Abstract: A pathway identification system includes processor and memory hardware. The memory hardware stores a pathway database including pathways corresponding to at least one pathway parameter, a framework database including a set of framework transformation models, and instructions. The instructions include, in response to receiving a first pathway parameter corresponding to a user, identifying a subset of pathways of the pathways corresponding to the first pathway parameter. The instructions include obtaining a first set of framework transformation models from the framework database, determining a pathway value for each pathway of the subset of pathways using the first set of framework transformation models, and selecting at least one pathway of the subset of pathways based on the corresponding pathway value. The instructions include transmitting information encoding the at least one pathway to the operator device and transforming a user interface of the operator device to display the at least one pathway.

Abstract: Methods and systems related to an exhaust gas treatment system including, in order: (i) a first means for injecting a nitrogenous reductant; (ii) a first selective catalytic reduction (SCR) catalyst; (iii) an ammonia slip catalyst (ASC); and (iv) a second selective catalytic reduction (SCR) catalyst, wherein the ASC comprises an SCR catalyst and a supported palladium (Pd) component.

Abstract: Techniques are taught for encrypting one or more target partitions effectively “in-place”. This effectively in-place encryption is extremely desirable when a root/OS partition (such as /, /usr, /bin, etc.) needs to be encrypted without having to manually back up its contents to another location where they may be exposed in plaintext form, encrypting a new partition, and restoring the contents back to it. The techniques of the present disclosure are also applicable for encrypting effectively in-place user data partitions. To accomplish its objectives, the technology provides an install sequence/process and a modified boot sequence to automatically encrypt partitions effectively in-place. In various embodiments, the selection of copy partitions where copy data is temporarily stored in encrypted form, is performed manually or automatically.

Abstract: Techniques are disclosed for managing encrypted storage resources based on key-metadata. The per-key key-metadata is stored in a key management system/server (KMS) along with respective cryptographic keys. The cryptographic keys in the KMS may be data keys or wrapping keys for the data keys. The management of the storage resources is provided via a central console which is a user interface of a console server in authenticated communication with the KMS. The key-metadata associates cryptographic keys to their respective encrypted storage resources. This association is used by the console server to drive the console. The console allows an admin to view/list all encrypted storage resources and related cryptographic objects including keys and digital certificates, as well as to perform various administrative/management functions on them.

Abstract: Techniques are disclosed for managing encrypted storage resources based on key-metadata. The per-key key-metadata is stored in a key management system/server (KMS) along with respective cryptographic keys. The cryptographic keys in the KMS may be data keys or wrapping keys for the data keys. The management of the storage resources is provided via a central console which is a user interface of a console server in authenticated communication with the KMS. The key-metadata associates cryptographic keys to their respective encrypted storage resources. This association is used by the console server to drive the console. The console allows an admin to view/list all encrypted storage resources and related cryptographic objects including keys and digital certificates, as well as to perform various administrative/management functions on them.

Abstract: Techniques are disclosed for a configurable stackable filesystem (CSF) that interfaces with an underlying filesystem and client applications via a virtual filesystem interface (VFS). The CSF can perform a variety of operations on its files and directories. The operations implemented by the CSF can be configured to be performed via a configuration file on the specified files/directories. These operations comprise monitoring/logging including permissions and access control lists (ACL) changes, encryption, compression, rate-limiting and time-of-use enforcement, etc. The configuration file can be updated and loaded into the CSF with immediate effect at runtime, and without requiring to unmount the CSF and disrupting the processes using it. The CSF itself is advantageously modularly implemented as multiple layers or individual CSFs each specializing in one type of operation.

Abstract: Techniques are disclosed for dynamically allocating dedicated encrypted storage for containers/applications in a containerized environment. Only those container(s) are able to access an encrypted storage volume that have access to the volume secret for the volume. The volume secret is combined with a pre-key using a hash-based key derivation function (HKDF) to obtain the volume/encryption key for the volume. In various aspects, one is able to specify the amount of encrypted storage desired/required in a storage/host volume to be allocated to a container on-demand. The containerized application for which an instant dynamically allocated dedicated storage volume is created may be a composable multi-container or microservices application. The encrypted storage volume is optimally assembled from the partitions of the storage devices available on a host. The storage devices may be local to the host or remote or in the cloud.

