Patents Examined by Abdullah Almamun
  • Patent number: 10445509
    Abstract: For a host that executes one or more guest virtual machines (GVMs), some embodiments provide a novel encryption method for encrypting the data messages sent by the GVMs. The method initially receives a data message to send for a GVM executing on the host. The method then determines whether it should encrypt the data message based on a set of one or more encryption rules. When the process determines that it should encrypt the received data message, it encrypts the data message and forwards the encrypted data message to its destination; otherwise, the method just forwards the received data message unencrypted to its destination. In some embodiments, the host encrypts differently the data messages for different GVMs that execute on the host.
    Type: Grant
    Filed: June 30, 2014
    Date of Patent: October 15, 2019
    Assignee: NICIRA, INC.
    Inventors: Kiran Kumar Thota, Azeem Feroz, James C. Wiese
  • Patent number: 10411907
    Abstract: An ID service on an app server interacts with a corresponding identity app installed on a user device such as a smart phone. At setup, the ID service receives the user's public key and only a segment of the corresponding private key. A special challenge message is created and partially decrypted using the private key segment on the server side, and then decryption is completed on the client app using the remaining segment(s) of the private key to recover the challenge. A token authenticator based on the result of the decryption is sent back to the identity service, for it to verify validity of the result and, if it is valid, enable secure login without requiring a password.
    Type: Grant
    Filed: January 25, 2017
    Date of Patent: September 10, 2019
    Assignee: SALESFORCE.COM, INC.
    Inventors: Prasad Peddada, Taher Elgamal
  • Patent number: 10404689
    Abstract: The description relates to password reset security. One example can receive a login request and a password for a cloud-based user account. The example can also retrieve stored authenticated user information associated with the password. The example can further send a notification of the login request to a contact address associated with the cloud-based user account. The notification can contain at least some of the stored authenticated user information.
    Type: Grant
    Filed: February 9, 2017
    Date of Patent: September 3, 2019
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Liqiang Zhu, Yi Zeng, Yu Huang
  • Patent number: 10395052
    Abstract: A method, computer usable program product or system for automatically sharing a set of sensitive data in accordance with a set of predetermined policy requirements including receiving across a network a set of certified policy commitments for a node; authenticating the set of certified policy commitments; utilizing a processor to automatically determine whether the set of certified policy commitments satisfies the set of predetermined policy requirements; and upon a positive determination, transmitting across the network the set of sensitive data to the node.
    Type: Grant
    Filed: December 1, 2017
    Date of Patent: August 27, 2019
    Assignee: TRUSTARC INC
    Inventor: Daniel J. Guinan
  • Patent number: 10382413
    Abstract: A client device bootstraps against a trusted server by obtaining an activation code that includes an identifier and a one time password. The client device sends a message to a public server requesting an address of a trusted server associated with the identifier. The client device receives the address of the trusted server from the public server and initiates a communication session with the trusted server at the address provided by the public server. The one time password is used as a shared secret to secure the communication session. The client device downloads cryptographic information from the trusted server.
    Type: Grant
    Filed: December 23, 2016
    Date of Patent: August 13, 2019
    Assignee: Cisco Technology, Inc.
    Inventors: Owen Brendan Friel, Jason Cresswell, Pandit Panburana
  • Patent number: 10382493
    Abstract: Computerized methods and systems receive neutralized data items on a first entity from a second entity over a network by receiving a first data item from the second entity. A security protocol that applies rules and policies is applied to the first data item to create a second data item that is a neutralized version of the first data item. The first data item and the second data item are converted into comparable forms. The second data item is analyzed against the first data item by comparing the comparable forms to form at least one comparison measure. The second data item is received on the endpoint if the at least one comparison measure satisfies a threshold criterion. The security protocol is modified to adjust the applied rules and policies if the at least one comparison measure does not satisfy the threshold criterion.
    Type: Grant
    Filed: June 9, 2016
    Date of Patent: August 13, 2019
    Assignee: CHECK POINT SOFTWARE TECHNOLOGIES LTD.
