Dmitry Adamushka, Dzianis Vashchuk, Eugene Lapidous
-
Patent number: 11595215
Abstract: The disclosed technology teaches confirming delegation of authorization from an authorization server (AS) by a client to a service, including an AS issuing an OAuth2 access token in the form of a Macaroon (MAT), optionally with caveats, including a root signature, and providing the MAT to a client. Included is the client modifying the OA2 access token by appending caveats that narrow authorization, and by applying a message authentication code (MAC) chaining algorithm to generate an updated signature to include in the resulting MAT with caveats (MATwC), the client delegating authorization to a service by forwarding the MATwC to the service and the service using the MATwC to access a resource server (RS), the RS passing the MATwC to the AS, and the AS determining authenticity of the MATwC as a bearer token and evaluating scope of authorization from the MAT as narrowed by the caveats, and reporting results.
Type: Grant
Filed: December 17, 2020
Date of Patent: February 28, 2023
Assignee: ForgeRock, Inc.
Inventor: Neil Edward Madden
-
Patent number: 11587159
Abstract: Systems and methods related to a bridge application that facilitates interoperability between a remotely-served application and locally connected peripheral devices. The bridge application may execute on a local machine and be addressable at the loop-back address of the local machine. Requests issued to the bridge application may be verified as originating from a trusted source. In turn, requests from a locally performed and remotely-served application may be issued to local hardware resources such as peripheral devices or the like.
Type: Grant
Filed: April 20, 2018
Date of Patent: February 21, 2023
Assignee: CPI CARD GROUP—TENNESSEE, INC.
Inventors: Alec Warren Lanter, Erik Ronald Stell
-
Patent number: 11580238
Abstract: A method and system for determining whether a consensus has been achieved for adding a block to a distributed ledger. The system receives a candidate block to add to the distributed ledger and receives block approvals of approving participants for the candidate block. The system calculates a total block approval stake that the approving participants have in the distributed ledger. The system identifies a total stake that participants have in the distributed ledger. When the total block approval stake is at least a threshold fraction of the total stake, the system indicates that the consensus has been achieved for adding the candidate block to the distributed ledger.
Type: Grant
Filed: January 15, 2019
Date of Patent: February 14, 2023
Inventor: Vinay Kumar Agarwal
-
Patent number: 11582608
Abstract: An illustrative example embodiment of a controller associated with a container includes a processor and memory. The controller is configured to generate a derived key based on global positioning system information corresponding to a location of the controller. The controller uses the derived key to authenticate a user device.
Type: Grant
Filed: October 15, 2019
Date of Patent: February 14, 2023
Assignee: CARRIER CORPORATION
Inventors: Chandrasekhar Puppala, Joshua Varghese, Phani Pavan Kumar Mangaiahgari, Ravi Chandra Katari