Having Particular Key Generator Patents (Class 380/44)
  • Patent number: 11263298
    Abstract: A method of maintaining ongoing authentication of a user of an application without the need to enter and re-enter a username and a corresponding password for each session initiated between a client side application residing on a client side platform and a server; and wherein the password is not stored on the server; the method comprising utilising an unbroken chain of one-time pass codes; each pass code in the chain being unique to the username and client side application; each pass code renewed periodically and preferably at least once during each said session.
    Type: Grant
    Filed: December 17, 2019
    Date of Patent: March 1, 2022
    Assignee: HAVENTEC PTY LTD
    Inventor: Ric B. Richardson
  • Patent number: 11258615
    Abstract: A method for managing certificates includes the steps of transmitting, over an electronic network by an electronic device of a client, a certificate request to a certificate management portal separate from the client, establishing an interaction with an electronic interface of a certificate authority by the certificate management portal; generating, by the certificate authority, a certificate package, delivering the generated certificate package to the certificate management portal, and downloading from the certificate management portal, by the client, at least one certificate of the delivered certificate package.
    Type: Grant
    Filed: September 12, 2019
    Date of Patent: February 22, 2022
    Assignee: Cable Television Laboratories, Inc.
    Inventor: Brian A. Scriber
  • Patent number: 11250165
    Abstract: A processor comprising a first register to store a wrapping key, a second register to store a pointer to a handle stored in a memory coupled to the processor, the handle comprising a cryptographic key encrypted using the wrapping key, and a core to execute a decryption instruction. The core is to, responsive to the decryption instruction, identify, in the decryption instruction, a pointer to ciphertext stored in the memory, retrieve the ciphertext and the handle from the memory, decrypt the cryptographic key of the handle based on the wrapping key, and decrypt the ciphertext based on the decrypted cryptographic key.
    Type: Grant
    Filed: December 20, 2019
    Date of Patent: February 15, 2022
    Assignee: Intel Corporation
    Inventors: Michael LeMay, David M. Durham, Jason W. Brandt
  • Patent number: 11251953
    Abstract: A device may receive a set of cryptographic parameters associated with an integer, wherein the set of cryptographic parameters includes a linked list of potential prime integers, in an order, used to generate the integer. The device may determine, iteratively and in the order, whether each potential prime integer included in the linked list of potential prime integers is a prime integer using a primality test or a lookup operation based on a set of proven prime integers. The device may determine whether the integer is a proven prime integer based on determining whether each potential prime integer included in the linked list of potential prime integers is a prime integer. The device may authorize, when the integer is a proven prime integer, the integer for use in a cryptographic protocol.
    Type: Grant
    Filed: July 15, 2020
    Date of Patent: February 15, 2022
    Assignee: Juniper Networks, Inc.
    Inventors: Anna M. Johnston, Rathna Ramesh
  • Patent number: 11251945
    Abstract: An aggregate maximum is efficiently obtained while keeping confidentiality. A flag converting part (12) converts a form of a share of a flag representing a last element of a group. A flag applying part (13) generates a share of a vector in which a value of a value attribute is set if a flag representing the last element of the group is true, and a predetermined value is set if the flag is false. A sorting part (14) generates a share of a sorted vector obtained by sorting the vector with a permutation which moves elements so that the last elements of each group are sequentially arranged from beginning. An output part (15) generates and outputs a share of a vector representing a maximum of each group from the sorted vector.
    Type: Grant
    Filed: April 22, 2019
    Date of Patent: February 15, 2022
    Assignee: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
    Inventor: Dai Ikarashi
  • Patent number: 11251959
    Abstract: A method of manufacturing a secure computing hardware apparatus includes receiving at least a secret generator, wherein the secret generator is configured to generate a module-specific secret, receiving a device identifier, wherein the device identifier is configured to produce at least an output comprising a secure proof of the module-specific secret, and communicatively connecting the device identifier to the secret generator.
    Type: Grant
    Filed: July 9, 2019
    Date of Patent: February 15, 2022
    Assignee: Ares Technologies, Inc.
    Inventor: Christian T Wentz
  • Patent number: 11245522
    Abstract: A method of securely storing a target number is provided based on the Chinese-Remainder Theorem. A set of n congruence pairs of numbers are generated, wherein a target number (a secret) can be uniquely derived from any t out of the n pairs. In one aspect the divisors are pre-selected such that any randomly selected n integers from the sequence are a valid Asmuth-Bloom sequence for any access structure (t, n) where 1<t≤n≤N. In another aspect, means are provided for pre-storing members of a Mignotte or Asmuth-Bloom sequence of N divisors in a look-up table from which n divisors can be selected. In this way a flexible access structure is supported. CRT secret shares for a selected access structure can be generated without having to perform the laborious process of calculating Mignotte sequences for each secret and access structure. Storage required to store the secret shares is also reduced by storing and retrieving congruence pairs in the form of an index and a remainder.
