Patents by Inventor Julien F. Freudiger

Julien F. Freudiger has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20240078343
    Abstract: Techniques are disclosed relating to application verification. In various embodiments, a computing device includes a secure circuit configured to maintain a plurality of cryptographic keys of the computing device. In such an embodiment, the computing device receives, from an application, a request for an attestation usable to confirm an integrity of the application, instructs the secure circuit to use one of the plurality of cryptographic keys to supply the attestation for the application, and provides the attestation to a remote computing system in communication with the application. In some embodiments, the secure circuit is configured to verify received metadata pertaining to the identity of the application and use the cryptographic key to generate the attestation indicative of the identity of the application.
    Type: Application
    Filed: September 8, 2023
    Publication date: March 7, 2024
    Inventors: Hervé Sibert, Eric D. Friedman, Erik C. Neuenschwander, Jerrold V. Hauck, Thomas P. Mensch, Julien F. Freudiger, Alan W. Yu
  • Publication number: 20230336328
    Abstract: A device receives a time-based restriction for usage by a first user with respect to an application, a website or a device-level function. The device receives encrypted data indicating a usage by the first user on a second device with respect to the application, website or device-level function. The device determines that at least one of the usage by the first user on the second device or a usage by the first user on the device with respect to the application, website or device-level function violates the time-based restriction. The device provides, in response to the determining, a notification that the time-based restriction has been violated by the first user.
    Type: Application
    Filed: June 16, 2023
    Publication date: October 19, 2023
    Inventors: Christopher G. SKOGEN, Jean-Pierre CIUDAD, Julien F. FREUDIGER, Joao Pedro DE ALMEIDA FORJAZ DE LACERDA, Cyrus DABOO, Todd R. FERNANDEZ, Thomas ALSINA, Deepak IYER, Cody D. JORGENSEN, Edward T. SCHMIDT, Astrid YI
  • Patent number: 11790119
    Abstract: Techniques are disclosed relating to application verification. In various embodiments, a computing device includes a secure circuit configured to maintain a plurality of cryptographic keys of the computing device. In such an embodiment, the computing device receives, from an application, a request for an attestation usable to confirm an integrity of the application, instructs the secure circuit to use one of the plurality of cryptographic keys to supply the attestation for the application, and provides the attestation to a remote computing system in communication with the application. In some embodiments, the secure circuit is configured to verify received metadata pertaining to the identity of the application and use the cryptographic key to generate the attestation indicative of the identity of the application.
    Type: Grant
    Filed: November 13, 2019
    Date of Patent: October 17, 2023
    Assignee: Apple Inc.
    Inventors: Hervé Sibert, Eric D. Friedman, Erik C. Neuenschwander, Jerrold V. Hauck, Thomas P. Mensch, Julien F. Freudiger, Alan W. Yu
  • Patent number: 11716193
    Abstract: A device receives a time-based restriction for usage by a first user with respect to an application, a website or a device-level function. The device receives encrypted data indicating a usage by the first user on a second device with respect to the application, website or device-level function. The device determines that at least one of the usage by the first user on the second device or a usage by the first user on the device with respect to the application, website or device-level function violates the time-based restriction. The device provides, in response to the determining, a notification that the time-based restriction has been violated by the first user.
    Type: Grant
    Filed: May 11, 2021
    Date of Patent: August 1, 2023
    Assignee: Apple Inc.
    Inventors: Christopher G. Skogen, Jean-Pierre Ciudad, Julien F. Freudiger, Joao Pedro De Almeida Forjaz De Lacerda, Cyrus Daboo, Todd R. Fernandez, Thomas Alsina, Deepak Iyer, Cody D. Jorgensen, Edward T. Schmidt, Astrid Yi
  • Publication number: 20210266395
    Abstract: A device receives a time-based restriction for usage by a first user with respect to an application, a website or a device-level function. The device receives encrypted data indicating a usage by the first user on a second device with respect to the application, website or device-level function. The device determines that at least one of the usage by the first user on the second device or a usage by the first user on the device with respect to the application, website or device-level function violates the time-based restriction. The device provides, in response to the determining, a notification that the time-based restriction has been violated by the first user.
