Multicast Patents (Class 713/163)
  • Patent number: 11949530
    Abstract: Systems and methods for providing multicast group (MCG) membership relative to partition membership in a high performance computing environment. In allowing a subnet manager of a local subnet to be instructed that all ports that are members of the relevant partition should be set up as members for a specific multicast group, the SM can perform a more efficient multicast-routing process. It is also possible to limit the IB client interaction with subnet administration conventionally required to handle join and leave operations. Additionally, subnet manager overhead can be reduced by creating a spanning tree for the routing of multicast packets that includes each of the partition members added to the multicast group, instead of creating a spanning tree after each multicast group join request is received, as conventionally required.
    Type: Grant
    Filed: November 19, 2021
    Date of Patent: April 2, 2024
    Assignee: ORACLE INTERNATIONAL CORPORATION
    Inventors: Bjørn Dag Johnsen, Bartosz Bogdanski, Line Holen
  • Patent number: 11902775
    Abstract: Rotation of a wireless client device address is based on an encryption key and a nonce value. Key information and nonce value information are shared between a wireless client device and a network infrastructure component over a secure communication channel. The wireless client device encrypts the nonce value using the key information and encodes the encrypted value as a device address. The wireless client device then identifies itself via a source address value in a message transmitted over a wireless network. Upon receiving the message, the network infrastructure component decrypts information derived from the source address value and compares the resulting data to the nonce value. If a match is identified, the network infrastructure identifies the wireless client device as a source of the message. In some embodiments, the nonce value is updated with each rotation to provide for improved entropy of generated device addresses.
    Type: Grant
    Filed: May 28, 2021
    Date of Patent: February 13, 2024
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Jerome Henry, Stephen Michael Orr, Robert E. Barton
  • Patent number: 11902388
    Abstract: In an example, there is disclosed a system and method for providing a service-oriented architecture, including request/response, over a publish/subscribe framework. In one embodiment, a system is disclosed for adding layers upon a publish/subscribe messaging framework for sophisticated messaging such as point-to-point (request/response) and the ability to query for available services, in a reliable, scalable manner.
    Type: Grant
    Filed: July 23, 2021
    Date of Patent: February 13, 2024
    Assignee: Musarubra US LLC
    Inventors: Christopher Smith, Sudeep Das
  • Patent number: 11855767
    Abstract: A method for distributing encrypted cryptographic data includes receiving, by a key service, from a first client device, a request for a first public key. The method includes transmitting, by the key service, to the first client device, the first public key. The method includes receiving, by the key service, from an access control management system, an encryption key encrypted with the first public key and a request from a second client device for access to the encryption key. The method includes decrypting, by the key service, the encrypted encryption key, with a private key corresponding to the first public key. The method includes encrypting, by the key service, the decrypted encryption key, with a second public key received from the second computing device. The method includes transmitting, by the key service, to the second client device, the encryption key encrypted with the second public key.
    Type: Grant
    Filed: November 1, 2021
    Date of Patent: December 26, 2023
    Inventor: William R. Ackerly
  • Patent number: 11838409
    Abstract: The invention relates to a method for transferring data in a publish-subscribe system (100) comprising a key distribution server (200) and a plurality of communication devices (101, 102, 103, 104) which can be coupled to the key distribution server (200) and which comprise at least one server device and a number of client devices.
    Type: Grant
    Filed: October 17, 2019
    Date of Patent: December 5, 2023
    Assignee: Siemens Aktiengesellschaft
    Inventors: Kai Fischer, Steffen Fries
  • Patent number: 11770707
    Abstract: A system comprises an interface and a processor. The interface is configured to provide a request to join a publish group from a client or a point to point communication link of a lattice mesh; and receive a group key or a host public key. The processor is configured to determine whether a message has been received; in response to the message having been received, determine whether the message is to be sent on; in response to the message being determined not to be sent on, decode the message using the group key or the host public key; determine whether to store the message in a backfill database; in response to determining to store the message in the backfill database, store the message in the backfill database.
    Type: Grant
    Filed: March 10, 2022
    Date of Patent: September 26, 2023
    Assignee: Anduril Industries, Inc.
    Inventors: Jared Newman, Ryan Brown, Brian W. Schimpf, Palmer F. Luckey, Julian Hammerstein, Travis M. Whitaker, Jason Levin, Joseph Chen
  • Patent number: 11716367
    Abstract: An apparatus for monitoring a multicast group is provided. The apparatus includes a storage, a receiver and an operation processor. The storage is configured to store first data including a first authenticated message authenticated as being published by a publisher of the multicast group to n-th data including an n-th authenticated message authenticated as being published by the publisher where n is a natural number of 2 or more. The receiver is configured to receive status data including a first propagation message to be delivered to the multicast group. Further, the operation processor is configured to generate monitoring information including status information of the multicast group by using the status data and the first to n-th data.