Abstract: Techniques are disclosed for encrypting internet-of-things (IoT) data of an IoT network only once at its inception until its final consumption without intervening encryption/decryption stages/cycles. The present encrypt-decrypt-once design thus eliminates potential exposure of the IoT data in its plaintext form of a traditional approach employing intervening encryption/decryption cycles. The present design is also efficient and reduces the burden on IoT resources by eliminating the need for encrypting and decrypting the data multiple times. To accomplish these objectives, a number of schemes for device enrollment, authentication, key distribution, key derivation, encryption and encoding are disclosed. A preferred key distribution scheme employs key distribution certificates or KD-certs for distributing key material to the edge devices. KD-certs may be group KD-certs that are shared across a group of edge devices.

Abstract: Techniques are disclosed for encrypting internet-of-things (IoT) data of an IoT network only once at its inception until its final consumption without intervening encryption/decryption stages/cycles. The present encrypt-decrypt-once design thus eliminates potential exposure of the IoT data in its plaintext form of a traditional approach employing intervening encryption/decryption cycles. The present design is also efficient and reduces the burden on IoT resources by eliminating the need for encrypting and decrypting the data multiple times. To accomplish these objectives, a number of schemes for device enrollment, authentication, key distribution, key derivation, encryption and encoding are disclosed. The devices employ authenticated encryption because it provides confidentiality, integrity, and authenticity assurances on the encrypted data. The final consumption of the IoT data may be at a designated gateway or a corporate system.

Abstract: Techniques are disclosed for dynamically allocating encrypted storage for containers/applications in a containerized environment. In various aspects, one is able to specify the amount of encrypted storage desired/required in a storage/host volume to be allocated to a container on-demand. The containerized environment may employ its own hardware resources or be implemented on an infrastructure-as-a-service (IaaS). The containerized application for which an instant dynamically allocated storage volume is created may be a composable multi-container or microservices application. The encrypted storage volume is optimally assembled from the partitions of the storage devices available on a host. The storage devices may be local to the host or remote or in the cloud. Techniques are also disclosed for decommissioning a previously allocated encrypted storage volume based on the present design.

Abstract: Techniques are disclosed for securing data-at-rest at an internet-of-things (IoT) site with an unreliable or intermittent connectivity to the key manager operating at a corporate data center. The IoT site deploys one or more IoT devices/endpoints that generate IoT data according to the requirements of the site. The IoT data generated by these devices is collected/aggregated by one or more gateway devices. The gateways encrypt their data-at-rest gathered from the IoT devices using cryptographic keys. In the absence of a reliable connection to a backend corporate key manager, the design employs LAN key managers deployed locally at the IoT site. The gateways obtain keys from the LAN key managers to encrypt the IoT data before storing it in their local storage. The LAN key managers may periodically download keys from the corporate key manager or generate their own keys and then later synchronize with the corporate key manager.

Abstract: A computer system and methods for securing files in a file system with storage resources accessible to an authenticable user using an untrusted client device in a semi-trusted client threat model. Each file is secured in the file system in one or more ciphertext blocks along with the file metadata. Each file is assigned a unique file key FK to encrypt the file. A wrapping key WK assigned to the file is used for encrypting the file key FK to produce a wrapped file key WFK. A key manager is in charge of generating and storing keys. The file is encrypted block by block to produce corresponding ciphertext blocks and corresponding authentication tags. The authentication tags are stored in the file metadata, along with an ID of the wrapping key WK, wrapped file key WFK, last key rotation time, an Access Control List (ACL), etc. The integrity of ciphertext blocks is ensured by authentication tags and the integrity of the metadata is ensured by a message authentication code (MAC).

Abstract: Techniques are disclosed for dynamically allocating storage for containers/applications in a containerized environment. In various aspects, one is able to specify the amount of storage desired/required in a storage/host volume to be allocated to a container on-demand. The containerized environment may employ its own hardware resources or be implemented on an infrastructure-as-a-service (IaaS). The containerized application for which an instant dynamically allocated storage volume is created may be a composable multi-container or microservices application. The storage volume is optimally assembled from the partitions of the storage devices available on a host. The storage devices may be local to the host or remote or in the cloud. Techniques are also disclosed for decommissioning a previously allocated storage volume based on the present design.

