Abstract: A method, a computer program product, and a system for embedding a message in a random value. The method includes generating a random value and applying a hash function to the random value to produce a hash value. Starting with the hash value, the method further includes reapplying the hash function in an iterative or recursive manner, with a new hash value produced by the hash function acting as an initial value that is applied to the hash function for a next iteration, until a bit sequence representing a message is produced in a message hash value. The method further includes utilizing the message hash value as a new random value that can be used by an encryption algorithm.

Abstract: Systems and methods directed to a third-party gateway that controls egress traffic from Internet Data Centers (IDC) and/or Virtual Private Clouds (VPC) are described. When egress traffic reaches the third-party gateway, a forward proxy may obtain a service identified or otherwise associated with the source IP address and port. Once, the service is identified, the third-party gateway may obtain a configuration rule specified by a rule manager to determine if the service is allowed to access the destination host(s). If the destination host is approved for the service, the forward proxy may send the traffic to the internet. If the destination host is not approved for the service, the forward proxy may block or otherwise drop the respective communication. In some examples, one or more auditors or auditing agencies may access essential information from the third-party gateway to view egress traffic logs and verify egress traffic approved destinations.

Abstract: A method for being allocated a discovery resource by a user equipment (UE) in a communication system supporting a device to device (D2D) scheme is provided. The method includes determining whether a discovery resource request message may be transmitted to a network entity; transmitting the discovery resource request message to the network entity based on the determining result; and receiving a discovery resource response message as a response message to the discovery resource request message from the network entity.

Abstract: Verification of a data recipient is disclosed, including: sending, to a server, a request for requested information, wherein the request includes identifying information associated with a user; receiving, from the server, at least two pieces of information over different transmission channels; sending, to the server, recovered security data that is generated based at least in part on the at least two pieces of information, wherein the server is configured to determine whether the recovered security data matches stored security data; receiving, from the server, protected requested information associated with the request; and using the recovered security data to recover unprotected requested information based at least in part on the protected requested information.

Abstract: Systems and methods are disclosed for securing a network, for admitting new nodes into an existing network, and/or for securely forming a new network. As a non-limiting example, an existing node may be triggered by a user, in response to which the existing node communicates with a network coordinator node. Thereafter, if a new node attempts to enter the network, and also for example has been triggered by a user, the network coordinator may determine, based at least in part on parameters within the new node and the network coordinator, whether the new node can enter the network.

Abstract: Systems and methods are disclosed herein for a user to use a trusted device to provide sensitive information to an identity provider via QR (Quick Response) code for the identity provider to broker a website login or to collect information for the website. A user may securely transact with the website from unsecured devices by entering sensitive information into the trusted device. The identity provider may generate the QR code for display by the website on an unsecured device. A user running an application from the identity provider on the trusted device may scan the QR code to transmit the QR code to the identity provider. The identity provider may validate the QR code and may receive credential information to authenticate the user or may collect information for the website. Advantageously, the user may perform a safe login to the website from untrusted devices using the trusted device.

Abstract: Provided is a detection device which is suitable for receiving a service within a network assembly, having the following:—means for providing cryptographic security at or above the transport level of the communication protocol levels which can be used in the network assembly for at least one first existing communication connection between the detection device and a network access device which is arranged in the network assembly and which can be used to monitor data detected by the detection device and/or control an additional device within the network assembly using the data detected by the detection device,—means for generating and/or determining network access configuration data for at least one additional second communication connection, which is to be cryptographically secured below the transport level, between the detection device and the network access device,—means for providing the generated and/or determined network access configuration data to the network access device.

Abstract: Novel tools and techniques might provide for implementing secure communications for IoT devices. In various embodiments, a gateway or computing device might provide connectivity between or amongst two or more Internet of Things (“IoT”) capable devices, by establishing an IoT protocol-based, autonomous machine-to-machine communication channel amongst the two or more IoT capable devices. For sensitive and/or private communications, the gateway or computing device might establish a secure off-the-record (“OTR”) communication session within the IoT protocol-based, autonomous machine-to-machine channel, thereby providing encrypted machine-to-machine communications amongst the two or more IoT capable devices, without any content of communications that are exchanged amongst the IoT capable devices over the secure OTR communication session being recorded or logged.