    Type: Grant
    Filed: November 24, 2017
    Date of Patent: February 8, 2022
    Assignee: LEADING SOFTWARE LIMITED
    Inventors: Lu Fan, David Lanc
  • Patent number: 11244693
    Abstract: Embodiments described include systems and methods for incorporating a watermark in an audio output. An embedded browser, which is executable on one or more processors of a client device, may detect an audio data stream from a network application accessed via the embedded browser. A watermarking engine of the embedded browser intercepts the audio data stream responsive to detecting the audio data stream. The watermarking engine incorporates a digital signal corresponding to a watermark into the audio data stream, prior to being produced as an audio output by an audio speaker. The watermarking engine causes the watermark to be present in the audio output produced by the audio speaker, the watermark configured to be inaudible by a human and recordable by an audio recording device.
    Type: Grant
    Filed: November 9, 2018
    Date of Patent: February 8, 2022
    Assignee: Citrix Systems, Inc.
    Inventor: Abhishek Chauhan
  • Patent number: 11240033
    Abstract: A method includes determining a password-length threshold. The password-length threshold may comprise an integer. The method also includes obtaining, for a first user, a set of nucleotide locations. The number of nucleotide locations in the set may be greater than or equal to the integer. The method also includes obtaining a first sample of the user's DNA. The method also includes determining, in the first sample, a nucleotide at each nucleotide location in the set of nucleotide locations, resulting in a first nucleotide-password sequence. The method also includes performing a one-way hashing operation on the first nucleotide-password sequence with a first hashing algorithm, resulting in a first hashed password.
    Type: Grant
    Filed: September 26, 2019
    Date of Patent: February 1, 2022
    Assignee: International Business Machines Corporation
    Inventors: Andrew J. Lavery, Igor S. Ramos, Silvia Giacone, Bernadette Marie Wing, Fernando Jose Suarez Saiz
  • Patent number: 11240014
    Abstract: Systems, apparatuses, methods, and computer program products are disclosed for post-quantum cryptography (PQC). An example method includes monitoring an enveloped data structure comprising a data envelope and data encrypted based on a first set of PQC encryption attributes. The example method further includes generating an electronic indication of a change in the enveloped data structure. The example method further includes retrieving PQC cryptographic performance information associated with a set of PQC cryptographic techniques. The example method further includes generating a second set of PQC encryption attributes for encrypting the data based on the change in the enveloped data structure and the PQC cryptographic performance information. Subsequently, the example method includes encrypting the data based on the second set of PQC encryption attributes.
    Type: Grant
    Filed: September 10, 2019
    Date of Patent: February 1, 2022
    Assignee: WELLS FARGO BANK, N.A.
    Inventors: Ravi K. Maganti, Bradford A. Shea, M. Erik Meinholz, Jeff J. Stapleton, Peter Bordow, Pierre Arbajian, Abhijit Rao, Robert L. Carter, Jr.
  • Patent number: 11232221
    Abstract: An example operation may include one or more of receiving a transaction request into at least one node of a blockchain network, the transaction request comprising one or more transaction parameters and one or more encryption keys, processing the transaction request to produce a transaction result, encrypting one or more parameters of the transaction result to produce an encrypted transaction result, storing the encrypted transaction result in a data block of the blockchain, and storing the one or more encryption keys in one or more key stores of the blockchain network.
    Type: Grant
    Filed: September 17, 2018
    Date of Patent: January 25, 2022
    Assignee: International Business Machines Corporation
    Inventors: Petr Novotny, Donna N. Dillenberger, Nitin Gaur
  • Patent number: 11232718
    Abstract: A method performed by a device for protecting data is provided. The method comprises inputting, to a Physically Unclonable Function, PUF, of the device, a challenge; obtaining, from the PUF, a response; and protecting the data by using the response. A device, a method in an encryption unit, computer program and computer program product are also provided.
    Type: Grant
    Filed: February 1, 2017
    Date of Patent: January 25, 2022
    Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
    Inventors: Karl Norrman, Elena Dubrova
  • Patent number: 11233638
    Abstract: Method for generating cryptotokens including identifying an asset; using a secret sharing algorithm, creating a token that corresponds to the asset, wherein the token represents a private key and comprises a first half and a second half; on the client side, generating first half of public key and first half of private key; transmitting first half of public key to a server; on the server, using first half of public key to generate a second half of private key; generating second half of public key using second half of private key; associating the asset with the token; access to the asset requires the first and second halves of the private key; performing a transaction with the asset by transferring first half of private key from first user to second user, and re-associating the asset from first to second user; first half of private key is never stored together with second half.
