Having Particular Key Generator Patents (Class 380/44)
  • Patent number: 11042610
    Abstract: Embodiments herein describe techniques for validating binary files used to configure a hardware card in a computing system. In one embodiment, the hardware card (e.g., an FPGA) includes programmable logic which the binary file can configure to perform a specialized function. In one embodiment, multiple users can configure the hardware card to perform their specialized tasks. For example, the computing system may be a server on the cloud that hosts multiple VMs or a shared workstation. Permitting multiple users to directly configure and use the hardware card may present a security risk. To mitigate this risk, the embodiments herein describe techniques for validating encrypted binary files.
    Type: Grant
    Filed: October 4, 2017
    Date of Patent: June 22, 2021
    Assignee: XILINX, INC.
    Inventors: Hem C. Neema, Sonal Santan, Bin Ochotta
  • Patent number: 11036392
    Abstract: A data encryption system receives data to be encrypted prior to being transmitted to a storage unit. The received data is analyzed to determine a secure storage approach based on a risk level associated with the received data. In response to the risk level satisfying a threshold risk level the data encryption system uses a convergent encryption technique to encrypt the received data, but in response to the risk level failing to satisfy the threshold risk level, the data encryption system encrypts the received data using a key based on a random number. The encrypted data is transmitted to a storage unit.
    Type: Grant
    Filed: July 21, 2017
    Date of Patent: June 15, 2021
    Assignee: PURE STORAGE, INC.
    Inventor: Jason K. Resch
  • Patent number: 11029858
    Abstract: A method of encoding data, including: obtaining a data stream comprising a first sequence of values; duplicating the first sequence of values; offsetting the duplicate first sequence of values; braiding the first sequence of values and the offset duplicate first sequence of values, creating a braided data sequence; and outputting the braided data sequence.
    Type: Grant
    Filed: April 3, 2020
    Date of Patent: June 8, 2021
    Assignee: Kara Partners LLC
    Inventors: Brian Penny, Giovanni Viscardi
  • Patent number: 11025426
    Abstract: The disclosure concerns an encryption function applied to a first word, a second word, a third word, and a fourth word including: multiplying the third word by the fourth word; adding the result of the multiplication; subtracting the result of the addition to the second word from the result of the addition to the first word; adding the result of the subtraction; combining with a constant the result of the addition of the third word to the result of the subtraction; and multiplying by two the result of said combination and circularly shifting the codes of the respective results of the addition of the fourth word to the result of the subtraction, of the addition of the second word to the result of the multiplication, and of the addition of the first word to the result of the multiplication.
    Type: Grant
    Filed: January 16, 2019
    Date of Patent: June 1, 2021
    Assignee: PROTON WORLD INTERNATIONAL N.V.
    Inventors: Joan Daemen, Michael Peeters
  • Patent number: 11018847
    Abstract: A method to protect a device key in a device comprising at least one secure element locally connected to at least one time programmable memory storing a global value in form of a bit string comprising locked bits and unlocked bits. The locked bits are irreversibly pre-programmed in the one-time-programmable memory during an initialization phase of the device while the un-locked bits remaining in an initial state may be programmable by the secure element. The secure element is configured to generate, at initialization of the device, a device specific value by using the global value, program the device specific value previously obtained in the one time programmable memory, and erase the global value by programming the unlocked bits of the corresponding bit string. A further object of the disclosure includes a device configured to carry out the method.
    Type: Grant
    Filed: January 2, 2019
    Date of Patent: May 25, 2021
    Assignee: NAGRAVISION S.A.
    Inventors: Didier Hunacek, Marco Macchetti, Nicolas Fischer
  • Patent number: 11019073
    Abstract: Techniques are presented for efficiently provisioning application-agnostic resource access to a variety of applications without modification to the native access control mechanisms of the applications and without transmission of a user's credentials over the network. A user of an application is authenticated by an authorization provider. An access token for the authenticated user is generated. A session password is generated based at least in part on the access token. The session password is applied by the user to the native access control mechanism of an application to facilitate access to resources (e.g., set of subject data) by the application. The resource access is achieved without modification to the native access control mechanism of the application and without transmission of the credentials (e.g., username, password, etc.) of the user over the network.
    Type: Grant
    Filed: March 6, 2018
    Date of Patent: May 25, 2021
    Assignee: AtScale, Inc.
    Inventors: Matthew Baird, David Vigdor Schreibman, Gaurav Nitin Shetti
  • Patent number: 11012230
    Abstract: A cryptographic communication method using a dynamically-generated private key is provided. A signal generation unit outputs a second signal obtained by giving an error in a predetermined range to a signal obtained based on a first signal. An error correction generation unit outputs a third signal obtained based on the second signal and auxiliary information for correcting an error included in the second signal. A private-key generation unit generates a first private key based on the third signal. An encryption calculation unit outputs an encrypted signal obtained by encrypting a fourth signal based on the first private key.
