Abstract: Technologies for end-to-end biometric-based authentication and locality assertion include a computing device with one or more biometric devices. The computing device may securely exchange a key between a driver and a secure enclave. The driver may receive biometric data from the biometric sensor in a virtualization-protected memory buffer and encrypt the biometric data with the shared key. The secure enclave may decrypt the biometric data and perform a biometric authentication operation. The computing device may measure a virtual machine monitor (VMM) to generate attestation information for the VMM. A secure enclave may execute a virtualization report instruction to request the attestation information. The processor may copy the attestation information into the secure enclave memory. The secure enclave may verify the attestation information with a remote attestation server. If verified, the secure enclave may provide a shared secret to the VMM. Other embodiments are described and claimed.

Abstract: In accordance with some embodiments, a protected execution environment may be defined for a graphics processing unit. This framework not only protects the workloads from malware running on the graphics processing unit but also protects those workloads from malware running on the central processing unit. In addition, the trust framework may facilitate proof of secure execution by measuring the code and data structures used to execute the workload. If a part of the trusted computing base of this framework or protected execution environment is compromised, that part can be patched remotely and the patching can be proven remotely throughout attestation in some embodiments.

Abstract: In an embodiment, a system is adapted to: record at least one measurement of a virtual trusted execution environment in a storage of the system and generate a secret sealed to a state of this measurement; create, using the virtual trusted execution environment, an isolated environment including a secure enclave and an application, the virtual trusted execution environment to protect the isolated environment; receive, in the application, a first measurement quote associated with the virtual trusted execution environment and a second measurement quote associated with the secure enclave; and communicate quote information regarding the first and second measurement quotes to a remote attestation service to enable the remote attestation service to verify the virtual trusted execution environment and the secure enclave, and responsive to the verification the secret is to be provided to the virtual trusted execution environment and the isolated environment. Other embodiments are described and claimed.

Abstract: Technologies for secure input and display of a virtual touch user interface include a computing device having a security monitor that may protect memory regions from being accessed by untrusted code. The security monitor may use hardware virtualization features such as extended page tables or directed I/O to protect the memory regions. A protected touch filter driver intercepts requests for touch input and allocates a transfer buffer. The transfer buffer is protected by the security monitor. A touch screen controller may write touch input data into the protected transfer buffer. The touch input data may be shared by the touch filter driver with authorized applications through a protected communication channel. A graphical virtual user interface may be generated by trusted code and rendered into a hardware overlay surface. The user interface may include a virtual keyboard. The security monitor may protect the overlay surface. Other embodiments are described and claimed.

Abstract: Technologies are provided in example embodiments for analyzing an encrypted network flow. The technologies include monitoring the encrypted network flow between a first node and a second node, the network flow initiated from the first node; duplicating the encrypted network flow to form a copy of the encrypted network flow; decrypting the copy of the encrypted network flow using a shared secret, the shared secret associated with the first node and the second node; and scanning the network flow copy for targeted data.

Abstract: Technologies for secure input and display of a virtual touch user interface include a computing device having a security monitor that may protect memory regions from being accessed by untrusted code. The security monitor may use hardware virtualization features such as extended page tables or directed I/O to protect the memory regions. A protected touch filter driver intercepts requests for touch input and allocates a transfer buffer. The transfer buffer is protected by the security monitor. A touch screen controller may write touch input data into the protected transfer buffer. The touch input data may be shared by the touch filter driver with authorized applications through a protected communication channel. A graphical virtual user interface may be generated by trusted code and rendered into a hardware overlay surface. The user interface may include a virtual keyboard. The security monitor may protect the overlay surface. Other embodiments are described and claimed.

Abstract: An apparatus and method for preserving image privacy when manipulated by cloud services includes middleware for receiving an original image, splitting the original image into two sub-images, where the RGB pixel values of the sub-images have a bit value that is less than RGB pixel values of the original image. The sub-images are encrypted by adding a keystream to the RGB pixel values of the sub-images. The sub-image data is transmitted to a cloud service such as a social network or photo-sharing site, which manipulate the images by resizing, cropping, filtering, or the like. The sub-image data is received by the middleware and is successfully decrypted irrespective of the manipulations performed by the cloud services. In an alternative embodiment, the blocks of the original image are permutated when encrypted, and then reverse-permutated when decrypted.

Abstract: Technologies are provided in example embodiments for analyzing an encrypted network flow. The technologies include monitoring the encrypted network flow between a first node and a second node, the network flow initiated from the first node; duplicating the encrypted network flow to form a copy of the encrypted network flow; decrypting the copy of the encrypted network flow using a shared secret, the shared secret associated with the first node and the second node; and scanning the network flow copy for targeted data.

Abstract: Cryptographic access control of multimedia video is presented. A method includes generating as metadata an access control policy (ACP) associated with video, the ACP including authorization rules and cryptographic information associated with an encryption policy; encrypting the video according to the encryption policy; and encoding the encrypted video with the authorization rules and the cryptographic information, which may be used to decrypt and render the encoded video. As an example, an authorized receiver device having credentials and/or capabilities matched to the authorization rules may extract the ACP information from the encrypted video and use it to decrypt and properly render the video.

