Patents Examined by Thanhnga B. Truong
  • Patent number: 11128454
    Abstract: An advanced encryption and key exchange (AEKE) algorithm for quantum safe cryptography is disclosed. The AEKE algorithm does not use hard mathematical problems that are easily solvable on a quantum computer with Shor's algorithm. Instead, the new encryption algorithm uses simple linear algebra, a rank-deficient matrix and a bilinear equation, which will be easy to understand, fast, efficient and practical but virtually impossible to crack.
    Type: Grant
    Filed: April 15, 2020
    Date of Patent: September 21, 2021
    Inventor: Bong Mann Kim
  • Patent number: 11126566
    Abstract: The presently disclosed method and apparatus for sharing security metadata memory space proposes a technique to allow metadata sharing between two different encryption techniques. A section of memory encrypted using a first type of encryption and having first security metadata associated therewith is converted to a section of memory encrypted using a second type of encryption and having second security metadata associated therewith. At least a portion of said first security metadata shares a memory space with at least a portion of said second security metadata for a same section of memory.
    Type: Grant
    Filed: November 21, 2019
    Date of Patent: September 21, 2021
    Assignee: Intel Corporation
    Inventors: Siddhartha Chhabra, David M. Durham
  • Patent number: 11128445
    Abstract: A method creates and distributes cryptographic keys for securing communication at two terminals. Signals for creating correlated values in the two terminals are distributed via a first communication channel burdened with error, and the correlated values are present as keys. A checksum is formed on the basis of the first key present in the first terminal and the checksum is transferred to the second terminal via a second communication channel. A second checksum is formed on the basis of the second key present, and information derived from the two checksums is transferred via the second communication channel to a server. Based on the information derived from the checksums, the server determines a correction value, which, when applied to one or both keys, brings the keys into correspondence. The correction value is transferred to one or both terminals via the second communication channel and is applied to one or both keys.
    Type: Grant
    Filed: March 13, 2018
    Date of Patent: September 21, 2021
    Assignee: AIT Austrian Institute of Technology GmbH
    Inventors: Stephan Krenn, Thomas Loruesner, Bernhard Schrenk, Christoph Pacher
  • Patent number: 11121882
    Abstract: Techniques are provided for protection of private keys in message signing based on elliptic curve cryptography. One method comprises obtaining a private key to generate a signature for a message; selecting a random integer as an internal private key in a predefined range based on an elliptic curve order; computing an internal public key as an elliptic curve point using a scalar multiply operation based on (i) the internal private key blinded using a random blinding value, (ii) an elliptic curve base point, and (iii) an inverse value for the random blinding value added to a result of the scalar multiply operation; generating a first signature portion based on the elliptic curve point; generating a second signature portion based on an inverse of the selected random integer generated from a message-dependent value and the first signature portion; and forming a signed message using the first and second signature portions.
    Type: Grant
    Filed: July 25, 2019
    Date of Patent: September 14, 2021
    Assignee: EMC IP Holding Company LLC
    Inventors: Christopher Ronald Scott, Aaron Matthew Marks, Eric Young, Sean Francis Parkinson
  • Patent number: 11115558
    Abstract: Systems and methods for maintaining chain of custody for assets offloaded from a portable electronic device. One exemplary system includes an electronic processor configured to receive, from the portable electronic device, an asset manifest including an asset identifier, a fixed-length unique identifier associated with the asset identifier, and a manifest digital signature. The electronic processor is further configured to transmit to the portable electronic device a storage message based on the asset manifest; receive, from the portable electronic device, an upload completion message; retrieve, from a data warehouse, an asset file; and determine, for the asset file, an asset file fixed-length unique identifier.
    Type: Grant
    Filed: May 20, 2016
    Date of Patent: September 7, 2021
    Assignee: MOTOROLA SOLUTIONS, INC.