    Type: Grant
    Filed: August 20, 2020
    Date of Patent: January 25, 2022
    Inventors: Anton Jakovlevich Liushits, Alexander Vladimirovich Vlasov
  • Patent number: 11228907
    Abstract: A network usage control method comprises receiving (S2, S5) a handset identifier (e.g. an IMEI number) of a requesting terminal device (2) seeking to use a mobile network (4); retrieving verification information (S7) for verifying an identity of an authorised terminal device associated with the handset identifier; verifying (S9), based on the verification information, whether the requesting terminal device (2) is the authorised terminal device; and controlling (S10, S11) usage of the mobile network by the requesting terminal device in dependence on whether the requesting terminal device is verified as the authorised terminal device. Cryptographic keys can be used to bind the handset identifier to a particular handset and verify that a device presenting a given handset identifier is actually the authorised handset for that handset identifier. This prevents thieves being able to circumvent blacklisted handset identifier of a stolen handset by cloning a valid handset identifier from another device.
    Type: Grant
    Filed: November 2, 2017
    Date of Patent: January 18, 2022
    Assignee: TRUSTONIC LIMITED
    Inventor: Chris Loreskar
  • Patent number: 11228433
    Abstract: Using various embodiments, methods and systems for securing user data are described. In one embodiment, a system includes a server side application accessing a service key from a conventional key vault and an escrowed key which can then be used to compute a key to the key using which information can be encrypted. Other embodiments include using a timer service to further safeguard secure user information.
    Type: Grant
    Filed: June 26, 2019
    Date of Patent: January 18, 2022
    Inventor: Baskaran Dharmarajan
  • Patent number: 11223490
    Abstract: A method and system for authenticating a device is disclosed. The method includes the steps of: receiving a helper bit string and a first MAC; measuring a first response bit string of a physical unclonable function of the device with respect to a challenge bit string; subtracting the first response bit string from the helper bit string; decoding a result of the subtraction using a uniformly distributed random matrix, the shared secret bit string being provided from the decoding if the helper bit string was encoded using a previously measured second response bit string that is within a threshold level of similarity to the first response bit string, the decoding outputting an error value otherwise; determining a second MAC based on the shared secret bit string, the uniformly distributed random matrix, and the helper bit string; and determining whether the second MAC matches the first MAC.
    Type: Grant
    Filed: December 27, 2017
    Date of Patent: January 11, 2022
    Assignee: Robert Bosch GmbH
    Inventors: Jorge Guajardo Merchan, Paulius Duplys, Christopher Huth
  • Patent number: 11223478
    Abstract: An example system can include a reference biometric template (RBT) reader, an authenticator, and an auxiliary system. In some examples, during an initial enrollment process, the RBT reader obtains a biometric from a user, transforms the biometric into an RBT, and provides different shares of the RBT to the authenticator and the auxiliary system. The authenticator and the auxiliary system create respective shares of helper data. In some examples, the authenticator and the auxiliary system use a non-commutative transformation function to embed a secret key in their respective shares of the helper data. The auxiliary system provides its share of the helper data to the authenticator. The authenticator combines its share of the helper data with the share provided by the auxiliary system to create a full version of the helper data. The helper data can be used in a subsequent authentication process between the RBT reader and the authenticator.
    Type: Grant
    Filed: April 2, 2019
    Date of Patent: January 11, 2022
    Assignee: SRI International
    Inventors: Karim Eldefrawy, Ivan De Oliveira Nunes, Titouan Tanguy
  • Patent number: 11218305
    Abstract: A computer-implemented method includes: receiving, by a platform including one or more computing devices, a blockchain authorization information generation request from a client, in which the blockchain authorization information generation request includes a target blockchain identifier and user information; determining, based on the target blockchain identifier, a target blockchain; determining a blockchain parameter of the target blockchain, in which the blockchain parameter indicates one or more requirements for authorization information used to join the target blockchain; generating blockchain authorization information based on the blockchain parameter and the user information, in which the blockchain authorization information conforms to the one or more requirements; and sending the blockchain authorization information to the client.
    Type: Grant
    Filed: April 23, 2021
    Date of Patent: January 4, 2022
    Assignee: Advanced New Technologies Co., Ltd.
    Inventors: Yixiang Zhang, Jun Gu
  • Patent number: 11194921
    Abstract: Data masking is provided by, for at least one predetermined data item in data to be sent, applying a one-way function to that data item to produce a first value, producing a masked data item by encrypting the first value via a deterministic encryption scheme using a current encryption key for a current epoch, and replacing that data item by the masked data item. A data-provider computer sends the masked data to the data-user computer. On expiry of the current epoch, the data-provider computer generates a new encryption key for the encryption scheme in a new epoch, produces mask-update data, dependent on the current and new encryption keys, and sends the mask-update data to the data-user computer. The mask-update data permits updating, at the data-user computer, of masked data items produced with the current encryption key into masked data items produced with the new encryption key.