    Type: Grant
    Filed: March 19, 2020
    Date of Patent: August 1, 2023
    Assignee: UNIONPLACE CO., LTD.
    Inventors: Seongcheol Bang, Jaewon Cha, Seungchul Kwak
  • Patent number: 11601295
    Abstract: In one example, a system comprises a plurality of non-last-hop routers (non-LHRs) of a network, the non-LHRs configured with a multicast distribution tree for a multicast group to transport first multicast packets of a multicast flow toward one or more LHRs, wherein a router of the non-LHR routers is configured to receive unicast packets for an application session associated with the multicast group, encapsulate the unicast packets in a multicast header to generate the first multicast packets for distribution using the multicast distribution tree, and output the first multicast packets; and the one or more LHRs, wherein the one or more LHRs are interested receivers of the multicast group, and wherein the one or more LHRs are configured to receive the first multicast packets of the multicast flow, extract the unicast packets for the application session, and send the unicast packets to one or more clients of the application session.
    Type: Grant
    Filed: September 23, 2019
    Date of Patent: March 7, 2023
    Assignee: Juniper Networks, Inc.
    Inventors: Ananda Kumar M R, Sameer Seth
  • Patent number: 11575507
    Abstract: A method including determining, by a first device, a sharing encryption key based at least in part on an access private key associated with encrypted content and an assigned public key associated with a second device; encrypting the access private key associated with the encrypted content utilizing the sharing encryption key; and transmitting the encrypted access private key to enable the second device to access the encrypted content. Various other aspects are contemplated.
    Type: Grant
    Filed: September 21, 2021
    Date of Patent: February 7, 2023
    Assignee: UAB 360 IT
    Inventor: Mindaugas Valkaitis
  • Patent number: 11533316
    Abstract: Systems and techniques for information-centric network namespace policy-based content delivery are described herein. A registration request may be received from a node on an information-centric network (ICN). Credentials of the node may be validated. The node may be registered with the ICN based on results of the validation. A set of content items associated with the node may be registered with the ICN. An interest packet may be received from a consumer node for a content item of the set of content items that includes an interest packet security level for the content item. Compliance of the security level of the node with the interest packet security level may be determined. The content item may be transmitted to the consumer node.
    Type: Grant
    Filed: June 27, 2019
    Date of Patent: December 20, 2022
    Assignee: Intel Corporation
    Inventors: Ned M. Smith, Srikathyayani Srikanteswara, Ravikumar Balakrishnan, Rajesh Poornachandran, Moreno Ambrosin
  • Patent number: 11516195
    Abstract: To provide a terminal device that can share a session key for use in encryption communication with multiple terminal devices at a certain timing without relying on an existing server device.
    Type: Grant
    Filed: June 8, 2017
    Date of Patent: November 29, 2022
    Assignee: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
    Inventors: Yuto Kawahara, Hitoshi Fuji, Tetsutaro Kobayashi, Reo Yoshida, Tomohide Yamamoto
  • Patent number: 11500821
    Abstract: A client machine writes to a virtual disk on a remote storage platform. Metadata is generated and stored in replicas on different nodes of the storage platform. A modified log-structured merge tree is used to store and compact string-sorted tables of metadata. During file storage and compaction, a consistent file identification scheme is used across all metadata nodes. A fingerprint file is calculated for each SST (metadata) file on disk that includes hash values corresponding to regions of the SST file. To synchronize, the fingerprint files of two SST files are compared, and if any hash values are missing from a fingerprint file then the key-value-timestamp triplets corresponding to these missing hash values are sent to the SST file that is missing them. The SST file is compacted with the missing triplets to create a new version of the SST file. The synchronization is bi-directional as between distinct computer nodes.
    Type: Grant
    Filed: July 2, 2020
    Date of Patent: November 15, 2022
    Assignee: Commvault Systems, Inc.
    Inventors: Avinash Lakshman, Lasaro Camargos, Deepak Jain
  • Patent number: 11455280
    Abstract: A client machine writes to and reads from a virtual disk on a remote storage platform. Metadata is generated and stored in replicas on different metadata nodes of the storage platform. A modified log-structured merge tree is used to store and compact string-sorted tables of metadata. During file storage and compaction, a consistent file identification scheme is used across all metadata nodes. A fingerprint file is calculated for each SST (metadata) file on disk that includes hash values corresponding to regions of the SST file. To synchronize, the fingerprint files of two SST files are compared, and if any hash values are missing from a fingerprint file then the key-value-timestamp triples corresponding to these missing hash values are sent to the SST file that is missing them. The SST file is compacted with the missing triples to create a new version of the SST file. The synchronization is bi-directional.
    Type: Grant
    Filed: July 2, 2020
    Date of Patent: September 27, 2022
    Assignee: Commvault Systems, Inc.