Abstract: Techniques are disclosed for dynamically allocating dedicated encrypted storage for containers/applications in a containerized environment. Only those container(s) are able to access an encrypted storage volume that have access to the volume secret for the volume. The volume secret is combined with a pre-key using a hash-based key derivation function (HKDF) to obtain the volume/encryption key for the volume. In various aspects, one is able to specify the amount of encrypted storage desired/required in a storage/host volume to be allocated to a container on-demand. The containerized application for which an instant dynamically allocated dedicated storage volume is created may be a composable multi-container or microservices application. The encrypted storage volume is optimally assembled from the partitions of the storage devices available on a host. The storage devices may be local to the host or remote or in the cloud.

Abstract: Techniques are disclosed for dynamically allocating storage for containers/applications in a containerized environment. In various aspects, one is able to specify the amount of storage desired/required in a storage/host volume to be allocated to a container on-demand. The containerized environment may employ its own hardware resources or be implemented on an infrastructure-as-a-service (IaaS). The containerized application for which an instant dynamically allocated storage volume is created may be a composable multi-container or microservices application. The storage volume is optimally assembled from the partitions of the storage devices available on a host. The storage devices may be local to the host or remote or in the cloud. Techniques are also disclosed for decommissioning a previously allocated storage volume based on the present design.

Abstract: Techniques are disclosed for dynamically allocating encrypted storage for containers/applications in a containerized environment. In various aspects, one is able to specify the amount of encrypted storage desired/required in a storage/host volume to be allocated to a container on-demand. The containerized environment may employ its own hardware resources or be implemented on an infrastructure-as-a-service (IaaS). The containerized application for which an instant dynamically allocated storage volume is created may be a composable multi-container or microservices application. The encrypted storage volume is optimally assembled from the partitions of the storage devices available on a host. The storage devices may be local to the host or remote or in the cloud. Techniques are also disclosed for decommissioning a previously allocated encrypted storage volume based on the present design.

Abstract: Techniques are disclosed for encrypting internet-of-things (IoT) data of an IoT network only once at its inception until its final consumption without intervening encryption/decryption stages/cycles. The present encrypt-decrypt-once design thus eliminates potential exposure of the IoT data in its plaintext form of a traditional approach employing intervening encryption/decryption cycles. The present design is also efficient and reduces the burden on IoT resources by eliminating the need for encrypting and decrypting the data multiple times. To accomplish these objectives, a number of schemes for device enrollment, authentication, key distribution, key derivation, encryption and encoding are disclosed. The devices employ authenticated encryption because it provides confidentiality, integrity, and authenticity assurances on the encrypted data. The final consumption of the IoT data may be at a designated gateway or a corporate system.

Abstract: Techniques are disclosed for securing data in a cloud storage. Plaintext files are stored as secured, encrypted files in the cloud. The ciphering scheme employs per-block authenticated encryption and decryption. A unique file-key is used to encrypt each file. The file-key is wrapped by authenticated encryption in a wrapping-key that may be shared between files. A centralized security policy contains policy definitions which determine which files will share the wrapping-key. Wrapping-keys are stored in a KMIP compliant key manager which may be backed by a hardware security module (HSM). File metadata is protected by a keyed-hash message authentication code (HMAC). A policy engine along with administrative tools enforce the security policy which also remains encrypted in the system. Various embodiments support blocks of fixed as well as variable sizes read/written from/to the cloud storage.

Abstract: Techniques are disclosed for securing data-at-rest at an internet-of-things (IoT) site with an unreliable or intermittent connectivity to the key manager operating at a corporate data center. The IoT site deploys one or more IoT devices/endpoints that generate IoT data according to the requirements of the site. The IoT data generated by these devices is collected/aggregated by one or more gateway devices. The gateways encrypt their data-at-rest gathered from the IoT devices using cryptographic keys. In the absence of a reliable connection to a backend corporate key manager, the design employs LAN key managers deployed locally at the IoT site. The gateways obtain keys from the LAN key managers to encrypt the IoT data before storing it in their local storage. The LAN key managers may periodically download keys from the corporate key manager or generate their own keys and then later synchronize with the corporate key manager.

Abstract: A cellular telecommunications network architecture is described where certain UEs are configured to assist the network to improve coverage in regions of poor radio conditions. In certain embodiments, appropriate UEs are selected to act as a dynamic, out-of-band coverage extensions. Network performance can thereby be improved when serving users at the cell edge (or in other poor radio condition regions of a cell). Data from UEs connected to those assisting UEs is encrypted to allow secure transit of data without requiring modification to the RAN or Core Network.