Abstract: Disclosed are various examples for kernel level application data protection. In one example, a security label and a list of permitted applications are received. The security label is utilized to limit access to files that embed the security label. A security label map is written within a kernel layer of the client device. The security label map includes the security label and the list of permitted applications. A secured file is generated by embedding the security label within a file stored on the client device.

Abstract: Disclosed are methods, devices, and computer-readable media for securing data in motion and at rest in a secure memory device. In one embodiment, a memory device is disclosed comprising a storage medium and a processor, the processor configured to: receive a software image, validate a digital signature associated with the software image, write the software image to the storage medium, receive a request to launch the software image from a host processor, validate the software image, and transmit the software image to the host processor.

Abstract: A communication system is described in which user plane communication and control plane communication for a particular mobile communication device can be split between a base station that operates a small cell and a macro base station. Appropriate security for the user plane and control plane communications is safeguarded by ensuring that each base station is able to obtain or derive the correct security parameters for protecting the user plane or control plane communication for which it is responsible.

Abstract: A system comprising: (a) a compliance server adapted to receive an audio feed of a telephone conversation; (b) an identification module adapted to ascertain IP addresses from which said audio feed originates and identify participants in said telephone conversation using said IP addresses; and (c) an analysis module adapted to ascertain a subject of said telephone conversation.

Abstract: A computer-implemented method includes receiving, by a transcoder, second encrypted data. The second encrypted data is data that has been encrypted in a first key to create first encrypted data that is then encrypted in a second key to create the second encrypted data. The method includes receiving the second key and decrypting the second encrypted data using the second key to obtain the first encrypted data. The method includes encrypting the first encrypted data using a third key to create third encrypted data, and sending the third encrypted data to a destination node. A computer-implemented method includes receiving, by a transcoder, a second encrypted key. The second encrypted key is a key that has been encrypted in a first key to create a first encrypted key that is then encrypted in a second key to create the second encrypted key.

Abstract: Examples of the disclosure are directed to dynamic selection of a specific location at a destination for delivery or transfer of an item. A connected speaker can communicate with an autonomous carrier using an audio signal. The audio signal can contain identifying information associated with the specific location. The autonomous carrier can complete delivery of the item at the specific location.

Abstract: A foreign wireless communication system is operated in a local communication network as if the foreign wireless communication system were a local wireless communication system. A data communication link is established between the wireless communication system and a service provider in a local wireless communication network. An outgoing request for authentication information is communicated from the wireless communication system to a remote administration system over the data communication link. The authentication information is received over the data communication link from the administration system and is transmitted over a signal link from the wireless communication system to the service provider. A requested wireless communication service is received at the wireless communication system based on authentication of the wireless communication system by the service provider using the authentication information.

Abstract: A computer system and a method are provided for storage and distribution of encryption keys in sequence. Encryption keys, such as public keys, are provided key pointers as properties, the key pointer indicating another key, to thereby form a sequence. A current key is designated, and the sequence is advanced to a successor key indicated by the key pointer of the current key upon a predetermined succession event. The current key is transmitted upon receipt of a key request. In various embodiments, succession events can include occurrence of an expiration date, or the addition of a new key to the sequence.

Abstract: A system allows a user to store his personally identifiable information (PII) on a personal device. When a third party wants to access the user's PII (e.g., to update the PII or to retrieve the PII), a notification will be presented to the user on the personal device seeking consent to the access. The notification may inform the user as to what information is being requested and which entity is requesting the access. The requested access will be denied unless the user consents to the access. In this manner, the user is given control over the dissemination of his PII. Additionally, the system alters or adjusts the PII that is stored in third-party servers so that even if these servers are breached, the user's actual PII is not exposed.

Abstract: Techniques are described to generate a first security key when a user equipment operating in an inactive state initiates a data transmission or a procedure to resume network connection. The first security key is generated based on a second security key associated with a first network node and a counter value, and the first security key is associated with a second network node and is used to generate user plane security keys to transmit data to or to receive data from one or more network nodes.

Abstract: A system, method, and computer program product are provided for sending and receiving messages using a noisy cryptographic system. To send a message, N secret keys are negotiated using a noisy cryptographic system, where K secret keys are expected to be noiseless. A secret polynomial that includes the N secret keys is generated, and K points on the secret polynomial are derived. For each of the N secret keys, a secret key MAC key is derived and a secret key MAC is calculated using the derived secret key MAC key. A secret key MAC header is generated that includes an array of each of the secret key MACs and possibly a corresponding public key. Message integrity plaintext is generated that includes an encrypted message, the secret key MAC header, and an array of the K points on the secret polynomial. A final message that includes the message integrity plaintext is generated for being sent.

