Symmetric Key Cryptography Patents (Class 380/259)
  • Patent number: 10931454
    Abstract: Disclosed embodiments relate to securely facilitating decentralized management of identity data. Operations may include identifying a prompt to perform an attestation process for an identity; receiving, from the identity, a first request including: an index associated with encrypted data, a second part of a first cryptographic key, and a challenge token; generating a challenge response based on the challenge token; sending a second request to a data management hub including: the index and the challenge response; receiving a response to the second request, from the data management hub, the response including: doubly encrypted data formed by encrypting a copy of the encrypted data and a first part of the first cryptographic key; and decrypting the doubly encrypted data.
    Type: Grant
    Filed: September 10, 2020
    Date of Patent: February 23, 2021
    Assignee: CYBERARK SOFTWARE LTD.
    Inventor: Ofer Rivlin
  • Patent number: 10878950
    Abstract: Methods, systems and computer program products for data analytics. An information ecosystem comprises a plurality of participants and a plurality of data sets associated with the participants. An event initiates performance of a computation over different obfuscated data sets to determine an obfuscated computational result. An integrity value pertaining to constituent data of the different obfuscated data sets and, correspondingly, an integrity value pertaining to the computational result itself, is quantified by checking if the earlier offered data set or any constituents thereof are consistent with one or more aspects of later retrieved data. Certain variations of methods, systems and computer program products are used for verifying data accuracy in privacy-preserving computations that are performed in a health ecosystem where the data sets pertain to health information associated with the participants.
    Type: Grant
    Filed: August 9, 2019
    Date of Patent: December 29, 2020
    Inventors: Brian Jun, Jan T. Liphardt
  • Patent number: 10868666
    Abstract: A fully homomorphic encryption method based on modular operation, the method including: acquiring a plaintext of any numerical value data type in an encryption process and converting the plaintext to a corresponding plaintext system plaintext according to an encryption requirement; performing an encryption operation on each number in the system plaintext, and combining ciphertexts acquired by the encryption operation to obtain a corresponding ciphertext combination; performing a ciphertext operation on the ciphertext combination using a ciphertext source code, a ciphertext radix-minus-one complement, and a ciphertext complement code based on modular encryption; and using modular division to decrypt a result of the ciphertext operation to obtain a decrypted plaintext.
    Type: Grant
    Filed: August 21, 2018
    Date of Patent: December 15, 2020
    Assignees: SHENZHEN FHE TECHNOLOGIES CO., LTD
    Inventors: Heping Hu, Yunfeng Liao
  • Patent number: 10841225
    Abstract: Packet forwarding includes creating a first lookup table for mapping packets to nodes based on the number of nodes in a first set of nodes. A received packet is mapped to a mapping value using a predetermined mapping function. The first lookup table is indexed using a first subset of bits comprising the mapping value. A second lookup table is created in response to adding a node to the first set of nodes. A subsequently received packet is mapped to a mapping value using the same predetermined mapping function to index the second lookup table using a second subset of bits comprising the mapping value.
    Type: Grant
    Filed: March 6, 2019
    Date of Patent: November 17, 2020
    Assignee: Arista Networks, Inc.
    Inventor: Peter Lam
  • Patent number: 10831912
    Abstract: A method and system for performing an operation on protected sensitive data. A processor of a data processing system receives, from a computing system: (i) the protected sensitive data, (ii) an identification of an operation that accesses and utilizes the protected sensitive data during performance of the operation, and (iii) a request to perform the operation, wherein the computing system is external to the data processing system. The processor de-protects the received protected sensitive data, which generates unprotected sensitive data from the protected sensitive data. The processor performs the operation, which includes accessing and utilizing the unprotected sensitive data and generating a result. After the operation is performed, the processor re-protects the unprotected sensitive data, which restores the protected sensitive data. The processor sends the result to the computing system.
    Type: Grant
    Filed: February 26, 2019
    Date of Patent: November 10, 2020
    Assignee: International Business Machines Corporation
    Inventor: Holger Karn
  • Patent number: 10819510
    Abstract: The present application describes a method, system, and non-transitory computer-readable medium for exchanging encrypted communications using hybrid cryptography protocol. According to the present disclosure, a first device divides a first communication into at least a first secret and a second secret. The first device encrypts the first secret using a first cipher suite and the second secret using a second cipher suite. The first device generates a first signature of the first encrypted secret and the second encrypted secret according to a first signature generation algorithm associated with the first cipher suite and a second signature of the first encrypted secret and the second encrypted secret according to a second signature generation algorithm associated with the second cipher suite. The first device transmits the first encrypted secret and the second encrypted secret, the first signature, and the second signature to the second device.