    Type: Grant
    Filed: November 25, 2019
    Date of Patent: December 7, 2021
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Christian Cachin, Jan L. Camenisch, Eduarda Freire Stögbuchner, Anja Lehmann
  • Patent number: 11194933
    Abstract: The present disclosure is directed to systems and methods to protect against SCA and fault injection attacks through the use of a temporary or ephemeral key to cryptographically alter input data portions. Universal resistant block (URB) circuitry receives a seed data value and at least one secret key data value and generates an ephemeral key output data value. Cryptographic circuitry uses the ephemeral key data value to transform an input data portion to produce a transformed output data portion. The use of an SCA or fault injection attack on the transformed output data portion will reveal only the ephemeral key data value and not the at least one secret key data value. Further, where a unique ephemeral key data value is used to transform each input data portion, an attacker cannot discover the ephemeral key in a piecemeal manner and must instead discover the complete ephemeral key data value—significantly increasing the difficulty of performing a successful SCA or fault injection attack.
    Type: Grant
    Filed: June 4, 2019
    Date of Patent: December 7, 2021
    Assignee: Intel Corporation
    Inventors: Yaacov Belenky, Gyora Benedek, Reuven Elbaum, David Novick, Elad Peer, Chaim Shen-Orr, Yonatan Shlomovich
  • Patent number: 11169935
    Abstract: Technologies for secure data transfer include a computing device having a processor, an accelerator, and a security engine, such as a direct memory access (DMA) engine or a memory-mapped I/O (MMIO) engine. The computing device initializes the security engine with an initialization vector and a secret key. During initialization, the security engine pre-fills block cipher pipelines and pre-computes hash subkeys. After initialization, the processor initiates a data transfer, such as a DMA transaction or an MMIO request, between the processor and the accelerator. The security engine performs an authenticated cryptographic operation for the data transfer operation. The authenticated cryptographic operation may be AES-GCM authenticated encryption or authenticated decryption. The security engine may perform encryption or decryption using multiple block cipher pipelines. The security engine may calculate an authentication tag using multiple Galois field multipliers. Other embodiments are described and claimed.
    Type: Grant
    Filed: December 26, 2018
    Date of Patent: November 9, 2021
    Assignee: INTEL CORPORATION
    Inventors: Santosh Ghosh, Luis S. Kida Kida, Reshma Lal
  • Patent number: 11171931
    Abstract: This disclosure relates to method and system for providing a light weight secure communication for computing devices. In one example, the method includes generating a new encryption key based on a selected encryption key from among a plurality of encrypted keys and a current synchronized hash based on a set of pre-defined rules, generating an updated synchronized hash based on a message to be transmitted and the current synchronized hash using a pre-defined hash algorithm, encrypting the message to be transmitted using the new encryption key to generate an encrypted message, transmitting the encrypted message, and replacing the current synchronized hash with the updated synchronized hash. The set of pre-defined rules and the pre-defined hash algorithm are retrieved from a pre-installed library. Further, the current synchronized hash, the plurality of encryption keys, and the pre-installed library are synchronized between the first computing device and the second computing device.
    Type: Grant
    Filed: March 30, 2019
    Date of Patent: November 9, 2021
    Assignee: Wipro Limited
    Inventors: Sumit Shovon Mitra, Sayon Sur, Debasish Chanda
  • Patent number: 11171790
    Abstract: A system for establishing a trusted path for secure communication between client devices and server devices, such as between an account holder and a financial institution, can provide the core security attributes of confidentiality (of the parties), integrity (of the information), anti-replay (protection against replay fraud) and/or anti-tampering (protection against unauthorized changes to information being exchanged and/or modules that generate and communicate such information). A messaging layer implementation in favor of a transport layer implementation can provide a trusted path. This infrastructure features secure cryptographic key storage, and implementation of a trusted path built using the cryptographic infrastructure. The trusted path protects against unauthorized information disclosure, modification, or replays. These services can effectively protect against Man-in-the-Middle, Man-in-the-Application, and other attacks.
    Type: Grant
    Filed: February 7, 2020
    Date of Patent: November 9, 2021
    Assignee: ACCERTIFY, INC.
    Inventor: Glenn S. Benson
  • Patent number: 11171777
    Abstract: A computer-implemented method and system for controlling remote access to a computer system is disclosed. A method includes generating a secret value at a first computer system; sharing the secret value with associated computer systems; choosing a time length for validity; computing a derived key based on the secret value; and controlling remote access to the computer system based on the derived key and a unique identifier associated with the first computer system.