Abstract: A system includes a user computing device with an application for removal of privacy data. The application obtains vehicle information associated with a target vehicle that has a target in-vehicle device from which privacy information of a user is to be removed. Using the vehicle information, the application determines vehicle parameters associated with the target vehicle. The application obtains a privacy information removal file comprising an instruction set associated with removing privacy data from candidate in-vehicle devices, and presents the instruction set. A user experience feedback associated with the candidate in-vehicle devices is obtained and stored in a database.

Abstract: Techniques for verifiable computation for cross-domain information sharing are disclosed. An untrusted node in a distributed cross-domain solution (CDS) system is configured to: receive a first data item and a first cryptographic proof associated with the first data item; perform a computation on the first data item including one or more of filtering, sanitizing, or validating the first data item, to obtain a second data item; generate, using a proof-carrying data (PCD) computation, a second cryptographic proof that indicates (a) validity of the first cryptographic proof and (b) integrity of the first computation on the first data item; and transmits the second data item and the second cryptographic proof to a recipient node in the distributed CDS system. Alternatively or additionally, the untrusted node may be configured to transmit a cryptographic proof to a trusted aggregator in the CDS system.

Abstract: A first network device may install a receiving key for decrypting traffic on protocol hardware associated with a data plane of the first network device. The first network device may receive, from the data plane, a first notification indicating that the receiving key is installed on the protocol hardware and may provide, to a second network device, a first message identifying the receiving key. The first network device may receive, from the second network device, an acknowledgment message indicating that the receiving key is installed on the second network device and may install a transmission key for encrypting traffic on the protocol hardware. The first network device may receive, from the data plane, a second notification indicating that the transmission key is installed on the protocol hardware and may provide, to the second network device, a second message identifying the transmission key.

Abstract: This document describes a module and method for authenticating data transfer between a storage device and a host device. The module is configured to allow encrypted data to be exchanged between the storage device and the host device once the module has verified that the storage device has been correctly paired with an authorized host device whereby the verification step does not require a password to be manually entered or an additional external device to be attached.

Abstract: Described is a system for maintaining dual-party authentication requirements for data retention compliance in a distributed storage environment that includes servers or nodes with remote access components. When administering a data retention policy, an operating system component may require a dual-party authentication mechanism to prevent data deletion, while a different authentication mechanism may control access to the remote access components. Access to the remote access component by a single privileged user, however, may enable overriding or compromising the retention lock compliance implemented by the operating system. Accordingly, the system may tie the dual-party authentication requirement to the authentication mechanism of the remote access components.

Abstract: An information processing apparatus in which a plurality of applications operate is provided. The apparatus comprises a verification unit that verifies whether or not an application can be trusted; and a controller that controls the application, wherein during the execution of a first application executed in response to a user instruction, the controller causes the verification unit to verify a second application that the first application dynamically imports, before the second application is loaded.

Abstract: Systems and methods for performing data protection operations including garbage collection operations and copy forward operations. For deduplicated data stored in a cloud-based storage or in a cloud tier that stores containers containing dead and live segments or dead and live regions such as compression regions, the dead compression regions are deleted by copying the live compression regions into new containers and then deleting the old containers. The copy forward is based on a recipe from a data protection system and is performed using a serverless approach.

Abstract: A computerized method for analyzing an object is disclosed. The computerized method includes performing, by a first cybersecurity system, a first malware analysis of the object, wherein a first context information is generated by the first cybersecurity system based on the first malware analysis. The first context information includes at least origination information of the object. Additionally, a second cybersecurity system, obtains the object and the first context information and performs a second malware analysis of the object to determine a verdict indicating maliciousness of the object. The second malware analysis is based at least in part on the first context information. The second cybersecurity system generates and issues a report based on the second malware analysis, the report including the verdict.

Abstract: Method and apparatus for virtualized environment where virtual computing instances interface a service platform operated on a physical computing apparatus are disclosed. A new virtual computing instance interfacing the service platform can be created, the created new virtual computing instance belonging to a class of virtual computing instances. At least one security credential is obtained from a storage of security credentials associated with the class of the new virtual computing instance. Data communicated with at least one further computing instance is secured based on the obtained at least one security credential.