    Type: Application
    Filed: May 11, 2021
    Publication date: August 26, 2021
    Inventors: Christopher G. SKOGEN, Jean-Pierre CIUDAD, Julien F. FREUDIGER, Joao Pedro DE ALMEIDA FORJAZ DE LACERDA, Cyrus DABOO, Todd R. FERNANDEZ, Thomas ALSINA, Deepak IYER, Cody D. JORGENSEN, Edward T. SCHMIDT, Astrid YI
  • Patent number: 11005986
    Abstract: A device receives a time-based restriction for usage by a first user with respect to an application, a website or a device-level function. The device receives encrypted data indicating a usage by the first user on a second device with respect to the application, website or device-level function. The device determines that at least one of the usage by the first user on the second device or a usage by the first user on the device with respect to the application, website or device-level function violates the time-based restriction. The device provides, in response to the determining, a notification that the time-based restriction has been violated by the first user.
    Type: Grant
    Filed: March 30, 2020
    Date of Patent: May 11, 2021
    Assignee: Apple Inc.
    Inventors: Christopher G. Skogen, Jean-Pierre Ciudad, Julien F. Freudiger, Joao Pedro De Almeida Forjaz De Lacerda, Cyrus Daboo, Todd R. Fernandez, Thomas Alsina, Deepak Iyer, Cody D. Jorgensen, Edward T. Schmidt, Astrid Yi
  • Publication number: 20200228647
    Abstract: A device receives a time-based restriction for usage by a first user with respect to an application, a website or a device-level function. The device receives encrypted data indicating a usage by the first user on a second device with respect to the application, website or device-level function. The device determines that at least one of the usage by the first user on the second device or a usage by the first user on the device with respect to the application, website or device-level function violates the time-based restriction. The device provides, in response to the determining, a notification that the time-based restriction has been violated by the first user.
    Type: Application
    Filed: March 30, 2020
    Publication date: July 16, 2020
    Inventors: Christopher G. SKOGEN, Jean-Pierre CIUDAD, Julien F. FREUDIGER, Joao Pedro DE ALMEIDA FORJAZ DE LACERDA, Cyrus DABOO, Todd R. FERNANDEZ, Thomas ALSINA, Deepak IYER, Cody D. JORGENSEN, Edward T. SCHMIDT, Astrid YI
  • Patent number: 10666628
    Abstract: Systems, methods, and computer-readable media may be provided for securely authenticating device identification and/or user identification for low throughput device-to-device wireless communication.
    Type: Grant
    Filed: August 6, 2018
    Date of Patent: May 26, 2020
    Assignee: APPLE INC.
    Inventors: Julien F. Freudiger, Andrew J. Ringer, Yannick L. Sierra, Farouk Belghoul, Samuel D. Post
  • Publication number: 20200159966
    Abstract: Techniques are disclosed relating to application verification. In various embodiments, a computing device includes a secure circuit configured to maintain a plurality of cryptographic keys of the computing device. In such an embodiment, the computing device receives, from an application, a request for an attestation usable to confirm an integrity of the application, instructs the secure circuit to use one of the plurality of cryptographic keys to supply the attestation for the application, and provides the attestation to a remote computing system in communication with the application. In some embodiments, the secure circuit is configured to verify received metadata pertaining to the identity of the application and use the cryptographic key to generate the attestation indicative of the identity of the application.
    Type: Application
    Filed: November 13, 2019
    Publication date: May 21, 2020
    Inventors: Hervé Sibert, Eric D. Friedman, Erik C. Neuenschwander, Jerrold V. Hauck, Thomas P. Mensch, Julien F. Freudiger, Alan W. Yu
  • Patent number: 10609208
    Abstract: A device receives a time-based restriction for usage by a first user with respect to an application, a website or a device-level function. The device receives encrypted data indicating a usage by the first user on a second device with respect to the application, website or device-level function. The device determines that at least one of the usage by the first user on the second device or a usage by the first user on the device with respect to the application, website or device-level function violates the time-based restriction. The device provides, in response to the determining, a notification that the time-based restriction has been violated by the first user.
    Type: Grant
    Filed: September 28, 2018
    Date of Patent: March 31, 2020
    Assignee: APPLE INC.