    Inventors: David B. Flowerday, Remigiusz Orlowski, Steven D. Tine, Lechoslaw Radwanski
  • Patent number: 11115198
    Abstract: According to an embodiment, an information processor includes a memory and one or more hardware processors coupled to the memory. The one or more hardware processors are configured to function as a calculating unit, a determining unit, and a generating unit. The calculating unit is configured to calculate a key length. The determining unit is configured to determine a block size corresponding to a unit of processing in key generation and an outputtable size indicating the size of a key outputtable by the key generation. The generating unit is configured to generate a key having the key length by a hash operation using a matrix having a size determined by the block size and the outputtable size.
    Type: Grant
    Filed: February 28, 2019
    Date of Patent: September 7, 2021
    Assignee: KABUSHIKI KAISHA TOSHIBA
    Inventors: Ririka Takahashi, Yoshimichi Tanizawa, Kazuaki Doi, Mamiko Kujiraoka, Akira Murakami
  • Patent number: 11106774
    Abstract: A trusted device, such as a wristwatch, is provided with authentication circuitry, used to perform an authentication operation to switch the trusted device into an authenticated state. Retention monitoring circuitry monitors the physical possession of the trusted device by the user following the authentication operation and switches the trusted device out of an authenticated state if the trusted device does not remain in the physical possession of the user. While the trusted device remains in the physical possession of the user, communication triggering circuitry is used to detect a request to establish communication with a target device that is one of a plurality of different target devices and communication circuitry is used to communicate with that target device using an authenticated identity of the user.
    Type: Grant
    Filed: July 30, 2019
    Date of Patent: August 31, 2021
    Assignee: ARM IP Limited
    Inventors: Krisztian Flautner, Hugo John Martin Vincent, Amyas Edward Wykes Phillips, Robert George Taylor
  • Patent number: 11102198
    Abstract: An apparatus includes a memory and a processor. During a first mode of operation, the hardware processor obtains a first key and a second key from a first system. The first system includes a first subsystem and a second subsystem. The first key indicates that a user previously accessed the first subsystem and the second key indicates that the user previously accessed the second subsystem. During a second mode of operation, the processor receives a request indicating that the user is seeking to access the second system. The processor then performs an authentication of the user, which includes receiving an authentication string from the user that includes a first user key and a second user key, determining that the first user key matches the first key, and determining that the second user key matches the second key. In response, the processor provides the user with access to the second system.
    Type: Grant
    Filed: November 19, 2019
    Date of Patent: August 24, 2021
    Assignee: Bank of America Corporation
    Inventor: Manu Jacob Kurian
  • Patent number: 11089007
    Abstract: Systems and methods for role-based access control to computing resources are presented. In an example embodiment, a request to perform a type of access of a computing resource is received via a communication network from a process executing on a client device. Using a data store storing process identifiers and associated access control information, access control information associated with the requesting process is identified based on a process identifier of the requesting process. Based on the access control information associated with the requesting process, a determination is made whether the requesting process is allowed to perform the requested type of access of the computing resource. The request is processed based on the requesting process being allowed to perform the requested type of access of the computing resource.
    Type: Grant
    Filed: November 21, 2019
    Date of Patent: August 10, 2021
    Assignee: General Electric Company
    Inventors: Ruchir Tewari, Vineet Banga, Atul Chandrakant Kshirsagar
  • Patent number: 11087020
    Abstract: Examples described herein include systems and methods for providing privacy information to a user of a user device. An example method can include detecting, at a management server, access of the private data by an entity other than the user, such as an administrator who is authorized to access the management server. The method further includes generating an event reflecting the access of the private data. The generated event can be stored as part of an event log in a database. The method further includes providing the event to the user device for display to the user. The event displayed on the user device can include information such as an identity of the accessing entity, a description of the private data that was accessed, and when the access occurred. The user can select a displayed event at the user device and request further information on the event from an administrator.
    Type: Grant
    Filed: November 28, 2018
    Date of Patent: August 10, 2021
    Assignee: VMWare, Inc.