Abstract: A blockchain-based method for document transformation and accountability is provided. Document templates for real property transfer are maintained. Each template includes data fields. Some of the document templates are collected as transaction documents for a transaction for the property transfer. The data fields are populated with received data values. Compliance checking is performed on the populated data values. The checked transaction documents are provided to a network having a first tier of network nodes and a second tier of supernodes. One of the supernodes is selected to validate the transaction documents. The validated transaction documents are added to a ledger of transactions. A hash of the validated transaction documents is transmitted to the first tier. One of the network nodes is selected to commit the hash to a blockchain of the first tier. The hash is committed to copies of the blockchain.

Abstract: Methods, systems, and media for providing dynamic media sessions with audio stream expansion features are provided. In some embodiments, the methods include: receiving an indication that audio content associated with a video content item is to be presented by a follower device synchronously with the audio content presented by the leader device; identifying candidate follower devices by determining whether devices connected to a local area network are capable of being designated as a follower device; causing a user interface to be presented that indicates each candidate follower device; receiving, via the user interface, a selection of one of the candidate follower devices; and transmitting, from the leader to the selected follower device, control instructions that cause the audio content associated with the video content item to be presented synchronously by the selected follower device with the video content item presented by the leader device.

Abstract: Methods and apparatus to monitor media presentations are disclosed. Example methods disclosed herein include presenting information via a display of a media device, the information indicating that monitor software in the media device can be enabled, the monitor software to monitor media presented by the media device, the monitor software to be disabled by default. Disclosed example methods also include detecting a first user input that is to authorize the monitor software in the media device to be enabled, and in response to detection of the first user input: (i) enabling the monitor software in the media device to generate and report at least one of video fingerprints, audio fingerprints, video watermarks or audio watermarks representative of media presented by the media device, and (ii) transmitting, via a network interface, a notification to a remote monitoring entity to indicate that the monitor software in the media device has been enabled.

Abstract: A system that provides responses to requests obtains a key that is used to digitally sign the request. The key is derived from information that is shared with a requestor to which the response is sent. The requestor derives, using the shared information, derives a key usable to verify the digital signature of the response, thereby enabling the requestor to operate in accordance with whether the digital signature of the response matches the response.

Abstract: A method and apparatus include including, in a moving pictures experts group (MPEG) dynamic adaptive streaming over hypertext transfer protocol (DASH) media presentation description (MPD) file, an initialization presentation element that identifies an initialization presentation and one or more initialization groups included in the initialization presentation. An initialization group element that identifies an initialization group and one or more initialization sets included in the initialization group is included in the MPD file. An initialization set element that identifies an initialization set is included in the MPD file. The MPD file is transmitted to a client device.

Abstract: Methods, systems, techniques, and devices for smart factory reset procedures are described. In accordance with examples as disclosed herein, a memory system may receive one or more commands associated with a reset procedure. The memory system may identify, in response to the one or more commands, a first portion of one or more memory arrays of the memory system as storing user data and a second portion of the one or more memory arrays as storing data associated with an operating system. The memory system may update a mapping of the memory system based on identifying the first portion and the second portion. The memory system may transfer the data associated with the operating system to a third portion of the one or more memory arrays and perform an erase operation on a subset of physical addresses of the set of physical addresses.

Abstract: Disclosed herein are systems and method for performing secure computing while maintaining data confidentiality. In one exemplary aspect, a method receives, via an application, both data and a request to perform a secure operation on the data, wherein the secure operation is to be performed using a secure compute engine on a cloud platform such that the data is not viewable to a provider of the cloud platform. The method applies transformations to the data so that the data is not viewable to the provider. The method transmits the transformed data to the secure compute engine on the cloud platform to perform the secure operation on the transformed data, receives a result of the secure operation from the secure compute engine, and transmits the result to the application.

Abstract: A request is received from a trusted application to authorize a client application that requests a service offered by the trusted application. Whether the client application is authorized to access the trusted application is determined in view of the request. An authentication of a user of the client application is caused in response to determining the client application is authorized to access the trusted application. An authorization result is returned to the trusted application in view of the determining and the authentication.