Abstract: This disclosure relates to method and system for encrypting and decrypting a facial segment in an image with a unique server key. The method includes receiving an image from one of a plurality of users. The image includes a plurality of facial segments. The method further includes, for each facial segment from the plurality of facial segments, identifying a unique user associated with the facial segment using a facial recognition algorithm, encrypting the facial segment with a unique server key, generating a protection frame, unlockable with the unique server key, to cover the facial segment, and decrypting the facial segment while rendering the image for at least one of the plurality of users upon receiving the unique server key from the at least one of the plurality of users.

Abstract: An electronic apparatus includes: a wireless communication unit wirelessly communicating with an external access point; and a processing unit performing communication control for the wireless communication unit. The processing unit performs uninstallation of driver software causing the wireless communication unit to operate and installation of the driver software after the uninstallation, as a self-repair and reboot, when there is an error in wireless connection with the external access point.

Abstract: The present invention relates to the field of quantum communication, especially a quantum key distribution device that can be configured with multiple protocols. It uses the simplified Faraday-Michelson interference ring in combination with the intensity modulator to perform timestamp encoding in a chopping manner. The phase modulation is completed with a Sagnac ring device composed of a single-polarization phase modulator, a polarization beam splitter and a Faraday rotator, so as to achieve the purpose of composite encoding and decoding, thus realizing a quantum key distribution device which can be configured with multiple protocols and multiple decoy state schemes. This device can be compatible with multiple protocols including BB84 protocol, the reference frame-independent protocol, the six-state protocol and SARG protocol and is characterized with polarization-independent phase modulation and low system complexity.

Abstract: There is provided a method for authentication in device to device discovery. A method performed by a Discoverer device, comprises broadcasting a direct discovery request, receiving a direct discovery response from a Discoveree device, the direct discovery response comprising a first token, and the Discoverer device using the first token to verify that the Discoveree device is authorized to respond to the direct discovery request.

Abstract: An information intermediating apparatus in an information transaction system including an information providing apparatus, an information acquiring apparatus and the information intermediating apparatus connected to a communication network, includes: a first receiver that receives second information, of first and second information necessary for restoring transaction object information, and first feature information indicating a feature of the first information; a second receiver that receives second feature information from the information acquiring apparatus, the second feature information being calculated from the first information transmitted to the information acquiring apparatus from the information providing apparatus; a feature information determination unit that determines whether an identity is present between the first feature information and the second feature information; and a transmitter that transmits the second information to the information acquiring apparatus, when the feature information d

Abstract: A method of authenticating data received from a user device by a service provider may include receiving user credentials from the user device via a secure communication channel; upon verifying the user credentials, providing to the user device via the secure channel a permission token, where the permission token includes at least a shared secret, where a data within the permission token is not observable to the user device and a shared secret data outside the data of the permission token, the shared secret data observable to the user device; and receiving a request from the user device via a non secure communication channel, where the request may include at least the permission token and a hash digest formed using at least a portion of the shared secret data.

Abstract: In one implementation, the disclosure provides systems and methods for generating a secure signature using a device-specific and group-specific moving target authentication protocol. According to one implementation, generating the secure signature entails determining a state of a first device in association with a select time interval. The state of the first device is defined by one or more time-variable characteristics of the first device. The device computes an output for a signing function that depends upon the determined state of the first device associated with the first time interval.

Abstract: A communication method and a device, the method including obtaining, by a terminal device, a security key, where the terminal device performs the obtaining while the terminal device is in a state in which the terminal device has disconnected a radio resource control (RRC) connection from a first network device, and in which the terminal device retains context information for a context, in the first network device, of the terminal device, and sending, by the terminal device, a first message to a second network device, where the first message includes an identifier of the terminal device and at least one of encrypted uplink data or encrypted signaling, the at least one of encrypted uplink data or encrypted signaling is encrypted by using the security key, and where the second network device is different from the first network device.

Abstract: The controller circuitry is configured to identify one of the plurality of different position assistance information for use by the terminal device to identify a position of the terminal device, and to estimate the position of the terminal device by combining the identified position assistance information with the radio signal received by the position detection receiver circuitry. The position assistance information is identified in accordance with a permission allocated to the terminal device. By providing system information which is unencrypted and other system information which is encrypted, conditional access to the position assistance information can be provided in which a lowest level of position assistance information can provide the least level of position estimation accuracy.