    Type: Grant
    Filed: February 6, 2018
    Date of Patent: October 27, 2020
    Assignee: Wickr Inc.
    Inventor: Joël Alwen
  • Patent number: 10805077
    Abstract: Examples of the present disclosure describe systems and methods for partially encrypting conversations using different cryptographic keys. Messages communicated during a conversation session may be encrypted using a cryptographic key. Other conversation participants may then decrypt the messages using the cryptographic key. During the conversation, an event may occur that causes a new cryptographic key to be generated. The conversation participants may then use the new cryptographic key when communicating. As such, previously-encrypted messages may be inaccessible to new members that do not have the old cryptographic key, while newly-encrypted messages may be inaccessible to former members that do not have the new cryptographic key. An isolated collection may store the messages and related cryptographic keys. Relationships may exist within the isolated collection, such that messages may be related to one another and messages may also be related to the cryptographic keys used to encrypt them.
    Type: Grant
    Filed: May 21, 2019
    Date of Patent: October 13, 2020
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Christopher L. Mullins, Robert Standefer, III
  • Patent number: 10795658
    Abstract: A method may include generating, via a setup function, public parameters associated with a random updatable function. The method may further include generating, via an initialization function and based at least in part on the public parameters generated by the setup function, a first random element and a first state. The method may further include generating, via an update function and based at least in part on the public parameters generated by the setup function, a third random element and a second state. Inputs of the update function may include the first state generated by the initialization function and a second random element.
    Type: Grant
    Filed: March 20, 2017
    Date of Patent: October 6, 2020
    Assignee: FUJITSU LIMITED
    Inventors: Avradip Mandal, Arnab Roy, Hart Montgomery
  • Patent number: 10798075
    Abstract: A system, an apparatus, a computer program product and a method for obfuscation-based security and authentication. The method comprises: obtaining a different key for each different device; obfuscating an interface layer utilized by components of the device to interact, using the key, to produce an obfuscated interface layer; and providing, directly or indirectly, the two components with the key to allow the two components to utilize the obfuscated interface layer to interact with each other. The system comprises a plurality of devices that are instances of a same device and a server coupled to a memory retaining a plurality of keys, each of which is used to obfuscate interface layers of a different device to produce heterogeneous set of devices instead of a homogenous set of devices. Communications and operations with the plurality of devices are performed in an obfuscated manner through the server.
    Type: Grant
    Filed: January 29, 2018
    Date of Patent: October 6, 2020
    Assignee: International Business Machines Corporation
    Inventors: Fady Copty, Ayman Jarrous, Ronen Levy, Sharon Keidar Barner
  • Patent number: 10797859
    Abstract: An apparatus and methodology for securing data exchanged between devices in a NarrowBand IoT (NB-IoT) environment is disclosed. The apparatus embodies a cryptoprocessor having a confidentiality block and an integrity block. The confidentiality and integrity blocks are coupled to a bus interface through data channels via a multiplexer/demultiplexer (MUX) and first-in-first-out transmitter and receiver. The confidentiality and integrity blocks are further coupled to a cipher block through data channels via a MUX. The cipher block is operable to implement at least one stream cipher and at least one block cipher.
    Type: Grant
    Filed: March 22, 2018
    Date of Patent: October 6, 2020
    Assignee: Arm Limited
    Inventors: Luis Cavo Nuñez, Sébastien François Roger Fuhrmann
  • Patent number: 10785022
    Abstract: A network includes a logical network and a physical network. The logical network includes a plurality of logical nodes. Each logical node is connected to a respective identification core. Each identification core includes at least one semiconductor chip having a physical randomness. Each semiconductor chip generates one of a plurality of pairs of private keys and public keys based on the physical randomness thereof according to an input received by the one of the at least one semiconductor chip under a public key cryptography. One of the public keys is regarded as a logical address of one of the logical nodes, which is connected to one of the identification cores. The physical network includes a plurality of physical nodes. Each identification core is one of components in each physical node. The logical network is uniquely linked to the physical network by the pairs of private keys and public keys.
    Type: Grant
    Filed: September 11, 2017
    Date of Patent: September 22, 2020
    Inventor: Hiroshi Watanabe
  • Patent number: 10778759
    Abstract: A software architecture encoded on a non-transitory computer readable medium, where the software architecture includes a first protocol, wherein the first protocol is configured to form a plurality of groups, wherein each group of the plurality of groups comprises a set of randomly selected nodes from a network. The software architecture further includes a second protocol, wherein the second protocol is configured to randomly select a first group from the plurality of groups formed by the first protocol. Additionally, the software architecture includes a third protocol, wherein the third protocol is configured to designate the first group to sign a first message by generating a first group signature. Furthermore, the software architecture includes a hash function, wherein the hash function is configured to generate a hash value from the first group signature.