    Type: Grant
    Filed: November 16, 2017
    Date of Patent: May 18, 2021
    Assignee: RENESAS ELECTRONICS CORPORATION
    Inventor: Daisuke Moriyama
  • Patent number: 10990663
    Abstract: There is disclosed a method of handling a sensor, comprising the steps of: challenging a subset of sensor components under uniform conditions; receiving output signal values from said subset; for each component, determining the statistical moment of order i of the temporal distribution of the output signal value of said each sensor component; and determining one or more pathological sensor components whose sum of the distances of values to other components of the subset is greater than a threshold, the distance between two sensor components being determined by the difference of the ith statistical moment values of the two temporal distributions associated to the components obtained when challenging said subset under uniform conditions. Described developments comprise the use of imaging sensors, key or identifier generation, authentication mechanisms, determination of thresholds, use of helper data files, adjustments of light sources and/or beam shaping, handling of lossy compression and of videos.
    Type: Grant
    Filed: October 16, 2018
    Date of Patent: April 27, 2021
    Assignee: SECURE-IC SAS
    Inventors: Adrien Facon, Sylvain Guilley
  • Patent number: 10992465
    Abstract: A computer-implemented method includes: receiving, by a platform including one or more computing devices, a blockchain authorization information generation request from a client, in which the blockchain authorization information generation request includes a target blockchain identifier and user information; determining, based on the target blockchain identifier, a target blockchain; determining a blockchain parameter of the target blockchain, in which the blockchain parameter indicates one or more requirements for authorization information used to join the target blockchain; generating blockchain authorization information based on the blockchain parameter and the user information, in which the blockchain authorization information conforms to the one or more requirements; and sending the blockchain authorization information to the client.
    Type: Grant
    Filed: September 28, 2020
    Date of Patent: April 27, 2021
    Assignee: Advanced New Technologies Co., Ltd.
    Inventors: Yixiang Zhang, Jun Gu
  • Patent number: 10985912
    Abstract: A processor of a remote crypto cluster (RCC) may obtain an encrypted specific key from at least one data source through at least one network. The processor of the RCC may derive intermediate data in blind based on the encrypted specific key. The intermediate data may include information from which a derived key is derived. The processor of the RCC may send the intermediate data in blind to a client device.
    Type: Grant
    Filed: October 5, 2018
    Date of Patent: April 20, 2021
    Assignee: INTUIT INC.
    Inventors: Gleb Keselman, Yaron Sheffer, Alon Rosen
  • Patent number: 10972292
    Abstract: Disclosed is an input/output circuit for a physical unclonable function generator circuit. In one embodiment, a physical unclonable function (PUF) generator includes: a PUF cell array comprising a plurality of bit cells configured in a plurality of columns and at least one row, and at least one input/output (I/O) circuit each coupled to at least two neighboring columns of the PUF cell array, wherein the at least one I/O circuit each comprises a sense amplifier (SA) with no cross-coupled pair of transistors, wherein the SA comprises two cross-coupled inverters with no access transistor and a SA enable transistor, and wherein the at least one I/O circuit each is configured to access and determine logical states of at least two bit cells in the at least two neighboring columns; and based on the determined logical states of the plurality of bit cells, to generate a PUF signature.
    Type: Grant
    Filed: April 12, 2019
    Date of Patent: April 6, 2021
    Assignee: Taiwan Semiconductor Manufacturing Co., Ltd.
    Inventors: Jui-Che Tsai, Shih-Lien Linus Lu, Cheng Hung Lee, Chia-En Huang
  • Patent number: 10965456
    Abstract: Various techniques provide systems and methods for facilitating data encryption/decryption and almost immediate erasure of associated information. In one example, a method includes receiving first data in a first memory. The method further includes receiving a first key in a second memory. The method further includes generating, by a logic circuit, second data based on the first data and the first key. The method further includes providing the second data for transmission. The method further includes erasing the first data and/or the first key in one-half clock cycle of generating the second data. Related methods and devices are also provided.
    Type: Grant
    Filed: September 25, 2017
    Date of Patent: March 30, 2021
    Assignee: The Boeing Company
    Inventors: Jeffrey H. Hunt, Wayne R. Howe
  • Patent number: 10958415
    Abstract: A method, apparatus, and computer-readable medium for searching polymorphically encrypted data includes generating one or more pseudonymous tokens by encrypting a ciphertext using a first algorithm and an encryption key, the first algorithm comprising a polymorphic algorithm configured to generate a distinct pseudonymous token for each application of the polymorphic algorithm to the same plaintext, storing the one or more pseudonymous tokens in one or more data stores, and identifying data in the one or more data stores that corresponds to the ciphertext by querying the data store using a search token generated by encrypting the plaintext using a second algorithm and the encryption key, the search token being distinct from the one or more pseudonymous tokens.