    Inventors: Avinash Lakshman, Lasaro Camargos, Deepak Jain
  • Patent number: 11455600
    Abstract: One or more embodiments of techniques or systems for intelligent data presentation are provided herein. Data can be presented on similar devices having different characteristics in different manners. For example, data may be rendered in a first manner on a first device having one monitor, the same data may be rendered in a second manner on a second device having two displays or a different display size. Financial information, sales data, banking information, etc. may be presented in a variety of ways based on capabilities or properties of a device accessing the information or data. Similarly, renderings may be selected based on interaction capabilities or interaction options a user may have with different renderings or presentations. In other embodiments, user interaction with an automated teller machine (ATM), call center, vehicle, or other interface can be based on device properties or device capabilities.
    Type: Grant
    Filed: November 30, 2020
    Date of Patent: September 27, 2022
    Assignee: Wells Fargo Bank, N.A.
    Inventors: Stephen M. Ellis, Bipin Sahni, David Hatch, Shahid Razzaq
  • Patent number: 11451516
    Abstract: Systems and methods are described for implementing a device isolation service. A device isolation service creates and administers per-device virtual networks for individual computing devices, thereby isolating the computing devices from each other and limiting device-to-device communication. The device isolation service may further provide a monitored and access-controlled network that facilitates access to the isolated devices, thereby allowing “administrator” devices to access and administer devices while preventing a compromised device from seeing, probing, or compromising other devices on the network. The device isolation service may group devices by category or function, and may put devices that communicate with each other on the same virtual network while isolating other devices to different virtual networks.
    Type: Grant
    Filed: March 25, 2019
    Date of Patent: September 20, 2022
    Assignee: Amazon Technologies, Inc.
    Inventor: Eknath Venkataramani
  • Patent number: 11368325
    Abstract: Systems for communicating over a network and between two or more network connected devices. In particular, the disclosure reveals systems which may utilize multicast communication protocols to facilitate secure communication among one or more network connected devices. A system for secured messaging may include a network system including a first server, a second server and a first node. Further, the first server is configured to authenticate the first node for secure multicast messaging, and the second server is configured to authenticate the first node for secure multicast messaging.
    Type: Grant
    Filed: February 11, 2020
    Date of Patent: June 21, 2022
    Assignee: HONEYWELL INTERNATIONAL INC.
    Inventors: Michal Hojsik, Lukas Pohanka, Harshal Haridas
  • Patent number: 11350277
    Abstract: A system comprises an interface and a processor. The interface is configured to provide a request to join a publish group from a client or a point to point communication link of a lattice mesh; and receive a group key or a host public key. The processor is configured to determine whether a message has been received; in response to the message having been received, determine whether the message is to be sent on; in response to the message being determined not to be sent on, decode the message using the group key or the host public key; determine whether to store the message in a backfill database; in response to determining to store the message in the backfill database, store the message in the backfill database.
    Type: Grant
    Filed: September 16, 2020
    Date of Patent: May 31, 2022
    Assignee: Anduril Industries, Inc.
    Inventors: Jared Newman, Ryan Brown, Brian W. Schimpf, Palmer F. Luckey, Julian Hammerstein, Travis M. Whitaker, Jason Levin, Joseph Chen
  • Patent number: 11317284
    Abstract: A system comprises an interface and a processor. The interface is configured to provide a request to join a publish group from a client or a point to point communication link of a lattice mesh; and receive a group key or a host public key. The processor is configured to determine whether a message has been received; in response to the message having been received, determine whether the message is to be sent on; in response to the message being determined not to be sent on, decode the message using the group key or the host public key; determine whether to store the message in a backfill database; in response to determining to store the message in the backfill database, store the message in the backfill database.
    Type: Grant
    Filed: September 16, 2020
    Date of Patent: April 26, 2022
    Assignee: Anduril Industries, Inc.
    Inventors: Jared Newman, Ryan Brown, Brian W. Schimpf, Palmer F. Luckey, Julian Hammerstein, Travis M. Whitaker, Jason Levin, Joseph Chen
  • Patent number: 11303973
    Abstract: In a method for delivering targeted television advertisements based on online behavior, IP addresses indicating online access devices and IP addresses indicating television set-top boxes are electronically associated for a multitude of users. Using user profile information derived from online activity from one of the online access IP addresses, a television advertisement is selected, such as by using behavioral targeting or demographic information, and automatically directed to the set-top box indicated by the set-top IP address associated with that online access IP address. Preferably neither the user profile information nor the electronic association of online access and set-top box IP addresses includes personally identifiable information.