    Inventors: Ramana Malladi, Achyut Bukkapattanam, Chris Wigley, Nidhi Aggarwal, Sai Kiran Vudutala
  • Patent number: 11075911
    Abstract: Systems, methods, and computer-readable media are described for a network address block treatment server. The network address block treatment server identifies blocks of network addresses, associates them with treatments, and generates compact representations of the network address blocks. Blocks may be identified based on network activity data or on the treatment of individual network addresses, and treatments may be associated with address blocks based on address-level and/or block-level criteria. Treatments may include, for example, denying service requests, throttling, queueing, issuing a challenge-response, or limiting the number or scope of services. The network address block treatment server may review treatments periodically or upon receipt of additional network activity data. The server may implement treatments in connection with firewall or routing services, or may transmit address block representations and associated treatments to network service providers for implementation.
    Type: Grant
    Filed: April 15, 2019
    Date of Patent: July 27, 2021
    Assignee: Amazon Technologies, Inc.
    Inventors: Darren Ernest Canavor, Kenneth Grey Richards, William Alexander Strand
  • Patent number: 11063909
    Abstract: Enterprise users' mobile devices typically access the Internet without being protected by the enterprise's network security policy, which exposes the enterprise network to Internet-mediated attack by malicious actors. This is because the conventional approach to protecting the mobile devices and associated enterprise network is to tunnel all of the devices' Internet communications to the enterprise network, which is very inefficient since typically only a very small percentage of Internet communications originating from an enterprise's mobile devices are communicating with Internet hosts that are associated with threats. In the present disclosure, the mobile device efficiently identifies which communications are associated with Internet threats, and tunnels only such identified traffic to the enterprise network, where actions may be taken to protect the enterprise network.
    Type: Grant
    Filed: March 8, 2021
    Date of Patent: July 13, 2021
    Assignee: Centripetal Networks, Inc.
    Inventors: Sean Moore, Peter P. Geremia
  • Patent number: 11062017
    Abstract: A method for uniquely authenticating a device provides for receiving a scoping request, allocating a scope ID responsive to the request, and storing one or more device identification credentials in a database. Each device identification credential stored in the database includes the allocated scope ID and a device ID provided within the scoping request. The method further provides for receiving a registration request specifying a device identification credential and authenticating the specified device identification credential by confirming a match between the specified device identification credential and one of the device identification credentials stored in the database. The method further provides for provisioning the device with initial configuration information responsive to the authentication.
    Type: Grant
    Filed: August 24, 2018
    Date of Patent: July 13, 2021
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Nicole Elaine Berdy, Affan A. Dar, Simon D. Porter
  • Patent number: 11063915
    Abstract: A device such as a network-attachable data transfer device may be configured to operate in a cluster to coordinate the storage of data. A cluster manifest may include data and/or metadata related to devices of the cluster. In some cases, a cluster manifest may include, for each of one or more devices of a cluster: an encrypted payload; an identifier associated with the particular device; and an encrypted data entry. The encrypted payload may encode a cryptographic payload key used in part to perform storage operations. The encrypted data entry may include one or more encrypted partitions that are each decryptable by a different security module of the device. The decrypted partitions may be assembled to form a cryptographic key that may decrypt the encrypted payload. The cluster manifest may be provided to a locked device of a cluster as part of a process for unlocking the locked device.
    Type: Grant
    Filed: March 24, 2017
    Date of Patent: July 13, 2021
    Assignee: Amazon Technologies, Inc.
    Inventors: Frank Charles Paterra, Eric Neilsen, Elodie Wun, Mahadeva Navali Basavaraj, Shuo Yang, Vaibhav Tyagi, Xiao Li
  • Patent number: 11055396
    Abstract: The disclosed embodiments provide a system that detects unwanted electronic components in a target asset. During operation, the system generates a sinusoidal load for the target asset. Next, the system obtains target electromagnetic interference (EMI) signals by monitoring EMI signals generated by the target asset while the target asset is executing the sinusoidal load. The system then generates a target EMI fingerprint from the target EMI signals. Finally, the system compares the target EMI fingerprint against a reference EMI fingerprint for the target asset to determine whether the target asset contains unwanted electronic components.