Abstract: An SeNB informs an MeNB that it can configure bearers for the given UE. At this time, the MeNB manages the DRB status, and then sends a key S-KeNB to the SeNB. The MeNB also sends a KSI for the S-KeNB to both of the UE and the SeNB. After this procedure, the MeNB informs an EPC (MME and S-GW) about the new bearer configured at the SeNB, such that the S-GW 50 can start offloading the bearer(s) to the SeNB 30. Prior to the offloading, the EPC network entity (MME or S-GW) performs verification that: 1) whether the request is coming from authenticated source (MeNB); and 2) whether the SeNB is a valid eNB to which the traffic can be offload.

Abstract: A system, method, and computer program product are provided for sending and receiving messages using a noisy cryptographic system. To send a message, N secret keys are negotiated using a noisy cryptographic system, where K secret keys are expected to be noiseless. A secret polynomial that includes the N secret keys is generated, and K points on the secret polynomial are derived. For each of the N secret keys, a secret key MAC key is derived and a secret key MAC is calculated using the derived secret key MAC key. A secret key MAC header is generated that includes an array of each of the secret key MACs and possibly a corresponding public key. Message integrity plaintext is generated that includes an encrypted message, the secret key MAC header, and an array of the K points on the secret polynomial. A final message that includes the message integrity plaintext is generated for being sent.

Abstract: Electronically signed data is persistently stored in data storage. After the passage of time, the data may be accessed and presented to a trusted entity for verification of the data. The trusted entity may have access to secret information used to sign the data. The trusted entity may use the secret information to verify an electronic signature of the data. One or more actions may be taken based at least in part on a response provided by the verification system.

Abstract: A Method and a system for managing undesired service requests sent from at least one terminal to a network are described, wherein the network comprises a network node for storing trusted service-information. The method comprises the steps of: the network receiving a service request from a terminal, the request comprising service request information; and, sending, preferably via a secure communication channel, a user verification request for requesting the user to verify the service requested by the terminal if at least part of the service request information is not listed in the trusted service-information.

Abstract: A security device providing a security function for an image, a camera device including the same, and a system on chip (SOC) for controlling the camera device are provided. An image transmitting device may include an image processor configured to process an image to be transmitted to an external device, and a security circuit including a key shared with the external device. The security circuit may be configured to generate a tag used for image authentication by using data of a partial region of the image and the key based on region information for selecting the partial region of the image. The image transmitting device may be configured to transmit the tag, generated to correspond to the image, to the external device with data of the image.

Abstract: A lifecycle management method, system, and computer program product include establishing a public key infrastructure (PKI) for end-to-end encryption of control plane and data plane communications by providing encryption between arbitrary components for applicant execution where an interaction pattern is isolated, secure, and a multi-tenant environment.

Abstract: Embodiments as disclosed herein may provide systems and methods for component integration and security. In particular, in one embodiment, a native component that presents a network based interface may be on a device, where that native component may expose a network based interface for access by other components. This native component can then be accessed through the network based interface. To address security concerns and other issues, the native component may be configured to determine if a received request is associated with the same user space and only respond to requests originating from the same user space.

Abstract: A method performed by a network server is provided for authentication and key management for a terminal device in a wireless communication network. The method includes authenticating the terminal device during a primary authentication session for the terminal device. The method further includes responsive to a successful authentication of the terminal device, obtaining a first key. The method further includes generating bootstrapping security parameters. The parameters include a second key derived from the first key and a temporary identifier. The temporary identifier identifies the terminal device and the bootstrapping security parameters.

Abstract: The disclosed computer-implemented method for preventing data loss from data containers may include (1) identifying, at a computing device, a process running in a data container on the computing device, (2) intercepting an attempt by the process to exfiltrate information from the computing device via at least one of a file system operation or a network operation, and (3) performing a security action to prevent the intercepted attempt. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: An authentication method for a QKD process includes: a sender selects a basis for preparing authentication information according to an algorithm in an algorithms library, and respectively applies different wavelengths to send quantum states of control information and data information according to a preset information format; a receiver filters the received quantum states, employs a basis of measurement corresponding to the algorithm to measure the authentication information quantum state, sends reverse authentication information when the measurement result is in line with the algorithm, and terminates the distribution process otherwise. In addition, the sender terminates the distribution process when its local authentication information is inconsistent with the reverse authentication information.

Abstract: The present disclosure relates to processing operations configured to efficiently enable a client and a server to establish secure communication upon initial connection between the client and the server. Upon initial connection to with the server, the client provides an encrypted token which serves as both proof of authentication/identity and provides, in the encrypted token, an encryption key that the server can utilize to initiate secure communication with the client. The server is able to trust the encrypted token and the encryption key because the encrypted token is signed and encrypted by an authentication service that has a trusted relationship with the server and because the authentication service has pre-shared decryption and signature verification keys with the server. The server utilizes the encrypted key to secure communications with the client without requiring additional processing to lookup client identity or any further intervention from the authentication service.