    Type: Grant
    Filed: July 11, 2018
    Date of Patent: March 23, 2021
    Assignee: Informatica LLC
    Inventors: Igor Balabine, Richard Grondin
  • Patent number: 10936711
    Abstract: A data management system manages secured data for a plurality of users. The data management system utilizes an access authorization system to authenticate users seeking access to the data management system. The access authorization system provides access tokens to authenticated users. The access tokens enable the authenticated users to access the data management system without again providing authentication data. The access authorization system includes, for each user, an access policy that governs whether the users can use the access tokens to access the data management system. The access tokens have a finite lifetime. If the users use the access tokens within the finite lifetime and if the users satisfy all of the access rules of the access policies, then the lifetime of the access tokens can be extended a finite number of times.
    Type: Grant
    Filed: April 18, 2017
    Date of Patent: March 2, 2021
    Assignee: Intuit Inc.
    Inventors: Parul Jain, Doug Foiles, Erik Peterson
  • Patent number: 10922982
    Abstract: An active shooter response system is disclosed. The system utilizes a system of sensors and drones which may receive data at a base station. The base station may centrally process the data from the drones and the sensors so that a coordinated attack on the active shooter can be formulated either automatically without human intervention or manually at the base station by an operator of the system.
    Type: Grant
    Filed: August 7, 2019
    Date of Patent: February 16, 2021
    Assignee: GUARDIAN ROBOTICS, INC.
    Inventor: Andrew Magdaleno
  • Patent number: 10917785
    Abstract: A method and apparatus provides a communication connection between a user equipment and a network entity including a plurality of radio bearers having security keys. A connection reconfiguration message is received, which identifies bearer specific changes to be made to a subset of radio bearers including less than all of the plurality of radio bearers, that impact the security keys being used by the subset of radio bearers, where the connection reconfiguration message includes a bearer identification field that identifies the radio bearers included in the subset and a chaining counter. The requested changes are applied to the subset of radio bearers associated with the bearer identification field without resetting the communication connection with the communication network.
    Type: Grant
    Filed: June 23, 2018
    Date of Patent: February 9, 2021
    Assignee: Motorola Mobility LLC
    Inventors: Prateek Basu Mallick, Joachim Löhr, Ravi Kuchibhotla
  • Patent number: 10911230
    Abstract: A method begins or continues with deleting a security code from random access memory (RAM) of a computing device when the computing device is inactive. The security code is required for functionality of the computing device and is stored in the RAM. The method continues with detecting a reactivation request. In response to the reactivation request, the method continues with obtaining authentication data from an activation requester, generating a set of blinded random numbers, and requesting a plurality of encoded data slices from a plurality of other devices. The method continues with performing a sequence of operations on the plurality of encoded data slices using the authentication data and the set of blinded random numbers to produce a recovered security code. When the recovered security code is verified, the method continues with storing the recovered security code as the security code in RAM and activating operation of the computing device.
    Type: Grant
    Filed: November 28, 2018
    Date of Patent: February 2, 2021
    Assignee: Pure Storage, Inc.
    Inventors: S. Christopher Gladwin, Jason K. Resch, Thomas F. Shirley, Jr.
  • Patent number: 10895799
    Abstract: The present disclosure provides a method and device for identifying a flashing light source. The method is as follows. A processor obtains an image captured via a rolling shutter image sensor, the rolling shutter image sensor capturing an image of an environmental background, wherein the environmental background may include movable flashing light sources. A processor obtains stripe sets in the image, wherein the stripe sets can be obtained by capturing the flashing light sources via the rolling shutter image sensor. A processor takes a center of each stripe set as a reference point, and samples along a first direction to obtain n sampling points. A processor identifies the flashing light source by processing the n sampling points. With this disclosure, automatic identification of the flashing light source can be achieved.
    Type: Grant
    Filed: December 24, 2018
    Date of Patent: January 19, 2021
    Assignee: GUANGDONG VIRTUAL REALITY TECHNOLOGY CO., LTD.
    Inventors: Yongtao Hu, Jingwen Dai, Jie He
  • Patent number: 10885415
    Abstract: Disclosed herein is an authenticating mark formed on the surface of a product or package. The said mark comprising: at least an overt portion of visible 3D random image in the form of physically unclonable function (PUF) characterized in that the said PUF is random cracks or colors. Additionally, phosphor particles might be added to this pattern as covert features. It further discloses a system and method for identifying genuine or counterfeited products by analyzing the image of a 3D-PUF and its encrypted image using a commonly held scanning device.
