Abstract: A key broker monitors network traffic metadata and determines which decryption keys are required at one or more packet brokers in order to decrypt relevant traffic required by various network monitoring devices. The key broker retrieves the required keys from a secure keystore distributes them, as needed, to the network packet brokers, and dynamically updates the decryption keys stored in the network packet brokers in response to changes in network traffic.

Abstract: Implementations disclose methods and systems for facilitating an automated user login into a first application hosted by a first-screen device. A method includes detecting, by a second-screen device, a message transmitted by the first-screen device over a network; determining, based on the message, that the first application hosted by the first-screen device is requesting user authentication for the automated user login; presenting, via a second application hosted by the second-screen device, a prompt for user input indicating user acceptance of the automated user login; receiving the user input indicating the user acceptance of the automated user login; and responsive to the user input, transmitting an authentication code from the message to the server device to perform the user authentication for the automated user login into the first application.

Abstract: A system and method for insuring privacy, access control, and authentication for electronic user data submitted to social media platforms, email systems, web sites, and other electronics and software based communication and storage systems is provided. Control over user data is provided such that the user can determine which other users may have access to the data, and only such permitted users will be able to access the data. All other parties, including the operators of the system platform in use, will not be able to view the submitted data. Authentication is provided such that the viewer of the data is ensured that the author of the data is in fact the author indicated in the data, and that the data has not been modified since it was submitted. Data privacy, access control, and authentication is provided in a seamless and convenient manner for both the author and recipients of the data.

Abstract: A self encryption drive (SED) receives a media encryption key (MEK) from a key management server. The MEK is stored only in volatile memory of the SED. Data is encrypted for storage in a non-volatile storage media of the SED based on the MEK. Further, the MEK is erased in the volatile memory to crypto-erase the SED by deleting all instances of the MEK stored by the SED.

Abstract: A method includes receiving, by a computing device, a message from a host device. In response to receiving the message, the computing device generates an identifier, a certificate, and a key. The identifier is associated with an identity of the computing device, and the certificate is generated using the message. The computing device sends the identifier, the certificate, and the key to the host device. The host device verifies the identity of the computing device using the identifier, the certificate, and the key.

Abstract: Techniques are described for managing risk in a network that includes one or more Internet-of-Things (IoT) devices. Management module(s) may operate to determine a model for an IoT in a home, office, or other environment, the model describing typical operations of the device(s) that are connected over an IoT. The operations of the IoT devices may be monitored for compliance with the model. The management module(s) may detect instances when one or more IoT devices exhibit behaviors that are a deviation from the normal operations indicated in the model, such as device failures. A policy may operate (e.g., as a smart contract) to transfer value to a user account in response to detecting an operational deviation of IoT device(s).

Abstract: A node including processing circuitry configured to: generate anonymized data based at least in part on a first cryptographic key and network data, calculate a coordination vector, generate initialized data based at least in part on the anonymized data, a second cryptographic key and the coordination vector, transmit the initialized data, the random vector, a security policy and instructions to analyze n iterations of the initialized data and the security policy using the random vector and the second cryptographic key, and receive results of the analysis of the n iterations of the initialized data and the security policy using the random vector and the second cryptographic key. The analysis of an m iteration of the n iterations correspond to an analysis of the initialized data with prefix preservation where the analysis of the remaining iterations of the n iterations fail to be prefixed preserved.

Abstract: A plurality of communicatively coupled, networked assets may be threatened or attacked by a cybersecurity attack. The operational resiliency of the computer network determines whether the cybersecurity attack leads to a shutdown of one or more assets, or even the entire computer network. A cybersecurity server selectively restricts and controls the data flow over the network and transforms a configurable, networked asset from a low, medium, and high cybersecurity mode. The cybersecurity server may reside on a firewall device or other networked device, and adjusts the cybersecurity mode based on a criticality score that measures the operational resiliency of the computer network. The criticality score changes as cybersecurity threats or attacks are identified and as mitigation strategies are implemented on the networked assets.

Abstract: A system and computerized method for generating an improved cyber-security rule ordering for cyber-security threat detection or post-processing activities conducted by a rules-based cyber-security engine deployed within a network device is described. Herein, historical metadata associated with analytics conducted on incoming data by a rule-based cyber-security engine and in accordance with a plurality of rules is described. These rules are arranged in a first ordered rule sequence. The historical metadata is analyzed to determine one or more salient rules from the plurality of rules. The plurality of rules are reprioritized by at least rearranging an order to a second ordered rule sequence with the one or more salient rules being positioned toward a start of the second ordered rule sequence. Thereafter, the rule-based cyber-security engine operates in accordance with the reprioritized rule set that is arranged in the second ordered rule sequence to achieve improved performance.

Abstract: Disclosed are apparatus and methods for programming a plurality of nonvolatile memory (NVM) devices. Each NVM device self-generates and stores a unique encryption key. Each NVM device concurrently receives an image from a multiple-device programming system to which all the NVM devices are communicatively coupled. Each NVM device encrypts the received image using such NVM device's unique encryption key to produce a unique encrypted image for each NVM device. Each NVM device stores its unique encrypted image within a nonvolatile memory of such NVM device. The unique encryption key can then be securely transferred to a host device for decrypting the image accessed from one of the NVM devices.

