Abstract: A computer-implemented method is for tamper-evident recording of a plurality of executable items. Each executable item is associated with a data item verification fingerprint. The method includes computing an aggregated verification fingerprint from data item verification fingerprints using a one-way compression function so that the aggregated verification fingerprint has a first bit length. The first bit length is less than a total bit length of a concatenation of the data item verification fingerprints. The method further includes storing the aggregated verification fingerprint in a blockchain, attempting to execute an element of code, validating the element of code against the aggregated verification fingerprint, and, based on the validation, allowing execution or denying execution of the element of code.

Abstract: Improved optical network security (e.g., using a computerized tool) is enabled. Various embodiments herein can send (e.g., via a network) to a group of network devices comprising a first network device and a second network device, a first encrypted data stream, a second encrypted data stream, a first hash code, and a second hash code, wherein the first network device deletes the second encrypted data stream after the first network device hashes the second encrypted data stream, and in response to the second network device being determined not to have received the second hash code within a defined threshold time, determine that the first network device is unauthorized to use the network.

Abstract: Modification of application implementation may include modification, addition, and/or removal of machine-readable instructions. Modification of machine readable instructions prior to run-time may modify implementation of one or more features. Physical computer processor(s) may be configured by computer readable instructions to obtain machine-readable instructions. Machine-readable instructions may, cause a target computing platform to implement an application when executed. Physical computer processor(s) may obtain information regarding implementation of the application by the target computing platform and analyze the machine-readable instructions and/or the information to create one or more rules for modifying application implementation by the computing platform. Physical computer processor(s) may modify the machine-readable instructions based on the rules to add features to and/or remove features from the machine-readable instructions.

Abstract: There is provided a computerized method of secure communication between a source computer and a destination computer, the method performed by an inspection computer and comprising: receiving data sent by the source computer to the destination computer; inspecting the received data using one or more filtering mechanisms, giving rise to one or more inspection results; separately signing each of the one or more inspection results; determining, based on an inspection management policy, whether to send at least some of the inspection results and/or derivatives thereof for manual inspection; upon a positive determination, providing manual inspection of the at least some inspection results and/or derivatives thereof, and providing signing of the at least one manual inspection result; and analyzing signed inspection results and performing additional verification of the signed inspection results when a result of the analyzing meets a predefined criterion specified by the inspection management policy.

Abstract: A method for performing a security chip protocol comprises receiving, by processing hardware of a security chip, a message from a first device as part of performing the security chip protocol. The processing hardware retrieves a secret value from secure storage hardware operatively coupled to the processing hardware. The processing hardware determines a path through a key tree based at least in part on the message. The processing hardware derives a validator at least in part from the secret value using a sequence of entropy redistribution operations associated with the path through the key tree. The processing hardware exchanges the validator between the security chip and the first device as part of the security chip protocol in order to authenticate at least one of the security chip or the first device.

Abstract: Functional wrappers are scripts and related software that provide a way to group and invoke functionality comprising semantic intent in a legacy application. These functional wrappers allow programmatic access to functionality in legacy applications in contemporary software architectures without risk of porting errors. Additional functionality to provide features with presently expected, but not available at the time the legacy applications were developed, such as functional wrappers to provide parallelism and scaling, are disclosed. Finally, automatic generation of the functional wrappers are also disclosed.

Abstract: A computer-implemented method is for tamper-evident recording of a plurality of executable items. Each executable item is associated with a data item verification fingerprint. The method includes computing an aggregated verification fingerprint from data item verification fingerprints using a one-way compression function so that the aggregated verification fingerprint has a first bit length. The first bit length is less than a total bit length of a concatenation of the data item verification fingerprints. The method further includes storing the aggregated verification fingerprint in a blockchain, attempting to execute an element of code, validating the element of code against the aggregated verification fingerprint, and, based on the validation, allowing execution or denying execution of the element of code.

Abstract: Systems and methods for protected verification of user information are provided. Multiple computing systems may transmit or receive communications from one or more other computing systems as part of the protected user information verification. For example, a user may utilize a verification service to independently verify the user's information to third-party systems without the verification service actually storing, receiving, accessing, or otherwise coming into contact with the user-specific information that it is verifying. In this way, the system can protect a user's personal information while streamlining the user's verification with one or more third parties.