Abstract: Aspects of the disclosure include methods, apparatuses, and non-transitory computer-readable storage mediums for receiving media data. One apparatus includes processing circuitry that receives a media presentation description (MPD) file that includes an essential property descriptor for session-based dynamic adaptive streaming over hypertext transfer protocol (DASH). The essential property descriptor indicates a session-based description (SBD) file and includes a set of keys for a part of a uniform resource locator (URL) that is used for receiving the media data. The processing circuitry determines a respective value for each of the set of keys based on whether the respective value is included in the SBD file and modifies the URL based on the set of keys and the determined values.

Abstract: A mobile network operator (MNO) uses a provisioning server to update or install profile content in a profile or electronic subscriber identity module (eSIM). In an exemplary embodiment, the profile is present on a secure element such as an embedded universal integrated circuit card (eUICC) in a wireless device. One or more MNOs use the provisioning server to perform profile content management on profiles in the eUICC. In some embodiments, an MNO has a trust relationship with the provisioning server. In some other embodiments, the MNO does not have a trust relationship with the provisioning server and protects payload targeted for an MNO-associated profile using an over the air (OTA) key.

Abstract: An approach for operating at least one touch-sensitive, flat input device of a complete device, the input device being connected via a message-based bus connection to a control device of the complete device, and messages containing touch datasets describing touch data events being transmitted to the control device, which evaluates the messages for input information for an application program implemented by the control device, wherein when a security function in the control device that queries sensitive input information is accessed, the touch datasets are transmitted from the input device to the control apparatus via the bus connection in encrypted form until the associated input process has ended.

Abstract: Methods and systems for contingency communication are disclosed. In one embodiment, a method for providing emergency services may be performed by a base station operating in a communication system in an embodiment, the method for providing emergency services includes transmitting a beacon signal to indicate an emergency status to enable portable devices to operate in a stress mode. A distress signal may be transmitted by a mobile device in response to the beacon signal to the base station, wherein the distress signal carries information at least comprising user identity associated with the mobile device, geolocation of the mobile device, or biometrics of a user of the mobile device.

Abstract: Techniques for modifying queries in a set of nested queries are disclosed. A graphical user interface displays a query detail region alongside a nested query display region. The graphical user interface includes functionality to provide for modification of queries in the nested set of queries. Based on a selection by a user, a query modification tool promotes a query attribute from a child query to one or more parent queries. Based on another selection by a user associated with one query in the set of nested queries, the system deletes an attribute from each query in the set of nested queries. Responsive to a selection to create multiple conditions for a query rule, the system modifies the functionality of the user interface to enable entry of multiple condition characteristics. Based on a further selection, the system creates the multiple conditions for the query rule.

Abstract: A system, method and computer-readable medium provide secure communication between a first and a second computer system based on supersingular isogeny elliptic curve cryptography. The first computer system and the second computer system each determine kernels KA and KB including computing mP+nQ by accessing a lookup table stored in a memory that contains a range of doubles of an end point of the respective kernels, where P and Q are points on the public elliptic curve and m and n are integers. The first computer system and the second computer system compute secret isogenies by determining a respective kernel KBA and KAB using mixed-base multiplicands with a single inversion, including computing the respective kernel KBA and KAB by converting the multiplicands to base 32, and computing scalar multiplications using the base 32 multiplicands.

Abstract: Described embodiments provide systems and methods for establishing an end-to-end cryptographic context. A service node may be located intermediary between a client and server which provides a service to the client. At least one network device may be located intermediary between the service node and the server. The service node may obtain information for validating the service. The service node may establish an end-to-end cryptographic context between the service node and server through the network device(s). A first network device of the network device(s) may share a cryptographic context with the service node, which existed prior to establishment of the end-to-end cryptographic context. The service node may transmit a message to the network device encrypted using the first cryptographic context. The encrypted message may inform the first network device to pass through traffic that is encrypted using the end-to-end cryptographic context.

Abstract: A method including determining an assigned key pair associated with a device, the assigned key pair including an assigned public key and an associated assigned private key; determining an access key pair associated with content to be encrypted, the access key pair including an access public key and an associated access private key; encrypting the access private key using a combination encryption key determined based at least in part on the access private key and the assigned public key; encrypting a randomly generated key by utilizing the access public key; and encrypting the content utilizing the randomly generated key. Various other aspects are contemplated.