    Type: Grant
    Filed: November 20, 2017
    Date of Patent: September 15, 2020
    Assignee: DFINITY Stiftung
    Inventors: Dominic Williams, Timo Hanke
  • Patent number: 10754983
    Abstract: Sensitive data may be anonymized for use in user interfaces by applying a cryptographic hash function to the data. The hashed value may be broken into hash tokens and the hash tokens converted to human readable tokens using a 1:1 conversion function. The human readable tokens can then be concatenated together to provide a human readable identifier of the sensitive data.
    Type: Grant
    Filed: March 31, 2017
    Date of Patent: August 25, 2020
    Assignee: Interset Software Inc.
    Inventors: Josh Christopher Tyler Mahonin, Michael John Cyze, Michael Iles, Shaun Pilkington, Wesley Lawrence, Stephan Jou
  • Patent number: 10721074
    Abstract: Methods and apparatus to authenticate and differentiate virtually identical resources using session chaining are disclosed. In response to a session request from at least one of a management device or a resource, example methods and apparatus locate a session chain stack associated with an identifier of the at least one of the management device or the resource, and determine whether a first nonce at a top of the session chain stack associated with the identifier of the at least one of the management device or the resource is equal to a second nonce associated with the session request from the at least one of the management device or the resource.
    Type: Grant
    Filed: February 11, 2019
    Date of Patent: July 21, 2020
    Assignee: VMware, Inc.
    Inventor: Gregory A. Frascadore
  • Patent number: 10708248
    Abstract: A method of controlling a vehicle that includes a plurality of electronic control units (ECUs), the method including: allocating an order in which at least one ECU among the plurality of ECUs is to be assigned an encryption key, based on a data rate of each ECU; receiving, by the at least one ECU, at least one encryption key that is assigned to the at least one ECU according to the allocated order; and performing, by the at least one ECU and using the assigned at least one encryption key, (i) encryption of data to be transmitted through a Controller Area Network (CAN) communication bus, or (ii) decryption of data that is transmitted through the CAN communication bus.
    Type: Grant
    Filed: February 4, 2019
    Date of Patent: July 7, 2020
    Assignee: LG Electronics Inc.
    Inventors: Cheolseung Kim, Seongsoo Kim, Byeongrim Jo
  • Patent number: 10701039
    Abstract: Various embodiments are generally directed to the providing for mutual authentication and secure distributed processing of multi-party data. In particular, an experiment may be submitted to include the distributed processing of private data owned by multiple distrustful entities. Private data providers may authorize the experiment and securely transfer the private data for processing by trusted computing nodes in a pool of trusted computing nodes.
    Type: Grant
    Filed: September 25, 2015
    Date of Patent: June 30, 2020
    Assignee: INTEL CORPORATION
    Inventors: Vinay Phegade, Huaiyu Liu, Jesse Walker
  • Patent number: 10700874
    Abstract: System and method for providing secure machine to machine, M2M, communications comprising a device management, DM, server configured to obtain credentials of one or more M2M devices and provision the one or more M2M devices with credentials of a virtual private network, VPN. An application programming interface, API. A VPN server comprising a first communications interface configured to communicate API requests and API responses with the API. A second communications interface configured to provide a VPN for the one or more M2M devices. Logic configured to issue an API request, wherein the request includes the credentials of the VPN. Receive an API response from the DM server including an indication of the one or more M2M devices provisioned with the credentials of the VPN. Initiate a VPN over the second interface between the one or more M2M devices and the VPN server.
    Type: Grant
    Filed: July 12, 2016
    Date of Patent: June 30, 2020
    Assignee: VODAFONE IP LICENSING LIMITED
    Inventors: Nicholas Bone, Tim Snape
  • Patent number: 10700701
    Abstract: A method of compression is disclosed in which an input sequence of bits is divided into a plurality of portions. Each portion is sub-divided into a plurality of sub-divisions. Frequency analysis is performed to determine the number of occurrences of each sub-division permutation and new values are assigned, based on the frequency analysis, to each of the sub-division permutations. For each portion a label representing the permutation of bits in that portion is assigned. The label comprises a representation of a combined value resulting from combining the new values associated with the sub-division permutations of that portion. A processed sequence of bits is generated by replacing, within the input sequence of bits, bit portions with the respective label representing the permutation of bits in that portion.
    Type: Grant
    Filed: June 24, 2019
    Date of Patent: June 30, 2020
    Assignee: SISP Technologies Ltd.
