Abstract: The disclosure is directed towards the detection of supply chain-related security threats to software applications. One method includes identifying differences between updated source code and previous source. The updated source code corresponds to an updated version of an application. The previous source code corresponds to a previous version of the application. A risk score is determined for the updated version. The risk score is based on a machine learning (ML) risk model. The ML risk model analyzes the differences between the updated source code and the previous source code. A value of the risk score corresponds to potential security threats that are associated with the updated version. The potential security threats are not associated with the previous version of the application. The risk score is provided to interested parties.

Abstract: An encryption key management method includes: receiving a data registration request from a supplier terminal, determining a data identifier associated with the content data, encrypting a master key with a public key of the supplier terminal, and providing the supplier terminal with the master key encrypted with the public key of the supplier terminal, the data identifier, and a key update count value; receiving a subscription application related to the data identifier from a first subscriber terminal, encrypting the master key with a public key of the first subscriber terminal, and providing the first subscriber terminal with the master key encrypted with the public key of the first subscriber terminal and the key update count value; receiving encrypted content data encrypted with the symmetric key and a hash for the content data from the supplier terminal; and transmitting the encrypted content data and the hash to the first subscriber terminal.

Abstract: Access to blockchain data may be removed by deleting an encryption key held in a remote server. Incoming data is stored in the blockchain after being encrypted at the key server. An ordinary blockchain user gains access to the data, after forwarding the encrypted data to the remote key server for decryption. Upon receipt of an input (e.g., time stamp), the key server deletes the key. Thereafter, the encrypted data on the blockchain is rendered inaccessible to the ordinary blockchain data user. At no point, does the ordinary data user have access to the key stored in the remote server. Embodiments may find particular use in removing access to personal data stored in a blockchain following the elapse of a predetermined amount of time, as may be required by privacy laws. Granular control over data access can may be afforded through the use of composite keys and/or key hierarchies.

Abstract: Methods and systems for providing merchant in-context checkout are described. A user is authenticated based on credentials received from a first application running on a computing device. An authentication code is provided to the first application. A signed verifier and the authentication code is then received from a second application running on the computing device. The authentication code and the signed verifier received from the second application are then validated, and a device token is provided to the second application upon validation. The device token is exchangeable by the second application for an access token that is usable for making payment calls from the second application.

Abstract: A base key that is stored at a device may be received. A network identification may further be received. A device identification key may be generated based on a combination of the network identification and the base key. Furthermore, the device identification key may be used to authenticate the device with a network that corresponds to the network identification.

Abstract: An interface element connected to a device and a security die-chip are fabricated in a single package. The security die-chip may provide a security authentication function to the interface element that does not have the security authentication function. The security die-chip may include a physically unclonable function (PUF) to provide a private key, and a hardware security module to perform encryption and decryption using the private key.

Abstract: A TPM with programmable fuses in an SOC includes an on-die RAM storing a blown-fuse count and a TPM state including a PIN-attempt-failure count and a fuse count, read from off-die NV memory. During initialization, if the blown-fuse count is greater than TPM state fuse count, TPM state PIN-attempt-failure count is incremented, thereby thwarting a replay attack. A PIN is received for access, and if the TPM state PIN-attempt-failure count satisfies a policy, a fuse is blown and the blown-fuse count incremented. If the fuse blow fails, TPM activity is halted. If the fuse blow succeeds and the PIN is correct, the TPM state PIN-attempt-failure count is cleared, but if the PIN is incorrect the TPM state PIN-attempt-failure count is incremented. TPM state fuse count is set equal to the blown-fuse count, and the TPM state is saved to off-die NV memory.

Abstract: Examples disclosed herein relate to using an integrity manifest certificate to verify the state of a platform. A device identity of a device that has the device identity provisioned and stored in a security co-processor to retrieve an integrity proof from the security co-processor. The device includes at least one processing element, at least one memory device, and a bus including at least one bus device, and wherein the device identity is associated with a device identity certificate signed by a first authority. The integrity proof includes a representation of each of a plurality of hardware components including the at least one processing element, the at least one memory device, the at least one bus device, and a system board and a representation of plurality of firmware components included in the device. The integrity proof is provided to a certification station.