    Type: Grant
    Filed: July 10, 2020
    Date of Patent: April 12, 2022
    Assignee: INTENT IQ, LLC
    Inventor: Roy Shkedi
  • Patent number: 11271880
    Abstract: A current user lifecycle phase and a desired outcome for a user for a current user lifecycle phase are identified. Messages eligible to be shown to the user are identified based upon the current user lifecycle phase for the user. From the eligible messages, particular messages can be selected for delivery to the user based upon one or more governance rules, user attributes, user activity, seasonality, and/or the desired outcome for the current user lifecycle phase for the user. The selected messages can then be shown to the user. In this manner, relevant messages can be presented to the relevant users at a relevant time.
    Type: Grant
    Filed: January 30, 2019
    Date of Patent: March 8, 2022
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Claire H. Sisson, Diego F. Martinez Diaz, Venkat Pradeep Chilakamarri, Meera A. Kulkarni, FNU Om Krishna, Kiran Kumar Dowluru, Philip Rueker, Vlad Riscutia, Harish Kasina
  • Patent number: 11240010
    Abstract: Systems and techniques are provided for random oracles in open networks. A node computing device of an open network may choose a random secret. The random secret may be a numeric or alphanumeric value. The node computing device may distribute shares of the random secret to node computing devices that are members of essential subsets for the node computing device. The node computing device may receive a share of a random secret from a second node computing device. The node computing device may be a member of an essential subset of the second node computing device. The node computing device may sign a deterministic seed message using the share of the random secret received from the second node computing device to generate a signature share. The node computing device may reveal the signature share and may receive a random value in response.
    Type: Grant
    Filed: February 15, 2019
    Date of Patent: February 1, 2022
    Assignee: Ripple Labs Inc.
    Inventor: Ethan Mac Brough
  • Patent number: 11233771
    Abstract: The present invention relates to a communication interface (200) for supporting communication between a wireless device (101, 102, 103) and a server (121) over a low power wide area network, LPWAN, comprising: an untrusted execution part (201) configured to operate in accordance with an LPWAN communication protocol stack (203) including at least one secured LPWAN protocol using cryptographic primitives; a memory (205) for storing computer code (206) and at least one cryptographic key (207, 208, 209) in an encrypted form; a trusted execution part (202) incorporating a root secret (210) for decrypting the at least one cryptographic key (207, 208, 209) from the memory (205), wherein the trusted execution part (202) is configured to execute the cryptographic primitives of the at least one secured LPWAN protocol using the decrypted cryptographic key and computer code (206) from the memory (205).
    Type: Grant
    Filed: March 2, 2017
    Date of Patent: January 25, 2022
    Assignee: ACTILITY
    Inventor: Olivier Hersent
  • Patent number: 11212673
    Abstract: Techniques for secure team-based communication on existing wireless mesh networks are disclosed. In an example, a first network node receives a network encryption key from a headend system. The first network node receives a sub-group encryption key that is unique to a sub-group of nodes, a sub-group identifier, and a sub-group node list that lists the sub-group of nodes associated with the sub-group identifier. The first network node generates an application layer message for a second node of the sub-group of nodes at an application layer. The first network node encrypts the application layer message using the sub-group encryption key. The first network node generates a team packet that is addressed to a selected node and includes the encrypted application layer message and the sub-group identifier. The first network node encrypts the team packet using the network encryption key and transmits the encrypted team packet to the selected node.
    Type: Grant
    Filed: April 1, 2020
    Date of Patent: December 28, 2021
    Assignee: Landis+Gyr Innovations, Inc.
    Inventors: Pushpesh Kumar Deshmukh, Ashok Mahadevan, Timothy James Rutten, Michael Gerard Demeter, John Bettendorff
  • Patent number: 11196729
    Abstract: A method for distributing encrypted cryptographic data includes receiving, by a key service, from a first client device, a request for a first public key. The method includes transmitting, by the key service, to the first client device, the first public key. The method includes receiving, by the key service, from an access control management system, an encryption key encrypted with the first public key and a request from a second client device for access to the encryption key. The method includes decrypting, by the key service, the encrypted encryption key, with a private key corresponding to the first public key. The method includes encrypting, by the key service, the decrypted encryption key, with a second public key received from the second computing device. The method includes transmitting, by the key service, to the second client device, the encryption key encrypted with the second public key.
    Type: Grant
    Filed: May 19, 2021
    Date of Patent: December 7, 2021
    Assignee: Virtru Corporation
    Inventor: William R. Ackerly
  • Patent number: 11184162
    Abstract: Privacy preserving secure task automation. A method may include generating, by a first section of a platform, a pair of encryption keys (private and shared secret keys); receiving, by a second section of the platform, platform user data, trigger service user data, and action service user data, wherein the user of the services and platform are the same; sending the shared secret key to the services; storing the private key in the first section; receiving from the trigger service, by the second section, a first communication encrypted with the shared secret key, regarding occurrence of a trigger; determining, by the first section, that the trigger corresponds to the user of the platform; encrypting a second message with the shared secret key, requesting invocation of the action based on the trigger; and transmitting the second encrypted message to the action service without the data related to the user of the platform.