    Inventors: Stuart Marlow, Nicholas Stavrinou
  • Patent number: 10685141
    Abstract: The invention relates to a method for storing data blocks from client devices to a cloud storage system, the method includes the steps of: d) storing an encrypted first data block and a challenge of the first data block of a first client device on the cloud storage system, e) determining if a hash of a second data block of a second client device stored on the cloud storage system equals the hash of the first data block, f) if yes, transmitting the challenge of the first data block from the cloud storage system to the second client device, g) extracting, at the second client device, the bits at the positions or at the range contained in the challenge, hashing the extracted bits, encrypting the hashed bits with a public key of the first client device or of the second client device and uploading the encrypted bits from the second client device to the cloud storage system, and h) storing the encrypted bits from the second client device on the cloud storage system.
    Type: Grant
    Filed: February 4, 2019
    Date of Patent: June 16, 2020
    Assignee: ABB Schweiz AG
    Inventors: Johannes Schneider, Matus Harvan, Sebastian Obermeier, Thomas Locher, Yvonne-Anne Pignolet
  • Patent number: 10637838
    Abstract: Systems and methods for secure communications between mobile applications installed on a user's mobile device. In some embodiments, a first application installed on a user's mobile device generates a key and transmits the key and a message to a server, where the message is to be communicated to a second application. According to disclosed embodiments, there is no limit on the size or a type of data included in the message. The server receives the message and the key from the first application. The first application shares the key with the second application which is then transmitted to the server for authenticating the second application. Upon authenticating the second application, the server transmits the message to the second application. In some embodiments, the applications and/or the server exchanges data with goods/services providers associated with the applications.
    Type: Grant
    Filed: July 1, 2016
    Date of Patent: April 28, 2020
    Assignee: moovel North America, LLC
    Inventors: Pedro Larios, Celite Milbrandt
  • Patent number: 10630642
    Abstract: The present disclosure relates to network security software cooperatively configured on plural nodes to authenticate and authorize devices, applications, users, and data protocol in network communications by exchanging nonpublic identification codes, application identifiers, and data type identifiers via pre-established communication pathways and comparing against pre-established values to provide authorized communication and prevent compromised nodes from spreading malware to other nodes.
    Type: Grant
    Filed: October 5, 2018
    Date of Patent: April 21, 2020
    Assignee: Stealthpath, Inc.
    Inventors: Mike Clark, Andrew Gordon, Matt Clark
  • Patent number: 10618775
    Abstract: A method is disclosed of retrofitting an elevator machine with primary and secondary braking, the machine being disposed on a machine support frame in an elevator machine room, and engaging one or more ropes for providing selective movement of an elevator car disposed in an elevator shaft, the machine having a drive sheave including a cylindrical brake drum, and brake components including dual brake arms; the method including: removing the brake components; affixing flanged disc segments about the drum and interlocking the flanged disc segments to form a brake rotor; and mounting respective brake calipers to frame mounts for providing primary and secondary braking to the elevator machine.
    Type: Grant
    Filed: November 18, 2016
    Date of Patent: April 14, 2020
    Assignee: OTIS ELEVATOR COMPANY
    Inventors: Daniel B. Davis, III, Robert K. Williams, John Eschenbrenner, Gregory M. O'Seep, James L. Hubbard, Martin J. Hardesty, Bruce P. Swaybill, Jesse R. Richter, Gary P. Mendrala, Patricia Derwinski, Christopher H. Koenig
  • Patent number: 10616586
    Abstract: A method is provided for encoding at least one image cut into blocks. The method implements, for a current block to be encoded, the acts of: predicting the current block with the aid of at least one predictor block, determining a residual data block representative of the difference between the predictor block and the current block, selecting, according to a predetermined criterion, a pair of mathematical operations including a permutation operation and a transformation operation from among a plurality of permutation operations, and a plurality of transformation operations, applying the permutation operation of said selected pair to the data of the determined residual block, applying the transformation operation of said selected pair to the permuted data, and encoding the data from said applied transformation operation.
    Type: Grant
    Filed: November 27, 2014
    Date of Patent: April 7, 2020
    Assignee: ORANGE
    Inventors: Pierrick Philippe, Hendrik Vorwerk
  • Patent number: 10581850
    Abstract: A method includes transmitting, by a user device, an encrypted user profile to a locking device, the encrypted user profile including a user key and encrypted by a server using a lock key; decrypting, by the locking device, the encrypted user profile using the lock key to generate a decrypted user profile and obtain the user key from the decrypted user profile; generating, by the user device, an encrypted firmware update command, the encrypted firmware update command encrypted using the user key of the user profile; transmitting, by the user device, the encrypted firmware update command to the locking device; decrypting, by the locking device, the encrypted firmware update command using the user key to generate a decrypted firmware update command; and installing, by the locking device, a firmware update in accordance with the decrypted firmware update command in response to successfully decrypting the encrypted firmware update command.