Abstract: Techniques for risk evaluation include receiving, from a requesting entity, a request for monitoring target entities specifying a first identifier associated with each target entity and target entity information. The system generates a second identifier and a third identifier for each target entity and stores a mapping of the second identifiers to the first identifiers and the third identifiers, preventing the second identifiers from being provided to the requesting entity. The system monitors a periodically updated data set and determines risk metrics for the target entities, comparing each risk metric to a threshold value to identify target entities whose risk data indicates an insider threat. The system generates a third identifier for the identified target entities and provides the third identifiers to the requesting entity. Responsive to a request for a corresponding first identifier, the system identifies and provides the first and third identifiers to the requesting entity.

Abstract: A system and method for controlling access to a message after communication. A sender sends an encrypted message to a recipient. The sender also sends an encryption key and the identity of the recipient to a services component. The recipient authenticates its access rights with the services component to obtain the encryption key. The key is held for a period of time for the recipient to access the encrypted message. The recipient may re-authenticate with the services component to again obtain the key to subsequently access the message. The sender may revoke or reinstate the receiver's access to the message by updating the service component.

Abstract: Techniques for implementing a key vault as an enclave are presented. The techniques include securely storing, in a key vault enclave, a key for an encryption system according to a key use policy; sending an vault attestation report of a key vault enclave to a vault client; and performing an operation in the key vault enclave with the key. Some embodiments further include receiving, at the key vault enclave, a client attestation report of the vault client wherein the vault client and key vault enclave are hosted on different native enclave platforms.

Abstract: An assigning device (100) for assigning fixed identifiers to fuzzy identifiers, the assigning device comprising a database storing multiple fuzzy identifiers, and a matching unit (130) arranged to determine if a matching fuzzy identifier exists in the database that matches a fuzzy input identifier according to a matching criterion and to determine if a matching fuzzy identifier does not exist in the database according to an absent criterion.

Abstract: A method for Multipath Quick User Datagram Protocol (UDP) Internet Connections (MPQUIC) over Quick SOCKS (QSOCKS) in a wireless network is provided. The method includes receiving, by a QSOCKS server, a Client Hello (CHLO) message from a QSOCKS client device using a QSOCKS method tag, wherein the CHLO message comprises a plurality of client-supported SOCKS Authentication (AUTH) procedures, selecting, by the QSOCKS server, a candidate client-supported SOCKS AUTH procedure from the plurality of client-supported SOCKS AUTH procedures, and transmitting, by the QSOCKS server, a reject packet using the QSKM tag to the QSOCKS client device, wherein the reject packet includes information indicating the selected candidate client-supported SOCKS AUTH procedure.

Abstract: Systems and methods for token secured routing are disclosed. An outbound routing table is maintained. A first token state is determined. A token value is determined based on the determined token state. First and second portions of the token value are identified. The first message is encrypted using the second portion of the first token value. A first packet is generated that includes the first portion as a token and includes the encrypted first message. The first packet is sent to the second node based on the second outbound routing entry in the outbound routing table.

Abstract: A system can control access to encrypted data shared by a group of users by the use of a vault key that is associated with a group of users. The encrypted data can include encrypted secret data generated from the secret data using a secret key, an encrypted secret key can be generated from the secret key by the use of a vault key, and an encrypted vault key generated from the vault key by the use of a public key associated with a user of the group of users. The system can allow users to store and access the encrypted data only if the user is a current member of the group. The system can verify the user's membership status from a group manager, such as a system managing a channel or chat session.

Abstract: A system is provided for facilitating access to data stored in a cloud-based storage service. Data associated with a user account is stored at the cloud-based storage service. A portion of the data is associated with a heightened authentication protocol. A request for an application to receive data that is associated with the heightened authentication protocol is received at the cloud-based storage service. In response to the request, the request is authenticated based on the heightened authentication protocol. In response to authenticating the request, permission is granted for the application to receive the data that is associated with the heightened authentication protocol. In response to a locking of the data that is associated with the heightened authentication protocol, an indication that the data is unavailable is sent to the application.

Abstract: A computer implemented method of generating cryptographic keys for a hardware security module (HSM), the method including generating a plurality of cryptographic keys and storing the cryptographic keys for use by the HSM in providing cryptography functions, wherein the cryptographic keys are generated based on numerical data generated by a hardware random number generator, such that a rate of generation of the cryptographic keys unconstrained by the resources of the HSM, wherein the hardware random number generator operates based on a plurality of statistically random entropy data sources originating from natural phenomena so as to increase a degree of randomness of the numerical data.