Abstract: There is disclosed in one example a hardware computing platform, including: a processor; a memory; a network interface; and a security module, including instructions to cause the processor to: receive a request to download a file via the network interface; download a first portion of the file into a buffer of the memory; analyze the first portion for malware characteristics; assign a security classification to the file according to the analysis of the first portion; and act on the security classification.

Abstract: A method to participate in a blockchain-implemented token distribution process is disclosed. The token distribution process divides an initial quantity of tokens at an input address associated with an input node into a plurality of sub-quantities and uses a mixer node to distribute the sub-quantities to multiple output addresses associated with respective output nodes using a blockchain. The token distribution process utilizes a hierarchical token distribution scheme to recruit the mixer node. The hierarchical token distribution scheme involves a first commitment channel (Ui ? Uij) for a first transaction between the upstream node and a recruited mixer node (Uij), and for each of the plurality of downstream nodes, a second commitment channel (Uij ? Uijk) for a second transaction between the mixer node and a selected downstream node, wherein an unlocking script for the first transaction is derived from an unlocking script for any one of the second transactions.

Abstract: A device includes a first memory circuit and a processing circuit. The first memory circuit is configured to store first hash data. The processing circuit is coupled to the first memory circuit. The processing circuit is configured to: at least based on a volume of the device, define a size of a distinguishable identification (ID) and a size of second hash data; based on a combination of at least one bit of each of the distinguishable ID and IDs of the device, generate the second hash data; and compare the first hash data with the second hash data, in order to identify whether the device is tampered. A method is also discloses herein.

Abstract: Data is handled in a distributed computing environment comprising at least one server and a plurality of clients comprising at least a first client and a second client. The first client sends a first request for data to the second client, receives a first response from the second client as a response to the first quest, determines a probability of validity of the data requested based on a validity indication included in the first response indicating a probability that the data requested from the second client is invalid. The first client determines that the data requested by the first request and available from the second client is likely invalid, sends a second request to the server to obtain the data from the server and receives the data from the server.

Abstract: In a computing system, data is ingested into a primary row of shards in a stamp data structure. The stamp data structure includes a primary row of data shards and a set of replica rows of data shards so the data shards are arranged in rows and columns in the stamp structure. The ingested data is replicated from the primary row into the replica rows of data shards. Each of the data shards, in each row, is evaluated to identify a particular data shard in each column of shards to generate a logical row of data shards. Queries against the data shards are serviced from the logical row of data shards. The system dynamically controls expansion and contraction of the number of data shards in a row and of the number of replica rows.

Abstract: Systems and methods for providing access to online content while also securing user confidential information are presented. User confidential information (e.g., user phone number or e-mail address) may be used to authenticate and authorize a client device to access online resources, such as microservices exposed via application programming interfaces (APIs). With the techniques described herein, such user confidential information is protected both in transit over a network connection and while at rest in storage on the client device. This is achieved through the use of an encrypted access token (e.g., a JSON Web Encryption (JWE) token) including the user confidential information in an encrypted form. The client device receives such encrypted access token from an identity provider (IDP) and passes it to a resource server API to access the microservices associated with the API, without the client device decrypting the user confidential information contained therein.

Abstract: A computer implemented method for validating software is provided. The method includes generating a first check value, by a remote computing device, based on a unique value and software of the remote computing device, outputting the first check value and the unique value from the remote computing device to a secure data repository, obtaining, by a secure computing device, an authentic copy of the software of the remote computing device, obtaining, by the secure computing device, the unique value and the first check value from the secure data repository, computing, by the secure computing device, a second check value based on the authentic copy of the software for the remote computing device and the unique value, and determining, by the secure computing device, whether the remote computing device has authentic software based on a comparison of the obtained first check value and the second check value.

Abstract: Systems and methods for improved distributed symmetric cryptography are disclosed. A client computer may communicate with a number of cryptographic devices in order to encrypt or decrypt data. Each cryptographic device may possess a secret share and a verification share, which may be used in the process of encrypting or decrypting data. The client computer may generate a commitment and transmit the commitment to the cryptographic devices. Each cryptographic device may generate a partial computation based on the commitment and their respective secret share, and likewise generate a partial signature based on the commitment and their respective verification share. The partial computations and partial signatures may be transmitted to the client computer. The client computer may use the partial computations and partial signatures to generate a cryptographic key and verification signature respectively. The client computer may use the cryptographic key to encrypt or decrypt a message.