Abstract: A method of sharing of a reference key (AppKey) between a connected object and at least one server. The method includes the object applying a function (f) to at least one datum (DevEUI, AppEUI, DevNonce) and to a key (KSE) specific to a secure element of the object to generate the reference key, transmitting to the server a join request of the object to a network of connected objects, which include the datum, and the key (KSE) of the secure element not being transmitted to the server. The method further includes obtaining, by the server, of the key (KSE) of the secure element on the basis of the request, the server applying the function (f) to the datum and to the key (KSE) obtained by the server, so as to obtain the reference key.

Abstract: An improved financial terminal automatically reconfigures into different financial processing terminal types. In one embodiment, the terminal comprises a housing; a card reader configured to accept at least a portion of a card having an integrated circuit; at least one display; at least one processor; and at least one memory configured to store machine readable code, the machine readable code comprising a first kernel corresponding to a first transaction type and a second kernel corresponding to a second transaction type.

Abstract: This application relates to a technique that enables a software application to perform an operation on a file stored on a file system, while enforcing privacy measures. The technique includes receiving, from a file browser, a selection of file made accessible by a file access service. The file access service is associated with the file system storing the file. The file browser executes in a mode that prevents the software application from identifying content displayed within the file browser. The technique also includes, provided the software application is authorized to access the file, communicating a first list of operations for receipt by the software application, in which the software application selects a first subset of operations, to perform on the file. Furthermore, the technique includes establishing, to perform the first subset of operations on the file, a first direct communication link between the software application and the file access service.

Abstract: Methods, systems and apparatus are provided for facilitating financial transactions using an IC type financial card via a terminal. A user is provided a list of transaction types, such as PIN-based, signature-based, etc., and a requested transaction is processed via a first selected transaction type. If the transaction is unsuccessful, the terminal automatically presents a list of remaining available transaction types from which the user may select and the transaction is processed by the next selected transaction type. If the transaction is successful, funds are provided to the user, such as in the form of currency/coins or funds transfer.

Abstract: A system and method of downloading firmware into an embedded device while maintaining the integrity and confidentiality of the firmware is disclosed. In one embodiment, the process comprises four phases. In the first phase, unauthenticated content is written into the memory of the embedded device. In the second phase, this content is verified. In the third step, a secure connection is established between the host and the embedded device. In the fourth step, the firmware is loaded into the embedded device using this secure connection. The firmware is encrypted as it is transferred from the host to the embedded device and is never accessible outside of the embedded device.

Abstract: In aspects of string matching in encrypted data, a computing device stores homomorphic encrypted data as a dataset, and implements a string matching application that receives an encrypted query string as a query of the homomorphic encrypted data. The string matching application can then apply algorithms to perform addition and multiplication operations, and determine whether there are matching strings of the encrypted query string in the dataset. The string matching application can compute, for each row of the dataset, a sum of some function of dataset bits and query bits for a row result, and multiply the row results of the computed rows to determine matching strings. Alternatively, the string matching application can compute, for each row of the dataset, a product over some function of the dataset bits and the query bits for a row result, and add the row results of the computed rows to determine matching strings.

Abstract: Embodiments of the present invention may provide the capability for performing public-key encryption with proofs of plaintext knowledge using a lattice-based scheme that provides improved efficiency over conventional techniques. For example, in an embodiment, a computer-implemented method of verifying encryption may comprise generating a ciphertext, derived from a plaintext, via an encryption scheme, proving validity of the ciphertext, wherein the proof includes at least one challenge value, and using a decryption procedure that recovers a plaintext by choosing at least one additional challenge value at random from a challenge space.

Abstract: Various embodiments relate to a key protocol exchange that provide a simple but still secure key exchange protocol. Security of key exchange protocols has many aspects; providing and proving all these properties gets harder with more complex protocols. These security properties may include: perfect forward secrecy; forward deniability; key compromise impersonation resistance; security against unknown key share attack; explicit or implicit authentication; key confirmation; protocol is (session-)key independent; key separation (different keys for encryption and MACing); extendable, e.g. against DOS attacks . . . (e.g. using cookies, . . . ); support of early messages; small communication footprint; and support of for public-key and/or password authentication.