    Type: Grant
    Filed: February 12, 2019
    Date of Patent: November 9, 2021
    Assignee: CARRIER CORPORATION
    Inventors: Phani Pavan Kumar Mangaiahgari, David V. Soergel, Aryn Shapiro, Doug Schiffer
  • Patent number: 11165758
    Abstract: Systems, methods, and computer-readable media for generating a keystream using media data and using the keystream to encrypt and decrypt messages are described herein. The keystream may be generated independently and at least partially in parallel by both a sender and a receiver of a message. The sender may use its independently generated keystream to encrypt a message and a receiver may use its independently generated keystream to decrypt the message. Both the sender and receiver may utilize the same algorithm for generating their respective keystreams, thereby ensuring that the same keystream is generated by both sender and receiver. The sender may share a session key with a receiver using an asymmetric encryption technique. The session key may contain a collection of subkeys. Both the sender and the receiver may independently determine media database indices that match the subkeys and aggregate the corresponding media data streams to obtain the keystream.
    Type: Grant
    Filed: April 9, 2018
    Date of Patent: November 2, 2021
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventor: Niranjan Vaish
  • Patent number: 11153757
    Abstract: A method for generating a key includes: obtaining key parameters indicated by a network side, the key parameters at least comprising a next hop chaining counter (NCC) and frequency point information for generating a key, the frequency information being a frequency of one Synchronization Signal Block (SSB) of a target cell; and generating an AS key based on the key parameters.
    Type: Grant
    Filed: January 5, 2021
    Date of Patent: October 19, 2021
    Assignee: GUANGDONG OPPO MOBILE TELECOMMUNICATIONS CORP., LTD.
    Inventor: Ning Yang
  • Patent number: 11144631
    Abstract: Embodiments described herein enable the interoperability between processes configured for pointer authentication and processes that are not configured for pointer authentication. Enabling the interoperability between such processes enables essential libraries, such as system libraries, to be compiled with pointer authentication, while enabling those libraries to still be used by processes that have not yet been compiled or configured to use pointer authentication.
    Type: Grant
    Filed: August 13, 2019
    Date of Patent: October 12, 2021
    Assignee: Apple Inc.
    Inventors: Bernard J. Semeria, Devon S. Andrade, Jeremy C. Andrus, Ahmed Bougacha, Peter Cooper, Jacques Fortier, Louis G. Gerbarg, James H. Grosbach, Robert J. McCall, Daniel A. Steffen, Justin R. Unger
  • Patent number: 11134384
    Abstract: An access point AP authentication method, a system, and a related device are provided, so as to improve security of accessing an AP of a WLAN by a terminal. The method is as follows: determining, by the terminal, an AP feature according to a feature generation rule corresponding to the access point AP of the wireless local area network WLAN; sending, by the terminal to the AP, a request message for requesting to provide an AP feature, and obtaining a response message that is returned by the AP according to the request message; and determining, by the terminal according to the response message and the determined AP feature, whether the AP can be authenticated.
    Type: Grant
    Filed: February 29, 2016
    Date of Patent: September 28, 2021
    Assignee: HONOR DEVICE CO., LTD.
    Inventor: Xi Chen
  • Patent number: 11126735
    Abstract: First data from a user device is received on an electronic computing device. The first data is encrypted to generate second data. The second data is fragmented and stored in a plurality of data stores.
    Type: Grant
    Filed: December 19, 2019
    Date of Patent: September 21, 2021
    Assignee: Wells Fargo Bank, N.A.
    Inventors: Rameshchandra Bhaskar Ketharaju, Ravi Babu Bandla, Hem Shankar Karlapalem, Sarath Chava, Rama Rao Yadlapalli, Ajay Kumar Rentala, Vamsi Krishna Geda
  • Patent number: 11122425
    Abstract: A physical layer secret key generation scheme exploiting randomness of the road surface and driving behavior is described herein. A symmetric key generation scheme can be implemented in any existing V2V visible light communication. By analyzing and simulating numerous samples taken from NGSIM vehicle trajectory data, the natural driving behavior and road surface roughness can be exploited as a source of randomness to generate symmetric cryptographic security keys.
    Type: Grant
    Filed: July 12, 2019
    Date of Patent: September 14, 2021
    Assignee: THE REGENTS OF THE UNIVERSITY OF CALIFORNIA
    Inventors: Imam Uz Zaman, Anthony Bahadir Lopez, Mohammad Abdullah Al Faruque, Ozdal Boyraz
  • Patent number: 11115389
    Abstract: A device may cause a Media Access Control Security (MACsec) session to be established on a first link of a link aggregation group (LAG) that includes a plurality of links with a different device. The device may cause a data structure to be updated to identify the first link as a MACsec enabled LAG link and may send traffic via the first link. The device may cause a MACsec session to be established on at least one additional link of the LAG and may cause the data structure to be updated to identify the at least one additional link as a MACsec enabled LAG link. The device may send, after causing the data structure to be updated to identify the at least one additional link as a MACsec enabled LAG link, additional traffic via the first link and the at least one additional link.