Abstract: Embodiments presented herein provide systems and methods for creating and modifying a hash chain. A hash chain is created to track resource-privilege transfers between entities. A root node of the hash chain identifies the resource and specifies a digest of a possession token held by a first entity that initially possesses the privilege. A transfer of the privilege to a second entity can be recorded by adding an expansion node to the hash chain. If the second entity successfully reveals a possession token that a hashing function associated with the hash chain maps to the digest, an expansion node is linked to the root node. The expansion node indicates the possession token and a successor digest that is based on a successor possession token.

Abstract: A system may read source data corresponding to a source variable and apply a transformation to the source variable to generate an output variable. The transformation may include logic, and the output variable may be configured for ingestion into a big data storage format. The system may record lineage data of the output variable that comprises the transformation and/or the source variable. The system may also receive a request to generate a requested output variable. The requested output variable may be generated from a second transformation that is the same as the first transformation. The system may thus match the first transformation to the second transformation using the lineage data. In response to matching the first transformation to the second transformation, the system may deny the request. The original output variable may be returned in response to the matching the first transformation to the second transformation.

Abstract: A system, computer program product, and computer-executable method of providing a layout-independent cryptographic stamp of a distributed data set from a data storage system, the system, computer program product, and computer-executable method comprising receiving a request for a cryptographic stamp of the distributed data set, creating a hash of each slice of the distributed data set, and using each hash from each slice of the distribute data set to create the cryptographic stamp of the distributed data set.

Abstract: A method for blockchain-based data verification is provided. The method includes: obtaining target data submitted by a data submitter, wherein a first data digest of the target data is recorded in a blockchain; computing a second data digest of the target data; determining whether the second data digest matches the first data digest of the target data recorded in the blockchain; and determining that the target data submitted by the data submitter is valid in response to determining that the second data digest matches the first data digest of the target data recorded in the blockchain.

Abstract: Initial data is included in a data structure such as an initial container at an initial entity, along with rules and a data signature of at least a portion of the initial data and other container contents relating to the initial entity and the initial data. Each rule defines at least one condition governing the permissible transfer and processing of the initial data by other entities in a provenance chain. Each receiving entity creates a container of its own to encapsulate received containers, and, after optional processing of its own, such as adding or altering data and rules, digital signature for its container. The digital signatures may be obtained from a hash tree-based signing infrastructure that returns data signatures enabling recomputation of a logically uppermost value of the hash tree. A lineage map of any given container may also be displayed for analysis by a user.

Abstract: Provided is a process including: receiving, with one or more processors, a first request to store a record from a computing entity; encoding, with one or more processors, the record in a first plurality of segments; arranging, with one or more processors, the first plurality of segments in respective content nodes of a first content graph, wherein at least some content nodes of the first content graph have two or more content edges of the first content graph pointing to two or more respective other content nodes of the first content graph; and storing, with one or more processors, the content nodes of the first content graph in a verification graph.

Abstract: A method is provided for providing a notary service for a file, the method including the steps in which: (a) when a notary service request for a specific file is obtained, a server generates, by using a hash function, or supports the generation of, a message digest of the specific file; and (b) if a predetermined condition is satisfied, the server registers, in a database, or supports the registration of, a representative hash value or a value obtained by processing the representative hash value, the representative hash value being generated by calculating at least one neighboring hash value that matches a specific hash value, wherein the specific hash value is a hash value of the result of encrypting the message digest with a private key of a specific user and a private key of the server.

Abstract: A server configuration management system is disclosed. The system comprises a script database storing a plurality of audit policies, a plurality of servers that each comprises an agent that executes at least a portion of one of the plurality of audit policies, and a configuration management server communicatively coupled to the script database and each agent. The configuration management server sends an audit script to a plurality of agents executing on a plurality of non-production servers of a common device group in a non-production environment, receives audit results from the plurality of agents, sends a remediate script to corresponding agents executing on non-compliant non-production servers, and responsive to a non-production server malfunctioning as a result of execution of the remediate script, creates, via a user interface, and implements an exception for a production server in the common device group in a production environment that corresponds to the non-production server.