    Type: Grant
    Filed: February 12, 2018
    Date of Patent: March 3, 2020
    Assignee: Master Lock Company LLC
    Inventor: Nathan Conrad
  • Patent number: 10572930
    Abstract: A method for providing purchased content is provided. Management data including the identification data of the purchased content data stored in the information processing apparatus is received. Backup data of a user identification associated with the information processing apparatus is updated based on the management data. A request with the user identification associated with the information processing apparatus is received. A determination is made as to whether the request is authorized based on an authentication process. A list of identification data of content data identified in the backup data is provided to the information processing apparatus in response to a determination that the request is authorized. Further, the purchased content data without the fee is provided to the information processing apparatus based on a user selection of the identification data of the purchased content data from the list of the identification data of the content data.
    Type: Grant
    Filed: September 28, 2018
    Date of Patent: February 25, 2020
    Assignee: Sony Corporation
    Inventors: Izuru Tanaka, Hiraku Inoue
  • Patent number: 10572317
    Abstract: The present technology pertains to responding to a kernel level file event for a content item and presenting a file event window associated with the content item. A client device can detect the kernel level file event for the content item. This can be accomplished using a kernel extension on a client device that is networked with a content management system. The client device can then retrieve data associated with the content item, including an instruction for the content item. The client device can then perform the instruction. This instruction can be to retrieve collaboration data from the content management system and present the collaboration data in a file event window.
    Type: Grant
    Filed: March 31, 2017
    Date of Patent: February 25, 2020
    Assignee: Dropbox, Inc.
    Inventors: Marcio von Muhlen, Vinod Valloppillil, Nils Bunger
  • Patent number: 10574637
    Abstract: A terminal pairing method and a pairing terminal includes acquiring, when a terminal detects a preset pairing trigger event, a pairing hidden value that is of the terminal and that is associated with the preset pairing trigger event; and implementing, by the terminal, pairing with the peer end by using the pairing hidden value of the terminal. Compared with some approaches, in the present disclosure, pairing can be accurately implemented without using an NFC interface, which reduces costs of terminal pairing.
    Type: Grant
    Filed: May 14, 2014
    Date of Patent: February 25, 2020
    Assignee: HUAWEI TECHNOLOGIES CO., LTD.
    Inventors: Zhiming Ding, Su Lu, Ping Fang, Xiaoxian Li, Ji Chen
  • Patent number: 10554402
    Abstract: An email request is received from a client device, where the email request is intended for an email server and includes a request for an email recipient's certificate. The compliance status of the client device is obtained. If the client device is in compliance, the email request is modified, and the modified email request is sent to the email server while a certificate retrieval request in the email request is redirected to a certificate repository implemented in a server separate from a certificate repository maintained by the email server. The email certificate is retrieved from the certificate repository and combined with information received from the email server to generate a response, which is sent to the client device.
    Type: Grant
    Filed: November 21, 2018
    Date of Patent: February 4, 2020
    Assignee: AirWatch, LLC
    Inventors: Christopher Henretty, William Pinner, Emil Novakov, Anand Patel, David Shaw, Marshall Brown
  • Patent number: 10554640
    Abstract: According to a first aspect of the present disclosure, a method for facilitating secure communication in a network is conceived, comprising: encrypting, by a source node in the network, a cryptographic key using a device key as an encryption key, wherein said device key is based on a device identifier that identifies a destination node in the network; transmitting, by said source node, the encrypted cryptographic key to the destination node. According to a second aspect of the present disclosure, a corresponding non-transitory, tangible computer program product is provided. According to a third aspect of the present disclosure, a corresponding system for facilitating secure communication in a network is provided.
    Type: Grant
    Filed: June 13, 2016
    Date of Patent: February 4, 2020
    Assignee: NXP B.V.
    Inventors: Jurgen Geerlings, Ghiath Al-Kadi, Piotr Polak
  • Patent number: 10535091
    Abstract: In a server serving as an information distribution apparatus and an information communication terminal, contents are managed by using content identifiers (content IDs) managed as IDs conforming to a rule of uniformity. Particularly, in the information communication terminal, a content ripped from a recording medium and stored in storage means is also managed by using a content identifier acquired from the information distribution apparatus. In this way, contents stored in the storage means can be managed by using content IDs each managed as an ID common to the information communication terminal and the information distribution apparatus. In communication between the information communication terminal and the information distribution apparatus, a content identifier conforming to a rule of uniformity identifies a content to which the content identifier is assigned so that the terminal is capable of downloading the content as well as acquiring additional information relevant to the content from the apparatus.