Abstract: In example embodiments, systems and methods extract a model of a computer application during load time and store the model in memory. Embodiments may insert instructions into the computer application at run time to collect runtime state of the application, and analyze the collected data against the stored model to perform detection of security events. Embodiments may also instrument an exception handler to detect the security events based on unhandled memory access violations. Embodiments may, based upon the detection of the security events, dynamically respond, such as by modify a computer routine associated with an active process of the computer application. Modification may include installing or verifying an individual patch in memory associated with the computer application.

Abstract: The present disclosure describes techniques for storing encrypted files in a secure file repository and transferring those encrypted files to one or more recipients. A user selects a file to upload to a secure file repository. A secure collaboration app on the user's device generates a first encryption key that is used to encrypt the file. The encrypted file is then uploaded to the secure file repository, which provides the secure collaboration app with a random file name and a location of the encrypted file. The secure collaboration app updates locally stored metadata of the first encrypted file. To securely transfer the file, the user generates a second encryption key, encrypts the metadata with the second encryption key, and transmits the encrypted metadata to one or more receivers. The one or more receivers decrypt the encrypted metadata and use the decrypted metadata to retrieve the file and decrypt it.

Abstract: A device-management system performs processing, such as audio processing, in an instance of a virtual machine corresponding to a functionally limited (local) device. To register the user device, the device-management system receives a registration request that includes device information, encryption data, and an indication of an associated user account. The device-management system then sends this registration data to a service-provider system, which returns a shared encryption key. The device-management system and the user device may use this shared encryption key to securely communicate. The device-management system may de-allocate the instance upon detecting a period of inactivity of the user device and may re-allocate the instance when new activity is detected. The device-management system may further determine when and if audio data to be sent to the user device is encoded using a codec not implemented by the user device.

Abstract: In general, embodiments of the present invention provide systems and computer readable media for implementing a single data integration platform that supports multiple data access interfaces to a single corpus of stored dynamic data collected from multiple data sources. In embodiments, the data integration platform includes a record tables layer that stores a group of data records and supports a CRUD interface for accessing the data records; a resolution mapping layer that stores a set of entities generated by a many-to-one mapping of data records to entities using entity resolution; and an entities layer that stores resolved entities which may be accessed via either a search interface based on search criteria or a hybrid search interface that supports “get via record id” queries.

Abstract: The invention relates to an authentication method. The method comprises: collecting, based on a predetermined authentication policy, at least one context data element; constituting, based on the at least one collected context data element, a data packet; generating, by using a predetermined hash type algorithm and the data packet, as input to the predetermined hash type algorithm, a hash; sending the generated hash; generating, as a hash distance generation step, a hash distance between the generated hash and a predetermined reference hash; and authenticating successfully or not based on the generated hash distance, as an authentication step. The invention also relates to corresponding device and system.

Abstract: The technology disclosed herein provides an enhanced cryptographic access control mechanism that uses a cryptographic keys that are based on location data. An example method may include: determining location data of a computing device; transforming the location data in view of conversion data associated with the computing device, wherein the conversion data causes a set of alternate location data values to transform to a specific cryptographic value; creating, by a processing device, a cryptographic key in view of the transformed location data; and using the cryptographic key to enable access to a protected resource.

Abstract: A method and devices for securely and privately generating a threshold vault address and distributed individual key shares reliant upon individually selected polynomial functions, without revealing the key shares and without ever reconstructing the private key. A digital asset stored at the threshold vault address may be used as an input to a transaction through generating a digital signature corresponding to the threshold vault address. Methods and devices are described for collaboratively generating the digital signature without reconstructing the private key or revealing individual key shares. Methods and devices are described for refreshing the distributed private key shares.

Abstract: An encryption key generating engine includes a random number pool, an entangling string generator, and a control circuit. The random number pool stores a plurality of random bits, and values of the plurality of random bits are generated randomly. The entangling string generator provides an entangling string according to an input key. The control circuit is coupled to the random number pool and the entangling string generator. The control circuit retrieves a sequence of random bits from the plurality of random bits stored in the random number pool according to the input key, receive the entangling string from the entangling string generator, and entangle the entangling string with the sequence of random bits to generate a secret key.