Abstract: Providing smart contracts including secrets encrypted with oracle-provided encryption keys using thresholding cryptosystems is disclosed. In one example, a contract creator encrypts sensitive data necessary for executing a smart contract into ciphertext with multiple symmetric cryptographic keys using a threshold cryptosystem, such that a subset of at least size R of the symmetric cryptographic keys are required to decrypt the ciphertext. The symmetric cryptographic keys are encrypted into wrappers using a public cryptographic key of a contract executor. Envelopes are generated using public cryptographic keys of corresponding contract oracles, where the envelopes include the wrappers encrypted using the public cryptographic keys, and policies that specify condition(s) precedent and are authenticated using the public cryptographic keys. The smart contract, including the envelopes, the ciphertext, and R, is then deployed to the contract executor.

Abstract: Embodiments of content management systems that utilize encryption are disclosed. An object management module of a content management system is adapted to encrypt an object using a data key that is generated based on the content. The data key is encrypted using a tenant key associated with a tenant of the system. The encrypted object is stored in an object store, and a storage record for the stored encrypted object is stored in a data store, along with the encrypted data key and a tenant key identifier.

Abstract: A key delegation request is received from a host system. The key delegation request includes a new public key. A challenge is generated based on the new public key and a root public key, and the challenge is provided to the host system responsive to the request. A first and second digital signature are received from the host system. The first digital signature is generated by cryptographically signing the challenge using a new private key corresponding to the new public key and the second digital signature is generated by cryptographically signing the challenge using a root private key corresponding to the root public key. The first digital signature is validated using the new public key and the second digital signature is validated using the root public key. Based on successful validation of both signatures, the new public key is utilized in one or more cryptographic operations.

Abstract: A hybrid encryption method for securely transferring an electronic data package from a sender to a plurality of clients. The method comprises storing a shared symmetric key on each of the clients. The sender encrypts a private key of an asymmetric key pair using the shared symmetric key. The sender encrypts the data package with a temporary symmetric key to generate an encrypted data package. The sender encrypts the temporary symmetric key with the public key of the asymmetric key pair to generate an encrypted temporary symmetric key. The sender transmits the encrypted data package, the encrypted temporary symmetric key, and the encrypted private key to the clients. Each client decrypts the encrypted data package by: using the shared symmetric key to decrypt the encrypted private key; using the decrypted private key to decrypt the encrypted temporary symmetric key, and using the decrypted temporary symmetric key to decrypt the encrypted data package.

Abstract: For communicating securely between electronic devices using symmetric key encryption, a first electronic device transfers to a second electronic device metadata with positional information which indicates the position of a first cryptographic key in a cryptographic key hierarchy. The second electronic device derives the first cryptographic key by way of a one-way function from a second cryptographic key stored in the second electronic device, using the positional information received from the first electronic device. Subsequently, the first electronic device and the second electronic device communicate data securely with symmetric key encryption using the first cryptographic key.

Abstract: A network-accessible cyber-threat security analytics service is configured to receive and respond to requests that originate as name queries to a Domain Name System (DNS) service. Threat intelligence information provided by the service is organized into threat intelligence zones that correspond to zones exposed via the DNS service. Upon receipt of a DNS query, the query having been generated by an application seeking access to threat intelligence data exposed by the service, the query is translated into a DNS zone-specific API request based on the type of threat intelligence information sought. The zone-specific API request is then used to retrieve the requested threat intelligence information from a threat intelligence database. The requested threat intelligence information is then returned to the application by being encoded as part of a response to the DNS query. In this manner, the DNS protocol is leverage to facilitate highly-efficient access and retrieval of threat intelligence information.

Abstract: A method and apparatus for commissioning a device to an Internet of Things (IoT) Hub using a permissioned blockchain. The method includes preparing a device to be commissioned by providing the device with meta-information and a set of cryptographic keys, initializing the device to facilitate communication with a permissioned blockchain by a trusted user, storing at least a portion of the meta-information in the permissioned blockchain, and receiving and storing by the device, a hash key from the permissioned blockchain, the hash key based on the storing. The method also includes connecting to the device via a service tool to obtain the hash key and verifying the hash key with the permissioned block chain. If the verifying is successful, communicating device information to a cloud service, the cloud service in communication with the IoT Hub to enable the commissioning.

Abstract: closed circuit television (CCTV) image data distribution processing apparatus includes a CCTV image data receiver configured to receive CCTV image data from a CCTV camera, an encryption processor configured to perform encryption-processing on the CCTV image data, a data splitter configured to split the CCTV image data into chunk data, an index processor configured to perform index-processing on the chunk data with an index generated through the encryption, and a controller configured to distribute and store the index-processed chunk data in a plurality of storage servers corresponding to corresponding indexes, respectively, or to decode chunk data to restore original CCTV image data when receiving the chunk data stored in the storage server.

Abstract: An email validation system receives an email validation request from a requestor to validate an email, the email validation request indicating at least a sender domain indicating a domain of the sender of the email. The email validation system determines whether the sender domain is in a whitelist of known domains, wherein a known domain is a domain that is linked to an organization whose provenance is known, such that it can be linked to an identifiable entity in the real world. The email validation system generates, in response to determining that the sender domain is not in the list of known domains, a message indicating that the email is not valid. The email validation system generates, in response to determining that the sender domain is in the list of known domains, the message indicating that the email is valid, and transmits the message to the requestor.

Abstract: A system and method for media content management include creating, via a digital vault, a container file comprising media content submitted by a user and content metadata; verifying, via the digital vault, a completeness of the content metadata associated with the media content in the container file; classifying, via the digital vault, the container file based on the completeness of the media content; identifying a salable content item that is to be put up for sale; creating, via the digital vault, a nonfungible token (NFT) container file and populating the NFT container file with the salable content item and NFT metadata; offering the specified ownership rights to the salable content item for sale via an NFT transaction; and updating the NFT container file to reflect a new owner of the ownership rights to the salable content after sale of the salable content item.