    Type: Grant
    Filed: September 21, 2018
    Date of Patent: January 14, 2020
    Assignee: Sony Corporation
    Inventors: Izuru Tanaka, Hiraku Inoue
  • Patent number: 10511582
    Abstract: Methods and systems for simplified encryption key generation in optical networks use a Transport Layer Security (TLS) protocol to securely generate an encryption key at both endpoints of an optical path provisioned in an optical transport network. Instead of generating yet another key for payload data transmission, the encryption key from TLS is used for encrypting payload data transmission without using the TLS protocol.
    Type: Grant
    Filed: April 7, 2017
    Date of Patent: December 17, 2019
    Assignee: FUJITSU LIMITED
    Inventors: Muhammad Sakhi Sarwar, Abirami Sathyamoorthy, Swati Mittal
  • Patent number: 10491571
    Abstract: A computing system can initiate one or more recording mechanisms to record content within a passenger interior of the vehicle as a driver transports a rider. After the vehicle arrives at a drop-off location, the computing system can dual encrypt the content utilizing a first public key associated with the driver and a second public key associated with the requesting user and store the dually encrypted content in a storage device. Decryption can require a pair of private keys associated with the rider and the driver.
    Type: Grant
    Filed: September 12, 2018
    Date of Patent: November 26, 2019
    Assignee: Uber Technologies, Inc.
    Inventor: Brian McClendon
  • Patent number: 10484177
    Abstract: A system for a time-based one-time password security system operating at a provisioning server may comprise transmitting one or more first locally generated random-string numbers for generation of a first time-based one-time password to a remotely connected internet of things sensor and a remotely connected internet of things sensor hub. The system may also comprise executing code instructions to associate the internet of things sensor with a first client key in a table stored in a memory operatively connected to the processor, associate the internet of things sensor hub with a second client key in the table, and associate the internet of things sensor and internet of things sensor hub with the one or more first locally generated random-string numbers in the table. Further the first remotely generated random-string numbers may identify a first preset function for generation of a first session key used in encrypting and decrypting sensor data records.
    Type: Grant
    Filed: July 10, 2017
    Date of Patent: November 19, 2019
    Assignee: Dell Products, LP
    Inventors: Daniel L. Hamlin, Minhaj Ahmed, Amy C. Nelson
  • Patent number: 10482291
    Abstract: Method and systems using stateful encryption for non-bypassable FPGA configuration including receiving, at an FPGA, FPGA-configuration data comprising a cryptographic state to initialize a cryptographic state of the FPGA, and decrypting, at the FPGA, the FPGA-configuration data, wherein decrypting the FPGA-configuration data yields at least a second cryptographic state and decrypted FPGA-configuration data. Embodiments can include receiving, at the FPGA, a challenge message, processing, at the FPGA, the challenge message to yield at least a third cryptographic state and a response, and transmitting the response from the FPGA.
    Type: Grant
    Filed: January 17, 2018
    Date of Patent: November 19, 2019
    Assignee: Raytheon Company
    Inventor: Thomas R. Woodall
  • Patent number: 10476912
    Abstract: Techniques described herein are directed toward creating, visualizing, and simulating a threat based whitelisting security policy and security zones for networks. The disclosed technology may be implemented by providing a graphical user interface (GUI) on a network orchestration and security platform that facilitates creation and visualization of security zones and security policies for networks.
    Type: Grant
    Filed: September 18, 2017
    Date of Patent: November 12, 2019
    Assignee: VERACITY SECURITY INTELLIGENCE, INC.
    Inventor: Roger Hill
  • Patent number: 10469247
    Abstract: A technique for generating a keystream (128) for ciphering or deciphering a data stream (122) is provided. As to a method aspect of the technique, a nonlinear feedback shift register, NLFSR (112), including n register stages implemented in a Galois configuration is operated. At least one register stage of the implemented n register stages is representable by at least one register stage of a linear feedback shift register, LFSR. A first subset of the implemented n register stages is representable by a second subset of a second NLFSR. A number of register stages receiving a nonlinear feedback in the second NLFSR is greater than one and less than a number of register stages receiving a nonlinear feedback in the implemented NLFSR. The keystream (128) is outputted from a nonlinear output function (118). An input of the nonlinear output function (118) is coupled to at least two of the implemented n register stages of the NLFSR (112).
    Type: Grant
    Filed: December 17, 2014
    Date of Patent: November 5, 2019
    Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
    Inventors: Mats Näslund, Elena Dubrova, Martin Hell, Bernard Smeets
  • Patent number: 10438005
    Abstract: A device, system, and method protect cryptographic keying material. The method is performed at an electronic device including a plurality of components housed in an enclosure. The method includes determining a tamper state of the enclosure, the tamper state being one of a secure state in which the enclosure has not been physically tampered or an unsecure state in which the enclosure has been physically tampered. When the tamper state is the secure state, the method includes associating a first value with the application. When the tamper state is the unsecure state, the method includes associating a second value with the application. The first value is configured to enable access to the data in the data storage unit. The second value prevents access to the data in the data storage unit.