    Inventors: Daniel Finchelstein, Amnon Perlmutter
  • Patent number: 10382454
    Abstract: Distributed systems for protecting networked computer assets from compromise are disclosed. The distributed system includes one or more enterprise event sources, such as endpoint(s). The system also includes a server, such as a Big Data Analytics server, and optionally a security management server such as a Security Information and Event Management server. The Big Data Analytics server processes data collected from the enterprise event sources and produces behavioral profile models for each endpoint (or group of similar endpoints). The profiles, models, and ontology analysis are provided to the endpoints. Endpoint analytics use the output from the analytics servers to detect deviations from the endpoint's behavioral profile.
    Type: Grant
    Filed: September 26, 2014
    Date of Patent: August 13, 2019
    Assignee: McAfee, LLC
    Inventors: Yaniv Avidan, Alex Nayshtut, Igor Muttik, Omer Ben-Shalom
  • Patent number: 10362021
    Abstract: Disclosed are various approaches for providing authentication of a user and a client device. A user's credentials can be authenticated by an identity provider. In addition, a device posture assessment that analyzes the device from which the authentication request originates is also performed. An authentication request can be authenticated based upon whether the device posture assessment reveals that device to be a managed device that is in compliance with compliance rules.
    Type: Grant
    Filed: May 31, 2016
    Date of Patent: July 23, 2019
    Assignee: Airwatch LLC
    Inventors: Craig Farley Newell, Jonathan Blake Brannon, Kabir Barday, Ashish Jain
  • Patent number: 10346602
    Abstract: Provided are a method and device for authenticating an identity based on fusion of multiple biological characteristics. The method includes: collecting at least two types of biological characteristic identity information of a to-be-identified user; performing characteristic extraction on each type of the collected biological characteristic identity information, to obtain characteristic information corresponding to the type; establishing characteristic matrixes based on the characteristic information; performing normalization processing on each of the characteristic matrixes; performing dynamic weighting fusion on all of the normalized characteristic matrixes, to obtain a fused characteristic matrix; matching the fused characteristic matrix with a preset standard matrix, to obtain a matching score; and obtaining an identity identification result of the to-be-identified user based on a Bayesian decision model and the matching score.
    Type: Grant
    Filed: March 29, 2016
    Date of Patent: July 9, 2019
    Assignee: GRG BANKING EQUIPMENT CO., LTD.
    Inventors: Zheng Xiao, Jiachun Zheng, Xiaoping Han, Jinjun He
  • Patent number: 10341339
    Abstract: The various embodiments set forth an apparatus comprising an earpiece, a sensor configured to measure an inherent attribute associated with a user, a wireless transceiver configured to communicate with a wireless access point of a wireless communication network, and a controller. The controller is configured to establish authenticated access to the wireless communication network based on the inherent attribute associated with the user. An advantage of the disclosed embodiment is that a hearable device can conveniently authenticate user access to a network with enhanced security, based on one or more inherence factors that are measured by the hearable device.
    Type: Grant
    Filed: October 21, 2015
    Date of Patent: July 2, 2019
    Assignee: HARMAN INTERNATIONAL INDUSTRIES, INCORPORATED
    Inventors: Heikki Laine, Donald Joseph Butts
  • Patent number: 10341088
    Abstract: To achieve one-pass and one-rate authenticated encryption capable of performing parallel processings and totally performing encryption and decode processings by only one encryption function. An authenticated encryption device comprises an authenticated encryption means for applying a two-round Feistel structure using an encryption function assigned with an auxiliary variable for a round function per two blocks to an input plaintext or encrypted text thereby to generate an encrypted text or decoded plaintext. The authenticated encryption means finds an encrypted text chunk CC[i]=(C[i_1], C[i_2]) corresponding to an i-th plaintext chunk MC[i]=(M[i_1], M[i_2]) when dividing a plaintext into chunks per two blocks as: C[i_1]=F_K((N,Tw_i_1),M[i_1])xor M[i_2], C[i_2]=F_K((N,Tw_i_2),C[i_1])xor M[i_1].