    Inventors: Christopher G. Skogen, Jean-Pierre Ciudad, Julien F. Freudiger, Joao Pedro De Almeida Forjaz De Lacerda, Cyrus Daboo, Todd R. Fernandez, Thomas Alsina, Deepak Iyer, Cody D. Jorgensen, Edward T. Schmidt, Astrid Yi
  • Publication number: 20190349469
    Abstract: A device receives a time-based restriction for usage by a first user with respect to an application, a website or a device-level function. The device receives encrypted data indicating a usage by the first user on a second device with respect to the application, website or device-level function. The device determines that at least one of the usage by the first user on the second device or a usage by the first user on the device with respect to the application, website or device-level function violates the time-based restriction. The device provides, in response to the determining, a notification that the time-based restriction has been violated by the first user.
    Type: Application
    Filed: September 28, 2018
    Publication date: November 14, 2019
    Inventors: Christopher G. SKOGEN, Jean-Pierre CIUDAD, Julien F. FREUDIGER, Joao Pedro DE ALMEIDA FORJAZ DE LACERDA, Cyrus DABOO, Todd R. FERNANDEZ, Thomas ALSINA, Deepak IYER, Cody D. JORGENSEN, Edward T. SCHMIDT, Astrid YI
  • Publication number: 20190044930
    Abstract: Systems, methods, and computer-readable media may be provided for securely authenticating device identification and/or user identification for low throughput device-to-device wireless communication.
    Type: Application
    Filed: August 6, 2018
    Publication date: February 7, 2019
    Inventors: Julien F. Freudiger, Andrew J. Ringer, Yannick L. Sierra, Farouk Belghoul, Samuel D. Post
  • Patent number: 9949301
    Abstract: A method and system for verifying Internet connectivity at an access point in a fast, secure, and privacy-friendly manner. During operation, the system may perform passive network discovery, challenge response discovery, and/or active discovery to verify Internet connectivity for a mobile device. Passive network discovery involves the mobile device using a public key of a server to decrypt a time value to verify Internet connectivity. The mobile device receives the encrypted time value as part of the server's signed timing information in an overloaded WiFi beacon frame. Challenge response discovery involves the mobile device sending an encrypted challenge to servers, and a server returns a correct response to the challenge to confirm Internet connectivity. Active discovery involves a mobile device sending HTTP GET requests to a randomly selected set of servers without including a user agent, and a server may send an HTTP REPLY to confirm Internet connectivity.
    Type: Grant
    Filed: January 20, 2016
    Date of Patent: April 17, 2018
    Assignee: PALO ALTO RESEARCH CENTER INCORPORATED
    Inventors: Julien F. Freudiger, Alejandro E. Brito, Shantanu Rane, Ersin Uzun
  • Patent number: 9929863
    Abstract: One embodiment of the present invention provides a system for enhancing security in a secure communication channel. During operation, the system collects contextual information associated with a mobile device or a user of the mobile device and determines whether a trigger condition is met based on the collected contextual information. In response to determining that the trigger condition is met, the system performs a first type of key-ratcheting operation on a current cryptographic key to update the cryptographic key. In response to determining that the trigger condition is not met, the system performs a second type of key-ratcheting operation on the current cryptographic key to update the cryptographic key. The system then encrypts a to-be-sent message using an encryption key associated with the updated cryptographic key.
    Type: Grant
    Filed: October 30, 2015
    Date of Patent: March 27, 2018
    Assignee: PALO ALTO RESEARCH CENTER INCORPORATED
    Inventors: Julien F. Freudiger, Ersin Uzun
  • Patent number: 9817977
    Abstract: One embodiment of the present invention provides a system for stable selection of collaborating partners for exchanging security data. During operation, the system receives vectors of collaboration values from a plurality of entities. A collaboration value is a measure of an expected benefit of collaborating with a respective entity. The system sorts each of the vectors by the collaboration values of the respective vector. The system then determines matching entities given a number of partners wanted by each organization in N. The system may add matching entities to lists of collaborating partners given the number of partners wanted by each organization in N. Subsequently, the system sends the lists of collaborating partners to facilitate exchanging security data with partners in the list of collaborating partners.