    Type: Grant
    Filed: April 10, 2017
    Date of Patent: October 8, 2019
    Assignee: Wind River Systems, Inc.
    Inventor: Arlen Baker
  • Patent number: 10439753
    Abstract: A host device communicates with a stylus device. A digitizer at the host device receives a scrambled stylus code frame transmitted from the stylus device. The scrambled stylus code frame includes a scrambled data field and an unscrambled data field. The scrambled data field has been scrambled by the stylus device using a pseudo-random sequence. A descrambler descrambles the at least one scrambled data field of the scrambled stylus code frame using the pseudo-random sequence to output at least one descrambled data field in a descrambled stylus code frame. The descrambled stylus code frame further includes the at least one unscrambled data field. A synchronizer synchronizes the at least one descrambled data field and the at least one unscrambled data field of the descrambled stylus code frame with a supported code pattern.
    Type: Grant
    Filed: May 25, 2017
    Date of Patent: October 8, 2019
    Assignee: Microsoft Technology Licensing, LLC
    Inventor: Benjamin Imanilov
  • Patent number: 10425226
    Abstract: An encryption processing device includes an encryption processing section that repeats a round operation on input data and generates output data, and a key scheduling section that outputs a round key to be applied in the round operation to the encryption processing section. The encryption processing section has an involution property in which a data conversion function E and an inverse function E⁻¹ are executed sequentially, and executes the round operation in which a constant is applied once or more in only one of the function E and the inverse function E⁻¹. The constant is a state that satisfies a condition that all of constituent elements of a state which is a result of a matrix operation with the linear conversion matrix which is applied in the linear conversion processing section at a position adjacent to the exclusive-OR section to which the constant is input are nonzero.
    Type: Grant
    Filed: February 24, 2015
    Date of Patent: September 24, 2019
    Assignee: SONY CORPORATION
    Inventors: Kyoji Shibutani, Takanori Isobe
  • Patent number: 10416986
    Abstract: In a computer-implemented method for automating application updates in a virtual computing environment, an update script and a digital signature for the update script are received, where the update script comprises an application update for updating an application installed on the virtual computing environment. The digital signature of the update script is validated using a public key of the virtual computing environment. Provided the digital signature of the update script is validated, the update script is executed to update the application.
    Type: Grant
    Filed: July 20, 2017
    Date of Patent: September 17, 2019
    Assignee: VMware, Inc.
    Inventors: Sudipto Mukhopadhyay, Muhammad Akbar
  • Patent number: 10397201
    Abstract: Sending encrypted data to a service provider includes exchanging an encryption key between an entity and a service provider without retaining the encryption key and while hiding an identity of said entity from the service provider and forwarding encrypted data based on the encryption key to the service provider from the entity while hiding the identity of the entity from the service provider.
    Type: Grant
    Filed: March 15, 2013
    Date of Patent: August 27, 2019
    Assignee: ENTIT SOFTWARE LLC
    Inventors: Joern Schimmelpfeng, Timo Schneller, Michael Bernd Beiter, Carsten Laengerer
  • Patent number: 10382200
    Abstract: Information, such as a cryptographic key, is used repeatedly in the performance of operations, such as certain cryptographic operations. To prevent repeated use of the information from enabling security breaches, the information is rotated (replaced with other information). To avoid the resource costs of maintaining a counter on the number of operations performed, decisions of when to rotate the information are performed based at least in part on the output of stochastic processes.
    Type: Grant
    Filed: September 10, 2018
    Date of Patent: August 13, 2019
    Assignee: Amazon Technologies, Inc.
    Inventor: Gregory Branchek Roth
  • Patent number: 10366631
    Abstract: A ciphertext generation apparatus that can compare the magnitudes of encrypted numerical values and largely reduce the risk of information leakage while maintaining the confidentiality. This apparatus includes a derived key generator that generates a derived key based on a main key and a document, an auxiliary derived key generator that generates an auxiliary derived key based on the main key, the document, and the derived key, an identifier-specific ciphertext generator that generates, based on an identifier of the document, the derived key, and the auxiliary derived key, an identifier-specific ciphertext in which the identifier is encrypted, and a relative value ciphertext generator that generates, based on the identifier and the derived key, a relative value ciphertext. A character string including the identifier-specific ciphertext and the relative value ciphertext is generated as a ciphertext for the document.