Abstract: A file validation method and system is provided. The method includes retrieving from an authoritative source system, an artifact file. Identification information identifying a requesting user of the artifact file is recorded and associated metadata and a modified artifact file comprising the metadata combined with the artifact file are generated. An encryption key including a first portion and a second portion is generated and the first portion is stored within a central key store database. An encrypted package comprising the modified artifact file and the second portion of the key is generated.

Abstract: A signature rule processing method, a server, and an intrusion prevention system is provided. The method includes: performing, by a cloud server, correlation analysis on signature rule usage status information of each security device connected to the cloud server and a latest signature rule set published by the cloud server, to obtain a most active threat signature rule identification list, and sending, by the cloud server, update information to each security device to update a signature rule after generating the update information according to the most active threat signature rule identification list. The present invention is applicable to the field of network security systems.

Abstract: At least one node in a distributed hash tree verification infrastructure is augmented with an identifier of an entity in a registration path. A data signature, which includes parameters for recomputation of a verifying value, and which is associated with a digital input record, will therefore also include data that identifies at least one entity in the hash tree path used for its initial registration in the infrastructure. An uppermost value of the hash tree verification infrastructure is entered as, or as part of, a transaction in a blockchain.

Abstract: Disclosed is a digital signature service system and method based on a hash function in which a main agent, who requires the generation of a digital signature, does not personally generate the digital signature, and wherein digital signatures may be simultaneously and stably generated for large-scale data such as multiple electronic documents and digital data using a hash function and a hash tree, which are known as a simple and secure method, to guarantee the integrity of the data in a digital signature-based structure based on a server.

Abstract: Techniques are disclosed for presenting and collecting end user license agreement acceptance for software applications or firmware components executed on a computing appliance. A sentry component allows only certain commands to be executed before the relevant end user license agreements are accepted, e.g., commands to configure a network interface and web server on the appliance executed on a shell over a serial interface. Once configured the web server is used to provide a rich interface for presenting end user license agreements and obtaining acceptance thereof. Once the user accepts the terms of the relevant license agreements, then the appliance is made active and all configuration commands become operational, including commands needed to configure the device and start services which would otherwise be prohibited by the sentry component prior to license acceptance.

Abstract: Techniques are disclosed for presenting and collecting end user license agreement acceptance for software applications or firmware components executed on a computing appliance. A sentry component allows only certain commands to be executed before the relevant end user license agreements are accepted, e.g., commands to configure a network interface and web server on the appliance executed on a shell over a serial interface. Once configured the web server is used to provide a rich interface for presenting end user license agreements and obtaining acceptance thereof. Once the user accepts the terms of the relevant license agreements, then the appliance is made active and all configuration commands become operational, including commands needed to configure the device and start services which would otherwise be prohibited by the sentry component prior to license acceptance.

Abstract: An approach is provided for providing end-to-end security in multi-level distributed computations. A distributed computation security platform determines one or more signatures associated with one or more computation closures of at least one functional flow. The distributed computation security platform also processes and/or facilitates a processing of the one or more signatures to generate at least one supersignature. The distributed computation security platform further determines to associate the at least one supersignature with the at least one functional flow.

Abstract: The various technologies presented herein relate to analyzing a plurality of shares stored at a plurality of repositories to determine whether a secret from which the shares were formed matches a term in a query. A threshold number of shares are formed with a generating polynomial operating on the secret. A process of serially interpolating the threshold number of shares can be conducted whereby a contribution of a first share is determined, a contribution of a second share is determined while seeded with the contribution of the first share, etc. A value of a final share in the threshold number of shares can be determined and compared with the search term. In the event of the value of the final share and the search term matching, the search term matches the secret in the file from which the shares are formed.

Abstract: Provided are apparatuses and methods of generating and verifying signature information for data authentication. A method of verifying signature information may involves receiving signature information with respect to a predetermined number of data segments from a transmitter, constructing a hash tree based on the signature information, and verifying a validity of the signature information, by verifying trapdoor hash values using a root hash value of the constructed hash tree.