Abstract: A password-less method for authenticating a user includes capturing one or more images of a face of the user and comparing the one or more images with a previously collected face template. Randomly selected colored light and randomized blinking patterns are used to capture the images of the user. Such captured images are compared to previously collected face templates, thereby thwarting spoof attacks. A secret image, known only to the user and the device, is moved from one area of the display to another randomly selected area, using the movements of the user's head or face, thereby providing a Turing based challenge. Protected audio video path (PAVP) enabled devices and components are used to protect the challenge from malware attacks.

Abstract: Both end-to-end security and traffic visibility may be achieved by a system using a controller that derives a cryptographic key that is different for each client based on a derivation key and a client identifier that is conveyed in each data packet. The controller distributes the derivation key to information technology monitoring devices and a server to provide traffic visibility. For large key sizes, the key may be derived using a derivation formula as follows: client_key_MSB=AES 128(base_key_1, client_ID), ??(1) client_key_LSB=AES 128(base_key_2, client_ID+pad), and ??(2) client_key=client_key_MSB?client_key_LSB, where (1) and (2) are executed in parallel. The client key and a client identifier may be used so that end-to-end security may be achieved.

Abstract: Both end-to-end security and traffic visibility may be achieved by a system using a controller that derives a cryptographic key that is different for each client based on a derivation key and a client identifier that is conveyed in each data packet. The controller distributes the derivation key to information technology monitoring devices and a server to provide traffic visibility. For large key sizes, the key may be derived using a derivation formula as follows: client_key_MSB=AES128(base_key_1,client_ID),??(1) client_key_LSB=AES128(base_key_2,client_ID+pad),and??(2) client_key=client_key_MSB?client_key_LSB, where (1) and (2) are executed in parallel. The client key and a client identifier may be used so that end-to-end security may be achieved.

Abstract: An embodiment may include circuitry to establish, at least in part, a secure communication channel between, at least in part, a client in a first domain and a server in a second domain. The channel may include a first and second domain sessions in the first and second domains. The circuitry may generate first and second domain session keys that may encrypt, at least in part, respectively, the first and second domain sessions. The first domain session key may be generated based upon a first domain key assigned to the first domain and a first data set associated with the first domain session. The second domain session key may be generated based upon a second domain key assigned to the second domain and a second data set associated with the second domain session.

Abstract: A password-less method for authenticating a user includes capturing one or more images of a face of the user and comparing the one or more images with a previously collected face template. Randomly selected colored light and randomized blinking patterns are used to capture the images of the user. Such captured images are compared to previously collected face templates, thereby thwarting spoof attacks. A secret image, known only to the user and the device, is moved from one area of the display to another randomly selected area, using the movements of the user's head or face, thereby providing a Turing based challenge. Protected audio video path (PAVP) enabled devices and components are used to protect the challenge from malware attacks.

Abstract: A method and device for securely sharing images across untrusted channels includes downloading an encrypted image from a remote server to a computing device. The encrypted image may be encrypted at the time of uploading by another user. The current user of the computing device is authenticated using a facial recognition procedure. If the current user is authenticated and is determined to be authorized to view the decrypted image, the encrypted image is decrypted and displayed to the user. If the user becomes unauthenticated (e.g., the user leaves the computing device or another user replaces the current user), the encrypted image is displayed in place of the decrypted image such that the decrypted image is displayed only for authorized persons physically present at the computing device.

Abstract: In accordance with some embodiments, a protected execution environment may be defined for a graphics processing unit. This framework not only protects the workloads from malware running on the graphics processing unit but also protects those workloads from malware running on the central processing unit. In addition, the trust framework may facilitate proof of secure execution by measuring the code and data structures used to execute the workload. If a part of the trusted computing base of this framework or protected execution environment is compromised, that part can be patched remotely and the patching can be proven remotely throughout attestation in some embodiments.

Abstract: Technologies are provided in example embodiments for analyzing an encrypted network flow. The technologies include monitoring the encrypted network flow between a first node and a second node, the network flow initiated from the first node; duplicating the encrypted network flow to form a copy of the encrypted network flow; decrypting the copy of the encrypted network flow using a shared secret, the shared secret associated with the first node and the second node; and scanning the network flow copy for targeted data.

Abstract: One particular example implementation of an apparatus for mitigating unauthorized access to data traffic, comprises: an operating system stack to allocate unprotected kernel transfer buffers; a hypervisor to allocate protected memory data buffers, where data is to be stored in the protected memory data buffers before being copied to the unprotected kernel transfer buffers; and an encoder module to encrypt the data stored in the protected memory data buffers, where the unprotected kernel transfer buffers receive a copy the encrypted data.

Abstract: Methods and systems for cryptographic access control of multimedia video, include embedding as metadata access control policy (ACP) information, including authorization rules and cryptographic information tied to an encryption policy, into encrypted video. An authorized receiver device having credentials and/or capabilities matched to the authorization rules is able to extract the ACP information from the encrypted video and use it to decrypt and properly render the video.

Abstract: Embodiments of techniques and systems for biometric-data-based media encryption are described. In embodiments, an encryption key may be created for a recipient user based at least in part on biometric data of the recipient user. This encryption key may be maintained on a key maintenance component and used by a sharing user to encrypt a media file for access by the recipient user. One or more access policies associated with recipient user may be encrypted in the encrypted media file as well. In embodiments, the media file may be encrypted for use by multiple recipient users. When a recipient user desires to access the encrypted media file, a decryption key may be generated in real time based on contemporaneously captured biometric data and used to provide access to the encrypted media file. Other embodiments may be described and claimed.