Abstract: Systems and methods that efficiently combine multiple wireless networks or devices resulting in faster, more reliable, and more secure mobile Internet. A Virtual Private Network (VPN) service application is operated to route outgoing and incoming data packets of a mobile device. The mobile device is (i) either coupled to a remote server through the VPN service application for data packets transfer between the remote server and the mobile device or (ii) performs cross-layer translation for data packets transfer between the mobile device and direct target hosts on the Internet. Concurrently using multiple channels secures data packets transfer by sending encrypted data packets over multiple channels and receiving the encrypted data packets by a single apparatus. Data packets are designated to be transferred via a Wi-Fi channel or a cellular channel, and then transferred using both the Wi-Fi channel and the cellular channel.

Abstract: Various aspects of the present disclosure generally relate to wireless communication. In some aspects, a user equipment concurrently communicates with a source base station (BS) and a target BS on a connection with the source BS and a connection with the target BS as part of a make-before-break (MBB) handover procedure; and performs a common packet data convergence protocol (PDCP) function for the connection with the source BS and the connection with the target BS before the connection with the source BS is released as part of the MBB handover procedure. Numerous other aspects are provided.

Abstract: In one embodiment, a method for automatic inference of meeting attendance is provided. The method comprises sending a calendar request to a plurality of users that are invited to a meeting. The method further comprises receiving from each user of the plurality, a unique string identifying the user. The method further comprises generating a lookup table identifying the users of the plurality and their respective unique strings. The method further comprises receiving a first string broadcasted by a first user during the meeting. The method further comprises, responsive to determining that the broadcasted first string does not match one of the unique strings in the lookup table, performing an action to prevent the first user from receiving meeting content determined to be confidential.

Abstract: A system and related methods for providing greater security and control over access to classified files and documents and other forms of sensitive information based upon a multi-user, multi-modality permission strategy centering on organizational structure, thereby making authentication strategy unpredictable so to significantly reduce the risk of exploitation. Based on the sensitivity or classification of the information being requested by a user, approvers are selected dynamically based on the work environment, e.g., mobility, use of the computing device seeking access, authentication factors under applicable environmental settings, access policy, and the like.

Abstract: A method and system for deterring attacks at potential breach points between servers and an account and login server for creating and subsequent verification of accounts. Various cryptographic primitives are used to manipulate passwords to generate verifiers. The verifiers are used with external hardware security modules (HSMs) to eliminate HSMs and intermediate steps between the HSM and login servers as potential breach points.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for creating source-specific, persistent patient identifiers for healthcare service providers. One method includes accessing a record of healthcare data, wherein the record includes patient identifying information (PII) associated with one or more persons to whom the healthcare data pertains. The portions of PII included in the accessed record of healthcare data are extracted from the accessed record and encrypted. Based on one or more business rules, one or more hashed tokens are created by applying one or more hashing functions to the extracted portions of PII. A source-specific identifier is received, the source-specific identifier having been encoded in a manner specific to an organization associated with the computer system and having been encoded with reference to the one or more hashed tokens. An association is stored between the source-specific identifier and the accessed record of healthcare data.

Abstract: A computer-implemented method of a distributed database system includes generating a database index. The method includes mapping a first specified number of bits of the database index to a database key. The method includes mapping a second specified number of bits to a data object associated with the database key. The method includes storing the first specified number of bits of the database key in a dram memory. The method includes storing second specified number of bits with the data object in a solid-state device (SSD) storage.

Abstract: This invention establishes means and protocols to secure data, and practice online authentication, using large undisclosed amounts of randomness, replacing the algorithmic complexity paradigm. Computation is limited to basic primitives like transposition, and bit-flipping. Security is credibly appraised through combinatorics calculus, and this transfers the security responsibility to the user who determines how much randomness to use.

Abstract: Users desire a system that provides for the setting of custom, content-agnostic, permissions at a message, document, and/or sub-document-level through a communications network. Such a system may also allow the user to apply customized privacy settings and encryption keys differently to particular parts of a document. Customized encryption keys may be applied to particular parties (or groups of parties) to enhance the security of the permissions settings. In the case of structured document file types, dynamically-rendered content can present a challenge to accurately display to viewers, because one or more of the document's values referred to by the dynamically-rendered content may be encrypted or otherwise unavailable to the recipient—even though the dynamically-rendered content itself is viewable by the recipient.

Abstract: Using the same mathematical principle of paring with errors, which can be viewed as an extension of the idea of the LWE problem, this invention gives constructions of a new key exchanges system, a new key distribution system and a new identity-based encryption system. These new systems are efficient and have very strong security property including provable security and resistance to quantum computer attacks.

Abstract: Using the same mathematical principle of paring with errors, which can be viewed as an extension of the idea of the LWE problem, this invention gives constructions of a new key exchanges system, a new key distribution system and a new identity-based encryption system. These new systems are efficient and have very strong security property including provable security and resistance to quantum computer attacks.