    Type: Grant
    Filed: September 28, 2018
    Date of Patent: November 23, 2021
    Assignee: NORTONLIFELOCK INC.
    Inventors: Sandeep Bhatkar, Susanta K. Nanda, Yuqiong Sun, Saurabh Shintre
  • Patent number: 11176080
    Abstract: A board portal system provides the ability to manage multiple boards, where each of the boards may be a separate legal entity. The board portal may provide the ability to establish links between the multiple boards and create parent-child relationships with subsidiary boards. With the board portal, users can create content and make it viewable and accessible across multiple boards that are related through a parent-child relationship. At the same time, the board portal maintains a requisite level of separation between the related boards in the portal using encryption and/or other separation techniques. As a result, the board portal facilitates flexible workflow patterns and communication processes based on the proper hierarchical structure that exists between the parent organization and its subsidiaries.
    Type: Grant
    Filed: September 25, 2020
    Date of Patent: November 16, 2021
    Assignee: NASDAQ, INC.
    Inventors: Bret Beresford-Wood, Christina Khail
  • Patent number: 11177952
    Abstract: A method for the disclosure of at least one cryptographic key used for encrypting at least one communication connection between a first communication subscriber and a second communication subscriber in which, in a publish-subscribe server, at least one of the communication subscribers logs on as a publishing unit and at least one monitoring device logs on as a subscribing unit, and in a subsequent negotiation of a cryptographic key by the publishing unit, automatically the negotiated cryptographic key is supplied from the publishing unit to the publish-subscribe server, the negotiated cryptographic key is transmitted from the publish-subscribe server to the at least one subscribing unit, and the encrypted communication connection from the subscribing unit is decrypted using the cryptographic key is provided. The following also relates to a corresponding system.
    Type: Grant
    Filed: January 16, 2019
    Date of Patent: November 16, 2021
    Assignee: SIEMENS AKTIENGESELLSCHAFT
    Inventors: Steffen Fries, Rainer Falk
  • Patent number: 11171778
    Abstract: An objective is to enable conversion of a key sharing scheme having asymmetricity into a key sharing scheme with an authentication function. In a key sharing device, a key selection unit selects, out of two static keys of different classifications, one static key being different from a static key of a key-sharing counterpart. A temporary key generation unit generates a temporary key of the same classification as the static key selected by the key selection unit. A shared key generation unit generates a shared key using the static key selected by the key selection unit and a temporary key generated by the counterpart.
    Type: Grant
    Filed: June 4, 2018
    Date of Patent: November 9, 2021
    Assignee: MITSUBISHI ELECTRIC CORPORATION
    Inventors: Katsuyuki Takashima, Atsushi Fujioka
  • Patent number: 11171940
    Abstract: In some examples, a robot middleware system including a first robot middleware node, a second robot middleware node, and one or more secure encrypted type-enforced context messages between the first robot middleware node and the second robot middleware node.
    Type: Grant
    Filed: March 30, 2018
    Date of Patent: November 9, 2021
    Assignee: Intel Corporation
    Inventors: Ned M. Smith, Gregory Burns
  • Patent number: 11133932
    Abstract: A method includes: initiating a data channel over a networked gaming service, including generating a channel key, the channel key being used to encrypt content communicated over the data channel, and generating a first encrypted channel key by encrypting the channel key with a public key associated to an owner of the data channel; adding a participant to the data channel, including generating a second encrypted channel key by encrypting the channel key with a public key associated to the participant; wherein a message sent via the data channel includes encrypted content generated by using the channel key to encrypt content for the message, and further includes the first encrypted channel key and the second encrypted channel key.
    Type: Grant
    Filed: December 20, 2018
    Date of Patent: September 28, 2021
    Assignee: Sony Interactive Entertainment LLC
    Inventor: Bryan Cotta
  • Patent number: 11108830
    Abstract: In some aspects, the disclosure is directed to methods and systems for providing coordinative security among network devices across multi-level networks. Shared cryptographic secrets among the network devices are used as the basis for mutual security authentication and peering among these devices. The cryptographic secrets can be embedded in the SoC devices for these devices or dynamically generated based on unique identification information and attributes of these SoC devices. The messages for authentication and peering can be communicated directly among the network devices or indirectly via a cloud security portal entity that acts as a messaging proxy. The mutual authentication and peering process can be carried out coordinately among the network devices and a cloud security portal in a one-to-one mesh relationship, or in a transitive layering relationship, where each network entity authenticates and peers with its direct subordinates in a multi-level network.