    Type: Grant
    Filed: May 17, 2019
    Date of Patent: September 7, 2021
    Assignee: Juniper Networks, Inc.
    Inventors: Amit Kumar Gupta, Anand Vardhan, Bavithra Gopalakrishnan
  • Patent number: 11106781
    Abstract: A secondary OS device unlocking system includes a key management system and a server device. The server device includes a storage device storing primary OS information, a remote access controller device, and a BIOS. During server device initialization operations, the BIOS sends the remote access controller device a request to unlock a storage device using a storage device locking key stored in the key management system. In response to the storage device not being unlocked, the BIOS retrieves secondary OS information and boots using the secondary OS information to provide the secondary OS that retrieves the storage device locking key and uses it to unlock the storage device, and then performs a reboot operation. The BIOS then retrieves the primary OS information from the unlocked storage device, and boots using the primary OS information to provide a primary OS.
    Type: Grant
    Filed: February 1, 2019
    Date of Patent: August 31, 2021
    Assignee: Dell Products L.P.
    Inventor: Deepaganesh Paulraj
  • Patent number: 11107501
    Abstract: A method for securing user data that is stored to a tape cartridge having a medium auxiliary memory (MAM) is described. When user data is sent to a tape library from a client, the tape library sends a request to a cloud based key management service for a data key to encrypt the user data and an encrypted data key that corresponds to the data key. The data key is used to encrypt the user data which is then stored to the tape cartridge and the encrypted data key is stored to the MAM. Upon decrypting the encrypted user data, the encrypted data key is extracted from the MAM and sent to the cloud based key management service where it is used to produce the data key from the cloud based key management service which is then sent to the tape library. When the tape library is in possession of the data key, the encrypted data in the tape cartridge can then be decrypted and sent to a requester of the user data.
    Type: Grant
    Filed: November 13, 2018
    Date of Patent: August 31, 2021
    Assignee: Spectra Logic Corporation
    Inventors: Joseph T Frank, David Lee Trachy
  • Patent number: 11108765
    Abstract: A cloud system and a device associate cloud user authentication information and local user authentication information with each other and manage the cloud user authentication information and the local user authentication information. The local user authentication information and the execution request are transmitted to the device, and the cloud user authentication information and an execution result are transmitted to the cloud system.
    Type: Grant
    Filed: May 9, 2018
    Date of Patent: August 31, 2021
    Assignee: Canon Kabushiki Kaisha
    Inventor: Akira Sugawara
  • Patent number: 11100222
    Abstract: A method is provided for protecting a trained machine learning model that provides prediction results with confidence levels. The confidence level is a measure of the likelihood that a prediction is correct. The method includes determining if a query input to the model is an attempted attack on the model. If the query is determined to be an attempted attack, a first prediction result having a highest confidence level is swapped with a second prediction result having a relatively lower confidence level so that the first and second prediction results and confidence levels are re-paired. Then, the second prediction result is output from the model with the highest confidence level. By swapping the confidence levels and outputting the prediction results with the swapped confidence levels, the machine learning model is more difficult for an attacker to extract.
    Type: Grant
    Filed: November 5, 2018
    Date of Patent: August 24, 2021
    Assignee: NXP B.V.
    Inventors: Marc Joye, Ahmed Ullah Qureshi
  • Patent number: 11102216
    Abstract: The disclosure is directed to a network gateway device (“gateway”) that provides various network management features, including a device zoning feature in which client computing devices (“client devices”) connected to the gateway are assigned to different device zones. The client devices connected to the gateway form a local area network (LAN) of the gateway, and can access an external network, e.g., Internet, using the gateway. Each of the device zones has a specific set of network access privileges. Different device zones can have different network access privileges and can provide device isolation in the LAN at different degrees.
    Type: Grant
    Filed: February 24, 2020
    Date of Patent: August 24, 2021
    Assignee: DISH Network L.L.C.
    Inventor: William Michael Beals
  • Patent number: 11101988
    Abstract: A transmitting device and a receiving device independently generate shared encryption keys by exchanging a ternary datastream composed of trits encoded by polarized photons generated and measured using one of two polarization orientations. The first orientation defines two mutually-orthogonal polarization axes and a mixed polarization state formed by a combination of the two axes for that orientation. The second orientation also defines two mutually-orthogonal polarization axes and a mixed polarization state formed by a combination of the two axes for that orientation. The mutually-orthogonal axes of one orientation are combinations of the mutually-orthogonal axes of the other orientation. The sender and receiver independently choose an orientation for each trit and use trits where each party's polarization orientations agree to determine addresses in separate cryptographic tables belonging to each party.