Abstract: In one embodiment, an apparatus includes a storage element, and a processing element configured to verify an asymmetric digital signature in order to authenticate a data item signed with the asymmetric digital signature, upon successful verification of the asymmetric digital signature, generate a symmetric MAC of the data item and store the symmetric digital in the storage element, and retrieve and verify the symmetric MAC in order to authenticate the data item.

Abstract: This application discloses a Docker container based application licensing method, apparatus, device and medium, wherein the method includes identifying a Docker container which is in a startup state, obtaining an image file of the Docker container and obtaining a license file of the Docker container from the image file, and determining whether the Docker container is authorized to be licensed according to the license file. Thus, a problem is solved that a controllable protection cannot be done for a software provider due to replication and abuse of authorization.

Abstract: An apparatus (4) comprises memory access circuitry (12) to control access to data stored in a memory; and memory integrity checking circuitry (20) to verify integrity of data stored in the memory, using an integrity tree (26) in which the association between parent and child nodes is provided by a pointer. This helps to reduce the memory footprint of the tree.

Abstract: A module with an embedded universal integrated circuit card (eUICC) can include a received eUICC profile and a set of cryptographic algorithms. The received eUICC profile can include an initial shared secret key for authentication with a wireless network. The module can receive a key K network token and send a key K module token to the wireless network. The module can use the key K network token, a derived module private key, and a key derivation function to derive a secret shared network key K that supports communication with the wireless network. The wireless network can use the received key K module token, a network private key, and the key derivation function in order to derive the same secret shared network key K derived by the module. The module and the wireless network can subsequently use the mutually derived key K to communicate using traditional wireless network standards.

Abstract: Various embodiments discussed herein enable the detection of malicious content. Some embodiments do this by determining a similarity score between content, computer objects, or indications (e.g., vectors, file hashes, file signatures, code, etc.) known to be malicious and other content (e.g., unknown files) or indications based on feature weighting. Over various training stages, certain feature characteristics for each labeled malicious content or indication can be learned. For example, for a first malware family of computer objects, the most prominent feature may be a particular URL, whereas other features change considerably for different iterations of the first malware family of computer objects. Consequently, the particular URL can be weighted to determine a particular output classification corresponding to malicious behavior.

Abstract: A system converts the data of data objects stored in a DDOS from one data format to another while the system is live and available to process requests for access to the data objects being converted. This process does not require taking the DDOS offline and also does not require locking a data object for the entire conversion of the data object.

Abstract: An apparatus may comprise an electronic circuit configured to perform one or more functions or operations, and a memory associated with the electronic circuit. The memory stores a customer-side circuit identification (ID) comprising watermark value combined with a pseudo-random number that is generated as a function of a seed value, wherein the seed value is based on a timestamp generated by computer. An external interface may be coupled to the memory, wherein the external interface provides read-access to the customer-side circuit ID.

Abstract: A device receives an access-key package. The access-key package comprises a signature. The device obtains a validation package. The validation package comprises a validation device ID and validation timestamp. The device validates the signature in the access-key package. The device also obtains an updated timestamp. The device then compares the validation timestamp to the updated timestamp.

Abstract: A computer-implemented method of permitting authentication of data added to an initial plurality of unique data items stored on a computer, all of the data items being converted via a one-way function to respective equal length unique digests (or hashes); and the hashes being stored as a linked dataset in which the value of each successive hash is dependent on the value of the previous hash combined with a new hash resulting from the hashing of the most recently added data. The most recent hash in the linked dataset (hash chain) is the cumulative result of all previous hashes in their original sequence, each hash in the dataset being unique to the most recently added data. Each cumulative hash is constructed by incorporating one or more pre-existing cumulative hashes into the source data, before the new hash is calculated.