    Type: Grant
    Filed: July 30, 2018
    Date of Patent: August 31, 2021
    Assignee: Avago Technologies International Sales Pte. Limited
    Inventors: Yong Li, Xuemin Chen, Weimin Zhang, Victor Liang, Binfan Liu
  • Patent number: 11102193
    Abstract: A method by a management server is described. The method includes receiving a credentials request from a requesting management node. The credentials request includes a public key of the requesting management node. The method also includes determining whether the management server has credentials encrypted for the requesting management node in a local cache. The credentials are encrypted using the public key of the requesting management node and cannot be decrypted by the management server. The method further includes sending the encrypted credentials to the requesting management node when the management server has the encrypted credentials. The requesting management node can decrypt the encrypted credentials using a private key.
    Type: Grant
    Filed: February 27, 2019
    Date of Patent: August 24, 2021
    Assignee: Ivanti, Inc.
    Inventors: Mark Tempel, Andrew Moravec
  • Patent number: 11068574
    Abstract: Systems and techniques are described for authenticating a user. A described technique includes receiving, by an identity management application running on a user computer, a request to authenticate a user to access a user application using the user computer. The technique includes determining, by the identity management application, that a mobile device associated with the user is connected to the user computer using a short distance wireless connection. The technique includes requesting, by the identity management application running on the user computer, authentication information for the user from the mobile device over the short distance wireless connection. The technique includes receiving, by the identity management application running on the user computer, the authentication information for the user from the mobile device over the short distance wireless connection.
    Type: Grant
    Filed: May 17, 2019
    Date of Patent: July 20, 2021
    Assignee: VMware, Inc.
    Inventors: Abhishek Soni, Lakshman Rao Abburi
  • Patent number: 11057361
    Abstract: A computer program product and a system comprising: a cluster of Secure Execution Platforms (SEPs) having connectivity to a data storage, each SEP of said cluster is configured to maintain, using a key, confidentiality of data while processing thereof; the key is shared among the SEPs of said cluster, the key is automatically generated by the cluster or portion thereof and is unavailable to any non-cluster entity; the data storage retains encrypted data that is encrypted using the key; a first SEP of the cluster is configured to encrypt client data using the key to obtain encrypted client data and store the encrypted client data in the data storage; and a second SEP of the cluster is configured to retrieve encrypted stored data from the data storage, decrypt the encrypted stored data using the key to obtain non-encrypted form of the encrypted stored data.
    Type: Grant
    Filed: October 17, 2019
    Date of Patent: July 6, 2021
    Assignee: International Business Machines Corporation
    Inventors: Danny Harnik, Moshik Hershcovitch, Paula Ta-Shma, Yaron Weinsberg
  • Patent number: 11032712
    Abstract: A method for carrying out data integrity protection on a communication network. According to an implementation, a wireless communication device indicates, to a wireless network, the maximum data rate up to which integrity protection is supported for user plane data. A network node (e.g., a node of the core network, such as an SMF) receives this information and determines whether or not to enable integrity protection for user plane data based on the information (possibly in conjunction with other information such as the minimum data rate to be supported, etc.). The network node then communicates the decision to enable or disable integrity protection to a RAN node (e.g., a wireless base station).
    Type: Grant
    Filed: May 15, 2020
    Date of Patent: June 8, 2021
    Assignee: ZTE Corporation
    Inventors: Eswar Kalyan Vutukuri, He Huang
  • Patent number: 10979404
    Abstract: Methods and systems for providing fast random access and/or inspection of records within an encrypted communication session are presented. The encrypted communication session may include encrypted records that were encrypted using rotating encryption keys. A key index is generated for the encrypted communication session. The key index includes the encryption keys used during the encrypted communication session and timestamps associated with the encryption keys. To access a particular record within the encrypted communication session, a particular encryption key is selected from the encryption keys stored in the key index. The particular record is decrypted using the selected encryption key.
    Type: Grant
    Filed: March 29, 2018
    Date of Patent: April 13, 2021
    Assignee: PayPal, Inc.
    Inventors: Hubert Le Van Gong, Michael Shiwen Thang
  • Patent number: 10938547
    Abstract: A method for providing encrypted data on a client, a cloud or the like includes providing, for each user, a user-specific encryption key for encrypting user-specific plaintext. A common decryption key is computed with a pre-determined function using the user-specific encryption keys as input for the function. The function is a polysized function supporting poly-many additions and a single multiplication. Each user-specific plaintext is encrypted with the corresponding user-specific encryption key resulting in user-specific ciphertexts. The encrypting is performed such that encryption is homomorphic in the user-specific plaintext as well as in the user-specific encryption keys. A common ciphertext is computed with the function using the user-specific ciphertexts as input for the function. The common ciphertext and the common decryption key are provided for decryption.