    Type: Grant
    Filed: May 26, 2020
    Date of Patent: August 24, 2021
    Assignee: Arizona Board of Regents on Behalf of Northern Arizona University
    Inventor: Bertrand F Cambou
  • Patent number: 11095429
    Abstract: At least any one of input keys KA0, KA1, KB?0, and KB?1 is set so that the input keys KA0, KA1, KB?0, and KB?1 which satisfy KA1?KA0=KB?1?KB?0=di are obtained, and an output key Kig(I(A), I(B)) corresponding to an output value gi(I(A), I(B)) is set by using the input keys KA0, KA1, KB?0, and KB?1, where input values of a gate that performs a logical operation are I(A), I(B)?{0, 1}, an output value of the gate is gi(I(A), I(B))?{0, 1}, an input key corresponding to the input value I(A) is KAI(A), and an input key corresponding to the input value I(B) is KB?I(B).
    Type: Grant
    Filed: November 9, 2017
    Date of Patent: August 17, 2021
    Assignee: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
    Inventors: Koutarou Suzuki, Ryo Kikuchi, Carmen Kempka
  • Patent number: 11088836
    Abstract: A key updating method includes receiving, by a terminal, a key updating notification sent by an operation server, generating, by the terminal, a new private key and a new public key using a trusted execution environment (TEE) system of the terminal, storing the new private key in the TEE system, performing signature processing on the new public key using an upper-level private key of the new private key to obtain to-be-verified signature information, and sending, by the terminal to the operation server, a storage request carrying a device identifier of the terminal, the new public key, and the to-be-verified signature information.
    Type: Grant
    Filed: April 13, 2018
    Date of Patent: August 10, 2021
    Assignee: TENCENT TECHNOLOGY (SHENZHEN) COMPANY LIMITED
    Inventor: Xuan Ye
  • Patent number: 11080414
    Abstract: A module such as an M2M device or a mobile phone can include a removable data storage unit. The removable data storage unit can include a nonvolatile memory, a noise amplifying memory, and a cryptographic unit. The nonvolatile memory can include (i) shared memory for access by both the module and the cryptographic unit, and (ii) protected memory accessible only by the cryptographic unit. The cryptographic unit can use a noise memory interface and noise amplifying operations in order to increase and distribute bit errors recorded in the noise amplifying memory. The cryptographic unit can (i) generate a random number using the noise amplifying memory and (ii) input the random number into a set of cryptographic algorithms in order to internally derive a PKI key pair. The private key can be recorded in protected memory and the public key signed by a certificate authority.
    Type: Grant
    Filed: May 18, 2016
    Date of Patent: August 3, 2021
    Assignee: Huawei Device Co., Ltd.
    Inventor: John A. Nix
  • Patent number: 11075753
    Abstract: A system, a method and a computer program product for Key Fragment Management (KFM). The KFM system comprises a plurality of KFM instances and a client device. At least two KFM instances are executed on execution platforms of two different service providers. Each KFM instance retains a root key fragment. The client device is configured to perform a cryptographic process relating to a data item using a data-specific key. Each KFM instance is configured to generate a data-specific key fragment based on a data identifier of the data item and based on the root key fragment in response to the client device requesting to generate the data-specific key for the data item. The data-specific key is generated based on a plurality of data-specific key fragments generated by each of the KFM instances.
    Type: Grant
    Filed: July 11, 2019
    Date of Patent: July 27, 2021
    Assignee: AKEYLESS SECURITY LTD.
    Inventor: Refael Angel
  • Patent number: 11070975
    Abstract: A method for transmitting, by a transmitter, a packet to a receiver of a communication system, the packet including data encrypted according to a symmetric key encryption protocol, by determining the value of a generation information and determining an encryption key according to the value of the generation information. The data to be included in the encrypted packet to be transmitted is encrypted according to the encryption key. A truncated information is calculated based on the generation information. A verification code for the encrypted packet is calculated according to the encrypted data and the first portion of the generation information. The encrypted packet to be transmitted is formed according to the truncated information, the verification code and the encrypted data.
    Type: Grant
    Filed: November 9, 2017
    Date of Patent: July 20, 2021
    Assignee: SIGFOX
    Inventor: Guillaume Larignon
  • Patent number: 11070375
    Abstract: An apparatus comprises an encryption key generator to generate a media encryption key to encrypt data in a number of memory components, where the encryption key generator is configured to wrap the media encryption key to generate an encrypted media encryption key. The encrypted media encryption key is stored in a non-volatile memory. The apparatus comprises firmware having instructions to transition the apparatus to and from a secure state using the encrypted media encryption key.
    Type: Grant
    Filed: August 14, 2018
    Date of Patent: July 20, 2021
    Assignee: Micron Technology, Inc.
    Inventors: Nathan A. Eckel, Steven D. Check
  • Patent number: 11070358
    Abstract: A computation device (200) arranged to evaluate a data function (S) mapping a number (n) of input variables to a number of output variables (m). The computation device comprises a selection mechanism (220) receiving as input selection variables and an evaluation mechanism (210) arranged to receive the one or more evaluation variables and to evaluate the evaluation functions for the received evaluation variables, an evaluation function receiving as input the evaluation variables.