    Type: Grant
    Filed: July 9, 2019
    Date of Patent: July 6, 2021
    Assignee: Oracle International Corporation
    Inventors: Kenny C. Gross, Michael H. S. Dayringer, Andrew J. Lewis, Guang C. Wang
  • Patent number: 11057218
    Abstract: A token or other storage device uses Internet identities to set file access attribute rights. Subsequently, requests to access a file can be controlled by confirming the Internet identity of the requestor by either validating the request with a known public key or retrieving the public key from an Internet identity provider. Files may be stored encrypted and may be re-encrypted with the public key associated with the Internet identity making the request.
    Type: Grant
    Filed: April 3, 2019
    Date of Patent: July 6, 2021
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Todd L. Carpenter, David Steeves, David Abzarian
  • Patent number: 11055410
    Abstract: An execution of a data object is identified by a computing device. In response to identifying the execution of the data object, it is determined that the data object has requested a sensitive action of the computing device before interacting with a user of the computing device. In response to determining that the data object has requested the sensitive action, the data object is classified as a high-risk data object.
    Type: Grant
    Filed: October 28, 2019
    Date of Patent: July 6, 2021
    Assignee: iboss, Inc.
    Inventors: Paul Michael Martini, Peter Anthony Martini
  • Patent number: 11042649
    Abstract: Disclosed herein are display techniques that will allow sensitive data displayed on a computer screen to be viewed only by authorized users and will render the computer screen unreadable to unauthorized users. One or more display techniques are capable of automatically scrambling and unscrambling the display screen of the computing device such that only an intended viewer is able to view data on the display screen using deciphering glasses.
    Type: Grant
    Filed: September 12, 2018
    Date of Patent: June 22, 2021
    Assignee: Massachusetts Mutual Life Insurance Company
    Inventors: Jiby John, Michal Knas, Damon Ryan DePaolo, Payton A. Shubrick, Jason Cook
  • Patent number: 11032268
    Abstract: Embodiments provide a system and method for network tracking. Through various methods of packet encapsulation or IP option filling, one or more packets of information can be tagged with a unique security tag to prevent unauthorized access. A user agent can be validated by an authentication server through acceptance of one or more user credentials. The authentication server can generate a security token that can be transmitted to the user agent. The user agent can generate a keystream from the security token, and portions of that keystream can be attached to the packets as the security tag. The tagged packets can be forwarded to an authenticator, which can recreate the keystream from a copy of the security token provided by the authentication server. If the tags generated by the authenticator match the tags on the tagged packet, the authenticator can strip the tag from the tagged packet and forward the packet on to its next network address.
    Type: Grant
    Filed: April 11, 2019
    Date of Patent: June 8, 2021
    Assignee: International Business Machines Corporation
    Inventors: Chih-Wen Chao, Cheng-Ta Lee, Wei-Shiau Suen, Ming-Hsun Wu
  • Patent number: 11025477
    Abstract: This disclosure relates to enhanced overlay network-based transport of traffic to and from customer branch office locations, facilitated through the use of Internet-based overlay routing. A method of selecting an ingress edge region of the overlay network begins by mapping a service hostname to an IKEv2 destination of an outer IPsec tunnel associated with a first overlay network edge. An IKEv2 session is established from the first overlay network edge to the customer router. Upon tunnel establishment, a secondary lookup is performed to determine whether the first overlay network edge is an appropriate ingress region. Based on a response to the secondary lookup, an IKEv2 redirect is issued to a second overlay network edge. A new tunnel is then established from the second overlay network edge to the customer router. Thereafter, an additional lookup may also be performed to determine whether the second overlay network edge remains an appropriate ingress region.
    Type: Grant
    Filed: December 28, 2016
    Date of Patent: June 1, 2021
    Assignee: Akamai Technologies, Inc.
    Inventors: Ryan Ruel, Fardad Farahmand, Brandon O. Williams