    Type: Grant
    Filed: September 7, 2018
    Date of Patent: January 5, 2021
    Assignee: TRANSPACKS TECHNOLOGIES PRIVATE LIMITED
    Inventors: Deepak Gupta, Ankit Nagar
  • Patent number: 10887080
    Abstract: A method and computer-readable storage medium for a computer system to perform an encryption scheme is disclosed that is capable of encrypting big data that includes complex data, including image data, sensor data, and text data, and supporting both symmetric and asymmetric-key handling. The encryption scheme uses double hashing using two different consecutively-applied hash functions. With double hashing, the encryption scheme eliminates the threat of known cryptanalysis attacks and provides a highly secure ciphering scheme. Also, the ciphertext header generated in the encryption scheme enables efficient cloud data sharing. A user can share the encrypted data later by re-encrypting the seed and sharing a new ciphertext header without the need of re-encrypting the data or changing the secret or private key. Thus, the encrypted data stays as is in the cloud, and only the seed is encrypted and shared as needed.
    Type: Grant
    Filed: March 14, 2018
    Date of Patent: January 5, 2021
    Assignee: King Fahd University of Petroleum and Minerals
    Inventors: Sultan Ahmad Almuhammadi, Ahmed Amro
  • Patent number: 10880763
    Abstract: A computer-automated maintaining a physical configuration of an antenna operating within radio access network (RAN) of a mobile wireless network is described. A feature subset of a covering set of features for the antenna is specified. A centroid is generated for the antenna, wherein the centroid comprises a current long-term values of the feature subset obtained by processing multiple data sets for the feature subset over a relatively long time period. An antenna change detection decision is rendered, wherein the rendering an antenna change detection decision comprises first applying a current short-term values of the feature subset, which are representative of a current status of the antenna, to the centroid to render a current distance from centroid. In accordance with detecting an antenna change event during the applying, an antenna change event notification is issued that corresponds to the detected antenna change event.
    Type: Grant
    Filed: February 21, 2020
    Date of Patent: December 29, 2020
    Assignee: United States Cellular Corporation
    Inventors: Mario Vela, David Brent Amos, Michael Reed Hobson, Kenneth Wotring, Zachary Wozich, Michael S. Irizarry, Narothum Saxena
  • Patent number: 10878083
    Abstract: A mechanism for securing a mobile app for execution on a mobile device. The mechanism includes loading a non-trusted portion of the mobile app from a non-trusted application provider onto the mobile device, operating a key provisioning server to generate keys associated with a trusted execution environment, transmitting the keys associated with the trusted execution environment to the mobile device and to a key directory server, authenticating the mobile device, and upon authenticating the mobile device, transmitting a trusted portion of the mobile app including a trusted application to the mobile device, and installing the trusted portion of the mobile app on the mobile device thereby providing a trusted execution environment. Other systems and methods are disclosed.
    Type: Grant
    Filed: December 9, 2016
    Date of Patent: December 29, 2020
    Assignee: THALES DIS FRANCE SA
    Inventors: Min Hlaing, SM Sohiduzzaman SK Abdul Aziz, Sriram Ramachandran, Véronique Charpeignet, Patrice Angelini
  • Patent number: 10873454
    Abstract: Techniques are disclosed for securing data in a cloud storage. Plaintext files are stored as secured, encrypted files in the cloud. The ciphering scheme employs per-block authenticated encryption and decryption. A unique file-key is used to encrypt each file. The file-key is wrapped by authenticated encryption in a wrapping-key that may be shared between files. A centralized security policy contains policy definitions which determine which files will share the wrapping-key. Wrapping-keys are stored in a KMIP compliant key manager which may be backed by a hardware security module (HSM). File metadata is protected by a keyed-hash message authentication code (HMAC). A policy engine along with administrative tools enforce the security policy which also remains encrypted in the system. Various embodiments support blocks of fixed as well as variable sizes read/written from/to the cloud storage.
    Type: Grant
    Filed: July 3, 2018
    Date of Patent: December 22, 2020
    Assignee: ZETTASET, INC.
    Inventors: Eric A. Murray, Maksim Yankovsky
  • Patent number: 10873459
    Abstract: A white-box system for authenticating a user-supplied password, including: a password database including a salt value and an authentication value for each user; a white-box implementation of a symmetric cipher configured to produce an encrypted value by encrypting the user-supplied password using the salt value associated with the user as an encoded secret key; and a comparator configured to compare the encrypted value with the authentication value associated with the user to verify the user-supplied password.
    Type: Grant
    Filed: September 24, 2018
    Date of Patent: December 22, 2020
    Assignee: NXP B.V.