Abstract: The present disclosure relates to systems, non-transitory computer-readable media, and methods for dynamically controlling ephemeral messaging threads and ephemeral message duration settings across computing devices while improving security by maintaining end-to-end encryption. In particular, in one or more embodiments, the disclosed systems can transmit encrypted ephemeral messages, including ephemeral message duration settings and ephemeral setting timestamps. The disclosed systems can decrypt received messages on receiving client devices and dynamically apply ephemeral message duration settings to different message threads. For example, the disclosed systems can modify existing duration settings at a receiving client device to match a received ephemeral message duration setting based on determining that the received ephemeral setting timestamp predates an existing setting timestamp.

Abstract: Described herein are systems and methods for host multihoming with no state synchronization between top-of-rack (ToR) switches coupled to multiple hosts. ToR switches of a multi-homing system share a virtual MAC address and respond to Address Resolution Protocol (ARP) requests and/or Neighbor Discovery (ND) solicitations for a default gateway IP address from the host with the virtual MAC address. Ports on a ToR switch may be configured either with a static ARP and/or ND entry, or be configured to learn via a discovery protocol. The lightweight host multihoming system may have modified flooding behavior, ARP/ND handling, and data path forwarding. ARP/ND traffic from a host is processed by a ToR switch, while other multicast traffic may be discarded. Embodiments of the host multihoming system provide a lightweight solution for software implementation with minimal changes imposed on the host or network design.

Abstract: In a distributed system, data is shared between three or more electronic devices. The first device generates and signs an object that includes the data. A second device receives the signed object and determines whether the signed object is valid. If valid, the second device will generate a validated signed object and send it to a third device. The third device will validate the object by determining whether the object includes valid signatures of both the first and second devices.

Abstract: A solid state drive (SSD) device includes: non-volatile memory, and volatile memory associated with an SSD device controller. In response to determining that the SSD device is to transition to a power saving mode, information is transferred from the volatile memory to a host memory of a host computer via a communication interface, and the at least some of the volatile memory is transitioned to an OFF state. In response to determining that the SSD device is to transition from the power saving mode to a normal operating mode, the at least some of the volatile memory of the SSD device is transitioned to an ON state in which the at least some of the volatile memory is capable of retaining data, and the information from the host memory is transferred to the volatile memory of the SSD device via the communication interface.

Abstract: A method by a wireless transmitting device for distinguishing between a quality of service (QoS) management frame and a non-QoS management frame is described. The method includes generating a frame that includes a frame header, wherein the frame header includes a frame control field, wherein the frame control field includes a partial traffic identifier or subtype (PTID/subtype) subfield, wherein the PTID/subtype subfield indicates whether the frame is a quality of service (QoS) management frame or a non-QoS management frame and transmitting the frame through a wireless medium.

Abstract: Data messages such as data packets in an IPv4 or IPv6 format are processed with a view to compression/decompression, using information obtained from sources other than the data packet itself, or the stream to which it belongs. This may involve additional dynamic processing defined in specifications identified by a shared marker, or obtained from an additional data source such as a static file, database application or the like. Embodiments described herein enhance this approach with a dynamic determination of data components.

Abstract: Methods and systems for a device identification system may be provided. The device identification system may determine an identity of a user device associated with a transaction. The identity may be determined by network address information, hard link information, soft link information, and/or other such information. The network address information may include IPv4 information, IPv6 information, a device ID, and/or other such information. The identity of the user device may be determined and a transaction conducted from the user device may be assigned a fraudulent transaction risk score according to the information. Transactions that are determined to be at a high risk of fraud may be reviewed or otherwise flagged and/or canceled.

Abstract: A method for a system includes receiving with a first transceiver of a first smart device, an advertisement signal from a stationary beacon, outputting with the first transceiver of the first smart device, a first ephemeral ID that is not permanently associated with the first smart device, to the stationary beacon, receiving with the first transceiver of the first smart device, a beacon identifier from a stationary beacon, outputting with a second transceiver of the first smart device, the first ephemeral ID, a first user identifier and the beacon identifier to an authentication service, storing in an association log in the authentication service, the first ephemeral ID, the first user identifier and the beacon identifier, and storing in a beacon log in the authentication service, a log of the stationary beacon including the first ephemeral ID.