    Type: Grant
    Filed: January 12, 2015
    Date of Patent: March 2, 2021
    Assignee: NEC CORPORATION
    Inventor: Sebastian Gajek
  • Patent number: 10917440
    Abstract: The present disclosure relates to a communication server and a method for secured transmission of messages from an enterprise server to a telecom server for delivering to end users. The enterprise server comprises a first gateway hosted therein to encrypt and transmit the encrypted messages to the communication server. The communication server receives and pushes the encrypted messages to the end users through the telecom server. The telecom server comprises a second gateway hosted therein to retrieve the push messages and to determine capability of decryption at user devices.
    Type: Grant
    Filed: August 11, 2020
    Date of Patent: February 9, 2021
    Assignee: Tanla Digital Labs Private Limited
    Inventor: Konda Venkata Papi Reddy
  • Patent number: 10887730
    Abstract: An apparatus, circuit, and method for controlling a service access in a packet data communication system are provided. The method includes broadcasting information related to whether a service access to a specific service is possible.
    Type: Grant
    Filed: December 16, 2013
    Date of Patent: January 5, 2021
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Il-Kwon Yun, Min-Suk Ko, Yong-Duk Lim, Kyeong-In Jeong
  • Patent number: 10873857
    Abstract: Dynamic wireless link security can be used to connect a wireless computing device to a wireless network. A determination is made as to the minimum level of security required and a wireless communication channel corresponding to that level of security is selected from among multiple, available wireless communication channels with varying levels of security. At least one of the wireless communication channels is an unencrypted channel with access control, which can be used when information is already encrypted or when encryption is not needed due to low sensitivity of the information. The determination can be made with user input or by inspecting metadata in content to be sent over the wireless link.
    Type: Grant
    Filed: May 31, 2018
    Date of Patent: December 22, 2020
    Assignee: AT&T INTELLECTUAL PROPERTY I, L.P.
    Inventors: Sheldon Meredith, William Cottrill, Brandon Hilliard
  • Patent number: 10831697
    Abstract: A board portal system provides the ability to manage multiple boards, where each of the boards may be a separate legal entity. The board portal may provide the ability to establish links between the multiple boards and create parent-child relationships with subsidiary boards. With the board portal, users can create content and make it viewable and accessible across multiple boards that are related through a parent-child relationship. At the same time, the board portal maintains a requisite level of separation between the related boards in the portal using encryption and/or other separation techniques. As a result, the board portal facilitates flexible workflow patterns and communication processes based on the proper hierarchical structure that exists between the parent organization and its subsidiaries.
    Type: Grant
    Filed: November 14, 2019
    Date of Patent: November 10, 2020
    Assignee: NASDAQ, INC.
    Inventors: Bret Beresford-Wood, Christina KHAIL
  • Patent number: 10790978
    Abstract: Technologies for secure collective authorization include multiple computing devices in communication over a network. A computing device may perform a join protocol with a group leader to receive a group private key that is associated with an interface implemented by the computing device. The interface may be an instance of an object model implemented by the computing device or membership of the computing device in a subsystem. The computing device receives a request for attestation to the interface, selects the group private key for the interface, and sends an attestation in response to the request. Another computing device may receive the attestation and verify the attestation with a group public key corresponding to the group private key. The group private key may be an enhanced privacy identifier (EPID) private key, and the group public key may be an EPID public key. Other embodiments are described and claimed.
    Type: Grant
    Filed: September 21, 2016
    Date of Patent: September 29, 2020
    Assignee: Intel Corporation
    Inventors: Ned M. Smith, Omer Ben-Shalom, Alex Nayshtut
  • Patent number: 10778658
    Abstract: The present disclosure relates to a communication server and a method for secured transmission of messages from an enterprise server to a telecom server for delivering to end users. The enterprise server comprises a first gateway hosted therein to encrypt and transmit the encrypted messages to the communication server. The communication server comprises a routing unit for routing the encrypted messages from the enterprise server to the user devices via the telecom server. The telecom server comprises a second gateway hosted therein to retrieve the encrypted messages. The user device comprises a third gateway hosted therein to retrieve the encrypted messages from the telecom server in case the decryption is taking place at user device.
    Type: Grant
    Filed: February 3, 2020
    Date of Patent: September 15, 2020
    Assignee: Tanla Digital Labs Private Limited
    Inventor: Konda Venkata Papi Reddy
  • Patent number: 10764341
    Abstract: A gateway is configured to be situated in a local area network (LAN) of Internet Protocol (IP)-based units having a serverless page party (SP2) function that employs multicast technology for page/party audio. The gateway converts multicast call traffic to unicast call traffic for transmission over the Internet to one or more IP units with SP2 function in different LANs. These different LANs are each provided with respective gateways that are configured to convert the unicast traffic back to multicast traffic to connect the page/party audio of an SP2 system among disparate facilities having different LANs, obviating the need for a dedicated and expensive wide area network for inter-LAN communication among IP units with SP2 function. A license and configuration server is configured to maintain a database of IP addresses of each gateway assigned to the respective inter-LAN or Internet groups and to communicate group IP addresses to the gateways.