    Inventors: Joppe Willem Bos, Rudi Verslegers, Wilhelmus Petrus Adrianus Johannus Michiels
  • Patent number: 10860724
    Abstract: In aspects of active key rolling for sensitive data protection, a data security system includes memory storage implemented as a data store to maintain a batch of sensitive data instruments each encrypted with a previous encryption key. A data encryption service can receive a request from a client device for data in a sensitive data instrument from the batch of the sensitive data instruments. The data encryption service can decrypt the sensitive data instrument with the previous encryption key making the requested data in the sensitive data instrument available for access by the client device. The data encryption service can then re-encrypt the sensitive data instrument with a new encryption key effective to update the encryption of the sensitive data instrument, the updated encryption being triggered based on the request for the data and the decryption of the sensitive data instrument.
    Type: Grant
    Filed: June 13, 2017
    Date of Patent: December 8, 2020
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Malcolm Eric Pearson, Tolga Acar
  • Patent number: 10855464
    Abstract: Methods, apparatus, systems and articles of manufacture to manage credentials in hyper-converged infrastructures are disclosed. An example method includes establishing, by executing an instruction with at least one processor, a communication between a software defined data center manager of the hyper-converged infrastructure and a component of the hyper-converged infrastructure using first credentials included in a known hosts file. The example method also includes generating, by executing an instruction with the at least one processor, second credentials at the component in response to a power-on event detected by the software defined data center manager. The example method also includes recording, by executing an instruction with the at least one processor, the second credentials at the known host file.
    Type: Grant
    Filed: April 7, 2017
    Date of Patent: December 1, 2020
    Assignee: VMWARE, INC.
    Inventor: Vishesh Kumar Nirwal
  • Patent number: 10855458
    Abstract: Disclosed is a random binary sequence-based sequence encryption method accompanied with random reconfiguration of a key.
    Type: Grant
    Filed: October 16, 2019
    Date of Patent: December 1, 2020
    Inventors: Zhineng Xu, Yefan Xu
  • Patent number: 10848469
    Abstract: Arrangements for dynamically authenticating multiple devices in a key network are provided. In some examples, registration information associated with a plurality of devices in a key network may be received. The registration information may include device attributes. Device keys including cross reference data may be generated and transmitted to the plurality of devices. A reference key including one or more starting points for executing one or more hop sequences based on generated hop counts in the reference key may be generated. A first authentication code may also be generated and a hash value of the first authentication code may be stored. Upon receiving a request for authentication, the reference key may be transmitted to the requesting device. The hop sequence(s) may then be executed by one or more of the computing devices in the key network to generate a comparison authentication code.
    Type: Grant
    Filed: May 28, 2019
    Date of Patent: November 24, 2020
    Assignee: Bank of America Corporation
    Inventors: Vijay Kumar Yarabolu, Nagasubramanya Lakshminarayana
  • Patent number: 10839380
    Abstract: A method for anonymously carrying out a transaction, wherein one-time passwords encrypted by means of a one-way function are sent by an authentication server to a service device. The non-encrypted one-time passwords are sent by the authentication server to a secure element of a mobile device. In order for a transaction to be effected, the secure element sends the one-time passwords to the service device.
    Type: Grant
    Filed: September 22, 2015
    Date of Patent: November 17, 2020
    Assignee: Giesecke+Devrient Mobile Security GmbH
    Inventor: Caroline Grosser
  • Patent number: 10841795
    Abstract: A method for protected communication between a mobile unit coupled to a smartphone and a server, wherein it is possible to access a service of the server via the smartphone by registration data. Processes are provided for the first-time input of a PIN number in association with the registration data; definition of a secret of the mobile unit; storage of the registration data, the PIN number and the secret in a secure memory in the smartphone; input of the PIN number on the mobile unit; transmission of the PIN number and the secret from the mobile unit to the secure memory; reading of at least a portion of the registration data from the secure memory if the transmitted PIN number and the transmitted secret match the stored PIN number and the stored secret; and transmission of at least the portion of the registration data from the smartphone to the server.
    Type: Grant
    Filed: December 1, 2016
    Date of Patent: November 17, 2020
    Assignee: VOLKSWAGEN AKTIENGESELLSCHAFT
    Inventors: Matthias Gerlach, Michael Anteboth
  • Patent number: 10841107
    Abstract: According to various aspects, a delay-based physical unclonable function (PUF) device is provided. According to one embodiment, the PUF device includes circuitry for generating output bits of entropy by comparing, or “racing”, a plurality of PUF cells. A PUF cell is a building block of the PUF device. For example, the PUF device may include two identically designed circuits with only process related variations and each circuit can be a PUF cell. According to another aspect, if PUF cells with same history of winning or losing are being compared in a race, adversaries cannot predict the outcome of the current race based on previous race results. Accordingly, systems and methods are described herein for generating multiple rounds of races based on the previous rounds of races. Thus, one PUF cell can be used in multiple pairwise comparisons while maximal entropy is extracted.