    Type: Grant
    Filed: June 24, 2014
    Date of Patent: July 2, 2019
    Assignee: NEC CORPORATION
    Inventor: Kazuhiko Minematsu
  • Patent number: 10325118
    Abstract: Memory security technologies are described. An example processing system includes a processor core and a memory controller coupled to the processor core and a memory. The processor core can receive a content read instruction from an application. The processor core can identify a cache line (CL) from a plurality of CLs of a cryptographic cache block (CCB) requested in the content read instruction. The processor core can load, from a cryptographic tree, tree nodes with security metadata. The processor core can retrieve, from the memory, the CCB. The processor core can generate a second MAC from the CCB. The processor core can compare the first MAC with the second MAC. The processor core can decrypt the CCB using security metadata when the first MAC matches the second MAC. The processor core can send at least the identified CL from the decrypted CCB to the application.
    Type: Grant
    Filed: January 4, 2018
    Date of Patent: June 18, 2019
    Assignee: Intel Corporation
    Inventors: Siddhartha Chhabra, Francis X. Mckeen, Carlos V. Rozas, Saeedeh Komijani, Tamara S. Lehman
  • Patent number: 10326600
    Abstract: A routing method of forwarding task instructions between secured computer systems in a computer network infrastructure includes calling up routing information stored in a key computer system, generating a task file in the key computer system, wherein the task file comprises at least the routing information and a task description of at least one task for the target computer system; transmitting the task file based upon the routing information along the communication path from the key computer system by the group of the broker computer systems to the target computer system; verifying validity of the task file by the target computer system; executing at least one task in the target computer system by the task file in the case that verification of validity of the task file was successful.
    Type: Grant
    Filed: June 1, 2015
    Date of Patent: June 18, 2019
    Assignee: Fujitsu Technology Solutions Intellectual Property GmbH
    Inventor: Heinz-Josef Claes
  • Patent number: 10277392
    Abstract: A cracking method for cracking a secret key of an encrypting device includes: building up a leakage model for the encrypting device; performing a mathematical calculation on the leakage model, according to a plurality of sets of input data, to generate a mathematical model; generating a plurality of sets of hypothesized keys; generating a plurality of sets of simulation data corresponding to the hypothesized keys using the mathematical model; providing the input data for the encrypting device and detecting a plurality of sets of leakage data generated by the encrypting device; performing the mathematical calculation on the leakage data to generate calculated data; determining a correlation between each of the simulation data and the calculated data; and determining one of the hypothesized keys to be consistent with the secret key according to the correlation.
    Type: Grant
    Filed: May 17, 2017
    Date of Patent: April 30, 2019
    Assignee: WINBOND ELECTRONICS CORP.
    Inventors: Sung-Shine Lee, Szu-Chi Chung, Chun-Yuan Yu, Hsi-Chia Chang, Chen-Yi Lee
  • Patent number: 10178097
    Abstract: Methods and systems for providing a third party application with access to files stored on a server are disclosed. A method may include receiving, from a browser at a client device, a request for a file stored on the server, wherein the request is received via a web page provided by the third party application and rendered by the browser, the web page comprising an embedded user interface (UI) component associated with the server to access the file stored on the server, wherein the request includes a document identifier associated with the file, an application identifier of the third-party application, and an origin identifier, wherein the origin identifier is associated with the web page provided by the third party application and rendered by the browser.