    Type: Grant
    Filed: April 4, 2014
    Date of Patent: November 14, 2017
    Assignee: PALO ALTO RESEARCH CENTER INCORPORATED
    Inventors: Julien F. Freudiger, Emiliano De Cristofaro, Alejandro E. Brito, Marshall W. Bern, Ersin Uzun
  • Publication number: 20170208631
    Abstract: A method and system for verifying Internet connectivity at an access point in a fast, secure, and privacy-friendly manner. During operation, the system may perform passive network discovery, challenge response discovery, and/or active discovery to verify Internet connectivity for a mobile device. Passive network discovery involves the mobile device using a public key of a server to decrypt a time value to verify Internet connectivity. The mobile device receives the encrypted time value as part of the server's signed timing information in an overloaded WiFi beacon frame. Challenge response discovery involves the mobile device sending an encrypted challenge to servers, and a server returns a correct response to the challenge to confirm Internet connectivity. Active discovery involves a mobile device sending HTTP GET requests to a randomly selected set of servers without including a user agent, and a server may send an HTTP REPLY to confirm Internet connectivity.
    Type: Application
    Filed: January 20, 2016
    Publication date: July 20, 2017
    Applicant: Palo Alto Research Center Incorporated
    Inventors: Julien F. Freudiger, Alejandro E. Brito, Shantanu Rane, Ersin Uzun
  • Publication number: 20170126409
    Abstract: One embodiment of the present invention provides a system for enhancing security in a secure communication channel. During operation, the system collects contextual information associated with a mobile device or a user of the mobile device and determines whether a trigger condition is met based on the collected contextual information. In response to determining that the trigger condition is met, the system performs a first type of key-ratcheting operation on a current cryptographic key to update the cryptographic key. In response to determining that the trigger condition is not met, the system performs a second type of key-ratcheting operation on the current cryptographic key to update the cryptographic key. The system then encrypts a to-be-sent message using an encryption key associated with the updated cryptographic key.
    Type: Application
    Filed: October 30, 2015
    Publication date: May 4, 2017
    Applicant: PALO ALTO RESEARCH CENTER INCORPORATED
    Inventors: Julien F. Freudiger, Ersin Uzun
  • Patent number: 9477839
    Abstract: One embodiment of the present invention provides a system to facilitate collaboration for mitigating network threats. During operation, the system receives encrypted data sets from a plurality of entities. The data sets include data describing threats to network security. The system performs privacy-preserving operations on the encrypted data sets, such as private set intersection. The system then computes one or more metrics based on results of the private set intersection computations. The system may generate a similarity matrix based on the one or more metrics, and returns one or more similarity values from the similarity matrix to one or more entities of the plurality of entities.
    Type: Grant
    Filed: April 4, 2014
    Date of Patent: October 25, 2016
    Assignee: PALO ALTO RESEARCH CENTER INCORPORATED
    Inventors: Julien F. Freudiger, Emiliano De Cristofaro, Alejandro E. Brito, Marshall W. Bern, Ersin Uzun
  • Patent number: 9275237
    Abstract: One embodiment of the present invention provides a system for privacy-preserving sharing of data for secure collaboration. During operation, the system obtains a first set of data describing network events associated with one or more network addresses. Next, the system negotiates with a potential partner to determine a metric for deciding whether to share data. The potential partner is associated with a second set of data describing network events. The system then computes a value for the metric in a privacy-preserving way, based on the first set of data and the second set of data. Subsequently, the system determines whether the metric value exceeds a predetermined threshold, and, responsive to determining that the metric value exceeds the predetermined threshold, the system shares the first set of data with the potential partner, while controlling how the data should be shared to optimize benefits and risks of collaboration.
    Type: Grant
    Filed: December 9, 2013
    Date of Patent: March 1, 2016
    Assignee: PALO ALTO RESEARCH CENTER INCORPORATED
    Inventors: Emiliano De Cristofaro, Julien F. Freudiger, Ersin Uzun, Alejandro E. Brito, Marshall W. Bern
  • Publication number: 20150371059
    Abstract: One embodiment of the present invention provides a system for privacy-sensitive ranking of aggregated data. During operation, the system distributes secret keys to a plurality of devices. The system then generates a plurality of probability density functions in a privacy-preserving way using encrypted data received from a subset of the plurality of devices. The encrypted data is data that has been encrypted with one or more of the secret keys by the subset of devices. The system then generates a plurality of probability mass functions, each probability mass function associated with a corresponding probability density function. Subsequently, the system computes a plurality of distance values, each respective distance value being a measure of distance from a probability mass function to a second distribution. The system then ranks the probability mass functions and/or associated attributes according to their respective distance from the second distribution.
    Type: Application
    Filed: June 18, 2014
    Publication date: December 24, 2015
    Inventors: Igor Bilogrevic, Julien F. Freudiger, Emiliano De Cristofaro, Ersin Uzun