Abstract: A verifiable, redactable log, which, in some embodiments, may contain multiple hash values per entry in order to sever confidentiality of a log from verifiability. Logs may be verified using recalculation of hashes and verification of trusted digital signatures. In some embodiments, the log may be divided into segments, each signed by a time server or self-signed using a system of ephemeral keys. In some embodiments, log messages regarding specific objects or events may be nested within the log to prevent reporting omission. The logging system may receive events or messages to enter into the log.

Abstract: The present invention relates to methods and apparatus for in obtrusively determining previous actions and information associated with a user and generating web page content based upon previous actions and stored information.

Abstract: A data processing device for playing back a digital work reduces the processing load involved in verification by using only a predetermined number of encrypted units selected randomly from multiple encrypted units constituting encrypted contents recorded on a DVD. In addition, the data processing device improves the accuracy of detecting unauthorized contents by randomly selecting a predetermined number of encrypted units every time the verification is performed.

Abstract: An embodiment computing device operating in a data storage system includes an object storage controller operable to divide an object into blocks and to create an object hash from hash values, and a network interface in communication with the object storage controller, the network interface operable to transmit the blocks to a storage subsystem that generates one of the hash values from each of the blocks, to receive the hash values from the storage subsystem, and to provide the hash values to the object storage controller for creation of the object hash from the hash values. In an embodiment, the object storage controller is operably coupled to a processor and a memory or stored on a computer readable medium.

Abstract: Transformations of digital records are used as lowest level inputs to a tree data structure having a root in a core system and having nodes computed as digital combinations of child node values. Signature vectors are associated with the digital records and have parameters that enable recomputation upward through the tree data structure to either a current calendar value or onward to a composite calendar value that is a function of calendar values in a calendar, which comprises a set of computed calendar values, such that the calendar values have a time correspondence. Recomputation yields the same value only if a candidate digital record is an exact version of the original digital record included in the original computation of the value, indicating authentication of the candidate digital record. The authentication process as such is independent of any trust authority that issues cryptographic keys.

Abstract: In one exemplary embodiment, an apparatus includes a memory storing data and a processor performing operations. The apparatus generates or maintains an accumulation tree for the stored data—an ordered tree structure with a root node, leaf nodes and internal nodes. Each leaf node corresponds to a portion of the data. A depth of the tree remains constant. A bound on a degree of each internal node is a function of a number of leaf nodes of a subtree rooted at the internal node. Each node of the tree has an accumulation value. Accumulation values of the root and internal nodes are determined by hierarchically employing an accumulator over the accumulation values of the nodes lying one level below the node in question. The accumulation value of the root node is a digest for the tree.

Abstract: Systems and methods are disclosed which enable the establishment of file dates and the absence of tampering, even for documents held in secrecy and those stored in uncontrolled environments, but which does not require trusting a timestamping authority or document archival service. A trusted timestamping authority (TTSA) may be used, but even if the TTSA loses credibility or a challenger refuses to acknowledge the validity of a timestamp, a date for an electronic document may still be established. Systems and methods are disclosed which enable detection of file duplication in large collections of documents, which can improve searching for documents within the large collection.

Abstract: A system that incorporates the subject disclosure may include, for example, instructions which when executed cause a device processor to perform operations comprising sending a service request to a remote management server; receiving from the management server an authentication management function and an encryption key generator for execution by a secure element and an encryption engine for execution by a secure device processor, sending a request to establish a communication session with a remote device; and communicating with the remote device via a channel established using an application server. The secure element and the secure device processor authenticate each other using a mutual authentication keyset. The secure element, the secure device processor and the device processor each have a security level associated therewith; the security level associated with the secure device processor is intermediate between that of the secure element and that of the device processor. Other embodiments are disclosed.

Abstract: An information processing system including a medium where a content to be played is stored; and a playing apparatus for playing a content stored in the medium; with the playing apparatus being configured to selectively activate a playing program according to a content type to be played, to obtain a device certificate correlated with the playing program from storage by executing the playing program, and to transmit the obtained device certificate to the medium; with the device certificate being a device certificate for content types in which content type information where the device certificate is available is recorded; and with the medium determining whether or not an encryption key with reading being requested from the playing apparatus is an encryption key for decrypting an encrypted content matching an available content type recorded in the device certificate, and permitting readout of the encryption key only in the case of matching.