    Type: Grant
    Filed: December 14, 2017
    Date of Patent: January 8, 2019
    Assignee: Google LLC
    Inventors: Brian Lewis Cairns, Victoria Hsiao-Tsung Chou Fritz, Eric Benson Schoeffler, Michael Jeffrey Procopio
  • Patent number: 10152346
    Abstract: A computer located outside of an organizational computing environment is remotely prepared and configured to work in the organizational computing environment. A hypervisor operating system is installed and replaces the primary operating system of the computer, and the primary operating system, virtual software appliances (VSA) and virtual machines (VM) can execute as processes of the hypervisor. The hypervisor is configured to establish secure connection with organizational computing environment and to receive from it organization-configured image software for configuring the computer to work in the organizational computing environment. The secure connection can also be used for remote maintenance of the computer even when the computer operating system is faulty or inactive.
    Type: Grant
    Filed: January 20, 2017
    Date of Patent: December 11, 2018
    Assignee: INTEL CORPORATION
    Inventor: Etay Bogner
  • Patent number: 10149154
    Abstract: An apparatus for connecting an Internet of Things (IoT) hub to a wireless network, the apparatus including: 1) a security module to generate a first secret and a second secret, and to encrypt a wireless key using the second secret to generate a first-encrypted key; and 2) a connection logic to establish a secure communication channel between an IoT hub and an IoT service using the first secret, transmit the second secret to the IoT hub and the first-encrypted key to the IoT service, receive from the IoT service a twice-encrypted key generated by encrypting the first-encrypted key using the first secret, and transmit the twice-encrypted key to the IoT hub, which decrypts it using the first secret to generate the first-encrypted key, which is further decrypted using the second secret to generate the wireless key. The IoT hub using the wireless key to connect to the wireless network.
    Type: Grant
    Filed: December 11, 2017
    Date of Patent: December 4, 2018
    Assignee: Afero, Inc.
    Inventors: Scott Zimmerman, Evan Jeng, Shannon Holland, Clif Liu, Chris Aiuto
  • Patent number: 10148430
    Abstract: Encryption of data across an environment, such as a shared resource environment, can be updated using keys generated using one or more revocable stream cipher algorithms. Data stored in the environment can be encrypted under a first key, or other such secret. When it is desired to update the encryption, a second key can be generated under which the data is to be re-encrypted. Instead of distributing the second key, a revocable stream cipher generator can generate an intermediate key based on the first and second keys, that when processed with the first key will produce the second key. Such an approach enables data to be re-encrypted under the second key without distributing the second key. Further, the unencrypted data will not be exposed in the process. In some embodiments, the re-encryption can be performed on an as-needed basis in order to reduce processing requirements.
    Type: Grant
    Filed: April 17, 2013
    Date of Patent: December 4, 2018
    Assignee: Amazon Technologies, Inc
    Inventor: Gregory Branchek Roth
  • Patent number: 10140469
    Abstract: In one embodiment, a method includes receiving a request for an object; retrieving one or more rules to evaluate whether to allow or deny access to the object, wherein a first rule is of an allow-type or a deny-type; evaluating the first rule by executing one or more of its operations, wherein when any of the executed operations of the first rule returns a result that is not definitive, if the first rule is of the allow-type, assigning a final result as an indication to skip evaluation of the rule, and if the rule is of the deny-type, assigning the final result to the first rule as an indication to deny access to the object; determining final results for the one or more rules; and based on the final results, allowing or denying access to the object.
    Type: Grant
    Filed: March 5, 2018
    Date of Patent: November 27, 2018
    Assignee: Facebook, Inc.
    Inventors: Robert Carlton Johnson, Stephen Charles Heise, Yiding Jia
  • Patent number: 10142215
    Abstract: According to one general aspect, a method of using a first probing device may include monitoring one or more encrypted communications sessions between a first computing device and a second computing device. In some implementations of the method, each encrypted communications session includes transmitting a plurality of encrypted data objects between the first and second computing devices. The method may include deriving, by the first probing device, timing information regarding an encrypted communications session. The method may also include transmitting, from the first probing device to a second probing device, the derived timing information.
    Type: Grant
    Filed: November 20, 2015
    Date of Patent: November 27, 2018
    Assignee: BladeLogic, Inc.
    Inventors: Danny Deschênes, Joe Pei-Wen Hsy, Pierre Larose