    Type: Grant
    Filed: June 18, 2019
    Date of Patent: September 1, 2020
    Assignee: Hubbell Incorporated
    Inventors: Jeffrey T. Reid, Keith Youndt, Jason Fox
  • Patent number: 10764046
    Abstract: A network node and a method of updating and distributing secret keys in a distributed network are suggested. The network comprises a plurality of nodes connected to a shared medium of the distributed network. Each node of the plurality of nodes is a member of at least one group of a plurality of groups. Each group is associated with a secret group key. Each node of the plurality of nodes stores only the one or more secret group keys of the groups of which it is a member. A first node of the plurality of nodes generates an authenticated update key request. The authenticated update key request comprises an indication of a membership, of which the first node is a member. The first node broadcasts the authenticated update key request on the shared medium of the distributed network. Each remaining node of the plurality of nodes receives the authenticated key update.
    Type: Grant
    Filed: December 12, 2017
    Date of Patent: September 1, 2020
    Assignee: NXP B.V.
    Inventor: Thierry G. C. Walrant
  • Patent number: 10742624
    Abstract: There is disclosed in one example a sentinel device, including: a hardware platform including at least a processor and configured to provide a trusted execution environment (TEE); and a security engine operable to instruct the hardware platform to: determine that an internet of things (IoT) device in a first realm R1 requires a secure communication channel with a second device in a second realm R2; query a key server for a service appliance key for the secure communication channel; establish a secure communication channel with the endpoint device using the service appliance key and the TEE; and provide a security service function within R1 including brokering communication via the secure communication channel between the IoT device and the second device.
    Type: Grant
    Filed: February 12, 2019
    Date of Patent: August 11, 2020
    Assignee: McAfee, LLC.
    Inventors: Ned M. Smith, Simon Hunt, Venkata Ramanan Sambandam
  • Patent number: 10693866
    Abstract: In one embodiment, a system includes a hardware processor having at least one core to execute instructions; and a logic to generate a group public key for a subnet having a plurality of computing devices and generate a plurality of group private credentials for the plurality of computing devices, provide the group public key to the plurality of computing devices and provide each of the group private credentials to one of the plurality of computing devices, to enable communication between the plurality of computing devices of the subnet without validation messaging with the system. Other embodiments are described and claimed.
    Type: Grant
    Filed: April 1, 2016
    Date of Patent: June 23, 2020
    Assignee: Intel Corporation
    Inventors: Omer Ben-Shalom, Ned M. Smith, Alex Nayshtut
  • Patent number: 10678891
    Abstract: The invention relates to a method for the identification of security processors in a system for delivering protected multimedia content, in which: upon request from an identification device, a network head-end transmits (136) a command to suspend a first identified pre-determined security processor which, in response, switches (136) from an active state to an idle state; the sharing server detects (120) that the first security processor is in the idle state and then transmits (120) access control messages to a second security processor instead of the first security processor; in response to the identification of at least the second security processor, upon request from the identification device, the network head-end transmits (134) a command to re-establish the first security processor, and, subsequently, in response, the first security processor switches (134) from the idle state to the active state.
    Type: Grant
    Filed: November 24, 2016
    Date of Patent: June 9, 2020
    Assignee: VIACCESS
    Inventor: Bruno Tronel
  • Patent number: 10650129
    Abstract: A server device (100) receives access from an application (31) running on a terminal device (200). The server device (100) authenticates the application (31) of the terminal device (200) with a user name and a password and if successful, transmits an access token to the application (31) and approves access. Issuing an access token, the server device (100) postpones the expiration date given to other access tokens associated with the terminal device (200). When an access token received from the application (31) of the terminal device (200) is associated with the terminal device (200) and stored as being unexpired, the server device (100) approves access from the application (31) and postpones the expiration dates given to all access tokens associated with the terminal device (200).
    Type: Grant
    Filed: May 30, 2016
    Date of Patent: May 12, 2020
    Assignee: Rakuten, Inc.
    Inventors: Kohei Kawai, Sonny Kurniawan
  • Patent number: 10650161
    Abstract: An alias key is generated for each person identification (ID) in a database table. The alias key is used to look up the corresponding person ID in the database table. In addition, for each alias key, a temporary alias key is generated that is used to look up the corresponding alias key in the database table. A plurality of queries are received from at least one remote client that each specify at least one of the temporary alias keys. Data is later transmitted to the at least one remote client that is responsive to the queries. Related apparatus, systems, techniques and articles are also described.
    Type: Grant
    Filed: January 5, 2018
    Date of Patent: May 12, 2020
    Assignee: SAP SE
    Inventors: Udo Klein, Michael Kusber