Abstract: Methods, systems, and apparatus are disclosed which enable flexible insertion of forensic watermarks into a digital content signal using a common customization function. The common customization function flexibly employs a range of different marking techniques that are applicable to a wide range of forensic marking schemes. These customization functions are also applicable to pre-processing and post-processing operations that may be necessary for enhancing the security and transparency of the embedded marks, as well as improving the computational efficiency of the marking process. The common customization function supports a well-defined set of operations specific to the task of forensic mark customization that can be carried out with a modest and preferably bounded effort on a wide range of devices. This is accomplished through the use of a generic transformation technique for use as a “customization” step for producing versions of content forensically marked with any of a multiplicity of mark messages.

Abstract: A data processing device for playing back a digital work reduces the processing load involved in verification by using only a predetermined number of encrypted units selected randomly from multiple encrypted units constituting encrypted contents recorded on a DVD. In addition, the data processing device improves the accuracy of detecting unauthorized contents by randomly selecting a predetermined number of encrypted units every time the verification is performed.

Abstract: This disclosure relates generally to methods and systems for determining when a file has changed. According to one aspect of the present disclosure, a method of determining if contents of a file have changed can include determining if a digital signature created as a function of contents of the file has changed, and when the digital signature has changed, overlaying the contents of the file with a first mark that indicates the contents have changed and blocks a view of the contents of the file.

Abstract: An upload and verification system allows a user to upload files which the user would like to attached to the electronic record of a certain event associated with the company, for example, an insurance claim. A quarantine server may receive the uploaded file and scan the file for malicious code. The quarantine server may transmit the file to temporary storage server. The temporary storage server may receive the file, may convert the file to a file format supported by the company system and may compress the file. The temporary storage server may also transmit a preview of the file back to the client device, where the user can verify that the correct document has been uploaded and no mistakes have been made.

Abstract: An image forming apparatus which can prohibit any users but a user who has made a deposit from operating the image forming apparatus for a chargeable process. A communication controller of the image forming apparatus obtains pieces of proper information of cell-phones. An ID management section issues IDs for the respective pieces of proper information, and the communication controller sends the IDs to the corresponding cell-phones. At an input section, a user of one of the cell-phones inputs the ID sent thereto. Thereafter, the communication controller receives an access from a cell-phone and receives proper information of the cell-phone. In this moment, it is judged whether the cell-phone which has made an access is identical with the cell-phone of which ID was inputted at the input section. Only when the communication controller identifies the cell-phone, the communication controller permits the image forming apparatus to communicate with the cell-phone.

Abstract: The present invention relates generally to digital watermarking. In one implementation, we provide a hierarchical digital watermark detector method. The method includes: i) in a first layer of a hierarchical search, performing watermark detection on blocks of at least a portion of an incoming suspect signal; ii) identifying a first block in the portion that is likely to include a decodable digital watermark; and iii) in a second layer of the hierarchical search, performing additional watermark detection on overlapping blocks in a neighborhood around the first block. Another implementation provides a hierarchical watermark detector including a buffer and a detector. The buffer stores portions of an incoming signal. The detector evaluates watermark detection criteria for blocks stored in the buffer, and hierarchically zooms into a neighborhood of blocks around a block associated with watermark detection criteria that satisfies detection criteria.

Abstract: A client computer runs a communicator employed to connect to a server computer in a cloud. The communicator is updated on a regular basis to update its algorithms for processing raw data into secured data. The server computer receives and validates the secured data, and attempts to update the communicator if the secured data is invalid. The server computer may deem the client computer as being infected when the update is reinitiated a predetermined number of times. The raw data may be restructured, or encrypted using an encryption scheme where the key used for the encryption is not provided to the receiver of the data. The algorithm for data restructuring and encryption may be included in the update to the communicator. Communication between the client computer and the server computer may be on a dynamically selected channel indicated in a previous communication.