Abstract: A system for signaling coordinated workers in a common goal through intelligent icons transferred across networks to computer screens. The system can comprise one or more electronic data processors. The system can also include a module configured to execute on the more or more electronic data processors, where the module can be configured to display a plurality of intelligent icons, each containing authorizing information that is retained in a file associated with a authorizing entity on a computer screen. The intelligent icons can be potentially loaned to authorized individuals on a list and used to authenticate users of the system with biometric, image, machine readable codes stored surreptitiously within the intelligent icon. Also, the intelligent icon can be used for friend-foe identification in battlefield and homeland security/border control scenarios.

Abstract: Authentication with security in wireless networks may be provided. A first confirm message comprising a first send-confirm element and a first confirm element may be received. Next, an Authenticator Number Used Once (ANonce) may be generated and a second confirm message may be sent comprising the ANonce, a second send-confirm element, and a second confirm element. Then an association request may be received comprising a Supplicant Number Used Once (SNonce) and a Message Integrity Code (MIC). An association response may be sent comprising an encrypted Group Temporal Key (GTK), an encrypted Integrity Group Temporal Key (IGTK), the ANonce, and the MIC. An acknowledgment may be received comprising the MIC in an Extensible Authentication Protocol (EAP) over LAN (EAPoL) key frame and a controller port may be unblocked in response to receiving the acknowledgment.

Abstract: A methodology for requesting at least one signed security measurement from at least one module is provided. The methodology includes receiving the at least one signed security measurement from the at least one module; validating the at least one signed security measurement; generating a signed dossier including all validated signed security measurements in a secure enclave, the signed dossier being used by an external network device for remote attestation of the device.

Abstract: A method for rendering a multimedia data stream tamper-proof and of evidential value when recorded in a block chain system reads and decodes the multimedia data stream to obtain multiple frames of data arranged in sequence, and calculates a hash value of each frame of data of the multimedia data stream. One or more items of data are selected from the multiple frames of data based on a predetermined rule and information as to properties of the one or more items of data is uploaded to the block chain system for recording purposes. A device for applying the method to a multimedia data stream is also disclosed.

Abstract: Methods and systems for providing data manifests as a service (DMAAS) are described herein. A first computing system, may generate a first data manifest comprising a first count parameter and a first hash parameter associated with a first data exchange transaction between the first computing system and a second computing system, store the first data manifest to a blockchain data store and transfer a data payload of the first data exchange transaction. The second computing system may analyze the data payload received via the transport mechanism, generate a second data manifest including a second count parameter and a second hash parameter and store the second data manifest to the blockchain data store. A DMAAS computing system facilitates access to the blockchain data store, identifies transmission errors, and triggers acceptance of data at the second computing system upon a successful data exchange transaction.

Abstract: A method for storing a data file (DF) on a storage entity (SE) includes receiving, by a proxy (PE) and from a computing entity (CE), a plurality of hash values corresponding to a plurality of blocks of the DF. The PE may check whether the plurality of blocks of the DF are stored in the SE based on the plurality of hash values. Based on determining that at least a subset of the plurality of blocks of the DF are not being stored in the SE, the PE may compute a secret associated with an encryption key. The PE may transmit, to the CE, the secret. The PE may receive, from the CE, information including storage locations of the subset of the plurality of blocks within the SE and one or more hash values, of the plurality of hash values, associated with the subset of the plurality of blocks.

Abstract: A verifier peer system transmits a request to an application of another peer system to obtain integrity data of the application. In response to the request, the verifier peer system obtains a response that includes kernel secure boot metrics of the other peer system and integrity data of the application and of any application dependencies. If the verifier peer system determines that the response is valid, the verifier peer system evaluates the integrity data and the kernel secure boot metrics against a set of Known Good Values to determine whether the integrity data and the kernel secure boot metrics are valid. If the integrity data and the kernel secure boot metrics are valid, the verifier peer system determines that the other peer system is trustworthy.

Abstract: A set of security templates is maintained including first and second templates. The first template specifies time and location stamp authentication for a file, and contextual security conditions that must be met before the file can be accessed. The second template specifies the time and location stamp authentication, but not the contextual security conditions. One of the first or second security templates is applied to the particular file. When the second security template is applied, a GPS-crypto device adds a time and location stamp to the particular file. The particular file is signed using a private key associated with the GPS-crypto device to generate an authentication signature based on the time and location stamp. The authentication signature is added to the particular file to allow a recipient to verify the time and location stamp of the particular file using a public key corresponding to the private key.