    Type: Grant
    Filed: November 20, 2017
    Date of Patent: November 17, 2020
    Assignee: Analog Devices, Inc.
    Inventors: Tze Lei Poo, Sadaf Ahmad
  • Patent number: 10841087
    Abstract: The present invention relates to a security device which performs processes such as authentication or cryptography, for example a security device for securely holding a key used in a cryptographic process, and a security method therefor.
    Type: Grant
    Filed: November 5, 2015
    Date of Patent: November 17, 2020
    Assignee: MITSUBISHI ELECTRIC CORPORATION
    Inventors: Hisashi Fukuda, Takeshi Yoneda, Nobuhiro Kobayashi, Daisuke Suzuki, Manabu Misawa, Koichi Shimizu, Takeshi Sugawara
  • Patent number: 10833855
    Abstract: A wireless device (24) includes a modem (56) and processing circuitry (50, 52). The modem is configured to modulate signals for transmission over wireless channels, and demodulate signals received over the wireless channels. The processing circuitry is configured to receive a first frame from a second wireless device over a wireless channel via the modem, and transmit a second frame to the second wireless device via the modem over the wireless channel, to calculate a first Channel State Information (CSI) based on the first frame, to calculate a first normalized CSI by applying to the first CSI a normalization procedure, and generate, based on the first normalized CSI, a first key that due to the normalization procedure has an increased likelihood to match a second key generated in the second wireless device based on the second frame, and to communicate securely with the second wireless device over the wireless channel using the first key.
    Type: Grant
    Filed: March 19, 2017
    Date of Patent: November 10, 2020
    Assignee: CELENO COMMUNICATIONS (ISRAEL) LTD.
    Inventors: Nir Shapira, Shachar Hauzner
  • Patent number: 10826875
    Abstract: Securely communicating requests may include transmitting an encrypted response including an encryption library and a public key to a client device, the encrypted response encrypted using transport encryption established between a router device and the client device, receiving an encrypted request including data encrypted using the encryption library and the public key, the encrypted request encrypted using transport encryption established between the client device and router device, and transmitting an encrypted agent message to agent software in a customer environment, the encrypted agent message including the data encrypted using the encryption library and the public key, the encrypted agent message encrypted using transport encryption established between the router device and agent software, wherein the encrypted agent message is decryptable by the agent software using a private key inaccessible within the provider environment.
    Type: Grant
    Filed: July 22, 2016
    Date of Patent: November 3, 2020
    Assignee: ServiceNow, Inc.
    Inventor: John H. Kim
  • Patent number: 10812259
    Abstract: Methods and systems for generating a random number include extracting feature information from a structure having a random physical configuration. The feature information is converted to a string of binary values to generate a random number. Pseudo-random numbers are generated using the random number as a seed to improve the security of encrypted information.
    Type: Grant
    Filed: October 31, 2017
    Date of Patent: October 20, 2020
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Huan Hu, Kafai Lai, Sharathchandra Pankanti, Rasit Onur Topalogu
  • Patent number: 10812476
    Abstract: Techniques are disclosed relating to authenticating a second mobile device for participation in a multi-factor authentication process. In disclosed embodiments, a server generates an authentication decision, based on communicating with a first mobile device as a factor in the multi-factor authentication process. After receiving a request from the first mobile device to authorize participation of a second mobile device in the multi-factor authentication process, the server may generate a secret and transmit the secret to the first mobile device. The server may receive information from the second mobile device, based on the second mobile device capturing an image of a display by the first mobile device, where the display is based on the transmitted secret. In some embodiments, the server then verifies the content of the information using the secret and verifies that the information is received within a determined time interval from transmitting the secret.
    Type: Grant
    Filed: May 22, 2018
    Date of Patent: October 20, 2020
    Assignee: salesforce.com, inc.
    Inventor: Joshua David Alexander
  • Patent number: 10805073
    Abstract: Provided are a computer program product, system, and method for generating master and wrapper keys for connected devices in a key generation scheme. For each of the devices, a wrapped master key comprising a master key for the device and a wrapper key is stored. The wrapper keys for a plurality of the devices are generated by another of the devices. For each of a plurality of the devices, the master key for the device is used to generate the wrapper key for a target device comprising another of the devices. For each of the devices, the wrapper key for the device is used to decrypt the stored wrapped master key. At least one of the devices uses the master key for the device to encrypt and decrypt data at the device.
    Type: Grant
    Filed: January 2, 2019
    Date of Patent: October 13, 2020
    Assignee: International Business Machines Corporation
    Inventors: Ronen Gazit, Ron S. Shapiro, Lior Shlomov, Ariel Waizel, Guy-Arie Yur
  • Patent number: 10790973
    Abstract: A computer-implemented method includes: receiving, by a platform including one or more computing devices, a blockchain authorization information generation request from a client, in which the blockchain authorization information generation request includes a target blockchain identifier and user information; determining, based on the target blockchain identifier, a target blockchain; determining a blockchain parameter of the target blockchain, in which the blockchain parameter indicates one or more requirements for authorization information used to join the target blockchain; generating blockchain authorization information based on the blockchain parameter and the user information, in which the blockchain authorization information conforms to the one or more requirements; and sending the blockchain authorization information to the client.