Abstract: A client computer runs a communicator employed to connect to a server computer in a cloud. The communicator is updated on a regular basis to update its algorithms for processing raw data into secured data. The server computer receives and validates the secured data, and attempts to update the communicator if the secured data is invalid. The server computer may deem the client computer as being infected when the update is reinitiated a predetermined number of times. The raw data may be restructured, or encrypted using an encryption scheme where the key used for the encryption is not provided to the receiver of the data. The algorithm for data restructuring and encryption may be included in the update to the communicator. Communication between the client computer and the server computer may be on a dynamically selected channel indicated in a previous communication.

Abstract: A method of generating a keyless digital multi-signature is provided. The method includes receiving multiple signature generation requests from one or more client computers, building subtrees based on the signature generation requests, and constructing a search tree including the subtrees. The method also includes assigning explicit length tags to leaf nodes of the search tree to balance the search tree and applying a hash function to each of the search tree nodes. The root hash value and the height of the search tree make up a generated aggregate signature request, followed by receiving an aggregate signature based on the aggregate signature request. The keyless digital multi-signature is generated based on the aggregate signature and contains an implicit length tag to verify that the number of signature generation requests is limited. The aggregate signature is generated if the height of the search tree does not exceed a predetermined height limitation.

Abstract: A compression method applies a selection rule to input symbols and generates a reduced partial set of symbols. The partial set is checked against a dictionary-index for a match. A match identifies a range of matching symbols in a dictionary. The length of the matching range is iteratively increased by checking previous and next symbols in the input data and the dictionary until a matching range length meets a threshold limit or the length of the matching range cannot be increased further. Compressed data corresponding to the input symbols is provided where input symbols are copied over and symbols in a matched range of data are replaced with a representation of their corresponding start location and length in the dictionary.

Abstract: In various embodiments, a method comprises scanning a directory structure to generate a scan result comprising a plurality of discovered systems, identifying one or more accounts associated with at least one of the plurality of discovered systems, configuring a security appliance to change one or more old passwords to one or more new passwords for the one or more accounts, and changing, with the configured security appliance, the one or more old passwords to the one or more new passwords.

Abstract: A method for data integrity protection includes receiving items of data for storage in a storage medium. The items are grouped into multiple groups, such that at least some of the groups include respective pluralities of the items. A respective group signature is computed over each of the groups, thereby generating multiple group signatures. An upper-level signature is computed over the group signatures. Groups of the items, the group signatures, and the upper-level signature are stored in respective locations in the storage medium.

Abstract: The claimed subject matter relates to architectures that can construct a hierarchical set of decryption keys for facilitating user-controlled encrypted data storage with diverse accessibility and hosting of that encrypted data. In particular, a root key can be employed to derive a hierarchical set of decryption keys and a corresponding hierarchical set of encryption keys. Each key derived can conform to a hierarchy associated with encrypted data of the user, and the decryption capabilities of the decryption keys can be configured based upon a location or assignment of the decryption key within the hierarchy. The cryptographic methods can be joined with a policy language that specifies sets of keys for capturing preferences about patterns of sharing. These policies about sharing can themselves require keys for access and the policies can provide additional keys for other aspects of policy and or base-level accesses.

Abstract: A method for producing an electro-biometric signature allowing legal interaction between and the identification of persons utilizing biometric features. The method includes inputting a user's biometric features in a pre-determined sequence and checking that no feature is entered repeatedly.

Abstract: A system (50) is used for identifying a content item. The system (50) receives a received first identifier (101) of the content item, the received first identifier being based on at least part of a baseband level representation of the content item; a received second identifier (102) of the content item, the received second identifier being based on at least part of an encoded representation (103) of the content item; and the at least part of the encoded representation (103) of the content item. The system comprises a second identifier generator (53) for generating a generated second identifier based on the at least part of the encoded representation (103) of the content item; and a validation unit (54) for validating the received first identifier as a valid first identifier of the content item if the generated second identifier matches the received second identifier.

Abstract: An authentication system for digital records has a hash tree structure that computes an uppermost, root hash value that may be digitally signed. A random or pseudo-random number is hashed together with hash values of the digital records and acts as a blinding mask, making the authentication system secure even for relative low-entropy digital records. A candidate digital record is considered verified if, upon recomputation through the hash tree structure given sibling hash values in the recomputation path and the pseudo-random number, the same root hash value is computed.