Abstract: This disclosure provides systems, methods, and apparatuses for wireless communication. In some aspects, An example method includes receiving, from a second wireless communication device, a frame associated with one or more wireless sensing measurements, verifying an integrity of the received frame associated with a message integrity code (MIC) in the received frame, and obtaining one or more wireless sensing measurements associated with the received frame.

Abstract: Systems and methods for a machine learning based approach for identification of malware using static analysis and a machine-learning based automatic clustering of malware are provided. According to various embodiments of the present disclosure, a processing resource of a computer system receives a potential malware sample. A plurality of feature vectors is extracted from the potential malware sample and is converted into an input vector. A byte sequence is generated by walking a plurality of decision trees based on the input vector. Further, a hash value for the byte sequence is calculated and a determination is made regarding whether the hash value matches a malware hash value of a plurality of malware hash values corresponding to a known malware sample. Upon said determination being affirmative, the potential malware sample is classified as malware and is associated with a malware family of the known malware sample.

Abstract: A microcontroller includes a CPU and a cryptographic circuit, and when a first program uses the cryptographic circuit, the second program transmits installation information of the first program and encrypted program installation information to the cryptographic circuit. The cryptographic circuit decrypts the encrypted program installation information and compares it with the installation information of the first program. In the case of match, the use of the cryptographic circuit by the first program is permitted.

Abstract: A multi-functional authentication apparatus and an operation method for the same are provided. The multi-functional authentication apparatus integrates multiple communication modules into one device. A biometric authentication procedure is firstly performed when activating this multi-functional authentication apparatus. A security code is generated through a security authentication mechanism provided by this apparatus after reading biometric features. After that, according to a connection protocol, one of the communication modules of the multi-functional authentication apparatus is activated to connect with an external host. The security code is transmitted to the host via the communication module for identifying a user. The multi-functional authentication apparatus acts as an authenticator that allows a user to login to a computer system or obtain a network service after authentication.

Abstract: Described herein are embodiments that provide out-of-band authentication for vehicular communications using Joint Automotive Radar Communications (“JARC” if singular, “JARCs” if plural). A method includes receiving, by a directional radio of a connected vehicle, a directional communication having a payload that includes the first temporary identifier and sensor data for a purported transmitter of the directional communication. The method includes initiating, by the directional radio and a radar of the connected vehicle, a set of JARCs with the purported transmitter to determine an authenticity status of the first temporary identifier. The method includes executing a vehicular action for the payload of the directional communication responsive to the authenticity status.

Abstract: Some embodiments are directed to a keyed message authentication code (MAC) device (100) for computing a keyed MAC for an input message using encoded representations. The keyed MAC device may be configured to apply a sequence of compressions functions, at least one of which takes a state as input in an encoded representation.

Abstract: Techniques are disclosed for managing encrypted data stored in one or more blocks of a first data structure. One embodiment presented herein includes a computer-implemented method, which includes retrieving the encrypted data from the one or more blocks. The method further includes placing the encrypted data in a container object. The method further includes applying an encryption technique to the container object to generate an encrypted container object and a key. The method further includes generating a second data structure. A first block of the second data structure may include either the encrypted container object or information related to the encrypted container object.

Abstract: An embodiment of the present invention is directed to Branch Migration Tool that migrates accounts in an efficient manner. The Branch Migration Tool enables a user to select and copy key tables within the iDDA Global platform to a local instance. In addition, the Branch Migration Tool is transparent to clients with existing account numbers being retained.

Abstract: A system and method for providing multifactor authentication. A disclosed method includes receiving a request at a server to launch a new session for an application on a client device, generating a plurality of codes, each of the plurality of codes associated with a respective identifier, and forwarding the plurality of codes via a short messaging service (SMS) message to a user associated with the client device. The method further includes sending the respective identifier associated with a given code of the plurality of codes to the application and receiving a submitted code entered into the application from the client device. Once received, the method compares the submitted code with the given code associated with the respective identifier and authenticates the user in response to the submitted code matching the given code.