    Type: Grant
    Filed: February 27, 2020
    Date of Patent: September 29, 2020
    Assignee: Alibaba Group Holding Limited
    Inventors: Yixiang Zhang, Jun Gu
  • Patent number: 10791100
    Abstract: The disclosure relates to systems, methods and devices for secure routing and recording of network data streams passing through a network switch. Specifically, the disclosure relates to systems, methods and devices for reversibly deconstructing networks' OSI L1-L7 in time and space, in the process of selectively recording network data streams for secure access, as well as providing external rule-based security auditing and functioning as a black-box in industry-specific applications.
    Type: Grant
    Filed: March 10, 2018
    Date of Patent: September 29, 2020
    Assignee: OVSECURE LTD.
    Inventor: Oleg Vaisband
  • Patent number: 10790984
    Abstract: A method for user credential location using prefix matching is described. In one embodiment, the method may include enabling a user to generate remotely a cryptographic hash of a user credential of the user, receiving a portion of the cryptographic hash from the user, comparing the portion of the cryptographic hash with a plurality of cryptographic hashes of user credentials stored at a database, determining whether a match exists between the portion of the cryptographic hash and at least one of the plurality of cryptographic hashes, and transmitting a notification to the user indicating whether the user credential is stored at the database based at least in part on a result of the comparing.
    Type: Grant
    Filed: March 21, 2018
    Date of Patent: September 29, 2020
    Assignee: ALTIRIS, INC.
    Inventor: Adam J. Stiles
  • Patent number: 10785023
    Abstract: An apparatus and method for managing meter data. The apparatus for managing meter data includes a metering unit for acquiring meter data from a target device based on time information; a communication unit for receiving a message including the time information from a server device and transmitting the meter data to the server device; and a security unit for creating a private key using the time information and encrypting the meter data using the private key.
    Type: Grant
    Filed: June 4, 2018
    Date of Patent: September 22, 2020
    Assignee: ELECTRONICS AND TELECOMMUNICATIONS RESEARCH INSTITUTE
    Inventors: Hong-Il Ju, Young-Ho Kim, Yun-Kyung Lee, Bo-Heung Chung, Jeong-Nyeo Kim, Jae-Deok Lim
  • Patent number: 10778423
    Abstract: Described is a system for biometric based security. The system converts biometric data into a cryptographic key using a reusable fuzzy extractor process. The reusable fuzzy extractor process comprises a generation process and a reconstruction process. The generation process takes as input a public parameter and a first biometric input and outputs a public helper string and a first random string. The reconstruction process takes as input a public helper string and a second biometric input and outputs a second random string. The reusable fuzzy extractor process is reusable such that multiple public helper strings do not reveal any information about the first biometric input and the first random string. Secured data is unlocked by applying the cryptographic key for biometric security of access to secured data.
    Type: Grant
    Filed: May 15, 2018
    Date of Patent: September 15, 2020
    Assignee: HRL Laboratories, LLC
    Inventors: Chongwon Cho, Karim El Defrawy, Daniel C. Apon, Jonathan Katz
  • Patent number: 10771246
    Abstract: Systems and methods allow taking advantage of the natural statistical variation of physical properties in a semiconductor device in order to create truly random, repeatable, and hard to detect cryptographic bits. This may be accomplished by recursively pairing mismatch values of Physically Unclonable Functions (PUF) elements so as to ensure that generated PUF key bits remain insensitive to environmental errors, without affecting the utilization rate of available PUF elements. The pairing process may be applied to any given hardware to generate more stable PUF bit sequences that provide a higher margin of error, increase the number of bits for a given margin of error, or any combination thereof.
    Type: Grant
    Filed: September 14, 2016
    Date of Patent: September 8, 2020
    Assignee: Maxim Integrated Products, Inc.
    Inventor: Sung Ung Kwak
  • Patent number: 10769259
    Abstract: A method for keystroke-based behavioral verification of user identity of a subject user of a computer system includes obtaining an enrollment signature corresponding to an identified user and serving as a unique identifier of the identified user, the enrollment signature including an enrollment determinate vector generated based on supplying enrollment keystroke data to a deep neural network for processing. The method further includes obtaining verification determinate vector(s), the verification determinate vector(s) for comparison to the enrollment signature to determine whether the subject user is the identified user.
    Type: Grant
    Filed: April 10, 2018
    Date of Patent: September 8, 2020
    Assignee: ASSURED INFORMATION SECURITY, INC.