    Type: Grant
    Filed: June 16, 2014
    Date of Patent: July 30, 2019
    Assignee: NEC Corporation
    Inventor: Jun Furukawa
  • Patent number: 10367792
    Abstract: Systems, methods, software and apparatus enable end-to-end encryption of group communications by implementing a pairwise encryption process between a pair of end user devices that are members of a communication group. One end user device in the pairwise encryption process shares a group key with the paired end user device by encrypting the group key using a message key established using the pairwise encryption process. The group key is shared among group members using the pairwise process. When a transmitting member of the group communicates with members, the transmitting member generates a stream key, encrypts stream data using the stream key, encrypts the stream key with the group key, then transmits the encrypted stream key and encrypted stream data to group members. The group key can be updated through the pairwise encryption process. A new stream key can be generated for each transmission of streaming data such as voice communications.
    Type: Grant
    Filed: February 21, 2017
    Date of Patent: July 30, 2019
    Assignee: Orion Labs
    Inventor: Greg Albrecht
  • Patent number: 10356057
    Abstract: Embodiments of the present invention use a limited-use public/private key pair to encrypt and decrypt messages sent through an intermediary. The messages may contain sensitive information and may be transmitted between entities over one or more networks. In some embodiments, the entities and/or the networks may be untrusted. Nevertheless, the content of the messages may remain protected by virtue of the limited-use key pair infrastructure.
    Type: Grant
    Filed: November 15, 2018
    Date of Patent: July 16, 2019
    Assignee: Visa International Service Association
    Inventors: Rhidian John, Bartlomiej Piotr Prokop, Thomas Looney
  • Patent number: 10341100
    Abstract: Examples of the present disclosure describe systems and methods for partially encrypting conversations using different cryptographic keys. Messages communicated during a conversation session may be encrypted using a cryptographic key. Other conversation participants may then decrypt the messages using the cryptographic key. During the conversation, an event may occur that causes a new cryptographic key to be generated. The conversation participants may then use the new cryptographic key when communicating. As such, previously-encrypted messages may be inaccessible to new members that do not have the old cryptographic key, while newly-encrypted messages may be inaccessible to former members that do not have the new cryptographic key. An isolated collection may store the messages and related cryptographic keys. Relationships may exist within the isolated collection, such that messages may be related to one another and messages may also be related to the cryptographic keys used to encrypt them.
    Type: Grant
    Filed: January 6, 2017
    Date of Patent: July 2, 2019
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Christopher L. Mullins, Robert Standefer, III
  • Patent number: 10341381
    Abstract: A technique includes performing a plurality of instances of retrieving components of a security key from a plurality of locations of an electronic device and constructing the security key from the components. The technique includes inhibiting electromagnetic field-based eavesdropping from being used to reveal the security key, where the inhibiting includes varying a protocol that is used to retrieve the components among the instances.
    Type: Grant
    Filed: April 29, 2015
    Date of Patent: July 2, 2019
    Assignee: ENTIT SOFTWARE LLC
    Inventors: John M. Lewis, Susan K. Langford
  • Patent number: 10341331
    Abstract: An information processing apparatus includes circuitry that retains firmware and performs processing based on the firmware, receives a command from an external device, and transmits a predetermined response to the external device as processing of the firmware in a case where the received command is a predetermined authentication command.
    Type: Grant
    Filed: May 6, 2016
    Date of Patent: July 2, 2019
    Assignee: BUFFALO INC.
    Inventors: Suguru Ishii, Tsukasa Ito
  • Patent number: 10313112
    Abstract: Authenticated requests can be sent without requiring the requests to include or potentially expose secret information used for the authentication process. A client device uses a security credential such as a key to sign a request to be sent to a recipient. When the request is received, the recipient determines whether the request was signed using the correct key for the sender. In some embodiments a client token is included with the request that statelessly encodes the key, enabling a recipient capable of decoding the client token to determine the key and compare that key to the signature of the request. The sender can store the secret information in a secure location, such as a browser security module, such that the secret information is not exposed to the browser or script executing on the client device.
    Type: Grant
    Filed: December 28, 2015
    Date of Patent: June 4, 2019
    Assignee: AMAZON TECHNOLOGIES, INC.
    Inventors: Nathan R. Fitch, Gregory B. Roth, Graeme D. Baer
  • Patent number: 10305680
    Abstract: Systems, methods, and computer-readable media are disclosed for processing and message padding an input message as well as processing an extended output message (EOM) in a manner that ensures that the input message and the padded message are processed only a single time, thus avoiding generation of an incorrect message digest. In addition, in those scenarios in which multiple padded message blocks are generated, the disclosed systems, methods, and computer-readable media ensure that all of the padded message blocks are processed.
    Type: Grant
    Filed: September 18, 2017
    Date of Patent: May 28, 2019
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventor: Louis P. Gomes