    Type: Grant
    Filed: December 14, 2016
    Date of Patent: July 20, 2021
    Assignee: Koninklijke Philips N.V.
    Inventors: Sebastiaan Jacobus Antonius De Hoogh, Ronald Rietman, Ludovicus Marinus Gerardus Maria Tolhuizen, Hendrik Dirk Lodewijk Hollmann
  • Patent number: 11057372
    Abstract: A system and method provides access to one or more web services by capturing a human-perceptible rendering on a separate device, identifying a code from the human-perceptible rendering captured and granting access to the one or more web services, responsive to the code identified and an identifier of the user.
    Type: Grant
    Filed: December 14, 2019
    Date of Patent: July 6, 2021
    Assignee: Charles Schwab & Co., Inc.
    Inventors: Valery Zubovsky, Suwat Phruksawan, Toby R. Kendall, Patrick C. McGraw, Dominic E. Caudell
  • Patent number: 11057209
    Abstract: The current document is directed to distributed-secure-storage systems, and processes carried out within the distributed-secure-storage systems, that provide for secure storage and retrieval of confidential and critical data, referred to as “secrets,” within distributed computer systems. The secret-storage systems partition an input secret into multiple secret shares and distribute the secret shares among multiple secret-share-storing node subsystems, without persistently storing the secret itself. An agent within a client device subsequently requests a secret share corresponding to a secret, or a share of data derived from the secret share, from each of the multiple secret-share-storing nodes. The multiple secret-share-storing nodes additionally cooperate to periodically alter the stored secret shares corresponding to a secret in a way that allows agents to recover the original secret, or derived data, from all or a portion of the altered secret shares or derived-data shares.
    Type: Grant
    Filed: February 28, 2018
    Date of Patent: July 6, 2021
    Assignee: VMware, Inc.
    Inventors: Asaf Kariv, Ittai Abraham, Yotam Harchol
  • Patent number: 11057186
    Abstract: A device may store raw random data in a raw random data store. The raw random data may include a first plurality of data strings. The device may generate, using a quotient ring transform (QRT), cryptographic random data based on the raw random data. The cryptographic random data includes a second plurality of data strings that is transformed from the first plurality of data strings based on an extraction state stored in an extraction state store. The device may store the cryptographic random data in a cryptographic random data store and may use the cryptographic random data for various purposes.
    Type: Grant
    Filed: May 17, 2019
    Date of Patent: July 6, 2021
    Assignee: Juniper Networks, Inc.
    Inventors: Anna M. Johnston, Purushottam Anant Kulkarni
  • Patent number: 11050745
    Abstract: An information processing apparatus that authenticates sets of distributed authentication information without collecting the sets of distributed authentication information at any one of the apparatuses included in a system.
    Type: Grant
    Filed: August 18, 2016
    Date of Patent: June 29, 2021
    Assignee: NEC CORPORATION
    Inventors: Yuki Tanaka, Jun Furukawa, Kazuma Ohara, Toshinori Araki
  • Patent number: 11050555
    Abstract: A method for remotely acquiring a secret key, comprising steps of detecting an injection key acquisition instruction; generating a temporary key pair when the injection key acquisition instruction is detected; acquiring a locally stored private key in a random key pair, and using a private key in the random key pair to perform signature on a public key in the temporary key pair to generate a temporary key signature; acquiring a first identity authentication certificate; sending the temporary key signature and the first identity authentication certificate to a remote injection server; receiving an injection key ciphertext signature and a second identity authentication certificate which are returned by the remote injection server according to the temporary key signature and the first identity authentication certificate; and acquiring and storing an injection key according to the injection key ciphertext signature and the second identity authentication certificate.
    Type: Grant
    Filed: September 22, 2017
    Date of Patent: June 29, 2021
    Assignee: PAX COMPUTER TECHNOLOGY (SHENZHEN) CO., LTD.
    Inventors: Chuan Liu, Yongquan Yang
  • Patent number: 11050556
    Abstract: Secure vehicular communication is described herein. An example apparatus can include a processor and a vehicular communication component. The vehicular communication component can be configured to generate a vehicular private key and a vehicular public key, provide the vehicular public key to a plurality of external communication components wherein each respective one of the plurality of external communication components is positioned on a different transportation assistance entity, provide data to at least one of the plurality of external communication components, receive, in response to providing the data, additional data from the at least one of the plurality of external communication components, wherein the additional data is encrypted using the vehicular public key, and decrypt the additional data using the vehicular private key.
    Type: Grant
    Filed: July 13, 2018
    Date of Patent: June 29, 2021
    Assignee: Micron Technology, Inc.
    Inventors: Antonino Mondello, Michelangelo Pisasale, Alberto Troia