    Inventors: Jacob Baldwin, Ryan Burnham, Robert Dora, Andrew Meyer, Robert Wright
  • Patent number: 10764069
    Abstract: The present disclosure relates to a PUF apparatus and method for generating a persistent, random number. The generated number is random in that each particular instance of PUF apparatus should generate a randomly different number to all other instances of PUF apparatus, and is persistent in that each particular instance of the PUF apparatus should repeatedly generate the same number, within acceptable error correction tolerances. The persistent, random number is determined by selecting one or more PUF cells, each comprising a matched pair of transistors that are of identical design, and comparing an on-state characteristic of the pair (e.g., turn-on threshold voltage or gate-source voltage). The difference in on-state characteristic of each selected pair of transistors is caused by random manufacturing differences between the transistors. This causes the randomness between each different instance of PUF apparatus, and should be relatively stable over time to provide persistence of the generated number.
    Type: Grant
    Filed: March 8, 2019
    Date of Patent: September 1, 2020
    Assignee: Analog Devices International Unlimited Company
    Inventor: Jonathan Ephraim David Hurwitz
  • Patent number: 10764063
    Abstract: Techniques to facilitate protecting control data used in an industrial automation environment are disclosed herein. In at least one implementation, an encryption key pair is generated for an industrial controller, wherein the encryption key pair comprises a public key and a private key. The private key is stored within a secure storage system of the industrial controller. Controller program content is then encrypted using the public key to generate encrypted controller content. The encrypted controller content is then provided to the industrial controller, and the industrial controller is configured to decrypt the encrypted controller content using the private key and execute the controller program content.
    Type: Grant
    Filed: March 13, 2017
    Date of Patent: September 1, 2020
    Assignee: Rockwell Automation Technologies, Inc.
    Inventors: Jack Michael Visoky, Kevin Fonner, Eugene Mourzine
  • Patent number: 10764029
    Abstract: A method of asymmetrical encryption and transferring encrypted data is provided that incorporates the Lucente Stabile Atkins Cryptosystem (“LSA” algorithm). This algorithm uses certain properties of mathematical objects called “groups”. Groups are sets of elements that are equipped with an operator and have the closure, associativity, identity, and invertibility properties. The LSA algorithm uses groups to encrypt and decrypt (secret sharing) any kind of symbolic information between two or more parties.
    Type: Grant
    Filed: May 6, 2019
    Date of Patent: September 1, 2020
    Inventors: Carey Patrick Atkins, Francesco Lucente Stabile
  • Patent number: 10762233
    Abstract: A wearable device includes a user information obtainer configured to obtain user information, a controller configured to selectively generate, in response to a user being authenticated based on the user information, an encryption key for encryption of content of an external device; and a communicator configured to transmit the encryption key to the external device.
    Type: Grant
    Filed: October 12, 2017
    Date of Patent: September 1, 2020
    Assignee: SAMSUNG ELECTRONICS CO., LTD.
    Inventors: Samir Kant Sahu, Jae-sick Shin, Hun-je Yeon, Mohammad Zuberul Islam, Min-suk Choi, Nam-suk Lee, Hak-su Jeong
  • Patent number: 10754618
    Abstract: A random number generation device includes conductive lines including interruptions and a number of conductive vias. A via is located at each interruption. Each via randomly fills or does not fill the interruption. A circuit is capable of determining the electric continuity or lack of continuity of the conductive lines.
    Type: Grant
    Filed: July 16, 2018
    Date of Patent: August 25, 2020
    Assignees: STMicroelectronics (Rousset) SAS, STMicroelectronics (Crolles 2) SAS
    Inventors: Benoit Froment, Sebastien Petitdidier, Mathieu Lisart, Jean-Marc Voisin
  • Patent number: 10747639
    Abstract: A monitoring device includes: a PUF-information acquiring unit acquiring PUF-information; a first PUF-information change value calculating unit calculating a degree of change from PUF-information acquired at a previous time to PUF-information acquired at a current time as a first PUF-information change value; a second PUF-information change value calculating unit calculating a degree of change from initial PUF-information to the PUF-information acquired at the current time as a second PUF-information change value; an unauthorized use determining unit comparing the first PUF-information change value with a first threshold and determining that there is unauthorized use of the predetermined monitoring target device when the first PUF-information change value is greater than the first threshold; and a deterioration determining unit comparing the second PUF-information change value with a second threshold and determining that the predetermined monitoring target device has deteriorated when the second PUF-informati
    Type: Grant
    Filed: February 5, 2019
    Date of Patent: August 18, 2020
    Assignee: MITSUBISHI HEAVY INDUSTRIES, LTD.
    Inventors: Naruhisa Kameo, Fumikado Anzai, Etsuji Nishimae